Analyzing UnityHacks in the role of a VAC engineer

UnityHacks

I’ve looked at many P2Cs (pay-to-cheat) in the past, and UnityHacks is one I’ve come back to revisit, to see if they have fixed the stupid design choices that could get them detected in an instant. Seems like nope. If Valve actually actively looked for what I’m about to go through in this post they would be detected; maybe we should let them know 😉

Man-in-the-Middle

UnityHacks uses this concept to partly shield its cheat loader from detection: the loader code is injected into another 32-bit process, and the actual loading is done from there.

[Image: dummy]

Unityhacks accesses the following Internet addresses:

There is also one for the handshake, but I will not get into this area much, so I’m only going over it briefly. Once the user has been authenticated, the server streams a PE image containing the loader code and the hack itself.

Obviously we can discover what is being written into the target process by hooking NtWriteVirtualMemory, and even if direct system calls were used there are still ways of dumping the written buffer.

[Image: HOOK1]

Ignore the .dll extension: these aren’t valid PE images, but raw WPM (WriteProcessMemory) dumps of what passed between the loader “UnityHacks.exe” and the middle man “dummy.exe”.

The first few files all contain the names of the imports the incoming mapped PE image will use; this is standard manual-map stuff, nothing interesting here.

What makes them sillier still is that they stream in the PE image header. Even if they didn’t, you could reconstruct the sections (.text, .data, .reloc, etc.) once the image has been mapped, but this just makes our lives easier. Looking at the PE image header we can see at first glance that they are using VMProtect, indicated by the ‘vmp0’ section name.

[Image: pe_unity_1]

Strings in the PE image reference a hardware-ID function, and there is also a Google web address, which I guess is used to test network connectivity.


This PE image is mapped into the dummy process along with a few other things. One is a segment containing the loader’s folder path plus some data about your hardware ID.

The actual hack is also mapped into the middle-man process, but it is encrypted. You can kind of guess which dump it is from the file size; just look at dump_9.dll’s size 😛

There is also another module which gets mapped and which they inject into Steam. This is just a guess, but I think it has something to do with altering VAC3 and basic housekeeping functions.

[Image: hwid]

Hack Loader

When you run Steam, the middle-man process maps the Steam module into Steam and waits for CSGO.exe.

Once Counter-Strike: Global Offensive is running it begins to map itself into csgo. Once again the PE header of the image is there; they map the sections along with your hwid segment, which holds the path to the loader. The ASCII path is plaintext: they don’t XOR it or use any other method of hiding it.

[Image: relocs]

Cracking the file open in IDA we notice a few things. Looks like the addresses are fixed to that instance of injection (they are based around 0x30000000). My guess is that the server or the loader relocates the addresses on each run; it can be fixed easily though.

Some strings are encrypted (“sub_314770”) using the key e3ab54f47028db88209bbfce1af2bfa4; however, we can see that they either got lazy or forgot to encrypt these:

[Image: screenshot 2016-07-18 06:51:14]

Conclusion

A simple signature search for “\Unityhacks\” in the csgo address space will be enough to detect this cheat. Emulating the hwid function and cracking this cheat is also feasible; some have done it in the past (e.g. CaptionJack @ r3cheats). It just takes a little time to write an emulator which maps the required sections and patches the image to run.
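The two detection-side observations from this post, the ‘vmp0’ section name visible in the streamed PE header and the plaintext “\Unityhacks\” loader path, can be checked mechanically over the raw WPM dumps. The following script is an added example and is not code from the post or from UnityHacks: it parses the DOS/NT headers of a dump, lists the section table, flags known protector section names, and searches the whole buffer for the plaintext signature in both ASCII and UTF-16LE. The sample dump it builds (section layout, image base 0x30000000 as the post reports, and the `C:\Users\user\Desktop\Unityhacks\` path) is constructed for the example; the UPX section names are added from general knowledge and are not mentioned on the page.

```python
import re
import struct

# Section-name prefixes that point at a known protector. The post identifies
# VMProtect by the 'vmp0' name; UPX0/UPX1 is added from general knowledge.
PACKER_PREFIXES = {b".vmp": "VMProtect", b"vmp": "VMProtect", b"UPX": "UPX"}

# Plaintext strings worth scanning for; the loader path from the post.
SIGNATURES = [b"\\Unityhacks\\"]


def parse_pe(buf: bytes) -> dict:
    """Parse the DOS/NT headers of a raw dump; return image base and section table."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]     # SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt_off)[0]
    if magic == 0x10B:                                             # PE32
        image_base = struct.unpack_from("<I", buf, opt_off + 28)[0]
    elif magic == 0x20B:                                           # PE32+
        image_base = struct.unpack_from("<Q", buf, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"image_base": image_base, "sections": sections}


def find_signatures(buf: bytes) -> list:
    """Return (offset, encoding, signature) for every ASCII or UTF-16LE hit."""
    hits = []
    for sig in SIGNATURES:
        variants = (("ascii", sig), ("utf-16le", sig.decode().encode("utf-16-le")))
        for enc, pat in variants:
            for m in re.finditer(re.escape(pat), buf):
                hits.append((m.start(), enc, sig.decode()))
    return hits


def triage_dump(buf: bytes) -> dict:
    """Header parse (if any), protector guess from section names, and signature hits."""
    report = {"pe": None, "packer": None, "signature_hits": find_signatures(buf)}
    try:
        report["pe"] = parse_pe(buf)
    except ValueError:
        return report                     # not a PE dump; string hits still count
    for sec in report["pe"]["sections"]:
        for prefix, packer in PACKER_PREFIXES.items():
            if sec["name"].startswith(prefix):
                report["packer"] = packer
    return report


def build_sample_dump() -> bytes:
    """Constructed stand-in for a raw WPM dump: PE32 headers, .text + vmp0, then the hwid segment."""
    sections = [(b".text", 0x1000, 0x1000, 0x200, 0x400), (b"vmp0", 0x2000, 0x5000, 0x200, 0x600)]
    opt = bytearray(224)                                  # PE32 optional header is 0xE0 bytes
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 28, 0x30000000)           # ImageBase, as reported in the post
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    sec_table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
        for n, vs, va, rs, rp in sections)
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_table
    # Constructed hwid segment as the post describes it: loader folder path, then hardware-ID data.
    hwid_segment = b"C:\\Users\\user\\Desktop\\Unityhacks\\\0HWID-CONSTRUCTED-0000"
    return headers.ljust(0x400, b"\0") + hwid_segment


if __name__ == "__main__":
    rep = triage_dump(build_sample_dump())
    print("image base: 0x%08X" % rep["pe"]["image_base"])
    print("sections:", [s["name"] for s in rep["pe"]["sections"]], "packer:", rep["packer"])
    for off, enc, sig in rep["signature_hits"]:
        print("signature %r (%s) at offset 0x%X" % (sig, enc, off))
```

Run it against a real dump with `triage_dump(open(path, "rb").read())`; string hits are reported even when the buffer is not a PE image, since the hwid segment is written separately from the image.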

If you want a copy of the dumped files + hack image for analysis purposes, PM me. I will not post public links, nor will I post a working crack.


Valve got it wrong once again

So you may remember the incident from a long time back when a whole bunch of Modern Warfare 2 users got VAC banned for no reason.

http://gamerant.com/valve-banning-innocent-mw2-free-gifts-johnj-31099/

For those who haven’t been following the VAC team: they have been in somewhat of a hibernation over the past months, as the VAC bans handed out were not targeting specific P2Cs (Pay 2 Cheat). More recently, however, they have come back and are actively targeting cheat providers again. The last update to Steam shows that VAC3 is now loaded when you sign into an account. This isn’t really an issue if you know the ways around it (I have a VAC disabler in the works, coming soon to cra0vision.net), but they are now scanning more aggressively for cheat software before a VAC-secured game is even launched.

This aggression has shown a downside: some false positives were in fact acknowledged by the VAC team today on reddit.


Research work on VAC and such will most likely be posted on UnknownCheats or this blog if you are interested.


Teardrop WIP

I’m working on a DLL injector which utilizes the various techniques of remote code injection. I haven’t really done any research or anything interesting lately, hence my lack of posts on this blog.


cVision!

[Image: Splash_App]

OMG ITS HERE!

If you have been following my stuff you most likely know already 🙂 https://cra0vision.net


VAC3 Dump (5/04/2016)


So the CSGO majors are over. Hoping for a big ban wave to flush the idiots out of the scene, I decided to do a VAC3 dump to see if anything has changed, since it’s been a good 3 months since I last looked at VAC. A few modules were deployed prior to this month.

Full download of the modules can be found on UnknownCheats


CSGO : Far ESP Concept #2

Counter-Strike Global Offensive Far ESP Concept #2

Introduction

As mentioned in my other concept post, Valve have disabled the networking of dormant players in CSGO. Dormant means the players your client should not be rendering, because they are hidden from you by occlusion of objects or are outside the visibility leaf in the BSP tree. More in-depth information about these concepts can be found below:

These systems are used on Valve’s official servers; third parties use other techniques to extend the functionality, such as the anti-wall feature in SMAC, which leagues use to prevent wall hacking. The concept presented in this post looks at another way of bypassing this, allowing the user to see the enemy players from anywhere on the map.

!!!Note I’m not going to reveal how this works just yet. This is a concept point only!!!

The Source Dedicated Server (SRCDS)

Although we are going to be looking at Valve’s own instances of srcds, which they deploy in matchmaking, this should work on any other server too.

Concept

There is a way, or rather various ways, to interact with the game server and receive information that is not supposed to be disclosed to you. I’m going to be utilizing one of those ways in this demonstration. There are limitations to this method, as you will soon see, but it works fine so far.

A usual competitive game in CSGO has 5 players on each team. One of the players we use as a relay, who captures the enemy player information (e.g. position data, health, current weapon) and relays that information to the other connected players. To make the connection easier a server is utilized. Here is a diagram:

[Image: Exa1]

Our 5th player (a modified spectator client) receives data from the game server for all connected players (friendly and enemy). This information is sent to the relay server, which then broadcasts it to each of the other four connected clients. The information can be drawn on a mini-map radar or as an ESP, like so:


Advantages/Disadvantages

The advantages and disadvantages are pretty obvious. You get the information you need about the enemy team but you pay the price of a fifth player being absent.

Further work

This concept could be improved drastically if the requirement for a 5th connected player were removed. Maybe have an external client connected somehow? For any questions contact me via email at me[AT]cra0.net or on twitter @cra0kalo.


2016

Happy ‘late’ New Year to everyone.

I will continue my work on cVision in the coming months, along with some other projects I have in mind. Stay tuned, and oh yeah, http://cra0vision.net, look out for this soon.

More UI work I’ve done over the break.


[REL] LiveDump

LiveDump – A simple memory dumper

I’m a fan of 010 Editor’s templating system, where you can write layouts for hex dumps or file formats; I use it in almost all of my research and reversing. More information about that can be found here. Even though the hex editor has a built-in system to open a live process’s memory, it’s not really great. I needed a setup where the data I was looking at was live and updated almost instantaneously, so I wrote LiveDump. LiveDump is a simple memory dumper which will either dump a region of memory once to a file or dump it repeatedly every X milliseconds; this way I can see the data updated almost live in 010 Editor and use its templating to reverse a portion of a data structure or class object. There are tools like ReClass which are purpose-built for this, and which I do use, but my personal preference is the templating feature built into 010 Editor, as it’s very robust and you can incorporate loops and logic into it to display the data however you want.

[Image: livedump]

Usage: select the process from the process list, then enter an address and size. The address and size fields accept both decimal and hexadecimal numbers; hexadecimal input must carry a ‘0x’ prefix or an ‘h’ postfix. Then either begin dumping continuously to a file by hitting “Begin Dump”, or hit “Dump Once” if you only want a single dump.
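The core of a tool like this is small: parse the address and size the way the input fields described above accept them, read the region, and rewrite the same output file on a timer so the hex editor can keep re-reading it. The script below is an added example written for this post, not LiveDump’s own source. It assumes a reader callable `read_memory(address, size) -> bytes`; a constructed in-memory reader is used to exercise it, and a Windows reader built on `OpenProcess`/`ReadProcessMemory` via ctypes is included for live use (it is only loaded on Windows). Output-file naming under the temp directory is this example’s choice.

```python
import os
import sys
import tempfile
import time
from typing import Callable, Tuple

Reader = Callable[[int, int], bytes]


def parse_number(text: str) -> int:
    """Accept decimal, '0x'-prefixed hex, or 'h'-suffixed hex, as the input fields do."""
    t = text.strip().replace(" ", "")
    if not t:
        raise ValueError("empty value")
    if t[:2].lower() == "0x":
        return int(t[2:], 16)
    if t[-1].lower() == "h":
        return int(t[:-1], 16)
    return int(t, 10)


def buffer_reader(buf: bytes, base: int) -> Reader:
    """Constructed reader over an in-memory buffer pretending to live at `base`."""
    def read(address: int, size: int) -> bytes:
        off = address - base
        if off < 0 or off + size > len(buf):
            raise IOError("address range outside the constructed buffer")
        return buf[off:off + size]
    return read


def windows_reader(pid: int) -> Reader:
    """Reader over a live process using kernel32 ReadProcessMemory (Windows only)."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
    handle = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed")
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]

    def read(address: int, size: int) -> bytes:
        out = ctypes.create_string_buffer(size)
        got = ctypes.c_size_t(0)
        if not k32.ReadProcessMemory(handle, address, out, size, ctypes.byref(got)):
            raise OSError(ctypes.get_last_error(), "ReadProcessMemory failed")
        return out.raw[:got.value]
    return read


def dump_once(read_memory: Reader, address: int, size: int) -> bytes:
    """Read exactly `size` bytes at `address`; a short read is an error, not silent truncation."""
    if size <= 0:
        raise ValueError("size must be positive")
    data = read_memory(address, size)
    if len(data) != size:
        raise IOError("short read: %d of %d bytes" % (len(data), size))
    return data


def dump_region(read_memory: Reader, address: int, size: int, out_path: str = None,
                interval_ms: int = 0, iterations: int = 1) -> Tuple[int, str]:
    """Overwrite `out_path` with the region every `interval_ms`; returns (dumps written, path)."""
    if out_path is None:
        out_path = os.path.join(tempfile.gettempdir(), "livedump_%08X.bin" % address)
    written = 0
    for _ in range(iterations):
        with open(out_path, "wb") as fh:       # rewrite in place so the editor re-reads the same file
            fh.write(dump_once(read_memory, address, size))
        written += 1
        if interval_ms and written < iterations:
            time.sleep(interval_ms / 1000.0)
    return written, out_path


def read_dump(path: str) -> bytes:
    """Read back a dump file (convenience for checking results)."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed region at a fake base; on Windows, swap in windows_reader(pid) for a live target.
    reader = buffer_reader(bytes(range(256)), base=parse_number("0x1000"))
    if sys.platform == "win32" and len(sys.argv) == 4:
        reader = windows_reader(int(sys.argv[1]))
    n, path = dump_region(reader, parse_number("1000h"), parse_number("16"), iterations=3, interval_ms=50)
    print("wrote %d dump(s) to %s" % (n, path))
```

`dump_once` refuses a short read instead of padding, because a truncated region silently misaligns every field a 010 template would overlay on it.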

LiveDump.zip | SHA1: 934fb95654cb05d2168e1e707a5cc80418380d4f


[REL]Cheat Engine Trainer Decryptor/Unpacker

So someone uploaded a pretty dodgy looking binary to unknowncheats.me, and since I moderate the uploaded files and determine whether they are safe, I decided to take a look at that particular submission. It turned out to be a safe Cheat Engine trainer (SFX). Cheat Engine lets you create trainers which bundle the Cheat Engine base with the Cheat Engine table that stores the offsets and memory edits a user has created, and they allow this table to be saved in an ‘encrypted’ form to stop script kiddies from stealing each other’s CE tables. The author stated in the source code that this is very trivial, but that it stops most of the idiots who have no idea what they are doing from stealing tables. Anyway, I wrote a small tool to automatically decrypt them back into plaintext XML. Sorry kids, no binary here 🙂

http://github.com/cra0kalo/CETRAINER_DECRYPT


[REL] Overwatch Revealer

For all who don’t know (and no, I’m not referring to Blizzard’s new game), CSGO has a system called Overwatch where people who have been reported for cheating get their demos reviewed by other players, or “overwatchers”. Typically these demos are stripped of all (most?) information about the suspected player: their name, text chat, gun names (if any custom names are given to weapons) and the other players’ names, leaving the person watching the demo unaware of who they are reviewing. This is great, as hopefully people doing these Overwatch cases are not biased towards a certain player because of their name, display picture or even inventory. But hey, in my opinion it’s no fun, so I’ve made this tool which will reveal the suspected player 😛

[Image: cvow]

Here are some case examples I’ve done before: Image1 | Image2 | Image3

<Download>

Anyway here is a short video I made showcasing the tool.
