cRadar/cVision It’s happening soon :)

Well now it’s portable/safe/easy

Posted in Main | Leave a comment

CSGO Update 5/14/15 (PVS/isDormant) No ghosts please!

Today Valve released an update for CSGO which broke most ESP hacks once players got to a certain distance away from the player. I’m not going to explain what PVS is so I’ll be linking this reddit thread which has a pretty decent explanation.

LINK

Now, I haven’t looked into a workaround for this yet but here is how to remove ghostly ESP boxes or w/e it is. My post on UC

http://www.unknowncheats.me/forum/1225738-post10.html

Posted in Main | Leave a comment

cVision – AWESOME, CUSTOMIZABLE, UNDETECTABLE!

I normally keep blog posts technical, but here is what I have been working on, soon to be released!

cvision_attract2

<link removed for now>

Posted in Main | Leave a comment

Halo Online (eldorado) Data Extractor 1.0

Quoted from Readme.txt, I don’t want to type anymore am tired

 Download 1.0

Posted in Main | Leave a comment

cVision

cVision is a part of my framework of applications I’ve been working on these days. After weeks of research on the Valve Anti-Cheat system, I don’t want to reveal too much yet, but here’s some box art and graphics I did.

Posted in Uncategorized | Leave a comment

Fox Engine Model Studio (Closed beta release)

Since I’ve been busy, I’m going to throw this out there as a closed public beta. To be eligible, please fill out the survey.

http://www.surveymonkey.com/s/WFY5M7K

What does the FMDL do exactly?

It lets you extract the game’s .fmdl assets (models, maps, geometry, characters, etc.).

Posted in Uncategorized | Leave a comment

[REL] Dumping VAC2 and VAC3 the easier way

What is VAC?

VAC stands for Valve Anti-Cheat and is used in many games to prevent cheats, be it Valve games or third-party titles (Modern Warfare/DayZ). VAC comes in many different versions; at the time of writing, the latest version is the one we are calling VAC3. VAC2 and VAC3 are the only active modules right now for games like Counter-Strike Global Offensive.

Where is VAC, how is it loaded?

VAC2 is loaded through SteamService: when you start a game, steamservice appears to load it. Valve first dumps the vac2 module into your %temp% directory, then calls LoadLibrary. You can see this for yourself by hooking the LoadLibrary API call or by using an API monitor.

apimonVAC2

Furthermore, you can open up the .tmp file, which is actually a DLL, and search for the string “vac2” to confirm that’s it.

vac2hex

What about VAC3?

VAC3 works a little differently. It’s manually mapped by steamservice which means there are no calls to LoadLibrary and that means there is no reason for them to write the module to disk.

Dumping VAC2 and VAC3

Tools required

VAC2

Dumping VAC2 is the easiest: run procmon and set up some filters.

procmon_filters

The first is the Process Name; set this to “steam”. Then add another filter for Path and set this to your %temp% directory. If you’re unsure what your temp directory is, type %temp% into the Windows Explorer bar and hit enter.

tmpwin32

Now that you have the filter set up, launch a game that uses VAC2, for example Counter-Strike Global Offensive.

You will notice that Procmon has some entries now that look like this:

vac2procmon

Head over to that directory and copy the file out to a safe place. Double-check it’s vac2 by opening the file with your hex editor and searching for the vac2 string I mentioned earlier.

VAC3

Forcing LoadLibrary

Since VAC3 is manually mapped into memory, the first thought that you might get is “find where it’s loaded and just dump the region with the size given”. Sure, that works and you can do it like that, however this way is even easier. Like the subheading says, we are going to force steamservice to load it via LoadLibrary.

Begin by running patchSteamService.exe

patchSS

This will now patch the steamservice module and VAC3 should now load like VAC2 via LoadLibrary.

How it works

Found by kokole, there is a subroutine inside steamservice which is basically like this:

idapress

You can patch this yourself if you know what you’re doing; it’s not hard. All you need to do is patch the instruction “jz” to “jmp” so it will always call sub_1000F680. Or just use the tool and it will do it for you.

Now to dump!

Once you have patched steamservice, run procmon and set up the filter like you would for VAC2.

Run your VAC3 protected game (eg. Counter-Strike Global Offensive). You will notice now a lot is going on in procmon:

vac_3Ml

Slowly the VAC3 modules will become visible. Initially there are two modules loaded on startup for Counter-Strike Global Offensive (vac2 and vac3Auto). VAC3 auto is used to detect injectors on game launch. The other VAC3 modules will load as you’re playing on a VAC3 secured server.

If you navigate to the path shown there in procmon you may not find the modules; this is because they are marked as hidden. Enabling hidden folders will not work here. The only way I’ve found to access them is via the command prompt.

Run a command prompt shell (cmd.exe) and cd to the temp directory then type the name of the file or the full path and hit enter.

cmdVac3

It should show a dialog box to open the file. Select the option “Select a program from a list of installed programs”, then select your hex editor. If you see these then most likely you have dumped a vac3 module. You can make sure by opening it with IDA and checking the exports for runfunc.

VAC3_PE1

VAC3_PE2

 

Tutorial End.

Dumped modules (1_02_2015_vac2+3_dump.rar (162.4 KB))

Posted in Misc | Leave a comment

And we have bones ;)

Chico says hi!

MGS_Bones

Bones

Kojima Productions seems to store bone data like so

Now I don’t exactly know what’s going on here because my first attempt didn’t work using that quaternion, so I re-wrote my matrix class in C#, which was originally written in VB.NET and ancient as hell.

Avclass

I ended up zeroing out the bone rotations (for now) since I have no clue what format they are storing the quat in.

After messing around with bones with the help of chrrox and jayk I was able to get skinning working and exported to SMD.

Posted in Main | Leave a comment

Fox Engine (Metal Gear Solid 5 GZ)

foxBanner

Fox Engine

There have been many advancements since I last posted, both by and the others, making it possible to extract assets from Kojima Productions’ Metal Gear Solid Ground Zeroes. The Fox Engine’s superb image quality is made possible by physically based rendering (PBR). It can make a low-polygon model look photo-realistic and it can do it well. Researching the file format along with JayK, Chrrox and Volfin, I’ve discovered that in fact most of the models used in game are pretty standard and have a low poly count.

Modding

Anyhow, there have been many people in the modding scene playing around with the engine. Mostly it’s been model swapping, which surprisingly works without breaking the game.

Here are some to check out if you haven’t seen them already.

There has even been texture modding


Fox Engine Model Studio

So you may be wondering why I’m talking about all this? Well, I’d like to personally contribute to this by making it possible to import/replace actual geometry; that’s where my new tool comes into play. The tool, which I’m dubbing Fox Engine Model Studio, will allow the extraction of the game models and also (yet to be implemented) the ability to replace models in the game.

What is left to do??

The FMDL format by Kojima Productions isn’t overly complex, however there are still unknown structures and data in there that we have yet to reverse engineer and understand exactly what they do. If model importing is going to be a reality then those structures need to be parsed and understood to a degree. I will post more about that as more research is done.

Thanks to JayK, Chrrox and Volfin for their format research help. Here are some WIP shots of what’s to come.

foxTool

chico_fox

snake

kojima_fox

paz

Posted in Main | Leave a comment

Metal Gear Solid 5 GZ (Fox Engine)

I played this game briefly before leaving for my Christmas holidays. When I got back I saw that someone had already managed to figure out the package format they use. “g0s” Extracting the files, it seems they have used zlib chunks on the .ftex textures. Here’s something funny: on top of the encryption the package archives use, they XOR-encrypt their shader files… It’s a dead giveaway when you open the shader binary up in a hex editor.

For example, in GrModelShaders_dx11.fsop you notice 0x9C repeated over and over.

Fox_SHR

Let’s XOR that selection of bytes with 0x9C and see what happens.

Fox_SHRDec

😎 Easy right?
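Why the repeated 0x9C gives the key away, as an added Python example (not the author's tool): zero bytes XOR to the key itself, so the dominant byte of a single-byte-XOR blob is the key. It generalises the hex-editor step by recovering the key from byte frequency; the sample buffer is constructed, not real .fsop data, and the function names are hypothetical.

```python
from collections import Counter


def guess_xor_key(blob: bytes, min_share: float = 0.2):
    """Return (key, share) if one byte value dominates the blob, else None.

    Padding and zero fields XOR to the key itself, so a single-byte XOR
    leaves the key as the most common byte, like the repeated 0x9C above.
    """
    if not blob:
        return None
    key, hits = Counter(blob).most_common(1)[0]
    share = hits / len(blob)
    return (key, share) if share >= min_share else None


def xor_bytes(blob: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (encoding and decoding are the same)."""
    return bytes(b ^ key for b in blob)


def longest_run(blob: bytes, value: int) -> int:
    """Longest run of `value`; long runs are what stand out in a hex editor."""
    best = cur = 0
    for b in blob:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


# Constructed sample (assumption): text-like fields separated by zero padding.
PLAINTEXT = (b"SHADER_SAMPLE\x00vs_5_0\x00" + b"\x00" * 48
             + b"float4 main() : SV_Target\x00" + b"\x00" * 16)
OBFUSCATED = xor_bytes(PLAINTEXT, 0x9C)

if __name__ == "__main__":
    guess = guess_xor_key(OBFUSCATED)
    if guess is None:
        print("no dominant byte: not a single-byte XOR, or no padding to leak it")
    else:
        key, share = guess
        print(f"key candidate 0x{key:02X} covers {share:.0%} of the blob")
        print(f"longest run of key byte: {longest_run(OBFUSCATED, key)}")
        print(xor_bytes(OBFUSCATED, key)[:21])
```

The same frequency check returns nothing on compressed or properly encrypted data, where no byte value dominates.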

Here’s an overview of what their model format looks like (FMDL). Pretty straightforward.

Fox_MDL

Posted in Main | Leave a comment