2016

Happy ‘late’ New Year to everyone.

I will continue my work on cVision in the coming months, along with some other projects I have in mind. Stay tuned... and oh yeah, http://cra0vision.net, look out for this soon.

More UI work I’ve done over the break.


[REL] LiveDump

LiveDump – A simple memory dumper

I’m a fan of 010 Editor’s templating system, which lets you write layouts for hex dumps or file formats; I use it in almost all of my research/reversing (more information about that can be found here). Even though the hex editor has a built-in system to open a live process’s memory, it’s not really great. I needed a system where the data I was looking at was live and updated almost instantaneously, so I wrote LiveDump. LiveDump is a simple memory dumper which will either dump a region of memory once to a file or constantly dump it every X milliseconds; this way I can see the data updated almost live in 010 Editor and make use of its templating to reverse a portion of a data structure or class object. There are things like Reclass which are purpose-built for this reason, and which I do use, however my own personal preference is the templating feature built into 010 Editor, as it’s very robust and you can incorporate loops and logic into it to display the data how you want.


Usage: Select the process from the process list, then enter an address and size. The address and size input fields accept both decimal and hexadecimal numbers; if your input is hexadecimal you must add a ‘0x’ prefix or ‘h’ postfix to the numerical value. Now either begin dumping continuously to a file by hitting “Begin Dump”, or hit “Dump Once” if you wish to dump only once.

LiveDump.zip | SHA1: 934fb95654cb05d2168e1e707a5cc80418380d4f


[REL]Cheat Engine Trainer Decryptor/Unpacker

So someone uploaded a pretty dodgy-looking binary to unknowncheats.me, and since I moderate the uploaded files and determine whether they are safe or not, I decided to take a look at the particular submission; it turned out to be a safe Cheat Engine trainer (SFX). Cheat Engine allows you to create trainers which include the Cheat Engine base along with the Cheat Engine table, which stores the basic offsets and memory edits a user would have created; they allow this to be saved in an ‘encrypted’ manner to stop script kiddies from stealing each other’s CE tables. The author stated in the source code that this is very trivial, however it stops most of the idiots who have no idea what they are doing from stealing tables. Anyway, I wrote a small tool to automatically decrypt them back into plaintext XML. Sorry kids, no binary here :-)

http://github.com/cra0kalo/CETRAINER_DECRYPT


[REL] Overwatch Revealer

For all that don’t know (and no, I’m not referring to Blizzard’s new game), CSGO has a system called Overwatch where people who have been reported for cheating get their demos reviewed by other players, or “overwatchers”. Typically these demos are stripped of all (most?) information about the suspected cheating player; this includes their name, text chat, gun names (if any custom names are given to weapons) and other player names, leaving the person watching the demo unaware of who it is they are reviewing. Now this is great, as hopefully people who are doing these Overwatch cases are not biased towards a certain player because of their name/display picture or even inventory. But hey, in my opinion it’s no fun, so I’ve made this tool which will reveal the suspected player 😛


Here are some case examples I’ve done before: Image1 | Image2 | Image3

<Download>

Anyway here is a short video I made showcasing the tool.


DirectX GUI WIP

I have been working on GUI-related developments in the past few weeks. Here is some demo work of controls I’ve reimplemented in Direct2D for cVision.

Currently developed:

  • Label
  • Button
  • Input Button
  • Panel
  • Slider
  • Tab Control
  • Image
  • Checkbox


It’s been a while

Hello?

It’s been a while since I’ve posted anything here, though it’s not because I haven’t been doing anything; actually I’ve been more productive in these few months than before.

So I’ve been working on many things, mainly cVision, which will soon be up here. Dynamic code generation has been something I’ve been studying with cVision, basically rendering any sort of signature scanning or code hashing useless. With that out of the way cVision is done, sort of; at least the application side is all functioning. If you’re reading this and are interested in purchasing a copy, get in contact with me.

As for other stuff, well, I’ve started working on the Insomniac Games engine again with Ratchet and Clank; I’ll post more about that later.


CSGO Far/Extended ESP Concept

So not too long ago this happened.


Valve released an update to CSGO which basically put PVS to use. This update would not network entities (in our case the enemy players) that were not in the visibility leaf of the player. Later on they released another update which brought the concept of player occlusion: the server would now not send any data of enemy players when they were not visible. It wasn’t as bad as what SMAC does, but it ended the life of the far ESP cheat in the game; you could no longer see enemy players unless they were close to you.

Since this is handled server side, there is no real feasible way to get around this. I’ve seen this done in many other games, like Dota 2 with its fog of war system.

Since there is no way to get around this, I thought to myself: hmm, well, the enemy player positions show up on the radar when a friendly spots an enemy. Know where I’m going with this? 😛

The remedy to the far ESP fix is to use this data to draw boxes around the enemy when they are out of view because of the visibility check. Lucky for us, the data they store in the radar structure is world coordinates (XYZ) instead of the 2D ones relative to the map.

So, taking a look at where the radar data is stored, here is what I was able to reverse:

Here is an example with live data:


And so when the enemy is spotted by one of your team members, using this data, which is networked unlike the entity data, we get this.


Now I know it doesn’t solve the problem, but it helps, seeing them when they are visible to one of your team members.

Here is a video:


Halo Online (eldorado) Data Extractor 1.0

Quoted from Readme.txt; I don’t want to type any more, I am tired.

Download 1.0


Fox Engine Model Studio (Closed beta release)

Since I’ve been busy, I’m going to throw this out there as a closed public beta; to be eligible, please fill out the survey.

http://www.surveymonkey.com/s/WFY5M7K

What exactly does the FMDL tool do?

It lets you extract the game assets from .fmdl files (models/maps/geometry/characters, etc.).


[REL] Dumping VAC2 and VAC3 the easier way

What is VAC?

VAC stands for Valve Anti-Cheat and is used in many games to prevent cheating, be it Valve games or 3rd party titles (Modern Warfare/DayZ). VAC comes in many different versions; at the time of writing this, the latest version we are calling VAC3. VAC2 and VAC3 are the only active modules right now for games like Counter-Strike: Global Offensive.

Where is VAC, how is it loaded?

VAC2 is loaded through SteamService; when you start a game, steamservice appears to load it. Valve first dumps the VAC2 module into your %temp% directory, then calls LoadLibrary. You can see this for yourself by hooking the LoadLibrary API call or by using an API monitor.

Furthermore, you can open up the .tmp file, which is actually a DLL, and search for the string “vac2” to confirm that’s it.

What about VAC3?

VAC3 works a little differently. It’s manually mapped by steamservice, which means there are no calls to LoadLibrary, and that means there is no reason for them to write the module to disk.

Dumping VAC2 and VAC3

Tools required

VAC2

Dumping VAC2 is the easiest: run Procmon and let’s set some filters up.

The first is Process Name; set this to “steam”. Then add another filter for Path and set it to your %temp% directory. If you’re unsure what your temp directory is, type %temp% into the Windows Explorer address bar and hit Enter.

Now that you have the filters set up, launch a game that uses VAC2, for example Counter-Strike: Global Offensive.

You will notice that Procmon has some entries now that look like this:


Head over to that directory and copy the file out to a safe place. Double-check it’s VAC2 by opening the file with your hex editor and searching for the “vac2” string I mentioned earlier.
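Confirming that a .tmp dropped in %temp% is really a DLL (the check above and the one after the API Monitor screenshot) can be scripted instead of done by eye in a hex editor; the same check is routine when triaging a temp directory for executables hiding behind a harmless extension. This is an added example, not code from the post or from any Steam/VAC tooling: the function names are mine, it parses the MZ/PE headers, tests the IMAGE_FILE_DLL flag and looks for the “vac2” marker string, and it runs against a constructed sample file because no real module is bundled.

```python
import struct
import tempfile
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images

def inspect_pe(data: bytes, marker: bytes = b"vac2") -> dict:
    """Quick look at a blob: is it a PE image, is it flagged as a DLL,
    and does it contain the marker string the post searches for."""
    result = {"is_pe": False, "is_dll": False, "has_marker": marker in data}
    # MZ stub first; e_lfanew at offset 0x3C points at the "PE\0\0" signature
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < pe_off + 24 or data[pe_off:pe_off + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
    result["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return result

def find_disguised_dlls(directory: str, marker: bytes = b"vac2") -> list:
    """Return [(path, marker_found)] for *.tmp files that are really PE DLLs."""
    hits = []
    for path in Path(directory).glob("*.tmp"):
        try:
            info = inspect_pe(path.read_bytes(), marker)
        except OSError:          # locked or vanished while scanning
            continue
        if info["is_pe"] and info["is_dll"]:
            hits.append((str(path), info["has_marker"]))
    return hits

def build_sample_dll(marker: bytes = b"vac2") -> bytes:
    """Constructed stand-in for a dropped .tmp: minimal MZ/PE header with the
    DLL flag set, then the marker string. Not a real or loadable module."""
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x2102)    # DLL flag
    return mz + b"PE\0\0" + coff + marker

def demo() -> int:
    """Scratch directory with one constructed 'DLL' and one text file that
    merely mentions vac2; only the first should be reported (returns 1)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "dropped.tmp").write_bytes(build_sample_dll())
        Path(tmp, "notes.tmp").write_text("plain text that says vac2")
        return len(find_disguised_dlls(tmp))
```

Pointing `find_disguised_dlls` at the real %temp% path lists every .tmp that carries a DLL header, with a flag showing whether the marker string was present.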

VAC3

Forcing LoadLibrary

Since VAC3 is manually mapped into memory, the first thought you might have is “find where it’s loaded and just dump the region with the size given”. Sure, that works and you can do it like that; however this way is even easier. Like the subheading says, we are going to force steamservice to load it via LoadLibrary.

Begin by running patchSteamService.exe

This will now patch the steamservice module, and VAC3 should now load like VAC2, via LoadLibrary.

How it works

Found by kokole, there is a subroutine inside steamservice which is basically like this:

You can patch this yourself if you know what you’re doing; it’s not hard, all you need to do is patch the instruction “jz” to “jmp” so it will always call sub_1000F680. Or just use the tool and it will do it for you.

Now to dump!

Once you have patched steamservice, run Procmon and set up the filter like you would for VAC2.

Run your VAC3-protected game (e.g. Counter-Strike: Global Offensive). You will notice now a lot is going on in Procmon.

Slowly the VAC3 modules will become visible. Initially there are two modules loaded on startup for Counter-Strike: Global Offensive (vac2 and vac3Auto); VAC3 auto is used to detect injectors on game launch. The other VAC3 modules will load as you’re playing on a VAC3-secured server.

If you navigate to the path shown there in Procmon you may not find the modules; this is because they are marked as hidden. Enabling hidden folders will not work here; the only way I’ve found to access them is via the command prompt.

Run a command prompt shell (cmd.exe), cd to the temp directory, then type the name of the file or the full path and hit Enter.

It should show a dialog box to open the file; select the option “Select a program from a list of installed programs”, then select your hex editor. If you see these then most likely you have dumped a VAC3 module. You can make sure by opening it with IDA and checking the exports for runfunc.

Tutorial End.

Dumped modules (1_02_2015_vac2+3_dump.rar (162.4 KB))
