VAC3 Changes

I’m going to refrain from posting public information about VAC from this post forward. They seem to have noticed we are using the .text section of the modules to keep track of modules and the timestamps to determine if any updates occurred.

The .rdata seems to be merged now with the code section (.text) so we can’t really use section hashes anymore.


No doubt that someone new is working with the VAC team and they have read my posts or they have just picked back up from the inactivity as evident of the recent major banwaves hitting p2cs.

If we look at the pdb paths of the modules we can see that they are not like the old ones which accidentally shipped a while back


The path has changed and I know this doesn’t exactly prove anything but It’s just something I’ve picked up.



Posted in Main | Leave a comment

VAC Banwave (13/09/2016)

A few days ago there was a massive VAC ban wave. Some of the major P2C providers got hit:

  • Interwebz
  • UnityHacks
  • Aimware


Other providers got hit but I’m not aware of who they are. News sites are reporting this to be the largest ban wave of the year. Firstly I’m going to start by saying this is not a server side detection as a big post on reddit and various other sites have threads titled “untrusted ban wave”. Untrusted though yes mostly is a ban that occurs when the server side anti-cheat detects an anomaly or something that shouldn’t be set on your client however it can also occur when the clientside VAC scanner detects an injection occurring. These bans are delayed as far as I know as when I was using the public Xenos injector I received an untrusted ban which later showed up on my profile as a VAC ban.


So moving on this ban wave was in fact a normal VAC ban wave.

File: vac_module_0_ee76faea4b2d4cdb951ebd9dcff92799.dll
Size: 61KB
Export TimeStamp: 13/09/2016 4:27:31 AM
Debug TimeStamp: 13/09/2016 4:27:31 AM
.text hash: F0B95B4B38F1752FDFCD7E7F6779165339E93FB2

File: vac_module_1_3d7b7d8d50356e415bebe04ad1464257.dll
Size: 60KB
Export TimeStamp: 3/09/2016 6:16:46 AM
Debug TimeStamp: 3/09/2016 6:16:46 AM
.text hash: E922440FEF9D16FCD1DD55329B2C43D2F0EBF7F8

The morning I woke up to the ban news I did another VAC module dump and clearly you can see they updated their modules. The 60kb module is responsible for scanning processes. The 61kb is an updated version which fixes an issue for windows10 (how02 found this). My guess is this VAC wave was targeting P2C loaders and processes that spawn before injection into the game. Remember VAC now can start when you login to Steam so running a potentially flagged loader even before the game is launched can see you VAC banned if you join a VAC secured server.

Lets see what the next wave brings us 🙂

Posted in Main | Tagged , , , , , | Leave a comment

Updated VAC3 Modules

As mentioned in the previous post Valve has changed the way they do import hiding. Previously there would be a bunch of string objects usually for each module that is being imported so “kernel32.dll” -> “GetProcAddress”,”ReadProcessMemory”, “OutputDebugStringA” etc and these would all be passed through a function which has an initial xor key of 0x55.

       public unsafe string DecryptString(byte[] strData)
            byte[] out_str = new byte[strData.Length];
            byte key = 0x55;

            byte* v3; // edx@1
            byte v4; // bl@1
            byte result; // al@1
            int v6; // edi@1
            int v7; // esi@2

            fixed (byte* str = strData)
                fixed (byte* str_out = out_str)
                    v3 = str_out;
                    v4 = key;
                    result = key;
                    v6 = (char)key ^ *(byte*)str;
                    if ((char)key != *(byte*)str)
                        v7 = (int)(str + 1 - (byte*)str_out);
                            result = (byte)(v4 ^ v3[v7]);
                            v4 = v3[v7];
                            *v3++ = result;
                        while (v6 != 0);

                    *v3 = 0;

            return Encoding.ASCII.GetString(out_str).TrimEnd('\0');

Now however they changed the operation and they are using IceKey encryption to decode the strings which get decoded in one big block.

Runfunc is what is called to run a vac module for a specific scan.

signed int __stdcall runfunc(int func_to_scan, void *inputPacket, int inputPacketSize, void *outputPacket, int outputPacketSize)

The inputPacket now contains a key they use to decode the strings. The decryption routine now looks like this:

Once the input packet is decrypted a 4byte key is then used to decrypt the string block with size of 0xA80.

if ( dword_115E944C )
    decryptImportStrings((int)&unk_115E9440, (int)&unk_115E9440, 0xA80, (int)v1);
  v2 = GetModuleHandleA(ModuleName);
  dword_119EA4D4 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD))GetProcAddress(v2, ProcName);
  dword_119EA4DC = (int (__stdcall *)(_DWORD, _DWORD))GetProcAddress(v2, aP);



There you have it nothing so difficult but I guess they don’t want people who have no idea what they are doing to be able to analyze the modules effectively. That being said though you can just hook GetProcAddress and everything is revealed anyway 😛



Posted in Main | Tagged , , , , , , , , , , , | Leave a comment

VAC3 Updates


Valve pushed an update for VAC3 a few days ago or it could of been a week I’m not sure I didn’t actually check the modules for a week.

Heres a log of the modules I dumped today and their time stamp dates.

PETimeSort :: 18/08/2016 4:43:29 PM

File: vac_module_0_8e2837dc1874e71c3ba4c70c493f012bea0597be.dll
Size: 35KB
Export TimeStamp: 6/08/2016 4:35:46 AM
Debug TimeStamp: 6/08/2016 4:35:46 AM
.text hash: 351654168C6FA1D84709EFAB9369378596B92D7D

File: vac_module_10_9a3d07112e4e379334a448a542bfdea463674fcc.dll
Size: 114KB
Export TimeStamp: 6/08/2016 4:35:46 AM
Debug TimeStamp: 6/08/2016 4:35:46 AM
.text hash: 2DF41439CF8E91F2D59194D18E33C86DFE1EEB75

File: vac_module_14_c0bbd5951bdf7c3337b0e81b2429d25dc018aa50.dll
Size: 32KB
Export TimeStamp: 6/08/2016 4:35:46 AM
Debug TimeStamp: 6/08/2016 4:35:46 AM
.text hash: 8E9E0E046259943E34699B55C0142F65EB2C2729

File: vac_module_13_7161146422a2783dd2bd69b048d073794c937a54.dll
Size: 30KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 21AD7FAF03D33E6164C9B009D0333F0FEE9AB7D3

File: vac_module_1_1c9adeac978bd1e63ca4aa0e1ed3479a72877809.dll
Size: 69KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 95F61937748CD4AB814120AB7F20D4AC1D09DBF8

File: vac_module_2_d94ea2256edf3c6e03b968240fea154c925130c3.dll
Size: 30KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 86B7B4D3CF07548A96F5F45118FA25CB48F40B88

File: vac_module_5_8500a4687cfabfda2f9fd042971fd481b65b70e6.dll
Size: 33KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: F90141CE8C03CD7E359383C3ADA2015B4074B309

File: vac_module_9_34fccfdc7d987f0e74fb2e546a7abb834ba65b84.dll
Size: 31KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: E7C549ACB6CCFA4FA384E3840822B6FFA9C286D6

File: vac_module_3_b23a14b07fd555d321e0432fb7f46859a06ec33c.dll
Size: 31KB
Export TimeStamp: 6/08/2016 4:35:36 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 1011BBCC7ADDFB8009E47A9161699E435EE7DA33

File: vac_module_7_f66f12c2dfc34b29f0d4305184b03d3845b9b0a3.dll
Size: 29KB
Export TimeStamp: 6/08/2016 4:35:24 AM
Debug TimeStamp: 6/08/2016 4:35:25 AM
.text hash: ED084D6562A429CF961267B7343F61212EAB80E4

File: vac_module_11_f260797499ce388f196b546b59260a77a23cbaf2.dll
Size: 32KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:24 AM
.text hash: 22DCA9E5141D960F1E45BF5735D8B9093B882F26

File: vac_module_12_c7423854a06351f64c30490099e85780f849306e.dll
Size: 27KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:23 AM
.text hash: 564FBABA08AFC5E8FD3F18F24DC1A36BF922D8A4

File: vac_module_15_51d5f83421482ab6a9fd0dc0f69ed4ee8d374659.dll
Size: 29KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:23 AM
.text hash: A22FD7769504A63C091A6CFC8A40CCB7E4311E71

File: vac_module_4_53b065d69934b4b49c02bfd38cb31f16fd61a7ec.dll
Size: 38KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:24 AM
.text hash: 06AF72EDDBBC3BA5CA88B6B0AB559B667795FF1F

File: vac_module_6_7cfdd6223b83ed997f22d0d493bc4f6876e474c6.dll
Size: 31KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:24 AM
.text hash: 68D8008E7D6AA4813F493301DAE90F8A25FC58D5

File: vac_module_8_9b09a83cf7a9a95614e061165e2f41b6ac031def.dll
Size: 30KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:23 AM
.text hash: 09A5EABA9F67A030B1FE719A64A74DE627A849D0

We can see they all seem to be updated at the same date. I will leave discussion to the thread on unknowncheats but at a first look we can see they seem to of changed the import resolver function which decodes the import strings.

UnknownCheats Thread


Posted in Main | Tagged , , , | Leave a comment

Ghost In The Shell First Assault

I’ve been working on reverse engineering this game with a bunch of friends over @ UnknownCheats

Heres some media about it all 🙂

Posted in Main | Leave a comment

Analyzing UnityHacks in the role of a VAC engineer



I’ve looked at many P2Cs(pay-to-cheat) in the past and unity is one I’ve come back to revisit to see if they have fixed stupid design concepts that could see them detected in an instance and seems like nope. If Valve actually actively looked for what I’m about to go through in this post they would be detected maybe we should let them know  😉


This concept that is utilized by unityhacks is a way of them somewhat securing their cheat loader from detection. It is basically injecting their loader code into another 32bit process and then doing the loading from there.


Unityhacks accesses the following Internet addresses:

there is also one for handshake but I will not get into this area much so I’m just going over it briefly. Once the user has been authenticated the server will stream a PE image which is the loader code and the hack itself.

Obviously we can discover what is being written into the target process by hooking NtWriteVirtualMemory and even if direct systemcalls were done there are still ways of dumping the written buffer.


Now ignore the .dll extension these aren’t exactly valid PE images rather raw WPM dumps of what has happened between the loader “UnityHacks.exe” and the middle man “dummy.exe”

The first few files you see there all contain names of the imports the incoming mapped PE image will use, this is standard manual map stuff nothing interesting here


What makes them more silly is the fact that they stream in the PE image header like I mean even if they didn’t you can reconstruct the sections .text .data .reloc etc when its been mapped however this just makes our lives easier. Looking at the PE image header we can see at a first glance they are using VMProtect indicated by the ‘vmp0’ section header name.


Strings of the PE Image indicate references to a hardware id function.  and you can see they have some web address there of google which my guess is used for testing net connectivity.


Now this PE image is mapped into the dummy process along with a few other things. One is a segment which contains the Loaders folder path + some data about your hardware id.

The actual hack is also mapped into the MIM process however it is encrypted I mean you can kindof guess it by the filesize just look at dump_9.dll’s filesize 😛

Oh yeah there is also another module which gets mapped which they inject into Steam this is just a guess but I think it has something to do with altering vac3 and basic housekeeping functions


Hack Loader

Now when you run Steam the middle man process maps the Steam module into steam and waits for CSGO.exe

Once counter-strike global offensive is running it will begin to map itself into csgo. Once again PE header of the image is there they map the sections along with your hwid segment which has the path to the loader. The ascii path is plaintext they don’t do any xor or any other method of hiding it.


Cracking the file open in IDA we notice a few things. :0 Looks like the addresses are fixed to that instance of injection (they are based around 0x30000000). My guess is the server or the loader relocates the addresses on each run it can be fixed easily though.

Some strings are encrypted “sub_314770” using key e3ab54f47028db88209bbfce1af2bfa4 however we can see either they got lazy or forgot to encrypt these



A simple signature search for “\Unityhacks\” in the csgo address space will be enough to detect this cheat. Emulating the hwid function and cracking this cheat is also feasible some have done it in the past eg. CaptionJack @ r3cheats just takes a little time to write a emulator which maps the required sections and patches the image for run.

If you want a copy of the dumped files + hack image for analysis purposes pm me I will not post public links nor will I post a working crack.


Posted in Main | Tagged , , , , , , , , , , , , , , | Leave a comment

Valve got it wrong once again

So you may remember the incident from a long time back when a whole bunch of Modern Warfare 2 users got VAC banned for no reason.

For those who haven’t been following the VAC team they have been in somewhat of a hibernation over the past months as VAC bans handed out were not targeting specific P2Cs (Pay 2 Cheat). However more recently they have come back and are now actively targeting cheat providers again. The last update to Steam shows that VAC3 is now loaded when you sign into an account this isn’t really an issue if you know the ways around it (I have a VAC disabler in the works coming soon to but they are more aggressively scanning for cheat software now before a VAC secured game is even launched.

This aggression has shown some downside as some false positives were in fact stated by the VAC team today on reddit.


Research work on VAC and such will most likely be posted on UnknownCheats or this blog if you are interested.

Posted in Main | Tagged , , , , , , | Leave a comment

Teardrop WIP

I’m working on a DLL injector which utilizes the various techniques of remote code injection. I haven’t really done any research or anything interesting hence my lack of posts on this blog.


Posted in Main | Leave a comment




If you have been following my stuff you most likely know already 🙂


Posted in Main | Leave a comment

VAC3 Dump (5/04/2016)

VAC3 Dump (5/04/2016)

So the CSGO majors are over, hoping for a big ban wave to flood out the idiots in the scene decided to do a vac3 dump to see if anything has changed since it’s been a good 3 months since I’ve last looked at VAC. There was a few modules deployed prior to this month

File: vac_module_8_e2014210dee9ef00edb44b1a0dcfee9d535b87ea.dll
Debug TimeStamp: 2/03/2016 8:44:49 AM
File: vac_module_3_8750686ddaf3e5a9c7559b0cd5d4fd2719a5c10a.dll
Debug TimeStamp: 9/03/2016 1:29:52 PM
File: vac_module_13_33221c8ce2195501792009c9d07db7fdf0c70345.dll
Debug TimeStamp: 22/03/2016 4:57:10 PM
File: vac_module_20_fd593d82e14e8702383e6ad0aa473e0de5795249.dll
Debug TimeStamp: 31/03/2016 9:42:21 AM

Full download of the modules can be found on UnknownCheats

Posted in Main | Tagged , , , , , , | Leave a comment