Cheating in online video-games
Adrien Garin (EPITA)
July 18, 2015

Outline
- Introduction
- Code modification
- Code injection
- Offsets
- Valve Anti Cheat
- No Flash
- ESP
- Conclusion

Slide 2: Intro
- Counter Strike: Global Offensive (2012)
- Source Engine (2004)
- Prize Money Awarded: $5,269,708.88 (4 July 2015)

Figure: CS:GO ingame

Slide 3: What do we want
- AIMBOT / Trigger BOT
- No Flash
- Wall hack
- ESP
- Radar Hack

Slide 4: Cheat theory
- Change code in .text
- Player attributes and info are in memory
- Find the right addresses
- Objects are very often dynamically allocated, so you follow pointers rather than fixed addresses
- Hooking

Slide 5: CSGO code
- csgo.exe (resource loading, some checksums)
- client.dll (C_BaseEntity, EntityList, LocalPlayer, RadareBase...)
- engine.dll
- server.dll

Slide 6: Infinite money
- Current money is in memory
- Use Cheat Engine to find where
- Then find which instruction wrote to this address
- Patch it (this is a client-side patch: against an online server the value is replicated from the server, so it only changes what you see)

Slide 7
Figure: Money IDA

Slide 8: Why
- We need to read and write game memory
- We also want to hook some things
- So we have to inject code

Slide 9: Internal vs External
- You can access the game internally (code running inside csgo.exe) or externally from another process
- Internal cheats can call game functions

Slide 10: LoadLibrary
- The classical method is to call LoadLibrary (or LdrLoadDll) in the target:
  1. Allocate memory for the string "my_module.dll" in the remote process
  2. Write the string at the allocated address
  3. Create a new remote thread whose entry point is LoadLibraryA, with that address as its argument
- But it is not stealthy: the DLL goes through the loader and shows up in its module lists
Slide 11: PEB
    typedef struct _PEB {
        BYTE Reserved1[2];
        BYTE BeingDebugged;
        BYTE Reserved2[1];
        PVOID Reserved3[2];
        PPEB_LDR_DATA Ldr;
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
        BYTE Reserved4[104];
        PVOID Reserved5[52];
        PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
        BYTE Reserved6[128];
        PVOID Reserved7[1];
        ULONG SessionId;
    } PEB, *PPEB;

Slide 12: Get PEB
- The PEB address is reachable through the FS segment register (32-bit process; a 64-bit process finds it at GS:[0x60])

Getting PEB
    PPEB peb;
    __asm
    {
        mov eax, FS:[0x30]   ; TEB + 0x30 = ProcessEnvironmentBlock
        mov peb, eax
    };

Slide 13: Iterate Ldr LinkedList
Figure: PEB
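The walk the figure shows, written out: follow PEB->Ldr->InMemoryOrderModuleList, recover each LDR_DATA_TABLE_ENTRY from its embedded LIST_ENTRY, and compare BaseDllName. This is an added example, not code from the talk. The structure definitions are mirrors of the documented winternl.h layout (field order is right; only the fields used are named, and the sizes follow whatever pointer width the file is compiled with), and the three-module list it walks is constructed in the block so it runs without a Windows process; on a real 32-bit target the head comes from the FS:[0x30] read on the previous slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirrors of the Windows structures, field order as in winternl.h. Only the fields
 * the walk needs are named; on a real process include winternl.h instead. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
typedef struct {
    uint8_t    Reserved1[8];
    void      *Reserved2[3];
    LIST_ENTRY InMemoryOrderModuleList;     /* the list head the loader keeps for us */
} PEB_LDR_DATA;
typedef struct {
    LIST_ENTRY     InLoadOrderLinks;
    LIST_ENTRY     InMemoryOrderLinks;      /* the link InMemoryOrderModuleList threads through */
    LIST_ENTRY     InInitializationOrderLinks;
    void          *DllBase;
    void          *EntryPoint;
    uint32_t       SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;             /* e.g. L"client.dll": UTF-16, Length in bytes, no terminator */
} LDR_DATA_TABLE_ENTRY;

/* Recover the enclosing entry from a pointer to one of its LIST_ENTRY members. */
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

/* Case-insensitive compare of a UTF-16 UNICODE_STRING against an ASCII module name. */
static int name_equals_ci(const UNICODE_STRING *u, const char *ascii)
{
    size_t n = u->Length / sizeof(uint16_t);
    if (n != strlen(ascii)) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t a = u->Buffer[i], b = (uint8_t)ascii[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return 0;
    }
    return 1;
}

/* Walk the circular list until we are back at the head; return DllBase of the match. */
void *find_module_base(PEB_LDR_DATA *ldr, const char *name)
{
    LIST_ENTRY *head = &ldr->InMemoryOrderModuleList;
    for (LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        LDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (name_equals_ci(&e->BaseDllName, name)) return e->DllBase;
    }
    return NULL;
}

/* Constructed stand-in for a real PEB->Ldr: three modules with made-up bases. */
static uint16_t n_exe[]    = {'c','s','g','o','.','e','x','e'};
static uint16_t n_ntdll[]  = {'n','t','d','l','l','.','d','l','l'};
static uint16_t n_client[] = {'C','L','I','E','N','T','.','d','l','l'};   /* case differs on purpose */
static LDR_DATA_TABLE_ENTRY entries[3];
static PEB_LDR_DATA fake_ldr;

PEB_LDR_DATA *build_fake_ldr(void)
{
    uint16_t *names[3] = { n_exe, n_ntdll, n_client };
    uint16_t  bytes[3] = { sizeof n_exe, sizeof n_ntdll, sizeof n_client };
    uintptr_t bases[3] = { 0x00400000u, 0x77000000u, 0x10000000u };
    LIST_ENTRY *head = &fake_ldr.InMemoryOrderModuleList;
    head->Flink = head->Blink = head;
    for (int i = 0; i < 3; i++) {
        memset(&entries[i], 0, sizeof entries[i]);
        entries[i].DllBase = (void *)bases[i];
        entries[i].BaseDllName.Length = entries[i].BaseDllName.MaximumLength = bytes[i];
        entries[i].BaseDllName.Buffer = names[i];
        LIST_ENTRY *link = &entries[i].InMemoryOrderLinks;   /* insert at tail, like the loader */
        link->Flink = head;
        link->Blink = head->Blink;
        head->Blink->Flink = link;
        head->Blink = link;
    }
    return &fake_ldr;
}
```

Two things the walk relies on: the list is circular, so the stop condition is "back at the head", not a NULL check; and Flink points at the InMemoryOrderLinks member, not at the start of the entry, which is what CONTAINING_RECORD corrects for. A manually mapped module (next slides) is never linked into this list, which is why it stays invisible to this enumeration.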
Slide 14: Manual mapping
- Allocate enough space in the remote process
- Patch relocations
- Load dependencies
- Patch imports
- Stealthier than LoadLibrary: the module never goes through the loader, so it is on none of the PEB lists

Slide 15: Differences with ELFs
- ELFs use position independent code
- DLLs don't: they are linked for a preferred ImageBase and ship a relocation table
- DLLs are relocated by the kernel memory manager when they cannot be mapped at that base (with ASLR, effectively always), so a manual mapper has to do the same work itself

Slide 16: PE
Figure: Portable Executable

Slide 17: Relocations
IMAGE_BASE_RELOCATION
- Num relocs = (SizeOfBlock - 8) / sizeof(WORD)
- Each WORD entry: the high 4 bits are the relocation type, the bottom 12 bits an offset within the page at VirtualAddress

    struct IMAGE_BASE_RELOCATION
    {
        DWORD VirtualAddress;
        DWORD SizeOfBlock;
    };

Slide 18
Figure: Relocation block

Slide 19: Import and IAT
- Use LoadLibrary to load each dependency
- Then patch the IAT: resolve every imported symbol (GetProcAddress) and write its address into the thunk
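The relocation step of the manual-mapping procedure (slides 14 and 17), carried out over a constructed image. This is an added example, not code from the talk: `apply_relocations` walks the blocks exactly as the Relocations slide describes (SizeOfBlock formula, 4-bit type, 12-bit offset) and adds the base delta to every HIGHLOW target; the 8 KiB image with three pointers and one relocation block is built in the block so it runs without a real DLL. The import step is not shown because it needs the Win32 loader (LoadLibrary/GetProcAddress) rather than logic of its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirror of the header from the slide, so this builds without windows.h. */
typedef struct { uint32_t VirtualAddress; uint32_t SizeOfBlock; } IMAGE_BASE_RELOCATION;
#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry: skip it */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address: add the delta */

/* Apply every fixup of the base-relocation directory to a flat copy of the image.
 * image/image_size: the mapped image; reloc_rva/reloc_size: the directory entry;
 * delta: actual_base - ImageBase (mod 2^32). Returns fixups applied, or -1 if the
 * table is malformed (truncated block, out-of-image target, unknown type). */
long apply_relocations(uint8_t *image, size_t image_size,
                       uint32_t reloc_rva, uint32_t reloc_size, uint32_t delta)
{
    long applied = 0;
    uint32_t pos = reloc_rva, end = reloc_rva + reloc_size;
    if (end > image_size) return -1;
    while (pos + sizeof(IMAGE_BASE_RELOCATION) <= end) {
        IMAGE_BASE_RELOCATION hdr;
        memcpy(&hdr, image + pos, sizeof hdr);                    /* alignment-safe read */
        if (hdr.SizeOfBlock < sizeof hdr || pos + hdr.SizeOfBlock > end) return -1;
        uint32_t count = (hdr.SizeOfBlock - sizeof hdr) / sizeof(uint16_t);   /* slide's formula */
        const uint8_t *entry = image + pos + sizeof hdr;
        for (uint32_t i = 0; i < count; i++, entry += 2) {
            uint16_t e;
            memcpy(&e, entry, 2);
            uint32_t type = e >> 12, offset = e & 0x0FFF;     /* high 4 bits / low 12 bits */
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_HIGHLOW) return -1;   /* DIR64 (10) is the 64-bit case, not handled */
            uint32_t rva = hdr.VirtualAddress + offset;
            if (rva + 4 > image_size) return -1;
            uint32_t v;
            memcpy(&v, image + rva, 4);
            v += delta;
            memcpy(image + rva, &v, 4);
            applied++;
        }
        pos += hdr.SizeOfBlock;
    }
    return applied;
}

/* Constructed 8 KiB image linked for ImageBase 0x10000000 (not a real PE: just the
 * bytes the relocation walk touches). Three absolute pointers live at RVA 0x1010,
 * 0x1020, 0x1030; one block at RVA 0x1800 covers page 0x1000 with three HIGHLOW
 * entries plus an ABSOLUTE pad, as the linker emits to keep blocks 4-byte aligned. */
#define IMG_SIZE   0x2000
#define PREF_BASE  0x10000000u
#define RELOC_RVA  0x1800u
#define RELOC_SIZE 16u
static uint8_t img[IMG_SIZE];

uint8_t *build_fake_image(void)
{
    uint32_t ptrs[3] = { PREF_BASE + 0x1100, PREF_BASE + 0x0040, PREF_BASE + 0x0200 };
    IMAGE_BASE_RELOCATION hdr = { 0x1000, 8 + 4 * 2 };
    uint16_t ent[4] = { (3 << 12) | 0x010, (3 << 12) | 0x020, (3 << 12) | 0x030, 0 };
    memset(img, 0, sizeof img);
    memcpy(img + 0x1010, &ptrs[0], 4);
    memcpy(img + 0x1020, &ptrs[1], 4);
    memcpy(img + 0x1030, &ptrs[2], 4);
    memcpy(img + RELOC_RVA, &hdr, sizeof hdr);
    memcpy(img + RELOC_RVA + sizeof hdr, ent, sizeof ent);
    return img;
}

/* Rebase the constructed image to new_base; returns the fixup count. */
long relocate_fake_image(uint32_t new_base)
{
    build_fake_image();
    return apply_relocations(img, IMG_SIZE, RELOC_RVA, RELOC_SIZE, new_base - PREF_BASE);
}

uint32_t fake_pointer(uint32_t rva)     /* read back a pointer after relocation */
{
    uint32_t v;
    memcpy(&v, img + rva, 4);
    return v;
}
```

The delta is computed in 32-bit modular arithmetic on purpose: moving an image down (new base below the preferred one) wraps, and the add on each target wraps back to the right value. The bounds checks matter for a mapper because the image it is processing came from disk and a bad SizeOfBlock or offset would otherwise write outside the allocation.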
Slide 20: Getting offsets
- We have a static pointer in the .bss section
- We have to find its location

C_BasePlayer.cpp
    static C_BasePlayer *s_pLocalPlayer = NULL;

Slide 21: Sigs
- The game client is often updated
- Offsets change
- We don't want to waste time, so we locate them by signature instead of hardcoding them

Slide 22
Figure: LocalPlayer offset

Slide 23
Instructions
    lea esi, [eax * 4 + XXXX]
    mov [XXXX], edx
    mov eax, [ecx + 0x8]
    mov ecx, [eax + 0x4]

Signature (0x00 marks the bytes that change between builds: the two disp32 operands and the last displacement)
    const uint8_t sigs[] =
    {
        0x8D, 0x34, 0x85, 0x00, 0x00, 0x00, 0x00,
        0x89, 0x15, 0x00, 0x00, 0x00, 0x00,
        0x8B, 0x41, 0x08,
        0x8B, 0x48, 0x00
    };
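A scanner for the signature above, with two things the slide's byte array alone cannot express: an explicit mask (a literal 0x00 cannot say "don't care" without also matching real zero bytes) and a uniqueness check, since a signature that matches twice hands back a wrong address after the next update. This is an added example, not code from the talk; the `.text` fragment it scans is constructed (the four instructions with made-up operands inside a small function), and the module base 0x10000000 used to turn the address into an offset is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Scan buf for sig. Bytes whose mask char is 'x' must match; '?' are wildcards.
 * Returns the offset of the first match, or -1. */
long find_pattern(const uint8_t *buf, size_t len, const uint8_t *sig, const char *mask)
{
    size_t siglen = strlen(mask);
    if (siglen == 0 || len < siglen) return -1;
    for (size_t i = 0; i + siglen <= len; i++) {
        size_t j = 0;
        while (j < siglen && (mask[j] == '?' || buf[i + j] == sig[j])) j++;
        if (j == siglen) return (long)i;
    }
    return -1;
}

/* Same scan, but refuse a signature that matches more than once. Returns -2 when ambiguous. */
long find_unique(const uint8_t *buf, size_t len, const uint8_t *sig, const char *mask)
{
    long first = find_pattern(buf, len, sig, mask);
    if (first < 0) return -1;
    size_t next = (size_t)first + 1;
    if (next < len && find_pattern(buf + next, len - next, sig, mask) >= 0) return -2;
    return first;
}

/* Little-endian disp32 at buf[off..off+3]. */
uint32_t read_disp32(const uint8_t *buf, size_t off)
{
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* The slide's signature with an explicit mask: the two disp32 operands and the
 * last displacement are the bytes that move between builds. */
static const uint8_t SIG[]  = { 0x8D,0x34,0x85,0,0,0,0, 0x89,0x15,0,0,0,0, 0x8B,0x41,0x08, 0x8B,0x48,0 };
static const char    MASK[] = "xxx????xx????xxxxx?";
static const uint8_t MOV_OPCODE[] = { 0x8B };   /* deliberately non-unique, for the ambiguity check */

/* Constructed .text fragment (not real client.dll bytes): a prologue, the four
 * instructions from the slide with made-up operands, then a ret. */
static const uint8_t FAKE_TEXT[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,          /* push ebp; mov ebp,esp; sub esp,0x10 */
    0x8D, 0x34, 0x85, 0x20, 0xA0, 0x4B, 0x10,    /* lea esi,[eax*4+0x104BA020]  (offset 6) */
    0x89, 0x15, 0x08, 0xB0, 0x4B, 0x10,          /* mov [0x104BB008],edx         (offset 13) */
    0x8B, 0x41, 0x08,                            /* mov eax,[ecx+8] */
    0x8B, 0x48, 0x04,                            /* mov ecx,[eax+4] */
    0xC3                                         /* ret */
};

/* Locate the pattern and pull the two absolute addresses out of it. Subtracting the
 * module base (assumed 0x10000000 here) turns the static's address into an offset
 * that a sig scan can re-derive after an update. */
long     fake_match(void)        { return find_unique(FAKE_TEXT, sizeof FAKE_TEXT, SIG, MASK); }
uint32_t fake_lea_target(void)   { return read_disp32(FAKE_TEXT, (size_t)fake_match() + 3); }
uint32_t fake_store_target(void) { return read_disp32(FAKE_TEXT, (size_t)fake_match() + 9); }
uint32_t fake_store_offset(void) { return fake_store_target() - 0x10000000u; }
```

The operand positions come from the encoding: `8D 34 85 disp32` is three opcode/ModRM/SIB bytes then the displacement, and `89 15 disp32` is two bytes then the displacement, so the reads are at match+3 and match+9. Which of the two statics is `s_pLocalPlayer` is what the disassembly in the figure tells you; the scanner only recovers the addresses.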
Slide 24: Protecting offsets
- Some cheaters want to protect their offsets by packing the cheat
- The IAT is destroyed, so you cannot hook WriteProcessMemory through it
- But you can still hook the native API: WriteProcessMemory calls NtWriteVirtualMemory in ntdll

Slide 25: VAC
- Several modules
- Not on the filesystem
- Loaded by steamservices.exe
- Encrypted in .data
- Manually mapped into steam.exe
- Not all loaded at the same time
- No information available when you get banned
- Bans are delayed
- No kernel module

Slide 26: Dump
1. Put a breakpoint in steamservices.exe just before it injects into steam.exe
2. Find where VAC is located in .data
3. Dump it

Slide 27
Figure: Dump VAC IDA

Slide 28: Behaviour
- Checksums game binaries
- Checks if you disabled DSE (Driver Signature Enforcement) on Windows x64
- Checks if you hooked things in kernel32.dll
- It was checking your DNS cache
- Reads the memory of processes that opened a handle on csgo.exe
- It looks for known public injectors

Slide 29: Loaders
- VAC mainly uses signatures
- If you release a public cheat it will be detected soon
- Use a loader to make the generated code unique:
  - Junk code addition
  - Change the order of structs
  - String encryption

Slide 30: String encryption
- VAC is also scanning your string literals
- Don't forget to encrypt them

Slide 31: How (No Flash)
- m_flFlashMaxAlpha is a float in [0.0f, 255.0f]
- Create a thread which checks whether its value is > 0.0f
- If so, write 0.0f

Slide 32: Internal (ESP)
- Glow effect since Source SDK v2013
- Handled by a GlowManager
- 2 boolean values to set
- You can set the color
- The engine uses the stencil buffer to draw a glow around entity models

Slide 33
Figure: VMT

Slide 34: PaintTraverse hook
- g_pVGuiPanel object
- Method PaintTraverse
- Method 41 in the vtable of g_pVGuiPanel
- thiscall calling convention (this is passed in ecx)
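The VMT hook from this slide in portable C: replace slot 41 of the object's vtable with our function, keep the original pointer, and chain to it so the engine still paints. This is an added example, not code from the talk; the object and its 42-slot table are constructed stand-ins for `g_pVGuiPanel`, and the PaintTraverse parameter list (panel, forceRepaint, allowForce) and all helper names are assumptions. In the real 32-bit client the method is `__thiscall`, so the hook is declared `__fastcall(void *ecx, void *edx, ...)` to receive `this`; here a plain C function with `self` first stands in for that.

```c
#include <stddef.h>
#include <stdint.h>

/* A C++ object with virtual methods starts with a pointer to its vtable, an array of
 * function pointers; PaintTraverse is slot 41 of g_pVGuiPanel's. */
typedef void (*paint_fn)(void *self, unsigned int vgui_panel, int force_repaint, int allow_force);
typedef struct { paint_fn *vtable; int paint_calls; } panel_t;

#define PAINT_TRAVERSE_INDEX 41

static paint_fn g_original_paint = NULL;   /* saved so the hook can chain to the engine */
static int      g_hook_calls     = 0;

/* Stand-in for the engine's real PaintTraverse. */
static void original_paint_traverse(void *self, unsigned int panel, int force, int allow)
{
    (void)panel; (void)force; (void)allow;
    ((panel_t *)self)->paint_calls++;
}

/* Our replacement. It runs every frame inside the render path, which is why ESP
 * drawing goes here. */
static void hooked_paint_traverse(void *self, unsigned int panel, int force, int allow)
{
    g_hook_calls++;                                  /* draw boxes / names here */
    g_original_paint(self, panel, force, allow);     /* then let the engine paint */
}

/* Overwrite one vtable slot and return what was there. In the real client the table
 * sits in client.dll's read-only data, so VirtualProtect() it writable first. Every
 * instance sharing the vtable is hooked at once. */
paint_fn hook_vtable(void *object, size_t index, paint_fn replacement)
{
    paint_fn *vt  = *(paint_fn **)object;
    paint_fn  old = vt[index];
    vt[index] = replacement;
    return old;
}

int install_hook(panel_t *p)
{
    g_original_paint = hook_vtable(p, PAINT_TRAVERSE_INDEX, hooked_paint_traverse);
    return g_original_paint == original_paint_traverse;
}
void uninstall_hook(panel_t *p)  { hook_vtable(p, PAINT_TRAVERSE_INDEX, g_original_paint); }

/* Constructed object and 42-slot table standing in for g_pVGuiPanel. */
static paint_fn fake_vtable[PAINT_TRAVERSE_INDEX + 1];
static panel_t  fake_panel;

panel_t *build_fake_panel(void)
{
    for (size_t i = 0; i <= PAINT_TRAVERSE_INDEX; i++) fake_vtable[i] = original_paint_traverse;
    fake_panel.vtable = fake_vtable;
    fake_panel.paint_calls = 0;
    g_hook_calls = 0;
    g_original_paint = NULL;
    return &fake_panel;
}
panel_t *fake_panel_ptr(void) { return &fake_panel; }

/* What the engine does each frame: an indirect call through slot 41. */
void engine_frame(panel_t *p)  { p->vtable[PAINT_TRAVERSE_INDEX](p, 1u, 1, 1); }
int  paint_calls(void)         { return fake_panel.paint_calls; }
int  hook_calls(void)          { return g_hook_calls; }
```

Because the table is shared, this is also an easy thing for VAC to check: a slot that points outside the module that owns the vtable is a hook. Swapping the object's vtable pointer for a private copy (rather than writing into the original table) is the usual answer to that, at the cost of only affecting one instance.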
Slide 35: External
1. Run the game in windowed mode
2. Open a transparent window on top of it
3. Draw your stuff at the enemies' positions

Slide 36: TriggerBot
- m_inCrossHairId at offset 0x2410
- Attacks are handled with a boolean value

Slide 37: Conclusion and other stuff
- Don't use existing tools
- Make your cheat unique
- Kernel cheat?