Everything posted by Narvikz

  1. It was developed for almost 10 years keeping pace with Microsoft releases, way before XP / ME / 2000 or even 98. I find it hard to link it with any kind of leak as opposed to a research project. Afaik Windows source code leaked 3 years or so ago, but prior to that we hadn't taken a peek in some decades. idk what's the need for that tin foil hat, Microsoft even provides symbols for most of their stuff. It was not based off stolen code.
  2. Yea ok. I will not be discussing this with you, but my fault for dropping it in without any context anyway. ReactOS reached Windows Server 2003 compatibility, then the project was halted due to loss of interest. Anyone who can understand it sees the point has been proven and that kernel integrity checks were not really needed for ReactOS, nor would it make sense to enforce its own root authority chain of trust nor Microsoft's in their own research OS. I really hope you're not Frankie. I've never seen martysama's thread but I remember how annoying that guy was over Skype asking for information like he actually needed that money to be partying or something. I am not surprised by the turn of events. bad joke bad
  3. It would literally take me 10 minutes to put together so many words let alone organize them in coherent sentences. Hell, if I wanted to fool someone into believing I'm some kinda Ivy League PhD biochemist for reddit in so many words it'd probably take me more like 20. I'm betting you took 30 minutes to come up with this post alone. Why don't you grab a book in your free time? Oh and BTW reverse engineering is miraculous. Surprise surprise, there's WinServer2003-compatible Windows reversed from source: [Hidden Content] mind = blown
  4. Yes, everything is possible. I don't think you will though. If you ever get through this import-resources nonsense issue into the technicalities feel free to HMU, if we're talking about the client that is and not the whole back-end server suite, you may be feeling suicidal and I don't wanna get your hopes up
  5. Uh, partly actually, a year ago. Cheats at this point are ridiculously easy to detect or block. That's not the point however. What I'm saying is unlike anyone else that's tried, I can and will deliver. And I'll deliver an overkill solution.
  6. Yea, I know about Frankie and his tricks, when I exposed him he tried to make friends with me for information on how to defeat m2bob, hilarious kid. You wouldn't have an issue with my solution, cheaters wouldn't stand a chance lol. About unpacking protection, what's wrong with VMProtect 3? It's really strong I heard. I can't really develop a virtual machine system to run code within in feasible time but might work on something later on.
  7. That is absolutely outrageous. Very good answer to every question I had. Thanks very much, looking for more answers. EDIT: What about solutions on the market? They claim to block m2bob, are they all scamming (not surprised if so)?
  8. So, some of you may know me, my name isn't deeply tied to the metin2 scene but I've appeared enough in it. For those who don't, let's just put it like this: I'm a knowledgeable guy, and I'll prove it. Deeply tied to the cheating community, I've worked and stayed under the radar in several anticheats, from small proprietary ones like MLG Anticheat (NewZ), worked on disabling known-to-you anticheats like HackShield without really any difficulty. I've gone up against BattlEye and Valve's Anti-Cheat multiple times in multiple games having established a known name in the CS:GO scene, I've since gone up against the BattlEye rootkit, and went undetected on state-of-the-art anticheats like ESEA. I've defeated anticheats like EAC, ESL Wire, 5EWin, CEVO Celavimus, FaceIt server-side anticheat where I led public research on how to bypass it and released a full explanation of their tech on popular cheating forums. I've developed kernel-mode solutions to cheating in several anticheats like BattlEye, EAC, ESEA, FaceIt client on demand from customers (Oh, did I mention I'm a freelancer?). I've had ties with multiple pay 2 cheat websites and SandMann016 himself and I even worked on one in the past. So, I can deliver. It takes a hacker to beat cheating. If I push this to the market this will be a killing blow on cheating on metin2. Now my questions: Is there still a demand for anti-cheating solutions? Are solutions on the market any good? What is my competition? Thanks everyone
  9. This tutorial is absolutely useless and everyone using it deserves to be exposed to the mediocrity behind it. At the very least, to have a reliable HWID generator you want to use (as a bare minimum, you could do it way more complicated) GetAdaptersInfo to retrieve the MAC address of the network adapter and DeviceIoControl to get the serial number of the disk, and then hash them combined to generate a unique string to identify the machine.
  10. Hackshield is a useless piece of software, its developers are incompetent.
  11. It's really easy to do something like this. You'll want to store the hashes (use your favourite hash algorithm for this matter) of the remote files in a public location so that they can be accessed by the client, and have an organized tree of your remote files. Whenever the client is booted you'll check the hashes of the local files and match them against the remote server. If they're different then just transfer them (careful about potential memory leaks and make sure to flush your memory buffer to disk from time to time, just general good practices). If a file is missing, transfer it anyway.
  12. The RPi's CPU is an ARM-based CPU, what you installed was probably the ARM port of FreeBSD, which anyway won't run these ELF files. You could try and compile it for the ARM architecture with a compiler, perhaps you could even cross-compile it from your original computer if you find an ARM cross-compiler, maybe it will work, but you can't run the x86-32/x86-64 ELF file directly.
  13. What an executable packer does is run a compression algorithm on the original executable and generate a new executable which will uncompress it at runtime and set up the process environment so you'll run it; depending on how large and how optimized this algorithm is your mileage may vary but it might very well decrease the total size. This is what software like UPX does and to counter this you might either reverse engineer how the compressed payload is uncompressed and do it yourself, intercept the process procedures at runtime right after it is uncompressed but before the process environment is all changed and dump it from memory, or dump the final state of the process and rebuild some of its (potentially) damaged sections. Now, probably you're also up against code virtualisation on top of that, which will allow you to store the actual instructions in a byte array as data and run them through a VM that will interpret them; to counter this you'll have to try a little harder. You can't simply decompile a portable executable file, that doesn't make sense, code is interpreted and turned into assembly by a compiler and there's no real reliable way to go back from that, it's just not how it works. Additionally, you should be specifically careful since there are red flags on the executable pointing towards a Ramnit malicious payload, this is a PE infector virus that once on a machine will search for portable executable files, append a new malicious section and replace their entry point to run that malicious section. This will effectively ruin all your programs and there's no coming back from that, so I suggest you do not open that ever. Also, fuck off for bashing an upcoming reverse engineer, you guys are cancer and a shame to the free Internet.
  14. To be honest at the time we talked I wasn't even remotely capable of doing anything remotely close to what I am now, 2-3 years passed I think? Glad to see it's all going well with your business, mine's had better days honestly, there were months where I could easily hit 5K€ back then, now I'm banking none lol, but hey no worries, I'm rethinking another approach on my projects. You're welcome, I mean, the dude clearly circumvents the piece of bloatware this is meant to primarily work on, but he could've thought out of the box and gone way further than that, his system is so flawed. Using syscalls for this kind of stuff isn't hard, what's hard is actually getting all the indexes you need to work on all the operating systems you want it to work for, this means easily > 20 indexes for each system function you want to call. There's information online already with the indexes for operating systems ranging from Windows XP to Windows 8, however there's stuff clearly missing there like Windows Server 2003 R2, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, Windows 10 and Windows Server 2016, you gotta do your homework for those. You can check a public table here: x86 | x86-x64. It's relatively easy to implement them though, you can even do wrappers quite easily if you don't have a prologue/epilogue on your function using the naked keyword. EDIT: The patcher files are now located at this subdomain: ni871050_1.vweb02.nitrado.net - obviously Slait's been lurking around and seen this, now there's no public list of files available but the harm that there was to be done was already done by now, I guess it's pointless to just change your subdomain now isn't it Slait?
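The hash-manifest update check described in this post, as an added example that is not code from the original post: the server is assumed to publish a manifest mapping relative path to SHA-256 digest (the post leaves the algorithm to you), and only the compare-and-decide step is shown, not the download itself.

```python
"""Decide which client files must be re-downloaded by comparing local
files against a server-published hash manifest. Added example; the
manifest format (relative path -> SHA-256 hex) is an assumption."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB chunks so large files never sit in RAM whole


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed in chunks (the post warns about buffers)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_update(manifest: dict[str, str], local_root: Path) -> dict[str, list[str]]:
    """Classify every manifest entry as missing, stale, ok, or rejected.

    A manifest fetched over the network is untrusted input, so entries
    that would resolve outside local_root (e.g. '../x.dll') are rejected
    instead of being written wherever the server says.
    """
    result: dict[str, list[str]] = {"missing": [], "stale": [], "ok": [], "rejected": []}
    root = local_root.resolve()
    for rel, expected in manifest.items():
        target = (root / rel).resolve()
        if root not in target.parents:
            result["rejected"].append(rel)
            continue
        if not target.is_file():
            result["missing"].append(rel)       # absent locally: fetch anyway
        elif file_digest(target) != expected.lower():
            result["stale"].append(rel)         # digest differs: re-download
        else:
            result["ok"].append(rel)
    for key in result:
        result[key].sort()
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one current file, one changed, one absent, one bad path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pack").mkdir()
        (root / "pack" / "item_proto").write_bytes(b"current contents")
        (root / "metin2client.exe").write_bytes(b"old build")
        manifest = {  # constructed "remote" manifest
            "pack/item_proto": hashlib.sha256(b"current contents").hexdigest(),
            "metin2client.exe": hashlib.sha256(b"new build").hexdigest(),
            "pack/skill_proto": hashlib.sha256(b"never downloaded").hexdigest(),
            "../outside.dll": hashlib.sha256(b"x").hexdigest(),
        }
        return plan_update(manifest, root)


if __name__ == "__main__":
    print(demo())
```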
  15. Hello guys. I'm Narvikz, I've been in the Metin2 scene since forever, actually I feel like I'm kind of the furniture already and unluckily full of dust by now. This will actually be one of the few contributions I've given to metin2dev, I jumped ship a while back since this game died but apparently some trolls still support it, anyway that's not related to this thread so let's keep it out of here. As there's still demand for some reason, so is there a supply of game hacks, it's the basics of games: the more players there are, the bigger the market for payhax and so the more profitable they are. I was contacted by a friend of mine (Runah Services) who told me that he wasn't able to detect m2bob in any way, he also said that there are very few people who are doing it and those who are able to detect it were keeping it private, he did not find anyone providing a satisfactory service to protect against these tools. What do I have to say about this? You fools, you clueless fools. So, let's face it, you guys just don't have a clue about what you are doing. Right off the bat I could enumerate dozens of ways to systematically detect that m2bob is running on some system and think of its basic architecture. But first, let's talk about its architecture and how we can defeat it.

      Architecture

      M2Bob - Patcher.exe: This is the start-up process when you first start using M2Bob, this will generate a 128-bit digest (probably MD5) for each file that is to be checked on disk, send it through a POST HTTP request to an API that will compare the client-side files to the server-side up-to-date files, and if any file's digest is any different it will download the most up-to-date file using the HTTP protocol and replace it on disk. This patcher will connect to a web server hosted at the subdomain ni220471_1.vweb02.nitrado.net and as you can see in the spoiler, little reservations has Slait as to what's hosted there.

      Once everything is updated it will open M2Bob.exe, which we'll talk about next.

      M2Bob.exe: This file, when opened from outside Program Files, will create a randomly named (yet with constant size, 10 characters) folder inside the Program Files folder of your computer and then another one with the same template. After that it will spawn a copy of itself with a random name (yet the same size once again) and do the same for M2Bob_Dll.dll, changing its extension to ".e" instead of "dll". After that it will open that randomly named executable and execute from there. Once you press the button to start the game it will spawn a metin2client instance and inject its module into the process memory. After that it doesn't close the open HANDLE to the game, which leaves us a HUGE detection vector to take advantage of.

      M2Bob_Dll.dll: This module, once injected into metin2client, will run a few signature scans to find the game's subroutines it needs to call in order to simulate game actions. If you take a look into the module's memory you can see those patterns and their masks quite easily, this uses a standard FindPattern function that's been around since the very start of the cheating scene. It will then automate the actions of the player using complex algorithms which are not relevant for what we care about. Security-wise all M2Bob does is hook Module32Next and, whenever at your iteration through the module list you hit the m2bob randomly named module, it jumps to the next one, successfully hiding its module from the simplest of all module enumeration techniques. Good job Slait, always work for the minimal standards and do not think out of the box. The hooking method used is the BIGGEST PILE OF CRAP I'VE EVER SEEN being done on a Windows NT based operating system. This is still a detour with a trampoline hook at function start but instead of replacing the first 5 bytes with a JMP + 32-bit absolute memory address he does THE MOST RETARDED SHIT I'VE SEEN IN A WHILE.

      Trust me guys, I've seen so much retarded shit lately, but Slait takes the crown on this one, he really deserves it since he's put a lot of effort into this. Instead of copying the first five bytes of this function, replacing them with a simple JMP to a memory region that has these first five bytes followed by his detour function and then a trampoline JMP back to where it all started, he managed to do an 8 FUCKING BYTE LONG inline hook, when literally every Windows API function is compatible with hotpatching (easy first-5-bytes hooks).

      System Overview

      The whole system is really weak, it circumvents the protection mechanisms it is supposed to, which are a PILE OF CRAP like HackShield and GameGuard or whatever the fuck GameForge is using nowadays, but it doesn't really think out of the box when it comes to protection and obfuscation. Slait wouldn't stand a chance if GameForge purchased an actual decent service from someone who has a single clue about what they're doing (lol, even fucking Bastian Suter would perform better) instead of this pile of crap. There's no solid DRM and the system is overall really weak and shouldn't take much longer than a few hours to crack for a talented reverse engineer.

      Detection Vectors

      Well, I don't even know where to start, the whole system is flawed and weak, there's holes everywhere so I'll enumerate some quick detection vectors I can think of, and yes, I HAVE TESTED MOST OF THOSE AND THEY WORK.

      Method #1 - Hidden Memory Pages (TESTED & WORKING)
      Iterate through memory pages and, using VirtualQuery, find those which are 4096 bytes long (size of the PE header) and in use; for those check if you can find a DOS MZ executable signature, and if you do then you most probably have a PE header memory page. Cast that memory address to an NT header and check the TimeDateStamp and/or SizeOfCode or other parameters that are constant (there's tons of them) and allow you to uniquely identify m2bob.

      Method #2 - Open HANDLEs to game process (TESTED & WORKING)
      You're gonna have to use the Native API and some undocumented structures and functions to get this done, it's really easy to do so though, shouldn't take you longer than an hour to be able to enumerate all you need to do this. Calling NtQuerySystemInformation with SystemHandleInformation as the first parameter, while the return value of this function is different from STATUS_INFO_LENGTH_MISMATCH or STATUS_BUFFER_OVERFLOW, you are able to populate a SYSTEM_HANDLE_INFORMATION object which will have the first 4 bytes as the count of SYSTEM_HANDLE objects present in an array that follows it. This list, once populated, will contain all the HANDLEs opened in your environment, this means all the File, Registry Key, Process, Thread, etc. HANDLEs will be enumerated and will be in that list. But to know the type of HANDLE you're dealing with you have to first call QueryObject on that HANDLE with ObjectTypeInformation to know more about it. This will get you a UNICODE string that will contain the HANDLE type, you only want the ones that are "Process" so you can filter the irrelevant ones out. Then you can check if the HANDLE is targeting your game's process id (you can get your process id from the PEB of your process), if it is you're gonna want to run some checks on that process to check whether it's a legit one or a blacklisted one. You can do this by opening a HANDLE to it with OpenProcess and PROCESS_QUERY_LIMITED_INFORMATION as parameter. Then you're gonna want to get the executable path on disk using QueryFullProcessImageName, from there you can just read the first 4096 bytes of that file, cast them to an NT header and do the same checks as mentioned above.

      Alternatively you could just open the handle with PROCESS_VM_READ privileges and use ReadProcessMemory to get the PE header, but PROCESS_QUERY_LIMITED_INFORMATION never fails, even if the process is run as administrator or it is a system process, and since m2bob doesn't use any dynamic forking technique it is pointless to use anything more than that.

      Method #3 - Integrity checks at Module32Next (TESTED & WORKING)
      Okay, this might sound retarded because there's malware that will spread to every process in the target system and hide itself using a user-mode rootkit that might hook Module32Next, thing is, Slait's kind of hooking is so retarded there is no actual way this would raise a false positive. This is his retarded hook: The 1st byte will always be FF, the 2nd will always be 25, the 7th will always be E4 and the 8th stays at a constant F8 as well. Check those and insert a huge dildo in Slait's ass, seriously, it isn't that hard really. Do you think that's even hard? Please......

      Method #4 - DNS Cache (Untested But Will Work)
      So, now we're jumping to the shitty methods that are only here to fill the thread just so you can be proven wrong when you say it can't be done. Basically whenever you resolve a domain name a UDP request is sent to your DNS server asking for the resolution of a certain domain or subdomain, it will answer with some records for that domain, these records contain the IP address it resolves to, and that IP address will be the one you'll connect to using Internet Protocol version 4. Your operating system will cache those resolutions so that each time you need to have that domain resolved it doesn't bother your DNS server with requests each time and there is a faster resolution, you can use this to beat M2Bob once again. You don't wanna look for m2bob.net since that could flag players that just crawled around that website, but if you flag their patch server subdomain, you can actually accurately flag players that have been using m2bob.

      Remember ni220471_1.vweb02.nitrado.net? Yup, flag the shit out of it.

      Method #5 - USN Journal (Untested But Will Work)
      The USN Journal is a system in NTFS that keeps track of changes to files on the user's system. It will contain the timestamp of the said change, the file name and the reason for the log. The first two need no explanation, as to the third it could range from opening the file, deleting, moving, renaming, creating, etc. How's this useful? Remember how opening M2Bob.exe spawns a different executable in the Program Files folder and opens it? Well, you don't access that executable directly, you still open M2Bob.exe, this means that you could just look for entries in the USN Journal in the last 15 minutes or so that contain the name M2Bob.exe and are followed by some program in the Program Files folder a few milliseconds after (or even skip the latter) that has been opened, and just kick the player from the game whenever you detect it.

      Additional Methods
      Detection vectors, detection vectors everywhere, I laugh at all the incompetents that for months tried to do it and failed systematically, you fools, how can you be so clueless? Even though Module32Next is hooked Module32NextW is not, which means that if you use the UNICODE alternative of the kernel32 library you will get unfiltered results - Good fucking job Slait, incompetence at its fittest (inb4 every incompetent out there edits a public anti-cheat source to use Module32NextW LOL). Haven't checked it, but even though the Windows API module enumeration functions are hooked to spoof the results, you should be able to use the InInitializationOrderModuleList, InLoadOrderModuleList or the InMemoryOrderModuleList to find its module. Just be h4rdc0r3 and use syscalls. Since you're incompetent you won't do this, hell you couldn't even get the indexes for your own operating system version let alone do it for 20 different versions per each function you wanna call.

      Anyway just implement the native API functions without actually calling them, this can be done really easily and WITH LITTLE INLINE ASM CODE using naked hooks, that will make sure that you don't break the stack inside of the function. You can look into this HERE. Your function call will be done within the kernel, meaning that this would bypass any hooks placed by Slait. Why the hell would your metin2 game process own 2 windows bruh? Doesn't make sense to me, just kick them dude. Signature scans, this is pointless because his system is all flawed but could be a nice backup resort if he ever decides to use his brain. Pretty sure m2bob has some exported shit in their PE header, just scan for it using the hidden PE header detection shown above. As I'm really fucking tired already of writing a long-ass thread incomparable to anything ever seen before here or anywhere released publicly online I won't even write down any more detection vectors, the system is filled with holes, I think I've proven my point already and it's pointless to keep doing this. This is a rant thread because you guys that own a metin2 server to make a quick buck should be ashamed of how unskilled you actually are, you are complete incompetents that keep leeching public releases and stealing other people's/servers' work, claiming it as your own or often not even mentioning it since people just don't even care any more. You provide public PAID services in an area you don't have a clue about, you're just scamming customers and selling them dreams.

      It is really frustrating for me since I left the scene when I was still a kid, I barely knew English and I stayed mostly on my local country's forums, my contributions back then were merely in the translation area, I put a lot of effort into it now that I think about it, after that I limited my contributions to helping people with general Linux/BSD issues, but then it seemed that owning a Metin2 private server built with pieces and pieces of stolen or leaked work was a trend, and I got really really pissed at the whole scene, I just started trolling all the retards asking for assistance with BSD issues that are from 101 classes, obvious errors that even my grandfather could solve and other retarded threads. Have fun guys, I know most of you won't use this for anything since even being spoonfed all the methods you're so clueless you can't write this down in code, but maybe there's someone out there that will actually use some nice tips like this, and since I gave them to one guy privately on Skype I might as well post them publicly for everyone to see. I've been contacted by SandMann016 to work with him, and to be honest it kind of makes me sad that I am releasing this, I never managed to proceed with those plans but still, he seemed to be a decent guy back when I first met him, but oh well, here it is now. /rant
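Methods #1 and #2 in the post above both come down to taking the first 4096 bytes of an image, checking for the MZ and PE signatures, and comparing a few constant IMAGE_NT_HEADERS fields (TimeDateStamp, SizeOfCode) against known values. The following is an added example of that check, not code from the original post: the header offsets follow the documented PE layout, while the blocklist entry and the sample header are constructed placeholders, not real m2bob fingerprints, and the bounds checks handle a page that merely starts with "MZ" or carries a bogus e_lfanew.

```python
"""Fingerprint a PE header page (first 4096 bytes of an image) by its constant
IMAGE_NT_HEADERS fields and match it against a blocklist. Added example; the
blocklist values and the sample header are constructed placeholders."""
import struct
from typing import NamedTuple, Optional

PAGE = 4096
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


class PeFingerprint(NamedTuple):
    machine: int
    time_date_stamp: int
    size_of_code: int
    entry_point: int


def parse_pe_header(page: bytes) -> Optional[PeFingerprint]:
    """Return the fingerprint fields, or None if `page` is not a sane PE header.

    Every offset is bounds-checked, so a random page that starts with 'MZ'
    (or a hostile e_lfanew) cannot make the scanner read past the buffer.
    """
    if len(page) < 0x40 or page[:2] != IMAGE_DOS_SIGNATURE:
        return None
    (e_lfanew,) = struct.unpack_from("<I", page, 0x3C)
    # Need Signature(4) + IMAGE_FILE_HEADER(20) + optional header through entry point(20)
    if e_lfanew > len(page) - 44:
        return None
    if page[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER
    machine, _nsec, stamp, _symtab, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", page, fh)
    opt = fh + 20  # IMAGE_OPTIONAL_HEADER: Magic, linker versions, SizeOfCode
    magic, _lnk_major, _lnk_minor, size_of_code = struct.unpack_from("<HBBI", page, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC) or opt_size < 20:
        return None
    (entry_point,) = struct.unpack_from("<I", page, opt + 16)  # AddressOfEntryPoint
    return PeFingerprint(machine, stamp, size_of_code, entry_point)


# Constructed blocklist: (TimeDateStamp, SizeOfCode) of modules you want to flag.
BLOCKLIST = {
    (0x5A0B1C2D, 0x0003F000): "placeholder-bot-module-v1",
}


def classify_page(page: bytes) -> Optional[str]:
    """Name the blocklisted module this header page belongs to, else None."""
    fp = parse_pe_header(page)
    if fp is None:
        return None
    return BLOCKLIST.get((fp.time_date_stamp, fp.size_of_code))


def build_sample_header(stamp: int, size_of_code: int) -> bytes:
    """Construct a minimal, well-formed PE32 header page (test input only)."""
    e_lfanew = 0x80
    buf = bytearray(PAGE)
    buf[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    # IMAGE_FILE_HEADER: i386, 3 sections, stamp, no symbols, 0xE0-byte optional header
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 3, stamp, 0, 0, 0xE0, 0x2102)
    opt = e_lfanew + 24
    struct.pack_into("<HBBI", buf, opt, PE32_MAGIC, 14, 0, size_of_code)
    struct.pack_into("<I", buf, opt + 16, 0x1000)  # AddressOfEntryPoint
    return bytes(buf)


if __name__ == "__main__":
    print(classify_page(build_sample_header(0x5A0B1C2D, 0x3F000)))
```

On a live system the same `classify_page` is fed either the VirtualQuery'd page (Method #1) or the first 4096 bytes of the file named by QueryFullProcessImageName (Method #2).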