EXE Signature

[guru]

Hi,

I think you all know about VAC. VAC has started using EXE signature scans to detect cheats(Famous of them is mw2 external esp hack detection. Detected after 9 months of hard work). Do any body know how exe signatures are scanned? Or how the scan is performed? Because sph4ck has started to program exe which would act like a scrambler to avoid vac detection. If we get an idea about exe signature scanning we can get our cheats undetected from vac. So any valuable points regarding EXE signature scanning are welcomed.


Note: Mention how VAC checks an exe(like checking readprocessmemory function in exe or method names like aimbot, readgame data).

 

[Fleep]

I agree with you on this Guru, dealing with Vac is something I am still inexperienced with, maybe someone with some knowledge in cheat detection can provide some input here.
I am hoping to tackle this problem soon also, but like anything having an idea of how the anti cheat behaves is always helpful to know.

From what I read a while back, most functions are detected by Vac, including ReadProcessMemory WriteProcessMemory etc. This pretty much removes any external hacks from the picture.

Obviously with this in mind DLL's and C++ is the way to go, other than that any extra info is awesome sauce.

Fleep

 

[guru]

And fleep one more way to get around VAC is simple thing. Run your hack in python or java(very few people use java for game hacking). Because you need not create an exe while using python or java(or any other language that don't create exe before executing). VAC scans only EXE not the run environment in programming(means it don't check for either we are running java or python simultaneously). This is the present way people use to get around VAC bans.

Apart from this, we need to know how to scramble the exe to avoid detection since we make our hack mostly in c++ and winapi. If we get the idea on exe signature scanning we can scramble our exe to what ever level we need.

 

[Fleep]

Interesting stuff, but wouldnt Java and Python limit the amount of things your hack can do?, I'l have a look into that when I start focusing on bypassing anti-cheat.

Fleep

 

[guru]

Did you look at the source code which i posted in c/c++ section. My friend is trying to port that code to python. He has done almost everything expect fixing structs in python. Actually he got full functionality in his hack. When he runs his hack, we see no difference between exe and python code. Soon me too would be moving to python or do a difficult job of java using open gl .


Once we started to run hacks using java/python then detecting them is very difficult as java create only class file (unlike exe) which cannot be inspected except for JVM. I don't know much about python. But class file is difficult to inspect without help of java virtual machine.


Even though we get ton of info on how to avoid vac bans. Knowledge on exe signature scanning would help us create hack soon with usual c++ way. My hack for 4d1 would be soon detected. It has drawn attention from 4d1. Soon they would fix the hack. Simple exe signature scanning would ban my hack. Injecting dll is definitely a 'no'. VAC is particular about exe and other dll file checks that the game is not modified in client.

 

[BlackPitchPL]

Most of pay hack are not block the vac They only look if vac try to make a screen shoot and ofc they have special function's to inject and i also know that they are inject after the vac is running not at start

 

[guru]

Blackpitchpl, could you please elucidate further into it? And also what do you mean by special functions? Just curious

 

[BlackPitchPL]

I'm not a specialist in this case that's all i was mean that they r using more complicated injection method .

 

[justintcs]

Sir Fleep, I need your help to code something to bypass these anti-cheat program. We need to fills memory with random data and a piece of code, It avoids any anti-cheat program to be able to detect this hack by looking at fixed memory locations. Because idk how to write some code to fills memory with random data.

 

[nomad]

OK so I was thinking about this quite a lot and I think I have a possible solution. If any of you have ever looked into AV bypass you would know what metasploit is.

if not I would look it up and focus on encoders.

Would the encoding function be adaptable too making a randomized exe signatures to bypass VAC, in much the same way as it does for AV.

Memory scanning for patches or hooks is a different story though.

 

[Departure]

An exe signature is an array of bytes, which could be one of the functions that is common with game hacks, This could be searched in memory or the dll on disk, So standard exe packers wont help you here if its scanned in memory as the code is unpacked in memory. What you need is something like themida or similar that does a couple of nice things, first it doesn't decrypt/unpack the code in memory until its needed and secondly it creates like a virtual machine emulation for your code to run in, Top that of with anti dump themida provides and you have a pretty good start of avoiding the signature detection. you could also code polymorphism functions which change its signature every time its its executed.

 

[guru]

https://www.exetools.com/protectors.htm

Check these tools. In particular, "upx-scrambler". Would it be able to bypass the normal vac's EXE signature scanning?!

 

[Drew]

Sorry to reply on an old post but i wanted to say something about this topic,if your saying VAC is detecting an external hack which is a seperate exe then VAC has to be checking every process in the task manager for that signiture there for has to be using WINAPI functions Process32First,Process32Next, my guess to avoid VAC from detecting your external ESP is to hook OpenProcess within steam and make the process id to something like 0,that way VAC cant open the process handle and run ReadProcessMemory on the target exe,just my suggestion,great forum btw...

 

[Splaze]

Drew Sounds good, but there are still other solutions to get your hack undetected.

 

[kokole]

If you would like to avoid VAC, my suggestion is to disable it by hooking the imported functions it uses. VAC is loaded into steam.exe and it reads memory from the game process or other processes using ReadProcessMemory and NtReadVirtualMemory. Here is a list of them:

- kernel32.dll -

LoadLibraryExA
FreeLibrary
GetProcAddress
GetCurrentProcess
GetCurrentProcessId
GetLastError
SetLastError
GetModuleHandleA
GetModuleFileNameA
OutputDebugStringA
CloseHandle
OpenProcess
ReadProcessMemory
Sleep
SuspendThread
ResumeThread
GetThreadContext
GetCurrentThreadId
GetSystemInfo
GetSystemDirectoryA
GetWindowsDirectoryA
GetVersionExA
VirtualQuery
VirtualQueryEx
VirtualAlloc
VirtualFree
VirtualProtect
IsBadReadPtr
FlushInstructionCache
GetProcessHeap
HeapAlloc
HeapFree
CreateFileA
CreateFileW
SetFilePointer
GetFileSize
ReadFile
GetFileInformationByHandle
GetVolumeInformationW
CreateToolhelp32Snapshot
Heap32First
Module32First
Module32Next
Process32First
Process32Next
Thread32First
Thread32Next

- ntdll.dll -

NtReadVirtualMemory
NtQueryVirtualMemory
NtMapViewOfSection
NtOpenProcess
NtQuerySystemInformation
NtQueryInformationProcess
NtClose
NtQueryObject
NtDuplicateObject

- psapi.dll -

GetModuleInformation
EnumProcessModules
GetModuleBaseNameA
GetModuleFileNameExA
EnumProcesses
GetMappedFileNameA
GetProcessImageFileNameA

- advapi32.dll -

OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges

- dbghelp.dll -

StackWalk64
SymFunctionTableAccess64
SymGetModuleBase64

- version.dll -

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

- kernel32.dll -

GetModuleHandleExA
OpenThread
AddVectoredExceptionHandler
EncodePointer

Those aren't ALL of the imported functions it uses, but they're most of them. Also, don't change the bytes of the imported functions by detouring or mid-hooking because VAC checks for that.

 

[c5]

Will a simple IAT hook do the trick or do they also check where the function is located?

 

[kokole]

Will a simple IAT hook do the trick or do they also check where the function is located?

Not sure actually.

 

[brinkz]

As far as I remember they are detecting IAT Hooks, yes.

 

[NTvalk]

What malware developers do to bypass antiviruses is randominzing the filename/location and adding random file contents to the end of the file.. that should change the exe signature too rigth?

 

[c5]

What malware developers do to bypass antiviruses is randominzing the filename/location and adding random file contents to the end of the file.. that should change the exe signature too rigth?

Randomizing filename or location is a very weak protection, the same applies to adding random data at the end of the file. A strong virus will have good metamorphic code that mutates the payload and itself thus making it signature proof.