Tutorial MTA: SA's kernel mode anticheat is a joke (information)


iPower

Piece of shit
Moderator
Escobar Tier VIP
Fleep Tier Donator
Jun 29, 2017
574
19,508
64
Game Name
MTA: SA
Anticheat
MTA: SA Kernel Mode Driver
How long you been coding/hacking?
Idk
Coding Language
None
So in the past few days I've been reversing MTA: SA's anti cheat and I decided to start out with the driver (FairplayKD.sys) because I wanted to be able to inject my stuff without any problem. Here I'm gonna show you why this driver is a joke.

To dynamically import functions, the driver builds encrypted stack strings, decrypts them, converts them to Unicode and calls MmGetSystemRoutineAddress, which gets the address of exported functions from ntoskrnl.exe (the kernel and executive) and hal.dll (HAL).

Example:


String decryption code:
C++:
#include <cstring>

// Stack-string decryption loop as decompiled from FairplayKD.sys.
// Each byte's "key" depends only on its index i, so no secret material
// is involved. strlen() is re-evaluated on the already-advanced pointer,
// exactly as the decompiler shows it.
void DecryptString( char* pString )
{
    size_t i = 0;
    char random_shit = 0;

    do
    {
        random_shit = ( ( 3 - i ) ^ *pString & 0x7F ) - i * i;
        ++i;
        *pString++ = random_shit & 0x7F;
    }
    while ( i < strlen( pString ) );
}
So after knowing about that, I easily found where it grabs the address of ObRegisterCallbacks:

(DecryptStringAndGetRoutineAddress is a function that does exactly what I said)

Here's where the driver registers the call-backs:

(you can also see PsSetCreateProcessNotifyRoutine there).

Inside RegisterShittyCallbacks:
You can see they register 2 pre-operation call-backs - which are called by ObpCallPreOperationCallbacks, one for process and the other for thread. I'm gonna only show the process one since both call-backs are basically the same shit.

Before getting into the pre-operation call-back, let's see how the driver stores information about processes like itself. MTA: SA's driver stores information about some processes in a global array that I called SpecialProcessesInfo. Example of it being accessed:

Each entry in that array is represented by this structure:

C++:
struct _PROCESS_INFO
{
  DWORD ProcessId;
  DWORD Unknown;
  DWORD Type;
  DWORD Flags;
};
The type member can be one of the following numbers:

Code:
TYPE    PROCESS

1          Normal Process
2          csrss.exe
3          lsass.exe
4          svchost.exe
5          Multi Theft Auto.exe or MULTIT~1.EXE
6          mta_sa.exe or proxy_sa.exe
7          raidcall.exe
8          LVPrcSrv.exe or LWEMon.exe
9          Action_x86.bin or Action_x64.bin
I named that global array as "SpecialProcessesInfo" because type 1 processes (normal processes) won't be added to the list. From PcreateProcessNotifyRoutine (the callback set by PsSetCreateProcessNotifyRoutine): Screenshot

Now that I explained about this stuff, let's go to the PreOperation Callback: Screenshot

What basically happens here is this:

1- Check if the target is gta_sa.exe or proxy_sa.exe
2- Check that it isn't gta_sa/proxy_sa doing the operation
3- Check the operation (create/duplicate)
4.1- Check if some bits representing write access or other operations are set. Go to step 5 if true.
4.2- Check if the process that's creating/duplicating the handle is of type 1, 5, or 6. Go to step 5 if true.
5- Strip the handle.

That means we can use type 7 (raidcall.exe) to inject our stuff in there. I've coded a basic manual mapping injector (thx @Broihon) to test it and look what happened: Screenshot (Injected random dll lul)

Get rekt shitty driver.

Moral of the story: raidcall is the real MVP

Still gotta see the user mode part but at least I can inject my shit.
 
Last edited by a moderator:
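As an added example (not code from the page or from the driver), here is the per-byte transform from the decompiled loop in the first post together with its inverse, in C, with a constructed round trip on the routine name MmGetSystemRoutineAddress; it shows that the scheme is a fixed per-position bijection with no secret, so every hidden routine name falls out of the binary alone. The whole-buffer helpers assume the loop runs over the original length taken once, which is an assumption rather than something the decompiled loop states.

```c
#include <string.h>

/* Decrypt transform as decompiled: ((3 - i) ^ (c & 0x7F)) - i*i, low 7 bits.
 * size_t arithmetic wraps, but only the low 7 bits survive the mask. */
unsigned char fairplay_decrypt_byte(size_t i, unsigned char c)
{
    size_t v = ((3 - i) ^ (size_t)(c & 0x7F)) - i * i;
    return (unsigned char)(v & 0x7F);
}

/* Inverse: add i*i back, then undo the XOR with (3 - i). Valid because
 * masking to 7 bits commutes with XOR and with addition modulo 128.
 * The transform depends only on i, never on any key material. */
unsigned char fairplay_encrypt_byte(size_t i, unsigned char p)
{
    size_t v = ((size_t)(p & 0x7F) + i * i) ^ (3 - i);
    return (unsigned char)(v & 0x7F);
}

/* Whole-buffer helpers. Assumption (not from the page): the loop runs over
 * the original length n taken once, instead of re-evaluating strlen on
 * the advancing pointer as the decompiled loop does. */
void fairplay_decrypt(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) buf[i] = fairplay_decrypt_byte(i, buf[i]);
}

void fairplay_encrypt(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) buf[i] = fairplay_encrypt_byte(i, buf[i]);
}

/* Round trip on a constructed sample (a routine name the post says the
 * driver resolves). Returns 1 if encrypt then decrypt restores the input
 * and the encrypted form actually differs from it. */
int fairplay_roundtrip_ok(void)
{
    unsigned char buf[] = "MmGetSystemRoutineAddress";
    size_t n = strlen((const char *)buf);
    fairplay_encrypt(buf, n);
    int changed = memcmp(buf, "MmGetSystemRoutineAddress", n) != 0;
    fairplay_decrypt(buf, n);
    return changed && memcmp(buf, "MmGetSystemRoutineAddress", n) == 0;
}
```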

Thiago

Newbie
Full Member
Nobleman
Feb 28, 2017
57
508
3
Interesting. Their anti cheat is shit indeed, you can just rename ReClass.exe to csrss.exe and have rpm/wpm access. I would like to see someone trying to evade their global ban tho, it's another story. I successfully did it, but they log every one of your fails so the driver I was using got detected and I gave up :p
 
Apr 21, 2018
2
14
0
So in the past few days I've been reversing MTA: SA's anti cheat and I decided to start out with the driver (FairplayKD.sys) because I wanted to be able to inject my stuff without any problem. Here I'm gonna show you why this driver is a joke.

What basically happens here is this:

1- Check if the target is gta_sa.exe or proxy_sa.exe
2- Check that it isn't gta_sa/proxy_sa doing the operation
3- Check the operation (create/duplicate)
4.1- Check if some bits representing write access or other operations are set. Go to step 5 if true.
4.2- Check if the process that's creating/duplicating the handle is of type 1, 5, or 6. Go to step 5 if true.
5- Strip the handle.

That means we can use type 7 (raidcall.exe) to inject our stuff in there. I've coded a basic manual mapping injector (thx @Broihon) to test it and look what happened: Screenshot (Injected random dll lul)

Get rekt shitty driver.

Moral of the story: raidcall is the real MVP
Just.. lol.

pd. do you have discord? pm me if yes pls <3
 

Kleon742

0x66 0x90
Member Spotlight
Moderator
Dank Tier VIP
Dank Tier Donator
Sep 2, 2018
308
12,638
38
Well done! I appreciate your work and the idea of sharing this with us!
 

Schnellfeuer

Newbie
Silenced
Dank Tier Donator
Aug 20, 2017
223
1,408
6
I don't understand a single word :D But thanks for your share! Great work (i guess)!
 

iPower

Piece of shit
Moderator
Escobar Tier VIP
Fleep Tier Donator
Jun 29, 2017
574
19,508
64
Got more information to share here. Idk when I'm posting it because I need to do some testing and I'm working on other projects rn. Gonna update this post when I'm finished with it.

It seems like they use IOCTL requests to get information about the state of the driver like if the callbacks are present and some other stuff. Gotta see where they call DeviceIoControl to see what they do with this information.
 

Thiago

Newbie
Full Member
Nobleman
Feb 28, 2017
57
508
3
Are you working on netc.dll? I'd love to see how they detect basic stuff.
 

iPower

Piece of shit
Moderator
Escobar Tier VIP
Fleep Tier Donator
Jun 29, 2017
574
19,508
64
Are you working on netc.dll? I'd love to see how they detect basic stuff.
Yeah I'm figuring out the structures it uses for IOCTL requests. Also it seems they hook some stuff but Idk what they are doing exactly.
 
Nov 7, 2018
4
12
0
Hi Sir, can you add me on dc please? Skyflux#2148, or you can send your dc via pm, no matter. I have a question about MTA but I can't ask it from here.
 

Thiago

Newbie
Full Member
Nobleman
Feb 28, 2017
57
508
3
Hi Sir, can you add me on dc please? Skyflux#2148, or you can send your dc via pm, no matter. I have a question about MTA but I can't ask it from here.
Are you the same guy who asked me about MTA in UC?
What's so important that has to be privately shared?
 

iPower

Piece of shit
Moderator
Escobar Tier VIP
Fleep Tier Donator
Jun 29, 2017
574
19,508
64
Found this old IDB for FairplayKD.sys in my PC so I'm posting it. It's not fully reversed (I've lost my fully reversed one) but I'm sure this will help someone as the driver didn't change a lot.
 
