Author: Sh0ck

Why eSport is a security fail?

Today I will talk about one of my favourite domains, electronic sport competitions and the underground activities behind them.

I will try to explain why eSport is a security fail. I'm an old Counter-Strike player (CS:GO actually), so I will take this as the example.

I watched many professional players, I followed the eSport scene for many years, and when I watched videos or streams directly, I was like “wow, they are really strong”.

But something was wrong: some players were god-like. I don't consider myself bad at Counter-Strike, I did some LAN tournaments, I was Global Elite in the game (the highest rank actually), etc.

So I introduced myself under another nickname on a cheat community (the unknowncheats forums).

I started to create some cheats for a really well-known game (I will not share the name here because they decided to arrest some cheat developers recently), not to share or sell them, only for my own knowledge, to learn new things about reverse engineering (my weakness in computer security).

And the game surprised me: there is no anti-cheat, only some anti-debugger tricks in the latest version of the game (IsDebuggerPresent and some first-chance exceptions that you can disable in xdbg).

To inject into the game process, you can use a simple LoadLibrary method; some people use a manual mapping method, but the injection method is mostly not checked by the game.

As you probably know, there are two types of cheats: internals (DLL injection) and externals (acting on the game process without injection).

This game surprised me again when I tried a simple WriteProcessMemory in the online mode: you can enable god mode, run faster, jump or fly like Superman, and you will never be detected because the game works in P2P mode and trusts everything from the client; you can even kick or crash the other players remotely.
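The root cause above is that no authority re-checks what the client claims. The following is an added example (not code from this post or from any game it describes) of the server-side validation a client-trusting P2P design lacks: each state update is checked against a movement budget, a jump budget and the health the server itself computed, so the speed, fly and god-mode claims described above are rejected instead of accepted. All limits, the flat floor and the sample updates are constructed for illustration.

```python
"""Server-side validation of client state updates.

Added example, not code from the post or from any game it describes. The
server keeps the only state that counts, re-derives what a client could
legitimately have done since its last accepted state, and rejects updates
that exceed the movement budget or report health the server did not compute.
All limits and sample updates are constructed for illustration.
"""
from dataclasses import dataclass
import math

MAX_SPEED = 6.5         # horizontal units per second (constructed limit)
MAX_JUMP_HEIGHT = 1.2   # total vertical gain allowed without touching the ground
MAX_HEALTH = 100
GROUND_Z = 0.0          # flat floor; a real server would use collision data
TOLERANCE = 1.05        # 5% slack for tick jitter


@dataclass
class PlayerState:
    """Last state the server accepted; the only copy that counts."""
    x: float
    y: float
    z: float
    health: int
    air_rise: float = 0.0   # vertical gain accumulated since last ground contact

    @property
    def on_ground(self):
        # Derived from the server's own position record, never from a client flag.
        return self.z <= GROUND_Z + 1e-6


@dataclass
class ClientUpdate:
    """What the client claims this tick."""
    dt: float               # seconds since the previous accepted state
    x: float
    y: float
    z: float
    health: int


def validate_update(prev, upd, damage=0, heal=0):
    """Return (accepted, reason, state).

    damage/heal are the server's own records for this tick (hits it resolved,
    pickups it granted); the client never gets to set health directly.
    On rejection the previous state is returned, so a rejected claim never sticks.
    """
    if upd.dt <= 0:
        return False, "bad tick: non-positive time delta", prev
    if upd.z < GROUND_Z:
        return False, "noclip: position below the floor", prev

    # Movement budget: distance covered must fit the speed cap over dt.
    horiz = math.hypot(upd.x - prev.x, upd.y - prev.y)
    if horiz > MAX_SPEED * upd.dt * TOLERANCE:
        return False, f"speed hack: {horiz / upd.dt:.1f} u/s exceeds {MAX_SPEED}", prev

    # Vertical budget: rising is only possible as one jump starting from the ground.
    rise = max(0.0, upd.z - prev.z)
    air_rise = rise if prev.on_ground else prev.air_rise + rise
    if air_rise > MAX_JUMP_HEIGHT:
        return False, f"fly hack: rose {air_rise:.2f} without touching the ground", prev

    # Health is derived from server-side events only.
    expected = max(0, min(MAX_HEALTH, prev.health - damage + heal))
    if upd.health != expected:
        return False, f"god mode: client reports {upd.health}, server expects {expected}", prev

    new = PlayerState(upd.x, upd.y, upd.z, expected)
    new.air_rise = 0.0 if new.on_ground else air_rise
    return True, "ok", new


def run_demo():
    """Feed a constructed sequence of claims through the validator and return
    the (accepted, verdict) pairs."""
    state = PlayerState(0.0, 0.0, 0.0, 100)
    claims = [
        (ClientUpdate(0.1, 0.6, 0.0, 0.0, 100), 0, 0),   # 6 u/s run: legitimate
        (ClientUpdate(0.1, 2.6, 0.0, 0.0, 100), 0, 0),   # 20 u/s: rejected
        (ClientUpdate(0.1, 0.6, 0.0, 1.0, 100), 0, 0),   # normal jump: legitimate
        (ClientUpdate(0.1, 0.6, 0.0, 3.0, 100), 0, 0),   # keeps climbing: rejected
        (ClientUpdate(0.1, 0.6, 0.0, 0.0, 100), 40, 0),  # hit for 40 but still claims 100: rejected
        (ClientUpdate(0.1, 0.6, 0.0, 0.0, 60), 40, 0),   # hit still stands (state unchanged by the rejection); honest 60: legitimate
    ]
    results = []
    for upd, dmg, heal in claims:
        ok, reason, state = validate_update(state, upd, dmg, heal)
        results.append((ok, reason.split(":")[0]))
    return results


if __name__ == "__main__":
    for ok, verdict in run_demo():
        print("accepted" if ok else "REJECTED", verdict)
```

The point of the design is that the client only ever sends intentions and positions; health, ground contact and the accepted position are derived by the authority, so a WriteProcessMemory on the client's own copy changes nothing that other players see.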

There are also some kernel methods for paranoid cheaters: you can use a vulnerable driver to reach ring0 and avoid some anti-cheats:

https://github.com/Zer0Mem0ry/KernelBhop

After a few months, I finally created a fully functional cheat for this game with ImGui included, etc. I was able to execute all the game's internal functions through hashes (the game uses a sort of custom virtual table where every game function is registered with a hash, so the solution between updates was to create an array with the old hashes and the new hashes: call the old hash, and use a custom translator to resolve the new hash from the old one).

Now I will talk about CS:GO (yes, I use the real name here, but you will probably understand why).

CS:GO is one of the most played games on Steam. The objective of this game is to be a counter-terrorist in a team of 5 players and kill the terrorists (also 5 players in competitive matches).

The game is currently protected by the Valve Anti-Cheat (VAC) system and the Overwatch system (you can watch the game of a suspect and decide whether to vote to ban him or not).

To be honest with you, the VAC system is weak, but the Overwatch system is a good method; most cheaters are banned through Overwatch because you can't really hide a powerful cheat (like an aimbot). But if you are smart, you can avoid being banned by hiding your cheat (playing with your wallhack without looking at the enemy behind a wall, playing smart, etc.).

There are also private cheats. A CS:GO player was recently disqualified and banned from the FPL (FACEIT Pro League), the CS:GO professional league (cash prizes are actually huge during the official tournaments), as you can see here:

https://www.esportsearnings.com/games/245-counter-strike-global-offensive/largest-tournaments

day0s qualified within a month, while some professional players had to play for a few years to get there.

His cheat used the game scoreboard: in the game, when you press “TAB” you can see your scoreboard and use your mouse to click on a player name to commend him, mute him, etc.

But as you can see in this video, the cheat uses the scoreboard to move the mouse cursor to where the enemy is; day0s was able to know the exact position of his enemy each time he pressed TAB.

But this is only one of the private cheats used by CS:GO players; you can find some interesting projects on unknowncheats (like some hardware sonar cheats or sound-based cheats):

Some players were accused, and the main question was “how did they cheat at a LAN where you can't use your own computer and your own hardware?” The answer is really simple:

The Steam Workshop allowed pictures with zipped file content, some players used a custom mouse with a cheat included, some players plugged their smartphone directly into the LAN computers over USB, etc.

There are also illegal sellers available on the internet: http://hardwarecheats.com/

And finally, here is an interview of supex0, the developer of KQLY's and Sf's custom cheats (two French CS:GO pro players banned a few years ago):

Cash prizes are the main problem of the eSport scene and a real challenge for the anti-cheat industry.

I just presented the basic stuff here, but there is also a cheat industry with advanced methods, as you can see here:

Here are the details about the DMA leaks:

http://blog.frizk.net/2019/02/remote-live-memory-analysis-with-memory.html
https://github.com/EngineOwningSoftware/pcileech-webradar

Skripal Case from Russia with Love

Hello folks,

Today I will talk about the Skripal case and the OSINT methods used by the Bellingcat group to find the real identities of the Russian spies behind the Sergei and Yulia Skripal poisoning.

The story started when a friend shared with me some information about two nicknames, “Dorbik” and “Matad0r”, a vendor of bulletproof hosting services (bulletproof hosting guarantees that websites hosted in these locations will not be shut down, even if they are blatantly hosting criminal content).

I searched a bit and found some interesting information:

http://garwarner.blogspot.com/2012/03/operation-open-market-vendors.html

[REDACTED Defendant #20] AKA Dorbik AKA Matad0r is a vendor of Bullet Proof Hosting services. Bulletproof hosting guarantees that websites hosted in these locations will not be shut down, even if they are blatantly hosting criminal content. Other criminals hosted carding forums and phishing sites on Dorbik’s services.

Along with the official US district court document (from 2017, before the Skripal case):

https://www.rospres.com/images/24042017merged.pdf

I searched for the “Dorbik” nickname in this document and found the name of the dark market vendor:

“Sergei Litvinenko” -> Sergei like “Sergei Skripal”, but Litvinenko like “Alexander Litvinenko”, who was a British-naturalised Russian defector and former officer of the Russian FSB secret service.

You can read his full biography here: https://en.wikipedia.org/wiki/Alexander_Litvinenko

Like Sergei Skripal, Litvinenko was hospitalised in what was established as a case of poisoning by radioactive polonium-210 (Novichok in the Skripal case).

He died from the poisoning on 23 November 2006.

From these coincidences, I suggest that Sergei Skripal was “Sergei Litvinenko” aka “Dorbik” aka “Matad0r” and that Alexander Litvinenko was a member of his family, but the information is not enough to confirm this theory.

On 4 March 2018, Sergei Skripal and Yulia Skripal were poisoned in Salisbury with a Novichok nerve agent, according to official UK sources and the Organisation for the Prohibition of Chemical Weapons (OPCW).

In the 1990s, Sergei Skripal was an officer for Russia’s Main Intelligence Directorate (GRU) and worked as a double agent for the UK’s secret service from 1995 until his arrest in Moscow in December 2004.

As you know, Alexander Litvinenko died in 2006, and weirdly, the same year, Sergei Skripal was convicted of high treason and sentenced to 13 years in a penal colony by a Russian court.

Two Russian nationals, who go by the names Alexander Petrov and Ruslan Boshirov, were accused of the murder attempt on Sergei Skripal (fake names, obviously):

Recently, on 14 September 2018, the website Bellingcat wrote an article about Alexander Petrov and established a link between the suspect's passport and the Russian security services; you can read the full post here: https://www.bellingcat.com/news/uk-and-europe/2018/09/14/skripal-poisoning-suspects-passport-data-shows-link-security-services/

You can see the last-minute travel plans:

And you can see an important piece of information about his passport:

Alexander Petrov’s passport dossier is marked with a stamp containing the instruction “Do not provide any information”. This stamp does not exist in standard civilian passport files. A source working in the Russian police force who regularly works with the central database confirmed to Bellingcat and The Insider that they have never seen such a stamp on any passport form in their career. That source surmised that this marking was reserved for operatives of the state under deep cover.

And more importantly, the domestic passport photo matches the photos released by the UK authorities and the face of the person calling himself Alexander Petrov:

Today, the Bellingcat Investigation Team released other important information: they found the real identity of Ruslan Boshirov through OSINT methods.

He was identified as a GRU colonel named Anatoliy Chepiga: https://www.bellingcat.com/news/uk-and-europe/2018/09/26/skripal-suspect-boshirov-identified-gru-colonel-anatoliy-chepiga/

The passport file contained a photograph – dated approximately in 2003, when this passport was obtained – that strongly resembled a younger “Boshirov” as seen in passport photos released by the UK police:

The amazing work of the Bellingcat team identified the suspect from a 2003 database: he gave as his personal address “Military Unit 20662, Khabarovsk”. It also listed his place of birth as the “village of Nikolaevka”, further linking this person to the Hero of the Russian Federation with the same name.

Bellingcat confidentially contacted a former Russian military officer of similar rank to Colonel Chepiga, in order to receive a reaction to what Bellingcat found. The source, speaking on condition of anonymity, expressed surprise that at least one of the operatives engaged in the operation in Salisbury had the rank of colonel. Even more surprising was the suspects’ prior award of the highest military recognition.

On 13 September the two men were interviewed on Russian television where they claimed they were tourists visiting the city.

On 2 October 2018 Bellingcat released more information about the colonel: they obtained a photograph posted on the Russian social network Odnoklassniki (OK) by a visitor to the Far-Eastern Military Academy (abbreviated DVOKU in Russian), in which you can see a picture of the colonel.

More information can be found at:

https://www.bellingcat.com/news/uk-and-europe/2018/10/02/anatoliy-chepiga-hero-russia-writing-wall/

About the second suspect (Dr. Alexander Mishkin), Bellingcat released a full report, which you can read here:

https://www.bellingcat.com/news/uk-and-europe/2018/10/09/full-report-skripal-poisoning-suspect-dr-alexander-mishkin-hero-russia/

Recently, a GRU hacking team tried to hack the OPCW buildings to erase some evidence from different operations; a rental car full of hacking devices was found in a car park near the OPCW buildings:

You can read the information at:

https://www.bbc.com/news/world-europe-45746837
https://www.wired.com/story/russian-spies-indictment-hotel-wi-fi-hacking/
https://themoscowtimes.com/news/Russian-man-idetified-in-Dutch-hacking-probe-was-member-of-secret-services-football-team-63091
https://www.fbi.gov/wanted/cyber/gru-hacking-to-undermine-anti-doping-efforts
https://twitter.com/christogrozev/status/1047781100498681857

Universal-ImGui-D3D11-Hook

Hello,

Today I decided to release a correct version of an ImGui menu hooked directly into a DirectX 11 application.

The sources are available here: https://github.com/Sh0ckFR/Universal-ImGui-D3D11-Hook

I did that because my goal was to add some menus in games like GTA5, but the sources available on the net were not really user/developer-friendly.

My work is based on: https://github.com/Rebzzel/Universal-D3D11-Hook

I just fixed some issues, added ImGui, and added the mouse/keyboard InputHook.

If you want to use it, you can compile the project (don't forget to add MinHook and ImGui correctly) and inject your DLL into the targeted DirectX 10/11 application.

The most important part is in d3d11hook:

[Cpp]
// Called once per frame from PresentHook: toggles the menu on OpenMenuKey and renders it.
D3D11_HOOK_API void ImplHookDX11_Present(ID3D11Device *device, ID3D11DeviceContext *ctx, IDXGISwapChain *swap_chain)
{
    // Bit 0 of GetAsyncKeyState is set if the key was pressed since the previous call.
    if (GetAsyncKeyState(OpenMenuKey) & 0x1) {
        menu->IsOpen = !menu->IsOpen;
    }

    menu->Render();
}

// Replacement for IDXGISwapChain::Present installed with MinHook; phookD3D11Present is the original.
HRESULT __stdcall PresentHook(IDXGISwapChain* pSwapChain, UINT SyncInterval, UINT Flags)
{
    // One-time setup on the first Present: take the device and context from the application's own swap chain.
    std::call_once(g_isInitialized, [&]() {
        pSwapChain->GetDevice(__uuidof(g_pd3dDevice), reinterpret_cast<void**>(&g_pd3dDevice));
        g_pd3dDevice->GetImmediateContext(&g_pd3dContext);

        ImGui_ImplDX11_Init(g_hWnd, g_pd3dDevice, g_pd3dContext);
        inputHook->Init(g_hWnd);
    });

    // Pass the swap chain this call was made on rather than a global that may not be set yet.
    ImplHookDX11_Present(g_pd3dDevice, g_pd3dContext, pSwapChain);

    return phookD3D11Present(pSwapChain, SyncInterval, Flags);
}
[/Cpp]

I suggest you edit only ImplHookDX11_Present if you want to add your own code.
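Seen from the other side, the hook above leaves two traces an anti-cheat or the application itself can look for: the IDXGISwapChain vtable slot for Present no longer points into the module that implements it, and the first bytes of the real Present are overwritten with a trampoline. The following is an added example, not code from the Universal-ImGui-D3D11-Hook project or from any anti-cheat; it is portable C++ with constructed inputs (a fake module range standing in for dxgi.dll and hand-written prologue bytes), since a real implementation would read the module bounds with the Windows module APIs and the bytes from the live process.

```cpp
// Added example (not from the Universal-ImGui-D3D11-Hook project): integrity
// check over a COM vtable slot such as IDXGISwapChain::Present. Two signals:
//   1. the slot must still point inside the module that implements the interface;
//   2. the code it points to must not start with an inline-hook trampoline.
// Module ranges and prologue bytes below are constructed for the demo.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for the loaded image of the module that owns the interface
// (real code would fill this from GetModuleHandle/GetModuleInformation).
struct ModuleRange {
    std::uintptr_t base;
    std::size_t size;
};

enum class Verdict { Clean, SlotRedirected, InlinePatched };

static bool address_in_module(std::uintptr_t addr, const ModuleRange& m) {
    return addr >= m.base && addr < m.base + m.size;
}

// Recognise the trampolines that inline-hook libraries (MinHook, Detours)
// write over the first bytes of the target function on x86/x64.
static bool prologue_is_trampoline(const std::uint8_t* code, std::size_t len) {
    if (len >= 5 && code[0] == 0xE9) return true;                    // JMP rel32
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return true;  // JMP [RIP+disp32]
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) return true;  // PUSH imm32; RET
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) return true;            // MOV RAX, imm64; JMP RAX
    return false;
}

// Verify one vtable slot: where it points, then what it points at.
Verdict check_vtable_slot(std::uintptr_t slot_target, const ModuleRange& owner,
                          const std::uint8_t* prologue, std::size_t len) {
    if (!address_in_module(slot_target, owner)) return Verdict::SlotRedirected;
    if (prologue_is_trampoline(prologue, len)) return Verdict::InlinePatched;
    return Verdict::Clean;
}

// Constructed scenarios: a clean slot, a slot rewritten to point at an injected
// DLL, and two slots whose code was overwritten with a trampoline.
std::vector<Verdict> run_demo() {
    const ModuleRange dxgi{0x10000000u, 0x100000u};            // constructed range
    const std::uintptr_t real_present = dxgi.base + 0x1234;     // constructed offset
    const std::uintptr_t injected_dll = 0x20000000u;            // outside dxgi

    const std::uint8_t clean[]   = {0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B};
    const std::uint8_t jmp_rel[] = {0xE9, 0x00, 0x10, 0x00, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC};
    const std::uint8_t abs_jmp[] = {0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xE0};

    return {
        check_vtable_slot(real_present, dxgi, clean, sizeof clean),
        check_vtable_slot(injected_dll, dxgi, clean, sizeof clean),
        check_vtable_slot(real_present, dxgi, jmp_rel, sizeof jmp_rel),
        check_vtable_slot(real_present, dxgi, abs_jmp, sizeof abs_jmp),
    };
}

int main() {
    static const char* names[] = {"Clean", "SlotRedirected", "InlinePatched"};
    for (Verdict v : run_demo()) std::printf("%s\n", names[static_cast<int>(v)]);
    return 0;
}
```

Two caveats for anyone using this as a detection: the Steam overlay, capture tools and some drivers hook Present legitimately, so a hit is a signal to correlate with the module the slot points into, not proof of cheating; and a check that runs inside the same process can itself be patched by the injected DLL, which is why anti-cheats move this kind of verification into a kernel component or a remotely attested measurement.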

Have a good day 😉

Read The Fancy Manual – RTFM/SigSegv1 Story

Hello folks,

Today something new is coming to my blog; yes, you probably already saw it, but my future posts will only be in English 🙂

I decided to do that to reach a broader public and to improve my English, of course, so please don't hesitate to correct me if you see any mistakes 😉

Well, today I will talk about our French community, Read The Fancy Manual, to present what we did, why, and for whom exactly.

When we started, we were a small group of friends; our main goal was just to talk among ourselves in Paris and drink some beers (we can't really hide it).

We did some meetups, and some people joined us because they liked the idea of creating a community in Paris, in different places.

And Hackira from HackerzVoice asked us during the World Music Day 2017: “Hey guys, why don't you create your own event?” I was a bit surprised; we thought about it and answered “let's do it”.

A few months later, we created the Read The Fancy Manual association, registered it, and started to figure out how to do that.

Our first partners were the 42 school, NewbieContest and Encelis (thank you again); we contacted some companies, most of the time indirectly, only via our contacts, and some of them (Synacktiv, AlgoSecure, NetXP, Yogosha, Wavestone) decided to help us.

To be honest, without them, our French computer security community would already be dead, and that would have been a pity because all of our members are passionate.

Currently, the first prequals will be launched on the 28th of September with 5 challenges; we want to keep this prequals phase for the next editions to avoid a large public, only enthusiastic people with enough skill to pass this phase.

I want to be clear on one point anyway: we are not elitist, beginners are welcome during the meetups to talk with our members; personally, I am here to help everyone and share my ideas.

Some members of the French infosec scene are more interested in trash-talking people, and I can't accept that on my side; with RTFM, we want a clean community with a good mentality.

Anyway, I need to talk about the next steps for RTFM: our prequals will open on the 28th of September, everyone can try them for free, and if you validate the different challenges, you will be able to register and grab a ticket for approximately 10€ (to be sure that you will come).

On the first of December, the event will be organised at the 42 school in Paris; some French and English speakers will be present, and you will be able to participate in a CTF (jeopardy, solo, but you can also play in a team if you want).

I hope that you will like our event, and if everyone likes it, we will organise more editions of course 🙂

I want to talk about another thing: during our creation, we were able to meet the DEF CON Group Paris.

This group was created just after ours, so we decided to talk with the organisers; we are not really partners actually, but we decided to support them and they decided the same for us. I want to thank them because they are some great and really interesting people.

For the future, I would like to communicate more with different international groups to create a link between us, without forgetting our main goal: to be a cool French conference with a community behind it and to develop more projects. In our association, everyone is able to propose something; we take decisions as a group via a voting system.

Finally, I want to thank all of you, and I urge you to be the criminal of your own curiosity.

An interesting point of view on the OSINT investigation of an image

Hello dear readers,

Today I had an interesting conversation with x0rz and another person on Discord, so I wanted to share it with you, hoping it can help some people find a precise location visible in a photo, or even a person.

x0rz indeed asked several people this:

The objective was therefore to find the location or any other information linked to this photo.

One person suggested that the photo had been taken near the Pont d'Iéna, next to the Eiffel Tower:

We can indeed see the typically Parisian building just above on the left, and the buildings on the right; another photo was then posted by that same person:

According to that same person, the dark spots on the bridge seemed to be the bas-reliefs, which confirmed the general location of the photo.

x0rz then suggested that the photo had been taken from a rooftop, like this:

By searching on Street View, that same person managed to find the precise location by relying on elements visible in the photo and comparing them:

With a bit of searching, the place seemed to be the five-star Shangri-La hotel located at 10, avenue d'Iéna, Paris, 75116, France:

Another person on Discord then superimposed the image of the location and the image of the person, and we could observe that the image was well centred:

For my part, I suggested that the visible clouds did not vary on the left side of the image but did change on the right side, so we can deduce that the photo was taken on the same day as the hotel's presentation photo.

However, the image is too perfect, and we can see some badly done cut-outs in the hair on the left side of the woman, so it is very likely that this woman was cut out and pasted over the other image; she therefore probably never set foot in this hotel.

This analysis is interesting in the sense that even without direct results from Google Images or TinEye, it is still possible to spot several small elements available in a photo and work back little by little until you find the precise place and the angle from which it was taken, and also the approximate date, without even analysing the metadata.

For more information, you can take a look at x0rz's excellent article:

https://blog.0day.rocks/uncovering-foreign-trolls-trying-to-influence-french-elections-on-twitter-a78a8c12953