Category: Reverse Engineering

Why the eSport is a security fail ?

Today I will talk about one of my favourite domain, the electronic sport competitions and the underground activities behind.

I will try to explain why the eSport is a security fail, I’m a old counter-strike player (CS:GO actually) so I will take this sample.

I watched many professionnals players, I followed the eSport scene many years and when I watched movies or streams directly, I was like “wow they are really strong”.

But something was wrong, some players was god like, I don’t considere myself like bad at counter-strike, I did some lan tournaments, I was global elite on the game (highest level actually) etc…

So I started to introduce myself under another nickname on a cheat community (unknowncheats forums).

I started to create some cheats on a really well know game (I will not share the name here because they decided to arrest some cheats developers recently), not to share or sell them, only for my own knowledge to learn new things about the reverse engineering (my weakness in the computer security).

And the game surprised me, there is no anticheat, only some anti-debuggers on the last version of the game (IsDebuggerPresent and some first-time exceptions that you can disable with xdbg).

To inject in the game process, you can use a simple LoadLibrary method, some guys use a manual mapping method but injections methods are mostly not considered.

Like you probably know, there is two type of cheats, internals (dll injection) and externals (actions on the game process without injections).

This game surprised me again when I tried a simple WriteProcessMemory on the online mode, you can enable the god mode, run faster, jump or fly like superman and you will be never detected because the game work in p2p mode and trust everything from the client, you can kick or crash the others players remotely.

There is also some kernel methods for the paranoid cheaters, you can use a vulnerable driver to be ring0 and avoid some anticheats:

https://github.com/Zer0Mem0ry/KernelBhop

After few months, I finally created a fully functionnal cheat for this game with ImGui included etc… I was able to execute all the game internal functions with some hashes (the game use a sort of custom virtual table where all game functions was registered with a hash, so the solution between the updates was to create an array with the old hashes and the new hashes, call the old hash, use a custom translator to call the new hash from the old one).

Now I will talk about CS:GO (yes I use the real name here but you will probably understand why).

CS:GO is one of the most game played on steam, the objective of this game is to be a counter-terrorist in a team of 5 players and kill the terrorists (5 players also in the competitive matches).

The game is actually protected by the Valve Anti-Cheat (VAC) system and an overwatch system (you can watch the game of a suspect and decide to voteban him or not).

To be honest with you, the VAC system is weak but the overwatch system is a good method, most of cheaters are banned with the overwatch method because you can’t really hide a powerful cheat (like an aimbot) but if you are smart, you can avoid to be banned if you hide your cheat (try to play with your wallhack without watch the ennemy behind a wall, play smart etc…).

There is also private cheats, a CS:GO player has been recently disqualified and banned from the FPL (Faceit Pro League), the FPL is the CS:GO Professionnal League (cash prizes are actually huge during the official tournaments) like you can see here:

https://www.esportsearnings.com/games/245-counter-strike-global-offensive/largest-tournaments

day0s was qualified in a month while some professional players had to play a few years to get there.

His cheat used the game scoreboard, actually in the game, when you press “TAB” you can see your scoreboad and use your mouse to click on a player name to recommand him, mute him etc…

But like you see in this movie, the cheat use the scoreboard to move the mouse cursor where the enemy is, day0s was able to know the exact position of his enemy each time he pressed TAB.

But this is only one the private cheats used by the CS:GO players, you can found some interesting projects on unknowncheats (like some hardware sonar cheats or sound based cheats):

Some players were accused and the main question was “how they cheated in lan where you can’t use your own computer and your own hardware ?” the answer is really simple:

Steam workshop allowed to use pictures with zipped file content, some players used a custom mouse with a cheat included, some players used their smartphone in usb directly on the lan computers etc…

There is also illegal sellers available on internet: http://hardwarecheats.com/

And finally here is an interview of supex0, the KQLY and Sf‘s custom cheats developer (two french CS:GO pro players banned few years ago):

Cash prizes is the main problem of the eSport scene and a real challenge for the anti-cheats industry.

I just presented the basic stuff here but there is also a cheats industry with advanced methods like you can see here:

Here is the details about the DMA leaks :

http://blog.frizk.net/2019/02/remote-live-memory-analysis-with-memory.html
https://github.com/EngineOwningSoftware/pcileech-webradar

Universal-ImGui-D3D11-Hook

Hello,

Today I decided to release a correct version of an ImGui menu directly hooked into a directx11 application.

The sources are available here: https://github.com/Sh0ckFR/Universal-ImGui-D3D11-Hook

I did that because my goal was to add some menus in games like GTA5, but sources available on the net was not really user/developer-friendly.

My work is based on: https://github.com/Rebzzel/Universal-D3D11-Hook

I just fixed some issues, added ImGui and added the mouse / keyboard InputHook.

If you want to use it, you can compile the project (don’t forget to add MinHook and ImGui correctly) and inject your dll in the targeted directx10/11 application.

The most important part is in d3d11hook:

D3D11_HOOK_API void ImplHookDX11_Present(ID3D11Device *device, ID3D11DeviceContext *ctx, IDXGISwapChain *swap_chain)
{
	if (GetAsyncKeyState(OpenMenuKey) & 0x1) {
		menu->IsOpen ? menu->IsOpen = false : menu->IsOpen = true;
	}

	menu->Render();
}

HRESULT __stdcall PresentHook(IDXGISwapChain* pSwapChain, UINT SyncInterval, UINT Flags)
{
	std::call_once(g_isInitialized, [&]() {
		pSwapChain->GetDevice(__uuidof(g_pd3dDevice), reinterpret_cast<void**>(&g_pd3dDevice));
		g_pd3dDevice->GetImmediateContext(&g_pd3dContext);

		ImGui_ImplDX11_Init(g_hWnd, g_pd3dDevice, g_pd3dContext);
		inputHook->Init(g_hWnd);
	});

	ImplHookDX11_Present(g_pd3dDevice, g_pd3dContext, g_pSwapChain);

	return phookD3D11Present(pSwapChain, SyncInterval, Flags);
}

I suggest you to edit ImplHookDX11_Present only if you want to add your own code.

Have a good day 😉