- 19
- 45
- Версия SA-MP
-
- 0.3.7 (R1)
- 0.3.7-R3
- 0.3.7-R4
- 0.3DL
Hello BLAST.HK,
Iam releasing my analysis knowledges about FenixZone Anticheat and solution to prevent being detected.
Iam releasing my analysis knowledges about FenixZone Anticheat and solution to prevent being detected.
Basically everything is here
https://github.com/WaterinoS/FenixZoneACBypass
I would start how they managed to load the anticheat into process memory:
Its Basic RCE (Remote Code Execution) via RPC_ShowDialog
Its ilegall to use RCE
How you can detect incoming malicious rpc like this one?
- Make IncomingRPC Hook
- Check for RPC_ShowDialog
- Check packet size .. MaxSize of every normal dialog is for example 33000, but they oversized it (injected assembly via that so its around 382032 b (unpacked its ~ 220kb))
- All you need to do is to get bitstream data and check every byte until you found byte[0] = 'M' && byte[1] = 'Z' (dont need to explain to experienced people) then just extract assembly from start to end of the bitstream..
- Make bypass
Their modules explained:
nz.dll - Basic dll being injected by RCE too (33kb) it basically contains export to load PE into memory from path.. if iam not mistaken
anti-key.asi - be careful, they also extracting random named .asi file (in this case anti-key) into ur gta sa directory, but its basically just dll downloader and loader..
nzeE831D.tmp - Obfuscated assembly (easy to deobfuscate, but iam not gonna share the src to keep something for myself), which contains crypted/packed (via MPRESS) assembly which is our anticheat file. => its basically self unpacker (thats the file we are focusing in IncomingRPC hook primary)
discord-rpc.dll - dont need to explain.. not dangerous (dc presence)
etc
How they communicate (client-server)?
Well I didnt spent lof of time analyzing this.. but I would say they making shadow copy of sendto and also sending ingame commands like /buto, /cuco etc.. and these commands are important !
/cuco [message] => i dont really know what it does, but I guess its also verified on the serverside.. lets say [message] is number somehow generated and stored in variable - if you call original you are basically fine.
/buto [message] - well this one is improtant cuz every 15th call of one callback its sending /buto <hex> which i reversed and this one is primary checked on the server - if it does not match with their side => KICK
and with every command comes also sendto on their server, you can find their server ip by urself. (ports are randomly generated - its opening socket, sendto and then just instant close)
What this anticheat do?
- Memory scans
- Module scans
- Window handles scans
- .ASi/.SF/.CS Scans
- SAMPFUNCS Console Detections
- Etc
If you want to know more - do research by urself. :)
Released bypass .ASI file
Source Code
Binary in attachments or on github/output
They gonna patch it very soon, but experienced people could update it by themselves.
If you have any questions then my discord is watersmoke
Thanks to CikaUIF (CikaDjokica) for help with analysis, crack.
Enjoy
Последнее редактирование:
