HWBP crash course - Old Royal Hack Forum

HWBP crash course


    HWBP crash course

    Today I will be discussing everybody's favorite, hardware breakpoints, and how as an anti-cheater you may prevent a cheater from using them (a stupid noob cheater, that is) and how as a cheater you can use a driver to fool the anti-cheat code into thinking there is a spoon.

    Let's begin:

    Anti cheat perspective:

    Concept:

    1) Choose game process
    2) Inject your code
    3) Setup a VEH
    4) Place HWBPs
    5) Trigger HWBPs / check with exception / GTC; this makes sure that if they hook GTC we will see 0s in the DrX when we know they shouldn't be, etc. obvious shit
    6) Check all good stuff to make sure hood shit happened
    7) ???
    8) Profit

    Bypassing it?

    Concept:

    1) Observe the HWBPs anti cheat has placed
    2) In the driver, intercept the reported-back DrX; read the phrack article below, as that contains very useful info relating exactly to doing this
    3) Place your "shadow" HWBPs
    4) To everybody, report back the DrX the anti-cheat has placed; if they update their DrX (refer to phrack article) update your faked listings as well
    5) Using the alien technology from area 51 called IDT abuse, desync the fuck out of the pages where the anti cheat HWBPs are placed.
    6) Check access to that specific 4 bytes, or whatever; all else gets no exception, this is for the anti-cheat HWBP shit ok?
    7) If anti-cheat HWBP was called, do magical hood shit by faking exception for anti-cheat usermode code to see, IDT again plz
    8) If your HWBPs are called, do nothing spectacular except make sure your VEH is called and nobody else's; since likely the anti-cheat VEH will be toplevel you will obviously have to make sure the kernel code calls your handler instead.
    9) ???
    10) Profit

    FMI:



    That's all.
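    An added example, not from the post, of the consistency check in step 5 of the anti-cheat concept: record the debug-register state the anti-cheat armed, compare it with what the OS reports back, and flag any slot whose address or DR7 fields differ (a slot reading 0 when we know it was armed is the hooked-GTC symptom). The Windows CONTEXT/GetThreadContext plumbing is assumed and stands in as a constructed struct so the check builds on any host; the DR7 bit layout is the documented x86 one.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for the debug-register part of a Windows CONTEXT
 * (Dr0..Dr3 and Dr7). In a real anti-cheat these come from GetThreadContext
 * with CONTEXT_DEBUG_REGISTERS; that call is left out so this builds anywhere. */
typedef struct {
    uint64_t dr[4];   /* Dr0..Dr3: linear addresses of the breakpoints */
    uint64_t dr7;     /* local-enable bits plus per-slot RW/LEN fields */
} dr_state_t;

enum { HWBP_EXEC = 0, HWBP_WRITE = 1, HWBP_RW = 3 };               /* DR7 RWn */
enum { HWBP_LEN1 = 0, HWBP_LEN2 = 1, HWBP_LEN8 = 2, HWBP_LEN4 = 3 }; /* DR7 LENn */

/* DR7 bits for one local breakpoint slot (0..3): Ln at bit 2n,
 * RWn at bits 16+4n..17+4n, LENn at bits 18+4n..19+4n. 0 means bad input. */
static uint64_t dr7_for_slot(unsigned slot, unsigned rw, unsigned len) {
    if (slot > 3 || rw > 3 || len > 3) return 0;
    return (1ull << (slot * 2)) | ((uint64_t)rw << (16 + slot * 4)) |
           ((uint64_t)len << (18 + slot * 4));
}

/* Record a breakpoint in our *expected* state (what we asked the OS to set). */
static int hwbp_expect(dr_state_t *st, unsigned slot, uint64_t addr,
                       unsigned rw, unsigned len) {
    uint64_t bits = dr7_for_slot(slot, rw, len);
    if (!bits) return -1;
    st->dr[slot] = addr;
    st->dr7 |= bits;
    return 0;
}

/* Compare the state we armed with the state the OS reports. Returns a 4-bit
 * mask of armed slots whose address or DR7 enable/RW/LEN fields differ; slots
 * we never armed are ignored. A zeroed reading for an armed slot is the
 * "they hooked GetThreadContext" case described in the post. */
static unsigned hwbp_tamper_mask(const dr_state_t *expected,
                                 const dr_state_t *reported) {
    unsigned mask = 0;
    for (unsigned i = 0; i < 4; i++) {
        uint64_t slot_bits = (1ull << (i * 2)) | (0xfull << (16 + i * 4));
        if (!((expected->dr7 >> (i * 2)) & 1)) continue; /* slot not armed */
        if (expected->dr[i] != reported->dr[i] ||
            (expected->dr7 & slot_bits) != (reported->dr7 & slot_bits))
            mask |= 1u << i;
    }
    return mask;
}
```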

    #2
    Re: HWBP crash course

    updated with newer modern information and cleaned up
