[Security Analysis] status0's ESEA SoundESP

10/29/2018 16:16 imi-tat0r#1

1. General

Today we want to show you our analysis of [Only registered and activated users can see links. Click Here To Register...].
The provider also offers an [Only registered and activated users can see links. Click Here To Register...] which probably uses the exact same bypass, so this analysis is suitable for both his products.

status0 didn't want to hand out a vouch copy to us, even though we agreed to sign anything that would prevent us from leaking his cheat, and said he doesn't trust us.
This was the first sign that the cheat is a scam, as a proper analysis would only benefit him if the product was well made.

Shortly after this discussion, one of his SoundESP customers contacted us, providing us with all the information and files he received.

In the next paragraphs we're going to analyze the ESEA Bypass he is offering and point out why his cheat is not worth any money.

2. Protection

The whole thing is barely protected at all.
DreamBoard.exe, which is the cheat loader, is protected with a simple password check which can easily be patched.

helper.dll, which is the actual cheat itself, is protected with VMProtect, but the coder didn't use the VMProtect SDK, resulting in a generally unprotected DLL with only a mutated entry point.
This can be "undone" by simply performing a runtime dump.

3. Security

The provider claims to have a lot of security features in his cheat and lists a few examples:
Code:
Security

Unique signatures
String encryption
Code mutation
ring0
& many undisclosed ones
- We can't verify the unique signatures as we only have one build available, but it is highly unlikely that anything in here is unique per customer.
- String encryption is not present in the cheat loader, only in the cheat itself.
- Code mutation does not exist.
- The ring0 part is actually performed from ring3 (see 4. Bypass)
- After looking for the many undisclosed ones, we were unable to find anything except VMProtect and Launcher.exe being removed from the Windows prefetch folders, which should not be counted as proper security.

4. Bypass

4.1. General

This is from Readme-lg.txt:
Code:
- Start Netlimiter and make sure its minimized into tray
- Start Lauchner.exe as ADMIN (important)
- Follow the instructions in the command prompt
- A Message Box should appear that indicates Success, press ok(else contact the support with provided error code)
- Disconnect the usb stick
- Start the Anti-Cheat + Game
- Enjoy and dont play obvious ;)
The first thing that got us suspicious was the fact that a user needs to install and run third-party software in order to use the hack. The next thing we noticed was that Netlimiter uses a driver.
What makes this so suspicious is that earlier this year an exploit was released on *************, which lets you [Only registered and activated users can see links. Click Here To Register...] in order to inject into processes like csrss.exe.

4.2. Magic (not really)

The creator of the UC post also mentioned the following:
Code:
Keep stealth in mind
[...]
- Rename the genuine driver as *.sys.tmp
- Move & rename MalwareFox driver to be at the exact location of the genuine driver that we just moved
- Load driver, get your handle, unload driver
- Delete MalwareFox driver from where we copied it
- Rename the genuine driver back to its original name
Here's where Netlimiter gets interesting, because their driver could potentially be used for the above.

In the ************* thread, you can find some sample code to get a Handle, and after a quick look we found the exact same code inside DreamBoard.exe.
With this information, it was obvious that the hack simply exploits a public vulnerability to hide itself.
The fact that the bypass is public and the cheat got released way after the exploit clearly shows the sketchy mentality of the provider and makes this product basically worthless.

5. Hack

This will be very short, as the hack itself is very basic and nothing that we found was worth mentioning.
The hack does what it's supposed to do. It uses OpenAL, which is the Audio Library counterpart of OpenGL, to properly position the sounds in 3D space.

6. Conclusion

Even though the cheat itself works and is doing what it's supposed to do, the bypass used is public since early 2018 and the provider is blatantly lying about the security.
The product appears to be written by someone with little to no knowledge about what he/she does while still trying to look somewhat legit to the naked eye.

Due to the fact that all the valuable parts of the cheat are public, this is not worth a single cent in our opinion, but definitely not worth 150€ per month.

greetings,
imi-tat0r, aequabit and the ev0lve.xyz Team
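The driver-swap pattern quoted in 4.2 (genuine driver renamed to *.sys.tmp, a different binary loaded from its path, then restored) leaves a trail that endpoint telemetry can correlate. The following is an added example and not code from the original post or from any product discussed here: a small correlator over constructed Sysmon-style FileCreate (Event ID 11) and DriverLoad (Event ID 6) records, where the driver path, the hashes and the signer names are all made-up placeholders.

```python
from datetime import datetime, timedelta

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
SWAP_WINDOW = timedelta(minutes=5)  # stage-aside followed by a load within this gap

# Constructed placeholder hashes, not hashes of any real file.
GENUINE_SHA256 = "a" * 64
FOREIGN_SHA256 = "1" * 64

# Constructed Sysmon-style events: a launcher stages "nlvendor.sys.tmp", overwrites the
# genuine path, the kernel loads a different binary from it, and much later the restored
# genuine driver loads normally. Field names follow Sysmon Event ID 11 and Event ID 6.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2018-10-29 14:00:01", "Image": "C:\\Tmp\\Launcher.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\nlvendor.sys.tmp"},
    {"EventID": 11, "UtcTime": "2018-10-29 14:00:02", "Image": "C:\\Tmp\\Launcher.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\nlvendor.sys"},
    {"EventID": 6, "UtcTime": "2018-10-29 14:00:03",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\nlvendor.sys",
     "Hashes": "SHA1=0000,SHA256=" + FOREIGN_SHA256, "Signed": "true",
     "Signature": "Some Other Vendor"},
    {"EventID": 6, "UtcTime": "2018-10-29 15:30:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\nlvendor.sys",
     "Hashes": "SHA1=0000,SHA256=" + GENUINE_SHA256, "Signed": "true",
     "Signature": "Placeholder Vendor"},
]

# Allowlist of what SHOULD sit at each driver path: (sha256, signer). Placeholder values.
EXPECTED_DRIVERS = {
    "c:\\windows\\system32\\drivers\\nlvendor.sys": (GENUINE_SHA256, "Placeholder Vendor"),
}


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def _sha256(hashes_field):
    # Sysmon's "Hashes" field is "ALGO=value,ALGO=value,..."; pull out the SHA256 part.
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def audit_driver_events(events, expected):
    """Return findings for staged-aside driver files and for driver loads whose
    hash or signer does not match the allowlist; escalate when both happen together."""
    findings = []
    staged = {}  # genuine driver path -> time a ".sys.tmp" sibling appeared
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 11:
            target = ev["TargetFilename"].lower()
            if target.startswith(DRIVER_DIR) and target.endswith(".sys.tmp"):
                genuine = target[:-len(".tmp")]
                staged[genuine] = _ts(ev)
                findings.append({"severity": "medium", "rule": "driver_staged_aside",
                                 "path": genuine, "by": ev.get("Image")})
        elif ev["EventID"] == 6:
            path = ev["ImageLoaded"].lower()
            want = expected.get(path)
            if want is None:
                continue  # not an allowlisted path; out of scope for this check
            loaded = _sha256(ev["Hashes"])
            if loaded == want[0] and ev.get("Signature") == want[1]:
                continue  # the genuine driver loaded; nothing to report
            finding = {"severity": "high", "rule": "driver_content_mismatch", "path": path,
                       "expected_sha256": want[0], "loaded_sha256": loaded,
                       "signer": ev.get("Signature")}
            t0 = staged.get(path)
            if t0 is not None and timedelta(0) <= _ts(ev) - t0 <= SWAP_WINDOW:
                finding["severity"] = "critical"
                finding["rule"] = "driver_swap_sequence"
            findings.append(finding)
    return findings
```

The allowlist is the part that needs real data: the hash and signer of the driver your own fleet legitimately ships, so that a differently signed binary loaded from the same path stands out.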
10/29/2018 16:58 FaceMyFizz#2
Quote:
Originally Posted by imi-tat0r View Post
Good job, uses a public bypass and wants money for it ^^
BTW I have heard that some people got banned with it?
10/29/2018 16:59 imi-tat0r#3
Quote:
Originally Posted by FaceMyFizz View Post
Good job, uses a public bypass and wants money for it ^^
BTW I have heard that some people got banned with it?
So far we've heard rumors of people getting banned but nothing confirmed yet.
10/29/2018 17:19 burncode#4
Quote:
Originally Posted by imi-tat0r View Post
So that the images can be seen.

Was just about to ask on HM whether I can share this ;)
10/29/2018 17:20 skadro#5
I actually don't have the time to focus on such a bad attempt at discrediting, therefore I'll just write the most important stuff:
It is only one of my bypasses and it worked. I had a dispute with this guy on High Minded because he was discrediting me since the beginning just for his own sake.
Someone leaked him one version I had and he now analysed it to discredit me once more. Here, I use a vulnerable driver to load my cheat, which is nothing bad. The hack was UD since the leak, so he didn't prove that I'm a scam nor that the hack is not working. He is a rat and after this statement, I will just leak his hack and his users should ASAP stop using his hacks to avoid a ban. I am still undetected and got two other bypasses ready. He himself is using a public TDL loader with which he never managed to stay UD on bigger ACs because he really uses public stuff that got proven to be detected hundreds of times.

Additional stuff out of my thread:

"He just opened one of my unpacked installers (= not running ingame) in a debugger and declared it as reverse engineered. It is not loaded while playing, therefore your security findings are useless, and you even skipped the only file which is run while ingame and compatible with the security features I name in my thread in your wannabe analysis, because it was packed, which actually would have required reversing skills. Finally, this is no security analysis but rather a bypass leak, and this is the worst stuff you can do to yourself. You are a meme and a rat and like I already said, karma is a bitch and will hit you back. Harder than you tried to hit me.

I do not send the same bypass to all users to avoid risks of multiple bans, something you will never understand with your real public TDL VAC/MM hack ev0lve.xyz, which gets sigged soon and continuously from now on, which is just one thing I will take care of.
10/29/2018 17:23 burncode#6
Quote:
Originally Posted by skadro View Post
I actually don't have the time to focus on such a bad attempt at discrediting, therefore I'll just write the most important stuff:
It is only one of my bypasses and it worked. I had a dispute with this guy on High Minded because he was discrediting me since the beginning just for his own sake.
Someone leaked him one version I had and he now analysed it to discredit me once more. Here, I use a vulnerable driver to load my cheat, which is nothing bad. The hack was UD since the leak, so he didn't prove that I'm a scam nor that the hack is not working. He is a rat and after this statement, I will just leak his hack and his users should ASAP stop using his hacks to avoid a ban. I am still undetected and got two other bypasses ready.
Just do it and stop babbling.
By the way, it is an analysis.
10/29/2018 17:24 imi-tat0r#7
Quote:
Originally Posted by skadro View Post
I actually don't have the time to focus on such a bad attempt at discrediting, therefore I'll just write the most important stuff:
It is only one of my bypasses and it worked. I had a dispute with this guy on High Minded because he was discrediting me since the beginning just for his own sake.
Someone leaked him one version I had and he now analysed it to discredit me once more. Here, I use a vulnerable driver to load my cheat, which is nothing bad. The hack was UD since the leak, so he didn't prove that I'm a scam nor that the hack is not working. He is a rat and after this statement, I will just leak his hack and his users should ASAP stop using his hacks to avoid a ban. I am still undetected and got two other bypasses ready.
The fact that you used a public bypass, even if it would only be one of many you have, is sad enough.

The Hack has many detection vectors. I'll just name a few:
- Handle can be enumerated
- DLL is loaded via LoadLibrary into csrss.exe meaning ESEA can easily dump the memory

Also you will not leak shit
10/29/2018 17:29 skadro#8
Quote:
Originally Posted by imi-tat0r View Post
The fact that you used a public bypass, even if it would only be one of many you have, is sad enough.

The Hack has many detection vectors. I'll just name a few:
- Handle can be enumerated
- DLL is loaded via LoadLibrary into csrss.exe meaning ESEA can easily dump the memory

Also you will not leak shit
Holy cow, he thinks I'm using LoadLibrary on csrss.exe. lmao. Additionally no, there is no handle when they scan. Damn it, you are as unqualified as possible. I will not continue reading this, I got work to do. You are a rat and karma is a bitch, I told you already.
10/29/2018 17:32 imi-tat0r#9
Quote:
Originally Posted by skadro View Post
Holy cow, he thinks I'm using LoadLibrary on csrss.exe. lmao. Additionally no, there is no handle when they scan. Damn it, you are as unqualified as possible. I will not continue reading this, I got work to do. You are a rat and karma is a bitch, I told you already.
[Only registered and activated users can see links. Click Here To Register...] - So you're getting this just for fun?
Even if you manual map the hack into the process, your bypass still is public
10/29/2018 19:32 Ossus#10
Quote:
Originally Posted by imi-tat0r View Post
[Only registered and activated users can see links. Click Here To Register...] - So you're getting this just for fun?
Even if you manual map the hack into the process, your bypass still is public
He probably doesn't even know what your screenshot means, because he is lacking a lot of knowledge about coding in general and just c&p'd a public bypass.
10/30/2018 00:56 skadro#11
Quote:
Originally Posted by imi-tat0r View Post
[Only registered and activated users can see links. Click Here To Register...] - So you're getting this just for fun?
Even if you manual map the hack into the process, your bypass still is public
It is used to fix the imports on manual mapping the hack, not even bypass related. You goddamn liar.

Proof:

[Only registered and activated users can see links. Click Here To Register...]

Oh man, you don't fk with me. You will enjoy what will happen.

Quote:
Originally Posted by Ossus View Post
He probably doesn't even know what your screenshot means, because he is lacking a lot of knowledge about coding in general and just c&p'd a public bypass.
Guess you're wrong, idiot.

One more statement:
[Only registered and activated users can see links. Click Here To Register...]

I will not read any more stuff that will be posted. It's discrediting with proven lies and half-knowledge, and I will not put any more time into proving anything to full retards.

EDIT: There we go: [Only registered and activated users can see links. Click Here To Register...]
10/30/2018 02:22 imi-tat0r#12
Quote:
Originally Posted by skadro View Post
It is used to fix the imports on manual mapping the hack, not even bypass related. You goddamn liar.

Proof:

[Only registered and activated users can see links. Click Here To Register...]

Oh man, you don't fk with me. You will enjoy what will happen.

Guess you're wrong, idiot.

I will not read any more stuff that will be posted. It's discrediting with proven lies and half-knowledge, and I will not put any more time into proving anything to full retards.
As I said, your bypass still is public though :)
10/30/2018 18:28 AZLGOOD#13
:feelsbadman:
The 3D sound ESP works well, and the aimbot can be set like Kjaerbye's aim style.
But you can also set it to a perfectly legit aimbot, perfect for getting a headshot.
11/02/2018 15:58 imi-tat0r#14
push :)
11/07/2018 18:16 JyBit#15
It wouldn't be so sad if the price wasn't that high, push btw