Help to defeat the anti DBG/BP dll injection/ejection of the US client

Discussion on Help to defeat the anti DBG/BP dll injection/ejection of the US client within the Aura Kingdom forum part of the MMORPGs category.

#1  AlainProvist

Hey RE friends.

I recently spent a large amount of time digging inside the US client of AK to understand what makes it different compared to the FR and DE ones when trying to inject/eject dlls, attach/detach a debugger and use breakpoints while in game.

I had a really hard time figuring out what was causing this with a nearly identical game.bin, and I finally found what causes it. It appears to be an unknown module (not coming from any dll on your machine) inserted in the game process by an unidentified thread, that will run silently and start another thread when entering the game that will defeat anything stated previously. The thread is then stopped when returning to the char selection.

From what I found over the web it seems to be something similar to what they use in Battlefield 4, named Paladin.

seg000:000C4A58 0000005B C Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.

The good news is that it can be defeated by hooking the CreateThread kernel function and making it return when trying to start code at this address (using some patterns to identify the code). The possibly bad one is that it could send information to the server that could make them suspicious if it is not sent any longer.

And here I am, requesting help to determine whether or not this code can be killed like this without any risk, or to find a better solution to nullify it silently. I'd also be curious to know how it is injected into the process.

In any case I add the full module dump as an attached file. Feel free to crush your mind on it too.

Edit: the module was @0x2AB50000 and the guilty thread start @0x2ab547ee from 0x2AB548CC
Attached file: unkmodule.rar (522.3 KB)
#2  Daifoku  10/04/2015, 18:13
Downloaded the file and analyzed it with IDA, but it's just too big and would take too much time for me.

I suggest placing a conditional log on WSASend and send in Olly.
You should be able to filter out all non-game packets.

This is not a good solution but a fast one.
#3  AlainProvist  10/05/2015, 08:59
As far as I can see, there is no link between this module and the game module. In this case, it's more than possible that any information that could be sent is not using wsasend. They could use any encryption and any protocol to send the information to another server, or they could inject that information into a file sent along with the dump when the crash handler is triggered.
The problem is that I can't get the import table from IDA, and this really doesn't help to figure out what this code is doing. Even the string list is shifted by one char in IDA and I have no idea why this happened.
#4  killzone  10/05/2015, 22:20
Were you able to sniff out what it sends/receives to the server?
If you were, you might want to reroute it if that is possible and create an emulator for that...

Edit:
And this is why I don't like to make bots on a protected client. It's too much of a pain in the *** to deal with.
#5  Oriya9  10/12/2015, 16:38
It's a driver actually.
The way it works is like this:
1. The following directory is created (if it doesn't exist): "AuraKingdom\avital"
2. Two files are dumped there (directly from memory), both of them *.sys files (drivers).
3. Those two files are also copied to System32.
4. Services are created for those two drivers.
5. The game starts the services.

It's an old and really inefficient anti-cheat that is used in very few games (like Rakion and Wolf Team).

It doesn't send anything. Don't worry.
Also, this driver is very problematic and can cause a PAGE_FAULT_IN_NONPAGED_AREA BSoD (especially in Windows 8 and 10), so that's just another reason not to let it run.
#6  AlainProvist  10/12/2015, 19:20
Thanks for the info Oriya, do you have an idea of where this data comes from in memory? From the server streaming it or from some data file? Because the FR client seems not to have this module while using the same client code as the US one now.
#7  Oriya9  10/12/2015, 19:43
Quote (originally posted by AlainProvist):
    Thanks for the info Oriya, do you have an idea of where this data comes from in memory? From the server streaming it or from some data file? Because the FR client seems not to have this module while using the same client code as the US one now.

I haven't dug into it too much, so I don't know where the actual memory comes from.
But it's not from the server, it's a local source.
I assume it's from the client memory itself (most likely compressed data that's being uncompressed and dumped, but it could be raw binary data as well).

It could also be inside the PKGs; it's not one of the files in the PKGs, but it could be the same as what I've explained above (raw binary inside one of the files that are compressed into a PKG, or compressed inside a compressed file in the PKG).

Either way, like I said, it doesn't send anything and it's being "created" and dumped locally. It's safe (and I'd even say advised) not to let it run.
I'd also recommend deleting the *.sys files that the game copies from the "avital" directory to System32 (can be done by booting Windows in Safe Mode).
The two files are the same files as in the "avital" directory.

One last thing: I don't have the DE/FR clients installed, but I'm pretty sure they have the data in them. It's not something related to AeriaGames but to X-Legend.
Their games in other regions also have this (Japan/Thailand/etc).
It's possible that it's just not running the driver (starting the service) in the DE/FR clients, but I'm almost certain it's in the client.
#8  AlainProvist  10/12/2015, 23:42
It could be inside the exe as well, but in this case it means that the server or some data is triggering the code to be self-injected as a module and then executed, and that is precisely what I'm looking for in the code.
#9  Oriya9  10/13/2015, 01:04
Quote (originally posted by AlainProvist):
    It could be inside the exe as well, but in this case it means that the server or some data is triggering the code to be self-injected as a module and then executed, and that is precisely what I'm looking for in the code.

That's what I meant by

Quote (originally posted by Oriya9):
    I assume it's from the client memory itself (most likely compressed data that's being uncompressed and dumped, but it could be raw binary data as well).
All times are GMT +2.