[Security Analysis] status0's ESEA SoundESP

 
Old   #1
 
elite*gold: 0
Join Date: Apr 2014
Posts: 23
Received Thanks: 22



1. General

Today we want to show you our analysis of .
The provider also offers an which probably uses the exact same bypass, so this analysis is suitable for both his products.

status0 didn't want to hand out a vouch copy to us, even though we agreed on signing anything that would prevent us from leaking his cheat, and said he doesn't trust us.
This was the first sign that the cheat is a scam, as a proper analysis would only benefit him if the product were well made.

Shortly after this discussion, one of his SoundESP customers contacted us, providing us with all the information and files he received.


In the next paragraphs we're going to analyze the ESEA Bypass he is offering and point out why his cheat is not worth any money.

2. Protection

The whole thing is barely protected at all.
DreamBoard.exe, which is the cheat loader, is protected with a simple password check which can easily be patched.


helper.dll, which is the actual cheat itself, is protected with VMProtect, but the coder didn't use the VMProtect SDK, resulting in a generally unprotected DLL with only a mutated entry point.
This can be "undone" by simply performing a runtime dump.


3. Security

The provider claims to have a lot of security features in his cheat and lists a few examples:
Code:
Security

Unique signatures
String encryption
Code mutation
ring0
&many undisclosed ones
- We can't verify the unique signatures as we only have one build available, but it is highly unlikely that anything in here is unique per customer.
- String encryption is not present in the cheat loader, only in the cheat itself.
- Code mutation does not exist.
- The ring0 part is actually performed from ring3 (see 4. Bypass).
- After looking for the many undisclosed ones, we were unable to find anything except VMProtect and Launcher.exe being removed from the Windows prefetch folders, which should not be counted as proper security.


4. Bypass

4.1. General

This is from Readme-lg.txt:
Code:
- Start Netlimiter and make sure its minimized into tray
- Start Lauchner.exe as ADMIN (important)
- Follow the instructions in the command prompt
- A Message Box should appear that indicates Success, press ok(else contact the support with provided error code)
- Disconnect the usb stick
- Start the Anti-Cheat + Game
- Enjoy and dont play obvious ;)
The first thing that got us suspicious was the fact that a user needs to install and run third-party software in order to use the hack. The next thing we noticed was that Netlimiter uses a driver.
The reason this is so suspicious is that earlier this year an exploit was released on UnknownCheats, which lets you in order to inject into processes like csrss.exe.

4.2. Magic (not really)

The creator of the UC post also mentioned the following:
Code:
Keep stealth in mind
[...]
- Rename the genuine driver as *.sys.tmp
- Move & rename MalwareFox driver to be at the exact location of the genuine driver that we just moved
- Load driver, get your handle, unload driver
- Delete MalwareFox driver from where we copied it
- Rename the genuine driver back to its original name
Here's where Netlimiter gets interesting, because its driver could potentially be used for the above.

In the UnknownCheats thread, you can find some sample code to get a handle.

After a quick look, we found the exact same code inside DreamBoard.exe.

With this information, it was obvious that the hack simply exploits a public vulnerability to hide itself.
The fact that the bypass is public and the cheat got released way after the exploit, clearly shows the sketchy mentality of the provider and makes this product basically worthless.

5. Hack

This will be very short, as the hack itself is very basic and nothing that we found was worth mentioning.
The hack does what it's supposed to do. It uses OpenAL, which is the audio-library counterpart of OpenGL, to properly position the sounds in 3D space.

6. Conclusion

Even though the cheat itself works and is doing what it's supposed to do, the bypass used is public since early 2018 and the provider is blatantly lying about the security.
The product appears to be written by someone with little to no knowledge about what he/she does while still trying to look somewhat legit to the naked eye.

Due to the fact that all the valuable parts of the cheat are public, this is not worth a single cent in our opinion, but definitely not worth 150€ per month.

greetings,
imi-tat0r, aequabit and the ev0lve.xyz Team



imi-tat0r is offline  
Thanks
8 Users
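The quoted UC recipe (rename the genuine driver to *.sys.tmp, drop a foreign driver at its path, load it, then restore the original) leaves two traces on disk: a *.sys.tmp file beside a known driver, and a driver path whose content no longer matches the vendor build. The following is an added detection example written for this thread, not code from either party or from any anti-cheat; the driver file name, directory and hashes are constructed placeholders, not Netlimiter's real driver.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents standing in for the real driver images.
GENUINE_DRIVER_BYTES = b"constructed vendor driver image v1"
FOREIGN_DRIVER_BYTES = b"constructed foreign driver image"

# Constructed known-good inventory: driver path -> SHA-256 of the vendor build.
# In practice this would come from a signed package manifest or a baseline scan.
KNOWN_GOOD: Dict[str, str] = {
    r"C:\drivers\vendor\netfilter.sys": sha256_hex(GENUINE_DRIVER_BYTES),
}


@dataclass
class Finding:
    path: str
    reason: str


def check_driver_snapshot(snapshot: Dict[str, bytes],
                          known_good: Dict[str, str]) -> List[Finding]:
    """Compare a directory snapshot ({path: file bytes}) against the baseline.

    Flags, per known driver path:
      * the path is missing entirely (driver moved away),
      * the file at the path hashes differently from the vendor build (swapped),
      * a sibling '<name>.sys.tmp' exists (rename residue of the swap).
    Matching is case-insensitive because NTFS paths are.
    """
    findings: List[Finding] = []
    by_lower = {p.lower(): p for p in snapshot}
    for good_path, good_hash in known_good.items():
        key = good_path.lower()
        if key not in by_lower:
            findings.append(Finding(good_path, "known driver missing from expected location"))
        else:
            actual = sha256_hex(snapshot[by_lower[key]])
            if actual != good_hash:
                findings.append(Finding(good_path, f"content hash mismatch: {actual[:12]}..."))
        tmp_key = key + ".tmp"
        if tmp_key in by_lower:
            findings.append(Finding(by_lower[tmp_key], ".sys.tmp rename residue beside known driver"))
    return findings


# Constructed snapshots of the same directory at three points in time.
SNAPSHOT_CLEAN = {r"C:\drivers\vendor\netfilter.sys": GENUINE_DRIVER_BYTES}
SNAPSHOT_MID_SWAP = {
    r"C:\drivers\vendor\netfilter.sys": FOREIGN_DRIVER_BYTES,      # foreign driver at the genuine path
    r"C:\drivers\vendor\netfilter.sys.tmp": GENUINE_DRIVER_BYTES,  # genuine driver parked under .tmp
}
SNAPSHOT_RESTORED = {r"C:\drivers\vendor\netfilter.sys": GENUINE_DRIVER_BYTES}


def reasons(snapshot: Dict[str, bytes]) -> List[str]:
    return [f.reason for f in check_driver_snapshot(snapshot, KNOWN_GOOD)]


if __name__ == "__main__":
    for name, snap in (("clean", SNAPSHOT_CLEAN), ("mid-swap", SNAPSHOT_MID_SWAP),
                       ("restored", SNAPSHOT_RESTORED)):
        print(name, reasons(snap) or "no findings")
```

Because the restored state looks identical to the clean one, a one-off scan only catches the window while the swap is in progress; the check is meant to be paired with periodic snapshots or file-change events on the driver directory.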
Old 10/29/2018, 16:58   #2
 
elite*gold: 0
Join Date: Oct 2018
Posts: 13
Received Thanks: 0
Quote:
Originally Posted by imi-tat0r
[full analysis from post #1 quoted above]
Good job, uses a public bypass and wants money for it ^^
BTW, I have heard that some people got banned with it?


FaceMyFizz is offline  
Old 10/29/2018, 16:59   #3
 
elite*gold: 0
Join Date: Apr 2014
Posts: 23
Received Thanks: 22
Quote:
Originally Posted by FaceMyFizz
Good job, uses a public bypass and wants money for it ^^
BTW, I have heard that some people got banned with it?
So far we've heard rumors of people getting banned, but nothing confirmed yet.
imi-tat0r is offline  
Old 10/29/2018, 17:19   #4
 
elite*gold: 30
The Black Market: 123/0/0
Join Date: Sep 2012
Posts: 5,019
Received Thanks: 1,396
Quote:
Originally Posted by imi-tat0r
[full analysis from post #1 quoted above]
So that the pictures can be seen.

Just wanted to ask on HM whether I can share this.


burncode is offline  
Old 10/29/2018, 17:20   #5
 
elite*gold: 7
Join Date: Jun 2013
Posts: 108
Received Thanks: 17
I actually don't have the time to focus on such a bad attempt at discrediting, therefore I'll just write the most important stuff:
It is only one of my bypasses and it worked. I had a dispute with this guy on High Minded because he was discrediting me from the beginning just for his own sake.
Someone leaked him one version I had and he now analysed it to discredit me once more. Here, I use a vulnerable driver to load my cheat, which is nothing bad. The hack was UD since the leak, so he didn't prove that I'm a scammer nor that the hack is not working. He is a rat and after this statement, I will just leak his hack and his users should ASAP stop using his hacks to avoid a ban. I am still undetected and have two other bypasses ready. He himself is using a public TDL loader, with which he never managed to stay UD on bigger ACs, because he really uses public stuff that has been proven to be detected hundreds of times.

Additional stuff out of my thread:

"He just opened one of my unpacked installers (= not running ingame) in a debugger and declared it as reverse engineered. It is not loaded while playing, therefore your security findings are useless, and you even skipped the only file which is run while ingame and compatible with the security features I name in my thread in your wannabe analysis, because it was packed, which actually would have required reversing skills. Finally, this is no security analysis but rather a bypass leak, and this is the worst stuff you can do to yourself. You are a meme and a rat and, like I already said, karma is a ***** and will hit you back. Harder than you tried to hit me.

I do not send the same bypass to all users to avoid risks of multiple bans, something you will never understand with your real public TDL VAC/MM hack ev0lve.xyz, which gets sigged soon and continuously from now on, which is just one thing I will take care of."
skadro is offline  
Old 10/29/2018, 17:23   #6
 
elite*gold: 30
The Black Market: 123/0/0
Join Date: Sep 2012
Posts: 5,019
Received Thanks: 1,396
Quote:
Originally Posted by skadro
I actually don't have the time to focus on such a bad attempt at discrediting, therefore I'll just write the most important stuff:
It is only one of my bypasses and it worked. I had a dispute with this guy on High Minded because he was discrediting me from the beginning just for his own sake.
Someone leaked him one version I had and he now analysed it to discredit me once more. Here, I use a vulnerable driver to load my cheat, which is nothing bad. The hack was UD since the leak, so he didn't prove that I'm a scammer nor that the hack is not working. He is a rat and after this statement, I will just leak his hack and his users should ASAP stop using his hacks to avoid a ban. I am still undetected and have two other bypasses ready.
Just do it and stop talking nonsense.
Besides, it is an analysis.
burncode is offline  
Thanks
1 User
Old 10/29/2018, 17:24   #7
 
elite*gold: 0
Join Date: Apr 2014
Posts: 23
Received Thanks: 22
Quote:
Originally Posted by skadro
I actually don't have the time to focus on such a bad attempt at discrediting, therefore I'll just write the most important stuff:
It is only one of my bypasses and it worked. I had a dispute with this guy on High Minded because he was discrediting me from the beginning just for his own sake.
Someone leaked him one version I had and he now analysed it to discredit me once more. Here, I use a vulnerable driver to load my cheat, which is nothing bad. The hack was UD since the leak, so he didn't prove that I'm a scammer nor that the hack is not working. He is a rat and after this statement, I will just leak his hack and his users should ASAP stop using his hacks to avoid a ban. I am still undetected and have two other bypasses ready.
The fact that you used a public bypass, even if it were only one of many you have, is sad enough.

The hack has many detection vectors. I'll just name a few:
- The handle can be enumerated.
- The DLL is loaded via LoadLibrary into csrss.exe, meaning ESEA can easily dump the memory.

Also, you will not leak ****
imi-tat0r is offline  
Old 10/29/2018, 17:29   #8
 
elite*gold: 7
Join Date: Jun 2013
Posts: 108
Received Thanks: 17
Quote:
Originally Posted by imi-tat0r
The fact that you used a public bypass, even if it were only one of many you have, is sad enough.

The hack has many detection vectors. I'll just name a few:
- The handle can be enumerated.
- The DLL is loaded via LoadLibrary into csrss.exe, meaning ESEA can easily dump the memory.

Also, you will not leak ****
Holy cow, he thinks I'm using LoadLibrary on csrss.exe. lmao. Additionally, no, there is no handle when they scan. **** it. You are as unqualified as possible. I will not continue reading this, I've got work to do. You are a rat and karma is a *****, I told you already.
skadro is offline  
Old 10/29/2018, 17:32   #9
 
elite*gold: 0
Join Date: Apr 2014
Posts: 23
Received Thanks: 22
Quote:
Originally Posted by skadro
Holy cow, he thinks I'm using LoadLibrary on csrss.exe. lmao. Additionally, no, there is no handle when they scan. **** it. You are as unqualified as possible. I will not continue reading this, I've got work to do. You are a rat and karma is a *****, I told you already.
- So you're getting this just for fun?
Even if you manually map the hack into the process, your bypass is still public.
imi-tat0r is offline  
Thanks
3 Users
Old 10/29/2018, 19:32   #10
 
elite*gold: 0
Join Date: Jun 2012
Posts: 103
Received Thanks: 23
Quote:
Originally Posted by imi-tat0r
- So you're getting this just for fun?
Even if you manually map the hack into the process, your bypass is still public.
He probably doesn't even know what your screenshot means, because he is lacking a lot of knowledge about coding in general and just copy-pasted a public bypass.
Ossus is offline  
Thanks
2 Users
Old 10/30/2018, 00:56   #11
 
elite*gold: 7
Join Date: Jun 2013
Posts: 108
Received Thanks: 17
Quote:
Originally Posted by imi-tat0r
- So you're getting this just for fun?
Even if you manually map the hack into the process, your bypass is still public.
It is used to fix the imports when manually mapping the hack, not even bypass related. You goddamn liar.

Proof:



Oh man, you don't fk with me. You will enjoy what will happen.

Quote:
Originally Posted by Ossus
He probably doesn't even know what your screenshot means, because he is lacking a lot of knowledge about coding in general and just copy-pasted a public bypass.
Guess you're wrong, idiot.

One more statement:



I will not read any more stuff that will be posted. It's discrediting with proven lies and half-knowledge, and I will not put any more time into proving anything to full retards.

EDIT: There we go:
skadro is offline  
Thanks
1 User
Old 10/30/2018, 02:22   #12
 
elite*gold: 0
Join Date: Apr 2014
Posts: 23
Received Thanks: 22
Quote:
Originally Posted by skadro
[post #11 quoted above]
As I said, your bypass is still public though.
imi-tat0r is offline  
Old 10/30/2018, 18:28   #13
 
elite*gold: 0
Join Date: Oct 2018
Posts: 1
Received Thanks: 0

The 3D sound ESP works well, and the aimbot can be set like Kjaerbye's aim style.
But you can also set it to a perfectly legit aimbot, very perfect to get a headshot.
AZLGOOD is offline  
Old 11/02/2018, 15:58   #14
 
elite*gold: 0
Join Date: Apr 2014
Posts: 23
Received Thanks: 22
push
imi-tat0r is offline  
Old 11/07/2018, 18:16   #15
 
elite*gold: 197
Join Date: Dec 2015
Posts: 17
Received Thanks: 6
It wouldn't be so sad if the price wasn't that high, push btw.


JyBit is offline  