Page 1 of 3
Results 1 to 15 of 35
#1 .Zer0

    [Question] DLL Structure

    Hey, so I just opened this thread so you can ask about specific parts of the DLL and get possible answers.

    I also have a question:

    Does anyone know what the AutoAim in Assembly-CSharp is for? I cannot remember anything using any kind of autoaim, or am I wrong?
    Last edited by Hunter; 01-28-2016 at 03:09 PM.

#2 fisheyed
    Quote Originally Posted by .Zer0:
    Hey, so I just opened this thread so you can ask about specific parts of the DLL and get possible answers.

    I also have a question:

    Does anyone know what the AutoAim in Assembly-CSharp is for? I cannot remember anything using any kind of autoaim, or am I wrong?
    As far as I've traced it, it is used by the NPC.

#3 .Zer0
    Hmm, interesting. You could work with that: increase the range of NPCs and other stuff.

#4 fisheyed
    For educational purposes only:

    Part 1. Local detection

    Where they get their valid hashes from:
    Code:
    // the allowed name/hash list is decrypted from this embedded TextAsset
    TextAsset asset = (TextAsset) Resources.Load("fndid", typeof(TextAsset));
    How they are checking:
    Code:
    private bool AssemblyAllowed(string libraryPath)
    {
        // match on the bare file name (everything after the last '/') plus a hash of the file
        string str = libraryPath.Substring(libraryPath.LastIndexOf("/") + 1);
        int assemblyHash = GetAssemblyHash(libraryPath);
        for (int i = 0; i < this.allowedAssemblies.Length; i++)
        {
            AllowedAssembly assembly = this.allowedAssemblies[i];
            // a known name may carry several allowed hashes (one per shipped version)
            if ((assembly.name == str) && (Array.IndexOf<int>(assembly.hashes, assemblyHash) != -1))
            {
                return true;
            }
        }
        return false;
    }
    Where they are checking:
    Code:
    private bool FindSecretionInCurrentAssemblies()
    {
        // every .dll under <game>_Data/Managed/ has to be on the allowed list
        foreach (string str in FindLibrariesAt(Application.dataPath + "/Managed/"))
        {
            if (!this.AssemblyAllowed(str))
            {
                return true;   // the first unknown or modified assembly counts as a detection
            }
        }
        return false;
    }
    What they are checking:
    Code:
    internal static string[] FindLibrariesAt(string dir)
    {
        string[] strArray = new string[0];
        if (Directory.Exists(dir))
        {
            // recursive, so a DLL dropped into any subfolder is scanned as well
            strArray = Directory.GetFiles(dir, "*.dll", SearchOption.AllDirectories);
            for (int i = 0; i < strArray.Length; i++)
            {
                strArray[i] = strArray[i].Replace('\\', '/');   // normalised for the name match above
            }
        }
        return strArray;
    }

    What else they detect:
    Code:
    private void OnNewAssemblyLoaded(object sender, AssemblyLoadEventArgs args)
    {
        if (this.AssemblyAllowed(args.LoadedAssembly.CodeBase))
        {
            return;
        }
        // unknown assembly: decompiler output of a deliberate endless loop that hangs the game
    Label_0016:
        goto Label_0016;
    }
    What they do on detection:
    Code:
    private void StartDetectionInternal(Action callback)
    {
        if (isRunning)
        {
            Debug.LogWarning("[ACTk] Secretion Detector already running!");
            return;
        }
        base.onDetection = callback;
        if (this.allowedAssemblies == null)
        {
            this.LoadAndParseAllowedAssemblies();   // decrypt and parse the "fndid" list
        }
        if (!this.signaturesAreNotGenuine)
        {
            if (!this.FindSecretionInCurrentAssemblies())
            {
                // clean so far: watch every assembly that gets loaded from now on
                AppDomain.CurrentDomain.AssemblyLoad += new AssemblyLoadEventHandler(this.OnNewAssemblyLoaded);
                isRunning = true;
                base.enabled = true;
                return;
            }
            this.OnSecretionDetected();
            goto Label_007C;
        }
        this.OnSecretionDetected();
        // both detection paths end in a deliberate endless loop (hang)
    Label_003E:
        goto Label_003E;
    Label_007C:
        goto Label_007C;
    }

    Where I believe they indirectly store results, due to not exiting earlier:

    Code:
    // 256-entry lookup table of two-digit hex strings, built once
    this.hexTable = new string[0x100];
    for (int j = 0; j < 0x100; j++)
    {
        this.hexTable[j] = j.ToString("x2");
    }
    In combination with:
    Code:
    private string PublicKeyTokenToString(byte[] bytes)
    {
        // the 8-byte public key token rendered as 16 hex characters via the table
        string str = string.Empty;
        for (int i = 0; i < 8; i++)
        {
            str = str + this.hexTable[bytes[i]];
        }
        return str;
    }
    When do they check:
    At startup and at runtime, through the start, pause, resume and stop functionality.

    Part 2. How they might handle local results

    Code:
    public void ReauthenticateClients()
    {
        this._LastReauthenticationTime = Time.time;
        this.HandleHangingRequests();   // requests from the last round that were never answered
        this.BurnPeasants();            // ban everyone flagged since the last round
        this.CycleKey();                // fresh challenge key
        this.RequestVerification();     // send the new challenge to the clients
    }
    When they ban:
    Code:
    public uint GetExpectedResponse(uint key, int verifierIndex)
    {
        if (verifierIndex >= this.AuthenticityVerifiers.Count)
        {
            return 0;
        }
        MonoBehaviour behaviour = this.AuthenticityVerifiers[verifierIndex];
        if (behaviour == null)
        {
            return 0;
        }
        // the GameObject name is the challenge/response channel: write the key, toggle the
        // verifier so its disable/enable callbacks run and rewrite the name, read the result back
        behaviour.enabled = false;
        behaviour.gameObject.name = key.ToString();
        behaviour.enabled = true;
        return Convert.ToUInt32(behaviour.gameObject.name, 10);
    }
    They ban like this:
    Code:
    public void BurnPeasants()
    {
        // everyone collected in _Peasants since the last cycle gets a ban with the same reason
        foreach (Player player in this._Peasants)
        {
            Server.Ban(player, 1, this.BanReason);
        }
        this._Peasants.Clear();
    }
    Part 3. How Part 1 and Part 2 may interconnect

    Part 1 is based upon:

    .Core.Optimized, which contains the base for the Part 1 detector and all sorts of crypto-combined datatype definitions, used mainly by PlayerHealth-related methods in .Entities.Definitions, connected to almost any interaction event with the environment or time-based event.

    Results
    - The label deadlocks may account for crashes/hangs.
    - Bans can be nondeterministic in their timing; it depends on when/if they scan.
    - The earliest in-game ban would be after a minimum of 4*60 seconds.
    - Lost interaction capability with objects may be accounted for by the keyed value types connected to almost any player interaction.
    - They detect injection, but not all kinds of injection: reflection or any managed kind of injection will be detected.
    Last edited by fisheyed; 03-31-2015 at 09:20 PM.

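The allowlist scan fisheyed walks through in post #4 (FindLibrariesAt, AssemblyAllowed, FindSecretionInCurrentAssemblies), reimplemented here as an added Python example; this is my code, not the game's or ACTk's. GetAssemblyHash is not shown on the page, so the first four bytes of a SHA-256 stand in for it, and the "DLLs" the script writes are constructed byte strings, not real assemblies. It runs the three cases the thread argues about: a DLL dropped into Managed/ (unknown name), Assembly-CSharp.dll patched on disk (known name, hash not listed), and a change that never touches the files, which this scan cannot see.

```python
"""Reimplementation of the assembly allowlist scan from post #4 (added example,
not the game's or ACTk's code). GetAssemblyHash is not shown on the page, so the
first four bytes of SHA-256 stand in for it (assumption); the "DLLs" written below
are constructed byte strings, not real assemblies."""
from __future__ import annotations

import hashlib
import os
import tempfile


def get_assembly_hash(path: str) -> int:
    """Stand-in for GetAssemblyHash: SHA-256 of the file, truncated to an int."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).digest()
    return int.from_bytes(digest[:4], "little", signed=True)


def find_libraries_at(directory: str) -> list[str]:
    """Mirror of FindLibrariesAt: every *.dll below the dir, '/'-separated."""
    if not os.path.isdir(directory):
        return []
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(".dll"):
                found.append(os.path.join(root, name).replace("\\", "/"))
    return sorted(found)


def assembly_allowed(path: str, allowed: dict[str, set[int]]) -> bool:
    """Mirror of AssemblyAllowed: the file name after the last '/' must be a
    known name and the file's hash must be one of the hashes listed for it."""
    name = path[path.rfind("/") + 1:]
    return get_assembly_hash(path) in allowed.get(name, set())


def find_secretion(managed_dir: str, allowed: dict[str, set[int]]) -> list[str]:
    """Mirror of FindSecretionInCurrentAssemblies, except it reports every
    offending file name instead of stopping at the first one."""
    return [os.path.basename(p) for p in find_libraries_at(managed_dir)
            if not assembly_allowed(p, allowed)]


def build_allowlist(managed_dir: str) -> dict[str, set[int]]:
    """What a decrypted 'fndid' list amounts to: name -> allowed hashes."""
    allowed: dict[str, set[int]] = {}
    for p in find_libraries_at(managed_dir):
        allowed.setdefault(os.path.basename(p), set()).add(get_assembly_hash(p))
    return allowed


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean Managed/ folder, then the three cases."""
    results: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        managed = os.path.join(tmp, "Managed")
        os.makedirs(managed)
        originals = {"Assembly-CSharp.dll": b"game code", "UnityEngine.dll": b"engine"}
        for name, body in originals.items():
            with open(os.path.join(managed, name), "wb") as f:
                f.write(body)
        allowed = build_allowlist(managed)
        results["clean"] = find_secretion(managed, allowed)

        # 1. a cheat DLL dropped next to the game assemblies: unknown name, flagged
        with open(os.path.join(managed, "cheat.dll"), "wb") as f:
            f.write(b"injected")
        results["dropped_dll"] = find_secretion(managed, allowed)
        os.remove(os.path.join(managed, "cheat.dll"))

        # 2. Assembly-CSharp.dll patched on disk: known name, hash not listed, flagged
        with open(os.path.join(managed, "Assembly-CSharp.dll"), "ab") as f:
            f.write(b" + patch")
        results["patched_on_disk"] = find_secretion(managed, allowed)

        # 3. restore the file: an IL or memory patch that never touches disk leaves
        #    the files exactly like this, so the scan has nothing to flag
        with open(os.path.join(managed, "Assembly-CSharp.dll"), "wb") as f:
            f.write(originals["Assembly-CSharp.dll"])
        results["memory_only"] = find_secretion(managed, allowed)
    return results


if __name__ == "__main__":
    for case, flagged in demo().items():
        print(f"{case:16s} -> {flagged or 'nothing flagged'}")
```

The name match is on the bare file name only, so a cheat DLL that reuses an allowed name still fails on the hash; what the file scan never sees is anything that stays in memory, which is exactly the gap the AssemblyLoad hook in OnNewAssemblyLoaded is there to cover.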

#5 .Zer0
    Thanks man, this is great! I had to laugh at the ban function BurnPeasants xD

    But so they actually do notice injection, hmm. So do you think they are preparing a ban wave?

#6 fisheyed
    Quote Originally Posted by .Zer0:
    Thanks man, this is great! I had to laugh at the ban function BurnPeasants xD

    But so they actually do notice injection, hmm. So do you think they are preparing a ban wave?
    I guess it's not a specific injection check; they just re-check the modules they loaded themselves, and by that could detect some .NET-based (so also CLR hosting) events. It rather depends on the injection context used.

    I think they prepare some stuff, see how it works out (that's why they only have a 24h ban as yet; afraid of false positives) and maybe gather information and act later or upgrade later.
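The server-side cycle from Part 2 of post #4 (ReauthenticateClients, GetExpectedResponse, BurnPeasants), modelled as an added Python example to show why a ban lands a cycle after the failed check and where a false positive can come from; this is my model, not the game's code. The real verifier transforms are not on the page, so two constructed keyed mixes stand in for them, and treating a request that is still unanswered at the next cycle as a failure is an assumption about HandleHangingRequests.

```python
"""Model of the ReauthenticateClients / GetExpectedResponse / BurnPeasants cycle
quoted in post #4. Added example: this is not the game's code. The real verifier
transforms are not on the page, so two constructed keyed mixes stand in for them,
and how HandleHangingRequests treats silent clients is an assumption."""
from __future__ import annotations

import random
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF


def verifier_0(key: int) -> int:
    """Constructed stand-in for AuthenticityVerifiers[0]."""
    rotated = ((key << 7) | (key >> 25)) & MASK
    return rotated ^ 0xA5A5A5A5


def verifier_1(key: int) -> int:
    """Constructed stand-in for AuthenticityVerifiers[1]."""
    return (key * 0x9E3779B1 + 0x7F4A7C15) & MASK


VERIFIERS = [verifier_0, verifier_1]


@dataclass
class Client:
    name: str
    verifiers: list            # what this client's assembly really computes
    responsive: bool = True    # False: the request hangs and is never answered

    def answer(self, key: int, idx: int) -> int | None:
        return self.verifiers[idx](key) if self.responsive else None


@dataclass
class Server:
    rng: random.Random
    clients: list
    key: int = 0
    pending: dict = field(default_factory=dict)    # name -> (key, idx) not yet answered
    peasants: list = field(default_factory=list)   # flagged, burned on the next cycle
    banned: dict = field(default_factory=dict)     # name -> reason
    ban_reason: str = "failed authenticity check"

    def get_expected_response(self, key: int, idx: int) -> int:
        # GetExpectedResponse returns 0 for an unknown verifier index
        return VERIFIERS[idx](key) if idx < len(VERIFIERS) else 0

    def handle_hanging_requests(self) -> None:
        # assumption: a request still unanswered at the next cycle counts as a failure
        self.peasants.extend(self.pending)
        self.pending.clear()

    def burn_peasants(self) -> None:
        for name in self.peasants:               # Server.Ban(player, 1, BanReason)
            self.banned[name] = self.ban_reason
        self.peasants.clear()

    def cycle_key(self) -> None:
        self.key = self.rng.getrandbits(32)

    def request_verification(self) -> None:
        idx = self.rng.randrange(len(VERIFIERS))
        for c in self.clients:
            if c.name in self.banned:
                continue
            reply = c.answer(self.key, idx)
            if reply is None:
                self.pending[c.name] = (self.key, idx)      # picked up by the next cycle
            elif reply != self.get_expected_response(self.key, idx):
                self.peasants.append(c.name)

    def reauthenticate_clients(self) -> None:
        """Same call order as the decompiled ReauthenticateClients."""
        self.handle_hanging_requests()
        self.burn_peasants()
        self.cycle_key()
        self.request_verification()


def simulate(cycles: int = 3, seed: int = 1) -> dict[str, int | None]:
    """Cycle in which each constructed client gets banned (None = never)."""
    patched = [lambda k: verifier_0(k) ^ 1, lambda k: verifier_1(k) ^ 1]
    clients = [
        Client("honest", VERIFIERS),
        Client("tampered", patched),                       # modified verifier code
        Client("lagging", VERIFIERS, responsive=False),    # honest but never answers
    ]
    srv = Server(random.Random(seed), clients)
    banned_at: dict[str, int | None] = {c.name: None for c in clients}
    for n in range(1, cycles + 1):
        srv.reauthenticate_clients()
        for name in srv.banned:
            if banned_at[name] is None:
                banned_at[name] = n
    return banned_at


if __name__ == "__main__":
    print(simulate())
```

The tampered client fails the check in cycle 1 but is only burned when cycle 2 calls BurnPeasants, which is the one-cycle delay the "earliest ban" note in post #4 is about; the lagging client is honest and still ends up banned in the same cycle, which is the false-positive risk discussed above.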

#7 .Zer0
    Well, any info they gather isn't accurate enough anyway if they cannot reduce or avoid false positives in the first place.
    Well, if everything else fails we go directly to memory :P

#8 encode
    That is crap. Replace the method IL with your own before JIT and voilà, no detection.

    This is CLI, don't forget.


#9 fisheyed
    That's why I said .NET-based methods / reflection get detected; I actually tested that :P Then I made a Mono hook.

    This uses the same method they use to detect loaded assemblies:

    Code:
    using System;
    using System.Reflection;

    namespace examplehost
    {
        class MainClass
        {
            public static void Main()
            {
                AppDomain currentDomain = AppDomain.CurrentDomain;
                // same hook the detector installs: fires for every assembly that enters the domain
                currentDomain.AssemblyLoad += new AssemblyLoadEventHandler(MyAssemblyLoadEventHandler);

                // snapshot before, wait for the injection, snapshot after
                PrintLoadedAssemblies(currentDomain);
                Console.ReadKey();

                PrintLoadedAssemblies(currentDomain);
                Console.ReadKey();
            }

            static void PrintLoadedAssemblies(AppDomain domain)
            {
                Console.WriteLine("LOADED ASSEMBLIES:");
                foreach (Assembly a in domain.GetAssemblies())
                {
                    Console.WriteLine(a.FullName);
                }
                Console.WriteLine();
            }

            static void MyAssemblyLoadEventHandler(object sender, AssemblyLoadEventArgs args)
            {
                Console.WriteLine("ASSEMBLY LOADED: " + args.LoadedAssembly.FullName);
                Console.WriteLine();
            }
        }
    }
    Now inject via reflection or CLR hosting and it gets detected; that was my point.
    Last edited by fisheyed; 04-01-2015 at 05:53 PM.

#10 encode
    Show me your "tested" code.

    Swap the IL/CIL/MSIL (whatever you call it) of the target method with your own opcodes at runtime.

    You can swap even after they hit JIT.

    - - - Updated - - -

    Quote Originally Posted by fisheyed:
    That's why I said .NET-based methods / reflection get detected; I actually tested that :P Then I made a Mono hook.

    This uses the same method they use to detect loaded assemblies:

    [quoted code as in post #9]

    Now inject via reflection or CLR hosting and it gets detected; that was my point.
    I am talking about that? Re-read my 2nd post.

#11 fisheyed
    No, but I am and was talking about that, because this is what they do. Mono hooking isn't affected.

#12 encode
    Then why answer my statement if what you are talking about is not the same?

#13 fisheyed
    Quote Originally Posted by encode:
    Then why answer my statement if what you are talking about is not the same?
    Sorry encode, I don't know what you're after, or why argue about nothing. You probably have lots more experience than me in reversing and system knowledge, but I wasn't after that.

    I answered because you replied to my info (.NET injections are being detected) with "this is crap". It's not; it's fact. Sure you can circumvent it, but I was just pointing out the current situation so people don't get banned for not knowing.

    Have a good one.


#14 encode
    Quote Originally Posted by fisheyed:
    Sorry encode, I don't know what you're after, or why argue about nothing. You probably have lots more experience than me in reversing and system knowledge, but I wasn't after that.

    I answered because you replied to my info (.NET injections are being detected) with "this is crap". It's not; it's fact. Sure you can circumvent it, but I was just pointing out the current situation so people don't get banned for not knowing.

    Have a good one.
    I didn't say it is not; the crap is their detection. I pointed you to how to stop the detection.

    The update I was going to release, before some dickhead told me I was late releasing (I'm nobody's worker), contains a runtime patcher for that detection, so people could have assembly modifications.

    Sorry if my English is not so good.

#15 .Zer0
    Quote Originally Posted by encode:
    I didn't say it is not; the crap is their detection. I pointed you to how to stop the detection.

    The update I was going to release, before some dickhead told me I was late releasing (I'm nobody's worker), contains a runtime patcher for that detection, so people could have assembly modifications.

    Sorry if my English is not so good.
    You shouldn't let someone affect your decision about what you do. If it's a single person, then just fuck his opinion; there are enough idiots on the internet. If you want to release it, that is your choice and not to be asked for; it is a gift and a contribution, not a service that is bound.
