For educational purposes only:
Part 1. Local detection
Where they get their valid hashes from:
Code:
decrypting --> TextAsset asset = Resources.Load("fndid", typeof(TextAsset));
How they are checking:
Code:
private bool AssemblyAllowed(string libraryPath)
{
    string str = libraryPath.Substring(libraryPath.LastIndexOf("/") + 1);
    int assemblyHash = GetAssemblyHash(libraryPath);
    for (int i = 0; i < this.allowedAssemblies.Length; i++)
    {
        AllowedAssembly assembly = this.allowedAssemblies[i];
        if ((assembly.name == str) && (Array.IndexOf<int>(assembly.hashes, assemblyHash) != -1))
        {
            return true;
        }
    }
    return false;
}
Where they are checking:
Code:
private bool FindSecretionInCurrentAssemblies()
{
    foreach (string str in FindLibrariesAt(Application.get_dataPath() + "/Managed/"))
    {
        if (!this.AssemblyAllowed(str))
        {
            return true;
        }
    }
    return false;
}
What they are checking:
Code:
internal static string[] FindLibrariesAt(string dir)
{
    string[] strArray = new string[0];
    if (Directory.Exists(dir))
    {
        strArray = Directory.GetFiles(dir, "*.dll", SearchOption.AllDirectories);
        for (int i = 0; i < strArray.Length; i++)
        {
            strArray[i] = strArray[i].Replace('\\', '/');
        }
    }
    return strArray;
}
What else they are detecting:
Code:
private void OnNewAssemblyLoaded(object sender, AssemblyLoadEventArgs args)
{
    if (this.AssemblyAllowed(args.LoadedAssembly.CodeBase))
    {
        return;
    }
    Label_0016:
    goto Label_0016;
}
What they do on detection:
Code:
private void StartDetectionInternal(Action callback)
{
    if (isRunning)
    {
        Debug.LogWarning("[ACTk] Secretion Detector already running!");
        return;
    }
    base.onDetection = callback;
    if (this.allowedAssemblies == null)
    {
        this.LoadAndParseAllowedAssemblies();
    }
    if (!this.signaturesAreNotGenuine)
    {
        if (!this.FindSecretionInCurrentAssemblies())
        {
            AppDomain.CurrentDomain.AssemblyLoad += new AssemblyLoadEventHandler(this.OnNewAssemblyLoaded);
            isRunning = true;
            base.set_enabled(true);
            return;
        }
        this.OnSecretionDetected();
        goto Label_007C;
    }
    this.OnSecretionDetected();
    Label_003E:
    goto Label_003E;
    Label_007C:
    goto Label_007C;
}
Where I believe they indirectly store results due to not exiting earlier:
Code:
this.hexTable = new string[0x100];
for (int j = 0; j < 0x100; j++)
{
    this.hexTable[j] = j.ToString("x2");
}
In combination with:
Code:
private string PublicKeyTokenToString(byte[] bytes)
{
    string str = string.Empty;
    for (int i = 0; i < 8; i++)
    {
        str = str + this.hexTable[bytes[i]];
    }
    return str;
}
When do they check:
Code:
Startup and runtime due to start, pause, resume, stop functionality.
Part 2. How they might handle local results
Code:
public void ReauthenticateClients()
{
    this._LastReauthenticationTime = Time.get_time();
    this.HandleHangingRequests();
    this.BurnPeasants();
    this.CycleKey();
    this.RequestVerification();
}
When they ban:
Code:
public uint GetExpectedResponse(uint key, int verifierIndex)
{
    if (verifierIndex >= this.AuthenticityVerifiers.Count)
    {
        return 0;
    }
    MonoBehaviour behaviour = this.AuthenticityVerifiers[verifierIndex];
    if (behaviour == null)
    {
        return 0;
    }
    behaviour.set_enabled(false);
    behaviour.get_gameObject().set_name(key.ToString());
    behaviour.set_enabled(true);
    return Convert.ToUInt32(behaviour.get_gameObject().get_name(), 10);
}
They ban like this:
Code:
public void BurnPeasants()
{
    foreach (Player player in this._Peasants)
    {
        Server.Ban(player, 1, this.BanReason);
    }
    this._Peasants.Clear();
}
Part 3. How Part 1. and 2. may interconnect
Part 1. is based upon:
Code:
.Core.Optimized which contains base for Part 1 detector and all sorts of crypto combined datatype definitions used mainly by PlayerHealth related methods in .Entities.Definitions. connected to almost any interaction events with the environment or time-based events.
Results
-The label deadlocks may account for crashes/hangs.
-Bans can be nondeterministic in time schedule - depends on when/if they scan.
-Earliest in-game ban would be minimum after 4*60 seconds
-Lost interaction capability with object may be accounted for by the keyed valuetypes connected to almost any player interaction.
-They detect injection - not all kinds of injection: reflection or any managed kind of injection will be detected.
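Added example, not part of the original post and not ACTk code: a stand-alone allowlist scan in the shape of FindLibrariesAt plus AssemblyAllowed above, which returns the offending paths instead of a single bool so a detection can be logged and reported. GetAssemblyHash is not shown in the post, so hashing the file contents with SHA-256 is an assumption made here; the class name, method names and sample files are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

public static class AssemblyAllowlist
{
    // Lower-case hex SHA-256 of a file's bytes (assumed hash; the post does not show GetAssemblyHash).
    public static string HashFile(string path)
    {
        using (var sha = SHA256.Create())
        using (var stream = File.OpenRead(path))
            return BitConverter.ToString(sha.ComputeHash(stream)).Replace("-", "").ToLowerInvariant();
    }

    // Returns every *.dll under dir whose name is unknown or whose hash is not listed for that name.
    // An empty result means the directory matches the allowlist.
    public static List<string> FindUnexpected(string dir, IDictionary<string, HashSet<string>> allowed)
    {
        var unexpected = new List<string>();
        if (!Directory.Exists(dir)) return unexpected;
        foreach (string path in Directory.GetFiles(dir, "*.dll", SearchOption.AllDirectories))
        {
            HashSet<string> hashes;
            if (!allowed.TryGetValue(Path.GetFileName(path), out hashes) || !hashes.Contains(HashFile(path)))
                unexpected.Add(path.Replace('\\', '/'));
        }
        return unexpected;
    }

    public static void Main()
    {
        // Constructed sample: a temp directory with one allowlisted file and one extra file.
        string dir = Path.Combine(Path.GetTempPath(), "allowlist-demo-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);
        File.WriteAllBytes(Path.Combine(dir, "Game.dll"), new byte[] { 1, 2, 3 });
        File.WriteAllBytes(Path.Combine(dir, "Extra.dll"), new byte[] { 9 });

        var allowed = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
        allowed["Game.dll"] = new HashSet<string> { HashFile(Path.Combine(dir, "Game.dll")) };

        foreach (string p in FindUnexpected(dir, allowed))
            Console.WriteLine("unexpected assembly: " + p);   // only Extra.dll is reported
        Directory.Delete(dir, true);
    }
}
```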