#1 dmx66_96

MOSS 0.98 Bypass

    Hai guys,

Tonight I noticed that in some sections of ESL.eu Italy they are using an "anticheat" called MOSS, and I decided to reverse this piece of "fantastic" shit to make my night more fun.

This anticheat DOESN'T:
- Scan any memory or process
- Obfuscate any address (like ESEA)
- Communicate with an external server (except for a government site to get the correct time and date; I will talk about this later)
- Hook any API

Also, it's not packed or protected with any anti-debugging technique, so life is easier for EVERYBODY.

After searching for the string %s.JPG -> looking at the local call from 0040307C -> scrolling up a bit, I see this piece of code that manages whether the software has to take a screenshot or not.

Code:
    00402FFF  |> 83BD 60FEFFFF >|CMP DWORD PTR SS:[EBP-1A0],1            ;  Compare EBP-1A0 with 1
    00403006     0F85 9A000000  JNZ Moss.004030A6                        ;  If EBP-1A0 is 0 it doesn't jump and takes a screenshot...
    0040300C  |. 8B95 50FCFFFF  |MOV EDX,DWORD PTR SS:[EBP-3B0]          ;  ...some lines above...
    00403012  |. 83C2 01        |ADD EDX,1                               ;  ... @ CALL 00405450
After setting breakpoints at 00403006 and 00402FFF and watching the value of EBP-1A0 with Cheat Engine, I got confirmation that I only need to check this flag to bypass the screenshot.
If I read the value '1', I have to turn off all visuals.


Another ghetto way to bypass the screenshot is getting the EAX address of the called function that takes the screenshot, which is:
Code:
    00403061  |. 8B15 E4F15700  |MOV EDX,DWORD PTR DS:[57F1E4]
    00403067  |. 52             |PUSH EDX                                ; /Arg4 => 00000000
    00403068  |. A1 E8F15700    |MOV EAX,DWORD PTR DS:[57F1E8]           ; |
    0040306D  |. 50             |PUSH EAX                                ; |Arg3 => 00000006
    0040306E  |. 8D8D 68FEFFFF  |LEA ECX,DWORD PTR SS:[EBP-198]          ; |
    00403074  |. 51             |PUSH ECX                                ; |Arg2
    00403075  |. 8D95 58FCFFFF  |LEA EDX,DWORD PTR SS:[EBP-3A8]          ; |
    0040307B  |. 52             |PUSH EDX                                ; |Arg1
    0040307C  |. E8 CF230000    |CALL Moss.00405450                      ; \<--Screenshot function
And doing these other magic tricks:

Code:
    // Set the screenshot timer to 1 so the AC gets the chance to take a single screenshot
    *(int*)0x0057F1E8 = 1;
    // After 60 seconds...
    Sleep( 60000 );
    // ...the software needs to wait 133337 minutes before taking another screenshot
    *(int*)0x0057F1E8 = 133337;
Another funny thing is, as I said, the communication with the government website for getting the current date and time. If you have a firewall installed, block the communication and set your Windows clock to whichever time you want to see in the logs. Same story when you stop the AC: block the communication and set the date and time you want.
Then if you forgot to start MOSS in an ESL match, you can easily create a fake MOSS log file without problems. (Or maybe a clean log file without dirty screens.)
(Unfortunately I have no motivation for doing this in Olly, maybe later. I promise.)


Hope you enjoyed this; if I said some shit, let me know.
A lil thanks goes to lowHertz for giving me some "privatel33b45mless0n5" :o)
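The two weaknesses the post leans on at the end (a time source that can simply be blocked, and a log file the client writes entirely on its own) are the ones an anticheat operator would want to close. As an added example from the editor, not MOSS code and not anything ESL runs, here is a server-side check in Python: the league server issues HMAC-bound time tokens per match session, the client has to store one next to every screenshot record, and a submitted log is accepted only if every record carries a valid token for that session and the token times show no gap longer than the policy allows, including the stretch between the last screenshot and the end of the match. A client that blocks the network or stops the AC early cannot obtain tokens, and without the key it cannot forge them. The key, the token layout, the 120-second policy and the four sample logs are all constructed assumptions.

```python
import hashlib
import hmac

# Assumption: this key lives only on the league's server; the client never sees it.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_GAP_SECONDS = 120  # assumed policy: a screenshot at least every two minutes


def issue_time_token(session_id, server_now, key=SERVER_KEY):
    """Server side: bind the server's own clock reading to this match session.

    The client stores the token beside each screenshot record it writes. Without
    network access it cannot get one, and without the key it cannot forge one.
    """
    msg = f"{session_id}:{server_now}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"session": session_id, "ts": server_now, "tag": tag}


def verify_log(session_id, entries, match_start, match_end,
               key=SERVER_KEY, max_gap=MAX_GAP_SECONDS):
    """Server side: accept a submitted log only if every screenshot record
    carries a valid token for this session and the token times are plausible.

    Returns (ok, reason). A record is a dict like
        {"token": {...}, "sha256": "<hash of the screenshot file>"}
    Local clock values in the record are ignored on purpose: only server-issued
    tokens count as time evidence.
    """
    prev_ts = match_start
    for i, entry in enumerate(entries):
        tok = entry.get("token")
        if tok is None:
            return False, f"record {i}: no server time token (local clock only)"
        if tok.get("session") != session_id:
            return False, f"record {i}: token belongs to another session"
        msg = f"{session_id}:{tok['ts']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tok.get("tag", "")):
            return False, f"record {i}: token tag does not verify"
        if tok["ts"] <= prev_ts:
            return False, f"record {i}: time {tok['ts']} is not after {prev_ts}"
        if tok["ts"] - prev_ts > max_gap:
            return False, f"record {i}: {tok['ts'] - prev_ts}s without a screenshot"
        prev_ts = tok["ts"]
    # The AC must also have been running until the match ended.
    if match_end - prev_ts > max_gap:
        return False, f"no screenshot in the last {match_end - prev_ts}s of the match"
    return True, "ok"


def demo():
    """Constructed sample logs: one honest client and three that mimic the tricks in the post."""
    sid = "match-0001"
    start, end = 990, 1150
    blank = "00" * 32  # constructed placeholder screenshot hash
    honest = [{"token": issue_time_token(sid, t), "sha256": blank} for t in (1000, 1060, 1110)]
    # Client blocked the time source and wrote local timestamps instead of tokens.
    local_only = [{"local_ts": t, "sha256": blank} for t in (1000, 1060, 1110)]
    # Client stalled the screenshot loop after the second shot; the match ran on much longer.
    stalled = [{"token": issue_time_token(sid, t), "sha256": blank} for t in (1000, 1060)]
    # Client fabricated a token for a made-up time without knowing the key.
    forged = honest + [{"token": {"session": sid, "ts": 1140, "tag": "ab" * 32}, "sha256": blank}]
    return {
        "honest": verify_log(sid, honest, start, end)[0],
        "local_only": verify_log(sid, local_only, start, end)[0],
        "stalled": verify_log(sid, stalled, start, 1060 + 133337 * 60)[0],
        "forged": verify_log(sid, forged, start, end)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Binding the token to the session id is what stops a client from replaying tokens collected in an earlier match, and checking the gap after the last record is what catches the "stop the AC and set the clock" case, because no amount of local clock fiddling produces a token for the missing interval.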

#2 kmanev073

why did you post this in the CF source section...

#3 ~FALLEN~

I find this odd because LowHertz is a part of UC, not MPGH, but idk. Anyways, that's some funny crap man haha, good job.
