Anti-cheat crackme or NSEngine bypassing

Good day. Today the guys from Armored Software, especially for hack-lovers and reverse-engineers, will explain how you can take off a simple anti-cheat that has a server side. Today we are going to bypass the NSEngine anti-cheat, which was created specifically for MuOnline. This is a very simple protection which costs about $100. That's why we chose it to demonstrate basic bypass methods.

Step 0x00. Exploration

We took a random server with this protection. So today our target is http://muolymp.com. First, let's create an account and download the game client.

First, our aim is to collect as much information as we can. After that we can start researching possible ways to attack.

In our case the anti-cheat module is loaded by patching the entry point.

Pic. 1. Entry Point of main.exe

As we can see, wzVideo.dll is loaded into main.exe. This is the anti-cheat library, and it is itself protected with Safe Engine. You can't run the client without the launcher. As you can see, this launcher is from our team. Also, you can't execute the game without wzVideo.dll being loaded.

This protection can block cheats such as Cheat Engine, but it seems to do so by searching for the Cheat Engine window title. That speaks to the poor level of protection and contradicts the protection's description. Meanwhile, this anti-cheat can block perfectly legitimate applications, which can cause some inconvenience (for example, Total Commander can be blocked too).

Pic. 2. Memory dump of WzVideo.dll library

Attempts to stop the anti-cheat's threads are detected, but there is no control over the integrity of memory: the code section of the game can be quietly modified.
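The missing control is a code-section integrity check. The following is an added illustration written for this article, not code from NSEngine or from the game client: it hashes a mapped code section page by page when the module is first loaded, then compares later snapshots against that baseline so that a patch is both detected and localised to the page it landed on. The section contents, the page size and the patch offset are all constructed for the example.

```python
import hashlib
from typing import Dict, List

PAGE_SIZE = 0x1000  # 4 KiB: granularity at which a modification is localised (assumption)


def page_hashes(section: bytes) -> Dict[int, str]:
    """Hash every page of a code section. Returns {page_index: sha256 hex digest}."""
    return {
        i // PAGE_SIZE: hashlib.sha256(section[i:i + PAGE_SIZE]).hexdigest()
        for i in range(0, len(section), PAGE_SIZE)
    }


class CodeSectionMonitor:
    """Baseline-and-compare integrity check for a read-only code section.

    The baseline is captured once, after the module has been mapped and relocated;
    every later snapshot is compared page by page, so an in-memory patch
    (for example a NOP or JMP overwrite) is reported with the page it changed.
    """

    def __init__(self, baseline: bytes) -> None:
        self.size = len(baseline)
        self.baseline = page_hashes(baseline)

    def check(self, snapshot: bytes) -> List[int]:
        """Return the indices of pages whose contents differ from the baseline."""
        if len(snapshot) != self.size:
            raise ValueError("snapshot size differs from baseline")
        current = page_hashes(snapshot)
        return sorted(page for page, digest in self.baseline.items() if current[page] != digest)


# Constructed stand-in for a mapped .text section: two pages of a repeating
# byte pattern. It is not code from the game client.
FAKE_TEXT_SECTION = bytes(range(256)) * (2 * PAGE_SIZE // 256)


def demo() -> List[int]:
    """Baseline the fake section, apply a five-byte NOP overwrite, report the changed pages."""
    monitor = CodeSectionMonitor(FAKE_TEXT_SECTION)
    assert monitor.check(FAKE_TEXT_SECTION) == []  # untouched section: nothing reported
    patched = bytearray(FAKE_TEXT_SECTION)
    patched[0x1234:0x1239] = b"\x90" * 5  # constructed patch inside the second page
    return monitor.check(bytes(patched))  # -> [1]


if __name__ == "__main__":
    print("modified pages:", demo())
```

In a real client the baseline would be taken from the mapped image after relocation fix-ups, and the check would run from more than one place so that disabling a single thread does not silence it.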

According to the anti-cheat description, network traffic has an additional layer of encryption, which makes it impossible to play without the anti-cheat. Let's look inside.

Pic. 2. Outgoing traffic

Pic. 3. Incoming traffic

As it turned out, the encryption layer is applied only to the incoming traffic. This is noticeable in the packet headers (in MuOnline there are four types of header: C1, C2, C3 and C4). Moreover, one can easily see that the entropy of the ciphertext is quite low, which means the cipher is very simple. Repeating bytes tell us that this is a block cipher applied to each byte independently. It should also be noted that decryption is performed by intercepting the ws2_32.recv() function in the client's import table.
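The entropy observation above is the kind of check worth automating before trusting any claim that traffic is "encrypted". The script below is an added example for this article, not code from the author or from NSEngine: it computes the Shannon entropy and byte distribution of a captured stream and shows why a cipher applied to each byte independently cannot hide anything, since it only relabels bytes and the plaintext's frequency profile survives intact. The packet bytes, the XOR stand-in cipher and the 7.5-bit threshold are constructed for the example; the stand-in is not the NSEngine algorithm.

```python
import math
from collections import Counter
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return h if h > 0 else 0.0


def byte_profile(data: bytes) -> Dict[str, float]:
    """Summary statistics an analyst checks before calling a stream 'encrypted'."""
    counts = Counter(data)
    top_byte, top_count = counts.most_common(1)[0]
    return {
        "entropy": shannon_entropy(data),
        "distinct": len(counts),
        "top_byte": top_byte,
        "top_fraction": top_count / len(data),
    }


def assess(data: bytes, strong_threshold: float = 7.5) -> str:
    """A well-built cipher pushes a long sample toward 8 bits/byte; a value far
    below that points at a weak cipher or none. The threshold is an assumption."""
    return "HIGH_ENTROPY" if shannon_entropy(data) >= strong_threshold else "LOW_ENTROPY"


def xor_bytewise(data: bytes, key: int) -> bytes:
    """Toy stand-in for 'a cipher applied to each byte independently'.
    It is NOT the NSEngine algorithm; it only models the byte-wise property."""
    return bytes(b ^ key for b in data)


# Constructed sample, not captured traffic: a packet-shaped record with a 0xC1
# header byte, a length byte, two opcode bytes and zero padding, repeated as a
# game stream would repeat it.
SAMPLE_PACKET = bytes.fromhex("c10cf303") + b"\x00" * 8
SAMPLE_STREAM = SAMPLE_PACKET * 20


def demo() -> Dict[str, str]:
    """Compare the constructed plaintext stream with its byte-wise 'ciphertext'."""
    ciphertext = xor_bytewise(SAMPLE_STREAM, 0x5A)
    return {
        "plaintext": assess(SAMPLE_STREAM),   # LOW_ENTROPY
        "bytewise_cipher": assess(ciphertext),  # still LOW_ENTROPY: same histogram, relabelled
        "uniform_reference": assess(bytes(range(256)) * 4),  # HIGH_ENTROPY
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
    print("plaintext profile :", byte_profile(SAMPLE_STREAM))
    print("ciphertext profile:", byte_profile(xor_bytewise(SAMPLE_STREAM, 0x5A)))
```

The two profiles differ only in which byte value is the most common one; entropy, the number of distinct values and the top-byte fraction are identical, which is exactly the signature of a per-byte substitution seen in the incoming traffic above.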

Step 0x01. Searching for a gap

So we have an entirely open client whose memory is available for modification; therefore nothing stops us from modifying the game client's algorithms. The anti-cheat's blocking of software is based on hardcoded names of prohibited windows, so we could patch these names in the process memory and use cheats. However, our goal is to remove the protection completely.

As for the protection of network traffic, it involves a very simple encryption algorithm, and the additional encryption layer is applied only to the incoming traffic. So one can try to carry out the attack by implementing a fake proxy server which decrypts the incoming traffic and passes it on to a clean client. But the question arises whether it is possible to obtain the encryption algorithm. Let's try to explore the traffic-handling functions.

Pic. 4. Hook for ws2_32.recv()

As you can see in the picture, the encryption algorithm is quite simple. Here is a sample pseudo-code:

Therefore, there shouldn't be any problems with writing an intermediate proxy server. Thus, by removing the wzVideo.dll library from the client application and reconfiguring the connection to our fake proxy server, we can completely bypass this protection.

Step 0x02. Implementation of the attack

Let's turn directly to implementing the idea. We need to do two things:

  1. Implement a proxy server that decodes the incoming traffic
  2. Remove the library from the client and redirect the connection to our proxy

The proxy server was implemented based on the source code of EncDec, a tool for bypassing encryption. I made the gs_recv_proxy_filter() filter decrypt the traffic so as to support NSEngine encryption. The source code is available below.

Next, let's remove the loading of the anti-cheat module through OllyDbg by replacing the loading instructions with NOPs.

Step 0x03. Conclusion

Our expert protection rating: 1.0 / 5

Low-level detection of cheats, almost no means of self-defence or protection of the gameplay, and destructive effects on legitimate software. The picture is saved only by the presence of the protocol encryption, which is merely unidirectional, and by the Safe Engine protector. The latter was not included in the assessment, but it slightly complicates the analysis because of the lack of removal scripts.

A small video shows the bypass result.

As you can see, the protection was completely bypassed; the binaries with source code can be taken here.

Thanks for your attention.

Author: DoS.Ninja
