Hello UGBASE,
I am releasing my analysis knowledge about FenixZone Anticheat and a solution to prevent being detected.
Basically everything is here:
https://github.com/WaterinoS/FenixZoneACBypass
I would start with how they managed to load the anticheat into process memory:
It's basic RCE (Remote Code Execution) via RPC_ShowDialog.
It's illegal to use RCE.
How can you detect an incoming malicious RPC like this one?
- Make an IncomingRPC hook
- Check for RPC_ShowDialog
- Check the packet size. The max size of every normal dialog is 33000, but they oversized it (they injected the assembly via that, so it's around 382032 b (unpacked it's ~220 kb))
- All you need to do is get the bitstream data and check every byte until you find byte[0] = 'M' && byte[1] = 'Z' (no need to explain to experienced people), then just extract the assembly from that start to the end of the bitstream.
- Well, now you have the assembly. What's next?
https://github.com/WaterinoS/FenixZoneACBypass/blob/main/snippets.cpp
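As an added example (not code from the post or from the repository above), this is the detection check for an incoming RPC_ShowDialog payload described in the list: it flags a payload that exceeds the 33000-byte dialog maximum or that carries an embedded PE image. It works on a raw byte buffer rather than a RakNet BitStream, and it goes one step beyond a plain 'M','Z' match by also validating the e_lfanew pointer and the "PE\0\0" signature so that the letters "MZ" inside ordinary dialog text do not trigger a false positive. The constructed sample payload at the end is for testing only.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Largest payload a legitimate dialog RPC carries, per the post.
constexpr size_t kMaxDialogSize = 33000;

// Returns the offset of a PE image inside buf, or -1 if none is found.
// A hit needs "MZ" at the offset, an e_lfanew (DOS header bytes 0x3C..0x3F)
// that stays inside the buffer, and the "PE\0\0" signature at that offset.
long find_embedded_pe(const uint8_t* buf, size_t len) {
    if (len < 0x40) return -1;                       // too short for a DOS header
    for (size_t i = 0; i + 0x40 <= len; ++i) {
        if (buf[i] != 'M' || buf[i + 1] != 'Z') continue;
        uint32_t e_lfanew;
        std::memcpy(&e_lfanew, buf + i + 0x3C, sizeof e_lfanew);
        if (e_lfanew > len - i - 4) continue;        // NT header would fall outside buf
        const uint8_t* pe = buf + i + e_lfanew;
        if (pe[0] == 'P' && pe[1] == 'E' && pe[2] == 0 && pe[3] == 0)
            return static_cast<long>(i);
    }
    return -1;
}

// Verdict for one incoming RPC_ShowDialog payload: suspicious when it is
// larger than any legitimate dialog or when it smuggles a PE image.
bool is_suspicious_dialog(const uint8_t* buf, size_t len) {
    return len > kMaxDialogSize || find_embedded_pe(buf, len) >= 0;
}

// Constructed test payload (assumption, not a real capture): `prefix` filler
// bytes, then a minimal DOS header with e_lfanew = 0x40 followed by "PE\0\0".
std::vector<uint8_t> make_fake_pe_payload(size_t prefix) {
    std::vector<uint8_t> v(prefix, 'A');
    std::vector<uint8_t> dos(0x44, 0);
    dos[0] = 'M'; dos[1] = 'Z';
    uint32_t lfanew = 0x40;
    std::memcpy(&dos[0x3C], &lfanew, sizeof lfanew);
    dos[0x40] = 'P'; dos[0x41] = 'E';
    v.insert(v.end(), dos.begin(), dos.end());
    return v;
}
```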
Their modules explained:
- nz.dll - basic DLL, also injected via the RCE (33 kb). It basically contains an export to load a PE into memory from a path, if I am not mistaken.
- anti-key.asi - be careful, they also extract a randomly named .asi file (in this case anti-key) into your GTA SA directory, but it's basically just a DLL downloader and loader.
- nzeE831D.tmp - obfuscated assembly (easy to deobfuscate, but I am not going to share the source to keep something for myself), which contains a crypted/packed (via MPRESS) assembly which is the actual anticheat file. It's basically a self-unpacker (that's the file we focus on primarily in the IncomingRPC hook).
- discord-rpc.dll - no need to explain, not dangerous.
- etc.
How do they communicate (client-server)?
Well, I didn't spend a lot of time analyzing this, but I would say they make a shadow copy of sendto and also send in-game commands like /buto, /cuco etc., and these commands are important!
- /cuco [message] => I don't really know what it does, but I guess it's also verified on the server side. Let's say [message] is a number somehow generated and stored in a variable; if you call the original you are basically fine.
- /buto [message] - well, this one is important because every 15th call of one callback sends /buto <hex>, which I reversed, and this one is primarily checked on the server. If it does not match their side => KICK.
With every command there is also a sendto to their server; you can find their server IP by yourself. (Ports are randomly generated: it opens a socket, calls sendto and then just instantly closes it.)
What does this anticheat do?
- Memory scans
- Module scans
- Window handle scans
- .ASI/.SF/.CS scans
- SAMPFUNCS console detections
If you want to know more, do the research by yourself.
Also, I will release #TE Project 1.0.2.5fz (spec. edition) with the FZ bypass soon on our Discord server.
If you have any questions, my Discord is watersmoke.
Thanks to CikaUIF (CikaDjokica) for help with the analysis and crack.
Enjoy