m0d_sa FenixZone AC Bypass

Hello UGBASE,
I am releasing my analysis knowledge about the FenixZone Anticheat and a solution to prevent being detected.

Basically everything is here.

I would start with how they managed to load the anticheat into process memory:
It's basic RCE (Remote Code Execution) via RPC_ShowDialog.
It's illegal to use RCE.


How can you detect an incoming malicious RPC like this one?
  • Make an IncomingRPC hook
  • Check for RPC_ShowDialog
  • Check the packet size.. the max size of every normal dialog is 33000, but they oversized it (they injected the assembly via that, so it's around 382032 b (unpacked it's ~220kb))
  • All you need to do is get the bitstream data and check every byte until you find byte[0] = 'M' && byte[1] = 'Z' (don't need to explain to experienced people), then just extract the assembly from there to the end of the bitstream..
  • Well, now you have the assembly, what's next?
Use the snippets here and you have a complete bypass, cuz I did all the work for ya...

Their modules explained:
nz.dll - Basic dll also being injected by RCE (33kb); it basically contains an export to load a PE into memory from a path.. if I am not mistaken
anti-key.asi - be careful, they are also extracting a randomly named .asi file (in this case anti-key) into your gta sa directory, but it's basically just a dll downloader and loader..
nzeE831D.tmp - Obfuscated assembly (easy to deobfuscate, but I am not gonna share the src to keep something for myself), which contains the crypted/packed (via MPRESS) assembly which is our anticheat file. => it's basically a self-unpacker (that's the file we are primarily focusing on in the IncomingRPC hook)
discord-rpc.dll - don't need to explain.. not dangerous
etc

How do they communicate (client-server)?
Well I didn't spend a lot of time analyzing this.. but I would say they are making a shadow copy of sendto and also sending ingame commands like /buto, /cuco etc.. and these commands are important!

/cuco [message] => I don't really know what it does, but I guess it's also verified on the serverside.. let's say [message] is a number somehow generated and stored in a variable - if you call the original you are basically fine.
/buto [message] - well this one is important cuz every 15th call of one callback it's sending /buto <hex>, which I reversed, and this one is primarily checked on the server - if it does not match with their side => KICK
and with every command also comes a sendto to their server; you can find their server ip by yourself. (ports are randomly generated - it's opening a socket, sendto and then just instantly closing it)

What does this anticheat do?
  • Memory scans
  • Module scans
  • Window handles scans
  • .ASi/.SF/.CS Scans
  • SAMPFUNCS Console Detections
Just fuckin' everything

If you want to know more - do the research by yourself. :)
Also I will release #TE Project 1.0.2.5fz (spec. edition) with the FZ bypass soon on our discord server.
If you have any questions, my discord is watersmoke

Thanks to CikaUIF (CikaDjokica) for help with analysis, crack.

Enjoy

Attachments

  • bypassed.png (2.2 MB)
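The detection steps in the post (hook the incoming RPC, check the dialog size against the 33000-byte limit, scan the bitstream for an 'MZ' header and carve from there) map onto a small inspection routine. The following is an added example written for this thread from a defender's point of view, not code from the original post or from m0d_sa: it flags a dialog payload that is oversized or that carries an embedded PE image, the signature of a server pushing executable code into the client. The 33000 limit is the value stated in the post; the sample packet, the `build_fake_pe` helper and the function names are constructed for the example and are not FenixZone's real files.

```python
import struct

# Upper bound for a legitimate ShowDialog payload, as stated in the post.
MAX_DIALOG_SIZE = 33000


def build_fake_pe() -> bytes:
    """Construct a minimal PE-shaped blob for testing (not a real executable).

    Layout: 64-byte DOS header starting with 'MZ', e_lfanew at offset 0x3C
    pointing to a 'PE\\0\\0' signature, followed by filler bytes.
    """
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew = 0x40 (right after DOS header)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20 + b"\xAA" * 64


def find_embedded_pe(data: bytes):
    """Return the offset of the first plausible PE image inside data, or None.

    A bare 'MZ' match is not enough (it can occur in dialog text), so the
    candidate is confirmed by following e_lfanew to a 'PE\\0\\0' signature.
    """
    idx = 0
    while True:
        idx = data.find(b"MZ", idx)
        if idx < 0 or idx + 0x40 > len(data):   # no candidate, or DOS header truncated
            return None
        e_lfanew = struct.unpack_from("<I", data, idx + 0x3C)[0]
        nt = idx + e_lfanew
        # Sanity-bound e_lfanew so random text bytes do not send us out of range.
        if 0x40 <= e_lfanew < 0x1000 and data[nt:nt + 4] == b"PE\x00\x00":
            return idx
        idx += 1


def inspect_dialog_packet(payload: bytes) -> dict:
    """Apply the size check and the PE scan to one ShowDialog payload.

    'carved' holds the bytes from the PE header to the end of the payload so
    the dropped image can be handed to offline analysis instead of executed.
    """
    oversized = len(payload) > MAX_DIALOG_SIZE
    pe_off = find_embedded_pe(payload)
    return {
        "size": len(payload),
        "oversized": oversized,
        "pe_offset": pe_off,
        "carved": payload[pe_off:] if pe_off is not None else b"",
        "suspicious": oversized or pe_off is not None,
    }


if __name__ == "__main__":
    # Constructed samples: a normal dialog text and an oversized one with a PE appended.
    benign = b"Dialog text with MZ in it. " * 50
    injected = b"\x00" * 40000 + build_fake_pe()
    for name, pkt in (("benign", benign), ("injected", injected)):
        r = inspect_dialog_packet(pkt)
        print(f"{name}: size={r['size']} oversized={r['oversized']} "
              f"pe_offset={r['pe_offset']} suspicious={r['suspicious']}")
```

In a real hook the payload would be the raw bitstream handed to the RPC handler; the point of confirming the `PE\0\0` signature rather than stopping at `MZ` is to avoid false positives on ordinary dialog text, and the carved bytes are kept only for analysis, never loaded.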

SobFoX

Expert
Joined
Jul 14, 2015
Messages
1,497
Solutions
5
Reaction score
927
Location
Israel
Well done, I've done this before. It could have been made much shorter, but it doesn't matter. The main thing is that it works and everyone enjoys it. Well done. ;)
 

Expl01T3R

Active member
Joined
Nov 20, 2022
Messages
152
Reaction score
29
Location
Czech Republic
In a bit it’s gonna stop working, you’ll see hahaha
I’m aware that FenixZone can easily update and block this code, but it doesn’t really matter, right? We can update it just as quickly.
What’s actually funny is that such a well-known server is auto-exploiting people via RCE without giving them the option to say “NO, I don’t want that.” That’s literally illegal.
I’m just surprised no one has filed a criminal report yet.
 

CikaDJokica

Active member
Joined
Apr 2, 2021
Messages
25
Solutions
1
Reaction score
8
Location
C++ hack gang

Expl01T3R

Active member
Joined
Nov 20, 2022
Messages
152
Reaction score
29
Location
Czech Republic
FZ are not capable of patching your bypass
I believe they can, just change the mechanism of their /buto <hex> command or just rework their threads code and they can still get rid of me until I patch my bypass again.
It's more like a race over who will have the latest thing, but that's what I wanna avoid; I am a really lazy person, so if they keep updating their ac every day I am about to stop updating my bypass.

that's exactly what I meant there
I don't understand how you mean it.. the FZ owner and his devs are noobs, they simply can't patch it.. I will always find a way to bypass their shit.
I said "they simply can't patch it, I will always find a way to bypass their shit." but what I exactly meant was "They can patch the anticheat, but I will always find a way to patch my bypass."
Just to be clear.
And sorry for my wonderful English :ROFLMAO: :cool:
 