m0d_sa FenixZone AC Bypass

Hello UGBASE,
I am releasing my analysis knowledge about the FenixZone Anticheat and a solution to prevent being detected.

Basically everything is here.

I'll start with how they managed to load the anticheat into process memory:
It's basic RCE (Remote Code Execution) via RPC_ShowDialog.
It's illegal to use RCE.


How can you detect an incoming malicious RPC like this one?
  • Make an IncomingRPC hook
  • Check for RPC_ShowDialog
  • Check the packet size.. the max size of every normal dialog is 33000, but they oversized it (they inject the assembly via that, so it's around 382032 b (unpacked it's ~220 kB))
  • All you need to do is get the bitstream data and check every byte until you find byte[0] = 'M' && byte[1] = 'Z' (no need to explain to experienced people), then just extract the assembly from the start to the end of the bitstream..
  • Well, now you have the assembly; what's next?
Use the snippets here and you have a complete bypass, cuz I did all the work for ya...

Their modules explained:
nz.dll - Basic dll, also injected via RCE (33 kB); it basically contains an export to load a PE into memory from a path.. if I am not mistaken
anti-key.asi - be careful, they also extract a randomly named .asi file (in this case anti-key) into your gta sa directory, but it's basically just a dll downloader and loader..
nzeE831D.tmp - Obfuscated assembly (easy to deobfuscate, but I am not gonna share the src to keep something for myself), which contains the crypted/packed (via MPRESS) assembly which is the actual anticheat file. => it's basically a self unpacker (that's the file we are primarily focusing on in the IncomingRPC hook)
discord-rpc.dll - no need to explain.. not dangerous
etc.

How they communicate (client-server)?
Well, I didn't spend a lot of time analyzing this.. but I would say they make a shadow copy of sendto and also send ingame commands like /buto, /cuco etc.. and these commands are important!

/cuco [message] => I don't really know what it does, but I guess it's also verified on the server side.. let's say [message] is a number somehow generated and stored in a variable - if you call the original you are basically fine.
/buto [message] - well, this one is important cuz every 15th call of one callback sends /buto <hex>, which I reversed, and this one is primarily checked on the server - if it does not match their side => KICK
and with every command there also comes a sendto to their server; you can find their server ip by yourself. (ports are randomly generated - it opens a socket, sendto and then just instant close)

What does this anticheat do?
  • Memory scans
  • Module scans
  • Window handle scans
  • .ASI/.SF/.CS scans
  • SAMPFUNCS Console Detections
Just fokin everything

If you want to know more - do the research by yourself. :)
Also I will release #TE Project 1.0.2.5fz (spec. edition) with the FZ bypass soon on our discord server.
If you have any questions, my discord is watersmoke.

Thanks to CikaUIF (CikaDjokica) for help with the analysis and crack.

Enjoy


Attachments: bypassed.png (2.2 MB)

Expl01T3R

Active member
Joined
Nov 20, 2022
Messages
171
Solutions
1
Reaction score
34
Location
Czech Republic
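As an added example that is not from the post or from either project: the check the IncomingRPC-hook steps above describe, written from the client-protection side. It flags a dialog RPC that is larger than the 33000-byte maximum the post gives for a legitimate dialog, and one whose payload carries an "MZ" DOS header whose e_lfanew points at a valid "PE\0\0" signature (standard PE layout, not something from the post). The sample payload and the function names are constructed for the example; a real hook would pass it the raw bitstream bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Largest payload a legitimate RPC_ShowDialog carries, per the post above. */
#define DIALOG_MAX_SIZE 33000u

/* Scan a raw RPC payload for an embedded PE image: an "MZ" DOS header whose
 * e_lfanew field (DOS header offset 0x3C) points at a "PE\0\0" signature that
 * still lies inside the buffer. Returns the MZ offset, or -1 if none. */
long find_embedded_pe(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 0x40 <= len; i++) {
        if (buf[i] != 'M' || buf[i + 1] != 'Z')
            continue;
        uint32_t e_lfanew;                       /* little-endian host assumed */
        memcpy(&e_lfanew, buf + i + 0x3C, sizeof e_lfanew);
        if (e_lfanew < 0x40 || (size_t)e_lfanew + 4 > len - i)
            continue;                            /* signature would fall outside the buffer */
        if (memcmp(buf + i + e_lfanew, "PE\0\0", 4) == 0)
            return (long)i;
    }
    return -1;
}

/* Verdict for one incoming dialog RPC: 0 = normal dialog, 1 = oversized
 * (bigger than any legitimate dialog), 2 = carries a PE image. */
int classify_dialog_rpc(const uint8_t *buf, size_t len)
{
    if (find_embedded_pe(buf, len) >= 0)
        return 2;
    return len > DIALOG_MAX_SIZE ? 1 : 0;
}

/* Constructed sample: dialog text, then a minimal fake DOS/PE header at offset 64. */
static uint8_t g_sample[512];
static size_t build_sample(void)
{
    const char text[] = "Welcome to the server";
    const uint32_t e_lfanew = 0x80;
    memset(g_sample, 0, sizeof g_sample);
    memcpy(g_sample, text, sizeof text);
    g_sample[64] = 'M'; g_sample[65] = 'Z';
    memcpy(g_sample + 64 + 0x3C, &e_lfanew, sizeof e_lfanew);
    memcpy(g_sample + 64 + e_lfanew, "PE\0\0", 4);
    return sizeof g_sample;
}
long sample_pe_offset(void)  { return find_embedded_pe(g_sample, build_sample()); }   /* 64 */
int  sample_verdict(void)    { return classify_dialog_rpc(g_sample, build_sample()); } /* 2 */
int  oversized_verdict(void) { static uint8_t big[DIALOG_MAX_SIZE + 1]; return classify_dialog_rpc(big, sizeof big); } /* 1 */
```

A hook that logs verdict 1 or 2 with the packet size and MZ offset gives you the evidence of what was pushed to the client before anything gets mapped.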

francis7777

New member
Joined
Jan 11, 2024
Messages
4
Reaction score
5
Expl01T3R and Sobfox are 2 poor lammers who have no knowledge. For years, Expl01T3R has dedicated himself to nothing more than making cheats that are useless. His PC is an i5; he doesn't even have money to buy a PC. He is completely useless and an embarrassment, trying to get attention with foolishness. He couldn't emulate the anticheat; the only thing he did was nullify threads, ridiculous.
 

Expl01T3R

Active member
Joined
Nov 20, 2022
Messages
171
Solutions
1
Reaction score
34
Location
Czech Republic
Expl01T3R and Sobfox are 2 poor lammers who have no knowledge. For years, Expl01T3R has dedicated himself to nothing more than making cheats that are useless. His PC is an i5; he doesn't even have money to buy a PC. He is completely useless and an embarrassment, trying to get attention with foolishness. He couldn't emulate the anticheat; the only thing he did was nullify threads, ridiculous.
Thanks bro:cool:
 

SobFoX

Expert
Joined
Jul 14, 2015
Messages
1,510
Solutions
5
Reaction score
932
Location
Israel
Expl01T3R and Sobfox are 2 poor lammers who have no knowledge. For years, Expl01T3R has dedicated himself to nothing more than making cheats that are useless. His PC is an i5; he doesn't even have money to buy a PC. He is completely useless and an embarrassment, trying to get attention with foolishness. He couldn't emulate the anticheat; the only thing he did was nullify threads, ridiculous.
It seems to me that you need a small controller on your servers. It's been a long time since your players had FPS 1. You probably miss it. :sneaky:
 

francis7777

New member
Joined
Jan 11, 2024
Messages
4
Reaction score
5
It seems to me that you need a small controller on your servers. It's been a long time since your players had FPS 1. You probably miss it. :sneaky:
I don't play SA-MP, but this proves my point: collecting cars on a SA-MP server to cause FPS drops is very lammer-like. Has no one ever told you how truly sad your life is? I mean, creating cheats for nothing for years... it's surprising that I have to explain this to you, LAMMER.
 

SobFoX

Expert
Joined
Jul 14, 2015
Messages
1,510
Solutions
5
Reaction score
932
Location
Israel
I don't play SA-MP, but this proves my point: collecting cars on a SA-MP server to cause FPS drops is very lammer-like. Has no one ever told you how truly sad your life is? I mean, creating cheats for nothing for years... it's surprising that I have to explain this to you, LAMMER.
Jealousy is eating you up
 

Mattioli

New member
Joined
Jun 26, 2025
Messages
3
Reaction score
1
Watersmoke, you are our whore just like you always were, you and all the disgusting Russians and Czechs like you
 

Expl01T3R

Active member
Joined
Nov 20, 2022
Messages
171
Solutions
1
Reaction score
34
Location
Czech Republic
Watersmoke, you are our whore just like you always were, you and all the disgusting Russians and Czechs like you
Hilarious, bro. You mad? Don’t be — I fully reversed your entire anticheat and bypassed it in under a week.
But that’s just the beginning.
I’ve reported you to multiple government agencies and to OVH, the hosting provider behind your FenixZone servers.
An abuse ticket has already been created. You’ll likely be contacted and asked to take down the RCE exploit you’re actively using against players — though I doubt you will.
Which only makes things easier.
 

youngDro

Member
Joined
Sep 5, 2020
Messages
6
Reaction score
0
Location
XD
Will you update it? They patched it in S1, there's a lot of people who could pay money for a bypass like this
 

SobFoX

Expert
Joined
Jul 14, 2015
Messages
1,510
Solutions
5
Reaction score
932
Location
Israel
C++:
// write access to const memory has been detected, the output may be wrong!
ULONG __stdcall sub_6C0C54BC(PVOID Parameter)
{
  HMODULE v1; // eax
  BOOL (__stdcall *ProcAddress)(HDC, int, int, HICON); // eax
  BOOL v3; // esi
  BOOL IsIconic; // ebx
  HWND ForegroundWindow; // ebx
  int v7; // esi
  int v8; // ebx
  int v9; // esi
  int i; // ebx
  HANDLE ProcessHeap; // eax
  PVOID Heap; // esi
  HANDLE CurrentProcess; // eax
  LPCSTR lpLibFileName; // [esp+0h] [ebp-398h]
  LPCSTR lpProcName; // [esp+4h] [ebp-394h]
  HGDIOBJ v16; // [esp+3Ch] [ebp-35Ch]
  COLORREF Pixel; // [esp+40h] [ebp-358h]
  int x; // [esp+44h] [ebp-354h]
  int y; // [esp+48h] [ebp-350h]
  HBITMAP h; // [esp+4Ch] [ebp-34Ch]
  HMODULE hLibModule; // [esp+50h] [ebp-348h]
  HDC hdc; // [esp+54h] [ebp-344h]
  HDC hDC; // [esp+58h] [ebp-340h]
  HMODULE hModule; // [esp+5Ch] [ebp-33Ch]
  struct tagPOINT Point; // [esp+64h] [ebp-334h] BYREF
  struct tagCURSORINFO pci; // [esp+6Ch] [ebp-32Ch] BYREF
  CHAR v27[256]; // [esp+80h] [ebp-318h] BYREF
  CHAR String[256]; // [esp+180h] [ebp-218h] BYREF
  ICONINFO piconinfo; // [esp+280h] [ebp-118h] BYREF

  hModule = j_LoadLibraryA("gdi32.dll");
  if ( !hModule )
  {
    j_wsprintfA(v27, "Error al cargar gdi32.dll");
    return -1;
  }
  hLibModule = j_LoadLibraryA("user32.dll");
  if ( !hLibModule )
  {
    j_wsprintfA(v27, "Error al cargar user32.dll");
    v1 = hModule;
LABEL_14:
    j_FreeLibrary(v1);
    return -1;
  }
  CreateCompatibleDC = (HDC (__stdcall *)(HDC))j_GetProcAddress(hModule, "CreateCompatibleDC");
  CreateCompatibleBitmap = (HBITMAP (__stdcall *)(HDC, int, int))j_GetProcAddress(hModule, "CreateCompatibleBitmap");
  SelectObject = (HGDIOBJ (__stdcall *)(HDC, HGDIOBJ))j_GetProcAddress(hModule, "SelectObject");
  BitBlt = (BOOL (__stdcall *)(HDC, int, int, int, int, HDC, int, int, DWORD))j_GetProcAddress(hModule, "BitBlt");
  GetPixel = (COLORREF (__stdcall *)(HDC, int, int))j_GetProcAddress(hModule, "GetPixel");
  DeleteDC = (BOOL (__stdcall *)(HDC))j_GetProcAddress(hModule, "DeleteDC");
  DeleteObject = (BOOL (__stdcall *)(HGDIOBJ))j_GetProcAddress(hModule, "DeleteObject");
  ProcAddress = (BOOL (__stdcall *)(HDC, int, int, HICON))j_GetProcAddress(hLibModule, "DrawIcon");
  DrawIcon = ProcAddress;
  if ( !CreateCompatibleDC
    || !CreateCompatibleBitmap
    || !SelectObject
    || !BitBlt
    || !GetPixel
    || !DeleteDC
    || !DeleteObject
    || (v3 = 0, !ProcAddress) )
  {
    j_wsprintfA(v27, "No se pudieron obtener todas las funciones necesarias.");
    j_FreeLibrary(hModule);
    v1 = hLibModule;
    goto LABEL_14;
  }
  while ( 1 )
  {
    while ( 1 )
    {
      ForegroundWindow = j_GetForegroundWindow();
      j_GetWindowTextA(ForegroundWindow, String, 256);
      if ( !sub_6C0C8124() )
      {
        IsIconic = j_IsIconic(ForegroundWindow);
        if ( !IsIconic )
          break;
      }
      j_Sleep(0x7D0u);
    }
    if ( j_GetAsyncKeyState(1) >= 0 )
      goto LABEL_59;
    if ( v3 )
    {
      IsIconic = v3;
      goto LABEL_59;
    }
    if ( !j_GetCursorPos(&Point) )
    {
      j_wsprintfA(v27, (const char *)dword_6C0D3808);
      goto LABEL_57;
    }
    hdc = j_GetDC(0);
    if ( !hdc )
    {
      j_wsprintfA(v27, "Error al obtener el DC de la pantalla.");
      goto LABEL_57;
    }
    hDC = CreateCompatibleDC(hdc);
    if ( !hDC )
    {
      j_wsprintfA(v27, "Error al crear el DC de memoria.");
      goto LABEL_30;
    }
    h = CreateCompatibleBitmap(hdc, 21, 21);
    if ( !h )
      break;
    v16 = SelectObject(hDC, h);
    v7 = Point.x - 10;
    v8 = Point.y - 10;
    if ( !BitBlt(hDC, 0, 0, 21, 21, hdc, Point.x - 10, Point.y - 10, 0xCC0020u) )
      j_wsprintfA(v27, "Error al capturar la imagen.");
    pci.cbSize = 20;
    memset(&pci.flags, 0, 0x10u);
    if ( j_GetCursorInfo(&pci) )
    {
      if ( (pci.flags & 1) != 0 )
      {
        memset(&piconinfo, 0, sizeof(piconinfo));
        if ( j_GetIconInfo(pci.hCursor, &piconinfo) )
        {
          DrawIcon(hDC, Point.x - v7 - piconinfo.xHotspot, Point.y - v8 - piconinfo.yHotspot, pci.hCursor);
          if ( piconinfo.hbmColor )
            DeleteObject(piconinfo.hbmColor);
          if ( piconinfo.hbmMask )
            DeleteObject(piconinfo.hbmMask);
        }
      }
    }
    v9 = 0;
    for ( i = 0; i != 42; ++i )
    {
      if ( GetPixel(hDC, *(&::x + 2 * i), *(&::y + 2 * i)) == 0xFFFFFF )
        ++v9;
    }
    if ( v9 == 42 )
    {
      j_wsprintfA(v27, "Alerta: Menu-v6 Detectado");
LABEL_46:
      sub_6C0C8D68(lpLibFileName, lpProcName);
      sub_6C0C8D58();
      j_Sleep(0x12Cu);
      j_CreateThread(0, 0, sub_6C0C9074, 0, 0, 0);
      goto LABEL_50;
    }
    if ( v9 > 36 )
    {
      j_wsprintfA(v27, "Alerta: Menu-v7 Detectado");
      goto LABEL_46;
    }
    j_wsprintfA(v27, "El cursor activo NO coincide con la forma de la flecha (Coincidencias: %d/%d).", v9, 42);
LABEL_50:
    for ( y = 0; y != 21; ++y )
    {
      for ( x = 0; x != 21; ++x )
      {
        Pixel = GetPixel(hDC, x, y);
        ProcessHeap = j_GetProcessHeap();
        Heap = j_RtlAllocateHeap(ProcessHeap, 0, 0x320u);
        if ( !Heap )
        {
          j_wsprintfA(&piconinfo, "Error al asignar memoria para colorArray");
          CurrentProcess = j_GetCurrentProcess();
          j_TerminateProcess(CurrentProcess, 0xFFFFFFFF);
        }
        lpMem = Heap;
        dword_6C0CAF24 = 100;
        MEMORY[0] = Pixel;
        MEMORY[4] = 1;
        dword_6C0CAF28 = 1;
      }
    }
    SelectObject(hDC, v16);
    DeleteObject(h);
    DeleteDC(hDC);
    j_ReleaseDC(0, hdc);
    IsIconic = 1;
LABEL_59:
    v3 = IsIconic;
    j_Sleep(0x64u);
  }
  j_wsprintfA(v27, "Error al crear el bitmap.");
  DeleteDC(hDC);
LABEL_30:
  j_ReleaseDC(0, hdc);
LABEL_57:
  j_FreeLibrary(hModule);
  j_FreeLibrary(hLibModule);
  return 0;
}
 

SobFoX

Expert
Joined
Jul 14, 2015
Messages
1,510
Solutions
5
Reaction score
932
Location
Israel
Take a screenshot for me XD

Code:
// write access to const memory has been detected, the output may be wrong!
ULONG __stdcall sub_6C0C9074(PVOID Parameter)
{
  HMODULE LibraryA; // eax
  HMODULE v3; // ebx
  DWORD nBufferLength; // [esp+30h] [ebp-538h]
  DWORD nBufferLengtha; // [esp+30h] [ebp-538h]
  LPSTR lpBuffer; // [esp+34h] [ebp-534h]
  LPSTR lpBuffera; // [esp+34h] [ebp-534h]
  int v8; // [esp+B0h] [ebp-4B8h] BYREF
  CHAR FileName[260]; // [esp+148h] [ebp-420h] BYREF
  CHAR Buffer[260]; // [esp+24Ch] [ebp-31Ch] BYREF
  int savedregs; // [esp+568h] [ebp+0h] BYREF

  savedregs = (int)&savedregs;
  byte_6C0CA268 = 1;
  sub_6C0C877C();
  if ( !j_GetTempPathA(0x104u, Buffer) )
    return 1;
  j_wsprintfA(FileName, "%s%s_KThgshtx.tmp", Buffer, "Idan_Romantis");//nick name player XDDDDD
  LibraryA = j_LoadLibraryA("gdi32.dll");
  v3 = LibraryA;
  if ( LibraryA )
  {
    CreateCompatibleDC = (HDC (__stdcall *)(HDC))j_GetProcAddress(LibraryA, "CreateCompatibleDC");
    CreateCompatibleBitmap = (HBITMAP (__stdcall *)(HDC, int, int))j_GetProcAddress(v3, "CreateCompatibleBitmap");
    SelectObject = (HGDIOBJ (__stdcall *)(HDC, HGDIOBJ))j_GetProcAddress(v3, "SelectObject");
    BitBlt = (BOOL (__stdcall *)(HDC, int, int, int, int, HDC, int, int, DWORD))j_GetProcAddress(v3, "BitBlt");
    dword_6C0D2078 = (int)j_GetProcAddress(v3, "GetDIBits");
    DeleteDC = (BOOL (__stdcall *)(HDC))j_GetProcAddress(v3, "DeleteDC");
    DeleteObject = (BOOL (__stdcall *)(HGDIOBJ))j_GetProcAddress(v3, "DeleteObject");
    dword_6C0D207C = (int)j_GetProcAddress(v3, "GetObjectA");
    j_GetProcAddress(v3, "StretchBlt");
    j_FreeLibrary(v3);
  }
  j_wsprintfA(&v8, "Alerta: Memoria Modificada Menu Cheat");
  sub_6C0C8D68(nBufferLength, lpBuffer);
  sub_6C0C8D58();
  sub_6C0C8D68(nBufferLengtha, lpBuffera);
  return 0;
}
 

francis7777

New member
Joined
Jan 11, 2024
Messages
4
Reaction score
5
It's just an anticheat, that's all. You guys keep whining because you want to use cheats and can't. You can't report anyone or do anything. It's honestly sad how you've spent your life making cheats without getting anything in return. It's truly pathetic, especially considering you're supposed to be grown adults by now. Very pathetic.
 

Expl01T3R

Active member
Joined
Nov 20, 2022
Messages
171
Solutions
1
Reaction score
34
Location
Czech Republic