Articles

BattlEye communication hook

To combat masses of video game hackers, anti-cheat systems need to collect and process a lot of information from clients. This is usually done by sending everything to the servers for further analysis, which allows attackers to circumvent these systems through interesting means, one of them being hijacking of the communication routine. […]

BattlEye hypervisor detection

This article has been co-authored by Daax Rynd. The cat and mouse game of game-hacking continues to fuel the innovation of exploitation and mitigation. The usage of virtualization technology in game-hacking has exploded ever since copy-pastable hypervisors such as Satoshi Tanda’s DdiMon and Petr Beneš’ hvpp hit the scene. These two projects are being used […]

BattlEye single stepping

With game-hacking always feeling like it is a step ahead of current anti-cheat technologies, developers on both sides are constantly trying to innovate and best one another. Continuing from our last post, we will take a deeper look at another new technique that the defenders, namely BattlEye, have come up with to detect people whose […]

BattlEye stack walking

With game-hacking being a continuous cat and mouse game, rumours about new techniques spread like wildfire. As such, in this blog post we will take a look at one of the new heuristic techniques that BattlEye, a large anti-cheat provider, has recently added to its arsenal, most widely known as stack walking. This is usually […]

BattlEye main shellcode updates

Anti-cheats change as time goes on; features come and go to maximize the efficiency of the product. I did a complete write-up of BattlEye’s shellcode a year ago on my blog, and this article will merely reflect the changes that have been made to said shellcode. Blacklisted timestamps. Last time I analyzed BattlEye, there were […]

NC3 2019 – write-up

  • On 19/12/2019
  • In ctf

NC3 2019 was a CTF run by the National Cyber Crime Center in Denmark. I participated as the organizer and team captain of ‘Holdet’, in which we finished in first place. If you’d like a more thorough explanation of a certain challenge, you are more than welcome to leave a comment and I will update the […]

Bypassing kernel function pointer integrity checks

  • On 07/11/2019
  • In nt

Ensuring (system) integrity is an important detail in software security products such as anti-cheats or anti-viruses. These checks are widespread, and serve to make sure that the operating system’s main functionality has not been tampered with. One common integrity check is the verification of individual driver objects. These driver objects can be manipulated directly in memory (direct kernel object […]

Hooking the graphics kernel subsystem

  • On 20/10/2019
  • In nt

Today’s cheats predominantly use internal DirectX hooks or window overlays to visualize hidden game information. These two methods are widely documented, but another, more inconspicuous method is hooking graphics routines in the Windows kernel, as we will demonstrate in this article. There’s no public release using a similar method to this, which is a […]

Exam surveillance – the return. (ExamCookie)

Preface. It has come to my attention that the Danish government has not only postponed The Digital Exam Monitor, which we analyzed and completely bypassed in our previous article, but also possibly discontinued it a week after we contacted them about our bypass. Not to speculate that we independently got the Danish government to withdraw their […]

The nadir of surveillance (Den Digitale Prøvevagt)

Preface. If you only came here for the bypass, scroll down to the Circumvention section at the bottom. Danish exam surveillance. The Danish Ministry of Education recently published an update to the current school exam system, Net Exams, which announced the implementation of The Digital Exam Monitor (Den Digitale Prøvevagt in Danish). This surveillance program […]