Call of Duty: Black Ops 3 is protected by a DRM that, among other things, protects the integrity of the game鈥檚 code at runtime. Reverse engineering those integrity checks has been a personal goal I had for a long time. In this post I鈥檓 going to describe my process of achieving exactly that, so let鈥檚 dive in. Disclaimer Just a little disclaimer here. The goal of this post is not to encourage piracy....
I recently started to experiment with hypervisors and their use for bypassing anti-cheat or anti-tampering systems. This post will describe the concept of hypervisor-assisted hooking and a few simple approaches to detect such hooks. What is a hypervisor? In short: A hypervisor allows to run virtual machines with hardware acceleration. The concept of hypervisors in general is a huge topic, but for this post, all that depth doesn鈥檛 really matter....
Thanks to Rektinator and TwistedFate for helping me solve this challenge. JIT was one of Google鈥檚 pwnable challenges. It implements an artificial assembly language, which gets jit-compiled into x64 assembly. An example program looks like this: MOV(A, 10) STR(A, 1) LDR(A, 2) SUM() JMP(2) RET() It supports basic instructions to move, add and subtract, jump and compare values. Two files were given: compiler.c and FancyJIT.java The c file implements the jit-compilation by translating each indiviual instruction into the corresponding x64 assembly instruction and storing everything in an executable buffer....
For our graduation-party at school two years ago, a friend of mine, Olrik, and I decided to play the Nyan Cat theme on all PCs at school. With the name 9os, we started writing the entire project using 16bit x86 assembly. The task was to draw the rainbow behind the cat, then the cat itself, play the music and in the end draw the stars. Drawing the rainbow was pretty simple, as it consists only of a few stripes that need to be drawn at alternating heights and colors....
After having started to use libraries like libpcap or WinDivert, I got curious about low-level networking protocols like Ethernet, IP, ICMP, ARP, TCP or UDP. Especially the Address Resolution Protocol (ARP) fascinated me, as I have previously used tools like Ettercap or Cain & Abel to experiment with Man-in-the-middle attacks using ARP poisoning, however, I did not know how ARP poisoning worked in detail. Basically, using an ARP request, you can request the MAC address of a particular host behind a local IPv4 address....
A few years ago, I became aware of a security issue in most Call of Duty games. Although I did not discover it myself, I thought it might be interesting to see what it could be used for. Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer overflow on the host鈥檚 system inside a stack-allocated buffer within the game鈥檚 network handling....