Cra0 - Software Engineer

Reverse Engineering PixMob LED Concert Bracelets Part One

Mon, 30 Dec 2024 00:00:00 +1000

Introduction

Firstly, I want to share a bit of background on how this project began. Before this, I had virtually no understanding of microcontrollers or low-level communication protocols like I²C and SPI. My unexpected dive into hardware hacking started at a Taylor Swift concert, which I was dragged to attend. Each attendee was handed a wristband upon entering the arena. Initially, these wristbands were dark; a plastic tag kept the coin cell battery from powering the device. Removing it proved anticlimactic—the show hadn’t even begun, so I realized I’d just have to wait.

Exploring Hardware Hacking

Sat, 07 Dec 2024 00:00:00 +1000

Over the last year I have been preoccupied with something that was completely new to me - hardware hacking. This journey has been filled with curiosity, frustration and a shit ton of learning.

I’ve always been fascinated by the inner workings of devices, but it wasn’t until I started exploring hardware in detail that I truly understood the complexity and intricacy of these systems.

In the next few posts I’ll be sharing my experiences, insights and learnings from this engaging field. I will discuss a range of topics, including the communication protocols utilized by microcontrollers, firmware analysis and hardware security.

Debugging the Windows kernel on VMware Part Two

Thu, 06 Jun 2024 00:00:01 +1000

In this article, I will guide you on how to set up KDNET on a VMWare instance of Windows 10 for debugging. If you haven’t already, I encourage you to read part one of my guide, which provides additional context on this topic, especially regarding WinDbg.

Debugging over the Network

The diagram below illustrates the topological setup we will focus on in this tutorial. While we are using the same physical PC for both the host and guest OS. This configuration however, can be adapted to work with separate machines on the same network, such as a laptop.

Debugging the Windows kernel on VMware Part One

Sun, 18 Feb 2024 00:00:00 +1000

Numerous methods exist for configuring a Windows virtual machine for debugging purposes, such as through Virtual Box or QEMU. However, this guide will concentrate specifically on the configuration process using VMware. Debugging the Windows Kernel virtually removes the need for two physical computers.

For part one of this article I will cover the setup process involved with debugging the Kernel using WinDbg over a virtual serial port.

Above is a diagram illustrating the debugging process using the serial port method. Take note how both the host and guest are running on the same physical hardware.

THE FINALS a new f2p arena game

Sat, 23 Dec 2023 00:00:00 +1000

THE FINALS

Without regurgitating too much about this game, THE FINALS is a new free-to-play arena shooter that was released about two weeks ago on Steam.

Previously I had taken a look at this game during the multiple beta releases earlier this year but now that it’s finally released lets talk about it’s state.

BETA releases

There were a few beta releases of this game and I only participated in the last one. Initially, the game appeared to be packed, leading me to suspect it used something akin to VMP. However, it soon became clear that it was utilizing a different form of protection. I’v come across this this before in The Cycle: Frontier after [Byfron] was acquired by Roblox. The later stages of that game before it died horribly they switched to another protection solution which the community dubbed Walmart Byfron. this was that.

CS2 Votekick XSS

Tue, 12 Dec 2023 00:00:00 +1000

Yesterday, I came across something hilarious that actually turned out to be more malicious than I thought.

A new post appeared on Reddit - NSFW showing someone observing a pornographic image in their CS2 game appearing on the Vote Kick screen. This is very unusual as there should be no graphics appearing on that panel in the game. At first I thought this has to be photoshop or fake but it turns out it was in fact real.

Counter-Strike 2 Release

Thu, 26 Oct 2023 00:00:00 +1000

Last month in September, Valve officially released Counter-Strike 2, which took over from Counter-Strike: Global Offensive on Steam.

Although I haven’t had the chance to play the game yet, I’ve heard that it hasn’t changed much from the beta version I tried in March. My involvement in other research projects has kept me from diving deeper into the game, despite my initial strong interest.

CS2 Code Integrity & VAC

A few weeks, articles started appearing saying AMD’s Anti-Lag+ technology is getting Counter-Strike 2 players banned. This got me interested, so I started looking into the game again.

Preserving Your Digital Sandcastles with an IDA Plugin

Sun, 16 Jul 2023 00:00:00 +1000

Sandcastles

You might be wondering what sandcastles have to do with reverse engineering and IDA plugins. Bear with me here; it’s not as far off as you might think.

When we’re at the beach, building sandcastles can be a joyous, engrossing task. We invest time, effort, and creativity into constructing our tiny kingdoms. Yet, as we all know, the next wave or high tide can wash away all that hard work in an instant, leaving no trace of the intricate designs we’d assembled. Perhaps you have experienced this, or witnessed it happen to others.

Counter-Strike 2 Limited Test Release

Fri, 24 Mar 2023 00:00:00 +1000

Valve yesterday released Counter-Strike 2 in a closed beta run to a select group of people. It has been a long time since there was anything announced like this but I think we all saw it coming.

The existing Source Engine that powers CSGO is still running on x86 and the graphic capabilities are long dated.

Despite being a closed beta, I was unable to obtain access through official channels. It seems that the developers are primarily granting access to those who actively play the game, and unfortunately, I have not been. However I managed to get a copy of the game files and it runs fine in an offline capability with steam_api64.dll patched.

DLL Hijacking for Code Execution

Sat, 18 Feb 2023 00:00:00 +1000

Introduction

Although not a novel concept, DLL Hijacking or proxying has proven to be a valuable technique in various scenarios, such as software exploitation, as well as being employed in the cracking of common software and game hacking.

Dynamic Link Library (DLL)

To begin with, you may be unfamiliar with or curious about the concept of DLLs. DLL, short for Dynamic Link Library, refers to the essential libraries that contain functional code or resources utilized in Windows applications. These libraries share the same Portable Executable (PE) file format as .EXE files. In this post, I will provide a brief overview of their structure to facilitate an understanding of the DLL proxying process.

IDA Plugin - Jump To Offset

Wed, 14 Dec 2022 00:00:00 +1000

Little bit of background

Following off the previous post about IDA plugins I’ve also created another which provides you useful functionality.

This time it lets you jump to a location using a direct offset. Essentially the RVA of the image you enter into the dialog. Why IDA does not have this as an option? I have no idea but I got bothered enough to justify building something that does this.

Usage

Use the shortcut keys Shift + G to bring up the input dialog and enter an offset to jump to relative to the image base.

IDA Plugin - Get Offset

Wed, 05 Oct 2022 00:00:00 +1000

Little bit of background

When you are working with a process module dump in IDA Pro it’s important to make note of the Imagebase so you can easily locate functions or data you are observing in live memory.

Now in a perfect world the module/exe you import into IDA would be loaded at 0x04000000 or if it’s 64bit 0x0000000140000000. Why those constants you may ask? Raymond Chen explains that in his post here.

New Blog Launched!

Fri, 09 Sep 2022 00:00:00 +1000

It has been a while since I have been inactive with posts, releases and content. I’ve been working behind the scenes to relaunch this site on a new headless CMS.

All my old content posted since 2014 has been converted over in the Archived Posts section which have had all their hyperlinks updated to be all working again.

Content and other releases can be found via the Downloads page.

In the coming weeks and months I will be releasing more blog posts and research material. If you wish to contact me for any requests or info you can do so via the About page.

Thank you - Cra0

Fri, 09 Sep 2022 00:00:00 +1000

Thank you for your donation. Much appreciated!

About

Thu, 01 Sep 2022 00:00:00 +1000

I do research and development in computer software. This mainly involves reverse engineering and breaking things to see how they work. I have released some tools to extract, data mine and modify various game titles. Additionally I’ve written some articles around anti-cheats like VAC and BattlEye. You can browse my GitHub and software releases here.

If you have any questions, queries or comments shoot me an email via:

If you would like to support me and the research I do you can donate via the button below:

BattlEye Anti-Anti LoadLibrary

Tue, 02 Oct 2018 15:15:45 +0000

So while testing some things against a BattlEye protected again I noticed recently there was an update that prevents LoadLibrary from being utilized even after unloading the Anti-cheat.

First of all I thought, maybe Mr Bastian isn’t unloading the minifilter hook or it’s the PsSetLoadImageNotifyRoutine catching the LoadLibrary call but that didn’t really make sense.

Checking the system for any hooks and routines installed returned nothing, so how is he still blocking the LoadLibrary call even after the BEDaisy driver is unloaded and BEClient.dll gone from the game’s module list.

Valve Anti-Cheat Untrusted Bans (VAC) CSGO

Thu, 07 Sep 2017 11:21:03 +0000

So recently I’ve seen people surprized at how they are getting ‘untrusted bans’ on cheating forums. Some even confused at what that term even means.

Even though Valve hasn’t given us a definition of what it means previously it was understood that an ‘untrusted ban’ was the serversided anticheat ban given to players who send incorrect data to the game server in Valve’s official matchmaking. Most prominently player view angles which are stored in the Euler format (X,Y,Z) (Pitch, Yaw, Roll) if sent incorrectly to the game server instantly will flag your account as ‘untrusted’.

VAC3 Updates

Thu, 08 Jun 2017 15:24:49 +0000

I haven’t posted anything here in a while and well this just happened yesterday.

They are indeed doing something to the timestamps of the modules because

File: vac_module_0_4034d3e194a4d269c43e889593b00bcb.dll
Size: 29KB
Export TimeStamp: 13/05/2017 4:07:59 AM
Debug TimeStamp: 13/05/2017 4:07:59 AM
.text hash: 70E41F8439001066DE3FFFB00B1CDE52A0BF9E6F

File: vac_module_0_125e53d20a0cbe4849b7ff5f0130a2bf.dll
Size: 29KB
Export TimeStamp: 16/05/2017 4:59:39 AM
Debug TimeStamp: 16/05/2017 4:59:39 AM
.text hash: 3AD50243148A16042AA035749A1AEC049FCEA2A3

Same module, which enumerates drivers that is 100% identical has different timestamps.

Valve Anti-cheat (VAC) in 2017

Thu, 16 Feb 2017 01:07:17 +0000

Lets first talk about Valve’s roadmap for Counter-Strike Global Offensive, mentioned briefly by Valve’s Gabe Newell in a reddit AMA he said the following:

As far as a roadmap is concerned, our priorities for 2017 are to replace the UI with Panorama, to make CS:GO available in more territories where a lot of Counter-Strike fans don’t have easy access to it (like China), and anti-cheat. Of course, we’re also planning on continuing to ship bug fixes and new features throughout the year, as in the past.

VAC3 Changes

Sat, 22 Oct 2016 20:54:30 +0000

I’m going to refrain from posting public information about VAC from this post forward. They seem to have noticed we are using the .text section of the modules to keep track of modules and the timestamps to determine if any updates occurred.

The .rdata seems to be merged now with the code section (.text) so we can’t really use section hashes anymore.

No doubt that someone new is working with the VAC team and they have read my posts or they have just picked back up from the inactivity as evident of the recent major banwaves hitting p2cs.

VAC Banwave (13/09/2016)

Thu, 15 Sep 2016 17:08:54 +0000

A few days ago there was a massive VAC ban wave. Some of the major P2C providers got hit:

Interwebz
UnityHacks
Aimware

Other providers got hit but I’m not aware of who they are. News sites are reporting this to be the largest ban wave of the year. Firstly I’m going to start by saying this is not a server side detection as a big post on reddit and various other sites have threads titled “untrusted ban wave”. Untrusted though yes mostly is a ban that occurs when the server side anti-cheat detects an anomaly or something that shouldn’t be set on your client however it can also occur when the clientside VAC scanner detects an injection occurring. These bans are delayed as far as I know as when I was using the public Xenos injector I received an untrusted ban which later showed up on my profile as a VAC ban.

Updated VAC3 Modules

Sun, 21 Aug 2016 19:01:50 +0000

As mentioned in the previous post Valve has changed the way they do import hiding. Previously there would be a bunch of string objects usually for each module that is being imported so “kernel32.dll” -> “GetProcAddress”,”ReadProcessMemory”, “OutputDebugStringA” etc and these would all be passed through a function which has an initial xor key of 0x55.

 public unsafe string DecryptString(byte[] strData)
 {
 byte[] out_str = new byte[strData.Length];
 byte key = 0x55;


 byte* v3; // edx@1
 byte v4; // bl@1
 byte result; // al@1
 int v6; // edi@1
 int v7; // esi@2

 fixed (byte* str = strData)
 fixed (byte* str_out = out_str)
 {
 v3 = str_out;
 v4 = key;
 result = key;
 v6 = (char)key ^ *(byte*)str;
 if ((char)key != *(byte*)str)
 {
 v7 = (int)(str + 1 - (byte*)str_out);
 do
 {
 result = (byte)(v4 ^ v3[v7]);
 v4 = v3[v7];
 *v3++ = result;
 --v6;
 }
 while (v6 != 0);

 }
 *v3 = 0;
 }

 return Encoding.ASCII.GetString(out_str).TrimEnd('\0');
 }

Now however they changed the operation and they are using IceKey encryption to decode the strings which get decoded in one big block.

VAC3 Updates

Thu, 18 Aug 2016 18:01:38 +0000

Valve pushed an update for VAC3 a few days ago or it could of been a week I’m not sure I didn’t actually check the modules for a week.

Heres a log of the modules I dumped today and their time stamp dates.

PETimeSort :: 18/08/2016 4:43:29 PM

File: vac_module_0_8e2837dc1874e71c3ba4c70c493f012bea0597be.dll
Size: 35KB
Export TimeStamp: 6/08/2016 4:35:46 AM
Debug TimeStamp: 6/08/2016 4:35:46 AM
.text hash: 351654168C6FA1D84709EFAB9369378596B92D7D

File: vac_module_10_9a3d07112e4e379334a448a542bfdea463674fcc.dll
Size: 114KB
Export TimeStamp: 6/08/2016 4:35:46 AM
Debug TimeStamp: 6/08/2016 4:35:46 AM
.text hash: 2DF41439CF8E91F2D59194D18E33C86DFE1EEB75

File: vac_module_14_c0bbd5951bdf7c3337b0e81b2429d25dc018aa50.dll
Size: 32KB
Export TimeStamp: 6/08/2016 4:35:46 AM
Debug TimeStamp: 6/08/2016 4:35:46 AM
.text hash: 8E9E0E046259943E34699B55C0142F65EB2C2729

File: vac_module_13_7161146422a2783dd2bd69b048d073794c937a54.dll
Size: 30KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 21AD7FAF03D33E6164C9B009D0333F0FEE9AB7D3

File: vac_module_1_1c9adeac978bd1e63ca4aa0e1ed3479a72877809.dll
Size: 69KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 95F61937748CD4AB814120AB7F20D4AC1D09DBF8

File: vac_module_2_d94ea2256edf3c6e03b968240fea154c925130c3.dll
Size: 30KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 86B7B4D3CF07548A96F5F45118FA25CB48F40B88

File: vac_module_5_8500a4687cfabfda2f9fd042971fd481b65b70e6.dll
Size: 33KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: F90141CE8C03CD7E359383C3ADA2015B4074B309

File: vac_module_9_34fccfdc7d987f0e74fb2e546a7abb834ba65b84.dll
Size: 31KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: E7C549ACB6CCFA4FA384E3840822B6FFA9C286D6

File: vac_module_3_b23a14b07fd555d321e0432fb7f46859a06ec33c.dll
Size: 31KB
Export TimeStamp: 6/08/2016 4:35:36 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 1011BBCC7ADDFB8009E47A9161699E435EE7DA33

File: vac_module_7_f66f12c2dfc34b29f0d4305184b03d3845b9b0a3.dll
Size: 29KB
Export TimeStamp: 6/08/2016 4:35:24 AM
Debug TimeStamp: 6/08/2016 4:35:25 AM
.text hash: ED084D6562A429CF961267B7343F61212EAB80E4

File: vac_module_11_f260797499ce388f196b546b59260a77a23cbaf2.dll
Size: 32KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:24 AM
.text hash: 22DCA9E5141D960F1E45BF5735D8B9093B882F26

File: vac_module_12_c7423854a06351f64c30490099e85780f849306e.dll
Size: 27KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:23 AM
.text hash: 564FBABA08AFC5E8FD3F18F24DC1A36BF922D8A4

File: vac_module_15_51d5f83421482ab6a9fd0dc0f69ed4ee8d374659.dll
Size: 29KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:23 AM
.text hash: A22FD7769504A63C091A6CFC8A40CCB7E4311E71

File: vac_module_4_53b065d69934b4b49c02bfd38cb31f16fd61a7ec.dll
Size: 38KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:24 AM
.text hash: 06AF72EDDBBC3BA5CA88B6B0AB559B667795FF1F

File: vac_module_6_7cfdd6223b83ed997f22d0d493bc4f6876e474c6.dll
Size: 31KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:24 AM
.text hash: 68D8008E7D6AA4813F493301DAE90F8A25FC58D5

File: vac_module_8_9b09a83cf7a9a95614e061165e2f41b6ac031def.dll
Size: 30KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:23 AM
.text hash: 09A5EABA9F67A030B1FE719A64A74DE627A849D0

We can see they all seem to be updated at the same date. I will leave discussion to the thread on unknowncheats but at a first look we can see they seem to of changed the import resolver function which decodes the import strings.

Ghost In The Shell First Assault

Thu, 18 Aug 2016 16:30:00 +0000

I’ve been working on reverse engineering this game with a bunch of friends over @ UnknownCheats

Heres some media about it all 🙂

Analyzing UnityHacks in the role of a VAC engineer

Mon, 18 Jul 2016 17:15:57 +0000

UnityHacks

I’ve looked at many P2Cs(pay-to-cheat) in the past and unity is one I’ve come back to revisit to see if they have fixed stupid design concepts that could see them detected in an instance and seems like nope. If Valve actually actively looked for what I’m about to go through in this post they would be detected maybe we should let them know 😉

Man-in-the-Middle

This concept that is utilized by unityhacks is a way of them somewhat securing their cheat loader from detection. It is basically injecting their loader code into another 32bit process and then doing the loading from there.

Valve got it wrong once again

Sat, 25 Jun 2016 13:44:39 +0000

So you may remember the incident from a long time back when a whole bunch of Modern Warfare 2 users got VAC banned for no reason.

http://gamerant.com/valve-banning-innocent-mw2-free-gifts-johnj-31099/

For those who haven’t been following the VAC team they have been in somewhat of a hibernation over the past months as VAC bans handed out were not targeting specific P2Cs (Pay 2 Cheat). However more recently they have come back and are now actively targeting cheat providers again. The last update to Steam shows that VAC3 is now loaded when you sign into an account this isn’t really an issue if you know the ways around it (I have a VAC disabler in the works coming soon to cra0vision.net) but they are more aggressively scanning for cheat software now before a VAC secured game is even launched.

Teardrop WIP

Wed, 15 Jun 2016 14:19:45 +0000

I’m working on a DLL injector which utilizes the various techniques of remote code injection. I haven’t really done any research or anything interesting hence my lack of posts on this blog.

VAC3 Dump (5/04/2016)

Tue, 05 Apr 2016 15:28:52 +0000

VAC3 Dump (5/04/2016)

So the CSGO majors are over, hoping for a big ban wave to weed the idiots in the scene. I decided to do a vac3 dump to see if anything has changed since it’s been a good 3 months since I’ve last looked at the anti-cheat. There were a few modules deployed prior to this month.

File: vac_module_8_e2014210dee9ef00edb44b1a0dcfee9d535b87ea.dll
Debug TimeStamp: 2/03/2016 8:44:49 AM
File: vac_module_3_8750686ddaf3e5a9c7559b0cd5d4fd2719a5c10a.dll
Debug TimeStamp: 9/03/2016 1:29:52 PM
File: vac_module_13_33221c8ce2195501792009c9d07db7fdf0c70345.dll
Debug TimeStamp: 22/03/2016 4:57:10 PM
File: vac_module_20_fd593d82e14e8702383e6ad0aa473e0de5795249.dll
Debug TimeStamp: 31/03/2016 9:42:21 AM

Full download of the modules can be found on UnknownCheats.

Counter-Strike Global Offensive Far ESP Concept #2

Mon, 07 Mar 2016 20:01:31 +0000

Introduction

As mentioned previously in my other concept point, Valve have disabled the networking of dormant players in CSGO. Dormant meaning the players who your client should not be rendering as they are invisible to you by occlusion of objects or are outside the visibility leaf in the BSP tree. More in-depth information about these concepts can be found below:

These systems are utilized on Valve official servers however there are other techniques 3rd parties use to extend the functionality such as the anti-wall feature in SMAC which is used by leagues use to prevent people wall hacking. The concept presented in this post looks at another way of bypassing this and allowing the user to see the enemy players from anywhere on the map.

[REL] LiveDump

Wed, 02 Dec 2015 18:51:31 +0000

LiveDump – A simple memory dumper

I’m a fan of 010 Editor‘s templating system they have in place where you can write layouts for hex dumps or file formats I use it in almost all of my research/reversing. More information about that can be found here even though the hex editor has a built in system to open a live processes memory it’s not really great. I needed a system where the data I was looking at was live and updated almost instantaneously so I wrote LiveDump. LiveDump is a simple memory dumper which will either dump a region of memory once to a file or constantly dump it every X many milliseconds, this way I can see the data updated almost live in 010 editor and make use of their templating to reverse a portion of a data structure or class object. There are things like Reclass which are purposely built for this reason which I do use however my own personal preference is the templating feature built into 010 editor as it’s very robust and you incorporate loops and logic into it to display the data out how you want it.

[REL]Cheat Engine Trainer Decryptor/Unpacker

Thu, 05 Nov 2015 17:01:13 +0000

So someone uploaded a pretty dodgy looking binary to unknowncheats.me and since I moderate the uploaded files and determine if they are safe or not I decided to take a look at the particular submission, turned out to be a safe Cheat Engine trainer (sfx). Cheat Engine allows you to create trainers which include the Cheat Engine base along with the Cheat Engine table which stores the basic offsets and memory edits a user would of created, they allow this to be saved in an ‘encrypted’ manner to stop script kiddies from stealing each others CE tables. The author stated in the source code that this is very trivial however stops most of the idiots who have no idea what they are doing stealing tables. Anyway I wrote a small tool to automatically decrypt them back into plaintext xml. Sorry kids no binary here 🙂

[REL] Overwatch Revealer

Tue, 27 Oct 2015 18:18:45 +0000

For all that don’t known (and no I’m not referring to Blizzard’s new game) CSGO has a system called Overwatch where basically people who have been reported for cheating get their demos reviewed by other players or “overwatchers”. Typically these demos are stripped of all? most? information about the suspected cheater player, this includes their name, text chat, gun names (if any custom names are given to weapons) and other player names leaving the person watching the demo unaware of who it is they are reviewing. Now this is great as hopefully people who are doing these overwatch cases are not biased towards a certain player because of their name/display picture or even inventory. But hey in my opinion it’s no fun so I’ve made this tool which will reveal the suspected player. 😛

DirectX GUI WIP

Sat, 17 Oct 2015 15:43:34 +0000

I have been working on GUI related developments in the past few weeks. Here is some demo work of controls I’v reimplemented in dirext2DI for cVision.

Currently developed:

Label
Button
Input Button
Panel
Slider
Tab Control
Image
Checkbox

CSGO Far/Extended ESP Concept

Mon, 15 Jun 2015 02:39:44 +0000

So not too long ago this happened. :|

Valve released an update to csgo which basically put PVS to use. This update basically would not network entities(in our case the enemy players) that were not in the visibility leaf of the player. Later on they released another update which bought this concept of player occlusion. The server would now not send any data of enemy players when they were not visible. It wasn’t as bad as what SMAC does but it ended the life of the far ESP cheat in the game, you could no longer see enemy players unless they were close to you.

Halo Online (eldorado) Data Extractor 1.0

Fri, 03 Apr 2015 21:47:16 +0000

Quoted from Readme.txt, I don’t want to type anymore am tired

Title: 		Halo Online (eldorado) Data extractor
Version: 	1.0
Author: 	Cra0kalo @cra0kalo http://cra0kalo.com
Required: 	.NET Frameworks 4.5


Information:
For now this is just a crude unpacker, in later releases hopefully it will be able to reconstruct file formats such as textures and sounds.

Usage:
eldorado_dat -d <data file> <output directory>

Example Usage:
eldorado_dat -d O:/RamBox/video.dat O:/RamBox/_extracted
	

Shout out to the ElDorito dev team!

Download:

Dumping VAC2 and VAC3 the easier way

Mon, 02 Feb 2015 18:09:28 +0000

What is VAC?

VAC stand for (Valve Anti-cheat) and is used in many games to prevent cheats be it Valve games or 3rd party titles (Modern Warfare/DayZ). VAC comes in many different versions at the time of writing this the latest version we are calling VAC3. VAC2 and VAC3 are the only activate modules right now for games like Counter-Strike Global Offensive.

Where is VAC, how is it loaded?

VAC2 is loaded through SteamService, when you start a game steamservice appears to load it. Valve first dumps the vac2 module into your %temp% directory then calls LoadLibrary. You can see this for yourself by hooking the LoadLibrary API call or by using an API Monitor.

Fox Engine Tool - We have bones!

Sat, 10 Jan 2015 00:22:26 +0000

Chico says hi!

Bones

Kojima productions seems to store bone data like so:

 [DebuggerDisplay("idx = {idx} name = {name}")]
 public class foxBone
 {
 public int16 idx; //name of string also
 public int16 parent;

 public Vector4 bonePos;
 public Quaternion boneRot;
 };

Now I don’t exactly know whats going on here because my first attempt didn’t work using that quaternion so I re-wrote my matrix class in C# which was originally written in VB.NET and ancient as hell.

Fox Engine (Metal Gear Solid 5 GZ)

Sat, 03 Jan 2015 20:37:35 +0000

Fox Engine

There has been many advancements from last time I posted both by Sergeanur and the others making it possible to extract assets from Kojima Production’s Metal Gear Solid Ground Zeros. The Foxengine’s superb image quality is made possible by physically-Based Rendering (PBR). It can make a low polygon model look photo-realistic and it can do it well, researching the file format along with JayK, Chrrox and Volfin I’ve discovered that in fact most the models used in game are pretty standard and have a low poly count.

Metal Gear Solid 5 GZ (Fox Engine)

Fri, 26 Dec 2014 20:34:45 +0000

I played this game briefly before leaving for my Christmas holidays, when I got back I saw that someone had already managed to figure out the package format they use. “g0s” Extracting the files it seems they have used zlib chunks on textures .ftex. Heres something funny, on top of the encryption the package archives use they xor encrypt their shader files… It’s a dead giveaway when you open the shader binary up in a hex editor.

Circumvent (Themida/Hackshield/Etc..) Ultimate Memory Dump Tutorial

Tue, 02 Dec 2014 15:17:16 +0000

Backstory & Information

This tutorial was made possible by Nexon’s Counter-Strike Online 2 that nasty piece of shit left me no choice but to resort to this brutal nasty method.

Now to give a little info first in case anyone reading this has no idea what I’m talking about or doesn’t understand the concept of memory. Games & Applications that run on your system all use RAM. Sometimes they store sensitive information or valuable data there that shouldn’t be accessed by the end-user, for example an AES encryption key or maybe game assets like models/textures/scripts. This data isn’t usually protected as you can force a dump of an application’s memory, however some software/game developers like to restrict user access to this data usually to stop cheaters or people exploiting their software (like myself 😈 ). Now I won’t go into detail on what the kernel is nor what userland means but I will say that these developers use methods of protecting memory data which can be circumvented with a simple trick. The example case I will be using in this tutorial is the game Counter-Strike Online 2. Nexon the developers of this game are utilizing a technique to elevate the game process into kernel level. This means trying to access the game process or memory isn’t possible by the user anymore, normally achieved via a driver installed on the system. In CS Online2’s case Hackshields EagleNT.SYS elevates the process CounterStrikeOnline2.exe and access is not possible anymore.

Alien Isolation (Omodel) WIP (Vertex Format)

Mon, 01 Dec 2014 17:08:05 +0000

We have figured out the pak tree currently working on each vertex format structure the game throws at us! Up next rigged models.

Alien Isolation (Omodel) Progress (Vertices/UVs/Textures)

Wed, 26 Nov 2014 13:56:25 +0000

General Progress Info

Progress has been slow for Alien Isolation since I’ve been busy with other things however a friend of mine volfin has been helping out with this project. We have been working on the model pak files which store the level geometry props and characters. The devs seem to love storing data in separate files as the paks themselves only contain the vertices and faces for each model. Omodels as I like to call them store a piece of a model mesh though sometimes they just contain the entire model itself like in the example mesh I’m about to talk about below.

Tutorial: Intel GPA & Ripping geometry from 3D applications

Thu, 20 Nov 2014 19:28:05 +0000

Background Information

Intel GPA wasn’t initially designed to be used to rip assets from 3D applications but basically what we are doing here is hooking into the GPA application and dumping the vertex buffer and index buffer for the (ergs/drawcalls) it captured.

Lets start by gathering our ingredients 😉

What you will need:

Setup and Capture

Once you have setup Intel GPA begin by running the gpamonitor. Browse to your desired 3D application and hit Run. (In this example I have TitanFall)

TitanFall BSPInspect

Mon, 10 Nov 2014 17:30:15 +0000

Like I said months ago I would be looking into the BSP map format for titanfall. Well I’m calling the subtool BSPInspect. In the process of making some fancy UI for it currently and actually parsing the file format.

Like ata4 described on the V alve Developers Wiki the BSP fileformat for Titanfall differs as the core lumps usually used in source engine titles are now unused and depreciated. This is made evident in the bsppack dll provided in titanfall.

Call of Duty Advance Warfare Sound (.pak) FLAC dumper

Thu, 06 Nov 2014 14:27:10 +0000

Same as ghosts the sound pak files are just mushed flac audio.

Download:

CODAW_FlacDumper_x64_3.0.zip

CODAW_FlacDumper_x64_2.0.zip

Alien Isolation Generic PAK Unpacker (.PAK)

Sun, 19 Oct 2014 22:08:05 +0000

Alien Isolation PAK files have slight variants, there was the texture ones which I previously made a tool on and now looking into the model I’ve figured out that they share a common structure. When they mean package they seem to store only the core data inside them. Lets take textures for example, you got your package file full of just compressed texture data then a linking header file containing the filenames and texture headers. Same sort of deal with the models packages except they store all sorts of strings in the accompanying file like bone names and such.

Alien Isolation (.PAK .BIN) PC/XBOX/PS3

Wed, 15 Oct 2014 00:23:39 +0000

Not going to say much here this will crudely unpack the games texture archives and “try” to produce a valid dds file

v0.4 fixed RGBA DDS header bitmask values being 0
v0.3 fixes imageSizes, added support for DXT5 decode
v0.2 fixes data alignment issues

Download:

AITexPAKExtract_0.4.zip

AITexPAKExtract_0.3.zip

Destiny (XBOX/PS3) PKGTool Alpha

Sat, 27 Sep 2014 22:25:54 +0000

I took a look.🙄Their package files (.pkg) are compressed with some sort of Lzma variant from the oodle compression package by radgametools. Actually not too sure about this 😕

This basically extracts all the entries in the archive. Since the filenames are hashed with SHA1 I set the output filenames as their offset in the pkg package.

Download:

DestinyPKGTool.zip Source Code

SourceVMT Color Tool

Sat, 06 Sep 2014 22:36:43 +0000

This tool will allow you to basically visualize the color values you plug into a VMT. It’s nothing special but saves you time from tweaking a VMT -> checking in hlmv/game -> re-tweaking.

Download:

SourceVMT_ColorTool.zip

TitanFall VPKTool 3.3 Update

Sun, 03 Aug 2014 02:37:41 +0000

My Plans

Well it’s been a while since I last touched Titanfall, the hype had ended for me and I didn’t really play the game anymore. The fact that it didn’t even run after the first dlc patch caused me to uninstall it and forget. However recently seeing the maps in the latest dlc has sort of sparked my interest into playing it again and attempting to mod the game. If I can recall the VPKRepacker which comes with the VPKTool works however it’s a pain in the ass to use because you have to extract everything edit stuff and then repack it all again which takes like an hour in total for both operations so I made plans for making a new repacker which operates in a different way which should be easier and more feasible to use. That brings me to my next idea, a MOD manager for Titanfall. Respawn haven’t really said anything regarding mods after Vincent posted on twitter they would “evaluate” the possibility for modding the game after release, well the sad truth is they don’t wish to support modding. Aw well doesn’t mean I can’t write tools to mod the game now which is why I’m going to write a mod manager that people can use to make mods for the game and then ship them around in tfm files (titanfall mod) for everyone else to use. The doritos mod isn’t dead ok 😀

TopKek MDL Sorter

Sun, 22 Jun 2014 02:49:42 +0000

Basically sorts mdl files (source studio model data) into their respective filepaths. For example if you have an mdl Character\_Brian.mdl which was compiled to be located in.

"cra0kalo/models/Character_Brian.mdl"

It will basically make that folder structure for you and place the mdl file along with its trailing .dx80 .dx90 .vca files there. This is extremely useful for games like Vindictus

I forgot to make a blog post about this, I guess at the time It wasn’t really relevant since someone requested it and I didn’t think it was that useful.

Watch_Dogs Modding/Toolkit WIP

Sat, 07 Jun 2014 11:13:44 +0000

Watch Dogs Research

So not to long ago watch_dogs came out, the game runs pretty poorly due to its unoptimized nature and Ubisoft did state they would release a patch for optimization however I’ve already beaten the game so I don’t think It really concerns me anymore. That being said I’d recommend it, has a nice single-player campaign.

So lets talk about watch_dogs modding/reverse engineering, firstly to give a little back-story info the engine it runs on titled the Disrupt engine it’s an engine derived and created from the previous Dunia Engine (Farcry3) by Ubisoft Montreal. Some aspects are the same as Dunia which helped in reversing the game assets however there are significant changes. Dunia was reversed originaly by others, one person I know who has worked on this engine’s structure or I should say has worked on reversing Farcry3 is Rick. You can find his research and info here and on Xentax. Watch_Dogs uses a sort of bizarre way of storing its assets, they are stored inside these .fat/dat archives heres what the structure looks like.

Natural Selection 2 MeshTool

Tue, 20 May 2014 12:41:04 +0000

Not sure what the devs were thinking when they engineered the model format for this game. Their vertex buffer structure is 92 bytes long which could of easily been around 40 if they actually utilized common compression techniques like compressing the UVs into halffloats or store bone indices as bytes instead of 32bit integers. Anyway I don’t think anyone cares thats reading this so I’ll stop bitching.

Whats Included?

The Scary TCP32764 backdoor

Tue, 29 Apr 2014 17:37:33 +0000

I won’t say too much about this backdoor, it basically happens on your router/gateway which accepts a TCP connection on port 32764 Eloi Vanderbeken @elvanderb found this vulnerability last year in December and even though Netgear and Dlink have stated it’s *patched* they actually just disabled it.

I’ve made a small .NET tool which checks to see if you actually are vulnerable to this backdoor the source code can be found on github.

TitanFall VPKTool 3.0 Release

Wed, 02 Apr 2014 00:48:30 +0000

Firstly let me say mission accomplished! 😀

It’s been a while but here is 3.0 of the titanfall tool now supports repacking.

See changelog.txt for a full list of updates but the main ones are:

Added repacking support
Fixed audio export issues
Portable exe

Downloads:

Titanfall VPKTool3 Installer Titanfall VPKTool3 Portable

Enjoy and happy modding. 🙂

TitanFall VPK Tool Public Beta!

Sat, 22 Feb 2014 20:05:13 +0000

OMG HERE IT IS!

Download:

Link Outdated

TitanFall VPKTool Information

Wed, 19 Feb 2014 21:57:20 +0000

So the beta’s nearly over and the game should be patched and fixed for a March release.

I’ve been working on getting extraction capabilities for the TitanFall VPK Tool to extract all those game assets. Alot of people have been asking, when are you releasing this? Along with Russian’s emailing me about getting the text localized for their country or something anyway basically here is whats going on.

TitanFall VPK Tool

Sat, 15 Feb 2014 20:49:37 +0000

Well the beta is out and I won’t go back on my word 😛

Before you complain read this!

-Supports viewing titanfall VPK content only!

Since the VPK format has changed and the actual vpk content stuff is either encrypted or compressed, for now its only viewing. I will post updates to facepunch/twitter/this blog so keep an eye out.

Download:

Titanfall_VPKTool2.zip

Disney INFINITY Model Extractor

Mon, 03 Feb 2014 23:13:37 +0000

Extracts mesh from .vbuf and .ibuf. Bone support in next release

Changelog

Version 1.1

Fixed Normals now you can export them

Version 1.0

Release

Download:

Disney Infinity Model Extractor v1.1

Metal Gear Solid 4 .SEG TO .DDS

Mon, 03 Feb 2014 14:14:21 +0000

A tool to convert MGS4 seg files to DirectDraw Surface textures.

Version 1.0

Release

Download:

MSG4TextureTool v1.0.1

BinaryDomain Reversing WIP

Thu, 23 Jan 2014 23:44:18 +0000

An update finally!

Been working on this for a month now and I can say that the GMD format is nearly reversed.

Call of Duty Ghosts PAK Extractor WIP

Wed, 15 Jan 2014 16:08:12 +0000

Well here it is, supports FLAC streams for now.

Screenshots

Version 1.2

Version 1.0

Download:

COD_GHOSTS_Toolset.zip

StudioMDL 2013

Wed, 15 Jan 2014 16:04:10 +0000

Won’t go into much detail here, if you mod for the source engine then you would know what studiomdl is.

Usual commands and parameters apply here however I will add some additional options in the future.

StudioMDL Compiler

VALID COMMANDS:

Features

Updated texture limits
Able to compile vta (vertex animation over 128mb’s)
Updated bone limits from 256 to 512 (may crash the game)

Usage: Throw inside dota2’s bin/ or csgo’s bin/ alongside the dll it comes with.

Ratchet and Clank Trilogy Texture Extractor

Wed, 15 Jan 2014 16:07:35 +1100

Here it is!

This tool will allow you to extract all the texture archives from Ratchet & Clank Trilogy game on the ps3.

Screenshots

Download:

(updated to v1.1) – supports Ratchet Deadlock

R&C_Textool.zip

Gameloft Archive Tool (.gla)

Wed, 15 Jan 2014 16:07:01 +1100

Package Extractor

First real file format I have reversed, this tool will extract the contents of a gameloft archive.

Download:

Gameloft Archive Tool v1.0

403 Forbidden

Mon, 01 Jan 0001 00:00:00 +0000

You don’t have authorization to view this resource.

Go back to the previous page

500 Internal Server Error

Mon, 01 Jan 0001 00:00:00 +0000

Oops! Something went really wrong it seems. Please try again later.