Black Sector, Analysis
Black Sector Solutions is a cheat/HWID spoofer developer that has many really high-end cheats. The sample that I will be looking at today is their HWID (Hardware ID) spoofer. HWID spoofers are a helpful tool to have: most anti-cheat bans, like those from BattlEye and Easy Anti-Cheat, are hardware bans, meaning that if you were to just buy the game again you would get banned.
In this write-up I think it's important that I really go into detail about how I reverse engineer applications, from start to finish. Since more and more people are reading my posts, I think this will be a little more useful for newcomers.
To begin, I always get a feel for the application that I am working with. Is it using a packer? Is it VMProtected? Is it making any networking requests? Within 10-15 minutes of working with the sample you will quickly see what you are up against. Again, all of this is done inside of a VM (Virtual Machine); I use VirtualBox. Some samples will refuse to run inside of a virtual machine; luckily for us this is not the case.
Let's first open our sample in IDA. This will tell us pretty quickly if it's packed or not. Most of the time when the application is packed, IDA will give you a warning that the imports have been destroyed or that there is a jump to an address that doesn't exist. In our case neither of these situations played out. The next step would be to look at the strings tab. Sometimes there are no strings (meaning that they are probably encrypted), or there are strings, but they make no sense (meaning that they are encrypted). In our case there are strings, but they make no sense at all.
Now that we know that the strings are encrypted, we can always try dumping the memory at runtime. Usually strings will be encrypted inside of the PE (portable executable), but once the PE is running it decrypts itself and stores the decrypted values in memory. If we are able to dump the application and find the offsets of useful data, we can write a program to change those values at runtime (almost like making a cheat for a cheat). I personally have had much success with changing useful data inside of an application at runtime. For example, say you have an application that has a randomly generated string that is passed as a query string to a PHP server. If we are able to change that random string to something that we already know the response to, then we don't need to worry about anything else. We can simply change the random string at runtime to what we want it to be.
Anyway, after dumping the PE from memory, one of the first things I usually do is double-click it and see if it runs. If the application runs with no issues (other than maybe some missing DLLs if you didn't run it inside of the folder that has all the DLLs it needs), then we know that the application is the same in memory as it is on disk. The next thing I do is open it in IDA to see if the strings have been decrypted. Sadly for us this is not the case. The strings are still the same as they were before.
At this point we know the following: the application has encrypted strings, the application is the same in memory as it is on disk, and we haven't been able to decrypt the strings. Usually at this point it's a good idea to take a look at the networking this application uses. Does the sample use HTTP(s)? TCP? UDP? Is the data understandable?
The first thing I like to do when observing network traffic from an application is to run Fiddler/Charles and open the application. This will tell us if the application makes any HTTP(s) requests to standard ports (80, 443, 8080, etc). In our case Black Sector doesn't use HTTP(s), which is nice to see. This will be the first cheat that I reverse that doesn't use HTTP(s).
So now that we know that the application doesn't use HTTP(s), we kick it up a notch and use Wireshark. When we start the application we can see that a DNS request is made for as1-blacksector.solutions which points to 126.96.36.199. Directly after that we send a few TCP packets to 188.8.131.52:27010 (as1-blacksector.solutions:27010). Let's create a filter for Wireshark and get 3-5 samples of the network communication at different parts of the application's execution. The filter I'll be using is: ip.addr == 184.108.40.206 && tcp.port == 27010. This will filter all TCP packets that we want.
The key to network analysis is having multiple samples. Creating samples will help you see the data that changes and the data that stays the same. It also makes it easier to pick out parts in the protocol that you could potentially spoof later on. Here is an example of the analysis of the data that is sent when the application starts.
With the data above we can already make a few assumptions. 1.) The communication is probably not encrypted, considering that we don't see a key exchange. 2.) We can see some data that doesn't change; this is a pretty good hint that the communication is indeed not encrypted. By all means though, I could be incorrect. Black Sector could have just built the PE with the server's public key already inside of it. We really don't know.
Let's get more samples from different sections of the communication. Directly after that startup preamble, we are presented with a login box. Let's take some samples of the networking traffic that is sent with the following variables: incorrect password, unknown username, invalid HWID. I took 3 of each; this should provide enough data to understand some of the networking protocol.
One of the first things I notice is the recurrence of 4 bytes that seem to be a status code of the login. First let's look at a valid username/password.
As you can see, the 43 00 00 00 section is one of the only static things that the server responds with. The value is 80 00 00 00 if the username and password are correct but the HWID is not in their database. The value is 04 00 00 00 if the username/password is incorrect. Knowing this information we can then attempt to man-in-the-middle the application. This will allow us to dynamically edit the network data...
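The sample comparison and the status-field reading described above can be scripted. This is an added example, not code from the original post: the payloads are constructed, and the field layout (4-byte header, 4-byte changing value, 4-byte little-endian status at offset 8) is an assumption; only the three status values come from the text.

```python
import struct

# Status values reported in the text, read as little-endian 32-bit integers.
STATUS_MEANING = {
    0x43: "valid username/password",
    0x80: "credentials correct, HWID not in database",
    0x04: "incorrect username/password",
}

# Constructed captures of one server reply type (not real traffic).
# Assumed layout: 4-byte header | 4-byte changing value | 4-byte status | padding
SAMPLES = [
    bytes.fromhex("aa55aa55" "1f3c9d02" "04000000" "0000"),
    bytes.fromhex("aa55aa55" "77e1b40a" "04000000" "0000"),
    bytes.fromhex("aa55aa55" "c2085e91" "04000000" "0000"),
]

def byte_runs(samples):
    """Return (start, end, is_static) runs over the shared prefix; end is exclusive."""
    shared = min(len(s) for s in samples)
    runs = []
    for i in range(shared):
        static = len({s[i] for s in samples}) == 1
        if runs and runs[-1][2] == static:
            runs[-1] = (runs[-1][0], i + 1, static)   # extend the current run
        else:
            runs.append((i, i + 1, static))           # start a new run
    return runs

def read_status(payload, offset):
    """Decode the 4-byte little-endian field at `offset` and label it."""
    if offset + 4 > len(payload):
        raise ValueError("payload too short for a status field")
    (value,) = struct.unpack_from("<I", payload, offset)
    return value, STATUS_MEANING.get(value, "unknown")

if __name__ == "__main__":
    for start, end, static in byte_runs(SAMPLES):
        kind = "static" if static else "varies"
        print(f"{start:2d}-{end - 1:2d} {kind:7s} {SAMPLES[0][start:end].hex(' ')}")
    print(read_status(SAMPLES[0], 8))
```

A byte that happens to coincide across a small set of captures is reported as static, which is why taking several samples of each case matters.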
Man In The Middle
With an elementary understanding of the networking protocol, I figured it would be time to make a MITM (man-in-the-middle) proxy and start working dynamically with our ideas. This will help us understand the networking data even more.
Let's first begin with changing what as1-blacksector.solutions resolves to. This will route all networking traffic to our proxy instead of the server itself. There are more than a handful of ways to go about changing where the application makes requests to: we can change the hosts file to point as1-blacksector.solutions to 127.0.0.1, we could add an iptables rule that routes all outbound traffic on a certain port to another one, or we can host our own DNS server and make an A record to point as1-blacksector.solutions to 127.0.0.1.
After a very short amount of time I was surprised to see that the application actually checks to see if its domain name is inside of the hosts file. I tested out a few things just to see how the application was testing whether as1-blacksector.solutions was inside the hosts file. It seems that it is using some sort of regex, considering that appending "S" to the end of the domain name still gives us an error, but putting a random character in the middle of the domain name doesn't give us the error anymore.
Domain name in hosts file
Putting a random character in the middle of the domain name
Appending extra characters to the end
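The three observations above are what a substring or unanchored pattern match produces, as opposed to a whole-hostname comparison. This is an added example, not the application's code (how it really performs the check is unknown); the hosts-file lines are constructed and both check functions are hypothetical.

```python
DOMAIN = "as1-blacksector.solutions"

# Constructed hosts-file contents for the three cases tested in the post.
CASES = {
    "exact":  "# local override\n127.0.0.1 as1-blacksector.solutions\n",
    "middle": "127.0.0.1 as1-blackXsector.solutions\n",
    "suffix": "127.0.0.1 as1-blacksector.solutionsS\n",
}

def hosts_names(hosts_text):
    """Yield lower-cased hostnames, skipping comments and the address column."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:          # fields[0] is the IP address
            yield name.lower().rstrip(".")

def substring_check(hosts_text, domain=DOMAIN):
    """Hypothetical check: flag any entry that merely contains the domain."""
    return any(domain in name for name in hosts_names(hosts_text))

def exact_check(hosts_text, domain=DOMAIN):
    """Hypothetical check: flag only an entry equal to the domain."""
    return any(name == domain for name in hosts_names(hosts_text))

def compare():
    """Return {case: (substring_result, exact_result)} for the constructed cases."""
    return {k: (substring_check(v), exact_check(v)) for k, v in CASES.items()}

if __name__ == "__main__":
    for case, (sub, exact) in compare().items():
        print(f"{case:7s} substring={sub!s:5s} exact={exact}")
```

Only the substring variant reproduces the reported behaviour: it flags the appended "S" entry, which is a different hostname, and an exact comparison does not.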
This leaves us with either editing iptables or hosting our own DNS. Since making a DNS record is a lot easier than debugging Windows iptables, I figured I would download simpledns and make a DNS record to point as1-blacksector.solutions -> 127.0.0.1
Doing this worked! We are now able to run our MITM application, which we can use to spoof responses and so on. I decided I would make a Python application; since Python is such a high-level language, it won't make the complicated more complicated.
I then tried to spoof the response from the server when the username/password was incorrect. Sadly I didn't have much luck. At this point I had spent quite a lot of time with this sample. As of right now I am not super interested in continuing with this sample, simply because there are other samples that I want to work with. I'm sure I will come back to this in a week or two, maybe even sooner, and with that I leave you with this:
Image of me patching invalid username/password to valid username/password
This is not the end of this project. As I see it, it's only a matter of time until I or someone else continues my work. So what's next? Well, I'm glad you asked... Have you ever wondered how an application/game determined you were banned? Well, most of us would assume that there would be some network request that is made to a server that would query a database. The next post will be about how in the world Rainbow Six Siege determines that you are banned, and can we possibly spoof it?