LWSS / Ape-ex-Abominations

Apex Legends QEMU Cheat

Not an actual issue. #12

Open unfriendly opened 4 years ago

unfriendly commented 4 years ago

Hi, I am learning and I am wondering if you would have any time to talk about your QEMU DMA cheat.

LWSS commented 4 years ago

yeah ok what do u want to know?

unfriendly commented 4 years ago

Is there any way it would be possible to directly write to the video buffer or to an external program like Looking Glass without adding more detection vectors than reading from memory (I know Looking Glass requires a signed driver, one that Red Hat has signed or that you sign yourself), and I don't know if anti-cheats look at that as a suspicious thing. I know Parsec has an OpenGL implementation, but that has a lot of downsides.

LWSS commented 4 years ago

you mean like this? (https://github.com/LWSS/peeper)

Writing to the video buffer would be a huge pain and specific to your driver afaik.

unfriendly commented 4 years ago

Thank you! That is exactly what I meant (I am going to spend a few figuring out how it works, trying to implement my own visuals library, and integrating other pentesting tools into the GUI for use on things other than games)! And oh, ok, I did not know that would be such a big task.

LWSS commented 4 years ago

cool bro, good luck

unfriendly commented 4 years ago

Would you want to help work on a modified QEMU that randomizes things per machine (e.g. ACPI tables, version data, device names, manufacturer information, model numbers, and drive names)? It uses semi-random data to make more realistic entries (meaning some manufacturer names are reused on devices, but serial numbers and versions are randomized). I know it's simple, but I can't find a single one available that does it at all, or well, and without manual input (requiring you to patch multiple things and compile bits and pieces from different sources). I made a simple script that does most of those things and fixes all detected issues in al-khaser and Pafish, as well as bypassing NVidia's error 43 and NVidia's mobile GPU battery detection/battery monitoring probe via the ACPI table and the SMBIOS instead of going through KVM, allowing you to fix RDTSC detection.

LWSS commented 4 years ago

I actually didn't know about al-khaser/pafish, thanks.

Well, I have never run into VM-detection issues from any of the anti-cheats: Blizzard, EasyAC, BE, etc. This could be an issue for Valorant however; apparently they have 3 different VM detection methods or so, if I remember the thread on UC right.

The only one I have looked into a little is cpuid, and from what I read, it could be bypassed by changing the configuration to spoof the cpuid. Also, I know you can change the HDD names here too.

I think it would probably be ideal to do as much as you can without forking QEMU, because from my experience people don't like building big stuff; they would rather hook the installed program than rebuild it from source. (This is why I didn't fork looking-glass for peeper.)

unfriendly commented 4 years ago

I ran into the VM issue when trying to do a bug bounty on ESEA (I know I probably won't find anything, but it's fun to learn), and I'll have to see if Riot has a bug bounty for Valorant, since that seems cool to look at if they have 3 detection methods. Also, you can't spoof the CPUID (EAX, EBX, ECX, and EDX registers) on QEMU due to their CPU clock emulation implementation and using KVM, since by default QEMU uses KVM for GPU passthrough afaik.

And I did not think of that. I could create a module for QEMU through the libvirt wrapper, which would make use of it easy, but I don't know how I would fix the RDTSC clock issue; the other issues could be solved with that, but idk about that one.

LWSS commented 4 years ago

Yeah, let me know if you come up with something; it sounds useful in the future. I want to make a tool like ReClass that goes into QEMU memory. It sucks not having it lol.

unfriendly commented 4 years ago

(I would like to retract a good portion of this statement. It seems Riot is being extremely open about Valorant and its anti-cheat Vanguard; they even set up a bug bounty on HackerOne and have great responses on Reddit/Twitter.)

Also, holy shit, Riot seems like a fucking shitty company, pardon my language (after reading UC and fact-checking it). I am doing it as soon as I get a key, screw the bug bounty. (Like seriously, don't fucking sue and dox cheat creators or users; use them as data and as a constructive resource. I do agree with banning cheaters, but doxxing and going the legal route is too far and stifles anti-cheat development/improvement. Seriously, if Riot sees this, please hire people to reverse your anti-cheat, help foster an open-source community that both tries to find flaws and contributes to fixing them, make it a better product, and stop going after people like Blizzard/Epic/etc.)

unfriendly commented 4 years ago

Also, ReClass going into QEMU memory would be amazing, or radare and Binary Ninja in combo. From the kvm_explorer project (https://github.com/Heep042/kvm_explorer) it doesn't seem difficult to make a POC plugin for one of these programs to save memory and load it.

LWSS commented 4 years ago

Yeah, I'm friends with heep and have used kvm_explorer, but it kinda stinks: can't deref pointers and doesn't have an adjustable view. He was going to make a ReClass fork, but I'm not sure if he finished it.

unfriendly commented 4 years ago

Oh, that's cool, I hope he releases it if it is finished! I am going to work on integrating an implementation in Binary Ninja and radare, as it seems the Windows debugging options under settings>updates>developer>device portal give you a web portal that allows you to grab direct dumps of running applications over a REST API (useless for dynamic analysis like ReClass), but it's easy as pie to use that REST API in any external program. (And it seems no anti-cheat looks at whether that setting is enabled??? Kinda a big oversight, right?)

unfriendly commented 4 years ago

Do you have a Discord or other chat software like Wire, Threema, etc.? (My email is publicly listed on my GitHub profile, if you want to send it over non-public channels.)

LWSS commented 4 years ago

Yeah, sorry, I got my fingers in a lotta pies and sometimes I don't take the time to lick em. It's been one-a those days#4849