rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

[Anti-Cheat] Add Code-Stage Anti-Cheat ToolKit Detection #297

Open apkunpacker opened 2 years ago

apkunpacker commented 2 years ago

Samples:

https://www.virustotal.com/gui/file/791245109462e6d908be230ee88bc4997840c4096001a73853bf28f936ea314d/
https://www.virustotal.com/gui/file/2cf374251a23dccce31724ec940c465565a871c9680234a5b6607c40626dd4ab/
https://www.virustotal.com/gui/file/0dbd4cac4a10855b2eb44548d93d4c9a0ca374f89bfc3703bd24d21c8e924398/

Website - http://codestage.net

APKiD Scan:

$ apkid '791245109462e6d908be230ee88bc4997840c4096001a73853bf28f936ea314d.apks'
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] 791245109462e6d908be230ee88bc4997840c4096001a73853bf28f936ea314d.apks!base.apk!assets/audience_network.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : possible Build.SERIAL check
 |-> compiler : unknown (please file detection issue!)
[*] 791245109462e6d908be230ee88bc4997840c4096001a73853bf28f936ea314d.apks!base.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, ro.hardware check, ro.kernel.qemu check
 |-> compiler : r8
[*] 791245109462e6d908be230ee88bc4997840c4096001a73853bf28f936ea314d.apks!base.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check, possible VM check
 |-> compiler : r8 without marker (suspicious)
[*] 791245109462e6d908be230ee88bc4997840c4096001a73853bf28f936ea314d.apks!base.apk!classes3.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check, possible VM check
 |-> compiler : r8 without marker (suspicious)
[*] 791245109462e6d908be230ee88bc4997840c4096001a73853bf28f936ea314d.apks!base.apk!classes4.dex
 |-> compiler : r8 without marker (suspicious)

A possible rule can be for its libil2cpp.so, which contains all of the anti-cheat protection.

$ r2 libil2cpp.so                                 
Warning: run r2 with -e bin.cache=true to fix relocations in disassembly
 -- I am Pentium of Borg. Division is futile. You will be approximated.
[0x00a14d60]> izz~+cheat
97635  0x0228586c 0x0228586c 48  49   .rodata             ascii   Code Stage/Anti-Cheat Toolkit/Injection Detector
97636  0x0228589d 0x0228589d 113 114  .rodata             ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_injection_detector.html       
97637  0x0228590f 0x0228590f 56  57   .rodata             ascii   Code Stage/Anti-Cheat Toolkit/Obscured Cheating Detector  
97638  0x02285948 0x02285948 121 122  .rodata             ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_obscured_cheating_detector.html
97639  0x022859c2 0x022859c2 49  50   .rodata             ascii   Code Stage/Anti-Cheat Toolkit/Speed Hack Detector         
97640  0x022859f4 0x022859f4 114 115  .rodata             ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_speed_hack_detector.html      
97641  0x02285a67 0x02285a67 52  53   .rodata             ascii   Code Stage/Anti-Cheat Toolkit/Time Cheating Detector
97642  0x02285a9c 0x02285a9c 117 118  .rodata             ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_time_cheating_detector.html   
97643  0x02285b12 0x02285b12 47  48   .rodata             ascii   Code Stage/Anti-Cheat Toolkit/WallHack Detector
97644  0x02285b42 0x02285b42 113 114  .rodata             ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_wall_hack_detector.html
97680  0x0228646f 0x0228646f 79  80   .rodata             ascii   Check for the "walk through the walls" kind of cheats made via Rigidbody hacks?
97681  0x022864bf 0x022864bf 90  91   .rodata             ascii   Check for the "walk through the walls" kind of cheats made via Character Controller hacks?
97682  0x0228651a 0x0228651a 116 117  .rodata             ascii   Check for the "see through the walls" kind of cheats made via shader or driver hacks (wireframe, color alpha, etc.)?
97683  0x0228658f 0x0228658f 78  79   .rodata             ascii   Check for the "shoot through the walls" kind of cheats made via Raycast hacks?
97694  0x0228681f 0x0228681f 37  38   .rodata             ascii   Please use CheatChecked event instead
97769  0x022870c2 0x022870c2 7   8    .rodata             ascii   CHEATER
apkunpacker commented 2 years ago

1 More Sample - https://virustotal.com/gui/file/404c618c03040c44950c1678e9fb5399576f146ccfdbf43c0208869831519d35

Scan -

$ apkid 'Big Bang_3.7.2.apk'
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] Big Bang_3.7.2.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check
 |-> compiler : dx (possible dexmerge)
 |-> manipulator : dexmerge
$ r2 assets/bin/Data/Managed/Assembly-CSharp.dll                           
Metadata Signature: 0x1ce6f8 0x10001424a5342 12
.NET Version: v2.0.50727
Number of Metadata Streams: 5                                                           
DirectoryAddress: 6c Size: b08c4
Stream name: #~ 4
DirectoryAddress: b0930 Size: 576e0
Stream name: #Strings 12
DirectoryAddress: 108010 Size: ed7f8
Stream name: #US 4                                                                      
DirectoryAddress: 1f5808 Size: 10
Stream name: #GUID 8                                                                    
DirectoryAddress: 1f5818 Size: 1ee2c                                                    
Stream name: #Blob 8
 -- Everything up-to-date.                                                              
[0x007e498e]> izz~+cheat                                                                
22394 0x00283d9e 0x0068599e 28  29   .text   ascii   CodeStage.AntiCheat.Examples       
22400 0x00283e13 0x00685a13 26  27   .text   ascii   CodeStage.AntiCheat.Common
22402 0x00283e38 0x00685a38 29  30   .text   ascii   CodeStage.AntiCheat.Detectors      
22406 0x00283e88 0x00685a88 24  25   .text   ascii   ObscuredCheatingDetector           
22409 0x00283ec4 0x00685ac4 33  34   .text   ascii   CodeStage.AntiCheat.ObscuredTypes
22436 0x0028407f 0x00685c7f 25  26   .text   ascii   CodeStage.AntiCheat.Utils          
24816 0x0028cdca 0x0068e9ca 9   10   .text   ascii   m_cheater
24988 0x0028d8e8 0x0068f4e8 18  19   .text   ascii   m_sessionwideCheat
28079 0x0029a1c6 0x0069bdc6 7   8    .text   ascii   cheater
29851 0x002a1f3b 0x006a3b3b 25  26   .text   ascii   obscuredTypeCheatDetected          
29852 0x002a1f55 0x006a3b55 21  22   .text   ascii   wallHackCheatDetected
37693 0x002c27e0 0x006c43e0 11  12   .text   ascii   get_cheater                        
37694 0x002c27ec 0x006c43ec 11  12   .text   ascii   set_cheater
40359 0x002cddd5 0x006cf9d5 30  31   .text   ascii   OnObscuredTypeCheatingDetected     
40395 0x002ce025 0x006cfc25 18  19   .text   ascii   OnCheatingDetected
47761 0x003113a1 0x00712fa1 7   15   .text   utf16le cheater
51415 0x0033b0cd 0x0073cccd 57  115  .text   utf16le Too slow! Learn how to cheat and maybe you have a chance!                                                                  
51440 0x0033bb58 0x0073d758 44  89   .text   utf16le What? No! You cheater, how is this possible?                                                                               
59527 0x003b0e4e 0x007b2a4e 32  66   .text   utf16le Obscured Vars Cheating Detected!
59546 0x003b1378 0x007b2f78 58  117  .text   utf16le <color="#0287C8"><b>Anti-Cheat Toolkit Sandbox</b></color>
59547 0x003b13ef 0x007b2fef 79  159  .text   utf16le Here you can overview common ACTk features and try to cheat something yourself.
59548 0x003b1490 0x007b3090 173 347  .text   utf16le ACTk offers own collection of the secure types to let you protect your variables from <b>ANY</b> memory hacking tools (Cheat Engine, ArtMoney, GameCIH, Game Guardian, etc.).                                      
59550 0x003b163f 0x007b323f 161 323  .text   utf16le Below you can try to cheat few variables of the regular types and their obscured (secure) analogues (you may change initial values from Tester object inspector):
59561 0x003b1b72 0x007b3772 82  165  .text   utf16le <color="#FF4040"><b>PlayerPrefs:</b></color>\neasy to cheat, only 3 supported types
59578 0x003b213f 0x007b3d3f 89  179  .text   utf16le Allows to detect Cheat Engine's speed hack (and maybe some other speed hack tools) usage.
59580 0x003b220d 0x007b3e0d 33  67   .text   utf16le <b>Obscured Cheating Detector</b>
59581 0x003b2252 0x007b3e52 108 218  .text   utf16le Detects cheating of any Obscured type (except ObscuredPrefs, it has own detection features) used in project.
59620 0x003b29fb 0x007b45fb 18  37   .text   utf16le Cheating detectors
59621 0x003b2a21 0x007b4621 33  67   .text   utf16le CodeStage.AntiCheat.ObscuredTypes
59663 0x003b2fbf 0x007b4bbf 28  57   .text   utf16le Anti-Cheat Toolkit Detectors
59672 0x003b3642 0x007b5242 26  53   .text   utf16le Obscured Cheating Detector
59673 0x003b3678 0x007b5278 51  103  .text   utf16le [ACTk] Obscured Cheating Detector: already running!
59674 0x003b36e1 0x007b52e1 126 253  .text   utf16le [ACTk] Obscured Cheating Detector: disabled but StartDetection still called from somewhere (see stack trace for this message)!
59675 0x003b37e0 0x007b53e0 231 463  .text   utf16le [ACTk] Obscured Cheating Detector: has properly configured Detection Event in the inspector, but still get started with Action callback. Both Action and Detection Event will be called on detection. Are you sure you wish to do this?
59676 0x003b39b1 0x007b55b1 178 357  .text   utf16le [ACTk] Obscured Cheating Detector: was started without any callbacks. Please configure Detection Event in the inspector, or pass the callback Action to the StartDetection method.
59694 0x003b478b 0x007b638b 73  147  .text   utf16le [ACTk] WallHack Detector: can't detect wireframe cheats on this platform!
61207 0x003cc851 0x007ce451 28  57   .text   utf16le Anti-Cheat Toolkit Detectors
61208 0x003cc88a 0x007ce48a 30  61   .text   utf16le Code Stage/Anti-Cheat Toolkit/
61209 0x003cc8c7 0x007ce4c7 54  109  .text   utf16le GameObject/Create Other/Code Stage/Anti-Cheat Toolkit/
61213 0x003cca0b 0x007ce60b 49  50   .text   ascii   0Code Stage/Anti-Cheat Toolkit/Injection Detector
61216 0x003ccadd 0x007ce6dd 57  58   .text   ascii   8Code Stage/Anti-Cheat Toolkit/Obscured Cheating Detector
61217 0x003ccb19 0x007ce719 26  53   .text   utf16le Obscured Cheating Detector
61218 0x003ccb4e 0x007ce74e 35  71   .text   utf16le [ACTk] Obscured Cheating Detector:
61223 0x003ccd7a 0x007ce97a 50  51   .text   ascii   1Code Stage/Anti-Cheat Toolkit/Speed Hack Detector
61229 0x003ccf22 0x007ceb22 48  49   .text   ascii   /Code Stage/Anti-Cheat Toolkit/WallHack Detector
61234 0x003cd011 0x007cec11 80  81   .text   ascii   OCheck for the "walk through the walls" kind of cheats made via Rigidbody hacks?
61235 0x003cd066 0x007cec66 91  92   .text   ascii   ZCheck for the "walk through the walls" kind of cheats made via Character Controller hacks?
61236 0x003cd0c6 0x007cecc6 117 118  .text   ascii   tCheck for the "see through the walls" kind of cheats made via shader or driver hacks (wireframe, color alpha, etc.)?
61237 0x003cd140 0x007ced40 79  80   .text   ascii   NCheck for the "shoot through the walls" kind of cheats made via Raycast hacks?
apkunpacker commented 2 years ago

https://virustotal.com/gui/file/96064daba953dfea5c1ecafb24a45c39ad355742aa9a2dade6c93e64d98a35e5

$ apkid 'Battle Legion_2.6.0.apk'
[+] APKiD 2.1.3 :: from RedNaga :: rednaga.io
[*] Battle Legion_2.6.0.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check, possible VM check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] Battle Legion_2.6.0.apk!classes2.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : /proc/cpuinfo check, Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.ID check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, Build.USER check, SIM operator check, device ID check, emulator file check, network operator name check, possible Build.SERIAL check, possible VM check, possible ro.secure check, ro.build.type check, ro.hardware check, ro.kernel.qemu check, ro.product.device check
 |-> compiler : dexlib 2.x
[*] Battle Legion_2.6.0.apk!assets/audience_network.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : possible Build.SERIAL check
 |-> compiler : unknown (please file detection issue!)

This has anti-cheat in 2 different libs:

$ r2 libnqtpnxd.so
Warning: run r2 with -e bin.cache=true to fix relocations in disassembly
 -- Almost 5am, maybe you should go to bed.
[0x00033d3c]> izz~+cheat                                                                        
49288 0x00269db8 0x0026cdb8 113 114  .data               ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_injection_detector.html
49289 0x00269e2a 0x0026ce2a 48  49   .data               ascii   Code Stage/Anti-Cheat Toolkit/Injection Detector
49290 0x00269e5b 0x0026ce5b 56  57   .data               ascii   Code Stage/Anti-Cheat Toolkit/Obscured Cheating Detector                                                                       
49291 0x00269e94 0x0026ce94 121 122  .data               ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_obscured_cheating_detector.html      
49292 0x00269f0e 0x0026cf0e 114 115  .data               ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_speed_hack_detector.html             
49293 0x00269f81 0x0026cf81 49  50   .data               ascii   Code Stage/Anti-Cheat Toolkit/Speed Hack Detector                                                                              
49294 0x00269fb3 0x0026cfb3 117 118  .data               ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_time_cheating_detector.html          
49295 0x0026a029 0x0026d029 52  53   .data               ascii   Code Stage/Anti-Cheat Toolkit/Time Cheating Detector                                                                           
49296 0x0026a05e 0x0026d05e 113 114  .data               ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_wall_hack_detector.html              
49297 0x0026a0d0 0x0026d0d0 47  48   .data               ascii   Code Stage/Anti-Cheat Toolkit/WallHack Detector                                                                                
49382 0x0026b09d 0x0026e09d 79  80   .data               ascii   Check for the "walk through the walls" kind of cheats made via Rigidbody hacks?                                                
49383 0x0026b0ed 0x0026e0ed 90  91   .data               ascii   Check for the "walk through the walls" kind of cheats made via Character Controller hacks?                                     
49384 0x0026b148 0x0026e148 116 117  .data               ascii   Check for the "see through the walls" kind of cheats made via shader or driver hacks (wireframe, color alpha, etc.)?           
49385 0x0026b1bd 0x0026e1bd 78  79   .data               ascii   Check for the "shoot through the walls" kind of cheats made via Raycast hacks?                                                 
49432 0x0026b9b0 0x0026e9b0 37  38   .data               ascii   Please use CheatChecked event instead
$ r2 libil2cpp.so
Warning: run r2 with -e bin.cache=true to fix relocations in disassembly
 -- There's more than one way to skin a cat
[0x00bd8eb0]> izz~+cheat                                                                        
135794 0x02caf995 0x02caf995 113 114  .rodata             ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_injection_detector.html
135795 0x02cafa07 0x02cafa07 48  49   .rodata             ascii   Code Stage/Anti-Cheat Toolkit/Injection Detector
135796 0x02cafa38 0x02cafa38 56  57   .rodata             ascii   Code Stage/Anti-Cheat Toolkit/Obscured Cheating Detector                                                                      
135797 0x02cafa71 0x02cafa71 121 122  .rodata             ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_obscured_cheating_detector.html     
135798 0x02cafaeb 0x02cafaeb 114 115  .rodata             ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_speed_hack_detector.html            
135799 0x02cafb5e 0x02cafb5e 49  50   .rodata             ascii   Code Stage/Anti-Cheat Toolkit/Speed Hack Detector                                                                             
135800 0x02cafb90 0x02cafb90 117 118  .rodata             ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_time_cheating_detector.html         
135801 0x02cafc06 0x02cafc06 52  53   .rodata             ascii   Code Stage/Anti-Cheat Toolkit/Time Cheating Detector                                                                          
135802 0x02cafc3b 0x02cafc3b 113 114  .rodata             ascii   http://codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_wall_hack_detector.html             
135803 0x02cafcad 0x02cafcad 47  48   .rodata             ascii   Code Stage/Anti-Cheat Toolkit/WallHack Detector                                                                               
135882 0x02cb0c3e 0x02cb0c3e 79  80   .rodata             ascii   Check for the "walk through the walls" kind of cheats made via Rigidbody hacks?                                               
135883 0x02cb0c8e 0x02cb0c8e 90  91   .rodata             ascii   Check for the "walk through the walls" kind of cheats made via Character Controller hacks?                                    
135884 0x02cb0ce9 0x02cb0ce9 116 117  .rodata             ascii   Check for the "see through the walls" kind of cheats made via shader or driver hacks (wireframe, color alpha, etc.)?          
135885 0x02cb0d5e 0x02cb0d5e 78  79   .rodata             ascii   Check for the "shoot through the walls" kind of cheats made via Raycast hacks?                                                
135932 0x02cb1551 0x02cb1551 37  38   .rodata             ascii   Please use CheatChecked event instead
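A detection rule built from the strings shown across the three comments above (the `Code Stage/Anti-Cheat Toolkit/` menu path and `codestage.net/uas_files/actk/api/` URLs in the IL2CPP `libil2cpp.so` and the obfuscated `libnqtpnxd.so`, plus the `CodeStage.AntiCheat.*` namespaces and `[ACTk]` log prefix in the Mono `Assembly-CSharp.dll`). This is an added example written for stand-alone `yara`, not a rule from the APKiD repository: the `anti_cheat` tag is an assumed new category (APKiD has no such category on this page), the rule does not use APKiD's `common.yara` helpers, and whether APKiD feeds a `.dll` from `assets/` to the scanner is not established here, so the PE header check is included only so the same rule works on the managed assembly when run directly.

```yara
// Added example: detects Code Stage Anti-Cheat Toolkit (ACTk) in the native
// and managed artifacts an APK may ship. Not part of APKiD's rule set.
rule codestage_anti_cheat_toolkit : anti_cheat
{
  meta:
    description = "Code Stage Anti-Cheat Toolkit (ACTk)"
    url         = "http://codestage.net"
    // Samples from the issue (VirusTotal SHA-256s)
    sample      = "791245109462e6d908be230ee88bc4997840c4096001a73853bf28f936ea314d"
    sample2     = "96064daba953dfea5c1ecafb24a45c39ad355742aa9a2dade6c93e64d98a35e5"

  strings:
    // Menu path prefixed to every ACTk detector component. In libil2cpp.so
    // it is plain ASCII; in Assembly-CSharp.dll it appears both as a .NET
    // length-prefixed ASCII string ("0Code Stage/...") and as UTF-16LE,
    // so match both encodings. Substring matching ignores the prefix byte.
    $menu_path  = "Code Stage/Anti-Cheat Toolkit/" ascii wide

    // Documentation URL fragment stored next to each detector in the
    // native builds (Injection, Obscured Cheating, Speed Hack, Time
    // Cheating and WallHack detectors all share this prefix).
    $api_url    = "codestage.net/uas_files/actk/api/class_code_stage_1_1_anti_cheat_1_1_detectors_1_1_" ascii

    // Managed namespace roots and log prefix, seen only in the Mono build
    $namespace  = "CodeStage.AntiCheat." ascii
    $log_prefix = "[ACTk] " wide

    // Deprecation message present in both native samples
    $deprecated = "Please use CheatChecked event instead" ascii wide

  condition:
    // ELF shared object (libil2cpp.so / renamed native lib) or PE (.NET DLL)
    (uint32(0) == 0x464c457f or uint16(0) == 0x5a4d)
    // Require two independent markers so a lone menu-path or URL string
    // copied into an unrelated binary does not fire the rule.
    and 2 of them
}
```

Run it directly against the extracted libraries, e.g. `yara -s actk.yara libil2cpp.so`, and compare the `-s` string hits with the `izz~+cheat` listings above; the `2 of them` threshold is what keeps a single stray documentation URL from producing a false positive.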