zhaodice / qemu-anti-detection

A patch to hide qemu itself, bypass mhyprot, EAC, nProtect / VMProtect, VProtect, Themida, Enigma Protector, Safengine Shielden

BattlEye detects virtual environment #80

Open Samuil1337 opened 1 month ago

Samuil1337 commented 1 month ago

Dear @zhaodice,

I hope this message finds you well. I unfortunately have to inform you that BattlEye has had an update that improved their VM detection mechanisms to the point where they are able to unmask our patched QEMU.

After the new Fortnite season update there is an error message telling me to stop the process "Virtual Machine", indicating that the virtual machine is in fact at fault. This happens when I try to join a match, which means that EAC (which checks for VMs on game startup) is working, but BattlEye (which runs during matches) is not. It is also reasonable to assume that the new attack is timing-based, because these types of methods need to be run a lot of times to accurately determine if the CPU is fake, and I am stuck for minutes in the loading screen until the kick (that could be Fortnite being slow though). It is also possible that they added "ASUS HARDDISK" etc. and the default serial numbers of this patch to their blacklist. Last but not least I want to redirect to #77. There I described the imperfections of this patch and my exact setup.

I assume that the cretins at BattlEye just googled "hide qemu", which also resurfaces the moral question of maintaining a public GitHub repo that is 100% used by some if not most people to cheat (although I am not one of them). If you - Dice - or anybody else is willing to do dynamic analysis on BattlEye/Fortnite, I would greatly appreciate it, because that would enable us to fix the root cause more precisely.

Yours sincerely, Samuil1337

deprale commented 1 month ago

shocker, I'm telling you...

Weather-OS commented 2 days ago

Do HyperV configurations still work with BattlEye?

zhaodice commented 1 day ago

Unfortunately, I clearly do not have any reverse engineering skills on Windows, and in this case it can only be analyzed by others. I am indeed powerless; I just started by proposing a way to bypass detection. In fact, if you really want to get rid of it once and for all, it is better to get a cheap computer with an integrated graphics GPU.

Samuil1337 commented 1 day ago

@zhaodice why so dramatic lol. Even if we don't know the exact cause, we have a list of things we could improve. I would start there, and when all checks on al-khaser are green, I would try again.

Samuil1337 commented 1 day ago

@Weather-OS, the Hyper-V method will always work against timing-based detections, but there are also other ways to deobfuscate VMs. It's worth a shot, but I doubt it will fix everything. Not only that, but nested virtualization is kinda slow, especially on AMD processors. To use it, set the hyperv mode to passthrough in your domain XML under the features section, enable SVM (AMD) or VMX (Intel) as CPU features (you may not need it if you are on host-passthrough mode) and run a kernel without the RDTSC patch. Then in Windows completely enable the Hyper-V feature in "Turn Windows features on or off", or turn on memory integrity in Windows Defender. I think both work, but the latter is a lot slower.

Scrut1ny commented 3 hours ago

I took inspiration from your project and improved a lot; I've made a very useful advanced script that automates multiple tasks. I try keeping it updated as much as I can and add as much as I can. My project is for bypassing anti-cheats and proctoring exam software. I just focus on the main branch for patching instead of individual versions.

https://github.com/Scrut1ny/Hypervisor-Phantom

deprale commented 3 hours ago

> I took inspiration from your project and improved a lot; I've made a very useful advanced script that automates multiple tasks. I try keeping it updated as much as I can and add as much as I can. My project is for bypassing anti-cheats and proctoring exam software. I just focus on the main branch for patching instead of individual versions.
>
> https://github.com/Scrut1ny/Hypervisor-Phantom

It is by no means useful; you just re-edited some strings and added a beautiful README, that's about it...

Instead of adding compile-time randomization of the static strings, you instead just replaced them with "FUCKFUCKFUCKFUCK". Anyone who uses that will also get banned, and if they use it for evading exam software they will also get banned if it is manually reviewed and they see strings like FUCK... wtf is in your head?

Weather-OS commented 2 hours ago

> I took inspiration from your project and improved a lot; I've made a very useful advanced script that automates multiple tasks. I try keeping it updated as much as I can and add as much as I can. My project is for bypassing anti-cheats and proctoring exam software. I just focus on the main branch for patching instead of individual versions.
>
> https://github.com/Scrut1ny/Hypervisor-Phantom

Didn't know assholes used qemu-anti-detection

Samuil1337 commented 2 hours ago

@deprale, I think you looked at the wrong patch. The v8.2.2.patch is the one I assume was created using regular expressions or a script, and the master.patch has more real-sounding names, albeit without 100% coverage. It's still a great jump from ASUS HARDDISK, ASUS KEYBOARD, ASUS PROCESSOR etc. The "compile-time randomization" is a little bit difficult to implement for the hardware identifiers, because they have to be hardcoded one way or another, but serials are easy to change. I would suggest filtering for the default serial number like "FUCK" and changing it to a random number. I do agree with Weather Reporto that you could've delivered your criticism more politely.