[Security Analysis] status0's ESEA SoundESP

imi-tat0r · 10/29/2018, 16:16

1. General

Today we want to show you our analysis of

.
The provider also offers an

which probably uses the exact same bypass, so this analysis is suitable for both his products.

status0 didn't want to hand out a vouch copy to us, even though we agreed on signing anything that would prevent us from leaking his cheat and said he doesn't trust us.
This was the first sign that the cheat is a scam, as a proper analysis would only benefit him if the product was well made.

Shortly after this discussion, one of his SoundESP customers contacted us, providing us with all the information and files he received.

In the next paragraphs we're going to analyze the ESEA Bypass he is offering and point out why his cheat is not worth any money.

2. Protection

The whole thing is barely protected at all.
DreamBoard.exe, which is the cheat loader, is protected with a simple password check which can easily be patched.

helper.dll, which is the actual cheat itself, is protected with VMProtect but the coder didn't use the VMProtect SDK, resulting in a generally unprotected dll with only a mutated Entrypoint.
This can be "undone" by simply performing a runtime dump.

3. Security

The provider claims to have a lot of security features in his cheat and lists a few examples:

Code:

Security

Unique signatures
String encryption
Code mutation
ring0
& many undisclosed ones

- We can't verify the unique signatures as we only have one build available, but it is highly unlikely that anything in here is unique per customer.
- String encryption is not present in the cheat loader, only in the cheat itself.

- Code mutation does not exist.
- The ring0 part is actually performed from ring3 (read 4. Bypass)
- After looking for the many undisclosed ones we were unable able to find anything except VMProtect and the Launcher.exe being removed from the Windows prefetch folders, which should not be counted as proper Security.

4. Bypass

4.1. General

This is from Readme-lg.txt:

Code:

- Start Netlimiter and make sure its minimized into tray
- Start Lauchner.exe as ADMIN (important)
- Follow the instructions in the command prompt
- A Message Box should appear that indicates Success, press ok(else contact the support with provided error code)
- Disconnect the usb stick
- Start the Anti-Cheat + Game
- Enjoy and dont play obvious ;)

The first thing that got us suspicious was the fact that a user needs to install and run thirdparty software in order to use the hack. The next thing that we noticed was, Netlimiter is using a driver.
Why this is so suspicious is the fact, that earlier this year an exploit was released on *************, which lets you

in order to inject into processes like csrss.exe.

4.2. Magic (not really)

The creator of the UC post also mentioned the following:

Code:

Keep stealth in mind
[...]
- Rename the genuine driver as *.sys.tmp
- Move & rename MalwareFox driver to be at the exact location of the genuine driver that we just moved
- Load driver, get your handle, unload driver
- Delete MalwareFox driver from where we copied it
- Rename the genuine driver back to its original name

Here's where Netlimiter gets interesting, because their driver could potentially be used for the above.

In the ************* thread, you can find some sample code to get a Handle.

and after a quick look we found the exact same code inside DreamBoard.exe.

With this information, it was obvious that the hack simply exploits a public vulnerability to hide itself.
The fact that the bypass is public and the cheat got released way after the exploit, clearly shows the sketchy mentality of the provider and makes this product basically worthless.

5. Hack

This will be very short, as the hack itself is very basic and nothing that we found was worth mentioning.
The hack does what it's supposed to do. It uses OpenAL, which is the Audio Library counterpart of OpenGL, to properly position the sounds in 3D space.

6. Conclusion

Even though the cheat itself works and is doing what it's supposed to do, the bypass used is public since early 2018 and the provider is blatantly lying about the security.
The product appears to be written by someone with little to no knowledge about what he/she does while still trying to look somewhat legit to the naked eye.

Due to the fact that all the valuable parts of the cheat are public, this is not worth a single cent in our opinion, but definitely not worth 150€ per month.

greetings,
imi-tat0r, aequabit and the ev0lve.xyz Team

~~FaceMyFizz~~ · 10/29/2018, 16:58

Quote:
Originally Posted by imi-tat0r
1. General

Today we want to show you our analysis of .
The provider also offers an which probably uses the exact same bypass, so this analysis is suitable for both his products.

status0 didn't want to hand out a vouch copy to us, even though we agreed on signing anything that would prevent us from leaking his cheat and said he doesn't trust us.
This was the first sign that the cheat is a scam, as a proper analysis would only benefit him if the product was well made.

Shortly after this discussion, one of his SoundESP customers contacted us, providing us with all the information and files he received.

In the next paragraphs we're going to analyze the ESEA Bypass he is offering and point out why his cheat is not worth any money.

2. Protection

The whole thing is barely protected at all.
DreamBoard.exe, which is the cheat loader, is protected with a simple password check which can easily be patched.

helper.dll, which is the actual cheat itself, is protected with VMProtect but the coder didn't use the VMProtect SDK, resulting in a generally unprotected dll with only a mutated Entrypoint.
This can be "undone" by simply performing a runtime dump.

3. Security

The provider claims to have a lot of security features in his cheat and lists a few examples:[code=code]
Security

Unique signatures
String encryption
Code mutation
ring0
&many undisclosed ones
[/code]
- We can't verify the unique signatures as we only have one build available, but it is highly unlikely that anything in here is unique per customer.
- String encryption is not present in the cheat loader, only in the cheat itself.

- Code mutation does not exist.
- The ring0 part is actually performed from ring3 (read 4. Bypass)
- After looking for the many undisclosed ones we were unable able to find anything except VMProtect and the Launcher.exe being removed from the Windows prefetch folders, which should not be counted as proper Security.

4. Bypass

4.1. General

This is from Readme-lg.txt:
Code:
- Start Netlimiter and make sure its minimized into tray
- Start Lauchner.exe as ADMIN (important)
- Follow the instructions in the command prompt
- A Message Box should appear that indicates Success, press ok(else contact the support with provided error code)
- Disconnect the usb stick
- Start the Anti-Cheat + Game
- Enjoy and dont play obvious ;)
The first thing that got us suspicious was the fact that a user needs to install and run thirdparty software in order to use the hack. The next thing that we noticed was, Netlimiter is using a driver.
Why this is so suspicious is the fact, that earlier this year an exploit was released on *************, which lets you in order to inject into processes like csrss.exe.

4.2. Magic (not really)

The creator of the UC post also mentioned the following:
Code:
Keep stealth in mind
[...]
- Rename the genuine driver as *.sys.tmp
- Move & rename MalwareFox driver to be at the exact location of the genuine driver that we just moved
- Load driver, get your handle, unload driver
- Delete MalwareFox driver from where we copied it
- Rename the genuine driver back to its original name
Here's where Netlimiter gets interesting, because their driver could potentially be used for the above.

In the ************* thread, you can find some sample code to get a Handle.

and after a quick look we found the exact same code inside DreamBoard.exe.

With this information, it was obvious that the hack simply exploits a public vulnerability to hide itself.
The fact that the bypass is public and the cheat got released way after the exploit, clearly shows the sketchy mentality of the provider and makes this product basically worthless.

5. Hack

This will be very short, as the hack itself is very basic and nothing that we found was worth mentioning.
The hack does what it's supposed to do. It uses OpenAL, which is the Audio Library counterpart of OpenGL, to properly position the sounds in 3D space.

6. Conclusion
Even though the cheat itself works and is doing what it's supposed to do, the bypass used is public since early 2018 and the provider is blatantly lying about the security.
The product appears to be written by someone with little to no knowledge about what he/she does while still trying to look somewhat legit to the naked eye.

Due to the fact that all the valuable parts of the cheat are public, this is not worth a single cent in our opinion, but definitely not worth 150€ per month.

greetings,
imi-tat0r, aequabit and the ev0lve.xyz Team

Good Job uses Public Bypass and wants Money for it ^^
BTW i have heard that some people got Banned with it?

imi-tat0r · 10/29/2018, 16:59

Quote:

Originally Posted by FaceMyFizz

Good Job uses Public Bypass and wants Money for it ^^
BTW i have heard that some people got Banned with it?

So far we've heard rumors of people getting banned but nothing confirmed yet.

burncode · 10/29/2018, 17:19

Quote:
Originally Posted by imi-tat0r
1. General

Today we want to show you our analysis of .
The provider also offers an which probably uses the exact same bypass, so this analysis is suitable for both his products.

status0 didn't want to hand out a vouch copy to us, even though we agreed on signing anything that would prevent us from leaking his cheat and said he doesn't trust us.
This was the first sign that the cheat is a scam, as a proper analysis would only benefit him if the product was well made.

Shortly after this discussion, one of his SoundESP customers contacted us, providing us with all the information and files he received.

In the next paragraphs we're going to analyze the ESEA Bypass he is offering and point out why his cheat is not worth any money.

2. Protection

The whole thing is barely protected at all.
DreamBoard.exe, which is the cheat loader, is protected with a simple password check which can easily be patched.

helper.dll, which is the actual cheat itself, is protected with VMProtect but the coder didn't use the VMProtect SDK, resulting in a generally unprotected dll with only a mutated Entrypoint.
This can be "undone" by simply performing a runtime dump.

3. Security

The provider claims to have a lot of security features in his cheat and lists a few examples:[code=code]
Security

Unique signatures
String encryption
Code mutation
ring0
&many undisclosed ones
[/code]
- We can't verify the unique signatures as we only have one build available, but it is highly unlikely that anything in here is unique per customer.
- String encryption is not present in the cheat loader, only in the cheat itself.

- Code mutation does not exist.
- The ring0 part is actually performed from ring3 (read 4. Bypass)
- After looking for the many undisclosed ones we were unable able to find anything except VMProtect and the Launcher.exe being removed from the Windows prefetch folders, which should not be counted as proper Security.

4. Bypass

4.1. General

This is from Readme-lg.txt:
Code:
- Start Netlimiter and make sure its minimized into tray
- Start Lauchner.exe as ADMIN (important)
- Follow the instructions in the command prompt
- A Message Box should appear that indicates Success, press ok(else contact the support with provided error code)
- Disconnect the usb stick
- Start the Anti-Cheat + Game
- Enjoy and dont play obvious ;)
The first thing that got us suspicious was the fact that a user needs to install and run thirdparty software in order to use the hack. The next thing that we noticed was, Netlimiter is using a driver.
Why this is so suspicious is the fact, that earlier this year an exploit was released on *************, which lets you in order to inject into processes like csrss.exe.

4.2. Magic (not really)

The creator of the UC post also mentioned the following:
Code:
Keep stealth in mind
[...]
- Rename the genuine driver as *.sys.tmp
- Move & rename MalwareFox driver to be at the exact location of the genuine driver that we just moved
- Load driver, get your handle, unload driver
- Delete MalwareFox driver from where we copied it
- Rename the genuine driver back to its original name
Here's where Netlimiter gets interesting, because their driver could potentially be used for the above.

In the ************* thread, you can find some sample code to get a Handle.

and after a quick look we found the exact same code inside DreamBoard.exe.

With this information, it was obvious that the hack simply exploits a public vulnerability to hide itself.
The fact that the bypass is public and the cheat got released way after the exploit, clearly shows the sketchy mentality of the provider and makes this product basically worthless.

5. Hack

This will be very short, as the hack itself is very basic and nothing that we found was worth mentioning.
The hack does what it's supposed to do. It uses OpenAL, which is the Audio Library counterpart of OpenGL, to properly position the sounds in 3D space.

6. Conclusion

Even though the cheat itself works and is doing what it's supposed to do, the bypass used is public since early 2018 and the provider is blatantly lying about the security.
The product appears to be written by someone with little to no knowledge about what he/she does while still trying to look somewhat legit to the naked eye.

Due to the fact that all the valuable parts of the cheat are public, this is not worth a single cent in our opinion, but definitely not worth 150€ per month.

greetings,
imi-tat0r, aequabit and the ev0lve.xyz Team

Damit die Bilder zu sehen sind.

Wollte ebend auf HM fragen, ob ich das teilen kann

skadro · 10/29/2018, 17:20

I actually dont have the time to focus on such a bad try of discrediting therefore i just write the most important stuff:
It is only one of my bypasses and it worked. I had a dispute with this guy on High Minded because he was discrediting me since beginning just for his own sake.
Someone leaked him one version i had and he now analysed it to discredit me once more. Here, I use a vulnerable driver to load my cheat which is nothing bad. The hack was UD since leak so he didnt proof that im scam nor that the hack is not working. He is a rat and after this statement, i will just leak his hack and his users should asap stop using his hacks to avoid a ban. I am still undetected and got two other bypasses ready. He by is own is using a public tdl loader which he never managed to stay ud on bigger AC´s because he really uses public stuff that got proven to be detected hundreds of times.

Additional stuff out of my thread:

"He just opened one of my unpacked installer(=not running ingame) in a debugger and declared it as reverse engeneered. It is not loaded while playing therefore your security findings are useless and you even skipped the only file which is run while ingame and compatible with the security feautures i name in my thread in your wannabe analysis, because it was packed which actually would have required reversing skills. Finally this is no security analysis rather than a bypass Leak and this is the worst stuff you can do to yourself. You are a meme and a rat and like i already said, karma is a ***** and will hit you back. Harder than you tried to hit me.

I do not send the same bypass to all users to avoid risks of multiple bans, something you will never understand with your real public tdl vac/mm hack ev0lve.xyz, which gets sigged soon and continously from now on, which is just one thing i will care of.

burncode · 10/29/2018, 17:23

Quote:

Originally Posted by skadro

I actually dont have the time to focus on such a bad try of discrediting therefore i just write the most important stuff:
It is only one of my bypasses and it worked. I had a dispute with this guy on High Minded because he was discrediting me since beginning just for his own sake.
Someone leaked him one version i had and he now analysed it to discredit me once more. Here, I use a vulnerable driver to load my cheat which is nothing bad. The hack was UD since leak so he didnt proof that im scam nor that the hack is not working. He is a rat and after this statement, i will just leak his hack and his users should asap stop using his hacks to avoid a ban. I am still undetected and got two other bypasses ready.

Mach halt und quatsch nicht rum.
Nebenbei ist es eine Analyse.

imi-tat0r · 10/29/2018, 17:24

Quote:

Originally Posted by skadro

I actually dont have the time to focus on such a bad try of discrediting therefore i just write the most important stuff:
It is only one of my bypasses and it worked. I had a dispute with this guy on High Minded because he was discrediting me since beginning just for his own sake.
Someone leaked him one version i had and he now analysed it to discredit me once more. Here, I use a vulnerable driver to load my cheat which is nothing bad. The hack was UD since leak so he didnt proof that im scam nor that the hack is not working. He is a rat and after this statement, i will just leak his hack and his users should asap stop using his hacks to avoid a ban. I am still undetected and got two other bypasses ready.

The fact that you used a public bypass, even if it would only be one of many you have, is sad enough.

The Hack has many detection vectors. I'll just name a few:
- Handle can be enumerated
- DLL is loaded via LoadLibrary into csrss.exe meaning ESEA can easily dump the memory

Also you will not leak ****

skadro · 10/29/2018, 17:29

Quote:

Originally Posted by imi-tat0r

The fact that you used a public bypass, even if it would only be one of many you have, is sad enough.

The Hack has many detection vectors. I'll just name a few:
- Handle can be enumerated
- DLL is loaded via LoadLibrary into csrss.exe meaning ESEA can easily dump the memory

Also you will not leak ****

Holy cow he thinks im using loadlibrary on csrss.exe. lmao. Additionally no, there is no handle when they scan. **** it. you are as unqualified as possible. I will not continue reading this, i got work to do. you are a rat and karma is a *****, i told you already.

imi-tat0r · 10/29/2018, 17:32

Quote:

Originally Posted by skadro

Holy cow he thinks im using loadlibrary on csrss.exe. lmao. Additionally no, there is no handle when they scan. **** it. you are as unqualified as possible. I will not continue reading this, i got work to do. you are a rat and karma is a *****, i told you already.

- So you're getting this just for fun?
Even if you manual map the hack into the process, your bypass still is public

Ossus · 10/29/2018, 19:32

Quote:

Originally Posted by imi-tat0r

- So you're getting this just for fun?
Even if you manual map the hack into the process, your bypass still is public

He probably doesn't even know what your screenshot means cuz he is lacking a lot of knowledge about coding in general and just c&p a public bypass

skadro · 10/30/2018, 00:56

Quote:

Originally Posted by imi-tat0r

- So you're getting this just for fun?
Even if you manual map the hack into the process, your bypass still is public

It is used to fix the imports on manual mapping the hack, not even bypass related. You goddamn liar.

Proof:

Oh man, you dont fk with me. You will enjoy what will happen

Quote:

Originally Posted by Ossus

He probably doesn't even know what your screenshot means cuz he is lacking a lot of knowledge about coding in general and just c&p a public bypass

Guess you´re wrong, idiot.

One more statement:

I will not read any more stuff that will be posted. Its discrediting with proven lies, half knowledge and i will not put any more time into proofing anything to full retards.

EDIT: There we go:

imi-tat0r · 10/30/2018, 02:22

Quote:

Originally Posted by skadro

It is used to fix the imports on manual mapping the hack, not even bypass related. You ******* liar.

Proof:

Oh man, you dont fk with me. You will enjoy what will happen

Guess you´re wrong, idiot.

I will not read any more stuff that will be posted. Its discrediting with proven lies, half knowledge and i will not put any more time into proofing anything to full retards.

As I said, your bypass still is public though

AZLGOOD · 10/30/2018, 18:28

the 3d sound esp works well，and aimbot can be set like Kjaerbye aim style
But you can also set it to a perfectly legit aimbot,very profect to get a headshot

imi-tat0r · 11/02/2018, 15:58

push

JyBit · 11/07/2018, 18:16

It wouldn't be so sad if the price wasnt that high, push btw