Anyone currently looking into ARC Raiders? Had to deal with Theia anti-tamper recently, and it's definitely not your average VMProtect paste.
Theia uses aggressive page-level encryption, marking the entire ~243MB binary as PAGE_NOACCESS. It patches KiUserExceptionDispatcher to intercept every access violation, decrypting on the fly. Standard dumping tools get completely nuked here because the pages re-encrypt instantly.
The Technical Breakdown
- Theia maps an invisible runtime.dll that isn't present in any standard PEB module list.
- It uses 7 layers of exception handling inside that DLL.
- It employs a 3-copy mapping strategy (on-disk image, heap copy, and high-VA active instance), and you have to hook all of them.
- It monitors VirtualProtect and has its own integrity timer threads that will freeze your threads via NtSuspendThread if they catch a JMP hook.
The Bypass Strategy
The key is that the game must execute its code eventually. I built a direct syscall engine to bypass monitoring, then suspended all game threads to kill the integrity checker. By synthesizing artificial STATUS_ACCESS_VIOLATION execute faults with a perfectly crafted CONTEXT (Rip pointing to the game page), Theia thinks it's a legitimate decrypt request. It does the heavy lifting for you, decrypts the page, and you just swipe the data.
- Find the 3 hidden copies of runtime.dll.
- Sig-scan for the decrypt handler (look for E8 ?? ?? ?? ?? 83 F8 ?? 76).
- Suspend all ~200 game threads to stop the integrity timer.
- Install JMP hooks via direct syscall NtProtectVirtualMemory.
- Loop through protected pages, synthesize faults, and copy decrypted results.
- Cleanup and resume.
A note on risks: This isn't for main accounts. The integrity checker is cycle-based (total ~106 seconds), but if you freeze the threads, you avoid the kill-flag window entirely.
Has anyone else messed with Theia-protected builds? Curious if others found a way to resolve those obfuscated syscall numbers without constant pattern scanning.