Hello everyone, I am currently conducting reverse engineering analysis on the latest anti-cheat update for SCP:SL and have hit a wall. I am looking for some advice on analysis strategies.
To bypass the recent anti-cheat updates, I initially attempted to write a manually mapped DLL injector to inject before the anti-cheat initialized and hook Windows APIs. However, blind API hooking proved to be inefficient and failed to bypass detection completely, resulting in bans.
I then shifted my focus to network traffic. To verify the communication behavior of the anti-cheat module, I directly hooked the send function in the underlying ws2_32.dll , which confirmed that the anti-cheat does transmit packets. I proceeded to statically analyze the binary in IDA Pro and successfully located references to strings and functions related to OpenSSL, cURL, and Crypto. I attempted to hook these networking functions, but unfortunately, the hooks were never triggered, or they had no effect on the data flow.
The primary obstacle right now is that the majority of the critical code sections appear to be protected by Themida 3 virtualization. This results in fragmented code logic in IDA, making it extremely difficult to trace the true execution flow and validation logic.
My main confusion now is: how can I extract their detection signatures? Whether it's memory scan signatures or behavioral detection logic, they are difficult to locate under virtualization protection.
My question is: When facing an anti-cheat solution protected by Themida 3 virtualization with encrypted network communication, what are the most effective static or dynamic analysis methods besides blind API hooking? Especially regarding how to extract detection signatures, should I prioritize finding a de-virtualization solution, or is there a different entry point I should consider?
To bypass the recent anti-cheat updates, I initially attempted to write a manually mapped DLL injector to inject before the anti-cheat initialized and hook Windows APIs. However, blind API hooking proved to be inefficient and failed to bypass detection completely, resulting in bans.
I then shifted my focus to network traffic. To verify the communication behavior of the anti-cheat module, I directly hooked the send function in the underlying ws2_32.dll , which confirmed that the anti-cheat does transmit packets. I proceeded to statically analyze the binary in IDA Pro and successfully located references to strings and functions related to OpenSSL, cURL, and Crypto. I attempted to hook these networking functions, but unfortunately, the hooks were never triggered, or they had no effect on the data flow.
The primary obstacle right now is that the majority of the critical code sections appear to be protected by Themida 3 virtualization. This results in fragmented code logic in IDA, making it extremely difficult to trace the true execution flow and validation logic.
My main confusion now is: how can I extract their detection signatures? Whether it's memory scan signatures or behavioral detection logic, they are difficult to locate under virtualization protection.
My question is: When facing an anti-cheat solution protected by Themida 3 virtualization with encrypted network communication, what are the most effective static or dynamic analysis methods besides blind API hooking? Especially regarding how to extract detection signatures, should I prioritize finding a de-virtualization solution, or is there a different entry point I should consider?
