Hello everyone,

I'm Narvikz, and I've been part of the Metin2 community for a long time—honestly, I feel a bit like an old relic at this point, collecting dust over the years.

This will be one of my few contributions to metin2dev. I decided to step away from the scene some time ago as the game's popularity waned, yet it appears some still support it, which isn’t really the focal point of this discussion. Let's steer clear of that topic for the moment.

The Ongoing Demand for Game Hacks

Despite the reduced player base, there remains a surprising demand for game hacks. It's a fundamental principle of gaming: the larger the player community, the more opportunities arise for hacking tools, making them more profitable.

Recently, a friend of mine from Runah Services reached out to me, explaining that he has been unable to find a way to detect M2Bob effectively. He mentioned that only a handful of individuals are working on this issue, and most who could develop detection methods are keeping their findings private. Unfortunately, he’s yet to discover a reliable service that can safeguard against these tools.

What Are Your Thoughts?

It's perplexing to see how uninformed some people can be.

So, let’s be honest; many of you seem to be quite lost regarding this subject.

From the get-go, I could easily list multiple strategies to detect M2Bob operating on a system, particularly when considering its underlying architecture.

Diving Into the Architecture

M2Bob - Patcher.exe:

When you first launch M2Bob, this is the executable that runs. It generates a 128-bit digest (likely an MD5 hash) for each file to be scanned on the disk and sends this data via a POST request to an API that compares the client files against the latest server files. If there are discrepancies, it promptly downloads and replaces the outdated files over plain HTTP.

The patcher connects to a web server located at the subdomain ni220471_1.vweb02.nitrado.net. As you can infer, there is little doubt about what is hosted there.


After everything has been updated, it launches M2Bob.exe, which we’ll examine next.

M2Bob.exe:

When this file is executed from a location outside of the Program Files directory, it generates a randomly named folder (consistently 10 characters long) within the Program Files directory and replicates itself again with another randomly chosen name. It also alters M2Bob_Dll.dll's extension from ".dll" to ".e".

Then, it launches the executable with the new name to run the program.

Once you hit the button to begin the game, it generates an instance of metin2client and injects its module directly into the game’s memory.

However, it neglects to close the open HANDLE to the game, which opens up a significant detection vector.

M2Bob_Dll.dll:

Upon injection into metin2client, this module performs several signature scans to identify the game’s subroutines necessary for simulating player actions. A cursory look at the module's memory will reveal identifiable patterns and their masks, relying on a standard FindPattern function that has been in use since the inception of game cheating.

This module subsequently automates player actions using complex algorithms that are peripheral to our focus here.

In terms of security, M2Bob employs hooking of Module32Next. Whenever the iteration through the module list encounters the randomly named M2Bob module, it skips to the next entry—effectively concealing its module from simplistic enumeration methods. Kudos to Slait for always aiming for minimal compliance yet failing to innovate.

System Overview

The entire system is inherently weak. It bypasses existing protection mechanisms, such as Hackshield and GameGuard, which are lackluster at best. Slait wouldn’t stand a chance if GameForge invested in a genuinely competent service provider who understands how to counteract these issues—honestly, even Bastian Suter would outshine this effort.

There's no robust DRM, and the system overall is feeble, making it vulnerable to skilled reverse engineers who could crack it in just a few hours.

Detection Strategies

Choosing among the possible detection methods can seem daunting, but the system is riddled with flaws, so I will outline several detection vectors that I've successfully tested.

Method #1 - Hidden Memory Pages (Tested & Working)

By iterating through memory pages and utilizing VirtualQuery, you can identify those that are 4096 bytes long (the size of the PE Header). When a DOS MZ executable signature is detected in these memory pages, it’s likely you have found a PE Header memory page. You can then cast that memory address to an NT Header and check constant parameters like TimeDateStamp or SizeOfCode, among others, to uniquely identify M2Bob.

Method #2 - Open Handles to Game Process (Tested & Working)

This method involves using the Native API and some undocumented structures and functions, a task which is quite straightforward. It shouldn't take you longer than an hour to enumerate the necessary handles.

By calling NtQuerySystemInformation with SystemHandleInformation as the parameter, and retrying with a larger buffer for as long as the function returns STATUS_INFO_LENGTH_MISMATCH or STATUS_BUFFER_OVERFLOW, you can fill a SYSTEM_HANDLE_INFORMATION object with information. This object provides a count of SYSTEM_HANDLE objects and an accompanying array of them.

After populating this list, you will obtain all handles opened in your environment, covering Files, Registry Keys, Processes, and Threads.

To identify the type of a HANDLE, call NtQueryObject with ObjectTypeInformation on that handle to obtain a UNICODE string naming the HANDLE type. Focus on those listed as "Process" to filter out extraneous information.

After identifying a HANDLE that refers to your game's process ID (accessible from the PEB of your own process), open the process that owns that handle using OpenProcess with PROCESS_QUERY_LIMITED_INFORMATION to determine whether it is legitimate or has been blacklisted.

You can discover the executable path using QueryFullProcessImageName. Following that, read the first 4096 bytes from that file, cast them to an NT Header, and conduct your checks as previously mentioned.

Alternatively, you might simply open the handle with PROCESS_VM_READ privileges and use ReadProcessMemory to retrieve the PE Header. However, PROCESS_QUERY_LIMITED_INFORMATION is reliable, even when the process runs as an administrator or a system process, and since M2Bob lacks any dynamic forking technique, further complexity isn’t necessary.
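The header fingerprint check that Method #1 applies to a 4096-byte memory page and Method #2 applies to the first 4096 bytes of the owning executable is the same routine. Below is an added example of that routine (my code, not M2Bob's or the author's), written without windows.h so the PE structures are declared by hand; the fingerprint values and the sample pages are constructed placeholders, since the page does not give M2Bob's real TimeDateStamp or SizeOfCode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DOS_MAGIC    0x5A4Du      /* "MZ" */
#define NT_SIGNATURE 0x00004550u  /* "PE\0\0" */
#define PAGE_SIZE    4096u

/* Hand-declared views of IMAGE_DOS_HEADER and the start of IMAGE_NT_HEADERS;
 * offsets match the real structures (e_lfanew at 0x3C, TimeDateStamp at +8,
 * SizeOfCode at +28 from the PE signature). */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } dos_header_t;
typedef struct {
    uint32_t Signature;
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode;
} nt_header_t;
#pragma pack(pop)

/* Constant fields that identify one specific build of a module. */
typedef struct { uint32_t time_date_stamp; uint32_t size_of_code; } pe_fingerprint_t;

/* Returns 1 when `page` starts with a DOS header whose NT header carries the fingerprint. */
int page_matches_fingerprint(const uint8_t *page, size_t len, const pe_fingerprint_t *fp) {
    if (len < sizeof(dos_header_t)) return 0;
    const dos_header_t *dos = (const dos_header_t *)page;
    if (dos->e_magic != DOS_MAGIC) return 0;
    if (dos->e_lfanew > len - sizeof(nt_header_t)) return 0;   /* NT header must fit in the page */
    const nt_header_t *nt = (const nt_header_t *)(page + dos->e_lfanew);
    if (nt->Signature != NT_SIGNATURE) return 0;
    return nt->TimeDateStamp == fp->time_date_stamp && nt->SizeOfCode == fp->size_of_code;
}

/* Walk a buffer one page at a time; on Windows the pages would come from VirtualQuery
 * over the game process (Method #1) or from the first 4096 bytes of the file (Method #2). */
size_t count_matching_pages(const uint8_t *buf, size_t len, const pe_fingerprint_t *fp) {
    size_t hits = 0;
    for (size_t off = 0; off + PAGE_SIZE <= len; off += PAGE_SIZE)
        hits += page_matches_fingerprint(buf + off, PAGE_SIZE, fp) ? 1u : 0u;
    return hits;
}

/* Constructed sample: fills `page` with a minimal PE header carrying the given fingerprint. */
void build_sample_page(uint8_t *page, uint32_t stamp, uint32_t size_of_code) {
    memset(page, 0, PAGE_SIZE);
    dos_header_t *dos = (dos_header_t *)page;
    dos->e_magic = DOS_MAGIC;
    dos->e_lfanew = 0x80;
    nt_header_t *nt = (nt_header_t *)(page + 0x80);
    nt->Signature = NT_SIGNATURE;
    nt->TimeDateStamp = stamp;
    nt->SizeOfCode = size_of_code;
}
```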

Method #3 - Integrity Checks at Module32Next (Tested & Working)


This method may seem unconventional; malware sometimes uses the same technique to evade detection, via user-mode rootkits that hook Module32Next. Yet, due to the ineptness of Slait's hooking, the likelihood of false positives is slim.

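The details of Method #3 are not in the post, so the following is my own added example of one way to run an integrity check on an API prologue such as Module32Next's: compare the bytes currently mapped in the process against a trusted reference copy, and classify the common detour shapes when they differ. It assumes the caller obtains the live bytes from the resolved function address and the reference bytes from a trusted copy (the on-disk DLL or a snapshot taken at startup); the byte sequences in the test are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef enum {
    PROLOGUE_CLEAN = 0,      /* live bytes equal the reference */
    PROLOGUE_JMP_REL32 = 1,  /* E9 rel32: classic inline detour */
    PROLOGUE_JMP_ABS = 2,    /* FF 25 [disp32] or mov rax, imm64; jmp rax */
    PROLOGUE_MODIFIED = 3    /* differs, but not a shape we recognise */
} prologue_state_t;

/* Compare the first `n` bytes of the mapped function with its reference copy.
 * On Windows `live` would point at GetProcAddress(kernel32, "Module32Next"). */
prologue_state_t check_prologue(const uint8_t *live, const uint8_t *reference, size_t n) {
    if (memcmp(live, reference, n) == 0) return PROLOGUE_CLEAN;
    if (n >= 5 && live[0] == 0xE9) return PROLOGUE_JMP_REL32;
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) return PROLOGUE_JMP_ABS;
    if (n >= 12 && live[0] == 0x48 && live[1] == 0xB8 &&
        live[10] == 0xFF && live[11] == 0xE0) return PROLOGUE_JMP_ABS;
    return PROLOGUE_MODIFIED;
}

/* Where an E9 detour lands: the displacement is relative to the end of the 5-byte jump. */
uintptr_t jmp_rel32_target(uintptr_t func_addr, const uint8_t *live) {
    int32_t rel;
    memcpy(&rel, live + 1, sizeof rel);
    return func_addr + 5 + (uintptr_t)(intptr_t)rel;
}

/* A detour that leaves the owning module (here the DLL that exports the function) is the
 * case worth acting on; a jump that stays inside it is more likely a legitimate hotpatch. */
int target_outside_module(uintptr_t target, uintptr_t mod_base, size_t mod_size) {
    return target < mod_base || target >= mod_base + mod_size;
}
```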

Method #4 - DNS Cache (Untested but Viable)

Whenever you resolve a domain name, a UDP request is dispatched to your DNS server, which responds with records containing the IP address. Your operating system caches these resolutions to speed up future requests. This feature can potentially be used against M2Bob.

Instead of searching for m2bob.net, which may flag innocent players visiting that site, focus on their patch server subdomain, which could accurately indicate players using M2Bob.

Remember that ni220471_1.vweb02.nitrado.net? Yes, keep an eye on it.

Method #5 - USN Journal (Untested but Promising)

The USN Journal, an NTFS feature, keeps track of changes in files on the user’s system, logging timestamps, filenames, and reasons for the changes. You could examine entries within the past 15 minutes for M2Bob.exe, noticing if a different executable in the Program Files folder is opened shortly after. This could allow you to eject players whenever you detect such activity.

Additional Detection Methods

The landscape of detection options is rife with opportunities. It’s amusing to see how many individuals have failed to grasp these concepts over time:

  • Though Module32Next is hooked, Module32NextW remains intact, yielding unfiltered results; great job Slait, your incompetence shines through.
  • While Windows API module enumeration might be hooked to spoof outcomes, utilizing alternatives like InInitializationOrderModuleList or InLoadOrderModuleList could offer insights into the module's presence.
  • For those brave enough, employing Syscalls is an option. Consider implementing native API functions without direct calls—you could do this with minimal inline assembly to ensure stack stability.
  • Additionally, the presence of two windows for a Metin2 game process raises red flags; it’s wise to take action against that.
  • Signature scans may seem useless given the system’s flaws, but they could serve as a reliable backup.
  • There’s likely some exported data in the PE Header—scan for it using the hidden PE Header detection method discussed earlier.

Closing Thoughts

I’m quite exhausted after penning this extensive overview, unlike anything previously seen here or anywhere in public forums. I won’t delve any deeper into detection vectors; the system is riddled with weaknesses, and I think I've made my point.

This is primarily a rant aimed at those running Metin2 servers for quick profits. It’s a shame how many lack the necessary skills and continue to appropriate others’ work while passing it off as their own.

You’re offering paid public services in a field you barely understand, deceiving customers and selling illusions.

I find this incredibly frustrating, especially since I left the community while still quite young, possessing limited English skills, and focused primarily on local forums. My early contributions were solely in translations, followed by assisting others with general Linux/BSD matters. However, it was disheartening to witness an influx of Metin2 private servers constructed from stolen or leaked materials. This led me to start ridiculing the individuals asking for help with straightforward BSD issues.

Have fun, everyone! I understand that many of you may not utilize this information effectively, but perhaps there’s someone out there who can benefit from these insights. Since I shared these tips privately before, I’m now offering them publicly for everyone’s benefit.

I was approached by SandMann016 to collaborate, and while I regret releasing this information now, I feel it necessary to share it. I never managed to proceed with those plans, yet he appeared to be a decent person when we first met. Regardless, here it is, for all to see.
