Bypassing SCUE4 anticheat (for example Killsquad)

BruteForce

Some games for Unreal engine are using marketplace anticheat named SCUE4. I came across this while toying around with Killsquad.

In the latest update of the game, this anticheat is being used (and the developers are also encrypting data with some strange convoluted method, which I was also able to overcome, but that's a different discussion).

What it does is detect over 165 different programs (cheats, memory searchers, debuggers, trainers, etc.) and when it detects them it shuts them down. Imagine you have the game running then you run cheatengine and it closes immediately. Or x64dbg, or windbg, or most trainers, etc.

At any rate, it took a while to discover what the culprit was, but firing up x64dbg and running the game through it until it reached loading the first .dll, I did a string search for x64dbg (since running that while the game is already running would close it). Sure enough there was a text for it. However, a breakpoint there proved useless as 'something else' was detecting x64dbg. And as I allowed the game to load and progress more through x64dbg, eventually x64dbg was closed by this anticheat somehow and that instantly also closed the game. So I used a method to 'freeze' the program completely with one of my home-made and undetected tools, and when I ran x64dbg to test, the x64dbg would STILL close. I also force closed the game, and even though the game was not running (i.e. it closed down improperly/forced) x64dbg and cheatengine could not run.

So, what we find here is that some other program is running in the background, and sadly this program doesn't detect that the game isn't running any more and shut itself off.

So, doing a little check using nothing more than Task Manager, we can see a program running from here:

C:\Steam\steamapps\common\KillSquad\Engine\Plugins\Marketplace\SCUE4\Source\ThirdParty\x64

Named:

SCUE4x64.exe

I force closed it, and voila.. you can run cheatengine and other tools again without them closing.

So I did some digging online and here is a link for it:

https://forums.unrealengine.com/unreal-engine/marketplace/69015-plugin-anti-cheat-system

and the github is here:

https://github.com/BrUnOXaVIeRLeiTE/SCUE4-Plugin

Anyways, the solution to this is actually quite simple. Replace the:

SCUE4x64.exe

In that folder with this:

https://ufile.io/fztfkwze

Which basically is a program with a timer for 10 seconds then closes itself.

Also added as an attachment here.

The game will run that, check it's running, then move on. The program will close in 10 seconds, and nothing is doing anything to prevent running your tools, debuggers, trainers, etc.

I mean, we can ratchet this up if the developers choose to do so, by actually modifying the .exe where it runs that program, if we have to in the future, as it's pretty clear what is being run.

Perhaps this will help some people in the future if this seems to be happening in your Unreal engine game. You won't be able to use cheatengine or any scripts with Killsquad if this anticheat isn't bypassed.
 
STN

BruteForce said:
I've removed your attachment for breaking forum rules. Might upload it later when I get on PC if I don't forget or you can upload it yourself by following the big text that's shown next to attachment uploader or reading up the rules.
 
BruteForce

BruteForce said:
Also added as an attachment here. Password is fearless

 

Launchpad

Hey BruteForce,

I ended up looking at this some today too. I did notice you could kill the anti-cheat EXE and it would just relaunch, but I also noticed it wasn't signed, checked or whatnot and could be replaced. I didn't go any further with it however like you did. According to documentation, replacing the EXE with a fake one should trigger another UE-based anti-cheat trigger, but that keeps to be circumvented by your "app crash" method. This isn't some super professional anti-cheat, but I'd be curious studying that later just "for fun".

I'm able to use cheat programs fine with the actual EXE in place. In my experience, it only checks for Window Titles and also Win32 window class names as far as I can tell so far. I didn't read all the source yet however. In fact, it's very loosely coded where it'll close on false positives if you have some other Pascal/Lazarus compiled programs open, for example.

I started to investigate value editing. I noticed complex structures like your inventory is not "encrypted". I'm still easily able to change vector levels and enchantments on my gear. However credits and materials seem to use this encryption method. I haven't spent long on it yet, but haven't figured it out. Mind sharing? Appears things like numbers get treated like strings, swapped out with the same position in the key (or is there shifting?), and converted back to an INT from a string. Not sure if they are using the default KEY or a custom one I need to dig up. Anyways, if you're willing to share to save me the time I'd appreciate it. Let me know if I can be of any help to you.
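
The gap described in the posts above (a helper EXE that is not signed or checked, and a game that confirms once that it is running and then moves on) is closed on the game side by pinning the helper's digest before launch and requiring a keyed reply to a fresh nonce on every tick. This is an added Python example, not code from the thread or from the SCUE4 plugin; the file name, key, tick model and `max_missed` threshold are assumptions, and the sample bytes are constructed.

```python
import hashlib, hmac, os, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def helper_is_trusted(path, pinned_hex):
    """Launch gate: helper bytes must match the digest pinned at build time."""
    try:
        return hmac.compare_digest(sha256_file(path), pinned_hex)
    except OSError:  # a missing or unreadable helper is untrusted too
        return False

def helper_answer(key, nonce):
    """Reply the genuine helper gives to a challenge (assumed protocol)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Heartbeat:
    """Game side: fresh nonce per tick, so 'it was started once' is not enough."""
    def __init__(self, key, max_missed=2):
        self.key, self.max_missed, self.missed = key, max_missed, 0
    def tick(self, helper):
        nonce = os.urandom(16)
        reply = helper(nonce)  # None models a helper that has already exited
        ok = reply is not None and hmac.compare_digest(reply, helper_answer(self.key, nonce))
        self.missed = 0 if ok else self.missed + 1
        return self.missed <= self.max_missed  # False: protection is gone

def first_failed_tick(helper, key, ticks=10):
    """Tick index at which the game flags the helper, or None if it never does."""
    hb = Heartbeat(key)
    for t in range(ticks):
        if not hb.tick(helper):
            return t
    return None

def demo():
    key = b"constructed-demo-key"               # constructed sample value
    shipped = b"MZ constructed genuine helper"  # constructed sample bytes
    pinned = hashlib.sha256(shipped).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "helper.bin")    # hypothetical file name
        with open(path, "wb") as f:
            f.write(shipped)
        genuine_ok = helper_is_trusted(path, pinned)
        with open(path, "wb") as f:
            f.write(b"MZ constructed replacement stub")
        swapped_ok = helper_is_trusted(path, pinned)
    live = first_failed_tick(lambda n: helper_answer(key, n), key)
    stub = first_failed_tick(lambda n: None, key)
    return genuine_ok, swapped_ok, live, stub
```

Because the key ships in both binaries, this stops a drop-in replacement rather than someone who reverses the helper; on Windows, Authenticode verification is the platform-native form of the digest pin.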
 
SunBeam

Here's how to do it for Cheat Engine (been using this for a while, for games like StarCraft - the revamped one):
  • Settings > Debugger Options > Use kernelmode debugger
  • Settings > Debugger Options > Use Global Debug routines
  • Settings > Extras > all 3 up top (Query, Read/Write, Open)
  • while in Settings, click on 'About CE', then in the window that opens RIGHT-CLICK "Your system supports DBVM"
  • slowly offload each CPU into DBVM (click on CPU0, wait a bit; repeat with the rest)
  • run the LUA script below (in Memory View > Ctrl+L)

Code:
dbk_initialize()
dbk_useKernelmodeOpenProcess()
dbk_useKernelmodeProcessMemoryAccess()
dbk_writesIgnoreWriteProtection(true)

openProcess('cheatengine-x86_64.exe')

autoAssemble([[
kernelbase.SetProcessMitigationPolicy:
xor rax,rax
ret
]])
  • open Process List
  • run the script below to change window names
Code:
for i=0, getFormCount()-1 do
  getForm(i).Caption="Minesweeper"
end

getApplication().Title="WEEEE"

r=registerFormAddNotification(function(f)
  local t=createTimer()
  t.Interval=1
  t.Enabled=true
  t.OnTimer=function(tmr)
    f.Caption="Whoopdeedoo"
    tmr.destroy()
  end 
end)
Here's me having scanned and debugging StarCraft with Cheat Engine. A game that has a ton shit of more professional detection mechanisms :)



But yeah, bottom line is understanding what is it they detect. For example, Denuvo in MK11 also detects the "Add Address manually" button/window :)

BR,
Sun
 
BruteForce

Nice tips for future games, thanks!
For now at least for Killsquad, simply replacing that .exe with the phony seems to do the trick, mainly I think because nothing gets loaded from that plugin at all.
 
Striker

Not sure if they changed something server side but even with replacing that file it still immediately closes the game when I open cheat engine.
 
BruteForce

Striker said:
Not sure if they changed something server side but even with replacing that file it still immediately closes the game when I open cheat engine.
Just tested it here. No problems here. Works
 
route0000

doesn't work anymore... as mentioned before, game is crashing
 
mighty825

SCUE4x64.exe keeps closing and running itself
 
Veggy

Bruteforce,

You mentioned some games are using this anticheat system, which other games do you refer to?
 
SunBeam

As far as I know, UE4 - if you bothered to - is available to be downloaded from github and compiled on your own PC. Where I'm going with this: once you do that, you have access to several demo games which you can get for free from the Marketplace. Once installed, you can compile them along with the .pdb information, which will give you access to function names and any other crap that would help you to determine what a certain function looks like. Using this information you can map those functions back to your UE4 games. Example: "UCheatManager::God" - let's say the stock function toggles a bool value; then this value is protected with this SCUE crap. What you can easily discover from what the "God" function looks like is where the extra "insertion" from SCUE into the "blueprints" (the functions) is. Then I hope by then you'll know what you have to do.
 
Veggy

Sounds like a plan ;).
 
BruteForce

Veggy said:
Bruteforce,

You mentioned some games are using this anticheat system, which other games do you refer to?
Well, let me say it this way. I had never seen it until this Killsquad game, so I assume, since it's on the Unreal marketplace, that it's being used by people who are low budget and including it in their Unreal games. I personally don't have a list of games using it.

If I launch an Unreal game and it closes all my tools, then I am probably going to start looking at this first.

Maybe some other people have seen this before or know of more games using it.

It's pretty effective when it's working. However, at least in this game, it's pretty comically simple to destroy it as well.
 
SunBeam

I'll get this game and let you know; sounds interesting.
 
BruteForce

route0000 said:
doesn't work anymore... as mentioned before, game is crashing
I just played solo with cheatengine open and attached for 15 minutes using the file I posted here.

Not sure what is causing your issue, and I don't doubt you, but I have a different outcome here as I am not experiencing any issues.
 
BruteForce

Launchpad said:
Hey BruteForce,

I ended up looking at this some today too. I did notice you could kill the anti-cheat EXE and it would just relaunch, but I also noticed it wasn't signed, checked or whatnot and could be replaced. I didn't go any further with it however like you did. According to documentation, replacing the EXE with a fake one should trigger another UE-based anti-cheat trigger, but that keeps to be circumvented by your "app crash" method. This isn't some super professional anti-cheat, but I'd be curious studying that later just "for fun".

I'm able to use cheat programs fine with the actual EXE in place. In my experience, it only checks for Window Titles and also Win32 window class names as far as I can tell so far. I didn't read all the source yet however. In fact, it's very loosely coded where it'll close on false positives if you have some other Pascal/Lazarus compiled programs open, for example.

I started to investigate value editing. I noticed complex structures like your inventory is not "encrypted". I'm still easily able to change vector levels and enchantments on my gear. However credits and materials seem to use this encryption method. I haven't spent long on it yet, but haven't figured it out. Mind sharing? Appears things like numbers get treated like strings, swapped out with the same position in the key (or is there shifting?), and converted back to an INT from a string. Not sure if they are using the default KEY or a custom one I need to dig up. Anyways, if you're willing to share to save me the time I'd appreciate it. Let me know if I can be of any help to you.
Sorry that I did not respond to this sooner, as I am not in here that much. If you haven't figured this out or need some help, PM me and I can send you some info to help, although the method they are using and how to write to it and when are tricky, at least it was for me.
 
BruteForce

SunBeam said:
I'll get this game and let you know; sounds interesting.
You will have to actually buy it and get the latest iteration of it, since they added all this stuff (encryption, anti cheat tools, etc.) in the last patch. Best I can tell their last patch, honestly, was mostly anti-cheat patch.

I am not familiar with Launchpad, so I am discussing PM with him before I post anything about the encryption of values here. Been too many developers and anti-cheat moles running around many of the forums I look at.
 
SunBeam

You know a good reverser when they tell you they don't care. Your statements above imply you kind of want to keep information private and fear developers roaming the popular cheating forums :D Welp, it's only a matter of time till I get my hands on the game. Then.. well.. you've seen my posts :D If they up their game, I up mine, and so on. What some people here and in other places don't understand is there's reciprocity in the evolution of both the product and personas. In short, you learn a lot by challenging the other party to do better. Then you do better and so on. A cycle of.. let's say.. cock-chesting (am talking about hens) :D
 
S7A599D4

Anti cheat checks in Game-Win64-Shipping.exe:
https://github.com/BrUnOXaVIeRLeiTE/SCUE4-Plugin/blob/030554638df01774ff2d5d8c2d3cea63a8c650e7/Plugins/SCUE4/Source/SCUE4/Public/SCUE4.h#L4124

Anti cheat checks in SCUE4x64.exe:
https://i.imgur.com/T8onPIU.png
 