Request Halo Infinite

[wasptube1]

Why would they use such a complex anti-cheat system on the singleplayer part of the game ?
On the multi i understand completely but on the other end it's kinda overkill for singleplayer i feel

Its because to play the Singleplayer part which officially is classed as a DLC, you first require the Free2Play Multiplayer to have specific assets required by the Singleplayer part, so the Complex anti-cheat is made for the Multiplayer but also covers any and all DLC present and future, including the Singleplayer Campaign, they'll find a way around the Anti-cheat but then comes the issue of "will it work in multiplayer" which for many of us that want a fair Multiplayer, we won't want cheaters in that area of the game as its more likely they'll abandon it or alternatively Perma Ban, the problem with running a game the way 343 are is that if you are Perma Banned from the F2P Multiplayer because the Singleplayer is DLC you will likely no longer be able to get on Singleplayer either, also as the game require internet access to play, you will not even be able to play in full Offline mode (aka disconnecting for the net).
So you'd have to add prevention methods to prevent use of the table in multiplayer to make it exclusive to Singleplayer DLC only.

[caliber1942]

some information from another forum (Not sure if this will help any or not but thought I'd post what other people have been finding and posting elsewhere):

Game detects some things just on launch, like Process Hacker
Renamed Cheatengine 7.1 seems to be able to be running
Game detects VEH breakpoints eventually
Game detects changes to game code.

Game code is mirrored in non .text area

example..

AOB search: 49 8D 4E 10 48 03 C8

041188F9 - 49 8D 4E 10 - lea rcx,[r14+10]
041188FD - 48 03 C8 - add rcx,rax
04118900 - E8 3B6F1500 - call 0426F840
04118905 - 44 0FBF E0 - movsx r12d,ax
04118909 - 33 C0 - xor eax,eax
0411890B - 66 39 03 - cmp [rbx],ax
0411890E - 76 07 - jna 04118917
04118910 - 0FB7 43 02 - movzx eax,word ptr [rbx+02]

matches:

HaloInfinite.exe+5F88F9 - 49 8D 4E 10 - lea rcx,[r14+10]
HaloInfinite.exe+5F88FD - 48 03 C8 - add rcx,rax
HaloInfinite.exe+5F8900 - E8 3B6F1500 - call HaloInfinite.exe+74F840
HaloInfinite.exe+5F8905 - 44 0FBF E0 - movsx r12d,ax
HaloInfinite.exe+5F8909 - 33 C0 - xor eax,eax
HaloInfinite.exe+5F890B - 66 39 03 - cmp [rbx],ax
HaloInfinite.exe+5F890E - 76 07 - jna HaloInfinite.exe+5F8917
HaloInfinite.exe+5F8910 - 0FB7 43 02 - movzx eax,word ptr [rbx+02]

FURTHER! Any change to one of the above code, the other will mirror it, BUT will also trigger game lockup.

Game SCANS the .text in non .text and non module code, likely manual mapped. Here is code that scans game .exe..

02DA81B0 - 48 8B C1 - mov rax,rcx
02DA81B3 - 4D 85 C0 - test r8,r8
02DA81B6 - 74 1F - je 02DA81D7
02DA81B8 - 0FB6 0A - movzx ecx,byte ptr [rdx]
02DA81BB - 48 33 C8 - xor rcx,rax
02DA81BE - 48 B8 B301000000010000 - mov rax,00000100000001B3 { 435 }
02DA81C8 - 48 0FAF C8 - imul rcx,rax
02DA81CC - 49 FF C8 - dec r8
02DA81CF - 48 FF C2 - inc rdx
02DA81D2 - E9 D9FFFFFF - jmp 02DA81B0
02DA81D7 - C3 - ret

Further the manually mapped code is called by multiple places, which take the result of this and check it vs. a value.

FURTHER! the manually mapped code is also scanned for integrity by Arbiter.dll, here, and maybe elsewhere:

Arbiter.dll+3000 - 48 8B C1 - mov rax,rcx
Arbiter.dll+3003 - 4D 85 C0 - test r8,r8
Arbiter.dll+3006 - 74 1F - je Arbiter.dll+3027
Arbiter.dll+3008 - 0FB6 0A - movzx ecx,byte ptr [rdx]
Arbiter.dll+300B - 48 33 C8 - xor rcx,rax
Arbiter.dll+300E - 48 B8 B301000000010000 - mov rax,00000100000001B3 { 435 }
Arbiter.dll+3018 - 48 0FAF C8 - imul rcx,rax
Arbiter.dll+301C - 49 FF C8 - dec r8
Arbiter.dll+301F - 48 FF C2 - inc rdx
Arbiter.dll+3022 - E9 D9FFFFFF - jmp Arbiter.dll+3000
Arbiter.dll+3027 - C3 - ret


Example call:

Arbiter.dll+25EC96 - 41 0FB6 0F - movzx ecx,byte ptr [r15]
Arbiter.dll+25EC9A - 48 B8 25232284E49CF2CB - mov rax,CBF29CE484222325 { -2078137563 }
Arbiter.dll+25ECA4 - 48 33 C8 - xor rcx,rax
Arbiter.dll+25ECA7 - 48 B8 B301000000010000 - mov rax,00000100000001B3 { 435 }
Arbiter.dll+25ECB1 - 48 0FAF C8 - imul rcx,rax
Arbiter.dll+25ECB5 - 4D 8D 46 FF - lea r8,[r14-01]
Arbiter.dll+25ECB9 - 49 8D 57 01 - lea rdx,[r15+01]
-----> Arbiter.dll+25ECBD - E8 3E43DAFF - call Arbiter.dll+3000 <----------
Arbiter.dll+25ECC2 - 48 8B D8 - mov rbx,rax
Arbiter.dll+25ECC5 - EB 0A - jmp Arbiter.dll+25ECD1
Arbiter.dll+25ECC7 - 48 BB 25232284E49CF2CB - mov rbx,CBF29CE484222325 { -2078137563 }
Arbiter.dll+25ECD1 - F3 0F10 0D 976A0600 - movss xmm1,[Arbiter.dll+2C5770] { (Nan) }


I've been unable to beat this, as mainly using PAGE EXCEPTIONS allowed me to breakpoint in places that were hard to get breakpoint without instant lockup.

I have no idea how the game is writing or matching the two areas (mapped and .text)

Writing over the game code causes eventual lockup due to integrity check by the manually mapped code.

It also appears that Arbiter.dll, and possibly the manually mapped loop are separate threads from the main game thread, Although making HARD JMP in the manually mapped code causes game to pause/lock.

For instance:

02DA81B0 - 48 8B C1 - mov rax,rcx
to:
02DA81B0 - EB FE - jmp 02DA81B0
02DA81B2 - 90 - nop

Game instantly locks, so that code must be called regularly or part of the main game loop?

and also this: [Link]

I posted this there. Haven't checked yet to see if anyone responded, but the stuff at the github is the gist of the issue. At any rate, I don't have endless time to devote to one title and their novel approach to keeping people from modding it or training it. Perhaps Sunbeam or someone else here will put more time into it with this info. The solution could take 100 forms so who knows. Might just end up having to do pointer chain BS but that's annoying. You CAN use VEH but eventually, if left on for too long, or there is some 'check' that is done every so often that will catch that the registers were used (my guess). It may be that all of this is done by one or more threads that are running in the background and can be prevented from continuing without some heartbeat checking for them. Again, I have 10000 other titles to contend with.

If I find anything it will be posted there, or maybe here, or likely the 'solution' will be widespread by whomever finds something that works.

best,
Cal

[SunBeam]

From the looks of it, by just reading (currently installing), it resembles a lot the crappy protection Rockstar and Blizzard use (minus the driver detection stuff). Lots of code mutation, junk bytes and SEHs that catch NtQuery APIs (or the sorts), as well as common UD2, INT3, etc. type of breakpoints. I'm surprised no one fucking mentioned a thing about DBVM; it's been around for years, yet every time I read talks of only VEH and DBK. Come on, people.. seriously.

[IFireflyl]

I'm surprised no one fucking mentioned a thing about DBVM; it's been around for years, yet every time I read talks of only VEH and DBK. Come on, people.. seriously.

I know nothing about DBVM. Guess I'll go Google this.

Edit: Apparently DBVM doesn't want to load for me. I get a DBK error saying the driver couldn't be opened. Rebooting did not resolve it. This is occurring with both the undetected CE I created as well as CE 7.3.2. I'm not sure where to even go from here, but DBVM does sound pretty interesting.

[garcia_ange]

+1 Xbox Game Pass

[AceOfSpades]

Yeah mine's Xbox Game Pass, I guess DBVM could work, probably is the only way given what I read, however not sure, and with trainers still not being out, I wish I had insight on this, so that I could help. Sucks.

Massive thank you to everyone trying still. Cheers mates!

[LiamLi]

I'm surprised no one fucking mentioned a thing about DBVM; it's been around for years, yet every time I read talks of only VEH and DBK. Come on, people.. seriously.

I know nothing about DBVM. Guess I'll go Google this.

Edit: Apparently DBVM doesn't want to load for me. I get a DBK error saying the driver couldn't be opened. Rebooting did not resolve it. This is occurring with both the undetected CE I created as well as CE 7.3.2. I'm not sure where to even go from here, but DBVM does sound pretty interesting.

hi,

there are several games that are loading kernel drivers as anti cheat that will prevent the loading from DBVM.
e.g Valorant does this shit
the driver (vanguard) will block lots of stuff on your computer, even if the game is not running.
so you need to uninstall OR stop the driver.

there are more games but I can't remember all of them

but maybe this helps you

and if a anti cheat driver blocks DBVM than you will exactly get the message "that it couldn't be opened" without any info why.

[IFireflyl]

hi,

there are several games that are loading kernel drivers as anti cheat that will prevent the loading from DBVM.
e.g Valorant does this shit
the driver (vanguard) will block lots of stuff on your computer, even if the game is not running.
so you need to uninstall OR stop the driver.

there are more games but I can't remember all of them

but maybe this helps you

and if a anti cheat driver blocks DBVM than you will exactly get the message "that it couldn't be opened" without any info why.

I'm not going to hunt-and-peck to see which game or program is causing this, but that's a load of hot garbage. This anti-cheat crap goes way to far sometimes.

[AceOfSpades]

Right on Firefly.

[Erinch]

Perhaps a bit off topic but still a request. Kinda hoping someone could find a way to increase the bots count for custom games, the 8 limit is really a blow off. (the bot options allows 16 bots but sadly only 8 will spawn.) Read about that in previous versions of the game people were able to bypass that limit through a glitch or something.

[Rhark]

From the looks of it, by just reading (currently installing), it resembles a lot the crappy protection Rockstar and Blizzard use (minus the driver detection stuff). Lots of code mutation, junk bytes and SEHs that catch NtQuery APIs (or the sorts), as well as common UD2, INT3, etc. type of breakpoints. I'm surprised no one fucking mentioned a thing about DBVM; it's been around for years, yet every time I read talks of only VEH and DBK. Come on, people.. seriously.

Game detects CE and crashes for me without even attaching any debugger (was going to try DBVM).

[smashbro596]

why do multiplayer cheaters have to ruin it for everyone?!

[AceOfSpades]

Exavtly man. Exavtly.

[dejebo12]

fearlessrevolution released a trainer, however its at your own risk. So if you want to test it out go ahead. We don't know if 343/Microsoft is still collecting info to ban people at a later date, since they haven't even banned any MP cheaters yet.

[AceOfSpades]

Still setting up my desktop.