Mortal Kombat 11 - table v: 1.0.8 CT

[Vader4k]

Hello can Somone Make a New MK11 Exe whitout Cheat Engine blocker? I Tryed the old one but it dosent work whit the new Patch. Thankyou

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[MrAntiFun]

Hello can Somone Make a New MK11 Exe whitout Cheat Engine blocker? I Tryed the old one but it dosent work whit the new Patch. Thankyou

viewtopic.php?f=4&t=9291&start=555#p91787

[thethiny]

The Anti-Cheat Engine patch works but game still crashes if you modify anything.

So apparently the game creates a thread every second, runs checks, then terminates itself, and repeats. This makes it hard for me to crack down on their checks because I'm not experienced.

[dkunit]

Can confirm this is working post-5/31 patch. Have not received a ban yet, so we'll see if that holds up.

How did you get it to work?... When I hit "unlock char", it gives me some error then says it worked. After that, I hit the unlock gear tab, and it spits out...

Spoiler

"AutoIt Error
Line 18341 (File "C:\Users\[...]\Desktop\mk11unlock_v1.1.exe"):
Error: Can not initialize a variable with itself.

...and then the game closes with:

Spoiler

Content validation error
Game data is corrupted, please verify game instalation integrity. File: Asset\BGND_KronikaHourGlass.xxx

PS: I've noticed others have similar errors, and it seems to correlate to ver. 1.1 of the unlocker -- whereas 1.0 may still work (to some degree). As such, if anyone has the 1.0 unlocker, re-uploading it would be much appreciated

I was using the v1.0 version, and just followed along with the instruction video on YouTube. Haven't tested the v1.1 version yet.

[LeoNatan]

What morons. Meanwhile, everyone is crying that their CPU usage is at 100%, game is stuttering and fps is low. All this for client-side security, which is absurd in and of itself. All this could have been blocked in server side, but that requires some security awareness and NRS are a bunch of clowns. So now, due to their entire server infrastructure being insecure (as evident by the unlocked posted previously), they are breaking the PC version with all this shit, which will also be solved soon.

[LeoNatan]

PS: I've noticed others have similar errors, and it seems to correlate to ver. 1.1 of the unlocker -- whereas 1.0 may still work (to some degree). As such, if anyone has the 1.0 unlocker, re-uploading it would be much appreciated

From the comments on the video:
http://fearlessrevolution.com/mk11unlock_v1z

[Holdo]

What morons. Meanwhile, everyone is crying that their CPU usage is at 100%, game is stuttering and fps is low. All this for client-side security, which is absurd in and of itself. All this could have been blocked in server side, but that requires some security awareness and NRS are a bunch of clowns. So now, due to their entire server infrastructure being insecure (as evident by the unlocked posted previously), they are breaking the PC version with all this shit, which will also be solved soon.

Implementing proper server-side takes time and money... and they would need to do it only because of the PC version so they probably decided to burden QLOC with these client-side shitting on performance checks.

[LeoNatan]

What morons. Meanwhile, everyone is crying that their CPU usage is at 100%, game is stuttering and fps is low. All this for client-side security, which is absurd in and of itself. All this could have been blocked in server side, but that requires some security awareness and NRS are a bunch of clowns. So now, due to their entire server infrastructure being insecure (as evident by the unlocked posted previously), they are breaking the PC version with all this shit, which will also be solved soon.

Implementing proper server-side takes time and money... and they would need to do it only because of the PC version so they probably decided to burden QLOC with these client-side shitting on performance checks.

Had those morons designed their server-side properly, they would have built it secure from the ground-up. It's not just PC. If you put your console behind a proxy server, the same request hijacking can be performed there. Especially on Xbox One, you can even install your SSL inspection certificate on the machine and make broken HTTPS traffic appear trusted, which will make it even less difficult to catch (not like the clowns at NRS even thought of validating certificates in the client ).

[LeoNatan]

Haha, found this image on Twitter, fully demonstrating the QLOC efforts at securing the game:

[SunBeam]

...

I'll give that ThreadEntry a go. Re-installing this fucking piece of crap. 60GB. It's the last time I do this.

[thethiny]

...

I'll give that ThreadEntry a go. Re-installing this fucking piece of crap. 60GB. It's the last time I do this.

Thank you for trying. Can you tell me why you're uninstalling the game if I may ask?

[SunBeam]

^ -> viewtopic.php?p=91830#p91830

That also means I don't play the game. And to make room for others. Sorry, don't have 256TB SSDs like you fuckers do.

[SunBeam]

The anti-CE thread function is here:

Code: Select all

MK11.exe+18D6A20 - E9 5B334311           - jmp MK11.exe+12D09D80
..
MK11.exe+12D09D80 - 48 8D 64 24 F8        - lea rsp,[rsp-08]
MK11.exe+12D09D85 - 48 89 3C 24           - mov [rsp],rdi
MK11.exe+12D09D89 - F9                    - stc 
MK11.exe+12D09D8A - 48 83 D4 CF           - adc rsp,-31 { 207 }
MK11.exe+12D09D8E - 48 83 C4 F8           - add rsp,-08 { 248 }
MK11.exe+12D09D92 - 48 89 2C 24           - mov [rsp],rbp
MK11.exe+12D09D96 - 48 87 6C 24 28        - xchg [rsp+28],rbp
MK11.exe+12D09D9B - 48 C7 C5 FEFFFFFF     - mov rbp,FFFFFFFE { -2 }
MK11.exe+12D09DA2 - 48 87 6C 24 28        - xchg [rsp+28],rbp
MK11.exe+12D09DA7 - 5D                    - pop rbp
MK11.exe+12D09DA8 - 41 51                 - push r9
MK11.exe+12D09DAA - 4C 8D 4C 24 48        - lea r9,[rsp+48]
MK11.exe+12D09DAF - 49 81 C1 6F3045CD     - add r9,CD45306F { -851103633 }
MK11.exe+12D09DB6 - 49 89 99 91CFBA32     - mov [r9+32BACF91],rbx
..
MK11.exe+12D0A05B - 48 8D 15 0E3AC5EE     - lea rdx,[MK11.exe+195DA70] { (1438944072) } // antiCE_callback_1
MK11.exe+12D0A062 - F7 D1                 - not ecx
MK11.exe+12D0A064 - 48 8D 64 24 08        - lea rsp,[rsp+08]
MK11.exe+12D0A069 - FF 15 59EBC905        - call qword ptr [MK11.exe+189A8BC8] { ->USER32.EnumChildWindows }

The thread is created here:

Code: Select all

MK11.exe+12E60FDA - 48 8D 64 24 08        - lea rsp,[rsp+08]
MK11.exe+12E60FDF - 48 8D 4C 24 20        - lea rcx,[rsp+20]
MK11.exe+12E60FE4 - 83 F2 FF              - xor edx,-01 { 255 }
MK11.exe+12E60FE7 - 48 8D 89 EDE38652     - lea rcx,[rcx+5286E3ED]
MK11.exe+12E60FEE - C7 81 131C79AD 00000000 - mov [rcx-5286E3ED],00000000
MK11.exe+12E60FF8 - 29 C9                 - sub ecx,ecx
MK11.exe+12E60FFA - FF 15 5875B405        - call qword ptr [MK11.exe+189A8558] { ->KERNEL32.CreateThread }

^ Code above is obfuscated. If you follow the logic:

lea rcx,[rsp+20]
// this loads the effective address of [rsp+20] into rcx
lea rcx,[rcx+5286E3ED]
// this puts rcx+5286E3ED into rcx
mov [rcx-5286E3ED],00000000
// and this mov basically says "mov [rcx],0" because there's a - that does the exact opposite of the + above

So change C7 81 13 1C 79 AD [00 00 00 00] to C7 81 13 1C 79 AD [04 00 00 00].

However, you may want to change it manually via hardware breakpoints, as they've enabled integrity checks over the VM code in Denuvo. Another setting in the actual protection software

Will be back with the rest.

P.S.: To all idiots bitching that by me posting this analysis I give Nether ideas on how to up their game, that's the whole fucking point. I give a rat's ass on your trainer business! You know who you are.

[SunBeam]

Wow. And LOL. The retarded level just hit 9000 I'll post the screenshot, then we talk:



I've set a simple hardware breakpoint on the first byte found at start of game module. Those are the checks that popped up, from "first one" to "last one". The reason I labeled them like that is these pieces of code are executed sequentially, every 4212 ms (with one exception). That means every 4s there is a different loop that reads the game memory, producing hashes and comparing these hashes against pre-computed values. I didn't dig deeper into the actual process, but I'm assuming this is how it's done.

Once a cycle is complete (reaching "last one"), the loop is reset and "first one" is ran again, then then next one and so on

The fun part about it is every time x64dbg threw an exception due to my hardware breakpoint set in CE, it always stopped in a single thread. And this thread's entry point is here:

Code: Select all

MK11.exe+18D6C10 - E9 6B394311           - jmp MK11.exe+12D0A580
..
MK11.exe+12D0A580 - 48 8B 44 24 08        - mov rax,[rsp+08]
MK11.exe+12D0A585 - 48 89 C8              - mov rax,rcx
MK11.exe+12D0A588 - 48 89 44 24 08        - mov [rsp+08],rax
MK11.exe+12D0A58D - 48 83 C4 F8           - add rsp,-08 { 248 }
MK11.exe+12D0A591 - 48 89 34 24           - mov [rsp],rsi
MK11.exe+12D0A595 - 48 83 C4 F8           - add rsp,-08 { 248 }
MK11.exe+12D0A599 - 48 89 3C 24           - mov [rsp],rdi
MK11.exe+12D0A59D - 51                    - push rcx
MK11.exe+12D0A59E - 89 C8                 - mov eax,ecx
..
MK11.exe+12D0A6A4 - 4C 8D BC 24 101D0000  - lea r15,[rsp+00001D10]
MK11.exe+12D0A6AC - 49 89 07              - mov [r15],rax
MK11.exe+12D0A6AF - 41 5F                 - pop r15
MK11.exe+12D0A6B1 - 49 8D 04 10           - lea rax,[r8+rdx]
MK11.exe+12D0A6B5 - EB 24                 - jmp MK11.exe+12D0A6DB
MK11.exe+12D0A6B7 - 48 8D 0D 79836EEF     - lea rcx,[MK11.exe+23F2A37] { (0) }
MK11.exe+12D0A6BE - FF 15 9CDFC905        - call qword ptr [MK11.exe+189A8660] { ->KERNEL32.GetModuleHandleA }

GetModuleHandleA with NULL parameter will always get the current game's module (start of game's memory, usually 140000000). So that's the start address.

Note I've not said anything about any other scanners which I didn't determine via hardware breakpoint-ing some other address. There might be, there might not be, who knows. But this is a starting point.

Of course their logic is "timed checks every 4s never hurt anyone" We'll see

BR,
Sun

[SunBeam]

OK, this is stupid on so many levels. Killing the thread kills the scanners The ones in my screenshot. Again, dunno if there are any others.



EDIT #1: Yeaps, there aren't any others.

EDIT #2: Spoke too soon. There are some others that check-up on the Denuvo anti-tamper thread functions. As in verifying if you put a RET at the epilogue of the thread function Tim taught you in his video But this is non-obfuscated code within MK11 itself. The developers thought it's not that important to do anything about it Here it is:

Code: Select all

MK11.exe+9D9200 - 8B 02                 - mov eax,[rdx]
MK11.exe+9D9202 - 48 33 D8              - xor rbx,rax
MK11.exe+9D9205 - 48 8B CB              - mov rcx,rbx
MK11.exe+9D9208 - 48 D1 E9              - shr rcx,1
MK11.exe+9D920B - 48 F7 DB              - neg rbx
MK11.exe+9D920E - 48 C1 E3 3F           - shl rbx,3F { 63 }
MK11.exe+9D9212 - 48 03 D9              - add rbx,rcx
MK11.exe+9D9215 - 48 8D 52 04           - lea rdx,[rdx+04]
MK11.exe+9D9219 - 49 FF C0              - inc r8
MK11.exe+9D921C - 4D 3B C1              - cmp r8,r9
MK11.exe+9D921F - 72 DF                 - jb MK11.exe+9D9200
MK11.exe+9D9221 - 48 85 FF              - test rdi,rdi
MK11.exe+9D9224 - 74 54                 - je MK11.exe+9D927A
MK11.exe+9D9226 - 4C 8B C7              - mov r8,rdi

Just simple CRC32.

EDIT #3: And this somehow tells me it's a check done through Steam API. Back-tracing leads to Steam_Init followed by this hash done on the whole code.

EDIT #4: Actually no, it's part of the main execution loop; part of the thread profiling main loop Time to kill it.