Bypassing SCUE4 anticheat (for example Killsquad)
- BruteForce
- Novice Cheater
- Posts: 17
- Joined: Wed Jul 10, 2019 1:57 pm
- Reputation: 6
Some games for Unreal engine are using marketplace anticheat named SCUE4. I came across this while toying around with Killsquad.
In the latest update of the game, this anticheat is being used (and the developers are also encrypting data with some strange convoluted method, which I was also able to overcome, but that's a different discussion).
What it does is detect over 165 different programs (cheats, memory searchers, debuggers, trainers, etc.) and when it detects them it shuts them down. Imagine you have the game running then you run cheatengine and it closes immediately. Or x64dbg, or windbg, or most trainers, etc.
At any rate, it took a while to discover what was the culprit, but firing up x64dbg and running the game through it until it reached loading the first .dll, I did a string search for x64dbg (since running that while the game is already running would close it). Sure enough there was a text for it. However, a breakpoint there proved useless as 'something else' was detecting x64dbg. And as I allowed the game to load and progress more through x64dbg, eventually x64dbg was closed by this anticheat somehow and that instantly also closed the game. So I used a method to 'freeze' the program completely with one of my home-made and undetected tools, and when I ran x64dbg to test, the x64dbg would STILL close. I also force closed the game, and even though the game was not running (i.e. it closed down improperly/forced) x64dbg and cheatengine could not run.
SO, what we find here is that some other program is running in the background, and sadly this program doesn't detect that the game isn't running any more and shut itself off.
So, doing a little check using nothing more than Task Manager, we can see a program running from here:
C:\Steam\steamapps\common\KillSquad\Engine\Plugins\Marketplace\SCUE4\Source\ThirdParty\x64
Named:
SCUE4x64.exe
I force closed it, and voila.. you can run cheatengine and other tools again without them closing.
So I did some digging online and here is a link for it:
[Link]
and the github is here:
[Link]
Anyways, the solution to this is actually quite simple. Replace the:
SCUE4x64.exe
In that folder with this:
[Link]
Which basically is a program with a timer for 10 seconds then closes itself.
Also added as an attachment here.
The game will run that, check it's running, then move on. The program will close in 10 seconds, and nothing is doing anything to prevent running your tools, debuggers, trainers, etc.
I mean, we can ratchet this up if the developers choose to do so, by actually modifying the .exe where it runs that program, if we have to in the future, as it's pretty clear what is being run.
Perhaps this will help some people in the future if this seems to be happening in your Unreal engine game. You won't be able to use cheatengine or any scripts with Killsquad if this anticheat isn't bypassed.
Re: Bypassing SCUE4 anticheat (for example Killsquad)
I've removed your attachment for breaking forum rules. Might upload it later when I get on PC if I don't forget, or you can upload it yourself by following the big text that's shown next to the attachment uploader or reading up the rules.
- BruteForce
Re: Bypassing SCUE4 anticheat (for example Killsquad)
BruteForce wrote: ↑Sat Aug 03, 2019 5:56 am
Some games for Unreal engine are using marketplace anticheat named SCUE4. I came across this while toying around with Killsquad. [...]
Also added as an attachment here. Password is fearless
- Attachments
- SCUE4x64.rar
- password is: fearless
- (1.11 KiB) Downloaded 1469 times
Re: Bypassing SCUE4 anticheat (for example Killsquad)
Hey BruteForce,
I ended up looking at this some today too. I did notice you could kill the anti-cheat EXE and it would just relaunch, but I also noticed it wasn't signed, checked or whatnot and could be replaced. I didn't go any further with it however like you did. According to documentation, replacing the EXE with a fake one should trigger another UE-based anti-cheat trigger, but that keeps to be circumvented by your "app crash" method. This isn't some super professional anti-cheat, but I'd be curious studying that later just "for fun".
I'm able to use cheat programs fine with the actual EXE in place. In my experience, it only checks for Window Titles and also Win32 window class names as far as I can tell so far. I didn't read all the source yet however. In fact, it's very loosely coded where it'll close on false positives if you have some other Pascal/Lazarus compiled programs open, for example.
I started to investigate value editing. I noticed complex structures like your inventory is not "encrypted". I'm still easily able to change vector levels and enchantments on my gear. However credits and materials seem to use this encryption method. I haven't spent long on it yet, but haven't figured it out. Mind sharing? Appears things like numbers get treated like strings, swapped out with the same position in the key (or is there shifting?), and converted back to an INT from a string. Not sure if they are using the default KEY or a custom one I need to dig up. Anyways, if you're willing to share to save me the time I'd appreciate it. Let me know if I can be of any help to you.
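The reply above notes that the helper EXE "wasn't signed, checked or whatnot and could be replaced", and the first post that the game only checks the helper is running at launch. As an added example (not SCUE4's or the game's code), here is a launcher-side check that pins the helper's SHA-256 and requires continuing keyed heartbeats. The file name, the session-key hand-off and the timings are assumptions.

```python
import hashlib, hmac, os, tempfile

def sha256_file(path, chunk=65536):
    """Hash the file in blocks so a large helper binary is not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def helper_is_trusted(path, pinned_hex):
    """True only if the on-disk helper matches the digest pinned at build time."""
    try:
        return hmac.compare_digest(sha256_file(path), pinned_hex)
    except OSError:
        return False  # a missing or unreadable helper counts as tampering

class GuardWatch:
    """Liveness check: the helper must keep answering challenges, not just start."""
    def __init__(self, session_key, max_silence=5.0):
        self.key = session_key          # assumption: passed to the helper at launch
        self.max_silence = max_silence  # seconds allowed between valid answers
        self.last_ok = None

    def answer(self, nonce):
        """What the genuine helper computes for a challenge."""
        return hmac.new(self.key, nonce, hashlib.sha256).digest()

    def accept(self, nonce, tag, now):
        if hmac.compare_digest(self.answer(nonce), tag):
            self.last_ok = now
            return True
        return False

    def healthy(self, now):
        return self.last_ok is not None and now - self.last_ok <= self.max_silence

def demo():
    """Constructed scenario: genuine helper vs. a swapped-in stub that exits early."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "helper.bin")     # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"GENUINE-HELPER-IMAGE")     # constructed stand-in bytes
        pinned = sha256_file(path)               # recorded at build time
        ok_before = helper_is_trusted(path, pinned)
        with open(path, "wb") as f:
            f.write(b"STUB-THAT-SLEEPS-10S")     # file replaced on disk
        ok_after = helper_is_trusted(path, pinned)
    watch = GuardWatch(os.urandom(32))
    nonce = os.urandom(16)
    watch.accept(nonce, watch.answer(nonce), now=0.0)  # genuine helper answers once
    forged = watch.accept(os.urandom(16), b"\x00" * 32, now=3.0)  # stub cannot answer
    return ok_before, ok_after, forged, watch.healthy(4.0), watch.healthy(12.0)
```

`demo()` returns `(True, False, False, True, False)`: the swapped file fails the pinned-digest check, and a helper that goes silent after launch is reported unhealthy once `max_silence` has passed.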
Re: Bypassing SCUE4 anticheat (for example Killsquad)
Here's how to do it for Cheat Engine (been using this for a while, for games like StarCraft - the revamped one):
- Settings > Debugger Options > Use kernelmode debugger
- Settings > Debugger Options > Use Global Debug routines
- Settings > Extras > all 3 up top (Query, Read/Write, Open)
- while in Settings, click on 'About CE', then in the window that opens RIGHT-CLICK "Your system supports DBVM"
- slowly offload each CPU into DBVM (click on CPU0, wait a bit; repeat with the rest)
- run the LUA script below (in Memory View > Ctrl+L)
Code:
dbk_initialize()
dbk_useKernelmodeOpenProcess()
dbk_useKernelmodeProcessMemoryAccess()
dbk_writesIgnoreWriteProtection(true)
openProcess('cheatengine-x86_64.exe')
autoAssemble([[
kernelbase.SetProcessMitigationPolicy:
  xor rax,rax
  ret
]])
- open Process List
- run the script below to change window names
Code:
for i=0, getFormCount()-1 do
  getForm(i).Caption="Minesweeper"
end
getApplication().Title="WEEEE"
r=registerFormAddNotification(function(f)
  local t=createTimer()
  t.Interval=1
  t.Enabled=true
  t.OnTimer=function(tmr)
    f.Caption="Whoopdeedoo"
    tmr.destroy()
  end
end)
Here's me having scanned and debugging StarCraft with Cheat Engine. A game that has a ton shit of more professional detection mechanisms
But yeah, bottom line is understanding what is it they detect. For example, Denuvo in MK11 also detects the "Add Address manually" button/window
BR,
Sun
- BruteForce
Re: Bypassing SCUE4 anticheat (for example Killsquad)
SunBeam wrote: ↑Sat Aug 03, 2019 11:35 am
Here's how to do it for Cheat Engine (been using this for a while, for games like StarCraft - the revamped one): [...]
Nice tips for future games, thanks!
For now at least for Killsquad, simply replacing that .exe with the phony seems to do the trick, mainly I think because nothing gets loaded from that plugin at all.
Re: Bypassing SCUE4 anticheat (for example Killsquad)
Not sure if they changed something server side but even with replacing that file it still immediately closes the game when I open cheat engine.
- BruteForce
Re: Bypassing SCUE4 anticheat (for example Killsquad)
Doesn't work anymore... as mentioned before, the game is crashing.
Re: Bypassing SCUE4 anticheat (for example Killsquad)
SCUE4x64.exe keeps closing and running itself.
Re: Bypassing SCUE4 anticheat (for example Killsquad)
Bruteforce,
You mentioned some games are using this anticheat system; which other games do you refer to?
Re: Bypassing SCUE4 anticheat (for example Killsquad)
As far as I know, UE4 - if you bothered to - is available to be downloaded from github and compiled on your own PC. Where I'm going with this: once you do that, you have access to several demo games which you can get for free from the Marketplace. Once installed, you can compile them along with the .pdb information, which will give you access to function names and any other crap that would help you to determine how a certain function looks like. Using this information you can map those functions back to your UE4 games. Example: "UCheatManager::God" - let's say the stock function toggles a bool value; then this value is protected with this SKUE crap. What you can easily discover from how the "God" function looks like is where's the extra "insertion" from SCUE into the "blueprints" (the functions). Then I hope by then you'll know what you have to do.
Re: Bypassing SCUE4 anticheat (for example Killsquad)
Sounds like a plan;).
- BruteForce
Re: Bypassing SCUE4 anticheat (for example Killsquad)
Well, let me say it this way. I had never seen it until this Killsquad game, so I assume, since it's on the Unreal marketplace, that it's being used by people who are low budget and including it in their Unreal games. I personally don't have a list of games using it.
If I launch an Unreal game and it closes all my tools, then I am probably going to start looking at this first.
Maybe some other people have seen this before or know of more games using it.
It's pretty effective when it's working. However, at least in this game, it's pretty comically simple to destroy it as well.
Re: Bypassing SCUE4 anticheat (for example Killsquad)
I'll get this game and let you know; sounds interesting.