BattlEye detects virtual environment #80
Comments
shocker, I'm telling you...
Do HyperV configurations still work with BattlEye?
Unfortunately, I clearly do not have any reverse technology on Windows, and in this case, it can only be analyzed by others. I am indeed powerless, and I just started by proposing a way to bypass detection. In fact, if you really want to get rid of it once and for all, it is better to get a cheap integrated graphics gpu computer
@zhaodice why so dramatic lol. Even if we don't know the exact cause, we have a list of things we could improve. I would start there and when all checks on al-khazer are green, I would try again.
@Weather-OS, the Hyper-V method will always work against timing based detections, but there are also other ways to deobfuscate VMs. It's worth a shot, but I doubt it will fix everything. Not only that, but nested-virtualization is kinda slow especially on AMD processors.
I took inspiration from your project and improved a lot, I've made a very useful advanced script that automates multiple tasks. I try keeping it updated as much as I can and add as much as I can. My project is for bypassing Anti Cheats and Proctoring exam software. I just focus on the main branch for patching instead of individual versions.
It is by no means useful, you just re-edited some strings and added a beautiful README, that's about it... Instead of adding compiletime randomization of the static strings, you instead just replaced them with "FUCKFUCKFUCKFUCK", anyone who will use that will also get banned, if they use it for evading exam software they will also get banned if manually reviewed and they see strings like FUCK... wtf is in your head?
Didn't know assholes used
@deprale, I think you looked at the wrong patch. The v8.2.2.patch is the one I assume was created using regular expressions or a script and the master.patch has more real sounding names albeit without 100% coverage. It's still a great jump from ASUS HARDDISK, ASUS KEYBOARD, ASUS PROCESSOR etc.
The reason I added "FUCK" is because I was just messing around, also no AC or Proctoring software is gonna be looking for that string. You guys need to check out my
That's where you're wrong, I don't waste my time with linux first of all, and second of all I wouldn't game in a VM because I'm not autistic, third of all apologies to @Scrut1ny as the rest of the repo is actually useful. The only thing that linux will touch is my macbook, or my servers, I'm only here just for the laughs, let me know when your repo lets you run any serious software like vanguard anti-cheat.
vanguard anti-cheat could be detecting something that hides in plain sight, like Windows

```powershell
# Generating a random date between Jan 1, 2011, and Dec 31, 2022
$start = [datetime]::new(2011, 1, 1)
$end = [datetime]::new(2022, 12, 31)
$randomDate = $start.AddSeconds((Get-Random -Maximum (($end - $start).TotalSeconds)))
# Converting the DateTime object to Unix timestamp
$unixTimestamp = [int][double]::Parse(($randomDate.ToUniversalTime() - [datetime]'1970-01-01T00:00:00').TotalSeconds)
# Calculating LDAP/FILETIME timestamp directly
$LDAP_FILETIME_timestamp = ($unixTimestamp + 11644473600) * 10000000
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name "InstallDate" -Value "$unixTimestamp" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name "InstallTime" -Value "$LDAP_FILETIME_timestamp" -Force
if ((Get-Service w32time).Status -eq 'Stopped') {
    Start-Service -Name w32time
}
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /update
Restart-Service -Name w32time -Force ; w32tm /resync
```
Bro, you are 20 years of age. Instead of working, studying or helping people, you are calling the users of this repo names. Isn't that an "autistic" waste of time and depraVed 😉😉😉 (the name speaks of itself).
You use qemu anti detection to cheat in KVM VFIO setups. Yes, you are an autist, and all of you that use this to cheat (95%), the other 5% using this is probably just a homelab enthusiast that wants to make a gaming pc hidden in a closet somewhere because space is a concern for their home, so their kid can play fortnite. There's 0 reason for this thing to exist outside avoiding anti-cheats, proctoring software, exam software, and so on.
Fan fictions upon fan fictions, wow. How did you deduce that I was (hides sign of disagreement cleverly like my VM (fedora tap)) a hacker? PS: I think you shouldn't use "acoustic" as an insult as it is discriminating and shows bad character. Would you also use "gay" as a synonym of "lame"? I already edited my message using a similar word (I'm not a native speaker btw, so I didn't know the exact meaning, but now I do)
Either respond to my points, contribute to this issue or stfu
Jesus Christ you are insufferable. Get a life and stop being a nuisance. Anyway:
@ProgrammedInsanity add me on discord, want to talk.
This thread is wild. Your repo is useful Scrut1ny, thanks for the work. Have you tried your patch on 9.1 yet with Fortnite? If not, I'm going to create a patch (I'll kick over a PR) and compile / give it a go.
Did you manage to get it working?
Dear @zhaodice,
I hope this message finds you well. I unfortunately have to inform you that BattlEye has had an update that improved their VM detection mechanisms to the point where they are able to unmask our patched QEMU.
After the new Fortnite season update there is an error message telling me to stop the process "Virtual Machine", indicating that the virtual machine is in fact at fault. This happens when I try to join a match, which means that EAC (which checks for VMs on game startup) is working, but BattlEye (which runs during matches) is not. It is also reasonable to assume that the new attack is timing based, because these types of methods need to be run a lot of times to accurately determine if the CPU is fake and I am stuck for minutes in the loading screen until the kick (that could be Fortnite being slow though). It is also possible that they added "ASUS HARDDISK" etc. and the default serial numbers of this patch to their blacklist. Last but not least I want to redirect to #77. There I described the imperfections of this patch and my exact setup.
I assume that the people at BattlEye just googled "hide qemu", which also resurfaces the moral question of maintaining a public GitHub repo that is 100% used by some if not most people to cheat (although I am not one of them). If you - Dice - or anybody else is willing to do dynamic analysis on BattlEye/Fortnite, I would greatly appreciate it, because that would enable us to fix the root cause more precisely.
Yours sincerely,
Samuil1337