Okay. Let's finally start this off because not many people seem to be reversing these games.
I WANT TO MAKE THIS CLEAR
1. I DO NOT CONDONE THE USE OF CHEATING ONLINE AT ALL! IF YOU DO, YOU SUCK. AS YOU RUIN THE GAME!
2. THIS INFORMATION SHOULD ONLY BE USED FOR OFFLINE & EDUCATIONAL USE ONLY!
3. This information should be free.
4. I Got tired of seeing people selling tools off other people's work.
Here's what I got so far
- It's the same as 2k23 last year.
2K23 Information
- Basic Steam DRM checks
- Detects cheat engine / custom builds of CE that does not remove or rename certain parameters, that will be discussed below.
Module Protections
They have basic
- CRC32
- retAddr
- Debug checks (like isDebuggerPresent and from the applications executable PEB->IsPEBDebugged).
- Meaning: If the bool returns ‘1’ then the game will call ExitProcess(0); and exit the process in the new season update resulting in a crashed game.
Game Packer Information
- Never seen this packer before on the executable. It’s not Arxan, and that actually surprised me.
- Seems to be packed with VirtualProtect/Themida.
- Considering how each sub_ is apart of their linked vtable method. Didn’t look too much into it.
- Nifty for us that most pointers are static when they use it in the way they do as they are basically passing the pointer in their calling functions. Easily found.
Cheat Engine Detection's
They check the following:
- exe signature (of official ce)
- mutex creation
- debugoutputA msgs
- window title (cheat engine)
- process name (cheat engine)
- driver check (dbvm.sys)
- certificate check (signed signatures of files)
2K24 Information
INFO
- Same as the above
- Game is packed
- Virtualized instructions VMP3
- NO ORIGINAL OEP as it is destroyed even in a dump.
DETECTION DIFFERENCES
This will detect cheat engine strings such as the signature, and adds the following blacklisted strings:
- Code: Select all
"Starting CE", // Upon opening CE this string is fired every time.
"calling peinfo_getEntryPoint", // When you attach to the process This string is fired.
"calling peinfo_getdatabase", // When you attach to the process This string is fired.
"getProcessPathFromProcessID", // When you attach to the process This string is fired.
"TSavedScanHandler.InitializeScanHandler" // When you attach to the process and start to search a value. This string is fired.
IF YOU ARE DETECTED
- The game puts a request to the following webpage (https://support.2k.com/hc/en-us/article ... -Fair-Play)
- Then finally calls the following Kernel32.dll import function
- Code: Select all
ExitProcess
With the parameters of (-1)
- Only if you are detected outside an online-only game (MainMenu/MyCareer only).
BANNING
- Automatically game bans the steam profile if detected multiple times within a online game only and applies a game ban for the server and on the steam account.
Builds without a packer
This build linked below was the last one shipped without their custom packer.
- internal Anti-debug checks (Checking for PEB isDebugged / IsDebugPresent) and shuts the game down 10 minutes later.
- Windows debugger checks. If using a non-VEH debugger.
- Basic Steam DRM checks
- .Text / .Data patching checks
Build Information:
- This build also has `MyCareer` gamemode locked behind Online only checks`that will display the following message if clicked: "You must be online to play MyCareer".
- Which isn't possible as if you bypass this in the wrong way, and go online anyways the game will shut down as it'll update this executable.
- This can however actually be patched out. As a Chinese team made a tool of doing this. The mode is fully playable offline on this build and other builds.
- You can check the discord for the exe as I don't wish to post it here.
Thank you for reading, hope you learned something new!
Have a good day,
- FS69
