CWHook is a proof of concept that bypasses Arxan's integrity checks, avoids detection of reverse engineering software, provides a plugin loader that hot reloads modules when file modifications are detected, and allows debugging software to be (somewhat) used.
The current version of CW that this PoC targets is the one Donetsk Defcon supports.
MD5: 4e6af26183709d58ffb20925e76eb461
Check out arxan.cpp. Key functions:
FixChecksum
CreateInlineAsmStub
ArxanHealingChecksum
CreateChecksumHealingStub
I would highly recommend that people who are interested learn how this works by reading the bo3 blog post by momo5502. There are a few extra things that Arxan does which prevent the integrity check fixes from momo from working on Cold War. For that reason alone I have made a page documenting all the things I've learned from reverse engineering Arxan while working on this project.
You can read it here.
While this does circumvent the integrity checks for the most part, on very rare occasions at startup Arxan does some additional checks on the locations where the inline hooks are placed, resulting in the program crashing. I've described the details in the page documenting Arxan's behavior.
Working on Donetsk, something I did not enjoy was having to restart the game every time I wanted to make changes to functions etc. A lot of development time is wasted by having to wait for the game to boot up, load into a match and then test whether your changes worked or not. That is why I also shipped a fully working plugin loader which hot reloads modules on recompilation. This should improve development productivity for anyone who's interested in writing mods etc. for the game.
Demonstration:
2024-11-13.18-58-51.webm
momo5502
Geoff Chappell
http://undocumented.ntinternals.net/
https://github.com/winsiderss/phnt
https://www.pinvoke.dev/
https://anti-debug.checkpoint.com/
https://secret.club/
https://0xpat.github.io/
https://unprotect.it/
https://www.vergiliusproject.com/
https://github.com/x64dbg/x64dbg
https://github.com/ReClassNET/ReClass.NET
https://github.com/cheat-engine/cheat-engine
https://hex-rays.com/ida-pro