ARK: Survival Evolved Cheats and Trainer for Steam

@Apostate Either a kernel driver or a way of injecting a DLL without having to open a process handle. There are a few ways to do that, but the ones I know about aren’t ideal.

You cannot do that; it has DLLs and programs whitelisted based on their certificate.

Kernel routines BattlEye uses to protect its games:

ObRegisterCallbacks: Used to strip handles of their access rights upon handle creation. Returns access denied.

PsSetCreateThreadNotifyRoutine: Routine registers a driver-supplied callback that is subsequently notified when a new thread is created and when such a thread is deleted. Basically, if it’s not called from a whitelisted application, the thread is not created. (Circumvent with thread-hijacking injection techniques; you still need to get around ObRegisterCallbacks.)

PsSetLoadImageNotifyRoutine: Routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory). (Prevents LoadLibrary; again, you still need a handle to the process for this.)

More about BattlEye: They blacklist digital signatures, so basically, let’s say @Frank were to release a build of Infinity with kernel injection, they’d blacklist the certificate. AppInit_DLLs isn’t ideal; not sure if they’re doing anything to prevent that, I think they might be. SetWindowsHookEx is prevented. Also, they do have a heartbeat system for checking to see if their callbacks are in place, so simply unregistering their callbacks is not sufficient.

I left a few hints in this message about getting around their callbacks.

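To make the ObRegisterCallbacks point above concrete, here is an added example (written for this page; it is not BattlEye's code and not from any poster) of the shape such a handle filter takes. The pure policy function, which strips the rights an injector needs from a requested access mask unless the requester is whitelisted, compiles and runs anywhere; the driver registration around it is only compiled when the hypothetical macro BUILD_WDK_DRIVER is defined, i.e. when building with the Windows Driver Kit. BUILD_WDK_DRIVER, is_trusted_requester(), g_protected_pid and the altitude string are assumptions; the PROCESS_* values are the ones from winnt.h. Note that the callback cannot itself "return access denied": the handle is still created, just without the stripped rights, so the later WriteProcessMemory or CreateRemoteThread call is what fails with access denied.

```c
/*
 * Added example: an ObRegisterCallbacks-style handle filter.
 * Not BattlEye's code. BUILD_WDK_DRIVER, is_trusted_requester(),
 * g_protected_pid and the altitude string are hypothetical.
 */
#ifdef BUILD_WDK_DRIVER
#include <ntddk.h>
#else
#include <stdio.h>
typedef unsigned long ACCESS_MASK;
/* Process access rights, values as defined in winnt.h. */
#define PROCESS_TERMINATE          0x0001
#define PROCESS_CREATE_THREAD      0x0002
#define PROCESS_VM_OPERATION       0x0008
#define PROCESS_VM_READ            0x0010
#define PROCESS_VM_WRITE           0x0020
#define PROCESS_DUP_HANDLE         0x0040
#define PROCESS_QUERY_INFORMATION  0x0400
#define PROCESS_ALL_ACCESS         0x001FFFFF
#endif

/* Rights an injector or memory patcher needs. Everything else (query rights,
 * SYNCHRONIZE, ...) is left alone so legitimate tools keep working. */
#define DENIED_PROCESS_RIGHTS (PROCESS_VM_WRITE | PROCESS_VM_OPERATION | \
                               PROCESS_VM_READ | PROCESS_CREATE_THREAD | \
                               PROCESS_DUP_HANDLE | PROCESS_TERMINATE)

/* Core policy: the mask the handle will actually be created with. */
ACCESS_MASK strip_dangerous_rights(ACCESS_MASK desired, int requester_trusted)
{
    if (requester_trusted)
        return desired;                       /* whitelisted: untouched */
    return desired & ~(ACCESS_MASK)DENIED_PROCESS_RIGHTS;
}

#ifdef BUILD_WDK_DRIVER
static HANDLE g_protected_pid;   /* PID of the protected game process (hypothetical) */
static PVOID  g_ob_handle;       /* registration handle for ObUnRegisterCallbacks */

/* Hypothetical: a real driver would check the requester's image signature
 * against its certificate whitelist here. */
static BOOLEAN is_trusted_requester(PEPROCESS requester);

static OB_PREOP_CALLBACK_STATUS
PreOpCallback(PVOID Context, POB_PRE_OPERATION_INFORMATION Info)
{
    UNREFERENCED_PARAMETER(Context);
    /* Only filter handles whose target is the protected process ... */
    if (Info->ObjectType != *PsProcessType ||
        PsGetProcessId((PEPROCESS)Info->Object) != g_protected_pid)
        return OB_PREOP_SUCCESS;
    /* ... and skip kernel handles and the process opening itself. */
    if (Info->KernelHandle || PsGetCurrentProcess() == (PEPROCESS)Info->Object)
        return OB_PREOP_SUCCESS;

    BOOLEAN trusted = is_trusted_requester(PsGetCurrentProcess());
    if (Info->Operation == OB_OPERATION_HANDLE_CREATE) {
        ACCESS_MASK *d = &Info->Parameters->CreateHandleInformation.DesiredAccess;
        *d = strip_dangerous_rights(*d, trusted);
    } else {                                  /* OB_OPERATION_HANDLE_DUPLICATE */
        ACCESS_MASK *d = &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
        *d = strip_dangerous_rights(*d, trusted);
    }
    return OB_PREOP_SUCCESS;                  /* handle is created, rights reduced */
}

NTSTATUS RegisterHandleFilter(void)
{
    OB_OPERATION_REGISTRATION op  = {0};
    OB_CALLBACK_REGISTRATION  reg = {0};
    op.ObjectType   = PsProcessType;
    op.Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = PreOpCallback;
    reg.Version                   = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    RtlInitUnicodeString(&reg.Altitude, L"321000");   /* hypothetical altitude */
    reg.OperationRegistration     = &op;
    return ObRegisterCallbacks(&reg, &g_ob_handle);
}
#else
int main(void)
{
    ACCESS_MASK got = strip_dangerous_rights(PROCESS_ALL_ACCESS, 0);
    printf("untrusted requester asked for 0x%08lx, handle gets 0x%08lx\n",
           (unsigned long)PROCESS_ALL_ACCESS, (unsigned long)got);
    return 0;
}
#endif
```

Two practical caveats: ObRegisterCallbacks only accepts a driver linked with /INTEGRITYCHECK and a valid signature, and the callback runs in the context of the requesting process, which is why the requester's identity can be checked there. The same skeleton is also how EDR products protect their own processes.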

Thanks for the info.

What if a handle to, say, explorer.exe was opened and a small amount of executable code was written to its main module that opens the game’s process and manually maps the trainer DLL into it, bypassing the kernel callbacks. Assuming Infinity isn’t blacklisted.

Unless every game starts using kernel-mode anti-cheat drivers, Infinity is definitely going to stay in userland.

They do something to prevent it I believe.

Fraps is whitelisted, Overwolf is whitelisted, and you cannot proxy a DLL with either one of those. I’ve tried.

I use a driver to do something a bit different. If you want I can PM you it, but I’d rather not post it publicly as it’s fairly undiscovered by the cheating scene.

I know there are ways to manipulate csrss to give you a PROCESS_ALL_ACCESS handle.

I’d post more details, but the battle-spy (intentional misspelling) developer has a massive grudge against me from another site.


The csrss bit is interesting, but don’t you have to be in kernel mode to touch that process? I’m trying to stick with user-mode solutions because I like Infinity running without needing Admin privileges. This is really only an issue with games that are primarily multiplayer, like ARK, so I’m not worried about anti-cheat drivers just yet.

I don’t know the details of csrss too much, I might look into it because it’s interesting.

Worst part is so many games are getting these drivers. Nice thing, though, is that because of PatchGuard they’re still limited in what they can do in the kernel. At least they can’t hook every single last thing and make it nearly impossible to do anything. Battlespy is known for being somewhat invasive: banning for Test Mode, the ability to send arbitrary code to the client for execution (and the ability to send it to specific clients). The list goes on…

Yeah, PatchGuard is a lifesaver. The drivers are worthless if you can run your own code in kernel mode.

I don’t like that remote execution thing…

Where did you learn about Windows’ Internals? The book? Class?

I’ve looked over the book, haven’t really read it in detail. I’ve just kind of accumulated information in my head from all sorts of sources, but I’m still far from being any sort of expert.

Edit: an acquaintance of mine has TONS of information regarding kernel memory hacking, DarthTon’s Blackbone driver: https://github.com/DarthTon/Blackbone

Well written, well documented. Good stuff.

Any chance we’ll see an update to ARK’s infinity trainer with the help of some of this stuff?

That’s sick. I’m definitely going to use this for some personal projects.

Unfortunately not. BattlEye has to be completely uninstalled or the service has to be disabled in order for Infinity to work.


Any advice for trying to disable it? I’ve poked around and didn’t find much; should I just reinstall ARK?

Have you restarted your computer since the uninstall?


I’ve not restarted my computer since deleting the BattlEye files.

Should I try it and see if it does anything?

I think the driver still needs to be deleted. I never installed BattlEye, so I’m not sure of the proper way to uninstall it.


Try deleting this folder too:
C:\Program Files (x86)\Common Files\BattlEye

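The posts above describe removing BattlEye by hand (delete the files, reboot, delete the Common Files folder) while noting that the service and the driver may still be registered. As an added example, not from any poster, here is a read-only PowerShell inventory that checks all three: the folder named in the thread, registered user-mode services, and registered kernel drivers. The match pattern on "BattlEye" in the service name or binary path is an assumption; it is not a list of BattlEye's real component names.

```powershell
# Added example (not from the thread): report what BattlEye left behind after a manual uninstall.
# Read-only; nothing here stops or deletes anything. Run from an elevated prompt so that
# driver paths are readable.
$pattern = '*BattlEye*'                                   # assumption: components are named/pathed under "BattlEye"
$folder  = 'C:\Program Files (x86)\Common Files\BattlEye' # path given in the thread

"== Folder =="
if (Test-Path -LiteralPath $folder) {
    Get-ChildItem -LiteralPath $folder -Recurse -File | Select-Object FullName, Length
} else {
    "$folder is not present"
}

"== Registered user-mode services =="
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like $pattern -or $_.PathName -like $pattern } |
    Select-Object Name, State, StartMode, PathName

"== Registered kernel drivers (State=Running means the driver is loaded right now) =="
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like $pattern -or $_.PathName -like $pattern } |
    Select-Object Name, State, StartMode, PathName

"== Driver binaries still on disk for those registrations =="
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like $pattern } |
    ForEach-Object {
        # PathName may be quoted or use the \??\ prefix; normalise before testing.
        $p = $_.PathName.Trim('"') -replace '^\\\?\?\\', ''
        [pscustomobject]@{ Name = $_.Name; Path = $p; OnDisk = (Test-Path -LiteralPath $p) }
    }
```

If the driver section still lists an entry after the folder is gone, deleting files alone did not unregister it; the registration lives in the service control manager, so remove it with `sc.exe delete <Name>` from an elevated prompt and reboot, then rerun the inventory. A driver that shows State=Running cannot be removed until the reboot, which is why the "have you restarted" question above matters.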

Should be able to just launch it without battleye…


Deleted the folder and was able to try to start it up; the terminal did not appear.

Although instead it timed out due to an update.

I’ll edit this post and update it as I keep trying.

@Sunkist, I thought you had to launch the program via Infinity?

Update: Tried starting it through Infinity and it timed out.

Oh, maybe. I thought you could just attach (I thought it was like that on Civ 5, at least).

Maybe I was thinking wrong.
