
Hide Test-Signing Mode From Application?


5 replies to this topic

#1 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 29 April 2015 - 06:37 AM

I have a game, or rather, several games, that use the BattlEye anti-cheat technology, created and maintained by a company called Bohemia. However, I also have a driver which won't run on 7/8/8.1 if Test-Signing mode isn't activated. No updated driver is available anywhere. BattlEye checks to see if this mode is turned on, and refuses to let me run several legally obtained games if TSM is on. Their reasoning is that game hackers oftentimes use TSM to cheat, and so they recently (as of several months ago) instituted a blanket ban against it.

 

I have no intention of cheating, I simply want to run my driver without TSM being on, and without having to constantly toggle it on/off.

 

Is there an easy way to accomplish this, or does it largely depend on the detection method that BattlEye uses? I'm also thinking that running my driver in kernel mode is a possibility, since it provides nearly absolute privileges on the system. Or perhaps running it under the guise of being another driver, i.e. using another driver's valid certificate.

 

This info would also be useful for informational/learning purposes.

 

Thanks in advance!



#2 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 02 May 2015 - 04:03 PM

96 views and no replies... someone here probably thinks I plan to hack a game for an unfair advantage over other players (assuming the worst in others, ya know). You have my assurance that this isn't the case. Cheaters are some of the people I hate most.

 

With that said, Bohemia has no right to block people from using Test-Signing Mode to load legit drivers, just because a minority of people use that same method to break rules. The games are theirs and they can do as they wish, but still.

 

Anyway, I really just want to load my driver. On the other hand, I do wonder what method they use for detecting TSM, and how it can be blocked/tricked. I'm sure it's just some common call procedure that it does. Although if I can get the driver to load without TSM, that's really all I care about. No other online game I play checks for TSM, although MMO game devs may follow suit and do so in the future.

 

Thanks!



#3 v77

v77

    Silver Member

  • Team Reboot
  • 602 posts
  •  
    France

Posted 02 May 2015 - 05:47 PM

Even if you wanted to cheat, I would have been happy to help you because I dislike when some assume the way I use my hardware. For instance, it is because of this that we have in many countries the "private copying levy"...

If you cannot run your driver without TSM, then you can't. But with the fact that BattlEye uses a kernel mode driver, I am not very optimistic.
You can try to create a script where you stop the driver of BattlEye (see the sc command), change the content of the SystemStartOptions registry value, and then restart the driver. But I doubt this works, because if I had to develop an anti-cheat software, I would never rely on a simple registry value to test something like this...



#4 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 12 May 2015 - 04:03 PM

I'm currently running Windows 8.1 Enterprise x64, I can't find the SystemStartOptions value in my Registry, it simply isn't present. Is it not a valid value for Windows 8/8.1? Perhaps it only exists in 7 and below? I had no idea that BattlEye uses a kernel-mode driver, though looking back it kind of makes sense, since it installs itself as a Service. It makes sense that Bohemia wouldn't rely on something as easily manipulated as a Registry value.

Perhaps someone with more experience can chime in on this. I'm still thinking that running my driver in kernel mode or disguising it as another driver might work, possibly by piggybacking on another driver's valid, signed certificate. Perhaps maybe even a self-signed driver with a certificate. Or would all this still require TSM to be enabled?

I read elsewhere in these forums that a driver's cert can be easily modified without invalidating the cert, as long as the cert uses MD5 rather than something more secure like SHA-1.

Edit: One device is a rather interesting Nostromo gaming keypad with ergonomic, remappable buttons (one of the much older variants). The other device is a USB Alfa WiFi adapter, for which I would like to use modded drivers. It's not so old, but it seems modded drivers require TSM. The adapter is primarily for penetration testing, WiFi hacking, etc., and the modded drivers extend its capabilities quite a bit. I'm just looking for a solution that doesn't require toggling TSM on/off every time I want to use these devices.

Edited by AnonVendetta, 12 May 2015 - 04:12 PM.


#5 cdob

cdob

    Gold Member

  • Expert
  • 1469 posts

Posted 12 May 2015 - 06:44 PM

> I'm currently running Windows 8.1 Enterprise x64, I can't find the SystemStartOptions value in my Registry

There is SystemStartOptions here at Windows 8.1 x64.
And it's working at a related PE too http://reboot.pro/to...ve/#entry185366
reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control" /v "SystemStartOptions"

> It makes sense that Bohemia wouldn't rely on something as easily manipulated as a Registry value.

Can you try nonetheless?

#6 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 12 May 2015 - 06:52 PM

I am not certain about that but I kinda remember that there are Windows APIs (hidden?) to check whether the system booted with TSM or not.

 

But defo, checking the registry key is one way.

 

Registry monitor (ex sysinternals) can help assert this behavior.
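
The two detection sources discussed in this thread (the SystemStartOptions registry value and a kernel-reported API) can be cross-checked, which shows why a checker should not rely on the registry copy alone. This is an added example, not part of the thread or any poster's code; the function names and sample values are constructed, and it assumes the kernel value is the CodeIntegrityOptions bitmask from NtQuerySystemInformation(SystemCodeIntegrityInformation) and that SystemStartOptions holds space-separated load options such as TESTSIGNING or DISABLE_INTEGRITY_CHECKS.

```python
# Added example: cross-check two sources of the boot-time test-signing state.
# All sample values below are constructed for illustration.

# Bits of SYSTEM_CODEINTEGRITY_INFORMATION.CodeIntegrityOptions.
CI_ENABLED = 0x01    # CODEINTEGRITY_OPTION_ENABLED
CI_TESTSIGN = 0x02   # CODEINTEGRITY_OPTION_TESTSIGN

# Load-option names that weaken driver signature enforcement (assumed spelling).
WEAK_TOKENS = {"TESTSIGNING", "DISABLE_INTEGRITY_CHECKS"}


def parse_start_options(value):
    """Split a SystemStartOptions string into upper-case option names."""
    names = set()
    for token in value.replace("/", " ").split():
        names.add(token.split("=", 1)[0].upper())
    return names


def assess(start_options, ci_options):
    """Return (verdict, reasons) for one host's signing-enforcement state."""
    tokens = parse_start_options(start_options)
    reg_test = "TESTSIGNING" in tokens
    ci_test = bool(ci_options & CI_TESTSIGN)
    reasons = sorted(tokens & WEAK_TOKENS)
    if not ci_options & CI_ENABLED:
        reasons.append("code integrity not enabled")
    if ci_test and not reg_test:
        # The kernel reports a test-signed boot but the registry copy does not:
        # the registry value is stale or was edited after boot.
        return "mismatch", reasons + ["registry value disagrees with kernel"]
    if ci_test or reasons:
        return "weakened", reasons
    return "enforced", reasons


SAMPLES = [  # (SystemStartOptions, CodeIntegrityOptions), constructed
    (" NOEXECUTE=OPTIN", 0x01),
    (" TESTSIGNING  NOEXECUTE=OPTIN", 0x03),
    (" NOEXECUTE=OPTIN", 0x03),
]

if __name__ == "__main__":
    for opts, ci in SAMPLES:
        print(repr(opts), hex(ci), assess(opts, ci))
```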