Fix for Anti-Hacks/Plugins Bypass Injectors

Started by fratika, Oct 20, 2024, 12:41 AM

fratika

[IMPORTANT] Fix for Anti-Hacks/Plugins Bypass Injectors



Hello, everyone!

Quote from: ReleaseTeam
As some of you may know, there is a method to bypass any Anti-Hack/Plugin by injecting a DLL with the same name as the Anti-Hack or Plugin as soon as the game starts. This can create serious vulnerabilities, allowing malicious users to inject unwanted code.

The Problem
The vulnerability lies in the way `Main.dll` checks and loads plugins. The current check only verifies the plugin's CRC when loading it, but it does not confirm if the plugin was already loaded or if the loaded plugin matches the expected CRC.

Let's take a look at the initial code snippet:
void CProtect::CheckPluginFile() // OK
{
    if(this->m_MainInfo.PluginCRC32 == 0) // No plugin configured: nothing to check
        return;

    CCRC32 CRC32;
    DWORD PluginCRC32;

    if(CRC32.FileCRC(this->m_MainInfo.PluginName,&PluginCRC32,1024) == 0) // CRC of the file on disk
        ExitProcess(0);

    if(this->m_MainInfo.PluginCRC32 != PluginCRC32) // On-disk CRC must match the expected value
        ExitProcess(0);

    HMODULE module = LoadLibrary(this->m_MainInfo.PluginName); // Returns the existing handle if a module with this name is already mapped

    if(module == 0)
        ExitProcess(0);

    void (*EntryProc)() = (void(*)())GetProcAddress(module,"EntryProc"); // Entry point is taken from whatever module that handle refers to

    if(EntryProc != 0)
        EntryProc();
}



The Solution
To address this, we need to introduce additional checks to verify if the plugin has already been loaded and to recheck the CRC after the plugin is loaded. This ensures that only the correct version of the plugin is running and that no unauthorized DLLs are injected.

Updated Code for Main.dll Check
void CProtect::CheckPluginFile() // OK
{
    if(this->m_MainInfo.PluginCRC32 == 0)
        return;

    CCRC32 CRC32;
    DWORD PluginCRC32;

    if(CRC32.FileCRC(this->m_MainInfo.PluginName,&PluginCRC32,1024) == 0) // Verify the CRC of the plugin in the game's directory
        ExitProcess(0);

    if(this->m_MainInfo.PluginCRC32 != PluginCRC32) // If the CRC does not match, exit
        ExitProcess(0);

    HMODULE loadedmodule = GetModuleHandle(this->m_MainInfo.PluginName); // Check if a module with this name has already been loaded

    if(loadedmodule != 0) // If loaded, exit
        ExitProcess(0);

    HMODULE module = LoadLibrary(this->m_MainInfo.PluginName); // Load the plugin

    if(module == 0) // If unable to load, exit
        ExitProcess(0);

    char filename[MAX_PATH];

    if(GetModuleFileName(module,filename,MAX_PATH) == 0) // Get the path of the file the loaded module was mapped from; exit if it cannot be resolved
        ExitProcess(0);

    if(CRC32.FileCRC(filename,&PluginCRC32,1024) == 0) // Verify CRC of the loaded plugin
        ExitProcess(0);

    if(this->m_MainInfo.PluginCRC32 != PluginCRC32) // If CRC does not match, exit
        ExitProcess(0);

    void (*EntryProc)() = (void(*)())GetProcAddress(module,"EntryProc"); // Get the entry point

    if(EntryProc != 0) // If the entry point exists, call it
        EntryProc();
}



Additional Fix for Camera.dll
Similarly, you can apply the same logic to `Camera.dll` to prevent bypass vulnerabilities. Here is the updated code for `CheckCameraFile()`:

void CProtect::CheckCameraFile() // OK
{
    if(this->m_MainInfo.CameraCRC32 == 0)
        return;

    CCRC32 CRC32;
    DWORD CameraCRC32;

    if(CRC32.FileCRC(this->m_MainInfo.CameraName,&CameraCRC32,1024) == 0) // Verify the CRC of Camera.dll in the game's directory
        ExitProcess(0);

    if(this->m_MainInfo.CameraCRC32 != CameraCRC32) // If the CRC does not match, exit
        ExitProcess(0);

    HMODULE loadedmodule = GetModuleHandle(this->m_MainInfo.CameraName); // Check if a module with this name has already been loaded

    if(loadedmodule != 0) // If already loaded, exit
        ExitProcess(0);

    HMODULE module = LoadLibrary(this->m_MainInfo.CameraName); // Load the module

    if(module == 0) // If unable to load, exit
        ExitProcess(0);

    char filename[MAX_PATH];

    if(GetModuleFileName(module,filename,MAX_PATH) == 0) // Get the path of the file the loaded module was mapped from; exit if it cannot be resolved
        ExitProcess(0);

    if(CRC32.FileCRC(filename,&CameraCRC32,1024) == 0) // Verify CRC of the loaded module
        ExitProcess(0);

    if(this->m_MainInfo.CameraCRC32 != CameraCRC32) // If CRC does not match, exit
        ExitProcess(0);

    void (*EntryProc)() = (void(*)())GetProcAddress(module,"EntryProc"); // Get the entry point

    if(EntryProc != 0) // If the entry point exists, call it
        EntryProc();
}


Fratika is the best :D
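The reasoning behind the fix (check the file on disk, refuse if a same-name module is already mapped, load, then re-check the file the mapped image actually came from) can be exercised without the game. The following is an added example, not code from the post or from the Main.dll/Camera.dll project: it simulates the process module table and the loader's directory search in plain Python (FakeProcess, load_library and the result strings are assumptions made for the simulation), uses zlib.crc32 in 1024-byte blocks in place of CCRC32::FileCRC, and runs the original and the fixed check ordering side by side on three constructed situations: a clean start, a same-name module already present before the check runs, and a name that resolves to a file outside the game directory.

```python
"""Simulation of the plugin-load check from the post (constructed example)."""
import os
import tempfile
import zlib


def file_crc32(path, chunk=1024):
    """CRC32 of a file read in 1024-byte blocks, standing in for CCRC32::FileCRC."""
    crc = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


class FakeProcess:
    """Minimal stand-in for the process module table (assumption: not Win32)."""

    def __init__(self, search_path):
        self.search_path = list(search_path)  # directories probed in order
        self.modules = {}  # module name -> path of the file it was mapped from

    def get_module_handle(self, name):
        """~ GetModuleHandle: a handle only if a module with that name is already mapped."""
        return name if name in self.modules else None

    def load_library(self, name):
        """~ LoadLibrary: existing handle if already loaded, else map the first match found."""
        if name in self.modules:
            return name
        for directory in self.search_path:
            candidate = os.path.join(directory, name)
            if os.path.isfile(candidate):
                self.modules[name] = candidate
                return name
        return None

    def get_module_file_name(self, handle):
        """~ GetModuleFileName: the path the mapped image came from."""
        return self.modules[handle]


def check_plugin_original(proc, name, expected_crc, game_dir):
    """Ordering of the original CheckPluginFile: on-disk CRC, then LoadLibrary."""
    if expected_crc == 0:
        return "skipped"
    path = os.path.join(game_dir, name)
    if not os.path.isfile(path) or file_crc32(path) != expected_crc:
        return "on-disk-crc-mismatch"
    if proc.load_library(name) is None:
        return "load-failed"
    return "ok"


def check_plugin_fixed(proc, name, expected_crc, game_dir):
    """Ordering of the fixed CheckPluginFile: on-disk CRC, not-yet-loaded, load, re-CRC mapped file."""
    if expected_crc == 0:
        return "skipped"
    path = os.path.join(game_dir, name)
    if not os.path.isfile(path) or file_crc32(path) != expected_crc:
        return "on-disk-crc-mismatch"
    if proc.get_module_handle(name) is not None:
        return "already-loaded"  # a same-name module was mapped before the check ran
    handle = proc.load_library(name)
    if handle is None:
        return "load-failed"
    if file_crc32(proc.get_module_file_name(handle)) != expected_crc:
        return "loaded-crc-mismatch"  # the mapped image is not the file checked on disk
    return "ok"


def run_scenarios():
    """Three constructed situations; returns {scenario: (original_result, fixed_result)}."""
    results = {}
    with tempfile.TemporaryDirectory() as game_dir, tempfile.TemporaryDirectory() as other_dir:
        genuine = os.path.join(game_dir, "Plugin.dll")
        with open(genuine, "wb") as fh:
            fh.write(b"genuine plugin image " * 100)  # constructed stand-in for the real DLL
        expected = file_crc32(genuine)
        foreign = os.path.join(other_dir, "Plugin.dll")
        with open(foreign, "wb") as fh:
            fh.write(b"some other image " * 100)  # constructed same-name file with a different CRC

        # 1. clean start: nothing mapped, the name resolves from the game directory
        results["clean"] = (
            check_plugin_original(FakeProcess([game_dir]), "Plugin.dll", expected, game_dir),
            check_plugin_fixed(FakeProcess([game_dir]), "Plugin.dll", expected, game_dir),
        )

        # 2. a module with the same name is already mapped before the check runs
        def preloaded():
            proc = FakeProcess([game_dir])
            proc.modules["Plugin.dll"] = foreign
            return proc
        results["preloaded"] = (
            check_plugin_original(preloaded(), "Plugin.dll", expected, game_dir),
            check_plugin_fixed(preloaded(), "Plugin.dll", expected, game_dir),
        )

        # 3. the file in the game directory is genuine, but the loader resolves the name elsewhere first
        results["resolved-elsewhere"] = (
            check_plugin_original(FakeProcess([other_dir, game_dir]), "Plugin.dll", expected, game_dir),
            check_plugin_fixed(FakeProcess([other_dir, game_dir]), "Plugin.dll", expected, game_dir),
        )
    return results


if __name__ == "__main__":
    for scenario, (old, new) in run_scenarios().items():
        print(f"{scenario:20s} original={old:22s} fixed={new}")
```

In the second and third situations the original ordering reports "ok" because LoadLibrary hands back whatever module already carries that name, or whatever file the search order finds first, while the on-disk CRC it checked belongs to a different file. The fixed ordering catches the first case with the GetModuleHandle test and the second with the re-CRC of the path GetModuleFileName reports, which is why both checks are needed rather than either alone.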
