Bypassing the Forgelight Engine’s Anti-Data Tampering Code

Planetside 2 and H1Z1 generate hashes for specific intervals of data within some data structures. In H1Z1, a lot more areas have this type of data tampering protection enabled. If the stored hash is not equal to a recently generated hash, the game will force an exception and crash.

In this example, it’s going to be used to bypass the data tampering protection contained within weapon firemode data for Planetside 2.

Usage:

Pretty silly stuff.

The offsets are not shown, but the hashing for the firemode starts at firemode + 0x10, and ends at firemode + 0x178. The resulting hash always seems to be stored at the end of the hashing interval.

Now, this can be applied to any interval of data that uses this protection. All that’s needed is the address/offset of the beginning of the protected data, and the end (or the size) of the protected data. This is assuming that everywhere this protection is found, the resulting hash is stored at the end of the interval.

A little side note: The game also sets a bool to true when it finds that the hashes do not match eachother. I believe this bool is stored right after the hash.

Pseudo struct layout of the firemode, showing how the anti-data tampering works:

praydog / March 8, 2015 / hacking / 1 Comment