Amlegit - reverse engineering of

Since we know the parameters and return type of getdriver, we can actually call this function with our own code. For clarity, the function prototype looks like this: std::uintptr_t GetDriver(unsigned* size);

//--- amlegit dll functions.
namespace amlegit
    //--- function is only for extracting the driver
    static std::tuple<std::uintptr_t, std::size_t> get_driver()
        auto get_driver_temp =
                GetProcAddress(LoadLibrary(L"buffer.dll"), "GetDriver"));
        unsigned driver_size;
        if (get_driver_temp)
            return { get_driver_temp(&driver_size), driver_size };
        return { {}, {} };

//--- calling example.
auto [driver_ptr, driver_size] = amlegit::get_driver();


Now that we have the driver, let's see how it communicates with the cheating user mode counterpart. This spoofing IOCTL hook points to their IOCTL functions by changing the main function pointers of legitimate Windows drivers. They also change the uninstall function to point to them, so if / when the driver is uninstalled, they can remove the IOCTL hook.

INIT:000000014000C268 ; ---------------------------------------------------------------------------
INIT:000000014000C268 loc_14000C268:  ; CODE XREF: ioctl_hook_setup+FFA
INIT:000000014000C268                 lea     rax, IRP_MJ_CREATE
INIT:000000014000C26F                 mov     [rbx+70h], rax
INIT:000000014000C273                 lea     rax, IRP_MJ_CLOSE
INIT:000000014000C27A                 mov     [rbx+80h], rax
INIT:000000014000C281                 lea     rax, IOCTL_HOOK_FUNCTION
INIT:000000014000C288                 mov     [rbx+0E0h], rax
INIT:000000014000C28F                 mov     rcx, cs:hooked_driver_object_ptr
INIT:000000014000C296                 mov     cs:pdriver_obj, rbx
INIT:000000014000C29D                 call    create_symbolic_link
INIT:000000014000C2A2                 or      eax, eax
INIT:000000014000C2A4                 jns     short loc_14000C2B2
INIT:000000014000C2A6                 lea     rcx, aFailedToCreate_0 ; "Failed to create symlink\n"
INIT:000000014000C2AD                 call    debug_with_prefix

Considering that we know how drivers communicate with user mode processes, let's look at the IOCTL hook function itself. IOCTL supports reading from the process of a given PID, writing to the process according to its PID, allocating memory in the process of a given PID, and spoofing hwid. The two most prominent options for me are hwid spoofing and memory allocation, because remember, this cheating is internal, so they have to hide their own memory, right? Errors, as you will see, call ZwAllocateVirtualMemory only after calling ZwOpenProcess. They don't hide their memories at all.

if (IOCTL_CODE == 0x224986) 
  v18 = * (unsigned int ** )(PIRP_1 + 24);
  PsLookupProcessByProcessId( * v18, & v25);
  debug_with_prefix((__int64) "Allocating with size %llu...\n", v18[4]);
  v19 = * (_QWORD * )(PIRP_1 + 8);
  if ( * (_BYTE * )(v19 + 10) & 5)
    v20 = * (_QWORD ** )(v19 + 24);
    v20 = MmMapLockedPagesSpecifyCache((PMDL) v19, 0, MmCached, 0 i64, 0, (MM_PAGE_PRIORITY) 0x40000010);
  v26 = * v18;
  v27 = 0 i64;
  v28 = 48;
  v29 = 0 i64;
  v31 = 0;
  v30 = 0 i64;
  _mm_storeu_si128((__m128i * ) & v32, (__m128i) 0 i64);
  v4 = (unsigned int) ZwOpenProcess( & v34, 0x1FFFFF i64, & v28, & v26);
    "Got process handle %x with status %x\n", v34, v4);
  v21 = 0 i64;
  v33 = 0 i64;
  v35 = v18[4];
  if ((int) v4 >= 0) {
    v4 = (unsigned int) ZwAllocateVirtualMemory(v34, & v33, 0 i64, & v35, 4096, 64);
      "Allocated at %llx with status %x\n", v33, v4);
    v21 = v33;
  }* v20 = v21;
  v20[2] = 0 i64;
  v20[1] = 0 i64;

Before I delve into fraudsters, I just want to say that the developers of amlegit have not found a new way to cheat hwid. In other words, they just paste the public code together and start selling. If you don't want to read about the github repository, you can skip this section and move on to the next section.

The cheater in this driver is public code that can be found here. It is by no means undiscovered, and its use will lead to a ban. Let's first look at the IOCTL option to deceive hwid. The debug print statement tells us what each subsequent function is related to. This makes it easy to cross reference the public github repository to ensure that what we're looking for is really someone else's work.

if (IOCTL_CODE == 0x235C42) 
  spoof_nic(0 i64);
  v22 = "Done\n";

Let's take a look at spoof first_ disk. As you can see, this function is 1:1 with the common source. Since this function is very large, I'll put it on another page so that you can cross reference it with the github repository.


This is a youtube video copy of the demo launcher in case it becomes private or deleted. As you will see in the video, the open console contains the same information as the cheater you ran btbd and printed when you openly pasted it. (1:50)

This is a video of cheating. Due to the detection of cheating, the account proving this cheating has been banned. As you can see, it's nothing special.

Posted on Thu, 18 Nov 2021 23:01:22 -0500 by naskar