Example:

String decryption code:

C++:

    #include <cstring>

    // Decompiled stack-string decryption loop, wrapped in a function so it reads on its own.
    // The loop body is kept exactly as decompiled: pString is advanced on every iteration, so the
    // strlen() in the loop condition measures the remaining suffix, not the original string.
    void DecryptString( char *pString )
    {
        size_t i = 0;
        char random_shit = 0;
        do
        {
            random_shit = ( ( 3 - i ) ^ *pString & 0x7F ) - i * i;
            ++i;
            *pString++ = random_shit & 0x7F;
        } while ( i < strlen( pString ) );
    }

Here's where the driver registers the call-backs:

Inside RegisterShittyCallbacks:

C++:

    struct _PROCESS_INFO
    {
        DWORD ProcessId;
        DWORD Unknown;
        DWORD Type;
        DWORD Flags;
    };

Code:

    TYPE  PROCESS
    1     Normal Process
    2     csrss.exe
    3     lsass.exe
    4     svchost.exe
    5     Multi Theft Auto.exe or MULTIT~1.EXE
    6     mta_sa.exe or proxy_sa.exe
    7     raidcall.exe
    8     LVPrcSrv.exe or LWEMon.exe
    9     Action_x86.bin or Action_x64.bin

What basically happens here is this:

1. Check if the target is gta_sa.exe or proxy_sa.exe.
2. Check if it isn't gta_sa/proxy_sa that's doing the operation.
3. Check the operation (create/duplicate).
4. Check if some bits representing write access or other operations are set. Go to step 5 if true.
5. Check if the process that's creating/duplicating the handle is of type 1, 5, or 6. Go to step 5 if true.
6. Strip handle.
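As an added example (not code from the driver or from the post), here is a user-mode C model of the six steps above built on the _PROCESS_INFO layout; it makes visible that the trust decision rests entirely on the type recorded at process creation, so anything recorded as a type other than 1, 5 or 6 keeps its access. Assumed: a constructed SpecialProcessesInfo table with made-up PIDs, the Win32 PROCESS_VM_* bits (0x38) standing in for the unnamed "write access" bits, and the fifth step's "go to step 5" read as the final strip step.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t DWORD;
/* Entry layout from the post; Unknown and Flags are not interpreted here. */
struct _PROCESS_INFO { DWORD ProcessId; DWORD Unknown; DWORD Type; DWORD Flags; };
/* Type numbers from the post's table. */
enum { TYPE_NORMAL = 1, TYPE_CSRSS = 2, TYPE_LSASS = 3, TYPE_SVCHOST = 4, TYPE_MTA = 5,
       TYPE_MTA_SA = 6, TYPE_RAIDCALL = 7, TYPE_LOGITECH = 8, TYPE_ACTION = 9 };
enum HandleOp { OP_CREATE, OP_DUPLICATE, OP_OTHER };

/* Constructed stand-in for the driver's SpecialProcessesInfo array. PIDs are
   made up; type-1 (normal) processes are never added, as the post notes. */
static const struct _PROCESS_INFO SpecialProcessesInfo[] = {
    {  600, 0, TYPE_CSRSS,    0 },
    {  700, 0, TYPE_LSASS,    0 },
    { 4100, 0, TYPE_MTA_SA,   0 },
    { 5200, 0, TYPE_RAIDCALL, 0 },
};

/* Look a PID up; anything not in the table is a normal (type 1) process. */
DWORD lookup_type(DWORD pid)
{
    size_t n = sizeof(SpecialProcessesInfo) / sizeof(SpecialProcessesInfo[0]);
    for (size_t i = 0; i < n; ++i)
        if (SpecialProcessesInfo[i].ProcessId == pid)
            return SpecialProcessesInfo[i].Type;
    return TYPE_NORMAL;
}

/* Hypothetical "write access" mask: PROCESS_VM_OPERATION | VM_READ | VM_WRITE. */
#define WRITE_LIKE_ACCESS 0x0038u
static bool is_game(const char *image)
{
    return strcmp(image, "gta_sa.exe") == 0 || strcmp(image, "proxy_sa.exe") == 0;
}

/* Steps 1-6 from the post; true when the callback would strip the handle. */
bool would_strip_access(const char *target_image, const char *requester_image,
                        DWORD requester_pid, enum HandleOp op, DWORD desired_access)
{
    if (!is_game(target_image))   return false;  /* 1: target must be the game */
    if (is_game(requester_image))  return false;  /* 2: game acting on itself   */
    if (op != OP_CREATE && op != OP_DUPLICATE)     return false;  /* 3 */
    if ((desired_access & WRITE_LIKE_ACCESS) == 0) return false;  /* 4 */
    DWORD t = lookup_type(requester_pid);  /* 5: only types 1, 5 and 6 are stripped */
    return t == TYPE_NORMAL || t == TYPE_MTA || t == TYPE_MTA_SA;  /* 6: strip */
}
```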

FairplayKD.sys IDA Database

So in the past few days I've been reversing MTA: SA's anti cheat and I decided to start out with the driver FairplayKD.sys because I wanted to be able to inject my stuff without any problem. Here I'm gonna show you why the Fairplaykd.sys driver is a joke.

Multi Theft Auto (MTA) is a multiplayer modification for Grand Theft Auto: San Andreas that adds online multiplayer. For Grand Theft Auto: San Andreas, the mod also serves as a derivative engine to Rockstar's interpretation of RenderWare.

To dynamically import functions, the driver builds encrypted stack strings, decrypts them, converts them to Unicode and calls MmGetSystemRoutineAddress, which gets the address of exported functions from ntoskrnl.exe (the kernel and executive) and hal.dll (HAL).

So after knowing about that, I easily found where it grabs the address of ObRegisterCallbacks (DecryptStringAndGetRoutineAddress is a function that does exactly what I said) (you can also see PsSetCreateProcessNotifyRoutine there).

You can see they register 2 pre-operation call-backs - which are called by ObpCallPreOperationCallbacks - one for process and the other for thread. I'm gonna only show the process one since both call-backs are basically the same shit.

Before getting into the pre-operation call-back, let's see how the driver stores information about processes like itself. MTA: SA's driver stores information about some processes in a global array that I called SpecialProcessesInfo. Example of it being accessed:

Each entry in that array is represented by this structure:

The type member can be one of the following numbers:

I named that global array "SpecialProcessesInfo" because type 1 processes (normal processes) won't be added to the list. From PcreateProcessNotifyRoutine (the callback set by PsSetCreateProcessNotifyRoutine):

That means we can use type 7 (raidcall.exe) to inject our stuff in there.

I've coded a basic manual mapping injector (thx @Broihon) to test it and look what happened:

Get rekt shitty driver.

Moral of the story: raidcall is the real MVP

Found this old IDB for FairplayKD.sys in my PC so I'm posting it. It's not fully reversed (I've lost my fully reversed one) but I'm sure this will help someone as the driver didn't change a lot.

That's it for fairplaykd. Still gotta see the user mode part but at least I can inject my shit. Rake posted some stuff below so keep reading.