BaSs_HaXoR

COD AW 1.05 Antiban Offsets

Dec 22nd, 2014
//Credits: Prom1ses @NGU http://www.nextgenupdate.com/forums/call-of-duty-advanced-warfare-modding-tools/787648-1-05-eboot-builder.html

/*
1: 0x3B3518 --> NOP (0x60 0x00 0x00 0x00)
2: 0x597220 --> LI R3, 0 (0x38 0x60 0x00 0x00)
3: 0x599848 --> BLR (0x4E 0x80 0x00 0x20)
4: 0x642800 --> NOP; LI R31, 0 (0x60 0x00 0x00 0x00 0x3B 0xE0)
5: 0x642D74 --> NOP (0x60 0x00 0x00 0x00)
6: 0x7BFBBC --> NULL (0x00)
7: 0x642DEC --> LI R30, 0 (0x3B 0xC0 0x00 0x00)
*/


AntiBan/CFW Notice
It seems people with CFW are getting server-side bans issued (even people who are not cheating). These bans seem to be done every few days and are done in waves (ban queues). Please disable CFW syscalls with something like PSNPatch/PSNinja prior to running the game to prevent yourself from being added to a ban queue. AntiBan++ seems to be going strong for those :)

This is an EBOOT Builder for 1.05.

Just browse for the ELF, apply the desired options, and replace EBOOT.BIN in /dev_hdd0/game/X/USRDIR.

Kudos to MegaMister, Eddie Mac, 1Austin112, and RatchetBooty for the hack offsets.

Screenshot:
http://i.imgur.com/SfR0Pvs.png

First, I wanted to talk a little bit about AntiBan. I'm not putting anyone down, but just NOP'ing all the calls within the ban functions is not the best thing to do... I want to fix that. To do that, I am releasing the offsets and technical details of my AntiBan, which I named AntiBan++, below:

1Austin112's AntiBan is pretty good. But the use of NOPs everywhere can have unexpected results (it is appropriate at times), specifically relating to the stack and register state. For example, if you NOP a ban function call, the instructions that follow may still expect a specific return value from that call (R3 on PowerPC). Since the NOP'd call never runs, R3 still holds whatever was in it before, which can result in freezes when the code branches on that unexpected value.

I also don't really like the steps recommended to apply the AntiBan via RTM tools... Just like on Black Ops 2, an AntiBan that depends on RTM timing is not a good thing to rely on. EBOOTs are a lot more reliable, as they're patched before the game executable is even run, which makes them the most effective option.

Here's what I did. (The offsets below are virtual addresses as shown in IDA; subtract 0x10000 to get the corresponding file offset in the ELF/EBOOT.)

TL;DR (Offsets):
1: 0x3B3518 --> NOP (0x60 0x00 0x00 0x00)
2: 0x597220 --> LI R3, 0 (0x38 0x60 0x00 0x00)
3: 0x599848 --> BLR (0x4E 0x80 0x00 0x20)
4: 0x642800 --> NOP; LI R31, 0 (0x60 0x00 0x00 0x00 0x3B 0xE0)
5: 0x642D74 --> NOP (0x60 0x00 0x00 0x00)
6: 0x7BFBBC --> NULL (0x00)
7: 0x642DEC --> LI R30, 0 (0x3B 0xC0 0x00 0x00)
Technical Details on AntiBan++:
First offset: 0x3B3518 --> Patch this to NOP (0x60 0x00 0x00 0x00)

Over here is a call to a function that performs nothing but a ban check. I've seen other AntiBans NOP stuff /within/ this function, such as at 0x597914. It's much safer and cleaner to just prevent this entire function from being called in the first place, so NOP the branch to this function (at 0x3B3518).

Second offset: 0x597220 --> Patch this to LI R3, 0 (0x38 0x60 0x00 0x00)

This is the major function that performs bans (it's obvious from the strings ;P). Other AntiBans also NOP all the calls following the strings (e.g. "EXE_COD_ONLINE_PERM_BAN_PLAYER"). If you look around the beginning of the function, at 0x597228 there is an (IF R3 == 0) { GOTO 0x597490; }. If you look at 0x597490, you will see it gracefully exits the function. Just apply the bytes above and the code will look like this:

R3 = 0;
if(R3 == 0) {
    GOTO GRACEFUL_EXIT();
} else {
    performBanChecks();
}

Thus the ban function ALWAYS exits gracefully, without requiring the numerous NOPs that would otherwise be needed on the path taken when R3 is NOT 0.

Third offset: 0x599848 --> Patch this to BLR (0x4E 0x80 0x00 0x20)

This function performs bans as well (e.g. "EXE_COD_ONLINE_PERM_BAN_CONSOLE"). It is called way too many times (you can check with IDA by pressing X on the function): there are 16 xrefs. Don't apply 16 NOPs. Just make the function return immediately when it's called. 4 bytes versus 16 * 4 bytes always sounds much cleaner to me :) One thing to keep in mind: a bare BLR returns without setting R3, so any caller that branches on this function's return value sees whatever R3 held before the call.

Fourth offset: 0x642800 --> Patch this to NOP; LI R31, 0 (0x60 0x00 0x00 0x00 0x3B 0xE0)

This is the one I did not see anyone patch... Every time you join a lobby, a task called "anticheat" is spawned. I don't know about you... But I don't want anything with that name running ;P

By applying the NOP you are overwriting the call that starts the task. The following bytes (0x3B 0xE0) make R31 = 0. There is a compare right after the call: if start_task made R31 = 0, the code assumes the task started successfully. So in addition to NOP'ing the call, we set R31 = 0 to ensure the BEQ at 0x64280C is taken, instead of the nasty "Failed to start task" error being printed to the console and possibly refusing online play. Note that LI R31, 0 is a full 32-bit instruction, 0x3B 0xE0 0x00 0x00 (addi r31, 0, 0); writing only the two bytes 0x3B 0xE0 at 0x642804 yields li r31, 0 only if the two bytes that follow them are already 0x00 0x00. If they are not, write all four bytes. Moving on... :)

Fifth offset: 0x642D74 --> Patch this to NOP (0x60 0x00 0x00 0x00)

I felt like patching this one because it also involves anticheat and a check that the console ID is NOT all zeros. This just NOPs the if(R31 == 0) { err("Failed to read Console ID"); }. This is an optional patch, but it is useful.

Sixth offset: 0x7BFBBC --> Patch this to 0x00

This is the "anticheat" string. It is used to specify which task to start. Since this is a null-terminated string, writing a null (0x00) over its first byte makes the string effectively empty when referenced. I patched this because at 0x642D88, when the if(R3 == 0) condition runs, it also starts the 'anticheat' task. I couldn't NOP out the call at 0x642DE8 like I did for the fourth offset, because this call site is also used for other tasks that are essential for the game to run. So killing the string effectively stops the task from being spawned at that point. However, an empty name is not a valid task, so the condition at 0x642DF0 will fail and print "Failed to start task":

if(R30 == 0) {
    weGood();
} else {
    somethingWentWrong();
}

Which brings me to my final offset...

Seventh offset: 0x642DEC --> Patch this to LI R30, 0 (0x3B 0xC0 0x00 0x00)

This makes the code assume every task started successfully (by setting R30 = 0 right before the if condition), so it does not log the failure to spawn the nonexistent task whose name we NULL'd. :P Be aware that, because the same call site also starts the essential tasks mentioned above, a genuine failure to start one of those will go unreported as well.
And that is an effective, proper AntiBan. Been using this along with a few friends for the past few days. Dozens of games. Even idling in lobbies for hours at a time (which commonly results in bans, since the 'anticheat' task is spawned in the lobby; refer to the technical notes above for more info).
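
Putting the seven patches above together, here is an added worked example that is not part of the original post or of the EBOOT Builder: a Python script that encodes the replacement instructions itself (so the byte values in the list can be checked rather than copied), maps each virtual address to a file offset from the ELF program headers instead of a hardcoded "subtract 0x10000" (it reproduces that rule when the loadable segment sits at 0x10000, which is the assumption made here), refuses to write where the bytes on disk do not match what the post describes (a bl at patches 1 and 4, the "anticheat" string at patch 6), and returns the original bytes so the change can be reverted. The sample ELF it runs on when no file is given is constructed inline and contains no game code; the segment layout, the planted call sites and string, and the command-line interface are my assumptions.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post or from the EBOOT Builder:
apply the seven AntiBan++ patches to a decrypted PS3 game ELF.

Assumptions (mine, not the post's): the target is an ELF64 big-endian PowerPC
executable, the post's offsets are virtual addresses, and the "subtract 0x10000"
rule is just the PT_LOAD mapping, so it is derived from the program headers here
instead of being hardcoded. Checks on the bytes being overwritten are limited to
what the post itself describes."""
import struct

# --- PowerPC encodings used by the post -------------------------------------
def li(rd, imm):
    """li rD, imm  ==  addi rD, r0, imm (primary opcode 14). li r31,0 -> 3B E0 00 00."""
    if not (0 <= rd < 32 and -0x8000 <= imm <= 0x7FFF):
        raise ValueError("bad li operands")
    return struct.pack(">I", (14 << 26) | (rd << 21) | (imm & 0xFFFF))

NOP = struct.pack(">I", 0x60000000)   # ori r0, r0, 0
BLR = struct.pack(">I", 0x4E800020)   # bclr 20, 0

def is_bl(word):
    """True for 'bl target' (primary opcode 18, AA=0, LK=1), i.e. a function call."""
    v = int.from_bytes(word, "big")
    return (v >> 26) == 18 and (v & 0b11) == 0b01

# (virtual address, replacement bytes, optional check on the bytes at that site)
PATCHES = [
    (0x3B3518, NOP,             lambda b, o: is_bl(b[o:o + 4])),              # 1: call to ban check
    (0x597220, li(3, 0),        None),                                         # 2: r3 = 0 -> graceful exit
    (0x599848, BLR,             None),                                         # 3: ban-console fn returns at once
    (0x642800, NOP + li(31, 0), lambda b, o: is_bl(b[o:o + 4])),              # 4: skip start_task, fake success
    (0x642D74, NOP,             None),                                         # 5: optional console-ID check
    (0x7BFBBC, b"\x00",         lambda b, o: b[o:o + 10] == b"anticheat\0"),  # 6: empty the task name
    (0x642DEC, li(30, 0),       None),                                         # 7: r30 = 0 -> "task started"
]

# --- ELF64 (big-endian) program-header walk ----------------------------------
def load_segments(elf):
    """Return [(p_vaddr, p_filesz, p_offset)] for every PT_LOAD segment."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 2:
        raise ValueError("expected an ELF64 big-endian executable")
    (e_phoff,) = struct.unpack_from(">Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(">HH", elf, 0x36)
    segs = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            ">IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == 1:  # PT_LOAD
            segs.append((p_vaddr, p_filesz, p_offset))
    return segs

def vaddr_to_offset(segs, vaddr):
    for p_vaddr, p_filesz, p_offset in segs:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"vaddr {vaddr:#x} is not file-backed by any PT_LOAD")

def apply_patches(elf, patches=PATCHES):
    """Return (patched_elf, log); log entries are (vaddr, file_offset, original_bytes).
    Refuses to write if a site fails its check, so a wrong ELF/version is not mangled."""
    buf = bytearray(elf)
    segs = load_segments(elf)
    log = []
    for vaddr, new, check in patches:
        off = vaddr_to_offset(segs, vaddr)
        if check is not None and not check(buf, off):
            raise ValueError(f"unexpected bytes at {vaddr:#x}; wrong ELF or version?")
        log.append((vaddr, off, bytes(buf[off:off + len(new)])))
        buf[off:off + len(new)] = new
    return bytes(buf), log

# --- Constructed stand-in for the game ELF (no real game bytes) -------------
def make_sample_elf(size=0x7C0000):
    """One PT_LOAD mapping file offset 0 at vaddr 0x10000, i.e. the post's
    'subtract 0x10000' rule. 'bl' words and the task string are planted where
    the post says they are, so the checks above have something to verify."""
    ehdr = b"\x7fELF" + bytes([2, 2, 1, 0]) + bytes(8)
    ehdr += struct.pack(">HHIQQQIHHHHHH", 2, 0x15, 1, 0x10200, 0x40, 0, 0, 0x40, 0x38, 1, 0, 0, 0)
    phdr = struct.pack(">IIQQQQQQ", 1, 5, 0, 0x10000, 0x10000, size, size, 0x10000)
    body = bytearray(size)
    body[:len(ehdr) + len(phdr)] = ehdr + phdr
    bl_word = struct.pack(">I", (18 << 26) | (0x100 << 2) | 1)   # bl +0x400
    body[0x3B3518 - 0x10000:0x3B351C - 0x10000] = bl_word
    body[0x642800 - 0x10000:0x642804 - 0x10000] = bl_word
    body[0x7BFBBC - 0x10000:0x7BFBBC - 0x10000 + 10] = b"anticheat\0"
    return bytes(body)

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_elf()
    out, log = apply_patches(src)
    for vaddr, off, old in log:
        print(f"{vaddr:#08x} -> file {off:#08x}: {old.hex()} replaced")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(out)
```

Run it as `python3 antiban_patch.py <decrypted ELF> <output ELF>`; with no arguments it patches the constructed sample and prints the original bytes at each site, which is also the record needed to revert. The checks for patches 2, 3, 5 and 7 are left as None because the post does not say what instruction sits there; fill them in from IDA before pointing the script at a different title or version, since those are exactly the cases where a blind write does damage.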

Anyone is free to use my AntiBan++ implementation as long as credit is given.
I also did not encrypt or attempt to hide any of the source of this... So it can easily be reflected with .NET disassemblers. :tiphat:

Download AW 1.05 EBOOT Builder v1.5: https://mega.co.nz/#!DtpmDKgL!sk0o02GayLehb9o6diHlurhs-kzXdrn1F9j3x2XMFj4 (Mirror: https://www.mediafire.com/?y1h5j599d52jg14)
Virus Total Scan: https://www.virustotal.com/en/file/5dee7ff9c6077d212f7b380f7024a8bee27e5ed24c08db40d625d40ee12b8452/analysis/1419073495/

Download CLEAN AW 1.05 .ELF: https://mega.co.nz/#!25Bg1LaL!OSDvqVJZoQiwJz1-VOAw_GR465IW-jotI0Do61GvlBw (Mirror: http://www.mediafire.com/?roelwvltko41dtc)

MD5 Hashes:

ZIP = 7ea6b4fe8a7f14ba00573cadc40f1643
ELF = c4a19d6555dc52fbb39d9f8c5f78b3b4

(MD5 is fine for spotting a corrupt download but is not collision-resistant; the VirusTotal link above identifies the scanned file by its SHA-256 if you want a stronger check.)

Getting Error 0x80010017?
I've been told that people experiencing this issue have been able to resolve it by using 'Iris Man'.

RTM Builders Notice
If you're going to build an AntiBan into an RTM tool, tell the user to apply it BEFORE they log in, not while or after.

Change Log:

v1.5 - Fixed BLES build issues and added an alert for working around 0x80010017 if experienced.
v1.4 - The Advanced UAV tab in previous versions was just UAV; corrected the offset and added normal UAV functionality. Added NPUB/NPES support as well. Also adjusted the way the EBOOT is built to help prevent error 0x80010017. Let me know if you had that error and whether this resolves it.
v1.3 - Added Attach Freeze Fix - Credits to Tustin!
v1.2 - Turns out err 8001007 was for DEX/DEBUG EBOOTs. Was spitting out 3kb EBOOTs, lol. Fixed.
v1.1 - Adjusted some vars for building the EBOOT. Might fix err 8001007.
v1.0 - Initial Release