a guest Jun 19th, 2019 131 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
- TL;DR: TacoNBanana employs a LUA script called gcap that can not only view your screen, but your steam overlay and any window sitting in front of it, enabling them to read your chats. This has been utilized for years (possibly dating back to the beginning of the last HL2 iteration) to eavesdrop on personal conversations.
- I know about this because Bennet Dyson showed me my own screen a few years ago as a joke. I kept it under my hat, and I acknowledge that this was a poor decision on my part; people should have known, long ago, that the owner of their community voyeurs on their personal discourse. However, I don’t expect my word alone to stand as evidence, particularly given recent turbulence. Proof is required. Scilicet:
- My first attempt at working out which script was being used was to look for similar functionality. ServerGuard was my first stop.
- ServerGuard is a Garry’s Mod steam administration tool similar to ULX, but with some additional features. One of these features is the ability to capture a user's screen. The purpose of this feature is to allow admins to view snapshots of the entire space in front of the game to detect overlays that may give them an advantage, however it can also be utilized to view the Steam or Discord overlay and allow conversations to be eavesdropped on in close to real time.
- In order to test this, I spun up my own server running an older version of ServerGuard, as newer ones removed Steam overlay viewing over privacy concerns.
- I didn’t hide anything in order to make it as noisy as possible and find as many ways to passively detect the script as I could. It turns out that when you don’t make an effort to hide the tool’s use, it prints in console, chat, saves data to your garry’s mod configuration, and generally makes a lot of noise.
- Most of these are easy to modify the source code to disable, but after digging through a dump of my RAM, I found a section of live memory with a very well labeled section of variables. This is on my test box:
- ServerGuard’s presence, cleanly labeled, very distinct, and unlikely to have been scrubbed during Bennet’s efforts to obfuscate ServerGuard’s use. Through this effort, I discovered that sometime in 2016-2017, “render.Capture”, the function used to pull a user's full screen, was patched to only capture the game window if it’s not buffered with “PostRender”. This meant that the old version I had would only return a black screen.
- However, I pushed on just to see if there was any evidence of use. To test, I cleaned my machine of all the local files and restarted to clear my RAM from the indicators I already found. I made sure there wasn’t any trace of it in my memory by running a fresh dump, and found two symlinks much further down the heap. I made a note to discount these if they were the only thing I could find while on TnB’s server, as they would have been false positives:
- I hopped on TRP and dumped my memory:
- Nothing but the false positive from earlier. I figured I’d have to dive a little deeper to find the information I was looking for. I loaded up a handy little injection to pull down all of TRP’s files (some information is redacted to avoid personal attribution, others because I don’t want to detail my exact methodology for dumping a server’s files - however, to cover my ass: there was no unauthorized access of TnB’s box to acquire these files).
- Proof that these are indeed TRP’s files:
- I started searching around for anything related for ServerGuard, including render.Capture and come up with nothing. I then start manually crawling through the files I pulled down. Among the addons I find gcap:
- Gcap is more or less a standalone version of ServerGuard’s screencap function, whereby the user’s screen is captured, and it’s sent back to the caller via chunked, base-64 encoded binary and decoded into a pretty HTML wrapper.
- To check this script out I grabbed myself a copy of gcap to port the code over to its modern implementation:
- Immediately, I noticed massive differences between TnB’s version and the standard distribution:
- The basic framework remained the same, with some minor differences in variables, such as victim -> gcapvictim, the HTML wrapper being unfurled, and leaving some notification functionality out of the script so as not to alert the aptly named “victim”, but the primary change is how the screen is actually captured. Where gcap uses render.Capture and PostRender to avoid capturing overlays, TnB’s version scans each individual pixel on the screen and saves the binary output to a file. That file’s data is then read off, the file is deleted, and the data is sent off using the standard mechanism of transport.
- I had to rebuild the script functionality in the modern implementation of gcap to test it. Here’s the default version of gcap:
- And here’s the version of gcap that was merged with TnB’s per-pixel capture in place of render.Capture:
- This is why the modified gcap’s use is hidden from the average user, administrators, and even some developers - it’s not used, typically, as anti-cheat, in which its presence would be a deterrent alone: every other feature has been disabled and any console log of the script’s running has been removed from its functionality because Bennet Dyson does not want the playerbase to know that he spends the vast majority of his time sitting in observe on the server while reading private conversations happening over Discord, Steam Chat, or anything else you use an overlay for.
- This custom developed solution has been used for such cute acts as eavesdropping on Gangleider and his partner’s intimate chats about their relationship (yes, Gang, hello, Bennet lied that he accidentally sent those conversations out, and didn’t intentionally tell anyone about them, let alone sent people multiple screenshots of them, myself included - sorry you had to hear it like this), watching numerous people ERP, as well as catching wind of gossip to propagate later, typically through word of mouth rather than screenshot so as to keep his source private, although with specific people in the loop he was never shy about sharing actual pictures.
- If you’ve ever wondered how something you’ve shared in confidence became public knowledge, why you had been pegged as a “troublemaker” with nebulous crimes such as “causing problems”, or simply indicted with an “ah lad” and no elaboration, it’s because Taco N Banana runs live memory spyware on your machine while you’re connected to their server in order to allow its owner to read your private chats, and has done so for close to half a decade.
- Some people may attempt to discredit this analysis with claims against my character. Admittedly, I’ve been burned by recent developments, like the repeated cloning of our servers, and am somewhat spiteful. I probably would have sat on this information indefinitely otherwise. Unfortunately, we find ourselves at this crossroads, and whatever the surrounding circumstances or recriminations are, they don’t nullify this testimony, or the facts therein.
- Good luck with Half-Life. Remember not to put anything in front of your window.
- Hugs and Kisses,
RAW Paste Data