DayZ Arbitrary Enforce Execution
In computer security, arbitrary code execution (ACE) is an attacker’s ability to execute arbitrary commands or code on a target machine or in a target process.
So recently, I have been working with Fini on his Anticheat. By “I have been working with”, I mean that he has done most of the work, and I solved this one small step. For his Anticheat to function effectively, we need to do our best to “hide” code from clients. It wouldn’t be a great Anticheat, or an easy one to update, if everyone had the Anticheat source code on their PCs. We need a way to implement it that lets us run arbitrary code during gameplay, so the server can tell the client “This is the Anticheat, run it”.
The king of arbitrary execution is being able to load new script modules into DayZ at runtime. But first, what is a script module? Most of you will be familiar with DayZ’s new concept of “Modules”. Everything in the game lives in one of 5 modules: 1_Core, 2_Gamelib, 3_Game, 4_World, and 5_Mission. These modules are compiled at startup, and each one can see the modules below it: 5_Mission can use types defined in 3_Game, but 3_Game cannot see anything from 5_Mission. A script module wraps up classes and other data structures into a sort of ring. The higher up we go (think 5_Mission), the more “helper” code we have available to do interesting things and interact with the game.
Thankfully, the developers of DayZ have left us a definition for these “Modules” in Enforce. Here is the definition found in 1_core/proto/enscript.c. Let’s go through each entry in this object.
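The listing itself did not survive in this copy of the post. The declaration below is reproduced from the shipped 1_core/proto/enscript.c as I recall it, not from the original page text; the member set matches the walkthrough that follows, but check the exact parameter names and types against the file in your own install.

```enforce
// ScriptModule as declared in 1_core/proto/enscript.c (reproduced from memory, verify locally).
class ScriptModule
{
	// Private destructor: script code cannot delete a module, so it cannot be held with 'ref' either.
	private void ~ScriptModule();

	// Dynamic call of a function. When inst == NULL the target is a global function or a
	// static method; otherwise it is a method on inst. Runs the function on a new script thread.
	proto volatile int Call(Class inst, string function, void parm);

	// Same as Call, but synchronous: the function's return value comes back through returnVal.
	proto volatile int CallFunction(Class inst, string function, out void returnVal, void parm);

	// Synchronous call where the function's arguments are packed into a Param-style class.
	proto volatile int CallFunctionParams(Class inst, string function, out void returnVal, Class parms);

	// Unload the module.
	proto native void Release();

	// Compile scriptFile into a new module that sits on top of parentModule.
	proto static native ScriptModule LoadScript(ScriptModule parentModule, string scriptFile, bool listing);
}
```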
First, we can see the destructor. It is marked as private, which in Enforce terms means we cannot delete Script Modules ourselves; it also means we can’t hold them with the ref keyword. Next, we have the Call method. This starts the named function on a new script thread and does not hand back its result. Then come CallFunction and CallFunctionParams. These two let us call a function and retrieve its return value (through an out parameter), and because the caller has to wait for that value, they run on the calling thread. Then there is the Release method, which I assume is used to unload modules at shutdown. Finally we get to LoadScript, which is a static function and the one that lets us compile a new script file into a module at runtime.
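To show how the members above fit together, here is an added example (mine, not code from the original post or from Fini’s Anticheat) that loads a script file at runtime and calls into it both ways. The ScriptModule signatures are assumed to be those quoted from 1_core/proto/enscript.c; the file path, the loader class, and the ACPayload_Check function inside the loaded file are all hypothetical, and whether LoadScript accepts a $profile: path is an assumption you should test on your own build.

```enforce
// Added example, not from the original post. Assumes the ScriptModule members described above.
//
// Constructed contents of the hypothetical file "$profile:ac_payload.c" (the script we want to
// run without shipping it in the mod's PBO):
//
//   int ACPayload_Check(string token)
//   {
//       Print("ACPayload_Check running with token " + token);
//       return token.Length();
//   }

class RuntimeModuleLoader
{
	// Plain pointer on purpose: ScriptModule's destructor is private, so 'ref' is not allowed.
	protected ScriptModule m_Module;

	// Compile scriptPath into a new module layered on top of parentModule, so code in the new
	// file can use everything parentModule (e.g. the mission module) can see. Returns false on failure.
	bool Load(ScriptModule parentModule, string scriptPath)
	{
		m_Module = ScriptModule.LoadScript(parentModule, scriptPath, false);
		if (!m_Module)
		{
			Error("LoadScript failed for " + scriptPath);
			return false;
		}
		return true;
	}

	// Synchronous path: CallFunction runs ACPayload_Check on this thread and hands its
	// return value back through the out parameter. inst == NULL selects a global function.
	int CheckSync(string token)
	{
		int result = -1;
		if (m_Module)
		{
			m_Module.CallFunction(NULL, "ACPayload_Check", result, token);
		}
		return result;
	}

	// Fire-and-forget path: Call starts ACPayload_Check on a new script thread; no result comes back.
	void CheckAsync(string token)
	{
		if (m_Module)
		{
			m_Module.Call(NULL, "ACPayload_Check", token);
		}
	}

	// Drop the module when we are done with it (Release is assumed to unload it).
	void Unload()
	{
		if (m_Module)
		{
			m_Module.Release();
			m_Module = NULL;
		}
	}
}

// Hypothetical usage from somewhere that already has a handle on the mission's module:
//
//   RuntimeModuleLoader loader = new RuntimeModuleLoader();
//   if (loader.Load(missionModule, "$profile:ac_payload.c"))
//   {
//       int n = loader.CheckSync("abc");   // expected to return 3 for the constructed payload above
//       loader.CheckAsync("abc");
//       loader.Unload();
//   }
```

One design note for anyone building on this: whatever channel delivers the script text to the client is now the trust boundary. A client that will compile and run any file it is told to run will do so for a malicious server, a tampered file on disk, or anything in between, so the delivery path needs its own integrity check (at minimum, only load files from a location the client controls, and verify their contents against something the client trusts before calling LoadScript).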
On the next page, we’ll figure out how to make use of this object.