Yet another bug in VAC module family 20150609-214236

Found yet another bug in VAC module family 20150609-214236, and again it can be used to prevent VAC from successfully scanning a file.[1] This time it’s a divide-by-zero exception (EXCEPTION_INT_DIVIDE_BY_ZERO). The problem lies in the function VAC uses to read the headers and overlay (to initialize the PE file class). Basically, VAC attempts to add the file overlay (if any) as a fake section in its PE class (presumably to make the hashing/scanning/etc. logic simpler, as no special handling for overlays is needed after doing this), and to do so it needs to align the new section correctly. However, the alignment calculation function involves a division, and it doesn’t check whether IMAGE_OPTIONAL_HEADER::SectionAlignment is non-zero before using it as the divisor.

Alignment function here:

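.text:10002782 mov eax, [esp+value]      ; eax = value to align
.text:10002786 xor edx, edx              ; zero the high half of the edx:eax dividend
.text:10002788 mov ecx, [esp+alignment]  ; ecx = alignment, used as the divisor
.text:1000278C dec eax
.text:1000278D add eax, ecx              ; eax = value - 1 + alignment
.text:1000278F div ecx                   ; no zero check on ecx before dividing
.text:10002791 imul eax, ecx             ; eax = quotient * alignment (value rounded up)
.text:10002794 retn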
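The same round-up calculation in C, next to a checked variant that reports a zero alignment or a 32-bit overflow as a parse failure instead of faulting. This is an added example, not code from the post or from VAC; the function names and the sample values in main() are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* C equivalent of the disassembled routine: rounds value up to a multiple
 * of alignment. Dividing by alignment == 0 raises a divide-by-zero
 * exception, exactly as the `div ecx` instruction does. */
uint32_t align_up_unchecked(uint32_t value, uint32_t alignment)
{
    return ((value - 1 + alignment) / alignment) * alignment;
}

/* Checked variant (hypothetical name): returns false for input a PE parser
 * should treat as malformed, so the caller can reject the file cleanly. */
bool align_up_checked(uint32_t value, uint32_t alignment, uint32_t *out)
{
    if (alignment == 0)
        return false;                 /* untrusted header field was zero */

    uint32_t rem = value % alignment;
    if (rem == 0) {
        *out = value;                 /* already aligned */
        return true;
    }

    uint32_t pad = alignment - rem;
    if (value > UINT32_MAX - pad)
        return false;                 /* aligned result would wrap past 32 bits */

    *out = value + pad;
    return true;
}

int main(void)
{
    /* Constructed sample inputs: {value, alignment read from the header}. */
    const uint32_t cases[][2] = {
        {0x1234, 0x1000}, {0x2000, 0x1000}, {0x1234, 0}, {0xFFFFF001u, 0x1000},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t aligned = 0;
        bool ok = align_up_checked(cases[i][0], cases[i][1], &aligned);
        printf("value=0x%08X alignment=0x%08X -> ", (unsigned)cases[i][0], (unsigned)cases[i][1]);
        if (ok)
            printf("0x%08X\n", (unsigned)aligned);
        else
            printf("rejected as malformed\n");
    }
    return 0;
}
```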

[1] Just a note that I haven’t actually tested what the backend reaction is to this. I was thinking about it and I’m guessing it will probably result in a kick (i.e. “VAC Authentication Error”), but I’d have to test it to be sure.

3 thoughts on “Yet another bug in VAC module family 20150609-214236”

  1. jimmydorry

    Not particularly surprised.

    I recall there were a whole slew of VAC Authentication Errors in CS:GO earlier this year. I’m guessing the fix was to stop shipping that VAC module.

    I’ll dig through the history a bit later.

    1. raptorfactor Post author

      Interesting, if you happen to remember which module it was I’d love to know. This particular module is still active.

  2. Pingback: Two more bugs in VAC module family 20150609-214236 | The Raptor Factor
