{"id":30596084,"url":"https://github.com/islipnot/vackit","last_synced_at":"2025-08-29T21:15:00.799Z","repository":{"id":310474709,"uuid":"1039922507","full_name":"islipnot/VacKit","owner":"islipnot","description":"Valve Anti-Cheat analysis kit. Automatic parameter decryption and module identification. String/ICE decryption included.","archived":false,"fork":false,"pushed_at":"2025-08-25T16:42:32.000Z","size":262,"stargazers_count":6,"open_issues_count":0,"forks_count":2,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-08-25T18:30:36.064Z","etag":null,"topics":["cs2","gamehacking","reverse-engineering","vac","valve-anti-cheat"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/islipnot.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-18T07:30:43.000Z","updated_at":"2025-08-25T16:42:35.000Z","dependencies_parsed_at":"2025-08-18T11:35:40.261Z","dependency_job_id":"1e92a0f2-8788-4aa7-8282-111b5a5401ea","html_url":"https://github.com/islipnot/VacKit","commit_stats":null,"previous_names":["islipnot/vackit"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/islipnot/VacKit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/islipnot%2FVacKit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/islipnot%2FVacKit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/islipnot%2FVacKit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/repositories/islipnot%2FVacKit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/islipnot","download_url":"https://codeload.github.com/islipnot/VacKit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/islipnot%2FVacKit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272765516,"owners_count":24989397,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-29T02:00:10.610Z","response_time":87,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cs2","gamehacking","reverse-engineering","vac","valve-anti-cheat"],"created_at":"2025-08-29T21:15:00.278Z","updated_at":"2025-08-29T21:15:00.793Z","avatar_url":"https://github.com/islipnot.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# VacLogger\n\nThis VAC logger must be injected into `steam.exe` (steam must have admin) before any game is launched. It will log various WinApi\nfunctions used in VAC modules, more importantly though, it hooks steam's call to `_runfunc@20`. When runfunc is called, it will \nuse pattern scanning to detect which module it is in. It will then hook into the modules ICE decryption routine, where it will\ndump ONLY the decrypted module parameters, ignoring import decryption. 
The `IceKey::decrypt` hook tracks the routine progress \nallowing for automatic separation and labeling of output, and like I already said, allowing for it to ignore import decryption. \nIt should also be noted that the call to runfunc is logged on its own along with the other API logs, and logs which module the \nfunction belongs to. The encrypted parameters are also dumped because there are technically a few bytes that aren't encrypted \nand are used, though it's not very relevant.\n\nThis is of course all based on my personal dumps of the anti-cheat, and if the pattern scanning fails for you, you simply need \nto update the patterns. First off, in hooks.cpp, make sure the pattern used to locate the runfunc call works. Next, check tools.cpp \nand make sure all of the patterns in `ModuleIndexFromPtr` are good. If these aren't working for you simply get a unique pattern \nfrom your own dumps that can be used to identify the modules. The way to tell if the module signatures are outdated is by looking at \n`vLog.txt`, and if the runfunc log doesn't have a number next to it indicating which module it is, that means it failed to identify it.\n\nAPI/runfunc call logs are logged in `vLog.txt`, decrypted parameters are logged in `pdLog.txt`, and encrypted parameters are logged \nin `pLog.txt`. All of these log files are in the steam directory. It should also be noted you can add your own API logs very easily \nby just adding a new `CreateHookApi` call in `ThreadEntry`, which obviously requires that you write a hook in hooks.cpp.\n\n# SigTester\n\nThis allows you to easily create unique module signatures, which can be used for self identification within the hooks in the \nVAC logger. You must place every VAC dll in the directory of the compiled binary, and they must be named VAC-1.dll - VAC-14.dll, \nor however many dlls you want to scan. The number of dlls should match the number of signatures. 
\n\nA really good way to get unique signatures is copying the bytes of encrypted strings, which are entirely unique to the modules \nthey're present in. Another good way is finding register based calls to encrypted imports, because most modules have at least a \ncouple functions that only they call.\n\n# StrDecrypt\n\nThis allows you to easily decrypt strings found in VAC modules. You must identify the key and decryption type (XOR or ROL), \nwhich can be done by xrefing the encrypted string and looking for a while loop that looks like one of the two below.\n\n### ROL decryption\n```C\nv7 = Advapi32dll[0];\nif ( Advapi32dll[0] )\n{\n  v8 = Advapi32dll;\n  do\n  {\n    *v8++ = __ROL1__(v7, 3);\n    v7 = *v8;\n  }\n  while ( *v8 );\n}\n```\n\n### XOR decryption\n```C\nv42 = NtReadVirtualMemory;\nv43 = 104;\ndo\n{\n  *v42++ = v43 ^ 38;\n  v43 = *v42;\n}\nwhile ( *v42 );\n```\n\n## Usage\nArgument format: \\\u003cstring\\\u003e \\\u003ctype\\\u003e \\\u003ckey\\\u003e \u003c/br\u003e\nTypes: r == ROL, x == XOR \u003c/br\u003e\nString should be surrounded by quotes for safety.\n\n# IceDecrypt\n\nThis allows you to take a block of ICE encrypted memory and decrypt it easily. It's a little harder to use than StrDecrypt, first \nyou must get a BYTE array of the encrypted block (use ChatGPT to format it after pasting from IDA or x64dbg), which you then must \npaste into ice.hpp in place of the \"data\" variable at the end of the file. You also must dump the decryption key, which can be done \nvery easily by using VacLogger to dump the encryption key, though you'll have to change the code a bit to have it do that.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fislipnot%2Fvackit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fislipnot%2Fvackit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fislipnot%2Fvackit/lists"}