The findings documented here are associated with the technical deep-dive article published on back.engineering, which provides a comprehensive analysis of how Ring-1.io operates at a low level.
We provide this level of deep reverse engineering to anti-cheat vendors and game studios. Our work focuses on identifying, dissecting, and helping mitigate sophisticated cheat platforms operating at the kernel, firmware, and virtualization layers. Organizations interested in these services are encouraged to reach out: contact@back.engineering.
| Contributor | Profiles | Role |
|---|---|---|
| IDontCode | X | Analysis Lead |
| noahware | | Hypervisor Analysis, DLL Injection Analysis, Detections |
| Eggsy | | Cheat Components, Kernel Hook Analysis |
| AVX | GitHub | Detections |
- `apex-cheat.bin` - Game cheat module injected into Apex Legends
- `battlebit-cheat.bin` - Game cheat module injected into BattleBit Remastered
- `bootloader-implant-deobfuscated.bin` - Decompressed, decrypted, and partially deobfuscated bootloader implant
- `bootloader-implant-deobfuscated.i64` - IDA Pro database containing the full analysis of the fully deobfuscated bootloader implant
- `bootloader-implant-obfuscated.bin` - Obfuscated version of the implant
- `bootmgfw.bin` - Modified bootmgfw.efi
- `cod6-cheat.bin` - Game cheat module injected into COD6
- `eft-cheat.bin` - Game cheat module injected into EFT
- `grayzone-cheat.bin` - Game cheat module injected into grayzone
- `loader-deobfuscated.bin` - Deobfuscated loader
- `r6-cheat.bin` - Game cheat module injected into R6
The deobfuscation of the bootloader implant and loader was performed using our in-house BLARE2 framework. BLARE2 is a binary manipulation platform that we have developed and actively maintain.
BLARE2 is the same framework we leverage to build:
- CodeDefender - Our enterprise-grade binary obfuscation solution
- SigBreaker - Advanced signature evasion toolkit
This material is provided for educational and research purposes only. The analysis and artifacts contained in this repository are intended to advance the security community's understanding of advanced threats and bootkit technologies.