Bypass Record

Tamper-Protection Bypass × Arxan integrity protection (as used in Call of Duty: Cold War)

A publicly reported instance of a Tamper-Protection Bypass against Arxan integrity protection (as used in Call of Duty: Cold War), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Arxan integrity protection (as used in Call of Duty: Cold War)
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-08-31
Config / version noted: Not stated

Provenance

Reported as: CWHook is a proof-of-concept tool that circumvents Arxan's integrity checks in Call of Duty: Cold War.

Mechanism

Bypasses Arxan's integrity checks by fixing checksums and creating inline assembly stubs to heal checksums, preventing detection of reverse engineering tools and allowing debugging software to attach. Targets the specific game version supported by Donetsk Defcon.

Detection & mitigation

Monitor for unexpected modifications to game binaries or memory regions protected by integrity checks, such as checksum mismatches or inline hook stubs, using file integrity monitoring and memory scanning. Mitigate by enforcing application whitelisting and keeping anti-tamper solutions updated to detect healing techniques.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.