Breaking the SQF Firewall

SQF Execution Exploit

So, we’ve bypassed the SQF firewall. Not only that, but our code is automatically triggered the second we start loading into the server.

Obviously, this is one of the most complex exploits I’ve built for Arma. It takes multiple history lessons in SQF exploiting & a long-standing hidden mistake within the engine to create. I haven’t pushed the limits of this exploit yet. To be honest, it’s quite overwhelming how intricate it is. From exploiting Draw event handlers to abusing the order in which the firewall kills events and threads, small changes to the code could completely alter how it operates (or if it works!). I can imagine ways of making the code harder to detect, randomizing the uiNamespace variables, making some of the variables hidden as I’ve shown in past posts.

This exploit I would argue is much worse than others that I have posted about in the past. The SQF code that is snuck through the firewall can be executed before any SQF anticheat (like InfiStar) has a chance to start on the client. This provides ample ways to cripple server-side SQF based anticheats. As well, firewall bypassing is not something a server can “block”. They have to detect it. I would recommend using BattlEye filters to catch this style of bypassing. By including inGameUISetEventHandler into the scripts.txt, I think, and I emphasize think, this method could be detected by a server. However, by proving that the firewall can be bypassed this way, I am confident that there are other means of bypassing it.

Bohemia needs to take a very good look at the order in which they kill events and sqf threads when connecting to an MP session.

My next post will cover another method of bypassing the firewall that is a little easier to detect but has a much larger impact on the security for servers.

Liked it? Take a second to support Lystic on Patreon!
About Lystic 23 Articles
ArmA Scripter. Former cheater. Always have security in mind.