
Feature request: More natural mouse movement in automated interactions #1542

Open
seanthegeek opened this issue May 25, 2023 · 1 comment

@seanthegeek
Contributor

One of the few pafish sandbox detections that fire on CAPE is "Sandbox traced by missing mouse movement or supernatural speed". The source code for this detection is https://github.com/a0rtega/pafish/blob/b497899ff355ea7b9ecc1f5cd34a9fd1def02aec/pafish/rtt.c#L72

@kevoreilly
Owner

I just took a look at Pafish, latest 32-bit release 9e7d694ed87ae95f9c25af5f3a5cea76188cd7c1c91ce49c92e25585f232d98e.

My first observation is that the mouse movement function fails for both zero movement and 'supernatural' movement, so it's difficult to differentiate based solely on the tool's output. I considered recompiling with more output, but instead opted for an instruction trace to see exactly what happens during experimentation:

yarascan=0,bp0=0x4F63,bp1=0x5080,action1=stop

The yarascan option is just to suppress the existing bypass yara from interfering. The other options capture the entire execution of the rtt_mouse_speed_limit() function.

Unfortunately, I observed that even with 'Disable automated interaction' selected to suppress the auxiliary human.py, this function still fails with 'supernatural' speed:

CAPE Sandbox - Debugger log: Tue Feb  6 14:43:08 2024
Breakpoint 0 hit by instruction at 0x00404F63 (thread 4564) EAX=0x404f63 "U" EBX=0x2000800 ECX=0xffffffff EDX=0x1d ESI=0x2f EDI=0x26911c4 ESP=0x62f93c *ESP=0x402788 EBP=0x62f968
Break at 0x00404F63 in pafish.exe (RVA 0x4f63, thread 4564, ImageBase 0x00400000)
0x00404F63  55                       PUSH      EBP                            ESP=0x62f938 "h" *ESP=0x62f968
0x00404F64  89E5                     MOV       EBP, ESP                       EBP=0x62f938 "h"
0x00404F66  83EC48                   SUB       ESP, 0x48                      ESP=0x62f8f0 *ESP=0x0
0x00404F69  C745F4B80B0000           MOV       DWORD [EBP-0xc], 0xbb8        
0x00404F70  C745EC0A000000           MOV       DWORD [EBP-0x14], 0xa         
0x00404F77  C745F000000000           MOV       DWORD [EBP-0x10], 0x0         
0x00404F7E  C7042410000000           MOV       DWORD [ESP], 0x10             
0x00404F85  A130854100               MOV       EAX, [0x418530]                EAX=0x76874d10
0x00404F8A  FFD0                     CALL      GetSystemMetrics               EAX=0x500 ECX=0x500 EDX=0x30 ESP=0x62f8f4 *ESP=0x0
0x00404F8C  83EC04                   SUB       ESP, 0x4                       ESP=0x62f8f0 *ESP=0x0
0x00404F8F  89C1                     MOV       ECX, EAX                      
0x00404F91  BA67666666               MOV       EDX, 0x66666667                EDX=0x66666667
0x00404F96  89C8                     MOV       EAX, ECX                      
0x00404F98  F7EA                     IMUL      EDX                            EAX=0x300 EDX=0x200
0x00404F9A  89D0                     MOV       EAX, EDX                       EAX=0x200
0x00404F9C  D1F8                     SAR       EAX, 0x1                       EAX=0x100
0x00404F9E  C1F91F                   SAR       ECX, 0x1f                      ECX=0x0
0x00404FA1  89CA                     MOV       EDX, ECX                       EDX=0x0
0x00404FA3  29D0                     SUB       EAX, EDX                      
0x00404FA5  8945E8                   MOV       [EBP-0x18], EAX               
0x00404FA8  C7042411000000           MOV       DWORD [ESP], 0x11             
0x00404FAF  A130854100               MOV       EAX, [0x418530]                EAX=0x76874d10
0x00404FB4  FFD0                     CALL      GetSystemMetrics               EAX=0x2e1 ECX=0x2e1 EDX=0x2e1 ESP=0x62f8f4 *ESP=0x0
0x00404FB6  83EC04                   SUB       ESP, 0x4                       ESP=0x62f8f0 *ESP=0x0
0x00404FB9  89C1                     MOV       ECX, EAX                      
0x00404FBB  BA67666666               MOV       EDX, 0x66666667                EDX=0x66666667
0x00404FC0  89C8                     MOV       EAX, ECX                      
0x00404FC2  F7EA                     IMUL      EDX                            EAX=0xccccce87 EDX=0x126
0x00404FC4  89D0                     MOV       EAX, EDX                       EAX=0x126
0x00404FC6  D1F8                     SAR       EAX, 0x1                       EAX=0x93
0x00404FC8  C1F91F                   SAR       ECX, 0x1f                      ECX=0x0
0x00404FCB  89CA                     MOV       EDX, ECX                       EDX=0x0
0x00404FCD  29D0                     SUB       EAX, EDX                      
0x00404FCF  8945E4                   MOV       [EBP-0x1c], EAX               
0x00404FD2  8D45D4                   LEA       EAX, [EBP-0x2c]                EAX=0x62f90c
0x00404FD5  890424                   MOV       [ESP], EAX                    
0x00404FD8  A120854100               MOV       EAX, [0x418520]                EAX=0x76865750
0x00404FDD  FFD0                     CALL      GetCursorPos                   EAX=0x1 ECX=0x2a410001 EDX=0xc0000029 ESP=0x62f8f4 *ESP=0x0
0x00404FDF  83EC04                   SUB       ESP, 0x4                       ESP=0x62f8f0 *ESP=0x0
0x00404FE2  EB7F                     JMP       0x81                          
0x00405063  837DF400                 CMP       DWORD [EBP-0xc], 0x0          
0x00405067  0F8577FFFFFF             JNZ       0xffffff7d                    
0x00404FE4  8B45EC                   MOV       EAX, [EBP-0x14]                EAX=0xa
0x00404FE7  890424                   MOV       [ESP], EAX                    
0x00404FEA  A1EC834100               MOV       EAX, [0x4183ec]                EAX=0x754f0f00
0x00404FEF  FFD0                     CALL      Sleep                          EAX=0x0 ECX=0x2df3a281 EDX=0x2b8000 "P" ESP=0x62f8f4 *ESP=0x0
0x00404FF1  83EC04                   SUB       ESP, 0x4                       ESP=0x62f8f0 *ESP=0x0
0x00404FF4  8D45CC                   LEA       EAX, [EBP-0x34]                EAX=0x62f904
0x00404FF7  890424                   MOV       [ESP], EAX                    
0x00404FFA  A120854100               MOV       EAX, [0x418520]                EAX=0x76865750
0x00404FFF  FFD0                     CALL      GetCursorPos                   EAX=0x1 ECX=0x2a410001 EDX=0xc00002f8 ESP=0x62f8f4 *ESP=0x0
0x00405001  83EC04                   SUB       ESP, 0x4                       ESP=0x62f8f0 *ESP=0x0
0x00405004  8B45D4                   MOV       EAX, [EBP-0x2c]                EAX=0x2de
0x00405007  8B55CC                   MOV       EDX, [EBP-0x34]                EDX=0x44f
0x0040500A  29D0                     SUB       EAX, EDX                       EAX=0xfffffe8f
0x0040500C  8945E0                   MOV       [EBP-0x20], EAX               
0x0040500F  8B45D8                   MOV       EAX, [EBP-0x28]                EAX=0x8
0x00405012  8B55D0                   MOV       EDX, [EBP-0x30]                EDX=0x2f8
0x00405015  29D0                     SUB       EAX, EDX                       EAX=0xfffffd10
0x00405017  8945DC                   MOV       [EBP-0x24], EAX               
0x0040501A  837DE000                 CMP       DWORD [EBP-0x20], 0x0         
0x0040501E  7506                     JNZ       0x8                           
0x00405026  8345F001                 ADD       DWORD [EBP-0x10], 0x1         
0x0040502A  8B45E0                   MOV       EAX, [EBP-0x20]                EAX=0xfffffe8f
0x0040502D  99                       CDQ                                      EDX=0xffffffff
0x0040502E  89D0                     MOV       EAX, EDX                       EAX=0xffffffff
0x00405030  3345E0                   XOR       EAX, [EBP-0x20]                EAX=0x170
0x00405033  29D0                     SUB       EAX, EDX                       EAX=0x171
0x00405035  3945E8                   CMP       [EBP-0x18], EAX               
0x00405038  7D17                     JGE       0x19                          
0x0040503A  8B45DC                   MOV       EAX, [EBP-0x24]                EAX=0xfffffd10
0x0040503D  99                       CDQ                                     
0x0040503E  89D0                     MOV       EAX, EDX                       EAX=0xffffffff
0x00405040  3345DC                   XOR       EAX, [EBP-0x24]                EAX=0x2ef
0x00405043  29D0                     SUB       EAX, EDX                       EAX=0x2f0
0x00405045  3945E4                   CMP       [EBP-0x1c], EAX               
0x00405048  7D07                     JGE       0x9                           
0x0040504A  B801000000               MOV       EAX, 0x1                       EAX=0x1
0x0040504F  EB2E                     JMP       0x30                          
0x0040507F  C9                       LEAVE                                   Breakpoint 1 hit by instruction at 0x00405080 (thread 4564) ESP=0x62f93c *ESP=0x402788 EBP=0x62f968
0x00405080  C3                       RET                                     
ActionDispatcher: stopping trace.

Here the jge at the end corresponds to the source abs(dy) > my, which shows that the check for excessive movement between subsequent calls to GetCursorPos is failing, despite there being no automated interaction at all!

I am currently stumped as to why this is occurring, which has temporarily scuppered my attempts to fix this with changes to human.py.
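The check as it appears in the trace above, modelled in Python so the thresholds and the failing sample can be replayed offline. This is an added example for this thread, not code from pafish or CAPE. Everything in mouse_speed_limit() is read off the trace: GetSystemMetrics(0x10)/(0x11) divided by 5 (the 0x66666667 multiply followed by SAR 1 is the compiler's idiom for a signed divide by 5), a 0xbb8-iteration loop with Sleep(0xa), a move counter bumped when dx != 0, and the two JGE checks that fire only when both abs(dx) > mx and abs(dy) > my. The "no mouse movement" verdict after the loop is assumed from the detection's name and is not visible in the trace, which stops at the early return. humanized_path() is an assumed mitigation for a sandbox-side mouse mover, not human.py's logic: it splits a cursor jump into per-tick steps that stay below the per-sample thresholds.

```python
"""Model of pafish's rtt_mouse_speed_limit() as reconstructed from the
CAPE instruction trace in this thread (added example, not pafish/CAPE code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Point = Tuple[int, int]

ITERATIONS = 0xBB8   # [EBP-0xc] initial value: 3000 GetCursorPos samples
SLEEP_MS = 0xA       # [EBP-0x14]: Sleep(10) between samples (30 s total)


@dataclass
class Verdict:
    detected: bool
    reason: Optional[str]
    step: Optional[int]   # loop iteration at which the early return fired


def thresholds(screen_w: int, screen_h: int) -> Point:
    """mx = SM_CXSCREEN / 5, my = SM_CYSCREEN / 5 (IMUL 0x66666667; SAR 1)."""
    return screen_w // 5, screen_h // 5


def mouse_speed_limit(samples: Iterable[Point], screen_w: int, screen_h: int) -> Verdict:
    """Replay the loop body from the trace over a sequence of cursor positions.

    The first sample is the GetCursorPos() before the loop; each following
    sample is one GetCursorPos() after a Sleep(10)."""
    mx, my = thresholds(screen_w, screen_h)
    it = iter(samples)
    p1 = next(it)
    moves = 0
    for step in range(ITERATIONS):
        try:
            p2 = next(it)
        except StopIteration:
            break                      # shorter sample set: treat as loop end
        dx, dy = p1[0] - p2[0], p1[1] - p2[1]      # SUB EAX, EDX on x and y
        if dx != 0:
            moves += 1                 # ADD DWORD [EBP-0x10], 1
        # CMP [EBP-0x18], EAX / JGE ... then CMP [EBP-0x1c], EAX / JGE ...:
        # the early 'return 1' is reached only when both comparisons fail.
        if abs(dx) > mx and abs(dy) > my:
            return Verdict(True, "supernatural speed", step)
        p1 = p2
    if moves == 0:                     # assumed post-loop check, not in the trace
        return Verdict(True, "no mouse movement", None)
    return Verdict(False, None, None)


def trace_case() -> Verdict:
    """The concrete values captured in the trace: 1280x737 screen, first cursor
    read (0x2de, 0x8), second read (0x44f, 0x2f8) ten milliseconds later."""
    screen_w, screen_h = 0x500, 0x2E1
    samples = [(0x2DE, 0x8), (0x44F, 0x2F8)]
    return mouse_speed_limit(samples, screen_w, screen_h)


def humanized_path(start: Point, end: Point, screen_w: int, screen_h: int,
                   fraction: float = 0.5) -> List[Point]:
    """Assumed mitigation for an automated mouse mover: interpolate a jump so
    that no single per-tick step exceeds `fraction` of the mx/my thresholds.
    Returns the list of positions to set, one per 10 ms tick, start included."""
    mx, my = thresholds(screen_w, screen_h)
    max_dx = max(1, int(mx * fraction))
    max_dy = max(1, int(my * fraction))
    dx, dy = end[0] - start[0], end[1] - start[1]
    # number of ticks needed so both axes stay within their per-tick budget
    n = max(1, -(-abs(dx) // max_dx), -(-abs(dy) // max_dy))
    return [(start[0] + round(dx * k / n), start[1] + round(dy * k / n))
            for k in range(n + 1)]


if __name__ == "__main__":
    print("thresholds for 1280x737:", thresholds(0x500, 0x2E1))
    print("trace sample:", trace_case())
    path = humanized_path((0x2DE, 0x8), (0x44F, 0x2F8), 0x500, 0x2E1)
    print(f"same jump over {len(path) - 1} ticks:", mouse_speed_limit(path, 0x500, 0x2E1))
```

Replaying the trace values gives mx = 256 and my = 147, a cursor delta of (-369, -752) between two reads 10 ms apart, and therefore the early return on the very first iteration, exactly where the log shows the JGE falling through. Because the early return needs both axes to exceed their threshold, any mover that keeps even one axis under mx or my per tick will not trip it, but the interpolation above bounds both so the margin does not depend on the direction of the jump.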
