4Story Global - OEP Fixer
Discussion on 4Story Global - OEP Fixer within the 4Story Hacks, Bots, Cheats & Exploits forum part of the 4Story category.
11/01/2013, 17:12
#1
4Story Global - OEP Fixer
Hi,
I'm currently testing some games for reverse engineering and I wanted to take a look at 4Story. Since the Global 4Story client is packed with ASProtect and has a broken EP after unpacking it with _stripperX, I decided to create a patcher for the client. It's
not a bypass! To bypass GameGuard you have to reverse it yourself.
This is how the EntryPoint of TClient.exe looks like after unpacking it with _stripperX:
This is a picture of my Fixer:
Just put it into your Global 4Story folder (or wherever your _TClient.exe, unpacked with _stripperX, is located), start it and press Fix (if you want a backup, just check the checkbox).
To get _stripperX for ASProtect, take a look on exetools or google it.
.rar password ( for both .rar files ): epvp_tension
Fixer.asm:
Code:
;4Story OEP Fixer, Ten$ion 2013
;Coded in MASM, everything has been reversed by Ten$ion
;=============> CONST <=============;
.const
;ProtoTypes
; Forward declarations so that `invoke` can be used on the procedures defined
; further down. Every argument is declared as a 32-bit DWORD, pointers included.
FindData proto :DWORD, :DWORD, :DWORD, :DWORD
CheckFile proto :DWORD
PatchClient proto :DWORD, :DWORD
;===================================;
;==============> DATA <=============;
.data
;Strings
; File name of the backup copy that PatchClient creates when dwBackup == 1.
; It is a relative name, so it resolves against the current directory.
szBackupName db '_TClient.bak',0
;DWORDs
; All three are filled in by PatchClient:
;   dwOEP      - value written to OptionalHeader.AddressOfEntryPoint
;   dwOEPPatch - file offset where bOEP_Patch is written
;   dwCmdPatch - file offset where bCmd_Patch is written (dwOEPPatch + 105h)
dwOEP DWORD 0
dwOEPPatch DWORD 0
dwCmdPatch DWORD 0
;Bytes
;SearchMasks
; Byte signature that PatchClient searches for in the file image.
; 59 59 C3 decodes as pop ecx / pop ecx / ret, followed by zero bytes.
; PatchClient passes a pattern length of 8 to FindData, so only the first
; 8 of these 10 bytes are actually compared.
bOEP db 059h, 059h, 0C3h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
;Patches
; 7 bytes written at (match offset + 3), i.e. over the bytes that follow the
; matched ret: 6A 60 / 6A 00 / 90 90 90 = push 60h / push 0 / nop x3.
bOEP_Patch db 06Ah, 060h, 06Ah, 00h, 90h, 90h, 90h
; 6 bytes written 105h past the first patch:
; B8 00 00 00 00 / 90 = mov eax, 0 / nop.
; NOTE(review): which original instruction this replaces is not visible here.
bCmd_Patch db 0B8h, 00h, 00h, 00h, 00h, 90h
;===================================;
;==============> CODE <=============;
.code
;=================;
;FindData
;=================;
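;-----------------------------------------------------------------------
; FindData - locate the first occurrence of a byte pattern in a buffer.
;
; Syntax: MASM (Intel operand order), 32-bit.
; In:    input  = address of the buffer to scan
;        search = address of the pattern bytes
;        len    = size of the buffer in bytes
;        s_len  = number of pattern bytes to compare
; Out:   eax = zero-based offset of the first complete match, or
;              0FFFFFFFFh (-1) when nothing matches, the pattern is empty,
;              or the pattern is longer than the buffer
; Clobb: ecx, edx, flags (ebx, esi, edi are saved by the `uses` clause)
;
; Only start offsets 0 .. len - s_len are tried, so no byte beyond
; input[len - 1] is ever read. Lengths are compared as unsigned values.
;-----------------------------------------------------------------------
FindData proc uses ebx esi edi input:DWORD, search:DWORD, len:DWORD, s_len:DWORD
        mov     eax, 0FFFFFFFFh         ; default result: not found

        mov     ecx, s_len
        test    ecx, ecx
        jz      @fd_done                ; empty pattern: nothing to look for

        mov     edx, len
        cmp     edx, ecx
        jb      @fd_done                ; pattern cannot fit into the buffer
        sub     edx, ecx                ; edx = last valid start offset

        mov     esi, input              ; esi = start of the current window
        mov     edi, search             ; edi = pattern
        xor     ebx, ebx                ; ebx = offset of the current window

@fd_window:
        xor     ecx, ecx                ; ecx = index inside the pattern
@fd_compare:
        mov     al, byte ptr [esi + ecx]
        cmp     al, byte ptr [edi + ecx]
        jne     @fd_advance
        inc     ecx
        cmp     ecx, s_len
        jb      @fd_compare

        mov     eax, ebx                ; all s_len bytes matched
        jmp     @fd_done

@fd_advance:
        inc     esi
        inc     ebx
        cmp     ebx, edx
        jbe     @fd_window

        ; A partial match must not leak out as a result: report "not found".
        mov     eax, 0FFFFFFFFh
@fd_done:
        ret
FindData endp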
;=================;
;CheckFile
;=================;
;-----------------------------------------------------------------------
; CheckFile - test whether a file system entry matches the given name.
;
; In:    szFileName = address of a zero-terminated path, handed to
;                     FindFirstFile unchanged
; Out:   eax = 0 when FindFirstFile returns INVALID_HANDLE_VALUE,
;              otherwise the (non-zero) search handle value
; Note:  the search handle is closed before returning, so the value in eax
;        is only a found/not-found indicator and must not be used as a handle.
;-----------------------------------------------------------------------
CheckFile proc szFileName:DWORD
        LOCAL findInfo:WIN32_FIND_DATA
        LOCAL hFind:DWORD

        invoke  FindFirstFile, szFileName, addr findInfo
        mov     hFind, eax
        .if eax == INVALID_HANDLE_VALUE
            xor     eax, eax            ; nothing matched the name
            ret
        .endif

        ; Release the search handle; all registers are kept intact around the call.
        pushad
        invoke  FindClose, hFind
        popad

        mov     eax, hFind              ; non-zero => found
        ret
CheckFile endp
;=================;
;PatchClient
;=================;
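;-----------------------------------------------------------------------
; PatchClient - apply the two byte patches to the file and rewrite its
;               AddressOfEntryPoint.
;
; Syntax: MASM (Intel operand order), 32-bit.
;         Assumes the file's .model is flat, stdcall - TODO confirm.
; In:    szFileName = address of the zero-terminated path of the file to patch
;        dwBackup   = 1 to copy the file to szBackupName first, anything else
;                     to skip the backup
; Out:   eax =  1  success
;               0  CheckFile did not find the file
;              -1  DOS header missing or e_magic != IMAGE_DOS_SIGNATURE
;              -2  NT headers missing or Signature != IMAGE_NT_SIGNATURE
;              -3  the file could not be opened, read or written
;              -4  the bOEP signature was not found, or the patch offsets
;                  derived from it fall outside the file
; Side effects: sets the globals dwOEPPatch, dwCmdPatch and dwOEP.
;
; Everything is validated (file read, headers, signature, offsets) before the
; first byte is written, so a file that fails a check is left unmodified.
; The file handle and the read buffer are released on every path.
;-----------------------------------------------------------------------
PatchClient proc szFileName:DWORD, dwBackup:DWORD
        LOCAL hFile:DWORD, dwSize:DWORD, dwRW:DWORD, dwBuffer:DWORD
        LOCAL dwResult:DWORD
        LOCAL IDH:IMAGE_DOS_HEADER
        LOCAL INH:IMAGE_NT_HEADERS

        ; Known state for the shared cleanup path.
        mov     hFile, INVALID_HANDLE_VALUE
        mov     dwBuffer, 0
        mov     dwRW, 0
        mov     dwResult, 0

        invoke  CheckFile, szFileName
        test    eax, eax
        jz      @Error_NotFound

        ;Check if we want to create a Backup.
        cmp     dwBackup, 1
        jne     @no_backup
        ; NOTE(review): the CopyFile result is not checked and bFailIfExists is 0,
        ; so an existing backup is overwritten. Running the tool on an already
        ; modified file therefore replaces the clean backup - confirm intent.
        invoke  CopyFile, szFileName, addr szBackupName, 0
@no_backup:

        ;Our File
        invoke  CreateFile, szFileName, GENERIC_READ + GENERIC_WRITE, FILE_SHARE_READ + FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
        cmp     eax, INVALID_HANDLE_VALUE
        je      @Error_Open             ; hFile stays invalid: nothing to close
        mov     hFile, eax

        invoke  GetFileSize, hFile, 0
        cmp     eax, 0FFFFFFFFh         ; INVALID_FILE_SIZE
        je      @Error_IO
        test    eax, eax
        jz      @Error_DOS_Sig          ; an empty file cannot hold a DOS header
        mov     dwSize, eax

        ; The buffer only holds file data that is searched, never executed,
        ; so it is mapped read/write without execute permission.
        invoke  VirtualAlloc, 0, dwSize, MEM_COMMIT, PAGE_READWRITE
        test    eax, eax
        jz      @Error_IO
        mov     dwBuffer, eax

        invoke  ReadFile, hFile, dwBuffer, dwSize, addr dwRW, 0
        test    eax, eax
        jz      @Error_IO
        mov     eax, dwRW
        cmp     eax, dwSize
        jne     @Error_IO               ; short read: do not search a partial image

        ;Validate the headers before anything is written.
        invoke  SetFilePointer, hFile, 0, 0, FILE_BEGIN
        invoke  ReadFile, hFile, addr IDH, sizeof(IMAGE_DOS_HEADER), addr dwRW, 0
        test    eax, eax
        jz      @Error_DOS_Sig
        cmp     dwRW, sizeof(IMAGE_DOS_HEADER)
        jne     @Error_DOS_Sig
        cmp     IDH.e_magic, IMAGE_DOS_SIGNATURE
        jne     @Error_DOS_Sig

        mov     eax, IDH.e_lfanew
        cmp     eax, dwSize             ; unsigned: also rejects negative values
        jae     @Error_NT_Sig
        invoke  SetFilePointer, hFile, IDH.e_lfanew, 0, FILE_BEGIN
        invoke  ReadFile, hFile, addr INH, sizeof(IMAGE_NT_HEADERS), addr dwRW, 0
        test    eax, eax
        jz      @Error_NT_Sig
        cmp     dwRW, sizeof(IMAGE_NT_HEADERS)
        jne     @Error_NT_Sig
        cmp     INH.Signature, IMAGE_NT_SIGNATURE
        jne     @Error_NT_Sig

        ;Locate the signature (only its first 8 bytes are compared).
        invoke  FindData, dwBuffer, addr bOEP, dwSize, 8
        cmp     eax, dwSize
        jae     @Error_Pattern          ; rejects a not-found or out-of-range result
        mov     ecx, dwSize
        sub     ecx, eax                ; ecx = bytes from the match to end of file
        cmp     ecx, 3h + 105h + 6
        jb      @Error_Pattern          ; second patch would run past end of file

        add     eax, 3h                 ; first byte after the matched pop/pop/ret
        cmp     eax, 400h
        jb      @Error_Pattern          ; offset -> RVA conversion would underflow
        mov     dwOEPPatch, eax
        mov     dwCmdPatch, eax
        add     dwCmdPatch, 105h
        ; File offset -> RVA with hard-coded values.
        ; NOTE(review): presumably 400h is the raw offset and 1000h the virtual
        ; address of the section holding the match - confirm against the section table.
        sub     eax, 400h
        add     eax, 1000h
        mov     dwOEP, eax

        ;Patch the Data
        invoke  SetFilePointer, hFile, dwOEPPatch, 0, FILE_BEGIN
        invoke  WriteFile, hFile, addr bOEP_Patch, 7, addr dwRW, 0
        test    eax, eax
        jz      @Error_IO
        invoke  SetFilePointer, hFile, dwCmdPatch, 0, FILE_BEGIN
        invoke  WriteFile, hFile, addr bCmd_Patch, 6, addr dwRW, 0
        test    eax, eax
        jz      @Error_IO

        ;Patch the EntryPoint (eax is used so that no callee-saved register is touched)
        mov     eax, dwOEP
        mov     INH.OptionalHeader.AddressOfEntryPoint, eax
        invoke  SetFilePointer, hFile, IDH.e_lfanew, 0, FILE_BEGIN
        invoke  WriteFile, hFile, addr INH, sizeof(IMAGE_NT_HEADERS), addr dwRW, 0
        test    eax, eax
        jz      @Error_IO

        mov     dwResult, 1
        jmp     @cleanup

@Error_NotFound:
        mov     dwResult, 0
        jmp     @cleanup
@Error_DOS_Sig:
        mov     dwResult, -1
        jmp     @cleanup
@Error_NT_Sig:
        mov     dwResult, -2
        jmp     @cleanup
@Error_Open:
@Error_IO:
        mov     dwResult, -3
        jmp     @cleanup
@Error_Pattern:
        mov     dwResult, -4

@cleanup:
        cmp     dwBuffer, 0
        je      @no_buffer
        invoke  VirtualFree, dwBuffer, 0, MEM_RELEASE
@no_buffer:
        cmp     hFile, INVALID_HANDLE_VALUE
        je      @end
        invoke  CloseHandle, hFile
@end:
        mov     eax, dwResult
        ret
PatchClient endp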
;===================================;
Virustotal ( False positive ):
4SFix:
Attached Files
4SFix.rar
(3.0 KB, 109 views)
TClient(s).rar
(2.39 MB, 141 views)
11/01/2013, 18:03
#2
I am sorry, But what this should do ?
11/01/2013, 18:11
#3
I wrote what it does right in the first sentence. If you don't understand it, then it's nothing special for you.
11/01/2013, 21:23
#4
Na das ist aber ein Zufall ;o
Kaum schreib ich dir gestern eine PN bezüglich MASM und schon hast du hier deine Finger im Spiel ;>
11/01/2013, 21:43
#5
Hatte das Projekt schon vor ein paar Tagen angefangen jedoch hatte ich nicht genug Zeit es so schnell fertig zu schreiben wegen der Schule
Und wie du weißt ist MASM meine Hauptsprache.
11/06/2013, 22:48
#6
Kannst du vllt. hier eine unpacked posten oder mir per pn schicken? Kann mir 4StoryGSP nicht runterladen ( **** PC
)
11/07/2013, 19:19
#7
Ich habe einmal die _TClient.exe Datei hochgeladen nachdem _stripperX verwendet wurde und einmal nachdem mein Fixer drüber gelaufen ist.
Bin auch für Verbesserungsvorschläge offen oder halt Dinge die ich hinzufügen könnte ( würde ja selbst einen ASProtect Unpacker schreiben weiß aber nicht wie man das macht ( lerne aber gerade unpacking und wie man Unpacker schreibt also könnte es in Zukunft einen kompletten 4Story Unpacker geben)).
01/18/2014, 20:56
#8
Hab mal die Fixer.asm Datei reingepackt, ob ihr was damit anfangen könnt ist nicht meine Sache
01/19/2014, 01:02
#9
Quote:
Originally Posted by
Ten$ion
Hab mal die Fixer.asm Datei reingepackt, ob ihr was damit anfangen könnt ist nicht meine Sache
Das Copyright könntest du eigentlich nun aus der ersten Zeile entfernen, weil der Code ja nun für fast alle verfügbar ist
01/25/2014, 06:46
#10
tu as mis un mot de passe ?
01/26/2014, 16:45
#11
What do you mean?