[Tutorial] Multiclient Howto

08/12/2009 14:58 _--_#31
undwas bitte ist ein multiclient? in diesem Link, in dem es daum geht wie man einen bypass macht, verweist du auf diese Seit! [Only registered and activated users can see links. Click Here To Register...]

PS: so richtig erklärt wurde das dort auch nicht
08/12/2009 22:41 Akorn#32
Mit einen multiclient kann man das Spiel mehrfach starten.
Wenn du versuchst Hackshield zu bypassen dan kuck in die section des entsprechenden spiels anstatt in irgendwelchen threads zu spammen.
09/26/2009 02:13 3nergiz3r#33
das funktioniert nicht mit shaiyatr
10/01/2009 23:35 Shenshen#34
Hallo!
Ist diese Arbeit an Rappelz Spiel? Danke.
10/15/2009 13:01 bhabydashley#35
any english guide? ^^
10/17/2009 10:27 mahip#36
Can we get this in english
10/17/2009 12:24 Adroxxx#37
I will not translate it in english. It's to much work. If you want english guides you can google. There are a few in english.

Quote:
Originally Posted by Shenshen View Post
Hallo!
Ist diese Arbeit an Rappelz Spiel? Danke.
Don't know what you mean. If you want to make the multiclient with Rappelz, it should work. This Guide work on nearly 99% of all games!
10/17/2009 13:35 buFFy!#38
Multiclient Howto
Creating a Multiclient is simple, nevertheless impossible for beginners, quite simply because they see no point.
In this tutorial im going to show you how to create an Multiclient with a technic which is useable for the most games.


#content:
[-]Prerequisites & Programms
[-]Theory
[-]Patching
[-]Conclusion



[-]Prerequisites & Programms

Prerequisites:
  • Basics in using a Debugger
  • Basic Knowledge in ASM
  • Your Brain


Programms:
As sacrifice, i choose Dark Ages (2D MMO). But you can also choose any game else. Of course you can also choose another Debugger, but Olly is the best one on XP. To the Oldschoolers: Yes SoftICE is better but troubling on XP :P



[-]Theory

To create a Multiclient, we have to know what limit's our Instances. They Magic Word is: CreateMutex()

excerpts from MSDN:

Quote:
HANDLE WINAPI CreateMutex(
__in_opt LPSECURITY_ATTRIBUTES lpMutexAttributes,
__in BOOL bInitialOwner,
__in_opt LPCTSTR lpName
);
CreateMutex() Can be found in the Kernel32.dll / lib. Moreover dont wonder: Depending on Unicode or ANSI the Function can also be called CreateMutexA or CreateMutexW.

In rare cases also: CreateProcess()

Quote:
BOOL WINAPI CreateProcess(
__in_opt LPCTSTR lpApplicationName,
__inout_opt LPTSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCTSTR lpCurrentDirectory,
__in LPSTARTUPINFO lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation
);
The important thing here is: bInheritHandles

Quote:
Zitat von MSDN
bInheritHandles [in]

If this parameter TRUE, each inheritable handle in the calling process is inherited by the new process. If the parameter is FALSE, the handles are not inherited. Note that inherited handles have the same value and access rights as the original handles.


[-]Patching

So, enough Theroy. Lets get started! At first, we open Darkages in Ollydbg.exe. Then we Press CTRL+A or rightclick into the CPU window and click "Analyze -> Analyze Code". Best case is, if you have the Analyze This! Plugin, click there.

[Only registered and activated users can see links. Click Here To Register...]

Then we rightclick again: Search for -> All intermodular calls.
[Only registered and activated users can see links. Click Here To Register...]

Now we see all API calls. unfortunately somewhat confused, but we'll get it yet :)
Rightclick -> Sort by -> Destination
[Only registered and activated users can see links. Click Here To Register...]

Now we've to find CreateMutex(A/W). Cuz we know the Function is located in the Kernel32, the search is going to be easy.

Tadaaaa we have 2 CreateMutexA() and 3 CreateProcessA() Function's.
[Only registered and activated users can see links. Click Here To Register...]

We double-click the CreateMutex Function and come out here:

[Only registered and activated users can see links. Click Here To Register...]

Now we can see, where CreateMutex is called from
PHP Code:
00518290   .  6A 00         PUSH 0                                   ; /MutexName NULL
00518292   .  6A 00         PUSH 0                                   ; |InitialOwner FALSE
00518294   .  6A 00         PUSH 0                                   ; |pSecurity NULL
00518296   .  FF15 8CD26800 CALL DWORD PTR DS:[<&
Also, we obviously can see the Structure of CreateMutex, how its defined in the MSDN.

Then we take a look at the code below and see, how something is moved.
PHP Code:
0051829C   .  8B4D FC           MOV ECX,DWORD PTR SS:[EBP-4]
0051829
F   .  8941 04           MOV DWORD PTR DS:[ECX+4],EAX
005182A2   .  8B55 FC           MOV EDX,DWORD PTR SS:[EBP-4
Especially as beginner, you don't have a clue what's happnin there. There's no need yet, it'll come with the time. Now let's look a bit deeper into the code.
PHP Code:
005182A5   .  837A 04 00        CMP DWORD PTR DS:[EDX+4],0
005182A9   .  75 0E             JNZ SHORT 005182B9 
There, we can see that something is compared with 0. A JNZ follows (Jump if not Zero). That means, it just jumps, if the comparison is not 0. It's an Conditional Jump: it has a condition.
Now we look where we are jumping to.

We can see: It's overjumping the
PHP Code:
005182B5   . /EB 53             JMP SHORT 0051830A
005182B7   . |EB 51             JMP SHORT 0051830
And those are continueing to jump.
Long story short sense: The Badboy is the JNZ. We want that he's always jump.

So we click the
PHP Code:
JNZ SHORT 005182B9 
And press Space. Then we change from JNZ to JMP and press Assemble

[Only registered and activated users can see links. Click Here To Register...]

So, we finished? Ah yes, there were 2 CreateMutex and 3 CreateProcess which can bring us in trouble.

We minimize the CPU window and go into the "Found Intermodular calls" - Window. We double-click the 2nd CreateMutex and come out here:

[Only registered and activated users can see links. Click Here To Register...]

What are our eyes seeing?! :eek: Another JNZ !
double-click -> JNZ -> JMP -> Assemble

We remember the CreateProcess Function. So we go again to the "Found Intermodular calls" - Window and doubleclick the first CreateProcess.

We see:
[Only registered and activated users can see links. Click Here To Register...]

We remember, the importest thing was bInheritHandle. Its false here!
PHP Code:
00535E98  |.  6A 00             PUSH 0                                   ; |InheritHandles FALSE 
We just would've problems with this, if the PUSH 0 is a PUSH 1. If this would be the case, we would've to change the PUSH 1 into a PUSH 0.

Now we check the other CreateProcess Functions, but in our case at every Function bInheritHandles is false !

Now we rightlick -> Copy to executeable -> All modifications.

[Only registered and activated users can see links. Click Here To Register...]

Copy All!

[Only registered and activated users can see links. Click Here To Register...]

Rightlick -> Save to file

[Only registered and activated users can see links. Click Here To Register...]

We rename it to Darkages[fix].exe, because it shouldn't overwrite our already existing executable. Otherwise maybe it won't work. Now start it 2 times.

If everything is working you can rename the fix into Darkages.exe. But backup your original exe before !


[-]Nachwort

The latter has become somewhat more detail than I thought :)
You will encounter quite so all the games on CreateMutex and CreateProcess
suche. Now you know how to defeat it.

It's Basic. I hope you understood it :)

--------------------------------------------------------------
Ich hoffe das geht so.. ich mit meinem schlechten Schulenglisch xD
10/17/2009 15:26 Adroxxx#39
Hast du das mit Google Translator gemacht? Also einige sachen sind sinnverfremdet :D
10/19/2009 15:00 buFFy!#40
Nö alles selbst gemacht.. hab halt kein gutes Englisch :p
10/23/2009 04:34 A1C3A1B2#41
Hi Leutz

ihr schreibt das es zu 99% bei allen Spielen klappt jetzt hab ich das mal bei Shot-Online versucht nur leider is das ganz anders :confused:

Da ich mir gedacht habe vielleicht kann mir ja einer helfen hab ich hier mal die beiden EXE dateien hochgeladen

[Only registered and activated users can see links. Click Here To Register...]

Falls ihr jetzt denkt hier will mal wieder einer seine Viren verteilen nein das will ich nicht ich will nur endlich nen Multiclient von SO hier noch ein VT Scan

Sag Schon mal danke im Vorraus
10/23/2009 12:51 Adroxxx#42
Tu die Engine.dll mal mit rein, dann schau ich es mir an.
10/23/2009 13:07 A1C3A1B2#43
Hi Adroxxx

hab den Link oben geändert da is nun auch die Engine.DLL drin!

Ich danke dir das du da mal drüberschaust:handsdown:

Gruss Ruebi
10/23/2009 13:15 Adroxxx#44
Hm, der greift wohl noch auf andere DLL zu ohne die man die exe wohl nicht analysieren kann.

Wo kommst du denn nicht weiter?
10/23/2009 13:23 A1C3A1B2#45
Ich komm eben überhaupt nicht weit weil es ja ganz anders aussieht wie in deinem Tutorial ich schieb mal die anderen DLL wo mit im SO ordner sind hoch

[Only registered and activated users can see links. Click Here To Register...]