*HOT* My solution to Kill GameGuard

03/08/2006 07:17 mauiz#46
FU************ YOU GAME GUARDDDDDD!!!!!!!
03/08/2006 07:29 Move_Wind#47
And then you can launch the game without nProtect and then you can use SRO bots, but it only lasts for 10 mins and then SRO will shut down. The only way to get that off is by... figuring out which .dat or any other kind of format is sent to SRO_client to look for GameGuard and, if it isn't on, shut down; then modify it and make it so it doesn't shut down SRO. That's the only way we can.

What's this <---------------
03/09/2006 00:34 seller1#48
Quote:
Originally posted by jMerliN@Mar 8 2006, 05:54

:o

Well I got the bot to load around gameguard ( yes that image is with gameguard running )...

But apparently it needs its client running because it can't "login" or whatever...

The autopotting doesn't work.. if I hit Insert/Home/End it gives me that "Bot Login Failure" error and disconnects me from the server. So I'm gonna need to figure out why the hack does that ( I need to unpack the actual hack and the silkbot loader ).

But the good news -- I can inject past gameguard.
I recommend you try the Chinese bot.
I believe there's a redirection in the English bot that's created for a future pay-to-bot system.
They could have taken that redirection down and that could cause the bot to fail.

All just speculation though, so please do not flame me =))
03/09/2006 04:39 DamoniousB#49
I don't know if you already thought about that, but how about adding the content of silk.dll to another DLL that's used by the client itself?
03/09/2006 05:05 jMerliN#50
Apparently the client itself ( silkbot ) interfaces with the .dll via the driver when it is loaded into SRO. The bot calls this action a 'login'.. and since my injecting silk.dll into the game successfully does not allow the dll and the client to establish said link, it cannot 'login' as it says. I'm working on my driver-based hooking interface but if anyone else wants to give it a shot, here's what I'd suggest trying:

Inject your own .dll file into the sro_client.exe when it is loaded ( hijack silkroad.exe.. or launch it yourself using CreateProcess.. look at the ASM to see what cases it fails under and make it work.. and inject a .dll into it which intercepts calls made to CreateProcess and when the call is made on sro_client.exe, simply create it in a suspended state then inject your dll into the suspended process and resume it ). Once your file is injected into sro_client, hijack control of CreateProcess and when the gameguard.des process is created, append the suspended flag to the creation flags and leave it suspended ( in the preliminary test ). Watch to see how long it takes silkbot to attach to the sro_client.exe application while it's naked and vulnerable. Recode the .dll which suspends gameguard to sleep for as many seconds as necessary for silkbot to attach and then just run silkroad.exe with your dll injected in it each time and you should have a working sro bot.
03/09/2006 05:10 2wire#51
Are you working on a program that helps us do this? Because I can follow some parts, but some other parts I don't understand.
03/09/2006 05:12 DamoniousB#52
I guess I'll wait for the driver-based hooking interface :P

Damn, I wish I'd be able to do something ^^
03/09/2006 06:51 jMerliN#53
My driver-driven hooking interface is a project I'm working on to bypass security tools to debug and/or extend functionality of software ( i.e. I could make a simple debugger plugin for it using an open-source debugger similar to OllyDbg and debug games protected by nProtect or powerful packers like ASProtect ).. nothing to do with this game however; it will be used to make my 2D client and my server emulator.
03/09/2006 12:51 Khyl#54
Hmm... When can we bot again? Or what...
03/09/2006 13:04 crome#55
I have a complete noob question:
GG provides some kind of protection for the game; it does not allow third-party software to interfere with the game.
There has to be a way around it, there has to be a backdoor. I understand a normal macro cannot function. Is there another way
to make a macro function, in another programming language?
I mean, not to make those macros function, but to make a completely new macro that GG cannot block.
03/09/2006 15:38 terryho#56
Why 5-10 min auto shutdown? Why??
03/09/2006 16:37 mx0#57
Quote:
Originally posted by terryho@Mar 9 2006, 15:38
Why 5-10 min auto shutdown? Why??
LOL... try to read here first before posting crap :bandit:
03/10/2006 03:09 jMerliN#58
Since people have been asking me how to do what I said up there, here's some simple C++ talk on how to do it:

First download the detours package from microsoft ( google "microsoft detours" ). Include the detour header & C++ file accompanying that into your .dll project.

In the first .dll project, use the CreateProcess API ( google "msdn CreateProcess" ) to launch silkroad.exe ( the silkroad loader ) and make sure the CREATE_SUSPENDED flag is specified in the dwCreationFlags parameter. An example of this CreateProcess call would look like this:

Code:
PROCESS_INFORMATION pi;
ZeroMemory( &pi, sizeof( PROCESS_INFORMATION ) );   // pass the address of pi, not pi itself

// lpStartupInfo is not optional, and CreateProcessW may write into the command line,
// so the path has to live in a writable buffer rather than a string literal
STARTUPINFOW si = { sizeof( STARTUPINFOW ) };
wchar_t CommandLine[] = L"C:\\Program Files\\Silkroad\\silkroad.exe";

if( FALSE == CreateProcessW( NULL, CommandLine, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
{
    MessageBoxW( NULL, L"Unable to create the silkroad process.", L"Silkbot Error.", MB_OK );
    return FALSE;
}
Next, since the process is created in a suspended state ( not even the first byte has been executed ) and the PROCESS_INFORMATION structure has been filled with a handle to the process and to the primary thread, you can proceed to inject the .dll you want into the suspended process and finally resume the process.

Code:
//The path handed to LoadLibraryW inside the target; const, since a string literal must never be written to
const wchar_t* LibraryFile = L"C:\\Program Files\\Silkroad\\Silkbot\\silkroadhijack.dll";

//Copy the terminating null as well, so the remote string does not rely on the fresh page being zero-filled
SIZE_T BufferSize = MAX_PATH * sizeof( wchar_t );
SIZE_T LibrarySize = ( lstrlenW( LibraryFile ) + 1 ) * sizeof( wchar_t );
if( LibrarySize > BufferSize )
{
    MessageBoxW( NULL, L"Library path does not fit in the buffer. Closing process.", L"Silkbot Error.", MB_OK );
    TerminateProcess( pi.hProcess, 0 );
    CloseHandle( pi.hProcess );
    CloseHandle( pi.hThread );
    return FALSE;
}

//First allocate the memory
void* DataPointer = VirtualAllocEx( pi.hProcess, NULL, BufferSize, MEM_COMMIT, PAGE_READWRITE );
if( DataPointer == NULL )
{
    MessageBoxW( NULL, L"Unable to allocate memory in the target process. Closing process.", L"Silkbot Error.", MB_OK );
    TerminateProcess( pi.hProcess, 0 );
    CloseHandle( pi.hProcess );
    CloseHandle( pi.hThread );
    return FALSE;
}

//Next write the data in ( WriteProcessMemory reports the byte count through a SIZE_T, not a DWORD )
SIZE_T Written = 0;
if( FALSE == WriteProcessMemory( pi.hProcess, DataPointer, LibraryFile, LibrarySize, &Written ) || Written != LibrarySize )
{
    MessageBoxW( NULL, L"Unable to write library file name into allocated memory. Closing process.", L"Silkbot Error.", MB_OK );
    TerminateProcess( pi.hProcess, 0 );
    CloseHandle( pi.hProcess );
    CloseHandle( pi.hThread );
    return FALSE;
}

//Next load the library: the remote thread starts at LoadLibraryW with DataPointer as its single argument
DWORD LibraryThreadId = 0;
HANDLE LibraryThread = CreateRemoteThread( pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryW, DataPointer, 0, &LibraryThreadId );
if( LibraryThread == NULL )
{
    MessageBoxW( NULL, L"Unable to create thread. Closing process.", L"Silkbot Error.", MB_OK );
    TerminateProcess( pi.hProcess, 0 );
    CloseHandle( pi.hProcess );
    CloseHandle( pi.hThread );
    return FALSE;
}

//Wait for the thread to terminate so we can clean up
WaitForSingleObject( LibraryThread, INFINITE );

//Clean up: the string is no longer needed once LoadLibraryW has returned
VirtualFreeEx( pi.hProcess, DataPointer, BufferSize, MEM_DECOMMIT );

//Close unneeded handles
CloseHandle( LibraryThread );
CloseHandle( pi.hProcess );

//Resume the primary thread of the process we created in a suspended state
ResumeThread( pi.hThread );

//Close handle
CloseHandle( pi.hThread );
=o.

A similar method ( use Detours to create a detour on CreateProcess ( I believe the loader will use CreateProcessA but you can detour both A and W ) then append the CREATE_SUSPENDED flag onto the attributes using the or ( |= ) operator ) can be used to keep the sro_client.exe process suspended until the user presses a certain key, at which time the process will resume and load gameguard.
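A defender-side counterpart to the sequence in the post above ( open the target with write and thread-creation rights, then CreateRemoteThread pointed at LoadLibraryW ), added here as an example that is not part of the thread: it scans constructed Sysmon-style ProcessAccess ( event ID 10 ) and CreateRemoteThread ( event ID 8 ) records and flags remote threads that start at LoadLibraryA/W in another process, noting whether the same source had earlier obtained injection-capable access to that target. The field names, process names and PIDs are assumptions made for the sample.

```python
from collections import defaultdict

# Access rights that WriteProcessMemory + CreateRemoteThread need on the target handle
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed, simplified Sysmon-style events (id 10 = ProcessAccess, id 8 = CreateRemoteThread)
SAMPLE_EVENTS = [
    {"id": 10, "src": "loader.exe", "src_pid": 1234, "tgt": "sro_client.exe", "tgt_pid": 5678,
     "access": 0x1FFFFF},                                   # PROCESS_ALL_ACCESS
    {"id": 8, "src": "loader.exe", "src_pid": 1234, "tgt": "sro_client.exe", "tgt_pid": 5678,
     "start_module": "C:\\Windows\\System32\\KERNEL32.DLL", "start_function": "LoadLibraryW"},
    {"id": 10, "src": "csrss.exe", "src_pid": 400, "tgt": "sro_client.exe", "tgt_pid": 5678,
     "access": 0x1400},                                     # benign: query rights only
    {"id": 8, "src": "svc.exe", "src_pid": 900, "tgt": "svc.exe", "tgt_pid": 900,
     "start_module": "C:\\svc\\svc.exe", "start_function": "ThreadProc"},  # own process, not remote
]


def find_loadlibrary_injections(events):
    """Return one alert per cross-process thread whose start address is LoadLibraryA/W.

    ProcessAccess events are folded into a per-(source, target) union of granted
    access masks so the alert can say whether injection-capable rights preceded it.
    """
    granted = defaultdict(int)  # (src_pid, tgt_pid) -> OR of access masks seen so far
    alerts = []
    for ev in events:
        key = (ev["src_pid"], ev["tgt_pid"])
        if ev["id"] == 10:
            granted[key] |= ev["access"]
        elif ev["id"] == 8 and ev["src_pid"] != ev["tgt_pid"]:
            fn = ev.get("start_function", "")
            if fn.startswith("LoadLibrary"):
                alerts.append({
                    "source": ev["src"], "target": ev["tgt"], "function": fn,
                    "prior_access_matches": (granted[key] & INJECT_MASK) == INJECT_MASK,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_loadlibrary_injections(SAMPLE_EVENTS):
        print(alert)
```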
03/10/2006 16:33 Move_Wind#59
Don't understand
03/10/2006 16:40 Khyl#60
When is it gonna work without crashing?