Originally Posted by Layka0
of coz u can doubt ,
but myself i have same problems connecting and playing russian server with original exe and with fixed exe.
Russian server is just sucking all the way, I've tried playing there, I have a 26 lvl SH
and I can't play there even with the orig exe, same shit happens: DC - unable to connect etc.
ill repeat myself its just a server, offsets working pretty nice,
logic tells me you have connection problems (bad routing for example) AND protection issues, and i have protection issues only. :)
anyway, I changed j(n)z at these locations (as you can see, they are 0x90 bytes away from the English version's, if I remember correctly):
384402
3845B2
3bb800
nops placed here:
386B27
and there is a loop with PeekMessage(), which in some cases goes back to the check:
38488f
could you upload original russian requiem.exe here please, cause I can't.
Has anyone tried the MzBot (v2) API? Did it work? I am unable to make it work.
By MzBot v2 they mean proof-of-concept code that supposedly bypasses the NtUserSendInput hook.
the code of dll is this:
.386
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
includelib kernel32.lib
.DATA
varSSID dd 0                            ; cached service id (dword). 0 = "not initialised": zeroed by LibMain,
                                        ; written by InitMzBot, tested and consumed by AltSendInput
sDeviceName db 92, 92, 46, 92, 116,111, 66, 122, 77, 0 ; "\\.\toBzM", NUL-terminated (device path passed to CreateFile)
buffDrvOutput dq 0                      ; 8-byte output buffer for the DeviceIoControl in InitMzBot;
                                        ; only its low dword is ever read back
.CODE
start:
;-----------------------------------------------------------------------
; BOOL WINAPI LibMain(HINSTANCE hInstDLL, DWORD reason, LPVOID unused)
; DLL entry point (`start` label above, `end start` at the bottom of the file).
; In:    hInstDLL, reason, unused on the stack (stdcall via `.model flat, stdcall`)
; Out:   eax = 1 (TRUE) on every call; the load is never refused
; Side effect: varSSID is reset to 0 on EVERY invocation, regardless of
;        `reason` - the .if/.elseif chain below has empty bodies and does
;        nothing.
; NOTE(review): because the reset is unconditional, a value stored by
;        InitMzBot is discarded the next time the entry point runs (e.g. a
;        thread attach/detach notification), after which AltSendInput takes
;        its varSSID == 0 error path until InitMzBot is called again.
;-----------------------------------------------------------------------
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
        mov     varSSID, 0              ; executes before `reason` is examined
        .if reason == DLL_PROCESS_ATTACH    ; all four branches are empty: no per-reason work at all
        .elseif reason == DLL_PROCESS_DETACH
        .elseif reason == DLL_THREAD_ATTACH
        .elseif reason == DLL_THREAD_DETACH
        .endif
        mov     eax, 1                  ; TRUE
        ret
LibMain endp
;-----------------------------------------------------------------------
; DWORD InitMzBot(void)
; Opens the device named by sDeviceName, issues one DeviceIoControl to
; obtain a starting service id, and caches (id + 1000h) in varSSID.
; In:    none (no parameter list; plain `ret`)
; Out:   eax = -1  CreateFile returned INVALID_HANDLE_VALUE
;        eax = -2  DeviceIoControl returned FALSE
;        else eax = low dword of buffDrvOutput + 1000h (also stored in varSSID)
;        GetLastError is never read, so the cause of either failure is lost.
; Clobb: eax, ebx (explicitly, see below), plus ecx/edx via the Win32 calls.
;        NOTE(review): ebx is callee-saved under the x86 stdcall/cdecl
;        conventions and is not preserved by this proc.
; Stack: two dwords (device handle, bytes-returned slot) are pushed after a
;        successful open; both are removed again on every return path.
;-----------------------------------------------------------------------
InitMzBot proc
        ; CreateFile(sDeviceName, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
        ;            NULL, OPEN_EXISTING, 0, NULL) - arguments pushed right to left
        push    0                       ; hTemplateFile = NULL
        push    0                       ; dwFlagsAndAttributes = 0
        push    3                       ; dwCreationDisposition = OPEN_EXISTING
        push    0                       ; lpSecurityAttributes = NULL
        push    3                       ; dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE
        push    0C0000000h              ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
        push    OFFSET sDeviceName      ; lpFileName = "\\.\toBzM"
        call    CreateFile
        cmp     eax, 0FFFFFFFFh         ; INVALID_HANDLE_VALUE
        jne     ContactDriver1
        ; open failed - nothing of ours is on the stack yet
        mov     eax, -1
        ret
ContactDriver1:
        ; eax = device handle
        push    eax                     ; keep the handle on the stack; it is the argument of the CloseHandle calls below
        push    0                       ; dword that receives *lpBytesReturned
        mov     ebx, esp                ; ebx = &bytesReturned (ebx is not saved/restored - see header)
        ; DeviceIoControl(h, IOCTL, NULL, 0, &buffDrvOutput, 8, &bytesReturned, NULL)
        push    0                       ; lpOverlapped = NULL
        push    ebx                     ; lpBytesReturned
        push    8                       ; nOutBufferSize = sizeof(buffDrvOutput)
        push    OFFSET buffDrvOutput    ; lpOutBuffer
        push    0                       ; nInBufferSize = 0
        push    0                       ; lpInBuffer = NULL
        push    0A9002A40h              ; dwIoControlCode: #define IOCTL_GET_STARTING_SERVICEID CTL_CODE(0xA900, 0x0A90, METHOD_BUFFERED, FILE_ANY_ACCESS)
        push    eax                     ; hDevice - eax still holds the handle; none of the pushes above touch it
        call    DeviceIoControl
        cmp     eax, 0                  ; BOOL: nonzero = success
        jne     ContactDriver2
        ; ioctl failed
        add     esp, 4                  ; drop the bytesReturned slot
        call    CloseHandle             ; consumes the handle pushed at ContactDriver1 (stdcall pops it)
        mov     eax, -2
        ret
ContactDriver2:
        add     esp, 4                  ; drop the bytesReturned slot
        call    CloseHandle             ; handle argument is the dword still on the stack
        mov     eax, OFFSET buffDrvOutput
        mov     eax, [eax]              ; only the low dword of the 8-byte output buffer is used
        add     eax, 01000h             ; bias by 1000h - presumably the win32k (shadow) table selector of the 32-bit service id encoding; confirm against the driver
        mov     varSSID, eax            ; cache for AltSendInput
        ret
InitMzBot endp
;-----------------------------------------------------------------------
; UINT AltSendInput(UINT nInputs, LPINPUT pInputs, int cbSize)
; Issues the system service whose id is cached in varSSID directly via
; sysenter, leaving the caller's three dword arguments in place on the stack.
; ABI:   stdcall - `ret 0Ch` pops the three dword arguments (the proc has no
;        parameter list, so they are never named or validated here).
; In:    [esp+4], [esp+8], [esp+0Ch] = nInputs, pInputs, cbSize
; Out:   eax = -1 if varSSID == 0 (InitMzBot not run, failed, or reset by LibMain)
;        else eax = whatever the kernel leaves in eax
; Clobb: eax, edx; presumably also ecx on the kernel's return path - confirm.
;-----------------------------------------------------------------------
AltSendInput proc
        mov     eax, varSSID            ; eax = service id consumed by sysenter
        cmp     eax, 0
        je      Alt_SendInput_Err       ; not initialised
        call    IntCallGate             ; pushes a return address so the stack layout at sysenter is
                                        ; [esp]=ret, [esp+4]=caller's ret, [esp+8..]=args
                                        ; (presumably the shape the kernel expects from the ntdll stub - confirm)
        ret     0Ch                     ; stdcall cleanup of the 3 dword arguments
Alt_SendInput_Err:
        mov     eax, -1
        ret     0Ch
IntCallGate:
        mov     edx, esp                ; edx = user stack pointer for the kernel's argument copy
        db      00Fh
        db      034h                    ; sysenter (0F 34), emitted as raw bytes
        ret                             ; mirrors ntdll's KiFastSystemCallRet; presumably the kernel's return path
                                        ; resumes via the address at [edx] rather than falling through here - confirm
AltSendInput endp
end start
I fail to get results with this code even with no hooks on NtUserSendInput. I've tried it myself - no result. Found a C++ wrapper for the DLL:
#ifndef MZBOT2_DLL_VERSION_HEADER
#define MZBOT2_DLL_VERSION_HEADER
#include <windows.h>
/*
 * Load amz.dll, resolve its InitMzBot export and run it once.
 *
 * Returns the DLL's own result as an unsigned 32-bit value (its -1/-2 error
 * codes wrap around), -3 when amz.dll cannot be loaded and -4 when the
 * export is missing. The module reference taken by LoadLibrary is not
 * released. 32-bit (x86) only, like the DLL it drives.
 *
 * NOTE(review): defined with external linkage inside a header; including
 * this header from more than one translation unit duplicates the symbol.
 */
unsigned int MzBot_Init() {
    /* InitMzBot takes no arguments and returns in eax. */
    typedef unsigned int (__stdcall *MzBotInitFn)(void);

    HMODULE module = LoadLibrary( "amz.dll" );
    if ( module == NULL ) {
        return -3;
    }

    FARPROC raw = GetProcAddress( module, "InitMzBot" );
    if ( raw == NULL ) {
        return -4;
    }

    MzBotInitFn init = (MzBotInitFn) raw;
    return init();
}
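/*
 * Forward (nInputs, pInputs, cbSize) to the DLL's AltSendInput export.
 *
 * Returns the DLL's result as an unsigned 32-bit value (-1 wraps when
 * InitMzBot has not run), -3 when amz.dll cannot be loaded and -4 when the
 * export is missing - the same codes MzBot_Init uses. 32-bit (x86) only.
 *
 * Fix: the original called through the resolved address without checking
 * LoadLibrary/GetProcAddress for NULL and would fault when amz.dll is
 * absent. It also took a fresh module reference on every call and never
 * released it; each LoadLibrary is now balanced by FreeLibrary.
 */
unsigned int MzBot_SendInput( UINT nInputs, LPINPUT pInputs, int cbSize )
{
    /* AltSendInput ends with `ret 0Ch`: stdcall with three dword arguments. */
    typedef unsigned int (__stdcall *MzBotSendInputFn)( UINT, LPINPUT, int );

    HMODULE m = LoadLibrary( "amz.dll" );
    if ( !m ) {
        return -3;
    }

    MzBotSendInputFn fn = (MzBotSendInputFn) GetProcAddress( m, "AltSendInput" );
    if ( !fn ) {
        FreeLibrary( m );
        return -4;
    }

    unsigned int result = fn( nInputs, pInputs, cbSize );
    FreeLibrary( m );                    /* release the reference taken above */
    return result;
}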
#endif //#ifndef MZBOT2_DLL_VERSION_HEADER
and again, no result.
well, the error occurs during init. The return value is -1, so CreateFile isn't working well. Who remembers what \\.\toBzM can be? Like a mailslot, but it's not... a stream?