InsanityFlyff Bypass

12/27/2012 17:11 +Yazzn#1

Code:

	memcpy((LPVOID)0x480F21, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
	memcpy((LPVOID)0x480F90, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
	memcpy((LPVOID)0x480FFF, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
	memcpy((LPVOID)0x481079, (const void *)"\x90\x90\x90\x90\x90\x90", 6);

Bypasses their "mega" check for QueryPerformanceCounter and WSASend/WSARecv hooks by replacing the exitprocess call with NOP.

12/28/2012 01:21 Flyff_Service#2

You could also NOP the CreateThread call which creates this check thread.

12/28/2012 19:02 xMootie#3

Quote:
Originally Posted by Yazzn (:
Code:
	memcpy((LPVOID)0x480F21, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
	memcpy((LPVOID)0x480F90, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
	memcpy((LPVOID)0x480FFF, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
	memcpy((LPVOID)0x481079, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
Bypasses their "mega" check for QueryPerformanceCounter and WSASend/WSARecv hooks by replacing the exitprocess call with NOP.

ExitProcess? Seriously, what are the "geniuses" at InsanityFlyff thinking? Guess they finally went Insane...

Watch them change the call to use the standard library "exit" function and get bypassed again just as easily.

12/28/2012 21:35 Fremo..#4

Found that shit before too, i thought flyff is jus shitty coded(well it is) but its jus insanityflyff

12/29/2012 14:20 ChinkyCheek#5

Kind of new with this, what is NOP?
Sorry if this is a bothersome question from a newbie like me!

12/30/2012 04:05 xMootie#6

Quote:

Originally Posted by ChinkyCheek

Kind of new with this, what is NOP?
Sorry if this is a bothersome question from a newbie like me!

\x90.

12/30/2012 08:35 ChinkyCheek#7

And what do we use to edit this? and edit which file/s? :|
Forgot to include it into my last post. (Hex Editor or?)

12/30/2012 11:30 +Yazzn#8

Quote:

Originally Posted by Flyff_Service

You could also NOP the CreateThread call which creates this check thread.

Yes but then you can't interrupt it whenever you want.

Quote:

Originally Posted by XorLethal

ExitProcess? Seriously, what are the "geniuses" at InsanityFlyff thinking? Guess they finally went Insane...

Watch them change the call to use the standard library "exit" function and get bypassed again just as easily.

As you will see in the code below you could just hook QPC, WSASend, etc 5 bytes later and reconstruct the overwritten opcodes or use hot patching or fake the IAT or (...)

Spoiler

Code:

void __cdecl StartAddress()
{
  HMODULE v0; // eax@5
  HMODULE v1; // eax@5
  DWORD flOldProtect; // [sp+0h] [bp-18h]@6
  HMODULE hModule; // [sp+4h] [bp-14h]@5
  FARPROC v4; // [sp+8h] [bp-10h]@5
  LPVOID lpAddress; // [sp+Ch] [bp-Ch]@5
  FARPROC v6; // [sp+10h] [bp-8h]@5
  FARPROC v7; // [sp+14h] [bp-4h]@5

  while ( 1 )
  {
    if ( GetModuleHandleA("kernel32.dll") )
    {
      if ( GetModuleHandleA("WINMM.dll") )
      {
        if ( GetModuleHandleA("Ws2_32.dll") )
        {
          v0 = GetModuleHandleA("kernel32.dll");
          lpAddress = GetProcAddress(v0, "QueryPerformanceCounter");
          memcpy(&byte_AC8820, lpAddress, 5u);
          hModule = GetModuleHandleA("Ws2_32.dll");
          v4 = GetProcAddress(hModule, "send");
          v7 = GetProcAddress(hModule, "WSASend");
          memcpy(&byte_AC8830, v4, 5u);
          memcpy(&byte_AC8840, v7, 5u);
          v1 = GetModuleHandleA("WINMM.dll");
          v6 = GetProcAddress(v1, "timeGetTime");
          memcpy(&byte_AC8850, v6, 5u);
          while ( 1 )
          {
            VirtualProtect(lpAddress, 5u, 0x40u, &flOldProtect);
            memcpy(&byte_AC8828, lpAddress, 5u);
            if ( strcmp(&byte_AC8820, &byte_AC8828) )
              break;
            if ( byte_AC8820 == 0xFFFFFFE9 || byte_AC8828 == 0xFFFFFFE9 )
              break;
            VirtualProtect(lpAddress, 5u, flOldProtect, &flOldProtect);
            VirtualProtect(v4, 5u, 0x40u, &flOldProtect);
            memcpy(&byte_AC8838, v4, 5u);
            if ( strcmp(&byte_AC8830, &byte_AC8838) || byte_AC8830 == 0xFFFFFFE9 || byte_AC8838 == 0xFFFFFFE9 )
              ExitProcess(1u);
            VirtualProtect(v4, 5u, flOldProtect, &flOldProtect);
            VirtualProtect(v7, 5u, 0x40u, &flOldProtect);
            memcpy(&byte_AC8848, v7, 5u);
            if ( strcmp(&byte_AC8840, &byte_AC8848) || byte_AC8840 == 0xFFFFFFE9 || byte_AC8848 == 0xFFFFFFE9 )
              ExitProcess(1u);
            VirtualProtect(v7, 5u, flOldProtect, &flOldProtect);
            Sleep(3000u);
            VirtualProtect(v6, 5u, 0x40u, &flOldProtect);
            memcpy(&byte_AC8858, v6, 5u);
            if ( strcmp(&byte_AC8850, &byte_AC8858) || byte_AC8850 == 0xFFFFFFE9 || byte_AC8858 == 0xFFFFFFE9 )
              ExitProcess(1u);
            VirtualProtect(v6, 5u, flOldProtect, &flOldProtect);
            Sleep(3000u);
          }
          ExitProcess(1u);
        }
      }
    }
    Sleep(100u);
  }
}

Conclusion: The guys from InsanityFlyFF don't know what they're doing.

12/30/2012 20:01 xMootie#9

By the way, you might want to look into hooking other functions to modify or read packet data. If you use the functions below, you won't need to reverse the encryption routine.

void CClientSock::Send(char* lpData, DWORD dwDataSize, DPID dpidTo)

- Just send it data for easy packet sending, no encryption necessary

CBuffer* CClientSock::Fetch(DWORD dwBytes)

- Detour call and use return to read packet data decrypted.

Note that both methods are non-static member functions, thus you need to find the address of g_DPlay(global non-static object), which can be obtained by hooking its initialization between the entry point and WinMain().

01/01/2013 22:35 xBleak#10

Could some1 build a Bypass , dunno what I have to do haha :)

01/31/2013 06:01 naomiclark#11

can i ask what if the function of this code?