[Release]Silkroad C++ Dll Client Protection (Anti Unpacking)

07/02/2013 06:31 MeGaMaX#1
Hey guys miss ya all <3

This is a small DLL source code that I coded in the past when I was interested in Silkroad development.

What it does: protects the BFK of the .PK2 files from being sniffed ;)

Code:
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include "xorstr.h"   // compile-time XOR string obfuscation (external header, shipped with the attachment)
#include "detours.h"  // Microsoft Detours (external)

#pragma comment(lib,"detours.lib")

// windows.h already defines ARRAYSIZE; only define it if the SDK did not
#ifndef ARRAYSIZE
#define ARRAYSIZE(x) (sizeof(x)/sizeof((x)[0]))
#endif

// Addresses of the "push imm32" instructions in the client that push the BFK string pointer.
// Each one is replaced by a "call _protectme" of the same length (5 bytes).
DWORD g_ProtectAddress[] =
{
	0x004978B8,
	0x004CCC4A,
	0x004CCE1F,
	0x0083A84D,
	0x0083A8B1,
	0x0083A90D,
	0x0083A9C5,
	0x0083A969,
	0x0083AE69
};
DWORD RandomKey;  // per-process value taken from rdtsc
char* pszKey;     // pointer to the decrypted key string; kept masked with RandomKey after Initialize()

// Time stamp counter used as a cheap per-run random value
DWORD GetRandomValue()
{
	DWORD value;
	__asm
	{
		rdtsc
		mov value,eax
	}
	return value;
}
// Resolves the target of an E8/E9 rel32 instruction at pJmp (helper, not used by Initialize)
DWORD GetJmpAddr(PBYTE pJmp)
{
	DWORD m_Addr;
	__asm
	{
		mov eax,pJmp
		add eax,[eax+1]
		add eax,5
		mov m_Addr,eax
	}
	return m_Addr;
}
// Hook body. It is reached through a CALL that replaced a "push imm32", so [esp] holds the return address.
// It unmasks the key pointer, writes it over the return-address slot so that it stays on the stack exactly
// where the original push would have left it, restores eflags/eax/edx and returns to the instruction after the call.
__declspec(naked) void _protectme()
{
	__asm
	{
		pushfd
		push    eax       // saved in this order so the epilogue below restores eax and edx to their own values
		push    edx       // stack: [esp]=edx [esp+4]=eax [esp+8]=eflags [esp+0xC]=return address

		mov     eax,RandomKey
		not     eax
		xor     eax,pszKey          // eax = ~(~RandomKey ^ masked pointer) = original pszKey
		not     eax
		mov     edx,[esp+0xC]       // edx = return address
		mov     [esp+0xC],eax       // the key pointer takes the slot the push would have written
		mov     eax, edx
		pop     edx                 // edx restored
		push    eax                 // [esp]=ret [esp+4]=eax [esp+8]=eflags [esp+0xC]=key pointer
		mov     eax, dword ptr [esp+0x8]
		push    eax
		popfd                       // eflags restored
		mov     eax, dword ptr [esp+0x4]   // eax restored
		retn    0x8                 // pop ret, drop saved eax/eflags; the key pointer is now on top of the stack
	}
}
void Initialize()
{
	RandomKey = GetRandomValue();
	pszKey = new char[20];
	// key string decrypted at runtime by XorStr; replace this literal with your own generated one
	strcpy(pszKey,/*MeGaMaX*/XorStr<0x7A,8,0x1F16EAF3>("\x37\x1E\x3B\x1C\x33\x1E\xD8"+0x1F16EAF3).s);
	// keep the global masked: pszKey = ~pszKey ^ ~RandomKey, undone again inside _protectme
	__asm
	{
		not pszKey
		mov eax,RandomKey
		not eax
		xor pszKey,eax
	}
	DWORD oldProtect;
	for(size_t i=0;i<ARRAYSIZE(g_ProtectAddress);i++)
	{
		DWORD oldAddress = g_ProtectAddress[i];   // DetourAttach overwrites the array slot with the trampoline address
		DetourTransactionBegin();
		DetourUpdateThread(GetCurrentThread());
		DetourAttach((PVOID*)&g_ProtectAddress[i],(PVOID)&_protectme);   // writes "jmp _protectme" (E9 rel32) over the push
		DetourTransactionCommit();
		// turn the jmp into a call (E8 rel32): the displacement is identical and _protectme relies on the pushed return address
		VirtualProtect((PVOID)oldAddress,4,PAGE_EXECUTE_READWRITE,&oldProtect);
		((PBYTE)oldAddress)[0] = 0xE8;
	}
}
BOOL WINAPI DllMain(HINSTANCE hDllHandle,DWORD nReason,LPVOID Reserved)
{
	switch(nReason)
	{
		case DLL_PROCESS_ATTACH:
			Initialize();
			break;
		case DLL_PROCESS_DETACH:
			break;
	}
	return TRUE;
}
How to use:

First of all you must get the push addresses from the client .exe files, aka sro_client.exe, replacer.exe and silkroad.exe.

I will provide here the vSRO 188 addresses.

sro_client.exe:
Code:
0x004978B8,
0x004CCC4A,
0x004CCE1F,
0x0083A84D,
0x0083A8B1,
0x0083A90D,
0x0083A9C5,
0x0083A969,
0x0083AE69
silkroad.exe:
Code:
0x00430FD3,
0x00408C15,
0x00408A17
replacer.exe:
Code:
0x00403B23
Now, after I've got the addresses, I replace them in this function:
Code:
DWORD g_ProtectAddress[] =
{
	

};
Now I have to generate the XOR key o.o This is an example; change it in the DLL source code:
Code:
/*MeGaMaX*/XorStr<0x7A,8,0x1F16EAF3>("\x37\x1E\x3B\x1C\x33\x1E\xD8"+0x1F16EAF3).s
Now what? You have to compile the DLL and add a call to the DLL in the exes with Import REConstructor 1.7e FINAL, then remove the old BFK in the exe files (like 169841), making it 90 90 90 90 90 90 or 00 00 00 00 00 00, because after you import this DLL there is no use for the real BFK in the client anymore.

Note: I didn't provide how to generate the XOR key, because I want this section to think about how to do that. Use your brain, and try to be more respectful in the Silkroad community; Google is your friend.

Note 2: this method has nothing to do with any other methods I used in any server development I was in, for example Ludoworks.

Note 3: after some days I will provide how to generate the XOR key, but like I said above I would like to see development instead of creating servers...

Note 4: you have to recompile the DLL 3 times to change the addresses for every .exe file :)

Source code in attachments. Enjoy, love ya guys: new hope, crayu, perry, pokemon man, synx, caipi, PowerPoint, and all of my friends and the SRO community ;)

Greetings: MeGaMaX
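To judge how much this protection actually hides, here is an added model (not code from the post or its attachment) of the two transformations the DLL applies: the XorStr literal and the NOT/XOR masking of the pointer in Initialize() and _protectme. It assumes xorstr.h is the common compile-time XorStr template in which byte i of the literal is XORed with (XORSTART + i) & 0xFF; the bytes posted above decode to "MeGaMaX" under that rule, matching the author's own comment. The pointer and rdtsc values are constructed samples.

```python
# Added example: what the DLL's key obfuscation reduces to (defensive assessment).

XORSTART = 0x7A                                   # first template argument in the post
ENCODED_KEY = b"\x37\x1E\x3B\x1C\x33\x1E\xD8"     # literal bytes from the posted source
MASK32 = 0xFFFFFFFF                                # everything in the DLL is 32-bit


def xorstr_decode(encoded: bytes, xorstart: int) -> str:
    """Recover the plaintext of an XorStr<xorstart, ...> literal (assumed scheme)."""
    return bytes(b ^ ((xorstart + i) & 0xFF)
                 for i, b in enumerate(encoded)).decode("latin-1")


def xorstr_encode(plain: str, xorstart: int) -> bytes:
    """Inverse of xorstr_decode: the bytes that would be pasted into the literal."""
    return bytes(b ^ ((xorstart + i) & 0xFF)
                 for i, b in enumerate(plain.encode("latin-1")))


def initialize_mask(psz_key: int, random_key: int) -> int:
    """Initialize(): not pszKey; xor pszKey, ~RandomKey  (the value left in the global)."""
    return ((psz_key ^ MASK32) ^ (random_key ^ MASK32)) & MASK32


def protectme_unmask(stored: int, random_key: int) -> int:
    """_protectme: eax = ~(~RandomKey ^ stored); this is what gets pushed at the hooked site."""
    return (((random_key ^ MASK32) ^ stored) ^ MASK32) & MASK32


def effective_mask(psz_key: int, random_key: int) -> int:
    """Both NOTs cancel algebraically: the global is simply pszKey XOR RandomKey."""
    return (psz_key ^ random_key) & MASK32


if __name__ == "__main__":
    psz_key, random_key = 0x00A41F20, 0x1234ABCD    # constructed heap pointer / rdtsc sample
    stored = initialize_mask(psz_key, random_key)
    print(xorstr_decode(ENCODED_KEY, XORSTART))     # MeGaMaX
    print(hex(stored), hex(protectme_unmask(stored, random_key)))
```

Anyone who can read RandomKey and the masked global out of the process (both are plain DWORDs in the DLL's data section) recovers the pointer with one XOR, which is the "easy to reverse in theory" point raised further down the thread.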
07/02/2013 13:01 PortalDark#2
#approved
07/02/2013 13:06 Alexiuns#3
thanks
07/02/2013 13:43 鳳凰城#4
Now what, no one's able to unpack such clients? HHHHH.
07/02/2013 14:43 PortalDark#5
Quote:
Originally Posted by Phoenix 1337 View Post
Now what, no one's able to unpack such clients? HHHHH.
well, knowing the method used (since it is posted) it is easy to reverse it (in theory), but I'm pretty sure owners that use this method will use theirs too, so it is not gonna be the same for every server
inb4 noob server will die
07/02/2013 15:34 鳳凰城#6
Quote:
Originally Posted by PortalDark View Post
well, knowing the method used (since it is posted) it is easy to reverse it (in theory), but I'm pretty sure owners that use this method will use theirs too, so it is not gonna be the same for every server
inb4 noob server will die
If it's the method that megamax used in ludoworks, then it's unpacked.
07/02/2013 16:10 Nezekan#7
Quote:
Originally Posted by Phoenix 1337 View Post
Now what, no one's able to unpack such clients? HHHHH.
No, it means it is harder to unpack the client files; there is not a single thing made by humans that is 'unpackable'.

pokemon man :(

@OT: good job, now let's see who will be able to actually get it working :D
07/02/2013 16:49 pushipu#8
Will they be able to or not, at least some of the "download/unzip/start bot" kind will not be able to figure it out. But let's be realists... this will kill your online hardly xD
07/02/2013 16:52 caine_neros#9
Good to see you back, Androw.
If you would've just released the Agent server exploit fix... *dream*
Still, good to see you back!
07/03/2013 08:12 magicanoo#10
Thank you, bookmarked :)

P.S. I think that you have to find the XOR cipher in order to unpack the binaries, correct?
11/15/2016 02:08 ersers2#11
Apologies for posting to an old thread; will mbot still work after a PK2 key is changed using a method like this?
10/09/2017 06:44 zeies#12
Help please. I can't compile the DLL from VS2010; it shows this error:

Error 2 error C2440: '<function-style-cast>' : cannot convert from 'System::String ^' to 'XorStr<XORSTART,BUFLEN,XREFKILLER>'

Error 3 error C2228: left of '.s' must have class/struct/union