[Question] The new client protection

07/21/2013 14:34 { Angelius }#1
This can be closed.
07/21/2013 16:32 Smaehtin#2
That hooked NtProtectVirtualMemory you're looking at is because of your Avast Anti-Virus software. It has nothing to do with TQ's anti-cheat system.
07/21/2013 17:32 { Angelius }#3
Quote:
Originally Posted by Smaehtin View Post
That hooked NtProtectVirtualMemory you're looking at is because of your Avast Anti-Virus software. It has nothing to do with TQ's anti-cheat system.
Yeah thanks Einstein :|

Like I didn't think about that before I included it in my post... I have checked that call on my PC and on 2 different VMs. All have the same antivirus installed.

And the only way you would be right is if the OS type itself matters, which I doubt.

And by the way, regardless of the fact that your answer is useless to me, you didn't have to be a DICK about it, posting that silly image of yours.
07/21/2013 17:49 Smaehtin#4
Quote:
Originally Posted by { Angelius } View Post
Well TQ team decided to change that route a bit to their advantage and this is what they came up with.

ntdll.NtProtectVirtualMemory

Before:
PHP Code:
MOV EAX, 0x4E
CALL DWORD PTR FS:[0C0]
RETN 14
After:
PHP Code:
JMP 00030A08
CALL DWORD PTR FS:[0C0]
RETN 14
No, TQ didn't hook ntdll.NtProtectVirtualMemory. Avast Anti-Virus did.
Am I being clear enough now?
07/21/2013 17:53 { Angelius }#5
Quote:
Originally Posted by Smaehtin View Post
No, TQ didn't hook ntdll.NtProtectVirtualMemory. Avast Anti-Virus did.
Am I being clear enough now?
And you are saying that based on what?

Or do I have to take it on faith and trust you lol.
07/21/2013 18:00 Smaehtin#6
Quote:
Originally Posted by { Angelius } View Post
And you are saying that based on what?

Or do I have to take it on faith and trust you lol.
Quote:
Originally Posted by { Angelius } View Post
The (JMP 00030A08) eventually leads to this function.
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
7272A890  /.  55            PUSH EBP
7272A891  |.  8BEC          MOV EBP,ESP
7272A893  |.  83E4 F8       AND ESP,FFFFFFF8                         ; QWORD (8.-byte) stack alignment
7272A896  |.  81EC 8C000000 SUB ESP,8C
7272A89C  |.  53            PUSH EBX
7272A89D  |.  56            PUSH ESI
7272A89E  |.  57            PUSH EDI
7272A89F  |.  68 84000000   PUSH 84                                  ; /Arg3 = 84
7272A8A4  |.  33F6          XOR ESI,ESI                              ; |
7272A8A6  |.  8D4424 18     LEA EAX,[LOCAL.33]                       ; |
7272A8AA  |.  56            PUSH ESI                                 ; |Arg2 => 0
7272A8AB  |.  50            PUSH EAX                                 ; |Arg1 => OFFSET LOCAL.33
7272A8AC  |.  E8 3F0F0100   CALL 7273B7F0                            ; \snxhk.7273B7F0
07/21/2013 18:01 Fragaria#7
Quote:
Originally Posted by { Angelius } View Post
And you are saying that based on what?

Or do I have to take it on faith and trust you lol.
Search for the snxhk.dll that's being called on Google, or even better, do a search on your computer and you'll find it in Avast's directory. It's an Avast DLL.

p.s. omgawd I was slow :(
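
The attribution made in this thread can be checked mechanically: decode the relative branch, follow the chain, and name the module that owns the destination. The following is an added example, not part of the original posts. The module ranges, the stub address and the single-JMP trampoline are constructed for illustration; 00030A08, 7272A890 and the prologue bytes are the ones quoted in the thread.

```python
import struct

# Constructed module list (base, size, name); in practice copy it from the debugger's
# module view. The snxhk.dll range is assumed so that it contains 7272A890 and 7273B7F0.
MODULES = [
    (0x72720000, 0x00030000, "snxhk.dll"),
    (0x77000000, 0x00180000, "ntdll.dll"),
]

def owner(addr):
    """Name of the module containing addr, or None for private memory."""
    for base, size, name in MODULES:
        if base <= addr < base + size:
            return name
    return None

def branch_target(code, addr):
    """Absolute target of a JMP rel32 (E9) or CALL rel32 (E8) located at addr."""
    if len(code) >= 5 and code[0] in (0xE8, 0xE9):
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    return None

def attribute_hook(func_addr, memory, max_hops=4):
    """Follow JMPs from the function start; return (module, address) of the first foreign module reached."""
    home, addr = owner(func_addr), func_addr
    for _ in range(max_hops):
        code = memory.get(addr, b"")
        if not code or code[0] != 0xE9:
            break                      # intact prologue or end of the chain
        addr = branch_target(code, addr)
        if owner(addr) not in (None, home):
            return owner(addr), addr   # landed in another module: that is the hooker
    return None

def jmp(src, dst):
    """Encode a JMP rel32 at src going to dst (helper for the sample data)."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

# Constructed sample memory: STUB is a hypothetical address for the ntdll export,
# and the trampoline at 00030A08 is simplified to one JMP.
STUB = 0x77015F18
MEMORY = {
    STUB: jmp(STUB, 0x00030A08),
    0x00030A08: jmp(0x00030A08, 0x7272A890),
    0x7272A890: bytes.fromhex("558BEC83E4F8"),  # PUSH EBP / MOV EBP,ESP / AND ESP,FFFFFFF8
}

print(attribute_hook(STUB, MEMORY))
```

The intermediate hop at 00030A08 belongs to no module, which is why the chain has to be followed to its end before drawing a conclusion about who placed the hook.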
07/21/2013 18:13 { Angelius }#8
Quote:
Originally Posted by DragonHeart~V4 View Post
Search for the snxhk.dll that's being called on Google, or even better, do a search on your computer and you'll find it in Avast's directory. It's an Avast DLL.

p.s. omgawd I was slow :(
Fuck... You guys are right... I failed to do a simple search before I jumped into the depth of the assembly code.

Oh well. Albert Einstein failed to ride a bicycle :P
07/21/2013 20:45 Spirited#9
Closed, as requested.