[Release]ObverseFlyff-Bypass

07/22/2016 06:59 /Aiden\#1
I was playing around with the Client of [Only registered and activated users can see links. Click Here To Register...]. [Only registered and activated users can see links. Click Here To Register...] was working fine as I expected it to work. The "normal" Cheat Engine was not working at all. The strange thing about their "Antihack-System" is that they are not only using an internal client Antihack. They use "[Only registered and activated users can see links. Click Here To Register...]" in addition. I never saw this before so I decided to look into that. I found out that it connects to a remote server and sends data:

[Only registered and activated users can see links. Click Here To Register...]



I don't like that at all. So I decided to create a bypass as solution for this "problem". It is based on "Senpai greyb1t's ( ͡° ͜ʖ ͡°)" [Only registered and activated users can see links. Click Here To Register...].

Quick "How to use":
[Only registered and activated users can see links. Click Here To Register...]

In case someone wants to know the IP&Port "Shark Shield" connects to:
[Only registered and activated users can see links. Click Here To Register...]
Don't you dare to fire any packets to that destination ;)

Here you can see how simple it is to use (with the same explanation):


Sorry if this gets patched :<

exe is packed.




Have fun,
-/Aiden\
07/22/2016 11:37 greyb1t#2
It's easy to tell they're not experienced at all. If you're allowed to kill their so called "Anti-Cheat" with a simple TerminateProcess call, you know they don't know shit =)

Creating an "Anti-Cheat" in .NET is not a good idea either ;/

Good job!
07/22/2016 11:51 Devisory#3
Putting so much effort in something u can bypass way easier.

Just make a shortcut of the Game.exe and add the word 'release' at the end like this:

[Only registered and activated users can see links. Click Here To Register...]

and now you are free to use all hacktools.

You can just use a customized cheat engine as well and it won't detect it or even Sandboxie.

Probably there are more methods to use cheat engine but what would you expect of server hosted by EvilSlayer? XD
07/22/2016 12:03 greyb1t#4
Quote:
Originally Posted by Devisory View Post
Putting so much effort in something u can bypass way easier.

Just make a shortcut of the Game.exe and add the word 'release' at the end like this:

[Only registered and activated users can see links. Click Here To Register...]

and now you are free to use all hacktools.

You can just use a customized cheat engine as well and it won't detect it or even Sandboxie.

Probably there are more methods to use cheat engine but what would you expect of server hosted by EvilSlayer? XD

Using that method you described above will not bypass their internal "anti-cheat", only the Shark Shield.
The reason he put such effort into bypassing it was not only to bypass Shark Shield, but also the internal in-game anti-cheat for those who do not have an undetected cheat engine. That was just a guess, not sure if that's why.
07/22/2016 12:08 Devisory#5
Quote:
Originally Posted by greyb1t View Post
Using that method you described above will not bypass their internal "anti-cheat", only the Shark Shield.
The reason he put such effort into bypassing it was not only to bypass Shark Shield, but also the internal in-game anti-cheat for those who do not have an undetected cheat engine. That was just my guess, not sure if that's why :)

Yup.
Still, trying to block cheat engine is almost impossible.
It's better to fix the bugs than putting up some useless shield.

There are still so many critical bugs working on this server.


I just figured out he added a string-check.
So those trying to bypass the anti-hack with my method should change the cheat engine window title to something else.
07/22/2016 16:49 /Aiden\#6
Quote:
Originally Posted by greyb1t View Post
Creating an "Anti-Cheat" in .NET is not a good idea either ;/
Good job!

Well if there is a crypted synch between the Game & the "Anti-Cheat" then you can use any language. Some years ago I used to do that with my guard too. Of course you could still try to emulate packets and create a "GG-Emulator" as the God himself nForce aka. dBased did with the Official GG.

Oh and I forgot to mention this: I had a bit of trouble at the beginning with your source code. The client was always frozen. I had to exclude one thread suspension:
[Only registered and activated users can see links. Click Here To Register...]
I know it is pretty obvious to exclude that one :rolleyes:
You may want to add that feature to your Base Source as well :)
07/22/2016 17:53 greyb1t#7
Quote:
Originally Posted by /Aiden\ View Post
Well if there is a crypted synch between the Game & the "Anti-Cheat" then you can use any language. Some years ago I used to do that with my guard too. Of course you could still try to emulate packets and create a "GG-Emulator" as the God himself nForce aka. dBased did with the Official GG.

Oh and I forgot to mention this: I had a bit of trouble at the beginning with your source code. The client was always frozen. I had to exclude one thread suspension:
[Only registered and activated users can see links. Click Here To Register...]
I know it is pretty obvious to exclude that one :rolleyes:
You may want to add that feature to your Base Source as well :)

What I meant with .NET being bad in that case, was that anyone's able to view the raw code and simply edit the IL code to break it. Of course, you're able to do that with any language just by asm, it's just that .NET languages are the most vulnerable ones regarding the simplicity to do it.

Now the issue you had was probably due to using the method on a different server than I did.
Now regarding the issue you had, it was probably due to you using the same method I used on Thai, on Obverse.
As you can see from the code, I filtered out the good and bad threads by the module name and the wait reason.

Code:
if (modInfo.name.find("Neuz") != std::string::npos)
	if (thread.getWaitReason() == DelayExecution)
		SuspendThread(thread.getHandle().getRaw());
By viewing the image you attached, I can see that the main thread also has the wait reason set to DelayExecution.
Meaning that the method I used will not work; it'll suspend the main thread as well. But I guess you fixed the issue by not suspending the one thread that has the earliest Create Time?

I won't bother adding a comment saying that the method to filter the good and bad threads might vary based on server, if you're experienced enough, you should be able to figure it out on your own.
07/22/2016 18:27 Sammyz#8
I'm happy you bypassed this, i don't play on this server but...

The person who created this anti-hack is prolly the most egotistical prick in the world who backdoors and rootkits people for his MAC bans. He has even bragged about it and claims it's unbypassable.

Great release lol.
07/22/2016 19:17 /Aiden\#9
Quote:
Originally Posted by greyb1t View Post
By viewing the image you attached, I can see that the main thread also has the wait reason set to DelayExecution.
Meaning that the method I used will not work; it'll suspend the main thread as well. But I guess you fixed the issue by not suspending the one thread that has the earliest Create Time?

I won't bother adding a comment saying that the method to filter the good and bad threads might vary based on server, if you're experienced enough, you should be able to figure it out on your own.

Your code loops through all threads. Windows always gives the same information about threads. This means that when you list all the threads with ProcessThreadsView the loop of your Source will get the same information in the same row. I just needed to add a blacklist filter to it and "blacklist" the first suspension loop. With this method the main thread keeps running, while all the other "DelayExecution" threads get suspended.


Quote:
Originally Posted by Sammyz View Post
I'm happy you bypassed this, i don't play on this server but...

The person who created this anti-hack is prolly the most egotistical prick in the world who backdoors and rootkits people for his MAC bans. He has even bragged about it and claims it's unbypassable.

Great release lol.

You are welcome :)

Edit: Ladies and gentlemen, I wish you a good weekend :cool:
07/22/2016 19:25 macroseller#10
[Only registered and activated users can see links. Click Here To Register...]
How is this connecting to a remote server?
It's obviously a function to send event messages to app windows. For example killing window, sending clicks...
07/22/2016 19:36 /Aiden\#11
Quote:
Originally Posted by macroseller View Post
[Only registered and activated users can see links. Click Here To Register...]
How is this connecting to a remote server?
It's obviously a function to send event messages to app windows. For example killing window, sending clicks...

You are absolutely right. That happens when you do stuff at 6 am :p
Used the wrong Screenshot. But as you can see from the other screenshot it is connecting to a remote server, which can send commands to the client. Such as listing the clients process list etc. Which is even shown in an advertisement?! video:
07/22/2016 20:04 greyb1t#12
Quote:
Originally Posted by /Aiden\ View Post
Your code loops through all threads. Windows always gives the same information about threads. This means that when you list all the threads with ProcessThreadsView the loop of your Source will get the same information in the same row. I just needed to add a blacklist filter to it and "blacklist" the first suspension loop. With this method the main thread keeps running, while all the other "DelayExecution" threads get suspended.

That was basically what I said in the following quote:
Quote:
But I guess you fixed the issue by not suspending the one thread that has the earliest Create Time?

The code runs through each thread in order of the create time, with the first thread being the first created.
So I guess the answer to my question is yes since you're doing exactly what I asked if you did.
That can be proved with the following code.

Code:
	gWin::ProcessEnumerator procEnum;

	for (auto &process : procEnum.getProcesses()) {
		if (process.getName() == "Neuz.exe") {

			for (auto &thread : process.getThreads()) {
				auto modInfo = process.getAssociatedModule(&thread);

				FILETIME fileTime;
				fileTime.dwLowDateTime = thread.getPtr()->CreateTime.LowPart;
				fileTime.dwHighDateTime = thread.getPtr()->CreateTime.HighPart;

				SYSTEMTIME sysTime;

				FileTimeToSystemTime(
					&fileTime,
					&sysTime
				);

				printf("%d-%d-%d %d:%d:%d\n", sysTime.wYear, sysTime.wMonth,
					sysTime.wDay, sysTime.wHour, sysTime.wMinute, sysTime.wSecond);
			}
		}
	}
10/26/2016 14:18 Pkersawboy#13
Hey, thanks for the bypass :), I know Obverse shut down but I'm playing on a pserver called Dravelinex which basically is a copy with the same Sharkshield.
I was wondering which Cheat engine you were using for Obverse flyff and if you could develop a new one for Dravelinex flyff :) (New server).
10/28/2016 23:52 /Aiden\#14
Quote:
Originally Posted by Pkersawboy View Post
Hey, thanks for the bypass :), I know Obverse shut down but I'm playing on a pserver called Dravelinex which basically is a copy with the same Sharkshield.
I was wondering which Cheat engine you were using for Obverse flyff and if you could develop a new one for Dravelinex flyff :) (New server).

Jesus, that server sucks even more than my ExGf. But well okay, some people just like nasty stuff.

1) Start Client - Do NOT log in
2) Start Bypass - AS ADMIN
3) Log in
4) Have Fun

Download: [Only registered and activated users can see links. Click Here To Register...]
10/29/2016 19:54 EliteGermanremix#15
What can I do with cheat engine after that? I don't have any knowledge or ideas, if anyone could help me.