Register for your free account! | Forgot your password?

Go Back   elitepvpers > MMORPGs > Archlord
You last visited: Today at 06:59

  • Please register to post and access all features, it's quick, easy and FREE!


[Source C/C++] x64 GameGuard DLL

Reply
 
Old   #1
 
elite*gold: 0
Join Date: Oct 2015
Posts: 112
Received Thanks: 74
[Source C/C++] Bypass GameGuard [x64]

hi,
Since I'm most likely leaving the scene of making these tools (apart from my macro if anyone is interested.), I'll be releasing a library that can be used to bypass all of GameGuard's protection methods on x64 Win7+.

I've document the 2 files in there as much as I could.
The source code also contains a rather useful header containing some native functions and some custom C and NT/WIN API functions.

Note that you need to compile in x86, I haven't tested it in x64 and most likely something will go wrong.

So this means that you need your AutoIt, C# or whatever other compiler to compile for x86 otherwise LdrLoadDll/LoadLibraryA won't return a handle.

Edit: I'll make a x64 version of this soon.
Edit 2: I forgot that VS Inline ASM does not support x64, so nevermind, 64bit wont be around.

If you don't want to compile the dll, you can go to Release/ and pick it up there.

The exported functions are:
  • extCloseHandle
  • extGetCursorPos
  • extGetProcessActive
  • extGetProcessBaseAddress
  • extGetProcessImageSize
  • extGetWindowThreadProcessId
  • extOpenProcess
  • extPostMessageA/W
  • extSendMessageA/W
  • extWriteMemory
  • extReadMemory
  • extGetModuleHandleA/W

Note that I called this DLL "GameGuard" but well that doesn't really matter at all. I'm not very creative.

Quick and simple example use for C# coming up.

Import the library exports.
Code:
[DllImport("GameGuard.dll")]
private static extern bool extSendMessageA(IntPtr hWnd, uint msg, uint wParam, IntPtr lParam);

[DllImport("GameGuard.dll")]
private static extern IntPtr extOpenProcess(uint processId);

[DllImport("GameGuard.dll")]
private static extern bool extReadMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize,
    out int lpNumberOfBytesRead);

[DllImport("GameGuard.dll")]
private static extern bool extWriteMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);

[DllImport("GameGuard.dll")]
private static extern IntPtr extGetProcessBaseAddress(IntPtr hProcess);

[DllImport("GameGuard.dll")]
private static extern IntPtr extGetProcessImageSize(IntPtr hProcess);

[DllImport("GameGuard.dll")]
private static extern bool extCloseHandle(IntPtr hObject);
        
[DllImport("user32.dll", CharSet = CharSet.Auto)]
private static extern int MapVirtualKey(int uCode, int uMapType);

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
private static extern int VkKeyScan(char ch);
Typedef some game addresses:
Code:
public static class Defines
{
    public static IntPtr AddressTargetBase = new IntPtr(0xD00C84); /* VA */
    public static IntPtr AddressCharacterBase = new IntPtr(0xD00B14); /* VA */
        
    public static IntPtr LocalBar = new IntPtr(0x5412B0); /* RVA */
}
Declare our helper functions:
Code:
private static string GetString(byte[] buffer)
{
    if (buffer.Length == 0 || buffer[0] == '\0')
    {
        return string.Empty;
    }

    var strBuilder = new StringBuilder();
    foreach (var b in buffer)
    {
        if (b == '\0')
        {
            break;
        }

        strBuilder.Append((char)b);
    }
    return strBuilder.ToString();
}

/* gets the VK equivalent of the '~' key. */
private static byte GetUpKey()
{
    return (byte)MapVirtualKey(0x29, 1);
}

private static byte[] ToByteArray(object value, uint maxLength)
{
    int rawsize = Marshal.SizeOf(value);
    byte[] rawdata = new byte[rawsize];
    GCHandle gcHandle;

    if ((gcHandle = GCHandle.Alloc(rawdata,
        GCHandleType.Pinned)) == null)
    {
        throw new Exception("Not enough RAM memory available.");
    }

    Marshal.StructureToPtr(value,
        gcHandle.AddrOfPinnedObject(),
        false);

    gcHandle.Free();

    if (maxLength < rawdata.Length)
    {
        byte[] temp = new byte[maxLength];
        Array.Copy(rawdata, temp, maxLength);
        return temp;
    }
    else
    {
        return rawdata;
    }
}
Declare our reading and writing functions for pointers.
Code:
private static T Read<T>(IntPtr hProcess, IntPtr dwBaseAddress, int[] offsets = null, bool IsRVA = false)
{
    int bytesRead;
    object ret;
    var size = typeof(T) != typeof(string) ? (uint)Marshal.SizeOf(typeof(T)) : 30;

    if (offsets == null)
    {
        offsets = new int[0];
    }

    if (IsRVA)
    {
        IntPtr ImageBaseAddress;
        if ((ImageBaseAddress = extGetProcessBaseAddress(hProcess)) == IntPtr.Zero)
        {
            return default(T);
        }

        dwBaseAddress = IntPtr.Add(dwBaseAddress, (int)ImageBaseAddress);
    }

    var buffer = new byte[size];
    extReadMemory(hProcess, dwBaseAddress, buffer, size, out bytesRead);
    foreach (int offset in offsets)
    {
        dwBaseAddress = new IntPtr(BitConverter.ToInt32(buffer, 0));
        extReadMemory(hProcess, dwBaseAddress + offset, buffer, size, out bytesRead);
    }

    switch (Type.GetTypeCode(typeof(T)))
    {
        case TypeCode.Boolean:
            ret = BitConverter.ToBoolean(buffer, 0);
            break;
        case TypeCode.Char:
            ret = BitConverter.ToChar(buffer, 0);
            break;
        case TypeCode.Byte:
            ret = buffer[0];
            break;
        case TypeCode.Int16:
            ret = BitConverter.ToInt16(buffer, 0);
            break;
        case TypeCode.UInt16:
            ret = BitConverter.ToUInt16(buffer, 0);
            break;
        case TypeCode.Int32:
            ret = BitConverter.ToInt32(buffer, 0);
            break;
        case TypeCode.UInt32:
            ret = BitConverter.ToUInt32(buffer, 0);
            break;
        case TypeCode.Int64:
            ret = BitConverter.ToInt64(buffer, 0);
            break;
        case TypeCode.UInt64:
            ret = BitConverter.ToUInt64(buffer, 0);
            break;
        case TypeCode.Single:
            ret = BitConverter.ToSingle(buffer, 0);
            break;
        case TypeCode.Double:
            ret = BitConverter.ToDouble(buffer, 0);
            break;
        case TypeCode.String:
            ret = GetString(buffer);
            break;
        default:
            throw new NotSupportedException(
                $"{typeof(T).FullName} is not currently supported by this function.");
    }
            
    return (T)ret;
}
Code:
private static bool Write<T>(T value, IntPtr hProcess, IntPtr dwBaseAddress, int[] offsets, bool IsRVA = false)
{
    int bytesRead;

    if (IsRVA)
    {
        IntPtr ImageBaseAddress;
        if ((ImageBaseAddress = extGetProcessBaseAddress(hProcess)) == IntPtr.Zero)
        {
            return false;
        }

        dwBaseAddress = IntPtr.Add(dwBaseAddress, (int)ImageBaseAddress);
    }

    var buffer = new byte[4];
    extReadMemory(hProcess, dwBaseAddress, buffer, 4, out bytesRead);
    for (int i = 0; i < offsets.Length - 1; i++)
    {
        dwBaseAddress = new IntPtr(BitConverter.ToInt32(buffer, 0) + offsets[i]);
        extReadMemory(hProcess, dwBaseAddress, buffer, 4, out bytesRead);
    }

    dwBaseAddress = new IntPtr(BitConverter.ToInt32(buffer, 0) + offsets[offsets.Length - 1]);

    var size = (uint)Marshal.SizeOf(typeof(T));
    byte[] val = ToByteArray(value, size);

    IntPtr lpBytesWritten;
    bool retn = extWriteMemory(hProcess, dwBaseAddress, val, val.Length, out lpBytesWritten);

    return retn;
}
And finally some example use for some things you might want to use in archlord.
Code:
public static void Main(string[] args)
{
    var alefClients = Process.GetProcessesByName("alefclient");
    if (alefClients.Length == 0)
    {
        Console.WriteLine("Archlord is not running.");
        return;
    }

    var client = alefClients[0];

    IntPtr windowHandle = client.MainWindowHandle;
    if (windowHandle == IntPtr.Zero)
    {
        Console.WriteLine($"Could not get window handle of {client.Id}");
        return;
    }

    IntPtr hProcess;
    if ((hProcess = extOpenProcess((uint)client.Id)) == IntPtr.Zero)
    {
        Console.WriteLine($"Could not open the process {client.Id}");
        return;
    }

    IntPtr ImageSize;
    if ((ImageSize = extGetProcessImageSize(hProcess)) == IntPtr.Zero)
    {
        Console.WriteLine($"Could not get image size {client.Id}");
        extCloseHandle(hProcess);
        return;
    }

    IntPtr ImageBaseAddress;
    if ((ImageBaseAddress = extGetProcessBaseAddress(hProcess)) == IntPtr.Zero)
    {
        Console.WriteLine($"Could not get image base address {client.Id}");

        extCloseHandle(hProcess);
        return;
    }

    int currentBarIndex = Read<int>(hProcess, Defines.LocalBar, new[] { 0x1440 }, true);
    Console.WriteLine($"Current bar number: {currentBarIndex + 1}.");

    /* let's go up 1 bar */
    byte keyUp = GetUpKey();

    extSendMessageA(windowHandle, 0x100, keyUp, new IntPtr((MapVirtualKey(keyUp, 0) << 16) & 0x00FF0000));

    /* wait a bit */
    Thread.Sleep(50);

    currentBarIndex = Read<int>(hProcess, Defines.LocalBar, new[] { 0x1440 }, true);
    Console.WriteLine($"new bar number: {currentBarIndex + 1}.");

    /* we can set back the number through memory, however this wont update it graphically */
    bool success = Write(currentBarIndex - 1, hProcess, Defines.LocalBar, new[] { 0x1440 }, true);
    if (success)
    {
        currentBarIndex = Read<int>(hProcess, Defines.LocalBar, new[] { 0x1440 }, true);
        Console.WriteLine($"We're back on bar {currentBarIndex + 1}.");
    }
    else
    {
        Console.Write($"Couldn't write the memory.");
    }

    string targetName = Read<string>(hProcess, Defines.AddressTargetBase, new[] { 0xca4, 0x5c, 0x54, 0x74, 0xb8, 0x0 });
    if (targetName == string.Empty)
    {
        /* monsters have this set to null so lets grab their name */
        targetName = Read<string>(hProcess, Defines.AddressTargetBase, new[] { 0xc94, 0x34, 0x30 });
    }

    if (targetName != string.Empty)
    {
        Console.WriteLine($"Your target's name is: {targetName}");
    }
    else
    {
        Console.WriteLine("You have no target.");
    }

    /* cleanup */
    extCloseHandle(hProcess);
}
In AutoIt it should work exactly the same, import the exports, and use them similarly how I presented them in C#.

For C/C++ you can just take a look at the source code and do whatever you like.

That'll be all, have fun; hope somebody makes tools out of this.

Update: added a nicer example for c#.
Attached Files
File Type: rar External Library.rar (1.41 MB, 233 views)



Synestraa is offline  
Thanks
9 Users
Old 08/08/2016, 21:01   #2
 
elite*gold: 0
Join Date: Oct 2015
Posts: 112
Received Thanks: 74
The library is now called Highcall.

I'll post it in github in a few days.

Lots of new features added including manual mapping 32bit dlls.



Currently a .lib for C++.

Added support for x64, still undergoing testing though. Wow64 is re-done as well, new way of calling those.

x86 Is being worked on.


Synestraa is offline  
Thanks
2 Users
Old 11/09/2016, 03:23   #3
 
elite*gold: 0
Join Date: May 2011
Posts: 4
Received Thanks: 0
how to use . Extrenal Library
kiyaz666 is offline  
Old 11/09/2016, 13:21   #4
 
elite*gold: 0
Join Date: Oct 2015
Posts: 112
Received Thanks: 74
Quote:
Originally Posted by kiyaz666 View Post
how to use . Extrenal Library
For what language? There is an example shown for C#. On github there is an example for C/C++.


Synestraa is offline  
Old 11/09/2016, 14:48   #5
 
elite*gold: 0
Join Date: May 2011
Posts: 4
Received Thanks: 0
i'm not have C#, you want share ?
or u have bypass for all version Gameguard for 12sky2 thailand.
i try trick suspend, 10 minute before suspend, after suspend from 10 minute, game disconnect and crash bro.
u have dll. gameguard ?
thanks
kiyaz666 is offline  
Old 11/09/2016, 17:42   #6
 
elite*gold: 0
Join Date: Oct 2015
Posts: 112
Received Thanks: 74
If you are looking to get around gameguard's protection methods against reading, writing protection, you can just use this dll or highcall library. If you want me to make you a bypass to remove gameguard itself, that's not gonna happen as long as it has a heartbeat. I do not have an emulator for the beat.


Synestraa is offline  
Reply



« how to make alefpatch ? | WTB BOT Classic AL »

Similar Threads
[Selling] Source V19 like official + Multilanguage + GameGuard
12/16/2014 - Fly For Fun Trading - 8 Replies
#1-Source Like v19 + GameGuard(OnlyClient) Special Remaining : OUT OF SELL Server + Client + Source v19 (98% of all system official) + GameGuard ENGLISH(No Source of this) + NO BACKDOOR http://www11.pic-upload.de/02.12.14/1i3hjdzipcor.jpg http://www11.pic-upload.de/02.12.14/tvzoqxa4cz.jpg http://www11.pic-upload.de/02.12.14/ewk496psadc1.jpg
GoH Source Gameguard error...
05/17/2014 - Flyff PServer - Discussions / Questions - 3 Replies
wegen dem Error kann ich mich glaub nicht in die world einloggen. NO_GAMEGUARD ist auskommentiert und habe auf Release Compiled http://i.epvpimg.com/UXJMc.png
[Release] Itak Gameguard Source
04/14/2013 - Flyff PServer Guides & Releases - 9 Replies
close
[Release] Source Gameguard
11/08/2012 - Flyff PServer Guides & Releases - 5 Replies
Hallo Leute Hier ein Source Gameguard von Yoshii hab ich auf meinem Root gefunden Anleitung ist in der Rar Datei Download: Klick Hier Have Fun



All times are GMT +1. The time now is 06:59.


Powered by vBulletin®
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.

Support | Contact Us | FAQ | Advertising | Privacy Policy | Abuse
Copyright ©2018 elitepvpers All Rights Reserved.