Sorry about the delay, had a fever for most of the week (-> I was lying down most of the time)
I won't go into that much detail in this one, but I'll give you guys the "tools" to keep it patched.
[Making Conquer.exe NON-DC]
0. Backup the Conquer.exe
1. Open Conquer in OllyDBG and let it analyze the code.
2. Find a code block that looks like this
Code:
004A6830 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
004A6832 |. 6A 00 PUSH 0
004A6834 |. 6A 00 PUSH 0
004A6836 |. 68 0000FF00 PUSH 0FF0000
004A683B |. 68 D5070000 PUSH 7D5
004A6840 |. 68 B7860100 PUSH 186B7
004A6845 |> 8BC8 MOV ECX,EAX
3. Easiest way to find it is the find command (Ctrl + F) for that PUSH 186B7
4. A couple of lines above that there should be a code block that looks like this
Code:
004A67FD |. 89BD ECFEFFFF MOV DWORD PTR SS:[EBP-114],EDI
004A6803 |. 8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX
004A6809 |. 899D FCFEFFFF MOV DWORD PTR SS:[EBP-104],EBX
004A680F |. E8 30560400 CALL <JMP.&WINMM.timeGetTime>
004A6814 |. 8D8D ECFEFFFF LEA ECX,DWORD PTR SS:[EBP-114]
004A681A |. 8985 14FFFFFF MOV DWORD PTR SS:[EBP-EC],EAX
5. Notice the CALL to the WINMM jmp.
6. Next, what we need to do is make the exe jump to our own code instead of that call.
7. We need to find a place with room for 20 bytes (example: from 500000 to 500020)
8. Scroll to almost the bottom of the Conquer.exe module and you should see lines like this (note the addresses)
Code:
00524C54 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00524C57 . 83C1 08 ADD ECX,8
00524C5A .^E9 3B31FBFF JMP Conquer.004D7D9A
00524C5F . B8 108C5500 MOV EAX,Conquer.00558C10
00524C64 .^E9 C1B2FCFF JMP <JMP.&MSVCRT.__CxxFrameHandler>
00524C69 00 DB 00
00524C6A 0000 ADD BYTE PTR DS:[EAX],AL
00524C6C 0000 ADD BYTE PTR DS:[EAX],AL
00524C6E 0000 ADD BYTE PTR DS:[EAX],AL
00524C70 0000 ADD BYTE PTR DS:[EAX],AL
00524C72 0000 ADD BYTE PTR DS:[EAX],AL
00524C74 0000 ADD BYTE PTR DS:[EAX],AL
00524C76 0000 ADD BYTE PTR DS:[EAX],AL
00524C78 0000 ADD BYTE PTR DS:[EAX],AL
00524C7A 0000 ADD BYTE PTR DS:[EAX],AL
00524C7C 0000 ADD BYTE PTR DS:[EAX],AL
9. ADD BYTE PTR DS:[EAX],AL might show up as DB 00 for you guys, ignore that.
10. We start writing our own code at 00524C6A
11. Hit Ctrl + E and type these into the HEX part of the window that just came up. Leave out the 0x prefixes and the commas
Code:
0x81, 0x05, 0xB0, 0xEF, 0x56, 0x00, 0x6A, 0x04,
0x00, 0x00, 0xA1, 0xB0, 0xEF, 0x56, 0x00, 0xE9,
0x96, 0x1B, 0xF8, 0xFF
12. So just write 81 05 B0 EF and so on..
13. After that the codeblock should look like this
Code:
00524C6A 8105 B0EF5600 6A040000 ADD DWORD PTR DS:[56EFB0],46A
00524C74 A1 B0EF5600 MOV EAX,DWORD PTR DS:[56EFB0]
00524C79 ^E9 961BF8FF JMP Conquer.004A6814
14. Note that we add 46A (hex) to a value at a static location, then mov that value into EAX
15. Note the address it jumps to; it should be exactly one line BELOW the call to timeGetTime()
16. It jumps to code that looks like this (should be familiar from before)
Code:
004A6814 |. 8D8D ECFEFFFF LEA ECX,DWORD PTR SS:[EBP-114]
17. What we now need to do is change the CALL to jump to our own code that we just wrote. Remember the address?
18. We replace this
Code:
004A680F |. E8 30560400 CALL <JMP.&WINMM.timeGetTime>
with
Code:
004A680F E9 56E40700 JMP Conquer.00524C6A
19. Now every time the jump function "tries" to call the old timeGetTime, it jumps to our code instead, which holds lastjumptime+46A and moves it into EAX; at some point the client adds it to the packet (lazy mofos not doing a server side check)
20. Now it'd be really nice if people didn't start making shitloads of these non-DC things here, there are already a couple working.
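Since step 19 comes down to the server trusting the client's own tick, here is what the missing server side check would look like. This is an added example, not code from the original post or from the game: class, function and threshold names are all assumed, and the sample packets are constructed.

```python
# Server-side jump cooldown that does not trust the client's timestamp.
# The patched client reports a tick that grows by exactly 0x46A (1130) per
# jump no matter what the real clock says, so the server enforces the
# cooldown with its own clock and flags ticks that run ahead of real time.
# Names and thresholds here are assumptions, not the game's own values.

JUMP_COOLDOWN_MS = 0x46A   # the constant the patch adds per jump
MAX_LEAD_MS = 500          # tolerated lead of client tick over server time


class JumpValidator:
    """Tracks one client's jumps using the server's monotonic clock."""

    def __init__(self, cooldown_ms=JUMP_COOLDOWN_MS, max_lead_ms=MAX_LEAD_MS):
        self.cooldown_ms = cooldown_ms
        self.max_lead_ms = max_lead_ms
        self.last_server_ms = None   # server time of the last accepted jump
        self.offset = None           # client_tick - server_ms at first jump
        self.flags = []              # anomaly reasons, for logging

    def jump(self, client_tick, server_ms):
        """Return True if the jump is allowed, judged by server time only."""
        if self.offset is None:
            self.offset = client_tick - server_ms
        # Detection: a client tick that pulls ahead of the real clock is the
        # fingerprint of a fabricated timestamp.
        lead = (client_tick - server_ms) - self.offset
        if lead > self.max_lead_ms:
            self.flags.append(f"tick leads server clock by {lead} ms")
        # Mitigation: enforce the cooldown with server time regardless of
        # what the client claims.
        if (self.last_server_ms is not None
                and server_ms - self.last_server_ms < self.cooldown_ms):
            return False
        self.last_server_ms = server_ms
        return True


def replay(validator, packets):
    """packets: list of (client_tick, server_ms); returns the verdicts."""
    return [validator.jump(c, s) for c, s in packets]


# Constructed sample: patched client jumping every 300 ms of real time while
# reporting ticks that grow by exactly 0x46A each jump.
PATCHED_CLIENT = [(10000 + i * 0x46A, 50000 + i * 300) for i in range(5)]
# Constructed sample: honest client whose tick tracks real time, 1200 ms apart.
HONEST_CLIENT = [(10000 + i * 1200, 50000 + i * 1200) for i in range(5)]
```

Replaying PATCHED_CLIENT through a fresh JumpValidator accepts only the first and last jump and records four lead warnings, while HONEST_CLIENT passes clean.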
If there is anything you'd like to ask me about, please go ahead