OllyDBG & CO

Discussion on OllyDBG & CO within the CO2 Programming forum part of the Conquer Online 2 category.

 
Old 08/17/2008, 15:13   #16
 
[Removing the popup(s)]

1. Back up your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)

3. Right click -> Search for -> All referenced text strings -> "co.91.com" > Double click it > You should see lines like this

Code:
00477A9F   > 68 F4E05500    PUSH Conquer.0055E0F4                    ;  ASCII "http://co.91.com/signout/"
00477AA4   . E9 DB000000    JMP Conquer.00477B84
00477AA9   > FFD7           CALL EDI
00477AAB   . 8B10           MOV EDX,DWORD PTR DS:[EAX]
4. Click this line
Code:
00477AA4   . E9 DB000000    JMP Conquer.00477B84
5. Push enter (It follows the jmp)
6. Now you should see lines like this
Code:
00477B84     53             PUSH EBX                                 ; |Operation
00477B85     FF76 20        PUSH DWORD PTR DS:[ESI+20]               ; |hWnd
00477B88     FF15 78565200  CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; ShellExecuteA
7. Select all of those lines > Right Click > Binary > Fill with NOPs

8. After that the view in ollydbg should be like this
Code:
00477B84     90             NOP                                      ; |Operation
00477B85     90             NOP                                      ; |hWnd
00477B86     90             NOP
00477B87     90             NOP
00477B88     90             NOP                                      ; ShellExecuteA
00477B89     90             NOP
00477B8A     90             NOP
00477B8B     90             NOP
00477B8C     90             NOP
00477B8D     90             NOP
9. Right click > Search for > All referenced text strings > Search for next

10. Double click the line and you should see lines like this
Code:
00477FED   > 68 F4E05500    PUSH Conquer.0055E0F4                    ;  ASCII "http://co.91.com/signout/"
00477FF2   . E9 DB000000    JMP Conquer.004780D2
11. Click this line
Code:
00477FF2   . E9 DB000000    JMP Conquer.004780D2
12. Hit enter to follow the jmp and you should come to lines like these
Code:
004780D2     53             PUSH EBX                                 ; |Operation
004780D3     FF76 20        PUSH DWORD PTR DS:[ESI+20]               ; |hWnd
004780D6     FF15 78565200  CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; ShellExecuteA
13. Select those lines > Right Click > Binary > Fill with NOPs the lines should look like this
Code:
004780D2     90             NOP                                      ; |Operation
004780D3     90             NOP                                      ; |hWnd
004780D4     90             NOP
004780D5     90             NOP
004780D6     90             NOP                                      ; ShellExecuteA
004780D7     90             NOP
004780D8     90             NOP
004780D9     90             NOP
004780DA     90             NOP
004780DB     90             NOP
14. Now just save the file (Right click > Copy to executable > All modifications > Copy all > Right click > Save file > Browse for save location)
tanelipe is offline  
Old 08/17/2008, 19:00   #17
 
Quote:
I'm not sure why it would cause that, have you tried other multiclients and were you able to open more than 8 ?
Yeah, I already tried with all multiclients possible. I tested on Windows XP SP2 & SP3, and tested it on 2 friends' computers, and the same thing happened,
and here is the PC config from the PCs where I tested:

PC 1 (mine): Athlon X2 2.2 GHz, 2 GB RAM, 160 GB HD, GeForce 8500 GT 256 MB VGA, Windows XP SP3
PC 2: Athlon X2 2.5 GHz, 4 GB RAM, 160 GB HD, GeForce 6800 XT 256 MB VGA, Windows XP SP2
PC 3: Intel Core 2 Duo 2.0 GHz, 2 GB RAM, 250 GB HD, GeForce 8500 GT 512 MB VGA

I'm asking you that because nobody knows how to fix it. Before patch 5022 it was possible to log in a lot of accounts; now they did something and we can only log in 8 with multiclient.

If you can do something it will help a lot; if you can't, no problem. Thank you for your time again.

PS: If you need it, I can make a video so you can see what really happens.
32991304 is offline  
Old 08/17/2008, 19:20   #18
 
Removing the "server.dat is damaged" message so we can connect to private servers/proxies.
Do it manually rather than downloading those patched binaries.

1. Open Conquer in OllyDbg, then load the conquer module into the main CPU window.
2. Right click->Search for->All intermodular calls
3. Click the Destination header to sort alphabetically, then scroll down till you see WS2_32.inet_addr in the destination column (There should be more than one instance of it.)
4. Click on each instance and look at the code. In my version there are 3 calls to inet_addr, but we only need 2 of those.

Code:
00432A16  |. FF15 50375200  CALL DWORD PTR DS:[<&WS2_32.#11>]; inet_addr
00432A1C  |. 83F8 FF        CMP EAX,-1
00432A1F  |. 74 08          JE SHORT Conquer.00432A29
00432A21     3C 7F          CMP AL,7F
00432A23  |. 75 04          JNZ SHORT Conquer.00432A29
00432A25  |. 6A 01          PUSH 1
00432A27  |. 58             POP EAX
00432A28  |. C3             RETN
Code:
004E251C   . E8 6BCCF9FF    CALL <JMP.&WS2_32.#11>; inet_addr
004E2521   . 83F8 FF        CMP EAX,-1
004E2524   . 74 79          JE SHORT Conquer.004E259F
004E2526     3C 7F          CMP AL,7F
004E2528   . 74 75          JE SHORT Conquer.004E259F
004E252A   . 8B86 04040000  MOV EAX,DWORD PTR DS:[ESI+404]
004E2530   . 8BCB           MOV ECX,EBX
004E2532   . FF70 1C        PUSH DWORD PTR DS:[EAX+1C]
The inet_addr function converts an IP string into a 32-bit integer, for example, 127.0.0.1 becomes 7f 00 00 01.
In the above code, the comparison to localhost is done on the CMP AL,7F line. To skip this comparison we can just replace that instruction with NOP (no operation). Make sure you check "Fill with NOPs" in Olly, because the original instruction is 2 bytes, and thus you need to place 2 NOP instructions there to cover it.

The new code will look like this:

Code:
00432A16  |. FF15 50375200  CALL DWORD PTR DS:[<&WS2_32.#11>]; inet_addr
00432A1C  |. 83F8 FF        CMP EAX,-1
00432A1F  |. 74 08          JE SHORT Conquer.00432A29
00432A21     90             NOP
00432A22     90             NOP
00432A23  |. 75 04          JNZ SHORT Conquer.00432A29
00432A25  |. 6A 01          PUSH 1
00432A27  |. 58             POP EAX
00432A28  |. C3             RETN
Do the same for the second one. Job done.
unknownone is offline  
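Added example for posts #16 and #18 (not from the thread, and not tanelipe's or unknownone's code): a small Python patcher that applies the same NOP fills to the file on disk instead of clicking through OllyDbg, checking first that the original bytes are really there so it refuses a different client version, plus an emulation of the inet_addr / CMP AL,7F check that shows why AL is the first octet. The image base, section table and sample image are constructed for the example; for the real Conquer.exe read them from the PE headers (for instance with pefile).

```python
"""
Added example, not from the thread: file patcher for the two NOP-fill edits in
posts #16 (ShellExecuteA popups) and #18 (CMP AL,7F loopback checks).  The image
base, section table and sample image are CONSTRUCTED for this example; for a real
Conquer.exe read the section headers from the PE instead.
"""
import socket
import struct

IMAGE_BASE = 0x00400000  # assumed; read IMAGE_OPTIONAL_HEADER.ImageBase from the real file

# Constructed section table: (name, VirtualAddress, PointerToRawData, SizeOfRawData).
SECTIONS = [
    (".text", 0x00001000, 0x00000400, 0x00100000),
]


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a virtual address as shown in OllyDbg to an offset in the file on disk."""
    rva = va - image_base
    for _name, vaddr, raw_off, raw_size in sections:
        if vaddr <= rva < vaddr + raw_size:
            return raw_off + (rva - vaddr)
    raise ValueError("VA %#x is not backed by file data" % va)


# (VA, bytes that must be there before patching).  Every byte becomes 0x90 (NOP),
# so the patch is exactly as long as the instructions it removes and the next
# instruction stays aligned.  Byte strings copied from the OllyDbg listings.
NOP_PATCHES = [
    (0x00477B84, bytes.fromhex("53 FF7620 FF1578565200")),  # PUSH EBX / PUSH [ESI+20] / CALL ShellExecuteA
    (0x004780D2, bytes.fromhex("53 FF7620 FF1578565200")),  # same sequence, second popup
    (0x00432A21, bytes.fromhex("3C7F")),                     # CMP AL,7F  (post #18, first site)
    (0x004E2526, bytes.fromhex("3C7F")),                     # CMP AL,7F  (post #18, second site)
]


def apply_nop_patches(image, patches=NOP_PATCHES):
    """Return a patched copy of `image`; refuse to touch a file whose bytes differ."""
    buf = bytearray(image)
    for va, expected in patches:
        off = va_to_file_offset(va)
        found = bytes(buf[off:off + len(expected)])
        if found != expected:
            raise ValueError("at %#x found %s, expected %s (different client version?)"
                             % (va, found.hex(), expected.hex()))
        buf[off:off + len(expected)] = b"\x90" * len(expected)
    return bytes(buf)


def make_sample_image():
    """Constructed stand-in for Conquer.exe: zeros with the original bytes planted
    at the four patch sites, large enough to cover the .text section above."""
    buf = bytearray(0x400 + 0x100000)
    for va, original in NOP_PATCHES:
        off = va_to_file_offset(va)
        buf[off:off + len(original)] = original
    return bytes(buf)


def loopback_check(ip):
    """Emulate 'CALL inet_addr / CMP EAX,-1 / CMP AL,7F' from post #18.
    inet_addr returns the address in network byte order, so 127.0.0.1 is the
    bytes 7f 00 00 01 in memory, which read as a little-endian dword in EAX is
    0x0100007F.  AL is therefore the FIRST octet, which is why one byte compare
    catches the whole 127.0.0.0/8 range.  Returns (eax, taken_as_loopback)."""
    try:
        raw = socket.inet_aton(ip)
    except OSError:
        return 0xFFFFFFFF, False  # INADDR_NONE: the CMP EAX,-1 branch fires first
    eax = struct.unpack("<I", raw)[0]
    return eax, (eax & 0xFF) == 0x7F


if __name__ == "__main__":
    patched = apply_nop_patches(make_sample_image())
    off = va_to_file_offset(0x00477B84)
    print("ShellExecuteA site now:", patched[off:off + 10].hex())
    print("127.0.0.1 ->", loopback_check("127.0.0.1"))
    print("10.0.0.5  ->", loopback_check("10.0.0.5"))
```

The check on the original bytes is the part worth keeping: Olly will happily let you NOP whatever happens to sit at 00477B84 in a newer client, while this refuses and tells you the addresses have moved.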
Old 08/17/2008, 19:40   #19
 
It's not just the 127.*.*.* checks anymore, they check whether it's a valid TQ server IP (so I think at least)
tanelipe is offline  
Old 08/17/2008, 22:44   #20
 
I decided to try the server.dat remover and couldn't find WS2_32.inet_addr.
I did Search for -> All intermodular calls and sorted alphabetically, and couldn't find it.
There is
ws2_32.msac = 4 of them
ws2_32.wsaf
ws2_32.wsag = 6 of them
ws2_32.wsas = 2 of them

What am I doing wrong? Did I miss something? Or what version are you looking at?

::EDIT:: I got the GM/PM to work. So am I just wasting my time by doing what unknown said?
Real~Death is offline  
Old 08/17/2008, 23:18   #21
 
Hmm. I was using an old client, but I just updated and it still works. My guess is you don't have the conquer module in the CPU window. Go to view->Executable modules, and then select conquer from the list.
The alphabetical sorting doesn't include the module name, in this case WS2_32, so just look for inet_addr in there.

Quote:
Originally Posted by tanelipe View Post
It's not just the 127.*.*.* checks anymore, they check wether it's a valid TQs Server IP (So I think atleast)
That wouldn't really make sense; the whole point of having a text file containing the IP addresses is that it's easy to update without releasing patched binaries each time. They wouldn't hard-code any specific IP checks, only discard certain IP ranges and such. Try it anyway, it works fine for any IP I've tried (loopback, private LAN addresses etc.)
unknownone is offline  
Old 08/17/2008, 23:50   #22
 
My fault, I was looking for WS2_32.inet_addr thinking that the ws2_32 was in alphabetical order; this time I found it :P and it worked.
Thanks
Real~Death is offline  
Old 08/18/2008, 00:23   #23
 
All I can say is

thanks thanks thanks thanks thanks a lot

+K

the best thread I've ever seen

sorry for my English :S
khaled_10 is offline  
Old 08/18/2008, 10:18   #24
 
Quote:
Originally Posted by unknownone View Post
That wouldn't really make sense, the whole point on having a text file containing the IP addresses is it's easy to update without releasing patched binaries each time. They wouldn't hard code any specific IP checks, only discard certain IP ranges and such. Try it anyway, works fine for any IP i've tried (loopback, private lan addresses etc)
If that's the case I apologize; it probably was my ignorance that caused me to think that there were other checks (I only noticed the first of the 127 checks, bypassed that and expected it to work; since it didn't, I thought there were other checks too).

Nice example however.
tanelipe is offline  
Old 08/18/2008, 23:15   #25
 
Any more tuts on using Olly coming?
Real~Death is offline  
Old 08/19/2008, 00:03   #26
 
I could probably try explaining how the "NON-DC" speedhack method works and how to apply it in one of the programming languages. However I'd like it not to start shitloads of threads in the Exploits/Hacks/Tools section.

Other than that, anyone else got ideas what to write tutorial(s) about?
tanelipe is offline  
Old 08/19/2008, 00:13   #27
 
Yeah, I wanted to know how that worked, but also didn't want to ask because it's not really public yet, and everyone will just try and release "their own".


How about a tut on making .dll files for CO in C#?
Coder62 made one a long time ago in Delphi and I sort of understood but not really; high6 was supposed to write up a tut on it but never got around to it.

Anyway, thanks for all the help and info; this explained a lot. I never really understood most of the things Olly did or how to use them, but I'm starting to get it.
Real~Death is offline  
Old 08/19/2008, 12:36   #28
 
.DLL files for CO in C#: I'm not going to do that before we get __asm in C# (= never?), and I'm not that experienced with making .DLLs (ones that you inject; yesterday I managed to implement my own /commands but it ****** up the normal chat, and I was too lazy to figure out what caused it (probably the registers ******* up). I could however show how to do this for Service chat; I'd have to remove the 2 min waiting thing though.) I'm not gonna do the .DLL in C# though, I'll be using C++.

I'll start writing the tutorial on the NON-DC method; it should be released today.
tanelipe is offline  
Old 08/22/2008, 21:58   #29
 
Quote:
Originally Posted by tanelipe View Post

I'll start writing tutorial on the NON-DC method should be released today.
Any update on this, or did you decide not to release it?
Real~Death is offline  
Old 08/23/2008, 12:05   #30
 
Sorry about the delay, I had a fever for most of the week (-> I was lying down most of the time)

I won't go into that much detail in this one, but I'll give you guys the "tools" to keep it patched.

[Making Conquer.exe NON-DC]
0. Back up the Conquer.exe
1. Open Conquer in OllyDBG and let it analyze the code.

2. Find a code block that looks like this
Code:
004A6830  |. 8B10                       MOV EDX,DWORD PTR DS:[EAX]
004A6832  |. 6A 00                      PUSH 0
004A6834  |. 6A 00                      PUSH 0
004A6836  |. 68 0000FF00                PUSH 0FF0000
004A683B  |. 68 D5070000                PUSH 7D5
004A6840  |. 68 B7860100                PUSH 186B7
004A6845  |> 8BC8                       MOV ECX,EAX
3. The easiest way to find that is the find command (Ctrl + F) for that PUSH 186B7

4. A couple of lines above that there should be a code block that looks like this
Code:
004A67FD  |. 89BD ECFEFFFF              MOV DWORD PTR SS:[EBP-114],EDI
004A6803  |. 8985 F8FEFFFF              MOV DWORD PTR SS:[EBP-108],EAX
004A6809  |. 899D FCFEFFFF              MOV DWORD PTR SS:[EBP-104],EBX
004A680F  |. E8 30560400                CALL <JMP.&WINMM.timeGetTime>
004A6814  |. 8D8D ECFEFFFF              LEA ECX,DWORD PTR SS:[EBP-114]
004A681A  |. 8985 14FFFFFF              MOV DWORD PTR SS:[EBP-EC],EAX
5. Notice the CALL to the winmm jmp.

6. Next, what we need to do is make the exe jump to our own code instead of that call.

7. We need to find a place that has 20 free bytes (for example from 500000 to 500020)

8. Scroll to almost the bottom of the Conquer.exe module and you should see lines like this (note the addresses)
Code:
00524C54   . 8B4D F0                    MOV ECX,DWORD PTR SS:[EBP-10]
00524C57   . 83C1 08                    ADD ECX,8
00524C5A   .^E9 3B31FBFF                JMP Conquer.004D7D9A
00524C5F   . B8 108C5500                MOV EAX,Conquer.00558C10
00524C64   .^E9 C1B2FCFF                JMP <JMP.&MSVCRT.__CxxFrameHandler>
00524C69     00                         DB 00
00524C6A     0000                       ADD BYTE PTR DS:[EAX],AL
00524C6C     0000                       ADD BYTE PTR DS:[EAX],AL
00524C6E     0000                       ADD BYTE PTR DS:[EAX],AL
00524C70     0000                       ADD BYTE PTR DS:[EAX],AL
00524C72     0000                       ADD BYTE PTR DS:[EAX],AL
00524C74     0000                       ADD BYTE PTR DS:[EAX],AL
00524C76     0000                       ADD BYTE PTR DS:[EAX],AL
00524C78     0000                       ADD BYTE PTR DS:[EAX],AL
00524C7A     0000                       ADD BYTE PTR DS:[EAX],AL
00524C7C     0000                       ADD BYTE PTR DS:[EAX],AL
9. ADD BYTE PTR DS:[EAX],AL might show as DB 00 for you guys; ignore that.

10. We start writing our own code at 00524C6A

11. Hit Ctrl + E and type these into the HEX part of the window that just came up. Don't type the 0x prefixes or the commas
Code:
0x81, 0x05, 0xB0, 0xEF, 0x56, 0x00, 0x6A, 0x04, 
0x00, 0x00, 0xA1, 0xB0, 0xEF, 0x56, 0x00, 0xE9, 
0x96, 0x1B, 0xF8, 0xFF
12. So just write 81 05 B0 EF and so on..

13. After that the codeblock should look like this
Code:
00524C6A     8105 B0EF5600 6A040000     ADD DWORD PTR DS:[56EFB0],46A
00524C74     A1 B0EF5600                MOV EAX,DWORD PTR DS:[56EFB0]
00524C79    ^E9 961BF8FF                JMP Conquer.004A6814
14. Note that we add 46A (hex) to a static location, then mov it to eax

15. Note the address it jumps to; it should be exactly one line BELOW the call to timeGetTime()

16. It jumps to code that looks like this (Should be familiar from before)
Code:
004A6814  |. 8D8D ECFEFFFF              LEA ECX,DWORD PTR SS:[EBP-114]
17. What we now need to do is change the CALL to jump to our own code that we just wrote. Remember the address?

18. We replace this
Code:
004A680F  |. E8 30560400                CALL <JMP.&WINMM.timeGetTime>
with
Code:
004A680F     E9 56E40700                JMP Conquer.00524C6A
19. Now every time the function "tries" to call the old timeGetTime, it jumps to our code, which holds lastjumptime+46A, and then moves it to eax; at some point it'll add it to the packet (lazy mofos not doing a server-side check)

20. Now it'd be really nice if people didn't start making shitloads of these nondc things here; there are already a couple working.

If there is anything you'd like to ask me about, please go ahead



EDIT* Applying this to a programming language (C#)
Code:
using System;
using System.Runtime.InteropServices;

static class NonDc
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, int nSize, IntPtr lpNumberOfBytesWritten);

    // Process handle from OpenProcess() with PROCESS_VM_WRITE | PROCESS_VM_OPERATION
    // (WriteProcessMemory needs a process handle, not a window handle).
    public static IntPtr hProcess;

    static readonly IntPtr JumpLoc = (IntPtr)0x4A680F; // CALL <JMP.&WINMM.timeGetTime>
    static readonly IntPtr CodeLoc = (IntPtr)0x524C6A; // unused bytes at the end of the module

    static readonly byte[] JumpEnabled  = { 0xE9, 0x56, 0xE4, 0x07, 0x00 }; // JMP Conquer.00524C6A
    static readonly byte[] JumpDisabled = { 0xE8, 0x30, 0x56, 0x04, 0x00 }; // the original CALL
    static readonly byte[] CodeNormal   = new byte[20];                      // the 20 bytes were 00 before
    static readonly byte[] CodeNDC =
    {
        0x81, 0x05, 0xB0, 0xEF, 0x56, 0x00, 0x6A, 0x04,   // ADD DWORD PTR DS:[56EFB0],46A
        0x00, 0x00, 0xA1, 0xB0, 0xEF, 0x56, 0x00, 0xE9,   // MOV EAX,DWORD PTR DS:[56EFB0] / JMP
        0x96, 0x1B, 0xF8, 0xFF                            // Conquer.004A6814
    };

    public static void WriteNONDc(bool enabled)
    {
        if (enabled)
        {
            // Write the cave before the jump into it, so a thread that hits the
            // detour never lands on the zeros that were there before.
            WriteProcessMemory(hProcess, CodeLoc, CodeNDC, CodeNDC.Length, IntPtr.Zero);
            WriteProcessMemory(hProcess, JumpLoc, JumpEnabled, JumpEnabled.Length, IntPtr.Zero);
        }
        else
        {
            WriteProcessMemory(hProcess, JumpLoc, JumpDisabled, JumpDisabled.Length, IntPtr.Zero);
            WriteProcessMemory(hProcess, CodeLoc, CodeNormal, CodeNormal.Length, IntPtr.Zero);
        }
    }
}
tanelipe is offline  
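Added example for the NON-DC procedure above (not from the thread, and not tanelipe's code): Python that recomputes every byte of the patch from the addresses involved, so the two rel32 displacements can be re-derived when a client update moves the timeGetTime call or the free space at the end of the module. The addresses, the counter location 56EFB0 and the increment 46A are the ones in the post; the byte signature used to locate the CALL (E8 rel32 immediately followed by LEA ECX,DWORD PTR SS:[EBP-114]) and the memory snapshot are assumptions constructed for the example.

```python
"""
Added example, not from the thread: re-derive the bytes of post #30's NON-DC
patch from the addresses, 32-bit x86.  Addresses and constants are the post's;
the CALL-site signature and the memory snapshot are CONSTRUCTED assumptions.
"""
import re
import struct


def rel32(src, dst, insn_len=5):
    """Displacement of an E8/E9 rel32 branch at `src` reaching `dst`.
    x86 measures it from the end of the branch instruction."""
    disp = dst - (src + insn_len)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return disp & 0xFFFFFFFF


def jmp_rel32(src, dst):
    return b"\xE9" + struct.pack("<I", rel32(src, dst))


def call_rel32(src, dst):
    return b"\xE8" + struct.pack("<I", rel32(src, dst))


def branch_target(src, insn):
    """Decode the absolute target of an E8/E9 instruction located at `src`."""
    if len(insn) != 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 CALL/JMP")
    return (src + 5 + struct.unpack("<i", insn[1:])[0]) & 0xFFFFFFFF


def build_cave(cave_va, counter_va, increment, return_va):
    """The 20 bytes written into the free space:
         81 05 <counter> <increment>   ADD DWORD PTR [counter], increment
         A1 <counter>                  MOV EAX, DWORD PTR [counter]
         E9 <rel32>                    JMP return_va
       The caller expected timeGetTime's result in EAX; it now gets a counter
       that advances by `increment` per call instead of the real clock."""
    code = b"\x81\x05" + struct.pack("<I", counter_va) + struct.pack("<I", increment)
    code += b"\xA1" + struct.pack("<I", counter_va)
    code += jmp_rel32(cave_va + len(code), return_va)
    return code


def build_nondc_patch(call_va, cave_va, counter_va=0x0056EFB0, increment=0x46A):
    """Both writes as {va: bytes}: the 5-byte detour over the CALL, and the cave,
    which returns to call_va + 5, the instruction right after the CALL."""
    return {
        call_va: jmp_rel32(call_va, cave_va),
        cave_va: build_cave(cave_va, counter_va, increment, call_va + 5),
    }


# Assumed signature taken from the listing: CALL rel32 immediately followed by
# LEA ECX,DWORD PTR SS:[EBP-114]  (8D 8D EC FE FF FF).
CALL_SITE_SIG = re.compile(rb"\xE8(.{4})\x8D\x8D\xEC\xFE\xFF\xFF", re.DOTALL)


def find_timegettime_call(mem, base_va):
    """Locate the CALL to patch in a memory snapshot starting at `base_va`
    (for example a ReadProcessMemory dump).  Returns the CALL's VA or None."""
    m = CALL_SITE_SIG.search(mem)
    return base_va + m.start() if m else None


def apply_patch(mem, base_va, patch):
    """Write {va: bytes} into a snapshot, as WriteProcessMemory would."""
    buf = bytearray(mem)
    for va, data in patch.items():
        off = va - base_va
        if not 0 <= off <= len(buf) - len(data):
            raise ValueError("patch at %#x falls outside the snapshot" % va)
        buf[off:off + len(data)] = data
    return bytes(buf)


def make_sample_memory(base_va=0x004A6800):
    """CONSTRUCTED snapshot: the CALL at 004A680F, its LEA, then zeros up to
    and past the free space at 00524C6A."""
    mem = bytearray(0x00524C6A + 0x20 - base_va)
    site = 0x004A680F - base_va
    mem[site:site + 5] = bytes.fromhex("E830560400")        # CALL <JMP.&WINMM.timeGetTime>
    mem[site + 5:site + 11] = bytes.fromhex("8D8DECFEFFFF")  # LEA ECX,DWORD PTR SS:[EBP-114]
    return bytes(mem)


if __name__ == "__main__":
    mem = make_sample_memory()
    call_va = find_timegettime_call(mem, 0x004A6800)
    patch = build_nondc_patch(call_va, 0x00524C6A)
    for va, data in sorted(patch.items()):
        print("%08X  %s" % (va, data.hex().upper()))
```

Run as-is it prints E9 56E40700 for 004A680F and the 20 cave bytes from step 13, which is the check that the arithmetic matches the post. When the addresses move, feed the new CALL site and a new 20-byte hole to build_nondc_patch and drop the two byte arrays into the C# snippet above; the original CALL bytes to restore come from the snapshot itself, not from a constant.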