[Intermediate?]How a loader is made.

_fobos_ · 09/23/2008, 01:22

Hello, Im not new i been around for a long time, on another name,
just figured why not use my game name now.
but that's beside the point, back to topic..

So you have seen those tutorials about how to make a Multi/Bypass exe/etc..
Well im gonna show you how to make a loader like *M* has made, im just not going in depth here

(some people might be interested in making their own)
First thing what you want to do is get MASM if you dont have it yet you can find it

.
Alright load it up it looks like a text editor pretty much:

this is where your gonna code in, now im not gonna teach you ASM, but simply gonna show you the basic things like how to make a multi, bypass the play.exe and delete virus scanner and pop ups.

So you opened up the editor? good.

Code:

.586
.model flat,stdcall
option casemap:none

include C:masm32includewindows.inc
include C:masm32includeuser32.inc
include C:masm32includekernel32.inc
includelib C:masm32libuser32.lib
includelib C:masm32libkernel32.lib

.data
  Process db "Conquer.exe",0
  Error db "Error:",0
  ErrorMessage db "Process Could not be loaded, but fobos still loves you.",0

;So first we need to define a few things

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; MultiClient
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
  MultiSize dd 2 ;<-- ammount of bytes 2 in this case
  MultiAddy dd 00469AE5h ;<-- this is the memory address of "PUSH 2" wich you want to change into PUSH 7F
  ReplaceMulti db 06Ah,07Fh ;<-- The replace hex opcode (a 0 infront, and a h meaning hex afterwards)
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; End MultiClient
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Antivirus
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
  AntiVir1 dd 00468725h ;<-- address
  AntiVir2 dd 00468727h ;<-- address
  AntiVir3 dd 00468728h ;<-- address
  AntiVir4 dd 00468729h ;<-- address
  AntiVir5 dd 0046872Ah ;<-- address
  AntiVir6 dd 0046872Fh ;<-- address
  AntiVir7 dd 00468730h ;<-- address

  AntiVirSize1 dd 2 ;<-- Size
  AntiVirSize2 dd 1 ;<-- Size
  AntiVirSize3 dd 5 ;<-- Size
  AntiVirSize4 dd 6 ;<-- Size
  
  ReplaceAnti1 db 090h,090h ;<-- Opcodes
  ReplaceAnti2 db 090h ;<-- Opcodes
  ReplaceAnti3 db 090h,090h,090h,090h,090h ;<-- Opcodes
  ReplaceAnti4 db 090h,090h,090h,090h,090h,090h ;<-- Opcodes
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; End AntiVirus
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; Bypass Exe
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
  BypassSize dd 2 ;<-- Size
  BypassAddy dd 004687C8h ;<-- Address
  ReplaceBypass db 0EBh,041h ;<-- Opcodes

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; End Bypass Exe
; ««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««« 

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; popup
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
  PopupSize1 dd 1 ;<-- Size
  PopupSize2 dd 3 ;<-- Size
  PopupSize3 dd 6 ;<-- Size

  Popup1 dd 00477A25h ;<-- Address
  Popup2 dd 00477A26h ;<-- Address
  Popup3 dd 00477A29h ;<-- Address

  Popup4 dd 00477F73h ;<-- Address
  Popup5 dd 00477F74h ;<-- Address
  Popup6 dd 00477F77h ;<-- Address
  
  ReplacePopup1 db 090h ;<-- Opcodes
  ReplacePopup2 db 090h,090h,090h ;<-- Opcodes
  ReplacePopup3 db 090h,090h,090h,090h,090h,090h ;<-- Opcodes
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
; End Popup
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

  Startup STARTUPINFO <>
  processinfo PROCESS_INFORMATION <>

.data?
  byteswritten dd ?

.code
  start:
    invoke CreateProcess, ADDR Process, NULL, NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, ADDR Startup, ADDR processinfo
    cmp eax, 0
    jne ProcessCreated
    push 0
    push offset Error
    push offset ErrorMessage
    push 0
    call MessageBox
    push 0
    call ExitProcess

    ProcessCreated:
    
    ; this is where you actually change the memory remember before where we defined Multi well time to get it written
    
    ; Multi
        invoke WriteProcessMemory, processinfo.hProcess, MultiAddy, ADDR ReplaceMulti, MultiSize, byteswritten

    ; AntiVir
    
        invoke WriteProcessMemory, processinfo.hProcess, AntiVir1, ADDR ReplaceAnti2, AntiVirSize2, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, AntiVir2, ADDR ReplaceAnti1, AntiVirSize1, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, AntiVir3, ADDR ReplaceAnti1, AntiVirSize1, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, AntiVir4, ADDR ReplaceAnti1, AntiVirSize1, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, AntiVir5, ADDR ReplaceAnti3, AntiVirSize3, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, AntiVir6, ADDR ReplaceAnti1, AntiVirSize1, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, AntiVir7, ADDR ReplaceAnti4, AntiVirSize4, byteswritten

   ;Bypass Exe

        invoke WriteProcessMemory, processinfo.hProcess, BypassAddy, ADDR ReplaceBypass, BypassSize, byteswritten

   ;Anti Popup

        invoke WriteProcessMemory, processinfo.hProcess, Popup1, ADDR ReplacePopup1, PopupSize1, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, Popup2, ADDR ReplacePopup2, PopupSize2, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, Popup3, ADDR ReplacePopup3, PopupSize3, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, Popup4, ADDR ReplacePopup1, PopupSize1, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, Popup5, ADDR ReplacePopup2, PopupSize2, byteswritten
        invoke WriteProcessMemory, processinfo.hProcess, Popup6, ADDR ReplacePopup3, PopupSize3, byteswritten



      
    invoke ResumeThread, processinfo.hThread
    push 0
    call ExitProcess
  end start

Save it as whateveryouwant.asm in ur Conquer folder then go project->Build all and your done.

Okay as I said i didnt go to in depth,
I commented out a few things so you can see what I did,
This will only work for patch 5065 so in 1 and a half hours you will need to update it yourself

Have fun! and I hope this helped someone

To update this for next patch is easy, I recommend using Tanelipe's guide found

And then use that as a reference to update this

mahmoudtayealove · 09/23/2008, 02:12

ineed speed hak

speedhak

speedhaek

speedhak zom

haker

_fobos_ · 09/23/2008, 02:45

Can some mod remove the 5 responses?

*M* · 09/23/2008, 03:29

Nice nice, there is room for optimization tho mainly in the patching method eg, anti virus and pop up filter can be done with a one byte JMP patch instead of calling writeprocessmemory multiple times to nop

Real~Death · 09/23/2008, 03:31

Quote:

Originally Posted by _fobos_

Can some mod remove the 5 responses?

alomst zero chance of a mod removing ANYTHING around here.
Very nice guide,well commented ,thanks for posting

_fobos_ · 09/23/2008, 03:44

Quote:

Originally Posted by *M*

Nice nice, there is room for optimization tho mainly in the patching method eg, anti virus and pop up filter can be done with a one byte JMP patch instead of calling writeprocessmemory multiple times to nop

True, true, but this exactly shows whats being done a jump would look nicer youre right about that but eitherway works, maybe you can release yours aswell

I know how I do it i wonder how you do it hehe.

Quote:

Originally Posted by Real~Death

alomst zero chance of a mod removing ANYTHING around here.
Very nice guide,well commented ,thanks for posting

thanks

emmanication · 09/24/2008, 16:55

i ned spedhak!

_fobos_ · 09/24/2008, 18:18

Quote:

Originally Posted by emmanication

i ned spedhak!

0057B58E <- All you need.

*M* · 09/25/2008, 07:56

Quote:

Originally Posted by _fobos_

True, true, but this exactly shows whats being done a jump would look nicer youre right about that but eitherway works, maybe you can release yours aswell I know how I do it i wonder how you do it hehe.

thanks

Yeah ill probably post my source, but considering its made in Masm if you load it up in olly you'll pretty much see the source.

_fobos_ · 09/25/2008, 16:39

Quote:

Originally Posted by *M*

Yeah ill probably post my source, but considering its made in Masm if you load it up in olly you'll pretty much see the source.

Yes i did see it but always nicer to see the whole deal you know

Vyndariel · 09/25/2008, 19:47

#merged postings
#No infraction given cause new member

Best regards

Vyn

Attention:

Please watch our forum-rules.
You can find our forum-rules at:

Jemy · 10/04/2008, 21:24

Hello

I need the right address from Running Conquer.exe direct...

anyone got?

_fobos_ · 10/06/2008, 12:39

Quote:

Originally Posted by Jemy

Hello

I need the right address from Running Conquer.exe direct...

anyone got?

Well open up Tanelipe's pretty guide, and start updating the addresses,
I wont mind to help you update it, but what do u learn from a simple copy and paste if i hand u the addresses right away.
The point is that you can make your own, not that someone hands you it.