[Question] The new client protection

{ Angelius } · 07/21/2013, 14:34

This can be closed.

~~Smaehtin~~ · 07/21/2013, 16:32

That hooked NtProtectVirtualMemory you're looking at is because of your Avast Anti-Virus software. It has nothing to do with TQ's anti-cheat system.

{ Angelius } · 07/21/2013, 17:32

Quote:

Originally Posted by Smaehtin

That hooked NtProtectVirtualMemory you're looking at is because of your Avast Anti-Virus software. It has nothing to do with TQ's anti-cheat system.

Yeah thanks Einstein :|

Like i didn't think about that before i include it in my post... i have checked that call on my PC and on 2 different VM's All has the same antivirus installed.

And the only way you would be right is if the OS type itself matter which i doubt.

And by the way regardless of the fact that your answer is useless to me you didn't have to be a **** about it posting that silly image of yours.

~~Smaehtin~~ · 07/21/2013, 17:49

Quote:

Originally Posted by { Angelius }

Well TQ team decided to change that route a bit to their advantage and this is what they came up with.

ntdll.NtProtectVirtualMemory
Before:

PHP Code:

MOV EAX, 0x4E CALL DWORD PTR FS:[0C0] RETN 14

After:

PHP Code:

JMP 00030A08 CALL DWORD PTR FS:[0C0] RETN 14

No, TQ didn't hook ntdll.NtProtectVirtualMemory. Avast Anti-Virus did.
Am I being clear enough now?

{ Angelius } · 07/21/2013, 17:53

Quote:

Originally Posted by Smaehtin

No, TQ didn't hook ntdll.NtProtectVirtualMemory. Avast Anti-Virus did.
Am I being clear enough now?

And you are saying that based on what ?

Or do i have to take it on faith and trust you lol.

~~Smaehtin~~ · 07/21/2013, 18:00

Quote:

Originally Posted by { Angelius }

And you are saying that based on what ?

Or do i have to take it on faith and trust you lol.

Quote:

Originally Posted by { Angelius }

The (JMP 00030A08) eventually leads to this function.

Code:

CPU Disasm
Address   Hex dump          Command                                  Comments
7272A890  /.  55            PUSH EBP
7272A891  |.  8BEC          MOV EBP,ESP
7272A893  |.  83E4 F8       AND ESP,FFFFFFF8                         ; QWORD (8.-byte) stack alignment
7272A896  |.  81EC 8C000000 SUB ESP,8C
7272A89C  |.  53            PUSH EBX
7272A89D  |.  56            PUSH ESI
7272A89E  |.  57            PUSH EDI
7272A89F  |.  68 84000000   PUSH 84                                  ; /Arg3 = 84
7272A8A4  |.  33F6          XOR ESI,ESI                              ; |
7272A8A6  |.  8D4424 18     LEA EAX,[LOCAL.33]                       ; |
7272A8AA  |.  56            PUSH ESI                                 ; |Arg2 => 0
7272A8AB  |.  50            PUSH EAX                                 ; |Arg1 => OFFSET LOCAL.33
7272A8AC  |.  E8 3F0F0100   CALL 7273B7F0                            ; \[B][SIZE="7"][COLOR="Red"]snxhk[/COLOR][/SIZE][/B].7273B7F0

Fragaria · 07/21/2013, 18:01

Quote:

Originally Posted by { Angelius }

And you are saying that based on what ?

Or do i have to take it on faith and trust you lol.

Search the snxhk.dll thats being called on google, or even better do a search on your computer and you'll find it in avast's directory. It's an avast dll.

p.s. omgawd I was slow

{ Angelius } · 07/21/2013, 18:13

Quote:

Originally Posted by DragonHeart~V4

Search the snxhk.dll thats being called on google, or even better do a search on your computer and you'll find it in avast's directory. It's an avast dll.

p.s. omgawd I was slow

****... You guys are right... I failed to do a simple search before i jump into the depth of the assembly code.

Oh well. Albert Einstein failed to ride a bicycle :P

Spirited · 07/21/2013, 20:45

Closed, as requested.