[Release] Flyff.a Bypass

woodcuttern · 07/06/2013, 15:26

I have complied the bypass. I have tried basically all the MD5 hash codes..
Nothing will work. Client keeps crashing before login screen.

Here's my steps:
1. I open the client loader.
2. I open the bypass.
3. I put in the MD5 hash(I have tried the Flyff.a, the data.res, the changed data.res)
4. I start the client and it crashes..

If someone would kind enough to explain it in English? I'm trying to learn German but it's hard without living there.

crinklez · 07/07/2013, 08:17

Can you teach me step by step? I don't know how to use the codes.

cookie69 · 07/16/2013, 19:55

Quote:

Originally Posted by CallMeEclipse

Much more efficient, and less work for you.

main.cpp:

Code:

#include <windows.h>
#include <Tlhelp32.h>
#include <iostream>
#include "md5.h"
using namespace std;


BOOL DataCompare( PBYTE pbData, PBYTE pbMask, char * szMask );
DWORD FindPattern( DWORD dwAddress, DWORD dwLen, PBYTE pbMask, char * szMask );

DWORD moduleBase, moduleSize;
HANDLE hFame = NULL;

int main()
{
	MD5 md5;
	char newmd5[33] = "";
	memcpy(newmd5, md5.digestFile("Flyff.a"), 32);

	MODULEENTRY32 me32;
	ZeroMemory(&me32, sizeof(MODULEENTRY32));
	me32.dwSize = sizeof(MODULEENTRY32);

	PROCESSENTRY32 pe32;
	ZeroMemory(&pe32, sizeof(PROCESSENTRY32));
	pe32.dwSize = sizeof(PROCESSENTRY32);

	hFame = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	Process32First(hFame, &pe32);

	DWORD pid = -1;

	do
	{
		if(stricmp(pe32.szExeFile, "neuz.exe") == 0)
		{
			pid = pe32.th32ProcessID;
			break;
		}
	} while(Process32Next(hFame, &pe32));

	CloseHandle(hFame);

	if(pid == -1)
	{
		cout<<"Fame not found! exit in 3 sec\n";
		Sleep(3000);
		return 1;
	}

	hFame = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
	Module32First(hFame, &me32);
	do
	{
		if(stricmp(me32.szModule, "neuz.exe") == 0)
		{
			cout<<"Found neuz module. Base: 0x"<<hex<<(DWORD)me32.modBaseAddr<<", size: 0x"<<(DWORD)me32.modBaseSize<<endl;
			moduleBase = (DWORD)me32.modBaseAddr;
			moduleSize = (DWORD)me32.modBaseSize;
			break;
		}
	} while(Module32Next(hFame, &me32));

	CloseHandle(hFame);

	if(moduleSize == 0)
	{
		cout<<"Fame module not found! exit in 3 sec\n";
		Sleep(3000);
		return 1;
	}

	char *pFile = new char[moduleSize];
	
	hFame = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
	DWORD dwOld;
	VirtualProtectEx(hFame, (void*)moduleBase, moduleSize, PAGE_EXECUTE_READWRITE, &dwOld);
	ReadProcessMemory(hFame, (void*)moduleBase, pFile, moduleSize, 0);

	DWORD addy = FindPattern((DWORD)&pFile[0], moduleSize, (PBYTE)"\x68\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x83\xC4\x0C\x8B\x00\x00\x00\x00\x00\x89\x00\x00\x00\x00\x00\x8B\x00\x00\x00\x00\x00\x52", "x????x????xxxx?????x?????x?????x") - (DWORD)pFile + moduleBase; 
	addy += 1;
	DWORD dwBuff;
	char curmd5[33] = "";
	ReadProcessMemory(hFame, (void*)addy, &dwBuff, 4, 0);
	ReadProcessMemory(hFame, (void*)dwBuff, curmd5, 32, 0);

	cout<<"Current MD5:   "<<dec<<curmd5<<endl;
	cout<<"Changing it to: "<<newmd5<<endl<<endl;
	WriteProcessMemory(hFame, (void*)dwBuff, newmd5, 32, 0);
	Sleep(1000);
	ZeroMemory(curmd5, 32);
	ReadProcessMemory(hFame, (void*)dwBuff, curmd5, 32, 0);
	cout<<"Verification:   "<<curmd5<<endl;

	CloseHandle(hFame);

	delete pFile;

	Sleep(5000);

	return 1;
}

BOOL DataCompare( PBYTE pbData, PBYTE pbMask, char * szMask )
{
	for( ; *szMask; ++szMask, ++pbData, ++pbMask )
	{
		if( *szMask == 'x' && *pbData != *pbMask )
		return FALSE;
	}

	return ( *szMask == NULL );
}

DWORD FindPattern( DWORD dwAddress, DWORD dwLen, PBYTE pbMask, char * szMask )
{
	for( DWORD i = 0; i < dwLen; i++ )
	{
		if( DataCompare( (PBYTE)( dwAddress + i ), pbMask, szMask ) )
			return (DWORD)( dwAddress + i );
	}

	return 0;
}

md5.h:

Code:

#ifndef MD5_H
#define MD5_H

// Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
// rights reserved.

// License to copy and use this software is granted provided that it
// is identified as the "RSA Data Security, Inc. MD5 Message-Digest
// Algorithm" in all material mentioning or referencing this software
// or this function.
//
// License is also granted to make and use derivative works provided
// that such works are identified as "derived from the RSA Data
// Security, Inc. MD5 Message-Digest Algorithm" in all material
// mentioning or referencing the derived work.
//
// RSA Data Security, Inc. makes no representations concerning either
// the merchantability of this software or the suitability of this
// software for any particular purpose. It is provided "as is"
// without express or implied warranty of any kind.
//
// These notices must be retained in any copies of any part of this
// documentation and/or software.



// The original md5 implementation avoids external libraries.
// This version has dependency on stdio.h for file input and
// string.h for memcpy.
#include <stdio.h>
#include <string.h>

#pragma region MD5 defines
// Constants for MD5Transform routine.
#define S11 7
#define S12 12
#define S13 17
#define S14 22
#define S21 5
#define S22 9
#define S23 14
#define S24 20
#define S31 4
#define S32 11
#define S33 16
#define S34 23
#define S41 6
#define S42 10
#define S43 15
#define S44 21






static unsigned char PADDING[64] = {
  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

// F, G, H and I are basic MD5 functions.
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z)))

// ROTATE_LEFT rotates x left n bits.
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))

// FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
// Rotation is separate from addition to prevent recomputation.
#define FF(a, b, c, d, x, s, ac) { \
  (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
  (a) = ROTATE_LEFT ((a), (s)); \
  (a) += (b); \
  }
#define GG(a, b, c, d, x, s, ac) { \
  (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
  (a) = ROTATE_LEFT ((a), (s)); \
  (a) += (b); \
  }
#define HH(a, b, c, d, x, s, ac) { \
  (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
  (a) = ROTATE_LEFT ((a), (s)); \
  (a) += (b); \
  }
#define II(a, b, c, d, x, s, ac) { \
  (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
  (a) = ROTATE_LEFT ((a), (s)); \
  (a) += (b); \
  }
#pragma endregion

typedef unsigned char BYTE ;

// POINTER defines a generic pointer type
typedef unsigned char *POINTER;

// UINT2 defines a two byte word
typedef unsigned short int UINT2;

// UINT4 defines a four byte word
typedef unsigned long int UINT4;


// convenient object that wraps
// the C-functions for use in C++ only
class MD5
{
private:
  struct __context_t {
    UINT4 state[4];                                   /* state (ABCD) */
    UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
    unsigned char buffer[64];                         /* input buffer */
  } context ;

  #pragma region static helper functions
  // The core of the MD5 algorithm is here.
  // MD5 basic transformation. Transforms state based on block.
  static void MD5Transform( UINT4 state[4], unsigned char block[64] )
  {
    UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];

    Decode (x, block, 64);

    /* Round 1 */
    FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
    FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
    FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
    FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
    FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
    FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
    FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
    FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
    FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
    FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
    FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
    FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
    FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
    FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
    FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
    FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */

    /* Round 2 */
    GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
    GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
    GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
    GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
    GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
    GG (d, a, b, c, x[10], S22,  0x2441453); /* 22 */
    GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
    GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
    GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
    GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
    GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
    GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
    GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
    GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
    GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
    GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */

    /* Round 3 */
    HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
    HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
    HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
    HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
    HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
    HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
    HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
    HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
    HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
    HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
    HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
    HH (b, c, d, a, x[ 6], S34,  0x4881d05); /* 44 */
    HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
    HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
    HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
    HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */

    /* Round 4 */
    II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
    II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
    II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
    II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
    II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
    II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
    II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
    II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
    II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
    II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
    II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
    II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
    II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
    II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
    II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
    II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */

    state[0] += a;
    state[1] += b;
    state[2] += c;
    state[3] += d;

    // Zeroize sensitive information.
    memset((POINTER)x, 0, sizeof (x));
  }

  // Encodes input (UINT4) into output (unsigned char). Assumes len is
  // a multiple of 4.
  static void Encode( unsigned char *output, UINT4 *input, unsigned int len )
  {
    unsigned int i, j;

    for (i = 0, j = 0; j < len; i++, j += 4) {
      output[j] = (unsigned char)(input[i] & 0xff);
      output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
      output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
      output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
    }
  }

  // Decodes input (unsigned char) into output (UINT4). Assumes len is
  // a multiple of 4.
  static void Decode( UINT4 *output, unsigned char *input, unsigned int len )
  {
    unsigned int i, j;

    for (i = 0, j = 0; j < len; i++, j += 4)
      output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
      (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
  }
  #pragma endregion


public:
  // MAIN FUNCTIONS
  MD5()
  {
    Init() ;
  }

  // MD5 initialization. Begins an MD5 operation, writing a new context.
  void Init()
  {
    context.count[0] = context.count[1] = 0;
  
    // Load magic initialization constants.
    context.state[0] = 0x67452301;
    context.state[1] = 0xefcdab89;
    context.state[2] = 0x98badcfe;
    context.state[3] = 0x10325476;
  }

  // MD5 block update operation. Continues an MD5 message-digest
  // operation, processing another message block, and updating the
  // context.
  void Update(
    unsigned char *input,   // input block
    unsigned int inputLen ) // length of input block
  {
    unsigned int i, index, partLen;

    // Compute number of bytes mod 64
    index = (unsigned int)((context.count[0] >> 3) & 0x3F);

    // Update number of bits
    if ((context.count[0] += ((UINT4)inputLen << 3))
      < ((UINT4)inputLen << 3))
      context.count[1]++;
    context.count[1] += ((UINT4)inputLen >> 29);

    partLen = 64 - index;

    // Transform as many times as possible.
    if (inputLen >= partLen) {
      memcpy((POINTER)&context.buffer[index], (POINTER)input, partLen);
      MD5Transform (context.state, context.buffer);

      for (i = partLen; i + 63 < inputLen; i += 64)
        MD5Transform (context.state, &input[i]);

      index = 0;
    }
    else
      i = 0;

    /* Buffer remaining input */
    memcpy((POINTER)&context.buffer[index], (POINTER)&input[i], inputLen-i);
  }

  // MD5 finalization. Ends an MD5 message-digest operation, writing the
  // the message digest and zeroizing the context.
  // Writes to digestRaw
  void Final()
  {
    unsigned char bits[8];
    unsigned int index, padLen;

    // Save number of bits
    Encode( bits, context.count, 8 );

    // Pad out to 56 mod 64.
    index = (unsigned int)((context.count[0] >> 3) & 0x3f);
    padLen = (index < 56) ? (56 - index) : (120 - index);
    Update( PADDING, padLen );

    // Append length (before padding)
    Update( bits, 8 );

    // Store state in digest
    Encode( digestRaw, context.state, 16);

    // Zeroize sensitive information.
    memset((POINTER)&context, 0, sizeof (context));

    writeToString() ;
  }

  /// Buffer must be 32+1 (nul) = 33 chars long at least 
  void writeToString()
  {
    int pos ;

    for( pos = 0 ; pos < 16 ; pos++ )
      sprintf( digestChars+(pos*2), "%02x", digestRaw[pos] ) ;
  }


public:
  // an MD5 digest is a 16-byte number (32 hex digits)
  BYTE digestRaw[ 16 ] ;

  // This version of the digest is actually
  // a "printf'd" version of the digest.
  char digestChars[ 33 ] ;

  /// Load a file from disk and digest it
  // Digests a file and returns the result.
  char* digestFile( char *filename )
  {
    Init() ;

    FILE *file;
    
    int len;
    unsigned char buffer[1024] ;

    if( (file = fopen (filename, "rb")) == NULL )
      printf( "%s can't be opened\n", filename ) ;
    else
    {
      while( len = fread( buffer, 1, 1024, file ) )
        Update( buffer, len ) ;
      Final();

      fclose( file );
    }

    return digestChars ;
  }

  /// Digests a byte-array already in memory
  char* digestMemory( BYTE *memchunk, int len )
  {
    Init() ;
    Update( memchunk, len ) ;
    Final() ;
    
    return digestChars ;
  }

  // Digests a string and prints the result.
  char* digestString( char *string )
  {
    Init() ;
    Update( (unsigned char*)string, strlen(string) ) ;
    Final() ;

    return digestChars ;
  }
} ;

#endif

Instructions:
1. Fully patch fame/whatever server you want to use this on(if it uses flyff.a it should work)
2. Copy their Flyff.a to the folder where this bypass is.
3. Remove the contents of Flyff.a and edit the .res files to your liking
4. Run the game and use the bypass at the login screen.

now log in and you're done.

All the code except for FindPattern, DataCompare and md5.h is mine.

~ CallMeEclipse

It would be nice if you explain me how do you get the following pattern:
(PBYTE)"\x68\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x 83\xC4\x0C\x8B\x00\x00\x00\x00\x00\x89\x00\x00\x00 \x00\x00\x8B\x00\x00\x00\x00\x00\x52", "x????x????xxxx?????x?????x?????x"

memelovememe · 07/30/2013, 02:06

Anyone can translate this into english and put the steps on how to this ? i want to try it on the server i was playing . thanks a lot ! and put the apps needed on this .

Kevbo. · 07/30/2013, 04:15

Nice

JoostVanGrost · 08/06/2013, 12:01

Can anyone please make this post in English? I tried to translate it but I don't understand what I have to do....

barrion60 · 09/11/2013, 18:05

Hi. It's too hard to understand! I mean, I don't speak your language so it would be better if you make a/an english version of this tutorial, though i can barely understand it. I really don't know where to put those "PHP code".. maybe you could be more brief. do we need to use C++ on this thing? I'm hoping for your reply.. thanks in advance.

~~Areyoureadingthis?~~ · 09/13/2013, 14:41

This is very rare

reanimator1 · 09/13/2013, 15:49

Can someone make a english tutorial please?is hard with google translate =) i do not understand nothing!Thx

reanimator1 · 09/20/2013, 18:21

Ok all worked but when i try to login they say: Version mismatch.Try to patch again....mmmmm some one can help me?

derberndlol · 10/27/2013, 20:55

Kann mir das wer mal für dumme erklären was ich da nun machen muss :7
pn wäre nc

~~Among'~~ · 10/31/2013, 23:44

tutorial

Sinnersoul · 12/17/2013, 19:20

Can someone translate this into English please ? It would be much appreciated.

ramosss · 12/24/2013, 13:57

Could you please do one in English?

Lightings · 12/27/2013, 15:17

Sind damit Maps verändern wierder möglich ?