InsanityFlyff Bypass
Discussion on InsanityFlyff Bypass within the Flyff Hacks, Bots, Cheats, Exploits & Macros forum part of the Flyff category.
12/27/2012, 17:11
#1
InsanityFlyff Bypass
Code:
memcpy((LPVOID)0x480F21, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
memcpy((LPVOID)0x480F90, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
memcpy((LPVOID)0x480FFF, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
memcpy((LPVOID)0x481079, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
Bypasses their "mega" check for QueryPerformanceCounter and WSASend/WSARecv hooks by replacing the exitprocess call with NOP.
12/28/2012, 01:21
#2
You could also NOP the CreateThread call which creates this check thread.
12/28/2012, 19:02
#3
Quote:
Originally Posted by Yazzn (:
Code:
memcpy((LPVOID)0x480F21, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
memcpy((LPVOID)0x480F90, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
memcpy((LPVOID)0x480FFF, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
memcpy((LPVOID)0x481079, (const void *)"\x90\x90\x90\x90\x90\x90", 6);
Bypasses their "mega" check for QueryPerformanceCounter and WSASend/WSARecv hooks by replacing the exitprocess call with NOP.
ExitProcess? Seriously, what are the "geniuses" at InsanityFlyff thinking? Guess they finally went Insane...
Watch them change the call to use the standard library "exit" function and get bypassed again just as easily.
12/28/2012, 21:35
#4
Found that **** before too. I thought Flyff is just ****** coded (well, it is), but it's just InsanityFlyff.
12/29/2012, 14:20
#5
Kind of new with this, what is NOP?
Sorry if this is a bothersome question from a newbie like me!
12/30/2012, 04:05
#6
Quote:
Originally Posted by ChinkyCheek
Kind of new with this, what is NOP?
Sorry if this is a bothersome question from a newbie like me!
\x90.
12/30/2012, 08:35
#7
And what do we use to edit this? And edit which file(s)? :|
Forgot to include it in my last post. (Hex editor or?)
12/30/2012, 11:30
#8
Quote:
Originally Posted by Flyff_Service
You could also NOP the CreateThread call which creates this check thread.
Yes but then you can't interrupt it whenever you want.
Quote:
Originally Posted by XorLethal
ExitProcess? Seriously, what are the "geniuses" at InsanityFlyff thinking? Guess they finally went Insane...
Watch them change the call to use the standard library "exit" function and get bypassed again just as easily.
As you will see in the code below, you could just hook QPC, WSASend, etc. 5 bytes later and reconstruct the overwritten opcodes, or use hot patching, or fake the IAT, or (...)
Code:
void __cdecl StartAddress()
{
    HMODULE v0; // eax@5
    HMODULE v1; // eax@5
    DWORD flOldProtect; // [sp+0h] [bp-18h]@6
    HMODULE hModule; // [sp+4h] [bp-14h]@5
    FARPROC v4; // [sp+8h] [bp-10h]@5
    LPVOID lpAddress; // [sp+Ch] [bp-Ch]@5
    FARPROC v6; // [sp+10h] [bp-8h]@5
    FARPROC v7; // [sp+14h] [bp-4h]@5

    while ( 1 )
    {
        if ( GetModuleHandleA("kernel32.dll") )
        {
            if ( GetModuleHandleA("WINMM.dll") )
            {
                if ( GetModuleHandleA("Ws2_32.dll") )
                {
                    v0 = GetModuleHandleA("kernel32.dll");
                    lpAddress = GetProcAddress(v0, "QueryPerformanceCounter");
                    memcpy(&byte_AC8820, lpAddress, 5u);
                    hModule = GetModuleHandleA("Ws2_32.dll");
                    v4 = GetProcAddress(hModule, "send");
                    v7 = GetProcAddress(hModule, "WSASend");
                    memcpy(&byte_AC8830, v4, 5u);
                    memcpy(&byte_AC8840, v7, 5u);
                    v1 = GetModuleHandleA("WINMM.dll");
                    v6 = GetProcAddress(v1, "timeGetTime");
                    memcpy(&byte_AC8850, v6, 5u);
                    while ( 1 )
                    {
                        VirtualProtect(lpAddress, 5u, 0x40u, &flOldProtect);
                        memcpy(&byte_AC8828, lpAddress, 5u);
                        if ( strcmp(&byte_AC8820, &byte_AC8828) )
                            break;
                        if ( byte_AC8820 == 0xFFFFFFE9 || byte_AC8828 == 0xFFFFFFE9 )
                            break;
                        VirtualProtect(lpAddress, 5u, flOldProtect, &flOldProtect);
                        VirtualProtect(v4, 5u, 0x40u, &flOldProtect);
                        memcpy(&byte_AC8838, v4, 5u);
                        if ( strcmp(&byte_AC8830, &byte_AC8838) || byte_AC8830 == 0xFFFFFFE9 || byte_AC8838 == 0xFFFFFFE9 )
                            ExitProcess(1u);
                        VirtualProtect(v4, 5u, flOldProtect, &flOldProtect);
                        VirtualProtect(v7, 5u, 0x40u, &flOldProtect);
                        memcpy(&byte_AC8848, v7, 5u);
                        if ( strcmp(&byte_AC8840, &byte_AC8848) || byte_AC8840 == 0xFFFFFFE9 || byte_AC8848 == 0xFFFFFFE9 )
                            ExitProcess(1u);
                        VirtualProtect(v7, 5u, flOldProtect, &flOldProtect);
                        Sleep(3000u);
                        VirtualProtect(v6, 5u, 0x40u, &flOldProtect);
                        memcpy(&byte_AC8858, v6, 5u);
                        if ( strcmp(&byte_AC8850, &byte_AC8858) || byte_AC8850 == 0xFFFFFFE9 || byte_AC8858 == 0xFFFFFFE9 )
                            ExitProcess(1u);
                        VirtualProtect(v6, 5u, flOldProtect, &flOldProtect);
                        Sleep(3000u);
                    }
                    ExitProcess(1u);
                }
            }
        }
        Sleep(100u);
    }
}
Conclusion: The guys from InsanityFlyFF don't know what they're doing.
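As an added illustration, not code from the thread or from the InsanityFlyff client: the 5-byte comparison the decompiled check thread above performs, written in portable C over constructed sample bytes, next to a whole-body comparison that also notices a jmp placed past the first 5 bytes (the weakness XorLethal's reply points out). The sample bytes and the placeholder displacement are constructed, and the Windows-specific parts (GetProcAddress, VirtualProtect, the ExitProcess reaction) are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: 16 bytes standing in for an API function body as read at
   start-up (not the real prologue of QueryPerformanceCounter or WSASend). */
static const uint8_t CLEAN_FUNC[16] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
    0x53, 0x56, 0x57, 0x8B, 0x7D, 0x08, 0x5F, 0xC3 };

/* The comparison the decompiled thread does: first 5 bytes only, plus a bail-out
   if either copy starts with E9 (jmp rel32). memcmp replaces the thread's strcmp
   so an embedded 0x00 byte cannot cut the comparison short. */
int prologue_hooked(const uint8_t *saved, const uint8_t *live)
{
    return memcmp(saved, live, 5) != 0 || saved[0] == 0xE9 || live[0] == 0xE9;
}

/* Hardened variant: compare the whole snapshot, so a jmp written past the first
   5 bytes still changes the result. */
int body_hooked(const uint8_t *saved, const uint8_t *live, size_t len)
{
    return memcmp(saved, live, len) != 0;
}

/* Demo helper: simulate a detour by writing E9 plus a placeholder rel32 at `off`
   into a local copy of the clean bytes. Nothing in the process is patched. */
static void simulate_jmp(uint8_t *copy, size_t off)
{
    memcpy(copy, CLEAN_FUNC, sizeof CLEAN_FUNC);
    copy[off] = 0xE9;
    memset(copy + off + 1, 0x11, 4); /* placeholder displacement */
}

/* 1 if the 5-byte check flags a jmp written at `off`, else 0. */
int prologue_check_detects(size_t off)
{
    uint8_t live[16];
    simulate_jmp(live, off);
    return prologue_hooked(CLEAN_FUNC, live);
}

/* 1 if the whole-body check flags a jmp written at `off`, else 0. */
int body_check_detects(size_t off)
{
    uint8_t live[16];
    simulate_jmp(live, off);
    return body_hooked(CLEAN_FUNC, live, sizeof live);
}
```

Calling prologue_check_detects(5) returns 0 while body_check_detects(5) returns 1, which is the gap the thread is describing.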
12/30/2012, 20:01
#9
By the way, you might want to look into hooking other functions to modify or read packet data. If you use the functions below, you won't need to reverse the encryption routine.
Code:
void CClientSock::Send(char* lpData, DWORD dwDataSize, DPID dpidTo)
- Just send it data for easy packet sending, no encryption necessary.
Code:
CBuffer* CClientSock::Fetch(DWORD dwBytes)
- Detour the call and use the return value to read packet data decrypted.
Note that both methods are non-static member functions, so you need to find the address of g_DPlay (a global non-static object), which can be obtained by hooking its initialization between the entry point and WinMain().
01/01/2013, 22:35
#10
Could someone build a bypass? Dunno what I have to do haha
01/31/2013, 06:01
#11
Can I ask what the function of this code is?