[cSRO] edxSilkroadLoader Beta 3c Testing
Discussion on [cSRO] edxSilkroadLoader Beta 3c Testing within the SRO Hacks, Bots, Cheats & Exploits forum part of the Silkroad Online category.
11/09/2009, 19:21
|
#16
|
elite*gold: 20
Join Date: May 2009
Posts: 2,649
Received Thanks: 475
|
Quote:
Originally Posted by pushedx
I'm on Windows 7 myself atm. Start Silkroad.exe and choose your Division so the Start button appears. Exit the launcher after that. Now start edxSilkroadLoader and try to launch your clients.
The cSRO client is not packed, so you do not need to do anything with that either. Sometimes there is a wait for the client to launch, if you see the console and the patches listed, then the DLL was injected, but the client isn't connecting to the Login server yet.
Try selecting a different login server and use TaskMgr to kill the processes that get stuck. I've had that happen a few times I think before this version of the launcher.
The security thread does not always start. However, if it starts, it will be after you login at the character select screen. If you get in game and it is not running and you restart, chances are it will start the next time. You can see this in the two screenshots. The first time I logged in both accounts, no security thread ran but after I restarted, it ran.
|
I tried selecting different login servers; the result was the same. By the way, I'm using WinXP SP3. When I start the edxloader I get the same information on the debug console as you on your first screen (left side).
|
|
|
11/09/2009, 19:41
|
#17
|
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,751
|
Quote:
Originally Posted by N00bcake
I tried selecting different login servers; the result was the same. By the way, I'm using WinXP SP3. When I start the edxloader I get the same information on the debug console as you on your first screen (left side).
|
Ok, sorry about that, it's actually a bug in my code. I've updated the project again, thanks for reporting the errors! I am uploading the new version right now.
Ok, the new version, 3c4 has been uploaded. Windows 7 has made some changes to how CreateThread/CreateRemoteThread work, so I have to hook a different set of functions for Windows 7 than non-Windows 7 versions.
Everything should be working now.
|
|
|
11/09/2009, 23:57
|
#18
|
elite*gold: 0
Join Date: Feb 2008
Posts: 181
Received Thanks: 46
|
Thx for this new loader! *** bless you! Great job!
Btw, I am running Win 7, but I have some sort of problem.
With my main acc it works fine, but with my 2nd char it freezes very often, so I have to restart it.
PS2: A suggestion from a friend. Can you somehow make it change the image to the SRO one? xD
|
|
|
11/10/2009, 13:02
|
#19
|
elite*gold: 20
Join Date: May 2009
Posts: 2,649
Received Thanks: 475
|
Quote:
Originally Posted by pushedx
Ok, sorry about that, it's actually a bug in my code. I've updated the project again, thanks for reporting the errors! I am uploading the new version right now.
Ok, the new version, 3c4 has been uploaded. Windows 7 has made some changes to how CreateThread/CreateRemoteThread work, so I have to hook a different set of functions for Windows 7 than non-Windows 7 versions.
Everything should be working now.
|
I tried it today, and it works now. Thank you for answering fast and taking care of this issue. Keep up the good work.
|
|
|
11/11/2009, 00:56
|
#20
|
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,751
|
I've updated the version to 3c5 today. I noticed the security logic can scan the DLL memory, so I faked those results to prevent the DLL from being easily identified.
The "freezes" that you might encounter are not related to this loader (pretty sure) but rather just a problem with CSRO. I'm not sure why it's happening, but I notice it from time to time on a second character only. It's like the server just stops sending packets but does not disconnect your client. It's not an easily reproducible problem, so I can't really look into it more to see why CSRO does this.
If anyone else runs into any issues, please let me know!
|
|
|
11/11/2009, 10:44
|
#21
|
elite*gold: 0
Join Date: Feb 2008
Posts: 181
Received Thanks: 46
|
Quote:
Originally Posted by pushedx
I've updated the version to 3c5 today. I noticed the security logic can scan the DLL memory, so I faked those results to prevent the DLL from being easily identified.
The "freezes" that you might encounter are not related to this loader (pretty sure) but rather just a problem with CSRO. I'm not sure why it's happening, but I notice it from time to time on a second character only. It's like the server just stops sending packets but does not disconnect your client. It's not an easily reproducible problem, so I can't really look into it more to see why CSRO does this.
If anyone else runs into any issues, please let me know!
|
That's exactly what I'm going through! It just freezes and I get "sro_client stopped responding" etc.
|
|
|
11/11/2009, 14:14
|
#22
|
elite*gold: 0
Join Date: Aug 2008
Posts: 301
Received Thanks: 66
|
I'm getting massive DCs with the loader once again.
|
|
|
11/11/2009, 19:15
|
#23
|
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,751
|
The new detection started yesterday evening and I am currently looking for a new solution. The current method of patching the security scans is not going to work out because they can just add more code to scan or change them around to break my existing code. That is why the DCs started again, there is more code that was being executed that checked the memory. I managed to get the new code accounted for, but I still got DCs which means there are a couple more now to find.
I have to play with some memory access logic to see if I can find an easy way around this issue. The tricky part is that they are not using any API calls to read the memory, so I can't simply detour a function and call it a day. Hopefully I'll find something, but if not I'll have the thread closed in the mean time while I try to work out a solution.
|
|
|
11/12/2009, 16:52
|
#24
|
elite*gold: 0
Join Date: Mar 2007
Posts: 77
Received Thanks: 111
|
@pushedx:
Can you maybe post some information about the scans? That is, how, what and where they scan, and what they compare it with to check if it's the right code?
Because I tried to bypass XTrap (vSRO) with a very advanced method (writing a driver and using it like a rootkit).
Although it does not work yet (XTrap was changed too), it's a good method,
and maybe it's possible to change it according to the current protection.
|
|
|
11/12/2009, 20:10
|
#25
|
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,751
|
Quote:
Because I tried to bypass XTrap (vSRO) with a very advanced method (writing a driver and using it like a rootkit).
Although it does not work yet (XTrap was changed too), it's a good method,
and maybe it's possible to change it according to the current protection.
|
Yea, I started learning driver development to be able to work with XTrap and GG on that level, but they are pretty advanced now and were able to defeat the simple stuff I learned. Being on the kernel level gives you the same access they have, but you still have to work around their logic, so it helps, but it's still really complicated. I figured I need to learn some more stuff in Ring 3 first before I dive into Ring 0 as a result.
The biggest problem with drivers though is that you will have to have a different version for x86 and x64 platforms and then you will have some interoperability issues with XP and Vista/Win7. Usually though, the driver should have an API that the DLL injected into the process or the external process communicates via. For example, this is a good thread on how works.
Quote:
Originally Posted by hack0r89
@pushedx:
can you maybe post some information related on the scans. this means how, what and where they scan and what they compare it with to check, if it's the right code?
|
The scanning function calculates hashes of memory and sends them to the server, so the server would know if it is correct or not. The logic is dynamically loaded into the process and then executed as a thread. There are many threads that are created for the scans. In addition, there is scanning logic for the main client scanning logic as well.
Here is the first client scanning function.
Code:
246F439A 55 PUSH EBP
246F439B 8BEC MOV EBP,ESP
246F439D 81EC 00040000 SUB ESP,400
246F43A3 83A5 00FCFFFF 00 AND DWORD PTR SS:[EBP-400],0
246F43AA 56 PUSH ESI
246F43AB C785 04FCFFFF 96300777 MOV DWORD PTR SS:[EBP-3FC],77073096
246F43B5 C785 08FCFFFF 2C610EEE MOV DWORD PTR SS:[EBP-3F8],EE0E612C
246F43BF C785 0CFCFFFF BA510999 MOV DWORD PTR SS:[EBP-3F4],990951BA
246F43C9 C785 10FCFFFF 19C46D07 MOV DWORD PTR SS:[EBP-3F0],76DC419
246F43D3 C785 14FCFFFF 8FF46A70 MOV DWORD PTR SS:[EBP-3EC],706AF48F
246F43DD C785 18FCFFFF 35A563E9 MOV DWORD PTR SS:[EBP-3E8],E963A535
246F43E7 C785 1CFCFFFF A395649E MOV DWORD PTR SS:[EBP-3E4],9E6495A3
246F43F1 C785 20FCFFFF 3288DB0E MOV DWORD PTR SS:[EBP-3E0],0EDB8832
246F43FB C785 24FCFFFF A4B8DC79 MOV DWORD PTR SS:[EBP-3DC],79DCB8A4
246F4405 C785 28FCFFFF 1EE9D5E0 MOV DWORD PTR SS:[EBP-3D8],E0D5E91E
246F440F C785 2CFCFFFF 88D9D297 MOV DWORD PTR SS:[EBP-3D4],97D2D988
246F4419 C785 30FCFFFF 2B4CB609 MOV DWORD PTR SS:[EBP-3D0],9B64C2B
246F4423 C785 34FCFFFF BD7CB17E MOV DWORD PTR SS:[EBP-3CC],7EB17CBD
246F442D C785 38FCFFFF 072DB8E7 MOV DWORD PTR SS:[EBP-3C8],E7B82D07
246F4437 C785 3CFCFFFF 911DBF90 MOV DWORD PTR SS:[EBP-3C4],90BF1D91
246F4441 C785 40FCFFFF 6410B71D MOV DWORD PTR SS:[EBP-3C0],1DB71064
246F444B C785 44FCFFFF F220B06A MOV DWORD PTR SS:[EBP-3BC],6AB020F2
246F4455 C785 48FCFFFF 4871B9F3 MOV DWORD PTR SS:[EBP-3B8],F3B97148
246F445F C785 4CFCFFFF DE41BE84 MOV DWORD PTR SS:[EBP-3B4],84BE41DE
246F4469 C785 50FCFFFF 7DD4DA1A MOV DWORD PTR SS:[EBP-3B0],1ADAD47D
246F4473 C785 54FCFFFF EBE4DD6D MOV DWORD PTR SS:[EBP-3AC],6DDDE4EB
246F447D C785 58FCFFFF 51B5D4F4 MOV DWORD PTR SS:[EBP-3A8],F4D4B551
246F4487 C785 5CFCFFFF C785D383 MOV DWORD PTR SS:[EBP-3A4],83D385C7
246F4491 C785 60FCFFFF 56986C13 MOV DWORD PTR SS:[EBP-3A0],136C9856 ; UNICODE "TC_ARCHEMY_MATERIAL_TK_DEATHKARA_CLON1"
246F449B C785 64FCFFFF C0A86B64 MOV DWORD PTR SS:[EBP-39C],646BA8C0
246F44A5 C785 68FCFFFF 7AF962FD MOV DWORD PTR SS:[EBP-398],FD62F97A
246F44AF C785 6CFCFFFF ECC9658A MOV DWORD PTR SS:[EBP-394],8A65C9EC
246F44B9 C785 70FCFFFF 4F5C0114 MOV DWORD PTR SS:[EBP-390],14015C4F
246F44C3 C785 74FCFFFF D96C0663 MOV DWORD PTR SS:[EBP-38C],63066CD9
246F44CD C785 78FCFFFF 633D0FFA MOV DWORD PTR SS:[EBP-388],FA0F3D63
246F44D7 C785 7CFCFFFF F50D088D MOV DWORD PTR SS:[EBP-384],8D080DF5
246F44E1 C785 80FCFFFF C8206E3B MOV DWORD PTR SS:[EBP-380],3B6E20C8
246F44EB C785 84FCFFFF 5E10694C MOV DWORD PTR SS:[EBP-37C],4C69105E
246F44F5 C785 88FCFFFF E44160D5 MOV DWORD PTR SS:[EBP-378],D56041E4
246F44FF C785 8CFCFFFF 727167A2 MOV DWORD PTR SS:[EBP-374],A2677172
246F4509 C785 90FCFFFF D1E4033C MOV DWORD PTR SS:[EBP-370],3C03E4D1
246F4513 C785 94FCFFFF 47D4044B MOV DWORD PTR SS:[EBP-36C],4B04D447
246F451D C785 98FCFFFF FD850DD2 MOV DWORD PTR SS:[EBP-368],D20D85FD
246F4527 C785 9CFCFFFF 6BB50AA5 MOV DWORD PTR SS:[EBP-364],A50AB56B
246F4531 C785 A0FCFFFF FAA8B535 MOV DWORD PTR SS:[EBP-360],35B5A8FA
246F453B C785 A4FCFFFF 6C98B242 MOV DWORD PTR SS:[EBP-35C],42B2986C
246F4545 C785 A8FCFFFF D6C9BBDB MOV DWORD PTR SS:[EBP-358],DBBBC9D6
246F454F C785 ACFCFFFF 40F9BCAC MOV DWORD PTR SS:[EBP-354],ACBCF940
246F4559 C785 B0FCFFFF E36CD832 MOV DWORD PTR SS:[EBP-350],32D86CE3
246F4563 C785 B4FCFFFF 755CDF45 MOV DWORD PTR SS:[EBP-34C],45DF5C75
246F456D C785 B8FCFFFF CF0DD6DC MOV DWORD PTR SS:[EBP-348],DCD60DCF
246F4577 C785 BCFCFFFF 593DD1AB MOV DWORD PTR SS:[EBP-344],ABD13D59
246F4581 C785 C0FCFFFF AC30D926 MOV DWORD PTR SS:[EBP-340],26D930AC
246F458B C785 C4FCFFFF 3A00DE51 MOV DWORD PTR SS:[EBP-33C],51DE003A
246F4595 C785 C8FCFFFF 8051D7C8 MOV DWORD PTR SS:[EBP-338],C8D75180
246F459F C785 CCFCFFFF 1661D0BF MOV DWORD PTR SS:[EBP-334],BFD06116
246F45A9 C785 D0FCFFFF B5F4B421 MOV DWORD PTR SS:[EBP-330],21B4F4B5
246F45B3 C785 D4FCFFFF 23C4B356 MOV DWORD PTR SS:[EBP-32C],56B3C423
246F45BD C785 D8FCFFFF 9995BACF MOV DWORD PTR SS:[EBP-328],CFBA9599
246F45C7 C785 DCFCFFFF 0FA5BDB8 MOV DWORD PTR SS:[EBP-324],B8BDA50F
246F45D1 C785 E0FCFFFF 9EB80228 MOV DWORD PTR SS:[EBP-320],2802B89E
246F45DB C785 E4FCFFFF 0888055F MOV DWORD PTR SS:[EBP-31C],5F058808
246F45E5 C785 E8FCFFFF B2D90CC6 MOV DWORD PTR SS:[EBP-318],C60CD9B2
246F45EF C785 ECFCFFFF 24E90BB1 MOV DWORD PTR SS:[EBP-314],B10BE924
246F45F9 C785 F0FCFFFF 877C6F2F MOV DWORD PTR SS:[EBP-310],2F6F7C87
246F4603 C785 F4FCFFFF 114C6858 MOV DWORD PTR SS:[EBP-30C],58684C11
246F460D C785 F8FCFFFF AB1D61C1 MOV DWORD PTR SS:[EBP-308],C1611DAB
246F4617 C785 FCFCFFFF 3D2D66B6 MOV DWORD PTR SS:[EBP-304],B6662D3D
246F4621 C785 00FDFFFF 9041DC76 MOV DWORD PTR SS:[EBP-300],76DC4190
246F462B C785 04FDFFFF 0671DB01 MOV DWORD PTR SS:[EBP-2FC],1DB7106
246F4635 C785 08FDFFFF BC20D298 MOV DWORD PTR SS:[EBP-2F8],98D220BC
246F463F C785 0CFDFFFF 2A10D5EF MOV DWORD PTR SS:[EBP-2F4],EFD5102A
246F4649 C785 10FDFFFF 8985B171 MOV DWORD PTR SS:[EBP-2F0],71B18589
246F4653 C785 14FDFFFF 1FB5B606 MOV DWORD PTR SS:[EBP-2EC],6B6B51F
246F465D C785 18FDFFFF A5E4BF9F MOV DWORD PTR SS:[EBP-2E8],9FBFE4A5
246F4667 C785 1CFDFFFF 33D4B8E8 MOV DWORD PTR SS:[EBP-2E4],E8B8D433
246F4671 C785 20FDFFFF A2C90778 MOV DWORD PTR SS:[EBP-2E0],7807C9A2
246F467B C785 24FDFFFF 34F9000F MOV DWORD PTR SS:[EBP-2DC],0F00F934 ; UNICODE "_A_13"
246F4685 C785 28FDFFFF 8EA80996 MOV DWORD PTR SS:[EBP-2D8],9609A88E
246F468F C785 2CFDFFFF 18980EE1 MOV DWORD PTR SS:[EBP-2D4],E10E9818
246F4699 C785 30FDFFFF BB0D6A7F MOV DWORD PTR SS:[EBP-2D0],7F6A0DBB
246F46A3 C785 34FDFFFF 2D3D6D08 MOV DWORD PTR SS:[EBP-2CC],86D3D2D
246F46AD C785 38FDFFFF 976C6491 MOV DWORD PTR SS:[EBP-2C8],91646C97
246F46B7 C785 3CFDFFFF 015C63E6 MOV DWORD PTR SS:[EBP-2C4],E6635C01
246F46C1 C785 40FDFFFF F4516B6B MOV DWORD PTR SS:[EBP-2C0],6B6B51F4
246F46CB C785 44FDFFFF 62616C1C MOV DWORD PTR SS:[EBP-2BC],1C6C6162
246F46D5 C785 48FDFFFF D8306585 MOV DWORD PTR SS:[EBP-2B8],856530D8
246F46DF C785 4CFDFFFF 4E0062F2 MOV DWORD PTR SS:[EBP-2B4],F262004E
246F46E9 C785 50FDFFFF ED95066C MOV DWORD PTR SS:[EBP-2B0],6C0695ED
246F46F3 C785 54FDFFFF 7BA5011B MOV DWORD PTR SS:[EBP-2AC],1B01A57B
246F46FD C785 58FDFFFF C1F40882 MOV DWORD PTR SS:[EBP-2A8],8208F4C1
246F4707 C785 5CFDFFFF 57C40FF5 MOV DWORD PTR SS:[EBP-2A4],F50FC457
246F4711 C785 60FDFFFF C6D9B065 MOV DWORD PTR SS:[EBP-2A0],65B0D9C6
246F471B C785 64FDFFFF 50E9B712 MOV DWORD PTR SS:[EBP-29C],12B7E950
246F4725 C785 68FDFFFF EAB8BE8B MOV DWORD PTR SS:[EBP-298],8BBEB8EA
246F472F C785 6CFDFFFF 7C88B9FC MOV DWORD PTR SS:[EBP-294],FCB9887C
246F4739 C785 70FDFFFF DF1DDD62 MOV DWORD PTR SS:[EBP-290],62DD1DDF
246F4743 C785 74FDFFFF 492DDA15 MOV DWORD PTR SS:[EBP-28C],15DA2D49
246F474D C785 78FDFFFF F37CD38C MOV DWORD PTR SS:[EBP-288],8CD37CF3
246F4757 C785 7CFDFFFF 654CD4FB MOV DWORD PTR SS:[EBP-284],FBD44C65
246F4761 C785 80FDFFFF 5861B24D MOV DWORD PTR SS:[EBP-280],4DB26158
246F476B C785 84FDFFFF CE51B53A MOV DWORD PTR SS:[EBP-27C],3AB551CE
246F4775 C785 88FDFFFF 7400BCA3 MOV DWORD PTR SS:[EBP-278],A3BC0074
246F477F C785 8CFDFFFF E230BBD4 MOV DWORD PTR SS:[EBP-274],D4BB30E2
246F4789 C785 90FDFFFF 41A5DF4A MOV DWORD PTR SS:[EBP-270],4ADFA541
246F4793 C785 94FDFFFF D795D83D MOV DWORD PTR SS:[EBP-26C],3DD895D7
246F479D C785 98FDFFFF 6DC4D1A4 MOV DWORD PTR SS:[EBP-268],A4D1C46D
246F47A7 C785 9CFDFFFF FBF4D6D3 MOV DWORD PTR SS:[EBP-264],D3D6F4FB
246F47B1 C785 A0FDFFFF 6AE96943 MOV DWORD PTR SS:[EBP-260],4369E96A
246F47BB C785 A4FDFFFF FCD96E34 MOV DWORD PTR SS:[EBP-25C],346ED9FC
246F47C5 C785 A8FDFFFF 468867AD MOV DWORD PTR SS:[EBP-258],AD678846
246F47CF C785 ACFDFFFF D0B860DA MOV DWORD PTR SS:[EBP-254],DA60B8D0
246F47D9 C785 B0FDFFFF 732D0444 MOV DWORD PTR SS:[EBP-250],44042D73
246F47E3 C785 B4FDFFFF E51D0333 MOV DWORD PTR SS:[EBP-24C],33031DE5
246F47ED C785 B8FDFFFF 5F4C0AAA MOV DWORD PTR SS:[EBP-248],AA0A4C5F
246F47F7 C785 BCFDFFFF C97C0DDD MOV DWORD PTR SS:[EBP-244],DD0D7CC9
246F4801 C785 C0FDFFFF 3C710550 MOV DWORD PTR SS:[EBP-240],5005713C
246F480B C785 C4FDFFFF AA410227 MOV DWORD PTR SS:[EBP-23C],270241AA
246F4815 C785 C8FDFFFF 10100BBE MOV DWORD PTR SS:[EBP-238],BE0B1010
246F481F C785 CCFDFFFF 86200CC9 MOV DWORD PTR SS:[EBP-234],C90C2086
246F4829 C785 D0FDFFFF 25B56857 MOV DWORD PTR SS:[EBP-230],5768B525
246F4833 C785 D4FDFFFF B3856F20 MOV DWORD PTR SS:[EBP-22C],206F85B3
246F483D C785 D8FDFFFF 09D466B9 MOV DWORD PTR SS:[EBP-228],B966D409
246F4847 C785 DCFDFFFF 9FE461CE MOV DWORD PTR SS:[EBP-224],CE61E49F
246F4851 C785 E0FDFFFF 0EF9DE5E MOV DWORD PTR SS:[EBP-220],5EDEF90E
246F485B C785 E4FDFFFF 98C9D929 MOV DWORD PTR SS:[EBP-21C],29D9C998
246F4865 C785 E8FDFFFF 2298D0B0 MOV DWORD PTR SS:[EBP-218],B0D09822
246F486F C785 ECFDFFFF B4A8D7C7 MOV DWORD PTR SS:[EBP-214],C7D7A8B4
246F4879 C785 F0FDFFFF 173DB359 MOV DWORD PTR SS:[EBP-210],59B33D17
246F4883 C785 F4FDFFFF 810DB42E MOV DWORD PTR SS:[EBP-20C],2EB40D81
246F488D C785 F8FDFFFF 3B5CBDB7 MOV DWORD PTR SS:[EBP-208],B7BD5C3B
246F4897 C785 FCFDFFFF AD6CBAC0 MOV DWORD PTR SS:[EBP-204],C0BA6CAD
246F48A1 C785 00FEFFFF 2083B8ED MOV DWORD PTR SS:[EBP-200],EDB88320
246F48AB C785 04FEFFFF B6B3BF9A MOV DWORD PTR SS:[EBP-1FC],9ABFB3B6
246F48B5 C785 08FEFFFF 0CE2B603 MOV DWORD PTR SS:[EBP-1F8],3B6E20C
246F48BF C785 0CFEFFFF 9AD2B174 MOV DWORD PTR SS:[EBP-1F4],74B1D29A
246F48C9 C785 10FEFFFF 3947D5EA MOV DWORD PTR SS:[EBP-1F0],EAD54739
246F48D3 C785 14FEFFFF AF77D29D MOV DWORD PTR SS:[EBP-1EC],9DD277AF
246F48DD C785 18FEFFFF 1526DB04 MOV DWORD PTR SS:[EBP-1E8],4DB2615
246F48E7 C785 1CFEFFFF 8316DC73 MOV DWORD PTR SS:[EBP-1E4],73DC1683
246F48F1 C785 20FEFFFF 120B63E3 MOV DWORD PTR SS:[EBP-1E0],E3630B12
246F48FB C785 24FEFFFF 843B6494 MOV DWORD PTR SS:[EBP-1DC],94643B84
246F4905 C785 28FEFFFF 3E6A6D0D MOV DWORD PTR SS:[EBP-1D8],0D6D6A3E
246F490F C785 2CFEFFFF A85A6A7A MOV DWORD PTR SS:[EBP-1D4],7A6A5AA8
246F4919 C785 30FEFFFF 0BCF0EE4 MOV DWORD PTR SS:[EBP-1D0],E40ECF0B
246F4923 C785 34FEFFFF 9DFF0993 MOV DWORD PTR SS:[EBP-1CC],9309FF9D
246F492D C785 38FEFFFF 27AE000A MOV DWORD PTR SS:[EBP-1C8],0A00AE27
246F4937 C785 3CFEFFFF B19E077D MOV DWORD PTR SS:[EBP-1C4],7D079EB1
246F4941 C785 40FEFFFF 44930FF0 MOV DWORD PTR SS:[EBP-1C0],F00F9344
246F494B C785 44FEFFFF D2A30887 MOV DWORD PTR SS:[EBP-1BC],8708A3D2
246F4955 C785 48FEFFFF 68F2011E MOV DWORD PTR SS:[EBP-1B8],1E01F268
246F495F C785 4CFEFFFF FEC20669 MOV DWORD PTR SS:[EBP-1B4],6906C2FE
246F4969 C785 50FEFFFF 5D5762F7 MOV DWORD PTR SS:[EBP-1B0],F762575D
246F4973 C785 54FEFFFF CB676580 MOV DWORD PTR SS:[EBP-1AC],806567CB
246F497D C785 58FEFFFF 71366C19 MOV DWORD PTR SS:[EBP-1A8],196C3671
246F4987 C785 5CFEFFFF E7066B6E MOV DWORD PTR SS:[EBP-1A4],6E6B06E7
246F4991 C785 60FEFFFF 761BD4FE MOV DWORD PTR SS:[EBP-1A0],FED41B76
246F499B C785 64FEFFFF E02BD389 MOV DWORD PTR SS:[EBP-19C],89D32BE0
246F49A5 C785 68FEFFFF 5A7ADA10 MOV DWORD PTR SS:[EBP-198],10DA7A5A
246F49AF C785 6CFEFFFF CC4ADD67 MOV DWORD PTR SS:[EBP-194],67DD4ACC
246F49B9 C785 70FEFFFF 6FDFB9F9 MOV DWORD PTR SS:[EBP-190],F9B9DF6F
246F49C3 C785 74FEFFFF F9EFBE8E MOV DWORD PTR SS:[EBP-18C],8EBEEFF9
246F49CD C785 78FEFFFF 43BEB717 MOV DWORD PTR SS:[EBP-188],17B7BE43
246F49D7 C785 7CFEFFFF D58EB060 MOV DWORD PTR SS:[EBP-184],60B08ED5
246F49E1 C785 80FEFFFF E8A3D6D6 MOV DWORD PTR SS:[EBP-180],D6D6A3E8
246F49EB C785 84FEFFFF 7E93D1A1 MOV DWORD PTR SS:[EBP-17C],A1D1937E
246F49F5 C785 88FEFFFF C4C2D838 MOV DWORD PTR SS:[EBP-178],38D8C2C4
246F49FF C785 8CFEFFFF 52F2DF4F MOV DWORD PTR SS:[EBP-174],4FDFF252
246F4A09 C785 90FEFFFF F167BBD1 MOV DWORD PTR SS:[EBP-170],D1BB67F1
246F4A13 C785 94FEFFFF 6757BCA6 MOV DWORD PTR SS:[EBP-16C],A6BC5767
246F4A1D C785 98FEFFFF DD06B53F MOV DWORD PTR SS:[EBP-168],3FB506DD
246F4A27 C785 9CFEFFFF 4B36B248 MOV DWORD PTR SS:[EBP-164],48B2364B
246F4A31 C785 A0FEFFFF DA2B0DD8 MOV DWORD PTR SS:[EBP-160],D80D2BDA
246F4A3B C785 A4FEFFFF 4C1B0AAF MOV DWORD PTR SS:[EBP-15C],AF0A1B4C
246F4A45 C785 A8FEFFFF F64A0336 MOV DWORD PTR SS:[EBP-158],36034AF6
246F4A4F C785 ACFEFFFF 607A0441 MOV DWORD PTR SS:[EBP-154],41047A60
246F4A59 C785 B0FEFFFF C3EF60DF MOV DWORD PTR SS:[EBP-150],DF60EFC3
246F4A63 C785 B4FEFFFF 55DF67A8 MOV DWORD PTR SS:[EBP-14C],A867DF55
246F4A6D C785 B8FEFFFF EF8E6E31 MOV DWORD PTR SS:[EBP-148],316E8EEF
246F4A77 C785 BCFEFFFF 79BE6946 MOV DWORD PTR SS:[EBP-144],4669BE79
246F4A81 C785 C0FEFFFF 8CB361CB MOV DWORD PTR SS:[EBP-140],CB61B38C
246F4A8B C785 C4FEFFFF 1A8366BC MOV DWORD PTR SS:[EBP-13C],BC66831A
246F4A95 C785 C8FEFFFF A0D26F25 MOV DWORD PTR SS:[EBP-138],256FD2A0
246F4A9F C785 CCFEFFFF 36E26852 MOV DWORD PTR SS:[EBP-134],5268E236
246F4AA9 C785 D0FEFFFF 95770CCC MOV DWORD PTR SS:[EBP-130],CC0C7795
246F4AB3 C785 D4FEFFFF 03470BBB MOV DWORD PTR SS:[EBP-12C],BB0B4703
246F4ABD C785 D8FEFFFF B9160222 MOV DWORD PTR SS:[EBP-128],220216B9
246F4AC7 C785 DCFEFFFF 2F260555 MOV DWORD PTR SS:[EBP-124],5505262F
246F4AD1 C785 E0FEFFFF BE3BBAC5 MOV DWORD PTR SS:[EBP-120],C5BA3BBE
246F4ADB C785 E4FEFFFF 280BBDB2 MOV DWORD PTR SS:[EBP-11C],B2BD0B28
246F4AE5 C785 E8FEFFFF 925AB42B MOV DWORD PTR SS:[EBP-118],2BB45A92
246F4AEF C785 ECFEFFFF 046AB35C MOV DWORD PTR SS:[EBP-114],5CB36A04
246F4AF9 C785 F0FEFFFF A7FFD7C2 MOV DWORD PTR SS:[EBP-110],C2D7FFA7
246F4B03 C785 F4FEFFFF 31CFD0B5 MOV DWORD PTR SS:[EBP-10C],B5D0CF31
246F4B0D C785 F8FEFFFF 8B9ED92C MOV DWORD PTR SS:[EBP-108],2CD99E8B
246F4B17 C785 FCFEFFFF 1DAEDE5B MOV DWORD PTR SS:[EBP-104],5BDEAE1D
246F4B21 C785 00FFFFFF B0C2649B MOV DWORD PTR SS:[EBP-100],9B64C2B0
246F4B2B C785 04FFFFFF 26F263EC MOV DWORD PTR SS:[EBP-FC],EC63F226
246F4B35 C785 08FFFFFF 9CA36A75 MOV DWORD PTR SS:[EBP-F8],756AA39C
246F4B3F C785 0CFFFFFF 0A936D02 MOV DWORD PTR SS:[EBP-F4],26D930A
246F4B49 C785 10FFFFFF A906099C MOV DWORD PTR SS:[EBP-F0],9C0906A9
246F4B53 C785 14FFFFFF 3F360EEB MOV DWORD PTR SS:[EBP-EC],EB0E363F
246F4B5D C785 18FFFFFF 85670772 MOV DWORD PTR SS:[EBP-E8],72076785
246F4B67 C785 1CFFFFFF 13570005 MOV DWORD PTR SS:[EBP-E4],5005713
246F4B71 C785 20FFFFFF 824ABF95 MOV DWORD PTR SS:[EBP-E0],95BF4A82
246F4B7B C785 24FFFFFF 147AB8E2 MOV DWORD PTR SS:[EBP-DC],E2B87A14
246F4B85 C785 28FFFFFF AE2BB17B MOV DWORD PTR SS:[EBP-D8],7BB12BAE
246F4B8F C785 2CFFFFFF 381BB60C MOV DWORD PTR SS:[EBP-D4],0CB61B38
246F4B99 C785 30FFFFFF 9B8ED292 MOV DWORD PTR SS:[EBP-D0],92D28E9B
246F4BA3 C785 34FFFFFF 0DBED5E5 MOV DWORD PTR SS:[EBP-CC],E5D5BE0D
246F4BAD C785 38FFFFFF B7EFDC7C MOV DWORD PTR SS:[EBP-C8],7CDCEFB7
246F4BB7 C785 3CFFFFFF 21DFDB0B MOV DWORD PTR SS:[EBP-C4],0BDBDF21
246F4BC1 C785 40FFFFFF D4D2D386 MOV DWORD PTR SS:[EBP-C0],86D3D2D4
246F4BCB C785 44FFFFFF 42E2D4F1 MOV DWORD PTR SS:[EBP-BC],F1D4E242
246F4BD5 C785 48FFFFFF F8B3DD68 MOV DWORD PTR SS:[EBP-B8],68DDB3F8
246F4BDF C785 4CFFFFFF 6E83DA1F MOV DWORD PTR SS:[EBP-B4],1FDA836E
246F4BE9 C785 50FFFFFF CD16BE81 MOV DWORD PTR SS:[EBP-B0],81BE16CD
246F4BF3 C785 54FFFFFF 5B26B9F6 MOV DWORD PTR SS:[EBP-AC],F6B9265B
246F4BFD C785 58FFFFFF E177B06F MOV DWORD PTR SS:[EBP-A8],6FB077E1
246F4C07 C785 5CFFFFFF 7747B718 MOV DWORD PTR SS:[EBP-A4],18B74777
246F4C11 C785 60FFFFFF E65A0888 MOV DWORD PTR SS:[EBP-A0],88085AE6
246F4C1B C785 64FFFFFF 706A0FFF MOV DWORD PTR SS:[EBP-9C],FF0F6A70
246F4C25 C785 68FFFFFF CA3B0666 MOV DWORD PTR SS:[EBP-98],66063BCA
246F4C2F C785 6CFFFFFF 5C0B0111 MOV DWORD PTR SS:[EBP-94],11010B5C
246F4C39 C785 70FFFFFF FF9E658F MOV DWORD PTR SS:[EBP-90],8F659EFF
246F4C43 C785 74FFFFFF 69AE62F8 MOV DWORD PTR SS:[EBP-8C],F862AE69
246F4C4D C785 78FFFFFF D3FF6B61 MOV DWORD PTR SS:[EBP-88],616BFFD3
246F4C57 C785 7CFFFFFF 45CF6C16 MOV DWORD PTR SS:[EBP-84],166CCF45
246F4C61 C745 80 78E20AA0 MOV DWORD PTR SS:[EBP-80],A00AE278
246F4C68 C745 84 EED20DD7 MOV DWORD PTR SS:[EBP-7C],D70DD2EE
246F4C6F C745 88 5483044E MOV DWORD PTR SS:[EBP-78],4E048354
246F4C76 C745 8C C2B30339 MOV DWORD PTR SS:[EBP-74],3903B3C2
246F4C7D C745 90 612667A7 MOV DWORD PTR SS:[EBP-70],A7672661
246F4C84 C745 94 F71660D0 MOV DWORD PTR SS:[EBP-6C],D06016F7
246F4C8B C745 98 4D476949 MOV DWORD PTR SS:[EBP-68],4969474D
246F4C92 C745 9C DB776E3E MOV DWORD PTR SS:[EBP-64],3E6E77DB
246F4C99 C745 A0 4A6AD1AE MOV DWORD PTR SS:[EBP-60],AED16A4A
246F4CA0 C745 A4 DC5AD6D9 MOV DWORD PTR SS:[EBP-5C],D9D65ADC
246F4CA7 C745 A8 660BDF40 MOV DWORD PTR SS:[EBP-58],40DF0B66
246F4CAE C745 AC F03BD837 MOV DWORD PTR SS:[EBP-54],37D83BF0
246F4CB5 C745 B0 53AEBCA9 MOV DWORD PTR SS:[EBP-50],A9BCAE53
246F4CBC C745 B4 C59EBBDE MOV DWORD PTR SS:[EBP-4C],DEBB9EC5
246F4CC3 C745 B8 7FCFB247 MOV DWORD PTR SS:[EBP-48],47B2CF7F
246F4CCA C745 BC E9FFB530 MOV DWORD PTR SS:[EBP-44],30B5FFE9
246F4CD1 C745 C0 1CF2BDBD MOV DWORD PTR SS:[EBP-40],BDBDF21C
246F4CD8 C745 C4 8AC2BACA MOV DWORD PTR SS:[EBP-3C],CABAC28A
246F4CDF 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
246F4CE2 85C9 TEST ECX,ECX
246F4CE4 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]
246F4CE7 8B06 MOV EAX,DWORD PTR DS:[ESI]
246F4CE9 C745 C8 3093B353 MOV DWORD PTR SS:[EBP-38],53B39330
246F4CF0 C745 CC A6A3B424 MOV DWORD PTR SS:[EBP-34],24B4A3A6
246F4CF7 C745 D0 0536D0BA MOV DWORD PTR SS:[EBP-30],BAD03605
246F4CFE C745 D4 9306D7CD MOV DWORD PTR SS:[EBP-2C],CDD70693
246F4D05 C745 D8 2957DE54 MOV DWORD PTR SS:[EBP-28],54DE5729
246F4D0C C745 DC BF67D923 MOV DWORD PTR SS:[EBP-24],23D967BF
246F4D13 C745 E0 2E7A66B3 MOV DWORD PTR SS:[EBP-20],B3667A2E
246F4D1A C745 E4 B84A61C4 MOV DWORD PTR SS:[EBP-1C],C4614AB8
246F4D21 C745 E8 021B685D MOV DWORD PTR SS:[EBP-18],5D681B02
246F4D28 C745 EC 942B6F2A MOV DWORD PTR SS:[EBP-14],2A6F2B94
246F4D2F C745 F0 37BE0BB4 MOV DWORD PTR SS:[EBP-10],B40BBE37
246F4D36 C745 F4 A18E0CC3 MOV DWORD PTR SS:[EBP-C],C30C8EA1
246F4D3D C745 F8 1BDF055A MOV DWORD PTR SS:[EBP-8],5A05DF1B
246F4D44 C745 FC 8DEF022D MOV DWORD PTR SS:[EBP-4],2D02EF8D
246F4D4B 74 24 JE SHORT 246F4D71
246F4D4D 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0
246F4D51 74 1C JE SHORT 246F4D6F
246F4D53 33D2 XOR EDX,EDX
246F4D55 8A11 MOV DL,BYTE PTR DS:[ECX]
246F4D57 33D0 XOR EDX,EAX
246F4D59 81E2 FF000000 AND EDX,0FF
246F4D5F C1E8 08 SHR EAX,8
246F4D62 338495 00FCFFFF XOR EAX,DWORD PTR SS:[EBP+EDX*4-400]
246F4D69 41 INC ECX
246F4D6A FF4D 0C DEC DWORD PTR SS:[EBP+C]
246F4D6D ^ 75 E4 JNZ SHORT 246F4D53
246F4D6F 8906 MOV DWORD PTR DS:[ESI],EAX
246F4D71 F7D0 NOT EAX
246F4D73 5E POP ESI
246F4D74 C9 LEAVE
246F4D75 C3 RETN
The code at address 246F4D53 - 246F4D6D is the hash calculation logic. ECX has the address to get the byte of and then the hash is calculated for the region of memory. If you codecave this logic and fake the results, you can essentially fake the results, but there is a problem.
There is another scanning function that runs in another thread that will scan this logic to make sure it has not changed. If you only change that logic, the second thread will detect changes in the code as the hashes sent to the server will not match.
Here is a snippet from the second byte scanning function:
Code:
24774C82 D0EC SHR AH,1
24774C84 FF7424 08 PUSH DWORD PTR SS:[ESP+8]
24774C88 F9 STC
24774C89 0FB617 MOVZX EDX,BYTE PTR DS:[EDI]
24774C8C D2FC SAR AH,CL
24774C8E 3F AAS
24774C8F 0FB647 FF MOVZX EAX,BYTE PTR DS:[EDI-1]
24774C93 890C24 MOV DWORD PTR SS:[ESP],ECX
24774C96 F8 CLC
24774C97 FF3424 PUSH DWORD PTR SS:[ESP]
24774C9A 23D1 AND EDX,ECX
24774C9C F8 CLC
In this case, EDI will have the address to get the value of. I had missed the second EDI - 1 access earlier but I fixed that in version 5.
Now, there are a few other places that I managed to get triggered accessing memory, but who knows how many possible locations there are. As you can see by the code, it's not really straightforward at all.
The only way to easily identify the logic is to set a hardware breakpoint on memory access on the memory of the client and then the security memory. I think it's possible to get them all, but it'd be nice to find an alternative method of tracking each access without a driver.
So for anything you patch, you have to find all the security logic that eventually checks that memory. I noticed the security memory scans start about 15-30s after you get in game, so it's possible that you might not get a DC for a few minutes but eventually get one, and then you have to go back to hardware breakpoints to see what code you missed.
I noticed there was a memcpy like function that I need to patch since it reads important memory, but then I need to find the code that scans the integrity of that function. It's a lot of cat and mouse work or needles in haystacks.
To figure out which thread was the main security thread, I first found the main client scanning logic from the first paste and took note of which thread ID it had. I then found the entry point of that thread and came up with a byte signature to uniquely identify that thread. In my loader I hook the CreateRemoteThread/Ex family of functions and then check the entry point of the threads with the byte signature, which does have to use some wildcards.
Then you can call VirtualQuery on the thread entry point to get the entire page of memory and then do signature searching to make your patches. That's pretty much what I do. However as I previously mentioned, it's not that great of a long term solution since the logic can change and you have to re-find the new logic. In addition, some threads can be given a long Sleep and only execute at longer time intervals, which makes catching all the memory accesses impractical, since the security logic that is executed will vary based on when you login.
The security logic also makes a patch in the client to start execution of their code, so you can catch that if you detour VirtualProtectEx and look for an address inside the client's code section. If you then set a HWBP on write on the address, you can catch the logic that does it.
It is quite a challenge to work with. I was hoping to find a solution that I could just control all memory accesses and fake the results, but that gets tricky. I'm working with VirtualQuery, VirtualProtect, and Vectored Exception Handlers trying to come up with something that would work.
|
|
|
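The byte-signature search pushedx describes above (identify the security thread by a wildcarded signature at its entry point, then search the region VirtualQuery returns for the code to patch), as an added example that is not code from the loader or from the original post. The pattern is built from the prologue bytes of the listed routine (55 8B EC 81 EC 00 04 00 00 83 A5 00 FC FF FF 00 56 ...) with the frame size and the stack displacement wildcarded; the demo buffer is constructed and the function names are my own.

```c
/* Added example, not from the thread: an OllyDbg-style byte signature
 * matcher with "??" wildcards, the kind of search the post describes running
 * over the page that VirtualQuery returns for a thread entry point.
 * Names (signature, sig_parse, sig_find, demo_*) are assumptions. */
#include <ctype.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define SIG_MAX 64

typedef struct {
    uint8_t bytes[SIG_MAX];
    uint8_t mask[SIG_MAX];   /* 1 = byte must match, 0 = wildcard */
    size_t  len;
} signature;

/* Parse "55 8B EC 81 EC ?? ?? ?? ??" into bytes + mask. Returns 0 on bad input. */
int sig_parse(const char *text, signature *out)
{
    out->len = 0;
    while (*text) {
        while (*text == ' ') text++;
        if (!*text) break;
        if (out->len >= SIG_MAX) return 0;
        if (text[0] == '?' && text[1] == '?') {
            out->bytes[out->len] = 0;
            out->mask[out->len] = 0;
        } else if (isxdigit((unsigned char)text[0]) && isxdigit((unsigned char)text[1])) {
            char tmp[3] = { text[0], text[1], 0 };
            out->bytes[out->len] = (uint8_t)strtoul(tmp, NULL, 16);
            out->mask[out->len] = 1;
        } else {
            return 0;
        }
        out->len++;
        text += 2;
    }
    return out->len > 0;
}

/* Search [base, base+size) for the signature; return the offset or -1. */
long sig_find(const uint8_t *base, size_t size, const signature *sig)
{
    if (sig->len == 0 || size < sig->len) return -1;
    for (size_t off = 0; off + sig->len <= size; off++) {
        size_t i;
        for (i = 0; i < sig->len; i++)
            if (sig->mask[i] && base[off + i] != sig->bytes[i]) break;
        if (i == sig->len) return (long)off;
    }
    return -1;
}

/* Constructed demo region: padding, then the first bytes of the listed
 * prologue (246F439A..246F43AB), then more padding. */
static const uint8_t demo_region[] = {
    0x90, 0x90, 0xCC, 0xC3,
    0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x00, 0x04, 0x00, 0x00,
    0x83, 0xA5, 0x00, 0xFC, 0xFF, 0xFF, 0x00, 0x56,
    0xC7, 0x85, 0x04, 0xFC, 0xFF, 0xFF, 0x96, 0x30, 0x07, 0x77,
    0xCC, 0xCC
};

/* Locate the scan-routine prologue inside the demo region (expected: 4). */
long demo_find_scan_prologue(void)
{
    signature sig;
    if (!sig_parse("55 8B EC 81 EC ?? ?? ?? ?? 83 A5 ?? ?? ?? ?? 00 56 C7 85", &sig))
        return -2;
    return sig_find(demo_region, sizeof demo_region, &sig);
}

int main(void)
{
    printf("prologue found at offset %ld\n", demo_find_scan_prologue());
    return 0;
}
```

On Windows the same search runs over the region returned by VirtualQuery on the thread entry point (mbi.BaseAddress and mbi.RegionSize); the matcher itself is plain C. Wildcarding the immediates is what lets one signature survive a rebuild that changes only the frame size or displacements, which is the point of the wildcards the post mentions.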
11/12/2009, 20:46
|
#26
|
elite*gold: 20
Join Date: Jul 2007
Posts: 1,617
Received Thanks: 574
|
Quote:
Originally Posted by pushedx
...
|
What do I have to study to know (and also understand) all that... kind of amazing... What did you do to get all this knowledge? Is it just the years of experience or more?
|
|
|
11/12/2009, 23:10
|
#27
|
elite*gold: 0
Join Date: Mar 2007
Posts: 77
Received Thanks: 111
|
Thanks for telling.
This is indeed quite tricky. I messed a bit more with memory protection systems.
There is one main advantage of a driver: you can patch kernel memory.
I made a driver with a quite good interface and a little demo app that is loaded and where you are able to register changed memory.
The driver will intercept all ReadProcessMemory (or better: ZwReadVirtualMemory) calls and patch their return values.
So it's impossible for an external program to find any changes.
I also unhooked any kernel hooks from XTrap, so I was able to write to sro_client via WriteProcessMemory.
The problem: I said "external" program.
The process can read its own memory without using RPM.
And unhooking kernel hooks is also possible from a ring 3 program (yes, you can enter ring 0 with a usermode app without a driver... I could terminate my AV without being detected... just for testing).
I could imagine 3 ways of fully getting around it:
First: get these scanning function calls and the address they are trying to scan. If it's a region where you made a patch, change this region to a clean copy of the region. Could be possible... but very hard.
2nd: maybe it's possible to get accesses to the addresses. Then you can check their origin and temporarily undo the patch or again fake the results...
This is what I wanted to do with my driver...
3rd: don't let any thread execute: if you prevent any thread from being executed there is no check... you'd only have to make a "whitelist" for the main thread and some others.
Problem: if a scan takes place in the main thread, it's not affected.
Also, if the server requests a scan and there is no answer, it will be bad.
Do you have some information on the packets?
In vSRO the server sends a request and XTrap answers it almost instantly,
but stupid Themida prevents me from attaching my debugger even if I use a kernelmode hiding driver...
How are they sent and what is in them?
Also: how is the address to be scanned calculated and stored?
Edit: I just looked at the Hackshield bypass... the last quote is the best. SSDT hooks can be undone even by usermode apps. But these memchecks are almost the same as we have here. But there it is only one check...
However: I think my method of registering changed memory could be used...
The "only" thing to do is intercepting all read attempts...
|
|
|
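A worked model of the hash routine pushedx disassembled in post #25 and of the "clean copy" counter-measure hack0r89 proposes as his first option, added here as an example and not taken from either poster's code. The table the routine builds at [EBP-400] is the standard reflected CRC-32 table (index 1 = 77073096, index 128 = EDB88320, matching the listing), and the loop at 246F4D53-246F4D6D is the byte-wise CRC-32 update with the running value kept at *ESI and the complement returned. The second scanner hashes the same addresses but substitutes a pristine copy for every byte inside a patched range, which is what makes the integrity hash match while the live bytes differ. The sample region, the patch and the function names are my own.

```c
/* Added example, not from the thread. Models the disassembled scan routine
 * (args: ptr, len, pointer to running CRC) and a "hash the clean copy"
 * redirect for a patched range. Names are assumptions, not the client's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint32_t crc_table[256];

/* Same 256-entry table the routine stores on its stack (reflected poly). */
static void crc32_init_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (c >> 1) ^ 0xEDB88320u : (c >> 1);
        crc_table[i] = c;
    }
}

/* Mirrors 246F4CDF..246F4D75: read *state, update over len bytes,
 * store back, return the complement. A NULL pointer skips the store. */
uint32_t crc32_scan(const uint8_t *p, size_t len, uint32_t *state)
{
    uint32_t crc = *state;                 /* MOV EAX,DWORD PTR DS:[ESI] */
    if (p == NULL)                         /* TEST ECX,ECX / JE 246F4D71 */
        return ~crc;
    for (size_t i = 0; i < len; i++)       /* 246F4D53..246F4D6D */
        crc = (crc >> 8) ^ crc_table[(crc ^ p[i]) & 0xFFu];
    *state = crc;                          /* MOV DWORD PTR DS:[ESI],EAX */
    return ~crc;                           /* NOT EAX */
}

/* One patched range plus a pristine copy of its original bytes. */
typedef struct {
    const uint8_t *live;    /* where the patched bytes actually live */
    const uint8_t *clean;   /* copy taken before patching, same length */
    size_t len;
} shadow_region;

static uint8_t shadowed_byte(const uint8_t *addr, const shadow_region *sh)
{
    uintptr_t a = (uintptr_t)addr, s = (uintptr_t)sh->live;
    if (a >= s && a < s + sh->len)
        return sh->clean[a - s];           /* inside the patch: lie */
    return *addr;                          /* elsewhere: real memory */
}

/* Same hash, but bytes inside the shadowed range come from the clean copy. */
uint32_t scan_via_shadow(const uint8_t *p, size_t len, uint32_t *state,
                         const shadow_region *sh)
{
    uint32_t crc = *state;
    if (p == NULL) return ~crc;
    for (size_t i = 0; i < len; i++)
        crc = (crc >> 8) ^ crc_table[(crc ^ shadowed_byte(p + i, sh)) & 0xFFu];
    *state = crc;
    return ~crc;
}

/* Standard CRC-32 check value: crc32("123456789") == 0xCBF43926. */
uint32_t crc32_check_value(void)
{
    crc32_init_table();
    uint32_t st = 0xFFFFFFFFu;
    return crc32_scan((const uint8_t *)"123456789", 9, &st);
}

/* Constructed demo: hash a region, patch one byte, hash it raw and via the
 * shadow. Returns 1 when the shadow scan reports the pristine hash while the
 * raw scan does not. */
int demo_shadow_scan(void)
{
    uint8_t region[16] = { 0x55,0x8B,0xEC,0x81,0xEC,0x00,0x04,0x00,
                           0x00,0x83,0xA5,0x00,0xFC,0xFF,0xFF,0x00 };
    uint8_t clean[16];
    uint32_t st, pristine, raw, faked;
    shadow_region sh = { region, clean, sizeof region };

    crc32_init_table();
    memcpy(clean, region, sizeof region);
    st = 0xFFFFFFFFu; pristine = crc32_scan(clean, sizeof clean, &st);
    region[9] = 0xEB;                      /* the constructed patch */
    st = 0xFFFFFFFFu; raw   = crc32_scan(region, sizeof region, &st);
    st = 0xFFFFFFFFu; faked = scan_via_shadow(region, sizeof region, &st, &sh);
    return faked == pristine && raw != pristine;
}

int main(void)
{
    printf("crc32(\"123456789\") = %08X\n", crc32_check_value());
    printf("shadow scan hides the patch: %s\n", demo_shadow_scan() ? "yes" : "no");
    return 0;
}
```

The redirect only helps for scans that go through code you control: as both posts note, a second thread that hashes the scanner itself, or a reader that never calls an API you can detour, sees the real bytes unless that path is found and handled too.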
11/13/2009, 00:20
|
#28
|
elite*gold: 0
Join Date: Sep 2008
Posts: 439
Received Thanks: 122
|
You 2 people need to share MSN/Skype/QQ so that you can help each other.
All I understood from both posts is this: "freaking AWESOME code involved, and days of tracking and re-coding and **** like that over and over and over again."
|
|
|
11/13/2009, 15:47
|
#29
|
elite*gold: 20
Join Date: Jul 2007
Posts: 1,617
Received Thanks: 574
|
Quote:
Don't make them angry ... quite the best thread on epvpers in ages...
|
|
|
11/16/2009, 06:32
|
#30
|
elite*gold: 260
Join Date: Aug 2008
Posts: 560
Received Thanks: 3,751
|
Just a little status update, since I've not replied for a few days. I'm currently working on reversing the entire cSRO security system, so it will be a short while longer as I work out how the entire thing is setup. I'll have a little article that explains it all when it's all said and done and hopefully have a new method to get around the detection, as my latest patches are still getting detected somehow.
I'll get around to more specific replies made in this thread later on after I'm done. So far though, everything is going 'good', it just takes a lot of time to reverse this stuff and to work through what is going on! It's pretty tedious since it's all loaded at run-time dynamically.
|
|
|