[Guide] How to crack SEA GUARD (lol fail).

Discussion on [Guide] How to crack SEA GUARD (lol fail). within the SRO PServer Guides & Releases forum part of the SRO Private Server category.

#1

It's not hard. I will omit how to hex the file to make the changes permanent but this will overview how to patch it at run-time in olly so that sea-guard is completely disabled.

First, open sea in VB Decompiler (the lite version is fine). You see 2 sections named "SeaGuard#"; these two are the sea guard functions. I've given a simple description of what each function does in the image, but this is what there is. Only the first and last here are important (starred). The first is the function which sends the e-mail with your personal information; it calls every other function here except the last. The last is used to check the key to see if it's valid.



So we begin by going to the address of that first SG function in olly.



Here we see this relationship I mentioned where the first function calls the others. We don't want this function to execute, EVER, because it's just plain evil. So we'll do a quick search for the command 'call 5bcb50' since that's what its invocation will look like:



This takes us to this little area of code, where we see the invocation is pushing 1 variable on the stack then calling, which tells us it has 1 argument.



So to fix this, we'll go back to that function and put 'retn 4' as the first instruction. This will return to the caller doing NOTHING, which is what we want.



Finally, we need to patch out this check on the key. So if we navigate to that function, looking at it, it's quite large and we see lots of InternetOpenURL shit being called. We want to jump over all this mess to the area where the key has been validated (thus never actually checking the key AND never opening a URL, making this an offline crack too). So I found a nice little area that's just some arithmetic on a register that we can use to insert the required jump; it's right at the top of the function after a few string operations, so nothing interesting has actually happened yet (but the function's stack frame and exception handling have been set up):



Scrolling way down, we find the code that verifies the key's validity and the jump that's taken if it isn't good:



So we want to jump to the address at this star which is where the code after successful validation begins.

We do that at the previous place like so:



Now, if we just hit 'run' and let the program run, it'll start up and work fine, as we've completely circumvented this "sea guard" crap.

In any case, you easily see his "guard" is an e-mailer and a check on a key which simply downloads a file with keys in it, then loads the contents of that file into a string, then does a string compare to see if the hardcoded key is valid and in that list. This isn't much of a safety measure as the key is hardcoded.. so lol.

There you go, now you can crack future versions of sea, because PAX isn't likely to implement a good system, ever.

Enjoy.
jM3
05/13/2010, 19:04   #2
Noob.hahahha
xcoom
05/13/2010, 19:10   #3
Thanks for tut.
BBCODE copied because I bet it's going to get deleted most likely so I'd better keep it saved ^^

Of course, +1 thanks for your hard work mate ^^
Iorveth
05/13/2010, 19:27   #4
+1 lol=))
marius1000
05/13/2010, 19:28   #5
#Moved to "Private SRO Exploits/Hacks/Bots/Guides".
#Added tag "[Guide] "
InvincibleNoOB
05/13/2010, 20:40   #6
+1 for this awesome work cracking guide.

well done thank you.
-Burton-
05/14/2010, 00:12   #7
nice work

thx alot
ahmed_ahmed9889
05/14/2010, 04:05   #8
What do you know, just upgraded to super noob coder. Learned something new, thanks dude, looking forward to more guides.
supertrilo
05/14/2010, 08:00   #9
So here's an idea for someone to try, since I don't want to load up a windows box in vbox to test it, someone with olly who's not afraid to try it give it a go:

The limit imposed on you I'm pretty sure is in the form of a switch, something like:

Code:
// in some function handling player connections...

switch (num_connected_players) {
  case 1 ... 15:   // case-range form (GCC/Clang extension); plain C needs one case per value
    // connect normally here...
    break;
  default:
    // throw an error
    break;
}

So what you need to do is open up olly with the cracked sea, search for the code:

"cmp ecx,f"

(try 14 too, which is hex for 20)

Olly should take you to a switch statement where its cases 1 through 15 (or 20) are one thing and everything else is another (which looks like it's throwing an error). Modify that cmp so that it's ff, which is -1 (it's signed). This should fix the comparison so that no number of players will ever trigger a failure (since positive numbers are never going to be "below" -1). This should essentially remove the limit on the number of players that can connect.

Further, if you search, there will be a 'push 14' somewhere near the end of the program that's immediately preceded by a push of a unicode string like " " (just empty space); that's the code that prints the number of max players to the text box on the form. You can also change that if you like, to push ff, and it will show the max players as -1 on the form.

Someone try it, let me know if more than 15 people can connect.
jM3
05/14/2010, 08:26   #10
Quote:
Originally Posted by jM3
[post #9 quoted in full]
Can't understand.
MeJIbHuKoB
05/14/2010, 08:37   #11
Quote:
Originally Posted by MeJIbHuKoB
Can't understand.
derp
clearscreen
05/14/2010, 08:39   #12
Quote:
Originally Posted by clearscreen
derp
jM3
05/14/2010, 18:24   #13
Here is the patched sea binary, someone else try it please since I'm not playing silkroad anymore.
Attached Files
File Type: rar sea_nulled_1.0.3.rar (313.1 KB, 59 views)
jumalauta
05/14/2010, 19:16   #14
Quote:
Originally Posted by jumalauta
Here is the patched sea binary, someone else try it please since I'm not playing silkroad anymore.

Did you already make a new crack for the new db bot version?
Biber155
05/14/2010, 19:29   #15
Quote:
Originally Posted by Biber155
Did you already make a new crack for the new db bot version?
Not yet. Please don't go off topic.
jumalauta
All times are GMT +2.