Disable Gameguard with OllyDbg

[m0rti]

Die Leute die Plan haben verstehens, vielleicht haben die dummen auch Glück und einer uppt ne sframe.exe ohne keylogger.

Punkt:
3). Rappelz <- are switching to GameGuard, this means they will be checking packets.

erklärt alles.

Link:


Ansonst Viel Spaß beim Acc verlieren

greetz m0rti
aka zinsan

[RaZoriX]

Bringt nix das ist von 12. September 2008 war da das neue epic überhaput schon raus ?!
Das Problem ist man muss die exe erst entpacken und das ist schon nicht einfach aber vielleicht hat das ja schon jemd geschafft ... BTW die sind gewechselt von aramdillo auf ASProtect 1.23 RC4 Ich hab selbst auch was entpackt nur Starten wills nicht ... die Datei müsste so um die 8mb sein ...

[tfBullet]

Disable GAME GUARD und GG haben se erst seit Epic5 part2 -.-
nicht nur drücken beim sche*ßen auch denken

mfg
Bullet

[RaZoriX]

was laberst du da ?! es gab auch mit e4 GG!
kommt bei dir immer erst mal flame? oder biste nen kiddi?

[serafincro]

I would like to participate but you are talking in German .. and web translation tools sux!

thanks!

[brotherjohn]

Hi , i'd like to help / learn how to too, but I don't understand german any more, i haven't heard or talk for a very very long time.

I found a UCE, GG doesn't detect it, it' s called "DA Engine", 5.4 released, an undetectable cheat engine.

The matter now is to find the process attached to rappelz : Sframe. exe seems to be ...... "absorbed" ??? by a "svchost. exe" process, named "wmiprvse.exe"
That happen just after the GG's ".des" has been lauched.

So, even if GG doesn't detect DaEngine, i don't know how to use it to look in the game memory, there's no process " rappelz" or "sframe", can't read in svchost.exe, and there's not attached process to the Rappelz'game window.

can somebody help me ?

thank , Cu

Brotherjohn

[jasonxa]

Hmm i am not sure if your engine is really undetectable by GG since u just run it without open the sframe process... To make sure if it is undetectable u must first find a way to open/scan/modify the sframe process and then we will be sure... And here is the way to do it.... Use Process explorer... Execute rappelz and check the process tree of the Sframe.exe... First U will notice that sframe executes GameGuard.des[the GG updater] after some seconds sframe loads GameMon.des[GG Engine or something] Suspend GameMon.des and quickly Open your cheat engine... attach sframe.exe and then resume GameMon to let it continue client loading... Now logon and start scan/mod memory and tell us results..and also tell us when to find the engine... GL

[brotherjohn]

hi
thank a lot jasonxa

i've done what you told : suspend gamemon.des, and scan Sframe.exe

the matter now is that i can see data before SFrame is "absorbed" , but not after that , the "memview" option show only "?" after that .....
I tried to "attache to process" but when i do that, the pc always reboot :/

so i didn't find value to modify in SFrame because, I think, the scanned memory area is not the good one :/

The good thing is that gameguard didn't detect DAEngine .

[brotherjohn]

As my computer's very slow, i succeed in opening "wmiprvse.exe" process (the process which is loaded after "SFrame.exe" has been "absorbed").

The matter is the same, before the game start the "memview" option shows data, but after the game has been lauched, it shows only "?" at adresses.

That's exactly the same matter with wmiprvse.exe and Sframe.exe.

So i' didn't find value to scan / modify ...
:/

[serafincro]

You just attached to wrong process!
Above DIY approach is excellent but that is beyond my knowledge

disabling GG would be best choice..

[brotherjohn]

so how to attach the good process ???
as i can't attach SFrame or the process in which it's absorbed ....:/

[jasonxa]

Well i used MHS to search in-game values, for example the p.attack [weapon equiped] was ((24)) (for a noob char ofc ) i search these values... i get some million of results then i [unequiped weapon] so the p.attack value become ((8)) or something so i search between last results and i didnt get any value equal to ((8))... so GG give us fake results or something that i cant explain.. Now.. if u stop GG service while u r in game and u redo the procedure above veeery fast then u get the value ((8)) succesfully and it is modificable... Of course this was just an example , dont try to change the p.att because all these values are server side so u may get the mod effect local on client but unfortunately it will be fake... so all these its waste of time...main target is to emulate packet OR to remove the ((GG Alive Check)) routine of sframe...

[serafincro]

Well, from experience from Maple Story, I usually catch to right process in 2-3 second period when game is loading in transition from GG upload & black screen..
Switch to Windowed mode 1st. then try to attach to right process while game is booting, be quick..


And regarding search of memory.

It is not necessary that value in game is 24 or 8 value..

Some games use different approach

P.ATAK = patak *1231/PI or
P.ATAK = (patak *192) +10

so when you search memory start with unknown initial Value, and when it changes switch to search of changed Value.....

P.S.
In Epic3 I had made mem address change with which I could equip lvl 60 heat shot on bow fighter hotkey that was 1hit kill
but problem was with skills that it took all MP from character for real..
I never hacked Rappelz after that...
never got chance to do it, I had enjoyed game too much to hack it.

[Malivictus]

ok first things first most if not everything is server side I had the Hackshield Free Sframe.exe a few months back before the big update and switch to GG and I had everything I turned all my States to 65525 and even my pets and nothing no 1hit kills or anything I even tryed a skill cool down hack but nothing I am going to try to remove GG so I can RE the client so I can start getting the server files so I can start some kind of Private server or something.

[brotherjohn]

thank all for your help & advices,
let me know if you find something else

Cu