[Tutorial] Channel Bypass (ChannelNoLvl) after patch

[gοd]

edit: addresses are outdated, method is shit.
if you still want to use it, make a pattern out of it?

 old thread

Eyyo, after they decided to strengthen the level check (channel selection) a bit, I decided to share this little "exploit method" with you. Might be useful for some1. It's pretty simple.
We're going to focus on this function;

 Function

Code:

S4Client.exe+9367E0 - 55                    - push ebp
S4Client.exe+9367E1 - 8B EC                 - mov ebp,esp
S4Client.exe+9367E3 - 83 EC 0C              - sub esp,0C { 12 }
S4Client.exe+9367E6 - 89 4D F4              - mov [ebp-0C],ecx
S4Client.exe+9367E9 - A1 ECED2502           - mov eax,[S4Client.exe+16BEDEC] { [00000000] }
S4Client.exe+9367EE - 89 45 FC              - mov [ebp-04],eax
S4Client.exe+9367F1 - 8B 4D FC              - mov ecx,[ebp-04]
S4Client.exe+9367F4 - 8B 51 10              - mov edx,[ecx+10]
S4Client.exe+9367F7 - 89 55 F8              - mov [ebp-08],edx
S4Client.exe+9367FA - 8B 45 F8              - mov eax,[ebp-08]
S4Client.exe+9367FD - 50                    - push eax
S4Client.exe+9367FE - E8 4D8877FF           - call S4Client.exe+AF050
S4Client.exe+936803 - 8B C8                 - mov ecx,eax
S4Client.exe+936805 - E8 C61F2200           - call S4Client.exe+B587D0
S4Client.exe+93680A - 68 00040000           - push 00000400 { 1024 }
S4Client.exe+93680F - 6A 05                 - push 05 { 5 }
S4Client.exe+936811 - 8B 0D 78D42502        - mov ecx,[S4Client.exe+16BD478] { [00000000] }
S4Client.exe+936817 - E8 449E78FF           - call S4Client.exe+C0660
S4Client.exe+93681C - 8B E5                 - mov esp,ebp
S4Client.exe+93681E - 5D                    - pop ebp
S4Client.exe+93681F - C3                    - ret

Let's look at the calls first.

Code:

S4Client.exe+9367FD - 50                    - push eax
S4Client.exe+9367FE - E8 4D8877FF           - call S4Client.exe+AF050
S4Client.exe+936803 - 8B C8                 - mov ecx,eax
S4Client.exe+936805 - E8 C61F2200           - call S4Client.exe+B587D0

^this will send the packet "Channel_Enter_Req". EAX (at the push) contains the ChannelID. This is going to be important.
and then there is this call;

Code:

S4Client.exe+93680A - 68 00040000           - push 00000400 { 1024 }
S4Client.exe+93680F - 6A 05                 - push 05 { 5 }
S4Client.exe+936811 - 8B 0D 78D42502        - mov ecx,[S4Client.exe+16BD478] { [00000000] }
S4Client.exe+936817 - E8 449E78FF           - call S4Client.exe+C0660

this will just show the "Requesting" MessageBox, we don't care about this.

--

We could now do a pretty simple trick, we could modify what's inside of eax (at the push from the packet call), so we send a different channelID.
Example: We click on beginner, but send a channelID of netsphere, so we will get the channel-information for netsphere (and we're in it)
Does this work? Yes, but there is a little problem. There is a global var which stores the channelID and if you now join a room, no players will appear.

How could we fix that?
Still, pretty simple. We just need to modify the global var after joining the channel. It's used here;

Code:

S4Client.exe+9367F4 - 8B 51 10              - mov edx,[ecx+10]

So just set a breakpoint there, join the channel, read out whats inside of ecx, add 10 to it and you got the address which stores the channelID.
After joining the channel, just change it to the "real" channelID (the one you've sent with the push eax bla).

So that's it. Pretty simple, right?
If you do want to make a better method, I give you a hint. Look at "Channel_Leave_Req" and leave a room while using this "exploit"

Oh and here are some channelID's:

Code:

Beginner  - 01
Netsphere 1 - 02
Netsphere 2 - 03
Netsphere 3 - 04

Have fun and I hope you could understand the shit I wrote down here.
Please don't flame me for the shitty method ~
My first tut. here, surrey for the bad explanation.
See you soon.

[fromansur]

i didnt understand a thing but nice work SAFSDF

[RingleRangleRob]

Can u plz make a tool?!

Gj m8

[TheMokkо]

I NEED AN EXE AND NOT THIS SH*T!
oh and can you please make an itc?

[3isa]

Thank you

[anonymous-29742]

Danke dir

[Syc.]

Make pls itccc zyntex :c

[Ⓜiku Ⓗatsune]

itc nerde abi lütfen download ya

[mortal3540]

@ hacı sen neden yapamıyormusun la

[JonziExCAPE]

make itc!111!!1 *** a7a.

Just kidding, this actually works really nice, thanks

[Cyrex']

Quote:

Originally Posted by JonziExCAPE

make itc!111!!1 *** a7a.

Just kidding, this actually works really nice, thanks

I doubt you tested and are able to test it.

Also what global var are you talking about? A global var is static data which, usually, is not contained in a reg.
If it really was a global var you would neither need a bp nor a hook to read out the value it is containing.

Furthermore, I wouldn't consider this a tutorial because the approach is really vague, precisely because of not accounting this community's standards.

[gοd]

Quote:

Originally Posted by Cyrex'

I doubt you tested and are able to test it.

Also what global var are you talking about? A global var is static data which, usually, is not contained in a reg.
If it really was a global var you would neither need a bp nor a hook to read out the value it is containing.

Also I wouldn't consider this a tutorial because the approach is really vague, precisely because of not accounting this community's standards.

I meant it like its a var which is being accessed at things like joining a room. And this tutorial was meant to give ppl a easy way / a first approach if they want to try it. I didn't have the time to look much into it, just spend 5mins after some requested it and that's the result. Thought it would maybe useful for someone who would like to take a look at it.

[Cyrex']

Quote:

Originally Posted by TheMokkο

I NEED AN EXE AND NOT THIS SH*T!
oh and can you please make an itc?

 Spoiler

Code:

#include <Windows.h>
#include <iostream>
#include <process.h>
#include <cstdint>

class _idk
{
public:
	char _unused0[ 0x10 ];
	DWORD channel_id;
};

DWORD ret_place, spoof_id;
bool joined = false;

void __declspec( naked ) leHook( )
{
	__asm
	{
		push edx;
		mov eax, spoof_id;

		mov dl, joined;
		test dl, dl;
		jz blub;
		mov [ ecx + 0x10 ], eax;

	blub:
		pop edx;
		jmp ret_place;
	}
}

void mainThread( void* unused )
{
	while ( !AllocConsole( ) )
		Sleep( 200 );

	SetConsoleTitleA( "Channel Bypass" );

	FILE *conin, *conout;
	freopen_s( &conin, "conin$", "r", stdin );
	freopen_s( &conout, "conout$", "w", stdout );
	freopen_s( &conout, "conout$", "w", stderr );

	system( "cls" );

	uintptr_t S4Client = reinterpret_cast< uintptr_t >( GetModuleHandleA( "S4Client.exe" ) );
	while ( !S4Client )
	{
		S4Client = reinterpret_cast< uintptr_t >( GetModuleHandleA( "S4Client.exe" ) );
		Sleep( 20 );
	}

	while ( *reinterpret_cast< byte* >( S4Client + 0x9367E0 ) != 0x55 )
		Sleep( 20 );

	std::cout << "What channel id to spoof? ";
	std::cin >> spoof_id;

	if ( spoof_id < 1 || spoof_id > 4 )
	{
		std::cout << "Bad input." << std::endl;
		TerminateProcess( GetCurrentProcess( ), 0 );
	}

	std::shared_ptr<HookLib::X86Detour> hook( new HookLib::X86Detour );
	hook->Init( ( uint8_t* )( S4Client + 0x9367FD ), ( uint8_t* )&leHook );
	hook->Hook( );
	ret_place = hook->GetOriginal<DWORD>( );

	std::cout << "Once you joined the channel press F4\n\n";
	while ( true )
	{
		if ( GetAsyncKeyState( VK_F4 ) & 1 )
		{
			joined = !joined;
			if ( joined )
				std::cout << "true\n";
			else
				std::cout << "false\n";
		}

		Sleep( 10 );
	}
}

BOOL APIENTRY DllMain( HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
{
	if ( dwReason == DLL_PROCESS_ATTACH )
		_beginthread( mainThread, 0, nullptr );

	return TRUE;
}

compile.

[VeriuzArtz]

Thank you for the release

[cezakimbilir]

NE DİYO BU MK ELLE TUTULUR BİŞİ VER