[Release]Silkroad C++ Dll Client Protection (Anti Unpacking)

Discussion on [Release]Silkroad C++ Dll Client Protection (Anti Unpacking) within the SRO PServer Guides & Releases forum part of the SRO Private Server category.

Old   #1

Hey guys, miss ya all <3

This is a small DLL source code that I coded in the past when I was interested in Silkroad development.

What it does: protects the BFK of the .PK2 files from being sniffed.

Code:
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include "xorstr.h"
#include "detours.h"

#pragma comment(lib,"detours.lib")

// windows.h already provides ARRAYSIZE; only define it when it is missing
#ifndef ARRAYSIZE
#define ARRAYSIZE(x) (sizeof(x)/sizeof((x)[0]))
#endif

// Addresses of the `push <BFK pointer>` instructions in the client (vSRO 188 sro_client.exe)
DWORD g_ProtectAddress[] =
{
	0x004978B8,
	0x004CCC4A,
	0x004CCE1F,
	0x0083A84D,
	0x0083A8B1,
	0x0083A90D,
	0x0083A9C5,
	0x0083A969,
	0x0083AE69
};
DWORD RandomKey;   // per-run random value taken from rdtsc
char* pszKey;      // BFK buffer; the pointer itself is kept masked with RandomKey

// Low 32 bits of the CPU timestamp counter, used as a cheap per-run random value
DWORD GetRandomValue()
{
	DWORD value;
	__asm
	{
		rdtsc
		mov value,eax
	}
	return value;
}
// Resolves the target of a relative jmp/call (E9/E8 rel32) located at pJmp; not used by Initialize()
DWORD GetJmpAddr(PBYTE pJmp)
{
	DWORD m_Addr;
	__asm
	{
		mov eax,pJmp
		add eax,[eax+1]
		add eax,5
		mov m_Addr,eax
	}
	return m_Addr;
}
// Replaces the client's `push <BFK pointer>`: the call leaves the unmasked pointer
// on the stack exactly where the push would have put it, with eax, edx and the
// flags preserved.
__declspec(naked) void _protectme()
{
	__asm
	{
		pushfd
		push edx
		push eax

		// unmask: pszKey holds ~key ^ ~RandomKey, so ~(~RandomKey ^ pszKey) == key
		mov eax,RandomKey
		not eax
		xor eax,pszKey
		not eax
		// put the key pointer into our return-address slot, keep the return address in eax
		mov edx,[esp+0xC]
		mov [esp+0xC],eax
		mov eax,edx
		pop edx                      // edx restored
		push eax                     // return address back on top
		mov eax,dword ptr [esp+0x8]  // saved flags
		push eax
		popfd                        // flags restored
		mov eax,dword ptr [esp+0x4]  // original eax restored
		retn 0x8                     // pop return address, drop saved eax/flags, key pointer stays on the stack
	}
}
void Initialize()
{
	RandomKey = GetRandomValue();
	pszKey = new char[20];
	// the decrypted BFK; XorStr keeps it out of the binary's plain strings
	strcpy(pszKey,/*MeGaMaX*/XorStr<0x7A,8,0x1F16EAF3>("\x37\x1E\x3B\x1C\x33\x1E\xD8"+0x1F16EAF3).s);
	// mask the pointer so the key is not reachable through a plain global: pszKey = ~pszKey ^ ~RandomKey
	__asm
	{
		not pszKey
		mov eax,RandomKey
		not eax
		xor pszKey,eax
	}
	DWORD oldProtect;
	for(size_t i=0;i<ARRAYSIZE(g_ProtectAddress);i++)
	{
		// DetourAttach overwrites g_ProtectAddress[i] with the trampoline, so keep the original address
		DWORD oldAddress = g_ProtectAddress[i];
		// Detours writes `jmp _protectme` (E9 rel32) over the 5-byte push...
		DetourTransactionBegin();
		DetourUpdateThread(GetCurrentThread());
		DetourAttach((void**)&g_ProtectAddress[i],&_protectme);
		DetourTransactionCommit();
		// ...and the opcode byte is changed to E8 so it becomes `call _protectme` with the same rel32
		VirtualProtect((PVOID)oldAddress,4,PAGE_EXECUTE_READWRITE,&oldProtect);
		((PBYTE)oldAddress)[0] = 0xE8;
	}
}
BOOL WINAPI DllMain(HINSTANCE hDllHandle,DWORD nReason,LPVOID Reserved)
{
	switch(nReason)
	{
		case DLL_PROCESS_ATTACH:
			Initialize();
			break;
		case DLL_PROCESS_DETACH:
			break;
	}
	return TRUE;
}
How to use:

First of all, you must get the push addresses from the client .exe files, aka sro_client.exe, replacer.exe and silkroad.exe.

I will provide here the vSRO 188 addresses.

sro_client.exe:
Code:
0x004978B8,
0x004CCC4A,
0x004CCE1F,
0x0083A84D,
0x0083A8B1,
0x0083A90D,
0x0083A9C5,
0x0083A969,
0x0083AE69
silkroad.exe:
Code:
0x00430FD3,
0x00408C15,
0x00408A17
replacer.exe:
Code:
0x00403B23
Now, after I got the addresses, I replace them in this function:
Code:
DWORD g_ProtectAddress[] =
{
};
Now I have to generate the XOR key. o.o This is an example; change it in the DLL source code:
Code:
/*MeGaMaX*/XorStr<0x7A,8,0x1F16EAF3>("\x37\x1E\x3B\x1C\x33\x1E\xD8"+0x1F16EAF3).s
Now what? You have to compile the DLL and add a call to the DLL in the exes with Import REConstructor 1.7e FINAL. Remove the old BFK in the exe files, like 169841: make it 90 90 90 90 90 90 or 00 00 00 00 00 00, because after you import this DLL there is no use for the real BFK in the client anymore.

Note: I didn't provide how to generate the XOR key, cuz I want this section to think about how to do that. Use your brain, and try to be more respectful in the Silkroad community. Google is your friend.

Note 2: this method has nothing to do with any other methods I used in any server development I was in, for example Ludoworks.

Note 3: after some days I will provide how to generate the XOR key, but like I said above, I would like to see development instead of creating servers...

Note 4: you have to recompile the DLL 3 times to change the addresses for every .exe file.

Source code in attachments, enjoy. Love ya guys: new hope, crayu, perry, pokemon man, synx, caipi, PowerPoint, and all of my friends and the SRO community.

Greetings: MeGaMaX
Attached Files
File Type: rar Dll.rar (91.8 KB, 402 views)
MeGaMaX is offline  
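Added example, not part of MeGaMaX's release or the attached source: a portable C sketch of the two mechanics the DLL depends on, namely verifying that a candidate address really holds a `push imm32` before it is rewritten into `call rel32` (the posted code patches the address blindly, so a wrong address corrupts the client), and the `~key ^ ~RandomKey` pointer masking that `_protectme` undoes. All addresses and the sample bytes are constructed for illustration.

```c
/* Added example, not from the original post: checks a patch site before it is
 * rewritten and builds the 5-byte call patch (push imm32 -> call rel32). */
#include <stdint.h>
#include <stdio.h>
#define OP_PUSH_IMM32 0x68u   /* 68 xx xx xx xx  push imm32 (5 bytes) */
#define OP_CALL_REL32 0xE8u   /* E8 xx xx xx xx  call rel32 (5 bytes) */

/* constructed sample code: nop; push 0x01169E41; ret */
const uint8_t g_sample[7] = { 0x90, 0x68, 0x41, 0x9E, 0x16, 0x01, 0xC3 };

/* Immediate of the `push imm32` at code[off], or -1 if those bytes are not a
 * push, so that a wrong address is never patched. */
long long push_imm32_at(const uint8_t *code, size_t len, size_t off)
{
    if (off + 5 > len || code[off] != OP_PUSH_IMM32) return -1;
    return (long long)code[off + 1] | (long long)code[off + 2] << 8 |
           (long long)code[off + 3] << 16 | (long long)code[off + 4] << 24;
}

/* rel32 of a `call target` placed at virtual address site: target - (site + 5).
 * The DLL gets the same bytes by letting Detours write `jmp` (E9 rel32) and
 * then changing the opcode byte to E8. */
uint32_t call_rel32(uint32_t site, uint32_t target)
{
    return target - (site + 5u);
}

/* Rewrites the push into a call only after the site has been verified.
 * site_va is the virtual address that code[off] is mapped at. */
int patch_site(uint8_t *code, size_t len, size_t off, uint32_t site_va, uint32_t target_va)
{
    uint32_t rel = call_rel32(site_va, target_va);
    if (push_imm32_at(code, len, off) < 0) return 0;
    code[off] = OP_CALL_REL32;
    for (int i = 0; i < 4; i++) code[off + 1 + i] = (uint8_t)(rel >> (8 * i)); /* little-endian */
    return 1;
}

/* Pointer masking done in Initialize() and undone in _protectme(). */
uint32_t mask_key(uint32_t key, uint32_t rnd)      { return ~key ^ ~rnd; }
uint32_t unmask_key(uint32_t masked, uint32_t rnd) { return ~(~rnd ^ masked); }

int main(void)
{
    uint8_t code[7];
    for (size_t i = 0; i < 7; i++) code[i] = g_sample[i];            /* working copy */
    printf("push site patched: %d\n", patch_site(code, 7, 1, 0x00401001u, 0x10001000u));
    printf("nop site rejected: %d\n", !patch_site(code, 7, 0, 0x00401000u, 0x10001000u));
    return 0;
}
```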
Old 07/02/2013, 13:01   #2
#approved
PortalDark is offline  
Old 07/02/2013, 13:06   #3
thanks
Alexiuns is offline  
Old 07/02/2013, 13:43   #4
Now what, no one's able to unpack such clients? HHHHH.
鳳凰城 is offline  
Old 07/02/2013, 14:43   #5
Quote:
Originally Posted by Phoenix 1337
Now what, no one's able to unpack such clients? HHHHH.
Well, knowing the method used (since it is posted) it is easy to reverse it (in theory), but I'm pretty sure owners that use this method will use theirs too, so it is not gonna be the same for every server.
inb4 noob server will die
PortalDark is offline  
Old 07/02/2013, 15:34   #6
Quote:
Originally Posted by PortalDark
Well, knowing the method used (since it is posted) it is easy to reverse it (in theory), but I'm pretty sure owners that use this method will use theirs too, so it is not gonna be the same for every server.
inb4 noob server will die
If it's the method that MeGaMaX used in Ludoworks, then it's unpacked.
鳳凰城 is offline  
Old 07/02/2013, 16:10   #7
Quote:
Originally Posted by Phoenix 1337
Now what, no one's able to unpack such clients? HHHHH.
No, it means it is harder to unpack the client files; there is not a single thing made by humans that is 'unpackable'.

pokemon man

@OT: good job, now let's see who will be able to actually get it working
Nezekan is offline  
Old 07/02/2013, 16:49   #8
Will they be able or not, at least some of the "download/unzip/start bot" people will not be able to figure it out. But let's be realists... this will kill your online hardly xD
pushipu is offline  
Old 07/02/2013, 16:52   #9
Good to see you back, Androw.
If you would've just released the Agent server exploit fix... *dream*
Still, good to see you back!
caine_neros is offline  
Old 07/03/2013, 08:12   #10
Thank you, bookmarked.

P.S. I think that you have to find the XOR cipher in order to unpack the binaries, correct?
magicanoo is offline  
Old 11/15/2016, 02:08   #11
Apologies for posting to an old thread, will mbot still work after a PK2 key is changed using a method like this?
ersers2 is offline  
Old 10/09/2017, 06:44   #12
Help please. Can't compile the DLL from VS2010, it shows this error:

Error 2 error C2440: '<function-style-cast>' : cannot convert from 'System::String ^' to 'XorStr<XORSTART,BUFLEN,XREFKILLER>'

Error 3 error C2228: left of '.s' must have class/struct/union
zeies is offline  