[Release] Electus Reborn HWID Bypass || All Psro Hwid Bypass
Discussion on [Release] Electus Reborn HWID Bypass || All Psro Hwid Bypass within the SRO PServer Guides & Releases forum part of the SRO Private Server category.
05/07/2019, 15:33
|
#151
|
|
When will you share it? I think it's okay now.
|
|
|
05/08/2019, 01:08
|
#152
|
|
#Request Close this Old Thread , thanks
|
|
|
05/22/2019, 14:25
|
#153
|
|
Can you release the source code before you close this topic? Thanks very much.
|
|
|
05/22/2019, 21:50
|
#154
|
|
Quote:
Originally Posted by wuffles35
Can you release source codes before you closing this topic? Thanks much.
|
$$
|
|
|
05/28/2019, 22:18
|
#155
|
|
Quote:
Originally Posted by wuffles35
Can you release source codes before you closing this topic? Thanks much.
|
The source should be roughly at this level. Most HWID bypasses don't require much code. I made these as a POC for fun and never shared them with anyone. I don't think they work out of the box on any server right now (I hope, at least), but they still serve as a POC.
Hint: You need to dump the AdapterAddresses variable to a file from a different computer.
Code:
#include <winsock2.h>
#include <iphlpapi.h>
#include <Windows.h>
#include <stdio.h>
#include <fstream>
// Link with Iphlpapi.lib
#pragma comment(lib, "IPHLPAPI.lib")
#define WORKING_BUFFER_SIZE 15000
#define MAX_TRIES 3
#define MALLOC(x) HeapAlloc(GetProcessHeap(), 0, (x))
#define FREE(x) HeapFree(GetProcessHeap(), 0, (x))
extern const char florian0[] = { "Written by florian0 <3" };
extern const char app_title[] = { "[ERROR] florian0's HWID-Emulator" };
// Replacement body for GetAdaptersAddresses; DllMain patches the real function
// so that calls land here. Nothing is queried from the system: 376 bytes are
// read from "dump.bin" (a relative path) straight into the caller's buffer, the
// physical (MAC) address found in that record is printed, and NO_ERROR is
// returned. Flags, Reserved and SizePointer are never read.
//
// NOTE(review): the point for a defender is that an adapter/MAC value obtained
// through a user-mode API call inside a client the user controls is whatever
// that client chooses to report. A server should treat such a value as a hint
// to correlate with other signals, not as proof of hardware identity.
ULONG
WINAPI
fake_GetAdaptersAddresses(
__in ULONG Family,
__in ULONG Flags,
__reserved PVOID Reserved,
__out_bcount_opt(*SizePointer) PIP_ADAPTER_ADDRESSES AdapterAddresses,
__inout PULONG SizePointer
) {
// Log which address family the caller asked for; Family is not used otherwise.
printf("Calling GetAdaptersAddresses function with family = ");
if (Family == AF_INET)
printf("AF_INET\n");
if (Family == AF_INET6)
printf("AF_INET6\n");
if (Family == AF_UNSPEC)
printf("AF_UNSPEC\n\n");
// NOTE(review): the fopen() result is not checked, so a missing dump.bin hands
// NULL to fread()/fclose(). 376 is a hard-coded byte count (presumably the size
// of one IP_ADAPTER_ADDRESSES record in the author's build - confirm); it is not
// compared with *SizePointer, and AdapterAddresses is annotated as optional but
// is never checked for NULL before being written to.
FILE* file = fopen("dump.bin", "rb");
fread(AdapterAddresses, 376, 1, file);
fclose(file);
// Print the MAC address from the record just loaded, as XX-XX-...-XX.
printf("\tPhysical address: ");
for (int i = 0; i < (int) AdapterAddresses->PhysicalAddressLength;
i++) {
// The last byte ends the line; every other byte is followed by a dash.
if (i == (AdapterAddresses->PhysicalAddressLength - 1))
printf("%.2X\n",
(int) AdapterAddresses->PhysicalAddress[i]);
else
printf("%.2X-",
(int) AdapterAddresses->PhysicalAddress[i]);
}
printf("\nFake GetAdaptersAddresses executed successfully\n");
// Success is reported unconditionally, whatever happened to the file read.
return NO_ERROR;
};
// Overwrites the 5 bytes at trampoline_location with a relative near jump
// (opcode E9 followed by a 32-bit displacement) to target_location.
// Returns 1 once the bytes have been written, 0 if the page could not be made
// writable.
//
// Both addresses are passed as int, so this is only meaningful in a build where
// a pointer fits in an int (32-bit). The 5 bytes being overwritten are not saved
// anywhere, so the patched function can neither be called in its original form
// nor restored later.
//
// NOTE(review): defender view - a jump opcode at the first byte of a system API
// function is what in-memory integrity checks (comparing loaded code with the
// on-disk image) are designed to notice.
int placeHook(int trampoline_location, int target_location) {
// E9 [ 4 Byte Offset] <- JMP instruction pattern
char jmp_inst[] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
int distance;
DWORD dwProtect = 0;
// The JMP-offset is the relative distance between trampoline (start) and target
// -5 because the displacement is counted from the end of the 5-byte instruction
distance = target_location - trampoline_location - 5;
// Write jump-distance into the instruction buffer, right after the opcode byte
memcpy((jmp_inst+1), &distance, 4);
// Unprotect memory (make writeable); the previous protection lands in dwProtect
if (!VirtualProtect((LPVOID)trampoline_location, sizeof(jmp_inst), PAGE_EXECUTE_READWRITE, &dwProtect)) {
// NOTE(review): perror() reports errno, whereas VirtualProtect reports its
// failure reason through GetLastError(), so the printed reason may be unrelated.
perror("Failed to unprotect memory\n");
return 0;
}
// write assembled jmp-instruction to memory
memcpy((LPVOID)trampoline_location, jmp_inst, sizeof(jmp_inst));
// Protect memory (restore old permissions stored in dwProtect)
// NOTE(review): the result of this call is ignored, so whether the original
// protection was actually restored is never verified.
VirtualProtect((LPVOID)trampoline_location, sizeof(jmp_inst),dwProtect, NULL);
return 1;
}
// Main DLL entry point.
// On DLL_PROCESS_ATTACH it opens a console, patches GetAdaptersAddresses so it
// jumps to fake_GetAdaptersAddresses, and only then loads "ElectusR-old.dll"
// (per the original comment, the original ElectusR DLL), so the patch is in
// place before that library is loaded. A failure in either step shows a message
// box and terminates the host process through exit(). Every other notification
// reason is ignored, and the function always returns TRUE.
//
// NOTE(review): LoadLibrary is called from inside DllMain, which Microsoft's
// DllMain guidance advises against. "ElectusR-old.dll" is a bare file name, so
// it is resolved through the normal DLL search order.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved)
{
UNREFERENCED_PARAMETER(lpReserved);
UNREFERENCED_PARAMETER(florian0); // Reference the author string so the compiler keeps it
if(ulReason == DLL_PROCESS_ATTACH)
{
/* open a console and send stdout to it, so the printf output is visible */
AllocConsole();
freopen("CONOUT$", "w", stdout);
// Take the address of GetAdaptersAddresses
LPVOID getAdapt = &GetAdaptersAddresses;
// Write a JMP to fake_GetAdaptersAddresses at the start of GetAdaptersAddresses.
// The pointers are narrowed to int here, matching placeHook's parameters.
if (placeHook((int)getAdapt, (int)&fake_GetAdaptersAddresses) == 0) {
MessageBox(0, "Error patching GetAdaptersAddresses!", app_title, MB_OK | MB_ICONERROR);
exit(-1);
}
// Load the original ElectusR-dll
if (LoadLibrary("ElectusR-old.dll") == 0) {
MessageBox(0, "Could not load the library ...", app_title, MB_OK | MB_ICONERROR);
exit(-2);
}
printf("All hooks placed successfully!\n");
}
return TRUE;
}
Code:
#include <Windows.h>
#include <stdio.h>
#include <fstream>
extern const char florian0[] = { "Written by florian0 <3" };
extern const char app_title[] = { "[ERROR] florian0's HWID-Emulator" };
// Returns the volume serial number that the fake GetVolumeInformation functions
// hand back. The value is parsed as hexadecimal from "hwid.txt", a relative path
// that is opened again on every call.
//
// If the file cannot be opened, two message boxes are shown (the first includes
// the current directory) and the host process is terminated with exit(-1).
// If the value cannot be parsed, or is 0, a message box is shown and 0 is
// returned.
int getVolumeId(void) {
FILE* file = fopen("hwid.txt", "r");
if (file == NULL)
{
// Build a message telling the user where hwid.txt was expected.
// NOTE(review): the return value of GetCurrentDirectory is not checked, and
// std::string is used although only <fstream> is included in this listing.
char dir[256];
GetCurrentDirectory(sizeof(dir), dir);
std::string message;
message = "Could not open hwid.txt\n";
message += "Make sure it is at: ";
message += dir;
MessageBox(NULL, message.c_str(), app_title, MB_OK | MB_ICONERROR);
MessageBox(NULL, "Game will now close!", app_title, MB_OK);
exit(-1);
}
int VolumeSerialNumber = 0;
// NOTE(review): !fscanf(...) is only true when fscanf returns 0 (no match).
// On an empty file fscanf returns EOF, which is non-zero, so this branch is
// skipped. Also, "%x" expects an unsigned int*, while an int* is passed.
if (!fscanf(file, "%x", &VolumeSerialNumber)) {
MessageBox(0, "Could not read VolumeID", "FUCK", MB_OK);
}
// Second check: the value is still 0 when nothing was parsed (including the
// EOF case the check above does not catch) or when the file really contains 0.
if (VolumeSerialNumber == 0) {
MessageBox(0, "VolumeSerial is NULL", "FUCK", MB_OK);
}
fclose(file);
return VolumeSerialNumber;
}
// Fake function for GetVolumeInformationA.
// DllMain patches the real function so that calls land here. The only output
// written is *lpVolumeSerialNumber, set to the value returned by getVolumeId();
// the name, component-length, flags and file-system buffers are left untouched.
// lpRootPathName is only printed. Always returns 1 (success).
//
// NOTE(review): lpVolumeSerialNumber is annotated as optional but is dereferenced
// unconditionally, and lpRootPathName (also optional) is passed to "%s" as is.
//
// NOTE(review): for a defender, this shows that a volume serial number read by
// client-side code is controlled by the client; a server should not rely on it
// as the sole identifier of a machine.
BOOL WINAPI fake_GetVolumeInformationA(
__in_opt LPCSTR lpRootPathName,
__out_ecount_opt(nVolumeNameSize) LPSTR lpVolumeNameBuffer,
__in DWORD nVolumeNameSize,
__out_opt LPDWORD lpVolumeSerialNumber,
__out_opt LPDWORD lpMaximumComponentLength,
__out_opt LPDWORD lpFileSystemFlags,
__out_ecount_opt(nFileSystemNameSize) LPSTR lpFileSystemNameBuffer,
__in DWORD nFileSystemNameSize
)
{
printf("VolumeIDA for Drive %s requested\n", lpRootPathName);
// Same value for every drive: the requested root path does not influence it.
*lpVolumeSerialNumber = getVolumeId();
printf("Returning VolumeIDA = %x", *lpVolumeSerialNumber);
return 1; // Signal that this function was successful
}
// Fake function for GetVolumeInformationW, the wide-character counterpart of
// fake_GetVolumeInformationA. The only output written is *lpVolumeSerialNumber,
// set to the value returned by getVolumeId(); every other out-parameter is left
// untouched. lpRootPathName is only printed. Always returns 1 (success).
//
// NOTE(review): lpVolumeSerialNumber is annotated as optional but is dereferenced
// unconditionally.
BOOL WINAPI fake_GetVolumeInformationW(
__in_opt LPCWSTR lpRootPathName,
__out_ecount_opt(nVolumeNameSize) LPWSTR lpVolumeNameBuffer,
__in DWORD nVolumeNameSize,
__out_opt LPDWORD lpVolumeSerialNumber,
__out_opt LPDWORD lpMaximumComponentLength,
__out_opt LPDWORD lpFileSystemFlags,
__out_ecount_opt(nFileSystemNameSize) LPWSTR lpFileSystemNameBuffer,
__in DWORD nFileSystemNameSize
)
{
// %S: in Microsoft's narrow printf this prints a wide-character string.
printf("VolumeIDW for Drive %S requested\n", lpRootPathName);
// Same value for every drive: the requested root path does not influence it.
*lpVolumeSerialNumber = getVolumeId();
printf("Returning VolumeIDW = %x", *lpVolumeSerialNumber);
return 1;
}
// Overwrites the 5 bytes at trampoline_location with a relative near jump
// (opcode E9 followed by a 32-bit displacement) to target_location.
// Returns 1 once the bytes have been written, 0 if the page could not be made
// writable.
//
// Both addresses are passed as int, so this is only meaningful in a build where
// a pointer fits in an int (32-bit). The 5 bytes being overwritten are not saved
// anywhere, so the patched function can neither be called in its original form
// nor restored later.
//
// NOTE(review): defender view - a jump opcode at the first byte of a system API
// function is what in-memory integrity checks (comparing loaded code with the
// on-disk image) are designed to notice.
int placeHook(int trampoline_location, int target_location) {
// E9 [ 4 Byte Offset] <- JMP instruction pattern
char jmp_inst[] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
int distance;
DWORD dwProtect = 0;
// The JMP-offset is the relative distance between trampoline (start) and target
// -5 because the displacement is counted from the end of the 5-byte instruction
distance = target_location - trampoline_location - 5;
// Write jump-distance into the instruction buffer, right after the opcode byte
memcpy((jmp_inst+1), &distance, 4);
// Unprotect memory (make writeable); the previous protection lands in dwProtect
if (!VirtualProtect((LPVOID)trampoline_location, sizeof(jmp_inst), PAGE_EXECUTE_READWRITE, &dwProtect)) {
// NOTE(review): perror() reports errno, whereas VirtualProtect reports its
// failure reason through GetLastError(), so the printed reason may be unrelated.
perror("Failed to unprotect memory\n");
return 0;
}
// write assembled jmp-instruction to memory
memcpy((LPVOID)trampoline_location, jmp_inst, sizeof(jmp_inst));
// Protect memory (restore old permissions stored in dwProtect)
// NOTE(review): the result of this call is ignored, so whether the original
// protection was actually restored is never verified.
VirtualProtect((LPVOID)trampoline_location, sizeof(jmp_inst),dwProtect, NULL);
return 1;
}
// Main DLL entry point.
// On DLL_PROCESS_ATTACH it patches GetVolumeInformationA and
// GetVolumeInformationW so they jump to the fake_ versions, and only then loads
// "ElectusR-old.dll" (per the original comment, the original ElectusR DLL), so
// the patches are in place before that library is loaded. A failure in any step
// shows a message box and terminates the host process through exit(). Every
// other notification reason is ignored, and the function always returns TRUE.
//
// NOTE(review): LoadLibrary is called from inside DllMain, which Microsoft's
// DllMain guidance advises against. "ElectusR-old.dll" is a bare file name, so
// it is resolved through the normal DLL search order.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved)
{
UNREFERENCED_PARAMETER(lpReserved);
UNREFERENCED_PARAMETER(florian0); // Reference the author string so the compiler keeps it
if(ulReason == DLL_PROCESS_ATTACH)
{
/* console output is disabled in this variant; the printf calls below are
   only visible if the host process already has a stdout */
//AllocConsole();
//freopen("CONOUT$", "w", stdout);
// Retrieve Pointers to GetVolumeInformationA and W
LPVOID getvolA = &GetVolumeInformationA;
LPVOID getvolW = &GetVolumeInformationW;
// Write a JMP to the fake_GetVolumeInformation-functions in the real GetVolumeInformation.
// The pointers are narrowed to int here, matching placeHook's parameters.
if (placeHook((int)getvolA, (int)&fake_GetVolumeInformationA) == 0) {
MessageBox(0, "Error patching GetVolumeInformationA!", app_title, MB_OK | MB_ICONERROR);
exit(-1);
}
if (placeHook((int)getvolW, (int)&fake_GetVolumeInformationW) == 0) {
MessageBox(0, "Error patching GetVolumeInformationW!", app_title, MB_OK | MB_ICONERROR);
exit(-1);
}
// Load the original ElectusR-dll
if (LoadLibrary("ElectusR-old.dll") == 0) {
MessageBox(0, "Could not load the library ...", app_title, MB_OK | MB_ICONERROR);
exit(-2);
}
printf("All hooks placed successfully!\n");
// Reads hwid.txt once at load time; getVolumeId() shows message boxes and
// exits the process itself if the file is missing.
printf("Testing file ... VolumeID will be %x\n", getVolumeId());
}
return TRUE;
}
Edit: Please DON'T contact me to ask for HWID bypasses. I don't do this for anything other than my own learning experience.
|
|
|
06/03/2019, 03:30
|
#156
|
|
is it still working ?
|
|
|
06/08/2019, 12:30
|
#157
|
|
It only captures the Electus HWID/opcode, not all SRO servers as mentioned.
Could you release the source?
|
|
|
06/09/2019, 00:23
|
#158
|
|
Quote:
Originally Posted by florian0
The source should be roughly at this level. Most HWID bypasses don't require much code. I made these as a POC for fun and never shared them with anyone. I don't think they work out of the box on any server right now (I hope, at least), but they still serve as a POC.
Hint: You need to dump the AdapterAddresses variable to a file from a different computer.
Code:
#include <winsock2.h>
#include <iphlpapi.h>
#include <Windows.h>
#include <stdio.h>
#include <fstream>
// Link with Iphlpapi.lib
#pragma comment(lib, "IPHLPAPI.lib")
#define WORKING_BUFFER_SIZE 15000
#define MAX_TRIES 3
#define MALLOC(x) HeapAlloc(GetProcessHeap(), 0, (x))
#define FREE(x) HeapFree(GetProcessHeap(), 0, (x))
extern const char florian0[] = { "Written by florian0 <3" };
extern const char app_title[] = { "[ERROR] florian0's HWID-Emulator" };
// Replacement body for GetAdaptersAddresses; DllMain patches the real function
// so that calls land here. Nothing is queried from the system: 376 bytes are
// read from "dump.bin" (a relative path) straight into the caller's buffer, the
// physical (MAC) address found in that record is printed, and NO_ERROR is
// returned. Flags, Reserved and SizePointer are never read.
//
// NOTE(review): the point for a defender is that an adapter/MAC value obtained
// through a user-mode API call inside a client the user controls is whatever
// that client chooses to report. A server should treat such a value as a hint
// to correlate with other signals, not as proof of hardware identity.
ULONG
WINAPI
fake_GetAdaptersAddresses(
__in ULONG Family,
__in ULONG Flags,
__reserved PVOID Reserved,
__out_bcount_opt(*SizePointer) PIP_ADAPTER_ADDRESSES AdapterAddresses,
__inout PULONG SizePointer
) {
// Log which address family the caller asked for; Family is not used otherwise.
printf("Calling GetAdaptersAddresses function with family = ");
if (Family == AF_INET)
printf("AF_INET\n");
if (Family == AF_INET6)
printf("AF_INET6\n");
if (Family == AF_UNSPEC)
printf("AF_UNSPEC\n\n");
// NOTE(review): the fopen() result is not checked, so a missing dump.bin hands
// NULL to fread()/fclose(). 376 is a hard-coded byte count (presumably the size
// of one IP_ADAPTER_ADDRESSES record in the author's build - confirm); it is not
// compared with *SizePointer, and AdapterAddresses is annotated as optional but
// is never checked for NULL before being written to.
FILE* file = fopen("dump.bin", "rb");
fread(AdapterAddresses, 376, 1, file);
fclose(file);
// Print the MAC address from the record just loaded, as XX-XX-...-XX.
printf("\tPhysical address: ");
for (int i = 0; i < (int) AdapterAddresses->PhysicalAddressLength;
i++) {
// The last byte ends the line; every other byte is followed by a dash.
if (i == (AdapterAddresses->PhysicalAddressLength - 1))
printf("%.2X\n",
(int) AdapterAddresses->PhysicalAddress[i]);
else
printf("%.2X-",
(int) AdapterAddresses->PhysicalAddress[i]);
}
printf("\nFake GetAdaptersAddresses executed successfully\n");
// Success is reported unconditionally, whatever happened to the file read.
return NO_ERROR;
};
// Overwrites the 5 bytes at trampoline_location with a relative near jump
// (opcode E9 followed by a 32-bit displacement) to target_location.
// Returns 1 once the bytes have been written, 0 if the page could not be made
// writable.
//
// Both addresses are passed as int, so this is only meaningful in a build where
// a pointer fits in an int (32-bit). The 5 bytes being overwritten are not saved
// anywhere, so the patched function can neither be called in its original form
// nor restored later.
//
// NOTE(review): defender view - a jump opcode at the first byte of a system API
// function is what in-memory integrity checks (comparing loaded code with the
// on-disk image) are designed to notice.
int placeHook(int trampoline_location, int target_location) {
// E9 [ 4 Byte Offset] <- JMP instruction pattern
char jmp_inst[] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
int distance;
DWORD dwProtect = 0;
// The JMP-offset is the relative distance between trampoline (start) and target
// -5 because the displacement is counted from the end of the 5-byte instruction
distance = target_location - trampoline_location - 5;
// Write jump-distance into the instruction buffer, right after the opcode byte
memcpy((jmp_inst+1), &distance, 4);
// Unprotect memory (make writeable); the previous protection lands in dwProtect
if (!VirtualProtect((LPVOID)trampoline_location, sizeof(jmp_inst), PAGE_EXECUTE_READWRITE, &dwProtect)) {
// NOTE(review): perror() reports errno, whereas VirtualProtect reports its
// failure reason through GetLastError(), so the printed reason may be unrelated.
perror("Failed to unprotect memory\n");
return 0;
}
// write assembled jmp-instruction to memory
memcpy((LPVOID)trampoline_location, jmp_inst, sizeof(jmp_inst));
// Protect memory (restore old permissions stored in dwProtect)
// NOTE(review): the result of this call is ignored, so whether the original
// protection was actually restored is never verified.
VirtualProtect((LPVOID)trampoline_location, sizeof(jmp_inst),dwProtect, NULL);
return 1;
}
// Main DLL entry point.
// On DLL_PROCESS_ATTACH it opens a console, patches GetAdaptersAddresses so it
// jumps to fake_GetAdaptersAddresses, and only then loads "ElectusR-old.dll"
// (per the original comment, the original ElectusR DLL), so the patch is in
// place before that library is loaded. A failure in either step shows a message
// box and terminates the host process through exit(). Every other notification
// reason is ignored, and the function always returns TRUE.
//
// NOTE(review): LoadLibrary is called from inside DllMain, which Microsoft's
// DllMain guidance advises against. "ElectusR-old.dll" is a bare file name, so
// it is resolved through the normal DLL search order.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved)
{
UNREFERENCED_PARAMETER(lpReserved);
UNREFERENCED_PARAMETER(florian0); // Reference the author string so the compiler keeps it
if(ulReason == DLL_PROCESS_ATTACH)
{
/* open a console and send stdout to it, so the printf output is visible */
AllocConsole();
freopen("CONOUT$", "w", stdout);
// Take the address of GetAdaptersAddresses
LPVOID getAdapt = &GetAdaptersAddresses;
// Write a JMP to fake_GetAdaptersAddresses at the start of GetAdaptersAddresses.
// The pointers are narrowed to int here, matching placeHook's parameters.
if (placeHook((int)getAdapt, (int)&fake_GetAdaptersAddresses) == 0) {
MessageBox(0, "Error patching GetAdaptersAddresses!", app_title, MB_OK | MB_ICONERROR);
exit(-1);
}
// Load the original ElectusR-dll
if (LoadLibrary("ElectusR-old.dll") == 0) {
MessageBox(0, "Could not load the library ...", app_title, MB_OK | MB_ICONERROR);
exit(-2);
}
printf("All hooks placed successfully!\n");
}
return TRUE;
}
Code:
#include <Windows.h>
#include <stdio.h>
#include <fstream>
extern const char florian0[] = { "Written by florian0 <3" };
extern const char app_title[] = { "[ERROR] florian0's HWID-Emulator" };
// Returns the volume serial number that the fake GetVolumeInformation functions
// hand back. The value is parsed as hexadecimal from "hwid.txt", a relative path
// that is opened again on every call.
//
// If the file cannot be opened, two message boxes are shown (the first includes
// the current directory) and the host process is terminated with exit(-1).
// If the value cannot be parsed, or is 0, a message box is shown and 0 is
// returned.
int getVolumeId(void) {
FILE* file = fopen("hwid.txt", "r");
if (file == NULL)
{
// Build a message telling the user where hwid.txt was expected.
// NOTE(review): the return value of GetCurrentDirectory is not checked, and
// std::string is used although only <fstream> is included in this listing.
char dir[256];
GetCurrentDirectory(sizeof(dir), dir);
std::string message;
message = "Could not open hwid.txt\n";
message += "Make sure it is at: ";
message += dir;
MessageBox(NULL, message.c_str(), app_title, MB_OK | MB_ICONERROR);
MessageBox(NULL, "Game will now close!", app_title, MB_OK);
exit(-1);
}
int VolumeSerialNumber = 0;
// NOTE(review): !fscanf(...) is only true when fscanf returns 0 (no match).
// On an empty file fscanf returns EOF, which is non-zero, so this branch is
// skipped. Also, "%x" expects an unsigned int*, while an int* is passed.
if (!fscanf(file, "%x", &VolumeSerialNumber)) {
MessageBox(0, "Could not read VolumeID", "FUCK", MB_OK);
}
// Second check: the value is still 0 when nothing was parsed (including the
// EOF case the check above does not catch) or when the file really contains 0.
if (VolumeSerialNumber == 0) {
MessageBox(0, "VolumeSerial is NULL", "FUCK", MB_OK);
}
fclose(file);
return VolumeSerialNumber;
}
// Fake function for GetVolumeInformationA.
// DllMain patches the real function so that calls land here. The only output
// written is *lpVolumeSerialNumber, set to the value returned by getVolumeId();
// the name, component-length, flags and file-system buffers are left untouched.
// lpRootPathName is only printed. Always returns 1 (success).
//
// NOTE(review): lpVolumeSerialNumber is annotated as optional but is dereferenced
// unconditionally, and lpRootPathName (also optional) is passed to "%s" as is.
//
// NOTE(review): for a defender, this shows that a volume serial number read by
// client-side code is controlled by the client; a server should not rely on it
// as the sole identifier of a machine.
BOOL WINAPI fake_GetVolumeInformationA(
__in_opt LPCSTR lpRootPathName,
__out_ecount_opt(nVolumeNameSize) LPSTR lpVolumeNameBuffer,
__in DWORD nVolumeNameSize,
__out_opt LPDWORD lpVolumeSerialNumber,
__out_opt LPDWORD lpMaximumComponentLength,
__out_opt LPDWORD lpFileSystemFlags,
__out_ecount_opt(nFileSystemNameSize) LPSTR lpFileSystemNameBuffer,
__in DWORD nFileSystemNameSize
)
{
printf("VolumeIDA for Drive %s requested\n", lpRootPathName);
// Same value for every drive: the requested root path does not influence it.
*lpVolumeSerialNumber = getVolumeId();
printf("Returning VolumeIDA = %x", *lpVolumeSerialNumber);
return 1; // Signal that this function was successful
}
// Fake function for GetVolumeInformationW, the wide-character counterpart of
// fake_GetVolumeInformationA. The only output written is *lpVolumeSerialNumber,
// set to the value returned by getVolumeId(); every other out-parameter is left
// untouched. lpRootPathName is only printed. Always returns 1 (success).
//
// NOTE(review): lpVolumeSerialNumber is annotated as optional but is dereferenced
// unconditionally.
BOOL WINAPI fake_GetVolumeInformationW(
__in_opt LPCWSTR lpRootPathName,
__out_ecount_opt(nVolumeNameSize) LPWSTR lpVolumeNameBuffer,
__in DWORD nVolumeNameSize,
__out_opt LPDWORD lpVolumeSerialNumber,
__out_opt LPDWORD lpMaximumComponentLength,
__out_opt LPDWORD lpFileSystemFlags,
__out_ecount_opt(nFileSystemNameSize) LPWSTR lpFileSystemNameBuffer,
__in DWORD nFileSystemNameSize
)
{
// %S: in Microsoft's narrow printf this prints a wide-character string.
printf("VolumeIDW for Drive %S requested\n", lpRootPathName);
// Same value for every drive: the requested root path does not influence it.
*lpVolumeSerialNumber = getVolumeId();
printf("Returning VolumeIDW = %x", *lpVolumeSerialNumber);
return 1;
}
// Overwrites the 5 bytes at trampoline_location with a relative near jump
// (opcode E9 followed by a 32-bit displacement) to target_location.
// Returns 1 once the bytes have been written, 0 if the page could not be made
// writable.
//
// Both addresses are passed as int, so this is only meaningful in a build where
// a pointer fits in an int (32-bit). The 5 bytes being overwritten are not saved
// anywhere, so the patched function can neither be called in its original form
// nor restored later.
//
// NOTE(review): defender view - a jump opcode at the first byte of a system API
// function is what in-memory integrity checks (comparing loaded code with the
// on-disk image) are designed to notice.
int placeHook(int trampoline_location, int target_location) {
// E9 [ 4 Byte Offset] <- JMP instruction pattern
char jmp_inst[] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
int distance;
DWORD dwProtect = 0;
// The JMP-offset is the relative distance between trampoline (start) and target
// -5 because the displacement is counted from the end of the 5-byte instruction
distance = target_location - trampoline_location - 5;
// Write jump-distance into the instruction buffer, right after the opcode byte
memcpy((jmp_inst+1), &distance, 4);
// Unprotect memory (make writeable); the previous protection lands in dwProtect
if (!VirtualProtect((LPVOID)trampoline_location, sizeof(jmp_inst), PAGE_EXECUTE_READWRITE, &dwProtect)) {
// NOTE(review): perror() reports errno, whereas VirtualProtect reports its
// failure reason through GetLastError(), so the printed reason may be unrelated.
perror("Failed to unprotect memory\n");
return 0;
}
// write assembled jmp-instruction to memory
memcpy((LPVOID)trampoline_location, jmp_inst, sizeof(jmp_inst));
// Protect memory (restore old permissions stored in dwProtect)
// NOTE(review): the result of this call is ignored, so whether the original
// protection was actually restored is never verified.
VirtualProtect((LPVOID)trampoline_location, sizeof(jmp_inst),dwProtect, NULL);
return 1;
}
// Main DLL entry point.
// On DLL_PROCESS_ATTACH it patches GetVolumeInformationA and
// GetVolumeInformationW so they jump to the fake_ versions, and only then loads
// "ElectusR-old.dll" (per the original comment, the original ElectusR DLL), so
// the patches are in place before that library is loaded. A failure in any step
// shows a message box and terminates the host process through exit(). Every
// other notification reason is ignored, and the function always returns TRUE.
//
// NOTE(review): LoadLibrary is called from inside DllMain, which Microsoft's
// DllMain guidance advises against. "ElectusR-old.dll" is a bare file name, so
// it is resolved through the normal DLL search order.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved)
{
UNREFERENCED_PARAMETER(lpReserved);
UNREFERENCED_PARAMETER(florian0); // Reference the author string so the compiler keeps it
if(ulReason == DLL_PROCESS_ATTACH)
{
/* console output is disabled in this variant; the printf calls below are
   only visible if the host process already has a stdout */
//AllocConsole();
//freopen("CONOUT$", "w", stdout);
// Retrieve Pointers to GetVolumeInformationA and W
LPVOID getvolA = &GetVolumeInformationA;
LPVOID getvolW = &GetVolumeInformationW;
// Write a JMP to the fake_GetVolumeInformation-functions in the real GetVolumeInformation.
// The pointers are narrowed to int here, matching placeHook's parameters.
if (placeHook((int)getvolA, (int)&fake_GetVolumeInformationA) == 0) {
MessageBox(0, "Error patching GetVolumeInformationA!", app_title, MB_OK | MB_ICONERROR);
exit(-1);
}
if (placeHook((int)getvolW, (int)&fake_GetVolumeInformationW) == 0) {
MessageBox(0, "Error patching GetVolumeInformationW!", app_title, MB_OK | MB_ICONERROR);
exit(-1);
}
// Load the original ElectusR-dll
if (LoadLibrary("ElectusR-old.dll") == 0) {
MessageBox(0, "Could not load the library ...", app_title, MB_OK | MB_ICONERROR);
exit(-2);
}
printf("All hooks placed successfully!\n");
// Reads hwid.txt once at load time; getVolumeId() shows message boxes and
// exits the process itself if the file is missing.
printf("Testing file ... VolumeID will be %x\n", getVolumeId());
}
return TRUE;
}
Edit: Please DON'T contact me to ask for HWID bypasses. I don't do this for anything other than my own learning experience.
|
Quote:
Originally Posted by -Prestige..
It just captures ELECTUS HWID/OPCODE ,,.. Not all sro as mentioned ..
Could you release the SRC ?>
|
Link zHookLib :
|
|
|