[request] Riders of Icarus / Nexon Game Security Bypass

xidaozu · 07/18/2016, 15:13

Hello,

I am looking for bypass for nexon game security, mainly needed for Riders of Icarus. Would like to search for some hacks there. Any informations would be appreciated.

zorak10 · 08/01/2016, 05:17

im trying find one too

ginaowens · 08/02/2016, 09:52

One of my friend facing the same problem. But he told me some way out by some hacks.

cabalDE · 08/02/2016, 20:37

cheat engine?

talker666 · 08/06/2016, 00:41

there are bots / teleports but nothing public atm ! If someone has any info pls Post it here

thx

xidaozu · 08/06/2016, 22:17

any idea where to contact with devs and buy it?

~~Minato332~~ · 08/15/2016, 15:36

you guys are aware that you can use cheat engine on the game without the anti-cheat detecting it right? A bypass at that point isn't really necessary however it isn't too hard to figure out. If the game doesn't have an heartbeat for it's anti-cheat then you can simply delete the .dll/files for the anti-cheat or if you want to be smart you can find where it is initialized and disable it from there so the anti-cheat never gets launched.

Source:

Code:

#include <stdint.h>
#include <Shlwapi.h>
#pragma comment(lib, "Shlwapi.lib")
 
#define BLACKCIPHER_EXE "BlackCipher.aes"
 
typedef BOOL(WINAPI* CreateProcessWPtr)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFO, LPPROCESS_INFORMATION);
CreateProcessWPtr _CreateProcessW = (CreateProcessWPtr)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "CreateProcessW");
 
BOOL WINAPI CreateProcessW_Hook(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
{
	size_t chars_converted = 0;                             // used by wcstombs_s and mbstowcs_s
	char application_name_mb[512] = { "(nullptr)\0" };      // multibyte versions of the strings in the params
	char command_line_mb[512] = { "(nullptr)\0" };
	char current_directory_mb[512] = { "(nullptr)\0" };
	BOOL res;
	char buf[MAX_PATH] = { 0 };                             // used by GetModuleNameA
	PSTR cmd_line_end;                                      // pointer to the double quote after BlackCipher.aes in the cmd line
	size_t cmd_line_end_size;                               // size of the buffer after cmd_line_end
	int is_bc_executable = 0;                               // 1 if the call is related to BlackCipher.aes
	WCHAR replaced_cmd[512] = { 0 };                        // modified cmd line (BlackCipher.aes -> BlackCipher.aes2)
	
	do {
		if (lpApplicationName && wcstombs_s(&chars_converted, application_name_mb, 512, lpApplicationName, 512) == -1) {
			Log(L"wcstombs_s failed for lpApplicationName (%s)\n", lpApplicationName);
			break;
		}
 
		if (lpCommandLine && wcstombs_s(&chars_converted, command_line_mb, 512, lpCommandLine, 512) == -1) {
			Log(L"wcstombs_s failed for lpCommandLine (%s)\n", lpCommandLine);
			break;
		}
 
		if (lpCurrentDirectory && wcstombs_s(&chars_converted, current_directory_mb, 512, lpCurrentDirectory, 512) == -1) {
			Log(L"wcstombs_s failed for lpCurrentDirectory (%s)\n", lpCurrentDirectory);
			break;
		}
 
		is_bc_executable = StrStrIA(command_line_mb, BLACKCIPHER_EXE) != NULL;
 
		// replace BlackCipher.aes with BlackCipher.aes2
		if (is_bc_executable) 
		{
			cmd_line_end = StrStrIA(command_line_mb, BLACKCIPHER_EXE) + 15;
			cmd_line_end_size = MAX_PATH - (cmd_line_end - command_line_mb);
			memmove_s(cmd_line_end + 1, cmd_line_end_size - 1, cmd_line_end, cmd_line_end_size - 1);
			*cmd_line_end = '2';
 
			if (mbstowcs_s(&chars_converted, replaced_cmd, 512, command_line_mb, 512)) 
			{
				Log(L"mbstowcs_s failed for command_line_mb (%s)\n", command_line_mb);
				break;
			}
 
			lpCommandLine = replaced_cmd;
		}
 
	} while (0);
	
	res = _CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
 
	return res;
}
 
static uint32_t maple_pid = 0, maple_dump = 0, maple_base = 0, maple_size = 0;
 
typedef BOOL(WINAPI* ReadProcessMemoryPtr)(HANDLE, LPCVOID, LPVOID, SIZE_T, SIZE_T *);
ReadProcessMemoryPtr _ReadProcessMemory = (ReadProcessMemoryPtr)GetProcAddress(GetModuleHandleA("KernelBase.dll"), "ReadProcessMemory");
 
BOOL WINAPI ReadProcessMemory_Hook(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer,SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
{
	BOOL res;
	int spoofed = 0;
	uint32_t pid = (uint32_t)GetProcessId(hProcess);
	uint32_t current_pid = (uint32_t)GetCurrentProcessId();
	LPCVOID original_base = lpBaseAddress;
 
	if (pid == maple_pid || pid == current_pid)
	{
		if (GetProcessId(hProcess) == maple_pid && (uint32_t)lpBaseAddress >= maple_base && (uint32_t)lpBaseAddress < maple_base + maple_size) {
			lpBaseAddress = (LPCVOID)((uint32_t)lpBaseAddress - maple_base + maple_dump);
			spoofed = 1;
		}
 
		if (GetProcessId(hProcess) == GetCurrentProcessId() && (uint32_t)lpBaseAddress >= MS_Memory_Start && (uint32_t)lpBaseAddress < MS_Memory_End) 
		{
			lpBaseAddress = (LPCVOID)((uint32_t)lpBaseAddress - MS_Memory_Start + MS_Memory);
			Log(L"!!!BC tried to check its own memory!!!");
			spoofed = 1;
		}
	}
 
	res = _ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead);
 
	return res;
}
 
typedef LPVOID PCLIENT_ID;
#define STATUS_ACCESS_DENIED 0xC0000022
 
typedef NTSYSAPI NTSTATUS(NTAPI* NtOpenProcessPtr)(PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
NtOpenProcessPtr _NtOpenProcess = (NtOpenProcessPtr)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtOpenProcess");
 
NTSTATUS NTAPI NtOpenProcess_Hook(PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
	NTSTATUS res;
	uint32_t pid;
	AccessMask |= PROCESS_QUERY_INFORMATION; // Ensures that we'll have permission to get PID
	res = _NtOpenProcess(ProcessHandle, AccessMask, ObjectAttributes, ClientId);
 
	pid = (uint32_t)GetProcessId(*ProcessHandle);
	if (!res && pid != maple_pid) 
	{
		Log(L"Blocking NtOpenProcess for pid %.08X\n", pid);
		res = STATUS_ACCESS_DENIED;
		*ProcessHandle = NULL;
	}
 
	return res;
}
 
typedef NTSYSAPI NTSTATUS(NTAPI* NtReadVirtualMemoryPtr)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
NtReadVirtualMemoryPtr _NtReadVirtualMemory = (NtReadVirtualMemoryPtr)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtReadVirtualMemory");
 
NTSTATUS NTAPI NtReadVirtualMemory_Hook(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded)
{
	if (GetProcessId(ProcessHandle) == maple_pid)
	{
		Log(L"Blocking NtReadVirtualMemory for address %.08X\n", BaseAddress);
		return STATUS_ACCESS_DENIED;
	}
 
	return _NtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesReaded);
}

zorak10 · 08/19/2016, 21:25

what this cod do? didint get it...

talker666 · 08/21/2016, 02:28

...holy **** i only read ohhh nexonguard is easy to hack ....no protection ...blabla...but there is nothing to find on the internet ....guys if you know something then share...thx

~~Minato332~~ · 08/24/2016, 21:20

Quote:

Originally Posted by talker666

...holy **** i only read ohhh nexonguard is easy to hack ....no protection ...blabla...but there is nothing to find on the internet ....guys if you know something then share...thx

My team and I already made a teleport tool for it and so on.

we are going to make a bot and sell

talker666 · 08/25/2016, 01:50

let me know ...i will buy instant

Krotus · 08/30/2016, 14:37

#moved…

b0gd4nuzzz · 02/04/2019, 21:57

Any hacks for Riders of Icarus?