Request
Discussion on Request within the Wolfteam forum part of the Shooter category.
08/29/2016, 23:12
|
#1
Request
I am in need of some advice/help.
I have been analyzing wolfteam.bin with Olly and I am trying to locate the XIGNCODE initialization. I have found this in other games that use the same anti-cheat, but I have not been able to find it in wolfteam.bin. Could anyone help me find this area of the game's memory? I have used my normal method but am unable to locate anything.
Thanks
08/31/2016, 01:03
|
#2
Have you already seen the posted source that prevents XC from initializing?
// Scans backwards from Addy, one byte at a time, until compare() (defined
// elsewhere) matches the bytes 55 8B EC, and returns the address of the match.
// 55 8B EC encodes `push ebp; mov ebp, esp`, a common 32-bit x86 function
// prologue, so the result is treated as the start of the enclosing function.
// Returns Addy unchanged when it is null.
PBYTE FindStartOfFunc(PBYTE Addy)
{
if (!Addy) return Addy;
// Addy-- passes the current address and then steps back; ++Addy on a match
// undoes that step. The loop ends only on a match: no lower bound is checked.
while (true) if (compare((PBYTE)"\x55\x8B\xEC", "xxx", Addy--)) return ++Addy;
}
// Finds an instruction that pushes the address of a given byte pattern.
// First resolves the address of `sig` through FindSignature() (defined
// elsewhere; presumably a masked pattern search over dwLen bytes starting at
// dwBase - confirm), then searches the same range for the 5-byte sequence
// 68 <addr>, where 0x68 is the x86 `push imm32` opcode.
// Returns NULL when dwBase is zero or when the first search yields no address.
PBYTE FindPush(PBYTE sig, PCHAR mask, DWORD dwBase, DWORD dwLen)
{
if (!dwBase) return nullptr;
// Template: opcode byte followed by a 4-byte operand filled in below.
BYTE PushSig[5] = { 0x68, 0, 0, 0, 0 };
// The operand slot is written through a DWORD pointer into the byte array.
*(PDWORD)(&PushSig[1]) = FindSignature(sig, mask, dwBase, dwLen, 0);
if (*(PDWORD)(&PushSig[1]) == NULL) return NULL;
return (PBYTE)FindSignature(PushSig, "xxxxx", dwBase, dwLen, 0);
}
// bTriggered is set at the end of bypass() whether or not a patch was written;
// Start() polls it. bSuccess is set only when the patch is written and is not
// read anywhere in the code shown here.
bool bTriggered = false, bSuccess = false;
// Patches the entry of the function that references the "XIGNCODE" string.
// Steps, as visible here: FindCShell() (defined elsewhere) supplies a base
// address; FindPush() locates a push of the string within 5,000,000 bytes of
// it; FindStartOfFunc() walks back to the preceding prologue; Wrt() (defined
// elsewhere; presumably a memory write - confirm) replaces the first three
// bytes with B0 01 C3, i.e. `mov al, 1; ret`, so the function returns 1 at once.
// For defenders: this is a 3-byte in-memory modification at a function entry,
// so comparing executable pages against the on-disk image exposes it.
void bypass()
{
DWORD dwCShell = FindCShell();
if (dwCShell != NULL)
{
// The 9-character mask presumably covers the 8 letters plus the terminating NUL.
PBYTE BypassSig = FindPush((PBYTE)"XIGNCODE", "xxxxxxxxx", dwCShell, 5000000);
if (BypassSig != nullptr)
{
PBYTE BypassFunc = FindStartOfFunc(BypassSig);
// Re-checks that the candidate really starts with 55 8B EC before writing.
if (BypassFunc && !memcmp(BypassFunc, (PBYTE)"\x55\x8B\xEC", 3))
{
Wrt((PBYTE)BypassFunc, (PBYTE)"\xB0\x01\xC3", 3);
bSuccess = true;
}
}
}
// Set on every path, so the waiting thread in Start() is released even on failure.
bTriggered = true;
}
// bp: breakpoint object created and deleted in Start() (cBreakpoint is a
// project class not shown here).
cBreakpoint* bp = NULL;
// pcheck: address the breakpoint is placed on; ExceptionHandler compares Eip to it.
PBYTE pcheck = 0;
// Exception handler passed to cBreakpoint in Start(). Reacts only to
// EXCEPTION_SINGLE_STEP raised at the address stored in pcheck; every other
// exception is passed on with EXCEPTION_CONTINUE_SEARCH.
// On a hit it rewrites the thread context to emulate a call through EDX
// (push a return address, jump to EDX), calls bypass(), and resumes.
// Uses Eip/Esp/Edx, so this is 32-bit x86 only.
LONG WINAPI ExceptionHandler(EXCEPTION_POINTERS* e)
{
if (e->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) return EXCEPTION_CONTINUE_SEARCH;
if (e->ContextRecord->Eip == (DWORD)pcheck)
{
// Make room on the stack and store Eip + 2 as the return address;
// presumably the instruction at pcheck is a 2-byte `call edx` - confirm.
e->ContextRecord->Esp -= 4;
*(PDWORD)(e->ContextRecord->Esp) = e->ContextRecord->Eip + 0x2;
e->ContextRecord->Eip = e->ContextRecord->Edx;
// Runs inside the handler, before the interrupted thread continues.
bypass();
return EXCEPTION_CONTINUE_EXECUTION;
}
return EXCEPTION_CONTINUE_SEARCH;
}
// Worker routine started from DllMain. Waits one second, calls AntiHWIDBan()
// (defined elsewhere, behaviour not shown), then polls every 30 ms until
// FindPush() finds a push of the "DIRECTSHOW" string inside wolfteam.bin.
// It then places a breakpoint two bytes before that push, waits for
// bypass() to set bTriggered, and removes the breakpoint.
void Start()
{
Sleep(1000);
AntiHWIDBan();
while (pcheck == nullptr)
{
Sleep(30);
// A NULL module handle makes FindPush() return nullptr, so the loop simply retries.
pcheck = FindPush((PBYTE)"DIRECTSHOW\x00", "xxxxxxxxxx", (DWORD)GetModuleHandleA("wolfteam.bin"), 5000000);
}
// Step back to the 2-byte instruction preceding the push (see ExceptionHandler).
pcheck -= 2;
bp = new cBreakpoint(ExceptionHandler);
bp->SetBP((DWORD)pcheck);
// Polls once per second until bypass() has run.
while (!bTriggered) Sleep(1000);
delete bp;
}
// DLL entry point. On DLL_PROCESS_ATTACH it creates a thread that runs Start()
// and closes the thread handle immediately; it always returns TRUE.
// The two commented-out lines are a disabled prompt and a disabled hook on
// GetTempFileNameA; neither runs.
// For defenders: the visible behaviour is a module that is loaded into the
// game process and starts a thread at attach time, which module-load and
// thread-creation monitoring can observe.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
{
//int iStaticModule = MessageBoxA(0, "Static CShell/Obj?", "", MB_YESNO);
//if (iStaticModule == IDYES) Hook((PBYTE)GetProcAddress(GetModuleHandleA("kerne l32"), "GetTempFileNameA"), (PBYTE)&xGetTempFileNameA, 5);
// Start is declared `void Start()` and cast to LPTHREAD_START_ROUTINE here.
HANDLE hThread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&Start, NULL, NULL, NULL);
if (hThread != NULL) CloseHandle(hThread);
}
return TRUE;
}
08/31/2016, 02:07
|
#3
Quote:
Originally Posted by Ⓜiku Ⓗatsune
Have you already seen the posted source that prevents XC from initializing?
// Scans backwards from Addy, one byte at a time, until compare() (defined
// elsewhere) matches the bytes 55 8B EC, and returns the address of the match.
// 55 8B EC encodes `push ebp; mov ebp, esp`, a common 32-bit x86 function
// prologue, so the result is treated as the start of the enclosing function.
// Returns Addy unchanged when it is null.
PBYTE FindStartOfFunc(PBYTE Addy)
{
if (!Addy) return Addy;
// Addy-- passes the current address and then steps back; ++Addy on a match
// undoes that step. The loop ends only on a match: no lower bound is checked.
while (true) if (compare((PBYTE)"\x55\x8B\xEC", "xxx", Addy--)) return ++Addy;
}
// Finds an instruction that pushes the address of a given byte pattern.
// First resolves the address of `sig` through FindSignature() (defined
// elsewhere; presumably a masked pattern search over dwLen bytes starting at
// dwBase - confirm), then searches the same range for the 5-byte sequence
// 68 <addr>, where 0x68 is the x86 `push imm32` opcode.
// Returns NULL when dwBase is zero or when the first search yields no address.
PBYTE FindPush(PBYTE sig, PCHAR mask, DWORD dwBase, DWORD dwLen)
{
if (!dwBase) return nullptr;
// Template: opcode byte followed by a 4-byte operand filled in below.
BYTE PushSig[5] = { 0x68, 0, 0, 0, 0 };
// The operand slot is written through a DWORD pointer into the byte array.
*(PDWORD)(&PushSig[1]) = FindSignature(sig, mask, dwBase, dwLen, 0);
if (*(PDWORD)(&PushSig[1]) == NULL) return NULL;
return (PBYTE)FindSignature(PushSig, "xxxxx", dwBase, dwLen, 0);
}
// bTriggered is set at the end of bypass() whether or not a patch was written;
// Start() polls it. bSuccess is set only when the patch is written and is not
// read anywhere in the code shown here.
bool bTriggered = false, bSuccess = false;
// Patches the entry of the function that references the "XIGNCODE" string.
// Steps, as visible here: FindCShell() (defined elsewhere) supplies a base
// address; FindPush() locates a push of the string within 5,000,000 bytes of
// it; FindStartOfFunc() walks back to the preceding prologue; Wrt() (defined
// elsewhere; presumably a memory write - confirm) replaces the first three
// bytes with B0 01 C3, i.e. `mov al, 1; ret`, so the function returns 1 at once.
// For defenders: this is a 3-byte in-memory modification at a function entry,
// so comparing executable pages against the on-disk image exposes it.
void bypass()
{
DWORD dwCShell = FindCShell();
if (dwCShell != NULL)
{
// The 9-character mask presumably covers the 8 letters plus the terminating NUL.
PBYTE BypassSig = FindPush((PBYTE)"XIGNCODE", "xxxxxxxxx", dwCShell, 5000000);
if (BypassSig != nullptr)
{
PBYTE BypassFunc = FindStartOfFunc(BypassSig);
// Re-checks that the candidate really starts with 55 8B EC before writing.
if (BypassFunc && !memcmp(BypassFunc, (PBYTE)"\x55\x8B\xEC", 3))
{
Wrt((PBYTE)BypassFunc, (PBYTE)"\xB0\x01\xC3", 3);
bSuccess = true;
}
}
}
// Set on every path, so the waiting thread in Start() is released even on failure.
bTriggered = true;
}
// bp: breakpoint object created and deleted in Start() (cBreakpoint is a
// project class not shown here).
cBreakpoint* bp = NULL;
// pcheck: address the breakpoint is placed on; ExceptionHandler compares Eip to it.
PBYTE pcheck = 0;
// Exception handler passed to cBreakpoint in Start(). Reacts only to
// EXCEPTION_SINGLE_STEP raised at the address stored in pcheck; every other
// exception is passed on with EXCEPTION_CONTINUE_SEARCH.
// On a hit it rewrites the thread context to emulate a call through EDX
// (push a return address, jump to EDX), calls bypass(), and resumes.
// Uses Eip/Esp/Edx, so this is 32-bit x86 only.
LONG WINAPI ExceptionHandler(EXCEPTION_POINTERS* e)
{
if (e->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) return EXCEPTION_CONTINUE_SEARCH;
if (e->ContextRecord->Eip == (DWORD)pcheck)
{
// Make room on the stack and store Eip + 2 as the return address;
// presumably the instruction at pcheck is a 2-byte `call edx` - confirm.
e->ContextRecord->Esp -= 4;
*(PDWORD)(e->ContextRecord->Esp) = e->ContextRecord->Eip + 0x2;
e->ContextRecord->Eip = e->ContextRecord->Edx;
// Runs inside the handler, before the interrupted thread continues.
bypass();
return EXCEPTION_CONTINUE_EXECUTION;
}
return EXCEPTION_CONTINUE_SEARCH;
}
// Worker routine started from DllMain. Waits one second, calls AntiHWIDBan()
// (defined elsewhere, behaviour not shown), then polls every 30 ms until
// FindPush() finds a push of the "DIRECTSHOW" string inside wolfteam.bin.
// It then places a breakpoint two bytes before that push, waits for
// bypass() to set bTriggered, and removes the breakpoint.
void Start()
{
Sleep(1000);
AntiHWIDBan();
while (pcheck == nullptr)
{
Sleep(30);
// A NULL module handle makes FindPush() return nullptr, so the loop simply retries.
pcheck = FindPush((PBYTE)"DIRECTSHOW\x00", "xxxxxxxxxx", (DWORD)GetModuleHandleA("wolfteam.bin"), 5000000);
}
// Step back to the 2-byte instruction preceding the push (see ExceptionHandler).
pcheck -= 2;
bp = new cBreakpoint(ExceptionHandler);
bp->SetBP((DWORD)pcheck);
// Polls once per second until bypass() has run.
while (!bTriggered) Sleep(1000);
delete bp;
}
// DLL entry point. On DLL_PROCESS_ATTACH it creates a thread that runs Start()
// and closes the thread handle immediately; it always returns TRUE.
// The two commented-out lines are a disabled prompt and a disabled hook on
// GetTempFileNameA; neither runs.
// For defenders: the visible behaviour is a module that is loaded into the
// game process and starts a thread at attach time, which module-load and
// thread-creation monitoring can observe.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
{
//int iStaticModule = MessageBoxA(0, "Static CShell/Obj?", "", MB_YESNO);
//if (iStaticModule == IDYES) Hook((PBYTE)GetProcAddress(GetModuleHandleA("kerne l32"), "GetTempFileNameA"), (PBYTE)&xGetTempFileNameA, 5);
// Start is declared `void Start()` and cast to LPTHREAD_START_ROUTINE here.
HANDLE hThread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&Start, NULL, NULL, NULL);
if (hThread != NULL) CloseHandle(hThread);
}
return TRUE;
}
|
Nice .dll, but it did not answer my question: I am trying to locate it in the .bin.