So, please post your knowledge about MSCRC or your self-invented scripts or ideas to speed up the MSCRC bypass project.
This is the current GMS MSCRC, converted into MSEA version but not working.
Code: Select all
[enable]
alloc(mscrc,100)
alloc(hscrc,100)
alloc(copy,1024)
alloc(dump,88568340)
createthread(copy)
label(exitmscrc)
label(mscrcret)
label(hscrcret)
label(llop)
label(getoutahere)
mscrc:
cmp ecx,00401000
jl exitmscrc
cmp ecx,00B00000
jg exitmscrc
sub ecx,00401000
push eax
lea eax,[dump]
add ecx,eax
pop eax
exitmscrc:
movzx ecx,byte ptr [ecx]
mov edx,[ebp+14]
jmp mscrcret
copy: //makes the fake memory
mov eax,00401000
lea ecx,[dump]
llop: //IDK wat this sheet does
xor ebx,ebx
movzx ebx,byte ptr [eax]
mov byte ptr [ecx],bl
inc eax
inc ecx
cmp eax,00B00000
jg getoutahere
jmp llop
getoutahere: // IDK wat this sheet does
lea ebx,[dump]
add ebx,68693b//A8793B - 401000
xor eax,eax
mov al,0F
mov byte ptr [ebx],al
inc ebx
mov al,B6
mov byte ptr [ebx],al
inc ebx
mov al,09
mov byte ptr [ebx],al
inc ebx
mov al,8B
mov byte ptr [ebx],al
inc ebx
mov al,55
mov byte ptr [ebx],al
ret
hscrc:
mov eax,fs:[20]
cmp eax,[esp+0c]
jne hscrcret
mov fs:[34],57
xor eax,eax
ret 000c
hscrcret:
mov edi,edi
push ebp
mov ebp,esp
jmp OpenProcess+05
009F6096: //the mscrc main addy
jmp mscrc
db 14
mscrcret:
OpenProcess:
jmp hscrc
[disable]
//no disable, it is useless
After my analysing using PEiD`s KANAL plug-in, I found two CRC checks (my god?!).
The address are:
004AAB37(maybe more or less) and 009F6096(confirmed)
I wonder if we can work on it.
Code: Select all
CRC32b :: 00797700 :: 00B97700
Referenced at 004AAB5D
Referenced at 004AAB74
Referenced at 004AAB8F
Referenced at 004AABA4
Referenced at 004AABBC
Referenced at 004AABD4
Referenced at 004AABEC
Referenced at 004AAC04
Referenced at 004AAC1D
Referenced at 004AAC35
Referenced at 004AAC4C
Referenced at 004AAC63
Referenced at 004AAC7B
Referenced at 004AAC93
Referenced at 004AACAC
Referenced at 004AACC4
Referenced at 004AACEB
CRC32b :: 0079C618 :: 00B9C618
Referenced at 0098C01C
Referenced at 0098C033
Referenced at 0098C04E
Referenced at 0098C063
Referenced at 0098C07B
Referenced at 0098C093
Referenced at 0098C0AB
Referenced at 0098C0C3
Referenced at 0098C0DC
Referenced at 0098C0F4
Referenced at 0098C10B
Referenced at 0098C122
Referenced at 0098C13A
Referenced at 0098C152
Referenced at 0098C16B
Referenced at 0098C183
Referenced at 0098C1A9
MD5 :: 0025E634 :: 0065E634
The reference is above.
{Big number} :: 00705F90 :: 00B05F90
Referenced at 00A50AB8
[UPDATE]
After analysing, I confirmed the TWO MSCRC checks.
I also found the check routine, as stated in the GzP post.
MSCRC Check Routine:
Code: Select all
The bypass works very simply and is generic per version of MapleStory, only needing to change the game dump when there's a patch of something of that manner, but how does it work? Putting it simply, the bypass utilizes an optimized & modified CRC32 algorithm on the memory, so we can use a PEiD plugin called KANAL to look for generic cryptography signatures:
KANAL's feedback on the analysis of an unpacked cop of MapleStory. 'CRC32b' being the table used for the integrity check.
So now we know where the CRC32 table is located, lets have a look at how it is used:
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; ULONG __cdecl CalculateCRC32(LPVOID lpStartAddress, SIZE_T nSize, ULONG ulInitialHash, BOOL bUseHash)
CalculateCRC32 proc near
lpStartAddress = dword ptr 8
nSize = dword ptr 0Ch
ulInitialHash = dword ptr 10h
bUseHash = dword ptr 14h
push ebp
mov ebp, esp
cmp [ebp+bUseHash], 0
mov ecx, [ebp+lpStartAddress]
jz short loc_473980
xor [ebp+ulInitialHash], ecx
loc_473980:
mov eax, [ebp+ulInitialHash] ; Generic bypass hook-point
push esi
push edi
mov edi, [ebp+nSize]
cmp edi, 10h
jb loc_473B22
mov esi, edi
push ebx
shr esi, 4
CalculateCRC:
movzx ebx, byte ptr [ecx]
mov edx, eax
shr edx, 18h
xor edx, ebx
mov ebx, eax
mov eax, ds:CRC32Table[edx*4]
shl ebx, 8
xor eax, ebx
movzx ebx, byte ptr [ecx+1]
mov edx, eax
shr edx, 18h
xor edx, ebx
mov edx, ds:CRC32Table[edx*4]
shl eax, 8
xor edx, eax
mov eax, edx
shr eax, 18h
shl edx, 8
inc ecx
movzx ebx, byte ptr [ecx+1]
xor eax, ebx
mov eax, ds:CRC32Table[eax*4]
xor eax, edx
inc ecx
movzx ebx, byte ptr [ecx+1]
mov edx, eax
shr edx, 18h
xor edx, ebx
mov edx, ds:CRC32Table[edx*4]
shl eax, 8
xor edx, eax
inc ecx
movzx ebx, byte ptr [ecx+1]
mov eax, edx
shr eax, 18h
xor eax, ebx
mov eax, ds:CRC32Table[eax*4]
shl edx, 8
xor eax, edx
inc ecx
movzx ebx, byte ptr [ecx+1]
mov edx, eax
shr edx, 18h
xor edx, ebx
mov edx, ds:CRC32Table[edx*4]
shl eax, 8
xor edx, eax
inc ecx
movzx ebx, byte ptr [ecx+1]
mov eax, edx
shr eax, 18h
xor eax, ebx
mov eax, ds:CRC32Table[eax*4]
shl edx, 8
xor eax, edx
inc ecx
movzx ebx, byte ptr [ecx+1]
mov edx, eax
shr edx, 18h
xor edx, ebx
mov edx, ds:CRC32Table[edx*4]
inc ecx
movzx ebx, byte ptr [ecx+1]
shl eax, 8
xor edx, eax
mov eax, edx
inc ecx
shr eax, 18h
xor eax, ebx
mov eax, ds:CRC32Table[eax*4]
movzx ebx, byte ptr [ecx+1]
shl edx, 8
xor eax, edx
inc ecx
mov edx, eax
shr edx, 18h
xor edx, ebx
mov edx, ds:CRC32Table[edx*4]
shl eax, 8
xor edx, eax
inc ecx
movzx ebx, byte ptr [ecx]
mov eax, edx
shr eax, 18h
xor eax, ebx
mov eax, ds:CRC32Table[eax*4]
movzx ebx, byte ptr [ecx+1]
shl edx, 8
xor eax, edx
mov edx, eax
shr edx, 18h
xor edx, ebx
mov edx, ds:CRC32Table[edx*4]
shl eax, 8
xor edx, eax
inc ecx
movzx ebx, byte ptr [ecx+1]
mov eax, edx
shr eax, 18h
xor eax, ebx
mov eax, ds:CRC32Table[eax*4]
shl edx, 8
xor eax, edx
inc ecx
movzx ebx, byte ptr [ecx+1]
mov edx, eax
shr edx, 18h
xor edx, ebx
mov edx, ds:CRC32Table[edx*4]
inc ecx
movzx ebx, byte ptr [ecx+1]
shl eax, 8
xor edx, eax
inc ecx
mov eax, edx
shr eax, 18h
xor eax, ebx
mov eax, ds:CRC32Table[eax*4]
movzx ebx, byte ptr [ecx+1]
shl edx, 8
xor eax, edx
inc ecx
mov edx, eax
shr edx, 18h
xor edx, ebx
mov edx, ds:CRC32Table[edx*4]
shl eax, 8
xor eax, edx
inc ecx
sub edi, 10h
dec esi
jnz CalculateCRC
pop ebx
loc_473B22:
cmp edi, 1
jb short loc_473B41
loc_473B27:
movzx esi, byte ptr [ecx]
mov edx, eax
shr edx, 18h
xor edx, esi
mov edx, ds:CRC32Table[edx*4]
shl eax, 8
xor eax, edx
inc ecx
dec edi
jnz short loc_473B27
loc_473B41:
pop edi
pop esi
pop ebp
retn
CalculateCRC32 endp
This is fairly self-explanitory, the function works in this manner:
ULONG __cdecl CalculateCRC32(
__in LPVOID lpBuffer,
__in SIZE_T nSize,
__in_opt ULONG ulInitialHash,
__in BOOL bUseInitialHash
);
Parameters
lpBuffer - The buffer for which the CRC is to be calculated for.
nSize - The size of the region to hashed / 16.
ulInitialHash - This parameter is only valid if bUseInitialHash is TRUE, ulInitialHash is added to the hash if it is specified.
bUseInitialHash - If this parameter is specified then ulInitialHash is added onto the return.
Return
The function returns the CRC fo the region specified.MSCRC check 1:
Code: Select all
//MapleSEA v93 MSCRC Routine
004AAB28 - 55 - push ebp
004AAB29 - 8b ec - mov ebp,esp
004AAB2B - 83 7d 14 00 - cmp dword ptr [ebp+14],00
004AAB2F - 8b 4d 08 - mov ecx,[ebp+08]
004AAB32 - 74 03 - je 004aab37
004AAB34 - 31 4d 10 - xor [ebp+10],ecx
004AAB37 - 8b 45 10 - mov eax,[ebp+10]
004AAB3A - 56 - push esi
004AAB3B - 57 - push edi
004AAB3C - 8b 7d 0c - mov edi,[ebp+0c]
004AAB3F - 83 ff 10 - cmp edi,10
004AAB42 - 0f 82 91 01 00 00 - jb 004aacd9
004AAB48 - 8b f7 - mov esi,edi
004AAB4A - 53 - push ebx
004AAB4B - c1 ee 04 - shr esi,04
004AAB4E - 0f b6 19 - movzx ebx,byte ptr [ecx]
004AAB51 - 8b d0 - mov edx,eax
004AAB53 - c1 ea 18 - shr edx,18
004AAB56 - 33 d3 - xor edx,ebx
004AAB58 - 8b d8 - mov ebx,eax
004AAB5A - 8b 04 95 00 77 b9 00 - mov eax,[edx*4+ztltaskmemreallocimp+1a364f]
004AAB61 - c1 e3 08 - shl ebx,08
004AAB64 - 33 c3 - xor eax,ebx
004AAB66 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AAB6A - 8b d0 - mov edx,eax
004AAB6C - c1 ea 18 - shr edx,18
004AAB6F - 33 d3 - xor edx,ebx
004AAB71 - 8b 14 95 00 77 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a364f]
004AAB78 - c1 e0 08 - shl eax,08
004AAB7B - 33 d0 - xor edx,eax
004AAB7D - 8b c2 - mov eax,edx
004AAB7F - c1 e8 18 - shr eax,18
004AAB82 - c1 e2 08 - shl edx,08
004AAB85 - 41 - inc ecx
004AAB86 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AAB8A - 33 c3 - xor eax,ebx
004AAB8C - 8b 04 85 00 77 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a364f]
004AAB93 - 33 c2 - xor eax,edx
004AAB95 - 41 - inc ecx
004AAB96 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AAB9A - 8b d0 - mov edx,eax
004AAB9C - c1 ea 18 - shr edx,18
004AAB9F - 33 d3 - xor edx,ebx
004AABA1 - 8b 14 95 00 77 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a364f]
004AABA8 - c1 e0 08 - shl eax,08
004AABAB - 33 d0 - xor edx,eax
004AABAD - 41 - inc ecx
004AABAE - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AABB2 - 8b c2 - mov eax,edx
004AABB4 - c1 e8 18 - shr eax,18
004AABB7 - 33 c3 - xor eax,ebx
004AABB9 - 8b 04 85 00 77 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a364f]
004AABC0 - c1 e2 08 - shl edx,08
004AABC3 - 33 c2 - xor eax,edx
004AABC5 - 41 - inc ecx
004AABC6 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AABCA - 8b d0 - mov edx,eax
004AABCC - c1 ea 18 - shr edx,18
004AABCF - 33 d3 - xor edx,ebx
004AABD1 - 8b 14 95 00 77 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a364f]
004AABD8 - c1 e0 08 - shl eax,08
004AABDB - 33 d0 - xor edx,eax
004AABDD - 41 - inc ecx
004AABDE - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AABE2 - 8b c2 - mov eax,edx
004AABE4 - c1 e8 18 - shr eax,18
004AABE7 - 33 c3 - xor eax,ebx
004AABE9 - 8b 04 85 00 77 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a364f]
004AABF0 - c1 e2 08 - shl edx,08
004AABF3 - 33 c2 - xor eax,edx
004AABF5 - 41 - inc ecx
004AABF6 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AABFA - 8b d0 - mov edx,eax
004AABFC - c1 ea 18 - shr edx,18
004AABFF - 33 d3 - xor edx,ebx
004AAC01 - 8b 14 95 00 77 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a364f]
004AAC08 - 41 - inc ecx
004AAC09 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AAC0D - c1 e0 08 - shl eax,08
004AAC10 - 33 d0 - xor edx,eax
004AAC12 - 8b c2 - mov eax,edx
004AAC14 - 41 - inc ecx
004AAC15 - c1 e8 18 - shr eax,18
004AAC18 - 33 c3 - xor eax,ebx
004AAC1A - 8b 04 85 00 77 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a364f]
004AAC21 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AAC25 - c1 e2 08 - shl edx,08
004AAC28 - 33 c2 - xor eax,edx
004AAC2A - 41 - inc ecx
004AAC2B - 8b d0 - mov edx,eax
004AAC2D - c1 ea 18 - shr edx,18
004AAC30 - 33 d3 - xor edx,ebx
004AAC32 - 8b 14 95 00 77 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a364f]
004AAC39 - c1 e0 08 - shl eax,08
004AAC3C - 33 d0 - xor edx,eax
004AAC3E - 41 - inc ecx
004AAC3F - 0f b6 19 - movzx ebx,byte ptr [ecx]
004AAC42 - 8b c2 - mov eax,edx
004AAC44 - c1 e8 18 - shr eax,18
004AAC47 - 33 c3 - xor eax,ebx
004AAC49 - 8b 04 85 00 77 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a364f]
004AAC50 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AAC54 - c1 e2 08 - shl edx,08
004AAC57 - 33 c2 - xor eax,edx
004AAC59 - 8b d0 - mov edx,eax
004AAC5B - c1 ea 18 - shr edx,18
004AAC5E - 33 d3 - xor edx,ebx
004AAC60 - 8b 14 95 00 77 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a364f]
004AAC67 - c1 e0 08 - shl eax,08
004AAC6A - 33 d0 - xor edx,eax
004AAC6C - 41 - inc ecx
004AAC6D - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AAC71 - 8b c2 - mov eax,edx
004AAC73 - c1 e8 18 - shr eax,18
004AAC76 - 33 c3 - xor eax,ebx
004AAC78 - 8b 04 85 00 77 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a364f]
004AAC7F - c1 e2 08 - shl edx,08
004AAC82 - 33 c2 - xor eax,edx
004AAC84 - 41 - inc ecx
004AAC85 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AAC89 - 8b d0 - mov edx,eax
004AAC8B - c1 ea 18 - shr edx,18
004AAC8E - 33 d3 - xor edx,ebx
004AAC90 - 8b 14 95 00 77 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a364f]
004AAC97 - 41 - inc ecx
004AAC98 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AAC9C - c1 e0 08 - shl eax,08
004AAC9F - 33 d0 - xor edx,eax
004AACA1 - 41 - inc ecx
004AACA2 - 8b c2 - mov eax,edx
004AACA4 - c1 e8 18 - shr eax,18
004AACA7 - 33 c3 - xor eax,ebx
004AACA9 - 8b 04 85 00 77 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a364f]
004AACB0 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
004AACB4 - c1 e2 08 - shl edx,08
004AACB7 - 33 c2 - xor eax,edx
004AACB9 - 41 - inc ecx
004AACBA - 8b d0 - mov edx,eax
004AACBC - c1 ea 18 - shr edx,18
004AACBF - 33 d3 - xor edx,ebx
004AACC1 - 8b 14 95 00 77 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a364f]
004AACC8 - c1 e0 08 - shl eax,08
004AACCB - 33 c2 - xor eax,edx
004AACCD - 41 - inc ecx
004AACCE - 83 ef 10 - sub edi,10
004AACD1 - 4e - dec esi
004AACD2 - 0f 85 76 fe ff ff - jne 004aab4e
004AACD8 - 5b - pop ebx
004AACD9 - 83 ff 01 - cmp edi,01
004AACDC - 72 1a - jb 004aacf8
004AACDE - 0f b6 31 - movzx esi,byte ptr [ecx]
004AACE1 - 8b d0 - mov edx,eax
004AACE3 - c1 ea 18 - shr edx,18
004AACE6 - 33 d6 - xor edx,esi
004AACE8 - 8b 14 95 00 77 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a364f]
004AACEF - c1 e0 08 - shl eax,08
004AACF2 - 33 c2 - xor eax,edx
004AACF4 - 41 - inc ecx
004AACF5 - 4f - dec edi
004AACF6 - 75 e6 - jne 004aacde
004AACF8 - 8b 4d 18 - mov ecx,[ebp+18]
004AACFB - 85 c9 - test ecx,ecx
004AACFD - 5f - pop edi
004AACFE - 5e - pop esi
004AACFF - 74 06 - je 004aad07
004AAD01 - c7 01 0b 00 00 00 - mov [ecx],0000000b
004AAD07 - 5d - pop ebp
004AAD08 - c3 - ret
Code: Select all
//MSEA v93 MSCRC Second MSCRC Routine
0098BFE7 - 55 - push ebp
0098BFE8 - 8b ec - mov ebp,esp
0098BFEA - 83 7d 14 00 - cmp dword ptr [ebp+14],00
0098BFEE - 8b 4d 08 - mov ecx,[ebp+08]
0098BFF1 - 74 03 - je 0098bff6
0098BFF3 - 31 4d 10 - xor [ebp+10],ecx
0098BFF6 - 8b 45 10 - mov eax,[ebp+10]
0098BFF9 - 56 - push esi
0098BFFA - 57 - push edi
0098BFFB - 8b 7d 0c - mov edi,[ebp+0c]
0098BFFE - 83 ff 10 - cmp edi,10
0098C001 - 0f 82 91 01 00 00 - jb 0098c198
0098C007 - 8b f7 - mov esi,edi
0098C009 - 53 - push ebx
0098C00A - c1 ee 04 - shr esi,04
0098C00D - 0f b6 19 - movzx ebx,byte ptr [ecx]
0098C010 - 8b d0 - mov edx,eax
0098C012 - c1 ea 18 - shr edx,18
0098C015 - 33 d3 - xor edx,ebx
0098C017 - 8b d8 - mov ebx,eax
0098C019 - 8b 04 95 18 c6 b9 00 - mov eax,[edx*4+ztltaskmemreallocimp+1a8567]
0098C020 - c1 e3 08 - shl ebx,08
0098C023 - 33 c3 - xor eax,ebx
0098C025 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C029 - 8b d0 - mov edx,eax
0098C02B - c1 ea 18 - shr edx,18
0098C02E - 33 d3 - xor edx,ebx
0098C030 - 8b 14 95 18 c6 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a8567]
0098C037 - c1 e0 08 - shl eax,08
0098C03A - 33 d0 - xor edx,eax
0098C03C - 8b c2 - mov eax,edx
0098C03E - c1 e8 18 - shr eax,18
0098C041 - c1 e2 08 - shl edx,08
0098C044 - 41 - inc ecx
0098C045 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C049 - 33 c3 - xor eax,ebx
0098C04B - 8b 04 85 18 c6 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a8567]
0098C052 - 33 c2 - xor eax,edx
0098C054 - 41 - inc ecx
0098C055 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C059 - 8b d0 - mov edx,eax
0098C05B - c1 ea 18 - shr edx,18
0098C05E - 33 d3 - xor edx,ebx
0098C060 - 8b 14 95 18 c6 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a8567]
0098C067 - c1 e0 08 - shl eax,08
0098C06A - 33 d0 - xor edx,eax
0098C06C - 41 - inc ecx
0098C06D - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C071 - 8b c2 - mov eax,edx
0098C073 - c1 e8 18 - shr eax,18
0098C076 - 33 c3 - xor eax,ebx
0098C078 - 8b 04 85 18 c6 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a8567]
0098C07F - c1 e2 08 - shl edx,08
0098C082 - 33 c2 - xor eax,edx
0098C084 - 41 - inc ecx
0098C085 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C089 - 8b d0 - mov edx,eax
0098C08B - c1 ea 18 - shr edx,18
0098C08E - 33 d3 - xor edx,ebx
0098C090 - 8b 14 95 18 c6 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a8567]
0098C097 - c1 e0 08 - shl eax,08
0098C09A - 33 d0 - xor edx,eax
0098C09C - 41 - inc ecx
0098C09D - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C0A1 - 8b c2 - mov eax,edx
0098C0A3 - c1 e8 18 - shr eax,18
0098C0A6 - 33 c3 - xor eax,ebx
0098C0A8 - 8b 04 85 18 c6 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a8567]
0098C0AF - c1 e2 08 - shl edx,08
0098C0B2 - 33 c2 - xor eax,edx
0098C0B4 - 41 - inc ecx
0098C0B5 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C0B9 - 8b d0 - mov edx,eax
0098C0BB - c1 ea 18 - shr edx,18
0098C0BE - 33 d3 - xor edx,ebx
0098C0C0 - 8b 14 95 18 c6 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a8567]
0098C0C7 - 41 - inc ecx
0098C0C8 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C0CC - c1 e0 08 - shl eax,08
0098C0CF - 33 d0 - xor edx,eax
0098C0D1 - 8b c2 - mov eax,edx
0098C0D3 - 41 - inc ecx
0098C0D4 - c1 e8 18 - shr eax,18
0098C0D7 - 33 c3 - xor eax,ebx
0098C0D9 - 8b 04 85 18 c6 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a8567]
0098C0E0 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C0E4 - c1 e2 08 - shl edx,08
0098C0E7 - 33 c2 - xor eax,edx
0098C0E9 - 41 - inc ecx
0098C0EA - 8b d0 - mov edx,eax
0098C0EC - c1 ea 18 - shr edx,18
0098C0EF - 33 d3 - xor edx,ebx
0098C0F1 - 8b 14 95 18 c6 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a8567]
0098C0F8 - c1 e0 08 - shl eax,08
0098C0FB - 33 d0 - xor edx,eax
0098C0FD - 41 - inc ecx
0098C0FE - 0f b6 19 - movzx ebx,byte ptr [ecx]
0098C101 - 8b c2 - mov eax,edx
0098C103 - c1 e8 18 - shr eax,18
0098C106 - 33 c3 - xor eax,ebx
0098C108 - 8b 04 85 18 c6 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a8567]
0098C10F - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C113 - c1 e2 08 - shl edx,08
0098C116 - 33 c2 - xor eax,edx
0098C118 - 8b d0 - mov edx,eax
0098C11A - c1 ea 18 - shr edx,18
0098C11D - 33 d3 - xor edx,ebx
0098C11F - 8b 14 95 18 c6 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a8567]
0098C126 - c1 e0 08 - shl eax,08
0098C129 - 33 d0 - xor edx,eax
0098C12B - 41 - inc ecx
0098C12C - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C130 - 8b c2 - mov eax,edx
0098C132 - c1 e8 18 - shr eax,18
0098C135 - 33 c3 - xor eax,ebx
0098C137 - 8b 04 85 18 c6 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a8567]
0098C13E - c1 e2 08 - shl edx,08
0098C141 - 33 c2 - xor eax,edx
0098C143 - 41 - inc ecx
0098C144 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C148 - 8b d0 - mov edx,eax
0098C14A - c1 ea 18 - shr edx,18
0098C14D - 33 d3 - xor edx,ebx
0098C14F - 8b 14 95 18 c6 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a8567]
0098C156 - 41 - inc ecx
0098C157 - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C15B - c1 e0 08 - shl eax,08
0098C15E - 33 d0 - xor edx,eax
0098C160 - 41 - inc ecx
0098C161 - 8b c2 - mov eax,edx
0098C163 - c1 e8 18 - shr eax,18
0098C166 - 33 c3 - xor eax,ebx
0098C168 - 8b 04 85 18 c6 b9 00 - mov eax,[eax*4+ztltaskmemreallocimp+1a8567]
0098C16F - 0f b6 59 01 - movzx ebx,byte ptr [ecx+01]
0098C173 - c1 e2 08 - shl edx,08
0098C176 - 33 c2 - xor eax,edx
0098C178 - 41 - inc ecx
0098C179 - 8b d0 - mov edx,eax
0098C17B - c1 ea 18 - shr edx,18
0098C17E - 33 d3 - xor edx,ebx
0098C180 - 8b 14 95 18 c6 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a8567]
0098C187 - c1 e0 08 - shl eax,08
0098C18A - 33 c2 - xor eax,edx
0098C18C - 41 - inc ecx
0098C18D - 83 ef 10 - sub edi,10
0098C190 - 4e - dec esi
0098C191 - 0f 85 76 fe ff ff - jne 0098c00d
0098C197 - 5b - pop ebx
0098C198 - 85 ff - test edi,edi
0098C19A - 76 1a - jna 0098c1b6
0098C19C - 0f b6 31 - movzx esi,byte ptr [ecx]
0098C19F - 8b d0 - mov edx,eax
0098C1A1 - c1 ea 18 - shr edx,18
0098C1A4 - 33 d6 - xor edx,esi
0098C1A6 - 8b 14 95 18 c6 b9 00 - mov edx,[edx*4+ztltaskmemreallocimp+1a8567]
0098C1AD - c1 e0 08 - shl eax,08
0098C1B0 - 33 c2 - xor eax,edx
0098C1B2 - 41 - inc ecx
0098C1B3 - 4f - dec edi
0098C1B4 - 75 e6 - jne 0098c19c
0098C1B6 - 5f - pop edi
0098C1B7 - 5e - pop esi
0098C1B8 - 5d - pop ebp
0098C1B9 - c3 - ret
MSCRC Calculation Routine:
Code: Select all
What calls the calculation routine?
InitialHash:
push ebx
push esi
xor esi, esi
push esi ; bUseHash
push esi ; ulInitialHash
lea eax, [ebp+lpBuffer]
push 2 ; nSize
push eax ; lpStartAddress
call CalculateCRC32
add esp, 10h
mov ebx, eax
CalculateHash:
mov eax, [edi+1Ch]
test eax, eax
jz short SendHash
cmp esi, [eax-4]
jnb short SendHash
push 1 ; bUseHash
lea eax, [eax+esi*8]
push ebx ; ulInitialHash
push dword ptr [eax+4] ; nSize
push dword ptr [eax] ; lpStartAddress
call CalculateCRC32
add esp, 10h
mov ebx, eax
inc esi
jmp short CalculateHash
The game first generates an initial hash which it then uses on the other hashes, according to the buffer size. The really great thing about this is that even though this is happening, the game calls completely static sizes. So it's very predictable.Code: Select all
//MSEA v93: CRC Calculation Routine Call
//InitialHash:
00A508D2 - 53 - push ebx
00A508D3 - 56 - push esi
00A508D4 - 33 f6 - xor esi,esi
00A508D6 - 56 - push esi
00A508D7 - 56 - push esi
00A508D8 - 56 - push esi
00A508D9 - 8d 45 08 - lea eax,[ebp+08]
00A508DC - 6a 02 - push 02
00A508DE - 50 - push eax
00A508DF - 89 75 fc - mov [ebp-04],esi
00A508E2 - e8 41 a2 a5 ff - call 004aab28
00A508E7 - 83 c4 14 - add esp,14
00A508EA - 8b d8 - mov ebx,eax
//Calculate Hash
00A508EC - 8b 47 04 - mov eax,[edi+04]
00A508EF - 85 c0 - test eax,eax
00A508F1 - 74 21 - je ztltaskmemreallocimp+5c863
00A508F3 - 3b 70 fc - cmp esi,[eax-04]
00A508F6 - 73 1c - jae ztltaskmemreallocimp+5c863
00A508F8 - 8d 4d fc - lea ecx,[ebp-04]
00A508FB - 51 - push ecx
00A508FC - 6a 01 - push 01
00A508FE - 8d 04 f0 - lea eax,[eax+esi*8]
00A50901 - 53 - push ebx
00A50902 - ff 70 04 - push [eax+04]
00A50905 - ff 30 - push [eax]
00A50907 - e8 1c a2 a5 ff - call 004aab28
00A5090C - 83 c4 14 - add esp,14
00A5090F - 8b d8 - mov ebx,eax
00A50911 - 46 - inc esi
00A50912 - eb d8 - jmp ztltaskmemreallocimp+5c83b
I hope we can make the bypass ASAP, with these info. **ALERT!!! We now have 3 enemies instead of 2!!! 2 MSCRC checks and a HSCRC check!!!!!
