The community that will never stop discussing!
https://xemectrum.guyz92.men/
ok so wad do i need to do with the crc to make a bypass??mind teaching??Raiden wrote:You`re right.
dude if you want a bypass so badly learn C++losttale wrote:ok so wad do i need to do with the crc to make a bypass??mind teaching??Raiden wrote:You`re right.
Code: Select all
#include <windows.h>
#define CALC_JMPDISTANCE(start, target) (int)(((int)target-(int)start)-5)
int nCRCRegionSize = 0x872501;
DWORD dwCRCRegionStart = 0x00401000;
DWORD dwCRCRegionEnd = dwCRCRegionStart+nCRCRegionSize;
int nCRCReturnSize = 6;
DWORD dwCRCFunction;
DWORD dwCRCReturn;
DWORD dwOpenProcessReturn = (DWORD)OpenProcess + 5;
LPVOID lpvNewCRCRegion;
static const BYTE cbCRCArrayOfBytes[16] = {
0x0F, 0xB6, 0x09, 0x8B,
0x55, 0x14, 0x8B, 0x12,
0x33, 0xD1, 0x81, 0xE2,
0xFF, 0x00, 0x00, 0x00
};
static const WCHAR szCRCMask[] = L"xxxxxxxxxxxxxxxx";
// LPVOID lpvStartAddress - address to start searching at
// DWORD cdwSearchSize - number of bytes to keep searching for
// LPBYTE lpbMemory - memory to search for
// LPCTSTR lpcszMask - search mask
LPVOID FindMemory(__in LPCVOID lpcvStart, __in DWORD cdwSearchSize, __in LPCBYTE lpbMemory, __in_z LPCWSTR lpcszMask)
{
LPBYTE pCurrent = (LPBYTE)lpcvStart;
BOOL bFound = FALSE;
for(; (DWORD)pCurrent < (DWORD)lpcvStart+cdwSearchSize; pCurrent++)
{
for(UINT i = 0; i < wcslen(lpcszMask); i++, bFound = TRUE)
{
if(lpcszMask[i] != 0x3F) // '?'
{
if(pCurrent[i] != lpbMemory[i])
{
bFound = FALSE;
break;
}
}
else
continue;
}
if(bFound)
return pCurrent;
}
return NULL;
}
__declspec(naked) VOID WINAPI OpenProcessHook()
{
__asm {
MOV EAX, DWORD PTR FS:[20h]
CMP EAX, DWORD PTR [ESP+0Ch]
JNZ Return
MOV BYTE PTR FS:[34h], 57
XOR EAX, EAX
RETN 0Ch
Return:
PUSH EBP
MOV EBP, ESP
JMP DWORD PTR [dwOpenProcessReturn]
}
}
__declspec(naked) VOID WINAPI MapleStoryCRCHook()
{
__asm {
PUSH EAX
LEA EAX, DWORD PTR [ECX]
CMP EAX, [dwCRCRegionStart]
JB Exit
CMP EAX, [dwCRCRegionEnd]
JA Exit
PUSH EBX
MOV EBX, [lpvNewCRCRegion]
SUB EAX, [dwCRCRegionStart]
ADD EAX, EBX
MOVZX ECX, BYTE PTR [EAX]
POP EBX
POP EAX
JMP Return
Exit:
POP EAX
MOVZX ECX, BYTE PTR [ECX]
Return:
MOV EDX, [EBP+14h]
JMP [dwCRCReturn]
}
}
inline BOOL BypassHackShieldCRC(__in BOOL bBypass)
{
static BOOL bEnabled = FALSE;
static LPVOID lpvOldMemory;
static DWORD dwProtection;
BOOL bRet = FALSE;
if(bBypass && !bEnabled)
{
if(VirtualProtect((LPVOID)OpenProcess, 5, PAGE_EXECUTE_READWRITE, &dwProtection))
{
__try {
lpvOldMemory = HeapAlloc(GetProcessHeap(), 0, 5);
if(lpvOldMemory != NULL)
{
CopyMemory(lpvOldMemory, (LPVOID)OpenProcess, 5);
*(BYTE*)OpenProcess = 0xE9; // JMP
*(DWORD*)((DWORD)OpenProcess+1) = CALC_JMPDISTANCE(OpenProcess, OpenProcessHook);
bEnabled = TRUE;
bRet = TRUE;
}
}
__except(EXCEPTION_EXECUTE_HANDLER) {}
if(!bEnabled)
VirtualProtect((LPVOID)dwCRCRegionStart, nCRCRegionSize, dwProtection, &dwProtection);
}
}
else if(!bBypass && bEnabled)
{
__try {
CopyMemory((LPVOID)OpenProcess, lpvOldMemory, nCRCReturnSize);
HeapFree(GetProcessHeap(), 0, lpvOldMemory);
if(VirtualProtect((LPVOID)dwCRCRegionStart, nCRCRegionSize, dwProtection, &dwProtection))
{
bEnabled = FALSE;
bRet = TRUE;
}
if(!bEnabled)
VirtualProtect((LPVOID)dwCRCRegionStart, nCRCRegionSize, PAGE_EXECUTE_READWRITE, &dwProtection);
}
__except(EXCEPTION_EXECUTE_HANDLER) {}
}
return bRet;
}
inline BOOL BypassMapleStoryCRC(__in BOOL bBypass)
{
static BOOL bEnabled = FALSE;
static LPVOID lpvOldMemory;
static DWORD dwProtection;
BOOL bRet = FALSE;
if(bBypass && !bEnabled)
{
VirtualProtect((LPVOID)0x00400000, 0x070000000 - 0x00400000, PAGE_EXECUTE_READWRITE, &dwProtection);
dwCRCFunction = (DWORD)FindMemory((LPCVOID)0x00400000, 0x070000000 - 0x00400000, cbCRCArrayOfBytes, szCRCMask);
if(dwCRCFunction != NULL)
{
dwCRCReturn = dwCRCFunction+nCRCReturnSize;
lpvNewCRCRegion = VirtualAlloc(NULL, nCRCRegionSize, MEM_COMMIT, PAGE_READWRITE);
if(lpvNewCRCRegion != NULL)
{
__try {
CopyMemory(lpvNewCRCRegion, (LPVOID)dwCRCRegionStart, nCRCRegionSize); // copy CRC
lpvOldMemory = HeapAlloc(GetProcessHeap(), 0, nCRCReturnSize);
if(lpvOldMemory != NULL)
{
CopyMemory(lpvOldMemory, (LPVOID)dwCRCFunction, nCRCReturnSize);
*(BYTE*)dwCRCFunction = 0xE9; // JMP
*(DWORD*)(dwCRCFunction+1) = CALC_JMPDISTANCE(dwCRCFunction, MapleStoryCRCHook);
FillMemory((LPVOID)(dwCRCFunction+5), nCRCReturnSize-5, 0x90); // fill remaining bytes with NOPs
bEnabled = TRUE;
bRet = TRUE;
}
}
__except(EXCEPTION_EXECUTE_HANDLER) {}
}
}
VirtualProtect((LPVOID)0x00400000, 0x070000000 - 0x00400000, dwProtection, &dwProtection);
}
else if(!bBypass && bEnabled)
{
if(VirtualFree(lpvNewCRCRegion, nCRCRegionSize, MEM_DECOMMIT))
{
__try {
CopyMemory((LPVOID)dwCRCFunction, lpvOldMemory, nCRCReturnSize);
HeapFree(GetProcessHeap(), 0, lpvOldMemory);
bEnabled = FALSE;
bRet = TRUE;
}
__except(EXCEPTION_EXECUTE_HANDLER) {}
}
}
return bRet;
}
BOOL APIENTRY DllMain(__in HMODULE hModule, __in DWORD fdwReason, __in LPVOID lpvReserved)
{
UNREFERENCED_PARAMETER(lpvReserved);
switch(fdwReason)
{
case DLL_PROCESS_ATTACH:
if(BypassHackShieldCRC(TRUE) && BypassMapleStoryCRC(TRUE))
{
DisableThreadLibraryCalls(hModule);
break;
}
return FALSE;
case DLL_PROCESS_DETACH:
BypassHackShieldCRC(FALSE);
BypassMapleStoryCRC(FALSE);
break;
}
return TRUE;
}
Code: Select all
#include <windows.h>
#include <stdio.h>
#include <process.h>
FILE* Log = 0;
unsigned long Return = 0;
void* Service = 0;
/*
EhSvc.dll Export Summary
Export Args Type Name
- 1 6 void Initialize
- 2 0 int StartService
- 3 0 int StopService
- 4 0 void Clear
- 5 0 void Unknown
- 6 2 void Unknown
- 7 0 int Unknown
- 8 1 int Unused
- 9 1 int Unused
- 10 1 int Initialize_2
- 11 ? ? Unknown
- 12 2 int MakeAckMsg
- 13 2 int MakeGuidAckMsg
- 14 2 void SaveSafeFunc
- 15 3 int Unused
- 16 3 int Unused
*/
enum ShieldFunctions
{
Shield_None,
Shield_Initialize,
Shield_StartService,
Shield_StopService,
Shield_Clear,
Shield_Unknown01,
Shield_Unknown02,
Shield_Unknown03,
Shield_Unused01,
Shield_Unused02,
Shield_Initialize_2,
Shield_Unknown04,
Shield_MakeAckMsg,
Shield_MakeGuidAckMsg,
Shield_SaveSafeFunc,
Shield_Unused03,
Shield_Unused04,
};
const char* ShieldNames[] =
{
"Initialize",
"StartService",
"StopService",
"Clear",
"Unknown01",
"Unknown02",
"Unknown03",
"Unused01",
"Unused02",
"Initialize_2",
"Unknown04",
"MakeAckMsg",
"MakeGuidAckMsg",
"SaveSafeFunc",
"Unused03",
"Unused04",
};
unsigned long HookJMP ( unsigned char* pbSource, unsigned char* pbDest )
{
unsigned long dwOldMask;
if ( VirtualProtect ( pbSource, 5, 0x40, &dwOldMask ) )
{
unsigned char* pbBuffer = (unsigned char*) malloc ( 10 );
memcpy ( pbBuffer, pbSource, 5 );
pbBuffer += 5;
pbBuffer [0] = 0xE9;
pbSource [0] = 0xE9;
*(unsigned long*)(pbBuffer + 1) = (unsigned long)( pbSource + 5 - pbBuffer ) - 5;
*(unsigned long*)(pbSource + 1) = (unsigned long)( pbDest - pbSource ) - 5;
VirtualProtect ( pbSource, 5, dwOldMask, &dwOldMask );
return (unsigned long) (pbBuffer - 5);
}
return 0;
}
unsigned long Real_CreateGUID = 0;
int WINAPI Shield_CreateGUID ( char* BufferIn, char* BufferOut )
{
_asm pushad
fprintf ( Log, "B IN\t%i %s\nB OUT\t%i %s\n", strlen ( BufferIn ), BufferIn, strlen ( BufferOut ), BufferOut );
fflush ( Log );
_asm popad
_asm push BufferOut
_asm push BufferIn
_asm call Real_CreateGUID
_asm pushad
fprintf ( Log, "A IN\t%i %s\nA OUT\t%i %s\n", strlen ( BufferIn ), BufferIn, strlen ( BufferOut ), BufferOut );
fflush ( Log );
_asm popad
}
__declspec ( naked ) void Shield_GenericBypass ( void )
{
_asm pop Return
_asm xor eax, eax
_asm jmp Return
}
unsigned long pReal_GetProcAddress = 0;
FARPROC __stdcall GetProcAddress_Hook ( void* Module, int Function )
{
FARPROC Address = 0;
_asm push Function
_asm push Module
_asm call pReal_GetProcAddress
_asm mov Address, eax
_asm pushad
if ( Module == Service )
{
fprintf ( Log, "[HackedShield] Redirecting function %s\n", ShieldNames [Function - 1] );
fflush ( Log );
switch ( Function )
{
case Shield_MakeGuidAckMsg:
Real_CreateGUID = (unsigned long) Address;
Address = (FARPROC) Shield_CreateGUID;
break;
default:
Address = (FARPROC) Shield_GenericBypass;
break;
}
}
_asm popad
return Address;
}
unsigned long pReal_LoadLibrary = 0;
void* __stdcall LoadLibrary_Hook ( char* Module )
{
void* Handle = 0;
_asm push Module
_asm call pReal_LoadLibrary
_asm mov Handle, eax
_asm pushad
if ( strstr ( Module, "EhSvc.dll" ) )
{
MessageBox ( 0, 0, 0, 0 );
Service = Handle;
}
_asm popad
return Handle;
}
int __stdcall DllMain ( HMODULE Dll, unsigned long Reason, void* Reserved )
{
if ( Reason == 1 )
{
DWORD Protect;
char LogPath [MAX_PATH];
GetModuleFileName ( Dll, LogPath, sizeof ( LogPath ) );
strcpy ( &LogPath [strlen ( LogPath ) - 3], "log" );
Log = fopen ( LogPath, "w+" );
HMODULE Kernel = GetModuleHandle ( "kernel32.dll" );
pReal_LoadLibrary = HookJMP ( (unsigned char*) GetProcAddress ( Kernel, "LoadLibraryA" ), (unsigned char*) LoadLibrary_Hook );
pReal_GetProcAddress = HookJMP ( (unsigned char*) GetProcAddress ( Kernel, "GetProcAddress" ), (unsigned char*) GetProcAddress_Hook );
}
return 1;
} wa fierce wor...lucky i nvr pm u ask for tut...lol...Raiden wrote:No requesting for hacks.
Those STUPID DUMB NOOB F***ING LEECHERS that spam PMs to me is SAMPAH MASYARAKAT!!!!!!!!!
Do not PM me for requsting hw to make or release or EVEN buy $$. I`ll not reply AT ALL!!!!!
i thought u will teach? i pm-ed u saying tat i have my own bypass jus need some1 to teachRaiden wrote:Go find a bypass first. When you found, then I`ll teach. I wont share my bypass to anyone.malvis wrote:
Any chance that you could teach me? I don't want this to be released public but yet i wanna learn.