Useful code

Raiden
Holy Philosopher
Posts: 889
Joined: Sat Jan 09, 2010 8:45 pm
Location: Capital of Malaysia

Useful code

Post by Raiden »

Pros only, noobs get OUT


Okay, from what I've researched in the past week, I found a useful code:

MSEA v94:

Code:

00A6FBCA - b9 01 05 01 00             - mov ecx,00010501

Code:

00A6FBA7 - 55                         - push ebp
00A6FBA8 - 8b ec                      - mov ebp,esp
00A6FBAA - 51                         - push ecx
00A6FBAB - 51                         - push ecx
00A6FBAC - 53                         - push ebx
00A6FBAD - 56                         - push esi
00A6FBAE - 8b f1                      - mov esi,ecx
00A6FBB0 - 57                         - push edi
00A6FBB1 - 8d 4e 18                   - lea ecx,[esi+18]
00A6FBB4 - e8 f7 ae f0 ff             - call 0097aab0 (trace the call??)
00A6FBB9 - 85 c0                      - test eax,eax (now where the eax comes from?)
00A6FBBB - 0f 84 b7 00 00 00          - je 00a6fc78 (if jle, then what happens?)
00A6FBC1 - 8b 46 48                   - mov eax,[esi+48]
00A6FBC4 - 8b 3d 60 20 b1 00          - mov edi,[00b12060] : [039F056F] (GetTickCount)
00A6FBCA - b9 01 05 01 00             - mov ecx,00010501 : [00000000] (Error code 10501: Hack Attempt Detected)
00A6FBCF - 3b c1                      - cmp eax,ecx 
00A6FBD1 - bb 01 00 01 00             - mov ebx,00010001 : [DA9C13C5]
00A6FBD6 - 7f 3f                      - jg 00a6fc17
00A6FBD8 - 3b c1                      - cmp eax,ecx
00A6FBDA - 0f 84 81 00 00 00          - je 00a6fc61 (If eax(error code) = 10501, go!!!)
00A6FBE0 - 3b c3                      - cmp eax,ebx
00A6FBE2 - 74 2c                      - je 00a6fc10
00A6FBE4 - 3d 02 01 01 00             - cmp eax,00010102 : [00000000]
00A6FBE9 - 74 76                      - je 00a6fc61
00A6FBEB - 3d 04 01 01 00             - cmp eax,00010104 : [00000000]
00A6FBF0 - 74 6f                      - je 00a6fc61
00A6FBF2 - 3d 00 03 01 00             - cmp eax,00010300 : [00000000]
00A6FBF7 - 7e 41                      - jle 00a6fc3a
00A6FBF9 - 3d 03 03 01 00             - cmp eax,00010303 : [00000000]
00A6FBFE - 7e 61                      - jle 00a6fc61
00A6FC00 - 3d 05 03 01 00             - cmp eax,00010305 : [00000000]
00A6FC05 - 7e 33                      - jle 00a6fc3a
00A6FC07 - 3d 08 03 01 00             - cmp eax,00010308 : [00000000]
00A6FC0C - 7e 53                      - jle 00a6fc61
00A6FC0E - eb 2a                      - jmp 00a6fc3a
00A6FC10 - ff d7                      - call edi
00A6FC12 - 89 46 5c                   - mov [esi+5c],eax
00A6FC15 - eb 23                      - jmp 00a6fc3a
00A6FC17 - 3d 01 06 01 00             - cmp eax,00010601 : [77006F00]
00A6FC1C - 74 43                      - je 00a6fc61
00A6FC1E - 3d 00 07 01 00             - cmp eax,00010700 : [00000000]
00A6FC23 - 7e 15                      - jle 00a6fc3a
00A6FC25 - 3d 06 07 01 00             - cmp eax,00010706 : [00000000]
00A6FC2A - 7e 35                      - jle 00a6fc61
00A6FC2C - 3d 01 08 01 00             - cmp eax,00010801 : [00000000]
00A6FC31 - 74 2e                      - je 00a6fc61
00A6FC33 - 3d 01 0a 01 00             - cmp eax,00010a01 : [00000000]
00A6FC38 - 74 27                      - je 00a6fc61
00A6FC3A - 83 66 48 00                - and dword ptr [esi+48],00
00A6FC3E - ff d7                      - call edi
00A6FC40 - 2b 46 5c                   - sub eax,[esi+5c]
00A6FC43 - 3d 60 ea 00 00             - cmp eax,0000ea60
00A6FC48 - 76 2e                      - jna 00a6fc78
00A6FC4A - 53                         - push ebx
00A6FC4B - 8d 4d f8                   - lea ecx,[ebp-08]
00A6FC4E - e8 2a 00 00 00             - call 00a6fc7d
00A6FC53 - 68 18 81 bb 00             - push 00bb8118 : [00000000]
00A6FC58 - 8d 45 f8                   - lea eax,[ebp-08]
00A6FC5B - 50                         - push eax
00A6FC5C - e8 d2 28 01 00             - call 00a82533
00A6FC61 - 50                         - push eax (from here, error code 10501 will be processed)
00A6FC62 - 8d 4d f8                   - lea ecx,[ebp-08]
00A6FC65 - e8 13 00 00 00             - call 00a6fc7d (trace call?)
00A6FC6A - 68 18 81 bb 00             - push 00bb8118 : [00000000]
00A6FC6F - 8d 45 f8                   - lea eax,[ebp-08]
00A6FC72 - 50                         - push eax
00A6FC73 - e8 bb 28 01 00             - call 00a82533 (trace call?)
00A6FC78 - 5f                         - pop edi
00A6FC79 - 5e                         - pop esi
00A6FC7A - 5b                         - pop ebx
00A6FC7B - c9                         - leave
00A6FC7C - c3                         - ret


If we can trace the functions and calls, it'll be something useful.
Last edited by Raiden on Mon Aug 30, 2010 11:04 pm, edited 2 times in total.
PIEzLOVERS
Master of Darkness
Posts: 431
Joined: Sat Dec 12, 2009 9:01 pm
Location: Heaven !

Re: Useful code

Post by PIEzLOVERS »

And what does that do?
(My MSEA Crashed)
Can't test it out
guyz92
The Emperor
Posts: 503
Joined: Sat Aug 29, 2009 8:52 am

Re: Useful code

Post by guyz92 »

Raiden wrote: Pros only, noobs get OUT


Okay, from what I've researched in the past week, I found a useful code:

MSEA v94:

Code:

00A6FBCA - b9 01 05 01 00             - mov ecx,00010501
If we can trace the functions and calls, it'll be something useful.
That code mov ecx,10501 means ecx value=10501 (hex). That's all I can provide.
Raiden
Holy Philosopher
Posts: 889
Joined: Sat Jan 09, 2010 8:45 pm
Location: Capital of Malaysia

Re: Useful code

Post by Raiden »

guyz92 wrote:
Raiden wrote: Pros only, noobs get OUT


Okay, from what I've researched in the past week, I found a useful code:

MSEA v94:

Code:

00A6FBCA - b9 01 05 01 00             - mov ecx,00010501
If we can trace the functions and calls, it'll be something useful.
That code mov ecx,10501 means ecx value=10501 (hex). That's all I can provide.
No...no.....
That is part of the HS callback function that assigns HAD messages. Error code 10501 (Hack Attempt Detected).

If we can trace the calls/functions until the end and reverse/nop/force-jump the function, a new bypass will form, and it is the absolutely immortal bypass. Meaning, if we did it, HS WON'T crash Maple down and give HAD when it detects hacks. SWEET!!!!!! (If can do that la.....zzzzz)

Code:

00A6FBA7 - 55                         - push ebp
00A6FBA8 - 8b ec                      - mov ebp,esp
00A6FBAA - 51                         - push ecx
00A6FBAB - 51                         - push ecx
00A6FBAC - 53                         - push ebx
00A6FBAD - 56                         - push esi
00A6FBAE - 8b f1                      - mov esi,ecx
00A6FBB0 - 57                         - push edi
00A6FBB1 - 8d 4e 18                   - lea ecx,[esi+18]
00A6FBB4 - e8 f7 ae f0 ff             - call 0097aab0 (trace the call??)
00A6FBB9 - 85 c0                      - test eax,eax (now where the eax comes from?)
00A6FBBB - 0f 84 b7 00 00 00          - je 00a6fc78 (if jle, then what happens?)
00A6FBC1 - 8b 46 48                   - mov eax,[esi+48]
00A6FBC4 - 8b 3d 60 20 b1 00          - mov edi,[00b12060] : [039F056F] (GetTickCount)
00A6FBCA - b9 01 05 01 00             - mov ecx,00010501 : [00000000] (Error code 10501: Hack Attempt Detected)
00A6FBCF - 3b c1                      - cmp eax,ecx 
00A6FBD1 - bb 01 00 01 00             - mov ebx,00010001 : [DA9C13C5]
00A6FBD6 - 7f 3f                      - jg 00a6fc17
00A6FBD8 - 3b c1                      - cmp eax,ecx
00A6FBDA - 0f 84 81 00 00 00          - je 00a6fc61 (If eax(error code) = 10501, go!!!)
00A6FBE0 - 3b c3                      - cmp eax,ebx
00A6FBE2 - 74 2c                      - je 00a6fc10
00A6FBE4 - 3d 02 01 01 00             - cmp eax,00010102 : [00000000]
00A6FBE9 - 74 76                      - je 00a6fc61
00A6FBEB - 3d 04 01 01 00             - cmp eax,00010104 : [00000000]
00A6FBF0 - 74 6f                      - je 00a6fc61
00A6FBF2 - 3d 00 03 01 00             - cmp eax,00010300 : [00000000]
00A6FBF7 - 7e 41                      - jle 00a6fc3a
00A6FBF9 - 3d 03 03 01 00             - cmp eax,00010303 : [00000000]
00A6FBFE - 7e 61                      - jle 00a6fc61
00A6FC00 - 3d 05 03 01 00             - cmp eax,00010305 : [00000000]
00A6FC05 - 7e 33                      - jle 00a6fc3a
00A6FC07 - 3d 08 03 01 00             - cmp eax,00010308 : [00000000]
00A6FC0C - 7e 53                      - jle 00a6fc61
00A6FC0E - eb 2a                      - jmp 00a6fc3a
00A6FC10 - ff d7                      - call edi
00A6FC12 - 89 46 5c                   - mov [esi+5c],eax
00A6FC15 - eb 23                      - jmp 00a6fc3a
00A6FC17 - 3d 01 06 01 00             - cmp eax,00010601 : [77006F00]
00A6FC1C - 74 43                      - je 00a6fc61
00A6FC1E - 3d 00 07 01 00             - cmp eax,00010700 : [00000000]
00A6FC23 - 7e 15                      - jle 00a6fc3a
00A6FC25 - 3d 06 07 01 00             - cmp eax,00010706 : [00000000]
00A6FC2A - 7e 35                      - jle 00a6fc61
00A6FC2C - 3d 01 08 01 00             - cmp eax,00010801 : [00000000]
00A6FC31 - 74 2e                      - je 00a6fc61
00A6FC33 - 3d 01 0a 01 00             - cmp eax,00010a01 : [00000000]
00A6FC38 - 74 27                      - je 00a6fc61
00A6FC3A - 83 66 48 00                - and dword ptr [esi+48],00
00A6FC3E - ff d7                      - call edi
00A6FC40 - 2b 46 5c                   - sub eax,[esi+5c]
00A6FC43 - 3d 60 ea 00 00             - cmp eax,0000ea60
00A6FC48 - 76 2e                      - jna 00a6fc78
00A6FC4A - 53                         - push ebx
00A6FC4B - 8d 4d f8                   - lea ecx,[ebp-08]
00A6FC4E - e8 2a 00 00 00             - call 00a6fc7d
00A6FC53 - 68 18 81 bb 00             - push 00bb8118 : [00000000]
00A6FC58 - 8d 45 f8                   - lea eax,[ebp-08]
00A6FC5B - 50                         - push eax
00A6FC5C - e8 d2 28 01 00             - call 00a82533
00A6FC61 - 50                         - push eax (from here, error code 10501 will be processed)
00A6FC62 - 8d 4d f8                   - lea ecx,[ebp-08]
00A6FC65 - e8 13 00 00 00             - call 00a6fc7d (trace call?)
00A6FC6A - 68 18 81 bb 00             - push 00bb8118 : [00000000]
00A6FC6F - 8d 45 f8                   - lea eax,[ebp-08]
00A6FC72 - 50                         - push eax
00A6FC73 - e8 bb 28 01 00             - call 00a82533 (trace call?)
00A6FC78 - 5f                         - pop edi
00A6FC79 - 5e                         - pop esi
00A6FC7A - 5b                         - pop ebx
00A6FC7B - c9                         - leave
00A6FC7C - c3                         - ret
Maybe we can do something with this?
Last edited by Raiden on Mon Aug 30, 2010 10:52 pm, edited 2 times in total.
PIEzLOVERS
Master of Darkness
Posts: 431
Joined: Sat Dec 12, 2009 9:01 pm
Location: Heaven !

Re: Useful code

Post by PIEzLOVERS »

That would normally require code caves; then just change

Code:

00A6FBCA - b9 01 05 01 00             - mov ecx,00010501
to

Code:

00A6FBCA - b9 01 05 01 00             - mov eax,00010501
Raiden
Holy Philosopher
Posts: 889
Joined: Sat Jan 09, 2010 8:45 pm
Location: Capital of Malaysia

Re: Useful code

Post by Raiden »

..... You can't just edit that to make a bypass, right? It's making things worse.

maybe this?

Code:

[enable]

00A6FBBB:
jmp 00a6fc78//or jle 00a6fc78

[disable]

00A6FBBB:
je 00a6fc78
==================
Jeof
Sacred Guardian
Posts: 373
Joined: Sat Aug 29, 2009 9:32 am
Location: SexBomb

Re: Useful code

Post by Jeof »

Can you post just the MSCRC script over here, please?
Raiden
Holy Philosopher
Posts: 889
Joined: Sat Jan 09, 2010 8:45 pm
Location: Capital of Malaysia

Re: Useful code

Post by Raiden »

Update yourself.

However, it's the HSCRC that kena patched. MSCRC no problem. If HAD, it's just HSCRC that detected changes when you enable the MSCRC bypass.

Code:

//GMS v85 MSCRC, AoB: 0F B6 09 8B 55 14 
[enable]
alloc(mscrc,100)
alloc(copy,1024)
alloc(dump,8856834)
createthread(copy)
label(exitmscrc)
label(mscrcret) 
label(llop)
label(getoutahere)

mscrc:
cmp ecx,00401000
jl exitmscrc
cmp ecx,00C73502
jg exitmscrc
sub ecx,00401000
push eax
lea eax,[dump]
add ecx,eax
pop eax
exitmscrc:
movzx ecx,byte ptr [ecx]
mov edx,[ebp+14]
jmp mscrcret 

copy:
mov eax,00401000
lea ecx,[dump]

llop:
xor ebx,ebx
movzx ebx,byte ptr [eax]
mov byte ptr [ecx],bl
inc eax
inc ecx
cmp eax,00C73500
jg getoutahere
jmp llop
getoutahere:
lea ebx,[dump]
add ebx,64241C
xor eax,eax              
mov al,0F
mov byte ptr [ebx],al
inc ebx
mov al,B6
mov byte ptr [ebx],al
inc ebx
mov al,09
mov byte ptr [ebx],al
inc ebx
mov al,8B
mov byte ptr [ebx],al
inc ebx
mov al,55
mov byte ptr [ebx],al
ret

00A4341C:
jmp mscrc
db 14
mscrcret:

[disable]
00A4341C:
db 0F B6 09 8B 55 14 

dealloc(mscrc)
dealloc(dump)
dealloc(copy)
Last edited by Raiden on Wed Sep 01, 2010 9:42 pm, edited 1 time in total.
PIEzLOVERS
Master of Darkness
Posts: 431
Joined: Sat Dec 12, 2009 9:01 pm
Location: Heaven !

Re: Useful code

Post by PIEzLOVERS »

I suck at ASM :S
So this means that we just have to make the "1" in the HSCRC into "0", right?
evilkie
Master of Darkness
Posts: 227
Joined: Wed Sep 02, 2009 6:15 pm

Re: Useful code

Post by evilkie »

PIEzLOVERS wrote: I suck at ASM :S
So this means that we just have to make the "1" in the HSCRC into "0", right?
No, look:
Raiden wrote:Update yourself.

However, it's the HSCRC that kena patched. MSCRC no problem. If HAD, it's just HSCRC that detected changes when you enable the MSCRC bypass.

Code:

//GMS v85 MSCRC, AoB: 0F B6 09 8B 55 14 
[enable]<---enable part
alloc(mscrc,100)-preparing
alloc(hscrc,100)
alloc(copy,1024)
alloc(dump,8856834)
createthread(copy)<---start bypass
label(exitmscrc)
label(mscrcret) 
label(hscrcret)
label(llop)
label(getoutahere)<---end call to hs

mscrc:
cmp ecx,00401000
jl exitmscrc
cmp ecx,00C73502
jg exitmscrc
sub ecx,00401000
push eax
lea eax,[dump]
add ecx,eax
pop eax
exitmscrc:
movzx ecx,byte ptr [ecx]
mov edx,[ebp+14]
jmp mscrcret 

copy:
mov eax,00401000
lea ecx,[dump]

llop:
xor ebx,ebx
movzx ebx,byte ptr [eax]
mov byte ptr [ecx],bl
inc eax
inc ecx
cmp eax,00C73500
jg getoutahere
jmp llop
getoutahere:
lea ebx,[dump]
add ebx,64241C
xor eax,eax              
mov al,0F
mov byte ptr [ebx],al
inc ebx
mov al,B6
mov byte ptr [ebx],al
inc ebx
mov al,09
mov byte ptr [ebx],al
inc ebx
mov al,8B
mov byte ptr [ebx],al
inc ebx
mov al,55
mov byte ptr [ebx],al
ret

00A4341C:
jmp mscrc
db 14
mscrcret:

[disable]
00A4341C:
db 0F B6 09 8B 55 14 

dealloc(mscrc)
dealloc(dump)
dealloc(copy)
Besides, that's how I think; just someone, not pro, not noob.
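An added example, not code from this thread or from any of its posters: a Python model of why the MSCRC script quoted above (in Raiden's and evilkie's posts) blinds the client's own integrity check, and the independent check a defender would run instead. The script copies the 00401000..00C73502 code range into a private buffer, redirects the checker's byte reads inside that range into the copy, and overwrites the checker's prologue at 00A4341C (0F B6 09 8B 55 14) with a jmp into the cave plus the leftover 14 byte, so a checker that reads its own text through the hooked path still sees the original bytes. The zero-filled code image, its size and the cave address are constructed values.

```python
import struct

# Values taken from the script in the thread; everything else is constructed.
CODE_BASE = 0x00401000                    # start of the range the checker covers
CHECK_ADDR = 0x00A4341C                   # checker instruction the script hooks
EXPECTED = bytes.fromhex("0FB6098B5514")  # movzx ecx,byte ptr [ecx] ; mov edx,[ebp+14]

def make_image(size):
    """Constructed code image: zero-filled except for the checker's real prologue."""
    image = bytearray(size)
    off = CHECK_ADDR - CODE_BASE
    image[off:off + len(EXPECTED)] = EXPECTED
    return image

def apply_shadow_hook(image, cave_addr):
    """Model of what the script does: snapshot the clean bytes into a shadow copy,
    then patch the live checker with a 5-byte near jmp to the cave and 'db 14'
    so the replaced 6-byte span keeps its length."""
    shadow = bytes(image)
    off = CHECK_ADDR - CODE_BASE
    rel32 = (cave_addr - (CHECK_ADDR + 5)) & 0xFFFFFFFF
    image[off:off + 6] = b"\xE9" + struct.pack("<I", rel32) + b"\x14"
    return shadow

def read_via_hooked_checker(image, shadow, addr, n=6):
    """The hooked checker serves in-range reads from the shadow copy, so it can
    never observe a patch inside the range it is supposed to verify."""
    src = shadow if CODE_BASE <= addr < CODE_BASE + len(image) else image
    off = addr - CODE_BASE
    return bytes(src[off:off + n])

def detect_inline_hook(image):
    """Defender-side check: read the checker's own prologue through an independent
    path (here, the live image directly) and flag a near jmp where the expected
    opcodes should be, decoding its rel32 target."""
    off = CHECK_ADDR - CODE_BASE
    head = bytes(image[off:off + 6])
    if head == EXPECTED:
        return {"hooked": False, "target": None}
    if head[0] == 0xE9:
        rel = struct.unpack("<i", head[1:5])[0]
        return {"hooked": True, "target": CHECK_ADDR + 5 + rel}
    return {"hooked": True, "target": None}
```

The practical takeaway is that the reader used by an integrity check must not itself be in the checked image's hookable path; a second read of the checker's bytes (from another module, a driver, or a server-side hash of the mapped text) exposes the redirect that the in-process read cannot.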