Some Luck with WinDbg (GodMode 0.12)
wilbowen
25th November 2005, 13:33
Wow, who would have thought that Windows' own debugger, WinDbg, would be the one that could pull it off lol. OK, here's the deal folks (btw this is intended for those that are actually making trainers etc., not a noob's post at all).
This is what the code looks like at startup.
image00400000+0x19a784:
0059a784 0000 add [eax],al
0059a786 0000 add [eax],al
0059a788 0000 add [eax],al
0059a78a 0000 add [eax],al
0059a78c 0000 add [eax],al
0059a78e 0000 add [eax],al
0059a790 0000 add [eax],al
0059a792 0000 add [eax],al
Then after a few instructions are parsed and run, the code is unpacked revealing the ever commonly known:
image00400000+0x19a784:
0059a784 0f852b060000 jne image00400000+0x19adb5 (0059adb5)
0059a78a 8b8714010000 mov eax,[edi+0x114]
0059a790 83e0fe and eax,0xfffffffe
0059a793 83f812 cmp eax,0x12
0059a796 0f8419060000 je image00400000+0x19adb5 (0059adb5)
0059a79c 8b1d78f16700 mov ebx,[image00400000+0x27f178 (0067f178)]
0059a7a2 8d45c0 lea eax,[ebp-0x40]
0059a7a5 50 push eax
Now, here comes the interesting part: if you edit this now and switch the jne to a je, then keep going, the game fires up (best if used in windowed mode) and voilà! GodMode is reborn!!! Now, as for the CRC check, it's definitely in MapleStory and not GameGuard... why, you ask? Because if you change instructions just before running the instruction at "015ee44d" the game will NOT dc you. However, after this point, memory altering is impossible with WinDbg because it can no longer access the memory correctly. I have got into the game and on one map allowed GodMode for more than 10 minutes, so I know this works, it just needs a better method of doing it. When I change maps, the game throws a strange exception at WinDbg that it cannot handle or pass on, and always flings itself into an infinite loop of access violations. But as long as I stay on one map it works fine.
Anyway, hopefully this will help Dark Byte or Sean in some way. I'll keep you guys posted if I discover anything else.
P.S. Oh yeah, I find it weird that GameGuard fails to initialize if I just allow all the code to run in the debugger, however if I set a couple of breakpoints first, then it loads just fine??? Doesn't make any sense at all.
[note to mofo] Can you add "(GodMode 0.12)" to the title of this, since it isn't really clarified in the title what I'm having luck with? Thanks
Goshinki
25th November 2005, 13:47
lol great job man, I'll go try it shortly... any expert wanna make a patch for people?
wilbowen
25th November 2005, 13:53
I would if I could just dump the darn thing; working on it in memory is simple enough for me, dumping the image to disk however eludes me. If someone has knowledge of how to dump a module in memory to disk using WinDbg, I'd be very grateful if you'd let me know lol, 'cause at that point patching would be super easy indeed. Also, I am guessing from the nature of how it worked for me that a person making a trainer would need to create a trainer to do the following...
1. Run before MS
2. Scan the Memory at 59a784
3. At the moment of it changing, suspend the MS process
4. Inject the new code in its place before MS does the first CRC run
5. Exit out of the trainer.
That does pose the question though: would there be any way to set hotkeys? Doubtful, and vacs would be extremely hard to create as well; without the ability to turn the code on/off you would have to set the coords at runtime each time, and exit to turn it off.
farmerchum
25th November 2005, 13:54
Hmm, what made you try to use WinDbg? I would never have thought of using it because I expect G.g to be smart enough to patch it in version 1 of G.g.
Well, this is also a good way to do it, my way is much less of a hassle.
Anywayz, good job
wilbowen
25th November 2005, 13:56
I don't know what made me think of it. It just popped into my head that if Microsoft created their debugger to work on all types of kernel stuff and drivers, perhaps they had a better way of handling all the anti-debugging techniques used in current code; looks like they do ^_^ And thanks for the compliment.
dcay
25th November 2005, 13:57
What's the difference between that and changing the memory (jne to je) when MapleStory starts up?
Anyway, good finding. GameGuard now might update again to block this. Good luck.
wilbowen
25th November 2005, 14:00
What's the difference between that and changing the memory (jne to je) when MapleStory starts up?
I'm not sure that I follow your question; I am changing the jne to je here, or jmp, whichever you prefer. The thing that I'm really trying to show, though, is that using this requires neither jamilah nor any other rootkits. It doesn't need a "bypass" at all because it somehow does that all by itself. It is practically the same thing as using CE, just without a bypass.
dcay
25th November 2005, 14:04
By using the debugger, you're probably changing the instruction so quickly that MS didn't execute any instruction at "015ee44d" (CRC32 checking), which seems like what you're stating, correct?
wilbowen
25th November 2005, 14:07
Correct, it is doing it quickly enough in the process (just after unpacking) that the CRC checks have not been done yet, and this totally flies. I'm guessing (haven't looked into it yet) that the CRC gets a reading after the file is unpacked, then makes its number. My guess is that it then periodically checks that sum again throughout gameplay, thus why the code will work before the code is in place, but not after.
[edit]
I have now checked to see if you can suspend the app at the point it decides to load GG and inject the code changes. This definitely doesn't work, the CRC check has already been run by the time it calls GG into existence. Still looking into it though.
dv8r
25th November 2005, 19:19
Debugging... just great... :ermm:
A tut on how to use this would help for us less-debugging-literate.
When I opened the ms.exe it shows me some code then just stops... MS doesn't even open... what a headache.
I think I'll go try some more rootkits T_T
shifting gears for a second...
What of that godmode trainer Sean made... is it possible to create another trainer and just use the hotkey before GameGuard finishes loading and close the trainer again? Just a thought. (Can't really remember if that was before or after the CRC was put back into MS)
cryptus92
25th November 2005, 20:34
Debugging... just great... :ermm:
A tut on how to use this would help for us less-debugging-literate.
When I opened the ms.exe it shows me some code then just stops... MS doesn't even open... what a headache.
I think I'll go try some more rootkits T_T
shifting gears for a second...
What of that godmode trainer Sean made... is it possible to create another trainer and just use the hotkey before GameGuard finishes loading and close the trainer again? Just a thought. (Can't really remember if that was before or after the CRC was put back into MS)
That's impossible now, they've REINSERTED CRC checks... Sean's was during the period where they first put in nProtect I think, and took out CRC...
Nice work wilbowen, I would've never thought of WinDbg... all that time with FU rootkit and others o.o
wilbowen
25th November 2005, 21:07
Thanks for the comp cryptus! And dv8r, I did state at the top that this thread was to help those peeps who were working on trainers or hacks etc... It really isn't meant to be a thread that will guide you through everything. As for Sean's hack, cryptus is correct, it is impossible to use his trainer right now; however, it does work along the same lines. His trainer, I'm sure (have not tried it), uses the same concept of changing the jne to je (a weird notice to debug users: a certain debugger out there tells me it is a jnz and jz, not je lmao, practically the same dif). So, if it would be possible to pause the process BEFORE the CRC check comes into play, then maybe the trainer would work, but I do not know of a way yet to pause the process so precisely without using a debugger. I have even tried an app that stalls it when it attempts to load GG, but that isn't quick enough; bottom line, it's got to be done just after the exe is unpacked into memory. Or if someone figures out how to bypass that darn CRC check then that would be the best way to do it, then you could do pretty much whatever you wanted. So, in closing, I'm sorry, I never meant for this to be a method for everyone to use, I just wanted to get the info out to other coders out there that it has been done and tested.
dcay
25th November 2005, 23:47
Sorry, I wrote a program that searches for the maplestory.exe process. If the process isn't found it loops and keeps on searching. Once it has found it, it sleeps for a "certain time", then wakes up and changes jne to je. But I got no luck: first it changed jne to je too quickly, and you still get hurt in the game. I then changed that "certain time". Then it changes too late: you don't get hurt, but in 1 sec you get dc'd. Then I made it search and, once it finds the process, check to see if address 59A784 is filled with the jne instruction. If it's not, it keeps searching; if it is, it changes it to je. This causes a pop-up dialog saying Protection Error, error: 45.
Sorry, I did what I can for you guys. (Man, I hate inputting the PIN code.) OMS sure sucks big time.
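Added example, not code from this thread, the game or GameGuard: a small C model of the two integrity-check designs the posts above are arguing about. wilbowen's guess that the CRC "gets a reading after the file is unpacked" describes a check whose baseline is a runtime snapshot, which is why a patch applied before that snapshot survives and a later one is caught; the defensive fix is to compare against a value fixed at build time. The byte values are the jne/je encodings quoted in the thread; the CRC-32 routine, the two check functions and the constructed buffer are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample buffer: the first two unpacked instructions quoted in the
 * thread (0059a784: 0f 85 2b 06 00 00 = jne; 8b 87 14 01 00 00 = mov eax,[edi+0x114]). */
static const uint8_t code[] = {0x0f,0x85,0x2b,0x06,0x00,0x00, 0x8b,0x87,0x14,0x01,0x00,0x00};

/* Table-free CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
uint32_t crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Design A (the thread's guess at what the game does): the expected value is a
 * snapshot taken at the first check. A patch applied before that snapshot is
 * baked into the baseline and never flagged afterwards. */
typedef struct { uint32_t baseline; int armed; } runtime_check_t;
int runtime_check(runtime_check_t *s, const uint8_t *p, size_t n) {
    uint32_t now = crc32(p, n);
    if (!s->armed) { s->baseline = now; s->armed = 1; return 0; }
    return now != s->baseline;               /* 1 = tamper detected */
}

/* Design B (mitigation): compare against a constant fixed at build time, so a
 * patch made at any point, including before the first check, is detected. */
int constant_check(uint32_t expected, const uint8_t *p, size_t n) {
    return crc32(p, n) != expected;
}

/* Flip jne (0f 85) to je (0f 84) before either check has run, then run both.
 * Returns 1 when only the constant-baseline check catches it. */
int demo(void) {
    uint32_t build_time_crc = crc32(code, sizeof code);  /* stands in for a linked-in constant */
    uint8_t patched[sizeof code];
    memcpy(patched, code, sizeof code);
    patched[1] = 0x84;                                   /* one-byte patch: jne -> je */
    runtime_check_t s = {0, 0};
    int a1 = runtime_check(&s, patched, sizeof patched); /* 0: snapshots the patched code */
    int a2 = runtime_check(&s, patched, sizeof patched); /* 0: still "matches" its own baseline */
    int b  = constant_check(build_time_crc, patched, sizeof patched); /* 1: flagged */
    return a1 == 0 && a2 == 0 && b == 1;
}
int main(void) { printf("constant-baseline check catches the early patch: %d\n", demo()); return 0; }
```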
CloudLynch1
26th November 2005, 01:03
Lol well I'm guessing god mode will soon be alive again... hah Wizet just can't keep you guys down
cryptus92
26th November 2005, 01:21
Lol well I'm guessing god mode will soon be alive again... hah Wizet just can't keep you guys down
Not necessarily...
but good job guys.
I guess
Best case scenario = we kick GameGuard's butt and use all the nice hacks again.
Worst case scenario = we are stuck with this temporary godmode.
But fantasy scenarios:
Best = CRC32 checking fails, nProtect is destroyed from the face of the planet, we can use server-sided hacks.
Worst case scenario = Wizet and GameGuard kill all haxor.
wilbowen
26th November 2005, 02:26
Small update, guys: I have the unpacked exe; I'm having a little bit of trouble with the darn imports though. Hopefully soon I'll have the imports correct. I'll keep you guys updated. Also, it was fairly easy to get it unpacked, so if someone else out there wants to jump in and beat me to getting this task done, my feelings wouldn't be hurt at all lol!
fearstriker
26th November 2005, 03:08
Anyone who wants to try out WinDbg can get it from http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.5.3.8.exe
speedmage
26th November 2005, 05:23
How do you unpack it to the red font form??
I tried a lot of things in WinDbg but none work to unpack it... any ideas??
wilbowen
26th November 2005, 06:44
To get it to unpack in WinDbg, simply load the exe from WinDbg's "Open Executable" option. Then you're going to be looking at some break exception waiting patiently for you to do something; press F5 several times, till the code gets to the point that I stated earlier, then typing "u 59a784" will produce the code in red, and typing "a 59a784" will allow you to enter a new instruction there (which is of course 'je 59adb5'). Hope that helps; beyond that, try to figure some more stuff out on your own from there, I can't really help everyone who asks.
Goshinki
26th November 2005, 07:00
Haven't had a chance to look at the debugger...
Can it attach to processes without being detected?
Or do I need to change the jump first? Same bypass?
speedmage
26th November 2005, 08:49
What I mean is how to transfer the data from this:
image00400000+0x19a784:
0059a784 0000 add [eax],al
0059a786 0000 add [eax],al
0059a788 0000 add [eax],al
0059a78a 0000 add [eax],al
0059a78c 0000 add [eax],al
0059a78e 0000 add [eax],al
0059a790 0000 add [eax],al
0059a792 0000 add [eax],al
To this:
image00400000+0x19a784:
0059a784 0f852b060000 jne image00400000+0x19adb5 (0059adb5)
0059a78a 8b8714010000 mov eax,[edi+0x114]
0059a790 83e0fe and eax,0xfffffffe
0059a793 83f812 cmp eax,0x12
0059a796 0f8419060000 je image00400000+0x19adb5 (0059adb5)
0059a79c 8b1d78f16700 mov ebx,[image00400000+0x27f178 (0067f178)]
0059a7a2 8d45c0 lea eax,[ebp-0x40]
0059a7a5 50 push eax
lalalaboi
26th November 2005, 10:26
anyone have hack!!! i wan hack call gm to ban me lalalaboi
wilbowen
26th November 2005, 12:29
Yes, you can do this without being detected, and that is what I'm talking about mage, that post of mine above is how it changes. No other way to say it.
jammie
26th November 2005, 14:46
Just a thought, but if you find an ASM instruction the same size as the one you're inserting, couldn't you delete it then go back and insert your code line, so the file is in fact the same size? (as long as it was hardly ever called / didn't exactly do much)
Wouldn't that in effect bypass the CRC check, because the file size is correct?
SunBeam
26th November 2005, 14:53
@wilbowen: Maple still does the CRC even if you change the code BEFORE the sequence begins. I know this because I've tried it before. As for the CRCs, there's one that checks the game code on a certain range [not all code gets checked, just what Wizet set to CRC] coming from the main MapleStory.exe [ACProtect does this], and one from GameGuard which DOESN'T take care of the MS process, but checks if you change GameGuard functions ;) Trust me, it would be hella easier to **** up GG than trying to trick MS's CRCs :) And from what I know, GameGuard's CRC is off ;)
Good luck at hunting detection funcs ;)...
@others: you don't unpack it in WinDbg, you simply let the application run; have a look at the memory BEFORE and AFTER the memory unpacking begins... Basically what you do in all this business is pause and run the process :)...
mario
26th November 2005, 15:46
How do you know if you changed the code before instruction "015ee44d"? Every time I detach the debugger the MS server dc's me and I am back at the Maple login screen.
ObLiTeRaTe
28th November 2005, 06:36
simply load the exe from WinDbg's "Open Executable" option
Which exe exactly do you load -.- I can't figure this out =\
tjunans
28th November 2005, 07:54
Sorry to interrupt,
can I ask a noob question?
What does this godlike mode do exactly?
In order to do this hack, do I need the Windows debugger only? Do I need another program like the "Godlike version 5.0" program???
wilbowen
28th November 2005, 08:09
MapleStory.exe
And the noob question: god mode disables the routine in the game that actually detects you getting hit and triggers your damage and getting thrown back.
mario
28th November 2005, 08:39
Every time I detach the debugger Maple seems to work for a minute then d/c's me to the login screen. Anyone know the cause of that?
Second, how do you know if you changed the code before instruction "015ee44d"?