View Full Version : Decrypting npgg.erl and npgl.erl


nForce
30th June 2006, 14:44
For these two files GameGuard uses a very simple encryption method, where a 32bit key is stored at the beginning of the file.

A reversal of their basic encryption algorithm is provided below:

/***********************************************************************************
 * Project: ERL Decryptor                                                           *
 *                                                                                 *
 * Copyright (C) 2006 by nForce                                                    *
 *                                                                                 *
 * This program is free software; you can redistribute it and/or modify            *
 * it under the terms of the GNU General Public License as published by            *
 * the Free Software Foundation; either version 2 of the License, or               *
 * (at your option) any later version.                                             *
 *                                                                                 *
 * This program is distributed in the hope that it will be useful,                 *
 * but WITHOUT ANY WARRANTY; without even the implied warranty of                  *
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the                   *
 * GNU General Public License for more details.                                    *
 *                                                                                 *
 * You should have received a copy of the GNU General Public License               *
 * along with this program; if not, write to the Free Software                     *
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA         *
 ***********************************************************************************/

#include <cstdint>
#include <fstream>
#include <iostream>
#include <string>

using namespace std;

int main ( int nArguments, char * szArguments [] )
{
    if ( nArguments > 1 )
    {
        std::string sOutput ( szArguments [ 1 ] );

        // Both streams must be opened in binary mode: text mode on Windows
        // translates line endings and treats 0x1A as end-of-file, which
        // corrupts the XORed stream (the "garbage" output reported below).
        ifstream ifsTargetFile ( sOutput.c_str (), ios::binary );
        sOutput.append ( ".dec" );
        ofstream ofsOutputFile ( sOutput.c_str (), ios::binary );

        if ( ( ifsTargetFile.is_open () ) &&
             ( ofsOutputFile.is_open () ) )
        {
            // The first 4 bytes of the file hold the 32-bit key, read in
            // native (x86 little-endian) byte order. A fixed-width type keeps
            // the arithmetic at 32 bits on 64-bit builds as well.
            uint32_t nCryptoKey = 0;
            ifsTargetFile.read ( ( char * ) ( & nCryptoKey ), 4 );

            char cRaw;
            // get() returns false at end of file, so no stray byte is written
            // after the last real one (the original loop tested good() before
            // reading and therefore emitted one byte too many).
            while ( ifsTargetFile.get ( cRaw ) )
            {
                // Advance the key once per byte: key = key * 3 + 1 (mod 2^32).
                nCryptoKey = ( nCryptoKey * 3 + 1 );

                unsigned char nEncryptedByte = ( unsigned char ) cRaw;

                // Keystream byte = low byte of the key plus 0x65 (wraps at 256),
                // then XOR it with the file byte.
                unsigned char nCryptoByte = ( unsigned char ) ( nCryptoKey & 0xff );
                nCryptoByte = nCryptoByte + 0x65;
                nEncryptedByte = nCryptoByte ^ nEncryptedByte;

                ofsOutputFile.put ( ( char ) nEncryptedByte );
            }
        }
        else
        {
            cout << "Could not open input file or create output file." << endl;
        }

        ifsTargetFile.close ();
        ofsOutputFile.close ();
    }
    else
    {
        cout << "Syntax Error!" << endl
             << "Syntax: " << szArguments [ 0 ] << " <Erl File>" << endl;
    }

    return 0;
}
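
As an added illustration (not code from nForce's post), the same scheme modelled in memory in Python: it regenerates the keystream from the 4-byte header, round-trips a constructed log line, and counts how many distinct keystreams the 32-bit key can actually select, since (key*3+1) mod 256 depends only on the key's low byte. The key value and sample line are constructed for the demo.

```python
# Added example, not from the original post: an in-memory model of the
# npgg.erl/npgl.erl scheme reversed above. Key value and sample line are constructed.

KEY_MASK = 0xFFFFFFFF
BYTE_ADD = 0x65           # constant added to the key's low byte before the XOR


def erl_keystream(key: int, length: int) -> bytes:
    """Keystream from the 32-bit key at offset 0: key = key*3+1 per byte,
    keystream byte = (key & 0xff) + 0x65, wrapping at 256 like unsigned char."""
    out = bytearray()
    k = key & KEY_MASK
    for _ in range(length):
        k = (k * 3 + 1) & KEY_MASK
        out.append(((k & 0xFF) + BYTE_ADD) & 0xFF)
    return bytes(out)


def erl_decrypt(blob: bytes) -> bytes:
    """Decrypt a whole file image: 4-byte little-endian key, then XORed body."""
    if len(blob) < 4:
        raise ValueError("file shorter than the 4-byte key header")
    key = int.from_bytes(blob[:4], "little")
    body = blob[4:]
    return bytes(b ^ k for b, k in zip(body, erl_keystream(key, len(body))))


def erl_encrypt(key: int, plaintext: bytes) -> bytes:
    """XOR is its own inverse, so producing a file is the same keystream applied."""
    ks = erl_keystream(key, len(plaintext))
    return (key & KEY_MASK).to_bytes(4, "little") + bytes(
        b ^ k for b, k in zip(plaintext, ks))


def distinct_keystreams(sample_len: int = 64) -> int:
    """Count how many different keystreams the whole 32-bit key space yields.

    (k*3 + 1) mod 256 depends only on k mod 256, so the upper three key bytes
    cannot influence any keystream byte; the header selects at most 256 streams.
    """
    seen = set()
    for low in range(256):
        # Vary the upper bytes as well; they must not change the stream.
        for high in (0x00000000, 0x12345600, 0xFFFFFF00):
            seen.add(erl_keystream(high | low, sample_len))
    return len(seen)


# Constructed sample in the style of the decrypted log posted later in the thread.
SAMPLE_LINE = b"15:47:56:671 --- GameMon.des version 566 : Mon Oct 24 21:51:04 2005 ---\n"
SAMPLE_KEY = 0x1234ABCD


def round_trip_ok() -> bool:
    """Encrypt the sample with a constructed key and check decryption restores it."""
    return erl_decrypt(erl_encrypt(SAMPLE_KEY, SAMPLE_LINE)) == SAMPLE_LINE


if __name__ == "__main__":
    print("round trip:", round_trip_ok())
    print("distinct keystreams over 2^32 keys:", distinct_keystreams())
```

The 256-stream result is why this is file obfuscation rather than encryption: the header key contributes eight effective bits, and the rest of the 32-bit value is ignored by the recurrence.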

KizZamP-
30th June 2006, 14:50
nice job!
though :

nCryptoByte = nCryptoByte + 0x65;

what does the 0x65 stand for?

nForce
30th June 2006, 15:23
Before XORing with the crypto byte they add 101 (65h) to the byte. Why? That's a question you would have to ask the coders at nProtect. The algorithm is very simple regardless.

temp2
30th June 2006, 16:19
For these two files GameGuard uses a very simple encryption method, where a 32bit key is stored at the beginning of the file.


Unfortunately I believe you will find GG varies things on a per game basis. I knocked this project up and tried it against Lineage II's npgg.erl and npgl.erl in Lineage II\system\GameGuard. It produced garbage.

It would be really nice to get this working as I'm sure you're aware that the contents of these erl files is very interesting. Any hints?

nForce
30th June 2006, 16:52
Sorry, I was compiling and running it on my Linux machine. I forgot the Windows standard libraries require you to specifically open files in binary mode to ignore special command characters. The code has been updated in the post above and below is an attached working binary. There still may be differences between games; however, it works with the game I have been playing around with (not Lineage 2).

temp2
1st July 2006, 04:34
The code has been updated in the post above and below is an attached working binary.

Weird exe that one m8 and it has way too many Kernel32 imports for my liking. That may be because you used the Dinkumware standard libraries though. The source code compiles fine and it now works with:

npgg.erl
npgl.erl
npgl1.erl

which are presumably the GameGuard.des process log files but not with:

npgm.erl
npgmup.erl
npsc.erl

which are presumably the GameMon.des process. I wonder if they are just using a different nCryptoByte = nCryptoByte + 0x65;?

How did you generate the algorithm? By reverse engineering or frequency analysis of the files?

Here is a little teaser from a decrypted npgm.erl. I think you will agree these files are very interesting.

15:47:56:671 --- GameMon.des version 566 : Mon Oct 24 21:51:04 2005 ---
15:47:56:671 cmd: 11534336 884 1 208 204 MapleStoryUS b8 ac 0
15:47:56:671 argc: 9, argv: 11534336 884 1 208 204 MapleStoryUS b8 ac 0
15:47:56:671 CommThread(58) ID: 2596

15:47:57:062 pi6
15:47:57:062 -- ParseIni done
15:47:57:078 CS2: PrtcLibVer 1.32
15:47:57:078 -- InitNPGM
15:47:57:078 Admin Privilege
15:47:57:109 reggms: 2
15:47:57:109 previous TAM: 1
15:47:57:125 win xp
15:47:57:125 InitCallgateNT: 1
15:47:57:125 npscan: C:\Games\MapleStory\GameGuard\npscan.des
15:47:57:125 Try to turn on npscan
15:47:57:140 Virobot Turn ON
15:47:57:140 ReadSMThread(dc) ID: 2624
15:47:57:140 [0 : 0x804d7000 - 0x214780 - 0x12] \WINDOWS\system32\ntoskrnl.exe
15:47:57:140 [1 : 0x806ec000 - 0x20380 - 0x12] \WINDOWS\system32\hal.dll
15:47:57:140 [2 : 0xf899f000 - 0x2000 - 0x12] \WINDOWS\system32\KDCOM.DLL
15:47:57:140 [3 : 0xf88af000 - 0x3000 - 0x12] \WINDOWS\system32\BOOTVID.dll
15:47:57:140 [4 : 0xba70c000 - 0xd3000 - 0x0] sptd.sys
15:47:57:156 [5 : 0xf89a1000 - 0x2000 - 0x1a] \WINDOWS\System32\Drivers\WMILIB.SYS
15:47:57:156 [6 : 0xba6f4000 - 0x18000 - 0x1a] \WINDOWS\System32\Drivers\SPTD9453.SYS
15:47:57:156 [7 : 0xba6c6000 - 0x2e000 - 0x0] ACPI.sys
15:47:57:156 [8 : 0xba6b5000 - 0x11000 - 0x0] pci.sys
15:47:57:156 [9 : 0xf849f000 - 0x9000 - 0x0] isapnp.sys
15:47:57:156 [10 : 0xf84af000 - 0xf000 - 0x0] ohci1394.sys
15:47:57:156 [11 : 0xf84bf000 - 0xd000 - 0x1a] \WINDOWS\system32\DRIVERS\1394BUS.SYS
15:47:57:156 [12 : 0xf8a67000 - 0x1000 - 0x0] pciide.sys
15:47:57:156 [13 : 0xf871f000 - 0x7000 - 0x1a] \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
15:47:57:156 [14 : 0xf89a3000 - 0x2000 - 0x0] intelide.sys
15:47:57:156 [15 : 0xf84cf000 - 0xb000 - 0x0] MountMgr.sys
15:47:57:156 [16 : 0xba696000 - 0x1f000 - 0x0] ftdisk.sys
15:47:57:156 [17 : 0xf89a5000 - 0x2000 - 0x0] dmload.sys
15:47:57:156 [18 : 0xba670000 - 0x26000 - 0x0] dmio.sys
15:47:57:156 [19 : 0xf8727000 - 0x5000 - 0x0] PartMgr.sys
15:47:57:156 [20 : 0xf872f000 - 0x5000 - 0x0] c1j5rwuqb1.sys
15:47:57:156 [21 : 0xf84df000 - 0x9000 - 0x0] sfsync02.sys
15:47:57:156 [22 : 0xf84ef000 - 0xd000 - 0x0] VolSnap.sys
15:47:57:156 [23 : 0xba658000 - 0x18000 - 0x0] atapi.sys
15:47:57:156 [24 : 0xba644000 - 0x14000 - 0x0] nvatabus.sys
15:47:57:156 [25 : 0xf84ff000 - 0xd000 - 0x0] si3112.sys
15:47:57:156 [26 : 0xba62c000 - 0x18000 - 0x1a] \WINDOWS\System32\Drivers\SCSIPORT.SYS
15:47:57:156 [27 : 0xf850f000 - 0x9000 - 0x0] disk.sys
15:47:57:156 [28 : 0xf851f000 - 0xd000 - 0x1a] \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
15:47:57:156 [29 : 0xba60d000 - 0x1f000 - 0x0] fltMgr.sys
15:47:57:156 [30 : 0xf8737000 - 0x5000 - 0x0] PxHelp20.sys
15:47:57:156 [31 : 0xba5f6000 - 0x17000 - 0x0] KSecDD.sys
15:47:57:156 [32 : 0xba569000 - 0x8d000 - 0x0] Ntfs.sys
15:47:57:156 [33 : 0xba53c000 - 0x2d000 - 0x0] NDIS.sys
15:47:57:156 [34 : 0xba528000 - 0x14000 - 0x0] sfvfs02.sys
15:47:57:156 [35 : 0xf873f000 - 0x8000 - 0x0] sfhlp02.sys
15:47:57:171 [36 : 0xf89a7000 - 0x2000 - 0x0] sfhlp01.sys
15:47:57:171 [37 : 0xba516000 - 0x12000 - 0x0] sfdrv01.sys
15:47:57:171 [38 : 0xf89a9000 - 0x2000 - 0x0] prosync1.sys
15:47:57:171 [39 : 0xba4f9000 - 0x1d000 - 0x0] prohlp02.sys
15:47:57:171 [40 : 0xf8747000 - 0x5000 - 0x0] nv_agp.sys
15:47:57:171 [41 : 0xba4de000 - 0x1b000 - 0x0] Mup.sys
15:47:57:171 [42 : 0xf852f000 - 0xb000 - 0x0] agp440.sys
15:47:57:171 [43 : 0xf86af000 - 0xa000 - 0x1d] \SystemRoot\system32\DRIVERS\amdk7.sys
15:47:57:171 [44 : 0xf8847000 - 0x5000 - 0x1d] \SystemRoot\system32\DRIVERS\usbohci.sys
15:47:57:171 [45 : 0xf7d21000 - 0x23000 - 0x1d] \SystemRoot\system32\DRIVERS\USBPORT.SYS
15:47:57:171 [46 : 0xf884f000 - 0x7000 - 0x1d] \SystemRoot\system32\DRIVERS\usbehci.sys
15:47:57:171 [47 : 0xba405000 - 0x12000 - 0x1d] \SystemRoot\system32\DRIVERS\NVENET.sys
15:47:57:171 [48 : 0xf86bf000 - 0xe000 - 0x1d] \SystemRoot\system32\drivers\nvax.sys
15:47:57:171 [49 : 0xf86cf000 - 0xb000 - 0x1d] \SystemRoot\system32\DRIVERS\imapi.sys
15:47:57:171 [50 : 0xba43b000 - 0x3000 - 0x1d] \SystemRoot\system32\drivers\pfc.sys
15:47:57:171 [51 : 0xf86df000 - 0xd000 - 0x1d] \SystemRoot\system32\DRIVERS\cdrom.sys
15:47:57:171 [52 : 0xf86ef000 - 0xf000 - 0x1d] \SystemRoot\system32\DRIVERS\redbook.sys
15:47:57:171 [53 : 0xf7cfe000 - 0x23000 - 0x1d] \SystemRoot\system32\DRIVERS\ks.sys
15:47:57:171 [54 : 0xf86ff000 - 0x10000 - 0x1d] \SystemRoot\system32\DRIVERS\nic1394.sys
15:47:57:171 [55 : 0xf7b88000 - 0x176000 - 0x1d] \SystemRoot\system32\DRIVERS\ati2mtag.sys
15:47:57:171 [56 : 0xf7b74000 - 0x14000 - 0x1d] \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
15:47:57:171 [57 : 0xf7b2a000 - 0x4a000 - 0x1d] \SystemRoot\System32\Drivers\dtscsi.sys
15:47:57:171 [58 : 0xf885f000 - 0x7000 - 0x1d] \SystemRoot\system32\DRIVERS\fdc.sys
15:47:57:171 [59 : 0xf857f000 - 0x10000 - 0x1d] \SystemRoot\system32\DRIVERS\serial.sys
15:47:57:171 [60 : 0xba42b000 - 0x4000 - 0x1d] \SystemRoot\system32\DRIVERS\serenum.sys
15:47:57:171 [61 : 0xf7b16000 - 0x14000 - 0x1d] \SystemRoot\system32\DRIVERS\parport.sys
15:47:57:171 [62 : 0xf858f000 - 0xd000 - 0x1d] \SystemRoot\system32\DRIVERS\i8042prt.sys
15:47:57:171 [63 : 0xf8867000 - 0x6000 - 0x1d] \SystemRoot\system32\DRIVERS\mouclass.sys
15:47:57:171 [64 : 0xf886f000 - 0x6000 - 0x1d] \SystemRoot\system32\DRIVERS\kbdclass.sys
15:47:57:171 [65 : 0xf8b79000 - 0x1000 - 0x1d] \SystemRoot\system32\drivers\msmpu401.sys
15:47:57:171 [66 : 0xf7af2000 - 0x24000 - 0x1d] \SystemRoot\system32\drivers\portcls.sys
15:47:57:171 [67 : 0xf859f000 - 0xf000 - 0x1d] \SystemRoot\system32\drivers\drmk.sys
15:47:57:187 [68 : 0xba427000 - 0x3000 - 0x1d] \SystemRoot\system32\DRIVERS\gameenum.sys
15:47:57:187 [69 : 0xf8b7a000 - 0x1000 - 0x1d] \SystemRoot\system32\DRIVERS\audstub.sys
15:47:57:187 [70 : 0xf85af000 - 0xd000 - 0x1d] \SystemRoot\system32\DRIVERS\rasl2tp.sys
15:47:57:187 [71 : 0xba423000 - 0x3000 - 0x1d] \SystemRoot\system32\DRIVERS\ndistapi.sys
15:47:57:187 [72 : 0xf7a3b000 - 0x17000 - 0x1d] \SystemRoot\system32\DRIVERS\ndiswan.sys
15:47:57:187 [73 : 0xf85bf000 - 0xb000 - 0x1d] \SystemRoot\system32\DRIVERS\raspppoe.sys
15:47:57:187 [74 : 0xf85cf000 - 0xc000 - 0x1d] \SystemRoot\system32\DRIVERS\raspptp.sys
15:47:57:187 [75 : 0xf8877000 - 0x5000 - 0x1d] \SystemRoot\system32\DRIVERS\TDI.SYS
15:47:57:187 [76 : 0xf887f000 - 0x5000 - 0x1d] \SystemRoot\system32\DRIVERS\ptilink.sys
15:47:57:187 [77 : 0xf8887000 - 0x5000 - 0x1d] \SystemRoot\system32\DRIVERS\raspti.sys
...
15:47:57:203 [104 : 0xba248000 - 0x58000 - 0x1d] \SystemRoot\system32\DRIVERS\tcpip.sys
15:47:57:203 [105 : 0xba233000 - 0x15000 - 0x2f] \??\H:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS
15:47:57:203 [106 : 0xf7ad2000 - 0x9000 - 0x1d] \SystemRoot\system32\DRIVERS\wanarp.sys
15:47:57:203 [107 : 0xba20b000 - 0x28000 - 0x1d] \SystemRoot\system32\DRIVERS\netbt.sys
15:47:57:203 [108 : 0xba1e9000 - 0x22000 - 0x1d] \SystemRoot\System32\drivers\afd.sys
15:47:57:203 [109 : 0xf7ac2000 - 0x9000 - 0x1d] \SystemRoot\system32\DRIVERS\netbios.sys
15:47:57:203 [110 : 0xf8827000 - 0x7000 - 0x25] \??\H:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe
15:47:57:203 [111 : 0xf7aa2000 - 0xf000 - 0x1d] \SystemRoot\system32\DRIVERS\arp1394.sys
15:47:57:203 [112 : 0xba1bd000 - 0x2c000 - 0x1d] \SystemRoot\system32\DRIVERS\rdbss.sys
15:47:57:203 [113 : 0xf7a92000 - 0xe000 - 0x1d] \SystemRoot\System32\drivers\prodrv06.sys
15:47:57:218 [114 : 0xf882f000 - 0x6000 - 0x18] \??\H:\WINDOWS\system32\npptNT2.sys
15:47:57:218 [115 : 0xba126000 - 0x6f000 - 0x1d] \SystemRoot\system32\DRIVERS\mrxsmb.sys
15:47:57:218 [116 : 0xf7a82000 - 0x9000 - 0x1d] \SystemRoot\System32\Drivers\Fips.SYS
15:47:57:218 [117 : 0xf8aaf000 - 0x1000 - 0x2a] \??\H:\Program Files\ewido\security suite\guard.sys
15:47:57:218 [118 : 0xf7a52000 - 0x10000 - 0x1d] \SystemRoot\System32\Drivers\Cdfs.SYS
15:47:57:218 [119 : 0xba10e000 - 0x18000 - 0x1d] \SystemRoot\System32\Drivers\dump_atapi.sys
15:47:57:218 [120 : 0xf8a47000 - 0x2000 - 0x1d] \SystemRoot\System32\Drivers\dump_WMILIB.SYS
15:47:57:218 [121 : 0xbf800000 - 0x1c1000 - 0x15] \SystemRoot\System32\win32k.sys
15:47:57:218 [122 : 0xf883f000 - 0x5000 - 0x15] \SystemRoot\System32\watchdog.sys
15:47:57:218 [123 : 0xba3d9000 - 0x3000 - 0x1d] \SystemRoot\System32\drivers\Dxapi.sys
15:47:57:218 [124 : 0xbf000000 - 0x12000 - 0x1d] \SystemRoot\System32\drivers\dxg.sys
15:47:57:218 [125 : 0xf8b07000 - 0x1000 - 0x1d] \SystemRoot\System32\drivers\dxgthk.sys
15:47:57:218 [126 : 0xbf012000 - 0x42000 - 0x15] \SystemRoot\System32\ati2dvag.dll
15:47:57:218 [127 : 0xbf054000 - 0x3f000 - 0x15] \SystemRoot\System32\ati2cqag.dll
15:47:57:218 [128 : 0xbf093000 - 0x36000 - 0x15] \SystemRoot\System32\atikvmag.dll
15:47:57:218 [129 : 0xbf0c9000 - 0x27c000 - 0x15] \SystemRoot\System32\ati3duag.dll
15:47:57:218 [130 : 0xbf345000 - 0xd3000 - 0x15] \SystemRoot\System32\ativvaxx.dll
15:47:57:218 [131 : 0xbffa0000 - 0x46000 - 0x15] \SystemRoot\System32\ATMFD.DLL
15:47:57:218 [132 : 0xb7d9f000 - 0x15000 - 0x1d] \SystemRoot\system32\drivers\wdmaud.sys
15:47:57:234 [133 : 0xb7e74000 - 0xf000 - 0x1d] \SystemRoot\system32\drivers\sysaudio.sys
15:47:57:234 [134 : 0xf870f000 - 0xc000 - 0x20] \??\H:\WINDOWS\system32\drivers\Haspnt.sys
15:47:57:234 [135 : 0xb7df8000 - 0x3000 - 0x1d] \SystemRoot\System32\Drivers\MarxDev1.SYS
15:47:57:234 [136 : 0xb7df4000 - 0x3000 - 0x1d] \SystemRoot\System32\Drivers\MarxDev2.SYS
15:47:57:234 [137 : 0xb7df0000 - 0x3000 - 0x1d] \SystemRoot\System32\Drivers\MarxDev3.SYS
15:47:57:234 [138 : 0xf89f9000 - 0x2000 - 0x1d] \SystemRoot\System32\Drivers\ParVdm.SYS
15:47:57:234 [139 : 0xba2bb000 - 0x5000 - 0x20] \??\H:\WINDOWS\system32\DRIVERS\PSTRIP.SYS
15:47:57:234 [140 : 0xb7b53000 - 0x6f000 - 0x20] \??\H:\WINDOWS\system32\drivers\hardlock.sys
15:47:57:234 [141 : 0xb7b30000 - 0x23000 - 0x1d] \SystemRoot\System32\Drivers\Fastfat.SYS
15:47:57:234 [142 : 0xb7b08000 - 0x28000 - 0x1d] \SystemRoot\system32\DRIVERS\secdrv.sys
15:47:57:234 [143 : 0xf8b85000 - 0x1000 - 0x18] \??\H:\WINDOWS\system32\SVKP.sys
15:47:57:234 [144 : 0xf7a62000 - 0xa000 - 0x20] \??\H:\WINDOWS\system32\drivers\Xprotector.sys
15:47:57:234 [145 : 0xb758c000 - 0x2a000 - 0x1d] \SystemRoot\system32\drivers\kmixer.sys
15:47:57:234 [146 : 0x7c900000 - 0xb0000 - 0x12] \WINDOWS\system32\ntdll.dll
15:47:57:250 KeServiceDescriptorTable: 0x80559b80
15:47:57:312 ServiceTable: 10ebd20, Limit: d885, TimeStamp: 41108004
15:47:57:312 SetAddress 0 = 0xf8aaf68c -> 0x8057459e
15:47:57:312 DiffAddress 0x029: 0xba711ac8 -> 0x8056f063
15:47:57:312 DiffAddress 0x03f: 0xf87f8824 -> 0x8059d6bd
15:47:57:312 DiffAddress 0x041: 0xf87f88fa -> 0x80597430
15:47:57:312 DiffAddress 0x047: 0xba711c22 -> 0x8056f76a
15:47:57:312 DiffAddress 0x049: 0xba711f9a -> 0x805801fe
15:47:57:312 DiffAddress 0x077: 0xba71198e -> 0x805684d5
15:47:57:312 DiffAddress 0x0a0: 0xba712064 -> 0x8056f473
15:47:57:312 DiffAddress 0x0b1: 0xba711efc -> 0x8056b9a8
15:47:57:312 DiffAddress 0x0f7: 0xf87f89c0 -> 0x80575527
15:47:57:312 DiffAddress 0x101: 0xf8aaf604 -> 0x8058ae1e
15:47:57:328 SetSDT: 1
15:47:57:328 -- InitGameHook
15:47:57:328 gamemon: C:\Games\MapleStory\GameGuard\GameMon.des
15:47:57:328 HOOKSDLL: C:\Games\MapleStory\GameGuard\npggNT.des
15:47:57:343 MDOI: ntdll.dll
15:47:57:343 MDOI: kernel32.dll
15:47:57:406 MDOI: user32.dll
15:47:57:468 MDOI: advapi32.dll
15:47:57:625 MDO: 0 0 0 0
15:47:57:625 CloneFile: C:\Games\MapleStory\MapleStory.exe
15:47:57:625 SmssPID: 476, \systemroot\system32\smss.exe
15:47:57:625 CsrssPID: 536, \??\h:\windows\system32\csrss.exe
15:47:57:625 LsassPID: 636, h:\windows\system32\lsass.exe
15:47:57:625 ClonePID: 884, c:\games\maplestory\maplestory.exe
15:47:57:625 LdrGetDllHandle: 7c916586
15:47:57:625 NtQuerySystemInformation: 7c90e1aa
15:47:57:625 NtResumeThread: 7c90e45f
15:47:57:625 Admin Account
15:47:57:625 now try to load ggdrv
15:47:57:625 Attached sys success
15:47:57:625 InitGmguardSvcReg : New setup ==> \??\H:\WINDOWS\system32\drivers\dump_wmimmc.sys
15:47:57:656 LoadDriver()
15:47:57:656 LoadGGDriver() : 126 = \Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc
15:47:57:671 Success to NtLoadDriver()
15:47:57:671 SetExcludePid()
15:47:57:671 SetDriverEnable()
15:47:57:671 GGDrv loaded.
15:47:57:671 DoHideProcess(2104)
15:47:57:671 DoHideProcess(884)
15:47:57:671 VirtualProtectEx: 8B ff 55 8B EC 56 8B 35 B8 12
15:47:57:671 DebugActiveProcess: 8B ff 55 8B EC E8 D7 55 02 00
15:47:57:671 GameModule start: 00400000, limit: 0073F000
15:47:57:734 N/A, 4, N/A (error4)
15:47:57:734 NATIVE SYSTEM PROCESS, smss.exe, skip
15:47:57:750 GameHook: Hooking 536='csrss.exe' ..
15:47:57:781 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 536
15:47:57:796 LAC IGG Success
15:47:57:796 GameHook: Hooking 564='winlogon.exe' ..
15:47:57:828 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 564
15:47:57:843 LAC IGG Success
15:47:57:843 GameHook: Hooking 624='services.exe' ..
15:47:57:859 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 624
15:47:57:875 LAC IGG Success
15:47:57:890 GameHook: Hooking 636='lsass.exe' ..
15:47:57:937 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 636
15:47:57:953 LAC IGG Success
15:47:57:953 GameHook: Hooking 796='svchost.exe' ..
15:47:57:968 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 796
15:47:57:984 LAC IGG Success
15:47:57:984 GameHook: Hooking 840='svchost.exe' ..
15:47:58:000 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 840
15:47:58:015 LAC IGG Success
15:47:58:031 GameHook: Hooking 900='svchost.exe' ..
15:47:58:078 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 900
15:47:58:078 LAC IGG Success
15:47:58:093 GameHook: Hooking 940='StyleXPService.exe' ..
15:47:58:125 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 940
15:47:58:125 LAC IGG Success
15:47:58:140 GameHook: Hooking 1080='svchost.exe' ..
15:47:58:156 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1080
15:47:58:171 LAC IGG Success
15:47:58:171 GameHook: Hooking 1148='svchost.exe' ..
15:47:58:203 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1148
15:47:58:203 LAC IGG Success
15:47:58:218 GameHook: Hooking 1188='spoolsv.exe' ..
15:47:58:234 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1188
15:47:58:250 LAC IGG Success
15:47:58:250 GameHook: Hooking 1400='Explorer.EXE' ..
15:47:58:281 : --- npggNT.des version 153 : Mon Oct 24 21:50:09 2005 ---
15:47:58:296 LAC IGG Success
15:47:58:312 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1400
15:47:58:312 GameHook: Hooking 1480='daemon.exe' ..
15:47:58:328 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1480
15:47:58:343 LAC IGG Success
15:47:58:343 GameHook: Hooking 1488='NVMixerTray.exe' ..
15:47:58:375 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1488
15:47:58:375 LAC IGG Success
15:47:58:390 GameHook: Hooking 1508='StyleXP.exe' ..
15:47:58:390 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1508
15:47:58:406 LAC IGG Success
15:47:58:421 GameHook: Hooking 1520='ctfmon.exe' ..
15:47:58:453 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1520
15:47:58:468 LAC IGG Success
15:47:58:468 GameHook: Hooking 1680='RUNDLL32.EXE' ..
15:47:58:500 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1680
15:47:58:515 LAC IGG Success
15:47:58:531 GameHook: Hooking 1724='ewidoctrl.exe' ..
15:47:58:531 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1724
15:47:58:546 LAC IGG Success
15:47:58:578 GameHook: Hooking 1756='ewidoguard.exe' ..
15:47:58:578 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1756
15:47:58:609 LAC IGG Success
15:47:58:609 GameHook: Hooking 1820='MDM.EXE' ..
15:47:58:625 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1820
15:47:58:640 LAC IGG Success
15:47:58:656 GameHook: Hooking 1328='svchost.exe' ..
15:47:58:671 LAC IGG Success
15:47:58:687 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1328
15:47:58:687 GameHook: Hooking 1652='msnmsgr.exe' ..
15:47:58:718 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1652
15:47:58:718 LAC IGG Success
15:47:58:734 diff 77d41158, f1, 23
15:47:58:734 - diff: user32.dll 77d41158
15:47:58:734 F1 1A 80 7C 6C 02 81 7C 55 FA 81 7C 97 FF 81 7C
15:47:58:734 23 27 60 63 6C 02 81 7C 55 FA 81 7C 97 FF 81 7C
15:47:58:734 - diff: user32.dll 77d41248
15:47:58:734 77 1D 80 7C E5 17 80 7C 16 1E 80 7C 8A 2B 86 7C
15:47:58:734 40 26 60 63 E5 17 80 7C 16 1E 80 7C 8A 2B 86 7C
15:47:58:734 - diff: user32.dll 77d4128c
15:47:58:734 28 AC 80 7C D3 AC 80 7C 66 AA 80 7C 77 B8 80 7C
15:47:58:734 E2 22 60 63 87 26 60 63 66 AA 80 7C 77 B8 80 7C
15:47:58:734 GameHook: Hooking 1640='YPager.exe' ..
15:47:58:750 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 1640
15:47:58:781 LAC IGG Success
15:47:58:796 GameHook: Hooking 264='msiexec.exe' ..
15:47:58:796 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 264
15:47:58:812 LAC IGG Success
15:47:58:843 GameHook: Hooking 2852='Apache.exe' ..
15:47:58:875 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 2852
15:47:58:875 LAC IGG Success
15:47:58:890 GameHook: Hooking 2612='Apache.exe' ..
15:47:58:921 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 2612
15:47:58:921 LAC IGG Success
15:47:58:937 GameHook: Hooking 2276='firefox.exe' ..
15:47:58:953 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 2276
15:47:58:968 LAC IGG Success
15:47:58:968 GameHook: Hooking 2832='GameGuard.des' ..
15:47:58:984 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 2832
15:47:59:000 LAC IGG Success
15:47:59:000 -- InitGameHook Oncemore
15:47:59:015 GameHook: Hooking 884='MapleStory.exe' ..
15:47:59:062 not load. load now
15:47:59:078 : InitNPGG, GamePID: 884, GameWnd: 0, MonPID: 2104, CurrPID: 884
15:47:59:093 LAC IGG Success
15:47:59:093 GameMon Process, GameMon.des, skip
15:47:59:093 version C:\Games\MapleStory\GameGuard\npggNT.des, 2005060901, 2005012801
15:47:59:093 -- InitGameHook Done.
15:47:59:093 GameMonThread(104) ID: 1588

nForce
1st July 2006, 05:18
How did you generate the algorithm? By reverse engineering or frequency analysis of the files?

Here is a little teaser from a decrypted npgm.erl. I think you will agree these files are very interesting.


I developed the algorithm by reverse engineering the original algorithm in the game I was targeting.

And yes I agree npgm.erl looks very interesting.

temp2
1st July 2006, 05:25
And yes I agree npgm.erl looks very interesting.

In many games, as I understand it, most of the nasty stuff occurs in the hidden driver dump_wmimmc.sys that GameMon.des unpacks from itself, starts, stops and deletes. You can see it starting up in part of that log. If you want the whole log email me.

I believe that newer versions of GG, in say Lineage II, have however abandoned this strategy due to forthcoming problems with that kind of stuff in Vista. I like playing with GG; you always find something interesting lurking in it.

nForce
4th July 2006, 12:27
Fixed end line mistake, code updated and new binary attached below.

HaggardSmurf
12th January 2007, 05:25
Question... How do I use it? I double click it and I get a quick command prompt that opens then closes. Then I check in the Nexon folder and I have a new file; I open it with the encryptor and I have another new one, so I tried opening both with Notepad and they're still encrypted. I don't get how to use it... Don't flame me for not knowing how to use a prog; be mature and at least give some insight.

Thanks in advance

bornarascal
15th January 2007, 09:07
mm yes, how do you use it?

pursuit11
20th January 2007, 18:22
I must start out by saying impressive!

I used this program to decrypt Flyff's .erl files.... unfortunately, as I figured, all but one file turned out to be garbage... npgl.erl came out fine... which was interesting... was wondering if anyone tried decrypting anything with Flyff GG/NP at all...

To nForce:

I developed the algorithm by reverse engineering the original algorithm in the game I was targeting.

Which game? What program are you using to reverse engineer it? And if the "log" files algorithms are "simple" do you think the simplicity would apply to the other .erl files?

MoonRain
28th August 2008, 06:42
Wow Thanks a lot