need help removing gameguard


n00b_h4x0r
5th May 2007, 20:18
I'm trying to remove gameguard from maplestory. I have unpacked maplestory, killed the CryptVerifySignature, replaced GameGuard.des with a fake, and patched the code that gives you the h_acking detected message. Now I cannot select a character. Using ethereal, I found that, with gameguard, maple sends the server 66 bytes, server sends 22, maple sends 22, server sends 22, maple sends 22, server sends 22, maple disconnects and connects to game server. Without gameguard: maple sends 66 bytes, server sends 22 bytes, maple sends ACK, -nothing-. Anyone know how I can h_ack/emulate/bypass this?

gamefreakl33
15th May 2007, 22:58
erm.. no reply?

SnakeEye
21st May 2007, 18:04
zzzzzz

The server uses GameGuard rev checks to make sure you have the right GameGuard.

If it won't detect any = instant DC.

Drop that idea out of your head,

unless you can find some method to make the server think you have GameGuard...

n00b_h4x0r
2nd June 2007, 01:55
I'm not positive, but I think GameGuard is either hooking the Windows socket API or is using an NDIS filter driver. I don't know any other way to intercept or insert packets.

BTW, is there a debugger I can use that's not blocked or detected by GameGuard?

S3NSA
2nd June 2007, 03:41
you can freeze and olly it.

cuteharez
2nd June 2007, 07:17
There's a hash to check for GG condition. If you want to remove GG you have to remove the hash. If not, your game client will shut down or DC.

n00b_h4x0r
2nd June 2007, 21:40
I figured out the hash already. There's a block at the end of GameGuard.des that has the filename and a digital signature. To kill the hash check, unpack MapleStory with ASProtect stripper, load it into OllyDbg, put a bp on CryptVerifySignatureA, and patch CryptVerifySignatureA with mov eax,1 and nops.

cuteharez
3rd June 2007, 08:02
Doesn't StripperX damage the IAT of files?

n00b_h4x0r
4th June 2007, 06:23
It seems to work fine. BTW, you also need to patch a few push instructions before the CryptVerifySignatureA with nop (don't remember how many). You also need a CRC bypass because you changed the code.

[edit] try this OllyScript

[edit2] anyone know how to unpack themida?

cuteharez
5th June 2007, 18:19
Oreans packers are the hardest to unpack, but they cause the application to lag out.

Btw what games are you playing.

n00b_h4x0r
6th June 2007, 03:46
There's a tool called unthemida, but it doesn't work on GG. Perhaps GG is using a hacked Themida like it used to use a hacked UPX. GG's Themida also has an anti-Olly trick that crashes Olly, but I patched mine. Now when I debug, it gives an error saying "An internal exception occured (Address: 0x77fe8f) ..." The instruction at that address is 0077FE8F 888488 7EB7ED20 MOV BYTE PTR DS:[EAX+ECX*4+20EDB77E], AL and AL is 00 and the address is 8F6E2756. Isn't that address kernel mode? Any ideas? I'm using SND's hacked Olly and I don't know how many hide-debugger plugins

astrogod
6th June 2007, 23:40
If you remove the GG (that is very easy to do, only patching 3 jumps), you'll need to emulate the GG checksum packet (client to server). Otherwise you'll be disconnected from the game server after N seconds!

Just a note, I'm reversing the gamemon and found that there are 2 different checksums calculated by gamemon that are sent to the game process, using unnamed pipe communication. These checksums are sent to the game server, but I'm not sure yet if they are sent using 1 or 2 different packets..

About themida, there isn't any working public unpackers/tuts for the newest versions, only for old versions. So, GL on unpacking it!

linden
7th June 2007, 10:33
Just a note, I'm reversing the gamemon and found that there are 2 different checksums calculated by gamemon that are sent to the game process, using unnamed pipe communication. These checksums are sent to the game server, but I'm not sure yet if they are sent using 1 or 2 different packets..


You sure it's unnamed pipe?
I caught named pipes though...

I'm also trying to figure out what GG is doing, and
as I hooked NtWriteFile and NtReadFile from both the game and GG, I got the following log...


PID 1280=game
PID 552=GameMon.des

[PID ]-[TID ]
[1280]-[ 544] NtWriteFile(\Device\NamedPipe\Win32Pipes.00000500.00000002, Length=16)
[ 552]-[1156] NtReadFile(\Device\NamedPipe\Win32Pipes.00000500.00000002, Length=16)
[ 552]-[1156] NtWriteFile(\Device\NamedPipe\Win32Pipes.00000500.00000001, Length=16)
[1280]-[ 544] NtReadFile(\Device\NamedPipe\Win32Pipes.00000500.00000001, Length=16)
[ 552]-[1156] NtWriteFile(\Device\NamedPipe\Win32Pipes.00000500.00000001, Length=16)
[1280]-[ 544] NtReadFile(\Device\NamedPipe\Win32Pipes.00000500.00000001, Length=16)
[1280]-[ 544] NtWriteFile(\Device\NamedPipe\Win32Pipes.00000500.00000002, Length=16)
[ 552]-[1156] NtReadFile(\Device\NamedPipe\Win32Pipes.00000500.00000002, Length=16)
[1280]-[ 544] NtWriteFile(\Device\NamedPipe\Win32Pipes.00000500.00000002, Length=16)
[ 552]-[1156] NtReadFile(\Device\NamedPipe\Win32Pipes.00000500.00000002, Length=16)
[ 552]-[1156] NtWriteFile(\Device\NamedPipe\Win32Pipes.00000500.00000001, Length=16)
[1280]-[ 544] NtReadFile(\Device\NamedPipe\Win32Pipes.00000500.00000001, Length=16)
....


They are sending 16 bytes of info back and forth,
but the game still kept running when I suspended these threads though...

astrogod
7th June 2007, 23:14
I'm 100% sure that it is using the CreatePipe() function, and not CreateNamedPipe() (at least on the MU GG version!). The game process is the parent process and gamemon is the child. Each process (gamemon and game.exe) creates a PipeThreadProc() that reads/writes data from/to the pipe.

And yes, the exchanged data size is normally 16 bytes long. The structure of each packet is:

struct pipe_data {
    DWORD Type;          // type of msg (e.g. it says it's a reply msg to another packet of the same ID)
    DWORD LocalTimeCalc; // a number generated based on the GetLocalTime() function
    DWORD ID;            // it says what info the Data will contain
    DWORD Data;          // e.g. it can be the gg checksum :P
};

* However, I found there are other packets with different formats that can be 32 bytes long and, in this case, the Data member will be the size of the additional data, but I still dunno what they can contain.

If you want to understand how the thing is going on, study the GG_Start() proc that is inside each game.exe that uses npgamelib. I'm currently developing a GG launcher that is able to communicate with gamemon.des, and I'm reversing the pipe packets now.

n00b_h4x0r
10th June 2007, 23:32
I'm reversing dump_wmimmc.sys. WTF is this weird code? The jmp near ptr invalid and all the db and dd. BTW, I figured out all the client-side stuff. I only need the server stuff.

linden
11th June 2007, 13:32
I'm reversing dump_wmimmc.sys. WTF is this weird code? The jmp near ptr invalid and all the db and dd. BTW, I figured out all the client-side stuff. I only need the server stuff.

You can't reverse dump_wmimmc.sys any more. More than 90% of its code has been obfuscated using Code Virtualizer (http://www.oreans.com/codevirtualizer.php) since the late rev800's.

Well, I wouldn't say it's impossible, but it's definitely impractical!

What you can do, is hook every single function imported by dump_wmimmc.sys and log everything. Besides that, you can dump its data section from time to time, to see what data it's dealing with. (That's what I did.)

n00b_h4x0r
12th June 2007, 00:46
OK, that invalid addr is in the reloc section. It is right at the end of the file. It's
.reloc:000367F4 loc_367F4: ; CODE XREF: DriverEntry:loc_17FC5j
.reloc:000367F4 push offset loc_35412
.reloc:000367F9 jmp loc_199DC
and then
.reloc:000199DC pusha
.reloc:000199DD pushf
.reloc:000199DE cld
.reloc:000199DF call $+5
.reloc:000199E4
.reloc:000199E4 loc_199E4: ; DATA XREF: sub_13D82+5C63o
.reloc:000199E4 pop edi
.reloc:000199E5 sub edi, offset loc_199E4
.reloc:000199EB mov eax, edi
.reloc:000199ED add edi, offset dword_19700
.reloc:000199F3 cmp eax, [edi+2Ch]
Reminds me of Themida. Help plz.

linden
12th June 2007, 06:34
OK, that invalid addr is in the reloc section. It is right at the end of the file.

You're going to analyze all their virtual machines?

n00b_h4x0r
14th June 2007, 04:20
Depends. When the server sends a packet to check for GameGuard, does GameMon.des, dump_wmimmc.sys, or NPPNT2.sys send the reply packet?

linden
14th June 2007, 13:55
Depends. When the server sends a packet to check for GameGuard, does GameMon.des, dump_wmimmc.sys, or NPPNT2.sys send the reply packet?

It's possible to totally kill dump_wmimmc.sys's functionality and still keep GameMon.des and the game running...so, I think it's safe to conclude that dump_wmimmc.sys and NPPNT2.sys (this driver does nothing but open up holes in game's IOPM) are not involved in client/server packet relay; it's done by GameMon.des.

astrogod
17th June 2007, 17:03
The npchecksum sender is the gamemon.des. I could keep my cracked game.exe alive for more than 1 min, which means I successfully sent the first npchecksum packet to the server. But, after 30 seconds more, it appears that the game sends the same npchecksum packet, containing a key calculated differently from the previous npchecksum key. It appears there are 2 different routines inside gamemon that calculate keys for each time it sends the npchecksum packet to the game.

n00b_h4x0r
20th June 2007, 19:14
Not related to GameGuard, but how to unpack MapleStory Global 0.39? It has yC, but I unpacked that and fixed the IAT. Under yC is ASPR, but both StripperX and the script I posted above do not work. Stripper misses 2 imports, misses some bytes at the OEP, and didn't resolve any of the VM. The script says unrecognized version. Help plz. Also, how to unpack gamemon.des?

Moose
4th August 2007, 21:02
It's rather basic.

This is in Gunbound, probably the same in Maplestory.

Server sends a packet to the client (always the same, never changes) encrypted with an xor-ish method; client decrypts, pipes it through to GameMon, which then initializes and replies with its own info; client encrypts that info and sends it to the server.

The first 2 challenge/responses are -always- the same. Hence it's incredibly easy to just change 4 bytes and remove GG and emulate this packet to run for 250sec (the interval of the cr packets).

After that, the data becomes a little more randomized and is calculated by GG. It's not a hash of any kind.

Here is an example of some of GB's challenge/responses divided into DWORDs.


[GGPktEmu] Challenge => 000008B2 00D8A513 00000616 4247CC89
[GGPktEmu] Response => 000008B2 00D8A513 0000063A 4FDA738A
[GGPktEmu] Challenge => 000008B2 00D8A4E6 00000616 7A776C8E
[GGPktEmu] Response => 000008B2 00D8A4E6 0000063A 30130F83


You don't need unThemida to unpack Themida.. It's not better than the others it's just.. different. It takes more than a tutorial to unpack it.

n00b_h4x0r
16th August 2007, 05:41
2 problems:
1. I can't edit the previous posts?! The button is gone! I can edit this one?!
2. I heard crc bypass in maplestory is patched or something?

Popsicle
17th August 2007, 07:46
No, CRC bypass isn't patched in MapleStory; it's just that before, people had trouble bypassing the GG CRC until a bypass was released.

n00b_h4x0r
17th August 2007, 21:13
Yeah, I found the bypass and took a look in IDA. The Bypass.exe is a generic dll injection program. PHAIL.DLL is injected into maplestory and F***U.dll is injected into GameMon. However, I'm too lazy to analyze the dlls. Can someone tell me how they work? Do they work similar to the CT +CEM method? Also, can someone tell me how pipes work in Windows? SIMPLE example code in C#/C/C++ would be helpful.
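Answering the pipe question with an added example that is not from this thread: a minimal anonymous-pipe round trip in C. It uses CreatePipe/ReadFile/WriteFile on Windows (the API astrogod's post names) and falls back to POSIX pipe()/read()/write() elsewhere so the same code also runs on Linux; the 16-byte message layout and its field names are taken from the struct in that post, and the sample values are constructed.

```c
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
typedef HANDLE pipe_end_t;
#else
#include <unistd.h>
typedef int pipe_end_t;
#endif
/* Message layout from astrogod's post: four DWORDs, 16 bytes in total. */
typedef struct { uint32_t Type, LocalTimeCalc, ID, Data; } pipe_data;
/* Anonymous pipe: ends[0] reads, ends[1] writes; inheritable on Windows so a child can get one end. */
static int pipe_create(pipe_end_t ends[2]) {
#ifdef _WIN32
    SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, TRUE };
    return CreatePipe(&ends[0], &ends[1], &sa, 0) ? 0 : -1;
#else
    return pipe(ends);
#endif
}
/* Pipes are byte streams: one read/write may move fewer bytes than asked, so loop. */
static int pipe_xfer_all(pipe_end_t h, void *buf, size_t len, int writing) {
    size_t done = 0;
    while (done < len) {
        char *p = (char *)buf + done;
#ifdef _WIN32
        DWORD n = 0;
        if (!(writing ? WriteFile(h, p, (DWORD)(len - done), &n, NULL)
                      : ReadFile(h, p, (DWORD)(len - done), &n, NULL))) return -1;
#else
        long n = (long)(writing ? write(h, p, len - done) : read(h, p, len - done));
#endif
        if (n <= 0) return -1;   /* error, or the peer closed its end */
        done += (size_t)n;
    }
    return 0;
}
/* Send one 16-byte message through a fresh pipe and read it back; 1 if intact. Writing
 * before reading is safe only because 16 bytes fits in the pipe buffer (a real peer reads in its own thread). */
int pipe_roundtrip(pipe_data msg, pipe_data *out) {
    pipe_end_t ends[2];
    if (pipe_create(ends) != 0) return 0;
    int ok = !pipe_xfer_all(ends[1], &msg, sizeof msg, 1) && !pipe_xfer_all(ends[0], out, sizeof *out, 0);
#ifdef _WIN32
    CloseHandle(ends[0]); CloseHandle(ends[1]);
#else
    close(ends[0]); close(ends[1]);
#endif
    return ok && memcmp(&msg, out, sizeof msg) == 0;
}
```

In a real parent/child setup the parent creates the pipe, starts the child with inherited handles, and each side runs its read loop on its own thread, which is the PipeThreadProc() pattern described above.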