#1
Apprentice Knight
Join Date: 10th Nov 2005
Posts: 76
Some Luck with WinDbg (GodMode 0.12)
Wow, who woulda thought that Windows' own debugger, WinDbg, would be the one that could pull it off lol. Ok here's the deal folks (btw this is intended for those that are actually making trainers etc, not a noob's post at all).
This is what the code looks like at startup.

image00400000+0x19a784:
0059a784 0000 add [eax],al
0059a786 0000 add [eax],al
0059a788 0000 add [eax],al
0059a78a 0000 add [eax],al
0059a78c 0000 add [eax],al
0059a78e 0000 add [eax],al
0059a790 0000 add [eax],al
0059a792 0000 add [eax],al

Then after a few instructions are parsed and run, the code is unpacked, revealing the ever commonly known:

image00400000+0x19a784:
0059a784 0f852b060000 jne image00400000+0x19adb5 (0059adb5)
0059a78a 8b8714010000 mov eax,[edi+0x114]
0059a790 83e0fe and eax,0xfffffffe
0059a793 83f812 cmp eax,0x12
0059a796 0f8419060000 je image00400000+0x19adb5 (0059adb5)
0059a79c 8b1d78f16700 mov ebx,[image00400000+0x27f178 (0067f178)]
0059a7a2 8d45c0 lea eax,[ebp-0x40]
0059a7a5 50 push eax

Now, here comes the interesting part: if you edit this now, and switch the jne to a je, then keep going, the game fires up (best if used in a windowed mode) and voila! GodMode is reborn!!!

Now, as for the CRC check, it's definitely in MapleStory and not GameGuard... why, you ask? Because if you change instructions just before running the instruction at "015ee44d" the game will NOT dc you. However, after this point, memory altering is impossible with WinDbg because it can no longer access the memory correctly. I have got into the game and on one map allowed GodMode for more than 10 minutes, so I know this works, it just needs a better method of doing it. When I change maps, the game throws a strange exception at WinDbg that it cannot handle or pass on, and always flings itself into an infinite loop of access violations. But as long as I stay on one map it works fine.

Anyway, hopefully this will help Dark Byte or Sean in some way. I'll keep you guys posted if I discover anything else.

P.S. Oh yeah, I find it weird that GameGuard fails to initialize if I just allow all the code to run in the debugger, however if I set a couple breakpoints first, then it loads just fine??? Doesn't make any sense at all.
[note to mofo] can you add "(GodMode 0.12)" to the title of this, since it isn't really clarified in the title what I'm having luck with? Thanks
__________________
Everything's heading for Total Information Technology, T.I.T. and when you're suck-ing on the TIT, I've got you by the MotherBoard!
Last edited by wilbowen; 25th November 2005 at 13:39..
#2
Apprentice Knight
Join Date: 25th Aug 2005
Posts: 75
lol great job man, I'll go try it shortly .... any expert wanna make a patch for people?
#3
Apprentice Knight
Join Date: 10th Nov 2005
Posts: 76
I would if I could just dump the darn thing. Working on it in memory is simple enough for me; dumping the image to disk, however, eludes me. If someone has knowledge of how to dump a module in memory to disk using WinDbg, I'd be very grateful if you'd let me know lol, kuz at that point patching would be super easy indeed. Also, I am guessing from the nature of how it worked for me that a person making a trainer would need to create a trainer to do the following...

1. Run before MS
2. Scan the memory at 59a784
3. At the moment of it changing, suspend the MS process
4. Inject the new code in its place before MS does the first CRC run
5. Exit out of the trainer.

That does pose the question though, would there be any way to set hotkeys? Doubtful, and vacs would be extremely hard to create as well; without the ability to turn the code on/off you would have to set the coords at runtime each time, and exit to turn it off.
#4
Member Of Elite7
Necromancer of the Light
Join Date: 21st Dec 2004
Location: Australia
Posts: 696
hmm, what made you try to use WinDbg? I would never have thought of using it because I expect G.g to be smart enough to patch it in version 1 of G.g.
Well, this is also a good way to do it; my way is much less of a hassle. anywayz good job
Last edited by farmerchum; 25th November 2005 at 13:57..
#5
Apprentice Knight
Join Date: 10th Nov 2005
Posts: 76
I don't know what made me think of it. It just popped into my head that if Microsoft created their debugger to work on all types of kernel stuff and drivers, perhaps they had a better way of handling all the anti-debugging techniques used in current code. Looks like they do ^_^ And thanks for the compliment.
#6
War Titan
Join Date: 12th Oct 2005
Posts: 231
What's the difference between that and changing the memory (jne to je) when MapleStory starts up?
Anyway, good finding. GameGuard might now update again to block this. Good luck.
#7
Apprentice Knight
Join Date: 10th Nov 2005
Posts: 76
Quote:
#8
War Titan
Join Date: 12th Oct 2005
Posts: 231
By using the debugger, you're probably changing the instruction so quickly that MS didn't execute any instruction at "015ee44d" (CRC32 checking), which seems like what you're stating, correct?
#9
Apprentice Knight
Join Date: 10th Nov 2005
Posts: 76
Correct, it is doing it quickly enough in the process (just after unpacking) that the CRC checks have not been done yet, and this totally flies. I'm guessing (haven't looked into it yet) that the CRC gets a reading after the file is unpacked, then makes its number. My guess is that it then periodically checks that sum again throughout gameplay, thus why the code will work before the check is in place, but not after.

[edit] I have now checked to see if you can suspend the app at the point it decides to load GG and inject the code changes. This definitely doesn't work; the CRC check has already been run by the time it calls GG into existence. Still looking into it though.
Last edited by wilbowen; 25th November 2005 at 17:39.. Reason: Automerged Doublepost
#10
Lord of Destiny
Join Date: 21st Feb 2004
Posts: 48
debugging...just great...:ermm:

A tut on how to use this would help for us less-debugging-literate. When I opened the ms.exe it shows me some code then just stops...MS doesn't even open...what a headache. I think I'll go try some more rootkits T_T

Shifting gears for a second... What of that godmode trainer Sean made...is it possible to create another trainer and just use the hotkey before GameGuard finishes loading and close the trainer again? Just a thought. (Can't really remember if that was before or after the CRC was put back into MS)
#11
*poke*
Lord of Destiny
Quote:
That's impossible now, they've REINSERTED CRC checks...... Sean's was during the period where they first put in nProtect I think, and took out CRC.... Nice work wilbowen, I would've never thought of WinDbg...all that time with FU rootkit and others o.o
__________________
Hollow Ichigo http://img294.imageshack.us/img294/5...wichigo4ov.jpg Come to the dark side....
Last edited by cryptus92; 25th November 2005 at 20:48..
#12
Apprentice Knight
Join Date: 10th Nov 2005
Posts: 76
Thanks for the comp cryptus! And dv8r, I did state at the top that this thread was to help those peeps who were working on trainers or hacks etc... It really isn't meant to be a thread that will guide you through everything.

As for Sean's hack, cryptus is correct, it is impossible to use his trainer right now. However, it does work along the same lines; his trainer, I'm sure (have not tried it), uses the same concept of changing the jne to je (a weird notice to debug users: a certain debugger out there tells me it is a jnz and jz, not je, lmao, practically same dif). So, if it would be possible to pause the process BEFORE the CRC check comes into play, then maybe the trainer would work, but I do not know of a way yet to pause the process so precisely without using a debugger. I have even tried an app that stalls it when it attempts to load GG, but that isn't quick enough. Bottom line, it's got to be done just after the exe is unpacked into the memory. Or if someone figures out how to bypass that darn CRC check, then that would be the best way to do it; then you could do pretty much whatever you wanted.

So, in close, I'm sorry, I never meant for this to be a method for everyone to use, I just wanted to get the info out to other coders out there that it has been done and tested.
#13
War Titan
Join Date: 12th Oct 2005
Posts: 231
Sorry, I wrote a program that searches for the maplestory.exe process. If the process isn't found it loops and keeps on searching. Once it finds it, it sleeps for a "certain time", then wakes up and changes jne to je. But got no luck: first it changed jne to je too quickly, and you still get hurt in the game. I then changed that "certain time". Then it changes too late: you don't get hurt, but in 1 sec you get dc'd. Then I made it search and, once it finds the process, check to see if address 59A784 is filled with the jne instruction. If it's not, it keeps searching; if it is, it changes it to je. This causes a pop-up dialog saying Protection Error, error: 45.

Sorry, I did what I can for you guys. (Man, I hate inputting the pin code.) OMS sure sucks big time.
#14
Apprentice Knight
Lol well I'm guessing god mode will soon be alive again... hah, Wizet just can't keep you guys down
__________________
So many stupid people are alive it's sad
#15
*poke*
Lord of Destiny
Quote:
Not necessarily... but good job guys. I guess best case scenario = we kick GameGuard's butt and use all the nice hacks again. Worst case scenario = we are stuck with this temporary godmode. But fantasy scenarios: best = CRC32 checking fails, nProtect is destroyed from the face of the planet, we can use server-sided hacks; worst case scenario = Wizet and GameGuard kill all haxor.
Last edited by cryptus92; 26th November 2005 at 19:53..