Page 1 of 2 (results 1 to 10 of 14)
#1 explosionsinthe

    GameGuard issues I'm having

    So I finally found a game protected by GameGuard whose executable is not packed, and my goal is only to prevent the game from initializing GameGuard (I am not going to disclose the name of the game in case their devs find this and decide to update its protection).
    I searched for referenced text strings and found a couple with GameGuard errors for message boxes inside, and that's how I located exactly which function initializes it. Now I will show you where GameGuard initializes and explain what my problem is.

    Code:
    004539F2  |. 6A 00          PUSH 0                                        /lParam 
    004539F4  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]                  |
    004539F7  |. 51             PUSH ECX                                      |hInst
    004539F8  |. 6A 00          PUSH 0                                        |hMenu 
    004539FA  |. 6A 00          PUSH 0                                        |hParent 
    004539FC  |. 8B55 E8        MOV EDX,DWORD PTR SS:[EBP-18]                 |
    004539FF  |. 0355 F4        ADD EDX,DWORD PTR SS:[EBP-C]                  |
    00453A02  |. 52             PUSH EDX                                      |Height
    00453A03  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]                 |
    00453A06  |. 0345 F8        ADD EAX,DWORD PTR SS:[EBP-8]                  |
    00453A09  |. 50             PUSH EAX                                      |Width 
    00453A0A  |. 6A 00          PUSH 0                                        |Y 
    00453A0C     68 00000080    PUSH 80000000                                 |X
    00453A11  |. 8B4D F0        MOV ECX,DWORD PTR SS:[EBP-10]                 |
    00453A14  |. 51             PUSH ECX                                      |Style
    00453A15  |. 68 603C9C00    PUSH GAMEClie.009C3C60                        |WindowName 
    00453A1A  |. 68 F83B9C00    PUSH GAMEClie.009C3BF8                        |Class
    00453A1F  |. 6A 00          PUSH 0                                        |ExtStyle 
    00453A21  |. FF15 587C8B00  CALL DWORD PTR DS:[<&USER32.CreateWindowExA>] \CreateWindowExA
    00453A27  |. 3BF4           CMP ESI,ESP
    00453A29  |. E8 020D3A00    CALL GAMEClie.007F4730
    00453A2E  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
    00453A31  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]
    00453A34  |. 8915 F43B9C00  MOV DWORD PTR DS:[9C3BF4],EDX
    00453A3A  |. 837D FC 00     CMP DWORD PTR SS:[EBP-4],0
    00453A3E  |. 75 04          JNZ SHORT GAMEClie.00453A44
    00453A40  |. 33C0           XOR EAX,EAX
    00453A42  |. EB 7D          JMP SHORT GAMEClie.00453AC1
    00453A44  |> A1 F43B9C00    MOV EAX,DWORD PTR DS:[9C3BF4]
    00453A49     50             PUSH EAX                                     
    00453A4A     B9 280C9F00    MOV ECX,GAMEClie.009F0C28                         
    00453A4F     E8 DC8E2A00    CALL GAMEClie.006FC930   <---------GG Initializer          
    00453A54  |. 85C0           TEST EAX,EAX
    00453A56  |. 75 04          JNZ SHORT GAMEClie.00453A5C
    After NOPing the GG initializing call I had to modify 2 JNZs which check if GG is on, and that's it. I hit the run button for the last time and I heard the intro sound of the game playing normally while the game and Olly were running without problems, except for one... the window of the game never showed up... I am sure that the CreateWindowExA call above the GG initializer is the game's window, because I checked the width and height that were passed to the call and they match the size of the game's window when run without Olly.
    So this is where I am at: GG is stopped from initializing and the game runs, it's just that the window is not visible. Any ideas?

    ---------- Post added at 06:42 AM ---------- Previous post was at 05:54 AM ----------

    I think I figured out why the window doesn't show. The first JNZ I was talking about is the one 2 lines under the GG initializer function, and this is what the area after the one I posted looks like.

    Code:
    00453A58  |. 33C0           XOR EAX,EAX
    00453A5A  |. EB 65          JMP SHORT GAMEClie.00453AC1
    00453A5C  |> 8BF4           MOV ESI,ESP
    00453A5E  |. 68 10254500    PUSH GAMEClie.00452510                                       ; /pTopLevelFilter 
    00453A63  |. FF15 AC748B00  CALL DWORD PTR DS:[<&KERNEL32.SetUnhandledExceptionFilter>]  ; \SetUnhandledExceptionFilter
    00453A69  |. 3BF4           CMP ESI,ESP
    00453A6B  |. E8 C00C3A00    CALL GAMEClie.007F4730
    00453A70  |. 8BF4           MOV ESI,ESP
    00453A72  |. 8B4D 0C        MOV ECX,DWORD PTR SS:[EBP+C]
    00453A75  |. 51             PUSH ECX                                                     ; /ShowState
    00453A76  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]                                 ; |
    00453A79  |. 52             PUSH EDX                                                     ; |hWnd
    00453A7A  |. FF15 547C8B00  CALL DWORD PTR DS:[<&USER32.ShowWindow>]                     ; \ShowWindow
    00453A80  |. 3BF4           CMP ESI,ESP
    00453A82  |. E8 A90C3A00    CALL GAMEClie.007F4730
    00453A87  |. 8BF4           MOV ESI,ESP
    00453A89  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
    00453A8C  |. 50             PUSH EAX                                                     ; /hWnd
    00453A8D  |. FF15 507C8B00  CALL DWORD PTR DS:[<&USER32.UpdateWindow>]                   ; \UpdateWindow
    00453A93  |. 3BF4           CMP ESI,ESP
    00453A95  |. E8 960C3A00    CALL GAMEClie.007F4730
    00453A9A  |. 8BF4           MOV ESI,ESP
    00453A9C  |. 6A 01          PUSH 1                                                       ; /Show = TRUE
    00453A9E  |. FF15 4C7C8B00  CALL DWORD PTR DS:[<&USER32.ShowCursor>]                     ; \ShowCursor
    00453AA4  |. 3BF4           CMP ESI,ESP
    00453AA6  |. E8 850C3A00    CALL GAMEClie.007F4730
    00453AAB  |. 8BF4           MOV ESI,ESP
    00453AAD  |. 6A 00          PUSH 0
    00453AAF  |. FF15 487D8B00  CALL DWORD PTR DS:[<&ole32.CoInitialize>]                    ;  ole32.CoInitialize
    00453AB5  |. 3BF4           CMP ESI,ESP
    I kept modifying that JNZ in order to skip this block because I remember it used to crash the game, so I never looked at it again and I always missed the ShowWindow call.
    I think that has to be why the window never showed. I will work on it and let you know how it goes.

    ---------- Post added at 06:56 AM ---------- Previous post was at 06:42 AM ----------

    It seems I didn't have to modify the second JNZ either; NOPing the GG initializer is all that's needed and the game runs just fine without GameGuard. I haven't registered an account yet in order to play, but according to what I've read there is some sort of server which sends some values to the game, which are sent to GameGuard, decrypted then re-encrypted, sent back to the game and then back to the server in order to stay connected.
    But I'm good for now anyway. I will try to write this "emulator" later on when I get better at reversing in general.
    Last edited by explosionsinthe; 2011-04-15 at 04:17 AM.
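    The patch described in this post, written out as an added example (editor's code, not the poster's): it decodes the E8 rel32 CALL at 00453A4F from the listed bytes, checks that it really targets 006FC930 before touching anything, maps the VA to a file offset through the section table, and overwrites the five bytes. Two things the post's own listing supports are worth making explicit. First, the `MOV ECX,9F0C28` / `PUSH EAX` pattern with no `ADD ESP,4` after the call suggests a `__thiscall` that cleans its one stack argument itself; five plain NOPs therefore leave the pushed hWnd on the stack until the function's EBP-based epilogue fixes ESP, which is why it worked here but would not be safe in a frame-pointer-omitted function. The example's default patch is `POP EAX` plus four NOPs instead, which balances the stack and leaves EAX holding the hWnd loaded at 00453A44 (non-zero), so the `TEST EAX,EAX / JNZ` at 00453A54 takes the ShowWindow path on its own, matching the later observation that the second JNZ did not need patching. Second, the section table, image base and the demo image are assumptions (the post gives none of them); replace `SECTIONS` with the real table before running this against the actual file, and keep a backup of the original.

```python
import struct

# Constructed sample (from the disassembly in the post): the 20 bytes at
# 00453A44..00453A57 around the GameGuard initializer call.
SAMPLE_VA = 0x00453A44
SAMPLE = bytes.fromhex(
    "A1F43B9C00"   # 00453A44  MOV EAX,DWORD PTR DS:[9C3BF4]  (the saved hWnd)
    "50"           # 00453A49  PUSH EAX                       (argument for the initializer)
    "B9280C9F00"   # 00453A4A  MOV ECX,9F0C28                 (this pointer)
    "E8DC8E2A00"   # 00453A4F  CALL 006FC930                  (GG initializer)
    "85C0"         # 00453A54  TEST EAX,EAX
    "7504"         # 00453A56  JNZ SHORT 00453A5C             (non-zero -> ShowWindow path)
)
CALL_VA = 0x00453A4F
CALL_OFF = CALL_VA - SAMPLE_VA          # 11: offset of the E8 opcode inside SAMPLE
GG_INIT = 0x006FC930

# ASSUMED PE layout for the VA -> file-offset step; the post gives no section table.
# Tuples are (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
IMAGE_BASE = 0x00400000
SECTIONS = [
    (".text", 0x00001000, 0x00300000, 0x00000400, 0x00300000),
    (".data", 0x00301000, 0x00020000, 0x00300400, 0x00020000),
]

STACK_SAFE_PATCH = b"\x58\x90\x90\x90\x90"   # POP EAX ; NOP ; NOP ; NOP ; NOP
PLAIN_NOP_PATCH = b"\x90" * 5                # what the post did


def call_target(code, off, insn_va):
    """Decode the E8 rel32 CALL at code[off] (located at insn_va) -> absolute target VA."""
    if code[off] != 0xE8:
        raise ValueError(f"no E8 CALL opcode at {insn_va:08X}")
    rel32 = struct.unpack_from("<i", code, off + 1)[0]
    return (insn_va + 5 + rel32) & 0xFFFFFFFF


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a virtual address to a raw file offset via the section table."""
    rva = va - image_base
    for _name, vaddr, _vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + raw_size:   # must be file-backed, not merely inside VirtualSize
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:08X} is not backed by file data")


def patch_call(code, off, insn_va, expected_target, balance_stack=True):
    """Overwrite the CALL at code[off] after checking it really goes to expected_target."""
    target = call_target(code, off, insn_va)
    if target != expected_target:
        raise ValueError(f"CALL at {insn_va:08X} goes to {target:08X}, expected {expected_target:08X}")
    patched = bytearray(code)
    patched[off:off + 5] = STACK_SAFE_PATCH if balance_stack else PLAIN_NOP_PATCH
    return bytes(patched)


def patch_image(image, call_va, expected_target, balance_stack=True):
    """Patch a whole PE file image (bytes) at the file offset that backs call_va."""
    return patch_call(image, va_to_file_offset(call_va), call_va, expected_target, balance_stack)


def build_demo_image():
    """Constructed stand-in for the game executable: zero-filled, with SAMPLE placed
    where the assumed section table says 00453A44 lives."""
    last = SECTIONS[-1]
    image = bytearray(last[3] + last[4])
    off = va_to_file_offset(SAMPLE_VA)
    image[off:off + len(SAMPLE)] = SAMPLE
    return bytes(image)


if __name__ == "__main__":
    print(f"CALL at {CALL_VA:08X} -> {call_target(SAMPLE, CALL_OFF, CALL_VA):08X}")
    print(f"file offset of {CALL_VA:08X}: {va_to_file_offset(CALL_VA):#x}")
    patched = patch_image(build_demo_image(), CALL_VA, GG_INIT)
    off = va_to_file_offset(CALL_VA)
    print(patched[off:off + 5].hex())
```

    The target check is the part to keep: a CALL rel32 is relative, so the same five bytes at a different address mean a different target, and verifying `call_target(...) == 0x006FC930` before writing is what stops the script from silently patching the wrong build of the client.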

#2 makradesh
    Lmao, I must admit that for finding everything out on your own you did do a great job!

    I think you are a real bot writer in progress.

    Thumbs up man!
    If you need help, I'll be here ^^
    Stewie kills the world in 2012.

#3 explosionsinthe
    Thanks, although the truth is this was easy even for me; it's just that I was silly enough not to see the ShowWindow and UpdateWindow calls any sooner ><. I am not entirely sure about how to approach GameGuard itself right now, but my guess is I would have to get the GameGuard executables (or at least GameMon) unpacked, open it up in Olly and try to figure out how exactly it communicates with the game client.

#4 pkedpker
    Is that nProtect GameGuard? You can bypass that without even writing an emulator or keeping it from loading; just use Cheat Engine.

#5 makradesh
    I think the reason explosionsinthe did this is because he wants to grow in the GG bypass scene,

    so that he will understand the way GG works.
    Just using an emu or CE from someone won't help you understand what you just did.

    At least that's what I think he was doing :$
    hehe

#6 pkedpker
    Yeah, that's why I like this community; people seem to know what they are doing here, not like other communities where people just leech shit or post a combination of tools to bypass something instead of coding their own tools. But I'm not complaining, sometimes the tools are good, and I guess I'm a leech too, rofl, so I'm not making any points here lol.

#7 explosionsinthe
    Quote Originally Posted by pkedpker:
    you can bypass that without even writing emulator, or keeping it from loading just use cheat engine
    Cheat Engine 6 is detectable (at least by the GG build Alliance of Valiant Arms is using); it's just that GG shuts the game down not when it detects it but later on, in order to fool people. If you read the GG analysis thread Dwar has opened, you'll see this mechanism is presented as a feature by nProtect.
    If you want to see it for yourself, attach CE 6 to the game, do a search and wait for 10 minutes; GG will eventually crash the game and notify you that it's found a tool.

    Quote Originally Posted by makradesh:
    So that he will understand the way GG works..
    Just using a EMU or CE from someone wont help you understand what you just did..
    hehe
    Couldn't have said it better myself. I usually get obsessed with how stuff works, which is why I hate it when I read tutorials that look like "do this, then that, and then that" without explaining why all this is done. If I don't understand every bit of how something works and why I am doing something, I get really uncomfortable with myself.

    Now on to my GG adventure. While I was on a bus with a headache, reaching my hometown, I thought there should be a more efficient way to find out how games communicate with GG. I then remembered a tutorial I read where WPE Pro was used to sniff packets sent from an MMORPG to its server. Apart from that, I registered an account for the game and logged in; I reached the character creation screen and after a minute I was disconnected from the server, which means that earlier than that (the problem is I don't know how much earlier that was) the server sent those encrypted values to the game so GG could work on them and send them back.
    If I could use that "disconnected from server" message in order to figure out which packets sent to my client were those 4 values intended for GG, I should be able to trace that data and find how the game attempts to send it to it.
    Last edited by explosionsinthe; 2011-04-17 at 03:54 AM. Reason: typos

#8 makradesh
    Hehe, finally I am liking this forum!!
    After the complaint PM that I sent to Dwar, this really cheers me up!!

    I really hope I can help both of you; I don't care how far you are with C++.
    If you're having a hard time, I'll help you out!!

    And like I said: the best way to learn is to do it yourself.

    Don't forget to make backups. If you screw things up, you always have a backup.

#9 pkedpker
    Yeah explosion, your only hope to write an emu for GG is to somehow load it up in OllyDbg without it detecting OllyDbg, obviously. Probably you gotta unpack it and fix all the errors it may present, like checksums and such, then set a breakpoint on the send command, aka "bp send".

    Every time a packet gets sent you'll see it in OllyDbg, no need for WPE Pro, and you'll see the funcs that probably encrypted the packet too.

    Unpacking is, I think, the hardest step; I don't know how to do it at all, and most tutorials don't help.

#10 explosionsinthe
    Unpacking will certainly be the first and biggest problem, which I am not even sure I'll manage to overcome. I just hope I can rely on this new script this LCF-AT guy has released for that.
    On top of that I found a PDF guide by this Galco person, who goes by different names, which really explains a lot about how to do this. It seems GameMon will have to be running in order to be able to manually call some CreateKey function inside it so I can get past some virtualized code, so the issue here is I have to find a way to make GameMon run alongside Olly without it being detected/crashed by GameGuard. But all this provided I have managed to unpack the module.
    For now I will work on figuring out how to get the "keys" the game server sends to the game client and then how the game sends them to GameMon.

    @makradesh: Lol, what exactly were you complaining to Dwar about? Oh, and I believe I am fairly experienced in C/C++ and Windows memory programming; that aside, you should know I am someone worth helping out XD

    ---------- Post added at 06:26 PM ---------- Previous post was at 05:43 AM ----------

    So here's a rather unexpected problem I'm having. I run the game client and first attach WPE Pro to it; before I log in I start sniffing all packets and then proceed to log into the server. Once logged in I wait until I see the "disconnected from server" message and then stop sniffing, and I see nothing in WPE.
    I then decided to try with just Olly by setting a breakpoint on all recv as well as send calls; again I log into the server and wait for a break until I see the "disconnected from server" message. Olly didn't break anywhere, while I specifically expected it to break the moment I logged in, so I have either misunderstood the packets concept or something else is going on.

