Page 1 of 3 123 LastLast
Results 1 to 15 of 32
  1. #1
    /b/oss's Avatar
    Join Date
    Feb 2010
    Gender
    male
    Posts
    13,652
    Reputation
    795
    Thanks
    3,543

    Cool Bypassing GameGuard

    Hey there!

    i hope after this TUT will be less banns and so on. ENJOY TUT!

    The simple fact that you are willing to read this tutorial shows that you are at least interested in making your own hacks/bypasses.
    I will walk you guys through the general idea behind the PostMessage bypass and its sourcecode.

    Here is a list of tools that you will probably need (so look for a copy of these programs):


    -Microsoft Visual C++ (any version will do, I myself use 6.0)
    -Microsoft Visual Basic (just to save the hassle and to be able to setup a GUI real fast)
    -OllyDbg with some plugins (IDA pro is more powerful, but also harder to use)
    -A brain and the will to try things over and over again untill u get the hang of it


    You have downloaded these tools, your IQ isn't lower than 70 and you have the will to learn and to try until you succeed!
    So lets get started!

    So, what does GameGuard do? Why can't I use certain functions?

    To keep it simple: GameGuard basically intercepts some (almost every single one) of the functions that allows users to create macro tools/bots.
    If youre familiar with "hacking" you have most likely heard of "hooking" functions (and a many times used technique, Microsoft's Detours).
    This is often done when simple adjustments have to be made to a program of which the user has lost the sourcecode (or simply doesnt have the sourcecode) from. You overwrite the first 5 Op-codes of the function you want to intercept with a call to your own function.
    This prevents the original function from being executed and executes your function instead! You can then check the params that were send to the original function, execute some other pieces of code if you like and then return to the function so you dont completely ruin the dataflow.
    (As I have mentioned before, a good way to do this is by "detouring" a function.) Im unsure if GameGuard uses detours, though it appears to me that the hooking method they use is very similar to what I described.

    So basically the first 5 bytes of the original function are not as they are supposed to be, and therefor you are dependant on what GameGuard allows you to do with this function.
    In the case of PostMessage calling PostMessage will not cause the function to be executed as you intended it to be.


    Well, Ive got a clue now how GG blocks these functions.. How to bypass it?

    Bypassing a function thats hooked by GG isn't that hard.
    Basically you let YOUR function handle the op-codes that were originally at the 1st 5 bytes of the program, then you will let the program jump to the function's offset + 5 bytes.
    That way you JUMP OVER the bytes GG has overwritten to redirect the function to a GG function.
    If you do that without executing the original op-codes you will most likely make the game crash because the registers will be all messed up.

    Off to some code (Here is where Visual c++ jumps in):
    Code:
    #include <windows.h>
    
    HINSTANCE hInst; 
    DWORD DLLFunc; 
    HWND hFlyff;
    HWND hWnd;
    
    
    __declspec(naked) BOOL WINAPI __stdcall myPostMessageA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
    {
       __asm
       {
          mov  edi, edi
          push ebp
          mov  ebp, esp
          jmp [DLLFunc]
       }
    }
    I will explain this code line by line. The first few lines are there to declare some variables and to import some standard windowsfunctions.


    Code:
    __declspec(naked) BOOL WINAPI __stdcall
    This function needs to be able to manage its own stack, and doesn't necesarilly return a value.

    Code:
    myPostMessageA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
    The functionname and the parameters you will pass through it, these parameters must be identical to the ones of the function youre bypassing.
    If you are unsure what parameters to pass to it look the original function up on MSDN.

    Code:
                                                        __asm
       {
          mov  edi, edi
          push ebp
          mov  ebp, esp
          jmp [DLLFunc]
       }
    Now it's getting tricky, this piece of code is written in assembly, thats just a small step above the "machine language", the 0's and 1's.
    jmp [DLLFunc] means that the program should jump to a certain offset, that offset is equal to the functionroot + 5 bytes.

    We declare it in DLLMain:

    Code:
       BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID /*lpvReason*/)
    {
        switch (dwReason)
        {
            
            case DLL_PROCESS_ATTACH:
            {
                   if (DLLFunc == NULL) {
                    hInst = LoadLibrary("user32.dll");
                    DLLFunc = (DWORD)GetProcAddress(hInst, "PostMessageA") + 5; 
                    }
                   if (hFlyff == NULL) {
                    hFlyff = ::FindWindow(NULL, "FLYFF");
                    }
            }
            break;
    
            case DLL_THREAD_ATTACH:
                {
                   if (DLLFunc == NULL) {
                    hInst = LoadLibrary("user32.dll");
                    DLLFunc = (DWORD)GetProcAddress(hInst, "PostMessageA") + 5; 
                    }
                   if (hFlyff == NULL) {
                    hFlyff = ::FindWindow(NULL, "FLYFF");
                    }
                }
            break;
            case DLL_THREAD_DETACH:
                {
                    if (hInst != NULL) {
                   // Un-Load DLL
                   ::FreeLibrary(hInst);
                   hInst = NULL;
                } 
                }
            break;
            case DLL_PROCESS_DETACH:
            {
                    if (hInst != NULL) {
                   // Un-Load DLL
                   ::FreeLibrary(hInst);
                   hInst = NULL;
                } 
            }
            break;
        }
        return TRUE;
    }
    Now this isnt too hard to understand, this piece of code calculates the offset of the PostMessage-function and adds 5 bytes to that offset so the offset DLLFunc helds will be the 1st byte past the 5 bytes that GG has overwritten upon initialisation of the DLL.
    Using both DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH allows you to either inject the dll, or to load the dll from within your own application.
    Which way you choose depends on your own preferences.


    So back to the assembly part:
    Code:
                                                       __asm
       {
          mov  edi, edi
          push ebp
          mov  ebp, esp
          jmp [DLLFunc]
       }
    I have already explained the jmp [DLLFunc] part.
    Now here's how to understand what the other 3 instructions mean.
    Open up OllyDbg.
    Open user32.dll (located in the systemfolder of your windowsfolder)
    Press Ctrl+N.
    A list of function names will show up, scroll down till you find PostMessageA and double click it.
    You will be taken to the functionroot.
    Look at the first 3 lines: "OMG THATS THE EXACT SAME PIECE OF ASM AS THE ABOVE!"
    True
    So with the above piece of assembly code we manually execute the overwritten bytes.
    If you have some knowledge on assembly you will see that Code:
    mov edi, edi
    push ebp
    mov ebp, esp
    is 5 Bytes long!

    So we have successfully written a bypass for the PostMessageA-function now!
    Gratz! You've done it!

    Now only 1 more thing remains..
    In order to make other programs able to use our functions we must export it.
    There is an easy way to do this using Visual C++.
    Add a .def file to the project.
    The syntaxis to export a function is as follows:

    Code:
         LIBRARY "<name of dll here>" 
    EXPORTS
        <Name of Function here> 
    In our case that's:
         Code:
         LIBRARY "BypassedPostMessage" 
    EXPORTS
             myPostMessageA
    Compiling this code will result in a dll which you can then use with scripting/programming tools like AutoIT and visual basic.


    Yay! We have a Bypass now! How to use it??!!
    Simple!
    We import the function with visual basic!

    Here is a small example:
    [PHP]Private Declare Function myPostMessageA Lib "BypassedPostmessage.dll" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Long) As Long
    Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long

    Private Sub Command1_Click()
    Dim hWndCMD As Long
    hWndCMD = FindWindow(vbNullString, "FLYFF")
    myPostMessageA hWndCMD, WM_KEYDOWN, vbKeyE, 0
    End Sub[/PHP]

    So here are all the steps you have to take again, one by one:
    -Find a function that you want to use, but that is blocked by gameguard.
    -Open the dll that the original function is in with OllyDbg and look it up in the functionname list.
    -Go to the function and copy the first 5 bytes of instructions.
    -Paste these instructions in a piece of inline ASM.
    -Make sure that GetProcAddress() returns the offset of the function you want to bypass.
    -Rewrite the original function and make sure you pass the right parameters to it.
    -Export the function
    -Exploit the new function using Visual Basic, AutoIT, C++, delphi, whatever language you feel comfortable with.


    I hope this tutorial shows enough so you guys can use it to bypass other functions.
    Good luck hacking! press thanks IF i helped you!!

  2. The Following 6 Users Say Thank You to /b/oss For This Useful Post:

    BossMan. (06-15-2010),DRAKE` (06-15-2010),gianmk03 (06-16-2010),razorvswebster9321 (03-07-2014),richardtreier (06-16-2010),wailantum (06-15-2010)

  3. #2
    wailantum's Avatar
    Join Date
    May 2010
    Gender
    male
    Location
    nowhere
    Posts
    96
    Reputation
    10
    Thanks
    7
    My Mood
    Amused
    The process is pretty grim to accomplish isn't it??? lol but hey it'll benefit that then. Great job going to test it.
    My principles:
    1. Great minds never think alike.
    2. The lies beyond the truth make the truth a lie.
    3. The judgment in one's mind will never exceed the
    limits of one's self.
    4. Never judge for ignorance will befall upon you.
    5. Flaming is another way to show one's stupidity
    and pride.
    6. Humility towards others is the better answer to
    arguments.
    7. I care less if others belittle me in forums for numbers
    and reputation powers do not exceed my mind
    statistics can always be ruled out.
    8. Respect people that service the public for they do
    what you others can't even bother to do

  4. The Following User Says Thank You to wailantum For This Useful Post:

    /b/oss (06-15-2010)

  5. #3
    BossMan.'s Avatar
    Join Date
    Dec 2009
    Gender
    male
    Location
    BossWorld
    Posts
    3,314
    Reputation
    51
    Thanks
    419
    My Mood
    Relaxed
    Nice work man. Glad you found the effort and determination to post this. However, these things baffle me beyond comprehension D:



  6. #4
    DRAKE`'s Avatar
    Join Date
    Dec 2009
    Gender
    male
    Posts
    959
    Reputation
    116
    Thanks
    301
    Wohoho nice ure minion , congratz . And nice tuterail .
    i am @Eminem

  7. #5
    ronon6's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Posts
    193
    Reputation
    10
    Thanks
    24
    My Mood
    Angry
    Can someone please give me an link where to download visual c++ because when i searched i founded only parts to download and the parts were broken so can someone give me an working link with 1 download not some 10 parts.

  8. #6
    BossMan.'s Avatar
    Join Date
    Dec 2009
    Gender
    male
    Location
    BossWorld
    Posts
    3,314
    Reputation
    51
    Thanks
    419
    My Mood
    Relaxed



  9. The Following User Says Thank You to BossMan. For This Useful Post:

    7uZioN (08-19-2011)

  10. #7
    ronon6's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Posts
    193
    Reputation
    10
    Thanks
    24
    My Mood
    Angry
    Ty i try to downlaod right now.

  11. #8
    BossMan.'s Avatar
    Join Date
    Dec 2009
    Gender
    male
    Location
    BossWorld
    Posts
    3,314
    Reputation
    51
    Thanks
    419
    My Mood
    Relaxed
    Press it, don't say it



  12. #9
    /b/oss's Avatar
    Join Date
    Feb 2010
    Gender
    male
    Posts
    13,652
    Reputation
    795
    Thanks
    3,543
    Quote Originally Posted by GAMERXL View Post
    Wohoho nice ure minion , congratz . And nice tuterail .
    still not unbanned / banned aggain?

  13. #10
    ronon6's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Posts
    193
    Reputation
    10
    Thanks
    24
    My Mood
    Angry
    So i download express not professional right=?

  14. #11
    /b/oss's Avatar
    Join Date
    Feb 2010
    Gender
    male
    Posts
    13,652
    Reputation
    795
    Thanks
    3,543
    Quote Originally Posted by ronon6 View Post
    So i download express not professional right=?
    i prefer express / yes, download express, well you can download professional too but..

  15. #12
    bassie10's Avatar
    Join Date
    May 2010
    Gender
    male
    Posts
    116
    Reputation
    11
    Thanks
    49
    My Mood
    Cheerful
    Can tu make a downloading bypass?
    Jus tlike, u download the bypass, inject it or something, or w.e
    That would be awesome!, this i cant understand Sorry,
    Im not that good with computers,
    Still niceley done i gues!

  16. #13
    Jason's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    /dev/null
    Posts
    5,706
    Reputation
    907
    Thanks
    7,293
    My Mood
    Mellow
    Uh leech much? Sif your English improved 1000000% while writing this -.-

    And you don't even know what putting code in a namespace is.

    Quote Originally Posted by Jeremy S. Anderson
    There are only two things to come out of Berkley, Unix and LSD,
    and I don’t think this is a coincidence
    You can win the rat race,
    But you're still nothing but a fucking RAT.


    ++Latest Projects++
    [Open Source] Injection Library
    Simple PE Cipher
    FilthyHooker - Simple Hooking Class
    CLR Injector - Inject .NET dlls with ease
    Simple Injection - An in-depth look
    MPGH's .NET SDK
    eJect - Simple Injector
    Basic PE Explorer (BETA)

  17. #14
    /b/oss's Avatar
    Join Date
    Feb 2010
    Gender
    male
    Posts
    13,652
    Reputation
    795
    Thanks
    3,543
    Quote Originally Posted by J-Deezy View Post
    Uh leech much? Sif your English improved 1000000% while writing this -.-

    And you don't even know what putting code in a namespace is.
    i don't leech. YOU DO? and my english is good enought! /yea

  18. #15
    bassie10's Avatar
    Join Date
    May 2010
    Gender
    male
    Posts
    116
    Reputation
    11
    Thanks
    49
    My Mood
    Cheerful
    Quote Originally Posted by bassie10 View Post
    Can tu make a downloading bypass?
    Jus tlike, u download the bypass, inject it or something, or w.e
    That would be awesome!, this i cant understand Sorry,
    Im not that good with computers,
    Still niceley done i gues!
    pls an answer, Thnx

Page 1 of 3 123 LastLast

Similar Threads

  1. [Request] fifa online2 bypass gameguard
    By zulfto in forum Anti-Cheat
    Replies: 2
    Last Post: 02-12-2011, 01:27 AM
  2. İ want bypass gameguard
    By nopeaceyeswar in forum CrossFire Hacks & Cheats
    Replies: 16
    Last Post: 09-02-2009, 08:34 PM
  3. Bypassing GameGuard
    By CioNide in forum Anti-Cheat
    Replies: 5
    Last Post: 04-25-2009, 06:23 PM
  4. Ways to bypass GameGuard
    By XqwertyX in forum WarRock Korea Hacks
    Replies: 12
    Last Post: 06-01-2007, 04:42 PM
  5. bypass gameguard?
    By Krumbles in forum Suggestions, Requests & Help
    Replies: 4
    Last Post: 12-30-2006, 08:38 PM