Results 1 to 8 of 8
  1. #1
    briankilla4's Avatar
    Join Date
    Aug 2010
    Gender
    male
    Location
    EGYPT,cairo
    Posts
    875
    Reputation
    10
    Thanks
    730
    My Mood
    Amazed

    Bypassing Gameguard: Imported functions

    Requirements: Reverse Engineering Knowledge.

    Code:
    void function_list_dump( )
    {
    	dwGameGuardClassBase = GetGameGuard( );
    
    	do
    	{
    		GGMethodTable = *(PDWORD*)dwGameGuardClassBase;
    		Sleep(10);
    	}
    	while( !GGMethodTable );
    
    	while( *(PDWORD)((DWORD)dwGameGuardClassBase + 4) == NULL )
    		Sleep(10);
    
    	do
    	{
    		GGMethodTable2 = **(PDWORD**)((DWORD)dwGameGuardClassBase + 4);
    	}
    	while( !GGMethodTable2 );
    
    #ifdef LOG_GG
    	pLog->log("\n-------------\nGG Method Table 1\nsize = %d", dwGetMethodCount(GGMethodTable));
    	PrintMethodLocations( GGMethodTable );
    	pLog->log("\n-------------\nGG Method Table 2\nsize = %d", dwGetMethodCount(GGMethodTable2));
    	PrintMethodLocations( GGMethodTable2 );
    	ExitProcess(0);
    #endif
    }
    GetGameGuard? Another GG function that's wrapped.





    Code:
    typedef PVOID (__cdecl* tGetGameGuard)( );
    tGetGameGuard GetGameGuard = (tGetGameGuard)GGPTR;
    GGPTR? Location of this function


    Code:
    mov     eax, offset off_D25874
    retn
    I just print the functions like this:

    Code:
    void PrintMethodLocations( PDWORD pdwVMT )
    {
    	DWORD dwIndex = 0;
    
    	for ( dwIndex = 0; pdwVMT[ dwIndex ]; dwIndex++ )
    	{
    		if ( IsBadCodePtr( ( FARPROC ) pdwVMT[ dwIndex ] ) )
    		{
    			break;
    		}
    
    		pLog->log("%i [ 0x%x ]", dwIndex, pdwVMT[dwIndex]);
    	}
    
    }
    these virtual tables are used by the game to operate gameguard.

  2. #2
    Prepix's Avatar
    Join Date
    Jun 2012
    Gender
    male
    Posts
    5,965
    Reputation
    117
    Thanks
    1,374
    /moved to the correct sub forum.

  3. #3
    briankilla4's Avatar
    Join Date
    Aug 2010
    Gender
    male
    Location
    EGYPT,cairo
    Posts
    875
    Reputation
    10
    Thanks
    730
    My Mood
    Amazed
    if someone have some reverse engneering skills pm me and i will give him something to use to bypass gg

  4. #4
    mountainh2o's Avatar
    Join Date
    Sep 2012
    Gender
    male
    Posts
    2
    Reputation
    10
    Thanks
    0
    Quote Originally Posted by briankilla4 View Post
    if someone have some reverse engneering skills pm me and i will give him something to use to bypass gg
    Considering you just c&p this from another site you might want to give credits to Shad0w_ for doing all the work.

    Also from Shad0w, who deserves all credit.


    Wanted to modify some assembly, it gave me the old security module error so I bypassed it.
    Blowfish decryption and emulation isn't really my thing so I'm looking at doing standard patches.

    The func, which i've named SecMod_

    Code:
    seg000:00854CE0 SecMod_854CE0 proc near
    seg000:00854CE0 push esi
    seg000:00854CE1 mov esi, ecx
    seg000:00854CE3 cmp dword ptr [esi+4], 0
    seg000:00854CE7 jnz short loc_854CF7
    seg000:00854CE9 push offset aSecurityModule
    seg000:00854CEE call sub_854B70
    seg000:00854CF3 xor eax, eax
    seg000:00854CF5 pop esi
    seg000:00854CF6 retn
    seg000:00854CF7 ; ---------------------------------------------------------------------------
    seg000:00854CF7
    seg000:00854CF7 loc_854CF7: ; CODE XREF: SecMod_854CE0+7j
    seg000:00854CF7 mov ecx, [esi+4]
    seg000:00854CFA mov eax, [ecx]
    seg000:00854CFC mov edx, [eax+8]
    seg000:00854CFF call edx
    seg000:00854D01 test eax, eax
    seg000:00854D03 jnz short loc_854D15
    seg000:00854D05 push offset aSecurityModu_0
    seg000:00854D0A mov ecx, esi
    seg000:00854D0C call sub_854B70
    seg000:00854D11 xor eax, eax
    seg000:00854D13 pop esi
    seg000:00854D14 retn
    seg000:00854D15 ; ---------------------------------------------------------------------------
    seg000:00854D15
    seg000:00854D15 loc_854D15:
    seg000:00854D15 cmp dword ptr [esi+8], 0
    seg000:00854D19 jz short loc_854D2B
    seg000:00854D1B push offset aSecurityModu_1
    seg000:00854D20 mov ecx, esi
    seg000:00854D22 call sub_854B70
    seg000:00854D27 xor eax, eax
    seg000:00854D29 pop esi
    seg000:00854D2A retn
    seg000:00854D2B ; ---------------------------------------------------------------------------
    seg000:00854D2B
    seg000:00854D2B loc_854D2B:
    seg000:00854D2B mov eax, 1
    seg000:00854D30 pop esi
    seg000:00854D31 retn
    seg000:00854D31 SecMod_854CE0 endp
    At first I figured ok, I can just hook it an ret 1 like they do @

    Code:
    seg000:00854D2B mov eax, 1
    seg000:00854D30 pop esi
    seg000:00854D31 retn
    An example of how I did this, was like so:

    (Thanks to fatboy88 & Zenma for the EDX trick for the hook)
    Code:
    /pedef int ( __thiscall* tSecMod)(void *ptr);
    //tSecMod oSecMod;

    int __fastcall SecModHook(void *ptr, void *Unknown)
    {
    return 1;
    }
    However if you follow the EIP, you will see almost-infinite-recursion happening (it will crash eventually).

    That I found was due to this function not being called:
    Code:
    (*(int (**)(void))(**(_DWORD **)(ptr + 4) + 8))()
    Rather than emulating the function, my way was to just patch over the conditions.

    The conditions are like roughly 10 byte conditional jumps, so simply forcing the conditional jumps with an 8 bit relative jump of my own in place can do the job.

    Corrected Function:

    Code:
    seg000:00854CF7 loc_854CF7: ; CODE XREF: SecMod_854CE0+7j
    seg000:00854CF7 mov ecx, [esi+4]
    seg000:00854CFA mov eax, [ecx]
    seg000:00854CFC mov edx, [eax+8]
    seg000:00854CFF call edx
    seg000:00854D01 test eax, eax
    seg000:00854D03 jmp short loc_854D15
    seg000:00854D05 push offset aSecurityModu_0 ; "Security Module Error - 2"
    seg000:00854D0A mov ecx, esi
    seg000:00854D0C call sub_854B70
    seg000:00854D11 xor eax, eax
    seg000:00854D13 pop esi
    seg000:00854D14 retn
    seg000:00854D15 ; ---------------------------------------------------------------------------
    seg000:00854D15
    seg000:00854D15 loc_854D15: ; CODE XREF: SecMod_854CE0+23j
    seg000:00854D15 cmp dword ptr [esi+8], 0
    seg000:00854D19 jmp short loc_854D2B
    seg000:00854D1B push offset aSecurityModu_1 ; "Security Module Error - 3"
    seg000:00854D20 mov ecx, esi
    seg000:00854D22 call sub_854B70
    seg000:00854D27 xor eax, eax
    seg000:00854D29 pop esi
    seg000:00854D2A retn
    seg000:00854D2B ; ---------------------------------------------------------------------------
    seg000:00854D2B
    seg000:00854D2B loc_854D2B: ; CODE XREF: SecMod_854CE0+39j
    seg000:00854D2B mov eax, 1
    seg000:00854D30 pop esi
    seg000:00854D31 retn
    seg000:00854D31 SecMod_854CE0 endp
    The hooking method is valid, just make sure that you call the function before returning.

    SecMod calls Module Error - 1? I never got that one myself but [protip:] that will only happen when*(PDWORD)ptr + 4 is NULL.

    Lots of other functions to look at and patch in my free time, I'll try to share as much information as I can be bothered to write out.

    Enjoy and Discuss.

  5. #5
    briankilla4's Avatar
    Join Date
    Aug 2010
    Gender
    male
    Location
    EGYPT,cairo
    Posts
    875
    Reputation
    10
    Thanks
    730
    My Mood
    Amazed
    Quote Originally Posted by mountainh2o View Post
    Considering you just c&p this from another site you might want to give credits to Shad0w_ for doing all the work.

    Also from Shad0w, who deserves all credit.


    Wanted to modify some assembly, it gave me the old security module error so I bypassed it.
    Blowfish decryption and emulation isn't really my thing so I'm looking at doing standard patches.

    The func, which i've named SecMod_

    Code:
    seg000:00854CE0 SecMod_854CE0 proc near
    seg000:00854CE0 push esi
    seg000:00854CE1 mov esi, ecx
    seg000:00854CE3 cmp dword ptr [esi+4], 0
    seg000:00854CE7 jnz short loc_854CF7
    seg000:00854CE9 push offset aSecurityModule
    seg000:00854CEE call sub_854B70
    seg000:00854CF3 xor eax, eax
    seg000:00854CF5 pop esi
    seg000:00854CF6 retn
    seg000:00854CF7 ; ---------------------------------------------------------------------------
    seg000:00854CF7
    seg000:00854CF7 loc_854CF7: ; CODE XREF: SecMod_854CE0+7j
    seg000:00854CF7 mov ecx, [esi+4]
    seg000:00854CFA mov eax, [ecx]
    seg000:00854CFC mov edx, [eax+8]
    seg000:00854CFF call edx
    seg000:00854D01 test eax, eax
    seg000:00854D03 jnz short loc_854D15
    seg000:00854D05 push offset aSecurityModu_0
    seg000:00854D0A mov ecx, esi
    seg000:00854D0C call sub_854B70
    seg000:00854D11 xor eax, eax
    seg000:00854D13 pop esi
    seg000:00854D14 retn
    seg000:00854D15 ; ---------------------------------------------------------------------------
    seg000:00854D15
    seg000:00854D15 loc_854D15:
    seg000:00854D15 cmp dword ptr [esi+8], 0
    seg000:00854D19 jz short loc_854D2B
    seg000:00854D1B push offset aSecurityModu_1
    seg000:00854D20 mov ecx, esi
    seg000:00854D22 call sub_854B70
    seg000:00854D27 xor eax, eax
    seg000:00854D29 pop esi
    seg000:00854D2A retn
    seg000:00854D2B ; ---------------------------------------------------------------------------
    seg000:00854D2B
    seg000:00854D2B loc_854D2B:
    seg000:00854D2B mov eax, 1
    seg000:00854D30 pop esi
    seg000:00854D31 retn
    seg000:00854D31 SecMod_854CE0 endp
    At first I figured ok, I can just hook it an ret 1 like they do @

    Code:
    seg000:00854D2B mov eax, 1
    seg000:00854D30 pop esi
    seg000:00854D31 retn
    An example of how I did this, was like so:

    (Thanks to fatboy88 & Zenma for the EDX trick for the hook)
    Code:
    /pedef int ( __thiscall* tSecMod)(void *ptr);
    //tSecMod oSecMod;

    int __fastcall SecModHook(void *ptr, void *Unknown)
    {
    return 1;
    }
    However if you follow the EIP, you will see almost-infinite-recursion happening (it will crash eventually).

    That I found was due to this function not being called:
    Code:
    (*(int (**)(void))(**(_DWORD **)(ptr + 4) + 8))()
    Rather than emulating the function, my way was to just patch over the conditions.

    The conditions are like roughly 10 byte conditional jumps, so simply forcing the conditional jumps with an 8 bit relative jump of my own in place can do the job.

    Corrected Function:

    Code:
    seg000:00854CF7 loc_854CF7: ; CODE XREF: SecMod_854CE0+7j
    seg000:00854CF7 mov ecx, [esi+4]
    seg000:00854CFA mov eax, [ecx]
    seg000:00854CFC mov edx, [eax+8]
    seg000:00854CFF call edx
    seg000:00854D01 test eax, eax
    seg000:00854D03 jmp short loc_854D15
    seg000:00854D05 push offset aSecurityModu_0 ; "Security Module Error - 2"
    seg000:00854D0A mov ecx, esi
    seg000:00854D0C call sub_854B70
    seg000:00854D11 xor eax, eax
    seg000:00854D13 pop esi
    seg000:00854D14 retn
    seg000:00854D15 ; ---------------------------------------------------------------------------
    seg000:00854D15
    seg000:00854D15 loc_854D15: ; CODE XREF: SecMod_854CE0+23j
    seg000:00854D15 cmp dword ptr [esi+8], 0
    seg000:00854D19 jmp short loc_854D2B
    seg000:00854D1B push offset aSecurityModu_1 ; "Security Module Error - 3"
    seg000:00854D20 mov ecx, esi
    seg000:00854D22 call sub_854B70
    seg000:00854D27 xor eax, eax
    seg000:00854D29 pop esi
    seg000:00854D2A retn
    seg000:00854D2B ; ---------------------------------------------------------------------------
    seg000:00854D2B
    seg000:00854D2B loc_854D2B: ; CODE XREF: SecMod_854CE0+39j
    seg000:00854D2B mov eax, 1
    seg000:00854D30 pop esi
    seg000:00854D31 retn
    seg000:00854D31 SecMod_854CE0 endp
    The hooking method is valid, just make sure that you call the function before returning.

    SecMod calls Module Error - 1? I never got that one myself but [protip:] that will only happen when*(PDWORD)ptr + 4 is NULL.

    Lots of other functions to look at and patch in my free time, I'll try to share as much information as I can be bothered to write out.

    Enjoy and Discuss.
    consider that am shadow, the functions u posted and copied doesnt work anymore as it got patched last GG update

  6. #6
    mountainh2o's Avatar
    Join Date
    Sep 2012
    Gender
    male
    Posts
    2
    Reputation
    10
    Thanks
    0
    Quote Originally Posted by briankilla4 View Post
    consider that am shadow, the functions u posted and copied doesnt work anymore as it got patched last GG update
    Wow this is a new low, your not shadow lol.

  7. #7
    DarkSt0rmX's Avatar
    Join Date
    Sep 2011
    Gender
    male
    Location
    Dragonball GT
    Posts
    1,217
    Reputation
    19
    Thanks
    1,372
    My Mood
    Relaxed
    @ check here if you can help •.•
    Last edited by DarkSt0rmX; 09-21-2012 at 02:18 PM.

     
    Skype: vituzzzu21

     
    Quote Originally Posted by Nuuma View Post
    he added me amd65 i got it , legit guy i vouch him
    Quote Originally Posted by .Cereal View Post
    People these 3 guys are trusted and safe, no harm for you .
    Quote Originally Posted by Kailani View Post
    thanks for gun adding for me
    Quote Originally Posted by kurtdampire View Post
    Really fast ! I vouch for this guy. Thanks again.
    Quote Originally Posted by GtxRive123 View Post
    THIS GUY IS SO LEGIT.! HE DOES THE GUNADD SO FAST.! HE IS 100% LEGIT no SCAM.!! Fastest gunadder in MPGH.NET in my oppinion I VOUCH FOR HIM !
    Quote Originally Posted by FreaZzer View Post
    Thanks for adding ! He's legit and fast !

  8. #8
    briankilla4's Avatar
    Join Date
    Aug 2010
    Gender
    male
    Location
    EGYPT,cairo
    Posts
    875
    Reputation
    10
    Thanks
    730
    My Mood
    Amazed
    Quote Originally Posted by darkstormx View Post
    @ check here if you can help •.•
    explain ?
    what are u saying

Similar Threads

  1. Bypassing GameGuard
    By /b/oss in forum Alliance of Valiant Arms (AVA) Hacks & Cheats
    Replies: 31
    Last Post: 06-16-2010, 01:58 AM
  2. İ want bypass gameguard
    By nopeaceyeswar in forum CrossFire Hacks & Cheats
    Replies: 16
    Last Post: 09-02-2009, 08:34 PM
  3. Bypassing GameGuard
    By CioNide in forum Anti-Cheat
    Replies: 5
    Last Post: 04-25-2009, 06:23 PM
  4. Ways to bypass GameGuard
    By XqwertyX in forum WarRock Korea Hacks
    Replies: 12
    Last Post: 06-01-2007, 04:42 PM
  5. bypass gameguard?
    By Krumbles in forum Suggestions, Requests & Help
    Replies: 4
    Last Post: 12-30-2006, 08:38 PM