Bypassing Apex: Process Reboot ( Old )

[pc117]

Bypassing Apex: Process Reboot
Other than this initial reboot, the anti-cheat is very poor, you can rewrite the whole .text section and then take a shit inside it's process space and it wont notice.
Module which handles the rebooting: 'BootThunker.xoe'.
This section is not packed at runtime so you can analyse the code without needing view the virtual memory at runtime.
Long story short, you want to stop it calling BootThunkerStart.
I've hacked 3 different games with this anti-cheat and this has been the same for all of them. You have a modified entry-point which loads up a start routine.
The start routine calls will look like this:

sub_11E0A40(&dword_11F6D14);
v5 = (int)sub_11DE550(v3, v4, a1, 0);
*(_DWORD *)(v5 + 16) = ((int (__cdecl *)())*(&sub_11F5060 + 1))();
sub_11E1DD0(0);
if ( sub_11DE640(0) )
{
sub_11E0A40(&dword_11F6D18);
v6 = sub_11DFC70(0, v5);
v15 = v6;
if ( v6 )
{
sub_11E0A40(dword_11F6D1C);
v13 = v6;
v12 = 1;
}
else
{
sub_11E0A40(&dword_11F6D28);
v7 = sub_11E0020(0, 0);
v15 = v7;
if ( v7 )
{
sub_11E0A40(dword_11F6D2C);
v13 = v7;
v12 = 2;
}
else
{
sub_11E0A40(&dword_11F6D38);
v8 = sub_11DFDA0(0, 0);
v15 = v8;
if ( !v8 )
goto LABEL_12;
sub_11E0A40(dword_11F6CF8);
v13 = v8;
v12 = 3;
}
}
11E0A40 being a logging function, followed by a function call. The functions called are just wrappers for avital's modules. The rest of the code in these functions I can assume is just error handling. However there seem to be no self-preservation checks present.
The target 'wrapper function' you want will look something like this:

v6 = (int (*)(void))sub_11F502C("BootThunkerStart");

Solutions:
Hook the wrapper function.
Hook the import.
Hook something else.
Stop the function from happening.
Long story short, you can replace the call to the wrapper function with 'nop' operations.
example:
.axL:011DE17D call sub_11E0020
5 Byte NOP here would suffice.
Remember not to disregard the fact that it will no longer give you a EAX.
EAX = sub_11E0020(0, 0);
So it will be using the other EAX, which happens to be fine.

[astron51]

Bypassing Apex: Process Reboot
Other than this initial reboot, the anti-cheat is very poor, you can rewrite the whole .text section and then take a shit inside it's process space and it wont notice.
Module which handles the rebooting: 'BootThunker.xoe'.
This section is not packed at runtime so you can analyse the code without needing view the virtual memory at runtime.
Long story short, you want to stop it calling BootThunkerStart.
I've hacked 3 different games with this anti-cheat and this has been the same for all of them. You have a modified entry-point which loads up a start routine.
The start routine calls will look like this:

sub_11E0A40(&dword_11F6D14);
v5 = (int)sub_11DE550(v3, v4, a1, 0);
*(_DWORD *)(v5 + 16) = ((int (__cdecl *)())*(&sub_11F5060 + 1))();
sub_11E1DD0(0);
if ( sub_11DE640(0) )
{
sub_11E0A40(&dword_11F6D18);
v6 = sub_11DFC70(0, v5);
v15 = v6;
if ( v6 )
{
sub_11E0A40(dword_11F6D1C);
v13 = v6;
v12 = 1;
}
else
{
sub_11E0A40(&dword_11F6D28);
v7 = sub_11E0020(0, 0);
v15 = v7;
if ( v7 )
{
sub_11E0A40(dword_11F6D2C);
v13 = v7;
v12 = 2;
}
else
{
sub_11E0A40(&dword_11F6D38);
v8 = sub_11DFDA0(0, 0);
v15 = v8;
if ( !v8 )
goto LABEL_12;
sub_11E0A40(dword_11F6CF8);
v13 = v8;
v12 = 3;
}
}
11E0A40 being a logging function, followed by a function call. The functions called are just wrappers for avital's modules. The rest of the code in these functions I can assume is just error handling. However there seem to be no self-preservation checks present.
The target 'wrapper function' you want will look something like this:

v6 = (int (*)(void))sub_11F502C("BootThunkerStart");

Solutions:
Hook the wrapper function.
Hook the import.
Hook something else.
Stop the function from happening.
Long story short, you can replace the call to the wrapper function with 'nop' operations.
example:
.axL:011DE17D call sub_11E0020
5 Byte NOP here would suffice.
Remember not to disregard the fact that it will no longer give you a EAX.
EAX = sub_11E0020(0, 0);
So it will be using the other EAX, which happens to be fine.

Saw this long time ago... You leech it from U*nkn*nC***t
/msg2short

[haqkhan]

hi. I was muslim .. I pray to for urself.how to use mack video and shere my eng is poor i need help plssssssss