memory check bypass !!!

[BadBurrito]

Hey so I am playing ca eu and today I was looking for the memory checks they do since a few patches ago... soooo the are NOT in EHSvc.dll as I read in some posts, they are located in the CShell.dll, its quite easy to find... the following source is working for CA EU only but it should be easy to understand what it does... the end of the function where the bytes are checked is hooked and some values are changed in the registers (eax, ecx and edi) I am not sure if you are needing all of these registers but it is working have fun

And yeah it is written in nasm because in my opinion hooking is easier and when you are using c++ most of the parts are asm too so there is no big difference...

Code:

%include 'C:\Programme\asm\inc\nasmx.inc'

IMPORT VirtualProtect, 16
IMPORT CreateThread, 24
IMPORT GetModuleHandleA, 4

extern Sleep

entry	DllEntry

[section .text]

checkhook:
mov eax, 0x1
mov ecx, 0x1
mov edi, 0x5
add esp, 4
jmp [memhookback]



proc attachmem
locals none
	mov eax, 0x379C21D0	
	mov dword [memhookback], eax
	add dword [memhookback], 6

	invoke VirtualProtect, 0x379C21D0, 10, 40h, oldprotect

	mov ecx, 0x379C21D0
	mov byte [ecx], 0xE9	
	mov eax, checkhook
	sub eax, 0x379C21D0
	sub eax, 5
	mov dword [ecx+1], eax

endproc


proc getmodule
locals none

	loopcshell:
	push 100
	call Sleep
	invoke GetModuleHandleA, szCshell
	cmp eax, 0
	je loopcshell

invoke	CreateThread, 0, 0, attachmem, 0, 0, 0
endproc



proc   DllEntry, ptrdiff_t hinst, size_t reason, size_t reserved
locals none
	mov	ecx, 1
	cmp	[ebp+0Ch], ecx 
	jne	goon
	invoke	CreateThread, 0, 0, getmodule, 0, 0, 0
	goon:
	mov	eax, 1
endproc




[section .data]

    szCshell:    declare(NASMX_TCHAR) NASMX_TEXT('CShell.dll'), 0x0


[section .bss]
	
	modulecshell : resd 2
	memhookback : resd 2
	oldprotect : resd 2

[nigger]

Too bad half the section doesn't even know assembly. You and Schim are the only people I know that post things in assembly. You sir have my respect.

[CoderNever]

Lol, If you don't know any ASM and you are in the combat arms source code section it is almost implied that you're a leacher...

[nigger]

Lol, If you don't know any ASM and you are in the combat arms source code section it is almost implied that you're a leacher...

You just summed up this section.

[Ch40zz-C0d3r]

My question is:
Why you not simply hooked here?

Code:

379C218F   /.  55                            PUSH EBP

ANd never call the original one?

[//\\//etwork3r]

Good job im just waiting to sombody relase hack with this function Revarse life taker will back hi hi ^^