    #1 BadBurrito

    EASY MEMORY CHECK BYPASS !!!

    Hey, so finally I got it working without a hook like I released before, so it is easier to use... It is not a good signature scan, I just did it in a minute, but the addy is just for EU and I am also not sure if they use different memory checks in the NA version.

    Just copy this to your source and you can use your memory hacks all the time; you will not crash if you start a game or when you respawn.

    Code:
    #define memcheckbreaker 0x379C21D0 //for CA EU !!!
    DWORD memcheck = dwFindPattern((DWORD)CShell, 0x900000, (PBYTE)"\xFF\x34\x24\x5B\x81\xC4\x04\x00\x00\x00\xC3", "xxxxxxxxxxx") + 0x04;
    MemoryEdit((void *)memcheck, (void *)"\x58\xB8\x01\x00\x00\x00",6);
    How it works:
    So it is the end of the check function and it has to return true so that you do not crash... so it moves 1 into the eax register like in the hook I released before... At the end of the check function there is an add esp, 4 that takes 6 bytes; I replaced the first byte with a pop eax so that esp increases by 4, and so I got enough room for the instruction mov eax, 1 (5 bytes).

    I hope I can help some people with this


    #2 Ch40zz-C0d3r
    Hehe nice1
    But a simple hook at the function start that returns true is easier in my opinion lol

    EDIT: How did you find it? My way wasn't really nice
    Last edited by Ch40zz-C0d3r; 10-20-2012 at 07:22 AM.



    #3 BadBurrito
    Code:
    379C218F   /.  55                            PUSH EBP
    I think that this is not the start of the function... so I just checked with a hardware breakpoint where they access the addys and check their bytes; they do it here:
    Code:
    379C1F8C::  add     al, [ebx]
    So the function starts earlier, but I do not hook it at the beginning because many addys and registers are changed in this function and when I skip all of them it crashes, but a hook at the end works.

    #4 arun823
    Nice find, hopefully this doesn't get detected

    #5 Flengo
    Is this for the scan that they do when you die? If so, I tried it and it didn't work.

    #6 BadBurrito
    Yes it is, and for me it works... Are you playing NA or EU? ...Did you check if the sig scan finds an address?

    #7 Flengo
    Quote Originally Posted by BadBurrito:
    Yes it is, and for me it works... Are you playing NA or EU? ...Did you check if the sig scan finds an address?
    No I didn't. I'm on NA.

    #8 BadBurrito
    Hmmm ok, I think the sig scan is the problem. I just tried it on an old dump of CShell and it did not work; I'll try to get a working one... The current sig scan obviously just works for the current EU version...

    ---------- Post added at 12:49 PM ---------- Previous post was at 11:58 AM ----------

    So I just checked old dumps and found the address manually, but the function changed a lot during the last updates... so I think a signature scan is not sensible. I am sorry, but this is just working for EU at the moment!!! ...but if someone who plays NA wants to get it I can help, but I do not have any NA files, sorry...

    #9 arun823
    Scan works fine for me, just logged it for NA

    Code:
    #define RespawnPatch		0x379CEB5F
    /Edit, tested and works like a charm
    Last edited by arun823; 10-20-2012 at 02:20 PM.


    #10 Flengo
    Quote Originally Posted by arun823:
    Scan works fine for me, just logged it for NA

    Code:
    #define RespawnPatch		0x379CEB5F
    @BadBurrito

    /Edit, tested and works like a charm I'll post like a 10 second video of it working.
    Yup, works for me as well. Really good work. Figured out my error also; the scan is working perfectly.

    Thanks

    #11 Ch40zz-C0d3r
    LOL, I'm just asking myself how you debugged CA to get all functions accessing the pointer? o_0

    Also your mask is wrong! Real mask: xxxxxx????x, then the sig will work lol. Why did you fail at making the mask?
    Last edited by Ch40zz-C0d3r; 10-20-2012 at 01:44 PM.


    #12 BadBurrito
    I just did not care about the mask, but thanks... I just coded a DLL that sets hardware breakpoints and then injected it into engine.exe.
    And thanks arun823 for the NA address.

    #13 disav0w_
    I didn't read the whole thread, but if anyone wants to know how he got it, it's probably by attaching the Cheat Engine debugger and seeing what accesses a VA address in the .text section of CShell. When you enter a game, it gets accessed by this part of the code. I already had it since CA implemented it.
    Anyway, good job, at least someone got it. That's how I do it (CA EU):

    Code:
    DWORD addressToPass_CShell;
    BYTE CRCBYTE_CSHELL;
    DWORD dwCRCCheck_HookStart = 0x379C1F85;
    DWORD dwCRCCheck_JMPBack = 0x379C1F8E;
    __declspec(naked) void __cdecl hkCRCCheck()
    {
        __asm mov ebx, 0;
        __asm add ebx, edx; // here ebx contains the address which is getting scanned
        __asm mov addressToPass_CShell, ebx;
        __asm pushad; // save the general-purpose registers
        __asm pushfd; // save the flags as well

        // example..
        if (addressToPass_CShell == dwNameTags1)
        {
            CRCBYTE_CSHELL = NAMETAGS1BYTES[0];
            goto JmpPoint;
        }
        // end of example..

        __asm popfd;
        __asm popad;
        __asm add al, byte ptr ds:[ebx];
        __asm jmp dwCRCCheck_JMPBack;

    JmpPoint:
        __asm popfd;
        __asm popad;
        __asm add al, CRCBYTE_CSHELL;
        __asm jmp dwCRCCheck_JMPBack;
    }
    NAMETAGS1BYTES: memcpy into a 2-byte array the bytes at the first nametags address.

    Anyway, this CRC check is not good. Most of the assembly operations in this part of the code are Themida license junk code. Yes, there is code mutation from Oreans software. I guess what you would do if there was a virtual machine...
    Last edited by disav0w_; 10-20-2012 at 04:59 PM.

    #14 arun823
    Quote Originally Posted by disav0w_ (post #13 quoted in full)
    Very nice method, this could be an alternative if BadBurrito's method gets detected.

    #15 ChaosMagician
    When gamestatus differs from 1, do we have to restore the original bytes?
