monz2 (01-20-2013),The Decoder (01-21-2013)
Was just looking for a new way to bypass HS and found all the internals here. I'm not an asm god or anything, but this could be useful to a few people here.
Code:
3AFE0001 dec ebp
3AFE0002 pop edx
3AFE0003 nop
3AFE0005 add byte ptr [ebx], al
3AFE0007 add byte ptr [eax], al
3AFE000A add byte ptr [eax+eax], al
3AFE000C add byte ptr [eax], al
3AFE000B Unknown operand
3AFE000B add byte ptr [eax], al
3AFE000D add bh, bh
3AFE000F inc dword ptr [eax]
3AFE0015 add byte ptr [eax+00000000h], bh
3AFE0017 add byte ptr [eax], al
3AFE001A add byte ptr [eax+00h], al
3AFE001C add byte ptr [eax], al
3AFE0020 cmp byte ptr [edx+03h], 00000000h
3AFE0022 add byte ptr [eax], al
3AFE0024 add byte ptr [eax], al
3AFE0026 add byte ptr [eax], al
3AFE0028 add byte ptr [eax], al
3AFE002A add byte ptr [eax], al
3AFE002C add byte ptr [eax], al
3AFE002E add byte ptr [eax], al
3AFE0030 add byte ptr [eax], al
3AFE0032 add byte ptr [eax], al
3AFE0034 add byte ptr [eax], al
3AFE0036 add byte ptr [eax], al
3AFE0038 add byte ptr [eax], al
3AFE003A add byte ptr [eax], al
3AFE003C add byte ptr [eax], al
EDIT: wtf is with these retarded code tags lately?
Code:
3AFE0041 call 48FE0041h // <- calling something from Engine here
3AFE0042 pop ds
3AFE0047 mov edx, 09B4000Eh
3AFE0049 int 21h
3AFE004E mov eax, 21CD4C01h
3AFE004F push esp
3AFE0054 push 70207369h
3AFE0056 jc 3AFE00C5h
3AFE0059 jc 3AFE00BAh
3AFE005A insd
3AFE005D and byte ptr [ebx+61h], ah
3AFE005E outsb
3AFE005F outsb
3AFE0060 outsd
3AFE0062 je 3AFE0082h
3AFE0065 bound esp, dword ptr [ebp+20h]
3AFE0067 jc 3AFE00DCh
3AFE0068 outsb
3AFE006B and byte ptr [ecx+6Eh], ch
3AFE006F and byte ptr [edi+ecx*2+53h], al
3AFE0072 and byte ptr [ebp+6Fh], ch
3AFE007A or eax, 00240A0Dh
3AFE007C add byte ptr [eax], al
3AFE007E add byte ptr [eax], al
3AFE0080 add byte ptr [eax], al
3AFE0082 arpl word ptr [edi], sp
3AFE0083 pop ecx
3AFE0085 in eax, 27h
3AFE0086 inc esi
3AFE0087 aaa
3AFE0089 mov dh, 27h
3AFE008A inc esi
3AFE008B aaa
3AFE008D mov dh, 27h
3AFE008E inc esi
3AFE008F aaa
3AFE0091 mov dh, 2Eh
3AFE0097 mov byte ptr [374633B6h], al // <- Ref to CShell here
3AFE0099 mov dh, 2Eh
3AFE009C mov ah, B6h
3AFE009D pop esi
3AFE009E inc esi
3AFE009F aaa
3AFE00A1 mov dh, 2Eh
3AFE00A4 mov bl, B6h
3AFE00A6 adc al, 00000046h
3AFE00A7 aaa
3AFE00A9 mov dh, 00h
3AFE00AE or byte ptr [esi+esi*4+24h], 00000046h
3AFE00AF aaa
3AFE00B1 mov dh, 27h
3AFE00B2 inc esi
3AFE00B5 mov dh, 48h
3AFE00B6 inc esi
3AFE00B7 aaa
3AFE00B9 mov dh, 2Eh
3AFE00BF mov ebp, 37462CB6h // <- CShell again
3AFE00C1 mov dh, 2Eh
3AFE00C3 movsd
3AFE00C5 mov dh, 26h
3AFE00C6 inc esi
3AFE00C7 aaa
3AFE00C9 mov dh, 39h
3AFE00CB adc al, FFFFFFA3h
3AFE00CD mov dh, 26h
3AFE00CE inc esi
3AFE00CF aaa
3AFE00D1 mov dh, 2Eh
3AFE00D3 cmpsb
3AFE00D5 mov dh, 26h
3AFE00D6 inc esi
Also LOL @ my fail of spelling "Nexon" wrong.
Last edited by -Bl00d-; 01-20-2013 at 02:10 AM. Reason: added few comments
Successful buys: 20
Successful sells: 4
Successful trades: 9
Scammed: 4
^^^^^^^^^^^
vouche for me?
what's this fuckery?
Acea (01-20-2013)
This gave me a boner...
-Bl00d- (01-20-2013),The Decoder (01-21-2013)
Tbh, I'm shittier in assembly than you are, but this looks like a bunch of junk to me.
Doesn't seem like it's doing anything.
Now once again, I'm shit in asm.
[MPGH]Flengo (01-20-2013)
God...
Stop it from loading and you're done; there is one check for all functions. If you bypass that check you can simply return the load function and you're done.
-Bl00d- (01-20-2013)
Departure (01-28-2013),[MPGH]Flengo (01-28-2013),Saltine (01-28-2013)
In OllyDbg, right click and select "Analyze code".
Zeroes have nothing to do with stuff being junk in general; the problem is just that he is looking at the wrong memory page.
Won't help, as the bytes shown at that address are not code; they're part of the PE header (= data). Though if the page is recognized as the PE header, he might get some structure information with the data instead.
But anyway, that's nothing interesting in this case.
Last edited by HellSpider; 01-29-2013 at 10:34 AM.
@HellSpider
That's my point: if you analyze the code it should be "DB", which will show "00".
//Edit
For example, non-analyzed code in Olly will always be "add byte ptr [eax], al" for 00's. And you are correct, it looks more like padding to a given structure; also, like you said, it could be a possible header.
Also, "mov byte ptr [374633B6h], al // <- Ref to CShell here" is moving the value in al, which is the lower part of EAX, into that address, which indicates it's just a variable. But yes, given the address it would be safe to assume it's a variable in CShell. But I'm pretty sure it has nothing to do with bypassing etc.
Last edited by Departure; 01-30-2013 at 07:52 AM. Reason: giving explanation
[MPGH]Flengo (01-30-2013)
Ah you meant it that way, yes it's true the zero data should turn into "db 00", didn't think about that. My bad.
And I know 100% it's the PE header, it's not a "possible" header.
And to that last part, it's not safe to assume it's a variable in CShell. There are misinterpreted data fragments that Olly tries its best to convert into ASM instructions. It's just "bad luck" that the bytes are in an order that looks like valid code. In reality, that particular instruction does not exist.
3AFE0000 - 3AFE1000 -> PE Header (0x1000 byte page allocation, in file data the header is smaller).
3AFE1000 - ... -> Code section = Valid instructions
[MPGH]Flengo (01-30-2013)
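For anyone following HellSpider's and Departure's points above, here is an added example (my own code, not something from this thread or from Nexon/HackShield) that shows the check a disassembler or analyst makes before trusting a listing: walk the PE section table and ask whether a virtual address falls in the mapped header page or in a section marked executable. It builds a constructed, minimal PE32 image at the thread's base address 3AFE0000 (sample bytes only, not the real module), then classifies a few addresses and renders header bytes the way "Analyze code" should, as `db`. As a side note on the listing itself: the first two bytes of any PE image are the DOS magic 'M' (4Dh) and 'Z' (5Ah), which an x86 decoder shows as `dec ebp` / `pop edx`, exactly what the listing starts with, and the run `mov edx, 09B4000Eh / int 21h / mov eax, 21CD4C01h / push esp / push 70207369h` is the standard DOS stub followed by the ASCII text "This program cannot be run in DOS mode" (70207369h is "is p" in little-endian).

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_image(image_base=0x3AFE0000):
    """Construct a minimal in-memory PE32 image: one 0x1000-byte header page,
    .text at RVA 0x1000 and .data at RVA 0x2000. Hand-built sample for this
    example; not a real module."""
    page = 0x1000
    hdr = bytearray(page)
    hdr[0:2] = b"MZ"                                     # e_magic -> 'dec ebp / pop edx'
    hdr[2:6] = b"\x90\x00\x03\x00"                       # e_cblp, e_cp -> 'nop / add [ebx],al'
    struct.pack_into("<I", hdr, 0x3C, 0x80)              # e_lfanew: PE signature at 0x80
    # Standard DOS stub that linkers emit (what the thread's listing decodes
    # as 'mov edx,09B4000Eh / int 21h / mov eax,21CD4C01h / push esp / push 70207369h').
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
    hdr[0x40:0x40 + len(stub)] = stub
    hdr[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = 0x84 + 20                                      # IMAGE_OPTIONAL_HEADER32 at 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, image_base)    # ImageBase
    struct.pack_into("<II", hdr, opt + 32, page, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 3 * page, 0x200)  # SizeOfImage, SizeOfHeaders
    sec = opt + 0xE0                                     # section table right after the optional header
    struct.pack_into(SECTION_HDR, hdr, sec, b".text", page, 0x1000, page, 0x400, 0, 0, 0, 0,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    struct.pack_into(SECTION_HDR, hdr, sec + 40, b".data", page, 0x2000, page, 0x1400, 0, 0, 0, 0,
                     0x40000000 | 0x80000000)
    text = b"\x55\x8b\xec\x5d\xc3".ljust(page, b"\xcc")  # push ebp / mov ebp,esp / pop ebp / ret
    data = bytes(page)
    return bytes(hdr) + text + data


def parse_image(image):
    """Return (image_base, section_alignment, size_of_image, [(name, rva, vsize, chars)])."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, fh + 2)[0]
    opt_size = struct.unpack_from("<H", image, fh + 16)[0]
    opt = fh + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                   # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sect_align = struct.unpack_from("<I", image, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    sections = []
    for i in range(nsec):
        name, vsize, rva, *_, chars = struct.unpack_from(SECTION_HDR, image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, chars))
    return image_base, sect_align, size_of_image, sections


def classify(image, va):
    """Map a virtual address to (region name, is_executable). Bytes in the header
    page or a non-executable section are data and must not be read as code."""
    image_base, align, size_of_image, sections = parse_image(image)
    rva = va - image_base
    if rva < 0 or rva >= size_of_image:
        return ("outside image", False)
    for name, s_rva, vsize, chars in sections:
        end = s_rva + (vsize + align - 1) // align * align   # round up to SectionAlignment
        if s_rva <= rva < end:
            return (name, bool(chars & IMAGE_SCN_MEM_EXECUTE))
    if rva < min(s[1] for s in sections):
        return ("PE header", False)                      # the mapped header page
    return ("unmapped gap", False)


def as_db(image, va, count):
    """Render bytes at va the way an analyzer should show data: 'db 4Dh,5Ah,...'."""
    off = va - parse_image(image)[0]
    return "db " + ",".join("%02Xh" % b for b in image[off:off + count])


if __name__ == "__main__":
    img = build_sample_image()
    for va in (0x3AFE0000, 0x3AFE0097, 0x3AFE1000, 0x3AFE2010):
        region, is_code = classify(img, va)
        verdict = "code, disassemble" if is_code else "data, show as " + as_db(img, va, 4)
        print("%08X -> %-10s %s" % (va, region, verdict))
```

Run it and 3AFE0000 and 3AFE0097 land in the header page (data), 3AFE1000 lands in .text (the first valid instructions), and 3AFE2010 in .data; that is the same split HellSpider gives above, derived from the section table rather than from how plausible the mnemonics look.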