
Copy Memory Template

Joined
Sep 10, 2007
Messages
970
Reaction score
815
Code:
005E168E      60            PUSHAD
005E168F      E8 0C000000   CALL Gunz_-_U.005E16A0
005E1694      00006B00      DD Gunz_-_U.006B0000
005E1698      99834400      DD Gunz_-_U.00448399
005E169C      00006C00      DD Gunz_-_U.006C0000
005E16A0  /.  5D            POP EBP
005E16A1  |.  8D45 00       LEA EAX,DWORD PTR SS:[EBP]
005E16A4  |.  8D5D 04       LEA EBX,DWORD PTR SS:[EBP+4]
005E16A7  |.  8D4D 08       LEA ECX,DWORD PTR SS:[EBP+8]
005E16AA  |.  8B00          MOV EAX,DWORD PTR DS:[EAX]
005E16AC  |.  8B1B          MOV EBX,DWORD PTR DS:[EBX]
005E16AE  |.  8B09          MOV ECX,DWORD PTR DS:[ECX]
005E16B0  |.  8918          MOV DWORD PTR DS:[EAX],EBX
005E16B2  |.  50            PUSH EAX
005E16B3  |.  51            PUSH ECX                                 ; /pOldProtect
005E16B4  |.  6A 40         PUSH 40                                  ; |NewProtect = PAGE_EXECUTE_READWRITE
005E16B6  |.  6A 30         PUSH 30                                  ; |Size = 30 (48.)
005E16B8  |.  53            PUSH EBX                                 ; |Address
005E16B9  |.  FF15 F4625E00 CALL DWORD PTR DS:[<&KERNEL32.VirtualPro>; \VirtualProtect
005E16BF  |.  58            POP EAX
005E16C0  |.  8B38          MOV EDI,DWORD PTR DS:[EAX]
005E16C2  |.  8D75 3A       LEA ESI,DWORD PTR SS:[EBP+3A]
005E16C5  |.  B9 05000000   MOV ECX,5
005E16CA  |.  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
005E16CC  |.  61            POPAD
005E16CD  \.  C3            RETN

Binary:
Code:
60 E8 0C 00 00 00 00 00 6B 00 99 83 44 00 00 00 6C 00 5D 8D 45 00 8D 5D 04 8D 4D 08 8B 00 8B 1B
8B 09 89 18 50 51 6A 40 6A 30 53 FF 15 F4 62 5E 00 58 8B 38 8D 75 3A B9 05 00 00 00 F3 A4 61 C3


Usage:
Replace the second dword in the table; in this example it's 00448399. Then you need to change the size in VirtualProtect, and after the VirtualProtect you change mov ecx,22 to the size of your code. Now add your code after the retn (don't skip any lines).

Example:
Code:
#include <windows.h>

typedef void *(__cdecl ShellCode_t) ();   /* function type of the template entry point */
ShellCode_t *ShellCode;                    /* pointer to it (a function object itself cannot be assigned to) */
void Execute ()
{
   /* the 64 template bytes from "Binary" above */
   char *shellCode = "\x60\xE8\x0C\x00\x00\x00\x00\x00\x6B\x00\x99\x83\x44\x00\x00\x00\x6C\x00\x5D\x8D\x45\x00\x8D\x5D\x04\x8D\x4D\x08\x8B\x00\x8B\x1B\x8B\x09\x89\x18\x50\x51\x6A\x40\x6A\x30\x53\xFF\x15\xF4\x62\x5E\x00\x58\x8B\x38\x8D\x75\x3A\xB9\x05\x00\x00\x00\xF3\xA4\x61\xC3";

   DWORD dwProtect;
   /* the literal lives in a read-only section, so it has to be made executable before it is called */
   VirtualProtect (shellCode, 66, PAGE_EXECUTE, &dwProtect);
   ShellCode = (ShellCode_t *)shellCode;
   ShellCode ();
}
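For anyone who has to triage a blob shaped like this template rather than build one, here is a small decoder, added to this thread and not part of the original post or of GunZ. It reads the fields the Usage paragraph talks about straight out of the 64 posted bytes: the three-dword table that the CALL/POP trick locates, the VirtualProtect size, the byte count handed to REP MOVSB, and the offset where the copied payload is expected to sit (right after the RETN). The pattern matching is a deliberate heuristic for exactly these instruction sequences, not a general x86 decoder, and all struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields the Usage paragraph tells you to edit, recovered from the bytes. */
struct template_fields {
    uint32_t scratch_addr;    /* table[0]: where the target pointer is stashed   */
    uint32_t patch_target;    /* table[1]: address the payload is copied over    */
    uint32_t old_protect;     /* table[2]: pOldProtect passed to VirtualProtect  */
    uint8_t  protect_size;    /* imm8 of the PUSH that feeds VirtualProtect Size */
    uint32_t copy_count;      /* imm32 of MOV ECX that feeds REP MOVSB           */
    size_t   payload_offset;  /* table offset + disp8 of LEA ESI,[EBP+disp8]     */
    int      payload_present; /* 1 if copy_count bytes exist past payload_offset */
};

/* Little-endian 32-bit read. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if buf does not have the template's shape. */
int decode_template(const uint8_t *buf, size_t len, struct template_fields *out) {
    size_t i, table_off, code_off, found = 0;

    /* PUSHAD; CALL rel32 -> the return address pushed by CALL is the table. */
    if (len < 0x12 || buf[0] != 0x60 || buf[1] != 0xE8) return -1;
    table_off = 6;
    code_off  = table_off + rd32(buf + 2);
    if (code_off != table_off + 12 || code_off >= len) return -1; /* three dwords */

    out->scratch_addr = rd32(buf + table_off);
    out->patch_target = rd32(buf + table_off + 4);
    out->old_protect  = rd32(buf + table_off + 8);

    for (i = code_off; i + 7 <= len; i++) {
        /* PUSH imm8 (NewProtect); PUSH imm8 (Size); PUSH EBX; CALL [mem] */
        if (buf[i] == 0x6A && buf[i + 2] == 0x6A && buf[i + 4] == 0x53 &&
            buf[i + 5] == 0xFF && buf[i + 6] == 0x15) {
            out->protect_size = buf[i + 3];
            found |= 1;
        }
        /* LEA ESI,[EBP+disp8]: EBP is the table, so the payload is table+disp8 */
        if (buf[i] == 0x8D && buf[i + 1] == 0x75) {
            out->payload_offset = table_off + buf[i + 2];
            found |= 2;
        }
        /* MOV ECX,imm32 ; REP MOVSB */
        if (buf[i] == 0xB9 && buf[i + 5] == 0xF3 && buf[i + 6] == 0xA4) {
            out->copy_count = rd32(buf + i + 1);
            found |= 4;
        }
    }
    if (found != 7) return -1;
    out->payload_present = (out->payload_offset + out->copy_count <= len) ? 1 : 0;
    return 0;
}

/* The 64 bytes posted as "Binary" above. */
const uint8_t TEMPLATE[64] = {
    0x60,0xE8,0x0C,0x00,0x00,0x00, 0x00,0x00,0x6B,0x00, 0x99,0x83,0x44,0x00,
    0x00,0x00,0x6C,0x00, 0x5D,0x8D,0x45,0x00,0x8D,0x5D,0x04,0x8D,0x4D,0x08,
    0x8B,0x00,0x8B,0x1B,0x8B,0x09,0x89,0x18,0x50,0x51,0x6A,0x40,0x6A,0x30,
    0x53,0xFF,0x15,0xF4,0x62,0x5E,0x00,0x58,0x8B,0x38,0x8D,0x75,0x3A,
    0xB9,0x05,0x00,0x00,0x00,0xF3,0xA4,0x61,0xC3
};

int main(void) {
    struct template_fields f;
    if (decode_template(TEMPLATE, sizeof TEMPLATE, &f) != 0) {
        puts("not a copy-memory template");
        return 1;
    }
    printf("patch target  : 0x%08X\n", (unsigned)f.patch_target);
    printf("protect size  : 0x%02X\n", (unsigned)f.protect_size);
    printf("bytes copied  : %u\n", (unsigned)f.copy_count);
    printf("payload offset: 0x%02zX (%s)\n", f.payload_offset,
           f.payload_present ? "present" : "missing: nothing follows RETN");
    return 0;
}
```

Run on the posted bytes it reports the target 00448399, a VirtualProtect size of 0x30 and a 5-byte copy from offset 0x40, and flags that the posted blob ends at the RETN, so the five bytes it would copy are whatever happens to follow it in memory. For detection purposes the CALL-over-a-data-table followed by a VirtualProtect import call and REP MOVSB is the shape worth signaturing; the concrete addresses change per build.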
 
Elite Diviner
Joined
May 5, 2008
Messages
461
Reaction score
24
You sure are the God of Developing.
 
Newbie Spellweaver
Joined
Jul 27, 2008
Messages
24
Reaction score
0
Thanks, but... This is for that?... u, u (God dammit, I'm a noob xD)
 
Experienced Elementalist
Joined
Jan 6, 2009
Messages
261
Reaction score
88
Right, here's a question: what about removing that specific asm, and creating it so that either a separate program or DLL will put it back, just to make sure that the DLL is a verified one and not replaced with a script ("hacks").
 

Guy

Divine Celestial
Joined
Apr 4, 2009
Messages
898
Reaction score
157
that is amazing

Something tells me you have no idea what this is - mind explaining what you think this may be?

Right, here's a question: what about removing that specific asm, and creating it so that either a separate program or DLL will put it back, just to make sure that the DLL is a verified one and not replaced with a script ("hacks").

1) You wouldn't replace native code with a script.
2) Code segment integrity checks, and remote checks on specific data, are extremely easy to do; your "method" unnecessarily adds more work to the build process of such a project, without any or all gain.
 
Junior Spellweaver
Joined
Sep 21, 2008
Messages
150
Reaction score
34
That's pro asm u,u GJ, but I don't get what it does to "GUNZ".
 
Ginger by design.
Loyal Member
Joined
Feb 15, 2007
Messages
2,339
Reaction score
652
Looks handwritten, nice patcher.

Just curious why you don't just do:

MOV EAX, DWORD PTR DS:[EBP]
MOV EBX, DWORD PTR DS:[EBP+4]
MOV ECX, DWORD PTR DS:[EBP+8]

?? Just nitpicking, but pretty nice.
 
Joined
Sep 10, 2007
Messages
970
Reaction score
815
Looks handwritten, nice patcher.

Just curious why you don't just do:

MOV EAX, DWORD PTR DS:[EBP]
MOV EBX, DWORD PTR DS:[EBP+4]
MOV ECX, DWORD PTR DS:[EBP+8]

?? Just nitpicking, but pretty nice.

I did in the version I finished up, but yeah, this is fully handwritten. This is mainly for remote code execution, but it made things like 100% easier.
 
Experienced Elementalist
Joined
Nov 29, 2008
Messages
202
Reaction score
1
Thanks for sharing. You should make a server with anti-DLL-injection included; it would be very useful for lots of people.
(no, I'm not begging ><)
 
Experienced Elementalist
Joined
Jan 6, 2009
Messages
261
Reaction score
88
1) You wouldn't replace native code with a script.
2) Code segment integrity checks, and remote checks on specific data, are extremely easy to do; your "method" unnecessarily adds more work to the build process of such a project, without any or all gain.

1) I need to.
2) My method is needed.
So I'm guessing, through all that non-answering of my question, it is possible.
Also kid, "Guy", duck off editing my posts.
Seeing as it is YOU who has no Ducking idea what the duck he is talking about. You have never even seen my "anticheat".

So the big kid now "Guy" decides to remove the LoadLibrary function, pure motherfucking genius. 1. Server doesn't receive packets, thus match.login fails. 2. GUNZ WON'T Ducking RUN.

3. "Edit" my "anticheat" all you want. 4. If you modify the code incorrectly you're fucked :) The serverside checking will make sure of that. 5. IF YOU EVEN CAN modify it.
 
Joined
Sep 10, 2007
Messages
970
Reaction score
815
1) I need to.
2) My method is needed.
So I'm guessing, through all that non-answering of my question, it is possible.

1) You want to replace native byte code with a script? Are you aware of what a script even is? Based off what you stated before, that is not what you appear to want.
2) I can modify your anti-cheat to do nothing; then, even if you do everything in your power to keep it loaded, it's useless without any sort of integrity check.

Code:
Right, here's a question: what about removing that specific asm, and creating it so that either a separate program or DLL will put it back, just to make sure that the DLL is a verified one and not replaced with a script ("hacks").

Didn't look like a question to me.

Not to mention, what if this separate program or library is removed from the load process?

In short, there's no real benefit to your little "idea".


The whole point of this is to be used by RCE. If you think you can beat my anti-hack, then when it's done for Trinity come on and try it. :) This is going to include many DYNAMIC integrity checks.
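The replies above keep coming back to "code segment integrity checks" as the thing that makes a 5-byte patcher like this one pointless. Here is what the minimal form of such a check looks like, added here as an example and not code from the thread, from GunZ or from anyone's anti-cheat. A region of code is hashed once to get a baseline, re-hashed on a timer (fast path), and on mismatch a pristine shadow copy is diffed to locate the change for the report (slow path). The "code" is a constructed byte buffer so the example runs anywhere; in a real client the region would be the .text section taken from the PE section headers, and the baseline and comparison would live server-side, as the thread itself argues. All names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FNV-1a (64-bit): cheap and fine for spotting casual patching. Against an
 * adversary who can also rewrite the checker, the baseline has to be kept out
 * of the client's reach, and a keyed hash or SHA-256 is the better primitive. */
uint64_t fnv1a64(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

struct guarded_region {
    const uint8_t *base;  /* start of the code bytes being guarded */
    size_t len;
    uint64_t baseline;    /* hash taken when the region was sealed */
    uint8_t *shadow;      /* pristine copy, used only to locate a change */
};

/* Record the trusted state. Returns 0, or -1 if the shadow copy fails. */
int region_seal(struct guarded_region *r, const uint8_t *base, size_t len) {
    r->base = base;
    r->len = len;
    r->shadow = (uint8_t *)malloc(len ? len : 1);
    if (!r->shadow) return -1;
    memcpy(r->shadow, base, len);
    r->baseline = fnv1a64(base, len);
    return 0;
}

/* Fast path: 0 if the region still hashes to its baseline, 1 if not. */
int region_tampered(const struct guarded_region *r) {
    return fnv1a64(r->base, r->len) != r->baseline;
}

/* Slow path for the report: offset and length of the first run of modified
 * bytes; returns -1 when nothing differs. */
long region_first_change(const struct guarded_region *r, size_t *run_len) {
    size_t i = 0, j;
    while (i < r->len && r->base[i] == r->shadow[i]) i++;
    if (i == r->len) return -1;
    j = i;
    while (j < r->len && r->base[j] != r->shadow[j]) j++;
    if (run_len) *run_len = j - i;
    return (long)i;
}

void region_release(struct guarded_region *r) {
    free(r->shadow);
    r->shadow = NULL;
}

/* Constructed stand-in for a .text section: deterministic filler so the demo
 * is reproducible. It is writable only because this is a simulation. */
#define CODE_LEN 256
uint8_t fake_text[CODE_LEN];

void fill_fake_text(void) {
    for (size_t i = 0; i < CODE_LEN; i++) fake_text[i] = (uint8_t)(i * 37 + 11);
}

/* Stands in for the 5-byte REP MOVSB write the posted template performs at
 * its patch target; the bytes are constructed, not a real patch. */
void simulate_patch(uint8_t *code, size_t at) {
    static const uint8_t five[5] = {0xE9, 0x11, 0x22, 0x33, 0x44};
    memcpy(code + at, five, sizeof five);
}

/* Runs the whole scenario. Returns 1 if the patch was caught, 0 if missed,
 * -1 if the untouched region already failed (which must never happen). */
int demo_detects_patch(size_t *off, size_t *run) {
    struct guarded_region r;
    long first;
    int caught;
    fill_fake_text();
    if (region_seal(&r, fake_text, CODE_LEN) != 0) return -1;
    if (region_tampered(&r)) { region_release(&r); return -1; }
    simulate_patch(fake_text, 0x20);
    caught = region_tampered(&r);
    first = region_first_change(&r, run);
    if (off) *off = first < 0 ? 0 : (size_t)first;
    region_release(&r);
    return caught;
}

int main(void) {
    size_t off = 0, run = 0;
    int caught = demo_detects_patch(&off, &run);
    printf("tampered: %s, first change at 0x%02zX, %zu byte(s)\n",
           caught == 1 ? "yes" : "no", off, run);
    return caught == 1 ? 0 : 1;
}
```

The hash check costs one pass over the region, so it can run often; the shadow diff is only touched once a mismatch is seen. Re-sealing after a legitimate hot-patch, and checking the checker itself from outside the process, are the two details that separate this sketch from the "dynamic" checks promised above.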
 