v117 unpacked + IAT fix

Newbie Spellweaver
Joined
Aug 10, 2016
Messages
32
Reaction score
0
I unpacked v117.2 (GMS),

but when I start the client from the redirector it cannot connect to my server.

Anybody have an idea how to solve it?

 
Skilled Illusionist
Joined
Apr 26, 2015
Messages
302
Reaction score
77
Do you mind sharing how you unpacked it?
 
Newbie Spellweaver
Joined
Aug 10, 2016
Messages
32
Reaction score
0
1. Find OEP

2. Fix IAT

3. Fix OEP

Finally, just dump it.
 
Custom Title Activated
Loyal Member
Joined
Jan 18, 2010
Messages
3,109
Reaction score
1,139
Unpacking the client is not anything new here. Now unvirtualizing the IP checks, bypassing Themida CRC and HS modules, etc. That's where everyone gets stuck. This is nice for IDA purposes I guess, but we already had a v117 unpacked for IDBs previously. :p
 
Skilled Illusionist
Joined
Apr 26, 2015
Messages
302
Reaction score
77
Can't we just hook the Windows APIs and replace the IP address that we connect to?
 
Newbie Spellweaver
Joined
Aug 10, 2016
Messages
32
Reaction score
0
Unpacking the client is not anything new here. Now unvirtualizing the IP checks, bypassing Themida CRC and HS modules, etc. That's where everyone gets stuck. This is nice for IDA purposes I guess, but we already had a v117 unpacked for IDBs previously. :p

Any way to bypass CRC checks and HS modules? Some tutorial?
 
Custom Title Activated
Loyal Member
Joined
Jan 18, 2010
Messages
3,109
Reaction score
1,139
@br1337 Chriss If it were that easy, then we'd have fully functional localhosts for versions other than v62~v90.

Before you're able to easily bypass CRC and HS, you'll need to un-vm the functions in the client that use them. You can look up the Deathway plugin for Olly, which is an Oreans Unvirtualizer. Once you've un-vmed the client properly, you'll be able to NOP out all of the checks involved and modify other misc instructions. There are some tutorials out there for bypassing the debug register checks and stuff, and you can also look into the public CRC bypasses for more information and/or AoBs that can help you find it. Do note that the Themida CRC checks are everywhere, there are tons of them, so you're going to need a valid AoB so that you can strip it from every function. Then, you have HackShield/GameGuard depending on the version you're reversing that you'll need to bypass. In CWvsApp::SetUp, you'll have to NOP out the CSecurityClient::StartModule so that it doesn't start the AhnHS Service (probably more, but I haven't researched it). We can't forget the IP checks either! Just changing the IP won't make the client fully run; it'll crash from IP checks throughout the client. You'll need to remove these checks and then you should have yourself a localhost.

One thing to note: While I prefer a real localhost game client (as do most), the easier way to tackle this would be to make a DLL instead. Using a DLL, you can use AoBs to parse the client once it's active in memory, and skip all of the checks involved. This would mean you wouldn't need to take the time un-vming functions throughout the client or anything, because you can automate the process and overwrite everything active in memory. Since newer Themida is used on higher game clients, it's extremely difficult to reverse it, and this is why you see things like LEN and other DLLs in place. Another thing that's useful about using a DLL over an actual client is that you can VMProtect a DLL better than you can your MapleStory client, making it impossible for people to see the code you're executing to bypass the client checks (which is probably done both for public LENs and what Extalia did).
 
Newbie Spellweaver
Joined
Aug 10, 2016
Messages
32
Reaction score
0
@br1337 @Chriss If it were that easy, then we'd have fully functional localhosts for versions other than v62~v90.

Before you're able to easily bypass CRC and HS, you'll need to un-vm the functions in the client that use them. You can look up the Deathway plugin for Olly, which is an Oreans Unvirtualizer. Once you've un-vmed the client properly, you'll be able to NOP out all of the checks involved and modify other misc instructions. There are some tutorials out there for bypassing the debug register checks and stuff, and you can also look into the public CRC bypasses for more information and/or AoBs that can help you find it. Do note that the Themida CRC checks are everywhere, there are tons of them, so you're going to need a valid AoB so that you can strip it from every function. Then, you have HackShield/GameGuard depending on the version you're reversing that you'll need to bypass. In CWvsApp::SetUp, you'll have to NOP out the CSecurityClient::StartModule so that it doesn't start the AhnHS Service (probably more, but I haven't researched it). We can't forget the IP checks either! Just changing the IP won't make the client fully run; it'll crash from IP checks throughout the client. You'll need to remove these checks and then you should have yourself a localhost.

One thing to note: While I prefer a real localhost game client (as do most), the easier way to tackle this would be to make a DLL instead. Using a DLL, you can use AoBs to parse the client once it's active in memory, and skip all of the checks involved. This would mean you wouldn't need to take the time un-vming functions throughout the client or anything, because you can automate the process and overwrite everything active in memory. Since newer Themida is used on higher game clients, it's extremely difficult to reverse it, and this is why you see things like LEN and other DLLs in place. Another thing that's useful about using a DLL over an actual client is that you can VMProtect a DLL better than you can your MapleStory client, making it impossible for people to see the code you're executing to bypass the client checks (which is probably done both for public LENs and what Extalia did).

Yeah, you are right, I will try it.
 
Skilled Illusionist
Joined
Apr 26, 2015
Messages
302
Reaction score
77
Question: Are the CRC checks executed in the client main thread?
 
Custom Title Activated
Loyal Member
Joined
Jan 18, 2010
Messages
3,109
Reaction score
1,139
Question: Are the CRC checks executed in the client main thread?

I would assume so, yes. Just make sure not to confuse Nexon's CCRC32 checks with Themida CRC though. You'll see bypasses for both of these :p

Also, I'm not able to get this far either, so I have very little information to provide besides what I have seen done on localhosts, along with other info I've read and from people I know. It seems to be a fairly complicated and time-consuming process. However, I would assume that if you can just manage to un-vm the client (the hard part imo), debugging from there should be easy since you can actually see all of the original instructions. I wish I had an unpacked and unvirtualized client available that didn't have all of these checks and stuff bypassed so I could see all the original calls, name everything and see what's removed :/
 
Junior Spellweaver
Joined
Nov 16, 2010
Messages
144
Reaction score
72
the easier way to tackle this would be to make a DLL instead. Using a DLL, you can use AoBs to parse in the client once it's active in memory, and skip all of the checks involved. This would mean you wouldn't need to take the time un-vming functions throughout the client or anything because you can automate the process and overwrite everything active in memory.
Eric: have you ever tried to create your own DLL and hook it to the client? If yes, can you share your experience? :p
I know that way is easier than trying to make a real localhost, but I still haven't figured out how to hook it to the client and where to start.
 
Skilled Illusionist
Joined
Apr 26, 2015
Messages
302
Reaction score
77
I don't know for version 117, but here's the approach I use to bypass GameGuard in lower versions without unpacking it:

I run the client until it gives the hacking/no server available error message.
Knowing that, I open a client dump in STREDIT and look up the ID of the string that shows the error.
Then I search the array of bytes for the push instruction with the ID of the string and place a breakpoint there in Cheat Engine.
I run the game and then wait until it reaches the breakpoint.
I start checking which calls do the loading of the game, which loads the GameGuard features.

IDA is a really nice tool to help you understand and name those functions.

You can remove GameGuard with 2 or 3 ret instructions.

CRC detection shouldn't be hard as well.

You place a breakpoint on a memory address and wait for reads on it.

That will give you the CRC addy.

Then, after you have a working bypass in Cheat Engine, you can think about translating it into your localhost or into a DLL like Eric mentioned.

:)
 