Hook DLL for Main.exe eX ++ no need unpack.

  1. #1
    tomatoes (Valued Member)
    Join Date: Oct 2005
    Posts: 140

    Hi, I see someone needs a main.exe eX ++ cracked; they don't know how to unpack, so I made a small, easy guide to crack main.exe.

    1. Load Main.exe eX ++ in OllyDbg; the OEP looks like this:
    Code:
    00CDDBE5 >  60              pushad
    00CDDBE6    9C              pushfd
    00CDDBE7    FC              cld
    00CDDBE8    B8 01000000     mov     eax, 1

    Set a HWBP at the OEP and press Shift + F9, and you have:

    1.1
    Code:
    00CDDBE5 >  E8 C9C09BFF     call    00699CB3
    00CDDBEA  ^ E9 78FEFFFF     jmp     00CDDA67

    So I make a hook at offset 00CDDBEA.

    How to make it? Look at:

    2. Restart Olly and load main.exe again:

    Code:
    00CDDBE5 >  60              pushad
    00CDDBE6    9C              pushfd
    00CDDBE7    FC              cld
    00CDDBE8    B8 01000000     mov     eax, 1
    00CDDBED    B9 FFFF0000     mov     ecx, 0FFFF
    00CDDBF2  - E0 FE           loopdne short 00CDDBF2
    00CDDBF4    48              dec     eax
    00CDDBF5    83F8 00         cmp     eax, 0
    00CDDBF8  ^ 75 F3           jnz     short 00CDDBED
    00CDDBFA    68 D180DC0A     push    0ADC80D1                         ; ASCII "kernel32.dll"
    00CDDBFF    FF15 64ACC609   call    dword ptr [<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
    00CDDC05    68 DE80DC0A     push    0ADC80DE                         ; ASCII "VirtualProtect"
    00CDDC0A    50              push    eax
    00CDDC0B    FF15 60ACC609   call    dword ptr [<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress
    00CDDC11    8BD8            mov     ebx, eax
    00CDDC13    50              push    eax
    00CDDC14    8BCC            mov     ecx, esp
    00CDDC16    51              push    ecx
    00CDDC17    6A 40           push    40
    00CDDC19    68 5B000000     push    5B
    00CDDC1E    68 E5DBCD00     push    <ModuleEntryPoint>
    00CDDC23    FFD0            call    eax
    00CDDC25    8BCC            mov     ecx, esp
    00CDDC27    51              push    ecx
    00CDDC28    6A 40           push    40
    00CDDC2A    68 19000000     push    19
    00CDDC2F    68 B880DC0A     push    0ADC80B8
    00CDDC34    8BC3            mov     eax, ebx
    00CDDC36    FFD0            call    eax
    00CDDC38    83C4 04         add     esp, 4
    00CDDC3B  - E9 78A40E0A     jmp     0ADC80B8

    At 00CDDC3B, follow it to 0ADC80B8:

    Code:
    0ADC80B8    90              nop
    0ADC80B9    BE ED80DC0A     mov     esi, 0ADC80ED
    0ADC80BE    BF E5DBCD00     mov     edi, <ModuleEntryPoint>
    0ADC80C3    B9 5B000000     mov     ecx, 5B
    0ADC80C8    F3:A4           rep     movs byte ptr es:[edi], byte ptr>
    0ADC80CA    9D              popfd
    0ADC80CB    61              popad
    0ADC80CC  - E9 145BF1F5     jmp     <ModuleEntryPoint>

    Look at offset 0ADC80ED in the hex dump, size 0x5B:

    Code:
    0ADC80ED  E8 C9 C0 9B FF E9 78 FE FF FF 8B FF 55 8B EC 53  èÉÀ›ÿéxþÿÿ‹ÿU‹ìS

    Look at 1.1 above and the red text: E9 78 FE FF FF

    It is jmp 00CDDA67 (ASM code),
    so we change it to a free offset and write the hook code.
    For example, I did it on Main zteam EX802 1.4.42.

    At 0ADC80ED:
    Original: E8 C9 C0 9B FF E9 78 FE FF FF 8B FF 55 8B EC 53
    Hook: E8 C9 C0 9B FF E9 39 4F 4E 00 8B FF 55 8B EC 53

    E9 39 4F 4E 00 is jmp 011C2B28 (ASM code),

    so we write the hook code at 011C2B28, like this:

    Code:
    011C2B28    68 582B1C01     push    011C2B58                         ; ASCII "zClient.dll"
    011C2B2D    FF15 64ACC609   call    dword ptr [<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
    011C2B33  - E9 2FAFB1FF     jmp     00CDDA67                         ; Offset original JMP

    Done, save it. From the DLL, we can patch any offset to crack Main.exe.
    Doing it in another main.exe is the same and surely works fine :)
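
The byte edit in the post above changes only the rel32 operand of one near jump inside the packer's stored copy of the entry stub, which is the kind of change an integrity or triage check can flag. The following is an added example, not code from the thread: it diffs a stub against a known-good copy and decodes where each changed `E9` jump lands, using the bytes and addresses quoted in the post. The function names, the constant names and the availability of a known-good copy are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes quoted in the post: the stub copy at 0ADC80ED before and after the edit. */
static const uint8_t GOOD_STUB[16] = {0xE8,0xC9,0xC0,0x9B,0xFF,0xE9,0x78,0xFE,
                                      0xFF,0xFF,0x8B,0xFF,0x55,0x8B,0xEC,0x53};
static const uint8_t SEEN_STUB[16] = {0xE8,0xC9,0xC0,0x9B,0xFF,0xE9,0x39,0x4F,
                                      0x4E,0x00,0x8B,0xFF,0x55,0x8B,0xEC,0x53};
#define STUB_RUNTIME_VA 0x00CDDBE5u  /* the loader copies the stub to the entry point */

typedef struct { uint32_t va, good_target, seen_target; } redirect_t;

/* Destination of a 5-byte near jump (E9 rel32) that executes at address va. */
static uint32_t jmp_target(uint32_t va, const uint8_t *insn) {
    uint32_t rel = (uint32_t)insn[1] | (uint32_t)insn[2] << 8 |
                   (uint32_t)insn[3] << 16 | (uint32_t)insn[4] << 24;
    return va + 5u + rel;  /* relative to the next instruction, wraps mod 2^32 */
}

/* Heuristic diff (assumption: no disassembler; an E9 byte present in both
   copies with a different rel32 is treated as a redirected jump). */
static size_t find_redirects(const uint8_t *good, const uint8_t *seen, size_t len,
                             uint32_t base_va, redirect_t *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i + 5 <= len && n < cap; i++) {
        if (good[i] != 0xE9 || seen[i] != 0xE9) continue;
        if (memcmp(good + i + 1, seen + i + 1, 4) == 0) continue;
        out[n].va = base_va + (uint32_t)i;
        out[n].good_target = jmp_target(out[n].va, good + i);
        out[n].seen_target = jmp_target(out[n].va, seen + i);
        n++;
        i += 4;  /* skip the displacement bytes just decoded */
    }
    return n;
}

int main(void) {
    redirect_t r[4];
    size_t n = find_redirects(GOOD_STUB, SEEN_STUB, sizeof GOOD_STUB,
                              STUB_RUNTIME_VA, r, 4);
    for (size_t k = 0; k < n; k++)
        printf("jmp at %08X: %08X -> %08X\n", (unsigned)r[k].va,
               (unsigned)r[k].good_target, (unsigned)r[k].seen_target);
    return n ? 1 : 0;  /* non-zero exit when the stub was redirected */
}
```

The decoded targets match the disassembly in the post: the jump at 00CDDBEA originally lands on 00CDDA67 and, after the edit, on 011C2B28.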


  2. #2
    ashlay (^_^)
    Join Date: Jun 2010
    Location: Brazil
    Posts: 887

    @tomatoes
    Which main did you use as an example?

  3. #3
    tomatoes (Valued Member)
    Join Date: Oct 2005
    Posts: 140

  4. #4
    SmallHabit (CAARL, THAT KILLS PEOPLE!)
    Join Date: Oct 2010
    Location: Latvia
    Posts: 231

    And what about restoring bytes in some places of code? For example, if you disable proto crypt, it will restore again.

  5. #5
    tomatoes (Valued Member)
    Join Date: Oct 2005
    Posts: 140

    Quote (originally posted by SmallHabit):
    And what about restoring bytes in some places of code? For example, if you disable proto crypt, it will restore again.

    I don't know, I just researched main.exe eX a bit, no more. But I think it is a protection by Webzen. You can compare with Main.exe Blue CHS, not encrypted (I shared it). In the new main eX, some functions (obfuscated) crash main.exe, and if I restore them with the code (not obfuscated) of main.exe Blue CHS, it works fine. Check it :)

  6. #6
    pquintal (TheGhost)
    Join Date: May 2009
    Location: Funchal-PT
    Posts: 205

    @tomatoes
    How do I activate mu.exe in this main 1.4.42?
    Thanks

  7. #7
    pquintal (TheGhost)
    Join Date: May 2009
    Location: Funchal-PT
    Posts: 205

    Quote (originally posted by gmrote):
    ask main 1.4.42 the fix then Thanks

    When I hook zClient.dll in this main, mu.exe is automatically deactivated.
    I don't understand that :s, I used two ways to hook and got the same result.

    Used Windows 8.1 & OllyDbg 1.10

  8. #8
    tomatoes (Valued Member)
    Join Date: Oct 2005
    Posts: 140

    ZClient.dll patches the JMP for Mu.exe, so you can't start Mu.exe. If you want to start Mu.exe, please patch the Mu.exe offset again, JMP=>JNZ, from another DLL after zClient.dll is loaded.

  9. #9
    pquintal (TheGhost)
    Join Date: May 2009
    Location: Funchal-PT
    Posts: 205

    Quote (originally posted by tomatoes):
    ZClient.dll patches the JMP for Mu.exe, so you can't start Mu.exe. If you want to start Mu.exe, please patch the Mu.exe offset again, JMP=>JNZ, from another DLL after zClient.dll is loaded.

    Ah OK, thanks a lot, I didn't know this ;)

  10. #10
    laulinh2 (Account Upgraded | Title Enabled!)
    Join Date: Mar 2013
    Posts: 305

    Help me hook a DLL in main zteam ss8
    dll: https://www.mediafire.com/?2zsc2g6l7y8gs36

  11. #11
    laulinh2 (Account Upgraded | Title Enabled!)
    Join Date: Mar 2013
    Posts: 305

    help me please :((

  12. #12
    pquintal (TheGhost)
    Join Date: May 2009
    Location: Funchal-PT
    Posts: 205

    Quote (originally posted by laulinh2):
    help me please :((

    Here it is, hooked with the DLL:
    https://www.sendspace.com/file/5o04b2

  13. #13
    nitoy (Enthusiast)
    Join Date: Aug 2005
    Posts: 29

    I tried to hook the Antihack DLL from pinkof; it starts the splash and the game loads for about 2 sec., then closes. Any idea, sir @tomatoes?

  14. #14
    pquintal (TheGhost)
    Join Date: May 2009
    Location: Funchal-PT
    Posts: 205

    Many people have asked me to help hook the pinkof GameGuard into the main.
    Here is Main with GameGuard.dll hooked -> Main + GameGuard.dll
    Here is Main with GameGuard.dll + zClient.dll hooked -> Main + GameGuard.dll + zClient.dll
    zClient.dll? Use yours.

    Note: If you have problems starting the game, it is a bad config, not a bad hook; it's a simple hook.

  15. #15
    jinimu (Enthusiast)
    Join Date: Feb 2013
    Posts: 33

    hello.
    .
    My main kor S8..

    Please help me hook zteam s8 dll in My main..

    My Main Link: https://www.sendspace.com/file/zyvyk8

    Thanks..

  16. #16
    gmrote (Account Upgraded | Title Enabled!)
    Join Date: May 2013
    Posts: 285

    testmain

    Quote (originally posted by pquintal):
    Many people have asked me to help hook the pinkof GameGuard into the main.
    Here is Main with GameGuard.dll hooked -> Main + GameGuard.dll
    Here is Main with GameGuard.dll + zClient.dll hooked -> Main + GameGuard.dll + zClient.dll
    zClient.dll? Use yours.

    Note: If you have problems starting the game, it is a bad config, not a bad hook; it's a simple hook.

    Last edited by gmrote; 07-09-14 at 03:36 AM. Reason: help me

  17. #17
    pquintal (TheGhost)
    Join Date: May 2009
    Location: Funchal-PT
    Posts: 205

    Quote (originally posted by gmrote):
    testmain

    You have disabled in options autostart analysis main

  18. #18
    gmrote (Account Upgraded | Title Enabled!)
    Join Date: May 2013
    Posts: 285

    Quote (originally posted by pquintal):
    You have disabled in options autostart analysis main

    Help me, add Skype live:rote2011


  19. #19
    ggakboy1 (Enthusiast)
    Join Date: Jan 2014
    Posts: 46

    Help me plz
    EX702 1.03R tai
    http://pan.baidu.com/s/1hq02How
    Just need to change IP, hook GameGuard

  20. #20
    Mecanik (LiveGuard Software Ltd)
    Join Date: Jan 2012
    Location: 404 Not Found
    Posts: 343

    Hello mates! Can someone help me with the new main of zTeam? They have added some extra protection, so I get some GameGuard :: error.
    I really want to post my latest update for FREE to the people (liveguard).
    Main won't start without Starter.exe ....

    https://drive.google.com/file/d/0B9s...ew?usp=sharing

    I feel pretty stupid because I can't attach it... but I don't have a choice :(

    LE: sorry, I forgot, it can be any other .dll, just don't put an export name. Normally my DLL name is liveguard.ll and the export function is Mecanik()
    Last edited by Mecanik; 31-12-14 at 04:26 PM.

  21. #21
    Mecanik (LiveGuard Software Ltd)
    Join Date: Jan 2012
    Location: 404 Not Found
    Posts: 343

    Bump ?:(

  22. #22
    jackbot (Account Upgraded | Title Enabled!)
    Join Date: Jan 2014
    Posts: 210

    Quote (originally posted by mecanik1):
    Bump ?:(

    Give me your Skype, mate... I'll help you with this

  23. #23
    nagato12 (Novice)
    Join Date: Apr 2014
    Posts: 1

    Hi, is it possible to hook a DLL so that excellent items show their color properly?

  24. #24
    florin18de (Novice)
    Join Date: Jan 2016
    Location: Otopeni, Romani
    Posts: 2

    I have problems with HD resolution: my launcher has options for wide screen and my main.exe doesn't support it. What do I need to do for the wide resolution to work? Can someone please help me?

  25. #25
    hugab (Account Upgraded | Title Enabled!)
    Join Date: Oct 2007
    Posts: 516

    hello.
    .
    My main kor S8..

    Please help me hook zteam s8 dll in My main..

    My Main Link: https://mega.nz/#!C1NWiYKJ!s-ma6isD8a6Rli4uLs1E1anAAy7feGBROYA5MNUDW8k

    Thanks..
    Last edited by hugab; 03-03-16 at 05:13 PM.


