[TUTORIAL] How to remove GameGuard

[ChoVinisTa]

Good morning everyone
After many years of testing and trying to remove the protection, I finally got a quick and practical solution to the problem and I'm going to share it with you.

Below is the tutorial

I'm using x32dbg to do it but you can use any other debugger

Find the command

[COLOR="#FF0000"]CMP EAX,0x755[/COLOR]

Will return two results

You must be registered to see links

Above each instruction, there will be a "CALL" which is the call to start the gameguard

You must be registered to see links

Change this call to confirming that GameGuard has loaded correctly using the instruction below

MOV EAX, 0x755

Should stay like this

You must be registered to see links

Repeat this step with the other result and voila, gameguard removed from GME

Remembering that GME needs to be unpacked
​

 

[kyha]

Which game installer have you used?
and above all, from which region (GIS, GLS, GBS, etc)?

I have GLS and GIS... but the search by command does not give me any results.

 

[tiddus]

Which game installer have you used?
and above all, from which region (GIS, GLS, GBS, etc)?

I have GLS and GIS... but the search by command does not give me any results.

Hi kyha, it was tested on GIS version 917 and 923, and used pepigol's servefiles

 

[kyha]

You must be registered to see links

Pues ¡yeah!, este tutorial es compatible con GIS 923.
El acceso al juego es inmediato, muestra la lista de servidores.

Quise acceder a uno de los servidores pero me arroja el error 201... que es el mismo error que arroja en versiones desde que se implementó el modo tutorial y el acceso a items 2.

____________
Well Yeah!, this tutorial is compatible with GIS 923.
The access to the game is immediate, it shows the list of servers.

I wanted to access one of the servers but I get the error 201... which is the same error that is thrown in versions since the tutorial mode and access to items 2 was implemented.

 

[ChoVinisTa]

You must be registered to see links

Pues ¡yeah!, este tutorial es compatible con GIS 923.
El acceso al juego es inmediato, muestra la lista de servidores.

Quise acceder a uno de los servidores pero me arroja el error 201... que es el mismo error que arroja en versiones desde que se implementó el modo tutorial y el acceso a items 2.

____________
Well Yeah!, this tutorial is compatible with GIS 923.
The access to the game is immediate, it shows the list of servers.

I wanted to access one of the servers but I get the error 201... which is the same error that is thrown in versions since the tutorial mode and access to items 2 was implemented.

Check the logs, this error happens on S2 because the client sends some packets that the server doesn't recognize, so it drops the connection.

 

[kyha]

The following is the log file record.

(thread=0, request=0)00000ACC (22/12/11 22:42:54) socket accepted from 192.168.1.3300001E8C (22/12/11 22:42:54) CSvcThread::OnConnect(00A47D78/0073059D)00001E8C (22/12/11 22:42:54) RECV>> [SS=00A47D78 SQ=36B1 CD=1000] 00001E8C (22/12/11 22:42:54) SEND>> [SS=00A47D78 SQ=53E5 CD=1001] 29 00 00 0000001E8C (22/12/11 22:42:54) RECV>> [SS=00A47D78 SQ=8D4F CD=1010] 5C 76 48 F0 F8 6B 47 F6 4C 45 AC C9 4A 19 4B 85 1A 14 70 8E D2 F6 68 92 24 74 8F 41 65 F3 E1 22 C6 C1 BC 8B E3 4F 75 44 A2 DB 6C 71 CC 9C F8 06 7E 0C A9 36 DE 7B 58 75 36 32 81 86 E0 D1 97 8A 49 58 78 5B 92 26 45 A9 52 93 77 61 DA 66 C2 9E A0 5C 15 47 65 72 BE D1 19 20 90 B5 31 FA 2B F6 A0 5C 15 47 65 72 BE D1 19 20 90 B5 31 FA 2B F600001E8C (22/12/11 22:42:54) Service Request: SVC_LOGIN/ADMIN(00A47D78)0000186C (22/12/11 22:42:54) dbthread started. (thread=1, request=1)0000186C (22/12/11 22:42:54) UserDB] UDBIN_LOGININFO00001E8C (22/12/11 22:42:54) PASS 12345600001E8C (22/12/11 22:42:54) Recv Version(923)00000818 (22/12/11 22:42:54) dbthread started. (thread=1, request=1)00000818 (22/12/11 22:42:54) GunboundDB] GDBIN_LOGIN00001E8C (22/12/11 22:42:54) SEND>> [SS=00A47D78 SQ=0E68 CD=1012] 00 00 23 48 00 00 54 61 6E 6B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 0C 00 0A 00 83 00 00 00 02 00 00 00 02 00 00 00 00 00 00 00 01 00 00 00 28 00 00 00 3B 16 00 00 72 0E 00 00 72 0E 00 00 32 05 9B 3B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 9D 85 68 6A 16 A4 C0 39 A9 5D E0 35 74 7C E8 07 35 92 4F 6F CF 52 72 3D D2 9F D8 D2 3E E3 B000001E8C (22/12/11 22:42:54) SEND>> [SS=00A47D78 SQ=E626 CD=1015] 4E 95 DD 29 CE 3A 55 DB 20 B6 AD 97 A6 5C C0 1C00001E8C (22/12/11 22:42:54) SEND>> [SS=00A47D78 SQ=8E08 CD=1060] 03 00 00 000000113C (22/12/11 22:42:54) dbthread started. (thread=1, request=1)0000113C (22/12/11 22:42:54) RecordDB] RDBIN_LOAD00001E8C (22/12/11 22:42:54) SEND>> [SS=00A47D78 SQ=71FA CD=1013] 0A 00 07 00 00 00 43 00 00 00 00 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 09 00 00 00 01 00 00 00 04 00 00 00 0A 00 00 00 03 00 00 00 00 00 00 00 08 00 00 00 09 00 00 00 03 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 05 00 00 00 01 00 00 00 01 00 00 00 06 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 12 00 01 00 00 00 06 00 00 00 00 00 00 00 03 00 00 00 02 00 00 00 00 00 00 00 05 00 00 00 03 00 00 00 00 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 08 00 00 00 16 00 00 00 06 00 00 00 09 00 00 00 04 00 00 00 00 00 00 00 0A 00 00 00 02 00 00 00 00 00 00 00 0B 00 00 00 04 00 00 00 00 00 00 00 0D 00 00 00 07 00 00 00 00 00 00 00 0E 00 00 00 05 00 00 00 00 00 00 00 0F 00 00 00 04 00 00 00 00 00 00 0000001E8C (22/12/11 22:42:54) RECV>> [SS=00A47D78 SQ=AD37 CD=5132] 00 0000001E8C (22/12/11 22:42:54) Unknown Service Request: 5132(00A47D78)00001E8C (22/12/11 22:42:54) DoProcessStream<>(...) failed because OnMsg() returned false00001E8C (22/12/11 22:42:54) CSvcThread::OnClose(00A47D78)00001E8C (22/12/11 22:42:54) IS NOT IN VALID CHANNEL00000818 (22/12/11 22:42:54) GunboundDB] GDBIN_LOGOUT0000113C (22/12/11 22:42:54) RecordDB] RDBIN_SAVE0000186C (22/12/11 22:43:04) dbthread ended. (thread=0, request=0)00000818 (22/12/11 22:43:04) dbthread ended. (thread=0, request=0)0000113C (22/12/11 22:43:04) dbthread ended. (thread=0, request=0)00001D90 (22/12/11 22:43:23) [C$][S lib] CleanupGameguardAuth() FREE LIST pProtocol[0xa22be0] dwVersion[0x10050] pNext[0xa22c20] pProtocol->pBefore[0x0]00001D90 (22/12/11 22:43:23) [C$][S lib] CleanupGameguardAuth() FREE LIST pProtocol[0xa22c20] dwVersion[0x10051] pNext[0xa22c60] pProtocol->pBefore[0xa22be0]00001D90 (22/12/11 22:43:23) [C$][S lib] CleanupGameguardAuth() FREE LIST pProtocol[0xa22c60] dwVersion[0x10052] pNext[0x0] pProtocol->pBefore[0xa22c20]00001D90 (22/12/11 22:43:23) [C$][S lib] CleanupGameguardAuth() STOPPING LOG

I managed to log in, changing the authority level from 100, (GM) or normal verified, (10)... because with them I always get error 201.But if I change the authority to [1]. (unverified e-mail), it allows me to log in... but the game closes.

 

[ChoVinisTa]

Notice that there is a line like this in that log you posted

"Unknown Service Request: 5132"

That's why the server gives an error, because the files don't know about this packet and close the connection.
I was able to get around this by changing this packet to something known (like 0x6100)
Or in this case, to 0x2100 which is the channel join
Even after changing this, another unknown packet appears, which is 0x7012, which I also did the same thing.
It's a wrong solution, I know, but it's a workaround that works

 

[kyha]

I have changed PUSH 5132, to PUSH 6100
Now the game doesn't crash, it doesn't close abruptly but it doesn't attempt to log in either.

The LOG has changed, referring that it does not find the service [7012].

(thread=0, request=0)0000262C (22/12/13 22:46:43) socket accepted from 192.168.1.3300002620 (22/12/13 22:46:43) CSvcThread::OnConnect(00D95F10/02D5863D)00002620 (22/12/13 22:46:43) RECV>> [SS=00D95F10 SQ=36B1 CD=1000] 00002620 (22/12/13 22:46:43) SEND>> [SS=00D95F10 SQ=53E5 CD=1001] 29 00 00 0000002620 (22/12/13 22:46:43) RECV>> [SS=00D95F10 SQ=8D4F CD=1010] 5C 76 48 F0 F8 6B 47 F6 4C 45 AC C9 4A 19 4B 85 1A 14 70 8E D2 F6 68 92 24 74 8F 41 65 F3 E1 22 C6 C1 BC 8B E3 4F 75 44 A2 DB 6C 71 CC 9C F8 06 7E 0C A9 36 DE 7B 58 75 36 32 81 86 E0 D1 97 8A 45 80 61 58 13 1A 12 FC 7A 94 30 1C E4 1F 51 4D A0 5C 15 47 65 72 BE D1 19 20 90 B5 31 FA 2B F6 A0 5C 15 47 65 72 BE D1 19 20 90 B5 31 FA 2B F600002620 (22/12/13 22:46:43) Service Request: SVC_LOGIN/ADMIN(00D95F10)0000250C (22/12/13 22:46:43) dbthread started. (thread=1, request=1)0000250C (22/12/13 22:46:43) UserDB] UDBIN_LOGININFO00002620 (22/12/13 22:46:43) PASS 12345600002620 (22/12/13 22:46:43) Recv Version(923)00001968 (22/12/13 22:46:43) dbthread started. (thread=1, request=1)00001968 (22/12/13 22:46:43) GunboundDB] GDBIN_LOGIN00002620 (22/12/13 22:46:43) SEND>> [SS=00D95F10 SQ=0E68 CD=1012] 00 00 23 48 00 00 54 61 6E 6B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 06 00 06 00 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2A 00 00 00 00 00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00 40 0D 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0E 0C 02 DF C7 0E B3 79 9B 72 09 2E B6 E3 41 2E 44 4F AE 2B D0 DF 8A 65 8C 67 C0 B5 A7 D6 51 1900002620 (22/12/13 22:46:43) SEND>> [SS=00D95F10 SQ=E626 CD=1015] 4E 95 DD 29 CE 3A 55 DB 20 B6 AD 97 A6 5C C0 1C00002620 (22/12/13 22:46:43) SEND>> [SS=00D95F10 SQ=8E08 CD=1060] 01 00 00 0000002460 (22/12/13 22:46:43) dbthread started. (thread=1, request=1)00002460 (22/12/13 22:46:43) RecordDB] RDBIN_LOAD00002620 (22/12/13 22:46:43) SEND>> [SS=00D95F10 SQ=71FA CD=1013] 0A 00 07 00 00 00 43 00 00 00 00 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 09 00 00 00 01 00 00 00 04 00 00 00 0A 00 00 00 03 00 00 00 00 00 00 00 08 00 00 00 09 00 00 00 03 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 05 00 00 00 01 00 00 00 01 00 00 00 06 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 12 00 01 00 00 00 06 00 00 00 00 00 00 00 03 00 00 00 02 00 00 00 00 00 00 00 05 00 00 00 03 00 00 00 00 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 08 00 00 00 16 00 00 00 06 00 00 00 09 00 00 00 04 00 00 00 00 00 00 00 0A 00 00 00 02 00 00 00 00 00 00 00 0B 00 00 00 04 00 00 00 00 00 00 00 0D 00 00 00 07 00 00 00 00 00 00 00 0E 00 00 00 05 00 00 00 00 00 00 00 0F 00 00 00 04 00 00 00 00 00 00 0000002620 (22/12/13 22:46:43) RECV>> [SS=00D95F10 SQ=AD37 CD=6100] 00 0000002620 (22/12/13 22:46:43) SEND>> [SS=00D95F10 SQ=91E2 CD=6101 RTC=0007]00002620 (22/12/13 22:46:43) RECV>> [SS=00D95F10 SQ=4525 CD=6000] 00002620 (22/12/13 22:46:43) Service Request: SVC_ITEM(00D95F10)00002620 (22/12/13 22:46:43) SVC_ITEM ] pSession->m_tmEventUserExpire = 0 00002620 (22/12/13 22:46:43) RECV>> [SS=00D95F10 SQ=DD13 CD=6004] 00002620 (22/12/13 22:46:43) Service Request: SVC_ITEM_GIFT_MSG(00D95F10)00002620 (22/12/13 22:46:43) RECV>> [SS=00D95F10 SQ=7501 CD=7012] 00002620 (22/12/13 22:46:43) Unknown Service Request: 7012(00D95F10)00002620 (22/12/13 22:46:43) DoProcessStream<>(...) failed because OnMsg() returned false00001F04 (22/12/13 22:46:43) dbthread started. (thread=1, request=2)00002620 (22/12/13 22:46:43) CSvcThread::OnClose(00D95F10)00002620 (22/12/13 22:46:43) IS NOT IN VALID CHANNEL00002460 (22/12/13 22:46:43) RecordDB] RDBIN_SAVE00001968 (22/12/13 22:46:43) GunboundDB] GDBIN_LOGOUT00001F04 (22/12/13 22:46:43) ItemDB] IDBIN_ITEM00001F04 (22/12/13 22:46:43) ItemDB] IDBIN_GIFT_MSG00001F04 (22/12/13 22:46:43) SELECT No, MenuId, Sender, UNIX_TIMESTAMP(SentTime), Msg, MsgType, ExpireType, GiftItemNo FROM GiftMsg WHERE Receiver='hack1'00001F04 (22/12/13 22:46:43) IDBIN_GIFT_MSG : DBR_SUCCESS0000250C (22/12/13 22:46:53) dbthread ended. (thread=0, request=0)00001F04 (22/12/13 22:46:53) dbthread ended. (thread=0, request=0)00001968 (22/12/13 22:46:53) dbthread ended. (thread=0, request=0)00002460 (22/12/13 22:46:53) dbthread ended. (thread=0, request=0)00002940 (22/12/13 22:47:05) [C$][S lib] CleanupGameguardAuth() FREE LIST pProtocol[0xf0cd18] dwVersion[0x10050] pNext[0xd69b18] pProtocol->pBefore[0x0]00002940 (22/12/13 22:47:05) [C$][S lib] CleanupGameguardAuth() FREE LIST pProtocol[0xd69b18] dwVersion[0x10051] pNext[0xd69b58] pProtocol->pBefore[0xf0cd18]00002940 (22/12/13 22:47:05) [C$][S lib] CleanupGameguardAuth() FREE LIST pProtocol[0xd69b58] dwVersion[0x10052] pNext[0x0] pProtocol->pBefore[0xd69b18]00002940 (22/12/13 22:47:05) [C$][S lib] CleanupGameguardAuth() STOPPING LOG

My file GunBound.INI, in GunBound.XFS / Graphics:

[Gunbound]
BrokerServerIP=192.168.1.33
BrokerServerPort=8400
BuddyIP=192.168.1.33
BuddyPort=8352
CountryFakeGrade=0
GameLanguage=1
PowerBall=0
NewForce=1
NewItem=0
NewReady=1
TutorialMode=0
[Image]BoardImage=ad_ingame.img
BoardImageChangeTime=10
BoardImageCount=10
BoardImageShow=false
[Option]
AutoRefresh=1
Background=1
Effect3D=3
EffectUse=1
EffectVolume=95
InterfaceMode=1
MouseSpeed=50
MusicUse=1
MusicVolume=95
ShootingMode=0
ShowMoon=1
ShowOnlineUser=0
ShowTurn=1

 

[garsia]

you need add thats packets on the server or bypass on client

 

[ChoVinisTa]

I patched gme and was able to log in, but I'm having problems with packet encryption etc.

Some of the Service Requests that gme sends are:

0x5132
0X7012
0x7050
0x6050
0x6052
0x7118
0x5133
0x3450
0x3433
0x6104

You must be registered to see links

You must be registered to see links

You must be registered to see links

You must be registered to see links

 

[ChoVinisTa]

My GME with gameguard removed and the packets modified to be able to enter the server

For those who want to download and test

v923

You must be registered to see links

Obs.: Not 100% complete, still needs more modifications

 

[DarkSton]

Y que server files puede usar
And which file server can you use?

 

[ChoVinisTa]

Can use any season 2 server file
The Pepigol files and the ones released by TheMarks work correctly

 

[DarkSton]

It seems to me that themark files have something malicious in GS2MANAGER, you could make a video, try ollydbg and it doesn't show me like the image

 

[tiddus]

It seems to me that themark files have something malicious in GS2MANAGER, you could make a video, try ollydbg and it doesn't show me like the image

you don't need to use this gs2manager, in the tests we didn't even turn it on, we only used the files that marks made available

 

[DarkSton]

error dll2.dll

 

[ChoVinisTa]

Sorry, it's the DLL I use for testing, I forgot to remove it

Here is the link with the new gme without the dll

You must be registered to see links

 

[DarkSton]

packets 7012 to what number did you change?

 

[ChoVinisTa]

I changed it to "0x6108" which is responsible for the GPs update request

 

[DarkSton]

Discord?