Exploit fixes, some sources and stuff [im done.]

**Chern0byl** · 31-05-14

Hello there. It've been a time since I posted anything here. Anyhow, here is the deal. Since some people I trusted disappoited me (selling my work, calling meh a scammer, and such sh!t), I've decided to take some pretty serious step. The point is you sell MY work = it gets released to public for free. Probably, this thread is the last one in which I release my stuff to public (free). That means most of my stuff will become private / for sale. . I'm going to drop my old skype / email addresses and such stuff. Basically, kinda going underground. Still, those who bought any stuff from me should pm me @ RZ and get my new infos.

So, lets start. I wont post whole source code of module runtime patcher, but will give enough for you to do assembly fixes or simply a program that does the same stuff. All the offsets are there. Those fixes are relatively old, but still has to be useful for you guys.

Some exploit fixes [c#]

PHP Code:


using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;

namespace ModuleFixesRuntime.Memory
{
    sealed class CMemoryPatcher
    {
        [DllImport("kernel32.dll")]
        private static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseaddress_1005, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseaddress_1005, [Out] byte[] lpBuffer, int dwSize, out int lpNumberOfBytesRead);

        [DllImport("kernel32.dll")]
        static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, MemoryProtectionConsts flNewProtect, out MemoryProtectionConsts lpflOldProtect);
        
        [Flags]
        public enum MemoryProtectionConsts : uint
        {
            EXECUTE = 0x10,
            EXECUTE_READ = 0x20,
            EXECUTE_READWRITE = 0x40,
            NOACCESS = 0x01,
            READONLY = 0x02,
            READWRITE = 0x04
        }

        [Flags]
        public enum ProcessAccessFlags : uint
        {
            All = 0x001F0FFF,
            Terminate = 0x00000001,
            CreateThread = 0x00000002,
            VMOperation = 0x00000008,
            VMRead = 0x00000010,
            VMWrite = 0x00000020,
            DupHandle = 0x00000040,
            SetInformation = 0x00000200,
            QueryInformation = 0x00000400,
            Synchronize = 0x00100000
        }

        static bool WriteMemory(Process process, int addr, byte[] data, out int bytesWritten)
        {
            IntPtr hProc = OpenProcess(ProcessAccessFlags.All, false, process.Id);
            bool worked = WriteProcessMemory(hProc, new IntPtr(addr), data, (UInt32)data.LongLength, out bytesWritten);
            CloseHandle(hProc);
            return worked;
        }
        //constants
        const byte ASM_NOP = 0x90;

        public void ApplyGameServerFixes(string ProcName)
        {
            Process GameProcess = null;

            bool flag = false;
            try
            {
                GameProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }

            //--------------------------------------------------------------------
            int AddrExHandler_1 = 0x00521765;
            int AddrExHandler_2 = 0x00521768;
            //--------------------------------------------------------------------
            byte[] Patch_ExHandler_1 = new byte[] { 0x90, 0x90 };
            byte[] Patch_ExHandler_2 = new byte[] { 0xEB };
            //--------------------------------------------------------------------

            Console.WriteLine("Starting game server patch sequence");

            string Msg = string.Empty;

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_1 = 0;
            WriteMemory(GameProcess, AddrExHandler_1, Patch_ExHandler_1, out WritenBytes_ExHandler_1);

            Msg = (WritenBytes_ExHandler_1 == Patch_ExHandler_1.Length)
              ?
              string.Format("Patching exception handler step #1 success [{0}] bytes", WritenBytes_ExHandler_1)
              :
              string.Format("Pathing exception handler step #1 failed [{0}] bytes", WritenBytes_ExHandler_1);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_2 = 0;
            WriteMemory(GameProcess, AddrExHandler_2, Patch_ExHandler_2, out WritenBytes_ExHandler_2);

            Msg = (WritenBytes_ExHandler_2 == Patch_ExHandler_2.Length)
              ?
              string.Format("Patching exception handler step #2 success [{0}] bytes", WritenBytes_ExHandler_2)
              :
              string.Format("Pathing exception handler step #2 failed [{0}] bytes", WritenBytes_ExHandler_2);

            Console.WriteLine(Msg);
            //--------------------------------------------------------------------
        }

        public void ApplyShardManagerFixes(string ProcName)
        {
            Process ShardProcess = null;

            bool flag = false;
            try
            {
                ShardProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }

            //--------------------------------------------------------------------
            int AddrExHandler_1 = 0x00402B05;
            int AddrExHandler_2 = 0x00402B08;

            int AddrExHandler_3 = 0x007998D6;
            int AddrExHandler_4 = 0x007998EE;
            int AddrExHandler_5 = 0x007999C2;


            //--------------------------------------------------------------------
            byte[] Patch_ExHandler_1 = new byte[] { 0x90, 0x90 };
            byte[] Patch_ExHandler_2 = new byte[] { 0xEB };
            byte[] Patch_ExHandler_345 = new byte[] { 0x78 };
            //--------------------------------------------------------------------

            Console.WriteLine("Starting shard manager patch sequence");

            string Msg = string.Empty;

            //--------------------------------------------------------------------
            int WritenBytes_ExHandler_1 = 0;
            WriteMemory(ShardProcess, AddrExHandler_1, Patch_ExHandler_1, out WritenBytes_ExHandler_1);

            Msg = (WritenBytes_ExHandler_1 == Patch_ExHandler_1.Length)
                ?
                string.Format("Patching exception handler step #1 success [{0}] bytes", WritenBytes_ExHandler_1)
                :
                string.Format("Pathing exception handler step #1 failed [{0}] bytes", WritenBytes_ExHandler_1);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_2 = 0;
            WriteMemory(ShardProcess, AddrExHandler_2, Patch_ExHandler_2, out WritenBytes_ExHandler_2);

            Msg = (WritenBytes_ExHandler_2 == Patch_ExHandler_2.Length)
               ?
               string.Format("Patching exception handler step #2 success [{0}] bytes", WritenBytes_ExHandler_2)
               :
               string.Format("Pathing exception handler step #2 failed [{0}] bytes", WritenBytes_ExHandler_2);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_3 = 0;
           
            WriteMemory(ShardProcess, AddrExHandler_3, Patch_ExHandler_345, out WritenBytes_ExHandler_3);
            
            Msg = (WritenBytes_ExHandler_3 == Patch_ExHandler_345.Length)
               ?
               string.Format("Patching exception handler step #3 success [{0}] bytes", WritenBytes_ExHandler_3)
               :
               string.Format("Pathing exception handler step #3 failed [{0}] bytes", WritenBytes_ExHandler_3);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_4 = 0;
            WriteMemory(ShardProcess, AddrExHandler_4, Patch_ExHandler_345, out WritenBytes_ExHandler_4);

            Msg = (WritenBytes_ExHandler_4 == Patch_ExHandler_345.Length)
               ?
               string.Format("Patching exception handler step #4 success [{0}] bytes", WritenBytes_ExHandler_4)
               :
               string.Format("Pathing exception handler step #4 failed [{0}] bytes", WritenBytes_ExHandler_4);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_5 = 0;
            WriteMemory(ShardProcess, AddrExHandler_5, Patch_ExHandler_345, out WritenBytes_ExHandler_5);

            Msg = (WritenBytes_ExHandler_5 == Patch_ExHandler_345.Length)
               ?
               string.Format("Patching exception handler step #5 success [{0}] bytes", WritenBytes_ExHandler_5)
               :
               string.Format("Pathing exception handler step #5 failed [{0}] bytes", WritenBytes_ExHandler_5);

            Console.WriteLine(Msg);

        }
        public void ApplyDownloadServerFixes(string ProcName)
        {
            Process DownloadProcess = null;

            bool flag = false;
            try
            {
                DownloadProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }


            //--------------------------------------------------------------------
            int Addr631D = 0x00407544;
            //004B3FCA    83FB 07         CMP EBX,7


            int AddrA003_ToCodecave = 0x0040C522;
            int AddrA003_Codecave = 0x004d5E92;
            //--------------------------------------------------------------------
            byte[] Patch_631D = new byte[19];
            for (int i = 0; i < Patch_631D.Length; i++) Patch_631D[i] = ASM_NOP;
            byte[] Patch_A003_CodeOffset = new byte[] { 0xE9, 0x6B, 0x99, 0x0C, 0x00 };
            byte[] Patch_A003_Codecave =
                new byte[] 
                {
                    //cmp ebx,7
                    0x83, 0xFB, 0x07,
                    //je eip + 3
                    0x74, 0x03,
                    //jmp near dword ptr ds:[eax+5c]
                    0xFF, 0x60, 0x5C,
                    //retn 10
                    0xC2, 0x10, 0x00
                };
            //--------------------------------------------------------------------
            Console.WriteLine("Starting download server patch sequence");

            string Msg = string.Empty;

            int WritenBytes_631D = 0;
            WriteMemory(DownloadProcess, Addr631D, Patch_631D, out WritenBytes_631D);

            Msg = (WritenBytes_631D == Patch_631D.Length)
                ?
                string.Format("Patching 0x631D opcode success [{0}] bytes", WritenBytes_631D)
                :
                string.Format("Pathing 0x631D opcode failed [{0}] bytes", WritenBytes_631D);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_Codecave = 0;
            WriteMemory(DownloadProcess, AddrA003_Codecave, Patch_A003_Codecave, out WritenBytes_A003_Codecave);

            Msg = (WritenBytes_A003_Codecave == Patch_A003_Codecave.Length)
                ?
                string.Format("Writing 0xA003 Codecave success [{0}] bytes", WritenBytes_A003_Codecave)
                :
                string.Format("Writing 0xA003 Codecave failed [{0}] bytes", WritenBytes_A003_Codecave);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_CodeOffset = 0;
            WriteMemory(DownloadProcess, AddrA003_ToCodecave, Patch_A003_CodeOffset, out WritenBytes_A003_CodeOffset);

            Msg = (WritenBytes_A003_CodeOffset == Patch_A003_CodeOffset.Length)
                ?
                string.Format("Patching 0xA003 Codecave offset success [{0}] bytes", WritenBytes_A003_CodeOffset)
                :
                string.Format("Patching 0xA003 Codecave offset failed [{0}] bytes", WritenBytes_A003_CodeOffset);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

        }

        public void ApplyGatewayServerFixes(string ProcName)
        {
            Process GatewayProcess = null;

            bool flag = false;
            try
            {
                GatewayProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }

            //--------------------------------------------------------------------
            int Addr631D = 0x0043F384;
            int AddrA003_ToCodecave = 0x00443c22;
            int AddrA003_Codecave = 0x004d5e92;
            //--------------------------------------------------------------------

            byte[] Patch_631D = new byte[19];
            for (int i = 0; i < Patch_631D.Length; i++) Patch_631D[i] = ASM_NOP;

            byte[] Patch_A003_CodeOffset = new byte[] { 0xE9, 0x6B, 0x22, 0x09, 0x00 };
            byte[] Patch_A003_Codecave = 
                new byte[] 
                {
                    //cmp ebx, 7
                    0x83, 0xFB, 0x07,
                    //je eip + 3
                    0x74, 0x03,
                    //jmp near dword ptr ds:[eax + 0x5c]
                    0xFF, 0x60, 0x5C,
                    //ret 10
                    0xC2, 0x10, 0x00
                };

            //--------------------------------------------------------------------
            Console.WriteLine("Starting gateway patch sequence");
            string Msg = string.Empty;


            int WritenBytes_631D = 0;
            WriteMemory(GatewayProcess, Addr631D, Patch_631D, out WritenBytes_631D);

            Msg = (WritenBytes_631D == Patch_631D.Length)
                ?
                string.Format("Patching 0x631D opcode success [{0}] bytes", WritenBytes_631D)
                :
                string.Format("Pathing 0x631D opcode failed [{0}] bytes", WritenBytes_631D);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_Codecave = 0;
            WriteMemory(GatewayProcess, AddrA003_Codecave, Patch_A003_Codecave, out WritenBytes_A003_Codecave);

            Msg = (WritenBytes_A003_Codecave == Patch_A003_Codecave.Length)
                ?
                string.Format("Writing 0xA003 Codecave success [{0}] bytes", WritenBytes_A003_Codecave)
                :
                string.Format("Writing 0xA003 Codecave failed [{0}] bytes", WritenBytes_A003_Codecave);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_CodeOffset = 0;
            WriteMemory(GatewayProcess, AddrA003_ToCodecave, Patch_A003_CodeOffset, out WritenBytes_A003_CodeOffset);

            Msg = (WritenBytes_A003_CodeOffset == Patch_A003_CodeOffset.Length)
                ?
                string.Format("Patching 0xA003 Codecave offset success [{0}] bytes", WritenBytes_A003_CodeOffset)
                :
                string.Format("Patching 0xA003 Codecave offset failed [{0}] bytes", WritenBytes_A003_CodeOffset);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
        }

        public byte[] GenerateFilterExceptionCodecave()
        {
            byte[] OutputBuffer = new byte[0x1000];
            byte[] ValueBuffer;
            int BufferLen = 0;
            //int JlAddr = 0x00401D36;
            
            int OkJumpAddr = 0x004c2cac;
            int FailJumpAddr = 0x004c2c96;

            ushort[] Opcodes = new ushort[] 
            {
                0x7010
            };


            byte[] InstructionBuffer = new byte[25];
            byte[] Cmp_Ecx_Prefix = new byte[2] { 0x81, 0xF9 };
            byte[] Nulls = new byte[2] { 0x00, 0x00 };

            byte[] Jl_Opcode_Instruction = new byte[6] { 0x0F, 0x8C, 0x52, 0xF0, 0xF3, 0xFF };
   
            for (int i = 0; i < Opcodes.Length; i++)
            {
                //2 bytes of instruction opcode
                Buffer.BlockCopy(Cmp_Ecx_Prefix, 0, InstructionBuffer, 0, Cmp_Ecx_Prefix.Length);
                ValueBuffer = BitConverter.GetBytes((int)Opcodes[i]);
                Buffer.BlockCopy(ValueBuffer, 0, InstructionBuffer, 2, 2);
               
               // Buffer.BlockCopy(Jl_Opcode_Instruction, 0, InstructionBuffer, 6, 6);
               // Buffer.BlockCopy(new byte[]  
                Buffer.BlockCopy(InstructionBuffer, 0, OutputBuffer, BufferLen, 12);
                BufferLen += 12;
            }

            return OutputBuffer;
        }

        public void ApplyAgentServerFixes(string ProcName)
        {
            Process AgentProcess = null;

            bool flag = false;

            try
            {
                AgentProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }

            //actual work

            //--------------------------------------------------------------------
            int Addr1005 = 0x00430444;
            int Addr600D = 0x00430452;
            int AddrFilter = 0x00401D16;
            int AddrCommon_1 = 0x004488C0;
            int Addr631D = 0x0042BEF4;
            int Addr6303_1 = 0x0042D339;
            int Addr6303_2 = 0x0042D36C;
            int Addr6303_3 = 0x0042D374;
            int AddrA003_ToCodecave = 0x00430312;
            int AddrA003_Codecave = 0x004C2FC6;
            int AddrFilterOpcodes_ToCodecave = 0x00401D16;
            int AddrFilterOpcodes_Codecave = 0x004C2CD8;
            int AddrFilterOpcodes_OkCase = 0x004c2cac;
            int AddrFilterOpcodes_FailCase = 0x004c2c96;

            //--------------------------------------------------------------------
            byte[] Patch_1005 = new byte[] { 0x78, 0x00, 0x00, 0x00 };
            byte[] Patch_600D = new byte[] { 0xC2, 0x10, 0x00, 0x90, 0x90, 0x90 };

            byte[] Patch_Filter = new byte[] { 0xEB, 0x1E, 0x90, 0x90, 0x90, 0x90 };

            byte[] Patch_Common_1 = new byte[] { 0xC3, 0x90, 0x90, 0x90, 0x90 };
            byte[] Patch_631D = new byte[19];
            for (int i = 0; i < Patch_631D.Length; i++) Patch_631D[i] = ASM_NOP;

            byte[] Patch_6303_1 = new byte[] { 0x90, 0x90 };
            byte[] Patch_6303_2 = new byte[] { 0x90, 0x90 };
            byte[] Patch_6303_3 = new byte[] { 0xEB };

            byte[] Patch_A003_CodeOffset = new byte[] { 0xE9, 0xAF, 0x2C, 0x09, 0x00 };
            byte[] Patch_A003_Codecave =
                new byte[]
            {
                //cmp ebx,7
                0x83, 0xFB, 0x07,
                //je eip + 3
                0x74, 0x03,
                //jmp near dword ptr ds:[eax+5c]
                0xFF, 0x60, 0x5C,
                //retn 10
                0xC2, 0x10, 0x00
            };
            #region ROFL
            byte[] Patch_A003_Nops =
                new byte[]
                {
                    0x90, 0x90, 0x90, 0x90,
                    0x90, 0x90, 0x90, 0x90,
                    0x90, 0x90, 0x90, 0x90,
                    0x90, 0x90, 0x90, 0x90
                };
            #endregion
                

            //jmp 0x004c2cd8 + NOP
            byte[] Patch_FilterExceptions_CodeOffset = new byte[]
            { 0xE9, 0xBD, 0x0F, 0x0C, 0x00, 0x90 };

            byte[] Patch_FilterExceptions_Codecave = GenerateFilterExceptionCodecave();
           // byte[] Patch_FilterExceptions_JumpInst
            //--------------------------------------------------------------------
            Console.WriteLine("Starting agent patch sequence");

            string Msg = string.Empty;

            //--------------------------------------------------------------------
            int WritenBytes_1005 = 0;
            WriteMemory(AgentProcess, Addr1005, Patch_1005, out WritenBytes_1005);


            Msg = (WritenBytes_1005 == Patch_1005.Length) 
                ? 
                string.Format("Patching 0x1005 opcode success [{0}] bytes", WritenBytes_1005)
                :
                string.Format("Patching 0x1005 opcode failed [{0}] bytes", WritenBytes_1005);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_600D = 0;
            WriteMemory(AgentProcess, Addr600D, Patch_600D, out WritenBytes_600D);

            Msg = (WritenBytes_600D == Patch_600D.Length)
                ?
                string.Format("Patching 0x600D opcode success [{0}] bytes", WritenBytes_600D)
                :
                string.Format("Patching 0x600D opcode failed [{0}] bytes", WritenBytes_600D);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            // temporary disabled
            int WritenBytes_Filter = 0;
            WriteMemory(AgentProcess, AddrFilter, Patch_Filter, out WritenBytes_Filter);

            Msg = (WritenBytes_Filter == Patch_Filter.Length)
                ?
                string.Format("Patching filter success [{0}] bytes", WritenBytes_Filter)
                :
                string.Format("Patching filter failed [{0}] bytes", WritenBytes_Filter);
            Console.WriteLine(Msg);
           
            //--------------------------------------------------------------------
            int WritenBytes_Common_1 = 0;
            WriteMemory(AgentProcess, AddrCommon_1, Patch_Common_1, out WritenBytes_Common_1);

            Msg = (WritenBytes_Common_1 == Patch_Common_1.Length)
                ?
                string.Format("Patching common exception handler success [{0}] bytes", WritenBytes_Common_1)
                :
                string.Format("Patching common exception handler failed [{0}] bytes", WritenBytes_Common_1);
            Console.WriteLine(Msg);
            //--------------------------------------------------------------------
            int WritenBytes_631D = 0;
            WriteMemory(AgentProcess, Addr631D, Patch_631D, out WritenBytes_631D);

            Msg = (WritenBytes_631D == Patch_631D.Length)
                ?
                string.Format("Patching 0x631D success [{0}] bytes", WritenBytes_631D)
                :
                string.Format("Patching 0x631D failed [{0}] bytes", WritenBytes_631D);
            Console.WriteLine(Msg);
            //--------------------------------------------------------------------
            int WritenBytes_6303_1 = 0;
            WriteMemory(AgentProcess, Addr6303_1, Patch_6303_1, out WritenBytes_6303_1);

            Msg = (WritenBytes_6303_1 == Patch_6303_1.Length)
                ?
                string.Format("Patching 0x6303 step #1 success [{0}] bytes", WritenBytes_6303_1)
                :
                string.Format("Patching 0x6303 step #1 failed [{0}] bytes", WritenBytes_6303_1);
            Console.WriteLine(Msg);
            //--------------------------------------------------------------------
            int WritenBytes_6303_2 = 0;
            WriteMemory(AgentProcess, Addr6303_2, Patch_6303_2, out WritenBytes_6303_2);

            Msg = (WritenBytes_6303_2 == Patch_6303_2.Length)
                ?
                string.Format("Patching 0x6303 step #2 success [{0}] bytes", WritenBytes_6303_2)
                :
                string.Format("Patching 0x6303 step #2 failed [{0}] bytes", WritenBytes_6303_2);
            Console.WriteLine(Msg);
            //--------------------------------------------------------------------

            int WritenBytes_6303_3 = 0;
            WriteMemory(AgentProcess, Addr6303_3, Patch_6303_3, out WritenBytes_6303_3);

            Msg = (WritenBytes_6303_3 == Patch_6303_3.Length)
                ?
                string.Format("Patching 0x6303 step #3 success [{0}] bytes", WritenBytes_6303_3)
                :
                string.Format("Patching 0x6303 step #3 failed [{0}] bytes", WritenBytes_6303_3);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_Nops = 0;
            WriteMemory(AgentProcess, AddrA003_Codecave, Patch_A003_Nops, out WritenBytes_A003_Nops);

            Msg = (WritenBytes_A003_Nops == Patch_A003_Nops.Length)
                ?
                string.Format("Writing 0xA003 Codecave nops success [{0}] bytes", WritenBytes_A003_Nops)
                :
                string.Format("Writing 0xA003 Codecave nops failed [{0}] bytes", WritenBytes_A003_Nops);

            
            int WritenBytes_A003_Codecave = 0;
            WriteMemory(AgentProcess, AddrA003_Codecave, Patch_A003_Codecave, out WritenBytes_A003_Codecave);

            Msg = (WritenBytes_A003_Codecave == Patch_A003_Codecave.Length)
                ?
                string.Format("Writing 0xA003 Codecave success [{0}] bytes", WritenBytes_A003_Codecave)
                :
                string.Format("Writing 0xA003 Codecave failed [{0}] bytes", WritenBytes_A003_Codecave);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_CodeOffset = 0;
            WriteMemory(AgentProcess, AddrA003_ToCodecave, Patch_A003_CodeOffset, out WritenBytes_A003_CodeOffset);

            Msg = (WritenBytes_A003_CodeOffset == Patch_A003_CodeOffset.Length)
                ?
                string.Format("Patching 0xA003 Codecave offset success [{0}] bytes", WritenBytes_A003_CodeOffset)
                :
                string.Format("Patching 0xA003 Codecave offset failed [{0}] bytes", WritenBytes_A003_CodeOffset);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            /*
            //BULLSHIT
            //write cases
            int tmp = 0;
            //ok case
            WriteMemory(AgentProcess, AddrFilterOpcodes_OkCase, new byte[] { 0xE9, 0x2E, 0xF1, 0xF3, 0xFF, 0x90 }, out tmp) ;
            //fail case
            WriteMemory(AgentProcess, AddrFilterOpcodes_FailCase, new byte[] { 0xEB, 0xFE }, out tmp);
            
            
            
            int WritenBytes_FilterException_Codecave = 0;
            WriteMemory(AgentProcess, AddrFilterOpcodes_Codecave, Patch_FilterExceptions_Codecave, out WritenBytes_FilterException_Codecave);

            Msg = (WritenBytes_FilterException_Codecave == Patch_FilterExceptions_Codecave.Length)
                ?
                string.Format("Writing filter exception codecave success [{0}] bytes", WritenBytes_FilterException_Codecave)
                :
                string.Format("Writing filter exception codecave failed [{0}] bytes", WritenBytes_FilterException_Codecave);
           
            //--------------------------------------------------------------------
            
            int WritenBytes_FilterException_ToCode_Offset = 0;
            WriteMemory(AgentProcess, AddrFilterOpcodes_ToCodecave, Patch_FilterExceptions_CodeOffset, out WritenBytes_FilterException_ToCode_Offset);

            Msg = (WritenBytes_FilterException_ToCode_Offset == Patch_FilterExceptions_CodeOffset.Length)
                ?
                string.Format("Patching filter exception codecave offset success [{0}] bytes", WritenBytes_FilterException_ToCode_Offset)
                :
                string.Format("Patching filter exception codecave offset failed [{0}] bytes", WritenBytes_FilterException_ToCode_Offset);
            Console.WriteLine(Msg);
             * */
        }
    }
}

And here is a squirrel.

This thread will be updated with some more sources / free releases soon.

**MentaL**

Exploit fixes, some sources and stuff [im done.]

**Sector1337** · 01-06-14

that's a good thing, old developers share their work.. nvm The perfect game called "Silkroad Online" is died 2 years ago.

**MaxZeus** · 01-06-14

Sorry to hear this Chern0, but this is not something new really.

After all we are in a captalism world, and everyone want to earn something no matter at which cost (especially when speaking about private gameservers).

Even with you going underground, you will still be seeing the same scenario in a reduced manner.

Good luck in your next approaches :)

**hamzafigo** · 12-06-14

Sorry for my stupid ask. How to add this code?

I just wanna fix some exploits just already done in my server.

**lemoniscool** · 12-06-14

Originally Posted by hamzafigo

Sorry for my stupid ask. How to add this code?

I just wanna fix some exploits just already done in my server.

did you seriously register for this question? wow ... okay .. my suggestion on how to solve your problem: try to learn some C# or maybe even better try to learn some programming basics and what to do with code ... just a tip: http://bit.ly/1hRqgZM

**hamzafigo** · 13-06-14

If u take a look at my reg. date, u`ll know if i reg for the question or not.

And thnx for the advice.

**LogiN** · 16-06-14

Originally Posted by hamzafigo

Sorry for my stupid ask. How to add this code?

I just wanna fix some exploits just already done in my server.

To add to what has published chernobyl, you must do so by ollydbg open the .exe file and patch..

Example:

PHP Code:


public void ApplyGameServerFixes(string ProcName)

        {

            Process GameProcess = null;



            bool flag = false;

            try

            {

                GameProcess = Process.GetProcessesByName(ProcName)[0];

                flag = true;

            }

            catch { }



            if (!flag)

            {

                Console.WriteLine("Could not find [{0}] process", ProcName);

                return;

            }



            //--------------------------------------------------------------------

            int AddrExHandler_1 = 0x00521765;

            int AddrExHandler_2 = 0x00521768;

            //--------------------------------------------------------------------

            byte[] Patch_ExHandler_1 = new byte[] { 0x90, 0x90 };

            byte[] Patch_ExHandler_2 = new byte[] { 0xEB };

            //--------------------------------------------------------------------

Target: ApplyGameServerFixes [SR_GameServer.exe]
Open in ollydbg, press CTRL+G and put Offset.

PHP Code:


            //--------------------------------------------------------------------

            int AddrExHandler_1 = 0x00521765;

            int AddrExHandler_2 = 0x00521768;

            //--------------------------------------------------------------------

            byte[] Patch_ExHandler_1 = new byte[] { 0x90, 0x90 };

            byte[] Patch_ExHandler_2 = new byte[] { 0xEB };

            //--------------------------------------------------------------------

The AddrExHandler_1 located the Offset 0x00521765 and writes the bytes { 0x90, 0x90 }; --- NOP
The AddrExHandler_2 located the Offset 0x00521768 and writes the bytes { 0xEB }; -- JMP

If you want to implement it in one .DLL you can do it in C++

Examples: Fix.cpp

PHP Code:


#include "Fix.h"

#include "Asm.h"

void Fixs()

{

   SetByte(0x00521765,0xEB); -- JMP

   SetNop(0x00521768,2); -- NOP

}

Fix.h

PHP Code:


void Fixs();

Asm.cpp

PHP Code:


#include "Asm.h"

void SetNop(DWORD dwOffset, int Size){

    for(int n=0; n < Size; n++){

        *(BYTE*)(dwOffset+n) = 0x90;

    }

}

void SetByte(DWORD dwOffset, BYTE btValue){

    *(BYTE*)(dwOffset) = btValue;

}

Asm.h

PHP Code:


void SetNop(DWORD dwOffset, int Size);

void SetByte(DWORD dwOffset, BYTE btValue);

Have enough :)
So is that you could use what public Chernobyl.

Good Luck!

**tschulian** · 21-06-14

great release. usefull for ppl which are inside programming.

Any1 here who knows how to use this? PM me, I am working on another tool to avoid exploits I could share it with 1 who knows how to apply chernos sources.

Just pm me for more infos. I am sure u will like it.

regards,
Julian

**lemoniscool** · 23-06-14

dafuq .. why change his code and use it in olly or c++ lol .. guys dont you see that this is c# ready-to-use code? xD
cmon he couldnt have done it easier for you guys ... it really is a ready-to-use c# class ... thats as easy as it gets okay he could have released it as a compiled exe but thats way too easy dont you think? :P

**Molten** · 24-06-14

Originally Posted by lemoniscool

dafuq .. why change his code and use it in olly or c++ lol ..

It's a usable C# code, yes. LoGiN has provided a C++ code incase if someone wanted to use it as a dll, instead of opening the patcher everytime you run your server. Sometimes you might forget to apply the patch and leave it un-attended ;)

**lemoniscool** · 24-06-14

Originally Posted by Molten

It's a usable C# code, yes. LoGiN has provided a C++ code incase if someone wanted to use it as a dll, instead of opening the patcher everytime you run your server. Sometimes you might forget to apply the patch and leave it un-attended ;)

you know c# is also capable to compile dlls, do you?

**Molten** · 24-06-14

Originally Posted by lemoniscool

you know c# is also capable to compile dlls, do you?

Can you compile a .NET dll to work with a C++ executable?

**lemoniscool** · 25-06-14

Originally Posted by Molten

Can you compile a .NET dll to work with a C++ executable?

well if you want it to be injected into the C++ executable there are ways to do so but they are a bit more work but can be found by 5 minutes of using google .. for example:

Originally Posted by mheyman

First, you make a simple regular C++ DLL that looks like the following:

dllmain.cpp:

Code:

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include "resource.h"
extern void LaunchDll(
  unsigned char *dll, size_t dllLength, 
  char const *className, char const *methodName);
static DWORD WINAPI launcher(void* h)
{
    HRSRC res = ::FindResourceA(static_cast<HMODULE>(h),
                   MAKEINTRESOURCEA(IDR_DLLENCLOSED), "DLL");
    if (res)
    {
        HGLOBAL dat = ::LoadResource(static_cast<HMODULE>(h), res);
        if (dat)
        {
            unsigned char *dll =
                static_cast<unsigned char*>(::LockResource(dat));
            if (dll)
            {
                size_t len = SizeofResource(static_cast<HMODULE>(h), res);
                LaunchDll(dll, len, "MyNamespace.MyClass", "DllMain");
            }
        }
    }
    return 0;
}
extern "C" BOOL APIENTRY DllMain(HMODULE h, DWORD reasonForCall, void* resv)
{
    if (reasonForCall == DLL_PROCESS_ATTACH)
    {
        CreateThread(0, 0, launcher, h, 0, 0);
    }
    return TRUE;
}

Note the thread creation. This is to keep Windows happy because calling managed code within a DLL entrypoint is a no-no.

Next, you have to create that LaunchDll function the code above references. This goes in a separate file because it will be compiled as a managed C++ unit of code. To do this, first create the .cpp file (I called it LaunchDll.cpp). Then right click on that file in your project and in Configuration Properties-->C/C++-->General change the Common Language RunTime Support entry to Common Language RunTime Support (/clr). You can't have exceptions, minimal rebuild, runtime checks and probably some other things I forgot about but the compiler will tell you about. When the compiler complains, track down what settings you much change from the default and change them on the LaunchDll.cpp file only.

LaunchDll.cpp:

Code:

#using <mscorlib.dll>
// Load a managed DLL from a byte array and call a static method in the DLL.
// dll - the byte array containing the DLL
// dllLength - the length of 'dll'
// className - the name of the class with a static method to call.
// methodName - the static method to call. Must expect no parameters.
void LaunchDll(
    unsigned char *dll, size_t dllLength,
    char const *className, char const *methodName)
{
    // convert passed in parameter to managed values
    cli::array<unsigned char>^ mdll = gcnew cli::array<unsigned char>(dllLength);
    System::Runtime::InteropServices::Marshal::Copy(
        (System::IntPtr)dll, mdll, 0, mdll->Length);
    System::String^ cn =
        System::Runtime::InteropServices::Marshal::PtrToStringAnsi(
            (System::IntPtr)(char*)className);
    System::String^ mn =
        System::Runtime::InteropServices::Marshal::PtrToStringAnsi(
            (System::IntPtr)(char*)methodName);

    // used the converted parameters to load the DLL, find, and call the method.
    System::Reflection::Assembly^ a = System::Reflection::Assembly::Load(mdll);
    a->GetType(cn)->GetMethod(mn)->Invoke(nullptr, nullptr);
}

Now for the really tricky part. You probably noticed the resource loading in dllmain.cpp:launcher(). What this does is retrieve a second DLL that has been inserted as a resource into the DLL getting created here. To do this, create a resource file by doing the right click-->Add-->New Item-->Visual C++-->Resource-->Resource File (.rc) thing. Then, you need to make sure there is a line like:

resource.rc:

Code:

IDR_DLLENCLOSED DLL "C:\\Path\\to\\Inner.dll"

in the file. (Tricky, huh?)

The only thing left to do is to create that Inner.dll assembly. Just make sure to include a MyNamespace.MyClass class with a public void DllMain() method (of course you can call these functions whatever you want to, these are just the values hardcoded into dllmain.cpp:launcher() above.

So, in conclusion, the code above takes an existing managed DLL, inserts it into a resource of an unmanaged DLL which, upon getting attached to a process, will load the managed DLL from the resource and call a method in it.

so that being quoted (and tested before) i can proudly say it actually IS possible to load managed dlls on injection to unmanaged executables BUT as you can see is a bit harder than just creating an executable thats working for ALL modules at once unlike a dll which requires 1 dll for every module that has to be injected and i guess having 6 or 7 dlls to be injected its more likely to forget about one.

In my opinion, having a small prog that might also be set to auto start fixing all exploits at once when a module is started is better. And to avoid to forget it you can also write a small batch file that checks if the fix prog is running and if not starts it which is then being started by a cronjob once every 5 minutes.. hell it could even be started by SQL Server Agent once every 5 seconds .. whatever you want

but lets stop arguing about what could be done and what would be better, if you dont want a compiled exe behaving like described above im totally fine with it, then chernos code will stay as he intended it to be: not used by people who dont know how to use it

**tschulian** · 26-06-14

@lemoniscool, I think most of us are looking for a fixed compiled exe.

The main problem is that most of them are not used to read and understand english.
Dunno what so hard to understand in "thank my post for ..." but we all know that. :D

**LogiN** · 27-06-14

@lemoniscool , no that many laps to repair it .. if you know programming, you'll know that one. scheduled DLL can cause you to read different applications simultaneously, you do not need to compile and make several DLL hook, one does everything.

That is just compiling 1. Dll you manage to make all necessary arrangements ..

Chernobyl public part of the arrangements made in C#
I explained and understood, and how to use it in C++

Guys! have the solution in your eyes, it is a matter of using a little logic.

Luck!!

Exploit fixes, some sources and stuff [im done.]

Thread Tools

Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Re: Exploit fixes, some sources and stuff [im done.]

Advertisement