Welcome!

Join our community of MMO enthusiasts and game developers! By registering, you'll gain access to discussions on the latest developments in MMO server files and collaborate with like-minded individuals. Join us today and unlock the potential of MMO server development!

Join Today!

Exploit fixes, some sources and stuff [im done.]

Joined
Jul 23, 2011
Messages
391
Reaction score
664
Hello there. It've been a time since I posted anything here. Anyhow, here is the deal. Since some people I trusted disappoited me (selling my work, calling meh a scammer, and such sh!t), I've decided to take some pretty serious step. The point is you sell MY work = it gets released to public for free. Probably, this thread is the last one in which I release my stuff to public (free). That means most of my stuff will become private / for sale. . I'm going to drop my old skype / email addresses and such stuff. Basically, kinda going underground. Still, those who bought any stuff from me should pm me @ RZ and get my new infos.


So, lets start. I wont post whole source code of module runtime patcher, but will give enough for you to do assembly fixes or simply a program that does the same stuff. All the offsets are there. Those fixes are relatively old, but still has to be useful for you guys.

Some exploit fixes [c#]

PHP:
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;

namespace ModuleFixesRuntime.Memory
{
    sealed class CMemoryPatcher
    {
        [DllImport("kernel32.dll")]
        private static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseaddress_1005, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseaddress_1005, [Out] byte[] lpBuffer, int dwSize, out int lpNumberOfBytesRead);

        [DllImport("kernel32.dll")]
        static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, MemoryProtectionConsts flNewProtect, out MemoryProtectionConsts lpflOldProtect);
        
        [Flags]
        public enum MemoryProtectionConsts : uint
        {
            EXECUTE = 0x10,
            EXECUTE_READ = 0x20,
            EXECUTE_READWRITE = 0x40,
            NOACCESS = 0x01,
            READONLY = 0x02,
            READWRITE = 0x04
        }

        [Flags]
        public enum ProcessAccessFlags : uint
        {
            All = 0x001F0FFF,
            Terminate = 0x00000001,
            CreateThread = 0x00000002,
            VMOperation = 0x00000008,
            VMRead = 0x00000010,
            VMWrite = 0x00000020,
            DupHandle = 0x00000040,
            SetInformation = 0x00000200,
            QueryInformation = 0x00000400,
            Synchronize = 0x00100000
        }

        static bool WriteMemory(Process process, int addr, byte[] data, out int bytesWritten)
        {
            IntPtr hProc = OpenProcess(ProcessAccessFlags.All, false, process.Id);
            bool worked = WriteProcessMemory(hProc, new IntPtr(addr), data, (UInt32)data.LongLength, out bytesWritten);
            CloseHandle(hProc);
            return worked;
        }
        //constants
        const byte ASM_NOP = 0x90;

        public void ApplyGameServerFixes(string ProcName)
        {
            Process GameProcess = null;

            bool flag = false;
            try
            {
                GameProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }

            //--------------------------------------------------------------------
            int AddrExHandler_1 = 0x00521765;
            int AddrExHandler_2 = 0x00521768;
            //--------------------------------------------------------------------
            byte[] Patch_ExHandler_1 = new byte[] { 0x90, 0x90 };
            byte[] Patch_ExHandler_2 = new byte[] { 0xEB };
            //--------------------------------------------------------------------

            Console.WriteLine("Starting game server patch sequence");

            string Msg = string.Empty;

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_1 = 0;
            WriteMemory(GameProcess, AddrExHandler_1, Patch_ExHandler_1, out WritenBytes_ExHandler_1);

            Msg = (WritenBytes_ExHandler_1 == Patch_ExHandler_1.Length)
              ?
              string.Format("Patching exception handler step #1 success [{0}] bytes", WritenBytes_ExHandler_1)
              :
              string.Format("Pathing exception handler step #1 failed [{0}] bytes", WritenBytes_ExHandler_1);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_2 = 0;
            WriteMemory(GameProcess, AddrExHandler_2, Patch_ExHandler_2, out WritenBytes_ExHandler_2);

            Msg = (WritenBytes_ExHandler_2 == Patch_ExHandler_2.Length)
              ?
              string.Format("Patching exception handler step #2 success [{0}] bytes", WritenBytes_ExHandler_2)
              :
              string.Format("Pathing exception handler step #2 failed [{0}] bytes", WritenBytes_ExHandler_2);

            Console.WriteLine(Msg);
            //--------------------------------------------------------------------
        }

        public void ApplyShardManagerFixes(string ProcName)
        {
            Process ShardProcess = null;

            bool flag = false;
            try
            {
                ShardProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }

            //--------------------------------------------------------------------
            int AddrExHandler_1 = 0x00402B05;
            int AddrExHandler_2 = 0x00402B08;

            int AddrExHandler_3 = 0x007998D6;
            int AddrExHandler_4 = 0x007998EE;
            int AddrExHandler_5 = 0x007999C2;


            //--------------------------------------------------------------------
            byte[] Patch_ExHandler_1 = new byte[] { 0x90, 0x90 };
            byte[] Patch_ExHandler_2 = new byte[] { 0xEB };
            byte[] Patch_ExHandler_345 = new byte[] { 0x78 };
            //--------------------------------------------------------------------

            Console.WriteLine("Starting shard manager patch sequence");

            string Msg = string.Empty;

            //--------------------------------------------------------------------
            int WritenBytes_ExHandler_1 = 0;
            WriteMemory(ShardProcess, AddrExHandler_1, Patch_ExHandler_1, out WritenBytes_ExHandler_1);

            Msg = (WritenBytes_ExHandler_1 == Patch_ExHandler_1.Length)
                ?
                string.Format("Patching exception handler step #1 success [{0}] bytes", WritenBytes_ExHandler_1)
                :
                string.Format("Pathing exception handler step #1 failed [{0}] bytes", WritenBytes_ExHandler_1);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_2 = 0;
            WriteMemory(ShardProcess, AddrExHandler_2, Patch_ExHandler_2, out WritenBytes_ExHandler_2);

            Msg = (WritenBytes_ExHandler_2 == Patch_ExHandler_2.Length)
               ?
               string.Format("Patching exception handler step #2 success [{0}] bytes", WritenBytes_ExHandler_2)
               :
               string.Format("Pathing exception handler step #2 failed [{0}] bytes", WritenBytes_ExHandler_2);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_3 = 0;
           
            WriteMemory(ShardProcess, AddrExHandler_3, Patch_ExHandler_345, out WritenBytes_ExHandler_3);
            
            Msg = (WritenBytes_ExHandler_3 == Patch_ExHandler_345.Length)
               ?
               string.Format("Patching exception handler step #3 success [{0}] bytes", WritenBytes_ExHandler_3)
               :
               string.Format("Pathing exception handler step #3 failed [{0}] bytes", WritenBytes_ExHandler_3);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_4 = 0;
            WriteMemory(ShardProcess, AddrExHandler_4, Patch_ExHandler_345, out WritenBytes_ExHandler_4);

            Msg = (WritenBytes_ExHandler_4 == Patch_ExHandler_345.Length)
               ?
               string.Format("Patching exception handler step #4 success [{0}] bytes", WritenBytes_ExHandler_4)
               :
               string.Format("Pathing exception handler step #4 failed [{0}] bytes", WritenBytes_ExHandler_4);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

            int WritenBytes_ExHandler_5 = 0;
            WriteMemory(ShardProcess, AddrExHandler_5, Patch_ExHandler_345, out WritenBytes_ExHandler_5);

            Msg = (WritenBytes_ExHandler_5 == Patch_ExHandler_345.Length)
               ?
               string.Format("Patching exception handler step #5 success [{0}] bytes", WritenBytes_ExHandler_5)
               :
               string.Format("Pathing exception handler step #5 failed [{0}] bytes", WritenBytes_ExHandler_5);

            Console.WriteLine(Msg);

        }
        public void ApplyDownloadServerFixes(string ProcName)
        {
            Process DownloadProcess = null;

            bool flag = false;
            try
            {
                DownloadProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }


            //--------------------------------------------------------------------
            int Addr631D = 0x00407544;
            //004B3FCA    83FB 07         CMP EBX,7


            int AddrA003_ToCodecave = 0x0040C522;
            int AddrA003_Codecave = 0x004d5E92;
            //--------------------------------------------------------------------
            byte[] Patch_631D = new byte[19];
            for (int i = 0; i < Patch_631D.Length; i++) Patch_631D[i] = ASM_NOP;
            byte[] Patch_A003_CodeOffset = new byte[] { 0xE9, 0x6B, 0x99, 0x0C, 0x00 };
            byte[] Patch_A003_Codecave =
                new byte[] 
                {
                    //cmp ebx,7
                    0x83, 0xFB, 0x07,
                    //je eip + 3
                    0x74, 0x03,
                    //jmp near dword ptr ds:[eax+5c]
                    0xFF, 0x60, 0x5C,
                    //retn 10
                    0xC2, 0x10, 0x00
                };
            //--------------------------------------------------------------------
            Console.WriteLine("Starting download server patch sequence");

            string Msg = string.Empty;

            int WritenBytes_631D = 0;
            WriteMemory(DownloadProcess, Addr631D, Patch_631D, out WritenBytes_631D);

            Msg = (WritenBytes_631D == Patch_631D.Length)
                ?
                string.Format("Patching 0x631D opcode success [{0}] bytes", WritenBytes_631D)
                :
                string.Format("Pathing 0x631D opcode failed [{0}] bytes", WritenBytes_631D);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_Codecave = 0;
            WriteMemory(DownloadProcess, AddrA003_Codecave, Patch_A003_Codecave, out WritenBytes_A003_Codecave);

            Msg = (WritenBytes_A003_Codecave == Patch_A003_Codecave.Length)
                ?
                string.Format("Writing 0xA003 Codecave success [{0}] bytes", WritenBytes_A003_Codecave)
                :
                string.Format("Writing 0xA003 Codecave failed [{0}] bytes", WritenBytes_A003_Codecave);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_CodeOffset = 0;
            WriteMemory(DownloadProcess, AddrA003_ToCodecave, Patch_A003_CodeOffset, out WritenBytes_A003_CodeOffset);

            Msg = (WritenBytes_A003_CodeOffset == Patch_A003_CodeOffset.Length)
                ?
                string.Format("Patching 0xA003 Codecave offset success [{0}] bytes", WritenBytes_A003_CodeOffset)
                :
                string.Format("Patching 0xA003 Codecave offset failed [{0}] bytes", WritenBytes_A003_CodeOffset);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------

        }

        public void ApplyGatewayServerFixes(string ProcName)
        {
            Process GatewayProcess = null;

            bool flag = false;
            try
            {
                GatewayProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }

            //--------------------------------------------------------------------
            int Addr631D = 0x0043F384;
            int AddrA003_ToCodecave = 0x00443c22;
            int AddrA003_Codecave = 0x004d5e92;
            //--------------------------------------------------------------------

            byte[] Patch_631D = new byte[19];
            for (int i = 0; i < Patch_631D.Length; i++) Patch_631D[i] = ASM_NOP;

            byte[] Patch_A003_CodeOffset = new byte[] { 0xE9, 0x6B, 0x22, 0x09, 0x00 };
            byte[] Patch_A003_Codecave = 
                new byte[] 
                {
                    //cmp ebx, 7
                    0x83, 0xFB, 0x07,
                    //je eip + 3
                    0x74, 0x03,
                    //jmp near dword ptr ds:[eax + 0x5c]
                    0xFF, 0x60, 0x5C,
                    //ret 10
                    0xC2, 0x10, 0x00
                };

            //--------------------------------------------------------------------
            Console.WriteLine("Starting gateway patch sequence");
            string Msg = string.Empty;


            int WritenBytes_631D = 0;
            WriteMemory(GatewayProcess, Addr631D, Patch_631D, out WritenBytes_631D);

            Msg = (WritenBytes_631D == Patch_631D.Length)
                ?
                string.Format("Patching 0x631D opcode success [{0}] bytes", WritenBytes_631D)
                :
                string.Format("Pathing 0x631D opcode failed [{0}] bytes", WritenBytes_631D);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_Codecave = 0;
            WriteMemory(GatewayProcess, AddrA003_Codecave, Patch_A003_Codecave, out WritenBytes_A003_Codecave);

            Msg = (WritenBytes_A003_Codecave == Patch_A003_Codecave.Length)
                ?
                string.Format("Writing 0xA003 Codecave success [{0}] bytes", WritenBytes_A003_Codecave)
                :
                string.Format("Writing 0xA003 Codecave failed [{0}] bytes", WritenBytes_A003_Codecave);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_CodeOffset = 0;
            WriteMemory(GatewayProcess, AddrA003_ToCodecave, Patch_A003_CodeOffset, out WritenBytes_A003_CodeOffset);

            Msg = (WritenBytes_A003_CodeOffset == Patch_A003_CodeOffset.Length)
                ?
                string.Format("Patching 0xA003 Codecave offset success [{0}] bytes", WritenBytes_A003_CodeOffset)
                :
                string.Format("Patching 0xA003 Codecave offset failed [{0}] bytes", WritenBytes_A003_CodeOffset);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
        }

        public byte[] GenerateFilterExceptionCodecave()
        {
            byte[] OutputBuffer = new byte[0x1000];
            byte[] ValueBuffer;
            int BufferLen = 0;
            //int JlAddr = 0x00401D36;
            
            int OkJumpAddr = 0x004c2cac;
            int FailJumpAddr = 0x004c2c96;

            ushort[] Opcodes = new ushort[] 
            {
                0x7010
            };


            byte[] InstructionBuffer = new byte[25];
            byte[] Cmp_Ecx_Prefix = new byte[2] { 0x81, 0xF9 };
            byte[] Nulls = new byte[2] { 0x00, 0x00 };

            byte[] Jl_Opcode_Instruction = new byte[6] { 0x0F, 0x8C, 0x52, 0xF0, 0xF3, 0xFF };
   
            for (int i = 0; i < Opcodes.Length; i++)
            {
                //2 bytes of instruction opcode
                Buffer.BlockCopy(Cmp_Ecx_Prefix, 0, InstructionBuffer, 0, Cmp_Ecx_Prefix.Length);
                ValueBuffer = BitConverter.GetBytes((int)Opcodes[i]);
                Buffer.BlockCopy(ValueBuffer, 0, InstructionBuffer, 2, 2);
               
               // Buffer.BlockCopy(Jl_Opcode_Instruction, 0, InstructionBuffer, 6, 6);
               // Buffer.BlockCopy(new byte[]  
                Buffer.BlockCopy(InstructionBuffer, 0, OutputBuffer, BufferLen, 12);
                BufferLen += 12;
            }

            return OutputBuffer;
        }

        public void ApplyAgentServerFixes(string ProcName)
        {
            Process AgentProcess = null;

            bool flag = false;

            try
            {
                AgentProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }

            //actual work

            //--------------------------------------------------------------------
            int Addr1005 = 0x00430444;
            int Addr600D = 0x00430452;
            int AddrFilter = 0x00401D16;
            int AddrCommon_1 = 0x004488C0;
            int Addr631D = 0x0042BEF4;
            int Addr6303_1 = 0x0042D339;
            int Addr6303_2 = 0x0042D36C;
            int Addr6303_3 = 0x0042D374;
            int AddrA003_ToCodecave = 0x00430312;
            int AddrA003_Codecave = 0x004C2FC6;
            int AddrFilterOpcodes_ToCodecave = 0x00401D16;
            int AddrFilterOpcodes_Codecave = 0x004C2CD8;
            int AddrFilterOpcodes_OkCase = 0x004c2cac;
            int AddrFilterOpcodes_FailCase = 0x004c2c96;

            //--------------------------------------------------------------------
            byte[] Patch_1005 = new byte[] { 0x78, 0x00, 0x00, 0x00 };
            byte[] Patch_600D = new byte[] { 0xC2, 0x10, 0x00, 0x90, 0x90, 0x90 };

            byte[] Patch_Filter = new byte[] { 0xEB, 0x1E, 0x90, 0x90, 0x90, 0x90 };

            byte[] Patch_Common_1 = new byte[] { 0xC3, 0x90, 0x90, 0x90, 0x90 };
            byte[] Patch_631D = new byte[19];
            for (int i = 0; i < Patch_631D.Length; i++) Patch_631D[i] = ASM_NOP;

            byte[] Patch_6303_1 = new byte[] { 0x90, 0x90 };
            byte[] Patch_6303_2 = new byte[] { 0x90, 0x90 };
            byte[] Patch_6303_3 = new byte[] { 0xEB };

            byte[] Patch_A003_CodeOffset = new byte[] { 0xE9, 0xAF, 0x2C, 0x09, 0x00 };
            byte[] Patch_A003_Codecave =
                new byte[]
            {
                //cmp ebx,7
                0x83, 0xFB, 0x07,
                //je eip + 3
                0x74, 0x03,
                //jmp near dword ptr ds:[eax+5c]
                0xFF, 0x60, 0x5C,
                //retn 10
                0xC2, 0x10, 0x00
            };
            #region ROFL
            byte[] Patch_A003_Nops =
                new byte[]
                {
                    0x90, 0x90, 0x90, 0x90,
                    0x90, 0x90, 0x90, 0x90,
                    0x90, 0x90, 0x90, 0x90,
                    0x90, 0x90, 0x90, 0x90
                };
            #endregion
                

            //jmp 0x004c2cd8 + NOP
            byte[] Patch_FilterExceptions_CodeOffset = new byte[]
            { 0xE9, 0xBD, 0x0F, 0x0C, 0x00, 0x90 };

            byte[] Patch_FilterExceptions_Codecave = GenerateFilterExceptionCodecave();
           // byte[] Patch_FilterExceptions_JumpInst
            //--------------------------------------------------------------------
            Console.WriteLine("Starting agent patch sequence");

            string Msg = string.Empty;

            //--------------------------------------------------------------------
            int WritenBytes_1005 = 0;
            WriteMemory(AgentProcess, Addr1005, Patch_1005, out WritenBytes_1005);


            Msg = (WritenBytes_1005 == Patch_1005.Length) 
                ? 
                string.Format("Patching 0x1005 opcode success [{0}] bytes", WritenBytes_1005)
                :
                string.Format("Patching 0x1005 opcode failed [{0}] bytes", WritenBytes_1005);

            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_600D = 0;
            WriteMemory(AgentProcess, Addr600D, Patch_600D, out WritenBytes_600D);

            Msg = (WritenBytes_600D == Patch_600D.Length)
                ?
                string.Format("Patching 0x600D opcode success [{0}] bytes", WritenBytes_600D)
                :
                string.Format("Patching 0x600D opcode failed [{0}] bytes", WritenBytes_600D);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            // temporary disabled
            int WritenBytes_Filter = 0;
            WriteMemory(AgentProcess, AddrFilter, Patch_Filter, out WritenBytes_Filter);

            Msg = (WritenBytes_Filter == Patch_Filter.Length)
                ?
                string.Format("Patching filter success [{0}] bytes", WritenBytes_Filter)
                :
                string.Format("Patching filter failed [{0}] bytes", WritenBytes_Filter);
            Console.WriteLine(Msg);
           
            //--------------------------------------------------------------------
            int WritenBytes_Common_1 = 0;
            WriteMemory(AgentProcess, AddrCommon_1, Patch_Common_1, out WritenBytes_Common_1);

            Msg = (WritenBytes_Common_1 == Patch_Common_1.Length)
                ?
                string.Format("Patching common exception handler success [{0}] bytes", WritenBytes_Common_1)
                :
                string.Format("Patching common exception handler failed [{0}] bytes", WritenBytes_Common_1);
            Console.WriteLine(Msg);
            //--------------------------------------------------------------------
            int WritenBytes_631D = 0;
            WriteMemory(AgentProcess, Addr631D, Patch_631D, out WritenBytes_631D);

            Msg = (WritenBytes_631D == Patch_631D.Length)
                ?
                string.Format("Patching 0x631D success [{0}] bytes", WritenBytes_631D)
                :
                string.Format("Patching 0x631D failed [{0}] bytes", WritenBytes_631D);
            Console.WriteLine(Msg);
            //--------------------------------------------------------------------
            int WritenBytes_6303_1 = 0;
            WriteMemory(AgentProcess, Addr6303_1, Patch_6303_1, out WritenBytes_6303_1);

            Msg = (WritenBytes_6303_1 == Patch_6303_1.Length)
                ?
                string.Format("Patching 0x6303 step #1 success [{0}] bytes", WritenBytes_6303_1)
                :
                string.Format("Patching 0x6303 step #1 failed [{0}] bytes", WritenBytes_6303_1);
            Console.WriteLine(Msg);
            //--------------------------------------------------------------------
            int WritenBytes_6303_2 = 0;
            WriteMemory(AgentProcess, Addr6303_2, Patch_6303_2, out WritenBytes_6303_2);

            Msg = (WritenBytes_6303_2 == Patch_6303_2.Length)
                ?
                string.Format("Patching 0x6303 step #2 success [{0}] bytes", WritenBytes_6303_2)
                :
                string.Format("Patching 0x6303 step #2 failed [{0}] bytes", WritenBytes_6303_2);
            Console.WriteLine(Msg);
            //--------------------------------------------------------------------

            int WritenBytes_6303_3 = 0;
            WriteMemory(AgentProcess, Addr6303_3, Patch_6303_3, out WritenBytes_6303_3);

            Msg = (WritenBytes_6303_3 == Patch_6303_3.Length)
                ?
                string.Format("Patching 0x6303 step #3 success [{0}] bytes", WritenBytes_6303_3)
                :
                string.Format("Patching 0x6303 step #3 failed [{0}] bytes", WritenBytes_6303_3);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_Nops = 0;
            WriteMemory(AgentProcess, AddrA003_Codecave, Patch_A003_Nops, out WritenBytes_A003_Nops);

            Msg = (WritenBytes_A003_Nops == Patch_A003_Nops.Length)
                ?
                string.Format("Writing 0xA003 Codecave nops success [{0}] bytes", WritenBytes_A003_Nops)
                :
                string.Format("Writing 0xA003 Codecave nops failed [{0}] bytes", WritenBytes_A003_Nops);

            
            int WritenBytes_A003_Codecave = 0;
            WriteMemory(AgentProcess, AddrA003_Codecave, Patch_A003_Codecave, out WritenBytes_A003_Codecave);

            Msg = (WritenBytes_A003_Codecave == Patch_A003_Codecave.Length)
                ?
                string.Format("Writing 0xA003 Codecave success [{0}] bytes", WritenBytes_A003_Codecave)
                :
                string.Format("Writing 0xA003 Codecave failed [{0}] bytes", WritenBytes_A003_Codecave);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            int WritenBytes_A003_CodeOffset = 0;
            WriteMemory(AgentProcess, AddrA003_ToCodecave, Patch_A003_CodeOffset, out WritenBytes_A003_CodeOffset);

            Msg = (WritenBytes_A003_CodeOffset == Patch_A003_CodeOffset.Length)
                ?
                string.Format("Patching 0xA003 Codecave offset success [{0}] bytes", WritenBytes_A003_CodeOffset)
                :
                string.Format("Patching 0xA003 Codecave offset failed [{0}] bytes", WritenBytes_A003_CodeOffset);
            Console.WriteLine(Msg);

            //--------------------------------------------------------------------
            /*
			//shenanigans
            //write cases
            int tmp = 0;
            //ok case
            WriteMemory(AgentProcess, AddrFilterOpcodes_OkCase, new byte[] { 0xE9, 0x2E, 0xF1, 0xF3, 0xFF, 0x90 }, out tmp) ;
            //fail case
            WriteMemory(AgentProcess, AddrFilterOpcodes_FailCase, new byte[] { 0xEB, 0xFE }, out tmp);
            
            
            
            int WritenBytes_FilterException_Codecave = 0;
            WriteMemory(AgentProcess, AddrFilterOpcodes_Codecave, Patch_FilterExceptions_Codecave, out WritenBytes_FilterException_Codecave);

            Msg = (WritenBytes_FilterException_Codecave == Patch_FilterExceptions_Codecave.Length)
                ?
                string.Format("Writing filter exception codecave success [{0}] bytes", WritenBytes_FilterException_Codecave)
                :
                string.Format("Writing filter exception codecave failed [{0}] bytes", WritenBytes_FilterException_Codecave);
           
            //--------------------------------------------------------------------
            
            int WritenBytes_FilterException_ToCode_Offset = 0;
            WriteMemory(AgentProcess, AddrFilterOpcodes_ToCodecave, Patch_FilterExceptions_CodeOffset, out WritenBytes_FilterException_ToCode_Offset);

            Msg = (WritenBytes_FilterException_ToCode_Offset == Patch_FilterExceptions_CodeOffset.Length)
                ?
                string.Format("Patching filter exception codecave offset success [{0}] bytes", WritenBytes_FilterException_ToCode_Offset)
                :
                string.Format("Patching filter exception codecave offset failed [{0}] bytes", WritenBytes_FilterException_ToCode_Offset);
            Console.WriteLine(Msg);
             * */
        }
    }
}

And here is a squirrel.

Chern0byl - Exploit fixes, some sources and stuff [im done.] - RaGEZONE Forums


This thread will be updated with some more sources / free releases soon.
 
Last edited:
Initiate Mage
Joined
Feb 4, 2014
Messages
24
Reaction score
0
that's a good thing, old developers share their work.. nvm The perfect game called "Silkroad Online" is died 2 years ago.
 
Unknown Place
Joined
Mar 7, 2013
Messages
580
Reaction score
87
Sorry to hear this Chern0, but this is not something new really.


After all we are in a captalism world, and everyone want to earn something no matter at which cost (especially when speaking about private gameservers).


Even with you going underground, you will still be seeing the same scenario in a reduced manner.


Good luck in your next approaches :)
 
Initiate Mage
Joined
Jan 21, 2014
Messages
46
Reaction score
4
Sorry for my stupid ask. How to add this code?:blushing:

I just wanna fix some exploits just already done in my server.
 
Master Summoner
Joined
Nov 9, 2009
Messages
579
Reaction score
238
Sorry for my stupid ask. How to add this code?:blushing:

I just wanna fix some exploits just already done in my server.

did you seriously register for this question? wow ... okay .. my suggestion on how to solve your problem: try to learn some C# or maybe even better try to learn some programming basics and what to do with code ... just a tip:
 
Initiate Mage
Joined
Jan 21, 2014
Messages
46
Reaction score
4
If u take a look at my reg. date, u`ll know if i reg for the question or not.

And thnx for the advice.
 
Experienced Elementalist
Joined
Mar 10, 2012
Messages
285
Reaction score
120
Sorry for my stupid ask. How to add this code?:blushing:

I just wanna fix some exploits just already done in my server.

To add to what has published chernobyl, you must do so by ollydbg open the .exe file and patch..

Example:
PHP:
public void ApplyGameServerFixes(string ProcName)
        {
            Process GameProcess = null;

            bool flag = false;
            try
            {
                GameProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }

            //--------------------------------------------------------------------
            int AddrExHandler_1 = 0x00521765;
            int AddrExHandler_2 = 0x00521768;
            //--------------------------------------------------------------------
            byte[] Patch_ExHandler_1 = new byte[] { 0x90, 0x90 };
            byte[] Patch_ExHandler_2 = new byte[] { 0xEB };
            //--------------------------------------------------------------------

Target: ApplyGameServerFixes [SR_GameServer.exe]
Open in ollydbg, press CTRL+G and put Offset.

PHP:
            //--------------------------------------------------------------------
            int AddrExHandler_1 = 0x00521765;
            int AddrExHandler_2 = 0x00521768;
            //--------------------------------------------------------------------
            byte[] Patch_ExHandler_1 = new byte[] { 0x90, 0x90 };
            byte[] Patch_ExHandler_2 = new byte[] { 0xEB };
            //--------------------------------------------------------------------

The AddrExHandler_1 located the Offset 0x00521765 and writes the bytes { 0x90, 0x90 }; --- NOP
The AddrExHandler_2 located the Offset 0x00521768 and writes the bytes { 0xEB }; -- JMP

If you want to implement it in one .DLL you can do it in C++

Examples: Fix.cpp
PHP:
#include "Fix.h"
#include "Asm.h"
void Fixs()
{
   SetByte(0x00521765,0xEB); -- JMP
   SetNop(0x00521768,2); -- NOP
}

Fix.h
PHP:
void Fixs();

Asm.cpp
PHP:
#include "Asm.h"
void SetNop(DWORD dwOffset, int Size){
	for(int n=0; n < Size; n++){
		*(BYTE*)(dwOffset+n) = 0x90;
	}
}
void SetByte(DWORD dwOffset, BYTE btValue){
	*(BYTE*)(dwOffset) = btValue;
}

Asm.h
PHP:
void SetNop(DWORD dwOffset, int Size);
void SetByte(DWORD dwOffset, BYTE btValue);

Have enough :)
So is that you could use what public Chernobyl.

Good Luck! :thumbup:
 
Last edited:
Junior Spellweaver
Joined
Jul 2, 2012
Messages
151
Reaction score
13
great release. usefull for ppl which are inside programming.

Any1 here who knows how to use this? PM me, I am working on another tool to avoid exploits I could share it with 1 who knows how to apply chernos sources.

Just pm me for more infos. I am sure u will like it.

regards,
Julian
 
Master Summoner
Joined
Nov 9, 2009
Messages
579
Reaction score
238
dafuq .. why change his code and use it in olly or c++ lol .. guys dont you see that this is c# ready-to-use code? xD
cmon he couldnt have done it easier for you guys ... it really is a ready-to-use c# class ... thats as easy as it gets okay he could have released it as a compiled exe but thats way too easy dont you think? :p
 
Last edited:
Initiate Mage
Joined
Jan 14, 2012
Messages
46
Reaction score
11
dafuq .. why change his code and use it in olly or c++ lol ..

It's a usable C# code, yes. LoGiN has provided a C++ code incase if someone wanted to use it as a dll, instead of opening the patcher everytime you run your server. Sometimes you might forget to apply the patch and leave it un-attended ;)
 
Master Summoner
Joined
Nov 9, 2009
Messages
579
Reaction score
238
It's a usable C# code, yes. LoGiN has provided a C++ code incase if someone wanted to use it as a dll, instead of opening the patcher everytime you run your server. Sometimes you might forget to apply the patch and leave it un-attended ;)

you know c# is also capable to compile dlls, do you?
 
Master Summoner
Joined
Nov 9, 2009
Messages
579
Reaction score
238
Can you compile a .NET dll to work with a C++ executable?

well if you want it to be injected into the C++ executable there are ways to do so but they are a bit more work but can be found by 5 minutes of using google .. for example:

mheyman said:
First, you make a simple regular C++ DLL that looks like the following:

dllmain.cpp:
Code:
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include "resource.h"
extern void LaunchDll(
  unsigned char *dll, size_t dllLength, 
  char const *className, char const *methodName);
static DWORD WINAPI launcher(void* h)
{
    HRSRC res = ::FindResourceA(static_cast<HMODULE>(h),
                   MAKEINTRESOURCEA(IDR_DLLENCLOSED), "DLL");
    if (res)
    {
        HGLOBAL dat = ::LoadResource(static_cast<HMODULE>(h), res);
        if (dat)
        {
            unsigned char *dll =
                static_cast<unsigned char*>(::LockResource(dat));
            if (dll)
            {
                size_t len = SizeofResource(static_cast<HMODULE>(h), res);
                LaunchDll(dll, len, "MyNamespace.MyClass", "DllMain");
            }
        }
    }
    return 0;
}
extern "C" BOOL APIENTRY DllMain(HMODULE h, DWORD reasonForCall, void* resv)
{
    if (reasonForCall == DLL_PROCESS_ATTACH)
    {
        CreateThread(0, 0, launcher, h, 0, 0);
    }
    return TRUE;
}

Note the thread creation. This is to keep Windows happy because calling managed code within a DLL entrypoint is a no-no.

Next, you have to create that LaunchDll function the code above references. This goes in a separate file because it will be compiled as a managed C++ unit of code. To do this, first create the .cpp file (I called it LaunchDll.cpp). Then right click on that file in your project and in Configuration Properties-->C/C++-->General change the Common Language RunTime Support entry to Common Language RunTime Support (/clr). You can't have exceptions, minimal rebuild, runtime checks and probably some other things I forgot about but the compiler will tell you about. When the compiler complains, track down what settings you much change from the default and change them on the LaunchDll.cpp file only.

LaunchDll.cpp:
Code:
#using <mscorlib.dll>
// Load a managed DLL from a byte array and call a static method in the DLL.
// dll - the byte array containing the DLL
// dllLength - the length of 'dll'
// className - the name of the class with a static method to call.
// methodName - the static method to call. Must expect no parameters.
void LaunchDll(
    unsigned char *dll, size_t dllLength,
    char const *className, char const *methodName)
{
    // convert passed in parameter to managed values
    cli::array<unsigned char>^ mdll = gcnew cli::array<unsigned char>(dllLength);
    System::Runtime::InteropServices::Marshal::Copy(
        (System::IntPtr)dll, mdll, 0, mdll->Length);
    System::String^ cn =
        System::Runtime::InteropServices::Marshal::PtrToStringAnsi(
            (System::IntPtr)(char*)className);
    System::String^ mn =
        System::Runtime::InteropServices::Marshal::PtrToStringAnsi(
            (System::IntPtr)(char*)methodName);

    // used the converted parameters to load the DLL, find, and call the method.
    System::Reflection::Assembly^ a = System::Reflection::Assembly::Load(mdll);
    a->GetType(cn)->GetMethod(mn)->Invoke(nullptr, nullptr);
}

Now for the really tricky part. You probably noticed the resource loading in dllmain.cpp:launcher(). What this does is retrieve a second DLL that has been inserted as a resource into the DLL getting created here. To do this, create a resource file by doing the right click-->Add-->New Item-->Visual C++-->Resource-->Resource File (.rc) thing. Then, you need to make sure there is a line like:

resource.rc:
Code:
IDR_DLLENCLOSED DLL "C:\\Path\\to\\Inner.dll"

in the file. (Tricky, huh?)

The only thing left to do is to create that Inner.dll assembly. Just make sure to include a MyNamespace.MyClass class with a public void DllMain() method (of course you can call these functions whatever you want to, these are just the values hardcoded into dllmain.cpp:launcher() above.

So, in conclusion, the code above takes an existing managed DLL, inserts it into a resource of an unmanaged DLL which, upon getting attached to a process, will load the managed DLL from the resource and call a method in it.

so that being quoted (and tested before) i can proudly say it actually IS possible to load managed dlls on injection to unmanaged executables BUT as you can see is a bit harder than just creating an executable thats working for ALL modules at once unlike a dll which requires 1 dll for every module that has to be injected and i guess having 6 or 7 dlls to be injected its more likely to forget about one.

In my opinion, having a small prog that might also be set to auto start fixing all exploits at once when a module is started is better. And to avoid to forget it you can also write a small batch file that checks if the fix prog is running and if not starts it which is then being started by a cronjob once every 5 minutes.. hell it could even be started by SQL Server Agent once every 5 seconds .. whatever you want

but lets stop arguing about what could be done and what would be better, if you dont want a compiled exe behaving like described above im totally fine with it, then chernos code will stay as he intended it to be: not used by people who dont know how to use it
 
Last edited:
Junior Spellweaver
Joined
Jul 2, 2012
Messages
151
Reaction score
13
@lemoniscool, I think most of us are looking for a fixed compiled exe.

The main problem is that most of them are not used to read and understand english.
Dunno what so hard to understand in "thank my post for ..." but we all know that. :D
 
Experienced Elementalist
Joined
Mar 10, 2012
Messages
285
Reaction score
120
@lemoniscool , no that many laps to repair it .. if you know programming, you'll know that one. scheduled DLL can cause you to read different applications simultaneously, you do not need to compile and make several DLL hook, one does everything.

That is just compiling 1. Dll you manage to make all necessary arrangements ..

Chernobyl public part of the arrangements made ​​in C#
I explained and understood, and how to use it in C++

Guys! have the solution in your eyes, it is a matter of using a little logic.

Luck!!
 
Master Summoner
Joined
Nov 9, 2009
Messages
579
Reaction score
238
@lemoniscool , no that many laps to repair it .. if you know programming, you'll know that one. scheduled DLL can cause you to read different applications simultaneously, you do not need to compile and make several DLL hook, one does everything.

That is just compiling 1. Dll you manage to make all necessary arrangements ..

Chernobyl public part of the arrangements made ​​in C#
I explained and understood, and how to use it in C++

Guys! have the solution in your eyes, it is a matter of using a little logic.

Luck!!

okay true, when i think about it now there are possibilities to combine these into 1 dll, but still it needs to be injected into every process and at least in my opinion its easier to have a little prog that is run hidden and automatically that applies the fixes on its own ;)
but okay, if most of the people want dlls thats totally fine .. less work for me :D
 
Banned
Banned
Joined
Jun 16, 2014
Messages
51
Reaction score
9
To add to what has published chernobyl, you must do so by ollydbg open the .exe file and patch..

Example:
PHP:
public void ApplyGameServerFixes(string ProcName)
        {
            Process GameProcess = null;

            bool flag = false;
            try
            {
                GameProcess = Process.GetProcessesByName(ProcName)[0];
                flag = true;
            }
            catch { }

            if (!flag)
            {
                Console.WriteLine("Could not find [{0}] process", ProcName);
                return;
            }

            //--------------------------------------------------------------------
            int AddrExHandler_1 = 0x00521765;
            int AddrExHandler_2 = 0x00521768;
            //--------------------------------------------------------------------
            byte[] Patch_ExHandler_1 = new byte[] { 0x90, 0x90 };
            byte[] Patch_ExHandler_2 = new byte[] { 0xEB };
            //--------------------------------------------------------------------

Target: ApplyGameServerFixes [SR_GameServer.exe]
Open in ollydbg, press CTRL+G and put Offset.

PHP:
            //--------------------------------------------------------------------
            int AddrExHandler_1 = 0x00521765;
            int AddrExHandler_2 = 0x00521768;
            //--------------------------------------------------------------------
            byte[] Patch_ExHandler_1 = new byte[] { 0x90, 0x90 };
            byte[] Patch_ExHandler_2 = new byte[] { 0xEB };
            //--------------------------------------------------------------------

The AddrExHandler_1 located the Offset 0x00521765 and writes the bytes { 0x90, 0x90 }; --- NOP
The AddrExHandler_2 located the Offset 0x00521768 and writes the bytes { 0xEB }; -- JMP

If you want to implement it in one .DLL you can do it in C++

Examples: Fix.cpp
PHP:
#include "Fix.h"
#include "Asm.h"
void Fixs()
{
   SetByte(0x00521765,0xEB); -- JMP
   SetNop(0x00521768,2); -- NOP
}

Fix.h
PHP:
void Fixs();

Asm.cpp
PHP:
#include "Asm.h"
void SetNop(DWORD dwOffset, int Size){
    for(int n=0; n < Size; n++){
        *(BYTE*)(dwOffset+n) = 0x90;
    }
}
void SetByte(DWORD dwOffset, BYTE btValue){
    *(BYTE*)(dwOffset) = btValue;
}

Asm.h
PHP:
void SetNop(DWORD dwOffset, int Size);
void SetByte(DWORD dwOffset, BYTE btValue);

Have enough :)
So is that you could use what public Chernobyl.

Good Luck! :thumbup:

thank you so much
 
Experienced Elementalist
Joined
Mar 10, 2012
Messages
285
Reaction score
120
okay true, when i think about it now there are possibilities to combine these into 1 dll, but still it needs to be injected into every process and at least in my opinion its easier to have a little prog that is run hidden and automatically that applies the fixes on its own ;)
but okay, if most of the people want dlls thats totally fine .. less work for me :D

That's right buddy. and users will know to do!!

1 - Compiling the program released by Chernobyl
2 - Use OllyDbg to patch files on understanding what I said.
3 - Use DLL to repair.

The choice belongs to the community! see if they choose.

Greating! ;-)
 
Initiate Mage
Joined
Sep 27, 2011
Messages
26
Reaction score
3
Thanks for the fixes, even if they are old, I still found some of them usefull.

About the way to use them, I think is easier to compile the code.
Just make your own

PHP:
Main()

and take care of

PHP:
CloseHandle()

Good luck =)
 
Back
Top