Silkroad C++ Dll Client Protection (Anti Unpacking)

  1. #1
    MeGaMaX (Developer, joined Jun 2007, location ~!Ro_oT!~, 642 posts)

    Silkroad C++ Dll Client Protection (Anti Unpacking)

    Hey guys miss ya all <3

    This is a small DLL source code that I coded in the past when I was interested in Silkroad development.

    What it does: protects the BFK of the .PK2 files from being sniffed ;)

    Code:
    #include <windows.h>
    #include <stdio.h>
    #include <string.h>
    #include "xorstr.h"
    #include "detours.h"

    #pragma comment(lib,"detours.lib")

    // newer SDKs already define ARRAYSIZE in windows.h; only define it when missing
    #ifndef ARRAYSIZE
    #define ARRAYSIZE(x) (sizeof(x)/sizeof((x)[0]))
    #endif

    // addresses of the "push <BFK string>" instructions in the target exe (vsro 188 sro_client.exe)
    DWORD g_ProtectAddress[] =
    {
        0x004978B8,
        0x004CCC4A,
        0x004CCE1F,
        0x0083A84D,
        0x0083A8B1,
        0x0083A90D,
        0x0083A9C5,
        0x0083A969,
        0x0083AE69
    };
    DWORD RandomKey;   // per-run mask picked at load time
    char* pszKey;      // pointer to the decrypted BFK, kept masked with RandomKey

    // cheap per-run random value: low dword of the CPU timestamp counter
    DWORD GetRandomValue()
    {
        DWORD value;
        __asm
        {
            rdtsc
            mov value,eax
        }
        return value;
    }
    // resolve the target of a rel32 jmp/call at pJmp (helper, not used by the hook below)
    DWORD GetJmpAddr(PBYTE pJmp)
    {
        DWORD m_Addr;
        __asm
        {
            mov eax,pJmp
            add eax,[eax+1]
            add eax,5
            mov m_Addr,eax
        }
        return m_Addr;
    }
    // Stands in for the original "push <key>" instruction: reached through the E8 (call)
    // patched in below, so on entry [esp] holds the address of the instruction after the push.
    // On exit the unmasked key pointer sits where the return address was, eax and eflags are
    // restored and execution continues after the push, exactly as the original push would leave it.
    __declspec(naked) void _protectme()
    {
        __asm
        {
            push eax                ; [esp]=eax, [esp+4]=return address
            pushfd                  ; [esp]=eflags, [esp+4]=eax, [esp+8]=return address
            mov eax,RandomKey
            not eax
            xor eax,pszKey
            not eax                 ; eax = real key pointer (undo the masking done in Initialize)
            xchg eax,[esp+8]        ; key pointer takes the return address slot, eax = return address
            xchg eax,[esp+4]        ; return address moves down one slot, eax restored
            popfd                   ; flags restored; [esp]=return address, [esp+4]=key pointer
            retn                    ; back to the caller with the key pointer left on the stack
        }
    }
    void Initialize()
    {
        RandomKey = GetRandomValue();
        pszKey = new char[20];
        // decrypt the XorStr-obfuscated BFK into the heap buffer (see "How to use" for this line)
        strcpy(pszKey,/*MeGaMaX*/XorStr<0x7A,8,0x1F16EAF3>("\x37\x1E\x3B\x1C\x33\x1E\xD8"+0x1F16EAF3).s);
        // mask the pointer so the plain address never sits in the global: pszKey = ~pszKey ^ ~RandomKey
        __asm
        {
            not pszKey
            mov eax,RandomKey
            not eax
            xor pszKey,eax
        }
        DWORD oldProtect;
        for(size_t i=0;i<ARRAYSIZE(g_ProtectAddress);i++)
        {
            // DetourAttach overwrites g_ProtectAddress[i] with the trampoline pointer, so keep the site address
            DWORD oldAddress = g_ProtectAddress[i];
            // Detours writes a 5-byte "jmp _protectme" over the 5-byte "push imm32"
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourAttach((void**)&g_ProtectAddress[i],&_protectme);
            DetourTransactionCommit();
            // turn the jmp (E9) into a call (E8): same rel32, but _protectme now gets a return address
            VirtualProtect((PVOID)oldAddress,5,PAGE_EXECUTE_READWRITE,&oldProtect);
            ((PBYTE)oldAddress)[0] = 0xE8;
            VirtualProtect((PVOID)oldAddress,5,oldProtect,&oldProtect);
            FlushInstructionCache(GetCurrentProcess(),(PVOID)oldAddress,5);
        }
    }
    BOOL WINAPI DllMain(HINSTANCE hDllHandle,DWORD nReason,LPVOID Reserved)
    {
        switch(nReason)
        {
            case DLL_PROCESS_ATTACH:
                Initialize();
                break;
            case DLL_PROCESS_DETACH:
                break;
        }
        return TRUE;
    }
    How to use:

    First of all you must get the push addresses from the client .exe files, aka sro_client.exe, replacer.exe and silkroad.exe.

    I will provide here the vsro 188 addresses.

    sro_client.exe:
    Code:
    0x004978B8,
    0x004CCC4A,
    0x004CCE1F,
    0x0083A84D,
    0x0083A8B1,
    0x0083A90D,
    0x0083A9C5,
    0x0083A969,
    0x0083AE69
    silkroad.exe:
    Code:
    0x00430FD3,
    0x00408C15,
    0x00408A17
    replacer.exe:
    Code:
    0x00403B23
    Now, after I have got the addresses, I replace them in this function:
    Code:
    DWORD g_ProtectAddress[] =
    {
        
    
    };
    Now I have to generate the XOR key o.o. This is an example; change it in the DLL source code:
    Code:
    /*MeGaMaX*/XorStr<0x7A,8,0x1F16EAF3>("\x37\x1E\x3B\x1C\x33\x1E\xD8"+0x1F16EAF3).s
    Now what? You have to compile the DLL and add a call to the DLL in the exes with Import REConstructor 1.7e FINAL, then remove the old BFK in the exe files (like 169841) by making it 90 90 90 90 90 90 or 00 00 00 00 00 00, because after you import this DLL there is no use for the real BFK in the client anymore.

    note: I didn't provide how to generate the XOR key, because I want this section to think about how to do that. Use your brain, and try to be more respectful in the Silkroad community; Google is your friend.

    note2: this method has nothing to do with any other methods I used in any server development I was in, for example Ludoworks.

    note3: after some days I will provide how to generate the XOR key, but like I said above I would like to see development instead of creating servers...

    note4: you have to recompile the DLL 3 times to change the addresses for every .exe file :)

    Source code in attachments. Enjoy, love ya guys: new hope, crayu, perry, pokemon man, synx, caipi, PowerPoint, and all of my friends and the SRO community ;)

    Greetings: MeGaMaX


  2. #2
    lemoniscool (Account Upgraded | Title Enabled!, Member, joined Nov 2009, location Germany, 579 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    Great release, thanks.

  3. #3
    LeMbo (Account Upgraded | Title Enabled!, Member, joined Sep 2012, 241 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    you MeGaMaX ?

  4. #4
    megaman963 ("beq $v0, $0, 0x80000000", Member, joined Sep 2011, location r3000 - MIPS, 198 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    Quote (originally posted by androw3349):
    Hey guys miss ya all <3
    I miss you too, Mega, in this community.

    Well, I just accepted your challenge to create an application for generating the XorStr for your dynamic library ...

    I made this code in Java, so just take a look:

    Code:
    public static void encrypting(char[] args, int XORStart, int XORAddress) {
        final int XORSTART = XORStart;
        char[] xs = args;
        final int BUFLEN = xs.length + 1;
        char[] s = new char[BUFLEN];
        int nXORSTART = XORSTART + BUFLEN - 1;

        for (int i = BUFLEN - 1; i > 0; i--) {
            // decrement the XOR key value
            nXORSTART -= 1;
            // reset nXORSTART if it went to zero
            if (nXORSTART == 0) {
                nXORSTART = 256;
            }
            // generate the byte by XORing the char with nXORSTART
            s[i] = (char) (xs[i - 1] ^ nXORSTART);
        }
        // print the generated XorStr line
        System.out.print("/*" + String.valueOf(args) + "*/XorStr<"
                + String.format("0x%02X", (byte) XORStart) + ","
                + String.format("0x%02X", XORAddress) + ">(\"");
        for (int x = 1; x < s.length; x++) {
            System.out.print(String.format("\\x%02X", (byte) s[x]));
        }
        System.out.println("\"+" + String.format("0x%02X", XORAddress)
                + ").s");
    }
    It will print the whole string like this one:
    Code:
    /*MeGaMaX*/XorStr<0x7A,8,0x1F16EAF3>("\x37\x1E\x3B\x1C\x33\x1E\xD8"+0x1F16EAF3).s
    For example, I made my own one :D:
    Code:
    /*Megaman963*/XorStr<0x2C,0x1F16EAF3>("\x61\x48\x49\x4E\x5D\x50\x5C\x0A\x02\x06"+0x1F16EAF3).s
    But really, thank you for sharing this great way of hiding the PK2 ... which I will not use anyway xD ...

    Cheers,,

  5. #5
    MeGaMaX (Developer, joined Jun 2007, location ~!Ro_oT!~, 642 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    Quote (originally posted by megaman963):
    For example, I made my own one :D:
    Code:
    /*Megaman963*/XorStr<0x2C,0x1F16EAF3>("\x61\x48\x49\x4E\x5D\x50\x5C\x0A\x02\x06"+0x1F16EAF3).s
    Mega, thanks for trying, but I found no one is interested in the release, and few people will use it even if they understand it :|

    Buddy, the red highlighted part is wrong; you are still missing some byte codes and some structures.

    Here is an example of mine:

    Code:
    /*Megaman963*/XorStr<0xCA,11,0x967C5AC0>("\x87\xAE\xAB\xAC\xA3\xAE\xBE\xE8\xE4\xE0"+0x967C5AC0).s
    
    /*Megaman963*/XorStr<0xC7,11,0xD9153BAF>("\x8A\xAD\xAE\xAB\xA6\xAD\xA3\xF7\xF9\xE3"+0xD9153BAF).s
    
    /*Megaman963*/XorStr<0x7E,11,0x1DFAA87C>("\x33\x1A\xE7\xE0\xEF\xE2\xEA\xBC\xB0\xB4"+0x1DFAA87C).s
    Last edited by MeGaMaX; 17-07-13 at 06:16 PM.

  6. #6
    lemoniscool (Account Upgraded | Title Enabled!, Member, joined Nov 2009, location Germany, 579 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    As I said already, it's a great release, but as androw3349 said, hardly anyone will use it because hardly anyone will be able to create those XorStr lines... For those people I found an HTML file that will print out the whole line as you need it; it's attached to this post.

    Scan: https://www.virustotal.com/en/file/f...is/1374078889/

    It's tested and works like a charm =)
    Last edited by lemoniscool; 17-07-13 at 06:45 PM.

  7. #7
    MeGaMaX (Developer, joined Jun 2007, location ~!Ro_oT!~, 642 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    Quote (originally posted by lemoniscool):
    As I said already, it's a great release, but as androw3349 said, hardly anyone will use it because hardly anyone will be able to create those XorStr lines... For those people I found an HTML file that will print out the whole line as you need it; it's attached to this post.

    Scan: https://www.virustotal.com/en/file/f...is/1374078889/

    It's tested and works like a charm =)
    Yup, same algo :)

  8. #8
    Caosfox ("In the Emperor name", Member, joined Jun 2011, location Balcora Gate, 1,608 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    For me all of this is like Chinese..... default PK2 key ftw!!

  9. #9
    megaman963 ("beq $v0, $0, 0x80000000", Member, joined Sep 2011, location r3000 - MIPS, 198 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    Quote (originally posted by androw3349):
    Mega, thanks for trying, but I found no one is interested in the release, and few people will use it even if they understand it :|

    Buddy, the red highlighted part is wrong; you are still missing some byte codes and some structures.
    xD, it was the length of the characters of the key ... I just forgot to add it ...

    Here is the updated one:
    Code:
    public class XorStrGen {
        public static void encrypting(char[] args, int XORStart, int XORAddress) {
            final int XORSTART = XORStart;
            char[] xs = args;
            final int BUFLEN = xs.length + 1;
            char[] s = new char[BUFLEN];
            int nXORSTART = XORSTART + BUFLEN - 1;

            for (int i = BUFLEN - 1; i > 0; i--) {
                // decrement the XOR key value
                nXORSTART -= 1;
                // reset nXORSTART if it went to zero
                if (nXORSTART == 0) {
                    nXORSTART = 256;
                }
                // generate the byte by XORing the char with nXORSTART
                s[i] = (char) (xs[i - 1] ^ nXORSTART);
            }
            // print the generated XorStr line (BUFLEN = characters + terminating zero)
            System.out.print("/*" + String.valueOf(args) + "*/XorStr<"
                    + String.format("0x%02X", (byte) XORStart) + ","
                    + BUFLEN + ","
                    + String.format("0x%02X", XORAddress) + ">(\"");
            for (int x = 1; x < s.length; x++) {
                System.out.print(String.format("\\x%02X", (byte) s[x]));
            }
            System.out.println("\"+" + String.format("0x%02X", XORAddress)
                    + ").s");
        }

        public static void main(String[] argv) {
            // produces the example line further down in this post
            encrypting("Megaman963".toCharArray(), 0xEE, 0x967C5AC0);
        }
    }
    But there is still a question on my mind: does the XORSTART have a relation with the XREFKILLER when generating that XOR line? For example:

    Code:
    /*Megaman963*/XorStr<0xEE,11,0x967C5AC0>("\xA3\x8A\x97\x90\x9F\x92\x9A\xCC\xC0\xC4"+0x967C5AC0).s
    Is that 0x967C5AC0 <XREFKILLER> fine to be generated randomly, or must it be related to 0xEE <XORSTART>?

    If related, what is the link between them?
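    The XorStr encoding that the XorStr line in the first post's Initialize() and the generator above both rely on, written out as an added example (not code from the thread or from xorstr.h): a generator that emits the exact source line, the inverse the template applies at load time, and a self-check against the worked lines posted in this thread. It assumes the circulating XorStr<XORSTART,BUFLEN,XREFKILLER> template, where byte i is XORed with (XORSTART + i) & 0xFF and XREFKILLER is only a pointer offset added at the call site and subtracted again in the constructor, so it never enters the bytes; the names xorstr_encode, xorstr_decode and xorstr_line are mine.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Byte i of the plaintext is XORed with the running key (XORSTART + i) & 0xFF, which
// reproduces every worked line in the thread. Assumption: XREFKILLER is only the pointer
// offset at the call site ("..."+0x1F16EAF3) and never enters this calculation.
static std::string xorstr_encode(const std::string& plain, unsigned xorstart) {
    std::string enc(plain.size(), '\0');
    for (size_t i = 0; i < plain.size(); ++i) {
        unsigned key = (xorstart + static_cast<unsigned>(i)) & 0xFFu;
        enc[i] = static_cast<char>(static_cast<unsigned char>(plain[i]) ^ key);
    }
    return enc;
}

// What the template constructor recovers at load time; XOR is its own inverse.
static std::string xorstr_decode(const std::string& enc, unsigned xorstart) {
    return xorstr_encode(enc, xorstart);
}

// Emit the exact source line that Initialize() in the DLL expects.
static std::string xorstr_line(const std::string& plain, unsigned xorstart,
                               uint32_t xrefkiller) {
    const std::string enc = xorstr_encode(plain, xorstart);
    char buf[64];
    std::string out = "/*" + plain + "*/XorStr<";
    std::snprintf(buf, sizeof buf, "0x%02X,%u,0x%08X>(\"",
                  xorstart, static_cast<unsigned>(plain.size() + 1), xrefkiller);
    out += buf;
    for (unsigned char c : enc) {          // "\xNN" escapes, as the thread writes them
        std::snprintf(buf, sizeof buf, "\\x%02X", static_cast<unsigned>(c));
        out += buf;
    }
    std::snprintf(buf, sizeof buf, "\"+0x%08X).s", xrefkiller);
    return out + buf;
}

// Self-check against the MeGaMaX line quoted in the first post.
static bool selfcheck() {
    const std::string want =
        "/*MeGaMaX*/XorStr<0x7A,8,0x1F16EAF3>(\"\\x37\\x1E\\x3B\\x1C\\x33\\x1E\\xD8\"+0x1F16EAF3).s";
    return xorstr_line("MeGaMaX", 0x7A, 0x1F16EAF3) == want &&
           xorstr_decode(xorstr_encode("MeGaMaX", 0x7A), 0x7A) == "MeGaMaX";
}

int main() {
    std::puts(xorstr_line("MeGaMaX", 0x7A, 0x1F16EAF3).c_str());
    return selfcheck() ? 0 : 1;
}
```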

  10. #10
    MeGaMaX (Developer, joined Jun 2007, location ~!Ro_oT!~, 642 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    Quote (originally posted by megaman963):
    xD, it was the length of the characters of the key ... I just forgot to add it ...

    Here is the updated one:
    Code:
    public static void encrypting(char[] args, int XORStart, int XORAddress) {
            final int XORSTART = XORStart;
            char[] xs = args;
            final int BUFLEN = xs.length + 1;
            char[] s = new char[BUFLEN];
            int nXORSTART = XORSTART + BUFLEN - 1;
    
            for (int i = BUFLEN - 1; i > 0; i--) {
                // decrement the XOR key value
                nXORSTART -= 1;
                // reset nXORSTART if it went to zero
                if (nXORSTART == 0) {
                    nXORSTART = 256;
                }
                // generate the byte by XORing the char with nXORSTART
                s[i] = (char) (xs[i - 1] ^ nXORSTART);
            }
            //print generated XorStr key
            System.out.print("/*" + String.valueOf(args) + "*/XorStr<"
                    + String.format("0x%02X", (byte) XORStart) + ","
                    + BUFLEN + ","
                    + String.format("0x%02X", XORAddress) + ">(\"");
            for (int x = 1; x < s.length; x++) {
                System.out.print(String.format("\\x%02X", (byte) s[x]));
            }
            System.out.println("\"+" + String.format("0x%02X", XORAddress)
                    + ").s");
        }
    But there is still a question on my mind: does the XORSTART have a relation with the XREFKILLER when generating that XOR line? For example:

    Code:
    /*Megaman963*/XorStr<0xEE,11,0x967C5AC0>("\xA3\x8A\x97\x90\x9F\x92\x9A\xCC\xC0\xC4"+0x967C5AC0).s
    Is that 0x967C5AC0 <XREFKILLER> fine to be generated randomly, or must it be related to 0xEE <XORSTART>?

    If related, what is the link between them?
    Download the lemoniscool HTML script and you will understand; it's the same algo I was using.

  11. #11
    lemoniscool (Account Upgraded | Title Enabled!, Member, joined Nov 2009, location Germany, 579 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    I think you got me wrong; the HTML file I posted is NOT made by me, I found it on the net after 5 minutes of googling ^^

  12. #12
    blapanda (Retired, Member, joined Oct 2013, location Localhost, 536 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    Just a question: how about those with regular noob-tools (no Joymax MPack PK2 editors, just those extract and import tools only), are they still able to extract the files? Since they won't have to use a key to export/import files to the PK2 files.

    Are those noob-tools using a preset of keys (hardcoded, e.g. 169841) in the tool?

  13. #13

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    Yes, but do note that the PK2 files are not completely encrypted; you'll still be able to use hex editors (and possibly unpacking/brute-force attacks).

  14. #14
    NourAyman ("(⌐■_■)", Member, joined Feb 2012, location "Behind you :P", 683 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    So nice.

    Keep going. :)
    Last edited by NourAyman; 12-04-14 at 01:25 PM.

  15. #15
    bares1993 (Valued Member, Member, joined May 2013, 135 posts)

    Re: Silkroad C++ Dll Client Protection (Anti Unpacking)

    Is this for changing the Blowfish key?


