-
Hook DLL for Main.exe eX ++ no need unpack.
Hi, I see some people need a Main.exe eX ++ cracked and don't know how to unpack it, so I made a small guide for an easy crack of main.exe.
1. Load Main.exe eX ++ in OllyDbg; the OEP looks like this:
Code:
00CDDBE5 > 60 pushad
00CDDBE6 9C pushfd
00CDDBE7 FC cld
00CDDBE8 B8 01000000 mov eax, 1
Set a HWBP at the OEP and press Shift + F9; you get:
1.1
Code:
00CDDBE5 > E8 C9C09BFF call 00699CB3
00CDDBEA ^ E9 78FEFFFF jmp 00CDDA67
So I make a hook at offset 00CDDBEA.
How to make it? Look at this:
2. Restart Olly and load main.exe again:
Code:
00CDDBE5 > 60 pushad
00CDDBE6 9C pushfd
00CDDBE7 FC cld
00CDDBE8 B8 01000000 mov eax, 1
00CDDBED B9 FFFF0000 mov ecx, 0FFFF
00CDDBF2 - E0 FE loopdne short 00CDDBF2
00CDDBF4 48 dec eax
00CDDBF5 83F8 00 cmp eax, 0
00CDDBF8 ^ 75 F3 jnz short 00CDDBED
00CDDBFA 68 D180DC0A push 0ADC80D1 ; ASCII "kernel32.dll"
00CDDBFF FF15 64ACC609 call dword ptr [<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
00CDDC05 68 DE80DC0A push 0ADC80DE ; ASCII "VirtualProtect"
00CDDC0A 50 push eax
00CDDC0B FF15 60ACC609 call dword ptr [<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress
00CDDC11 8BD8 mov ebx, eax
00CDDC13 50 push eax
00CDDC14 8BCC mov ecx, esp
00CDDC16 51 push ecx
00CDDC17 6A 40 push 40
00CDDC19 68 5B000000 push 5B
00CDDC1E 68 E5DBCD00 push <ModuleEntryPoint>
00CDDC23 FFD0 call eax
00CDDC25 8BCC mov ecx, esp
00CDDC27 51 push ecx
00CDDC28 6A 40 push 40
00CDDC2A 68 19000000 push 19
00CDDC2F 68 B880DC0A push 0ADC80B8
00CDDC34 8BC3 mov eax, ebx
00CDDC36 FFD0 call eax
00CDDC38 83C4 04 add esp, 4
00CDDC3B - E9 78A40E0A jmp 0ADC80B8
At 00CDDC3B, follow the jump to 0ADC80B8:
Code:
0ADC80B8 90 nop
0ADC80B9 BE ED80DC0A mov esi, 0ADC80ED
0ADC80BE BF E5DBCD00 mov edi, <ModuleEntryPoint>
0ADC80C3 B9 5B000000 mov ecx, 5B
0ADC80C8 F3:A4 rep movs byte ptr es:[edi], byte ptr>
0ADC80CA 9D popfd
0ADC80CB 61 popad
0ADC80CC - E9 145BF1F5 jmp <ModuleEntryPoint>
Look at offset 0ADC80ED in the HEX DUMP, size 0x5B:
Code:
0ADC80ED E8 C9 C0 9B FF E9 78 FE FF FF 8B FF 55 8B EC 53 èÉÀ›ÿéxþÿÿ‹ÿU‹ìS
Look at 1.1 above and the red text: E9 78 FE FF FF
It is jmp 00CDDA67 (ASM code),
so we change it to a free offset and write the hook code there.
For example, I do it on Main zteam EX802 1.4.42.
At 0ADC80ED:
Original : E8 C9 C0 9B FF E9 78 FE FF FF 8B FF 55 8B EC 53
Hook: E8 C9 C0 9B FF E9 39 4F 4E 00 8B FF 55 8B EC 53
E9 39 4F 4E 00 is jmp 011C2B28 (ASM code),
so we write the hook code at 011C2B28, like this:
Code:
011C2B28 68 582B1C01 push 011C2B58 ; ASCII "zClient.dll"
011C2B2D FF15 64ACC609 call dword ptr [<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
011C2B33 - E9 2FAFB1FF jmp 00CDDA67 ; Offset original JMP
Done, save it. From the DLL we can patch any offset to crack Main.exe.
Doing it on other main.exe builds is the same and will surely work fine :)
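An added check, not from the original post, to verify the displacement arithmetic behind the stub bytes shown above. Everything that matters here is a 5-byte `E8`/`E9` rel32 instruction whose displacement is relative to the *next* instruction, so the post's "E9 78 FE FF FF" at 00CDDBEA resolves to 00CDDA67 and the replaced "E9 39 4F 4E 00" resolves to 011C2B28. The same decoder, run over a binary's entry stub with the module's image bounds, is the integrity check a defender uses to spot an entry point that has been redirected to a code cave. The entry point and the two 16-byte stub variants are taken from the post; the image bounds are an assumption used only for the illustration.

```python
import struct

# Values taken from the post: the module entry point the unpacking stub restores
# (00CDDBE5) and the first 16 bytes it copies there, original and hooked.
ENTRY_POINT = 0x00CDDBE5
ORIGINAL_STUB = bytes.fromhex("E8 C9 C0 9B FF E9 78 FE FF FF 8B FF 55 8B EC 53")
HOOKED_STUB = bytes.fromhex("E8 C9 C0 9B FF E9 39 4F 4E 00 8B FF 55 8B EC 53")

# Assumed image bounds for the illustration only; the post does not state them.
ASSUMED_IMAGE_LO = 0x00400000
ASSUMED_IMAGE_HI = 0x01000000


def decode_rel32(addr, code):
    """Decode one 5-byte E8 (call rel32) or E9 (jmp rel32) located at addr.

    Returns (mnemonic, target) or None when the first byte is neither opcode.
    The displacement is signed and relative to the address of the next instruction.
    """
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        return None
    disp = struct.unpack_from("<i", code, 1)[0]
    target = (addr + 5 + disp) & 0xFFFFFFFF
    return ("call" if code[0] == 0xE8 else "jmp", target)


def encode_rel32(mnemonic, addr, target):
    """Inverse of decode_rel32: the 5 bytes for `call/jmp target` placed at addr."""
    opcode = {"call": 0xE8, "jmp": 0xE9}[mnemonic]
    disp = (target - (addr + 5)) & 0xFFFFFFFF
    return bytes([opcode]) + struct.pack("<I", disp)


def decode_leading_branches(addr, stub):
    """Walk the stub while it keeps yielding call/jmp rel32 instructions.

    Returns a list of (instruction address, mnemonic, target).
    """
    found = []
    off = 0
    while True:
        ins = decode_rel32(addr + off, stub[off:])
        if ins is None:
            break
        found.append((addr + off, ins[0], ins[1]))
        off += 5
    return found


def diverted_branches(addr, stub, image_lo, image_hi):
    """Branches in the stub whose target falls outside [image_lo, image_hi).

    Control flow leaving the module's own image straight from its entry stub is
    the signal to look for when checking that a binary's entry point has not
    been redirected.
    """
    return [
        (a, m, t)
        for a, m, t in decode_leading_branches(addr, stub)
        if not image_lo <= t < image_hi
    ]


if __name__ == "__main__":
    for name, stub in (("original", ORIGINAL_STUB), ("hooked", HOOKED_STUB)):
        print(name)
        for a, m, t in decode_leading_branches(ENTRY_POINT, stub):
            print(f"  {a:08X}  {m} {t:08X}")
        flagged = diverted_branches(ENTRY_POINT, stub, ASSUMED_IMAGE_LO, ASSUMED_IMAGE_HI)
        print("  outside assumed image:", [(f"{a:08X}", m, f"{t:08X}") for a, m, t in flagged])
```

With the post's bytes, the original stub decodes to `call 00699CB3` / `jmp 00CDDA67` and the hooked stub to `call 00699CB3` / `jmp 011C2B28`; `encode_rel32` reproduces the "39 4F 4E 00" displacement and the "2F AF B1 FF" of the jump back from 011C2B33. Only the hooked variant is reported by `diverted_branches` under the assumed bounds.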
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
@tomatoes
Which main have you used as the example?
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
And what about restoring bytes in some places of the code? For example, if you disable proto crypt, it will be restored again.
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Quote:
Originally Posted by
SmallHabit
And what about restoring bytes in some places of the code? For example, if you disable proto crypt, it will be restored again.
I don't know, I just researched main.exe eX a bit, no more. But I think it is a protection by Webzen. You can compare with Main.exe Blue CHS, no encryption (I shared it). In the new main eX some functions (obfuscated) crash main.exe, and if I restore them with the (non-obfuscated) code of main.exe Blue CHS, it works fine. Check it :)
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
@tomatoes
How do I activate mu.exe in this main 1.4.42?
Thanks
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Quote:
Originally Posted by
gmrote
ask main 1.4.42 the fix then Thanks
When I hook zClient.dll in this main, mu.exe is automatically deactivated.
I don't understand that :s, I used two ways to hook and got the same result.
Used Windows 8.1 & OllyDBG 1.10
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
zClient.dll patches the JMP for mu.exe, so you can't start Mu.exe. If you want to start Mu.exe, please patch the Mu.exe offset again, JMP=>JNZ, from another DLL after zClient.dll is loaded.
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Quote:
Originally Posted by
tomatoes
zClient.dll patches the JMP for mu.exe, so you can't start Mu.exe. If you want to start Mu.exe, please patch the Mu.exe offset again, JMP=>JNZ, from another DLL after zClient.dll is loaded.
Ah OK, thanks a lot, I didn't know this ;)
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Quote:
Originally Posted by
laulinh2
help me please :((
here is hooked with dll
https://www.sendspace.com/file/5o04b2
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
I tried to hook the antihack DLL from pinkof; it starts the splash and the game loads for about 2 sec., then closes. Any idea, sir @tomatoes?
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Many people have asked me to help hook the pinkof GameGuard into the main.
Here is Main with GameGuard.dll hooked -> Main + GameGuard.dll
Here is Main with GameGuard.dll + zClient.dll hooked -> Main + GameGuard.dll + zClient.dll
zClient.dll? Use yours.
Note: if you have problems starting the game, it's a bad config, not a bad hook; it's a simple hook.
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Hello.
My main is KOR S8.
Please help me hook the zteam S8 DLL into my main.
My Main link: https://www.sendspace.com/file/zyvyk8
Thanks. :huh:
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
testmain
Quote:
Originally Posted by
pquintal
Many people have asked me to help hook the pinkof GameGuard into the main.
Here is Main with GameGuard.dll hooked -> Main + GameGuard.dll
Here is Main with GameGuard.dll + zClient.dll hooked -> Main + GameGuard.dll + zClient.dll
zClient.dll? Use yours.
Note: if you have problems starting the game, it's a bad config, not a bad hook; it's a simple hook.
http://image.ohozaa.com/i/508/rCpa3k.jpg
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Quote:
Originally Posted by
gmrote
You have disabled autostart analysis in the options for main.
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Quote:
Originally Posted by
pquintal
You have disabled autostart analysis in the options for main.
Help me, add my Skype: live:rote2011
Quote:
Originally Posted by
tomatoes
http://image.ohozaa.com/i/508/rCpa3k.jpg
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Help me please.
EX702 1.03R tai
http://pan.baidu.com/s/1hq02How
Just need to change the IP and hook GameGuard.
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Hello mates! Can someone help me with the new main of zTeam? They have added some extra protection, so I get some GameGuard :: error.
I really want to post my latest update for FREE to the people (liveguard).
Main won't start without Starter.exe ....
https://drive.google.com/file/d/0B9s...ew?usp=sharing
I feel pretty stupid because I can't attach it... but I don't have a choice :(
LE: sorry, I forgot, it can be any other .dll, just don't put an export name. Normally my dll name is liveguard.ll and the export function is Mecanik()
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Quote:
Originally Posted by
mecanik1
Bump ?:(
Give me your Skype, mate... I'll help you with this.
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Hi, can a DLL be hooked so that excellent items show their colour correctly?
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
I have problems with HD resolution: my launcher has options for wide screen and my main.exe doesn't support it. What do I need to do for that wide resolution to work? Can someone please help me?
-
Re: Hook DLL for Main.exe eX ++ no need unpack.
Quote:
Originally Posted by
tomatoes
LoL Tomatoes, I hooked a zteam main successfully, but an x-team main (Muemu) without success; the main crashes after the hook.
Look at my main: http://murxonline.com.br/main.rar