Introduction:
Mauka anti cheat, or whatever it is called, is a "decent" anti cheat system combined with a launcher builder, which is very good by the way; the launcher it creates also checks for files and prevents replacement of those files.
You can find the release here:
http://forum.ragezone.com/f197/simply-muonline-launcher-anticheat-612374/
Anyway, this anti cheat accomplishes the goal of protecting MuOnline from hacks, at least enough to stop noobs, and for private servers.
Pros:
- The launcher builder is packed with I don't know which packer, because I unpacked it without knowing what the packer was; it's pretty lame, but it will stop most MuOnline cheaters who believe they really know how to unpack.
- The launcher builder and the launcher itself seem to be coded in Delphi, and because the Delphi compiler is some badass shit, it almost looks like obfuscated code.
- It has some little protection in case of unpacking; it will for sure stop most noobs.
Cons:
- The launcher itself is packed with UPX, which is bullshit; if you want to compress, use ASPack and get a little more security.
- The scanning system is via "footprint", and you can say this system is very lame and lazy; I recommend heuristic scanning with some other things.
- Making a launcher isn't the smartest thing for an anti cheat, but I accept it because it was for MuOnline, so it's ok; this game doesn't deserve anything more than this.
- Skyteam had a hand in this (blurcode), I think...
Summary:
- It kicks MuGuard's ass: even if MuGuard is kernel 0 and all that crap that they don't even know how to use, this launcher + anti cheat, like I said, protects better than MuGuard against a beginner in cheats.
Let's Unpack:
1.- We will open it with OllyDbg and the first thing we see is:
Code:
004E2FE4 > B8 84947D00 MOV EAX,Launcher.007D9484
004E2FE9 50 PUSH EAX
004E2FEA 64:FF35 00000000 PUSH DWORD PTR FS:[0]
004E2FF1 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
If the packer wanted you not to notice that this is an SEH, then he fails, and fails big; even if this seems to be "obfuscated", it totally sucks, so I follow the address of the SEH handler:
Code:
007D9484
2.- Now I put a breakpoint there and execute.
Of course an exception will happen, but we press SHIFT+F9 to avoid it, and we land on the SEH handler, where we see this:
Code:
007D9484 B8 09827DF0 MOV EAX,F07D8209
007D9489 8D88 9E120010 LEA ECX,DWORD PTR DS:[EAX+1000129E]
007D948F 8941 01 MOV DWORD PTR DS:[ECX+1],EAX
007D9492 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
007D9496 8B52 0C MOV EDX,DWORD PTR DS:[EDX+C]
007D9499 C602 E9 MOV BYTE PTR DS:[EDX],0E9
007D949C 83C2 05 ADD EDX,5
007D949F 2BCA SUB ECX,EDX
007D94A1 894A FC MOV DWORD PTR DS:[EDX-4],ECX
007D94A4 33C0 XOR EAX,EAX
007D94A6 C3 RETN
Ok, I can clearly see that this is a routine to build a JMP, because I see the 0E9 byte, which is the opcode prefix; again another fail by the unknown packer.
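As an added illustration (my own Python, not code from the post or from the Mauka launcher), here is a model of what this handler does: the SEH handler receives a pointer to the EXCEPTION_RECORD on the stack ([ESP+4]), reads the faulting address from it (offset 0xC is ExceptionAddress), writes 0xE9 there and then stores the 32-bit displacement target - (faulting_address + 5). The same block decodes the branch listings quoted in the post (the rebuilt E9 jump at 004E2FFA and the short 74/75/EB jumps shown later) and checks that the computed targets agree with what OllyDbg printed, which is the kind of consistency check a reviewer runs before trusting a transcribed listing. The listing lines and register values are copied from the post; the function names and the constructed memory image are mine.

```python
import struct

# Listing lines copied from the post (OllyDbg output). The first is the jump
# the SEH handler rebuilds; the others are short jumps quoted later in the post.
LISTING = """\
004E2FFA -E9 A8642F00 JMP Launcher.007D94A7
00554DEE 74 0C JE SHORT Launcher.00554DFC
00554E03 ^75 C0 JNZ SHORT Launcher.00554DC5
026C8680 . EB 10 JMP SHORT Launcher.026C8692
"""

MASK32 = 0xFFFFFFFF
MNEMONIC = {0xE9: "JMP", 0xEB: "JMP", 0x74: "JE", 0x75: "JNZ"}


def lea_add(base: int, disp: int) -> int:
    """32-bit LEA with wrap-around, e.g. LEA ECX,[EAX+1000129E] with EAX=F07D8209."""
    return (base + disp) & MASK32


def build_jmp_rel32(at: int, target: int) -> bytes:
    """Encode the 5-byte E9 jump the handler writes at the faulting address:
    MOV BYTE PTR [EDX],0E9 ; ADD EDX,5 ; SUB ECX,EDX ; MOV [EDX-4],ECX."""
    rel = (target - (at + 5)) & MASK32
    return b"\xE9" + struct.pack("<I", rel)


def seh_patch(memory: bytearray, image_base: int, exception_address: int, target: int) -> bytearray:
    """Model of the handler's side effect on a constructed memory image: the jump is
    written at ExceptionAddress (EXCEPTION_RECORD offset 0xC), wherever the fault was."""
    off = exception_address - image_base
    memory[off:off + 5] = build_jmp_rel32(exception_address, target)
    return memory


def decode_branch(at: int, code: bytes):
    """Return (mnemonic, absolute target) for E9 rel32 and 74/75/EB rel8 branches."""
    op = code[0]
    if op == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return MNEMONIC[op], (at + 5 + rel) & MASK32
    if op in (0x74, 0x75, 0xEB):
        rel = struct.unpack_from("<b", code, 1)[0]
        return MNEMONIC[op], (at + 2 + rel) & MASK32
    raise ValueError(f"unsupported opcode {op:02X}")


def parse_listing_line(line: str):
    """Split an OllyDbg line into (address, opcode bytes, stated target), dropping
    the '>', '$', '.', '^' and '-' markers OllyDbg prints in front of the bytes."""
    tokens = [t for t in line.split() if t not in (".", ">", "$")]
    address = int(tokens[0], 16)
    code = bytes.fromhex(tokens[1].lstrip("^-") + tokens[2])
    stated = int(tokens[-1].rsplit(".", 1)[-1], 16)
    return address, code, stated


def check_listing(listing: str):
    """For each line, compare the decoded target with the one OllyDbg printed."""
    results = []
    for line in listing.splitlines():
        address, code, stated = parse_listing_line(line)
        mnemonic, computed = decode_branch(address, code)
        results.append((address, mnemonic, computed, computed == stated))
    return results


if __name__ == "__main__":
    # Register values from the post: EAX=F07D8209, then LEA ECX,[EAX+1000129E]
    print(f"handler target ECX = {lea_add(0xF07D8209, 0x1000129E):08X}")
    for address, mnemonic, target, ok in check_listing(LISTING):
        print(f"{address:08X} {mnemonic:<3} -> {target:08X} {'ok' if ok else 'MISMATCH'}")
```

With the post's register value, lea_add gives ECX = 007D94A7, and build_jmp_rel32(0x004E2FFA, 0x007D94A7) reproduces the bytes E9 A8642F00 shown at 004E2FFA, so the listing and the handler agree.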
If we keep going with F7 and land on this part:
Code:
007D94A1 894A FC MOV DWORD PTR DS:[EDX-4],ECX
we can see that the jump at the memory address in EDX has already been created, and it looks like this:
Code:
004E2FFA -E9 A8642F00 JMP Launcher.007D94A7
Ok, so I'll follow this jump and see where it leads:
Code:
007D94A7 B8 09827DF0 MOV EAX,F07D8209
007D94AC 64:8F05 00000000 POP DWORD PTR FS:[0]
007D94B3 83C4 04 ADD ESP,4
007D94B6 55 PUSH EBP
007D94B7 53 PUSH EBX
007D94B8 51 PUSH ECX
007D94B9 57 PUSH EDI
007D94BA 56 PUSH ESI
007D94BB 52 PUSH EDX
007D94BC 8D98 57120010 LEA EBX,DWORD PTR DS:[EAX+10001257]
007D94C2 8B53 18 MOV EDX,DWORD PTR DS:[EBX+18]
007D94C5 52 PUSH EDX
007D94C6 8BE8 MOV EBP,EAX
007D94C8 6A 40 PUSH 40
007D94CA 68 00100000 PUSH 1000
007D94CF FF73 04 PUSH DWORD PTR DS:[EBX+4]
007D94D2 6A 00 PUSH 0
007D94D4 8B4B 10 MOV ECX,DWORD PTR DS:[EBX+10]
007D94D7 03CA ADD ECX,EDX
007D94D9 8B01 MOV EAX,DWORD PTR DS:[ECX]
007D94DB FFD0 CALL EAX
Ok, this seems to be the real face of the packer, but let's keep looking down, and I'll put a BREAKPOINT here:
Code:
007D951C 8B4B 0C MOV ECX,DWORD PTR DS:[EBX+C]
007D951F 894E 14 MOV DWORD PTR DS:[ESI+14],ECX
007D9522 FFD7 CALL EDI
007D9524 8985 3F130010 MOV DWORD PTR SS:[EBP+1000133F],EAX
3.- Well, once we break we will keep debugging with F8.
And step over the CALL EDI opcode; when we then look at EAX we already have our OEP:
Code:
007D9524 8985 3F130010 MOV DWORD PTR SS:[EBP+1000133F],EAX ; Launcher.<ModuleEntryPoint>
Code:
OEP = 004E2FE4
Ok, this was easy; we can put a breakpoint on the OEP and land there, but I prefer to see how the packer calls the OEP, and it calls it here:
Code:
007D9540 5A POP EDX
007D9541 5E POP ESI
007D9542 5F POP EDI
007D9543 59 POP ECX
007D9544 5B POP EBX
007D9545 5D POP EBP
007D9546 -FFE0 JMP EAX ; Launcher.<ModuleEntryPoint>
So the JMP EAX enters the OEP and we are here:
Code:
004E2FE4 > 55 PUSH EBP
004E2FE5 8BEC MOV EBP,ESP
004E2FE7 83C4 F0 ADD ESP,-10
004E2FEA B8 18BC4D00 MOV EAX,Launcher.004DBC18
004E2FEF E8 2472F2FF CALL Launcher.0040A218
004E2FF4 A1 68BA4E00 MOV EAX,DWORD PTR DS:[4EBA68]
004E2FF9 8B00 MOV EAX,DWORD PTR DS:[EAX]
004E2FFB E8 400CFEFF CALL Launcher.004C3C40
004E3000 A1 68BA4E00 MOV EAX,DWORD PTR DS:[4EBA68]
004E3005 8B00 MOV EAX,DWORD PTR DS:[EAX]
004E3007 B2 01 MOV DL,1
004E3009 E8 6E29FEFF CALL Launcher.004C597C
004E300E 8B0D F8B64E00 MOV ECX,DWORD PTR DS:[4EB6F8] ; Launcher.00572D00
004E3014 A1 68BA4E00 MOV EAX,DWORD PTR DS:[4EBA68]
004E3019 8B00 MOV EAX,DWORD PTR DS:[EAX]
004E301B 8B15 A8A44D00 MOV EDX,DWORD PTR DS:[4DA4A8] ; Launcher.004DA500
004E3021 E8 320CFEFF CALL Launcher.004C3C58
004E3026 8B0D 08BC4E00 MOV ECX,DWORD PTR DS:[4EBC08] ; Launcher.00572CC0
004E302C A1 68BA4E00 MOV EAX,DWORD PTR DS:[4EBA68]
004E3031 8B00 MOV EAX,DWORD PTR DS:[EAX]
004E3033 8B15 6C934D00 MOV EDX,DWORD PTR DS:[4D936C] ; Launcher.004D93C4
004E3039 E8 1A0CFEFF CALL Launcher.004C3C58
004E303E A1 68BA4E00 MOV EAX,DWORD PTR DS:[4EBA68]
004E3043 8B00 MOV EAX,DWORD PTR DS:[EAX]
004E3045 E8 5E0DFEFF CALL Launcher.004C3DA8
004E304A E8 752EF2FF CALL Launcher.00405EC4
5.- Now we will open the IMPREC tool, put in the OEP and get the imports. Without any problem we got them all, so we can dump with OllyDbg > Plugin > Dump, and we untick the option "Rebuild Import".
Once we have the dumped file we apply the IAT patch with IMPREC and voila, we have it fully unpacked; but we don't care about this goddamn thing, because it only creates the launcher, nothing more...
Now we will create a launcher with options and we will unpack it:
1.- Open the launcher with OllyDbg and we see this:
Code:
026C8670 > $ 60 PUSHAD
026C8671 . BE 00D05C02 MOV ESI,Launcher.025CD000
026C8676 . 8DBE 0040E3FD LEA EDI,DWORD PTR DS:[ESI+FDE34000]
026C867C . 57 PUSH EDI
026C867D . 83CD FF OR EBP,FFFFFFFF
026C8680 . EB 10 JMP SHORT Launcher.026C8692
You probably know the technique of unpacking with PUSHAD, the ESP register trick and bla bla bla, but I don't use this shit, so keep looking down and put a BP here:
Code:
026C880D . 61 POPAD
2.- Now keep tracing with F7 and we see the typical JMP with the OEP address:
Code:
026C881B .-E9 487FE9FD JMP Launcher.00560768
Code:
OEP = 00560768
Now we do the same steps as with the launcher builder: open IMPREC, take the IAT with the OEP, make the dump with the OllyDbg plugin and apply the IAT patch to the executable.
Finally the launcher is fully unpacked; now this is what we care about, but if we run the launcher you'll see it isn't working...
Did we unpack it badly?
Well, I think it's a protection (a custom one) and I'll look for it.
3.- Once we execute in OllyDbg we can see it crash here:
Code:
004D8229 8BD8 MOV EBX,EAX
004D822B 837B 10 00 CMP DWORD PTR DS:[EBX+10],0
004D822F 75 11 JNZ SHORT Launcher.004D8242
Code:
[EBX+10] = ??????
No valid address pointer, and we can see that the address comes from EAX, and EAX is 00, so wtf is wrong?
I'll look at the stack window and we see it's called from here:
Code:
005561A8 33D2 XOR EDX,EDX
005561AA E8 352EF8FF CALL Launcher.004D8FE4
005561AF E8 7420F8FF CALL Launcher.004D8228
Now I will enter the call on top of it, with the address 004D8FE4, and inside we see this:
Code:
004D8FE4 53 PUSH EBX
004D8FE5 56 PUSH ESI
004D8FE6 57 PUSH EDI
004D8FE7 8BFA MOV EDI,EDX
004D8FE9 8BD8 MOV EBX,EAX
004D8FEB 8B73 08 MOV ESI,DWORD PTR DS:[EBX+8]
004D8FEE 85F6 TEST ESI,ESI
004D8FF0 74 0B JE SHORT Launcher.004D8FFD
004D8FF2 8BC6 MOV EAX,ESI
004D8FF4 8B10 MOV EDX,DWORD PTR DS:[EAX]
004D8FF6 FF52 14 CALL DWORD PTR DS:[EDX+14]
004D8FF9 3BF8 CMP EDI,EAX
004D8FFB 7E 04 JLE SHORT Launcher.004D9001
004D8FFD 33C0 XOR EAX,EAX
004D8FFF EB 0A JMP SHORT Launcher.004D900B
004D9001 8BD7 MOV EDX,EDI
004D9003 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8]
004D9006 8B08 MOV ECX,DWORD PTR DS:[EAX]
004D9008 FF51 18 CALL DWORD PTR DS:[ECX+18]
004D900B 5F POP EDI
004D900C 5E POP ESI
004D900D 5B POP EBX
004D900E C3 RETN
Now I understand why; you see, it makes a simple comparison:
Code:
004D8FEB 8B73 08 MOV ESI,DWORD PTR DS:[EBX+8]
004D8FEE 85F6 TEST ESI,ESI
004D8FF0 74 0B JE SHORT Launcher.004D8FFD
If this is true then:
Code:
004D8FFD 33C0 XOR EAX,EAX
Lol, so this is why we get the crash; I'll fix it by NOPing this XOR EAX,EAX. Now I test the program and voila, it runs perfectly; this was the "big custom protection".
5.- Finally I want to remove the detection system, so I'll look for the API:
Code:
OpenProcess
I can see it here:
Code:
0040B9CC -FF25 4C505402 JMP DWORD PTR DS:[<&kernel32.OpenProcess>; kernel32.OpenProcess
So I'll trace it by pressing CONTROL+F and typing CALL 0040B9CC.
Voila, I found this:
Code:
00554E4E E8 796BEBFF CALL <JMP.&kernel32.OpenProcess>
00554E53 8BF0 MOV ESI,EAX
00554E55 85F6 TEST ESI,ESI
00554E57 74 3A JE SHORT Launcher.00554E93
00554E59 8BD6 MOV EDX,ESI
00554E5B 8BC7 MOV EAX,EDI
00554E5D E8 46FFFFFF CALL Launcher.00554DA8
00554E62 84C0 TEST AL,AL
00554E64 74 2D JE SHORT Launcher.00554E93
00554E66 6A 01 PUSH 1
00554E68 6A 00 PUSH 0
00554E6A 6A 00 PUSH 0
00554E6C A1 90AC5600 MOV EAX,DWORD PTR DS:[56AC90]
00554E71 8B40 18 MOV EAX,DWORD PTR DS:[EAX+18]
00554E74 E8 131FEBFF CALL Launcher.00406D8C
00554E79 50 PUSH EAX
00554E7A 68 B04E5500 PUSH Launcher.00554EB0 ; UNICODE "open"
00554E7F 6A 00 PUSH 0
00554E81 E8 0E25F1FF CALL <JMP.&shell32.ShellExecuteW>
00554E86 6A FF PUSH -1
00554E88 E8 5B69EBFF CALL <JMP.&kernel32.GetCurrentProcess>
00554E8D 50 PUSH EAX
00554E8E E8 E96BEBFF CALL <JMP.&kernel32.TerminateProcess>
Now I'll look at this, and it seems pretty important:
Code:
00554E5D E8 46FFFFFF CALL Launcher.00554DA8
00554E62 84C0 TEST AL,AL
00554E64 74 2D JE SHORT Launcher.00554E93
Looking inside CALL 00554DA8 we can see:
Code:
00554DD6 E8 216CEBFF CALL <JMP.&kernel32.ReadProcessMemory>
00554DDB 8D53 04 LEA EDX,DWORD PTR DS:[EBX+4]
00554DDE 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
00554DE2 B9 20000000 MOV ECX,20
00554DE7 E8 60DAEBFF CALL Launcher.0041284C
00554DEC 84C0 TEST AL,AL
00554DEE 74 0C JE SHORT Launcher.00554DFC
00554DF0 B3 01 MOV BL,1
00554DF2 6A 00 PUSH 0
00554DF4 57 PUSH EDI
00554DF5 E8 826CEBFF CALL <JMP.&kernel32.TerminateProcess>
00554DFA EB 0B JMP SHORT Launcher.00554E07
00554DFC 81C3 04800000 ADD EBX,8004
00554E02 4E DEC ESI
00554E03 ^75 C0 JNZ SHORT Launcher.00554DC5
So here it reads the process memory, and of course the CALL 0041284C is the function that scans for a detected cheat or not.
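To make the structure of that loop explicit, here is an added Python model (my own code, not from the post or from the Mauka launcher). Only two values come from the listing: the 0x8004-byte stride between table entries (ADD EBX,8004) and the 0x20-byte compare length (MOV ECX,20). The record layout (a 4-byte address to read followed by the 32-byte footprint), the ReadProcessMemory stand-in and all sample data are assumptions constructed for the example. It shows why the Cons list calls this a "footprint" scan: a process is flagged only when the exact 32 bytes at the exact address equal a table entry, and a failed read counts as no match.

```python
import struct

ENTRY_STRIDE = 0x8004   # ADD EBX,8004 in the listing: distance between table entries
PATTERN_LEN = 0x20      # MOV ECX,20 before CALL 0041284C: bytes compared per entry


def build_signature_table(entries):
    """Constructed layout (assumption): each entry is a 4-byte address to read,
    followed by the PATTERN_LEN-byte footprint, padded to ENTRY_STRIDE bytes."""
    table = bytearray()
    for address, pattern in entries:
        if len(pattern) != PATTERN_LEN:
            raise ValueError("footprint must be exactly PATTERN_LEN bytes")
        record = struct.pack("<I", address) + pattern
        table += record.ljust(ENTRY_STRIDE, b"\x00")
    return bytes(table)


class FakeProcess:
    """Stand-in for OpenProcess/ReadProcessMemory: a dict of region base -> bytes."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, address, size):
        """Return `size` bytes at `address`, or None when the read would fail."""
        for base, data in self.regions.items():
            if base <= address and address + size <= base + len(data):
                return data[address - base:address - base + size]
        return None


def footprint_scan(process, table, count):
    """Mirror of the loop: EBX walks the table, ESI counts entries down.
    Returns the index of the first matching entry, or None (no detection)."""
    ebx = 0
    for index in range(count):                              # DEC ESI / JNZ
        address = struct.unpack_from("<I", table, ebx)[0]
        footprint = table[ebx + 4:ebx + 4 + PATTERN_LEN]    # LEA EDX,[EBX+4]
        observed = process.read(address, PATTERN_LEN)       # ReadProcessMemory into [ESP+4]
        if observed is not None and observed == footprint:  # CALL 0041284C ; TEST AL,AL
            return index                                    # MOV BL,1 ; TerminateProcess
        ebx += ENTRY_STRIDE                                 # ADD EBX,8004
    return None


def demo():
    """Constructed data: two footprints; one process carries the second one exactly,
    another differs in a single byte, a third has nothing readable at that address."""
    table = build_signature_table([
        (0x00401000, b"\x55\x8B\xEC" + b"\x90" * 29),   # constructed footprint A
        (0x10001000, b"\xCC" * 16 + b"\x41" * 16),      # constructed footprint B
    ])
    exact = FakeProcess({0x10001000: b"\xCC" * 16 + b"\x41" * 16 + b"\x00" * 8})
    off_by_one = FakeProcess({0x10001000: b"\xCC" * 16 + b"\x41" * 15 + b"\x42" + b"\x00" * 8})
    unmapped = FakeProcess({0x20000000: b"\x00" * 64})
    return (
        footprint_scan(exact, table, 2),
        footprint_scan(off_by_one, table, 2),
        footprint_scan(unmapped, table, 2),
    )


if __name__ == "__main__":
    print(demo())   # (1, None, None)
```

The off-by-one case is the weakness the Cons list points at: a footprint comparison is all-or-nothing, so the scanner says nothing about code that is not byte-identical, which is why the author recommends heuristic scanning on top of it.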
6.- So finally we know this JUMP is the one that makes the final decision:
Code:
00554DEC 84C0 TEST AL,AL
00554DEE 74 0C JE SHORT Launcher.00554DFC
Let's change the JE to JMP and, to avoid bugs:
Code:
00554DFC 81C3 04800000 ADD EBX,8004
00554E02 4E DEC ESI
00554E03 ^75 C0 JNZ SHORT Launcher.00554DC5
NOP the JNZ jump.
Last step is to change this JE jump, which is a "prevention" the coder uses:
Code:
00554E64 74 2D JE SHORT Launcher.00554E93
To JMP and...
Final Result: launcher builder fully unpacked + launcher itself unpacked + anti cheat scan bypass = Defeated.
DOWNLOAD THE WHOLE PATCH FROM THIS LINK:
http://rapidshare.com/files/36129428...cheat.rar.html

