Hook DLL for Main.exe eX ++ no need unpack.

Junior Spellweaver
Joined
Oct 25, 2005
Messages
117
Reaction score
254
Hi, I see someone needs a Main.exe eX ++ cracked and they don't know how to unpack it, so I made a small guide to crack main.exe easily.

1. Load Main.exe eX ++ in OllyDbg; the OEP looks like this:
Code:
00CDDBE5 >  60              pushad
00CDDBE6    9C              pushfd
00CDDBE7    FC              cld
00CDDBE8    B8 01000000     mov     eax, 1

Set a HWBP at the OEP and press Shift + F9; you get:

1.1
Code:
00CDDBE5 >  E8 C9C09BFF     call    00699CB3
00CDDBEA  ^ E9 78FEFFFF     jmp     00CDDA67

So I make a hook at offset 00CDDBEA.

How to make it? Look at:

2. Restart Olly and load main.exe again:

Code:
00CDDBE5 >  60              pushad
00CDDBE6    9C              pushfd
00CDDBE7    FC              cld
00CDDBE8    B8 01000000     mov     eax, 1
00CDDBED    B9 FFFF0000     mov     ecx, 0FFFF
00CDDBF2  - E0 FE           loopdne short 00CDDBF2
00CDDBF4    48              dec     eax
00CDDBF5    83F8 00         cmp     eax, 0
00CDDBF8  ^ 75 F3           jnz     short 00CDDBED
00CDDBFA    68 D180DC0A     push    0ADC80D1                         ; ASCII "kernel32.dll"
00CDDBFF    FF15 64ACC609   call    dword ptr [<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
00CDDC05    68 DE80DC0A     push    0ADC80DE                         ; ASCII "VirtualProtect"
00CDDC0A    50              push    eax
00CDDC0B    FF15 60ACC609   call    dword ptr [<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress
00CDDC11    8BD8            mov     ebx, eax
00CDDC13    50              push    eax
00CDDC14    8BCC            mov     ecx, esp
00CDDC16    51              push    ecx
00CDDC17    6A 40           push    40
00CDDC19    68 5B000000     push    5B
00CDDC1E    68 E5DBCD00     push    <ModuleEntryPoint>
00CDDC23    FFD0            call    eax
00CDDC25    8BCC            mov     ecx, esp
00CDDC27    51              push    ecx
00CDDC28    6A 40           push    40
00CDDC2A    68 19000000     push    19
00CDDC2F    68 B880DC0A     push    0ADC80B8
00CDDC34    8BC3            mov     eax, ebx
00CDDC36    FFD0            call    eax
00CDDC38    83C4 04         add     esp, 4
00CDDC3B  - E9 78A40E0A     jmp     0ADC80B8

At 00CDDC3B, follow the jump to 0ADC80B8:

Code:
0ADC80B8    90              nop
0ADC80B9    BE ED80DC0A     mov     esi, 0ADC80ED
0ADC80BE    BF E5DBCD00     mov     edi, <ModuleEntryPoint>
0ADC80C3    B9 5B000000     mov     ecx, 5B
0ADC80C8    F3:A4           rep     movs byte ptr es:[edi], byte ptr>
0ADC80CA    9D              popfd
0ADC80CB    61              popad
0ADC80CC  - E9 145BF1F5     jmp     <ModuleEntryPoint>

Look at offset 0ADC80ED in the HEX DUMP, size 0x5B:

Code:
0ADC80ED  E8 C9 C0 9B FF E9 78 FE FF FF 8B FF 55 8B EC 53  èÉÀ›ÿéxþÿÿ‹ÿU‹ìS

Look at 1.1 above and at the marked bytes: E9 78 FE FF FF

It is jmp 00CDDA67 (ASM code),
so we change it to a free offset and write the hook code there.
For example, I did it on Main zteam EX802 1.4.42.

At 0ADC80ED :
Original : E8 C9 C0 9B FF E9 78 FE FF FF 8B FF 55 8B EC 53
Hook: E8 C9 C0 9B FF E9 39 4F 4E 00 8B FF 55 8B EC 53

E9 39 4F 4E 00 is jmp 011C2B28 (ASM code)

So we write the hook code at 011C2B28, like this:

Code:
011C2B28    68 582B1C01     push    011C2B58                         ; ASCII "zClient.dll"
011C2B2D    FF15 64ACC609   call    dword ptr [<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
011C2B33  - E9 2FAFB1FF     jmp     00CDDA67                         ; Offset original JMP


Done, save it. From the DLL, we can patch any offset to crack Main.exe.
Doing it in another main.exe is the same and will surely work fine :)
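As an added example (not code from the post or from the zTeam client), here is the displacement math behind the bytes listed above, in Python: it decodes the original E9 jmp, re-encodes it toward the code cave, and rebuilds the three-instruction cave, checking each result against the bytes tomatoes shows. The function names are mine; every address is taken from the listings in the post.

```python
import struct

# Addresses taken from the OllyDbg listings in the post (Main zteam EX802 1.4.42).
OEP = 0x00CDDBE5               # the packer copies the 0x5B-byte template to this address
JMP_OFF = 5                    # the E9 jmp sits 5 bytes into the template, right after the call
ORIG_TARGET = 0x00CDDA67       # original destination: jmp 00CDDA67
CAVE = 0x011C2B28              # free offset where the hook code is written
STR_ZCLIENT = 0x011C2B58       # address of the "zClient.dll" string used by the hook
IAT_LOADLIBRARYA = 0x09C6AC64  # IAT slot behind "call dword ptr [<&KERNEL32.LoadLibraryA>]"

# The 16 template bytes shown at 0ADC80ED, original and hooked (copied from the post).
TEMPLATE = bytes.fromhex("E8C9C09BFF E978FEFFFF 8BFF558BEC53")
TEMPLATE_HOOKED = bytes.fromhex("E8C9C09BFF E9394F4E00 8BFF558BEC53")


def decode_jmp_rel32(code, off, exec_va):
    """Absolute target of the E9 rel32 jmp at code[off], given the address it executes at."""
    if code[off] != 0xE9:
        raise ValueError("byte at offset is not an E9 jmp")
    rel = struct.unpack_from("<i", code, off + 1)[0]
    return (exec_va + 5 + rel) & 0xFFFFFFFF


def encode_jmp_rel32(jmp_va, target):
    """5-byte E9 jmp; the displacement is relative to the end of the instruction."""
    rel = target - (jmp_va + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return b"\xE9" + struct.pack("<i", rel)


def hook_template(template, oep, off, cave):
    """Re-point the jmp stored in the template. The displacement must be computed
    against the address the bytes will run at (OEP + off), not where the template
    is stored (0ADC80ED), because the packer copies it to the OEP before running it."""
    patched = bytearray(template)
    patched[off:off + 5] = encode_jmp_rel32(oep + off, cave)
    return bytes(patched)


def build_cave(cave_va, string_va, iat_slot, return_to):
    """push <dll name>; call dword ptr [IAT LoadLibraryA]; jmp back to the original target."""
    push = b"\x68" + struct.pack("<I", string_va)       # 68 imm32
    call = b"\xFF\x15" + struct.pack("<I", iat_slot)    # FF 15 disp32 (absolute, 32-bit)
    jmp_back = encode_jmp_rel32(cave_va + len(push) + len(call), return_to)
    return push + call + jmp_back
```

One caveat the post does not mention: LoadLibraryA clobbers EAX, ECX and EDX, so if the code at 00CDDA67 depends on the result of the preceding call, the cave has to save and restore those registers.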
 
Experienced Elementalist
Joined
Oct 19, 2010
Messages
231
Reaction score
531
And what about restoring bytes in some places of the code? For example, if you disable proto crypt, it will be restored again.
 
Junior Spellweaver
Joined
Oct 25, 2005
Messages
117
Reaction score
254
And what about restoring bytes in some places of the code? For example, if you disable proto crypt, it will be restored again.

I don't know, I just researched main.exe eX a bit, no more. But I think it is a protection by Webzen. You can compare with Main.exe Blue CHS without encryption (I shared it). In the new main eX some functions (obfuscated) crash main.exe, and if I restore them with the (non-obfuscated) code of main.exe Blue CHS, it works fine. Check it :)
 
Experienced Elementalist
Joined
May 16, 2009
Messages
205
Reaction score
101
Asking for the fix for main 1.4.42 then. Thanks.
When I hook zClient.dll in this main, mu.exe is automatically deactivated.
I don't understand that :s, I used two ways to hook and got the same result.

Used Windows 8.1 & OllyDbg 1.10
 
Junior Spellweaver
Joined
Oct 25, 2005
Messages
117
Reaction score
254
zClient.dll patches the JMP for mu.exe, so you can't start Mu.exe. If you want to start Mu.exe, please patch the JMP => JNZ at the Mu.exe offset again with another DLL after zClient.dll is loaded.
 
Experienced Elementalist
Joined
May 16, 2009
Messages
205
Reaction score
101
zClient.dll patches the JMP for mu.exe, so you can't start Mu.exe. If you want to start Mu.exe, please patch the JMP => JNZ at the Mu.exe offset again with another DLL after zClient.dll is loaded.
Ah OK, thanks a lot, I didn't know this ;)
 
Initiate Mage
Joined
Aug 20, 2005
Messages
24
Reaction score
1
I tried to hook the Antihack DLL from pinkof; it starts the splash and the game loads for about 2 sec., then closes. Any idea, sir tomatoes?
 
Experienced Elementalist
Joined
May 16, 2009
Messages
205
Reaction score
101
Many people have asked me to help hook the pinkof GameGuard into the main.
Here is Main with GameGuard.dll hooked ->
Here is Main with GameGuard.dll + zClient.dll hooked ->
zClient.dll? Use yours.

Note: If you have problems starting the game, it is a bad config, not a bad hook; it's a simple hook.
 
Initiate Mage
Joined
Feb 7, 2013
Messages
33
Reaction score
1
Hello.

My main is kor S8..

Please help me hook the zteam s8 dll in my main..

My Main Link:

Thanks..:huh:
 
Experienced Elementalist
Joined
May 10, 2013
Messages
286
Reaction score
62

testmain

Many people have asked me to help hook the pinkof GameGuard into the main.
Here is Main with GameGuard.dll hooked ->
Here is Main with GameGuard.dll + zClient.dll hooked ->
zClient.dll? Use yours.

Note: If you have problems starting the game, it is a bad config, not a bad hook; it's a simple hook.

 
Experienced Elementalist
Joined
May 10, 2013
Messages
286
Reaction score
62
You have disabled autostart analysis of main in the options.
Help me, add my Skype: live:rote2011

 
Skilled Illusionist
Joined
Jan 8, 2012
Messages
332
Reaction score
149
Hello mates! Can someone help me with the new main of zTeam? They have added some extra protection, so I get some GameGuard :: error.
I really want to post my latest update for FREE to the people (liveguard).
Main won't start without Starter.exe ....

I feel pretty stupid because I can't attach it... but I don't have a choice :(

LE: sorry, I forgot, it can be any other .dll, just don't put the export name. Normally my DLL name is liveguard.dll and the export function is Mecanik()
 