remove NGS/XC available any regions 2015 ~ current version

Tested and available on:
KMST 1.2.1175/1176, GMS 249.2/251.2, CMS 208.1, TMS 194.1/261.4 and JMS 424.1/425.1

A simple explanation of how this works:

C++:
#include <windows.h>
#include <intrin.h>// _ReturnAddress / _AddressOfReturnAddress

// original function pointer, filled in by the hooking routine
void(__thiscall* _SendWvsSetUpStep)(int, int);

void __fastcall SendWvsSetUpStep_Hook(int Step, int a2) {

//    if (Step == 4) {// CMS
    if (Step == 12) {// log step 12 retaddr
        ULONG_PTR retaddr = (ULONG_PTR)_ReturnAddress();
        SCANRES(retaddr);// debug output
    } else if (Step == 1) {// modify to step 12 retaddr
        *(ULONG_PTR*)_AddressOfReturnAddress() = 0x1472B7A2A;// << Step 12's retaddr (it's inside the VM block)
    }

    return _SendWvsSetUpStep(Step, a2);
}

CMS needs to use the retaddr of step 4.
Since CMS also uses another anti-cheat in addition to XC/NGS, the startup sequence is a little different.

-

Addresses for some versions


Code:
CMS 208.1
SendWvsSetUpStep = 143FB7250
step 4 retaddr = 149660519

GMS 251.2
SendWvsSetUpStep = 144953C70
step 12 retaddr = 14A055B1C

KMST 1.2.1175
SendWvsSetUpStep = 144B368D0
step 12 retaddr = 1472B7A2A

JMS 424.1
SendWvsSetUpStep = 1445D1D40
step 12 retaddr = 1497DB94C

JMS 425.1
SendWvsSetUpStep = 144803A40
step 12 retaddr = 149BBB92A

KMST 1.2.1176
SendWvsSetUpStep = 144CCFC40
step 12 retaddr = 1474B64F3
 
In your testing have you experienced crashing with 0xc0000409 (EXCEPTION_STACK_BUFFER_OVERRUN)? If I return the Step 12 RetAddr on Step 1 then it crashes, but if I do it on any other Step (i.e. Step 11 comes right after Step 1 in GMS but before Step 2) then it does not crash. My understanding is if I do this StartNGS is called but the other CSecurityClient methods are skipped. (i.e. InitModule, StartModule, and InitKeyCrypt, assuming they are the same in order as being called in GMS as from the KMST reference.)
 
I haven't encountered that.
Which version?
 
I have tested this on v251.2 and v252.2 (current) and experienced the same on both.

I should also add that I am applying both of the CRC patches in your other post.
 


Hmm, no problem on my side.

C++:
#include <windows.h>
#include <intrin.h>// _ReturnAddress / _AddressOfReturnAddress

// original function pointer, filled in by the hooking routine
void(__thiscall* _SendWvsSetUpStep)(int, int);
// address of SendWvsSetUpStep in the loaded client, resolved elsewhere
extern ULONG_PTR uSendWvsSetUpStep;

void __fastcall SendWvsSetUpStep_Hook(int nWvsSetUpStep, int a2) {

    SCANRES(nWvsSetUpStep);// debug output of every step

    if (nWvsSetUpStep == 12) {
//    if (nWvsSetUpStep == 4) {// CMS
        SCANRES((ULONG_PTR)_ReturnAddress());
    } else if (nWvsSetUpStep == 1) {
        if (uSendWvsSetUpStep == 0x1448B6DC0) *(ULONG_PTR*)_AddressOfReturnAddress() = 0x14A0DE451;// GMS 252.2
    }

    return _SendWvsSetUpStep(nWvsSetUpStep, a2);
}

I have no idea why EXCEPTION_STACK_BUFFER_OVERRUN appears on your side.
 
I've confirmed it works on GMS by itself; that's odd. I've confirmed the issue is with one of the other hooks I am using.

Thank you for your help.
 
CMS 208.1
SendWvsSetUpStep = 149660519
step 4 retaddr = 149660519

Is SendWvsSetUpStep correct?
I accidentally mistyped it.

CMS 208.1
SendWvsSetUpStep = 143FB7250
step 4 retaddr = 149660519
 
Can you suggest a way to find SendWvsSetUpStep? I just can't seem to get it :/

Am I looking at it?
For x86:
Code:
55 8B EC 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 83 EC ?? A1 ?? ?? ?? ?? 33 C5 50 8D ?? ?? 64 ?? ?? ?? ?? ?? 68

If you cannot find it, send the unpacked exe here.
 
- v229.3

I can find it in Olly, but not in IDA. It seems to be virtualized as well. How do I proceed from here to find the step 12 retaddr?
Also, in your code, what is the function SCANRES? What is it supposed to do?
 
It just outputs debug strings.
 
Thanks :) Any idea how to get the step 12 addr if I can't see CWvsApp::SetUp? I also can't x-ref the function since it wasn't analyzed as one in IDA.

Another thing: do I just hook it the same way I hook StringPool? (I use the public AuthHook.) With this hook I don't specify the SendWvsSetUpStep address, just the step 12 one, right? Normally ZXChar::Assign and StringPool are reinterpret_cast to their addresses.

Code:
// how the other functions are bound to fixed addresses
typedef ZXString<char>* (__fastcall* StringPool__GetString_t)(void* ecx, void* edx, ZXString<char>* result, unsigned int nIdx, char formal);
auto StringPool__GetString = reinterpret_cast<StringPool__GetString_t>(0x00AFA940);
typedef void(__fastcall* ZXString_char__Assign_t)(void* pThis, void* edx, const char* s, int n);
auto ZXString_char__Assign = reinterpret_cast<ZXString_char__Assign_t>(0x00943EF0);

Code:
// how the SendWvsSetUpStep hook is installed
SetHook(TRUE, reinterpret_cast<void**>(&_SendWvsSetUpStep), SendWvsSetUpStep_Hook);
 