Remove NGS/XC, available for any region, 2015 ~ current version

Thanks, I don't have any idea how to find the CWvsApp::Run CRC 😫
You can use the AoB from CMS_v85U_DEVM.idb to match other versions.
C++:
IDB simple example
void __thiscall CWvsApp::Run(_DWORD *this, _DWORD *a2)
{
    ...
    if ( !dword_D87954 )
        _com_issue_error(-2147467261);
    IWzGr2D::RenderFrame((void *)dword_D87954); // CMS85Call(00B5E81D)->CMS85Func(00844F34)
    v37 = get_rand(dword_D83800) % 0x64u;
    if ( v37 < 50 )
    {
        if ( v37 < 15 )
            v37 = 1;
        else
            v37 = 2;
    }
    ...
    dword_D8614C(1); // CMS85Jmp(00B5F0C8)
}
Set the IWzGr2D::RenderFrame return address to the jmp address.
C++:
CPP simple example
#include <windows.h> // ULONG_PTR
#include <intrin.h>  // _AddressOfReturnAddress (MSVC intrinsic)

ULONG_PTR uRenderFrameAddr = 0x00844F34;    // CMS85 IWzGr2D::RenderFrame
ULONG_PTR uRenderFrameJmpAddr = 0x00B5F0C8; // CMS85 jmp target in CWvsApp::Run
int(__thiscall* _IWzGr2D__RenderFrame)(void* ecx) = nullptr; // original function (trampoline)
int __fastcall IWzGr2D__RenderFrame_Hook(void* ecx, void* edx)
{
    ...
    // overwrite this frame's return address so control continues at the jmp address
    *(ULONG_PTR*)_AddressOfReturnAddress() = uRenderFrameJmpAddr;
    return _IWzGr2D__RenderFrame(ecx);
}
SetHook(true, reinterpret_cast<void**>(&_IWzGr2D__RenderFrame), IWzGr2D__RenderFrame_Hook);
Thanks. CMS85 is too old a version. I actually don't understand how Nexon makes the client crash. Invoke NtCurrentTeb and set teb.StackBase = 0? :(
C-like:
1. stack clear and death (pre-bb and post-bb)
1) clear all registers and the stack to 0; pre-bb -> low to high, post-bb -> high to low
2) jmp to address 0x0 and crash by access violation

2. call 0 (post-bb)
1) call address 0x0 and crash by access violation

3. unknown asm (CMS and GMS)
execute unknown asm via cmp & jne
this is in CFuncKeyMap and some functions

4. call low address (MSEA)
1) call a random low address and crash by access violation

self crash codes finder
The CWvsApp::Run CRC was found in these old versions (CMS79-CMS126).
The CMS85 CWvsApp::Run CRC should be easy to match to other old versions because the function AoB is similar.
The difference is that higher versions enable VMProtect for CWvsApp::Run.
CMS104 is the last version in which all functions can be fully unvirtualized.
CMS105 or later started using VMProtect, and you can't see the function without unvirtualizing it.
You need to learn some knowledge about VMProtect in order to unvirtualize it.
Official removed the CWvsApp::Run CRC and enabled the CWvsContext::OnEnterField CRC after CMS126.
Removing the CWvsContext::OnEnterField CRC is easier than removing the CWvsApp::Run CRC.
I recommend using CMS136 instead of CMS121 because there was an idb leak from KMS1029.
CMS85 and CMS95 are also good versions to learn client edit and wz edit.
Right! It calls GetTickCount in CWvsApp::Run and then clears the current thread's stack memory in a for-loop.
It leads to a crash when the client attempts to access the now-empty memory.
Thanks again. :)