[E-Book] Defeating and Emulating INCA's nProtect GameGuard
28th December 2009, 04:50 AM
#1
Posting Well
Join Date: Dec 2009
Posts: 29
Reputation: 181
Rep Power: 350
An e-book I wrote myself which provides the reader information on how GameGuard works and how to reverse its algorithm and eventually create a working emulator to bypass server checks.
Once you really learn how GameGuard works, you could make a universal bypass (well 90% universal, some games have modified algorithms).
I didn't spend TOO much time writing it, so don't be harsh.
You can view the PDF here: http://www.unknowncheats.me/forum/do...o=file&id=4827
Sorry if you think my English is bad.
Last edited by Winslow; 2nd March 2010 at 07:21 PM.
E.T. is offline

28th December 2009, 05:24 AM
#2
Retired Administrator
Not too in-depth, but an interesting tutorial with good information. Nice work E.T.
Winslow is offline

28th December 2009, 05:28 AM
#3
Join Date: Jan 2009
Posts: 321
Reputation: 138
Rep Power: 375
Not elaboratively in-depth, though interesting, although, I remember hearing this somewhere a few back and it doesn't always work for some particular games. Maybe things changed over years (allowing more vulnerabilities or the opposite), although, I'd blatantly assume "over the years" that more enhanced schemes have come over these kinds of things. Good work, although!
iExclusive is offline

28th December 2009, 05:33 AM
#4
The Legendary Cheater
One of my good buddies was working on MU Online and he said that they changed their algorithm every 2 hours? And that he had to reverse around 200 different keys for it before it was complete.
I saw the source, it was truly amazing, is there any truth behind this.
Edit: It was LegendaryHacker's source I saw and I see you credited him lol.
Edit: The problem with this is that the server sends a different index
every few hours which means you can only reverse one case
per every few hours.
Answered my question.
Edit: Your code looks a lot like LegendaryHacker's.......... Just sayin
Last edited by Gellin; 28th December 2009 at 05:41 AM.
Gellin is offline

28th December 2009, 05:36 AM
#5
Posting Well
Threadstarter
Join Date: Dec 2009
Posts: 29
Reputation: 181
Rep Power: 350
Quote:
Originally Posted by Gellin
One of my good buddies was working on MU Online and he said that they changed their algorithm every 2 hours? And that he had to reverse around 200 different keys for it before it was complete.
I saw the source, it was truly amazing, is there any truth behind this.
Edit: It was LegendaryHacker's source I saw and I see you credited him lol.
Yeah, I've worked with him in reversing GameGuard before. He is a good friend of mine.
He probably meant 200 different cases in the switch case which means you can only reverse one case at a time every few hours.
They don't change the entire algorithm. Most games have the same algorithm anyways.
Quote:
Originally Posted by iExclusive
Not elaboratively in-depth, though interesting, although, I remember hearing this somewhere a few back and it doesn't always work for some particular games. Maybe things changed over years (allowing more vulnerabilities or the opposite), although, I'd blatantly assume "over the years" that more enhanced schemes have come over these kinds of things. Good work, although!
I said this myself. Some games have different algorithms. They are very similar though. There might be a piece of code somewhere in between and the cases will not always be the same for every game. Especially the most hacked ones.
Quote:
Originally Posted by Gellin
One of my good buddies was working on MU Online and he said that they changed their algorithm every 2 hours? And that he had to reverse around 200 different keys for it before it was complete.
I saw the source, it was truly amazing, is there any truth behind this.
Edit: It was LegendaryHacker's source I saw and I see you credited him lol.
Edit: The problem with this is that the server sends a different index
every few hours which means you can only reverse one case
per every few hours.
Answered my question.
Edit: Your code looks a lot like LegendaryHacker's.......... Just sayin
Yes, like I said I worked with LegendaryHacker numerous times. I had sent him the original base for the emulator a long time ago before he really knew how GameGuard worked.
It's basically the same for every game except for a few, for example, here is my code for GunZ bypass:
Code:
#include <stdlib.h>

/* Defined elsewhere in the emulator; not shown in this post. */
extern void blowfish__decrypt(unsigned long* key);
extern unsigned long inca__rand(void);

/* Assumes a 32-bit unsigned long (Win32), so inkey is 4 words = 16 bytes. */
unsigned long* inca__keygen(unsigned long* inkey)
{
    unsigned short first = 8;   /* byte pairs per round: 8, 4, 2, 1 */
    unsigned short second = 1;  /* distance between the paired bytes: 1, 2, 4, 8 */
    unsigned int temp;
    unsigned int index;
    unsigned char* ptr1;
    unsigned char* ptr2;
    unsigned char ptr;
    unsigned long* outkey = (unsigned long*)malloc(4 * sizeof(unsigned long));

    blowfish__decrypt(inkey);

    /* Four mixing rounds over the 16 key bytes. */
    while (first)
    {
        ptr1 = (unsigned char*)inkey;
        ptr2 = (unsigned char*)inkey + second;
        for (unsigned short i = 0; i < first; i++)
        {
            for (unsigned short j = 0; j < second; j++)
            {
                /* xor the pair, double it (xor 0xA9 on overflow), fold back into both bytes */
                ptr = (ptr1[0] ^ ptr2[0]);
                if (ptr & 0x80)
                {
                    ptr *= 2;
                    ptr ^= 0xA9;
                }
                else
                    ptr *= 2;
                ptr1[0] ^= ptr;
                ptr1++;
                ptr2[0] ^= ptr;
                ptr2++;
            }
            ptr1 += second;
            ptr2 += second;
        }
        first >>= 1;
        second *= 2;
    }

    /* Final word shuffle. */
    temp = inkey[2];
    inkey[2] = inkey[3];
    inkey[3] = temp;
    temp = inkey[1];
    inkey[1] = inkey[0];
    inkey[0] = inkey[3] ^ temp;

    outkey[0] = 0x10056;
    outkey[1] = inca__rand();
    outkey[2] = inca__rand();
    outkey[3] = inca__rand();

    /* The post ends here; the per-game switch cases are not shown. */
    switch (inkey[0])
    {
    case 0x001:
    {
I stopped at the switch case.
As you can see, for certain games they have things in between, so it's not always the same. But usually the most hacked games have the change in code. Like GunZ.
Last edited by E.T.; 28th December 2009 at 05:44 AM.
E.T. is offline

28th December 2009, 06:42 PM
#6
A Forum Hero
Quote:
Originally Posted by E.T.
An e-book I wrote myself which provides the reader information on how GameGuard works and how to reverse its algorithm and eventually create a working emulator to bypass server checks.
Once you really learn how GameGuard works, you could make a universal bypass (well 90% universal, some games have modified algorithms).
I didn't spend TOO much time writing it, so don't be harsh.
You can view the PDF here: http://b0ts.org/Defeating and Emulating INCA's nProtect GameGuard.pdf
Sorry if you think my English is bad.
would have been useful a year ago :/ kinda already have a nifty system setup that zenma helped me with. Still take a look at it cuz the ring3 bypass that was the only problem was GG requesting packets thanks :01:
ows? MC?
fatboy88 is offline

28th December 2009, 06:47 PM
#7
Posting Well
Threadstarter
Join Date: Dec 2009
Posts: 29
Reputation: 181
Rep Power: 350
Quote:
Originally Posted by fatboy88
would have been useful a year ago :/ kinda already have a nifty system setup that zenma helped me with. Still take a look at it cuz the ring3 bypass that was the only problem was GG requesting packets thanks :01:
ows? MC?
Thaaaaaats me. xD
Haven't seen you in a long time.
Last edited by E.T.; 28th December 2009 at 06:50 PM.
E.T. is offline

29th December 2009, 02:33 AM
#9
Posting Well
Threadstarter
Join Date: Dec 2009
Posts: 29
Reputation: 181
Rep Power: 350
Quote:
Originally Posted by barny21
I think I've seen this somewhere before... did you also post this on GD? I wish I had the time to dig in to this.
How long would a guy that took two weeks, 12 hours a day, to make a d3d hack need to understand this? haha.
Yeah, I posted something similar at GD but not as detailed. Just quick info.
E.T. is offline

29th December 2009, 11:28 AM
#11
A Forum Hero
Quote:
Originally Posted by _GHOSTER_
Legendary did this work, I think you got some shit backwards.
this is ows, he has been fucking w/ GG since Gunz. I'm sure he has done this as I remember he has bypassed GG in the past... if he didn't (I DOUBT) no one cares, dxt are c+p anyways, I'm sure no one will have sympathy. The only original shit there is the bases you sell them.
Last edited by fatboy88; 29th December 2009 at 11:33 AM.
fatboy88 is offline

29th December 2009, 06:14 PM
#12
Posting Well
Threadstarter
Join Date: Dec 2009
Posts: 29
Reputation: 181
Rep Power: 350
Quote:
Originally Posted by fatboy88
this is ows, he has been fucking w/ GG since Gunz. I'm sure he has done this as I remember he has bypassed GG in the past... if he didn't (I DOUBT) no one cares, dxt are c+p anyways, I'm sure no one will have sympathy. The only original shit there is the bases you sell them.
Thanks bud.
Yeah, I had sold one of the old GG algo codes to this guy named Kamil, who Legendary knew, when he was asking me for help like over a year ago.
I remember he was having big trouble with emulating GG and would always ask me. I ignored him for a good while because I didn't think he was actually for real. Then after that, I sold my GG algo to him. I think I still got chat logs on my old hd.
Last edited by E.T.; 30th December 2009 at 01:14 AM.
E.T. is offline

29th December 2009, 06:17 PM
#13
A Forum Hero
Quote:
Originally Posted by E.T.
Thanks bud.
Yeah, I had sold one of the old GG algo codes to Legendary's team (DXT) when he was asking me for help like over a year ago.
I remember he was having big trouble with emulating GG and would always ask me. I think I still got chat logs on my old hd.
I know, I remember one of your first postings of GG (bp an api) @ MC years ago. I don't doubt you reversed it, I remember you working on this years ago also... from your post @ MC.
fatboy88 is offline

29th December 2009, 06:19 PM
#14
Posting Well
Threadstarter
Join Date: Dec 2009
Posts: 29
Reputation: 181
Rep Power: 350
Quote:
Originally Posted by fatboy88
I know, I remember one of your first postings of GG (bp an api) @ MC years ago.
That was the first bypass of GG I released but it wasn't a full bypass. It was more shutting off some of GG's abilities so that memory editing would work. GG was still running though.
E.T. is offline

29th December 2009, 06:21 PM
#15
A Forum Hero
Quote:
Originally Posted by E.T.
That was the first bypass of GG I released but it wasn't a full bypass. It was more shutting off some of GG's abilities so that memory editing would work. GG was still running though.
I know ) I still use it in games that don't request packets w/ a bunch of jmp's :-skull
fatboy88 is offline

29th December 2009, 09:02 PM
#16
Posting Well
Join Date: Dec 2009
Posts: 28
Reputation: 157
Rep Power: 350
Quote:
Originally Posted by barny21
I think I've seen this somewhere before... did you also post this on GD? I wish I had the time to dig in to this.
How long would a guy that took two weeks, 12 hours a day, to make a d3d hack need to understand this? haha.
It's a stickied thread on his older alias, "Vrillion".
Quote:
Originally Posted by Gellin
One of my good buddies was working on MU Online and he said that they changed their algorithm every 2 hours? And that he had to reverse around 200 different keys for it before it was complete.
Like ET said, some games use a large switch/case statement (As he said, another that has its own would be Gunz); most do not, however.
Quote:
Originally Posted by iExclusive
Not elaboratively in-depth, though interesting, although, I remember hearing this somewhere a few back and it doesn't always work for some particular games. Maybe things changed over years (allowing more vulnerabilities or the opposite), although, I'd blatantly assume "over the years" that more enhanced schemes have come over these kinds of things. Good work, although!
No, it should work fine; unless other games use other keys generated by the game (e.g. the game's code segment, or some value the game has to send to the GG client), making it more difficult. This is GG's only reliable defense from being completely disabled on the client-end.
__
"It only deobfuscates the code with a REAL in key from the server" - are you saying that it's encrypted? If so, isn't that what they're doing basically remote code execution? (i.e. A specially crafted key could generate a different sequence of instructions that do something malicious..)
Either way, glad you finally finished the ebook; but weren't you going to message me before you posted it? :P
Guy` is offline
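Guy's point above, that a key derived from the game's own code segment is the one input a standalone emulator cannot supply, is worth seeing as a server-side check. The following is an added illustration, not code from the e-book, from GameGuard or from anyone in this thread: it models a server that issues an "in key", a client that answers with a keyed hash bound to a digest of its code segment, and a verifier that only accepts the answer computed over the shipped build's bytes. HMAC-SHA256, the sample code bytes and the session key are all constructed for the example; the page does not describe GameGuard's actual construction.

```python
import hashlib
import hmac

# Constructed stand-in for the genuine game's code segment. A real check would
# hash the bytes of the game's .text section; these bytes are not game code.
GENUINE_CODE = bytes(range(0x40, 0xC0))

# The same segment with one byte changed: a patched client, or an emulator
# that does not run the real code at all.
_patched = bytearray(GENUINE_CODE)
_patched[17] ^= 0x90
PATCHED_CODE = bytes(_patched)

# Constructed per-session "in key" sent by the server (assumption: random per session).
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def code_segment_digest(code: bytes) -> bytes:
    """Digest of the client's code segment; the response is bound to this value."""
    return hashlib.sha256(code).digest()


def client_response(server_key: bytes, code: bytes) -> bytes:
    """Client side: keyed hash of the server's challenge under the code digest.

    An emulator that is not running the genuine segment has no way to produce
    the same digest and therefore the same response.
    """
    return hmac.new(code_segment_digest(code), server_key, hashlib.sha256).digest()


def server_verify(server_key: bytes, response: bytes, known_good_digest: bytes) -> bool:
    """Server side: recompute from the digest of the build it shipped and compare
    in constant time, so timing does not leak how many bytes matched."""
    expected = hmac.new(known_good_digest, server_key, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the exchange for a genuine client, a patched client and an emulator with no code."""
    good = code_segment_digest(GENUINE_CODE)
    return {
        "genuine_client": server_verify(SERVER_KEY, client_response(SERVER_KEY, GENUINE_CODE), good),
        "patched_client": server_verify(SERVER_KEY, client_response(SERVER_KEY, PATCHED_CODE), good),
        "no_code_at_all": server_verify(SERVER_KEY, client_response(SERVER_KEY, b""), good),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The check raises the bar exactly as far as the quoted post says and no further: it rejects a client whose code has been altered or replaced, but it cannot distinguish a genuine client from one that merely carries an unmodified copy of the segment, which is why it is a defense against being "completely disabled" rather than a guarantee.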

29th December 2009, 10:47 PM
#17
Posting Well
Threadstarter
Join Date: Dec 2009
Posts: 29
Reputation: 181
Rep Power: 350
Quote:
Originally Posted by Guy`
"It only deobfuscates the code with a REAL in key from the server" - are you saying that it's encrypted? If so, isn't that what they're doing basically remote code execution? (i.e. A specially crafted key could generate a different sequence of instructions that do something malicious..)
Either way, glad you finally finished the ebook; but weren't you going to message me before you posted it? :P
It's polymorphic. :P The key is used as part of the deobfuscation. And if it's a fake key, no proper code is deobfuscated. :boggled:
E.T. is offline

30th December 2009, 12:36 AM
#18
Posting Well
Join Date: Dec 2009
Posts: 28
Reputation: 157
Rep Power: 350
Quote:
Originally Posted by E.T.
It's polymorphic. :P The key is used as part of the deobfuscation. And if it's a fake key, no proper code is deobfuscated. :boggled:
Obfuscated code would run fine, it'd just appear to be very confusing.
Encrypted code wouldn't run.
Is it encrypted or obfuscated?
Anyways, I meant if the key is crafted to have the code result as a certain set of instructions, different than acting as part of the switch/case statement, this could mean that GG's capable of RCE.
Guy` is offline

30th December 2009, 01:23 AM
#19
Master Contributor
it is interesting, I'll give you that, still twenty times more fun to sneak by anticheats undetected, but very interesting.
it goes without mentioning almost, but there ARE other ways (easier even) to bypass GG than emulating it completely.
gj.
s0beit is offline

30th December 2009, 01:27 AM
#20
Posting Well
Threadstarter
Join Date: Dec 2009
Posts: 29
Reputation: 181
Rep Power: 350
Quote:
Originally Posted by s0beit
it is interesting, I'll give you that, still twenty times more fun to sneak by anticheats undetected, but very interesting.
it goes without mentioning almost, but there ARE other ways (easier even) to bypass GG than emulating it completely.
gj.
I'm guessing you are referring to sandboxing?
E.T. is offline