Thread author, post #1
1) General information about the loader:
Protector - Themida
PE - x32
2) Authorisation:
1. A large message is sent to the server consisting of: login / password / HWID (hash) / computer components.
2. On successful authorisation the server returns the name of the cheat that was paid for on the forum and allows injecting it; obviously only that cheat is accessible, the others are unavailable.
3) Inject:
1. When you click the inject button, the server sends the size of the cheat DLL and a list of modules whose addresses it will need later (client.dll, engine2.dll and something else).
2. Memory for the cheat is allocated (by the driver) with the size received earlier from the server.
3. The cheat's memory is hidden (by the driver; a little more on this below).
4. After hiding the cheat memory, the loader sends the server all the import addresses from the game (which it collected before allocating memory for the cheat).
5. The server then returns an already fixed-up binary, the Iniuria cheat (no PE header in the binary from the server; imports already resolved), followed by the entry point addresses to call.
6. Write it and call the EP. This step already runs under the VM together with the driver, which is why I was too lazy to do this step.
4) Crack options:
1. Initially I tried to pull the binary it received from the server; I managed to find it and tried to run it, but since this option had its own nuances and in general I lacked the data needed for a successful injection, I did not continue with this method.
2. After some time I decided to return to the function that hid the cheat memory (it could not be found at all in the debugger or in anything else from user mode), and I decided to look at the arguments of the call after which the program memory was hidden. The arguments were as follows:
1. the base address of the cheat code (which was allocated earlier)
2. the PID of the game.
Then I decided to change the address passed for hiding to an address that I had allocated myself. And that is when the fun started: my memory was hidden and the injection went through, so I bypassed the software's memory hiding and had a clean copy, after which it was a simple matter to dump it and run the dump. (Before that I also tried simply cancelling the call after which the memory was hidden, but that resulted in a "Failed to write" error or something like that.)
5) Dumping:
1. I had to dump the cheat before the EP was called, and I knew which address was the entry point from what the server sent.
2. I simply attached the debugger to the game during the memory allocation phase and set a breakpoint at the entry point address (since the EP address is sent by the server later, together with the binary, I took the address from the previous injection and converted it to an RVA).
3. I then waited for the cheat to be written, and after a couple of seconds my breakpoint on the entry point triggered.
4. I dumped the cheat memory; since the imports are still there and are not encrypted in any way in Iniuria, I just found the IAT and parsed it, getting entries of the form {iat addr, modulename, importname}.
5. I then ran it with my mapper. I got an error about failing to connect to the driver or something like that. I ignored it, since the initialisation in the cheat binary is done locally and all the necessary data is already in the cheat, not coming from the server or the driver.
6. I found the conditional jumps where, if the driver was not found, it crashed; I just overwrote them with jmp, the errors stopped appearing, and the cheat ran fully.
Inject: [link; forum login required to view]
That's the end of my first article. I didn't say much about the driver itself, as I didn't pay attention to it and tried to get more information from the loader itself.
I was very surprised by the memory hiding; I have never seen this before, but I think it's very cool. I would also like to apologise for not providing any screenshots, as I did the crack a couple of days ago and wasn't planning to write an article.
A funny moment: [link; forum login required to view]
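The IAT parsing in step 5.4 (finding the table in a headerless 32-bit dump and turning it into {iat addr, modulename, importname} entries) and the import fix-up a mapper then performs, as an added example. This is not code from the post, from Iniuria or from the loader; the dump bytes, module names, export addresses and image base are constructed for illustration, and the export tables stand in for what a real session would collect by walking the export directories of the modules loaded in the game.

```python
import struct

POINTER_SIZE = 4  # PE x32: each IAT slot is a 4-byte little-endian pointer

# Constructed export tables for the process the dump was taken from:
# module -> {absolute address: export name}. In a real session these are
# built by walking the export directory of each module loaded in the game;
# the modules, names and addresses here are made up for the example.
EXPORTS = {
    "kernel32.dll": {
        0x75671230: "VirtualAlloc",
        0x75674450: "GetProcAddress",
        0x75678800: "CreateThread",
    },
    "user32.dll": {
        0x761020A0: "GetAsyncKeyState",
        0x76105F00: "FindWindowA",
    },
    "client.dll": {
        0x6F201000: "CreateInterface",
    },
}


def resolve(ptr, exports=EXPORTS):
    """Map an absolute pointer to (module, export name), or None if it does
    not land on a known export."""
    for module, table in exports.items():
        name = table.get(ptr)
        if name is not None:
            return module, name
    return None


def find_iat(dump, image_base, exports=EXPORTS, min_run=3):
    """Locate the IAT in a headerless dump by scanning for runs of
    consecutive pointer-sized slots that all resolve to known exports.

    Returns a list of {iat_addr, rva, module, import} entries. A run
    shorter than min_run is discarded: a lone value that happens to equal
    an export address is most likely data, not an import slot.
    """
    entries, run = [], []
    for off in range(0, len(dump) - POINTER_SIZE + 1, POINTER_SIZE):
        hit = resolve(struct.unpack_from("<I", dump, off)[0], exports)
        if hit is not None:
            module, name = hit
            run.append({"iat_addr": image_base + off, "rva": off,
                        "module": module, "import": name})
            continue
        if len(run) >= min_run:
            entries.extend(run)
        run = []
    if len(run) >= min_run:
        entries.extend(run)
    return entries


def apply_imports(dump, entries, new_exports):
    """Rewrite every recovered IAT slot with the address of the same export
    in another process (the fix-up a manual mapper performs before writing
    the image). new_exports: module -> {export name: absolute address}."""
    out = bytearray(dump)
    for e in entries:
        try:
            addr = new_exports[e["module"]][e["import"]]
        except KeyError:
            raise KeyError(f"cannot resolve {e['module']}!{e['import']}")
        struct.pack_into("<I", out, e["rva"], addr)
    return bytes(out)


def build_sample_dump():
    """Constructed headerless 32-bit dump: a few code bytes, a five-slot
    IAT, a zero terminator, then data containing one stray value that
    equals an export address (to show the min_run filter)."""
    code = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10  # push ebp; mov ebp,esp; sub esp,10h; nops
    iat = struct.pack("<5I", 0x75671230, 0x75674450, 0x75678800,
                      0x761020A0, 0x76105F00)
    terminator = b"\x00" * 4
    data = b"ABCDEFGH" + struct.pack("<I", 0x6F201000) + b"\x00" * 8
    return code + iat + terminator + data


if __name__ == "__main__":
    base = 0x0A000000  # where the loader's allocation landed (constructed)
    for e in find_iat(build_sample_dump(), base):
        print(f"{e['iat_addr']:#010x} {e['module']} {e['import']}")
```

The scan steps in pointer-sized strides, so it assumes the IAT is 4-byte aligned inside the allocation; the `rva` kept in each entry is what the mapper needs, since the absolute slot address changes with every new allocation while the offset inside the image does not.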