In this topic, I would like to conclude everything that has been discussed about rev833 or higher so that any confusions can be cleared. Do note that i do NOT write these codes and I'll give credit at the bottom of this topic...
1) Delete this code (in the DBKKernel -> DBKFunc.c)
Delete/comment out this code at BOOLEAN HookInt1(void)
Code:
NewInt1.wLowOffset=(WORD)&interrupt1;
NewInt1.wHighOffset=(WORD)((DWORD)&interrupt1 >> 16);
....
Code:
__asm
{
PUSHFD //no idea why, I doubt it's usefull, but let's use it too....
CLI
}
idt.vector[1]=NewInt1;
__asm
{
STI
POPFD
}
and
delete and comment out this code at bottom of
ULONG __stdcall GeneralHandler(,,)
Code:
NewInt1.wLowOffset=(WORD)&interrupt1;
NewInt1.wHighOffset=(WORD)((DWORD)&interrupt1 >> 16);
((PINT_VECTOR)(IDTAddresses[i]))[1]=NewInt1;
2) Add this global value
after
Code:
#include "DBKFunc.h"
#ifndef AMD64
void interrupt1( void );
void interrupt3( void );
void interruptD1( void );
#endif
ULONG Int1Address;
ULONG Int3Address;
ULONG IntD1Address;
INT_VECTOR NewInt1;
INT_VECTOR NewIntD1;
add
Code:
BYTE *INT1_Address;
UCHAR OINT1code[10]; // for save original INT1 code
unsigned long reentry_address; //return address of detour func
unsigned long detour_address;
3) Add this function after ULONG getCR4(void)
Code:
VOID InterSet( void )
{
_asm
{
CLI
MOV EAX, CR0
AND EAX, NOT 10000H
MOV CR0, EAX
}
}
VOID InterUnset( void )
{
_asm
{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}
}
VOID DetourINT1()
{
char *actual_function = (char *)INT1_Address;
int i = 0;
UCHAR newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08, 0x00,0x90,0x90};
reentry_address = ((unsigned long)INT1_Address) + 9;
detour_address = (unsigned long)interrupt1;
*( (unsigned long *)(&newcode[1]) ) = detour_address;
memcpy(OINT1code,INT1_Address,9);
InterSet();
for(i=0;i < 9;i++)
{
actual_function[i] = newcode[i];
}
InterUnset();
}
and add INT1_Address = (BYTE *)Int1Address and DetourINT1() call like so.... i donno how to put colour so find urself
Code:
BOOLEAN HookInt1(void)
{
#ifndef AMD64
IDT idt;
//DbgPrint("Going to hook int1\n");
GetIDT(&idt);
__try
{
if (OriginalInt1.wHighOffset==0)
{
//DbgPrint("New hook, so storing the original Int1Handler\n");
OriginalInt1=idt.vector[1];
NewInt1=idt.vector[1];
NewIntD1=idt.vector[0xd1];
Int1Address=idt.vector[1].wLowOffset+(idt.vector[1].wHighOffset << 16); //save the original address of the int3 handler
INT1_Address = (BYTE *)Int1Address;
DetourINT1(); //like yo
Code:
//now overwrite the vector so it points to my handler
//DbgPrint("Changing the vector to point to my handler\n");
-----------------------------------------------------------------------------
We already Deleted this code at 1) step
[u] __asm
{
PUSHFD //no idea why, I doubt it's usefull, but let's use it too....
CLI
}
idt.vector[1]=NewInt1;
__asm
{
STI
POPFD
}[/u]
--------------------------------------------------------------------
INT1_Address = (BYTE *)Int1Address;
DetourINT1(); //call this function at here
return TRUE;
4) Fix the interrupt1() code
Code:
_declspec( naked ) void interrupt1( void )
{
__asm{
nop
cmp [DebuggedProcessID],0 //there's currently no debugging gong on so quit
nop
je Original
nop
PUSHAD //32
push ds //4
push es //4
push gs //4
push fs //4
mov ax,0x23
mov ds,ax
mov es,ax
mov gs,ax
mov ax,0x30
mov fs,ax
mov eax,esp
add eax,48
push eax //the location of the original stack
PUSH 1 //int 3 identifier
CALL GeneralHandler //call my regular int handler
cmp eax,1 //if 1 then do no handle the original handler
je Exit
pop fs
pop gs
pop es
pop ds
POPAD
Original:
push 0 //Added by dual
mov word ptr [ESP+2], 0 //
jmp [reentry_address ]
Exit:
pop fs
pop gs
pop es
pop ds
POPAD
IRETD
};
}
5) Add this code after VOID DetourINT1() function
Code:
VOID UnDetourINT1()
{
int i = 0;
//DbgPrint("Undetor");
InterSet();
for(i =0;i < 9;i++)
{
INT1_Address[i] = OINT1code[i];
}
InterUnset();
}
and call at DriverUnload Routine in DBKDrvr.c
like this:
Code:
void MSJUnloadDriver(PDRIVER_OBJECT DriverObject)
{
if (ProtectOn)
return;
if (KeServiceDescriptorTableShadow && registered) //I can't unload without a shadotw table (system service registered)
{
//1 since my routine finds the address of the 2nd element
KeServiceDescriptorTableShadow[1].ArgumentTable=NULL;
KeServiceDescriptorTableShadow[1].CounterTable=NULL;
KeServiceDescriptorTableShadow[1].ServiceTable=NULL;
KeServiceDescriptorTableShadow[1].TableSize=0;
KeServiceDescriptorTable[2].ArgumentTable=NULL;
KeServiceDescriptorTable[2].CounterTable=NULL;
KeServiceDescriptorTable[2].ServiceTable=NULL;
KeServiceDescriptorTable[2].TableSize=0;
}
UnDetourINT1();
...
6) At DBKFunc.h, remember to add
Code:
void UnDetourINT1(void);
Question: you might ask yourself... why i change everything exactly as above but still get reboots after changing the register???
Answer: well, for this modification to work properly, you have to change MapleStory.exe compatibility to Window 98/ME~~
because of this, I've gotten my com restarted many times as some of you also did. I donno why so, I hope the pros can shed some light about this or help modify the code so that it can be used on Windows XP too
if you feel that this fix is very informative and organize, don't hesitate to + rep
any problems or if you think anything is missing, do post ur reply here
thanks...
P/S: 1. do not leak ur engine after ur hard work, ppl will send to asiasoft
2. ppl buying UCE's are stupid, why don do it urself?
3. if have so much money, do donate to dark byte
CREDITS for this fix goes to dual, dark byte as well as other pros
_________________
Morning brings you Hopes...
Afternoon brings you Faiths...
Evening brings you Love...
Night brings you Rest...
Hope you found them everyday!
'Security > Reversing' 카테고리의 다른 글
| 언패커모음사이트 (0) | 2007.03.09 |
|---|---|
| Bypass REV 939 (0) | 2007.03.08 |
| Bypass REV 878 (0) | 2007.03.08 |
| About GameGuard (0) | 2007.03.08 |
| Wall Hack 의 원리 (1) | 2007.03.08 |
