
Bypass REV 833

by Hide­ 2007. 3. 8.

In this topic, I would like to summarise everything that has been discussed about rev833 or higher so that any confusion can be cleared up. Do note that I did NOT write this code; I give credit at the bottom of this topic...

1) Delete this code (in the DBKKernel -> DBKFunc.c)

Delete/comment out this code in BOOLEAN HookInt1(void)
Code:
 
NewInt1.wLowOffset=(WORD)&interrupt1;
NewInt1.wHighOffset=(WORD)((DWORD)&interrupt1 >> 16);
 


....
Code:
 
__asm
{
 PUSHFD //no idea why, I doubt it's usefull, but let's use it too....
CLI
}
idt.vector[1]=NewInt1;
__asm
{
   STI
   POPFD
}
 


and
delete or comment out this code at the bottom of
ULONG __stdcall GeneralHandler(,,)

Code:
 
   NewInt1.wLowOffset=(WORD)&interrupt1;
               NewInt1.wHighOffset=(WORD)((DWORD)&interrupt1 >> 16);

               ((PINT_VECTOR)(IDTAddresses[i]))[1]=NewInt1;   
 


2) Add this global value

after
Code:
 
#include "DBKFunc.h"

#ifndef AMD64
void interrupt1( void );
void interrupt3( void );
void interruptD1( void );
#endif

/* Saved handler addresses / IDT entries captured by HookInt1() before anything is modified. */
ULONG Int1Address;      // linear address of the original INT 1 handler (idt.vector[1] low|high offset, see HookInt1)
ULONG Int3Address;      // presumably the same for INT 3 — not set anywhere in this excerpt
ULONG IntD1Address;     // presumably the same for vector 0xD1 — not set anywhere in this excerpt
INT_VECTOR NewInt1;     // copy of the original INT 1 IDT entry; after step 1 it is no longer written back into the IDT
INT_VECTOR NewIntD1;    // copy of the original 0xD1 IDT entry



add
Code:

/* State for the in-place code patch applied by DetourINT1() and undone by UnDetourINT1(). */
BYTE *INT1_Address;            // original INT 1 handler as a byte pointer; HookInt1() sets it from Int1Address before calling DetourINT1()
UCHAR OINT1code[10];           // saved copy of the handler's first 9 bytes (memcpy in DetourINT1), restored by UnDetourINT1()
unsigned long reentry_address; // INT1_Address + 9: where interrupt1()'s "Original:" path jumps back into the patched handler
unsigned long detour_address;  // address of interrupt1(), written into the far-JMP patch
 


3) Add these functions after ULONG getCR4(void)

Code:

/*
 * Open a window in which kernel code pages can be written: disable interrupts
 * on this CPU, then clear CR0 bit 16 (WP, write-protect) so that ring-0 writes
 * are no longer blocked by read-only page mappings. Paired with InterUnset().
 *
 * NOTE(review): CLI and CR0 are per-processor; nothing here keeps another CPU
 * from executing the handler while it is being patched — confirm the driver
 * only targets uniprocessor configurations.
 */
VOID InterSet( void )
{
   _asm
   {
      CLI                        // mask maskable interrupts on this CPU before touching CR0
      MOV   EAX, CR0   
      AND EAX, NOT 10000H        // clear bit 16 = CR0.WP
      MOV   CR0, EAX
   }
}
/*
 * Close the window opened by InterSet(): set CR0 bit 16 (WP) again so kernel
 * code pages are write-protected, then re-enable interrupts on this CPU.
 * Must be called on the same CPU and only after a matching InterSet().
 */
VOID InterUnset( void )
{
   _asm
   {
      MOV   EAX, CR0       
      OR   EAX, 10000H           // set bit 16 = CR0.WP
      MOV   CR0, EAX         
      STI                        // only now allow interrupts again
   }
}
/*
 * Overwrite the first 9 bytes of the original INT 1 handler (INT1_Address, set
 * by the caller from Int1Address) with a far absolute JMP to interrupt1().
 *
 * Patch layout written over the handler:
 *   0xEA <4-byte offset> 0x08 0x00   far JMP ptr16:32 to detour_address, selector 0x0008
 *   0x90 0x90                        two NOPs to pad the patch to 9 bytes
 *
 * The detour never executes the 9 bytes it overwrote: interrupt1()'s
 * "Original:" path jumps to reentry_address (= INT1_Address + 9) after
 * re-creating their effect itself (the push 0 / mov word ptr [ESP+2],0 pair).
 * That makes the patch specific to handler builds whose first 9 bytes are
 * exactly those two instructions — presumably what the reboots on other
 * configurations come from; verify against the target kernel before use.
 *
 * The original bytes are saved in OINT1code so UnDetourINT1() can restore them.
 * Caller: HookInt1(). No return value; no failure path.
 */
VOID DetourINT1()
{
   char *actual_function = (char *)INT1_Address;   // the original handler, viewed as writable bytes
   int i = 0;

   // byte 0 = far JMP opcode, bytes 1..4 = placeholder offset, bytes 5..6 = selector, bytes 7..8 = NOP NOP
   UCHAR newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08, 0x00,0x90,0x90};
   
   reentry_address = ((unsigned long)INT1_Address) + 9;   // first byte after the patch
   
   detour_address = (unsigned long)interrupt1;
   
   *( (unsigned long *)(&newcode[1]) ) = detour_address;   // overwrite the 0x11223344 placeholder (unaligned write, x86 only)

   memcpy(OINT1code,INT1_Address,9);   // keep the original bytes for UnDetourINT1()

   InterSet();   // interrupts off, CR0.WP cleared: the handler page is normally read-only
   for(i=0;i < 9;i++)
   {
      actual_function[i] = newcode[i];   // byte-wise write; not atomic, hence the interrupt-off window
   }
   InterUnset();
}
 


and add the `INT1_Address = (BYTE *)Int1Address;` assignment and the `DetourINT1()` call like so.... i donno how to put colour so find it urself

Code:

BOOLEAN HookInt1(void)
{
#ifndef AMD64
   IDT idt;

   //DbgPrint("Going to hook int1\n");
   GetIDT(&idt);

   __try
   {
      if (OriginalInt1.wHighOffset==0)
      {
         //DbgPrint("New hook, so storing the original Int1Handler\n");
            OriginalInt1=idt.vector[1];
         NewInt1=idt.vector[1];
         NewIntD1=idt.vector[0xd1];

         Int1Address=idt.vector[1].wLowOffset+(idt.vector[1].wHighOffset << 16); //save the original address of the int3 handler
      INT1_Address = (BYTE *)Int1Address;
      DetourINT1(); //like yo
 


Code:

      //now overwrite the vector so it points to my handler
      //DbgPrint("Changing the vector to point to my handler\n");
-----------------------------------------------------------------------------
We already deleted this code in step 1)
[u]      __asm
      {
         PUSHFD //no idea why, I doubt it's usefull, but let's use it too....
         CLI
      }
      idt.vector[1]=NewInt1;
      __asm
      {
         STI
         POPFD
      }[/u]
--------------------------------------------------------------------
                      INT1_Address = (BYTE *)Int1Address;
                      DetourINT1(); //call this function at here
      return TRUE;
 


4) Fix the interrupt1() code

Code:

_declspec( naked ) void interrupt1( void )
{

   __asm{
      nop
      cmp [DebuggedProcessID],0 //there's currently no debugging gong on so quit
      nop
      je Original
      nop       

      PUSHAD   //32       
      push ds //4
      push es //4
      push gs //4
      push fs //4

      mov ax,0x23
      mov ds,ax
      mov es,ax
      mov gs,ax
      mov ax,0x30
      mov fs,ax

      mov eax,esp
      add eax,48
      push eax //the location of the original stack
      PUSH 1 //int 3 identifier
      CALL GeneralHandler //call my regular int handler
      cmp eax,1 //if 1 then do no handle the original handler
      je Exit
      pop fs
      pop gs
      pop es
      pop ds
      POPAD
Original:
             push 0   //Added by dual
             mov word ptr [ESP+2], 0  // 
             jmp [reentry_address ]

Exit:
      pop fs   
      pop gs
      pop es
      pop ds
      POPAD
       
      IRETD
   };


 


5) Add this code after VOID DetourINT1() function

Code:

/*
 * Undo DetourINT1(): copy the 9 saved bytes in OINT1code back over the start
 * of the original INT 1 handler at INT1_Address, inside the same
 * interrupts-off / CR0.WP-cleared window. Called from the driver unload path.
 *
 * NOTE(review): nothing checks that DetourINT1() actually ran; if it did not,
 * INT1_Address is still NULL and OINT1code is all zeros — confirm the unload
 * path cannot reach this function before HookInt1() has run.
 */
VOID UnDetourINT1()
{
   int i = 0;

   //DbgPrint("Undetor");
   InterSet();   // handler page is read-only without this
   for(i =0;i < 9;i++)
   {
      INT1_Address[i] = OINT1code[i];   // restore the original first 9 bytes
   }
   InterUnset();
}
 


and call it from the DriverUnload routine in DBKDrvr.c,
like this:

Code:

void MSJUnloadDriver(PDRIVER_OBJECT DriverObject)
{
   if (ProtectOn)
      return;

   if (KeServiceDescriptorTableShadow && registered) //I can't unload without a shadotw table (system service registered)
   {
      //1 since my routine finds the address of the 2nd element
      KeServiceDescriptorTableShadow[1].ArgumentTable=NULL;
      KeServiceDescriptorTableShadow[1].CounterTable=NULL;
      KeServiceDescriptorTableShadow[1].ServiceTable=NULL;
      KeServiceDescriptorTableShadow[1].TableSize=0;

      KeServiceDescriptorTable[2].ArgumentTable=NULL;
      KeServiceDescriptorTable[2].CounterTable=NULL;
      KeServiceDescriptorTable[2].ServiceTable=NULL;
      KeServiceDescriptorTable[2].TableSize=0;
   }
   
   UnDetourINT1();
...
 


6) At DBKFunc.h, remember to add
Code:

void UnDetourINT1(void);
 


Question: you might ask yourself... why do I still get reboots after changing a register, even though I changed everything exactly as above???

Answer: well, for this modification to work properly, you have to set MapleStory.exe's compatibility mode to Windows 98/ME~~

Because of this, I've had my computer restart many times, as some of you also have. I don't know why, so I hope the pros can shed some light on this or help modify the code so that it can be used on Windows XP too.

if you feel that this fix is very informative and well organized, don't hesitate to + rep 

if you have any problems, or if you think anything is missing, do post ur reply here
thanks...

P/S: 1. do not leak ur engine after ur hard work, ppl will send to asiasoft
2. ppl buying UCE's are stupid, why don do it urself?
3. if have so much money, do donate to dark byte 

CREDITS for this fix goes to dual, dark byte as well as other pros 
_________________
Morning brings you Hopes...
Afternoon brings you Faiths...
Evening brings you Love...
Night brings you Rest...
Hope you found them everyday!
