How to Bypass a CRC Check

by Hide, 2007. 7. 9.

There are many foreign hackers whose skills are remarkably good, and I envy them. I am posting the English original as it is, because translating it would distort the original meaning too much.

This is the one on CEF:

Many of you have been saying CRC is patched. IT'S NOT. The CRC script still works, but GameGuard has enabled its own CRC check as well. The CRC script we use bypasses MapleStory's CRC, but not GameGuard's. When MapleStory detects a change in the process memory it just disconnects you to the login screen (we can bypass that with our script and .cem file); after that GameGuard's CRC will come up, it will detect that the parameters changed, and you will get the error: Hacking Attempt Detected.

GameGuard has two main components that MapleStory loads: GameGuard.des and GameMon.des. Before MapleStory loads either of those files it first reads MapleStory.INI, which contains all the parameters for GameGuard's loading.

This is a decrypted MapleStory.ini:

Code:
[GAMEMON]
GAME_NAME=MapleStoryUS
UPDATE_SERVER=gameguard.mapleglobal.com
UPDATE_PATH=/nProtect/GameGuard/RealServer/
BACKUP_SERVER=63.251.217.184
BACKUP_PATH=/nProtect/GameGuard/RealServer/
OPTION_VALUE=0
SPEEDCHECK_INTERVAL=1000
SENDERL=1
GAMECRC=2
REVISION=47

On the line ''GAMECRC'' we notice a 2, right? A while ago it was 0 (disabled), but recently it changed to 2, enabling the GameGuard CRC. Now let's try to fix that, ok? What is disconnecting us is that when we change the MapleStory CRC, GameGuard compares and notices that the parameters of both CRCs have been changed. So let's check it out:

First of all you will need an unpacked .39 client. (Attachment)

oMS_0.39.rar
Open up MapleStory with OllyDbg and set a breakpoint on CreateProcessA, so GameMon traces backwards until you land on the GameGuard.des execution call. Step over it and continue scrolling down manually until you see the MapleStory.INI file getting loaded, then pay close attention until you see GAMECRC being addressed; there you should see a "PUSH 2".
Code:

52              PUSH EDX
6A 02           PUSH 2                  ; the GAMECRC value (6A 02 encodes PUSH 2; 6A 00 would be PUSH 0)
68 64E07C00     PUSH MapleSto.007CE064  ; ASCII "GAMECRC"
E8 05660000     CALL MapleSto.00714A00

By changing the ''PUSH 2'' to ''PUSH 0'' it turns the CRC off completely, successfully bypassing the GameGuard CRC.

Credits:
-xor
-KittonKicker (Kiki)
-Nuclear 898
-S3NSA


So, summarized in one line:

Step over in OllyDbg while watching until maplestory.ini is read, and at the part where PUSH 2 is followed by PUSH MapleStory.@@@@@@@@@@@; ASCII "GameCRC", change it to PUSH 0, it says.
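Added example, not from the quoted post and not GameGuard's or MapleStory's code: a CRC32 integrity check in Python over the four instruction bytes listed above, from the anti-tamper side. It shows that a one-byte change to the PUSH immediate is caught by a CRC over the region, and that a check gated on a flag read from patchable data (a plaintext INI value or an immediate in code) never runs at all. The byte offsets, the flag argument and all function names are constructed for illustration.

```python
import zlib
from typing import Optional

# Constructed sample: the four instructions quoted in the post, as raw bytes.
# Addresses are the ones shown on the page; nothing around them is reproduced.
CODE_REGION = bytes.fromhex(
    "52"          # PUSH EDX
    "6A02"        # PUSH 2            (6A imm8; the GAMECRC value)
    "6864E07C00"  # PUSH 007CE064     ; ASCII "GAMECRC"
    "E805660000"  # CALL 00714A00
)
PUSH_IMM_OFFSET = 2  # offset of the imm8 byte of "PUSH 2" inside CODE_REGION

def region_crc(region: bytes) -> int:
    """CRC32 of a code region, as an integrity checker computes it."""
    return zlib.crc32(region) & 0xFFFFFFFF

# Reference value a build step would record from the pristine bytes.
EXPECTED_CRC = region_crc(CODE_REGION)

def integrity_check(region: bytes, expected: int = EXPECTED_CRC) -> bool:
    """True when the region still matches its build-time CRC, False if any byte changed."""
    return region_crc(region) == expected

def gated_integrity_check(region: bytes, gamecrc_flag: int) -> Optional[bool]:
    """Models a check that only runs when a config flag (GAMECRC) is non-zero.

    Returns None when the check was skipped. If the flag comes from a plaintext
    INI or a patchable immediate, a modified client never reaches the comparison,
    which is exactly the weakness the post relies on. A robust checker runs
    unconditionally and covers the bytes that decide whether it runs.
    """
    if gamecrc_flag == 0:
        return None
    return integrity_check(region)

def tampered_copy(region: bytes, offset: int, value: int) -> bytes:
    """Constructed test input: a copy of the region with one byte changed."""
    buf = bytearray(region)
    buf[offset] = value & 0xFF
    return bytes(buf)

def demo() -> dict:
    """Run the checker over the pristine region and a one-byte-modified copy."""
    modified = tampered_copy(CODE_REGION, PUSH_IMM_OFFSET, 0)  # PUSH 2 -> PUSH 0
    return {
        "pristine_ok": integrity_check(CODE_REGION),               # True
        "modified_ok": integrity_check(modified),                  # False: CRC differs
        "modified_flag_zero": gated_integrity_check(modified, 0),  # None: never ran
        "modified_flag_two": gated_integrity_check(modified, 2),   # False: caught
    }

if __name__ == "__main__":
    print(demo())
```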


Chit-chat: Today I watched Charlie Chaplin's "Monsieur Verdoux" (살인광시대), and it was pretty entertaining, haha.
