 XIGNCODE3 Bypass[SF2]

Jhun»
VIPMEMBER

Posts : 65
AP : 20978
Join date : 28/02/2013

PostSubject: XIGNCODE3 Bypass[SF2]   Sat May 31, 2014 12:02 pm

SoldierFront2 XIGNCODE3 bypass stuff:



1. d3d9 codehooks are detected; replace the vtable instead.
2. A lot of function calls are detected by checking the return address. Use the function given by SilverDeath to fake the return address. There are a lot of other ways of doing this; feel free to do so.
3. You have to either manually map the module or unlink it; it doesn't matter which way you do it.


Probably an error in your manual mapping code [ ! ]
- Don't use the GetAsyncKeyState API; use low-level keyboard hooks instead.
- Don't use MessageBox.
- You can use them by faking the retn addy.





HowTo:
1. Create a thread in DllMain and get the size of your module with "GetModuleInformation".
2. Unlink your module.
3. Hook NtQueryVirtualMemory with a codehook (yes, that's currently undetected...).

Code:
NTSTATUS NTAPI NtQueryVirtualMemory_Hook(HANDLE ProcessHandle, DWORD BaseAddress, DWORD Type, MEMORY_BASIC_INFORMATION* Out, ULONG Length, ULONG* NumberOfBytesRead)
{
    NTSTATUS Temp;

    Temp = NtQueryVirtualMemory_Orig(ProcessHandle, BaseAddress, Type, Out, Length, NumberOfBytesRead);

    if (BaseAddress > (DWORD)MyInstance - 0x1000 && BaseAddress < (DWORD)MyInstance + OwnModuleSize + 0x1000) // Requested Information in our dll range?
    {
        Out->AllocationProtect = PAGE_NOACCESS;
        Out->RegionSize = 0x1000;
        Out->State = MEM_FREE;
        Out->Protect = 0;
        Out->Type = MEM_PRIVATE;
    }
    return Temp;
}

(You might as well just return a failing return value; "MyInstance" is the instance/base address of your DLL.)



4. Because SilverDeath's way of faking a return address needs a "call ebp" (opcode: 0xFF, 0xD5) in an "allowed module", you have to search for one in any allowed module:
Code:
DWORD FindPossibleProxy(DWORD StartAdd, DWORD Size)
{
    DWORD Rslt = 0;
    DWORD SearchAdd = StartAdd;
    while(SearchAdd < (StartAdd + Size))
    {
        SearchAdd = SD_Tools::Internal::FindFullPattern(SearchAdd, Size - (SearchAdd-StartAdd), (BYTE*)"\xFF\xD5", 2);
        if (!IsBadCodePtr((FARPROC)SearchAdd) || !SearchAdd)
        {
            Rslt = SearchAdd;
            break;
        }
        SearchAdd += 2;
    }
    return Rslt;
}

Use it like this:
Code:
D3dModuleSize = SD_Tools::Internal::GetModuleSize(D3dModule); // you might use any other "allowed" module
PossibleProxyAddress = FindPossibleProxy((DWORD)D3dModule, D3dModuleSize);

5. Now, to call any stdcall function (most of the WinAPI), use this function:
Code:
template <typename T> __declspec(naked) T _cdecl ProxyCall(void* Target, UINT NumberOfParams, void* ProxyFFD5, ...)
{
    __asm mov edx, esp; // stackframe on edx - edx points now to the return adress - Target, NumberOfParams, ProxyFFD5, Params after.
    __asm push esp; // save esp
    __asm push ebp; // save ebp
    __asm push esi; // save esi

    __asm lea esi, [edx+8]; // Points to NumberOfParams
    __asm mov ecx, [esi]; // Get Number Of Params
    __asm inc ecx; // Also push ProxyFFD5

PushParams:
    __asm mov eax, [esi+ecx*4]; // Get Parameter from right to left
    __asm push eax; // and push them on the stack
    __asm loop PushParams; // Repeat until all params pushed (ecx != 0) - Stack is done after this

    __asm mov ebp, ReturnHere; // Mov Returnadress into ebp to be called by proxy
    __asm mov eax, [edx+4]; // Get Target
    __asm jmp eax; // jump to target

ReturnHere:
    __asm add esp, 4; // remove return address from Proxy
    __asm pop esi; // restore esi
    __asm pop ebp; // restore ebp
    __asm pop esp; // restore stack
    __asm retn; // return
}
Example:
Code:
if (ProxyCall<SHORT>(&GetAsyncKeyState, 1, (void*)PossibleProxyAddress, VK_INSERT) & (1<<15))
{
    // todo
}

// another one:
ProxyCall<HRESULT>((void*)D3d9VTable[106], 3, (void*)PossibleProxyAddress, Device, ShaderBuf->GetBufferPointer(), Shader); //Device->CreatePixelShader((const DWORD*)ShaderBuf->GetBufferPointer(), Shader);

6. Now do whatever you want ;) ...



General:
- As SilverDeath said, codehooks in the d3d9 module are detected; replace the vtable of the DX object instead.

- Use instant inject on load. Most public injectors will cause a detection, and as soon as XIGNCODE is loaded you can't access the process anymore.

- It should make minor changes to the code; maybe XIGNCODE will pattern the ProxyCall func, etc.

- The sample code of SilverDeath uses some functions of his SD_Tools namespace which you of course don't have; however, the names are self-explanatory, so it should be no problem to reproduce them.




Credits : SilverDeath and kn4ck3r
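Added example from the detection side, not part of the post above and not SilverDeath's or kn4ck3r's code: the anti-cheat behaviour the post works around in step 1 ("d3d9 codehooks are detected") is, in its simplest form, an integrity check that compares a function's entry bytes in memory against a reference copy of the same bytes. The C below runs that comparison over constructed sample bytes (a typical x86 prologue, the same entry after a 5-byte JMP rel32 has been written over it, and a push/ret trampoline). The prologue bytes and the entry address are constructed for the example and do not come from any real module.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed samples (not from any real module): a common x86 function
   prologue as it appears in the on-disk image, the same entry after a
   5-byte JMP rel32 has been written over it, and an entry replaced by a
   "push imm32; ret" trampoline. */
static const uint8_t clean_prologue[8] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t jmp_hooked[8]     = {0xE9,0x78,0x56,0x34,0x12,0x83,0xEC,0x10};
static const uint8_t pushret_hooked[8] = {0x68,0x00,0x10,0x00,0x00,0xC3,0xEC,0x10};

enum hook_kind {
    HOOK_NONE = 0,   /* bytes match the reference copy */
    HOOK_JMP_REL32,  /* E9 xx xx xx xx: relative jump at the entry */
    HOOK_JMP_ABS,    /* FF 25 xx xx xx xx: jump through an absolute pointer */
    HOOK_PUSH_RET,   /* 68 xx xx xx xx C3: push address; ret */
    HOOK_PATCHED     /* differs from the reference, but no known trampoline shape */
};

/* Compare the first n bytes of a function entry as found in memory (mem)
   against the reference copy (ref), e.g. the bytes read from the file on disk. */
enum hook_kind classify_entry(const uint8_t *mem, const uint8_t *ref, size_t n)
{
    if (memcmp(mem, ref, n) == 0)
        return HOOK_NONE;
    if (n >= 5 && mem[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25)
        return HOOK_JMP_ABS;
    if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3)
        return HOOK_PUSH_RET;
    return HOOK_PATCHED;
}

/* Decode the destination of a JMP rel32 sitting at 'entry' so a report can
   say where control is being redirected. Assembled byte-by-byte so the
   result does not depend on the host's endianness. */
uint32_t jmp_rel32_target(uint32_t entry, const uint8_t *mem)
{
    uint32_t rel = (uint32_t)mem[1] | ((uint32_t)mem[2] << 8) |
                   ((uint32_t)mem[3] << 16) | ((uint32_t)mem[4] << 24);
    return entry + 5u + rel;   /* rel32 is relative to the end of the 5-byte jmp */
}

int main(void)
{
    const uint32_t entry = 0x10000000u;   /* constructed entry address */
    printf("clean:    %d\n", classify_entry(clean_prologue, clean_prologue, 8));
    printf("jmp:      %d -> 0x%08X\n", classify_entry(jmp_hooked, clean_prologue, 8),
           jmp_rel32_target(entry, jmp_hooked));
    printf("push/ret: %d\n", classify_entry(pushret_hooked, clean_prologue, 8));
    return 0;
}
```

In a real integrity checker the reference bytes come from a freshly mapped copy of the module on disk with relocations applied, and regions the loader legitimately rewrites (import thunks, relocated absolute addresses) have to be excluded before the comparison, otherwise the check reports false positives. The vtable replacement the post recommends instead of a codehook is exactly what this byte comparison does not see, which is why a vtable check (comparing each slot against the address range of the module that owns the object) is the natural companion to it.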