 XIGNCODE3 Bypass[SF2]

Post subject: XIGNCODE3 Bypass[SF2] - Sat May 31, 2014 12:02 pm

SoldierFront2 XIGNCODE3 bypass stuff:

1. d3d9 code hooks are detected; replace the vtable instead.
2. A lot of function calls are detected by checking the return value - use the function given by SilverDeath to fake the return address. There are a lot of other ways of doing this - feel free to do so.
3. You have either to manually map the module or unlink it - it doesn't matter which way you do it.

Probably an error in your manual mapping code[ ! ]
- Don't use the GetAsyncKeyState API. Use low-level keyboard hooks instead.
- Don't use MessageBox.
- You can use them by faking the return address.

1. Create a thread in DllMain and get the size of your module with "GetModuleInformation".
2. Unlink your module.
3. Hook NtQueryVirtualMemory with a code hook (yes, that's currently undetected...).

#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI* NtQueryVirtualMemory_t)(HANDLE, DWORD, DWORD, MEMORY_BASIC_INFORMATION*, ULONG, ULONG*);
NtQueryVirtualMemory_t NtQueryVirtualMemory_Orig; // trampoline to the original, filled in by your code hook
HMODULE MyInstance;   // base address of your DLL (from DllMain)
DWORD OwnModuleSize;  // SizeOfImage, from GetModuleInformation

NTSTATUS NTAPI NtQueryVirtualMemory_Hook(HANDLE ProcessHandle, DWORD BaseAddress, DWORD Type, MEMORY_BASIC_INFORMATION* Out, ULONG Length, ULONG* NumberOfBytesRead)
{
    NTSTATUS Temp;

    Temp = NtQueryVirtualMemory_Orig(ProcessHandle, BaseAddress, Type, Out, Length, NumberOfBytesRead);

    // Only MemoryBasicInformation (class 0) fills a MEMORY_BASIC_INFORMATION; other classes must be left alone
    if (Temp >= 0 /* NT_SUCCESS */ && Type == 0 && Out != NULL
        && BaseAddress > (DWORD)MyInstance - 0x1000 && BaseAddress < (DWORD)MyInstance + OwnModuleSize + 0x1000) // Requested information in our dll range?
    {
        Out->AllocationProtect = PAGE_NOACCESS;
        Out->RegionSize = 0x1000;
        Out->State = MEM_FREE;
        Out->Protect = 0;
        Out->Type = MEM_PRIVATE;
    }
    return Temp;
}

(You might as well just return a failure status instead; "MyInstance" is the instance/base address of your DLL.)

4. Because SilverDeath's way of faking a return address needs a "call ebp" (opcode: 0xFF 0xD5) in an "allowed module", you have to search for one in any allowed module:
// Scan [StartAdd, StartAdd + Size) for "call ebp" and return the first hit that lies in valid code, or 0 if there is none
DWORD FindPossibleProxy(DWORD StartAdd, DWORD Size)
{
    DWORD Rslt = 0;
    DWORD SearchAdd = StartAdd;
    while (SearchAdd < (StartAdd + Size))
    {
        SearchAdd = SD_Tools::Internal::FindFullPattern(SearchAdd, Size - (SearchAdd - StartAdd), (BYTE*)"\xFF\xD5", 2);
        if (!IsBadCodePtr((FARPROC)SearchAdd) || !SearchAdd) // usable code pointer, or pattern not found (0): stop either way
        {
            Rslt = SearchAdd;
            break;
        }
        SearchAdd += 2; // hit was not in valid code, keep searching behind it
    }
    return Rslt;
}

Use it like this:
DWORD D3dModuleSize = SD_Tools::Internal::GetModuleSize(D3dModule); // you might use any other "allowed" module
DWORD PossibleProxyAddress = FindPossibleProxy((DWORD)D3dModule, D3dModuleSize);

5. Now, to call any stdcall function (most of the WinAPI), use this function:
// Calls Target (stdcall) with NumberOfParams arguments so that Target sees ProxyFFD5 (a "call ebp" inside an allowed module)
// as its return address. Target returns into the proxy, whose "call ebp" brings control back to ReturnHere below.
template <typename T> __declspec(naked) T __cdecl ProxyCall(void* Target, UINT NumberOfParams, void* ProxyFFD5, ...)
{
    __asm mov edx, esp; // stackframe on edx - edx points now to the return address - Target, NumberOfParams, ProxyFFD5, Params after.
    __asm push esp; // save esp
    __asm push ebp; // save ebp
    __asm push esi; // save esi

    __asm lea esi, [edx+8]; // Points to NumberOfParams
    __asm mov ecx, [esi]; // Get Number Of Params
    __asm inc ecx; // Also push ProxyFFD5

    __asm PushParams:
    __asm mov eax, [esi+ecx*4]; // Get Parameter from right to left
    __asm push eax; // and push them on the stack
    __asm loop PushParams; // Repeat until all params pushed (ecx != 0) - Stack is done after this

    __asm mov ebp, offset ReturnHere; // Mov return address into ebp to be called by proxy
    __asm mov eax, [edx+4]; // Get Target
    __asm jmp eax; // jump to target - it sees ProxyFFD5 on top of the stack as its return address

    __asm ReturnHere:
    __asm add esp, 4; // remove return address pushed by the proxy's "call ebp"
    __asm pop esi; // restore esi
    __asm pop ebp; // restore ebp
    __asm pop esp; // restore stack
    __asm retn; // return - eax still holds the return value of Target
}
// Example: poll a key without calling GetAsyncKeyState from our own module's address range
if (ProxyCall<SHORT>((void*)&GetAsyncKeyState, 1, (void*)PossibleProxyAddress, VK_INSERT) & (1 << 15))
{
    // todo
}

// another one:
ProxyCall<HRESULT>((void*)D3d9VTable[106], 3, (void*)PossibleProxyAddress, Device, ShaderBuf->GetBufferPointer(), Shader); // Device->CreatePixelShader((const DWORD*)ShaderBuf->GetBufferPointer(), Shader);

6. Now do whatever you want ;) ...

- As SilverDeath said, code hooks in the d3d9 module are detected; replace the vtable of the DX object instead.

- Use instant injection on load. Most public injectors will cause a detection, and as soon as XIGNCODE is loaded you can't access the process anymore.

- You should make minor changes to the code; maybe XIGNCODE will pattern the ProxyCall function, etc.

- The sample code of SilverDeath uses some functions of his SD_Tools namespace which you of course don't have; however, the names are self-explanatory, so it should be no problem to reproduce them.

Credits: SilverDeath and kn4ck3r
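The post leans on two SD_Tools helpers it does not include, FindFullPattern and GetModuleSize, and on IsBadCodePtr to reject an FF D5 that is not in executable code. The block below is an added example, not code from the post or from SilverDeath/kn4ck3r, that reproduces those pieces portably over a byte buffer: SizeOfImage is read from the PE32 optional header (offsets taken from the PE/COFF format), the pattern scan is exact-match like "FindFullPattern" implies, and the gadget search only accepts a "call ebp" whose offset lies in a caller-supplied executable range (the portable stand-in for IsBadCodePtr). The sample image, its offsets and all function names are constructed for this example and do not come from SF2 or d3d9.dll.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed layout constants from the PE/COFF format (32-bit image). */
#define DOS_MAGIC        0x5A4Du      /* "MZ" */
#define DOS_E_LFANEW     0x3Cu        /* offset of e_lfanew in the DOS header */
#define NT_SIGNATURE     0x00004550u  /* "PE\0\0" */
#define OPT_HDR_OFFSET   24u          /* NT signature (4) + IMAGE_FILE_HEADER (20) */
#define OPT_MAGIC_PE32   0x10Bu
#define OPT_SIZEOFIMAGE  56u          /* SizeOfImage inside IMAGE_OPTIONAL_HEADER32 */
#define NOT_FOUND        ((size_t)-1)

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* GetModuleSize stand-in: SizeOfImage from the optional header, or 0 when the
   buffer does not hold a well-formed PE32 header (every read is bounds-checked). */
uint32_t pe_size_of_image(const uint8_t *img, size_t len)
{
    if (len < DOS_E_LFANEW + 4 || rd16(img) != DOS_MAGIC) return 0;
    size_t nt = rd32(img + DOS_E_LFANEW);
    if (nt > len || len - nt < OPT_HDR_OFFSET + OPT_SIZEOFIMAGE + 4) return 0;
    if (rd32(img + nt) != NT_SIGNATURE) return 0;
    const uint8_t *opt = img + nt + OPT_HDR_OFFSET;
    if (rd16(opt) != OPT_MAGIC_PE32) return 0;
    return rd32(opt + OPT_SIZEOFIMAGE);
}

/* FindFullPattern stand-in: offset of the first exact occurrence of pat in buf
   (no wildcards), NOT_FOUND when absent. */
size_t find_full_pattern(const uint8_t *buf, size_t len, const uint8_t *pat, size_t pat_len)
{
    if (pat_len == 0 || pat_len > len) return NOT_FOUND;
    for (size_t i = 0; i + pat_len <= len; i++)
        if (memcmp(buf + i, pat, pat_len) == 0) return i;
    return NOT_FOUND;
}

/* FindPossibleProxy stand-in: first "call ebp" (FF D5) inside the executable
   range [code_start, code_end). The range test replaces the post's IsBadCodePtr:
   an FF D5 sitting in a data section cannot serve as the faked return address. */
size_t find_call_ebp_gadget(const uint8_t *img, size_t len, size_t code_start, size_t code_end)
{
    static const uint8_t call_ebp[2] = { 0xFF, 0xD5 };
    size_t pos = 0;
    while (pos < len) {
        size_t hit = find_full_pattern(img + pos, len - pos, call_ebp, sizeof call_ebp);
        if (hit == NOT_FOUND) return NOT_FOUND;
        hit += pos;
        if (hit >= code_start && hit + sizeof call_ebp <= code_end) return hit;
        pos = hit + 1;   /* advance by one so "FF FF D5" is still found */
    }
    return NOT_FOUND;
}

/* Constructed sample image (not a real module): PE32 headers at 0x80 with
   SizeOfImage = 0x3000, a decoy FF D5 in the "data" area at 0x100 and a usable
   one inside the "code" area [0x140, 0x200) at 0x150. Filler is 0x90 (nop). */
#define SAMPLE_LEN         0x200u
#define SAMPLE_NT          0x80u
#define SAMPLE_CODE_START  0x140u
#define SAMPLE_CODE_END    0x200u

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

void build_sample_image(uint8_t *img)
{
    memset(img, 0x90, SAMPLE_LEN);
    wr16(img, DOS_MAGIC);
    wr32(img + DOS_E_LFANEW, SAMPLE_NT);
    wr32(img + SAMPLE_NT, NT_SIGNATURE);
    wr16(img + SAMPLE_NT + OPT_HDR_OFFSET, OPT_MAGIC_PE32);
    wr32(img + SAMPLE_NT + OPT_HDR_OFFSET + OPT_SIZEOFIMAGE, 0x3000);
    img[0x100] = 0xFF; img[0x101] = 0xD5;   /* decoy: outside the code range */
    img[0x150] = 0xFF; img[0x151] = 0xD5;   /* the gadget we want */
}

/* Wrappers over the sample so callers need not manage the buffer themselves. */
uint32_t sample_size_of_image(void)
{
    uint8_t img[SAMPLE_LEN];
    build_sample_image(img);
    return pe_size_of_image(img, SAMPLE_LEN);
}
size_t sample_gadget(size_t code_start, size_t code_end)
{
    uint8_t img[SAMPLE_LEN];
    build_sample_image(img);
    return find_call_ebp_gadget(img, SAMPLE_LEN, code_start, code_end);
}

int main(void)
{
    printf("SizeOfImage = 0x%x\n", (unsigned)sample_size_of_image());
    printf("call ebp gadget at +0x%zx\n", sample_gadget(SAMPLE_CODE_START, SAMPLE_CODE_END));
    return 0;
}
```

On a live x86 Windows process the buffer would be the mapped module starting at its HMODULE, the executable range would come from the section headers (or, as in the post, from IsBadCodePtr), and the returned offset added to the base gives the ProxyFFD5 argument for ProxyCall. Note that the scan advances by one byte after a rejected hit, unlike the post's +2, so a gadget whose first byte overlaps the tail of a rejected match is not skipped.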