Subject: XIGNCODE3 Bypass[SF2] Sat May 31, 2014 12:02 pm
SoldierFront2 XIGNCODE3 bypass stuff:
1. d3d9 codehooks are detected, replace the vtable instead.
2. A lot of function calls are detected by checking the return value - use the function given by SilverDeath to fake the return address. There are a lot of other ways of doing this - feel free to do so.
3. You have to either manually map the module or unlink it - it doesn't matter which way you do it.
Probably an error in your manual mapping code [ ! ]
- Don't use the GetAsyncKeyState API. Use low-level keyboard hooks instead.
- Don't use MessageBox.
- You can use them when faking the return address.
HowTo:
1. Create a thread in DllMain and get the size of your module with "GetModuleInformation".
2. Unlink your module.
3. Hook NtQueryVirtualMemory with a codehook (yes, that's currently undetected...).
(You might as well just return any failure value; "MyInstance" is the instance/base address of your DLL.)
4. Because SilverDeath's way of faking a return address needs a "call ebp" (opcode: 0xFF, 0xD5) in an "allowed module", you have to search for one in any allowed module:
Code:
    D3dModuleSize = SD_Tools::Internal::GetModuleSize(D3dModule); // you might use any other "allowed" module
    PossibleProxyAddress = FindPossibleProxy((DWORD)D3dModule, D3dModuleSize);
5. Now, to call any stdcall function (most of the WinAPI), use this function:
Code:
    template <typename T>
    __declspec(naked) T __cdecl ProxyCall(void* Target, UINT NumberOfParams, void* ProxyFFD5, ...)
    {
        __asm mov edx, esp;             // edx = our stack frame: [edx] return address, [edx+4] Target, [edx+8] NumberOfParams, [edx+12] ProxyFFD5, then the params
        __asm push esp;                 // save esp
        __asm push ebp;                 // save ebp (the proxy uses it as the return register)
        __asm push esi;                 // save esi

        __asm lea esi, [edx+8];         // esi points to NumberOfParams
        __asm mov ecx, [esi];           // ecx = number of params
        __asm inc ecx;                  // one extra slot: ProxyFFD5 is pushed last, as the fake return address

    PushParams:
        __asm mov eax, [esi+ecx*4];     // fetch parameter from right to left (ecx == 1 fetches ProxyFFD5)
        __asm push eax;                 // and push it on the stack
        __asm loop PushParams;          // repeat until ecx == 0 - the stdcall frame for Target is now complete

        __asm mov ebp, offset ReturnHere; // the proxy's "call ebp" brings us back here
        __asm mov eax, [edx+4];         // eax = Target
        __asm jmp eax;                  // Target sees ProxyFFD5 (inside an allowed module) as its return address

    ReturnHere:
        __asm add esp, 4;               // drop the return address pushed by the proxy's "call ebp"
        __asm pop esi;                  // restore esi
        __asm pop ebp;                  // restore ebp
        __asm pop esp;                  // restore the original stack pointer (Target must be stdcall: it cleans its own params before returning to the proxy)
        __asm retn;                     // Target's return value is still in eax (edx is clobbered, so 64-bit returns won't work)
    }
Example:
Code:
    // function pointer has to be cast to void* explicitly in C++
    if (ProxyCall<SHORT>((void*)&GetAsyncKeyState, 1, (void*)PossibleProxyAddress, VK_INSERT) & (1 << 15)) {
        // todo
    }
general:
- As SilverDeath said, codehooks in the d3d9 module are detected; replace the vtable of the DX object instead.
- Use instant injection on load. Most public injectors will cause a detection, and as soon as XIGNCODE is loaded you can't access the process anymore.
- You should make minor changes to the code; maybe XIGNCODE will pattern the ProxyCall function, etc.
- The sample code by SilverDeath uses some functions from his SD_Tools namespace, which you of course don't have; however, the names are self-explanatory, so it should be no problem to reproduce them.
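Step 4 above leaves FindPossibleProxy to the reader. The block below is an added example, my own code and not the post's FindPossibleProxy or anything from SilverDeath's SD_Tools: it searches a mapped PE image for the FF D5 byte pair, but only inside sections flagged IMAGE_SCN_MEM_EXECUTE. That goes a bit beyond the "module base + module size" scan the post describes, because such a scan can just as well land on FF D5 inside .data or .rdata (a stored pointer, a float), and returning into non-executable memory crashes the game instead of faking the caller. The FF D5 pair does not have to be an intended "call ebp" instruction; since Target returns straight onto those two bytes, the tail of some longer instruction in .text works just as well. The PE image in the block is a constructed fixture so that it runs anywhere; on Windows you would pass the HMODULE and the size from GetModuleInformation instead.

```c
/* Added example (not code from the forum post or SilverDeath's SD_Tools):
 * locate a "call ebp" gadget (FF D5) inside the executable sections of a
 * PE image that is already mapped in memory. PE headers are parsed by hand
 * on a byte buffer so this compiles and runs on any platform. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SCN_MEM_EXECUTE 0x20000000u   /* section characteristic flag from the PE spec */

static const uint8_t CALL_EBP[2] = { 0xFF, 0xD5 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Naive scan of [start, start+len) for pat. This is what a plain scan over
 * "module base + module size" does: it does not care which section a hit lives in. */
const uint8_t *find_bytes(const uint8_t *start, size_t len, const uint8_t *pat, size_t patlen)
{
    if (len < patlen) return NULL;
    for (size_t i = 0; i + patlen <= len; i++)
        if (memcmp(start + i, pat, patlen) == 0) return start + i;
    return NULL;
}

/* Walk the section table of a mapped image (base = DOS header) and return the
 * first FF D5 that lies inside a section marked IMAGE_SCN_MEM_EXECUTE, or NULL. */
const uint8_t *find_call_ebp_gadget(const uint8_t *base, size_t image_size)
{
    if (image_size < 0x40 || rd16(base) != 0x5A4D) return NULL;          /* "MZ" */
    uint32_t e_lfanew = rd32(base + 0x3C);
    if (e_lfanew > image_size - 24 || memcmp(base + e_lfanew, "PE\0\0", 4) != 0) return NULL;
    const uint8_t *coff = base + e_lfanew + 4;                            /* IMAGE_FILE_HEADER */
    uint16_t nsections = rd16(coff + 2);
    uint16_t opt_size  = rd16(coff + 16);
    const uint8_t *sec = coff + 20 + opt_size;                            /* IMAGE_SECTION_HEADER[] */
    for (uint16_t i = 0; i < nsections; i++, sec += 40) {
        if ((size_t)(sec - base) + 40 > image_size) return NULL;          /* truncated section table */
        uint32_t vsize = rd32(sec + 8), va = rd32(sec + 12), flags = rd32(sec + 36);
        if (!(flags & IMAGE_SCN_MEM_EXECUTE)) continue;                   /* a hit in data would crash */
        if (va >= image_size) continue;
        if (vsize > image_size - va) vsize = (uint32_t)(image_size - va); /* clamp to the mapping */
        const uint8_t *hit = find_bytes(base + va, vsize, CALL_EBP, sizeof CALL_EBP);
        if (hit) return hit;
    }
    return NULL;
}

/* Constructed test fixture, not a real module: a 0x600-byte PE32 image with a
 * writable .data section at RVA 0x200 and an executable .text section at RVA
 * 0x400. Both contain FF D5; only the .text one is a usable gadget. */
#define FAKE_IMAGE_SIZE  0x600
#define FAKE_DATA_DECOY  0x210
#define FAKE_TEXT_GADGET 0x430

void build_fake_image(uint8_t *img)
{
    memset(img, 0, FAKE_IMAGE_SIZE);
    wr16(img, 0x5A4D);                                 /* "MZ" */
    wr32(img + 0x3C, 0x80);                            /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    uint8_t *coff = img + 0x84;
    wr16(coff, 0x014C);                                /* IMAGE_FILE_MACHINE_I386 */
    wr16(coff + 2, 2);                                 /* NumberOfSections */
    wr16(coff + 16, 0xE0);                             /* SizeOfOptionalHeader for PE32 */
    uint8_t *sec = coff + 20 + 0xE0;
    memcpy(sec, ".data", 5); wr32(sec + 8, 0x100); wr32(sec + 12, 0x200); wr32(sec + 36, 0xC0000040); /* RW data */
    sec += 40;
    memcpy(sec, ".text", 5); wr32(sec + 8, 0x100); wr32(sec + 12, 0x400); wr32(sec + 36, 0x60000020); /* code, X */
    memcpy(img + FAKE_DATA_DECOY, CALL_EBP, 2);        /* FF D5 in data, e.g. part of a stored pointer */
    /* push ebp; mov ebp, esp; call ebp; ret  -> FF D5 ends up exactly at FAKE_TEXT_GADGET */
    static const uint8_t code[] = { 0x55, 0x8B, 0xEC, 0xFF, 0xD5, 0xC3 };
    memcpy(img + FAKE_TEXT_GADGET - 3, code, sizeof code);
}

int main(void)
{
    uint8_t img[FAKE_IMAGE_SIZE];
    build_fake_image(img);
    const uint8_t *naive = find_bytes(img, sizeof img, CALL_EBP, sizeof CALL_EBP);
    const uint8_t *good  = find_call_ebp_gadget(img, sizeof img);
    if (naive) printf("naive scan hit at RVA 0x%zx (.data, not executable)\n", (size_t)(naive - img));
    if (good)  printf("section-aware scan hit at RVA 0x%zx (.text)\n", (size_t)(good - img));
    return good != NULL ? 0 : 1;
}
```

In the real thing the scanned module is one XIGNCODE treats as "allowed" (the post uses d3d9), and the address that comes back is what you hand to ProxyCall as ProxyFFD5.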