Jump to content


Popular Content

Showing content with the highest reputation since 22/06/18 in all areas

  1. 1 point
    sometimes i forget which year i warp to
  2. 1 point
    View File NexonGameThreat (NexonGameSecurity bypass) So I started working on a new NexonGameSecurity bypass about a week ago, because I was very interested in the new security model of their anti-tampering modules, and I am proud to say that this is without doubt the most advanced piece of software that has been developed in the efforts to bypass MapleStory anti-cheat solutions. The primary goal of the bypass, was to make it compatible with any game that runs NexonGameSecurity, and that seems to have been accomplished. However, this bypass will only work on x64 systems, and therefore does not support x86 (32-bit) systems. If the demand for 32-bit support is high, this might be implemented in the future. Since this is a generic bypass, it was not possible to code it as a DLL stub that auto-injects itself (different games has different dependencies), so I've also included a simple MapleStory stub DLL (dinput8.dll), which will auto-load itself, block the internal MapleStory multiclient-checks and load the NexonGameThreat.dll file. If you use this with MapleStory, simply: Drop all files (NexonGameThreat.dll, NexonGameHooks_x64.dll, dinput8.dll) into the MapleStory folder, and run MapleStory as always. If you use this with another game, it is important to understand that: The NexonGameThreat-files assumes that: The game folder is found in an arbitrary location: "<drive>:\<game_path>" The ngs folder is found in an arbitrary location: "<drive>:\<game_path>\<ngs_folder>" Due to the nature of this, the following constraints are in place: NexonGameThreat.dll doesn't care about its own location, as it must be injected manually into the host process. NexonGameHooks_x64.dll must be exactly one folder upstream from the ngs_folder. The wisest would be to place both files exactly one folder upstream from the ngs_folder, as that is the test-environment they were developed in. Submitter NewSprux2.0? Submitted 06/03/18 Category General Resources Virusscan https://virusscan.jotti.org/en-US/filescanjob/nnpmbb8g99  
  3. 1 point
    @NewSprux2.0? you mean this ? https://github.com/RajanGrewal/AuthHook/blob/master/AuthHook/WinsockHax.cpp it has some weird VM_START / VM_END functions is it this? nevermind he explained thats for protecting his DLL from people when he sold it out. I tried it out just now and it doesn't crash I was happy but then at the end when I joined a Channel It didn't show up the proper channel/lobby ports 8484 etc.. seems this MSWOCK is only used for the browser and other useless SSL ports. It gets the connect() and GetPeerName() for the useless ports but the one I want 8484 and other ones it doesn't get. I tried with Page Exceptions / Debug Registers for a Thread. Could only get 1 Connection and it never got back on track again Added this class AwBreakPoint.cpp #include "AwBreakPoint.h" #include <windows.h> #include <cstdio> EXCEPTION_HANDLER AwBreakPoint::Handler; LONG __stdcall Ex_handler(EXCEPTION_POINTERS* ep) { if(ep->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) { EXCEPTION_HANDLER handler = AwBreakPoint::GetHandler(); handler(ep); return EXCEPTION_CONTINUE_EXECUTION; } return EXCEPTION_CONTINUE_SEARCH; } void AwBreakPoint::GetMainThreadFromProcessId() { unsigned long uProcessId = GetCurrentProcessId(); HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,uProcessId); if(!hSnapshot) return; THREADENTRY32 lpThread; lpThread.dwSize = sizeof(THREADENTRY32); if(Thread32First(hSnapshot,&lpThread)) { do { if(lpThread.th32OwnerProcessID == uProcessId && lpThread.th32ThreadID != GetCurrentThreadId()) //Ignore threads from other processes AND the own thread of course { break; } }while(Thread32Next(hSnapshot,&lpThread)); CloseHandle(hSnapshot); AwBreakPoint::m_hThread = OpenThread(THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME,1,lpThread.th32ThreadID); } return; } bool AwBreakPoint::SetExceptionHandler(EXCEPTION_HANDLER eHandler) { AwBreakPoint::Handler = eHandler; AddVectoredExceptionHandler(0, Ex_handler); return true; } EXCEPTION_HANDLER AwBreakPoint::GetHandler() { return AwBreakPoint::Handler; } bool AwBreakPoint::SetHWBreakPoint(unsigned long uAddress, int iIndex) { GetMainThreadFromProcessId(); CONTEXT c = {CONTEXT_DEBUG_REGISTERS | CONTEXT_FULL }; SuspendThread(AwBreakPoint::m_hThread); GetThreadContext(AwBreakPoint::m_hThread,&c); switch(iIndex) { case 0: c.Dr0 = uAddress; c.Dr7 |= 0x00000001; // set 0th bit break; case 1: c.Dr1 = uAddress; c.Dr7 |= 0x00000004; // set 2nd bit break; case 2: c.Dr2 = uAddress; c.Dr7 |= 0x00000010; // set 4th bit break; case 3: c.Dr3 = uAddress; c.Dr7 |= 0x00000040; // set 6th bit break; default: return false; } //c.Dr6 = 0; SetThreadContext(AwBreakPoint::m_hThread,&c); ResumeThread(AwBreakPoint::m_hThread); return true; } bool AwBreakPoint::RemoveHWBreakPoint(int iIndex) { //GetMainThreadFromProcessId(); CONTEXT c = {CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS}; SuspendThread(AwBreakPoint::m_hThread); GetThreadContext(AwBreakPoint::m_hThread,&c); switch(iIndex) { case 0: c.Dr0 = 0; c.Dr7 &= 0xFFF0FFFE; // Clear the 16-19th and 1st bits break; case 1: c.Dr1 = 0; c.Dr7 &= 0xFF0FFFFB; // Clear the 20-23rd and 2nd bits break; case 2: c.Dr2 = 0; c.Dr7 &=0xF0FFFFEF; // Clear the 24-27th and 3rd bits break; case 3: c.Dr3 = 0; c.Dr7 &=0xFFFFFBF; // Clear the 28-31st and 4th bits break; default: return false; } //c.Dr6 = 0; SetThreadContext(AwBreakPoint::m_hThread,&c); ResumeThread(AwBreakPoint::m_hThread); //RemoveVectoredExceptionHandler(Ex_handler); return true; } AwBreakPoint.h #include <windows.h> #include <tlhelp32.h> typedef void(__cdecl* EXCEPTION_HANDLER)(EXCEPTION_POINTERS*); class AwBreakPoint { public: bool SetExceptionHandler(EXCEPTION_HANDLER); bool SetHWBreakPoint(unsigned long,int); bool RemoveHWBreakPoint(int); static EXCEPTION_HANDLER GetHandler(); private: void GetMainThreadFromProcessId(); HANDLE m_hThread; static EXCEPTION_HANDLER Handler; }; DllMain Inject function for dInput8 AwBreakPoint BP; DWORD connectFunctionAddress; typedef int(WINAPI* tconnect)(SOCKET s, const struct sockaddr *name, int namelen); tconnect oconnect; int WINAPI hkconnect(SOCKET s, const struct sockaddr *name, int namelen) { struct sockaddr_in *in = (struct sockaddr_in *)name; printf("Attempting connect %d %d.%d.%d.%d : %d\n", s, in->sin_addr.S_un.S_un_b.s_b1, in->sin_addr.S_un.S_un_b.s_b2, in->sin_addr.S_un.S_un_b.s_b3, in->sin_addr.S_un.S_un_b.s_b4, htons(in->sin_port)); BP.RemoveHWBreakPoint(0); //Remove breakpoint, process the ws2_32.connect below printf("Debug no go\n"); int result = oconnect(s, name, namelen); printf("Oconnect called\n"); BP.SetHWBreakPoint((unsigned long)connectFunctionAddress, 0); //Add breakpoint again for ws2_32.connect printf("reset\n"); //return result; return 0; } void HandleFunction(EXCEPTION_POINTERS* ep) { if (ep->ContextRecord->Eip == (unsigned long)connectFunctionAddress) { ep->ContextRecord->Eip = (unsigned long)&hkconnect; //redirect it to my function. printf("EIP = %x connectFunctionAddress = %x \n", ep->ContextRecord->Eip, connectFunctionAddress); } } static int Injected() { while (!(unsigned long)GetModuleHandle(L"ws2_32.dll")) Sleep(100);// Wait until loaded BP.SetExceptionHandler(HandleFunction); oconnect = reinterpret_cast<tconnect>(GetProcAddress(GetModuleHandle(L"WS2_32.dll"), "connect")); connectFunctionAddress = (DWORD)GetProcAddress(GetModuleHandle(L"WS2_32.dll"), "connect"); printf("ws2_32.dll connect function address = %x", connectFunctionAddress); BP.SetHWBreakPoint((unsigned long)connectFunctionAddress, 0); } Seems oconnect() creates a infinite loop on the first address and if I call GetMainThreadFromProcessId(); in the RemoveHWBreakPoint the above screenshot happens otherwise with it commented only 1 appears.. it looks like you cannot make another 1 from the same thread or something i cant figure it out. Seems I cannot SuspendThread of the GetCurrentThread() as I won't be able to do ResumeThread() after idk how to fix it.
  4. 1 point
  5. 1 point
    Hey! Since so manny people seam to have problems building the new bypass I have made a pretty noob friendly video guide. I will continiously update this to make it easier to follow and troubleshoot. I just wanna say thanks to everyone who helped me figure all of this out in the other tutorial thread. Special thanks to Sprux, Hippo, xScritZx, Razz and DAVHEED Before you ask questions in this thread make sure they have not yet been awnserd in Hippos tutorial thread. links to his thread at the bottom of this post. What do I need? This guide requires you to have visual studio installed. Visual studio 2013 be downloded from here: https://go.microsoft.com/fwlink/?LinkId=532495&clcid=0x409 you will also need to have a MSCRC bypass installed on the computer you will use to hack. Downloads and instructions can be foud at the bottom of this post. 2 computers. or a virtual machine. Video Guide (Updated: No need for Detour!) In order to remove detour Delete this code from XignCode Client>Source>main.cpp. Delete the code that is marked in red below. The line that you should add at line 3 in XignCode CLient>Network>Client.cpp is marked in red below. Troubleshooting XignCode Host.exe closes as soon as i start it. this is because your filepath is incorrect. Dubblechect the path and copy past it to eliminate spelling errors. Make sure that the path has dubble \\ insted of singel \ by each folder. make sure that the folder name in XignCode Host>XignCode>XignCode.cpp matches your own. I needed to change it from XingCode3 to XingCode. The game sends heartbeat but the host does not reply. Check your firewall. You will need to let thrugh trafic on port 38666. To test this out ty to disabel your entire firewall on both your main computer and server computer. When building the solution i get errors if the error is simular to this: error MSB3073: The command "copy /Y "C:\XignCode3 Bypass\Release\XignCode Client.dll" "G:\Games\MapleStory (Europe)\XignCode\x3.xem" then the dll is still created and will work. if the error is simular to this: error C4996: 'inet_addr': Use inet_pton() or InetPton() instead or define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings then add: #define _WINSOCK_DEPRECATED_NO_WARNINGS to the top of Xingcode Client>Network>clinent.cpp document, so it will be like this: #ifndef _CRT_SECURE_NO_WARNINGS #define _CRT_SECURE_NO_WARNINGS #define _WINSOCK_DEPRECATED_NO_WARNINGS #endif Changes Removed the need for Detour, credits to Sprux for showing me this. Remade the Video so its now alot easier to follow. Added spoilers with easy to follow instructions, as a compliment to the video.
This leaderboard is set to Amsterdam/GMT+02:00


  • Newsletter

    Want to keep up to date with all our latest news and information?

    Sign Up