    Question Two different teleport function

    Hello everyone, I have been digging into Kami script lately and found two different teleport functions.

    Kami1 v202.4

        Hook_0291DA10: // ????
        mov esi,[03697E84] // CUserLocal: 8B 3D ?? ?? ?? ?? 8B CF F3
        lea ecx,[esi+04]
        mov eax,[esi+04]
        mov eax,[eax+20]
        call eax
        test eax,eax
        je Teleport_End
        add eax,10
        push [MobY]
        push [MobX]
        push eax
        call 028F66E0 // ????
        Teleport_End:
        // Original Code
        push ebp
        mov ebp, esp
        sub esp, 10
        JMP 0291DA10+6 // Return to Original

    Kami2 v202.4

        Hook_012B3BBE: // ????
        mov esi,[03697E84] // CUserLocal: 8B 3D ?? ?? ?? ?? 8B CF F3
        lea ecx,[esi+04]
        mov eax,[esi+04]
        mov eax,[eax+20]
        call eax
        test eax,eax
        je Teleport_End
        push [MobY]
        push [MobX]
        push 00
        mov ecx,eax
        call 00D0BA30 // 55 8B EC ? ? 10 ? FF ? 10 8D ? 10 FF ? 0C 56 FF 50 40 85 C0 79 0C 68 ? ? ? ? ? ? E8 ? ? ? ? 5E [first]
        JMP 012B3BBE+5 // Return to Original
        Teleport_End:
        ret

    Can someone tell me what the main difference is between the two implementations? Kami2 is the one that I found in the latest public script. I don't remember where I got Kami1, but surely both hooks teleport the character to the desired coordinates. Thank you so much for reading this.
    Release NexonGameThreat (NexonGameSecurity bypass)

    Any plans to reveal or update this model of implementation? Thanks!
    Question Need some help with locating KMS MSCRC

    Yeah, that was one of my assumptions to check. Before I got DC'd, for about a minute, I didn't see any bps happening, and the game was acting weird before it crashed (unable to change channel, etc.). I made a small generic debugger with hwbp. Initially it got detected by Themida, but the unpacked binary was able to get me through the first hurdle. Anyhow, at this moment, my only method to achieve my goal is defeating mscrc... I cannot think of any other workaround. All I'm trying to do is hook incoming chat messages and log meso when it changes. I already have points to hook and confirmed it's working as I expected. mscrc is the only remaining blocker but the most challenging obstacle haha. Thanks NewSprux2.0 once again.
    Question Need some help with locating KMS MSCRC

    It is a typical crc32 algo, but I said it looks too different from other MSCRC functions. I was referring to the patching area of MSCRC, not the actual algo. On the other hand, I was playing around with hardware bp but again, there's some kind of detection going on and the client crashes in 10 min or so.
    Question Need some help with locating KMS MSCRC

    Yes, I was able to find one location where it seems to be doing a CRC checksum. However, the function looks far too different from other MSCRC functions, and I am having some trouble understanding how it actually works even with IDA's help. This is a portion of the function and the pseudocode that got generated by Hex-Rays. My next plan is to find the calculated value before the mem edit, inject it with a hardware bp, and apply the mem patch again.
    Question Need some help with locating KMS MSCRC

    Why do you keep giving me bad news 😱 Thank you so much for all your info. I will do some work and see how it goes.
    Question Need some help with locating KMS MSCRC

    OMG, why would they do that to me? Curse Nexon and Wizet haha. Do you know the approximate number of CRC checks within KMS?
    Question Need some help with locating KMS MSCRC

    Thank you so much for sharing valuable information. Also, I very much appreciate your valuable releases over the years; they helped me a lot to get all the way here. I thought about your comment for a few hours and thought about polymorphic mscrc routines. What I thought is that if you were referring to a polymorphic routine as in the malware world, the mscrc routine would exist in memory dynamically. If you were referring to it as in the programming world, it would get called from multiple places and would require a delicate touch of the function. However, in either case, I cannot locate the routine. If it is polymorphic code, I should be able to locate the routine within 0x0~0x7fffffff, but I failed to find it. If it is a polymorphic function, I should still see a break if I put a bp on it, but it's not breaking. On the other hand, I spent some time on understanding how the msea bypass works. Mainly, there are two crcs: the crc of the main code, and the crc of the crc, which is funny. So, as long as I can locate the routine in KMS, I should be unblocked, but it's confusing me too much. Any further hints you can share?
  9. Hello everyone. I am dying hard to find an MSCRC bypass for KMS but am currently out of luck. The approach that I took was to first understand how other MS versions get bypassed (GMS, MSEA) and apply the same technique to KMS. I first approached it with the GMS MSCRC bypass technique. The way it works is xor al, al and ret. I found the same function in the KMS client, but it doesn't do too much of its job. I changed this function just like how it was applied in GMS, but I still get DCed. Since this function is not getting called, even resetting the al reg and ret doesn't do much of anything. The second approach was looking into the MSEA MSCRC bypass. My understanding of this bypass is that it creates a copy of the code section and uses it for calculating the CRC. I looked into the script and realized that the CRC code is located outside of the code section. This made it a little difficult to analyze with IDA but was not a big deal. I found pretty much the same code in the KMS client as well but again... it's not getting called. This screenshot is a comparison of MSEA and KMS. Both pieces of code are located outside of the code section, but when I put a bp on KMS, it never gets triggered. If anyone can help me with bypassing MSCRC in KMS, I would be very appreciative. I don't mind donating some lesson fee if it is required. I just want to win this long battle with KMS and understand how it actually works. Thank you so much for reading this post. I am not sure how other MS versions react to MSCRC, but in KMS, I get DC'd and kicked out to the login screen when I change channel or map, even with a 1-byte change in the code section. Also, I get random DCs when I use a skill or do other stuff, even without changing channel.