Moopler
kino0924

Question: Need some help with locating KMS MSCRC

Hello everyone.

I am dying to find an MSCRC bypass for KMS but am currently out of luck.
The approach I took was to first understand how other MS versions (GMS, MSEA) get bypassed, and then apply the same technique to KMS.

I first tried the GMS MSCRC bypass technique.
The way it works is that the function is patched to xor al, al and ret.
I found the same function in the KMS client, but it doesn't do much of its job there.
I changed this function just as it is done in GMS, but I still get DCed.

[Screenshot: kmscrc1.png]

Since this function is not getting called, even zeroing the al register and returning doesn't do much.

 

My second approach was looking into the MSEA MSCRC bypass.
My understanding of this bypass is that it creates a copy of the code section and uses that copy when calculating the CRC.

I looked into the script and realized that the CRC code is located outside of the code section.
This made it a little difficult to analyze with IDA, but it was not a big deal.

I found pretty much the same code in the KMS client as well, but again... it's not getting called.

[Screenshot: kmscrc.png]

This screenshot is a comparison of MSEA and KMS.
Both routines are located outside of the code section, but when I set a bp on the KMS one, it never gets triggered.

 

If anyone can help me with bypassing MSCRC in KMS, I would be very grateful.
I don't mind donating a lesson fee if required.
I just want to win this long battle with KMS and understand how it actually works.

 

Thank you so much for reading this post.

I am not sure how other MS versions react to MSCRC, but in KMS, I get DCed and kicked out to the login screen when I change channel or map, even with a 1-byte change in the code section.
Also, I get random DCs when I use a skill or do other things, even without changing channel.
 

Edited by kino0924


12 answers to this question


The current GMS method you explained is based on the fact that the function that executes the mscrc in GMS isn't vital, so people just return from it and skip the entire mscrc scheme, at the cost of having minor memory leaks (they return out of a cleanup function for maps, iirc).

 

The MSEA version is the one you should focus on. However, KMS has polymorphic mscrc routines, so you cannot make static hooks - you have to be smart ;)


Thank you so much for sharing valuable information.
Also, I really appreciate your valuable releases over the years; they helped me a lot to get all the way here.

I thought about your comment for a few hours, in particular about polymorphic mscrc routines.
What I thought is that if you were referring to polymorphic routines in the malware sense, the mscrc routine would exist in memory dynamically.
If you were referring to it in the programming sense, it would get called from multiple places and would require a delicate touch on the function.

However, in either case, I cannot locate the routine.
If it is polymorphic code, I should be able to locate the routine within 0x0~0x7fffffff, but I failed to find it.
If it is a polymorphic function, I should still see a break if I set a bp on it, but it doesn't break.

On the other hand, I spent some time understanding how the msea bypass works.
Mainly, there are two CRCs: a CRC of the main code, and a CRC of the CRC, which is funny.

So, as long as I can locate the routine in KMS, I should be unblocked, but it's confusing me too much.

Any further hints you can share? ;)

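The two-layer scheme described above (a CRC over the code section, plus a CRC over the checker itself) and the clean-copy redirection the MSEA bypass is said to use, as an added example that is not part of this thread and not code from any client. It simulates a process image in a flat buffer, so the offsets, the fake code bytes and the checker layout are all constructed for the demo, not KMS addresses; the CRC itself is the plain reflected CRC32 with polynomial 0xEDB88320.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Plain reflected CRC32 (polynomial 0xEDB88320): the "average crc32 algo". */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed flat "process memory" so nothing real is patched. The offsets are
 * demo choices only, not client addresses. */
#define MEM_SIZE  0x1000
#define CODE_OFF  0x100    /* simulated .text */
#define CODE_LEN  0x80
#define CHECK_OFF 0x400    /* where the code checker's constants live */
#define CLEAN_OFF 0x800    /* where a bypass parks its clean copy of .text */
static uint8_t mem[MEM_SIZE];

/* Inner checker state: read base, length, expected CRC. In a real client these are
 * immediates inside the checker routine; keeping them as bytes in `mem` lets the
 * outer check cover them the way a "CRC of the CRC" does. */
typedef struct { uint32_t base, len, expected; } checker_t;

static checker_t load_checker(void) {
    checker_t c; memcpy(&c, mem + CHECK_OFF, sizeof c); return c;
}
static void store_checker(checker_t c) { memcpy(mem + CHECK_OFF, &c, sizeof c); }

/* Outer expected value: CRC over the inner checker's own bytes. */
static uint32_t outer_expected;

void demo_init(void) {
    memset(mem, 0, sizeof mem);
    for (uint32_t i = 0; i < CODE_LEN; i++)       /* fixed pseudo-random "code" bytes */
        mem[CODE_OFF + i] = (uint8_t)(i * 37u + 11u);
    checker_t c = { CODE_OFF, CODE_LEN, crc32_buf(mem + CODE_OFF, CODE_LEN) };
    store_checker(c);
    outer_expected = crc32_buf(mem + CHECK_OFF, sizeof(checker_t));
}

/* Inner check: does the region the checker reads still match? 1 if intact. */
int code_check_ok(void) {
    checker_t c = load_checker();
    return crc32_buf(mem + c.base, c.len) == c.expected;
}
/* Outer check: were the inner checker's constants tampered with? 1 if intact. */
int outer_check_ok(void) {
    return crc32_buf(mem + CHECK_OFF, sizeof(checker_t)) == outer_expected;
}

/* Bypass step 1: snapshot clean .text before any hook is written. */
void bypass_take_clean_copy(void) { memcpy(mem + CLEAN_OFF, mem + CODE_OFF, CODE_LEN); }
/* The hook itself: one byte is enough to trip the inner check. */
void patch_one_byte(uint32_t off, uint8_t v) { mem[CODE_OFF + off] = v; }
/* Bypass step 2: make the inner checker hash the clean copy instead of live .text. */
void bypass_redirect_inner(void) {
    checker_t c = load_checker(); c.base = CLEAN_OFF; store_checker(c);
}
/* Bypass step 3: the redirection changed the checker's bytes, so the outer layer
 * must be satisfied too. Here that is a refresh of its expected value; in a client
 * that value is itself an immediate that another check can cover. */
void bypass_fix_outer(void) {
    outer_expected = crc32_buf(mem + CHECK_OFF, sizeof(checker_t));
}

/* Runs the four stages; out[i] = (inner_ok << 1) | outer_ok for stage i.
 * Returns the four stages packed into one value, stage 0 in the top two bits. */
unsigned run_scenario(unsigned out[4]) {
    demo_init();
    out[0] = (unsigned)(code_check_ok() << 1 | outer_check_ok());
    bypass_take_clean_copy();
    patch_one_byte(0x10, 0xCC);
    out[1] = (unsigned)(code_check_ok() << 1 | outer_check_ok());
    bypass_redirect_inner();
    out[2] = (unsigned)(code_check_ok() << 1 | outer_check_ok());
    bypass_fix_outer();
    out[3] = (unsigned)(code_check_ok() << 1 | outer_check_ok());
    return out[0] << 6 | out[1] << 4 | out[2] << 2 | out[3];
}

int main(void) {
    static const char *stage[4] = { "baseline", "1-byte patch", "redirect inner", "fix outer" };
    unsigned r[4];
    run_scenario(r);
    for (int i = 0; i < 4; i++)
        printf("%-15s inner=%u outer=%u\n", stage[i], r[i] >> 1, r[i] & 1u);
    return 0;
}
```

The stages show why the MSEA-style trick alone is not enough: the one-byte patch fails the inner check, pointing the inner checker at the clean copy passes it again but fails the outer check, and only handling the outer layer as well makes both pass. When the outer expected value is itself code covered by a further check, the same step repeats one layer up, which is what "CRCs checking each other" amounts to.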

KMS has an entire web of dynamically allocated, interconnected CRCs checking each other across the net, making it very hard to bypass.


Why do you keep giving me bad news 😱
Thank you so much for all your info.
I will do some work and see how it goes.


Honestly, I find this subject really interesting, even though I'm not much into the MSCRC checks.

I'm curious why it's not possible to find at least one CRC if you breakpoint any address and see what it accesses?

Shouldn't it work like that? Otherwise, how is the CRC able to detect any changes in memory?

36 minutes ago, Schwan said:

Honestly, I find this subject really interesting, even though I'm not much into the MSCRC checks.

I'm curious why it's not possible to find at least one CRC if you breakpoint any address and see what it accesses?

Shouldn't it work like that? Otherwise, how is the CRC able to detect any changes in memory?

Yes, I was able to find one location where it seems to be doing a CRC checksum.

However, the function looks far too different from other MSCRC routines, and I am having some trouble understanding how it actually works, even with IDA's help.

[Screenshot: mscrc2.png]

This is a portion of the function and the pseudocode generated by Hex-Rays.
My next plan is to find the calculated value before the memory edit, inject it with a hardware bp, and apply the memory patch again.


It looks like any average crc32 algo, idk why you think otherwise.

The CRCs don't always access memory; some of them might just access each other. Also, most CRCs are put in specific memory positions, making them trigger on special events.

 

19 hours ago, NewSprux2.0? said:

It looks like any average crc32 algo, idk why you think otherwise.

The CRCs don't always access memory; some of them might just access each other. Also, most CRCs are put in specific memory positions, making them trigger on special events.

 

It is a typical crc32 algo, but I said it looks too different from other MSCRC functions.

I was referring to the patching area of MSCRC, not the actual algo.

On the other hand, I was playing around with hardware bps, but again, there's some kind of detection going on and the client crashes in 10 min or so.

1 minute ago, NewSprux2.0? said:

There’s anti-breakpoint routines too. Iirc, KMS, they even reset the flags upon detection.

Yeah, that was one of my assumptions to check.
For about a minute before I get DCed, I didn't see any bps happening, and the game was acting weird before it crashed (unable to change channel, etc.).

I made a small generic debugger with hwbps.
Initially it got detected by Themida, but the unpacked binary got me through the first hurdle.

Anyhow, at this moment, my only method to achieve my goal is defeating mscrc... I cannot think of any other workaround.

All I'm trying to do is hook incoming chat messages and log mesos when they change.
I already have the points to hook and confirmed it's working as I expected.

mscrc is the only remaining blocker, but the most challenging obstacle haha.

 

Thanks NewSprux2.0 once again
