Update on MzBot ( For UCE developers )

March 13, 2007

As we know, if you start MzBot before you start your UCE, the UCE will screw up: once MzBot has moved the service table pointers around, the UCE's driver can no longer locate KeServiceDescriptorTableShadow the way DBKDrv.c does it. However, there's a fix for this. I am actually surprised that nobody came up with it.

Look for the handler of IOCTL_CE_INITIALIZE in DBKDrv.c; it looks like this ( I formatted it a bit so it looks nice ):
i=-25;//takes some longer to load now....
while (i<25) /* loop bound lost in extraction; reconstructed from the -25 start */
{
    /* an outer validity check on the candidate sat here; lost in extraction,
       MmIsAddressValid() is the reconstruction */
    if (MmIsAddressValid(&PossibleKeServiceDescriptorTableShow[i]))
    {
        /* the win32k entry of the shadow table is the one whose service and
           argument tables both lie inside the win32k.sys image */
        if ((((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ServiceTable>=pinp->AddressOfWin32K) &&
             ((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ServiceTable<pinp->AddressOfWin32K+pinp->SizeOfWin32K)) &&
            (((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ArgumentTable>=pinp->AddressOfWin32K) &&
             ((UINT_PTR)PossibleKeServiceDescriptorTableShow[i].ArgumentTable<pinp->AddressOfWin32K+pinp->SizeOfWin32K)) &&
            (PossibleKeServiceDescriptorTableShow[i].TableSize<2000)) /* upper bound reconstructed */
        {
            KeServiceDescriptorTableShadow=&PossibleKeServiceDescriptorTableShow[i];
            *(UINT_PTR*)Irp->AssociatedIrp.SystemBuffer=(UINT_PTR)KeServiceDescriptorTableShadow;

            DbgPrint("KeServiceDescriptorTableShadow[0]=%p",&KeServiceDescriptorTableShadow[0]);
            DbgPrint("KeServiceDescriptorTableShadow[1]=%p",&KeServiceDescriptorTableShadow[1]);
            DbgPrint("KeServiceDescriptorTableShadow[2]=%p",&KeServiceDescriptorTableShadow[2]);
            DbgPrint("KeServiceDescriptorTableShadow[3]=%p",&KeServiceDescriptorTableShadow[3]);

            AddSystemServices();
            break;
        }
    }
    i++;
}

Then you replace it with:
/* KeServiceDescriptorTableShadow[0] is a copy of KeServiceDescriptorTable[0] ( ntoskrnl's
   table ), so probe the places that copy has been seen relative to KeServiceDescriptorTable.
   The win32k entry follows it one 0x10-byte SERVICE_DESCRIPTOR_TABLE entry later, and that
   is the entry the old loop was hunting for. The (ULONG) casts make this x86-only, and the
   probes dereference fixed offsets without MmIsAddressValid(). */
ntStatus=STATUS_UNSUCCESSFUL; /* otherwise a failed probe still reports success below */
if ( (ULONG) ((PSERVICE_DESCRIPTOR_TABLE) (((ULONG)KeServiceDescriptorTable)+0x40))->ServiceTable == (ULONG) KeServiceDescriptorTable->ServiceTable ) {
    KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE) (((ULONG)KeServiceDescriptorTable)+0x50);
    ntStatus=STATUS_SUCCESS;
} else if ( (ULONG) ((PSERVICE_DESCRIPTOR_TABLE) (((ULONG)KeServiceDescriptorTable)+0x140))->ServiceTable == (ULONG) KeServiceDescriptorTable->ServiceTable ) {
    KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE) (((ULONG)KeServiceDescriptorTable)+0x150);
    ntStatus=STATUS_SUCCESS;
} else if ( (ULONG) ((PSERVICE_DESCRIPTOR_TABLE) (((ULONG)KeServiceDescriptorTable)-0x40))->ServiceTable == (ULONG) KeServiceDescriptorTable->ServiceTable ) {
    KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE) (((ULONG)KeServiceDescriptorTable)-0x30);
    ntStatus=STATUS_SUCCESS;
} else if ( (ULONG) ((PSERVICE_DESCRIPTOR_TABLE) (((ULONG)KeServiceDescriptorTable)-0x20))->ServiceTable == (ULONG) KeServiceDescriptorTable->ServiceTable ) {
    KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE) (((ULONG)KeServiceDescriptorTable)-0x10);
    ntStatus=STATUS_SUCCESS;
}

if ( ntStatus == STATUS_SUCCESS ) {
    /* hand the win32k entry back to user mode, as the old loop did */
    *(UINT_PTR*)Irp->AssociatedIrp.SystemBuffer = (UINT_PTR)KeServiceDescriptorTableShadow;
    AddSystemServices();
}

NOTE: I never tried this code before, but I am certain that it will work; if you meet any problem, do reply to this post.
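A worked version of the idea behind that patch, added here as an example and not part of DBKDrv.c or MzBot: the four fixed probes are generalised to a bounded scan around KeServiceDescriptorTable, and a candidate has to pass both tests, the equality with KeServiceDescriptorTable[0] that the patch relies on and the win32k range check of the old loop, before it is accepted. It runs in user mode over a constructed byte region standing in for the kernel's data section; the SERVICE_DESCRIPTOR_TABLE and INIT_INPUT layouts, the table contents, the offsets and the image addresses are all assumptions made for the demonstration, and the scan bounds stand in for MmIsAddressValid().

```c
/* Added example, not DBKDrv.c or MzBot code: locate the win32k entry of
 * KeServiceDescriptorTableShadow by scanning around KeServiceDescriptorTable,
 * modelled in user mode over a constructed buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One service descriptor table entry, the layout the PSERVICE_DESCRIPTOR_TABLE
 * casts in the patch assume (16 bytes on x86, hence its +0x10 steps). */
typedef struct {
    uintptr_t ServiceTable;    /* KiServiceTable or W32pServiceTable */
    uintptr_t CounterTable;    /* unused on retail kernels */
    uintptr_t TableSize;       /* number of services */
    uintptr_t ArgumentTable;   /* KiArgumentTable or W32pArgumentTable */
} SERVICE_DESCRIPTOR_TABLE;

/* What IOCTL_CE_INITIALIZE receives from user mode: where win32k.sys is mapped. */
typedef struct {
    uintptr_t AddressOfWin32K;
    uintptr_t SizeOfWin32K;
} INIT_INPUT;

static void read_entry(uintptr_t at, SERVICE_DESCRIPTOR_TABLE *out)
{
    memcpy(out, (const void *)at, sizeof *out);   /* no aliasing of the scan buffer */
}

/* The plausibility test the old DBKDrv.c loop applies to the win32k entry. */
static int looks_like_win32k_entry(const SERVICE_DESCRIPTOR_TABLE *e, const INIT_INPUT *inp)
{
    uintptr_t lo = inp->AddressOfWin32K, hi = lo + inp->SizeOfWin32K;
    return e->ServiceTable >= lo && e->ServiceTable < hi &&
           e->ArgumentTable >= lo && e->ArgumentTable < hi &&
           e->TableSize > 0 && e->TableSize < 2000;
}

/* Walk [scan_lo, scan_hi) in pointer-sized steps for a full copy of
 * KeServiceDescriptorTable[0]; KeServiceDescriptorTableShadow[0] is that copy and
 * the win32k entry follows it. Both tests are applied, the ServiceTable equality
 * the patch relies on and the range check of the old loop, so a stray copy of the
 * KiServiceTable pointer is not mistaken for the table. The scan bounds stand in
 * for MmIsAddressValid(). Returns the win32k entry's address, or 0 if not found. */
uintptr_t find_shadow_win32k(uintptr_t kesdt, const INIT_INPUT *inp,
                             uintptr_t scan_lo, uintptr_t scan_hi)
{
    SERVICE_DESCRIPTOR_TABLE ntos, cand, next;
    uintptr_t p;

    read_entry(kesdt, &ntos);
    for (p = scan_lo; p + 2 * sizeof cand <= scan_hi; p += sizeof(uintptr_t)) {
        if (p == kesdt)
            continue;                               /* the original, not a copy */
        read_entry(p, &cand);
        if (cand.ServiceTable != ntos.ServiceTable ||
            cand.ArgumentTable != ntos.ArgumentTable ||
            cand.TableSize != ntos.TableSize)
            continue;
        read_entry(p + sizeof cand, &next);
        if (looks_like_win32k_entry(&next, inp))
            return p + sizeof cand;
    }
    return 0;
}

/* Constructed "kernel data section": the main table at +0x200, the shadow table
 * 0x140 bytes later (one of the offsets the patch probes), and a stray copy of the
 * KiServiceTable pointer as a decoy. Every address below is made up. */
enum { REGION_SIZE = 0x1000, KESDT_OFF = 0x200, SHADOW_OFF = KESDT_OFF + 0x140 };
static uintptr_t region_words[REGION_SIZE / sizeof(uintptr_t)];

/* Lay the region out (with or without a shadow table) and run the scan.
 * Returns the located win32k entry's offset into the region, or -1. */
long demo_locate_shadow(int plant_shadow)
{
    unsigned char *region = (unsigned char *)region_words;
    uintptr_t ntos_base = 0x80400000u, w32k_base = 0xBF800000u, w32k_size = 0x1C0000u;
    SERVICE_DESCRIPTOR_TABLE ntos = { ntos_base + 0x1000, 0, 284, ntos_base + 0x2000 };
    SERVICE_DESCRIPTOR_TABLE w32k = { w32k_base + 0x1000, 0, 667, w32k_base + 0x2000 };
    INIT_INPUT inp = { w32k_base, w32k_size };
    uintptr_t found;

    memset(region, 0, REGION_SIZE);
    memcpy(region + KESDT_OFF, &ntos, sizeof ntos);
    memcpy(region + KESDT_OFF - 0x80, &ntos.ServiceTable, sizeof ntos.ServiceTable);
    if (plant_shadow) {
        memcpy(region + SHADOW_OFF, &ntos, sizeof ntos);                 /* Shadow[0] */
        memcpy(region + SHADOW_OFF + sizeof ntos, &w32k, sizeof w32k);   /* Shadow[1] */
    }
    found = find_shadow_win32k((uintptr_t)(region + KESDT_OFF), &inp,
                               (uintptr_t)region, (uintptr_t)region + REGION_SIZE);
    return found ? (long)(found - (uintptr_t)region) : -1;
}

int main(void)
{
    printf("win32k shadow entry at region+0x%lx (expected 0x%lx)\n",
           (unsigned long)demo_locate_shadow(1),
           (unsigned long)(SHADOW_OFF + sizeof(SERVICE_DESCRIPTOR_TABLE)));
    printf("with no shadow table in range: %ld\n", demo_locate_shadow(0));
    return 0;
}
```

The stride is one pointer rather than one entry, so the walk does not depend on how the two tables happen to be aligned against each other, and the same logic gives 16-byte entries on x86 and 32-byte ones on x64. In a driver the window would be the pages around KeServiceDescriptorTable that MmIsAddressValid() accepts, exactly the guard the old loop had and the patch dropped.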


MzBot_Lite-2.0.0-Beta! Open for public testing!

March 10, 2007

Recently I have been quite busy, so only now have I had some time to spend on programming/hacking.

The new version of MzBot — 2.0.0, is now under public beta!

However, don’t be too happy:
- Auto-skills not available.
- It is a “Lite” version: only the CLi ( Command Line interface ) and HKi ( Hotkey Interface ), since Borland lags the hell outta my comp.

MzBot’s not yet frozen for 2.0.0; that means other stuff might be added later.
- Auto-skills might be added later; no time for that one as of now.
- Scripting might be added in later

If you experience any problem, please do notify me. ( Reply to this post perhaps? )
If you want new features, you may contribute to this project. ( I will consider giving you the source. )
( MzBot might be released under GPL later on. )
If you experience problems regarding auto-potting, do post the log ( the lines that appear on screen ) while you are auto-potting. ( You might want to just post a line, and tell me where the HP/MP potting position was set at that time. )

Also, there is a letter for iNCA embedded in the MzBot, just like the previous versions. ( A command would save it to the disk, can you find it? )

I might open up a website as MzBot’s homepage ( probably including an SVN/CVS ), but later on, since I have been quite busy recently. ( Check back later. )
Download mirror1:
http://www.live-share.com/files/175157/MzBot_Lite-2.0.0-Beta.zip.html
Download mirror2: http://www.rogepost.com/n/0665053261
File size: ~ 7k

NOTE: If you hate the command prompt ( CLi ), just ignore it and use the hotkey of previous version. ( There’s no change in the hotkeys, although the whole thing is recoded )
EDIT: download mirror 2 added because live-share doesn’t seem to support Singapore ISPs… AP File Host + AP ISP == Phail!


MzBot

February 18, 2007

1. When it all started
Oct/Nov 2006, when my final year examination was over ( in which I slacked and scored only 73% ), I really had some time to spend on hacking.
One of my friends, tsj4j ( Spencer Thang, from RI ), came and asked me for a simple Autoclicker for use in Trickster Online, which also uses nProtect GameGuard. So I just used the same simple method of bypassing the usermode hook, and injected into the game process.
However, he later reported back to me that it doesn’t work!
I instructed him to briefly debug the Autoclicker, and it turned out that the loophole allowing the game process to bypass the SSDT hook had been patched.
That inspired me to screw their hook.

2. November holiday, when I am bored
I went back to Taiwan in mid November…
That was when I thought of the SSDT relocation, which is documented in both my blog ( See the MSBot case ) and in Dual’s blog.

3. Ideas put in action
At the end of November, I wrote the driver and tested it out. ( TiMBuS has seen the command line debugging utility for MzBot.sys before. )
The GUI was done on the 1st of December.
That night, my mom went to the hospital to look after my grandpa ( who died just recently.. T_T ), so I could sleep anytime I wanted…
Around midnight, I thought I wanted to leave something for the iNCA people, just in case it leaked out, so I wrote and embedded a letter to iNCA in MzBot. ( You all should try to get it out? )
I don’t really treat MzBot as an important project, nor was it meant to be public; that’s why I didn’t really give it proper protection. I only packed it with ASPR, and added a small anti-unpack ( still can’t fool SunBeam.. )

4. Sigh…
Around the end of Feb 2007, many people in MSS asked me for MzBot, so I made a version that expires on 15 Feb, and gave it out by sending it to them individually.
Then, somebody gave it to BrandonMS ( thanks to SunBeam for notifying me ); that’s how it all got leaked…

Appendix 1: Regarding the autopotting:
The autopotting is working on my computer, so I don’t see why it isn’t working on yours…
There’s a way to make MzBot bypass MSBot or MSPro, but it is private. I only told 1 person about it, so if you are that person, you should know better than to leak it.


Sigh… I wish I can #undef LEAKERS and LEECHERs…

February 17, 2007

This has been the major problem for almost the whole MapleStory cheating community — Leakers, Leechers, and spammers.

There were 3 recent cases that discouraged me to a great extent:
1. The Rajinn and ZTrainer case:
ZTrainer is one of the internal DA projects, just a trainer with most of the usual functions like auto-CC, auto-pot and stuff; it was made around Aug 2006.
Later, Rajinn was expelled from the Dark Alliance, the reason being mainly pissing dL off.
However, he already had the ZTrainer source code by the time he was expelled. Later, I went to tell him why he was expelled. He was so angry that he asked me to suck his d*ck… ( I ain’t g@y… )
Then, he just renamed ZTrainer into JinnTrainer, without any credit given. Furthermore, he claimed that ZTrainer just sucks…
Halfway through his renaming, he still had the face to come and ask me how to move a label in my ZTrainer… -_-”
2. The Linosal and DA website case:
The Dark Alliance was set up on the new year of 2006, or perhaps before that, by Kenshim and Zaros.
I joined in around April, when I made ZE, the first UCE in MapleStory hacking history.
Around August, both Kenshim and Zaros went inactive, and I was elected the new leader. I then decided to fork the DA off from the CE Forum. Linosal volunteered to host the new forum.
Everything was fine till this Feb, when all of a sudden the whole public could visit the Dark Alliance forum. At first, I thought the DA site had been hacked; however, later Linosal said that he had “liberated” the forum!
Just to earn a few dollars from the Google ads he put up on the site after he “liberated” it, he betrayed all of us…
3. The MzBot issue:
Will be posted in the next blog entry.


Debian Etch, nVidia x86_64 and Beryl Window Manager.

February 12, 2007

It was recently that I attempted to install the x86_64 nVidia video card driver on my Debian Sarge box, equipped with a Sempron 2800+ and an onboard nVidia GeForce 6150. Somehow, the driver installer just crashed with a Segmentation Fault ( oh… well, it is the equivalent of a memory access exception/violation on Windows ). I tried whatever I could; it just doesn’t work. I was very sad, so I booted back into my x86 kernel on Sarge. Then I forgot about it…

Debian Linux has a long development cycle; Sarge is already one and a half years old. More recently, the soon-to-be-released Debian Etch caught my attention. It looks very promising: the x86_64 ( aka amd64 ) architecture is now officially supported. Also, X.Org is now the official X server, implying that XGL/AIGLX/Composite rendering is supported, and we can use the Compiz/Beryl window manager.

At first, when I tried out the Debian Etch RC1 amd64 version, I met an error, but it was quickly solved by throwing my questions onto the debian-boot mailing list; refer to my post here: http://lists.debian.org/debian-boot/2007/02/msg00167.html

Most of my old problems with Debian Sarge were automatically solved by installing the new Debian Etch, especially the nVidia driver problem. The GeForce 6150 just works great with Debian Etch! The problem with the Chinese input method is also solved.

I also installed the Beryl Window Manager, the GUI’s absolutely sweet ( ha… eye candy! )
Here’s a few screenshots:
- The normal desktop.
- Displaying the virtual desktops as a cube.
- Ring alt-tab.
- A feature similar to Mac OS X’s Exposé.
- That’s what happens when you drag a window.

You can find out more about Beryl Window Manager at its homepage: http://www.beryl-project.org/
Or, you can search for Beryl on YouTube.


The case of the exploding Coca-Cola

January 20, 2007

This is probably one of the very rare non-computer-related blog entries that you can find in my blog.

In my family, the usual method of “drinking” Coca-Cola is to put it in the fridge, or rather the freezer, and let it freeze. Then, later, open the top of the frozen Coca-Cola bottle with a can opener, and eat it with a spoon…

It was recently that the stock of Coca-Cola in my house ran out, so my mom went out to buy another box. The previous box was bought approximately one year ago, during the Chinese New Year.

After this, my brother and I put two bottles of it in the freezer. By around 7pm+, my mom was in the kitchen cooking when she heard a pop; she thought something had exploded, but somehow she couldn’t find it… However, later on, around 8pm, when we opened the freezer, we witnessed a messy scene in there…

This is what the two bottles look like after the mess in the freezer was sorted out:

Big mess huh?

Water is a very special substance: it expands when cooled below 4 degrees Celsius. If there is more water in the Coca-Cola, then when frozen the total volume would increase more, and the bottle would then explode; thus I guess the company is adding more water to its product to reduce the cost of production. Anyway, who knows?

And just one more piece of old news: MzBot’s still working with nProtect GameGuard rev939… So, should I conclude: “Only private hacks/bots last.”?
My advice: keep your hacking utility private…

( x86_64 & nVidia entry coming up soon.. LoL… )


Really busy recently with school work

January 10, 2007

School started on the 3rd of Jan in Singapore, and the start of the school term means less time for hacking. Sorry that I didn’t update my blog for some time.

I am in Temasek Junior College’s integrated programme this year; the orientation’s quite “fun”, but also quite tiring. I would rather have lessons and lectures ( I LOVE LECTURES, but I don’t get many of them.. LoL ). I also “gobble” up every piece of homework that comes in my path…

Also, recently, I burnt a stick of DDR… One day when I came home from school, my mom told me that she couldn’t start the comp; it hangs randomly. I have met this kind of situation before, and the RAM is the prime suspect, so I booted from Knoppix and chose memtest86+ at the isolinux screen. ( It doesn’t hang there because only the base 64k of memory is used; the rest is not.. ) It showed that memory from approximately 200MB~300MB is bad. I removed that stick of DDR ( it’s 256MB, by the way ) and the comp works again…

Lesson learnt: if your comp hangs randomly during the startup process, you should run memtest86+ and remove the bad RAM.
The removed stick of RAM was covered with dust from the CPU’s cooling fan, so I strongly suggest to motherboard makers: DO NOT place the RAM near the CPU.

I might do some more GameGuard killing during the weekend…. Another post regarding the nVidia Linux driver and the x86_64 Linux kernel coming up soon…


Cont: Detour hooking without GetProcAddress() and VirtualProtect()?

December 28, 2006

It has been quite some time since I last blogged, since I have been really quite busy. Not only did I finish my kernelmode unhooker, I also finished my usermode unhooker.

A few days ago, Uligor suggested that npggnt.des calls GetProcAddress() and VirtualProtect() by directly importing ntdll’s functions — NtProtectVirtualMemory() and LdrGetProcedureAddress(). I thought, “Hey, how stupid of me not to think of that?”. The usual kernel32.dll that we import our kernel subsystem functions from actually redirects our requests to ntdll, and GameGuard is public software; they are certainly expecting people to attack them, thus they should be ready for it.

However, things are not like what Uligor and I imagined. I thought that in order to defeat npggnt.des, I have to know it well, so I unpacked it and analysed it.


IAT of unpacked npggnt.des


I viewed the IAT with LordPE; there is no sight of ntdll. This is weird, so I disassembled npggnt.des to see what’s up in there. I also noticed that npggnt.des has 3 exports.

3 export entries in npggnt.des

After some disassembly, this is what I think they are doing:
1. Inject npggnt.des.
2. GameMon calls CreateRemoteThread to call the 3rd export in every running process.
3. The 3rd export hooks the functions, and meanwhile sets up a “Hook Table”.
4. It starts a thread and returns.
5. The thread constantly checks for modification of their hooks, and overwrites them again if found.
6. It also checks for modification of npggnt.des’s first 0x9000 bytes; if found, it notifies GameMon through a file mapping, and GameMon will close the game.

I guess I am lazy this time, so I just gave their “CRC” routine and hook check routine a “Tick ZF”… And GameGuard’s usermode hook == GameOver.

But how do they do the hooking without calling the functions mentioned in the blog entry topic? I guess I hooked the function incorrectly, or they overwrote my hook, LoL!

( Note: I didn’t release where to “Tick ZF” as it is too “anti-leaking” to be left public. )
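To make the two routines concrete, here is an added model, not npggnt.des's code, of what steps 3 to 6 above describe: a hook table of target addresses and expected detour bytes, one pass of the checking thread that re-writes any detour that has been changed, and a CRC over the module's first 0x9000 bytes that flags modification. It also shows why both routines had to be dealt with: putting a hooked function's original bytes back is undone on the next pass, and patching the checker itself trips the CRC. Everything in it is constructed: the hooked "functions" are NOP-filled buffers, the module image is generated bytes, the JMP targets are arbitrary, and CRC-32 is an assumption for whatever checksum the real routine uses.

```c
/* Added example, not npggnt.des code: a model of the hook-table watchdog and the
 * module CRC check described above, over constructed buffers. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DETOUR_LEN 5                 /* JMP rel32 written over a function prologue */
#define WD_HOOK_RESTORED   1         /* a detour had been changed and was re-written */
#define WD_MODULE_MODIFIED 2         /* the first bytes of the module no longer match */

typedef struct {
    unsigned char *target;               /* first bytes of the hooked function */
    unsigned char  hooked[DETOUR_LEN];   /* what those bytes must look like */
} HOOK_ENTRY;

typedef struct {
    HOOK_ENTRY          *hooks;
    size_t               nhooks;
    const unsigned char *module;         /* the first 0x9000 bytes of the module */
    size_t               module_len;
    uint32_t             module_crc;     /* taken once, right after hooking */
} HOOK_TABLE;

/* CRC-32 (IEEE 802.3), bitwise; an assumed stand-in for their "CRC" routine. */
uint32_t crc32_region(const unsigned char *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Write a JMP rel32 over the target and remember it in the hook table (step 3). */
static void install_hook(HOOK_ENTRY *h, unsigned char *target, int32_t rel)
{
    h->target = target;
    h->hooked[0] = 0xE9;
    memcpy(h->hooked + 1, &rel, sizeof rel);     /* little-endian, as on x86 */
    memcpy(target, h->hooked, DETOUR_LEN);
}

/* One pass of the checking thread (steps 5 and 6): re-write any detour that no
 * longer matches, then compare the module CRC. Returns a WD_* bitmask; in the
 * real thing WD_MODULE_MODIFIED is what gets reported to GameMon. */
int watchdog_pass(HOOK_TABLE *t)
{
    int status = 0;
    for (size_t i = 0; i < t->nhooks; i++) {
        HOOK_ENTRY *h = &t->hooks[i];
        if (memcmp(h->target, h->hooked, DETOUR_LEN) != 0) {
            memcpy(h->target, h->hooked, DETOUR_LEN);
            status |= WD_HOOK_RESTORED;
        }
    }
    if (crc32_region(t->module, t->module_len) != t->module_crc)
        status |= WD_MODULE_MODIFIED;
    return status;
}

/* Constructed stand-ins: a module image and the code of a hooked process. */
enum { MODULE_LEN = 0x9000, CODE_LEN = 0x2000 };
static unsigned char module_image[MODULE_LEN];
static unsigned char process_code[CODE_LEN];
static HOOK_ENTRY    hooks[2];
static HOOK_TABLE    table;

/* Set everything up and apply a scenario: 0 = untouched, 1 = someone put the
 * original bytes back over the first hook, 2 = someone patched a byte inside the
 * module. Returns the first watchdog pass' verdict. */
int demo_watchdog(int scenario)
{
    memset(process_code, 0x90, sizeof process_code);        /* NOPs as "original code" */
    for (size_t i = 0; i < MODULE_LEN; i++)
        module_image[i] = (unsigned char)(i * 31 + 7);
    install_hook(&hooks[0], process_code + 0x100, 0x1000);  /* say, SendInput */
    install_hook(&hooks[1], process_code + 0x800, 0x2000);  /* say, PostMessageA */
    table.hooks = hooks;          table.nhooks = 2;
    table.module = module_image;  table.module_len = MODULE_LEN;
    table.module_crc = crc32_region(module_image, MODULE_LEN);

    if (scenario == 1) memset(process_code + 0x100, 0x90, DETOUR_LEN);
    if (scenario == 2) module_image[0x1234] ^= 0x01;
    return watchdog_pass(&table);
}

/* After an in-place unhook, the next pass finds the detour back in place. */
int demo_hook_survives_unhook(void)
{
    demo_watchdog(1);
    return watchdog_pass(&table) == 0 &&
           memcmp(process_code + 0x100, hooks[0].hooked, DETOUR_LEN) == 0;
}

int main(void)
{
    printf("untouched: %d, unhooked: %d, module patched: %d, hook re-applied: %d\n",
           demo_watchdog(0), demo_watchdog(1), demo_watchdog(2), demo_hook_survives_unhook());
    return 0;
}
```

A detour that is simply overwritten comes back on the next pass, which is why an unhooker has to stop the checking thread, or make its comparison always succeed, before the hook bytes are touched; and since the comparison code lives inside the region the CRC covers, the CRC check has to be dealt with first.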


Arrogant and stubborn — Priceless. MSBot working on GameGuard rev896.

December 23, 2006

I am an arrogant and stubborn person, and being arrogant and stubborn at the wrong time can cost a lot…

You might think that finally this is one blog entry that doesn’t concern computing. Then you are wrong. I am not going to talk about how I paid the price for being arrogant; instead, I am going to elaborate on how GameGuard made the mistake, and paid the price.

Let me first explain how GameGuard blocks SendInput. GameGuard uses hooking techniques in both usermode and kernelmode: it detour-hooks SendInput in user32.dll in usermode, and hooks NtUserSendInput’s entry in the shadow SSDT ( win32k’s service table ) in kernelmode.

MSBot mainly bypasses the usermode hook by using Windows’ NCI ( Native Call Interface ), i.e. making the system call directly, thus bypassing GameGuard’s usermode detour hook in user32.dll. The kernel-mode hook is somewhat trickier: TiMBuS ( author of MSBot ) found out that GameGuard’s kernel-mode hook allows MapleStory itself to call NtUserSendInput. So he injected MSBot’s code into MapleStory.exe’s address space, and voilà! It works!

Things were not so good after GameGuard rev896+: they patched MSBot by no longer letting Maple through their NtUserSendInput hook.

GameGuard prevents their SSDT hook from being unhooked by repeatedly checking that the hook is still there, and overwriting it again if it has changed. If they detect that some entries changed, they will

    mov al, 0FEh
    out 64h, al

Common sense tells us that we will get a reboot ( writing 0FEh to the keyboard controller’s command port 64h pulses the CPU reset line )… Nice huh?

Recently, I was reverse engineering GameGuard’s core — dump_wmimmc.sys… and I came across this ( I commented it.. ):
GG checking for their SSDT Hook
This is the first time I’ve seen them thinking for us… probing whether their hook function exists before overwriting it, to prevent a BSOD… ( Or they are thinking of their customer service, I guess… )

Alt_KeSDTST2 is loaded in DriverEntry with the address of KeServiceDescriptorTableShadow->ServiceTable. It is never loaded with a new value again, because GameGuard strongly believes in what it believes.. ( -_-” Duh! ) I have advised it many times to update its SSDT ServiceTable pointer to my dummy ServiceTable! ( LoL :P ) But GameGuard is arrogant and stubborn! It refuses to listen to me!

Their arrogance and stubbornness come with a price: I can misuse it to bypass their hooks…
Here’s my plan:

If GameGuard is so sure about the ServiceTable base address, we can change it without them knowing.
So this is what I will do:
1. Allocate KeServiceDescriptorTable->TableSize*sizeof( PVOID ) bytes of memory.
2. Copy KeServiceDescriptorTable->ServiceTable into that memory.
3. Set KeServiceDescriptorTable->ServiceTable to point to that memory.
4. Wait for GameGuard to load; it will hook the allocated memory instead of the real SSDT.
5. Restore KeServiceDescriptorTable->ServiceTable to the original address.
6. Do the same to KeServiceDescriptorTableShadow….
( The copy has to stay allocated, in non-paged pool, for as long as GameGuard is loaded: its checker keeps writing hooks through the pointer it cached, so freeing the copy would hand it freed pool to write into. )

And voilà! MSBot works again on rev896!!
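The plan in steps 1 to 5, as an added user-mode model that is not MSBot's or GameGuard's code: a two-entry service table, a "GameGuard" that caches the ServiceTable pointer in its DriverEntry and re-applies its hook through that cached pointer on every check, and the relocation that makes it hook a decoy. A naive in-place unhook is included for contrast, so the watchdog's reaction is visible. The services, their indices and return values are constructed, the watchdog re-hooks instead of rebooting, and only KeServiceDescriptorTable is modelled; step 6 applies the same moves to the shadow table.

```c
/* Added example, not MSBot or GameGuard code: a user-mode model of the SSDT
 * relocation in steps 1-5 above. Services, indices and return values are made up. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef int (*SERVICE_FN)(int);

/* KeServiceDescriptorTable entry, trimmed to the two fields the trick touches. */
typedef struct {
    SERVICE_FN *ServiceTable;   /* KiServiceTable: the array of service routines */
    uint32_t    TableSize;      /* number of entries in it */
} SERVICE_DESCRIPTOR_TABLE;

enum { IDX_SENDINPUT = 0, IDX_GETMESSAGE = 1, NUM_SERVICES = 2 };

/* Stand-ins for the real services (constructed behaviour). */
static int NtUserSendInput_real(int n)  { return n * 2; }
static int NtUserGetMessage_real(int n) { return n + 1; }

static SERVICE_FN real_table[NUM_SERVICES];
static SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable = { real_table, NUM_SERVICES };

/* The kernel's dispatcher: goes through whatever the descriptor points at now. */
static int syscall_dispatch(int index, int arg)
{
    return KeServiceDescriptorTable.ServiceTable[index](arg);
}

/* ---- "GameGuard": hook on load, cache the table pointer, re-apply forever ---- */
static SERVICE_FN *Alt_KeSDTST;                      /* the cached pointer (Alt_KeSDTST2 above) */
static int gg_NtUserSendInput_hook(int n) { (void)n; return -1; }   /* input blocked */

static void gg_driver_entry(void)
{
    Alt_KeSDTST = KeServiceDescriptorTable.ServiceTable;   /* read once, never refreshed */
    Alt_KeSDTST[IDX_SENDINPUT] = gg_NtUserSendInput_hook;
}

/* The periodic check. Returns 1 if the hook was missing and has been re-written
 * (where the real driver would go on to the port 64h reboot). */
static int gg_watchdog(void)
{
    if (Alt_KeSDTST[IDX_SENDINPUT] == gg_NtUserSendInput_hook)
        return 0;
    Alt_KeSDTST[IDX_SENDINPUT] = gg_NtUserSendInput_hook;
    return 1;
}

/* ---- "MzBot": steps 1-3 before GameGuard loads, step 5 afterwards ---- */
static SERVICE_FN *decoy_table;
static SERVICE_FN *saved_service_table;

static void relocate_service_table(void)
{
    size_t bytes = KeServiceDescriptorTable.TableSize * sizeof(SERVICE_FN);
    if (!decoy_table && !(decoy_table = malloc(bytes)))                /* 1. allocate */
        abort();
    memcpy(decoy_table, KeServiceDescriptorTable.ServiceTable, bytes);  /* 2. copy */
    saved_service_table = KeServiceDescriptorTable.ServiceTable;
    KeServiceDescriptorTable.ServiceTable = decoy_table;               /* 3. redirect */
}

static void restore_service_table(void)
{
    KeServiceDescriptorTable.ServiceTable = saved_service_table;        /* 5. put it back */
}

/* Fresh machine: real table, no hooks. */
static void reset_world(void)
{
    real_table[IDX_SENDINPUT]  = NtUserSendInput_real;
    real_table[IDX_GETMESSAGE] = NtUserGetMessage_real;
    KeServiceDescriptorTable.ServiceTable = real_table;
}

/* Boot, optionally relocate, let GameGuard load (step 4), restore, then let the
 * watchdog run a few times. Returns what NtUserSendInput(3) yields afterwards. */
int send_input_after_gameguard(int use_relocation)
{
    reset_world();
    if (use_relocation) relocate_service_table();
    gg_driver_entry();                          /* 4. it hooks whatever it sees */
    if (use_relocation) restore_service_table();
    for (int i = 0; i < 3; i++) gg_watchdog();  /* still finds its hook in the decoy */
    return syscall_dispatch(IDX_SENDINPUT, 3);
}

/* The naive alternative: overwrite the hook in the real table. Returns the
 * watchdog's verdict; afterwards the hook is back in place. */
int naive_unhook_watchdog_verdict(void)
{
    reset_world();
    gg_driver_entry();
    real_table[IDX_SENDINPUT] = NtUserSendInput_real;
    return gg_watchdog();
}

int main(void)
{
    printf("relocated:    NtUserSendInput(3) = %d\n", send_input_after_gameguard(1));
    printf("plain:        NtUserSendInput(3) = %d\n", send_input_after_gameguard(0));
    int verdict = naive_unhook_watchdog_verdict();
    printf("naive unhook: watchdog verdict %d, NtUserSendInput(3) = %d\n",
           verdict, syscall_dispatch(IDX_SENDINPUT, 3));
    return 0;
}
```

The decoy is never freed in the model for the same reason it must not be freed in the driver: the watchdog keeps writing through the pointer it took in DriverEntry, so the copy has to outlive GameGuard. The timing is the other constraint: the swap only works if it is in place before GameGuard's DriverEntry runs and is undone only after it.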


Lesson Learned: Don’t use outdated software

December 22, 2006

Actually there’s another episode behind the KeygenMe blog entry….

It began as I got tired of using Visual C++’s inline assembler to code KeygenMe. Thus, I decided that it’s time for me to code real assembly, and it should be assembled with a real assembler! ( not crappy cl.exe… LoL )

As an open source supporter, my first choice was nasm, also known as the Netwide Assembler, by Peter H. Anvin. I didn’t try GAS ( GNU Assembler ) because I don’t really like AT&T assembly syntax; I just use it for jokes.. ( not funny :P ) In the end, I didn’t use nasm as nasm is not really suited to Windows; I would definitely use nasm on Linux. With nasm, most APIs are not supported, and it doesn’t even come with a linker! ( On Windows, of course… )

My next try would be something that is designed for Windows. So that’s either masm, also known as the Microsoft Macro Assembler, or tasm, also known as the Turbo Assembler, by Inprise/Borland. I don’t have masm with me, or rather, it comes with the Windows XP Driver Development Kit, and doesn’t have complete support for all the usual user mode calls like printf, VirtualAlloc.. etc

Turbo Assembler comes with Borland Developer Studio, and the path is already set up, so I gave tasm a try. In fact, I gave it more than a try: I downloaded many sample codes and read them. I also read many tutorials. The KeygenMe in my previous blog entry is assembled with Turbo Assembler.

However, there was an unexpected problem after uploading it. Xentar messaged me that the file is missing one critical DLL — cc3270.dll. I instantly knew that it’s a Borland DLL. After some googling, I found out that I used the RTL .lib ( cw32i.dll ); instead, I should use the static .lib ( cw32.lib ) to link my KeygenMe. I happily modified my makefile, assembled it again, then uploaded it. I reckoned that there was not going to be any more trouble…

However, the trouble was not over yet: after uploading it, I tried it myself. My KeygenMe terminated immediately after running. Something was very wrong. As it was late, I had no choice but to sleep first and solve the problem the next day. I uploaded the old KeygenMe with cc3270.dll from my system32/

The next day, after a whole morning of debugging with OllyDbg…

I found out that the stream is not initialized with the static build. Unfortunately, cw32.lib’s routines aren’t documented, so I had no choice but to give up.

The main problems I have with Turbo Assembler are:
- Many routines undocumented
- New Windows NT APIs are not completely supported
- Not many tutorials ( compared to masm )
- Not much sample code ( compared to masm )

All this is because Turbo Pascal is no longer supported by Borland, and they are not releasing new assemblers. This taught me a lesson: don’t use obsolete software.

Another conclusion about assembly programming:
Use gas if you want to be called a nerd. Just kidding :P ( LoL, brian )
Use gas if you need to be compatible with gcc, or you are working with the Linux kernel….
Use tasm if it’s the year 2000.
Use nasm if you are on any POSIX system.
Use masm if the above doesn’t fit….

You can expect my next KeygenMe to be assembled with masm. :D