jayswag  
#1 Posted : Wednesday, May 11, 2011 11:00:19 PM(UTC)
jayswag

Rank: Member

Groups: Registered
Joined: 4/9/2011(UTC)
Posts: 11

Was thanked: 2 time(s) in 1 post(s)
Wow, Trion really put a hurting on updating my offsets... from what I've heard they implemented something so that XYZ and, for instance, swim state isn't kept on static pointers..? Plus some obfuscation? (Correct me if I'm wrong there.)

I'm wondering if you have dug through the 1.2 hotfix #1 exe yet and what your thoughts on it were. Any way to bypass this static pointer crap? It's really lame not being able to find a damn static 8 levels down...

Just when I thought I had everything updated...

Any of your thoughts/input (possibly a blog on it..? ^_^) would be well appreciated!

Thanks a lot!


Da_Teach  
#2 Posted : Thursday, May 12, 2011 8:56:27 AM(UTC)
Da_Teach

Rank: Administration

Groups: Administrators
Joined: 1/24/2011(UTC)
Posts: 541

Thanks: 1 times
Was thanked: 247 time(s) in 79 post(s)
Don't believe everything that you read on the digital internetz...

The only major thing they changed thus far is XOR some of the base pointers; all base pointers have different XOR values (to keep things interesting). I would not be surprised if some of the values in the game are XOR'ed already or will be XOR'ed in the future. They might have XOR'ed sub-pointers, but I didn't get that far.

Without IDA it can be a bit of a bitch to find out.

I did see some 'strange' usage of ebp (stack) pointers which could point to stack detection (e.g. is the function called from game code, or from external code?). But I ran 'out of time' yesterday. I'll be looking into those functions more soon (tm).

Also, the changes that they made caused IDA to take over 2 1/2 hours to complete! That's probably the most annoying thing; the XORs really don't bother me much, and the ebp checks that *might* be in place are nothing more than a speedbump.
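The protection Da_Teach describes above, per-pointer XOR mangling of stored base pointers, as an added illustration of why a memory scan stops turning up a clean static address. This is constructed example code, not Rift's code or anything from the thread; the slot layout, the keys and the `mp_store`/`mp_load` names are assumptions, and nothing here reflects how the game actually derives its keys.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: each global pointer slot carries its own XOR key, so
   the value resident in memory never equals the real address, and two slots
   that reference the same object still hold different bit patterns. */
typedef struct {
    uintptr_t stored;   /* mangled value that actually lives in memory */
    uintptr_t key;      /* per-slot key (constructed; a real build would derive it at startup) */
} mangled_ptr_t;

/* Store a pointer in mangled form. */
static void mp_store(mangled_ptr_t *slot, const void *p) {
    slot->stored = (uintptr_t)p ^ slot->key;
}

/* Recover the real pointer; only code that knows the slot's key can do this. */
static void *mp_load(const mangled_ptr_t *slot) {
    return (void *)(slot->stored ^ slot->key);
}

/* Returns 1 if a naive scan of the slot's raw contents would match the real address. */
int raw_value_leaks_pointer(const mangled_ptr_t *slot, const void *real) {
    return slot->stored == (uintptr_t)real;
}

/* Round-trip check: mangled slots decode correctly, differ from each other,
   and never expose the plain address. Returns 1 on success, 0 on any failure. */
int mangle_roundtrip_ok(void) {
    static int player_state = 42;              /* stands in for a game object */
    mangled_ptr_t a = { 0, 0x5A5A5A5Au };      /* constructed key */
    mangled_ptr_t b = { 0, 0xC3C3C3C3u };      /* constructed key */

    mp_store(&a, &player_state);
    mp_store(&b, &player_state);

    if (mp_load(&a) != (void *)&player_state) return 0;   /* decode must round-trip */
    if (mp_load(&b) != (void *)&player_state) return 0;
    if (a.stored == b.stored) return 0;                   /* distinct keys, distinct residue */
    if (raw_value_leaks_pointer(&a, &player_state)) return 0;
    if (raw_value_leaks_pointer(&b, &player_state)) return 0;
    return 1;
}

int main(void) {
    printf("pointer mangling round-trip: %s\n", mangle_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The design point is that the stored word is only meaningful together with its key; per-slot keys also stop one recovered key from unlocking every slot at once, which is what makes "all base pointers have different XOR values" more than decoration.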
jayswag  
#3 Posted : Thursday, May 12, 2011 10:16:10 PM(UTC)
jayswag

Rank: Member

Groups: Registered
Joined: 4/9/2011(UTC)
Posts: 11

Was thanked: 2 time(s) in 1 post(s)
Sounds good, so the reason I'm not able to find a static base address... for say the "Swim state" flag, is because they are XOR'ing the base address after it executes, so the pointer I find is the "right" one but I need to XOR the base address back to normal? The reason I bring that up is because back when I was reversing AutoITv3 script malware, some hackers would add an XOR to the function that holds all the program's data (thus breaking the decompiler since it was XOR'ed), so to fix this I would use WinHex, select the script => right click -> XOR, which would give me the normal data, and the exe would decompile correctly to get to the source of the malware.
And please tell me if I'm headed in the wrong direction with that :P

Thank you Da_Teach, I have a good community going on. I'm basing it off of community MMO development, basically helping others learn programming, hacking and RE in general, and I won't be selling hacks like mmoninja, just a one-time donation in the future, but of course all learning and tutorial content is free. I would be very grateful if you would join the community! We also have a "developer section" which is cut off from the general public. Only my web designer/coder V0gelz and freitag from mmoelites, where we post sensitive, sometimes raw data or patterns that cannot be leaked. With your knowledge I'm sure you would be a great help for input and advice! Let me know if you're interested, and register at the forums ( http://AceticSoft.com )

Thanks again, hope to talk to you soon.

-jay

Quick edit* For example, I'm looking into swim state and through pointer scanner I found static base "rift.exe"+0164FD1C (of course as soon as I exit the game I'm sure that it will just change due to the XOR of the base address?..), so how do I go about... I guess you could say normalizing it so I can use it in my programs to find the DMA address? Thanks so much. If you want to talk in AIM or IRC (never done it but I can), let me know.

Edited by user Friday, May 13, 2011 5:28:38 PM(UTC)  | Reason: Not specified
