TwMS v239.1 NGSBypass
轉自 GMS BC CRC Bypass
鎖定 BlackCipher.aes 寫入數據（注意：下方腳本中所有中括號 [...] 內的內容，包含 [ENABLE]/[DISABLE] 標記與記憶體操作數，轉貼時已被吃掉，直接貼上無法執行）
// --- NGS hook 1 of 3 -------------------------------------------------------
// Dialect: Cheat Engine Auto Assembler, 32-bit target. The hook offsets are
// hard-coded for the client build named in the post title and will not
// match any other build.
// NOTE(review): this listing was extracted from a forum post that swallowed
// every "[...]" span. This block happens to contain no bracketed operand, but
// later blocks do (e.g. "cmp ,1") and the [ENABLE]/[DISABLE] section markers
// are gone too — treat the whole script as non-runnable as shown.
alloc(newmem1,2048)            // 2048-byte code cave for the detour
label(returnhere1)
label(originalcode1)
newmem1:
push ffffffff                  // single argument; 0xFFFFFFFF == INFINITE if "sleep" resolves to kernel32!Sleep — verify
call sleep                     // whichever thread reaches the hook site is parked here; nothing below runs unless that call returns
originalcode1:                 // presumably the instructions displaced by the jmp+nop patch at the hook site — cannot be checked against the binary from here
pushfd
push edi
push esp
pop edi
add edi,00000004
jmp returnhere1
"BlackCipher.aes"+26885DE:     // hook site inside the anti-cheat module: 5-byte jmp (32-bit E9 rel32) + 5 nops = 10 bytes patched
jmp newmem1
nop 5
returnhere1:                   // == hook site + 10; only reached if the cave ever falls through originalcode1
// --- NGS hook 2 of 3 -------------------------------------------------------
// Same pattern as hook 1: the hooking thread is sent into sleep with
// argument 0xFFFFFFFF and the displaced original bytes are re-emitted after
// the call.
alloc(newmem2,2048)            // 2048-byte code cave
label(returnhere2)
label(originalcode2)
newmem2:
push ffffffff                  // 0xFFFFFFFF — INFINITE if this is kernel32!Sleep (unverified)
call sleep
originalcode2:                 // presumed displaced instructions (verify against the hook site bytes)
pushfd
sub esp,00000004
jmp returnhere2
"BlackCipher.aes"+201769C:     // second hook site: 5-byte jmp + 2 nops = 7 bytes patched
jmp newmem2
nop 2
returnhere2:                   // == hook site + 7
// --- NGS hook 3 of 3 -------------------------------------------------------
// Same sleep-forever detour as hooks 1 and 2.
// NOTE(review): "mov ,edi" below lost its destination operand on extraction
// (it was a bracketed memory operand); the line will not assemble as shown
// and the original target cannot be recovered from this page.
alloc(newmem3,2048)            // 2048-byte code cave
label(returnhere3)
label(originalcode3)
newmem3:
push ffffffff                  // 0xFFFFFFFF argument for sleep (INFINITE if kernel32!Sleep — verify)
call sleep
originalcode3:                 // presumed displaced instructions
pushfd
sub esp,04
mov ,edi                       // destination operand missing — do not paste as-is
jmp returnhere3
"BlackCipher.aes"+026C1CCA:    // third hook site: 5-byte jmp + 2 nops = 7 bytes patched
jmp newmem3
nop 2
returnhere3:                   // == hook site + 7
MSCRC Bypass
鎖定MapleStory寫入數據
// --- MapleStory CRC bypass: constants, allocations, worker start -----------
// What the visible code does: take one byte-for-byte snapshot of the code
// range [CRCSTART, CRCEND] into MemCopy, then hook the two CRC read sites so
// that reads inside that range are rebased onto the snapshot (see Hook1/Hook2).
define(CRC1,0588FB3C)          // absolute address of CRC read site 1 — build-specific and assumes the image is not relocated
define(CRC2,05590C7B)          // absolute address of CRC read site 2
define(CRC1Reg,ecx)            // register Hook1 range-checks and rebases (the address being read at site 1)
define(CRC2Reg,edi)            // same for Hook2 / site 2
define(CRC1CHANGE,5)           // bytes displaced at CRC1 (exactly one E9 rel32 jmp)
define(CRC2CHANGE,6)           // bytes displaced at CRC2 (one byte more than the jmp; only 5 are ever overwritten — see MemCopier)
define(CRCSTART,00401000)      // checksummed range: looks like .text of an image based at 00400000 — verify
define(CRCEND,0640A000)
globalalloc(DisableCRCBypass,200)   // globalalloc on purpose: the disable section createthread()s it without freeing it
alloc(CRCHook,200)             // holds Hook1/Hook2 plus their 16-byte trampoline slots
alloc(MemCopy,100700160)       // decimal 100,700,160 == 0x06009000 == CRCEND-CRCSTART: the snapshot buffer, sized exactly to the range
registersymbol(MemCopy)
alloc(MemCopier,200)           // worker thread body (below)
registersymbol(MemCopier)
label(Hook1)
label(Hook2)
label(Hook1End)
label(Hook2End)
label(Hook1Ret)
label(Hook2Ret)
label(CopyExit)
label(Hook2Ending)
label(Hook1Ending)
label(Counter)
createthread(MemCopier)        // snapshot + patching happen asynchronously on a new thread, not at script-enable time
///////////////////////////////////////////////////////////////////////////
// MemCopier — runs once on the thread started by createthread(MemCopier).
//   1. memcpy the live code range into MemCopy (unless a guard flag is set),
//   2. two byte-copy loops of CRC1CHANGE / CRC2CHANGE iterations, each
//      storing one byte to two destinations (plausibly the Hook1End/Hook2End
//      slots and a backup for the disable path — operands lost, unverified),
//   3. write a 5-byte "E9 rel32" jmp at CRC1 -> Hook1 and CRC2 -> Hook2,
//   4. set the guard flag and leave via terminatethread.
// NOTE(review): every bracketed memory operand in this block was stripped on
// extraction ("cmp ,1", "mov eax,", "inc", ...). The comments describe what
// the surrounding instructions imply; they do not reconstruct the lost text.
MemCopier:
cmp ,1                         // guard flag (operand lost): skip the copy when already set (set to 1 at the end of this block)
je CopyExit
push CRCEND-CRCSTART //size    // cdecl memcpy(dest, src, size) — arguments pushed right-to-left
push CRCSTART //*src
push MemCopy //*dest
call memcpy                    // snapshot is taken BEFORE the jmps below are written, so it contains whatever the range holds now — including any patch another script applied earlier
add esp,0C                     // caller cleans 3*4 bytes (cdecl)
CopyExit:
Hook1Ending:                   // loop 1: CRC1CHANGE iterations, one byte per pass (source/destination operands lost)
mov eax,                       // presumably the loop counter ([Counter] below)
mov bh,                        // one byte of the CRC1 site, indexed by eax (presumed)
mov BYTE PTR ,bh               // stored twice — two destinations, both lost
mov BYTE PTR ,bh
inc                            // counter++ (operand lost)
cmp ,CRC1CHANGE
jl Hook1Ending                 // signed compare; harmless for these small constants
mov ,0                         // reset the counter for loop 2
Hook2Ending:                   // loop 2: same shape, CRC2CHANGE iterations for the CRC2 site
mov eax,
mov bh,
mov BYTE PTR ,bh
mov BYTE PTR ,bh
inc
cmp ,CRC2CHANGE
jl Hook2Ending
mov ,0
mov eax,Hook1
sub eax,CRC1+5                 // rel32 = target - (site + 5): displacement for a 5-byte E9 jmp placed at CRC1
mov byte ptr ,E9               // E9 = jmp rel32 opcode (destination operand lost; presumably CRC1)
mov ,eax                       // the displacement dword (presumably CRC1+1); these stores assume the code page is writable
mov eax,Hook2
sub eax,CRC2+5                 // same for CRC2 -> Hook2; only 5 of the CRC2CHANGE=6 bytes are touched
mov byte ptr ,E9
mov ,eax
mov ,1                         // set the guard flag checked at entry
jmp terminatethread            // end this worker thread (symbol resolved by CE — likely kernel32!TerminateThread; verify)
Counter:
dd 0                           // loop counter storage (presumed target of the stripped operands above)
///////////////////////////////////////////////////////////////////////////
// CRCHook — the two detours the CRC read sites jump into.
// Each one: if the address register points inside [CRCSTART, CRCEND], rebase
// it onto the MemCopy snapshot; then execute the displaced original bytes
// (which MemCopier presumably copied into the 16-NOP slot) and return to
// site + CHANGE.
// NOTE(review): relocating the displaced bytes into the slot is only sound if
// they are position-independent (no rel8/rel32 branch, no RIP/EIP-relative
// data) — verify at both sites for this build.
CRCHook:
Hook1:
cmp CRC1Reg,CRCSTART
jb Hook1End                    // below the range: pass through unchanged (unsigned compare)
cmp CRC1Reg,CRCEND
ja Hook1End                    // NOTE(review): `ja` makes the range inclusive of CRCEND, but MemCopy is exactly CRCEND-CRCSTART bytes, so an address equal to (or a multi-byte read reaching) CRCEND is served from just past the snapshot; `jae` would match the copied range
sub CRC1Reg,CRCSTART           // offset into the range ...
add CRC1Reg,MemCopy            // ... rebased onto the snapshot
jmp Hook1End                   // redundant: Hook1End is the next instruction anyway
Hook1End:
db 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   // 16-byte slot: the CRC1CHANGE displaced bytes are expected here, the rest stay NOP
jmp Hook1Ret
Hook2:
cmp CRC2Reg,CRCSTART
jb Hook2End
cmp CRC2Reg,CRCEND
ja Hook2End                    // same inclusive-bound remark as Hook1
sub CRC2Reg,CRCSTART
add CRC2Reg,MemCopy
jmp Hook2End                   // redundant, as in Hook1
Hook2End:
db 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   // 16-byte slot for the CRC2CHANGE displaced bytes
jmp Hook2Ret
CRC1+CRC1CHANGE:
Hook1Ret:                      // resume in original code right after the 5 displaced bytes at CRC1
CRC2+CRC2CHANGE:
Hook2Ret:                      // resume after the 6 displaced bytes at CRC2
/////////////////////////////////////////////////////////////////////////
// DisableCRCBypass — restore thread, started from the disable section below.
// Writes back a dword + a byte (5 bytes: the size of the E9 jmp MemCopier
// wrote) at two locations, presumably CRC1 and CRC2, from what are presumably
// the backups MemCopier stored. All operands were lost in extraction, so the
// sources and destinations cannot be confirmed from this page.
DisableCRCBypass:
mov eax,                       // 4 saved bytes for site 1 (operand lost)
mov bh,                        // 5th saved byte
mov ,eax                       // restore dword (destination lost; presumably CRC1)
mov BYTE PTR ,bh               // restore byte (presumably CRC1+4)
mov eax,                       // same for site 2
mov bh,
mov ,eax
mov BYTE PTR ,bh
jmp terminatethread            // exit the restore thread
///////////////////////////////////////////////////////////////////////////
// --- disable section (its [DISABLE] marker was stripped with the other
// bracketed text; this is inferred from the dealloc/unregister calls) -------
createthread(DisableCRCBypass) // restore runs asynchronously on a new thread ...
dealloc(CRCHook)               // ... while the hook memory is released immediately.
dealloc(MemCopy)               // NOTE(review): if a CRC read hits the patched jmp before the restore thread has
dealloc(MemCopier)             //   rewritten the 5 bytes, it jumps into freed memory. DisableCRCBypass itself is
unregistersymbol(MemCopy)      //   not freed here (globalalloc) because the thread is still executing it.
unregistersymbol(MemCopier)
某付費外掛就是這種
啊这也能过bypass? 64bit將至，確實很多乾貨都出來了，還是感謝大佬轉來啊，都不容易。