Please Execute KnightOnline.exe via Launcher


TomatoDePotato
Question

6 answers to this question

Hi Tomato,

You can read the discussion [hidden content].

Basically only some of the content has been restored, thanks to @ForcePower for doing all the hard work.

If you don't manage to find it, it wouldn't be hard to re-create that patch. You'll need to find the starting point of the application and basically validate, in some way, whether command line arguments have been passed to KnightOnline.exe. If there are no arguments, then call some new function you created that shows a message box saying "Please execute tata..." in order to start the application. That's the simplest approach.

To do a better job, patch Launcher.exe where it creates the KnightOnline.exe process so it passes some custom argument, say "blabla-1253", and then patch KnightOnline.exe to validate whether the argument passed from the Launcher equals "blabla-1253"; if it does, start the application normally, if not, show the message box.

You don't really need strong assembly skills to do that, just the basics of C++ and knowledge of program flow. You could use [hidden content] to disassemble some code in C++ you created for that job.

I.e., create a console application that checks for arguments passed to the exe; if no arguments are passed, create your message box popup. Then you could use radare2 to disassemble the code of that function, copy the assembly code and patch it into your client in some unused location, then find the starting point of KnightOnline.exe to call your validation function.

Hope that helps.

Regards.

 

Edited by Gilad

Thanks very much for the constructive reply; it makes perfect sense, especially the part about mocking up something in a console app first, then converting it to machine code to patch EXEs with jumps to a code cave and back etc. using OllyDbg. I do understand program flow and small amounts of C++, but nothing on a professional level, but I guess it's pretty simple and I can always use Google for further help (with the C++).

I do still have my old client EXE unpacked with the launcher check already patched inside it, so I guess I could always try and find the entry point into Knight Online and pull the original ASM patch from inside there with OllyDbg. I think I will go this way first, then if I do manage to find it I could always post it in the ASM section for others to use.

Thanks again.


Gladly :)

You could do something as simple as: [hidden content]

Then once you open the assembly code of that program, you can re-build your own assembly function from that, OR you could actually tell VS (Visual Studio) to output the assembly code of your compiled object by going to project properties: C++ -> Output Files -> Assembler Output: Assembly With Source Code (/FAs).

A good place for you to put your validation call would probably be before Windows calls the [hidden content] function, or if you prefer, right at the main function, make a call to your validation code.

As for the launcher part, I guess you can look for the part where Windows calls (module imports) [hidden content] so you can find where it starts the KnightOnline.exe process; then for the arguments you can add an additional "blabla-123" argument so KnightOnline.exe will read that. I guess that's a pretty decent approach to force people to start the client through the launcher.

Just saying; the creator of IDA [hidden content] on 2 Feb 2018 that they released a [hidden content] version of IDA, but many of the features won't be available to you, such as the decompiler, debugger etc. But it's still good for analyzing program flow and it creates accurate graphs. Unless you like open-source projects: there is a GUI for radare2 called [hidden content] that you can also use, which uses Snowman for decompiling C++ applications.

If you got any questions, always feel free to post them.

Edited by Gilad

Good job! :) Even though it will lose its purpose when people find out that you can pass any argument there to start without using the launcher, as you only jump into that code if command line arguments are passed. The official client code looks like this: [hidden content]

I guess they used it for some licensing or auto login bypass.

So by doing these 2 calls one after another:

0064C173	JLE 006A276F
0064C181	JGE 006A276F

You basically saying:

if ( lpCmdLine && (lstrlenA(lpCmdLine) <= 0 || lstrlenA(lpCmdLine) >= 512) )

Then go to the custom function you implemented at 006A276F.

Then, for the new jump call: [hidden content]

I left you comments so it's more clear to understand what this code is doing.

The last 2 lines of your ASM you can basically remove, and you missed a CALL instruction to 006747A7.

That's why I think if you do it by comparing whether the parameter passed to the client is what you actually expect it to be, and the launcher is synced with the client, then it will make it harder for people to bypass this patch, unless they unpack your exe and look at the ASM code, which a very low percentage of people would do; but even if they do, then in your next release patch you can change the codes to annoy them. :)

I edited my previous post so you can see the code is a little bit different, to match the KO signatures.

Edited by Gilad
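As an added example (not code from this thread, the launcher, or the Knight Online client), here are the two checks discussed above written as plain C so the logic can be run and tested off Windows. weak_needs_launcher_msg models the reconstructed official condition, where the message box fires only when the argument string is empty or 512 bytes or longer, so any non-empty argument slips through; token_needs_launcher_msg models the launcher-token idea, accepting only a command line that carries the exact token the launcher passes. The function names, the reuse of the 512 bound, and the placeholder token "blabla-1253" are assumptions for this example, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Placeholder token from the thread; a real build would use its own secret
 * and rotate it between patches. Both values here are assumptions. */
#define KO_TOKEN       "blabla-1253"
#define KO_MAX_CMDLINE 512   /* upper bound in the reconstructed client check */

/* Reconstructed official check:
 *   if (lpCmdLine && (lstrlenA(lpCmdLine) <= 0 || lstrlenA(lpCmdLine) >= 512))
 * lpCmdLine is WinMain's argument string (no program name).
 * Returns true when the "please use the launcher" message box should be shown.
 * Note the weakness: any non-empty argument of sane length is accepted. */
bool weak_needs_launcher_msg(const char *lpCmdLine)
{
    if (lpCmdLine == NULL)
        return false;  /* the reconstructed condition only fires on a non-NULL pointer */
    size_t len = strlen(lpCmdLine);
    return len == 0 || len >= KO_MAX_CMDLINE;
}

/* Hardened check: accept only if one space-separated argument equals the
 * token the launcher passes; everything else gets the message box. */
bool token_needs_launcher_msg(const char *lpCmdLine)
{
    if (lpCmdLine == NULL)
        return true;
    size_t len = strlen(lpCmdLine);
    if (len == 0 || len >= KO_MAX_CMDLINE)
        return true;

    char buf[KO_MAX_CMDLINE];
    memcpy(buf, lpCmdLine, len + 1);          /* len < 512, so the NUL fits */
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (strcmp(tok, KO_TOKEN) == 0)
            return false;                     /* launcher token present: start normally */
    }
    return true;
}

/* Launcher side: the argument string KnightOnline.exe's WinMain will see,
 * i.e. any existing arguments plus the token. Returns length or -1 on truncation. */
int build_launcher_args(char *out, size_t outsz, const char *extra)
{
    int n = (extra != NULL && *extra != '\0')
        ? snprintf(out, outsz, "%s %s", extra, KO_TOKEN)
        : snprintf(out, outsz, "%s", KO_TOKEN);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* End-to-end: what the patched launcher produces is what the patched client
 * accepts. Returns true when the client would start without the message box. */
bool launcher_roundtrip(const char *extra)
{
    char args[KO_MAX_CMDLINE];
    if (build_launcher_args(args, sizeof args, extra) < 0)
        return false;
    return !token_needs_launcher_msg(args);
}

int main(void)
{
    /* Constructed sample command lines a user or launcher might supply. */
    const char *samples[] = { "", "anything", KO_TOKEN, "-nosound " KO_TOKEN, "blabla-12534" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("\"%s\": weak check -> %s, token check -> %s\n", samples[i],
               weak_needs_launcher_msg(samples[i]) ? "message box" : "start",
               token_needs_launcher_msg(samples[i]) ? "message box" : "start");
    }
    printf("launcher roundtrip with -nosound: %s\n",
           launcher_roundtrip("-nosound") ? "start" : "message box");
    return 0;
}
```

The comparison is a plain strcmp against a string embedded in both binaries, which matches the thread's own assessment: it raises the bar from "pass any argument" to "know the token", and anyone who unpacks the client and reads the ASM can recover it, so the value of the scheme lies in changing the token with each release rather than in keeping it hidden.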

That's a good point indeed! I wish I could attain your level of understanding with the Source and ASM, but I'm quite long in the tooth now and I think my cup's almost full, so to speak! :D But I still try my best.

I guess for now it's a good start, and as always we still have the version checking and private key to add a bit more annoyance for those pesky Launcher "bypassers", but for now I will leave it as is. Anyone else is most welcome to contribute and improve upon the function a bit more, and I welcome it. Hell, you've provided some good solid information in a very constructive and non-criticising way and I thank you very much :)

👍
