TomatoDePotato, posted March 14, 2019

Hi, has anyone saved this 1.298 ASM code from the old Snoxd? I've searched the ASM section but it has not been added. TIA
Gilad, posted March 15, 2019 (edited March 15, 2019)

Hi Tomato,

You can read the discussion [hidden content]. Basically only some of the content has been restored, thanks to @ForcePower for doing all the hard work.

If you don't manage to find it, it wouldn't be hard to re-create that patch. You'll need to find the starting point of the application and basically validate in some way whether command line arguments have been passed to KnightOnline.exe. If there are no arguments, then call some new function you created that shows a message box saying "Please execute tata..." in order to start the application. That's the simplest approach.

To do a better job, patch the Launcher.exe where it creates the KnightOnline.exe process to pass some custom argument, say "blabla-1253", and then patch KnightOnline.exe to validate whether the argument passed from the Launcher is equal to "blabla-1253". If it is, start the application normally; if not, show the message box.

You don't really need to have strong assembly skills to do that, just the basics of C++ and knowledge of program flow. You could use [hidden content] to disassemble some code in C++ you created for that job. I.e., create a console application that checks for arguments passed to the exe; if no arguments are passed, create your message box popup. Then you could use radare2 to disassemble the code of that function, copy the assembly code and patch it into your client in some unused location, then find the starting point of KnightOnline.exe to call your validation function.

Hope that helps.

Regards.
TomatoDePotato, posted March 16, 2019

Thanks very much for the constructive reply. It makes perfect sense, especially the part about mocking up something in a console app first, then converting it to machine code to patch EXEs with jumps to a code cave and back etc. using OllyDbg. I do understand program flow and small amounts of C++, but nothing on a professional level, but I guess it's pretty simple and I can always use Google for further help (with the C++).

I do still have my old client EXE unpacked with the launcher check already patched inside it, so I guess I could always try and find the entry point into Knight Online and pull the original ASM patch from inside there with OllyDbg. I think I will go this way first, then if I do manage to find it I could always post it in the ASM section for others to use.

Thanks again.
Gilad, posted March 16, 2019 (edited March 17, 2019)

Gladly. You could do something as simple as: [hidden content]

Then once you open the assembly code of that program, you can re-build your own assembly function from that, OR you could actually tell VS (Visual Studio) to output the assembly code of your compiled object by going to project properties: C++ -> Output Files -> Assembler Output: Assembly With Source Code (/FAs).

A good place for you to put your validation call would probably be before Windows calls the [hidden content] function, or if you prefer, right at the main function, make a call to your validation code.

As for the launcher part, I guess you can look for the part where Windows calls (module imports) [hidden content] so you can find where it starts the KnightOnline.exe process; then for the arguments you can add an additional "blabla-123" argument so KnightOnline.exe will read that. I guess that's a pretty decent approach to force people to start the client through the launcher.

Just saying: the creator of IDA [hidden content] on 2 Feb 2018 that they released a [hidden content] version of IDA, but many of the features won't be available to you, such as the decompiler, debugger etc. But it's still good for analyzing program flow and creates accurate graphs. If you like open-source projects, there is a GUI for radare2 called [hidden content] that you can also use, which uses Snowman for decompiling C++ applications.

If you have any questions, always feel free to post them.
TomatoDePotato, posted March 17, 2019
Gilad, posted March 17, 2019 (edited March 17, 2019)

Good job! Even though it will lose its purpose when people find out that you can pass any argument there to start without using the launcher, as you only jump into that code if command line arguments were passed.

The official client code looks like this: [hidden content]

I guess they used it for some licensing or auto-login bypass. So by doing these 2 jumps one after another:

    0064C173  JLE 006A276F
    0064C181  JGE 006A276F

you're basically saying:

    if ( lpCmdLine && (lstrlenA(lpCmdLine) <= 0 || lstrlenA(lpCmdLine) >= 512) )

then go to the custom function you implemented at 006A276F.

Then, for the new jump call: [hidden content]

I left you comments so it's clearer to understand what this code is doing. The last 2 lines of your ASM you can basically remove, and you missed a CALL instruction to 006747A7.

That's why I think if you do it by comparing whether the parameter passed to the client is what you actually expect it to be, and the launcher is synced with the client, then it will make it harder for people to bypass this patch, unless they unpack your exe and look at the ASM code, which a very low percentage of people would do; but even if they do, then on your next release patch you can change the codes to annoy them.

I edited my previous post so you can see the code is a little bit different, to match the KO signatures.
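The two checks Gilad contrasts above, written out as a console-style C++ mock-up of the kind he suggests prototyping before disassembling. This is an added example, not code from the thread or from the client; the function names, the message text and the `validateLaunch` entry routine are assumptions, while the 512-byte bound and the "blabla-1253" token come from the posts.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Bound from the reconstructed client condition: lstrlenA(lpCmdLine) >= 512 is rejected.
constexpr std::size_t kMaxCmdLine = 512;

// Weak check (what the first patch does): any command line with 0 < length < 512 passes,
// so starting KnightOnline.exe with an arbitrary argument skips the launcher entirely.
bool launchedViaLauncherWeak(const char* lpCmdLine) {
    if (lpCmdLine == nullptr) return false;
    const std::size_t len = std::strlen(lpCmdLine);
    return len > 0 && len < kMaxCmdLine;
}

// Stronger check (what Gilad recommends): one of the space-separated arguments must be
// exactly the token the patched Launcher.exe passes ("blabla-1253" in the thread).
bool launchedViaLauncherStrong(const char* lpCmdLine, const char* expectedToken) {
    if (!launchedViaLauncherWeak(lpCmdLine)) return false;
    const std::string cmd(lpCmdLine);
    std::size_t pos = 0;
    while (pos <= cmd.size()) {
        std::size_t end = cmd.find(' ', pos);
        if (end == std::string::npos) end = cmd.size();
        // compare() returns 0 only when the token equals the whole argument,
        // so "blabla-12530" or "xblabla-1253" do not match.
        if (cmd.compare(pos, end - pos, expectedToken) == 0) return true;
        pos = end + 1;
    }
    return false;
}

// Hypothetical validation routine the patch would call before WinMain proceeds.
// Returns true if the client may start; otherwise shows the message box and returns false.
bool validateLaunch(const char* lpCmdLine, const char* expectedToken) {
    if (launchedViaLauncherStrong(lpCmdLine, expectedToken)) return true;
    const char* msg = "Please execute the launcher to start the game.";  // constructed text
#ifdef _WIN32
    MessageBoxA(nullptr, msg, "Knight Online", MB_OK | MB_ICONERROR);
#else
    std::cerr << msg << '\n';  // console fallback so the mock-up builds off Windows
#endif
    return false;
}
```

Compiling this with /FAs, as the post above suggests, gives the assembly for each function side by side with its source, which is what gets copied into the unused region of the client.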
TomatoDePotato, posted March 17, 2019

That's a good point indeed! I wish I could attain your level of understanding with the source and ASM, but I'm quite long in the tooth now and I think my cup's almost full, so to speak! But I still try my best.

I guess for now it's a good start, and as always we still have the version checking and private key to add a bit more annoyance for those pesky Launcher "bypassers", but for now I will leave it as is. Anyone else is most welcome to contribute and improve upon the function a bit more, and I welcome it. Hell, you've provided some good solid information in a very constructive and non-criticising way and I thank you very much.