VLCheats CSGO League Cheats Advertise With GuidedHacking

Guide Nexon Game Security Bypass info + hot sticky sauce

mambda

Jun 25, 2014
Game Name: N/A
Anticheat: Nexon Game Security (NGS)
How long you been coding/hacking? what day is it
Coding Language: C++
Figured I should do a (very) little writeup to accompany the (partial) bypass I released a while ago, since it'd be nice to add to the big anticheat index here.

I spent a few weeks reversing Nexon Game Security because I was writing that MapleStory stuff.

NGS was a good bit of fun. I wrote a call tracer due to it that would log all branches a program took. During this time, I noticed that all the APIs logged were pretty nondescript. After some fine tuning, I found my exceptionally perfect code to be crashing after a set period of time, so I did some further digging.

This is the section where it crashes:



Lucky for you, I save random screenshots.

What you're looking at is Heaven's Gate being dropped into, swapping CS to 0x33 (long mode) to execute x64 code, then swapping it back to 0x23.
In long mode, they fix up some registers as seen in the screenshot, as well as perform a call to some WinAPIs, but the catch is that this will go to 64-bit WinAPIs, whilst it's running in a 32-bit WoW program.

I'll briefly touch on my bypass because honestly it's not that hard. Essentially, what I did was register an exception handler in long mode (by entering Heaven's Gate myself) and set an x86 exception handler to catch new threads. Then for every thread I found/was created, I placed a HWBP at the location of the calls. This exception will be handled by the x64 handler (called x64handler in the assembly file because I'm original).

Because I'm too lazy to explain it, here's the raw assembly for the handler:



with the macros defined as:

Code:
potato_fn dq 0                  ; address of the x86Callback, filled in at runtime
macro SAVE_SCRAP                ; save the scratch registers the handler clobbers
{
        push rcx
        push r8
        push rbx
        push rsi
        push r15                ; TODO: Perhaps check if our breakpoint is hit immediately after a call, if so, send it to the x86 function to get return value?
        push r14
        push r13
        push r12
        push r11
        push r10
        push rdi
}
macro POP_SCRAP                 ; restore them in reverse order
{
        pop rdi
        pop r10
        pop r11
        pop r12
        pop r13
        pop r14
        pop r15
        pop rsi
        pop rbx
        pop r8
        pop rcx
}
potato_fn is the address of the "x86Callback", which switches back to x86, calls a handler function to filter the called API, and re-enters x64 before returning.

That's the "smart" part done; everything else is dead simple. I grab the syscall index at the current EIP, and then if it's one I wish to "hook", I do stuff with it. For example, you can see that if the index is 0x26, I hide any ZwOpenProcess calls which are targeting a program with "cheat" in the name, which enables one to use Cheat Engine while playing an NGS-protected game.

Like I said, this is a partial bypass because it suited my needs at the time. To get a full bypass, you only need to do one more thing, which another user on this forum has already done.

Also, you don't need to do it my way at all. I just like exceptions. You can achieve the same thing with a simple hook; it's just that your hook will be able to be detected by checksums, so check for them, heh.

Too long; give source: Bitbucket

Rake

Thank you so much for making this thread, I'm sure this will help many people.