GameGuard Keygen + Reversing

On Tuesday, 7 September 2010, 0 comments

A few months back I started reversing nProtect's GameGuard and I had created an emulator for it for a game called GunZ. Unfortunately, my emulator was leaked late in April and since then, GameGuard has updated.

I have not had any interest in updating any of the code (even though INCA changed very little).

I am just posting this for those who want to know how GameGuard worked. It is probably the most powerful anti-hack tool I have ever dealt with, by far, coming from a guy who has dealt with PunkBuster, HackShield, XTrap and more...

Before I show the code, you should know that GameGuard uses the standard Blowfish block cipher within its algorithm.

The C Version of blowfish (the one I use) can be found here: http://www.schneier.com/code/bfsh-koc.zip

Now I will get into how the algorithm works.

The server sends 4 DWORDs (index, value1, value2, value3) to the game client, and the three values are specific to their index. GameGuard, packed by Themida, uses a virtual machine to virtualize a portion of its code: the switch statement keyed on the index. It is a big switch (500 cases, index 0 - 500).

However, this switch cannot simply be decrypted (even though I found the decrypt function for the VM). To decrypt it, a valid key must be used, and you can only receive valid keys from the server. The server changes its index once every few hours (and once or twice for a few minutes or so in between).

This means you have to unpack, run through memory and decrypt each case of the 500-case switch every time you get a key with a different index.

In my code, I was able to reverse 7 indexes, which seemed to be the main ones GunZ was using, as it never really used anything other than those - which was good news. Though every time I was disconnected, that meant I had received a key with a different index that I did not know how to handle, so I would check my packet logs, reverse that index and add it to my code.

Basically, GameMon gets the key from the server, decrypts it with Blowfish, runs it through its algorithm, re-encrypts it with Blowfish using its own salt and gives it back to the game, and the game gives it to the server.

Credit goes to Legion for inspiration, Gene for starting it out with me and of course DXTLegendaryHacker for helping me reverse the cases! =]

Code:
Sorry, I have removed the code as I do not feel comfortable releasing it now.
It would basically be used like this after calling init():

Code:
/* Usage after init() has been called; received_key points at the
   four DWORDs (index, value1, value2, value3) sent by the server. */
unsigned long *outkey = inca__keygen(received_key);
respond_to_server(outkey);
free(outkey); /* inca__keygen allocates the response buffer */
Credits by Vrillon
