
Bypass MuGuard?


1 reply to this topic

#1
Ethoile

  • Offline
  • Andromed♣•

  • Posts:
    126
    Reputation:
    30
    Joined:
    18 Jan, 2015

Hello guys, does anyone know if MuGuard (MU Online) can be easily bypassed? I saw this on hackforums, but I don't know how to do this...


Defeat MUGuard

MUguard is an application to detect cheats, developed at the website MuGuard.org. It's a paid tool and I just do this guide for educational purposes.

So, having said that, I just want to give my apologies to the developer, but this is for his own good and the development of a better "paid" tool.


THIS GUIDE IS FOR PEOPLE WHO KNOW ABOUT CODING!!

1.- Open OllyDbg and we will see this:

Code:
1000D001 > 60 PUSHAD
1000D002 E8 03000000 CALL muguard.1000D00A
1000D007 -E9 EB045D45 JMP 555DD4F7
We don't care about this; almost all unpackers start the same f*cking way.

2.- We can look further down and find some interesting things like:

Code:
1000D113 FF37 PUSH DWORD PTR DS:[EDI]
1000D115 C607 C3 MOV BYTE PTR DS:[EDI],0C3
1000D118 FFD7 CALL EDI
Lol, this is just creating a RETN in an empty space of code and later calling it so it will return again. Well, this is done just to confuse, and we still don't know what packer it is.

3.- Looking further down we can find these typical opcodes:

Code:
1000D180 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
1000D182 8BC8 MOV ECX,EAX
1000D184 83E1 03 AND ECX,3
1000D187 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
Now I laugh so hard because this is the typical decryption method used by noob packers. Let's put a BREAKPOINT here and run the target.

We can see that it copies data from 003E0000 to 10001000, and this last address is unpacked territory:

Code:
DS:[ESI]=[003E0000]=81EC8B55
ES:[EDI]=[10001000]=B2330420
Let's press F8 and everything is unpacked, but we still need the OEP, so how do we find it?

4.- Looking further down from where we are, I see this, which caught my attention:

Code:
1000D39A B8 41470000 MOV EAX,4741
1000D39F 50 PUSH EAX
1000D3A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
1000D3A6 59 POP ECX
1000D3A7 0BC9 OR ECX,ECX
1000D3A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
1000D3AF 61 POPAD
1000D3B0 75 08 JNZ SHORT muguard.1000D3BA
1000D3B2 B8 01000000 MOV EAX,1
1000D3B7 C2 0C00 RETN 0C
1000D3BA 68 00000000 PUSH 0
1000D3BF C3 RETN
Hardcoded values, and 2 RETNs? This is very interesting. I'll put a breakpoint on MOV EAX,4741 and see what happens...

Wow, after single-stepping with F7, this part:

Code:
1000D3BA 68 00000000 PUSH 0
1000D3BF C3 RETN
Becomes this:

Code:
1000D3BA 68 41470010 PUSH muguard.10004741
1000D3BF C3 RETN
And PUSH with RETN is of course like writing JMP 10004741.
We follow this with F7 and voilà, we are on the OEP:

Code:
10004741 /. 55 PUSH EBP
5.- We can dump now, but first I want to see if the IAT is touched. I can look into the unpacked code and see things like this:

Code:
10004818 $-FF25 64510010 JMP DWORD PTR DS:[10005164] ; msvcrt._initterm
1000481E $-FF25 60500010 JMP DWORD PTR DS:[10005060] ; kernel32.Process32Next
10004824 $-FF25 58500010 JMP DWORD PTR DS:[10005058] ; kernel32.Process32First
1000482A $-FF25 54500010 JMP DWORD PTR DS:[10005054] ; kernel32.CreateToolhelp32Snapshot
10004830 $-FF25 70500010 JMP DWORD PTR DS:[10005070] ; mfc42.#269
10004836 $-FF25 A8500010 JMP DWORD PTR DS:[100050A8] ; mfc42.#826
1000483C >-FF25 98500010 JMP DWORD PTR DS:[10005098] ; mfc42.#600
10004842 $-FF25 9C500010 JMP DWORD PTR DS:[1000509C] ; mfc42.#1578
10004848 $-FF25 A0500010 JMP DWORD PTR DS:[100050A0] ; mfc42.#6467
1000484E $-FF25 A4500010 JMP DWORD PTR DS:[100050A4] ; mfc42.#1255
10004854 $-FF25 6C500010 JMP DWORD PTR DS:[1000506C] ; mfc42.#1253
1000485A $-FF25 AC500010 JMP DWORD PTR DS:[100050AC] ; mfc42.#1570
10004860 $-FF25 B0500010 JMP DWORD PTR DS:[100050B0] ; mfc42.#1197
10004866 $-FF25 B4500010 JMP DWORD PTR DS:[100050B4] ; mfc42.#1243
1000486C $-FF25 B8500010 JMP DWORD PTR DS:[100050B8] ; mfc42.#342
10004872 $-FF25 BC500010 JMP DWORD PTR DS:[100050BC] ; mfc42.#1182
10004878 $-FF25 C0500010 JMP DWORD PTR DS:[100050C0] ; mfc42.#1577
1000487E $-FF25 C4500010 JMP DWORD PTR DS:[100050C4] ; mfc42.#1168
10004884 $-FF25 7C500010 JMP DWORD PTR DS:[1000507C] ; mfc42.#1575
1000488A $-FF25 78500010 JMP DWORD PTR DS:[10005078] ; mfc42.#1176
10004890 $-FF25 74500010 JMP DWORD PTR DS:[10005074] ; mfc42.#1116

Lol, the IAT doesn't seem to be touched...


6.- OllyDbg > Plugins > OllyDump and we press the DUMP button, since Olly can fix our IAT because ASPack didn't touch it.

7.- We have a fully unpacked DLL ¬¬, and the packer was... ASPack. What a damn noob packer; my grandma protects her house better.

8.- Enjoy and remove the demo yourself, which isn't hard; here I left the offsets to do it:

Code:
10003D78 |. FF15 48500010 CALL DWORD PTR DS:[10005048] ; \Sleep
10003D7E |. 833D B4970010 >CMP DWORD PTR DS:[100097B4],0
10003D85 |. 7E 0D JLE SHORT muguard.10003D94
Code:
10003DDF |. 68 D0070000 |PUSH 7D0 ; /Timeout = 2000. ms
10003DE4 |. FF15 48500010 |CALL DWORD PTR DS:[10005048] ; \Sleep
10003DEA |. E8 D1EFFFFF |CALL muguard.10002DC0
10003DEF |. 25 FF000000 |AND EAX,0FF
10003DF4 |. 85C0 |TEST EAX,EAX
10003DF6 |. 74 19 |JE SHORT muguard.10003E11
10003DF8 |. 81BD C0FEFFFF >|CMP DWORD PTR SS:[EBP-140],12C
10003E02 |. 7C 0D |JL SHORT muguard.10003E11
9.- If you are finally tired of this tool, you can remove the detection of cheats:

Code:
10003E1D |. 74 0D |JE SHORT muguard.10003E2C
Change to JMP

Code:
10003E98 |. 74 0D ||JE SHORT muguard.10003EA7
And this one too.


10.- Fully unpacked + non-demo + bypass. Is this worth paying for? Be my guest.


Notes to the developer:

1.- Use a better packer
2.- Code your own driver to do RING0 hooks
3.- Use permutation/mutation code
4.- Do not use branches like JE, JNZ to choose between detect or don't.

Anyone know how to do this? ↑↑


  • 0
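The three stub tricks the quoted guide walks through (the `PUSH imm32 / RETN` tail jump that lands on the OEP, the untouched `JMP DWORD PTR [slot]` import thunks, and the `JE` to `JMP` patch on the detection branch) as an added Python example. This is not code from the original post, from MuGuard or from ASPack: the byte strings are constructed from the opcode bytes quoted in the listing rather than dumped from a real muguard.dll, and the image base 10000000 and the IAT range 10005000..10005200 are assumptions taken from the addresses shown.

```python
"""
Added example (not code from the original post, MuGuard or ASPack): Python helpers
that mirror the three manual steps in the guide on a byte buffer:
  1. decode ASPack's `PUSH imm32 / RETN` tail jump to recover the OEP,
  2. walk `JMP DWORD PTR [slot]` import thunks to check the IAT was left alone,
  3. patch a `JE SHORT` (74 rel8) into `JMP SHORT` (EB rel8), keeping the displacement.
All byte strings below are constructed from the opcode bytes quoted in the listing,
not dumped from a real muguard.dll; IMAGE_BASE and IAT_RANGE are assumptions.
"""
import struct
from typing import List, Optional, Tuple

IMAGE_BASE = 0x10000000               # assumed: implied by the 1000xxxx addresses in the listing
IAT_RANGE = (0x10005000, 0x10005200)  # assumed: the slots in the listing fall in 10005048..10005164

# Stub tail at 1000D3BA, before and after the stub fills in the immediate.
STUB_VA = 0x1000D3BA
STUB_BEFORE = bytes.fromhex("6800000000C3")  # PUSH 0        ; RETN  (placeholder)
STUB_AFTER = bytes.fromhex("6841470010C3")   # PUSH 10004741 ; RETN  (OEP written in)

# First four import thunks at 10004818 (msvcrt._initterm, Process32Next, ...).
THUNKS_VA = 0x10004818
THUNK_BYTES = bytes.fromhex(
    "FF2564510010"  # JMP DWORD PTR [10005164]
    "FF2560500010"  # JMP DWORD PTR [10005060]
    "FF2558500010"  # JMP DWORD PTR [10005058]
    "FF2554500010"  # JMP DWORD PTR [10005054]
)

# Detection branch at 10003E1D: JE SHORT 10003E2C.
PATCH_VA = 0x10003E1D
PATCH_BYTES = bytes.fromhex("740D")


def oep_from_stub(rva_const: int, image_base: int) -> int:
    """MOV EAX,4741 / ADD EAX,[EBP+422]: the stub adds the real load base to the OEP RVA."""
    return image_base + rva_const


def push_ret_target(code: bytes, offset: int = 0) -> Optional[int]:
    """Decode `68 imm32 C3` (PUSH imm32; RETN), which is a JMP imm32 in disguise.
    Returns None when the bytes are not that pattern or the immediate is still the 0 placeholder."""
    if len(code) < offset + 6 or code[offset] != 0x68 or code[offset + 5] != 0xC3:
        return None
    target = struct.unpack_from("<I", code, offset + 1)[0]
    return target or None


def find_iat_thunks(code: bytes, base_va: int) -> List[Tuple[int, int]]:
    """Walk consecutive `FF 25 disp32` thunks; returns (thunk_va, iat_slot_va) pairs."""
    thunks = []
    off = 0
    while off + 6 <= len(code) and code[off] == 0xFF and code[off + 1] == 0x25:
        slot = struct.unpack_from("<I", code, off + 2)[0]
        thunks.append((base_va + off, slot))
        off += 6
    return thunks


def iat_untouched(thunks: List[Tuple[int, int]], iat_range: Tuple[int, int]) -> bool:
    """A packer that redirects imports leaves slots pointing outside the module's own
    import table (typically into its stub); here every slot must stay inside the range."""
    lo, hi = iat_range
    return all(lo <= slot < hi for _, slot in thunks)


def short_branch_target(va: int, rel8: int) -> int:
    """Target of a 2-byte short branch: next instruction plus sign-extended rel8."""
    return va + 2 + (rel8 - 0x100 if rel8 >= 0x80 else rel8)


def patch_je_to_jmp(code: bytearray, va: int, base_va: int) -> int:
    """Rewrite `74 rel8` (JE SHORT) as `EB rel8` (JMP SHORT) at va, keeping the displacement.
    Refuses with ValueError unless the opcode really is JE, so a wrong address never
    silently corrupts other bytes. Returns the branch target for a sanity check."""
    off = va - base_va
    if off < 0 or off + 2 > len(code):
        raise ValueError("address outside buffer")
    if code[off] != 0x74:
        raise ValueError("expected JE (74) at %08X, found %02X" % (va, code[off]))
    code[off] = 0xEB
    return short_branch_target(va, code[off + 1])


if __name__ == "__main__":
    print("OEP from stub constants: %08X" % oep_from_stub(0x4741, IMAGE_BASE))
    print("push/ret before patch :", push_ret_target(STUB_BEFORE))
    print("push/ret after patch  : %08X" % push_ret_target(STUB_AFTER))
    thunks = find_iat_thunks(THUNK_BYTES, THUNKS_VA)
    for tva, slot in thunks:
        print("thunk %08X -> [%08X]" % (tva, slot))
    print("IAT untouched:", iat_untouched(thunks, IAT_RANGE))
    buf = bytearray(PATCH_BYTES)
    target = patch_je_to_jmp(buf, PATCH_VA, PATCH_VA)
    print("patched %08X: %s -> JMP SHORT %08X" % (PATCH_VA, buf.hex().upper(), target))
```

The patch helper deliberately checks the opcode before writing: the two `JE SHORT` sites in the guide are only 2 bytes, and flipping 74 to EB at the wrong offset would change some other instruction without any warning. Keeping the rel8 displacement is what makes the patch behave as "always take the branch" rather than "jump somewhere else".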

#2
k4mk4ok4o

  • Offline
  • Yasuo

  • Posts:
    45
    Reputation:
    11
    Joined:
    18 Jul, 2015

Oh well, but I was not familiar enough.


  • 0

