RELEASE: GGKILLER V.1.2
Posted: July 30th, 2009, 1:56 pm
FOREWORD
Not long before a BMR patch was out, a clientless bot called TzPhQy sailed over the internet. Many people believe it to have malicious functions to steal your accounts, so to clear this out (I'm also using it, and don't want to lose my accounts) I started my IDA and loaded the bot's GameMon.des into it. After weeks of study in the disassembler I haven't found any evidence of it being a trojan or, as most people prefer to call it, a "keylogger", but I learned a lot about how it works: how it connects to the server, decrypts and encrypts packets, how it emulates GameGuard in order to stay connected. The most amazing thing is that the approach used is actually very easy and can be applied to the original client as well; I even wonder why no one has done it before (or does it stay in UG?). Anyway, I have done it and am now releasing this to the public. Enjoy!
Note: This is a complete bypass, NOT some kind of "downgrade". It brings down all of GameGuard's security measures (rootkit, Tychoon AV, client process protection, CRC checks, API hooks, and so on). This way, it allows you to:
* Use any kind of packet sniffers (WPE,...)
* Use any kind of scripts or pixel/memory based bots (2MBot,AutoIt scripts,...)
* Use any kind of memory-based hacks (UCE, Rev.Engine,...)
* Attach a debugger to client process
* Run unpacked or modified client executable
* Run multiple clients at the same time without any hassle
* Avoid all common errors related to GameGuard
===== HOW TO USE =====
1) Backup your bin\GameGuard folder (this is optional. If something goes wrong, you could always restore your working client)
2) Extract the attached archive to the bin folder, making sure to overwrite 2 files - GameGuard\GameMon.des and GameGuard\npggNT.des
3) Purely optional: copy launcher.exe to any desired location. You may as well leave it in the bin folder and create a shortcut to it. The launcher does not have to be in the same folder as the client exe.
4) Start launcher.exe - a window will appear:
The following things are available to change here:
* "Game path" - enter the client executable name and path here. You may specify only the exe name without a path if the launcher is located in the same folder as the client. You may also press the "..." button to bring up a file selection dialog.
* "..." button - allows you to select the game executable
* "Process write address" - address used for DLL injection. If you are experiencing a client crash right after pressing the "Launch" button, try changing it. However, the default value should be OK in most cases.
* "Autoclose launcher" - self explanatory
* "Launch" button - press to start client with GameGuard bypass
Notes:
- You may select either dekaron.exe or dekaron_nsse.exe
- It WILL work even with an unpacked (y0da crypter/ASProtect or both removed) client exe, but it MAY NOT work properly if you have altered client code related to GameGuard.
5) Press the "Launch" button. In case of success, the client loading screen will appear, you will NOT see GameGuard upgrading, and an inverted shield icon will appear in the system tray.
CREDIT GOES TO NEBULAR