以下是線上蒐集有關nProtect的文章數量極少,希望對nProtect有研究的大蝦能多提供一點 THX
也許這些文章有部分也是看雪裡某位大蝦寫的吧
也希望對正在研究nProtect的朋友有點幫助

==================================================================================================
什么是nProtect？
nProtect是设计用于保护个人电脑终端不被病毒和黑客程序感染的新概念的基于网络的反黑客和反病毒的工具。他帮助确保所有输入个人电脑终端的信息在网络上不落入黑客手中。
在最终用户在执行电子贸易时，可以通过将nProtect配置在那些提供电子商务、进口贸易，电子贸易的金融机构的网站上，来提高安全等级。
--------------------------------------------------------------------------------------------------
nProtect怎样工作?
nProtect是一种基于服务器端的解决方案并且当那些需要保护的任何网络应用被运行时而自动启动。nProtect被载入内存，所以最终用户不需
要安装任何应用程序，只要nProtect启动，就开始拒绝黑客工具和病毒的入侵！
--------------------------------------------------------------------------------------------------
nProtect如何工作？
1. 用户登陆时nProtect自动启动。
2. 浏览器确认和自动安装安全模块到用户的个人电脑。
3. 扫描黑客工具和病毒
4. 通知用户目前的安全状态
5. 如果有黑客工具和病毒尝试删除
6. 在被入侵时端驻留内存来锁定黑客工具直到电脑或者nProtect关闭。
--------------------------------------------------------------------------------------------------
使用此软件的网络游戏还有很多，比如：冒险岛国际服，信长野望online，希望online等等
再来谈谈新版本的冒险岛外挂问题：
目前在服务器上能屏蔽掉的一般都是高速战斗，即两次战斗的数据传输时间间隔少于游戏设定的最少时间（比如说最快的攻击是用小刀砍一下，假设这个时间是2 秒，而某ip长时间以1秒传送一次攻击指令（既含有攻击指令的封包），可以强制让此ip断线，但并不能做为封号的证据）高速采集原理也差不多，还有瞬移等。
什么是封包？客户端和服务器之间往来的数据就是封包
有学过计算机的因该都知道计算机网络被OSI参考模型分为7层：
第1层：物理层；传输单位是比特流，既bit
第2层：数据链路层；传输单位是帧，既frame
第3层：网络层；这一层传输的就是包了，既packet
第4层：传输层；传输单位是段，既segment
第5层：会话层；建立连接并保持连接畅通
第6层：表示层；将信息"表示"为一种格式，可以理解为就是"格式转换"
第7层：应用层。对软件提供接口以使程序能使用网络服务
数据在网络中传输不是一整大段的传输的，而是分成小块传输的，由于比较分散，所以封包。大家可以理解为"搬家的时候把东西打成包好搬运
"。
目前的外挂都是内嵌于游戏中，对游戏所接收和发送的封包进行截取，修改，重构建等。
话说回来，nProtect GameGuard的确很厉害，从冒险岛更新它又来到我的硬盘上以后，我的ZoneAlarm防火墙就开始报警了，说它要监视你的进程，并且欲访问网络，唉，没办法，为了玩冒险，只好放行咯。
试图访问internet
监视冒险岛进程
切出游戏后，你会发现右下角多了个这东西，翻译过来就是"nProtect 游戏监视程序 版本624"
至此，我想大家觉得冒险岛纯净时代再次来临了吧？
不过很可惜，答案是否定的。
-----------------------------------------------------------------------------------------------------------------
截包工具:
http://free.ys168.com/?shoooo
   WPRO.rar  MD5: 2E1E8E48FCC78972905E4F40081B608C
   IRIS.rar  MD5: 6B919165C60D83379C1F825245100545
  WPE 是通过注入dll的方式hook send, recv, WSASend, WSARecv等函数来截取封包, 如果进程有anti wpe , 有可能截不到数据包
  Iris 是sniffer工具, 对网卡进行截包, 需要适当设置IP,port过滤条件, 不可能漏包
调试工具:
  flyOdbg 1.1
  http://download.winzheng.com/SoftView/SoftView_30342.htm
  fly修改的ollydbg汉化第二版, 很棒的调试工具, 你能在bbs.pediy.com (看雪论坛)找到很多教程
分析工具:
  IDA 4.8
  http://www.crsky.com/soft/1604.html
16进制编辑工具:
  UE 11.0
  http://www.ultraedit.com/index.php?name=Downloads&;d_op=getit&lid=1
  http://bbs.pediy.com/upload/2005/10/files/UltraEdit.v11.00.Keymaker.zip
--------------------------------------------------------------------------------------------------
游戏中看到的数据可都是十进制的，在要寻找并修改参数的值时，可以使用Windows提供的计算器来进行十进制和16进制的换算，我们可以在开始菜单里的程序组中的附件中找到它。
现在要了解的知识也差不多了！不过，有个问题在游戏修改中是需要注意的。在计算机中数据的储存方式一般是低位数储存在低位字节，高位数储存在高位字节。比如，十进制数41715转换为16进制的数为A2F3，但在计算机中这个数被存为F3A2。
--------------------------------------------------------------------------------------------------
WPE使用方法：执行WPE会有下列几项功能可选择：
SELECT GAME选择目前在记忆体中您想拦截的程式，您只需双击该程式名称即可。
TRACE追踪功能。用来追踪撷取程式送收的封包。WPE必须先完成点选欲追踪的程式名称，才可以使用此项目。 按下Play键开始撷取程式收送的封包。您可以随时按下 | | 暂停追踪，想继续时请再按下 | | 。按下正方形可以停止撷取封包并且显示所有已撷取封包内容。若您没按下正方形停止键，追踪的动作将依照OPTION里的设定值自动停止。如果您没有撷取到资料，试试将OPTION里调整为Winsock Version 2。WPE 及 Trainers 是设定在显示至少16 bits 颜色下才可执行。
FILTER过滤功能。用来分析所撷取到的封包，并且予以修改。
SEND PACKET送出封包功能。能够让您送出假造的封包。
TRAINER MAKER制作修改器。
OPTIONS设定功能。让您调整WPE的一些设定值。

FILTER的详细教学
当FILTER在启动状态时 ，ON的按钮会呈现红色。- 当您启动FILTER时，您随时可以关闭这个视窗。FILTER将会保留在原来的状态，直到您再按一次 on / off 钮。- 只有FILTER启用钮在OFF的状态下，才可以勾选Filter前的方框来编辑修改。- 当您想编辑某个Filter，只要双击该Filter的名字即可。
NORMAL MODE：
范例：
当您在 Street Fighter Online ﹝快打旋风线上版﹞游戏中，您使用了两次火球而且击中了对方，这时您会撷取到以下的封包：
SEND-> 0000 08 14 21 06 01 04
SEND-> 0000 02 09 87 00 67 FF A4 AA 11 22 00 00 00 00
SEND-> 0000 03 84 11 09 11 09
SEND-> 0000 0A 09 C1 10 00 00 FF 52 44
SEND-> 0000 0A 09 C1 10 00 00 66 52 44
您的第一个火球让对方减了16滴﹝16 = 10h﹞的生命值，而您观察到第4跟第5个封包的位置4有10h的值出现，应该就是这里了。
您观察10h前的0A 09 C1在两个封包中都没改变，可见得这3个数值是发出火球的关键。
因此您将0A 09 C1 10填在搜寻列﹝SEARCH﹞，然后在修改列﹝MODIFY﹞的位置4填上FF。如此一来，当您再度发出火球时，FF会取代之前的10，也就是攻击力为255的火球了！
ADVANCED MODE：
范例： 当您在一个游戏中，您不想要用真实姓名，您想用修改过的假名传送给对方。在您使用TRACE后，您会发现有些封包里面有您的名字出现。假设您的名字是Shadow，换算成16进位则是﹝53 68 61 64 6F 77﹞；而您打算用moon﹝6D 6F 6F 6E 20 20﹞来取代他。1)
SEND-> 0000 08 14 21 06 01 042)
SEND-> 0000 01 06 99 53 68 61 64 6F 77 00 01 05 3)
SEND-> 0000 03 84 11 09 11 094)
SEND-> 0000 0A 09 C1 10 00 53 68 61 64 6F 77 00 11 5)
SEND-> 0000 0A 09 C1 10 00 00 66 52 44
但是您仔细看，您的名字在每个封包中并不是出现在相同的位置上
在第2个封包里，名字是出现在第4个位置上- 在第4个封包里，名字是出现在第6个位置上
在这种情况下，您就需要使用ADVANCED MODE- 您在搜寻列﹝SEARCH﹞填上：53 68 61 64 6F 77 ﹝请务必从位置1开始填﹞- 您想要从原来名字Shadow的第一个字母开始置换新名字，因此您要选择从数值被发现的位置开始替代连续数值﹝from the position of the chain found﹞。- 现在，在修改列﹝MODIFY﹞000的位置填上：6D 6F 6F 6E 20 20 ﹝此为相对应位置，也就是从原来搜寻栏的+001位置开始递换﹞- 如果您想从封包的第一个位置就修改数值，请选择﹝from the beginning of the packet﹞
了解一点TCP/IP协议常识的人都知道，互联网是将信息数据打包之后再传送出去的。每个数据包分为头部信息和数据信息两部分。头部信息包括数据包的发送地址和到达地址等。数据信息包括我们在游戏中相关操作的各项信息。那么在做截获封包的过程之前我们先要知道游戏服务器的IP地址和端口号等各种信息，实际上最简单的是看看我们游戏目录下，是否有一个SERVER.INI的配置文件，这个文件里你可以查看到个游戏服务器的IP地址，比如金庸群侠传就是如此，那么除了这个我们还可以在DOS下使用NETSTAT这个命令，
NETSTAT命令的功能是显示网络连接、路由表和网络接口信息，可以让用户得知目前都有哪些网络连接正在运作。或者你可以使用木马客星等工具来查看网络连接。工具是很多的，看你喜欢用哪一种了。
NETSTAT命令的一般格式为：NETSTAT [选项]
命令中各选项的含义如下：
-a 显示所有socket，包括正在监听的。
-c 每隔1秒就重新显示一遍，直到用户中断它。
-i 显示所有网络接口的信息。
-n 以网络IP地址代替名称，显示出网络连接情形。
-r 显示核心路由表，格式同"route -e"。
-t 显示TCP协议的连接情况。
-u 显示UDP协议的连接情况。
-v 显示正在进行的工作。
--------------------------------------------------------------------------------------------------
GameGuard nprotect是运行游戏后自动在后台运行的游戏过程中切换回桌面可疑看到在系统
DES ( data encryption Standard) 是一种世界标准的加密形式，已经15年历史了，虽然有些老，可还算是比较可靠的算法。在七十的初期, 随着计算机之间的通信发展，需要有一种标准密码算法为了限制不同算法的激增使它们之间不能互相对话。为解决这个问题, 美国国家安全局(N.S.A ) 进行招标。 I.B.M 公司开发了一种算法， 称为：Lucifer。 经过几年的研讨和修改, 这种算法, 成为了今天的D.E.S，1976 年11月23 日，终于被美国国家安全局采用。
D.E.S 是分块加密的，将明文分割成 64 BITS 的块, 然后它们一个个接起来。它使用56位密钥对64位的数据块进行加密，并对64bits的数据块进行16轮编码。与每轮编码时，一个48bits的“每轮”密钥值由56bits 的完整密钥得出来。DES用软件进行解码需要用很长时间，而用硬件解码速度非常快，1977年，人们估计要耗资两千万美元才能建成一个专门计算机用于 DES的解密，而且需要12个小时的破解才能得到结果。所以，当时DES被认为是一种十分强壮的加密方法。但今天， 只需二十万美圆就可以制造一台破译DES的特殊的计算机，所以现在 DES 对要求“强壮”加密的场合已经不再适用了。
美国军方委托IBM公司研究出来的加密算法，是美国政府的标准加密算法，不是双质数加密法。
DES 算法全称为Data Encryption Standard,即数据加密算法,它是IBM公司于1975年研究成功并公开发表的。DES算法的入口参数有三个:Key、Data、Mode。其中 Key为8个字节共64位,是DES算法的工作密钥;Data也为8个字节64位,是要被加密或被解密的数据;Mode为DES的工作方式,有两种:加密或解密。
DES算法把64位的明文输入块变为64位的密文输出块,它所使用的密钥也是64位，其算法主要分为两步：
1初始置换
其功能是把输入的64位数据块按位重新组合,并把输出分为L0、R0两部分,每部分各长3 2位,其置换规则为将输入的第58位换到第一位,第50位换到第2位……依此类推,最后一位是原来的第7位。L0、R0则是换位输出后的两部分，L0是输出的左32位,R0是右32位,例:设置换前的输入值为D1D2D3……D64,则经过初始置换后的结果为:L0=D58D50……D8;R0= D57D49……D7。
2逆置换
经过16次迭代运算后,得到L16、R16,将此作为输入,进行逆置换,逆置换正好是初始置换的逆运算，由此即得到密文输出。
--------------------------------------------------------------------------------------------------
DES算法的简单说明
DES的每个分组是64位，既明文和密钥都是64位（密钥实际用56位，每字节第8位为校验）。这个算法的核心是Feistel密码，由于其设计的巧妙，加密解密都用一个函数，具体原理请查阅其他资料。DES的流程基本是执行16轮下面的运算：
1 初始变换Initial Permutation
2 右边32位f函数
2.1 E置换
2.2 与轮密钥XOR
2.3 S盒替换
2.4 P置换
2.5 和左边32位XOR
3 左右交换，最终变换final permutation
需要特别注意的是，最后一轮是不需要做左右交换这一部的，有的书在这个问题上写得不够明确，逼得我当时手算了一遍，还好只是64位。
--------------------------------------------------------------------------------------------------
实现分析
可以看出DES里到处都是基于bit的置换，所以我的实现是把明文的64位拆开保存在数组里，再写一个专门处理置换的函数。
private int[] permutation(int[] initial, int[] perm)
{
int[] result = new int[perm.length];
for(int i=0; i<result.length; i++)
{
result[i]=initial[perm[i]-1];
}
return result;
}
剩下的事情就是照着书上的算法描述实现就可以了。
--------------------------------------------------------------------------------------------------
破解nProtect：
nProtect GameGuard在启动后使用SetWindowsHookEx（Inject DLL）方式进入所有的进程，并且在
OpenProcess()
ReadProcessMemory()
WriteProcessMemory()
PostMessage()
......等等函数的头部加入JMP XXXXXX的代码跳入监测程序进行监测，如发现对游戏进行操作便拦截该操作。所以以上函数均无法正常工作。
解决方案：
1. 运行时将要使用的动态连接库（如：user32.dll kernel32.dll）复制后改名，使用LoadLibrary和GetProcAddress载入函数。
要使用LoadLibrary和GetProcAddress载入函数，你需要有Visual Studio .NET，或者其中的 Visual Basic和Visual C++，当然，你还要会使用他们，而且你还要知道nProtect GameGuard运行时到底调用了哪些动态连接库（这时候大家就八仙过海各显神通吧）
2. 恢复JMP XXXXXX处的代码（需要很高的技术并有很大的危险性，而且不知道会不会再被改）
3. 如果nProtect GameGuard非正常关闭，JMP XXXXXX处的代码不会被恢复而监测程序代码却已经被卸载，这时候如果被Hook程序调用函数……
根据论坛里回复帖子，解决方案一是可以实现的，但我在用代码实现的时候遇到了问题。代码和报错信息如下：
#include "stdafx.h"
typedef void (__stdcall *keybd)(
  BYTE bVk,           // virtual-key code
  BYTE bScan,         // hardware scan code
  DWORD dwFlags,      // flags specifying various function options
  DWORD dwExtraInfo   // additional data associated with keystroke
);
keybd keybd_event1;
void keyd(int nkey);
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
  // TODO: Place code here.
HMODULE hLibrary=0;

hLibrary=LoadLibrary("user36.dll");//改名后的user32.dll
//加载DLL
if(hLibrary!=NULL) //加载成功
{
keybd_event1=(keybd)GetProcAddress(hLibrary,"keybd_event");
if(keybd_event1!=NULL)//成功后就调用
{
Sleep(1000);
keyd('A');
Sleep(1000);
keyd('A');
Sleep(1000);
keyd('A');
Sleep(1000);
keyd('A');
Sleep(1000);
}
FreeLibrary(hLibrary);
}
return 0;
}
void keyd(int nkey)
{
keybd_event1(nkey,0,0,0);
Sleep(50);
keybd_event1(nkey,0,KEYEVENTF_KEYUP,0);
}
报错信息：无效的系统 DLL 重定位
系统 DLL user32.dll 在内存中重定位。应用程序将不能正常运行。 由于DLL g:\..\user36.dll占用了为Windows系统 DLL 保存的地址空间而产生了错误。应当与提供该 DLL 的供应商联系以得到新的 DLL。
测试平台：WINDOWS XP SP2 VC6.0
问题还没有被解决。
--------------------------------------------------------------------------------------------------
NProtect 研究了一段时间也算是小有成果了
下面简单说说NP的流程:
NP在游戏exe里面采用全局初始化时进行初始化 初始化首先建立各个通信event 然后启动GameGuard检查np自身文件更新 然后读取ini配置初始化NPGameLib 备份系统dll 然后启动GameMon 在GameMon中根据ini的配置完成驱动加载隐藏进程 Hook所有进程以保护系统api调用 当在其它进程调用这些保护的api时将比较对象是否为游戏进程和api入口是否与备份的dll相同 并再GameMon中启动通信线程负责与游戏进行通信以完成服务器回包计算 CRC效验等操作
NP基本就是这个流程
去NP关键也就是断开GameMon与游戏exe之间的通信 而对于服务器效验包则自己计算如需带NP运行就去掉它的CRC效验.
就做这么多介绍吧
--------------------------------------------------------------------------------------------------
学会了如何bypass掉冒险的np.
我也是摸索出来的，参考MPC上的方法，还要感谢dubious的帮助
先讲讲跳过nProtect的思路
1. 首先你机器是一个WEB服务器。
2. 你的WEB端口为8086
3. 在你的WEB服务器的根目录里建立目录：\maplestory\nProtect\GameGuard\RealServer\在目录中放入已经被你修改的不在防外挂的nProtect。
4. 修改hosts文件： 127.0.0.1   nprotect1.mxd.sdo.com
                   127.0.0.1   nprotect2.mxd.sdo.com
                   127.0.0.1   update.nProtect.com
                   127.0.0.1   update.nProtect.net
其实也不复杂的，仔细点就行了。用到的工具是Apache，因为要架设自己的NP服务器。
安装好Apache后，C:\WINDOWS\system32\drivers\etc   里的host文件里加入上面的IP。
找到\Apache Group\Apache\conf里的httpd.conf文件，用记事本打开，找到part 80 改成part 8086。
然后到控制面板/管理工具/服务 找到Apache并选中，然后禁用它，再启动。
这样，你的服务器就架设好了。
把NP的服务器文件到/ApacheGroup/Apache/htdocs/[maplestory/nProtect/GameGuard/RealServer] 里。 打括号的文件夹要自己建。
OK 成功bypass了
只要是上一次吸怪没封时期的文件就可以，因为bypass之后，NP不会去盛大的服务器更新，而是直接在你电脑上更新，因为你电脑上的是老的不防怪的，所以NP就被退回到封吸怪以前的版本了，接下去怎么做大家应该知道吧。。。
旁路NP的意义或者说好处：举个例子，如果架设的服务器中的NP文件是在V39刚出来的时候的，那么上次被封的吸怪可以继续使用
-----------------------------------------------------------------------------------------------------------------
跳过nProtect：
首先要清楚,nProtect通过连接其更新服务器获得当前最新文件内容,然后与本地文件作比较,如发现服务器端的文件与本地的不一致,则从更新服务器重新下载文件更新本地的nProtect文件。如果nProtect更新成功,而新版nProtect又拦截外挂,那么理所当然地nProtect每更新一次外挂就失效一次了。
通过分析游戏客户端用于解析该游戏各程序与其对应远端连接的IP列表文件,找出nProtect更新服务器的地址,并分析出nProtect官方更新服务器上的目录文件结构。
目录文件结构一般为: "更新服务器的名称\\GameGuard"
先自己构建一台模拟nProtect更新服务器,服务器上目录文件结构与官方的相同,更新下载文件内容使用旧版nProtect的内容(旧的客户端先别忙着删除。。。。。)
将真实nProtect更新服务器的地址,解析到你构建的模拟nProtect更新服务器的IP地址.
例: 127.0.0.1gg.muchina.com
写入到 system32\\drivers\\etc 的 host 文件中
这个 host 文件为系统TCP/IP协议配置IP解析服务, 没有后缀名,可用记事本或UE32打开编辑。
通常一个网游的顺利运行,是要连接服务器端多个IP的("nProtect服务","连接服务","数据服务","登陆服务","主服务"。。。。。。。)
而这一系列的服务都是由一个游戏主程序的启动运行来完成(如"命运"的"WYDLaucher.exe","奇迹"的"Main.exe"，"冒险岛"的"MapleStory.exe")
由于host文件已被修改过,其中nProtect更新的连接IP被解析为指向自己模拟的更新服务器,而模拟服务器上的"更新文件"是旧版本的,所以nProtect不但不会被更新为新版,反而会版本倒退。并且往后都不会再更新。。。。。。。。
另一个方法,则是直接修改游戏主程序代码内容,就是暴力修改了。
由于nProtect的功能是附在游戏主程序的开头独立执行的,所以,通过对游戏主程序进行破解处理后,将游戏主程序关于nProtect的执行部分的代码打上无效化标记,就很自然地跳过了nProtect了。

补充一下,构建模拟nProtect更新服务器可用本地机器完成(nProtect更新IP:127.0.0.1 有的安全软件会屏蔽掉此个本地自连接IP)；用VM虚拟机完成(VM虚拟的多系统可各自设置不同IP)；或者。。。。。另外组一台机器来做也可。。。。。
--------------------------------------------------------------------------------------------------
步骤:
在np目录里找到GameMon.des(没有+密,所以破解速度超快),改名为GameMon.exe,然后用WASM32打开,找程序的入口,然后用16位编辑器把第1个字节改位c3(也就是汇编的ret),保存退出,开开si,设置MessageBoxA断点(bpx MessageBoxA),然后进入游戏,在np更新的时候取消,进入中断,按2下F12,再将EAX改为1就可以正长进入游戏了,哈哈,大家发线了没, np的监控进程闪了一下就没了(夸张了说,其实跟本看不到^_^).尽情的修改游戏进程吧,np以经不在啦.今天真高兴,没想到这个外挂杀手死到我的手下了.
工具:
1. uedit32 16进制编辑器
2. WASM32 反汇编工具
3. Soft-ICE 调试工具(我用的是SoftICE Driver Suite 2.7)
步骤:
1. 先找到游戏里的np目录,一般都是GameGuard
2. 进去后有个***Mon.des,神话的是GameMon.des
3. 用WASM32打开GameMon.des,然后选择菜单的 跳转->到程序入口点
4. 记下来跳到的语句的16进制。。
5. 用UltraEdit(就是上面说的uedit32)打开GameMon.des
6. 然后查找刚才记下来的东西
8. 多找几遍,要是有重复的话就再多记几个字符,找到一个为止
9. 然后将第一个字节改为3C,关掉WASM32然后保存修改退出.
10.运行SI(Soft-ICE),然后设置断点bpx MessageBoxA
11.运行游戏,在np更新的时候点击取消
12.等带进入游戏,这时SI跳出来会停在MessageBoxA处按2次F12,然后用R命令修改EAX为1,再按F5,完成
下面附一个高手的破解nProtect的过程。给大家参考。
代码级破解。
首先看导入函数，用到了IoAttachDeviceToDeviceStack，似乎走的还是设备栈的老路。于是祭出WinDbg查看 KeyboardClass0/1的设备栈，居然没有异常，那八成就是挂键盘中断了，导入的函数HalGetInterruptVector就是用来干这个的。列出所有中断向量（WinDbg没有类似SoftICE的idt命令，不爽的很），一眼就发现n个80开头的地址中有个f7开头的，哈，就是它。
再次重启系统，先列出原先的IDT，启动QQ后还原被修改的条目，然后尝试键盘记录，无效。再看IDT，又被改回去了！在这个中断向量的地址上设内存读写断点，只断到了读操作，却没有写操作。但明明就被改回去了啊。郁闷了一分钟之后，我开始看驱动的反汇编代码。从被断到的读操作开始跟踪，我发现读到的值被保存在全局变量里，而所有对这个变量的操作中，几乎都是赋值，只有一个cmp指令，比较保存的值和读取的值，如果不同就关中断，然后修改成QQ自己的中断服务地址（难怪断不到，关中断了嘛）。
到这里问题就算解决了，把紧随cmp之后的jz改为jnz，中断向量再也不会被改回去啦，键盘记录（不管是哪种）当然也有效了，金锁还是老样子。所谓的“国际先进技术”原来只是从DOS时代就被大玩特玩的中断挂钩，钩住键盘中断后直接把 ScanCode传给应用程序。如果QQ能绕过Windows的中断映射机制，控制PIC或APIC重新映射键盘中断，那还有点看头。
--------------------------------------------------------------------------------------------------
nProtect GameGuard 破解交流
小弟初学者搞了半天还是搞不定~nProtect
一开始以为nProtect就和～QQ的Npro一样～跟踪生成文件之发现根本没用
ANTI_APIHOOK程序检测发现挂钩～
OpenProcess
ReadProcessMemory钩子
后来使用Toolhelp32ReadProcessMemory函数也不行
使用消息钩子还可以插入～游戏进程～但是想读取内存也可以～直接读取自身(这个我就不具体说了～差不多会编程的人都会)
至于如何API-HOOK？？就有点麻烦了～
1.寻找～插入DLL然后～卸载之
结果失败～卸载不掉～(难道FreeLibrary也被挂钩了？)
2.Ring3全局脱钩～既然可以挂后我们的API～我们也就可以脱钩～
把我们需要的一些～函数脱钩后发现～也不能用～一直郁闷
3.当时就怀疑nPro是不是挂钩～NTDLL.dll的导出表了？
(一直以为是导入表挂钩～从来没有想到过是类似防火墙的～导出表挂钩)
不幸的是～脱钩后～程序就非法操作了(游戏本身也挂了)
4.祭出最后一招～Ring3下的万能绝学～VirtualAPIHook
通过调试寄存器～来动态脱钩和～挂钩API，搞了半天不但使程序体积明显增大反而～有的时候不太稳定(因为是～调试模式所以有的时候会出现一点点问题～游戏速度慢了)
内存读取:
进程是插入了～但是你打算用金山游侠搜索内存是不太可能了～
驱动级隐藏进程了～冰刃下显示红色字体。。。
还好冰刃有个读取目标进程功能(感谢一下pjf开发这么好的功能)
可惜冰刃没有搜索功能～郁闷～～
剩下的就是读取内存和写入内存了～不过这里有个严重的问题！！
VirtualProtect也被挂钩了·～～改写入内存的地方根本跑不起来～
结论:nPro到底是一个～游戏保护程序还是一个～内核级后门？？
前面的仁兄提到～一个问题。。就是他是使用消息钩子挂钩的！
那我们是不是先把SetWindowsHookEx函数封杀～让他挂不了～
不知道理解是否正确～不过我感觉～
nPro作的有点过分了～～～nPro作的这么牛不知道～在Win9x下是不是能完整的跑完游戏(蓝屏死机～呵呵)
--------------------------------------------------------------------------------------------------
NP有没有用到驱动程序？
很有可能是自已模拟了SetWindowsHookEX和对他所用到的部份API做了变型处理,涵数
我感觉关健还是把ＮＰ HookApi前的代码找出来，才是正道，你研究怎么脱勾，很难从根本上解决问题
--------------------------------------------------------------------------------------------------
在讲述游戏封包反跟踪原理之前我们首先需要对函数HOOK原理有深入了解
我们知道函数HOOK原理主要通过二个途径截获封包数据的，一个是将跳转下在PE文件的被跟踪的输入表项中，一个是将跳转下在被跟踪的函数体中。
游戏封包反跟踪（NP）程序是基于上述原理而实施反跟踪的，按反跟踪的实现不同，相应可分为：
1. 将PE中用于查找指定函数的相关帮助信息删除
2. 不断判断输入表中相关函数项的跳转地址
3. 不断判断被反跟踪函数体代码的情况
上述三点中，前二点是基于函数HOOK原理的第一种情况的，第三点是基于函数HOOK原理的第二种情况的。
　　
游戏封包反跟踪(NP)为了不让用户轻易将反跟踪程序去消，其实现的往往是采用某种动态算法，并与游戏服务器相通信。
我们如果想去消游戏封包反跟踪(NP)程序的反跟踪，那么必须对反跟踪代码的行为进行分析，找出算法后，我们就可以仿照它的行为而实施我们的模拟反跟踪。
反跟踪 NP 一旦去消，我们又可以用HOOK原理来实施我们对封包信息的截获工作了。当然纯粹为了跟踪封包，我们其实并不需要去对付反跟踪，因为我们还有很多其他途径来实施封包的跟踪，而在这些途径中有些原理本身就是无法被反跟踪的。
如何查找反跟踪程序，其实十分的简单，我们知道在进行判断之前，被判断的内存数据必须会被读取，因此我们只要给被分析代码所在的内存下一个读断点就行，然后用运行跟踪即可找到反跟踪代码段。
目前遇到一个NP的难题，一旦跳过NP就无法认证
不跳NP时正常连接为：
C -> S 02 58 //发送连接请求
S -> C 02 27 +16位KEY //接收16位随机密匙
C -> S 02 28 +16位根据KEY算出的结果 //发送16位密匙计算结果
S -> C 02 59 01 //服务器确认后返回标记，开始正常登陆
但如果跳过NP后：
C -> S 02 58 //发送连接请求
S -> C 02 27 +16位KEY //接收16位随机密匙
只到了这里客户端就不返回计算结果了，估计是检测不到NP运行所以就不返回结果
我推算有两种情况：
1）加密算法是单独的，不与NP挂钩，那么只需要搞点判断位，或模拟NP运行就行
2）加密算法作为NP一个模块，内嵌在NP，这样的话只能跟踪NP获得加密算法了
==================================================================================================
What is nProtect?
nProtect is a new concept web-based anti-hacking & anti-virus utility tool designed to protect PC terminals from being infected by viruses or hacking tools.
It helps to ensure that all information entered into the PC terminals during web access will not fall into the hands of hackers.
By deploying nProtect on their websites, financial institutions offering e-services, portals and e-commerce sites can increase the security level for the end-users when they perform electronic transactions

How does nProtect work?
nProtect is a server based solution and is automatically activated at the launch of any web page that requires the necessary protection.
nProtect is loaded onto the PC’s memory, so end-users do not need to install any application to enjoy the security protection. Once nProtect is activated, it offers the terminal real-time protection against hacking tools and viruses. Here’s how it works.
1) nProtect auto-launches when the user logs-in
2) The web browser checks and auto-installs the security module in the users?PC (new users/ outdated version)
3) Scans for hacking tools and viruses
4) Inform users about the security status
5) Attempts to remove hacking tools and viruses, if any
6) Resides in the main memory to block hacking tools from intruding until the PC or nProtect is closed.
--------------------------------------------------------------------------------------------------
How to implement the Data Encryption Standard (DES)
A step by step tutorial
Version 1.2
The Data Encryption Standard (DES) algorithm, adopted by the U.S.
government in 1977, is a block cipher that transforms 64-bit data blocks
under a 56-bit secret key, by means of permutation and substitution. It
is officially described in FIPS PUB 46. The DES algorithm is used for
many applications within the government and in the private sector.
This is a tutorial designed to be clear and compact, and to provide a
newcomer to the DES with all the necessary information to implement it
himself, without having to track down printed works or wade through C
source code. I welcome any comments.
Matthew Fischer <[EMAIL="mfischer@heinous.isca.uiowa.edu"]mfischer@heinous.isca.uiowa.edu[/EMAIL]>

Here's how to do it, step by step:
1 Process the key.
1.1 Get a 64-bit key from the user. (Every 8th bit is considered a
parity bit. For a key to have correct parity, each byte should contain
an odd number of "1" bits.)
1.2 Calculate the key schedule.
1.2.1 Perform the following permutation on the 64-bit key. (The parity
bits are discarded, reducing the key to 56 bits. Bit 1 of the permuted
block is bit 57 of the original key, bit 2 is bit 49, and so on with bit
56 being bit 4 of the original key.)
Permuted Choice 1 (PC-1)
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
1.2.2 Split the permuted key into two halves. The first 28 bits are
called C[0] and the last 28 bits are called D[0].
1.2.3 Calculate the 16 subkeys. Start with i = 1.
1.2.3.1 Perform one or two circular left shifts on both C[i-1] and
D[i-1] to get C[i] and D[i], respectively. The number of shifts per
iteration are given in the table below.
Iteration # 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Left Shifts 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
1.2.3.2 Permute the concatenation C[i]D[i] as indicated below. This
will yield K[i], which is 48 bits long.
Permuted Choice 2 (PC-2)
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
1.2.3.3 Loop back to 1.2.3.1 until K[16] has been calculated.
2 Process a 64-bit data block.
2.1 Get a 64-bit data block. If the block is shorter than 64 bits, it
should be padded as appropriate for the application.
2.2 Perform the following permutation on the data block.
Initial Permutation (IP)
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
2.3 Split the block into two halves. The first 32 bits are called L[0],
and the last 32 bits are called R[0].
2.4 Apply the 16 subkeys to the data block. Start with i = 1.
2.4.1 Expand the 32-bit R[i-1] into 48 bits according to the
bit-selection function below.
Expansion (E)
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
2.4.2 Exclusive-or E(R[i-1]) with K[i].
2.4.3 Break E(R[i-1]) xor K[i] into eight 6-bit blocks. Bits 1-6 are
B[1], bits 7-12 are B[2], and so on with bits 43-48 being B[8].
2.4.4 Substitute the values found in the S-boxes for all B[j]. Start
with j = 1. All values in the S-boxes should be considered 4 bits wide.
2.4.4.1 Take the 1st and 6th bits of B[j] together as a 2-bit value
(call it m) indicating the row in S[j] to look in for the substitution.
2.4.4.2 Take the 2nd through 5th bits of B[j] together as a 4-bit
value (call it n) indicating the column in S[j] to find the substitution.
2.4.4.3 Replace B[j] with S[j][m][n].
Substitution Box 1 (S[1])
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S[2]
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S[3]
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S[4]
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S[5]
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S[6]
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S[7]
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S[8]
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
2.4.4.4 Loop back to 2.4.4.1 until all 8 blocks have been replaced.
2.4.5 Permute the concatenation of B[1] through B[8] as indicated below.
Permutation P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
2.4.6 Exclusive-or the resulting value with L[i-1]. Thus, all together,
your R[i] = L[i-1] xor P(S[1](B[1])...S[8](B[8])), where B[j] is a 6-bit
block of E(R[i-1]) xor K[i]. (The function for R[i] is written as, R[i] =
L[i-1] xor f(R[i-1], K[i]).)
2.4.7 L[i] = R[i-1].
2.4.8 Loop back to 2.4.1 until K[16] has been applied.
2.5 Perform the following permutation on the block R[16]L[16].
Final Permutation (IP**-1)
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25

This has been a description of how to use the DES algorithm to encrypt
one 64-bit block. To decrypt, use the same process, but just use the keys
K[i] in reverse order. That is, instead of applying K[1] for the first
iteration, apply K[16], and then K[15] for the second, on down to K[1].
Summaries:
Key schedule:
C[0]D[0] = PC1(key)
for 1 <= i <= 16
C[i] = LS[i](C[i-1])
D[i] = LS[i](D[i-1])
K[i] = PC2(C[i]D[i])
Encipherment:
L[0]R[0] = IP(plain block)
for 1 <= i <= 16
L[i] = R[i-1]
R[i] = L[i-1] xor f(R[i-1], K[i])
cipher block = FP(R[16]L[16])
Decipherment:
R[16]L[16] = IP(cipher block)
for 1 <= i <= 16
R[i-1] = L[i]
L[i-1] = R[i] xor f(L[i], K[i])
plain block = FP(L[0]R[0])

To encrypt or decrypt more than 64 bits there are four official modes
(defined in FIPS PUB 81). One is to go through the above-described
process for each block in succession. This is called Electronic Codebook
(ECB) mode. A stronger method is to exclusive-or each plaintext block
with the preceding ciphertext block prior to encryption. (The first
block is exclusive-or'ed with a secret 64-bit initialization vector
(IV).) This is called Cipher Block Chaining (CBC) mode. The other two
modes are Output Feedback (OFB) and Cipher Feedback (CFB).
When it comes to padding the data block, there are several options. One
is to simply append zeros. Two suggested by FIPS PUB 81 are, if the data
is binary data, fill up the block with bits that are the opposite of the
last bit of data, or, if the data is ASCII data, fill up the block with
random bytes and put the ASCII character for the number of pad bytes in
the last byte of the block. Another technique is to pad the block with
random bytes and in the last 3 bits store the original number of data bytes.
The DES algorithm can also be used to calculate checksums up to 64 bits
long (see FIPS PUB 113). If the number of data bits to be checksummed is
not a multiple of 64, the last data block should be padded with zeros. If
the data is ASCII data, the first bit of each byte should be set to 0.
The data is then encrypted in CBC mode with IV = 0. The leftmost n bits
(where 16 <= n <= 64, and n is a multiple of 8) of the final ciphertext
block are an n-bit checksum
--------------------------------------------------------------------------------------------------
[GMS] Hacking 101 [Bypassing, addresses, pointers]

Announcements
=============
irc.fukt.us #maplestory
/server -m irc.fukt.us -j #maplestory
Remember that IRC is not the same as the forum. You may not be treated too kindly.
- I will no longer be giving support in this thread. Most questions are now repeats. Before asking a question please try searching the forum or reading through the pages of this thread.
- The correct DBK32 file has now be uploaded.
- Thank Diddle for the alternate download location on MPC.
- I have changed my AIM and MSN settings to disallow people who aren't on my buddy list from contacting me. So please don't add me to your MSN or PM me on the forum either.

Introduction
============
Other stickies you should note.
- [GMS] v0.21 - Hack Values (http://www.mpcforum.com/showthread.php?t=130102)
- [GMS] Tutorial - All 4 VAC Hacks (http://www.mpcforum.com/showthread.php?t=129710)
There is an HTML verision of this tutorial available. (http://www.uber-l33t.net/ian/tutorial.html).
This probably won't be as updated as this thread, though.
definately not updated recently. dont use it
My goals.
I am hoping this clears up many questions and issues. I will try and be as descriptive as humanly possible. If you have anything to add, please PM me or IM me.
You can get all the files needed in one zip.
In this tutorial, all files needed are separate downloads. If you would like all downloads in one compressed archive, you can download them from (http://www.megaupload.com/?d=QONMUIAN).
Replace the DOTs with the appropriate symbol. MPC censors the website. This tutorial does not cover the filenames used in that archive. So you'll have to figure that out for yourself. It should be pretty obvious though. Thanks to Rache for the contribution.

Common Problems
===============
If you can only use godmode and nothing else [one register change],
then you need the modified DBK32 file.
If your computer reboots when you start MapleStory with CheatEngine
then try using Abyss webserver and checking over your hosts file / rev 566 server files.
If DupeX ListOffset value doesn't increase
then there is someone on the map, or you don't have the modified DBK32 file.
More to come...
contribute by replying...

The Bypass
==========
What it does. This method of bypassing GameGuard emulates a GameGuard server on your own computer. That means instead of MapleStory looking fofr the GameGuard server on it's own website, it will read and update from your own computer. SunBeam put it best when he wrote in his thread (http://www.mpcforum.com/showthread.php?t=129496):
Quote:
Originally Posted by SunBeamThis method of "defeating" GameGuard came to life in 2001-2002. The first game ever having this protection was and still is - MU Online. The ideea of making a server that would "update" GameGuard with old files was commonly used at that time. People simply updated the tutorial and used it on other games that received GameGuard's "blessing". Which brings us to these days.
GameGuard uses a module that determines speed of transfer and checks if updates for any of its modules are available. If yes, the update begins, the modules are re-initialised, then launched and the game starts.
Formerly, the tutorial stated that in order to achieve server emulation, one needed to know what GameGuard "tells" the server. In simpler terms, where does GameGuard update from and what is the server's structure. Using a simple firewall, one can find the site, but can't determine the server directory from which GameGuard updates. For that I think I've heard something about a program called Ethereal which caught packets upon send. But it seems, GameGuard's packets are also encrypted nowadays.

Files you will need.
====================
To start an emulation server you will need the following. An HTTPD (Web Server), the GameGuard Server Files (rev 566), and a modified host file. These files are hosted in various places, but for your convienience and security, I will provite my own sources.
a) You will first need to choose a web server. I have heard Abyss works fine, but I specifically use Apache with no problems. You can download Abyss Web Server from their website (http://www.aprelium.com/downloads/).
You can download Apache HTTP Server from their website (http://httpd.apache.org/download.cgi).
On that page there are many links. Scroll to where it says "Apache HTTP Server 2.0.55 is also available" and click "Win32 Binary (MSI Installer): apache_2.0.55-win32-x86-no_ssl.msi"
b) The GameGuard revision 566 server files can be download either (http://diddle.mpcforum.com/MapleStory/GameGuard_Rev566_Server_Files.zip),
or from Katana (http://katana.moonfruit.com/) (In the 'Hack Downloads' section)
c) The modified host file is also available at Katana,. You can also grab it (http://diddle.mpcforum.com/MapleStory/Modified_Hosts_File.zip).

Getting started installing.
===========================
This tutorial, due to my lack of knowlege, only will explain how to install Apache. I'm sorry for the inconvenience. Moving on, once you have downloaded the Apache installer, run the file and go through the prompts. It is a standard installer file, and will ask you to confirm the license aggreement and (if you selected custom installation) ask you to choose a install location. It will ask you if you would like to install it as a service on port 80, or as an executable on port 8080. You must install it as a service for this to work. Once you get to the server configuration step, it will ask you for the server name, network name, and email address.
a) If you are not on a router, skip to step 1b. If you are, you will need to visit http://www.whatismyip.com and copy your IP address down. Paste it into the server and network (first two) boxes of the Apache installer prompt. Skip to step c.
b) (If you are not on a router,) put 127.0.0.1 into the server name box and localhost into the network name box.
c) You may put any valid email address into the third box. (ex: [EMAIL="admin@uber-l33t.net"]admin@uber-l33t.net[/EMAIL], [EMAIL="mpcuser@hotmail.com"]mpcuser@hotmail.com[/EMAIL], etc.)

Extracting the GameGuard Server files.
======================================
You must pay careful attention to this step.
a) Navigate to My Computer and click Drive C, Program Files, Apache Group, Apache2, then htdocs.
b1) Create a folder named nProtect
b2) Open nProtect folder. Create a folder named GameGuard
b3) Open GameGuard folder. Create a folder named RealServer
c) Open RealServer folder. Open the zip file containing the Revision 566 GameGuard Server files.
d) Extract all files into RealServer.

Overwriting your hosts file.
============================
a) Navigate to My Computer. Click Drive C, Windows, system32, drivers, then etc.
b) Open the zip containing the modified hosts file.
c) Extract the file into the etc folder, overwriting the old file.
d) Right click hosts, click Properties. Make sure Read-Only is ticked. Click OK.

Intermission.
=============
You have now successfully installed a emulation server for MapleStory. Pat yourself on the back and let's move on to the next step! Now that you have the server installed you need a program that will allow you to control a program's memory changes. PrevX Home seems to work fine for this. Why do we need this? Well the nProtect Game Monitor obviously tries to change MapleStory to hind the process. With this, we can allow or deny some of it's actions.
Files you will need.
====================
For this obviously you only need PrevX Home. Again, this is available on Katana, but you can also get it (http://diddle.mpcforum.com/MapleStory/PrevX_Home.zip)
Configuring the software.
=========================
Extract the installer and run it. It should be fairly simple. Just click through the prompts. When it asks you to restart, do so. Wait for your computer to boot back up, if PrevX does not open automatically, open it. It will ask if you want to check for updates, or it will say it has found updates. Do not let it update. Now for the configuration.
a) In the bottom left hand corner of Prevx it says "Protection Setting." Click the arrow and set it to Off as displayed in this image. (http://diddle.mpcforum.com/MapleStory/ScreenShots/prevx1.jpg)
b) Next, on the top of PrevX you should see the tabs labeled "Status," "Security Settings," "Event History," etc. Click Security Settings as illustrated here. (http://diddle.mpcforum.com/MapleStory/ScreenShots/prevx2.jpg)
c) Now in the list there should be many settings. If you look there should be one that says "Windows Memory." Next to it, there isa small plus symbol. Click it. (http://diddle.mpcforum.com/MapleStory/ScreenShots/prevx3.jpg)
d) There are four dots. One of them is white, the rest are gray. Click the second gray dot to turn it white. This will change the Windows Memory settings in Prevx from "off" to "query." Meaning from now on it will ask you what you want PrevX to do when a program tries to change another's memory.Now you are finished. Remember, when you restart your computer, it will always ask whether you want it to update. Don't let it. Click NO, then OK.
Cheat for fun, Cheat for life.
==============================
Now that everything is set up, you could technically start MapleStory. But we don't have anything to edit MapleStory's memory with right now, do we? Visit the lovely http://www.cheatengine.org/ and click Download and then Cheat Engine 5.2. If the download is not available, get it (http://diddle.mpcforum.com/MapleStory/CheatEngine_5_2.zip) After downloading and extracting the installer file, run it. It as well is pretty straight forward. Choose an install location and you're off. If it asks you to restart your computer, please do so.
Configuring your Cheat Engine.
This step should be followed carefully. If you tick something you aren't supposed to, bad things could happen.
a) Launch Cheat Engine. It will ask you a few questions for the first launch. Click through them. You'll notice the CE logo in the top right corner; under it there is a setting button. Click it. (http://diddle.mpcforum.com/MapleStory/ScreenShots/ceconfig0.jpg)
b) There are six tabs at the top of the Cheat Engine settings. Make sure each one of them looks as displayed in the images bellow.
General Settings: (http://diddle.mpcforum.com/MapleStory/ScreenShots/ceconfig1.jpg)
Scan Settings: (http://diddle.mpcforum.com/MapleStory/ScreenShots/ceconfig2.jpg)
File Associations: (http://diddle.mpcforum.com/MapleStory/ScreenShots/ceconfig3.jpg)
Code Finder: (http://diddle.mpcforum.com/MapleStory/ScreenShots/ceconfig4.jpg)
Assembler: (http://diddle.mpcforum.com/MapleStory/ScreenShots/ceconfig5.jpg)
Extra: (http://diddle.mpcforum.com/MapleStory/ScreenShots/ceconfig6.jpg)
Note: It is important in this last tab that you not click "Stealthmode (usermode)" as described in DragonBroly's tutorial. It is not needed and can conflict with kernalmode in some unappealing ways. [eg: restart your computer when closing MapleStory]
c) Click OK on the settings dialog. You are all done configuring Cheat Engine!
Final preparations.
===================
Before launching MapleStory for your first hacking experience, theres one more thing you need to do. Deleting the GameGuard directory in your MapleStory installation isn't necessary but it can help assure that GameGuard will force itself to update.
a) Open My Computer. Click Drive C, Program Files, Wizet, then MapleStory.
b) Select the GameGuard directory, right click it and then hit Delete.
You're finished!
If you'd like to test everything out before you go hunting for pointers and addresses, you can start all the programs now if they aren't already started. If Apache was installed as a service, there should be a feather with a green arrow on it in your task bar (bottom right hand corner of your screen) (http://diddle.mpcforum.com/MapleStory/ScreenShots/apache-service.jpg). If PrevX is started and configured correctly there should be a green star (without a red X through it) in your taskbar. Al lthat leaves to open is Cheat Engine.Starting MapleStory with CheatEngine.
a) Launch Cheat Engine. Then launch MapleStory.
b1) Click the computer button on the top left hand corner of Cheat Engine. (http://diddle.mpcforum.com/MapleStory/ScreenShots/startmaple1.jpg)
b2) Scroll down and select MapleStory.exe. Click OK. (http://diddle.mpcforum.com/MapleStory/ScreenShots/startmaple2.jpg)
c) A PrevX Home popup should come up. Click in the following order. (http://diddle.mpcforum.com/MapleStory/ScreenShots/startmaple3.jpg)
Allow.
Deny.
Allow.
MapleStory should now start regularly. Another PrevX popup will come up within one to two minutes. You can dragit off to the side. Do not close, allow, or deny it until you close MapleStory.
Using CheatEngine
=================
1) Addresses
============
Today, class we will be learning about addresses. Please take your seats and remember not to pass notes or whisper, or you will be send to the principal's office. Thank you.
So let's think of some scenarios here. You're a newbie to hacking. You go into the thread named '[OMS] .21 Addresses' Seems good, yes? To your horror, though, it shows just that, only addresses. You have no idea what to do with them, much less what Tick ZF means. Well, I am your shepard! I will guide you lost sheep to the ultimate hacking experience!
Most of the time when a thread just gives you an address and the words "Tick ZF" or "EAX 1," it means you are changing the addresses registers. This is done through the Memory View and is explained bellow.
Changing Registers
a) In Cheat Engine click the Memory View button. (You should have familiarized yourself with the program by now. I won't be providing screenshots for this section unless it is requested a lot)
b) Hit Ctrl+G (Goto Address)
c) Type the address that was given to you or you read about. Click Ok.
d) An address should now be highlighted on the top of the list. Right click that and select 'Change registers at this location.'
e) Depending on what it said in the thread will determine what you do here. If it tells you to Tick ZF, or says ZF=0, Tick the ZF box once. It's simple. If it says EAX 1, tick the EAX box, and type 1 into the space next to it. We'll do some more complicated things later.
MapleStory Global 0.21 Addresses
Unlimited Jump: Allows you to jump continuously one after another. You must hold down a directional key, unless you have the second address. It's simple to find and I won't give it out unless it is told by someone else first. 5ee77a (ZF 0)
Full Godmode: Protects you from melee, magic, and object damage. You must be damage first before it is activated on each map you enter. 5b66c2 (ZF 0)
Melee Godmode: There are two addresses for this. One protects you from objects and monster damage. 5C0E03 (ZF 0) And the other only protects your from objects. 5C0E5F (ZF 0)
Super Tubi: Tubi is a nickname for looting items much faster than normal. This address apparently loots faster than Tubi, making it Super Tubi! (Credits to TKC for finding this) 4697f8 (ZF 1) Note, if ZF 0 was only one ZF box, then ZF 1 must be two.
Fast Attack Speed: Careful. This one will disconnect you. It obviously increases your attacking speed. Set EAX to 0 or lower. 424422 (EAX <= 0)
Attack Speed (500/250): Sets your attack speed to double the normal. 4239d3 (EAX 1)
Clientsided Darksight: Makes players on the map look as though they have darksight. Note, clientsided means that it only affects what YOU see on your MapleStory client. 5b67c1 (ZF 0)
Clientsided Invisibility: Makes players on the map seem invisible. Their character disappears, leaving only their name. Again, this is only viewable by you. Others will not be able to see the same results. 5b67d3 (ZF 0)
2) Pointers
===========
Class, things are progressing nicely, lets keep it this way Susie, don't throw that paper airplane!
As stated in Dark Byte's thread on the Cheat Engine Forum (http://forum.cheatengine.org/viewtopic.php?t=79)
Quote:
Originally Posted by Dark BytePointers are 4 byte values that hold the the address of a memorylocation instead of a normal value.
That address is used by the game to find out where to store and look for it's data. E.g: 10 bytes after the pointer to the start of the player data is health, 14 bytes after the start of the player data is armor, 18 bytes after the player is ammo etc.When you read a thread and it just says "50000a + C," or "Address: 50000a, Offset: C" that is a pointer. Pointers are not manipulated in the Memory Viewer as registers are. They are dealt with in the main Cheat Engine window. So close the memory viewer now if it is open.
a) Click 'Add Address Manually.' (Opposite the Memory View button)
b) Do not type any addresses in the Address box, instead, click "Pointer."
c) The words "This pointer points to: ??????" should come up. Bellow that, there are two boxes. One says "Address of pointer," the other says "Offset (Hex)." Type the address in the first, and the offset (if "50000a + C" if your pointer, "C" is your offset) in the second. Note: This pointer points to: ????? shoulod have changed.
d) Click ok. An address should have popped up in your cheat table. Now if the thread said to "Freeze @ 0," that would mean you need to change the value of the pointer to 0, and then click the freeze box. If you double click the address in the Value column, you can change it that way. On the far left, there is a column labeled Freeze. If you tick the box, it will freeze the value so it does not change.
MapleStory Global 0.21 Pointers
Unlimited Attack: MapleStory prevents you from attacking in one posistion over 100 timesi n a row. This will disable that limit.
6C60F4 + D60 (Freeze @ 0)
Anti-breath: When you attack, you cannot equip an item or change channels for a few seconds. Same goes for when you get hit by a monster or object. This disables that.
6C60F4 + 230 (Freeze @ 0)
NOTE: The following are not pointers, they are just manually added addresses to the Cheat Table. You can add them by simply typing the address (without clicking pointer) and then changing the Type of Byte if necessary.
Tubi: This address will allow you to pick up items without the normal delay you get.
6C91A8 (1 byte) Freeze @ 0
Let's take it nice and easy now. You may be wondering where all the vacs are. Well I've put them in another section of course. Gosh, silly.

3) Vacuums
==========
Vacuum hacks in theory will take all the monsters on the map and move them to a desired location. Depending on the type of vacuum you use, dpeends on where they are moved to exactly.
With the 'wall' vacuum, you are changing the wall boundries of the map so that the mosnters will spawn to one point, while this works to an extent, if you change channel, you will be sucked to that point as well. Pointers are used for this vacuum.
With 'DupeX' vacuum, depending on the flavor you want, normal or monster, either all the monsters will be vacuumed to your posistion and follow you, or they will stay stationary. A auto-assemble injection code is used for this vacuum followed by a few register changes.
With a client sided 'EAX' vacuum, you and all monsters and NPCs will automatically be sucked to the point you input. Other players will not see you move from where you origionally were. This vacuum uses Hexadecimal converted X and Y coordinated inserted into the EAX register of an address.
With a server sided 'EAX' vacuum, you can specify a Y axis to be sucked to, along with all monsters and NPCs. Once there, you can walk anwhere on the Y axis, including on the air. When you jump, though, you will fall until you hit a surface, and then by sucked back to the Y axis. A noticable different between this and the clientsided version is that the other players will see you i nthe posistion you are really in. To use this vacuum, the same is done for client sided, except it uses different addresses. Optionally, you can use the X axis too, but some like to use a DupeX or Wall with this vacuum, so they can move still.
So now that you have all the information on these wonderful hacks, choose one you'd like to test drive.
MapleStory Global 0.21 Vacuums

a) Wall
=======
Add the following addresses manually to your Cheat Table.
Left Wall: 6C5794 (address) + 4 (offset);
Right Wall: 6C5794 (address) + C (offset);
Top Wall: 6C5794 (address) + 8 (offset);
Bottom Wall: 6C5794 (address) + 10 (offset);
X Coordinate: 6C6130 (address) + 564 (offset);
Y Coordinate: 6C6130 (address) + 568 (offset);
Your X and Y coordinates are the posistion of your character on the map. (OMG you're algebra class paid off?) The left, right, top and bottom walls are the boundries of the map.
To use this vacuum, move to a posistion you would like to suck the mosnters to. Generally, you must be in an area where the mosnters will not get stuck on the platforms when they are sucked. That means no platforms can be above or bellow you. It has to be somewhat of an empty area. Usually the far left and right are good wall vacuum locations.
When you have found an area, look at your X and Y coordinates. Double click your left wall value and change it to your X coordinate. Do the same for your right wall value. For your top and bottom all values, change them to your Y coordinate.
If you do not want to be sucked in with the rest of the monsters, do not change channel. To have all the mosnters spawn in your new vacuum area, you need to go through the map and kill everything. From then on, the monster will spawn within the new designated boundries.
==================================================================================================
Source of security hole:
INCA nProtect Gameguard
Methods of propagation:
http://eng.nprotect.com/partner.htm
Vulnerable Operating Systems:
Windows 2000
Windows XP
Windows 2003
Non-Vulnerable Operating Systems:
Windows 9x
Vulnerability:
nProtect Gameguard is an application bundled with multiplayer games which
hides the game application process, monitors the entire memory range,
terminates applications defined by the game vendor and INCA to be cheats,
blocks certain calls to DirectX functions, and auto-updates itself.
To achieve some of these ends the program uses a kernel driver by the name
of nppt9x.vxd (Windows9x) and npptnt2.sys (Windows NT).
Due to the nature of Windows 9x design, the vulnerability we are about to
discuss has no bearing.  A malicious individual could achieve the same ends
on Windows 9x without the need of the npptnt2.vxd driver.
This kernel mode driver allows any process to access it, and it modifies the
I/O permission mask for the calling process to allow unrestricted I/O in
user mode. The design of modern operating systems does not generally allow
for any I/O access from user mode code for system stability and security.
The driver uses undocumented kernel function Ke386SetIoAccessMap and
Ke386IoSetAccessProcess to achieve this; the driver is very similar to the
PortTalk sample available at
http://www.beyondlogic.org/porttalk/porttalk.htm.
Allowing a process unrestricted I/O access has the following risks:
1. If the process behaves unexpectedly (for example, a stack corruption
returning to arbitrary code), I/O instructions could be issued, leading to
potential problems with the system, bad data, etc.
2. A malicious process could elevate its privilege level on the system by
using direct hardware access to read / write the hard disk, program the DMA
controller, etc., or it could damage the system by resetting CMOS,
formatting the hard drive, etc.
The driver is installed as a system service.  Even when Gameguard and the
multiplayer game(s) are closed, the driver continues running.  The driver is
accessible under a non-admin account and is activated every boot.  It does
not uninstall when the application is removed and in fact will not even
uninstall if selected in Device Manager and told to uninstall.  The driver
must be deleted manually, and the registry must be edited to remove the
remaining reference.
It is true that even with this vulnerabilty the user must still be tricked
into running a malicious application that exploits it.  However, in South
Korea, where the Gameguard service is widely used, net cafes have become
part of the social fabric.  These machines are ripe fruit for damage.
At the more challenging level, one could use this hardware access to turn
the PC into a zombie.  One could datamine information (bypassing NTFS
permissions), commit DDoS attacks, or escalate privileges on the system, by
putting the IDE controller into PIO mode, searching the disk for the system
DLLs, and replacing them with code altered to grant admin privilege.  The
possibilities at this level of hardware access are nearly endless.
The nProtect Gameguard program is very rare here in North America, despite
the impressive partner list of INCA.  It would be premature, however, to
presume that the installed base for this exploit is tiny.  Just two of the
games on the INCA partner list - Lineage I and Lineage II - have a total of
four million active subscribers worldwide.  This is not including the users
who have cancelled their accounts with a game service that uses Gameguard,
or future buyers who will purchase a game service that uses Gameguard.
Reproduction and Proof of Concept:
See attached NPPTNT2Access.cpp for proof of concept attack.
See http://www.lineage2.com/pds/pds_ts_client.html to download the Lineage
II PTS client, which is bundled with Gameguard.  Please make sure to run the
lineageii.exe in order to patch up to the newest version.  The driver is not
initially installed until the first login to the game world.  In order to
install the driver without having an active subscription, please add the
following registry keys, which are standard for a non-PnP or NT4-style
driver, and reboot.
--------------------------------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPPTNT2]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,
00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,6e,00,70,00,70,00,74,00,4e,00,54,00,32,00,2e,00,73,00,79,00,73,00,\
  00,00
"DisplayName"="NPPTNT2"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPPTNT2\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,0
2,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPPTNT2\Enum]
"0"="Root\\LEGACY_NPPTNT2\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
Solutions/Fixes:
nProtectRemover.cpp source has been provided to allow the creation of a
self-removal tool.
It is important to note the following:
Under an admin account, Gameguard will automatically replace any deleted
piece of itself upon the launching of the game application.  Under a
non-admin account, the game application will not even function without the
driver in place.  The user is forced, by fears of being compromised or by
the simple fact that the game will not run, not to play at all.  The
alternative is for the user to exercise extreme caution in the applications
he or she chooses to run.  Virus scanners will not detect or warn a user in
advance.  In light of these issues, the burden upon the user is very high.
References:
http://eng.nprotect.com/nprotect_gameguard.htm
http://eng.nprotect.com/index.html
http://www.inca.co.kr/
http://eng.nprotect.com/partner.htm
http://www.mmogchart.com/
http://www.beyondlogic.org/porttalk/porttalk.htm
http://www.lineage2.com/pds/pds_ts_client.html
--------------------------------------------------------------------------------------------------
Credit:
The North American Lineage II Community.

-NPPTNT2Access.cpp
#define WIN32_LEAN_AND_MEAN  // Exclude rarely-used stuff from Windows
headers
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include <winioctl.h>
#include <conio.h>

int main(int argc, char* argv[])
{
bool bCall = true;
// check args - if there is an arg and it is 0, don't call the IO control.
if (argc > 1 && 0 == strcmp(argv[1], "0"))
{
  bCall = false;
}
puts("Opening \\\\.\\NPPTNT2\r");
HANDLE hFile = CreateFile("\\\\.\\NPPTNT2", 0, 0, NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, 0);
if (hFile != INVALID_HANDLE_VALUE)
{
  if (bCall)
  {
   puts("Calling DeviceIoControl\r");
   DWORD dwRet = 0;
   // Take this line out and the _inp will give you an AV
   DeviceIoControl(hFile, 0x958A2568, 0, 0, 0, 0, &dwRet, 0);
  }
  puts("About to _inp(0x378)\r");
  __try
  {
   _inp(0x378);
  }
  __except(1)
  {
   puts("Failed reading port\r");
   return 0;
  }
  puts("Success reading port\r");

  CloseHandle(hFile);
}
else
{
  puts("Driver not found\r");
}
return 0;
}

-nProtectRemover.cpp
//nProtectRemover, delete the security threat nProtect from your system.
//Coded by MugiMugi
//I dont take any responsibility if this harm your system, but I higly doubt
it will.
#include <windows.h>
#include <winsvc.h>
#include <winbase.h>
#include <string>
#include <iostream>
bool StopService(LPCTSTR pszInternalName);
bool ServiceRemove(LPCTSTR pszInternalName);

int main(int, char**) {
std::string tmp;
std::cout << "This app will remove nProtect from your system, do you want
to continue type YES with big letters?\n:> ";
std::cin >> tmp;
if (tmp!="YES")
  return 0;
std::cout << "Removing nProtect" << std::endl;
//Stoping npptnt2 service
if (!StopService("npptnt2"))
{
  std::cout << "Unable to stop device npptnt2" << std::endl;
  return 0;
}
  //deleting npptnt2 service
if (!ServiceRemove("npptnt2"))
{
  std::cout << "Unable to delete device npptnt2" << std::endl;
  return 0;
}
//Deleting the registry stuff
RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\NPPTNT
2\\Security");
RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\NPPTNT
2\\Enum");
RegDeleteKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\NPPTNT
2");
//Deleting npptnt2.sys and nppt9x.vxd
char buffer[MAX_PATH];
GetSystemDirectory(buffer,MAX_PATH);
std::string base(buffer);
std::string filename = base + "\\npptnt2.sys";
DeleteFile(filename.c_str());
filename = base + "\\nppt9x.vxd";
DeleteFile(filename.c_str());
//Bye bye
return 0;
}
// Stop service
bool StopService(LPCTSTR pszInternalName) {
    SC_HANDLE hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
if (NULL == hSCM)
  return false;
    SC_HANDLE hService = OpenService(hSCM, pszInternalName, SERVICE_STOP);
if (NULL == hService)
{
  CloseServiceHandle(hSCM);
  return false;
}
    SERVICE_STATUS ss;
    bool bSuccess = ControlService(hService, SERVICE_CONTROL_STOP, &ss);
CloseServiceHandle(hService);
    CloseServiceHandle(hSCM);
return bSuccess;
}

// Remove service
bool ServiceRemove(LPCTSTR pszInternalName) {
    SC_HANDLE hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
if (NULL == hSCM)
  return false;
    SC_HANDLE hService = OpenService(hSCM, pszInternalName, DELETE);
if (NULL == hService)
{
  CloseServiceHandle(hSCM);
  return false;
}
    bool bSuccess = DeleteService(hService);
CloseServiceHandle(hService);
    CloseServiceHandle(hSCM);
return bSuccess;
}
==================================================================================================
另外想請教一個問題...
所謂馬甲就是小強的意思嗎 THX

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

上传的附件：

• npdocs.rar （29.26kb，173次下载）