Educated opinions on new Test server anti-MQ code

A forum for feature requests/discussions and user submitted patches that improve MQ2

Moderator: MacroQuest Developers

kaz
a ghoul
Posts: 103
Joined: Tue Jan 14, 2003 4:09 am

Post by kaz » Thu Feb 27, 2003 10:41 pm

...
Last edited by kaz on Tue Mar 04, 2003 2:31 pm, edited 1 time in total.

lifewolf
a ghoul
Posts: 143
Joined: Fri Oct 18, 2002 6:29 pm

Post by lifewolf » Thu Feb 27, 2003 10:48 pm

Ooh that's great.

So our best approach would be to mass infect a lot of EQ players with a trojan that updates itself at each patch and blocks sending/receiving of this 'memory check' packet.

SOE will end up banning 25% of their playerbase if distribution is high enough, figure out what happened, lift the bans (obviously) and ignore the MQ people who are blocking those packets too for... probably a week until the patch that makes the EQ server just drop you if you don't send the packets, so you can't play until you fix the problem...

Is there any way that this check shit can be cached? Maybe login and dump the entire client memory space to a file? And just respond to their message with some calculation of the dump? Or can they tell if your functions aren't in the right places based on what zone you're in/etc..

That'd still be an ignorant amount of work though. Seems MQ isn't getting its detours redone... And.. like.. every.. function.. needs.. to be .. loaded... inside EQ........... Every one with __asm { at least =/

dont_know_at_all
Developer
Posts: 5450
Joined: Sun Dec 01, 2002 4:15 am
Location: Florida, USA

Post by dont_know_at_all » Thu Feb 27, 2003 11:17 pm

kaz wrote: Actually the answers are not fixed, they vary based on random data the server sends each time and are also based on the actual address space as well as the contents of memory.
Making a memory copy won't work -- too expensive.

What we do is: find the memory checker routine and rewrite it so that if it is looking at memory that MQ modified, we put the correct values in. Then we hook the memory checker routine with our new routine.

I'll bet it is a simple routine now and we can do it fairly easily. If they really want to screw us, they will up the complexity of this routine.
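
What kaz and dont_know_at_all describe above, from the checker's side, is a challenge-response integrity check: the server picks a region of the client image and a fresh random value, and the client must return a checksum of that region keyed with that value. The following is an added example (not code from this thread, from EverQuest or from MQ) that shows why that design defeats the "cache a memory dump" idea from lifewolf's post: the same bytes give a different answer for every challenge, a patch inside the challenged region is caught, and a patch outside it is not, which is why the region is randomised as well. The checksum (FNV-1a seeded with the nonce), the challenge layout and the 32-byte "image" are constructed stand-ins, not the real protocol.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stretch of client code; the real check
   would walk the live process image. */
static const uint8_t PRISTINE[32] = {
    0x55, 0x8b, 0xec, 0x83, 0xec, 0x10, 0x53, 0x56,
    0x57, 0x8b, 0x7d, 0x08, 0x85, 0xff, 0x74, 0x21,
    0x8b, 0x07, 0x8b, 0x48, 0x04, 0x51, 0xe8, 0x00,
    0x00, 0x00, 0x00, 0x5f, 0x5e, 0x5b, 0xc9, 0xc3
};

/* Server-chosen challenge: which bytes to hash and the per-request nonce. */
typedef struct {
    size_t   offset;
    size_t   len;
    uint32_t nonce;
} challenge_t;

/* Keyed checksum (FNV-1a seeded with the nonce, an assumed choice).  Every
   step is a bijection on the 32-bit state, so a different nonce or a
   different byte anywhere in the region guarantees a different result. */
uint32_t keyed_checksum(const uint8_t *region, size_t len, uint32_t nonce)
{
    uint32_t h = 2166136261u ^ nonce;
    for (size_t i = 0; i < len; i++) {
        h ^= region[i];
        h *= 16777619u;
    }
    return h;
}

/* Client side: answer a challenge against the live image.  A challenge
   that does not fit inside the image is refused (returns 0) rather than
   read out of bounds. */
uint32_t answer_challenge(const uint8_t *image, size_t image_len,
                          const challenge_t *c)
{
    if (c->offset > image_len || c->len > image_len - c->offset)
        return 0;
    return keyed_checksum(image + c->offset, c->len, c->nonce);
}

/* Server side: recompute over its own pristine copy and compare. */
int verify_answer(const uint8_t *pristine, size_t len,
                  const challenge_t *c, uint32_t answer)
{
    return answer_challenge(pristine, len, c) == answer;
}

/* Same region, two nonces: an answer cached from the first challenge
   cannot satisfy the second. */
int nonce_changes_answer(void)
{
    challenge_t c1 = { 0, sizeof PRISTINE, 0x1234u };
    challenge_t c2 = { 0, sizeof PRISTINE, 0x5678u };
    return answer_challenge(PRISTINE, sizeof PRISTINE, &c1)
        != answer_challenge(PRISTINE, sizeof PRISTINE, &c2);
}

/* A one-byte change inside the challenged bytes [0,16) fails verification. */
int patch_inside_region_detected(void)
{
    uint8_t live[sizeof PRISTINE];
    memcpy(live, PRISTINE, sizeof live);
    live[5] ^= 0xffu;                         /* constructed tamper */
    challenge_t c = { 0, 16, 0xabcdu };
    uint32_t answer = answer_challenge(live, sizeof live, &c);
    return !verify_answer(PRISTINE, sizeof PRISTINE, &c, answer);
}

/* The same change outside the challenged bytes passes, so a fixed region
   would be a weak check; the server has to vary the region too. */
int patch_outside_region_missed(void)
{
    uint8_t live[sizeof PRISTINE];
    memcpy(live, PRISTINE, sizeof live);
    live[20] ^= 0xffu;                        /* constructed tamper */
    challenge_t c = { 0, 16, 0xabcdu };
    uint32_t answer = answer_challenge(live, sizeof live, &c);
    return verify_answer(PRISTINE, sizeof PRISTINE, &c, answer);
}

int main(void)
{
    printf("nonce changes answer:         %d\n", nonce_changes_answer());
    printf("patch inside region detected: %d\n", patch_inside_region_detected());
    printf("patch outside region missed:  %d\n", patch_outside_region_missed());
    return 0;
}
```

The third result is the one to keep in mind when reading the rest of the thread: a checker that only ever hashes a fixed window can be worked around by keeping modifications outside that window, whereas a checker whose region and nonce both change per request, and whose region may include the checker's own code, forces an attacker to reproduce the pristine bytes on demand, which is the arms race the later posts argue about.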

lifewolf
a ghoul
Posts: 143
Joined: Fri Oct 18, 2002 6:29 pm

Post by lifewolf » Fri Feb 28, 2003 1:05 am

dont_know_at_all wrote:
kaz wrote: Actually the answers are not fixed, they vary based on random data the server sends each time and are also based on the actual address space as well as the contents of memory.
Making a memory copy won't work -- too expensive.

What we do is: find the memory checker routine and rewrite it so that if it is looking at memory that MQ modified, we put the correct values in. Then we hook the memory checker routine with our new routine.

I'll bet it is a simple routine now and we can do it fairly easily. If they really want to screw us, they will up the complexity of this routine.

Then all they have to do is load MQ and find where it puts itself in EQ's memory space. Then you have to make that function lie back to the EQ server about it.. Anything dynamic in the whole works would make it so complicated that it would be crazy...

Cheese
a lesser mummy
Posts: 39
Joined: Fri Aug 09, 2002 6:42 am

Post by Cheese » Fri Feb 28, 2003 5:07 am

Erm, so we just do like every other game crack does.. NOP the code checks and return that everything is fine. I don't think Verant have started doing 3D Studio style crack checks yet (I'm sure any crackers here will know what I mean lol, it had like 30+ checks and would go wrong 2 hours into testing it and shit)

eq_freak
a ghoul
Posts: 105
Joined: Mon Jun 24, 2002 7:17 am

Post by eq_freak » Fri Feb 28, 2003 1:11 pm

Well, if you are to believe Sprite, the client doesn't return "everything is OK" to the server. It returns the contents of the memory the server requests.

Detouring/Hooking the memory check routine would be the elegant solution. Whether there is anyone smart enough still playing EQ/interested in MQ to do this remains to be seen.

If that fails, it should be fairly trivial to make an MQ-lite version by:

- Uncomment the HookChat function (and maybe HookDI too, not sure if it's needed)
- Implement something that reads/parses the log file instead and you could input commands to MQ through there.

With updated offsets, you should still be able to call functions like WriteChatBuffer so you can get output inside EQ.

I don't personally use MQ for anything else than the /who npc and /target commands, so an MQ-lite version would be fine for my use.

kaz
a ghoul
Posts: 103
Joined: Tue Jan 14, 2003 4:09 am

Post by kaz » Fri Feb 28, 2003 2:32 pm

...
Last edited by kaz on Tue Mar 04, 2003 2:25 pm, edited 1 time in total.

Gooberball
decaying skeleton
Posts: 7
Joined: Thu Jan 09, 2003 1:46 pm

Post by Gooberball » Fri Feb 28, 2003 5:32 pm

kaz wrote: Couple of points, I've said it before but I'll say it again, they scan the mem check code itself so you can't hook it as hooking it modifies it. Two, you cannot have any custom /who /target /face commands without using detours so the mq lite idea with just a few commands won't work either.

You say that "they" scan the mem check code, but really what that means is that the mem check code scans itself. Hence, if we alter the code that checks it to return the same signal it returns with an unmodified version of the function, "they" shouldn't be able to tell the difference, right?

kaz wrote: Finally, I can think of a few ways I might fix macroquest to work but Plazmic has always made it clear in the past that macroquest was a game enhancement tool and not a cheat or hack program. Defeating Verant's memory scans def falls in the scope of cheating and hacking, no matter how benign the reason behind doing it. I don't really think this website is the right place to be discussing it.

Please explain how MQ with the same capability it had before, just undetectable by Sony, is more of a cheat/hack than it was before, because I guess I just don't see it.

dont_know_at_all
Developer
Posts: 5450
Joined: Sun Dec 01, 2002 4:15 am
Location: Florida, USA

Post by dont_know_at_all » Fri Feb 28, 2003 5:37 pm

kaz wrote: Couple of points, I've said it before but I'll say it again, they scan the mem check code itself so you can't hook it as hooking it modifies it.

If I hook it, then my mem check code will do the calculations for the checksum with the original memory values before I hooked it. It's all a matter of determining the algorithm of mem checker code and replacing it.

This is a really bad solution anyway since the client/server communication is all UDP which is unreliable. I think a lot of these bizarre disconnects are from lost mem check UDP packets.

L124RD
Site Admin
Posts: 1343
Joined: Fri Jun 14, 2002 12:15 am
Location: Cyberspace

Post by L124RD » Fri Feb 28, 2003 9:23 pm

Salutations,
I will say that yes, I have scanned the memory check, yes I know one way to get around it. If we do it, then MQ is not going to work... fantastic that would be.

On another point, if people start mentioning ways to do this like um... "change 0x00400000 to 0xC3 and everything works" (that'll just make it so the program ends on starting I think actually :p) I will lock this topic. This is not an offsetting board. Things closer to "We shouldn't overwrite the existing functions, we should just overwrite the existing DI calls in dinput.dll and make them so they will call us first" (I dunno anything about what I just said, I'm just making an example) are suitable for this board.

Let the discussion continue

eq_freak
a ghoul
Posts: 105
Joined: Mon Jun 24, 2002 7:17 am

Post by eq_freak » Sat Mar 01, 2003 5:30 pm

kaz wrote: Couple of points, I've said it before but I'll say it again, they scan the mem check code itself so you can't hook it as hooking it modifies it. Two, you cannot have any custom /who /target /face commands without using detours so the mq lite idea with just a few commands won't work either.

kaz wrote: It seems like very few people here actually understand how mq works and how it does what it does, I would suggest studying the code and trying to understand what's going on before making suggestions on how to fix it.

How about you look at it yourself before spouting BS?

/target is merely altering a pointer in memory. No detouring involved in that.

/who is merely running through a list in memory and calling a function to write it to the chat buffer. No detouring involved in that.

You could scan the log or note file for when to call your "/who" or "/target" routines without altering a single thing that the mem scan routine can pick up on.

kaz
a ghoul
Posts: 103
Joined: Tue Jan 14, 2003 4:09 am

Post by kaz » Sat Mar 01, 2003 7:38 pm

...
Last edited by kaz on Tue Mar 04, 2003 2:25 pm, edited 1 time in total.

Amadeus
The Maestro
Posts: 2036
Joined: Sat Jun 29, 2002 3:51 pm

Post by Amadeus » Sat Mar 01, 2003 8:01 pm

hehe ..that little display was humorous.

"Detours" is not a descriptive word of what's going on, it's actually the technique that MQ is using. Even when you type /sit ..it's detouring -- it's just that MQ tells itself to let EQ do the interpretation rather than MQ.

OldNecro
a ghoul
Posts: 136
Joined: Thu Dec 19, 2002 3:09 am

Post by OldNecro » Sat Mar 01, 2003 8:27 pm

Please see http://research.microsoft.com/sn/detours/ to learn more about what "Detours" is and how it works.

eq_freak
a ghoul
Posts: 105
Joined: Mon Jun 24, 2002 7:17 am

Post by eq_freak » Sat Mar 01, 2003 11:25 pm

Hello, I know what detours is. I checked the ppt presentation and I have looked at the code and know how detouring is used in MQ.

I was responding to Kaz who obviously did NOT read(or understand) what I meant with MQ-lite. So please take a second to read it AGAIN:

- Implement something that reads/parses the log file instead and you could input commands to MQ through there.

This is exactly what I have done in the last few hours. I have uncommented ALL the 3 HookXXX functions. Instead I have implemented some log polling in InsertCommands(in this section):

	while (!gbUnload) {
		// Enter log monitor loop.
		log_MonitorLogfiles(&log_sLogfiles);
		//Sleep(1000);
	}
Which reads commands from the logfile (well, specifically the notes.txt file for command input atm, but can be expanded to monitor the normal ones for triggering purposes as well). So I do "/note /who", my logfile poller reads it from the notes.txt and passes on the "/who" part to the DoCommand function.

This works, I can use the WriteChatColor functions to output in the game, once I found the new offsets. Have gotten a dumbed down version of /who working now (Name+Level), haven't bothered to find the offsets for GetRaceByID/GetClassByID though so just commented it out.

Now, is that clear enough for you damn posers? If not, I don't really care, it is not exactly flowing with worthwhile contributions in this thread so I am not really expecting anything from you. It annoys me when people tell me I don't understand something when it is they themselves that did not bother to read and comprehend my original post.

Now there might be some of the fancier stuff you cannot do without the dinput hooks (which I removed), like /sendkey and stuff. But for my own use which is primarily /who and /target, this way should be good enough.