
Re: [HEX STRINGS] < Disable GameGuard > < Valkyrie >

Posted: 10 Mar 2011, 13:36
by heero
Updated 10/28/2011
Unpacked ragexe.exe
You can rename this to valexe.exe so you can use it for Valkyrie.
This is for people who don't know how to unpack valexe.exe.

Figured I should post this, since people have been having problems with multiple-window hexing.
Belladonna: credit for the original posts.

For the first string, search for USER32.FindWindowA until you find the block that looks something like this:

Code:

* Reference To: user32.FindWindowA, Ord:0000h
:00706E18 FF15B0F37400            Call dword ptr [0074F3B0]
:00706E1E 85C0                    test eax, eax
:00706E20 7407                    je 00706E29    <----------------- This is what we need to look for
:00706E22 C60530F0850001          mov byte ptr [0085F030], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00706E29 53                      push ebx
:00706E2A 33FF                    xor edi, edi
:00706E2C 6A77                    push 00000077
Search:  85 C0 74 07 C6 05 30 F0 85 00 01 53 33 FF 6A 77
Replace: 85 C0 EB 07 C6 05 30 F0 85 00 01 53 33 FF 6A 77

For the second string, search for KERNEL32.CreateMutexA.
The values needed are actually under KERNEL32.WaitForSingleObject, as seen below:

Code:

* Reference To: kernel32.CreateMutexA, Ord:0000h
:007080E5 FF1534F17400            Call dword ptr [0074F134]
:007080EB 50                      push eax

* Reference To: kernel32.WaitForSingleObject, Ord:0000h
:007080EC FF1528F27400            Call dword ptr [0074F228]
:007080F2 85C0                    test eax, eax
:007080F4 0F85CC010000            jne 007082C6    <----------------- This is what we need to look for
:007080FA 0FBE0542217B00          movsx eax, byte ptr [007B2142]
Search:  85 C0 0F 85 CC 01 00 00 0F BE 05 42 21 7B 00
Replace: 85 C0 90 90 90 90 90 90 0F BE 05 42 21 7B 00

The reason for using 90 90 90 90 90 90 is that the old code had je <address>; this new code has jne <address>, which means it only needs to jump if it's not equal, so we can just use NOP (90) to ignore the condition and let the code run.

For the third string, search for mss32._AIL_open_3D_provider@4 until you find the block that looks something like this:

Code:

* Reference To: mss32._AIL_open_3D_provider@4, Ord:0000h
:0041C80A FF1504F67400            Call dword ptr [0074F604]
:0041C810 85C0                    test eax, eax
:0041C812 7409                    je 0041C81D    <----------------- This is what we need to look for
:0041C814 5F                      pop edi
:0041C815 5E                      pop esi
:0041C816 32C0                    xor al, al
:0041C818 5B                      pop ebx
:0041C819 8BE5                    mov esp, ebp
:0041C81B 5D                      pop ebp
:0041C81C C3                      ret
Search:  85 C0 74 09 5F 5E 32 C0 5B 8B E5 5D C3
Replace: 85 C0 EB 09 5F 5E 32 C0 5B 8B E5 5D C3

That should enable you to run multiple Ragnarok clients now.

To disable GameGuard, do this:
Search for KERNEL32.CreateMutexA, then scroll down until you see code similar to the block below. I have pointed out the code we need to look for.

Code:

* Reference To: kernel32.CreateMutexA, Ord:0000h
:007080E5 FF1534F17400            Call dword ptr [0074F134]
:007080EB 50                      push eax

* Reference To: kernel32.WaitForSingleObject, Ord:0000h
:007080EC FF1528F27400            Call dword ptr [0074F228]
:007080F2 85C0                    test eax, eax
:007080F4 0F85CC010000            jne 007082C6
:007080FA 0FBE0542217B00          movsx eax, byte ptr [007B2142]
:00708101 0FBE0D41217B00          movsx ecx, byte ptr [007B2141]
:00708108 0FBE1540217B00          movsx edx, byte ptr [007B2140]
:0070810F 03C1                    add eax, ecx
:00708111 0FBE0D3F217B00          movsx ecx, byte ptr [007B213F]
:00708118 03C2                    add eax, edx
:0070811A 0FBE153E217B00          movsx edx, byte ptr [007B213E]
:00708121 03C1                    add eax, ecx
:00708123 0FBE0D3D217B00          movsx ecx, byte ptr [007B213D]
:0070812A 03C2                    add eax, edx
:0070812C 0FBE153C217B00          movsx edx, byte ptr [007B213C]
:00708133 03C1                    add eax, ecx
:00708135 03C2                    add eax, edx
:00708137 3DC9020000              cmp eax, 000002C9
:0070813C 0F8584010000            jne 007082C6
:00708142 B978AB8500              mov ecx, 0085AB78
:00708147 E824B9FBFF              call 006C3A70
:0070814C E8DF47E4FF              call 0054C930    <----------------- This is what we need to look for
:00708151 85C0                    test eax, eax
:00708153 0F846D010000            je 007082C6
Search:  E8 DF 47 E4 FF
Replace: 90 90 90 90 90

That should disable GameGuard for Valkyrie/New Chaos.
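The post above is a list of search/replace pairs applied by hand in a hex editor. The script below is an added example (my code, not heero's, Belladonna's, or any tool the thread mentions) that applies the same four pairs programmatically and adds the two checks a practitioner wants before touching a binary: the replacement must be exactly as long as the search string (otherwise every following instruction shifts), and the search string must occur exactly once (an 85 C0 74 xx test/je prologue occurs all over a binary, so an ambiguous match patches the wrong block). It also decodes the relative branches in the listings to show why 74 xx -> EB xx keeps the jump target, why the 6-byte jne needs exactly six NOPs, and that E8 DF 47 E4 FF at 0070814C really is a call to 0054C930. The byte strings are the ones posted; the "client" it patches is a constructed blob, not a real executable, and the patch names are my own labels. The same routine applies unchanged to the shorter Belladonna pairs quoted further down the thread.

```python
"""
Length-preserving search/replace patcher for the hex edits in the thread,
plus a relative-branch decoder.  Added example: the byte sequences are the
posted ones, the sample "client" is a constructed blob (not a real binary),
and the patch names are labels invented for this example.
"""
from typing import Dict, List, Tuple


class Patch:
    def __init__(self, name: str, search: str, replace: str) -> None:
        self.name = name
        self.search = bytes.fromhex(search)    # fromhex ignores the spaces
        self.replace = bytes.fromhex(replace)


# The four search/replace pairs exactly as posted for the Valkyrie client.
PATCHES: List[Patch] = [
    Patch("multi-client: FindWindowA je -> jmp",
          "85 C0 74 07 C6 05 30 F0 85 00 01 53 33 FF 6A 77",
          "85 C0 EB 07 C6 05 30 F0 85 00 01 53 33 FF 6A 77"),
    Patch("multi-client: WaitForSingleObject jne -> NOPs",
          "85 C0 0F 85 CC 01 00 00 0F BE 05 42 21 7B 00",
          "85 C0 90 90 90 90 90 90 0F BE 05 42 21 7B 00"),
    Patch("multi-client: AIL_open_3D_provider je -> jmp",
          "85 C0 74 09 5F 5E 32 C0 5B 8B E5 5D C3",
          "85 C0 EB 09 5F 5E 32 C0 5B 8B E5 5D C3"),
    Patch("GameGuard: call 0054C930 -> NOPs",
          "E8 DF 47 E4 FF",
          "90 90 90 90 90"),
]


def count_matches(data: bytes, needle: bytes) -> int:
    """Number of non-overlapping occurrences of needle in data."""
    return data.count(needle)


def apply_patches(data: bytes, patches: List[Patch]) -> Tuple[bytes, Dict[str, int]]:
    """Apply each patch in place and return (patched bytes, {name: file offset}).
    Refuses to run if a patch would change the length (that shifts every
    following instruction) or if its search string is not found exactly once."""
    buf = bytearray(data)
    offsets: Dict[str, int] = {}
    for p in patches:
        if len(p.search) != len(p.replace):
            raise ValueError(f"{p.name}: replace is {len(p.replace)} bytes, "
                             f"search is {len(p.search)}")
        hits = count_matches(bytes(buf), p.search)
        if hits != 1:
            raise LookupError(f"{p.name}: expected exactly 1 match, found {hits}")
        off = bytes(buf).find(p.search)
        buf[off:off + len(p.replace)] = p.replace
        offsets[p.name] = off
    return bytes(buf), offsets


def branch_target(va: int, insn: bytes) -> int:
    """Absolute target of a relative branch/call whose first byte is at virtual
    address `va`.  Covers the encodings the post patches: rel8 Jcc/jmp (2 bytes),
    rel32 call/jmp (5 bytes) and rel32 Jcc (6 bytes).  Displacement is relative
    to the end of the instruction."""
    op = insn[0]
    if op in (0x74, 0x75, 0xEB):                  # je / jne / jmp rel8
        length, disp = 2, int.from_bytes(insn[1:2], "little", signed=True)
    elif op in (0xE8, 0xE9):                      # call / jmp rel32
        length, disp = 5, int.from_bytes(insn[1:5], "little", signed=True)
    elif op == 0x0F and insn[1] in (0x84, 0x85):  # je / jne rel32
        length, disp = 6, int.from_bytes(insn[2:6], "little", signed=True)
    else:
        raise ValueError(f"unsupported opcode {insn[:2].hex()}")
    return (va + length + disp) & 0xFFFFFFFF


# Constructed stand-in for the unpacked client: int3 filler around the four
# posted sequences.  Offsets come out as 16, 40, 63 and 88.
SAMPLE_CLIENT = (b"\xCC" * 16 + PATCHES[0].search + b"\xCC" * 8 + PATCHES[1].search
                 + b"\xCC" * 8 + PATCHES[2].search + b"\xCC" * 12 + PATCHES[3].search
                 + b"\xCC" * 16)


def patched_sample() -> Tuple[bytes, Dict[str, int]]:
    return apply_patches(SAMPLE_CLIENT, PATCHES)


if __name__ == "__main__":
    out, offs = patched_sample()
    for name, off in offs.items():
        print(f"{name:48s} @ file offset 0x{off:X}")
    # 74 07 and EB 07 at 00706E20 both land on 00706E29: the edit keeps the
    # displacement and only removes the condition.
    print(hex(branch_target(0x00706E20, bytes.fromhex("7407"))),
          hex(branch_target(0x00706E20, bytes.fromhex("EB07"))))
    # The 6-byte jne at 007080F4 goes to 007082C6; six NOPs make it fall through.
    print(hex(branch_target(0x007080F4, bytes.fromhex("0F85CC010000"))))
    # The call at 0070814C really is call 0054C930; five NOPs remove exactly it.
    print(hex(branch_target(0x0070814C, bytes.fromhex("E8DF47E4FF"))))
```

Two things the decoder makes visible: a rel8 je and a rel8 jmp share the displacement byte, so swapping the opcode byte (74 -> EB) cannot change where the jump goes, and NOP counts are simply the instruction lengths (0F 85 rel32 is six bytes, E8 rel32 is five). Run it against a real file with `data = open(path, "rb").read()` and write the result to a new file rather than overwriting the original; the uniqueness check is what protects you when a client update moves code and the old search string starts matching somewhere else.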

Re: [HEX STRINGS] < Disable GameGuard > < Valkyrie >

Posted: 10 Mar 2011, 16:53
by kompli

Re: [HEX STRINGS] < Disable GameGuard > < Valkyrie >

Posted: 10 Mar 2011, 18:31
by bgksbot
I followed every single step in unpacking val.exe using my original one and it works FINE, and I have been using it for quite some time. But guess what: when I installed AVG 2011 and ran a FULL system scan, it deleted my HEXED val.exe.

It detects it as a Win32 Heur virus.

Any comments?

Re: [HEX STRINGS] < Disable GameGuard > < Valkyrie >

Posted: 13 Mar 2011, 08:59
by rapitiks
Belladonna wrote: Remove Gameguard:

Search: E8 E4 19 E3 FF
Replace: 90 90 90 90 90

Open Multiple RO Windows

Search: 85 C0 74 07 C6 05 A8 9A 86 00 01
Replace: 85 C0 EB 07 C6 05 A8 9A 86 00 01

Search: 85 C0 74 0E 5F 5E B8 01 00 00 00
Replace: 85 C0 EB 0E 5F 5E B8 01 00 00 00

Search: 85 C0 74 09 5F 5E 32 C0 5B 8B E5
Replace: 85 C0 EB 09 5F 5E 32 C0 5B 8B E5
I don't know which hex code affects the shortcut key toggling Alt+1~0.
For example, I pressed Alt+1 but it activated the shortcut for Alt+2. xD

Can someone fix this?

Re: [HEX STRINGS] < Disable GameGuard > < Valkyrie >

Posted: 15 Mar 2011, 10:15
by ujin11
bgksbot wrote: I followed every single step in unpacking val.exe using my original one and it works FINE, and I have been using it for quite some time. But guess what: when I installed AVG 2011 and ran a FULL system scan, it deleted my HEXED val.exe.

It detects it as a Win32 Heur virus.

Any comments?

I also experience this same problem; dunno what's wrong with AVG... It also deleted my backup files for dual login and disabling GG.

Even the unpacked exe is being detected as a virus. Need help on this.

Re: [HEX STRINGS] < Disable GameGuard > < Valkyrie >

Posted: 16 Mar 2011, 03:36
by benj1320
It's another false-positive alarm from another updated antivirus software...

Solutions are: 1. Disable your antivirus (which you don't want to do, because this will make you vulnerable to virus attacks).

2. Hex the UPDATED CLIENT (ragexe / valexe).

Re: [HEX STRINGS] < Disable GameGuard > < Valkyrie >

Posted: 16 Mar 2011, 04:47
by bgksbot
benj1320 wrote: It's another false-positive alarm from another updated antivirus software...

Solutions are: 1. Disable your antivirus (which you don't want to do, because this will make you vulnerable to virus attacks).

2. Hex the UPDATED CLIENT (ragexe / valexe).

Oh... thanks for clarifying, Sir benj1320.

But what do you mean by "hex the updated client"? Because AVG is deleting my HEXED val.exe, not the original val.exe.

Thanks again.

Re: [HEX STRINGS] < Disable GameGuard > < Valkyrie >

Posted: 16 Mar 2011, 06:32
by benj1320
Unpack and hex the updated client itself, such as ragexe or valexe (for Valkyrie)... no renaming clients.

Re: [HEX STRINGS] < Disable GameGuard > < Valkyrie >

Posted: 16 Mar 2011, 07:01
by EyeOfMySharingan
Dual client is now gone in pRO. What's the new hex for disabling the GameGuard? Thanks for the reply.

Re: [HEX STRINGS] < Disable GameGuard > < Valkyrie >

Posted: 16 Mar 2011, 07:05
by bgksbot
EyeOfMySharingan wrote: Dual client is now gone in pRO. What's the new hex for disabling the GameGuard? Thanks for the reply.

I'm able to run my dual by using my backup hexed val.exe, but Alt+Q, Alt+E, etc. are not working. Kindly help, please.

benj1320 wrote: Unpack and hex the updated client itself, such as ragexe or valexe (for Valkyrie)... no renaming clients.

Ah, I see. Thanks again, Sir benj1320.