TervistRO - Gepard Shield - Problem.

Beviw
Noob
Posts: 2
Joined: 31 Mar 2014, 10:47
Noob?: Yes

TervistRO - Gepard Shield - Problem.

#1 Post by Beviw »

A lot of people are having problems with this shield, let's try to work together and find a solution.
Please post here any solution that you have tried so far.
Server link: http://tervistro.net/

Cheers mate
chrislong93
Human
Posts: 46
Joined: 27 Mar 2014, 16:20
Noob?: No

Re: TervistRO - Gepard Shield - Problem.

#2 Post by chrislong93 »

Looks like nobody is trying to work on a solution because

1. The shield is the first of its kind
2. Players in that server are mainly Russian
3. Most of them are maxed out, fully geared, they just play to BG/WoE.
4. Russians are supreme hackers, if they want to bypass it, they will
5. I've been checking the Russian bot forum, no solution yet. Maybe they don't want to make it public.
v0nWire
Noob
Posts: 2
Joined: 27 Nov 2013, 12:04
Noob?: No
Location: France

Re: TervistRO - Gepard Shield - Problem.

#3 Post by v0nWire »

I had a quick look at this anti-cheat and it looks like gepard.dll is doing the work.
It exports 3 Ordinals (1, 2, 3), I guess Ordinal1 is recv, Ordinal2 is send and Ordinal3 is connect (didn't really check this one out). Same prototypes so I guess it can be used without too much trouble.

If that can help ... (and please correct me if I'm wrong)
I think a bypass exists already.
flaite
Noob
Posts: 2
Joined: 30 Apr 2014, 11:21
Noob?: Yes

Re: TervistRO - Gepard Shield - Problem.

#4 Post by flaite »

v0nWire wrote: I had a quick look at this anti-cheat and it looks like gepard.dll is doing the work.
It exports 3 Ordinals (1, 2, 3), I guess Ordinal1 is recv, Ordinal2 is send and Ordinal3 is connect (didn't really check this one out). Same prototypes so I guess it can be used without too much trouble.

If that can help ... (and please correct me if I'm wrong)
I think a bypass exists already.
I think you're on the right track, in my opinion.

I've been taking a look with this program "Process hack" and I reached the same conclusions.

As I see it, gepard.dll patches the exe with Ordinals 1, 2 and 3 and there's another part of gepard.dll that still resides in memory; I think this part is the anti WPE, NDL, etc. checker.
v0nWire
Noob
Posts: 2
Joined: 27 Nov 2013, 12:04
Noob?: No
Location: France

Re: TervistRO - Gepard Shield - Problem.

#5 Post by v0nWire »

flaite wrote: As I see it, gepard.dll patches the exe with Ordinals 1, 2 and 3 and there's another part of gepard.dll that still resides in memory; I think this part is the anti WPE, NDL, etc. checker.
Yeah everything is done from the DLL. The executable (ragexe.exe) imports the DLL's Ordinals so the DLL is loaded by Windows' loader before execution.
As for the "Memory Integrity" scanner, it is using a shellcode that is re-written in memory before each scan occurs, but you can deactivate it without too much trouble.
And only one thread is doing all the work and it's not even the main one (the one the game runs in), it's usually the second one (creation order).
flaite
Noob
Posts: 2
Joined: 30 Apr 2014, 11:21
Noob?: Yes

Re: TervistRO - Gepard Shield - Problem.

#6 Post by flaite »

I think that patching ragexe with ordinals and discarding memory checker can be a solution, then we can extract recvpackets and all the rest.
I don't know if this can work.
gentacomp
Noob
Posts: 6
Joined: 22 Mar 2016, 07:08
Noob?: Yes

Re: TervistRO - Gepard Shield - Problem.

#7 Post by gentacomp »

Up this topic
The number one RO private server in Indonesia uses this now, and I can't figure out how to bypass it.
golbez
Noob
Posts: 2
Joined: 13 Jul 2016, 08:07
Noob?: Yes

Re: TervistRO - Gepard Shield - Problem.

#8 Post by golbez »

How did you read the DLL? Did you use a decompiler?

From what I know there's a client side and a server side of this shield.
If you manage to reverse engineer the client side you'll have trouble with the server side of this shield when connecting to the map server.