Hello and welcome from the Armored Software team. In this article we will talk about reverse engineering and circumvention of game protection. This time the guest in our studio is a protection for the MMORPG MuOnline, the so-called MuGuard Protection, available at http://muguard.ru. Unlike NSEngine, which we covered previously, this protection is an order of magnitude ahead of its rival, although it is not especially popular and is used on only a couple of servers. It costs $200.
If you go to the website, you can see a description of the product, but unfortunately that description is only text that has no relation to reality, as we will now prove.
Also note that you should not confuse this MuGuard.ru with MuGuard.org, because they are completely different products, even though they have the same emblem. The second anti-cheat will be discussed in the next article.
Stage 0x00. Exploration and Preparation
We will bypass the protection on the MuOnline server http://murred.ru. Let’s register and download the game client.
The client application main.exe is protected with Enigma Protector. As it turned out, wz.dll is the anti-cheat library and is also protected by Enigma. To simplify the analysis, we use the script from the famous cracker LCF-AT and unpack main.exe and wz.dll. Now all the necessary modules are prepared for analysis.
Also, if you look at the traffic, you will notice that it flows without any third-party encryption; packet protection is based on a unique EncDec key, which can be verified by comparing the enc1.dat and dec2.dat files with the standard ones.
Let’s go back to the library module and see what is in it. The library's load-time code in DllMain looks as follows:
As you can see, the anti-cheat sets its hooks on keyboard and mouse input/output events. It also intercepts the send() function from the Winsock library. The interceptors implement different methods of detecting clickers; for example, here is how the keyboard interceptor detects clickers from keyboard events:
Next, take a look at the send() interceptor: as can be seen from the figure below, it calls the system verification procedure. Such an interceptor is convenient because it calls the anti-cheat code from the main thread of the game, which creates obstacles to simply stopping the anti-cheat thread. At its start, the send() interceptor directly writes the uncompressed keys into main.exe memory:
The StartProtection() function first performs a primitive check for a debugger, checks the running processes, checks for SpeedHack, and compares the contents of the main.exe code section with an image prepared earlier in DllMain. If something goes wrong, it says hello to “SmallHabit” ten times:
Now let’s go back to the DllMain function and look inside. I was interested in two parts of the code. The first is a primitive check for the launcher before startup:
and the second is the function that verifies the checksums of critical files against hardcoded MD5 hashes, which are easily identified as strings:
The library also contains many pieces of code that directly modify main.exe memory. From this one can infer that the anti-cheat library itself carries client customizations, which is confirmed by a string found in the library:
So we have made a brief study of the protection and gathered all the necessary information; let’s proceed to the next step.
Stage 0x01. Finding and Exploiting the Gaps
Our goal is to remove the protection entirely, but as we saw, the library contains part of the client customizations. If we remove the library completely, the customizations will be lost, which is of course a pity. Therefore, in today’s article we will try to disable the protection without removing it from the client. There are some problems: the client files and the protection are packed (the unpacked version is very buggy), yet we need to get into the process and patch the library somehow. Because the library is packed, it has to be patched at a specific moment: after it has unpacked itself and before it begins to carry out its protection functions. The task is quite solvable.
The client also uses non-standard encryption keys to protect traffic. We do not need to think about how to bypass this protection, since that has already been done in the article about the attack on MuOnline encryption.
To load our library we can use the good old DLL hijacking technique: we replace wzVideo.dll with our own library, which gets us into the process and then loads the original wzVideo.dll. Now we need to catch the right moment to patch the anti-cheat library. If we look at the very first image of this article, we see that before the protection is initialized there is a call to the LoadRegConfigInt function, which contains a call to the WinAPI function RegOpenKeyExA. We can intercept this call and use it to determine that the library is running and performing its initialization. This spot is ideal for installing our hotfix.
After that it only remains to patch out the unnecessary checks and put it all into our library. Since the anti-cheat module is unpacked, I will not go through the disassembly in detail or describe where the patches go; all the details can be found in the source.
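From the defender's side, both the hardcoded MD5 check of a few critical files and the wzVideo.dll replacement described above come down to which modules in the client directory are actually verified. The following is an added example (not code from this article or from MuGuard) that compares every .exe/.dll in a client directory with a SHA-256 manifest taken from a known-good build; the function names, file contents and extra_module.dll are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

MODULE_EXTS = {".exe", ".dll"}  # anything the game process can load as code


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(client_dir: Path) -> dict:
    """Map lower-cased relative path -> SHA-256 for every module found."""
    return {
        p.relative_to(client_dir).as_posix().lower(): sha256_file(p)
        for p in sorted(client_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in MODULE_EXTS
    }


def audit(client_dir: Path, manifest: dict) -> dict:
    """Compare a client directory with a trusted manifest."""
    current = build_manifest(client_dir)
    return {
        # listed in the manifest but content differs (e.g. a swapped DLL)
        "modified": sorted(n for n in manifest
                           if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        # modules the vendor never shipped; a fixed file list misses these
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict:
    """Constructed sample: clean client, then a swapped DLL and an extra one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("main.exe", "wz.dll", "wzVideo.dll"):
            (root / name).write_bytes(b"original " + name.encode())
        manifest = build_manifest(root)  # taken from the known-good build
        (root / "wzVideo.dll").write_bytes(b"replacement module")
        (root / "extra_module.dll").write_bytes(b"not shipped by the vendor")
        return audit(root, manifest)


if __name__ == "__main__":
    print(demo())
```

A check like this belongs in the updater or on the server side, since a comparison that runs inside the client can be patched in the same way as the MD5 check.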
Stage 0x03. Conclusion
Our expert protection rating: 2.1 / 5
Careless code and algorithms, coupled with a product description that is 60% at odds with reality, left us no choice in the quality assessment. It is also important to note that the game's standard protection mechanisms play no small role in the protection; they are not included in the assessment, for obvious reasons.
A short video showing the result of our workaround.
Binaries and source code can be downloaded from here.
Thank you for your attention.