It's easy.
Bakeice is injecting lineagebk.dll (unpacked in 2s) into l2.exe (well, gameguard.des).
This DLL directly changes the Blowfish function call to change the encryption.
It also gets the login/pass directly.
---
Hook to Blowfish encrypt/decrypt:
100011B0 /$ 53 PUSH EBX
100011B1 |. 56 PUSH ESI
100011B2 |. 57 PUSH EDI
100011B3 |. 68 2CB50110 PUSH 1001B52C ; /pModule = "core.dll"
100011B8 |. 8BF9 MOV EDI,ECX ; |
100011BA |. FF15 88B20110 CALL DWORD PTR DS:[<&kernel32.GetModul>; \GetModuleHandleA
100011C0 |. 8B1D 8CB20110 MOV EBX,DWORD PTR DS:[<&kernel32.GetPr>; kernel32.GetProcAddress
100011C6 |. 8BF0 MOV ESI,EAX
100011C8 |. 68 04B50110 PUSH 1001B504 ; /ProcNameOrOrdinal = "?BlowfishEncrypt@FBlowFish@@QAEXPAEH@Z"
100011CD |. 56 PUSH ESI ; |hModule
100011CE |. FFD3 CALL EBX ; \GetProcAddress
100011D0 |. 85C0 TEST EAX,EAX
100011D2 |. 74 3E JE SHORT 10001212
100011D4 |. 68 B0340010 PUSH 100034B0 ; /Arg2 = 100034B0
100011D9 |. 83C7 3C ADD EDI,3C ; |
100011DC |. 50 PUSH EAX ; |Arg1
100011DD |. 8BCF MOV ECX,EDI ; |
100011DF |. E8 0C2A0000 CALL 10003BF0 ; \unpacked.10003BF0
100011E4 |. 68 DCB40110 PUSH 1001B4DC ; ASCII "?BlowfishDecrypt@FBlowFish@@QAEXPAEH@Z"
100011E9 |. 56 PUSH ESI
100011EA |. FFD3 CALL EBX
100011EC |. 85C0 TEST EAX,EAX
100011EE |. 74 11 JE SHORT 10001201
100011F0 |. 68 60340010 PUSH 10003460 ; /Arg2 = 10003460
100011F5 |. 50 PUSH EAX ; |Arg1
100011F6 |. 8BCF MOV ECX,EDI ; |
100011F8 |. E8 F3290000 CALL 10003BF0 ; \unpacked.10003BF0
Hook to gameguard:
10001230 /$ 56 PUSH ESI
10001231 |. 68 84B50110 PUSH 1001B584 ; /pModule = "engine.dll"
10001236 |. 8BF1 MOV ESI,ECX ; |
10001238 |. FF15 88B20110 CALL DWORD PTR DS:[<&kernel32.GetModul>; \GetModuleHandleA
1000123E |. 68 54B50110 PUSH 1001B554 ; /ProcNameOrOrdinal = "?ResponseAuthGameGuard@UNetworkHandler@@UAEHXZ"
10001243 |. 50 PUSH EAX ; |hModule
10001244 |. FF15 8CB20110 CALL DWORD PTR DS:[<&kernel32.GetProcA>; \GetProcAddress
1000124A |. 85C0 TEST EAX,EAX
1000124C |. 74 10 JE SHORT 1000125E
1000124E |. 68 00100010 PUSH send_en ; /Arg2 = 10001000
10001253 |. 50 PUSH EAX ; |Arg1
10001254 |. 8D4E 3C LEA ECX,DWORD PTR DS:[ESI+3C] ; |
10001257 |. E8 94290000 CALL 10003BF0 ; \unpacked.10003BF0
1000125C |. 5E POP ESI
1000125D |. C3 RET
1000125E |> 68 38B50110 PUSH 1001B538 ; ASCII "ResponseAuthGameGuard Error"
10001263 |. E8 F8370000 CALL 10004A60
10001268 |. 83C4 04 ADD ESP,4
1000126B |. 5E POP ESI
1000126C \. C3 RET
Hook to GetUserAccount:
100015B3 |. 68 84B50110 PUSH 1001B584 ; /pModule = "engine.dll"
100015B8 |. 89BE C4030000 MOV DWORD PTR DS:[ESI+3C4],EDI ; |
100015BE |. FF15 88B20110 CALL DWORD PTR DS:[<&kernel32.GetModul>; \GetModuleHandleA
100015C4 |. 3BC7 CMP EAX,EDI
100015C6 |. 8946 38 MOV DWORD PTR DS:[ESI+38],EAX
100015C9 |. 75 06 JNZ SHORT 100015D1
100015CB |. 57 PUSH EDI
100015CC |. E8 B0590000 CALL 10006F81
100015D1 |> 53 PUSH EBX
100015D2 |. 8B1D 8CB20110 MOV EBX,DWORD PTR DS:[<&kernel32.GetPr>; kernel32.GetProcAddress
100015D8 |. 68 F4B50110 PUSH 1001B5F4 ; /ProcNameOrOrdinal = "?GetUserAccount@UNetworkHandler@@UAEPAGXZ"
100015DD |. 50 PUSH EAX ; |hModule
100015DE |. FFD3 CALL EBX ; \GetProcAddress
100015E0 |. 3BC7 CMP EAX,EDI
100015E2 |. 8986 C8030000 MOV DWORD PTR DS:[ESI+3C8],EAX
100015E8 |. 75 13 JNZ SHORT 100015FD
100015EA |. 68 D8B50110 PUSH 1001B5D8 ; ASCII "&GetUserAccount Error!!"
100015EF |. E8 6C340000 CALL 10004A60
100015F4 |. 83C4 04 ADD ESP,4
100015F7 |. 5B POP EBX
100015F8 |. 5F POP EDI
100015F9 |. 8BC6 MOV EAX,ESI
100015FB |. 5E POP ESI
100015FC |. C3 RET
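The three listings above all follow the same pattern: GetModuleHandleA on a game module, GetProcAddress on an MSVC-mangled C++ export, then a call into the DLL's own hook installer. When triaging a DLL like this, the quickest indicator is exactly that list of resolved exports. The following is an added example (not code from the post or from the DLL) that parses OllyDbg-style listing lines, pairs each mangled name with the module it was resolved from, and demangles just enough of the MSVC scheme to read the prototypes; the sample listing is an excerpt constructed from the lines above, and the mangling tables cover only the codes that occur there.

```python
import re
# Constructed excerpt of the OllyDbg listing above: only the lines carrying string references.
LISTING = r"""
100011B3 |. 68 2CB50110 PUSH 1001B52C ; /pModule = "core.dll"
100011C8 |. 68 04B50110 PUSH 1001B504 ; /ProcNameOrOrdinal = "?BlowfishEncrypt@FBlowFish@@QAEXPAEH@Z"
100011E4 |. 68 DCB40110 PUSH 1001B4DC ; ASCII "?BlowfishDecrypt@FBlowFish@@QAEXPAEH@Z"
10001231 |. 68 84B50110 PUSH 1001B584 ; /pModule = "engine.dll"
1000123E |. 68 54B50110 PUSH 1001B554 ; /ProcNameOrOrdinal = "?ResponseAuthGameGuard@UNetworkHandler@@UAEHXZ"
100015B3 |. 68 84B50110 PUSH 1001B584 ; /pModule = "engine.dll"
100015D8 |. 68 F4B50110 PUSH 1001B5F4 ; /ProcNameOrOrdinal = "?GetUserAccount@UNetworkHandler@@UAEPAGXZ"
"""

MODULE_RE = re.compile(r'pModule = "([^"]+)"')
MANGLED_RE = re.compile(r'"(\?[^"]+)"')  # MSVC C++ names start with '?'
ACCESS = {"Q": "public", "U": "public virtual"}  # minimal MSVC mangling tables (codes seen here)
CONV = {"A": "__cdecl", "E": "__thiscall", "G": "__stdcall"}
TYPES = {"X": "void", "H": "int", "E": "unsigned char", "G": "unsigned short"}

def parse_type(s, i):
    """Decode one type code at s[i]; 'P<cv><type>' is a pointer. Returns (text, next index)."""
    if s[i] == "P":
        inner, j = parse_type(s, i + 2)  # skip the CV code (assumed 'A' = none)
        return inner + "*", j
    return TYPES.get(s[i], "?"), i + 1

def demangle(name):
    """'?Func@Class@@<access><cv><conv><ret><params>Z' -> readable C++ prototype."""
    if not name.startswith("?") or "@@" not in name:
        return name
    scope, rest = name[1:].split("@@", 1)
    func = "::".join(reversed(scope.split("@")))
    ret, i = parse_type(rest, 3)  # rest[0]=access, [1]=this CV, [2]=calling convention
    params = []
    while i < len(rest) and rest[i] not in "@Z":
        t, i = parse_type(rest, i)
        params.append(t)
    params = [] if params == ["void"] else params  # a lone 'X' parameter list means ()
    return f"{ACCESS.get(rest[0], '?')} {ret} {CONV.get(rest[2], '?')} {func}({', '.join(params)})"

def resolved_exports(listing):
    """Pair every mangled export resolved by name with the last module pushed to GetModuleHandleA."""
    module, found = None, []
    for line in listing.splitlines():
        m = MODULE_RE.search(line)
        if m:
            module = m.group(1)
        for mangled in MANGLED_RE.findall(line):
            found.append((module, mangled, demangle(mangled)))
    return found
```

Running `resolved_exports(LISTING)` shows that the two core.dll hooks take a buffer and a length (the Blowfish block routines) while the engine.dll GetUserAccount hook returns a wide string, which is the credential exposure the post describes.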