Jump to content

Recommended Posts

Posted
I represent all clients that bought this software. 
Smart guard, be honest with yourself and refund every noob that you sold it to.
 
Instructions:
Decrypt any files protected by SmartCrypt with effectively two lines of code.
 
SmartCrypt can be bypassed simply by loading the file you want into memory via the Core.dll method appLoadFileToArray
The array loaded by appLoadFileToArray will be completely free of any encryption, it can then be saved to file, I personally use appSaveArrayToFile as the Core already has this function for us.
 
This proof of concept was created on the Interlude client but should work without issue on any client version.
The following code must be compiled using Visual Studio as a DLL and the resulting DLL should be attached to l2.bin
 
Attaching DLL Instructions


Download Explorer Suite http://www.ntcore.com/exsuite.php
Use CFF Explorer to open L2.bin
On the left side, click "Import Adder"
Click "Add", locate your compiled DLL file
In "Exported Functions" box click "DllMain" then click "Import By Name"
Click "Rebuild Import Table"
On the left side, click "Rebuilder"
Click "Bind Import Table" check box then click "Rebuild"
Save L2.bin (Keep a backup of original ofc)

 
#include <windows.h>
 
void DumpFile()
{
typedef void (__cdecl *f_appLoadFileToArray)(char *, wchar_t *, int);
typedef void (__cdecl *f_appSaveArrayToFile)(char *, wchar_t *, int);
 
f_appLoadFileToArray appLoadFileToArray = (f_appLoadFileToArray)GetProcAddress(GetModuleHandleA("Core.dll"), "?appLoadFileToArray@@YAHAAV?$TArray@E@@PBGPAVFFileManager@@@Z");
f_appSaveArrayToFile appSaveArrayToFile = (f_appSaveArrayToFile)GetProcAddress(GetModuleHandleA("Core.dll"), "?appSaveArrayToFile@@YAHABV?$TArray@E@@PBGPAVFFileManager@@@Z");
 
char TArray[0x14];
memset(TArray,0,0x14);
 
appLoadFileToArray(TArray, L"..\\System\\Interface.u", *((int *)GetProcAddress(GetModuleHandleA("Core.dll"), "?GFileManager@@3PAVFFileManager@@A")));
appSaveArrayToFile(TArray, L"..\\System\\Interface.decrypted.u", *((int *)GetProcAddress(GetModuleHandleA("Core.dll"), "?GFileManager@@3PAVFFileManager@@A")));
}
bool dumped = false;
void StartCheck()
{
// wait until WinDrv is loaded just so we know everything we need is initialized correctly
if (GetModuleHandleA("WinDrv.dll") != NULL) {
if (!dumped) {
DumpFile();
dumped = true;
}
}
}
__declspec(dllexport) BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
StartCheck();
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
 
Below are screenshots of a successfully decrypted SmartCrypt protected Interface.u with source fully viewable via UTPT
 
post-193482-0-83528400-1472863106_thumb.jpg
post-193482-0-41080000-1472863098_thumb.jpg
 
The words of the developer:
"Private encryption keys - 100% safety!"
"Protected files are guaranteed from being modified or viewed"
 
That's your chance to claim your money back and quit wasting money.
 
 
I wasn't sure where was the best place to stick this topic as it didn't really fit into the categories so if a mod feels it's better placed somewhere else feel free to move it, thanks!
  • Thanks 1
Posted

*haha*

 

 

 

not

 

thought it was some bypass for smartguard, people will still buy it, no matter if there are some backdoors on files. eglobal also had some shitty things on their system and people still played there. 

Posted

It's true for everything, see how themida managed to protect retail client files, wow

 

Do you realise they are using 10 yo version without any special features? There are even scripts for those who do not know how to unpack basic stuff

  • 3 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...