Discussion Smart Guard's Smart Crypt Is A Scam!

[kavar.dyminsky]

I represent all clients that bought this software. 

Smart guard, be honest with yourself and refund every noob that you sold it to.

 

Instructions:

Decrypt any files protected by SmartCrypt with effectively two lines of code.

 

SmartCrypt can be bypassed simply by loading the file you want into memory via the Core.dll method appLoadFileToArray

The array loaded by appLoadFileToArray will be completely free of any encryption, it can then be saved to file, I personally use appSaveArrayToFile as the Core already has this function for us.

 

This proof of concept was created on the Interlude client but should work without issue on any client version.

The following code must be compiled using Visual Studio as a DLL and the resulting DLL should be attached to l2.bin

 

Attaching DLL Instructions

Download Explorer Suite http://www.ntcore.com/exsuite.php

Use CFF Explorer to open L2.bin

On the left side, click "Import Adder"

Click "Add", locate your compiled DLL file

In "Exported Functions" box click "DllMain" then click "Import By Name"

Click "Rebuild Import Table"

On the left side, click "Rebuilder"

Click "Bind Import Table" check box then click "Rebuild"

Save L2.bin (Keep a backup of original ofc)

 

#include <windows.h>
 
void DumpFile()
{
typedef void (__cdecl *f_appLoadFileToArray)(char *, wchar_t *, int);
typedef void (__cdecl *f_appSaveArrayToFile)(char *, wchar_t *, int);
 
f_appLoadFileToArray appLoadFileToArray = (f_appLoadFileToArray)GetProcAddress(GetModuleHandleA("Core.dll"), "?appLoadFileToArray@@YAHAAV?$TArray@E@@PBGPAVFFileManager@@@Z");
f_appSaveArrayToFile appSaveArrayToFile = (f_appSaveArrayToFile)GetProcAddress(GetModuleHandleA("Core.dll"), "?appSaveArrayToFile@@YAHABV?$TArray@E@@PBGPAVFFileManager@@@Z");
 
char TArray[0x14];
memset(TArray,0,0x14);
 
appLoadFileToArray(TArray, L"..\\System\\Interface.u", *((int *)GetProcAddress(GetModuleHandleA("Core.dll"), "?GFileManager@@3PAVFFileManager@@A")));
appSaveArrayToFile(TArray, L"..\\System\\Interface.decrypted.u", *((int *)GetProcAddress(GetModuleHandleA("Core.dll"), "?GFileManager@@3PAVFFileManager@@A")));
}
bool dumped = false;
void StartCheck()
{
// wait until WinDrv is loaded just so we know everything we need is initialized correctly
if (GetModuleHandleA("WinDrv.dll") != NULL) {
if (!dumped) {
DumpFile();
dumped = true;
}
}
}
__declspec(dllexport) BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
StartCheck();
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

 

Below are screenshots of a successfully decrypted SmartCrypt protected Interface.u with source fully viewable via UTPT

 

 

The words of the developer:

"Private encryption keys - 100% safety!"

"Protected files are guaranteed from being modified or viewed"

 

That's your chance to claim your money back and quit wasting money.

 

 

I wasn't sure where was the best place to stick this topic as it didn't really fit into the categories so if a mod feels it's better placed somewhere else feel free to move it, thanks!

[Szakalaka]

xD

 

That was obvious since day one. If the game engine has to be "fed" the real data, it has to be decrypted at some point

[imtheboss2012]

hmm so it means server files can be hacked?d

Edited September 3, 2016 by imtheboss2012

[Szakalaka]

hmm so it means server files can be hacked?d

 

Yea, and you can take all the donation money

[imtheboss2012]

*haha*

 

 

 

not

 

thought it was some bypass for smartguard, people will still buy it, no matter if there are some backdoors on files. eglobal also had some shitty things on their system and people still played there. 

[bravetobe]

Lol that post "forced" me to prepare popcorn ... I want to see Akumu answer on that.

 

:troll:

[Sdw]

It's true for everything, see how themida managed to protect retail client files, wow

[bravetobe]

Akumu where are u Kappa

[Szakalaka]

It's true for everything, see how themida managed to protect retail client files, wow

 

Do you realise they are using 10 yo version without any special features? There are even scripts for those who do not know how to unpack basic stuff

[AlmostGood]

and i was wondering why ScritpsGuard hooks these functions, maybe they are not that gavno :D

[Szakalaka]

then copy starting bytes and jump to the function xDD

[bravetobe]

akumu?

[korami]

This has been patched I think, it didn't work for me....

[vampir]

I am willing to pay for teaching me how to make this work on smartguard protected server.

[Szakalaka]

A co potrzebujesz?