Jump to content

Antibot Dex-ternet (www.lineage.ro) - Frintezza (www.frintezza.com)..impossible?


Recommended Posts

The antibot of Dex and Frintezza is same, i search for internet and find this Antibot system in Postpacific:


[howto] kill hlapex/l2phx/l2walker with 3k of code



On this thread smeli mentions about antihlapex. I don't know if anything like this is currently available (or for free) - but it is now.


This little project is an ultra simple way of keeping l2phx, hlapex, along with l2walker away from the game client.


First I'll say that both l2phx/hlapex depend on one import from ws2_32.dll (connect) in order to function correctly. Since both applications hook ws2_32.connect by way of a jmp at the start of the function - the solution is obvious, we need to replace their hook. The good news is that the first 12 or so bytes for ws2_32.connect is the same across all versions of Windows (yes, this works on X64 too - I tested it), so instead of patching their jmp with another jmp, we'll simply restore the original bytes of ws2_32.connect, and problem solved.


L2Walker is completely different - from briefly looking it in OllyDbg... walker seems to operate by calling functions inside of L2's engine itself... It installs its window hook (the home key) by directly calling a function inside of window.dll - L2Walker is really impressive actually... but also makes me wonder if the author might have 'inside information' about how Lineage II works internally, if you get my meaning.


Anyways, to the point... the actual bot is LineageII.dll - not the loader application L2Walker.exe - because LineageII.dll is protected with Asprotect... users of the bot can't just rename it to whatever, or Asprotect will get mad D= ... so the simple solution is to query for it with GetModuleHandleA then if we return an address... terminate the game process. I haven't been able to force unload walker's LineageII.dll without causing a GPF in the L2 game client - oh well, who cares...


nophx.dll works by adding it to the IAT of engine.dll and importing DllEntryPoint - since our DllEntryPoint is called quite often(no its not called only once...) its always running through the two 'anti bot' sub-routines. Now how to prevent players from just replacing our engine.dll with an older version? Nevyn gets the credit for this idea in his post here - we change the Auth key, so using an older engine.dll means you don't login.


Well, that's all, kill three bots with 3kb of code, and we didn't even hook outside of our own process address space (unlike some stupid kernel mode anti-cheat programs) -- I'd like to know what others think of this (if anything), or any holes you might find...


The .dll and its source code is attached to this thread...




is this the ultimate antibot system? is impossible break the antibot?


PD: sorry for my english :S

PD2: Information about antibot --> http://postpacific.com/showthread.php?t=12182

Link to comment
Share on other sites

So you mean the "new" fire.dll (2mb file) is actually nophx.dll itself?

I thought fire.dll pointed to Fyyre's nophx.dll which would then be executed.

Nothing is unbreakable.

The 2mb fire.dll file is protected by Themida. Once someone unpacks it, then we'll have some more info. Too bad my skills aren't good enough to break it yet, although I've managed to dump it using IDA (olly/windasm/others just close, that's a known Themida behaviour).

Never say something is impossible...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...