GetPixel uses kernelmode?!
08-19-2008, 04:34 PM
I heard MASM is good. Not sure about TASM though.
08-19-2008, 05:31 PM
GetPixel clone?
Is it like GetPixel called 4 times, each on a different part of the screen? Also, there's a GPPMX.DLL which bypasses GetPixel in ring3, I think.
It uses the 5-byte JMP.
08-19-2008, 05:34 PM
All right, do any of you know asm?
08-19-2008, 05:37 PM
Quote:
Originally Posted by kaswar
GetPixel clone?
Is it like GetPixel called 4 times, each on a different part of the screen? Also, there's a GPPMX.DLL which bypasses GetPixel in ring3, I think.
It uses the 5-byte JMP.

No, it's not. This also bypasses ring3, but without a 5-byte trampoline.

Quote:
Originally Posted by Beast
All right, do any of you know asm?

I know some asm, not a lot though. And could we try to keep on topic? I'm still curious if GetPixel uses ring0.
Last edited by wassssup34579; 08-19-2008 at 05:40 PM.
09-11-2008, 10:14 AM
Have just read this thread. First off... I want to strongly advise you against using this method. I know it is possible but it is really not smart. The code for APIs differs across machines and systems, so there is a good chance your code will not function correctly on other systems, especially if you have modified bits and pieces.
Now then, for your main question. Yes, GetPixel does enter kernelspace if used correctly. Go to OllyDbg, press Ctrl-G (in an application which maps gdi32.dll) and enter GetPixel. See that it eventually makes a CALL?
Click the call and press Enter to follow it. You will probably see something like this:
Code:
773ECCC6 B8 C6100000   MOV EAX,10C6              ; service id for this call
773ECCCB BA 0003FE7F   MOV EDX,7FFE0300          ; pointer to the system-call dispatcher
773ECCD0 FF12          CALL DWORD PTR DS:[EDX]   ; transition into the kernel
773ECCD2 C2 0C00       RETN 0C                   ; pop the three DWORD arguments
0x7FFE0300 is your system-call API structure member and 0x10C6 is your ServiceID for this function. I'm not gonna say much more now because I do know a bit more about kernelmode but it's not something I'm comfortable talking about right now... (don't feel like saying something wrong and looking like a ****tard lol).
If you REALLY must use your method instead of a trampoline... what I suggest you do is fetch the bytes of GetPixel dynamically, store them in a buffer and then write them back to an empty procedure when you want to use them. You will need to do it before GameGuard starts though. That way you can ensure the GetPixel you have is the correct copy for the system your application is running on.
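Added example, not code from the thread or from any of the posters: a small host-portable C program that works on the stub bytes in Slugsnack's listing. It detects a 5-byte JMP rel32 planted at the entry point (the trampoline hook kaswar mentions), pulls the service id and dispatcher pointer out of the XP-style stub, and clones the stub into a private buffer only when the bytes are the recognised position-independent shape and are not already hooked, which is the trap in the "copy the bytes before GameGuard starts" advice: a copy taken after the patch just jumps back into the hook. Both byte strings are constructed; the hook displacement is hypothetical, the 0x773ECCC6 address and 0x10C6 id are the ones from the listing and are specific to that one Windows build. Reading the live bytes out of gdi32 (GetProcAddress plus a memcpy from the loaded image) is left out so the block compiles anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the unhooked XP-style syscall stub exactly as listed
 * in the post above (MOV EAX,10C6 / MOV EDX,7FFE0300 / CALL [EDX] / RETN 0C). */
#define STUB_LEN 15
static const uint8_t clean_stub[STUB_LEN] = {
    0xB8, 0xC6, 0x10, 0x00, 0x00,   /* MOV EAX, 10C6      (service id)             */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* MOV EDX, 7FFE0300  (dispatcher pointer)     */
    0xFF, 0x12,                     /* CALL DWORD PTR DS:[EDX]                     */
    0xC2, 0x0C, 0x00                /* RETN 0C                                     */
};

/* Constructed input: the same stub after a ring-3 hooker has written a
 * 5-byte JMP rel32 over its first instruction. The displacement is hypothetical. */
static const uint8_t hooked_stub[STUB_LEN] = {
    0xE9, 0x2B, 0xCF, 0x00, 0x00,   /* JMP rel32 -> hook handler (hypothetical)    */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x0C, 0x00
};

/* Little-endian 32-bit read, so the parser behaves the same on any host. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The classic trampoline hook: E9 (JMP rel32) or E8 (CALL rel32) at the entry. */
int is_hooked(const uint8_t *code) {
    return code[0] == 0xE9 || code[0] == 0xE8;
}

/* Where a JMP/CALL rel32 at the entry lands, given the stub's virtual address.
 * Returns 0 when the entry is not hooked. */
uint32_t hook_target(const uint8_t *code, uint32_t code_va) {
    if (!is_hooked(code)) return 0;
    int32_t rel = (int32_t)rd32(code + 1);
    return code_va + 5 + (uint32_t)rel;   /* rel32 is relative to the next instruction */
}

/* Match the XP x86 stub shape and return the service id loaded into EAX; 0 if no match. */
uint32_t stub_service_id(const uint8_t *code, size_t len) {
    if (len < 12) return 0;
    if (code[0] != 0xB8 || code[5] != 0xBA || code[10] != 0xFF || code[11] != 0x12) return 0;
    return rd32(code + 1);
}

/* The dispatcher pointer loaded into EDX (0x7FFE0300 in the listing); 0 if no match. */
uint32_t stub_dispatch_ptr(const uint8_t *code, size_t len) {
    if (stub_service_id(code, len) == 0) return 0;
    return rd32(code + 6);
}

/* Copy the stub into a private buffer (the thread's "write it back to an empty
 * procedure"). Only bytes we can prove are position-independent are accepted:
 * the recognised stub shape ending in RETN, with no relative branch at the entry.
 * A hooked stub is refused: cloning it would just re-enter the hook. */
int clone_stub(const uint8_t *code, size_t len, uint8_t *dst, size_t dst_len) {
    if (len < 13 || len > dst_len) return 0;
    if (is_hooked(code)) return 0;
    if (stub_service_id(code, len) == 0) return 0;
    if (code[12] != 0xC2 && code[12] != 0xC3) return 0;   /* RETN imm16 or RETN */
    memcpy(dst, code, len);
    return 1;
}

/* Run the scenario on both constructed stubs; 1 when the clean stub clones
 * byte-for-byte and the hooked one is detected, resolved and refused. */
int demo(void) {
    uint8_t buf[STUB_LEN];
    const uint32_t va = 0x773ECCC6u;   /* address of the stub in the listing */
    int ok = 1;
    ok &= !is_hooked(clean_stub) && stub_service_id(clean_stub, STUB_LEN) == 0x10C6u;
    ok &= clone_stub(clean_stub, STUB_LEN, buf, sizeof buf) && memcmp(buf, clean_stub, STUB_LEN) == 0;
    ok &= is_hooked(hooked_stub) && hook_target(hooked_stub, va) == 0x773F9BF6u;
    ok &= clone_stub(hooked_stub, STUB_LEN, buf, sizeof buf) == 0;
    return ok;
}

int main(void) {
    printf("clean stub : service id 0x%04X via dispatcher 0x%08X\n",
           (unsigned)stub_service_id(clean_stub, STUB_LEN),
           (unsigned)stub_dispatch_ptr(clean_stub, STUB_LEN));
    printf("hooked stub: entry JMPs to 0x%08X\n",
           (unsigned)hook_target(hooked_stub, 0x773ECCC6u));
    printf("scenario %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

The shape check is deliberately strict: a real GetPixel has user-mode code in front of this stub, and anything with relative calls or jumps inside it cannot be copied elsewhere without fixing up the displacements, which is exactly why the pattern-match refuses bytes it does not recognise instead of copying blindly.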
09-11-2008, 05:18 PM
But if it uses kernelmode, why doesn't GameGuard hook it in ring0?
09-11-2008, 06:13 PM
Quote:
Originally Posted by Slugsnack
Have just read this thread. First off... I want to strongly advise you against using this method. I know it is possible but it is really not smart. The code for APIs differs across machines and systems, so there is a good chance your code will not function correctly on other systems, especially if you have modified bits and pieces.
Now then, for your main question. Yes, GetPixel does enter kernelspace if used correctly. Go to OllyDbg, press Ctrl-G (in an application which maps gdi32.dll) and enter GetPixel. See that it eventually makes a CALL?
Click the call and press Enter to follow it. You will probably see something like this:
Code:
773ECCC6 B8 C6100000   MOV EAX,10C6
773ECCCB BA 0003FE7F   MOV EDX,7FFE0300
773ECCD0 FF12          CALL DWORD PTR DS:[EDX]
773ECCD2 C2 0C00       RETN 0C
0x7FFE0300 is your system-call API structure member and 0x10C6 is your ServiceID for this function. I'm not gonna say much more now because I do know a bit more about kernelmode but it's not something I'm comfortable talking about right now... (don't feel like saying something wrong and looking like a ****tard lol).
If you REALLY must use your method instead of a trampoline... what I suggest you do is fetch the bytes of GetPixel dynamically, store them in a buffer and then write them back to an empty procedure when you want to use them. You will need to do it before GameGuard starts though. That way you can ensure the GetPixel you have is the correct copy for the system your application is running on.

This is where dynamically fetching the first 5 bytes presents a problem. On Rakion, for example, all methods of injecting a DLL before GG fully loads are patched. I guess the only reason trampolining works on Gunbound is because both gme's are loaded at the same time (right when you click Start Game).