CRC bypass question
  1. #1 by scizzydo (Contributor)

    CRC bypass question

    Hello everyone. I've been trying to get my CRC bypass working fine; however, I seem to always crash after the .text detour is applied. I've taken the old D2ROffline (from Ferib) and D2RModding (from Shalzuth) and updated them to the correct offsets for the shellcode to get the .text start and .text size, and only changed the part where I don't start the process suspended but grab the running D2R instance. Using these I still face the same crash. Those were just run as examples to see if it was my code that was wrong; however, I get the same results from them.

    My program is just a basic C++ one where I pass the PID on the command line to conduct the bypass. I'm doing everything the same as those articles (except re-applying the section with SEC_NO_ACCESS after). If I don't apply any patches, I can keep the client running (so it looks like it's the shellcode being put in that is the problem). I'm using Capstone & Keystone for generating my shellcode from assembly. Here's an example of the output from a run (without modifying the application):
    Code:
    Attempting to bypass 11608
    base       00007FF798B40000...00007FF79A7FFFFF (30146560 bytes)
    .text      00007FF798B41000...00007FF79A4F1C00 (26938368 bytes)
    Wrote the copy region to 0000019080000000
    Found CRC check at 00007FF798CC6BD0
    Detour at 00007FF798CC6BD0:
            push rbx
            movabs rbx, 0000020BA39B0000
            call rbx
            pop rbx
    
    CRC bypass at 0000020BA39B0000:
            push rcx
            movabs rcx, 00007FF798B41000
            cmp rdx, rcx
            jl cleanup
            movabs rcx, 00007FF79A4F1C00
            cmp rdx, rcx
            jg cleanup
    swap_crc:
            movabs rcx, 00007FF798B40000
            sub rdx, rcx
            movabs rcx, 0000019080000000
            add rdx, rcx
    cleanup:
            pop rcx
    normal_crc:
            crc32 rdi, qword ptr [rdx + rax*8]
            inc rax
            cmp rax, rcx
            jb normal_crc
            ret
    Expanding detour 1 byte with a NOP

    With the above, I see what I'd expect to be injected, and the process keeps running (.text not modified); however, the remap has been done, and that seems to not trigger anything, along with the Suspend & Resume process.

    When I allow it to write and keep the process suspended, I have checked the code injected and it does exactly what is expected. The scan is finding 5 areas in the game .text to patch. I've reviewed the crash dump files and see the minidump containing the error: The thread tried to read from or write to a virtual address for which it does not have the appropriate access.

    Also, I noticed that the last call is RtlCaptureContext in the associated crash.txt file; however, I'm unsure how to do anything about that. If there are any tips, they would be greatly appreciated. I can show the code that I'm doing in a gist if you would like.

  2. #2 by scizzydo (Contributor)
    Here's the gist of my latest attempts: crc bypass used in d2r (testing) (GitHub gist)

    Again, if I don't do the CRC writes I'm good, which makes me think it's the detour & cave code that has an issue; however, it appears to be exactly as others say it should be... so I'm at a loss.

  3. #3 by ejt (Contributor)
    Without disclosing too much, I'll just say that first of all you're overcomplicating things by doing it like previous projects; you don't need code caves or anything like that, just jump over it.

    In release they also added more integrity checks; one of them tests against a memory region that is a clean D2R.exe image (just look for a region that has the same size as the base). There is more, but I'm not going to disclose that here; just letting you know things are a little more complicated now.
