Hello everyone. I've been trying to get my CRC bypass working fine, however I seem to always crash after the .text detour is applied. I've taken the old D2ROffline (from Ferib) and D2RModding (from Shalzuth) and updated them to the correct offsets for the shellcode to get the .text start and .text size, and only changed the part where I don't start the process suspended but grab the running D2R instance. Using these I still face the same crash. Those were just run as examples to see if it was my code that was wrong, however I got the same results from them.
My program is just a basic C++ one where I pass the PID on the command line to conduct the bypass. I'm doing everything the same as those articles (except re-applying the section with SEC_NO_ACCESS after). If I don't apply any patches, I can keep the client running (so it looks like it's the shellcode being put in that is the problem). I'm using Capstone & Keystone for generating my shellcode from assembly. Here's an example of the output from a run (without modifying the application):
Code:
Attempting to bypass 11608
base 00007FF798B40000...00007FF79A7FFFFF (30146560 bytes)
.text 00007FF798B41000...00007FF79A4F1C00 (26938368 bytes)
Wrote the copy region to 0000019080000000
Found CRC check at 00007FF798CC6BD0
Detour at 00007FF798CC6BD0:
push rbx
movabs rbx, 0000020BA39B0000
call rbx
pop rbx
CRC bypass at 0000020BA39B0000:
push rcx
movabs rcx, 00007FF798B41000
cmp rdx, rcx
jl cleanup
movabs rcx, 00007FF79A4F1C00
cmp rdx, rcx
jg cleanup
swap_crc:
movabs rcx, 00007FF798B40000
sub rdx, rcx
movabs rcx, 0000019080000000
add rdx, rcx
cleanup:
pop rcx
normal_crc:
crc32 rdi, qword ptr [rdx + rax*8]
inc rax
cmp rax, rcx
jb normal_crc
ret
Expanding detour 1 byte with a NOP
With the above, I see what I'd expect to be injected, and the process keeps running (.text not modified); however, the remap has been done, and that doesn't seem to trigger anything, along with the Suspend & Resume process.
When I allow it to write and keep the process suspended, I have checked the code injected and it does exactly what is expected. The scan is finding 5 areas in the game .text to patch. I've reviewed the crash dump files and see the minidump containing the error: The thread tried to read from or write to a virtual address for which it does not have the appropriate access.
Also, I noticed that the last call is RtlCaptureContext in the associated crash.txt file, however I'm unsure how to do anything about that. If there are any tips, they would be greatly appreciated. I can show the code that I'm doing in a gist if you would like.