-
Active Member
Eidolon decrypt
Code:
// main.cpp
#include "decrypt.hpp"

// Point the thunk at the "mov rax,[rcx]; ret" gadget inside wow.exe (offset for the build in this post).
PatchDecryptGadget(SDK::Memory::BaseAddress + 0x1A901D);
// Read one qword every 0x100 bytes of the module through the gadget so each region is decrypted on access.
for (uintptr_t address = SDK::Memory::BaseAddress; address < SDK::Memory::EndAddress; address += 0x100) {
    DecryptAddress(address);
}
Code:
// decrypt.hpp
#pragma once
#include <stdint.h>

extern "C" {
    // Thunk defined in decrypt.asm: tail-jumps to the gadget so the read is issued from wow.exe's own code.
    // The argument arrives in rcx (x64 default convention; __fastcall is accepted but redundant on x64).
    uint64_t __fastcall DecryptAddress(uint64_t encryptedPtr);
    // Absolute VA of the gadget, filled in at runtime.
    extern uint64_t FindGadget;
}

inline void PatchDecryptGadget(uintptr_t gadgetVA)
{
    FindGadget = gadgetVA;
}
Code:
; decrypt.asm (ml64)
PUBLIC DecryptAddress
PUBLIC FindGadget

.code
; rcx = address to read; the gadget's ret returns straight to the C++ caller
DecryptAddress PROC
    jmp qword ptr [FindGadget]
DecryptAddress ENDP

.data
ALIGN 8
FindGadget dq 0        ; set by PatchDecryptGadget

END
Enjoy.
Just dump with x64 now, or whatever you'd like.
Last edited by numerbo; 07-14-2025 at 03:54 PM.
-
Active Member
61965: it was for the official retail implementation that went up and was removed.
.text:00000000001A901D mov rax, [rcx]
.text:00000000001A9020 retn
-
Member
Originally Posted by
numerbo
I noticed that some expansions are applying the Eidolon protection.
Can I ask how to run this code 'internally'? By injecting a DLL?
My previous DLL injector (GitHub: guided-hacking/GuidedHacking-Injector) did not work.
I tried different injection methods with no luck.
In the Classic expansion, the GH-Injector with 'INJECTION_MODE::IM_LdrLoadDll + LAUNCH_METHOD::LM_NtCreateThreadEx' is working perfectly though.
-
Member
Tyvm, still working with the current release but with a different offset.
-
Active Member
Originally Posted by
Saze03
Tyvm, still working with the current release but with a different offset.
Mind sharing the offset for the current release?
tia
-
Member
Originally Posted by
ostapus
Mind sharing the offset for the current release?
tia
There is no point in posting an offset for a two-instruction pattern that will be relocated on every patch. You just need something like the two instructions numerbo posted. Just do a pattern scan.
The reason for all of this is to dereference a pointer inside wow.exe so Eidolon kicks in and decrypts it on the fly.
Last edited by w1dl4r; 08-28-2025 at 03:28 AM.
-
Member
62876: 0x4C4950
Pattern: 48 8B 01 C3
-
Member
How did you even figure this out? No references, nothing, to be honest. Works like a charm.
-
Member
It has been known for quite some time. Same as in Overwatch. If you look at the in-game memory you can see how parts of the code get decrypted when they are used and encrypted again when not.
-
Member
Hello guys, can someone point me to how to dump the binary? I used to use the namreeb dumper, but it is not working anymore. Do you have some tips on how to dump, or on how to create my own?
-
Active Member
Code:
0: 48 8b 01 mov rax,QWORD PTR [rcx]
3: c3 ret
That's pretty clever. Kudos to whoever figured that out.
Any volatile register could be used in place of rax, right? I have no idea how likely it is that this specific pattern can't be found. Probably very unlikely.
I guess there are several variations on this gadget, hey.
Code:
0: 80 39 00 cmp BYTE PTR [rcx],0x0
3: c3 ret
Last edited by thateuler; 2 Weeks Ago at 02:59 PM.
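Added example, not code from the thread or from any poster: it puts together the two things the posts above only describe, w1dl4r's "just do a pattern scan" and thateuler's question about register variants of the gadget. `encode_mov_reg_rcx_ret` builds the `mov <reg>,[rcx]; ret` encoding for any destination register (so you can see why rax gives 48 8B 01 C3 and r8 gives 4C 8B 01 C3), `find_pattern` is a wildcard byte-pattern scanner, and `find_read_gadget` tries the two shapes quoted in the thread before falling back to the other Win64 volatile registers. The Windows-only `touch_module_via_gadget` is the in-process driver: it scans the executable sections of a module for the gadget and then reads one qword every `stride` bytes of the image through it, exactly what numerbo's loop does, but with SEH so an unreadable page is skipped instead of crashing. All function names, the sample byte buffer and the assumption that you are running inside the target (from an injected DLL) and building with MSVC (for `__try`) are mine; nothing here is the protector's or the game's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Win64 volatile (caller-saved) GPRs: rax, rcx, rdx, r8, r9, r10, r11. Any of them is a safe
 * destination for the load, since the caller does not expect them to survive the call. */
static const int kVolatileRegs[] = { 0, 1, 2, 8, 9, 10, 11 };

/* Encode "mov <reg64>, qword ptr [rcx]; ret": REX.W 8B /r with ModRM mod=00, rm=001 (rcx).
 * reg 0 gives the thread's 48 8B 01 C3; reg 8 gives 4C 8B 01 C3. Returns bytes written (4) or 0. */
size_t encode_mov_reg_rcx_ret(int reg, uint8_t out[4])
{
    if (reg < 0 || reg > 15) return 0;
    out[0] = (uint8_t)(0x48 | ((reg & 8) ? 0x04 : 0x00)); /* REX.W, plus REX.R for r8..r15 */
    out[1] = 0x8B;                                         /* MOV r64, r/m64 */
    out[2] = (uint8_t)(((reg & 7) << 3) | 0x01);           /* ModRM: reg = destination, rm = rcx */
    out[3] = 0xC3;                                         /* ret */
    return 4;
}

typedef struct { uint8_t byte, wild; } PatByte;

/* Parse an IDA-style pattern such as "48 8B ?? C3" ('?' or '??' is a wildcard byte). */
static size_t parse_pattern(const char *pat, PatByte *out, size_t max)
{
    size_t n = 0;
    while (n < max) {
        while (*pat == ' ') pat++;
        if (*pat == '\0') break;
        if (*pat == '?') {
            out[n].wild = 1; out[n].byte = 0;
            while (*pat == '?') pat++;
        } else {
            char hex[3] = { pat[0], pat[1], '\0' }, *end;
            unsigned long v = strtoul(hex, &end, 16);
            if (end != hex + 2) return 0;                  /* malformed token */
            out[n].wild = 0; out[n].byte = (uint8_t)v;
            pat += 2;
        }
        n++;
    }
    return n;
}

/* Offset of the first match of pat in buf, or -1. */
long find_pattern(const uint8_t *buf, size_t len, const char *pat)
{
    PatByte p[64];
    size_t n = parse_pattern(pat, p, sizeof p / sizeof p[0]);
    if (n == 0 || n > len) return -1;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (p[j].wild || buf[i + j] == p[j].byte)) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Locate a "read through rcx, then ret" gadget: the two shapes from the thread first,
 * then the mov form with every other volatile destination register. */
long find_read_gadget(const uint8_t *buf, size_t len)
{
    long off = find_pattern(buf, len, "48 8B 01 C3");      /* mov rax,[rcx]; ret */
    if (off >= 0) return off;
    off = find_pattern(buf, len, "80 39 00 C3");           /* cmp byte ptr [rcx],0; ret */
    if (off >= 0) return off;
    for (size_t r = 0; r < sizeof kVolatileRegs / sizeof kVolatileRegs[0]; r++) {
        uint8_t g[4];
        encode_mov_reg_rcx_ret(kVolatileRegs[r], g);
        for (size_t i = 0; i + 4 <= len; i++)
            if (memcmp(buf + i, g, 4) == 0) return (long)i;
    }
    return -1;
}

/* Constructed sample .text (not real game bytes): padding, the cmp form at offset 2, the mov form at 6. */
long demo_sample_offset(void)
{
    static const uint8_t text[] = { 0xCC, 0x90, 0x80, 0x39, 0x00, 0xC3, 0x48, 0x8B, 0x01, 0xC3 };
    return find_read_gadget(text, sizeof text);            /* 6: the mov form is preferred */
}

#ifdef _WIN32
#include <windows.h>
typedef uint64_t (*ReadGadget)(uint64_t addr);

/* In-process (e.g. from an injected DLL, MSVC build): find the gadget in an executable section of
 * `mod`, then read one qword every `stride` bytes of the image through it. SEH skips unreadable
 * pages instead of killing the process. Returns the number of successful reads, 0 if no gadget. */
size_t touch_module_via_gadget(HMODULE mod, size_t stride)
{
    uint8_t *base = (uint8_t *)mod;
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)(base + ((IMAGE_DOS_HEADER *)base)->e_lfanew);
    IMAGE_SECTION_HEADER *sec = IMAGE_FIRST_SECTION(nt);
    ReadGadget gadget = NULL;
    for (WORD i = 0; i < nt->FileHeader.NumberOfSections && !gadget; i++, sec++) {
        if (!(sec->Characteristics & IMAGE_SCN_MEM_EXECUTE)) continue;
        long off = find_read_gadget(base + sec->VirtualAddress, sec->Misc.VirtualSize);
        if (off >= 0) gadget = (ReadGadget)(base + sec->VirtualAddress + off);
    }
    if (!gadget) return 0;
    size_t touched = 0;
    for (size_t a = 0; a < nt->OptionalHeader.SizeOfImage; a += stride) {
        __try { gadget((uint64_t)(uintptr_t)(base + a)); touched++; }
        __except (EXCEPTION_EXECUTE_HANDLER) { }           /* unmapped or guard page: skip it */
    }
    return touched;
}
#endif

int main(void)
{
    printf("gadget offset in sample: %ld\n", demo_sample_offset());
#ifdef _WIN32
    printf("reads through gadget: %zu\n", touch_module_via_gadget(GetModuleHandleW(NULL), 0x100));
#endif
    return 0;
}
```

Two caveats worth keeping in mind. The scanner reads the target's bytes with an ordinary load from your own code, so it can only find a gadget that the protector leaves in cleartext (the one the thread found evidently is); if the scan comes back empty on a new build, check that the executable section you are scanning is not itself encrypted before assuming the pattern has changed. And the stride is only a guess at the decryption granularity: 0x100 matches the first post, but if you find that every byte of a page is decrypted after one access, stepping by 0x1000 does the same job with sixteen times fewer calls.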