Rezlind Posted August 16, 2021

I googled around a bit on the other forum and found some old method involving a hex edit for what looked like Conquer 1.0. Sadly this does not work for current Conquer 2.0. Curious if anyone has pointers on what I should look for to allow more than 2 clients open at once. Thanks!
Relic Posted August 19, 2021 (edited)

I'll give a quick breakdown on how I went about patching this. Assembly basics, debugging assembly and DLL injecting/hooking are beyond the scope of this tutorial. You'll need to learn/practice this on your own if you want to understand what's truly happening.

So when you open > 2 clients, a browser window pops up and takes you to "http://co.91.com/signout/". We can use this URL string to see where it's being accessed in the client.

For this tutorial I'm assuming you'll be using x64dbg as the debugger. You should also have 2 version 5187 clients open.

1. Open up Conquer.exe in a debugger
2. Go to "Symbols" tab => double click "Conquer.exe" module
3. Right click => Search For => Current Module => String references
4. Enter the URL "http://co.91.com/signout/"
5. Double click on the first result
6. Set a breakpoint (F2)

In order to launch Conquer within x64dbg you'll need to set the "blacknull" process argument:

1. Open File => Change Command Line => Add "blacknull" to end of line (will look like "../path/to/conquer/conquer.exe" blacknull)
2. Close the session (square icon)
3. Restart the session (refresh icon)

When you restart, the breakpoint we set earlier should be hit. From here you:

1. Click on the "Call Stack" tab
2. Double click on the second entry

You should see some code similar to this:

Notice the "jmp ecx" instruction at address "0x004ED6F4". We want to patch this so it jumps to address "0x004ED70C", which essentially skips the multi-client check logic:

1. Click space => change "jmp ecx" to "jmp 0x004ED70C"

Now you can either directly patch the Conquer.exe with this instruction change (not recommended) or you can write your own DLL to inject.

To patch directly:

1. Right click => Patches => Patch File => Save As Conquer.exe
2. Save your old Conquer.exe, replace with this new one

To patch via C++ DLL it would look something like this, which you'd compile and inject into the Conquer.exe:

```cpp
#include <windows.h>
#include <cstring>

// Makes the target bytes writable, copies the new bytes in, then restores the old protection
void Patch(char* dst, const char* src, int size)
{
    DWORD oldprotect;
    VirtualProtect(dst, size, PAGE_EXECUTE_READWRITE, &oldprotect);
    memcpy(dst, src, size);
    VirtualProtect(dst, size, oldprotect, &oldprotect);
}

// Convenience overload so the call site can pass the address as a number
void Patch(int address, const char* opcodes, int size)
{
    Patch((char*)address, opcodes, size);
}

DWORD WINAPI MyThread(LPVOID lpParameter)
{
    // Overwrites the memory at this address by two of our own bytes
    Patch(0x004ED6F4, "\xEB\x16", 2);
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Do the patching on a separate thread rather than inside DllMain itself
        CreateThread(NULL, 0, MyThread, NULL, 0, NULL);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

If you have any questions let me know.

Edited August 20, 2021 by Relic
Rezlind Posted August 20, 2021 (Author)

> (Relic's post above, quoted in full)

This was incredibly thorough, thank you. I explored a bit and followed your instructions. The only thing that differed for me was being unable to open the client with the x64 debugger. I was forced to use x32 because even attempting to initially open conquer.exe with the x64 advised me to switch to the 32 bit debugger.

A potentially naïve question here: when using the hook method of altering the memory, does the order in which you apply changes to memory with your hook potentially alter the memory addresses of other things you may be trying to edit? I.e. if I inject a dll that modifies the number of clients I can open, followed by the resolution, does manipulating the first affect the memory addresses that the second edit would have changed?
Relic Posted August 20, 2021

> This was incredibly thorough, thank you. I explored a bit and followed your instructions. The only thing that differed for me was being unable to open the client with the x64 debugger. I was forced to use x32 because even attempting to initially open conquer.exe with the x64 advised me to switch to the 32 bit debugger.

Yeah my bad, forgot to mention to use the x32 version.

> A potentially naïve question here: when using the hook method of altering the memory, does the order in which you apply changes to memory with your hook potentially alter the memory addresses of other things you may be trying to edit? I.e. if I inject a dll that modifies the number of clients I can open, followed by the resolution, does manipulating the first affect the memory addresses that the second edit would have changed?

No, the two shouldn't affect each other. In the above edit, all we're doing is changing (patching) the instruction bytes at the static address 0x004ED6F4 from "FF E1" (jmp ecx) to "EB 16" (jmp 0x004ED70C). For a custom resolution edit, you'd be patching a completely different address (or addresses).
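As an added example (not code from the thread), here is the jmp rel8 arithmetic that explains why "FF E1" at 0x004ED6F4 becomes "EB 16" for a jump to 0x004ED70C, together with the kind of byte-level integrity check an anti-tamper or forensic routine uses to notice that exact change. The surrounding region bytes are constructed for the example, not taken from Conquer.exe.

```python
import struct

def encode_short_jmp(instr_addr: int, target: int) -> bytes:
    """Encode 'jmp rel8' (opcode EB) placed at instr_addr. The displacement is
    relative to the address of the *next* instruction, i.e. instr_addr + 2.
    Raises ValueError if the target is out of the -128..127 byte range."""
    rel = target - (instr_addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"{target:#x} is not reachable with rel8 from {instr_addr:#x}")
    return b"\xEB" + struct.pack("<b", rel)

def decode_short_jmp(instr_addr: int, code: bytes) -> int:
    """Inverse of encode_short_jmp: absolute target of a jmp rel8 at instr_addr."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("not a jmp rel8")
    return instr_addr + 2 + struct.unpack("<b", code[1:2])[0]

def find_modified_bytes(base: int, expected: bytes, observed: bytes):
    """Compare what a code region should contain (e.g. read from the on-disk image)
    with what is actually mapped in the process. Returns one (address, expected,
    observed) tuple per differing byte; an empty list means the region is intact."""
    if len(expected) != len(observed):
        raise ValueError("regions differ in length")
    return [(base + i, e, o) for i, (e, o) in enumerate(zip(expected, observed)) if e != o]

# Constructed sample region: only the two-byte 'jmp ecx' (FF E1) comes from the
# thread; the NOP padding and the base address of the region are made up.
REGION_BASE = 0x004ED6F0
CLEAN_REGION = bytes.fromhex("90 90 90 90 FF E1 90 90")
JMP_ADDR = 0x004ED6F4

def patched_region() -> bytes:
    """Apply the two-byte change the thread describes to the constructed region.
    Both instructions are 2 bytes, so the replacement fits without touching neighbours."""
    off = JMP_ADDR - REGION_BASE
    new = encode_short_jmp(JMP_ADDR, 0x004ED70C)
    return CLEAN_REGION[:off] + new + CLEAN_REGION[off + len(new):]

if __name__ == "__main__":
    print(encode_short_jmp(JMP_ADDR, 0x004ED70C).hex())                 # eb16
    print(find_modified_bytes(REGION_BASE, CLEAN_REGION, patched_region()))
```

A real check would read `expected` from the executable's code section on disk (after applying relocations) and `observed` from the live process, so a patched `jmp` shows up as a two-byte diff at a known address.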