Disabling The CRC Check On ModuleC:
In this tutorial I'm going to show you guys how to disable the CRC check done on moduleC via the VM. Note that you must be OK with patching moduleC, and you must be aware that doing this incorrectly may cause you to be banned. Now that you are aware of this, we can move on to the tutorial itself. I will just be giving the code here; how and where to apply it in your hook is something you must figure out. There is very much a correct place to do this if you want to avoid any detections at all.
Code:
// Opcode 0x55 (decimal 85) is the VM's CRC check, so index 85 is the table slot redirected below.
// Hard-coded address of the table indexed by opcode number.
// NOTE(review): presumably valid for a single build of the module only; confirm.
PDWORD dwJumpTable = (PDWORD)0x01704957;
// Save the original entry for opcode 85 before it is overwritten, so it can be put back.
DWORD dwBackup = dwJumpTable[85];
// Redirect opcode 85 to the replacement handler CrcCheckBlock defined further down.
// NOTE(review): this is an assignment statement, not a declaration, so it has to sit inside a function body.
dwJumpTable[85] = (DWORD)&CrcCheckBlock;
// Globals written by CrcCheckBlock: the size and the start offset it pops from the VM stack.
DWORD dwSize = 0;
DWORD dwOffset = 0;
// Checksum value stored and logged by the logging variant of CrcCheckBlock.
DWORD dwCrcConstant = 0;
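// This is what the CRC check would look like if it were a function.
// Reversed by me thanks to ltfxguy for the other one as it helped me.
//
// Despite the name this is not a polynomial CRC: it is the 32-bit wrapping sum
// of every word XORed with that word's byte offset from the start of the range.
//
//   dwStartOffset  address of the first 32-bit word to read
//   iSize          length of the range in bytes; only whole words (iSize / 4)
//                  are read, so a trailing 1-3 bytes never affect the result,
//                  and a size below 4 (including negative values) yields 0
//   returns        the sum, truncated to 32 bits
DWORD CrcFunction( DWORD dwStartOffset, int iSize )
{
    int iSizeInWords = (iSize / 4);
    DWORD dwCrc = 0;
    DWORD dwCount = 0;
    // Fixed: this was declared as `PDWORD *` (a pointer to a pointer), which
    // made `*dwCurrent` a pointer value and the XOR below ill-formed. The range
    // is only read, so a pointer to const DWORD is the right type.
    const DWORD *dwCurrent = (const DWORD *)dwStartOffset;

    while( iSizeInWords > 0 )
    {
        // dwCount is the byte offset of the current word within the range.
        dwCrc += (*dwCurrent ^ dwCount);
        dwCount += 4;
        dwCurrent++;
        iSizeInWords--;
    }
    return( dwCrc );
}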
// Stores one value on the VM's own stack and advances the stack index.
// Naked function: the compiler emits no prologue or epilogue, and nothing here
// loads ecx, so ecx must already hold the base pointer on entry
// (presumably the VM's state object; confirm against the caller).
// As used below, [ecx+0x60] is a pointer to the stack index and [ecx+0x64] is
// the base of the array of 4-byte slots.
__declspec( naked ) void PushStackAddress( DWORD dwAddress )
{
// eax = pointer to the stack index.
_asm { mov eax, [ecx+0x60] };
// edx = base of the slot array.
_asm { mov edx, [ecx+0x64] };
// Preserve esi; it is used as a scratch register below.
_asm { push esi };
// esi = the value to store.
// NOTE(review): esi has already been pushed, so in a plain cdecl frame [esp+0x04]
// is the return-address slot and dwAddress would sit at [esp+0x08]; confirm the offset.
_asm { mov esi, [esp+0x04] };
// eax = current stack index.
_asm { mov eax, [eax] };
// slots[index] = esi.
_asm { mov [edx+eax*0x04], esi };
// ecx = pointer to the stack index (the base pointer in ecx is overwritten here).
_asm { mov ecx, [ecx+0x60] };
_asm { pop esi };
// index++.
_asm { inc dword ptr [ecx] };
// Plain ret: the argument is left on the native stack for the caller to clean up.
_asm { ret };
}
// Removes the top value from the VM's own stack and returns it in eax.
// Naked function: no frame is set up, so ebp still belongs to the caller and
// [ebp+0x08] is read from the caller's frame. Only meaningful when called from
// code whose [ebp+0x08] holds the base pointer used below (presumably the VM's
// state object; confirm).
__declspec( naked ) DWORD PopStackAddress( void )
{
// ecx = base pointer taken from the caller's frame. Both callers in this
// listing load the same value into ecx before calling, so this repeats that load.
_asm { mov ecx, [ebp+0x08] };
// eax = pointer to the stack index.
_asm { mov eax, [ecx+0x60] };
// index--.
_asm { dec dword ptr [eax] };
// Reload the pointer to the stack index.
_asm { mov eax, [ecx+0x60] };
// ecx = base of the array of 4-byte slots.
_asm { mov ecx, [ecx+0x64] };
// eax = the decremented index.
_asm { mov eax, [eax] };
// eax = slots[index], which is the return value.
_asm { mov eax, [ecx+eax*0x04] };
_asm { ret };
}
// Use this before you have logged the correct constant.
// Logging variant of the replacement handler for opcode 85. It pops the two
// operands of the check from the VM stack (size first, then start offset),
// runs CrcFunction over that range, records the result in dwCrcConstant and
// the log, writes it to [ebp-0x9C] and jumps back to 0x01702D0A.
// Naked function: it runs on the frame of the code that dispatched to it, so
// every ebp-relative access refers to that frame.
// NOTE(review): dwResult is an initialized local inside a naked function, where
// no prologue reserves stack space for it, and `mov [ebp-0x9C], dwResult` has
// two memory operands; neither looks valid as written. Confirm with the compiler.
__declspec( naked ) void CrcCheckBlock( void )
{
// Pop the size from the VM's stack. ecx is saved and restored around the call
// because it is loaded with [ebp+0x08] for PopStackAddress.
_asm { push ecx };
_asm { mov ecx, [ebp+0x08] };
dwSize = PopStackAddress( );
_asm { pop ecx };
add_log( "Size 0x%X", dwSize );
// Pop the start offset off the stack, with the same save/restore of ecx.
_asm { push ecx };
_asm { mov ecx, [ebp+0x08] };
dwOffset = PopStackAddress( );
_asm { pop ecx };
add_log( "StartOffset 0x%X", dwOffset );
// Put the original opcode-85 entry back while the checksum is computed,
// presumably so the table reads as unmodified if it lies inside the checked range; confirm.
dwJumpTable[85] = dwBackup;
DWORD dwResult = CrcFunction( dwOffset, (int)dwSize );
// Re-install this handler for the next time opcode 85 is executed.
dwJumpTable[85] = (DWORD)&CrcCheckBlock;
dwCrcConstant = dwResult;
add_log( "CrcConstant 0x%X", dwCrcConstant );
// Write the result into the dispatching frame at [ebp-0x9C]
// (presumably where the original handler leaves its result; confirm).
_asm { mov [ebp-0x9C], dwResult };
// Continue at a hard-coded address (presumably the point the original handler returns to; confirm).
_asm { jmp short 0x01702D0A };
}
// After logging the constant use this.
// Replay variant of the replacement handler for opcode 85. It still pops and
// logs both operands (size first, then start offset) so the VM stack stays
// balanced, but it does not call CrcFunction; a fixed value is written to
// [ebp-0x9C] instead.
// NOTE(review): this has the same name as the logging variant, so the two
// definitions are alternatives and cannot both be compiled into one translation unit.
// NOTE(review): this variant never reads the checked memory, so the value it
// reports is independent of that memory's contents. That can only satisfy a
// check whose expected result is the same on every run.
__declspec( naked ) void CrcCheckBlock( void )
{
// Pop the size from the VM's stack. ecx is saved and restored around the call
// because it is loaded with [ebp+8] for PopStackAddress.
_asm { push ecx };
_asm { mov ecx, [ebp+8] };
dwSize = PopStackAddress( );
_asm { pop ecx };
add_log( "Size 0x%X", dwSize );
// Pop the start offset off the stack, with the same save/restore of ecx.
_asm { push ecx };
_asm { mov ecx, [ebp+8] };
dwOffset = PopStackAddress( );
_asm { pop ecx };
add_log( "StartOffset 0x%X", dwOffset );
// 0xConstanthere is the author's placeholder, not a valid literal; it stands
// for the value the logging variant recorded in dwCrcConstant.
_asm { mov [ebp-0x9C], 0xConstanthere };
// Continue at a hard-coded address (presumably the point the original handler returns to; confirm).
_asm { jmp short 0x01702D0A };
}
Make note that you must always pop the arguments used in this opcode, or you could mess up the VM.