[Royalgamer06]

WINDOWS 8 FIX V2


Try this fix first:

http://voksi.dyndns.info/royalgamer06/Borderlands2/Borderlands.2.Crackfix.Only.V2-DMN32.zip

Else:

http://www42.zippyshare.com/v/64847436/file.html

Have fun!

Regards,
Royalgamer06

[Royalgamer06]

Nighthawk441, on 27 October 2012 - 20:17, said:

Hey windows 8 adopters, you can find my beta fix here on the *********

http://the pirate bay dot se/ t0rr3nt /7765811/Borderlands_2_v1.1.3_Windows_8_Fix

darn filter just search for it.

skidrows hooking code in buddha.dll fails on windows 8 since the entry stubs are different.

My dll and patched steam_api.dll should fix it, but i need testers.

Nighthawk441, on 27 October 2012 - 20:52, said:

I stayed up all night programming it.

Direct download: http://www.sendspace.com/file/zdwqe0

"Btw. you are patching CreateFileW and CreateEventA?"

Don't ask me SKiDROW hooks them in buddha.dll. Must be how they work around some CEG crap.

Anyway on windows 8 the stubs for both of those functions are a little bit different assembly code than windows 7, so all i do is fill it with NOP instructions and move the jump code 6 bytes further.

Nighthawk441, on 27 October 2012 - 20:56, said:

Yes whether or not you believe me doesn't really make a difference.

YourEnemyPL, on 27 October 2012 - 21:01, said:

They hook many api's (RegQueryValueW, RegOpenKeyEx, .....)

Under winxp and win7 CreateFileW looks like this:

kernel32.CreateFileW - 8B FF                 - mov edi,edi
kernel32.CreateFileW+2- 55                    - push ebp
kernel32.CreateFileW+3- 8B EC                 - mov ebp,esp
kernel32.CreateFileW+5- 83 EC 58              - sub esp,58
kernel32.CreateFileW+8- 8B 45 18              - mov eax,[ebp+18]
kernel32.CreateFileW+B- 48                    - dec eax

How it looks under win8?

Nighthawk441, on 27 October 2012 - 21:07, said:

You're looking at not quite the right spot, but i'll try and explain better

On Windows 7 for example the CreateEventA stub is something like:

&KERNEL32.CreateEventA:

move edi,edi,
push ebp
move esp, ebp,
something else...
JMP KERNELBASE.CreateEventA

skidrow's buddha.dll hooks this function, so it cuts out the first couple instructions, writes them to a trampoline, and replaces it with a jmp to their CreateEvent function.. blah blah already know this probably.

On windows 8, its just a long jmp, no push's or movs before, and buddha.dll doesn't hook this code correctly.

So to fix this we copy the Windows 8 jmp code, fill it with NOPS so buddha.dll's trampoline will only execute NOPS, reducing the chance of failure, and write the jmp 6 bytes further where it used to be, so buddha.dll will jump to that.


I really can't explain it very well, in a nutshell, i tried to make the win 8 stubs look like the win 7 stubs,
so buddha.dll wouldn't cause an access violation in the faulty trampoline.

This post has been edited by Royalgamer06: 27 October 2012 - 21:09

[YourEnemyPL]

Under winxp CreateEventA looks like this

kernel32.CreateEventA - 8B FF                 - mov edi,edi
kernel32.CreateEventA+2- 55                    - push ebp
kernel32.CreateEventA+3- 8B EC                 - mov ebp,esp
kernel32.CreateEventA+5- 51                    - push ecx
kernel32.CreateEventA+6- 51                    - push ecx
kernel32.CreateEventA+7- 56                    - push esi
kernel32.CreateEventA+8- 33 F6                 - xor esi,esi
kernel32.CreateEventA+A- 39 75 14              - cmp [ebp+14],esi
kernel32.CreateEventA+D- 0F85 B61F0000         - jne kernel32.GetPrivateProfileIntW+11E
kernel32.CreateEventA+13- 56                    - push esi
kernel32.CreateEventA+14- FF 75 10              - push [ebp+10]
kernel32.CreateEventA+17- FF 75 0C              - push [ebp+0C]
kernel32.CreateEventA+1A- FF 75 08              - push [ebp+08]
kernel32.CreateEventA+1D- E8 729EFDFF           - call kernel32.CreateEventW
kernel32.CreateEventA+22- 5E                    - pop esi
kernel32.CreateEventA+23- C9                    - leave 
kernel32.CreateEventA+24- C2 1000               - ret 0010

Could you paste CreateEventA from win8?

[Nighthawk441]

YourEnemyPL, on 27 October 2012 - 21:20, said:

Under winxp CreateEventA looks like this

kernel32.CreateEventA - 8B FF                 - mov edi,edi
kernel32.CreateEventA+2- 55                    - push ebp
kernel32.CreateEventA+3- 8B EC                 - mov ebp,esp
kernel32.CreateEventA+5- 51                    - push ecx
kernel32.CreateEventA+6- 51                    - push ecx
kernel32.CreateEventA+7- 56                    - push esi
kernel32.CreateEventA+8- 33 F6                 - xor esi,esi
kernel32.CreateEventA+A- 39 75 14              - cmp [ebp+14],esi
kernel32.CreateEventA+D- 0F85 B61F0000         - jne kernel32.GetPrivateProfileIntW+11E
kernel32.CreateEventA+13- 56                    - push esi
kernel32.CreateEventA+14- FF 75 10              - push [ebp+10]
kernel32.CreateEventA+17- FF 75 0C              - push [ebp+0C]
kernel32.CreateEventA+1A- FF 75 08              - push [ebp+08]
kernel32.CreateEventA+1D- E8 729EFDFF           - call kernel32.CreateEventW
kernel32.CreateEventA+22- 5E                    - pop esi
kernel32.CreateEventA+23- C9                    - leave 
kernel32.CreateEventA+24- C2 1000               - ret 0010

Could you paste CreateEventA from win8?

When i boot my win7 machine i'll show you everything i did and why

[YourEnemyPL]

Nighthawk441, on 27 October 2012 - 21:21, said:

When i boot my win7 machine i'll show you everything i did and why

I know that skidrow patch CreateEventA like this:

kernel32.CreateEventA - E9 C209A983           - jmp buddha.Ordinal2
kernel32.CreateEventA+5- 51                    - push ecx
kernel32.CreateEventA+6- 51                    - push ecx
kernel32.CreateEventA+7- 56                    - push esi

This post has been edited by YourEnemyPL: 27 October 2012 - 21:26

[Lilith.]

Has anyone even tested it yet or is it just gonna be a discussion what to move in a .dll?

[Nighthawk441]

Here: http://pastie.org/pr...c8ngarrxn628eqa

CPU Disasm WINDOWS 7 STUB
Address   Hex dump          Command                                  Comments
76944E1D   $- FF25 84099476 JMP DWORD PTR DS:[<&API-MS-Win-Core-Sync
76944E23      90            NOP
76944E24      90            NOP
76944E25      90            NOP
76944E26      90            NOP
76944E27      90            NOP
76944E28      8BFF          MOV EDI,EDI                              ; HANDLE KERNEL32.CreateEventA(pSecurity,ManualReset,InitialState,Name)
76944E2A  /.  55            PUSH EBP
76944E2B  |.  8BEC          MOV EBP,ESP
76944E2D  |.  5D            POP EBP
76944E2E  \.- EB ED         JMP SHORT <JMP.&API-MS-Win-Core-Synch-L1 ; Jump to KERNELBASE.CreateEventA


CPU Disasm WINDOWS 8 
Address   Hex dump          Command                                  Comments
772578D2      CC            INT3
772578D3      CC            INT3
772578D4      CC            INT3
772578D5      CC            INT3
772578D6      CC            INT3
772578D7      CC            INT3
772578D8   .- FF25 300A2677 JMP DWORD PTR DS:[<&api-ms-win-core-sync ; HANDLE KERNEL32.CreateEventA(pSecurity,ManualReset,InitialState,Name)
772578DE      CC            INT3
772578DF      CC            INT3
772578E0  /.  CC            INT3
772578E1  |.  CC            INT3
772578E2  |.  CC            INT3
772578E3  |.  CC            INT3


As you can see , the two differ by quite a bit.

Here were my observations.

On Windows 7, 
MOV EDI,EDI 
PUSH EBP
MOVE EBP<ESP
POP EBP


were all cut out and replaced with
E9 C209A983           - jmp buddha.Ordinal2

However on windows 8, somethign went wrong

772578D8   .- FF25 300A2677 JMP DWORD PTR DS:

was replaced E9 C209A983           - jmp buddha.Ordinal2, 5 bytes with a byte left over from the original instruction.

When i examined the trampoline in buddha.dll via ollydbg it was trying to access an invalid memory location. 

I didn't really reverse their entire hooking code, that was too much work, the easiest solution would have been to just make the Stub look as much like win 7 as possible, 
since its the only apparent change thats breaking the game.

So what we do is move the JMP DWORD PTR DS code to offset 772578D8 + 5 and prefix it with all nops.
buddha.dll should overwrite only the NOP instructions, and jmp back to the instruction succeeding the nops, which is the jump to the KERNEL32.CreateEvent code entry.

[YourEnemyPL]

1) Download it
2) copy&paste&overwrite steam_api.dll to Win32
3) copy&paste&overwrite Winderlands8.dll to Win32
(didn't test it, don't have win8)

(sorry about that "renaming stuff", my mistake)

This post has been edited by YourEnemyPL: 27 October 2012 - 21:56

[Royalgamer06]

YourEnemyPL, on 27 October 2012 - 21:46, said:

1) Download it
2) rename steam_api_win8.dll to steam_api.dll
3) copy&paste&overwrite steam_api.dll to Win32
4) copy&paste&overwrite Winderlands8.dll to Win32

(didn't test it, don't have win8)

Rename? Why rename? There isn't even a dll called steam_api_win8.dll

[Lilith.]

Atleast the Win8 people will stop "crying" for a while that they can't play... Dat feel of freedom...

[YourEnemyPL]

@Nighthawk441
Maybe I'm wrong, but we could make like this:

Code:

Spoiler

// dllmain.cpp : Defines the entry point for the DLL application.
#include "windows.h"
#include "stdafx.h"

void fixAddress(BYTE *address)
{
    //winxp and win7, just in case
    if ((*(address+0) == 0x8B) && (*(address+1) == 0xFF) &&
	    (*(address+2) == 0x55) && (*(address+3) == 0x8B) &&
	    (*(address+4) == 0xEC)) return;

	if(*address == 0x90 || *address == 0xe9) return;

	DWORD dwback,dbshit;

	BYTE codebuffer[6];
	ZeroMemory(codebuffer,sizeof(codebuffer));

	VirtualProtect(address,0xD,PAGE_EXECUTE_READWRITE, &dwback);

	memcpy(codebuffer,address,6);
	memset(address,0x90,12);
	memcpy((address+5),codebuffer,6);

	DWORD dblol;
	VirtualProtect(address,0xD,dwback,&dbshit);

}

__declspec(dllexport) void skidrowsucksasshole()
{
	OutputDebugString("t(-_-t) you shitrow - <3 Everybody");
}

__declspec(dllexport) BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{

	fixAddress((BYTE*)&CreateFileW);
	fixAddress((BYTE*)&CreateEventA);
	LoadLibrary(_T("buddha_skid.dll"))

	return TRUE;
}

Then compile above as buddha.dll,
Win8 user will rename skidrow's "buddha.dll" to buddha_skid.dll, and paste our buddha.dll.

I think it would work like this:
- skidrow steam_api.dll will import our fake buddha.dll
- fake buddha.dll will patch some memory and then import buddha_skid.dll (skidrow's dll file)

That way we don't have to use "CFF Explorer" for future updates.
Only "good old fake buddha.dll" and "renaming".

This post has been edited by YourEnemyPL: 27 October 2012 - 22:39

[Nighthawk441]

YourEnemyPL, on 27 October 2012 - 22:38, said:

@Nighthawk441
Maybe I'm wrong, but we could make like this:

Code:

Spoiler

// dllmain.cpp : Defines the entry point for the DLL application.
#include "windows.h"
#include "stdafx.h"

void fixAddress(BYTE *address)
{
    //winxp and win7, just in case
    if ((*(address+0) == 0x8B) && (*(address+1) == 0xFF) &&
	    (*(address+2) == 0x55) && (*(address+3) == 0x8B) &&
	    (*(address+4) == 0xEC)) return;

	if(*address == 0x90 || *address == 0xe9) return;

	DWORD dwback,dbshit;

	BYTE codebuffer[6];
	ZeroMemory(codebuffer,sizeof(codebuffer));

	VirtualProtect(address,0xD,PAGE_EXECUTE_READWRITE, &dwback);

	memcpy(codebuffer,address,6);
	memset(address,0x90,12);
	memcpy((address+5),codebuffer,6);

	DWORD dblol;
	VirtualProtect(address,0xD,dwback,&dbshit);

}

__declspec(dllexport) void skidrowsucksasshole()
{
	OutputDebugString("t(-_-t) you shitrow - <3 Everybody");
}

__declspec(dllexport) BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{

	fixAddress((BYTE*)&CreateFileW);
	fixAddress((BYTE*)&CreateEventA);
	LoadLibrary(_T("buddha_skid.dll"))

	return TRUE;
}

Then compile above as buddha.dll,
Win8 user will rename skidrow's "buddha.dll" to buddha_skid.dll, and paste our buddha.dll.

I think it would work like this:
- skidrow steam_api.dll will import our fake buddha.dll
- fake buddha.dll will patch some memory and then import buddha_skid.dll (skidrow's dll file)

That way we don't have to use "CFF Explorer" for future updates.
Only "good old fake buddha.dll" and "renaming".

ya thats a good idea.

[Nighthawk441]

http://www.sendspace.com/file/xc7hed

shouldnt require mscvr110.dll

[paperboy666]

Nighthawk441, on 28 October 2012 - 03:10, said:

http://www.sendspace.com/file/xc7hed

shouldnt require mscvr110.dll

[Evil Scorpio]

-----

This post has been edited by Evil Scorpio: 28 October 2012 - 11:43

[kRuSnIk]

Works fine on Win8 pro Thanks for the fix

This post has been edited by kRuSnIk: 28 October 2012 - 11:35

[Evil Scorpio]

Forget my previous post, I'm just stupid. I've figured out the reason why it won't started - I've forgot to reinstall Steam. Now it works fine. Thanks for the fix, dude.

[Royalgamer06]

kRuSnIk, on 28 October 2012 - 11:35, said:

Works fine on Win8 pro Thanks for the fix

Evil Scorpio, on 28 October 2012 - 11:45, said:

Forget my previous post, I'm just stupid. I've figured out the reason why it won't started - I've forgot to reinstall Steam. Now it works fine. Thanks for the fix, dude.

Glad it's working for you Win8 dudes

[QueensBlade089]

Gives me the same error above unable to start correctly however with all dlc and updates i can play with compa win 98 but it lags as hell oh well hope this is fix soon note i got windows 8 32 bit pro

[Staph]

Nighthawk441, on 28 October 2012 - 03:10, said:

http://www.sendspace.com/file/xc7hed

shouldnt require mscvr110.dll

Only "Borderlands 2 has stopped working" for me. =(