Friday, March 12, 2010
Monday, January 4, 2010
Overview of GameFart Part II
Aight, let's start with the ini:
[GameFort]
Open=RoxinityRO.bin
Exe=4464D6275A611BF5BF822EDBE66A8DF6
DLL=2A3F6E32BEEFD0C026D52E98D00641CC
Server=4B554C42304868774767514E306E726C7243383D
[Data]
0=92DECAED277BAA1F7F27956007A37A77DADBFAE0E9334B441F7AC30D030FF699
1=73726B522F305141562F57414B7A6372356761486230474231686B69756558487A6D7A63696E6B47716F633D
2=7865704D737A5233
3=784F315073544234
4=7A2B6C4C76444A34
NOTE: All those values are hex-encoded bytes, which means they aren't regular string values (for example 7865704D737A5233 means 0x78, 0x65, 0x70, 0x4D, 0x73, 0x7A, 0x52, 0x33).
When we decrypt the Data0 value with our universal key (hard-coded, and it probably won't change between servers)
unsigned char key[32] = {0x05, 0xDD, 0x9E, 0x47, 0xE7, 0xA0, 0x41, 0xF1, 0x9A, 0x4B, 0xEB, 0xA4, 0x4D, 0xD7, 0x88, 0x39,
                         0xD9, 0x82, 0x23, 0xCB, 0x6C, 0x15, 0xBD, 0x5E, 0xFE, 0xA7, 0x48, 0xE8, 0x91, 0x23, 0xC3, 0x74};
using the Rijndael algorithm, it gives us the second Rijndael key, which is used for the map packet encryption (check the first part for that).
So we know how to encrypt the map packet, but the login packet is the problem.
First I'll start with the second hard-coded value:
hsjshd783738ysucy87gb7vggxgfghf345\QW7E9BCIUYW8W786Jghjgu
This is our second key, but it isn't the raw key: to obtain the real key we need its SHA-1 hash. But what it's used for, that's the problem. Anyway, we're going to use it in another encryption algorithm, RC4. So basically, to decrypt the Data2, Data3 and Data4 values (which are very important) we need RC4, but before decrypting we need a custom filter. Check the code below for that custom filter and the RC4 algorithm.
https://sourceforge.net/projects/clientpatcher/files/Miscellaneous/GameFort/LOGIN_CRYPT.cpp/download
Wednesday, December 30, 2009
Overview of GameFart (aka bypass)
Note
These judgements are based on the Angel-Ro GameFort, so I'm not sure they'll work on other GameFort-protected servers.
File Descriptions
GameFort.dll: Core protector, injected into the client (packed with ASPack v2.12).
Shield.dll: Encrypted file containing the RIPEMD-160 hashes of the client and GameFort.dll.
Encryption Definition
Basically it's using Rijndael with a 32-byte key and a 16-byte block size (i.e. AES-256). There are two different keys: one decrypts Shield.dll, the other encrypts the packet.
Key Extraction
Keys are a bit troublesome to extract. I might write an extractor program if I don't feel lazy later on.
Packet encryption
This is a bit tricky. It doesn't encrypt all packets, just the one sent while connecting to the map server (yeah, the one eAthena calls WantToConnection). My version of GameFort was doing it like this:
9B 00 36 00 13 FB 20 00 00 6D 21 05 00 62 34 65 00 85 D6 BC 6B 6D C2 93 01 00
Skip the first two bytes and encrypt only one block, i.e. 16 bytes. It should be something like:
9B 00 C7 A3 E3 70 06 06 1D 39 C9 4E 95 94 CD 32 B8 D9 D6 BC 6B 6D C2 93 01 00
and that's it. You are ready to play.
Angel-Ro Keys
Shield.dll key
0xF0, 0x04, 0xC4, 0x5D, 0xFD, 0x97, 0x40, 0xD0, 0x69, 0x02, 0x8A, 0x33, 0xC3, 0x25, 0xAD, 0x3F, 0xC7, 0x50, 0xE0, 0x79, 0x0A, 0x92, 0x1B, 0xA3, 0x34, 0xBC, 0x45, 0xCD, 0x56, 0xFE, 0x87, 0x10
packet key
Thursday, December 17, 2009
Vanguard Bypass
Aight, I wasn't really going to release this, but some noobs pissed me off, so here are the results: the basic bypass for Vanguard, with source code. It's especially prepared for IntenseRO and, hell yeah, I lifetime guarantee this thing will work (since they're extreme noobs).
Usage: if you're playing on Intense, just run cstarter.exe (don't worry, it's only a DLL injector; don't forget to rename the stupid directx10.bin to Intensero.exe, or patch your own diffed exe like I did: dual clienting, curse filter, etc.). If you're playing on another server protected with Vanguard, change the settings in cstarter.ini and recompile antisex.dll, since the login, char and map ports may vary.
For those who can't diff their own exe:
http://www.filefront.com/15153147/IntenseRO.rar
(chat filter, dual client and hallucination fix)
Tuesday, December 15, 2009
Plot summary for antisex
Uh, I'm calling it antisex, but originally it's called Vanguard (Elecom's noob hackshield). Anyway, here's what's going on inside it:
sending packet routine
2 bytes: total packet len
2 bytes: original packet len
2 bytes: 0xFACE, fixed constant (wtf is face -.-)
rest of bytes: encrypted packet
encrypted packet routine
it's using Rijndael (AES) encryption (16-byte block size)
4 bytes: total sent packet count (so basically it increases on each packet sent)
rest of bytes: original packet
exceptions:
when first logging in to the map server it sends 10 bytes
first two bytes: 0xDEAD, fixed constant (ur dead noob asshole -.-!!)
rest of the bytes: hard drive serial number (it can be random)
Note: you have to find out the key yourself, idc how you do it.
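An added example, not code from the post or from Vanguard: a server-side validator for the framing described above, which rejects frames whose header fields disagree with the bytes actually received and flags a packet counter that does not move forward (a replayed or reordered frame). It assumes little-endian fields, that the 0xDEAD hello is sent as a bare 10-byte message, and that the plaintext is padded up to a block boundary; decryption itself is left out, since the key is not on the page, so the counter check takes already-decrypted bytes.

```python
import struct

MAGIC = 0xFACE      # fixed constant in every wrapped frame
HELLO = 0xDEAD      # first message sent to the map server
HDR = 6             # u16 total_len + u16 orig_len + u16 magic
BLOCK = 16          # Rijndael/AES block size used by the wrapper
COUNTER = 4         # u32 sent-packet count that prefixes the plaintext

# constructed sample: a 7-byte original packet wrapped into one 16-byte block
SAMPLE = struct.pack("<HHH", HDR + BLOCK, 7, MAGIC) + bytes(BLOCK)

def parse_frame(buf: bytes) -> dict:
    """Validate one frame's header; raise ValueError on any inconsistency."""
    if len(buf) == 10 and struct.unpack_from("<H", buf)[0] == HELLO:
        return {"hello": True, "serial": buf[2:]}   # 8-byte drive serial
    if len(buf) < HDR:
        raise ValueError("frame shorter than header")
    total_len, orig_len, magic = struct.unpack_from("<HHH", buf, 0)
    if magic != MAGIC:
        raise ValueError(f"bad magic 0x{magic:04X}")
    if total_len != len(buf):
        raise ValueError(f"total_len {total_len} != {len(buf)} received")
    body = buf[HDR:]
    if not body or len(body) % BLOCK:
        raise ValueError(f"{len(body)} ciphertext bytes is not whole blocks")
    # plaintext is counter + original packet, padded to a block boundary (assumed)
    slack = len(body) - (COUNTER + orig_len)
    if not 0 <= slack <= BLOCK:
        raise ValueError(f"orig_len {orig_len} does not fit {len(body)} bytes")
    return {"hello": False, "orig_len": orig_len, "ciphertext": body}

def is_valid_frame(buf: bytes) -> bool:
    try:
        parse_frame(buf)
        return True
    except ValueError:
        return False

class CounterTracker:
    """Per-session check that the u32 counter only ever moves forward."""
    def __init__(self):
        self.last = None

    def accept(self, plaintext: bytes, orig_len: int) -> bytes:
        count = struct.unpack_from("<I", plaintext)[0]
        if self.last is not None and count <= self.last:
            raise ValueError(f"counter {count} not above {self.last}: replay?")
        self.last = count
        return plaintext[COUNTER:COUNTER + orig_len]
```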
Saturday, November 21, 2009
Ragnarok Online monster size modifier
This program might sound useless, but w/e, a friend asked for it since he was having difficulty selecting some small MVPs in huge mobs =P. So it's for personal use, but I thought some other ppl might like it as well x.x
In short, it just modifies the mobs' sprite size in the client by using server packets =P. So it's not a hack or something.
Its usage is simple: set up ctool.ini (it's pretty easy since there are a bunch of examples in the file), then just inject the DLL (any DLL injector is fine) into the client and there you go. You also don't need to restart the client when you add new mobs to ctool.ini.
https://sourceforge.net/projects/clientpatcher/files/ctool/
Note: there's a high chance this tool will crash the client, since the client's packet buffer is 2048 bytes and it's injecting new packets illegally, which might cause an overflow -.-
