Wednesday, December 30, 2009

Overview of GameFart (aka bypass)

Aight, here's a short synopsis of what's going on inside GameFort. It's somewhat like Vanguard.

These findings are based on the Angel-Ro build of GameFort, so I'm not sure they apply to other GameFort-protected servers.

File Descriptions
GameFort.dll: Core protector, injected into the client (packed with ASPack v2.12)
Shield.dll: Encrypted file containing the RIPEMD-160 hashes of the client and GameFort.dll

Encryption Definition
Basically it's using Rijndael with a 32-byte key and a 16-byte block size (i.e. AES-256). There are two different keys: one decrypts Shield.dll, the other encrypts the packet.

Key Extraction
The keys are a bit troublesome to extract. I might write an extractor program if I don't feel lazy later on.

Packet encryption
This is a bit tricky. It doesn't encrypt all packets; it only encrypts one packet, sent while connecting to the map server (yeah, the one handled by the WantToConnection function in eAthena). My version of GameFort did it like this:

9B 00 36 00 13 FB 20 00 00 6D 21 05 00 62 34 65 00 85 D6 BC 6B 6D C2 93 01 00

Skip the first two bytes and encrypt only one block, i.e. 16 bytes; the remaining bytes are left as they are. The result should look like this:

9B 00 C7 A3 E3 70 06 06 1D 39 C9 4E 95 94 CD 32 B8 D9 D6 BC 6B 6D C2 93 01 00

and that's it. You are ready to play.
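A quick check of the claim above against the post's own two dumps: which byte range actually changed, whether it is exactly one 16-byte block, and how many trailing bytes pass through untouched. This is an added analysis snippet, not code from the original post or from GameFort.

```python
from typing import Dict, Tuple

BLOCK_SIZE = 16  # Rijndael/AES block size stated in the post


def parse_hex(dump: str) -> bytes:
    """Turn a space-separated hex dump like the ones in the post into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


# Both dumps are copied from the post: the plain WantToConnection packet and
# the same packet after GameFort has processed it.
PLAIN = parse_hex(
    "9B 00 36 00 13 FB 20 00 00 6D 21 05 00 62 34 65 00 85 D6 BC 6B 6D C2 93 01 00")
WRAPPED = parse_hex(
    "9B 00 C7 A3 E3 70 06 06 1D 39 C9 4E 95 94 CD 32 B8 D9 D6 BC 6B 6D C2 93 01 00")


def changed_span(before: bytes, after: bytes) -> Tuple[int, int]:
    """Return (offset, length) of the region that differs between two
    equal-length packets, or (0, 0) when they are identical."""
    if len(before) != len(after):
        raise ValueError("packets differ in length; the transform is not in-place")
    diff = [i for i, (a, b) in enumerate(zip(before, after)) if a != b]
    if not diff:
        return (0, 0)
    return (diff[0], diff[-1] - diff[0] + 1)


def describe_transform(before: bytes, after: bytes) -> Dict[str, object]:
    """Summarise the transform in the terms the post uses: how many leading
    bytes were skipped, how many were encrypted, whether that is a whole
    number of blocks, and how many trailing bytes were left alone."""
    offset, length = changed_span(before, after)
    return {
        "skipped_prefix": offset,
        "encrypted_bytes": length,
        "whole_blocks": length > 0 and length % BLOCK_SIZE == 0,
        "untouched_tail": len(before) - offset - length,
    }


if __name__ == "__main__":
    print(describe_transform(PLAIN, WRAPPED))
```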

Angel-Ro Keys

Shield.dll key

0xF0, 0x04, 0xC4, 0x5D, 0xFD, 0x97, 0x40, 0xD0, 0x69, 0x02, 0x8A, 0x33, 0xC3, 0x25, 0xAD, 0x3F, 0xC7, 0x50, 0xE0, 0x79, 0x0A, 0x92, 0x1B, 0xA3, 0x34, 0xBC, 0x45, 0xCD, 0x56, 0xFE, 0x87, 0x10

packet key

0xA0, 0x49, 0xD9, 0x6A, 0xF2, 0x8B, 0x14, 0x94, 0x1D, 0xA5, 0x2E, 0xBE, 0x4F, 0x71, 0x02, 0x8A, 0x13, 0x9B, 0x24, 0xAC, 0x35, 0xB5, 0x46, 0xCE, 0x57, 0xDF, 0x60, 0xE8, 0x71, 0xB2, 0x43, 0xD3

Thursday, December 17, 2009

Vanguard Bypass

Aight, I wasn't really going to release this, but some noobs pissed me off and here are the results: the basic bypass for Vanguard, with source code. It's especially prepared for IntenseRO and hell yeah, I guarantee for life that this thing will work (since they're extreme noobs).

Usage: If you're playing on Intense, just run cstarter.exe (don't worry, it's only a DLL injector) and don't forget to rename the stupid directx10.bin to Intensero.exe, or patch your own diffed exe like I did (dual clienting, curse filter etc.). If you're playing on another server protected with Vanguard, change the settings in cstarter.ini and recompile antisex.dll, since the login, char and map ports may vary.

For those who can't diff their own exe:

(chat filter, dual client and hallucination fix)

Tuesday, December 15, 2009

Plot summary for antisex

Uh, I'm calling it antisex but originally it's called Vanguard (elecom noob hackshield). Anyways, here's what's going on inside it:

sending packet routine

2 bytes: total packet length
2 bytes: original packet length
2 bytes: 0xFACE, a fixed constant (wtf is face -.-)
rest of the bytes: encrypted packet

encrypted packet routine

It's using Rijndael (AES) encryption with a 16-byte block size. The plaintext that gets encrypted is:

4 bytes: total sent packet count (so basically it increases on each packet send)
rest of the bytes: original packet


When first logging in to the map server it sends a 10-byte packet:

first two bytes: 0xDEAD (ur dead noob asshole -.-!!), a fixed constant
rest of the bytes: hard drive serial number (it can be random)

Note: You have to find out the key yourself; idc how you do it.
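The envelope layout above, as an added dissector-style parser that is not part of the original post or of Vanguard: it validates the two length fields, the 0xFACE marker and the block alignment of the ciphertext, and computes what wire size a given original packet should produce. Little-endian field order and padding of at most one block are assumptions (the post states neither); the sample envelope is constructed and carries a 10-byte original packet like the first map-server packet described above.

```python
import struct
from dataclasses import dataclass

BLOCK_SIZE = 16   # Rijndael/AES block size stated in the post
MARKER = 0xFACE   # fixed constant at offset 4 (from the post)
HEADER_LEN = 6    # total len (2) + original len (2) + marker (2)
COUNTER_LEN = 4   # per-send packet counter prepended before encryption


@dataclass
class VanguardEnvelope:
    total_len: int
    original_len: int
    ciphertext: bytes


def parse_envelope(packet: bytes) -> VanguardEnvelope:
    """Split one wrapped packet into its header fields and ciphertext,
    rejecting anything inconsistent with the layout in the post.
    Byte order is assumed little-endian, matching the RO packet id
    '9B 00' in the GameFort dump (assumption, not stated in the post)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 6-byte envelope header")
    total_len, original_len, marker = struct.unpack_from("<HHH", packet, 0)
    if marker != MARKER:
        raise ValueError(f"bad marker 0x{marker:04X}, expected 0x{MARKER:04X}")
    if total_len != len(packet):
        raise ValueError(f"total len field {total_len} != {len(packet)} bytes on the wire")
    ciphertext = packet[HEADER_LEN:]
    if len(ciphertext) % BLOCK_SIZE:
        raise ValueError(f"{len(ciphertext)} ciphertext bytes is not a whole number of blocks")
    # Plaintext is counter (4) + original packet, padded to a block boundary.
    # Padding of 0..16 bytes is assumed; the post does not describe the scheme.
    padding = len(ciphertext) - (COUNTER_LEN + original_len)
    if not 0 <= padding <= BLOCK_SIZE:
        raise ValueError(f"original len {original_len} does not fit {len(ciphertext)} ciphertext bytes")
    return VanguardEnvelope(total_len, original_len, ciphertext)


def expected_wire_len(original_len: int) -> int:
    """Smallest consistent wire size for an original packet of this length
    (plaintext padded up to the next block boundary)."""
    blocks = -(-(COUNTER_LEN + original_len) // BLOCK_SIZE)  # ceiling division
    return HEADER_LEN + blocks * BLOCK_SIZE


# Constructed sample: a 10-byte original packet -> 14 bytes of plaintext ->
# one 16-byte block -> 22 bytes on the wire. The ciphertext bytes are dummies.
SAMPLE = struct.pack("<HHH", 22, 10, MARKER) + bytes(range(0x10, 0x20))

if __name__ == "__main__":
    print(parse_envelope(SAMPLE))
```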

Saturday, November 21, 2009

Ragnarok Online monster size modifier

This might sound like a useless program but w/e, a friend asked for it since he was having difficulties selecting some small MVPs in huge mobs =P. So it's for personal use, but I thought some other ppl might like it as well x.x

In short, it just modifies the mobs' sprite size in the client by using server packets =P. So it's not a hack or anything.

Its usage is simple: set up ctool.ini (it's pretty easy since there are a bunch of examples in the file), then just inject the DLL file into the client (any DLL injector is fine) and there you go. Also, you don't need to restart the client when you add new mobs to ctool.ini.

Note: There's a high possibility of this tool crashing, since the client's packet buffer is 2048 bytes and the tool injects new packets into it illegally, which might cause an overflow -.-

Friday, October 30, 2009

Simple Executable Packer v0.01a

A simple Windows .exe/.dll packer (it compresses the code section, so your compiled binaries waste less space). Almost all of the code is written in pure C and is very minimal and understandable, which makes modifying it very easy (adding debugger traps, encryption etc.).

Monday, October 19, 2009

Client Patcher

I coded this program a long time ago, but I think it's still a good example of assembly language since it's coded in pure x86 asm.

Jenga Simulator

Poorly commented, but a good example of ray picking in OpenGL, ray-triangle intersection and a physics engine.

DS-OCR v0.52

This might be the dumbest program ever, but some people might like it, so I'm sharing it with source code. Simply put, it just analyses the letters on the DS emulator screen and puts them into a textbox so you can copy and paste them into a translator like this and understand a game before they release the Engrish version x.x ... Anyway, I'm just too lazy to explain the program; if you're interested just check it out, no worries, it's pretty easy to use anyway. It's coded in Visual Basic so you can play with the code easily, maybe .-. (Oh, btw, google how to extract NFTR from DS ROMs)

Sunday, October 18, 2009

ONE-Downloader v1.00

Ok, first blog post and it's about a useful program (at least for me =), anyway. This program downloads manga images from the most popular manga portal, which is It's pretty easy to use: after adding the manga sub-link (for example naruto) and a few settings, just start it and wait for the whole manga archive to download. It also checks for manga updates without downloading all the images. In the settings dialog there are three update options. I guess there's no need to explain the first option. <.< ... Update means the program checks the checksum of every manga image (which is a lot of work and not recommended); use this option if you think some images are missing. And fast update means the program only checks the main folders of the manga roots (use this option to check weekly updates). About the source code: it's coded in pure C but compiled as C++ (MinGW). If you're interested in the source code; um, I dunno, beg for it =D