Wednesday, December 30, 2009

Overview of GameFart (aka bypass)

Aight, here's a short synopsis of what's going on inside of GameFort. It's somewhat like Vanguard.

These judgements are based on Angel-Ro's GameFort, so I'm not sure they'll work on other GameFort-protected servers.

File Descriptions
GameFort.dll: core protector, injected into the client (packed with ASPack v2.12).
Shield.dll: encrypted file containing the RIPEMD-160 hash values of the client and of GameFort.dll.

Encryption Definition
Basically it's using Rijndael with a 32-byte key and a 16-byte block size (that is, AES-256). There are two different keys: one is for decrypting Shield.dll, the other is used for encrypting the packet.

Key Extraction
Keys are a bit troublesome to extract. I might write an extractor program if I don't feel lazy later on.

Packet encryption
This is a bit tricky. It doesn't encrypt all packets; it only encrypts one packet, sent while connecting to the map server. Yeah, that's the one handled by the WantToConnection function in eAthena. My version of GameFort was doing it like this:

9B 00 36 00 13 FB 20 00 00 6D 21 05 00 62 34 65 00 85 D6 BC 6B 6D C2 93 01 00

Skip the first two bytes and encrypt only one block, which means 16 bytes. The result should look something like this:

9B 00 C7 A3 E3 70 06 06 1D 39 C9 4E 95 94 CD 32 B8 D9 D6 BC 6B 6D C2 93 01 00

And that's it. You are ready to play.

Angel-Ro Keys

Shield.dll key

0xF0, 0x04, 0xC4, 0x5D, 0xFD, 0x97, 0x40, 0xD0, 0x69, 0x02, 0x8A, 0x33, 0xC3, 0x25, 0xAD, 0x3F, 0xC7, 0x50, 0xE0, 0x79, 0x0A, 0x92, 0x1B, 0xA3, 0x34, 0xBC, 0x45, 0xCD, 0x56, 0xFE, 0x87, 0x10

Packet key

0xA0, 0x49, 0xD9, 0x6A, 0xF2, 0x8B, 0x14, 0x94, 0x1D, 0xA5, 0x2E, 0xBE, 0x4F, 0x71, 0x02, 0x8A, 0x13, 0x9B, 0x24, 0xAC, 0x35, 0xB5, 0x46, 0xCE, 0x57, 0xDF, 0x60, 0xE8, 0x71, 0xB2, 0x43, 0xD3

Thursday, December 17, 2009

Vanguard Bypass

Aight, I wasn't really going to release this, but some noobs pissed me off, and here are the results: it's the basic bypass for Vanguard, with source code. It's especially prepared for IntenseRO and, hell yeah, I lifetime-guarantee this thing will work (since they're extreme noobs).

Usage: If you're playing on Intense, just run cstarter.exe (don't worry, it's only a DLL injector; and don't forget to rename the stupid directx10.bin to Intensero.exe, or patch your own diffed exe like me: dual clienting, curse filter, etc.). Otherwise, if you're playing on another server protected with Vanguard, change the settings in cstarter.ini and recompile antisex.dll, since the login, char and map ports may vary.

For those who can't diff their own exe:

(chat filter, dual client and hallucination fix)

Tuesday, December 15, 2009

Plot summary for antisex

Uh, I'm calling it antisex, but originally it's called Vanguard (Elecom's noob hackshield). Anyways, here's what's going on inside of it:

Sending packet routine

2 bytes: total packet length
2 bytes: original packet length
2 bytes: 0xFACE (wtf is face -.-), fixed constant
rest of bytes: encrypted packet

Encrypted packet routine

It's using Rijndael (AES) encryption with a 16-byte block size.

4 bytes: total sent packet count (so basically it increases on each packet send)
rest of bytes: original packet

When first logging in to the map server it sends 10 bytes:

first two bytes: 0xDEAD (ur dead, noob asshole -.-!!), fixed constant
rest of bytes: hard drive serial number (it can be random)

Note: You have to find out the key yourself; idc how you do it.
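The Vanguard framing described above, as an added parser that is not part of the original post: it classifies a captured frame as the 10-byte 0xDEAD hello, a 0xFACE-wrapped packet, or malformed, and cross-checks the header fields against each other without needing the key (useful for server-side validation or traffic analysis). Little-endian field order is my assumption (the post only gives the values), the padding scheme is not given so up to one padding block is tolerated, and the sample frames are constructed filler, not captured traffic.

```python
import struct

# Field layout from the post. Byte order is an assumption (little-endian,
# matching the client's other packet headers); the constant names are mine.
VANGUARD_MAGIC = 0xFACE   # fixed constant after the two length fields
HELLO_MAGIC = 0xDEAD      # first two bytes of the 10-byte map-server hello
HELLO_LEN = 10
HEADER = struct.Struct("<HHH")  # total len, original len, 0xFACE
AES_BLOCK = 16
COUNTER_LEN = 4           # sent-packet counter prefixed to the plaintext


def classify_frame(frame: bytes) -> dict:
    """Classify one captured frame without the key.

    Returns {"kind": "hello" | "wrapped" | "malformed", ...} with the parsed
    fields, or a 'reason' string for malformed frames.
    """
    if len(frame) == HELLO_LEN and frame[:2] == struct.pack("<H", HELLO_MAGIC):
        return {"kind": "hello", "hdd_serial": frame[2:].hex()}
    if len(frame) < HEADER.size:
        return {"kind": "malformed", "reason": "shorter than the 6-byte header"}
    total_len, orig_len, magic = HEADER.unpack_from(frame)
    if magic != VANGUARD_MAGIC:
        return {"kind": "malformed", "reason": "magic 0x%04X is not 0xFACE" % magic}
    if total_len != len(frame):
        return {"kind": "malformed",
                "reason": "total len %d != frame length %d" % (total_len, len(frame))}
    ciphertext = frame[HEADER.size:]
    if len(ciphertext) == 0 or len(ciphertext) % AES_BLOCK:
        return {"kind": "malformed", "reason": "ciphertext is not whole blocks"}
    # Plaintext is counter (4 bytes) + original packet, padded to the block size.
    # The post does not name the padding scheme, so allow up to one padding block.
    min_blocks = -(-(COUNTER_LEN + orig_len) // AES_BLOCK)
    blocks = len(ciphertext) // AES_BLOCK
    if blocks < min_blocks or blocks > min_blocks + 1:
        return {"kind": "malformed",
                "reason": "orig len %d does not fit %d block(s)" % (orig_len, blocks)}
    return {"kind": "wrapped", "orig_len": orig_len, "blocks": blocks}


# Constructed sample frames (not captured traffic); the ciphertext bytes are filler.
HELLO_FRAME = bytes.fromhex("ADDE") + bytes.fromhex("1122334455667788")
WRAPPED_FRAME = HEADER.pack(HEADER.size + AES_BLOCK, 7, VANGUARD_MAGIC) + bytes(range(16))
BAD_MAGIC_FRAME = HEADER.pack(HEADER.size + AES_BLOCK, 7, 0xBEEF) + bytes(range(16))
TRUNCATED_FRAME = WRAPPED_FRAME[:-3]

if __name__ == "__main__":
    for name in ("HELLO_FRAME", "WRAPPED_FRAME", "BAD_MAGIC_FRAME", "TRUNCATED_FRAME"):
        print(name, classify_frame(globals()[name]))
```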