Friday, March 12, 2010

Monday, January 4, 2010

Overview of GameFart Part II

Hmm, this is going to be a bit long x.x...

Aight let's start with ini;
[GameFort]
Open=RoxinityRO.bin
Exe=4464D6275A611BF5BF822EDBE66A8DF6
DLL=2A3F6E32BEEFD0C026D52E98D00641CC
Server=4B554C42304868774767514E306E726C7243383D
[Data]
0=92DECAED277BAA1F7F27956007A37A77DADBFAE0E9334B441F7AC30D030FF699
1=73726B522F305141562F57414B7A6372356761486230474231686B69756558487A6D7A63696E6B47716F633D
2=7865704D737A5233
3=784F315073544234
4=7A2B6C4C76444A34


NOTE: All those values are byte hex value's which means they aren't regular string values. (for example 7865704D737A5233 means 0x78, 0x65, 0x70, 0x4D, 0x73, 0x7A, 0x52, 0x33)

When we decrypt Data0 value with our universal key (hard coded and probably won't change on different servers)
char key [] = {0x05, 0xDD, 0x9E, 0x47, 0xE7, 0xA0, 0x41, 0xF1, 0x9A, 0x4B, 0xEB, 0xA4, 0x4D, 0xD7, 0x88, 0x39,
0xD9, 0x82, 0x23, 0xCB, 0x6C, 0x15, 0xBD, 0x5E, 0xFE, 0xA7, 0x48, 0xE8, 0x91, 0x23, 0xC3, 0x74};


by using rijndael algorithm it's going to give us second rijndael key which is used for map packet encryption. (Check first part for it)

So we know how to encrypt map packet but login packet is the problem..

First I'll start with second hard coded value;
hsjshd783738ysucy87gb7vggxgfghf345\QW7E9BCIUYW8W786Jghjgu

This is our second key but this isn't raw key, in order to obtain real key we need its SHA-1 hash value but what's it used for that's the problem. Anyways, we're going to use it in another encryption algorithm called RC4. So basically in order to decrypt Data2, Data3 and Data4 values (which is very important) we need RC4 but before decrypting we need a custom filter. Check the code below for that custom filter and RC4 algorithm.

https://sourceforge.net/projects/clientpatcher/files/Miscellaneous/GameFort/RC4.cpp/download
  

Anyways when we decrypt Data2,3,4 values with this code we'll obtain three values which is going to be for this ini; 813638, 960477 and 224957. Yeah some numbers but written in string. Let's talk about login packet which is 6400. This version of gamefort's encrypting login packet with this routine; modify first two bytes to 2A00 then skip 29 bytes and encrypt 24 bytes (which is password field I assume..). And here's our special encryption algorithm:  

https://sourceforge.net/projects/clientpatcher/files/Miscellaneous/GameFort/LOGIN_CRYPT.cpp/download

Jeez as I thought that was long >_>''

Wednesday, December 30, 2009

Overview of GameFart (aka bypass)

Aight, here's a short synopsis of what's going on inside of gamefort. It's somewhat alike vanguard. 

Note
These judgements are based on Angel-Ro gamefort so I'm not sure they'll work on other gamefort protected servers.

File Descriptions
GameFort.dll: Core protector, injecting to client. (packed with ASPack v2.12)
Shield.dll: Encrypted file which contains RipeMD-160 hash values of client and gamefort.dll

Encryption Definition
Basically it's using rijndael with 32 bytes key length 16 bytes block size. There are two different keys; one is for decrypting shield.dll and other's used for encrypting packet.

Key Extraction
Keys are a bit troublesome to extract. I might write an extractor program if I don't feel lazy later on.

Packet encryption
This is a bit tricky. It's not encrypting all packets, it just encrypts one packet while connecting to map server. Yeah, it's called WantToConnection function on eathena. My version of gamefort was doing it like this;

9B 00 36 00 13 FB 20 00 00 6D 21 05 00 62 34 65 00 85 D6 BC 6B 6D C2 93 01 00

skip first two bytes and encrypt only one block which means 16 bytes. It should be something like;

9B 00 C7 A3 E3 70 06 06 1D 39 C9 4E 95 94 CD 32 B8 D9 D6 BC 6B 6D C2 93 01 00

and that's it. You are ready to play.

Angel-Ro Keys

Shield.dll key

0xF0, 0x04, 0xC4, 0x5D, 0xFD, 0x97, 0x40, 0xD0, 0x69, 0x02, 0x8A, 0x33, 0xC3, 0x25, 0xAD, 0x3F, 0xC7, 0x50, 0xE0, 0x79, 0x0A, 0x92, 0x1B, 0xA3, 0x34, 0xBC, 0x45, 0xCD, 0x56, 0xFE, 0x87, 0x10

packet key

0xA0, 0x49, 0xD9, 0x6A, 0xF2, 0x8B, 0x14, 0x94, 0x1D, 0xA5, 0x2E, 0xBE, 0x4F, 0x71, 0x02, 0x8A, 0x13, 0x9B, 0x24, 0xAC, 0x35, 0xB5, 0x46, 0xCE, 0x57, 0xDF, 0x60, 0xE8, 0x71, 0xB2, 0x43, 0xD3

Thursday, December 17, 2009

Vanguard Bypass

Aight, I wasn't really going to release this but some noobs pissed me off and here's the results, it's the basic bypass for vanguard with source codes. It's especially prepared for intensero and hell yeah, I lifetime guarantee this thing will work (since they're extremely noobs).

Usage: If you're playing on intense just run cstarter.exe (don't worry it's only dll injector and don't forget to rename stupid directx10.bin to Intensero.exe or patch your own diffed exe like me dual clienting curse filter etc.) or else if you're playing on another server protected with vanguard change settings in cstarter.ini and recompile antisex.dll since login, char and map port may vary.

https://sourceforge.net/projects/clientpatcher/files/Miscellaneous/Vanguard%20Bypass/antis.zip/download


For those who can't diff own exe:

http://www.filefront.com/15153147/IntenseRO.rar

(chat filter, dual client and hallucination fix)

Tuesday, December 15, 2009

Plot summary for antisex

Uh I'm calling it antisex but originally it's called vanguard (elecom noob hackshield) anyways here's what's going on inside of it:

sending packet routine

2 bytes: total packet len
2 bytes: original packet len
2 bytes: 0xFACE (wtf is face -.-) fixed constant
rest of bytes: encrypted packet

encrypted packet routine

it's using rijndael (aes) encryption (16 bytes block size) 

4 bytes: total sent packet count (so basically its increasing on each packet send)
rest of bytes: original packet

exceptions:

when logging first to map server it's sending 10 bytes

first two bytes: 0xDEAD (ur dead noob asshole -.-!!) fixed constant
rest of bytes: harddrive serial number (it can be random)

Note: You have to find out key idc how you do it.

Saturday, November 21, 2009

Ragnarok Online monster size modifier

This program might sound an useless program but w/e, a friend asked for it since he was having difficulties to select some small mvps in huge mobs =P so it's for personal use but i thought some other ppl might like it as well x.x

In short it just modifies mobs' sprite size in client by using server packets =P. So it's not a hack or something. 

It's usage is simple; set ctool.ini (its pretty easy since there are bunch of examples in file) and then just inject dll file (any dll injector is fine) into client and there you go, also you don't need to restart client when you add new mobs to ctool.ini.

https://sourceforge.net/projects/clientpatcher/files/ctool/

Note: There's high possibility for this tool to crash since client packet buffer size is 2048 bytes and it's injecting new packets illegally which might cause overflow -.-

Friday, October 30, 2009

Simple Executable Packer v0.01a

A simple windows .exe/.dll packer. (Compresses code section and your compiled binaries waste less space) Almost whole codes written in pure C and very minimal also understandable (which makes modifying very easy; like debugger traps, encryption etc.)





https://sourceforge.net/projects/sepacker/