Posts posted by Boter+

  1. I don't really like these kinds of scripts; I don't see them as useful. But it is always good to have people coding scripts and sharing.

     Someday I will release one of my BIG scripts (when I get bored of L2); it's for WP. It has almost the same features as L2control (or maybe more xD), but ingame.

  2. Ok, I answer myself! xDDDD

     The default token for CT1.5 is 6B60CB5B82CE90B1CC2B6C556C6C6C6C, but it is NOT for the first packet. So, what is the token for that packet?

     Also, I have one packet that is unknown... the login packet from the client. But it is just after a GGAuth request and an answer, so I suppose the token is OK, it's just coded with RSA or something similar.

  3. Hello! It has been a long time since I used to visit these forums and help people :P Now I need some help to start over with the new L2 versions.

     I'm using CT1.5 with WP6.60, and I cannot get it to decode the LS packets. Just some sort of Blowfish-coded data :SSS

     Can someone give me some info about how WP works with Hellbound (CT1.5) tokens? I know that the new tokens are "variable": some part is static (33313D3D2D...) and some part is sent by the server in the first LS packet. But I don't know which part is the variable token or how to mix it with the static one.

     Any info is appreciated. Thanks.

  4. So, if I understood correctly, the loader hacks the core.dll calls and adds a new encryption, right?

     Does this new encryption replace Blowfish, or is it just an add-on? That could be a problem.

     It could be possible to follow the code and analyse it. Then it would only need a little bit of coding of an FS script. But anyway, I am not playing L2 atm, so I can't help.

  5. ATM there are no servers with token protection (or maybe there are, but I don't know xD). Anyway, here is a guide to extract the Interlude token directly from memory.

     1 - Download these files:

     --------------->http://rapidshare.com/files/104921796/NWindow.rar.html (NWindow GG cracked)

     --------------->http://rapidshare.com/files/104921709/CProcess.exe.html (CurProcess)

     2 - Copy NWindow.dll to your system, so you will disable GG.

     3 - Start the game (L2) from the loader of your server, or directly from l2.exe.

     4 - Start CProcess.exe and find L2.exe in the upper list, and after that select Engine.dll in the bottom list.

     5 - Right-click Engine.dll and click "Dump Memory", select a file name and, as file format, "Binary File". Then press "Dump Memory".

     6 - Open the resulting file with any hex editor (HexProbe, HexComparison, XVI32, etc.) and look for the address 0x7F8BC0; there will be the token.

     The default token for Interlude is: 33313D3D2D252640215E2B5D5B3B272E5D39342D

     PS: For more information, the PUSH instruction that reads the token is at address 0x165E80 in engine.dll.

  6. XorString contains the XOR values loop.

     'i-4' because the encryption starts at the fourth byte.

     'and 7' because the loop is 8 bytes long... the effect of the 'and' here is to mask the higher bits. This will result in 0-1-2-3-4-5-6-7-0-1...

     '+1' because Delphi indices start at 1 instead of 0.

     Ammm, seems easy. But I would have done it another way. I usually put the loops outside; you put the loop inside (in the index of the string). :)
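The index arithmetic from the post above, written out as an added example; this is not Boter+'s code nor the bot's, and the 8-byte key, 3-byte header length and packet bytes are constructed samples (the post only says the key is 8 bytes and encryption starts at the fourth byte). It puts the "loop inside the index" form next to the "loop outside" form the post says it prefers, and the loop-outside version goes a step further than the post by using a modulo, so it also works for key lengths that are not a power of two, where the 'and 7' mask would not wrap correctly.

```python
# Added example (not from the forum post): repeating-XOR key indexing
# as described in the post, in two styles. All values are constructed.

HEADER_LEN = 3   # post: "the encryption starts at fourth byte" (1-based i = 4)
KEY = bytes([0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88])  # constructed 8-byte key


def key_index_inline(i: int, start: int = HEADER_LEN, key_len: int = len(KEY)) -> int:
    """Key index for 0-based byte position i, in the post's 'in the index' style.

    The post's Delphi form is XorString[((i-4) and 7) + 1]: i is 1-based, so
    (i-4) is the offset from the first encrypted byte, 'and 7' wraps it to
    0..7, and '+1' converts back to a 1-based Delphi index. With 0-based
    positions the offset is (i - 3) and the '+1' disappears.
    """
    if key_len & (key_len - 1) != 0:
        raise ValueError("the 'and' mask only wraps correctly for power-of-two key lengths")
    return (i - start) & (key_len - 1)


def xor_inline(data: bytes, key: bytes = KEY, start: int = HEADER_LEN) -> bytes:
    """Loop-inside-the-index style: the key position is recomputed from i."""
    out = bytearray(data)
    for i in range(start, len(out)):
        out[i] ^= key[key_index_inline(i, start, len(key))]
    return bytes(out)


def xor_outer(data: bytes, key: bytes = KEY, start: int = HEADER_LEN) -> bytes:
    """Loop-outside style: a separate key counter j, wrapped with a modulo
    so that any key length works, not only powers of two."""
    out = bytearray(data)
    j = 0
    for i in range(start, len(out)):
        out[i] ^= key[j]
        j = (j + 1) % len(key)
    return bytes(out)


def key_index_sequence(n: int, start: int = HEADER_LEN) -> list:
    """The 0-1-2-...-7-0-1... pattern the post describes, for n encrypted bytes."""
    return [key_index_inline(i, start) for i in range(start, start + n)]


if __name__ == "__main__":
    # constructed packet: 3-byte header (left untouched) followed by a payload
    packet = bytes([0x12, 0x00, 0x05]) + b"hello, world"
    enc_a = xor_inline(packet)
    enc_b = xor_outer(packet)
    assert enc_a == enc_b                                # both styles agree
    assert enc_a[:HEADER_LEN] == packet[:HEADER_LEN]     # header untouched
    assert xor_inline(enc_a) == packet                   # XOR is its own inverse
    print(key_index_sequence(10))   # [0, 1, 2, 3, 4, 5, 6, 7, 0, 1]
    print(enc_a.hex())
```

Because XOR is its own inverse, the same routine both encodes and decodes, which is why the post talks about a single loop; the only thing that differs between the two styles is where the wrap-around of the key index is expressed.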

  7. Sauron's WP supports Interlude and RSA, in the last version:

     A quote from the user guide:

     gSys.tPDecode : int;  - type of packet de/encoding (PDecode),

     '-1' - auto-detection is set, but not yet determined.

     '0' - no de/encoding, disabled,

     '2' - LA2, LS: BF;

     '2' - LA2, GS: GSDecode/GSDecodej/GSDecodeI (see gSys.tKeyType)

     '2' - RFO: ...

     '3'..'14' - reserved.

     gSys.tKeyType : int; - key type for de/encoding (depends on PDecode and the traffic type)

     (set automatically when the Auto Detect system is enabled)

     tKeyType values:

     LA2:

     1 - GS: GSDecodeJ (C4/C5 8-byte key, half of the key incremented, L2J servers)

     2 - GS: GSDecode (C4/C5 8-byte key, whole key incremented, official LA2 server)

     3 - GS: GSDecodeI (Interlude 16-byte key, second half incremented)

     1 - LS: BF decode

     2 - LS: BF decode, RSA present

  8. Onepex, you are an admin? Bah, why do I ask...

     I started to work on this bot, let me count, 1... 2... 3... yes, 4 days ago!

     So I suppose I could be able to break a new one in another 4 days.

     BTW, that $18 and $54 XOR security in the GS is very poor, totally useless. And you should know that with a perfect emulating bot, it has the same packets as the official one. Impossible to detect.

     I don't play on the server, but if I did, I wouldn't tell anyone I can bot. I'm sure the server is full of people that can bot and the admins have no idea.

  9. JAJJAJAJA I have the token ^^^^

     Received packet:

     000000 27 51 48 4C 3D 22 47 49 | 2F 28 39 51 46 39 5F 5F    'QHL="GI/(9QF9__

     000010 4F 5C 50 49 59 45 3F 46 | 3D 46 47 59 49 45 C6 2F    O\PIYE?F=FGYIEÆ/

     000020 2C 5E 57 5D 2C 20 3F 3D | 58 C6 24 28 C6 39 49 2A    ,^W],.?=XÆ$(Æ9I*

     000030 57 36 36 3A                                          W66:

     Token inside: 5B 33 24 5B 3D 3D 2D 3E 32 2B 3B 27 5D 24 5F 24 25 3B 2B 27

     Your protection will be enough for noobs, but you will have to make it much harder for us, mcrabben xDDDDDDD. Now I only have to find a way to do it automatically.

  10. I'll post an IG screenshot in a minute - kekekekekekeke

     and btw mc7, your client crashes extremely often ;<

     hotkey crashes happen like every 10 minutes

     edit: there you go

     l2signj0.jpg

     ^^ I imagine how you did it :P

     I'll try to; I'm sure it will work. But the main question is, what about the OOG? xD

  11. I think it is sl2.exe; the data send & receive is done before l2.exe starts. If I stop the data transfer, l2.exe does not start.

     And no, it is a token. I'm sure, because every time you boot the client the packet sent is the same. But if you wait some hours and boot the client, the data is different.

     And there is no change in the first 2 bytes, so probably it is a token changer.

     I'll try to do some more tests.

  12. Well, I will post some news now, but it is not good news... sry :S

     The protection in L2 Supreme is mainly based on a variable token. The server changes its LS token frequently, and has a "server" to update the clients' token.

     The client (Sl2.exe), to get the new token, connects to 64.72.114.34:14977, sends the packet "23 51 2D 24 34 4A 56 3B 24 5B 39 7D 5E 34 2C 39 40 2B 30 38 2A", and waits for the token. But as everyone would think, the token that sl2.exe gets is encrypted :S

     Then Sl2.exe opens L2.exe and patches L2.exe's memory with the new token.

     If there is any other protection, I don't know, because I am not able to pass the LS token protection to go further.
