[QUESTION] Dragon Network IL bot

idontcare1 · April 22, 2008

its easy

bakeice is injecting lineagebk.dll (unpacked in 2s) into l2.exe (well gameguard.des)

this dll change directly the blowfish function call to change the encryption.

it also get the login/pass directly.

---

hook to blowfish encrypt/decrypt:

100011B0 /$ 53 PUSH EBX

100011B1 |. 56 PUSH ESI

100011B2 |. 57 PUSH EDI

100011B3 |. 68 2CB50110 PUSH 1001B52C ; /pModule = "core.dll"

100011B8 |. 8BF9 MOV EDI,ECX ; |

100011BA |. FF15 88B20110 CALL DWORD PTR DS:[<&kernel32.GetModul>; \GetModuleHandleA

100011C0 |. 8B1D 8CB20110 MOV EBX,DWORD PTR DS:[<&kernel32.GetPr>; kernel32.GetProcAddress

100011C6 |. 8BF0 MOV ESI,EAX

100011C8 |. 68 04B50110 PUSH 1001B504 ; /ProcNameOrOrdinal = "?BlowfishEncrypt@FBlowFish@@QAEXPAEH@Z"

100011CD |. 56 PUSH ESI ; |hModule

100011CE |. FFD3 CALL EBX ; \GetProcAddress

100011D0 |. 85C0 TEST EAX,EAX

100011D2 |. 74 3E JE SHORT 10001212

100011D4 |. 68 B0340010 PUSH 100034B0 ; /Arg2 = 100034B0

100011D9 |. 83C7 3C ADD EDI,3C ; |

100011DC |. 50 PUSH EAX ; |Arg1

100011DD |. 8BCF MOV ECX,EDI ; |

100011DF |. E8 0C2A0000 CALL 10003BF0 ; \unpacked.10003BF0

100011E4 |. 68 DCB40110 PUSH 1001B4DC ; ASCII "?BlowfishDecrypt@FBlowFish@@QAEXPAEH@Z"

100011E9 |. 56 PUSH ESI

100011EA |. FFD3 CALL EBX

100011EC |. 85C0 TEST EAX,EAX

100011EE |. 74 11 JE SHORT 10001201

100011F0 |. 68 60340010 PUSH 10003460 ; /Arg2 = 10003460

100011F5 |. 50 PUSH EAX ; |Arg1

100011F6 |. 8BCF MOV ECX,EDI ; |

100011F8 |. E8 F3290000 CALL 10003BF0 ; \unpacked.10003BF0

Hook to gameguard:

10001230 /$ 56 PUSH ESI

10001231 |. 68 84B50110 PUSH 1001B584 ; /pModule = "engine.dll"

10001236 |. 8BF1 MOV ESI,ECX ; |

10001238 |. FF15 88B20110 CALL DWORD PTR DS:[<&kernel32.GetModul>; \GetModuleHandleA

1000123E |. 68 54B50110 PUSH 1001B554 ; /ProcNameOrOrdinal = "?ResponseAuthGameGuard@UNetworkHandler@@UAEHXZ"

10001243 |. 50 PUSH EAX ; |hModule

10001244 |. FF15 8CB20110 CALL DWORD PTR DS:[<&kernel32.GetProcA>; \GetProcAddress

1000124A |. 85C0 TEST EAX,EAX

1000124C |. 74 10 JE SHORT 1000125E

1000124E |. 68 00100010 PUSH send_en ; /Arg2 = 10001000

10001253 |. 50 PUSH EAX ; |Arg1

10001254 |. 8D4E 3C LEA ECX,DWORD PTR DS:[ESI+3C] ; |

10001257 |. E8 94290000 CALL 10003BF0 ; \unpacked.10003BF0

1000125C |. 5E POP ESI

1000125D |. C3 RET

1000125E |> 68 38B50110 PUSH 1001B538 ; ASCII "ResponseAuthGameGuard Error"

10001263 |. E8 F8370000 CALL 10004A60

10001268 |. 83C4 04 ADD ESP,4

1000126B |. 5E POP ESI

1000126C \. C3 RET

hook to getuseraccount:

100015B3 |. 68 84B50110 PUSH 1001B584 ; /pModule = "engine.dll"

100015B8 |. 89BE C4030000 MOV DWORD PTR DS:[ESI+3C4],EDI ; |

100015BE |. FF15 88B20110 CALL DWORD PTR DS:[<&kernel32.GetModul>; \GetModuleHandleA

100015C4 |. 3BC7 CMP EAX,EDI

100015C6 |. 8946 38 MOV DWORD PTR DS:[ESI+38],EAX

100015C9 |. 75 06 JNZ SHORT 100015D1

100015CB |. 57 PUSH EDI

100015CC |. E8 B0590000 CALL 10006F81

100015D1 |> 53 PUSH EBX

100015D2 |. 8B1D 8CB20110 MOV EBX,DWORD PTR DS:[<&kernel32.GetPr>; kernel32.GetProcAddress

100015D8 |. 68 F4B50110 PUSH 1001B5F4 ; /ProcNameOrOrdinal = "?GetUserAccount@UNetworkHandler@@UAEPAGXZ"

100015DD |. 50 PUSH EAX ; |hModule

100015DE |. FFD3 CALL EBX ; \GetProcAddress

100015E0 |. 3BC7 CMP EAX,EDI

100015E2 |. 8986 C8030000 MOV DWORD PTR DS:[ESI+3C8],EAX

100015E8 |. 75 13 JNZ SHORT 100015FD

100015EA |. 68 D8B50110 PUSH 1001B5D8 ; ASCII "&GetUserAccount Error!!"

100015EF |. E8 6C340000 CALL 10004A60

100015F4 |. 83C4 04 ADD ESP,4

100015F7 |. 5B POP EBX

100015F8 |. 5F POP EDI

100015F9 |. 8BC6 MOV EAX,ESI

100015FB |. 5E POP ESI

100015FC |. C3 RET

Jαkє · April 22, 2008

What do we do with these codes?

idontcare1 · April 22, 2008

What do we do with these codes?

click "follow immediate constant" ;)

Jαkє · April 22, 2008

click "follow immediate constant" ;)

uh..can't understeand sorry :)

can you explain us a bit better what to do?

zl4y3r · April 22, 2008

woot woot first haxor are working on walker for DN xD

qube123 · April 22, 2008

woot woot first haxor are working on walker for DN xD

It's not a haxor it's a ASM dump of memory. Shows us how Bike ICE works.

oh and btw l2w works on DN IL i saw a rus guy who gave a res to his bd/se and he got up instantly. ;)

Dadman · April 22, 2008

It's not a haxor it's a ASM dump of memory. Shows us how Bike ICE works.

oh and btw l2w works on DN IL i saw a rus guy who gave a res to his bd/se and he got up instantly. ;)

dude ask him^^

So we have to check russ forums, can you understand russ? cause I can't xD

idontcare1 · April 23, 2008

follow immediate constant in ollybgd;p this brings u the mini-binary "blob" that is injected to modify the algorithm. then either you make another dll that does the same stuff, but without the "anti botting" either you modify core.dll (and engine if u like but thats less a big deal), or u make a proxy that does it, or u use WP and a script that does it (in those cases its easy to convert back to "normal" packets that L2W will understand)

Won't release until it becomes public enough as usual. U have the key points to make it yourself.

last things, this dll is simply expanded by bakeice when you start the loader so just copy it and unpack it (asprotect 2.12, there are even automated unpackers everywhere on the net), tools u need, ollydbg+plugins, imprec, some hex editor, and some coding stuff for the proxy/dll/whatever u wanna make (visualstudio, basic, python,whatever u like to start with - just remember, its way easier than it looks)

kiara · April 23, 2008

somebody find a way to l2w on DN?

Jαkє · April 23, 2008

follow immediate constant in ollybgd;p this brings u the mini-binary "blob" that is injected to modify the algorithm. then either you make another dll that does the same stuff, but without the "anti botting" either you modify core.dll (and engine if u like but thats less a big deal), or u make a proxy that does it, or u use WP and a script that does it (in those cases its easy to convert back to "normal" packets that L2W will understand)

Won't release until it becomes public enough as usual. U have the key points to make it yourself.

last things, this dll is simply expanded by bakeice when you start the loader so just copy it and unpack it (asprotect 2.12, there are even automated unpackers everywhere on the net), tools u need, ollydbg+plugins, imprec, some hex editor, and some coding stuff for the proxy/dll/whatever u wanna make (visualstudio, basic, python,whatever u like to start with - just remember, its way easier than it looks)

if i could understeand a word of what you told us, it would be easier.

we have to hack core.dll then...let's try..

iambored · April 23, 2008

btw in many interlude servers the token is sent by the LS and then used by the client. its random every time. prolly the case in dragon.

quangthanh178 · April 24, 2008

so, still noway to walk in Dragon network.

pedrorastas · April 26, 2008

^^

Dadman · April 26, 2008

follow immediate constant in ollybgd;p this brings u the mini-binary "blob" that is injected to modify the algorithm. then either you make another dll that does the same stuff, but without the "anti botting" either you modify core.dll (and engine if u like but thats less a big deal), or u make a proxy that does it, or u use WP and a script that does it (in those cases its easy to convert back to "normal" packets that L2W will understand)

Won't release until it becomes public enough as usual. U have the key points to make it yourself.

last things, this dll is simply expanded by bakeice when you start the loader so just copy it and unpack it (asprotect 2.12, there are even automated unpackers everywhere on the net), tools u need, ollydbg+plugins, imprec, some hex editor, and some coding stuff for the proxy/dll/whatever u wanna make (visualstudio, basic, python,whatever u like to start with - just remember, its way easier than it looks)

could you do it then if it's way easier than it looks? :D

I didn't get 90% of what you're saying.

tonmp · April 26, 2008

btw in many interlude servers the token is sent by the LS and then used by the client. its random every time. prolly the case in dragon.

If data is transferred between client an server, then it's crackable :) just someone should do it :|

[QUESTION] Dragon Network IL bot

Recommended Posts

idontcare1

Jαkє

idontcare1

Jαkє

zl4y3r

qube123

Dadman

idontcare1

kiara

Jαkє

iambored

quangthanh178

pedrorastas

Dadman

tonmp

Join the conversation

Posts

Topics

Browse

Activity

Store