idontcare1 Posted April 22, 2008

It's easy: bakeice is injecting lineagebk.dll (unpacked in 2s) into l2.exe (well, gameguard.des). This dll directly changes the blowfish function call to change the encryption. It also gets the login/pass directly.

--- hook to blowfish encrypt/decrypt:

100011B0 /$ 53             PUSH EBX
100011B1 |. 56             PUSH ESI
100011B2 |. 57             PUSH EDI
100011B3 |. 68 2CB50110    PUSH 1001B52C                            ; /pModule = "core.dll"
100011B8 |. 8BF9           MOV EDI,ECX                              ; |
100011BA |. FF15 88B20110  CALL DWORD PTR DS:[<&kernel32.GetModul>  ; \GetModuleHandleA
100011C0 |. 8B1D 8CB20110  MOV EBX,DWORD PTR DS:[<&kernel32.GetPr>  ; kernel32.GetProcAddress
100011C6 |. 8BF0           MOV ESI,EAX
100011C8 |. 68 04B50110    PUSH 1001B504                            ; /ProcNameOrOrdinal = "?BlowfishEncrypt@FBlowFish@@QAEXPAEH@Z"
100011CD |. 56             PUSH ESI                                 ; |hModule
100011CE |. FFD3           CALL EBX                                 ; \GetProcAddress
100011D0 |. 85C0           TEST EAX,EAX
100011D2 |. 74 3E          JE SHORT 10001212
100011D4 |. 68 B0340010    PUSH 100034B0                            ; /Arg2 = 100034B0
100011D9 |. 83C7 3C        ADD EDI,3C                               ; |
100011DC |. 50             PUSH EAX                                 ; |Arg1
100011DD |. 8BCF           MOV ECX,EDI                              ; |
100011DF |. E8 0C2A0000    CALL 10003BF0                            ; \unpacked.10003BF0
100011E4 |. 68 DCB40110    PUSH 1001B4DC                            ; ASCII "?BlowfishDecrypt@FBlowFish@@QAEXPAEH@Z"
100011E9 |. 56             PUSH ESI
100011EA |. FFD3           CALL EBX
100011EC |. 85C0           TEST EAX,EAX
100011EE |. 74 11          JE SHORT 10001201
100011F0 |. 68 60340010    PUSH 10003460                            ; /Arg2 = 10003460
100011F5 |. 50             PUSH EAX                                 ; |Arg1
100011F6 |. 8BCF           MOV ECX,EDI                              ; |
100011F8 |. E8 F3290000    CALL 10003BF0                            ; \unpacked.10003BF0

Hook to gameguard:

10001230 /$ 56             PUSH ESI
10001231 |. 68 84B50110    PUSH 1001B584                            ; /pModule = "engine.dll"
10001236 |. 8BF1           MOV ESI,ECX                              ; |
10001238 |. FF15 88B20110  CALL DWORD PTR DS:[<&kernel32.GetModul>  ; \GetModuleHandleA
1000123E |. 68 54B50110    PUSH 1001B554                            ; /ProcNameOrOrdinal = "?ResponseAuthGameGuard@UNetworkHandler@@UAEHXZ"
10001243 |. 50             PUSH EAX                                 ; |hModule
10001244 |. FF15 8CB20110  CALL DWORD PTR DS:[<&kernel32.GetProcA>  ; \GetProcAddress
1000124A |. 85C0           TEST EAX,EAX
1000124C |. 74 10          JE SHORT 1000125E
1000124E |. 68 00100010    PUSH send_en                             ; /Arg2 = 10001000
10001253 |. 50             PUSH EAX                                 ; |Arg1
10001254 |. 8D4E 3C        LEA ECX,DWORD PTR DS:[ESI+3C]            ; |
10001257 |. E8 94290000    CALL 10003BF0                            ; \unpacked.10003BF0
1000125C |. 5E             POP ESI
1000125D |. C3             RET
1000125E |> 68 38B50110    PUSH 1001B538                            ; ASCII "ResponseAuthGameGuard Error"
10001263 |. E8 F8370000    CALL 10004A60
10001268 |. 83C4 04        ADD ESP,4
1000126B |. 5E             POP ESI
1000126C \. C3             RET

hook to getuseraccount:

100015B3 |. 68 84B50110    PUSH 1001B584                            ; /pModule = "engine.dll"
100015B8 |. 89BE C4030000  MOV DWORD PTR DS:[ESI+3C4],EDI           ; |
100015BE |. FF15 88B20110  CALL DWORD PTR DS:[<&kernel32.GetModul>  ; \GetModuleHandleA
100015C4 |. 3BC7           CMP EAX,EDI
100015C6 |. 8946 38        MOV DWORD PTR DS:[ESI+38],EAX
100015C9 |. 75 06          JNZ SHORT 100015D1
100015CB |. 57             PUSH EDI
100015CC |. E8 B0590000    CALL 10006F81
100015D1 |> 53             PUSH EBX
100015D2 |. 8B1D 8CB20110  MOV EBX,DWORD PTR DS:[<&kernel32.GetPr>  ; kernel32.GetProcAddress
100015D8 |. 68 F4B50110    PUSH 1001B5F4                            ; /ProcNameOrOrdinal = "?GetUserAccount@UNetworkHandler@@UAEPAGXZ"
100015DD |. 50             PUSH EAX                                 ; |hModule
100015DE |. FFD3           CALL EBX                                 ; \GetProcAddress
100015E0 |. 3BC7           CMP EAX,EDI
100015E2 |. 8986 C8030000  MOV DWORD PTR DS:[ESI+3C8],EAX
100015E8 |. 75 13          JNZ SHORT 100015FD
100015EA |. 68 D8B50110    PUSH 1001B5D8                            ; ASCII "&GetUserAccount Error!!"
100015EF |. E8 6C340000    CALL 10004A60
100015F4 |. 83C4 04        ADD ESP,4
100015F7 |. 5B             POP EBX
100015F8 |. 5F             POP EDI
100015F9 |. 8BC6           MOV EAX,ESI
100015FB |. 5E             POP ESI
100015FC |. C3             RET
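Added example, not code from the post above and not from bakeice or lineagebk.dll. The dump resolves an export with GetModuleHandleA + GetProcAddress and hands its address (Arg1) and a replacement function (Arg2: 100034B0, 10003460 or send_en) to a helper at 10003BF0, called on an object at this+0x3C. The body of 10003BF0 is not in the dump, so the usual way such a helper redirects a call (writing a 5-byte `JMP rel32` over the export's first bytes) is an assumption here, not something the post shows. What the page does give is the raw opcode bytes, so the block recomputes every CALL/JE/JNZ target in the listing from those bytes and checks it against what OllyDbg printed; that confirms the three hook sites all call the same helper. The address 0x10B21F40 used for core.dll's BlowfishEncrypt export is made up for the demonstration; the real one depends on where core.dll loads.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: x86 relative-branch arithmetic.
 * (1) branch_target() recomputes CALL/JMP/Jcc targets from raw bytes, which is
 *     how you sanity-check a pasted listing or a hand-patched binary.
 * (2) encode_jmp_rel32() builds the 5-byte "JMP rel32" an inline hook writes
 *     over a function's entry (assumed to be what 10003BF0 does; not shown). */

/* Target of a relative branch whose opcode byte sits at insn_addr.
 * E8 = CALL rel32, E9 = JMP rel32, EB/74/75 = JMP/JE/JNZ rel8.
 * Returns 0 for any other opcode. Arithmetic is modulo 2^32, as in a
 * 32-bit process; rel is taken relative to the *next* instruction. */
uint32_t branch_target(uint32_t insn_addr, const uint8_t *b)
{
    switch (b[0]) {
    case 0xE8:
    case 0xE9: {
        uint32_t rel = (uint32_t)b[1] | (uint32_t)b[2] << 8 |
                       (uint32_t)b[3] << 16 | (uint32_t)b[4] << 24;
        return insn_addr + 5 + rel;
    }
    case 0xEB:
    case 0x74:
    case 0x75:
        return insn_addr + 2 + (uint32_t)(int32_t)(int8_t)b[1];  /* sign-extended rel8 */
    default:
        return 0;
    }
}

/* Encode "JMP rel32" at `target` that lands in `detour`; out receives 5 bytes.
 * On x64 the hook would also have to check that detour - (target + 5) fits in
 * +/-2 GiB; in a 32-bit address space the modular difference always does. */
void encode_jmp_rel32(uint32_t target, uint32_t detour, uint8_t out[5])
{
    uint32_t rel = detour - (target + 5);
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Branch sites copied from the dump: address, opcode bytes, target OllyDbg printed. */
struct site { uint32_t addr; uint8_t bytes[5]; uint32_t shown; };

static const struct site DUMP_SITES[] = {
    { 0x100011D2, {0x74, 0x3E},                   0x10001212 },  /* JE SHORT */
    { 0x100011DF, {0xE8, 0x0C, 0x2A, 0x00, 0x00}, 0x10003BF0 },  /* CALL hook helper (BlowfishEncrypt) */
    { 0x100011EE, {0x74, 0x11},                   0x10001201 },
    { 0x100011F8, {0xE8, 0xF3, 0x29, 0x00, 0x00}, 0x10003BF0 },  /* CALL hook helper (BlowfishDecrypt) */
    { 0x1000124C, {0x74, 0x10},                   0x1000125E },
    { 0x10001257, {0xE8, 0x94, 0x29, 0x00, 0x00}, 0x10003BF0 },  /* CALL hook helper (ResponseAuthGameGuard) */
    { 0x10001263, {0xE8, 0xF8, 0x37, 0x00, 0x00}, 0x10004A60 },  /* error printer */
    { 0x100015C9, {0x75, 0x06},                   0x100015D1 },
    { 0x100015CC, {0xE8, 0xB0, 0x59, 0x00, 0x00}, 0x10006F81 },
    { 0x100015E8, {0x75, 0x13},                   0x100015FD },
    { 0x100015EF, {0xE8, 0x6C, 0x34, 0x00, 0x00}, 0x10004A60 },  /* error printer */
};
#define N_SITES (sizeof DUMP_SITES / sizeof DUMP_SITES[0])

/* Number of dump sites whose recomputed target disagrees with the one OllyDbg
 * printed; 0 means the listing is self-consistent. */
int count_mismatched_sites(void)
{
    int bad = 0;
    for (size_t i = 0; i < N_SITES; i++)
        if (branch_target(DUMP_SITES[i].addr, DUMP_SITES[i].bytes) != DUMP_SITES[i].shown)
            bad++;
    return bad;
}

/* How many of the dump's CALLs go into the hook helper at 10003BF0. */
int count_calls_to_hook_helper(void)
{
    int n = 0;
    for (size_t i = 0; i < N_SITES; i++)
        if (DUMP_SITES[i].bytes[0] == 0xE8 &&
            branch_target(DUMP_SITES[i].addr, DUMP_SITES[i].bytes) == 0x10003BF0)
            n++;
    return n;
}

int main(void)
{
    uint8_t patch[5];
    /* 0x10B21F40: made-up address of core.dll's BlowfishEncrypt export.
     * 0x100034B0: the detour the dump passes as Arg2 for it. */
    encode_jmp_rel32(0x10B21F40, 0x100034B0, patch);
    printf("mismatched sites: %d, calls into 10003BF0: %d\n",
           count_mismatched_sites(), count_calls_to_hook_helper());
    printf("JMP patch at 10B21F40: %02X %02X %02X %02X %02X -> %08X\n",
           patch[0], patch[1], patch[2], patch[3], patch[4],
           branch_target(0x10B21F40, patch));
    return count_mismatched_sites() != 0;
}
```

The same arithmetic, run the other way, is how you recover the detour addresses from a patched export once you have dumped the process: read the five bytes at the export, and `branch_target()` gives you where the DLL sent the call.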
Jαkє Posted April 22, 2008

What do we do with these codes?

idontcare1 Posted April 22, 2008

> What do we do with these codes?

Click "follow immediate constant" ;)

Jαkє Posted April 22, 2008

> Click "follow immediate constant" ;)

Uh... can't understand, sorry :) Can you explain to us a bit better what to do?

zl4y3r Posted April 22, 2008

Woot woot, the first haxors are working on a walker for DN xD

qube123 Posted April 22, 2008

> Woot woot, the first haxors are working on a walker for DN xD

It's not a haxor, it's an ASM dump of memory. It shows us how Bike ICE works. Oh, and btw, l2w works on DN IL; I saw a rus guy who gave a res to his bd/se and he got up instantly. ;)

Dadman Posted April 22, 2008

> It's not a haxor, it's an ASM dump of memory. It shows us how Bike ICE works. Oh, and btw, l2w works on DN IL; I saw a rus guy who gave a res to his bd/se and he got up instantly. ;)

Dude, ask him^^ So we have to check rus forums. Can you understand rus? Cause I can't xD
idontcare1 Posted April 23, 2008

"Follow immediate constant" in ollydbg ;p This brings you the mini-binary "blob" that is injected to modify the algorithm. Then either you make another dll that does the same stuff but without the "anti botting", or you modify core.dll (and engine if you like, but that's less of a big deal), or you make a proxy that does it, or you use WP and a script that does it (in those cases it's easy to convert back to "normal" packets that L2W will understand). Won't release until it becomes public enough, as usual. You have the key points to make it yourself. Last things: this dll is simply expanded by bakeice when you start the loader, so just copy it and unpack it (asprotect 2.12, there are even automated unpackers everywhere on the net). Tools you need: ollydbg + plugins, imprec, some hex editor, and some coding stuff for the proxy/dll/whatever you wanna make (visual studio, basic, python, whatever you like to start with; just remember, it's way easier than it looks).
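Added example, not code from this thread, from bakeice or from the game. The decorated names in the dump pin down what is being hooked: `?BlowfishEncrypt@FBlowFish@@QAEXPAEH@Z` is `public: void __thiscall FBlowFish::BlowfishEncrypt(unsigned char *, int)`, and the two engine.dll targets are virtual methods (`UAE...`) of UNetworkHandler, `int ResponseAuthGameGuard(void)` and `unsigned short *GetUserAccount(void)`. A detour placed in front of an encrypt routine runs on every buffer before it is encrypted, which is both why the DLL can "change the encryption" and why it sees the login/pass in the clear, and it is why idontcare1's option of writing "another dll that does the same stuff but without the anti botting" works: the detour decides what to pass through. The block models that three-part hook (a hook object holding original and detour, a detour that runs first, a pass-through call). Assumptions: the real Blowfish routine is replaced by a toy XOR so the block runs stand-alone; the hook swaps a call slot (a function pointer, as with an IAT or vtable hook) rather than patching code bytes, since how 10003BF0 redirects the call is not shown; the layout of the object at this+0x3C is guessed; the login packet bytes are constructed and follow no real packet format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: call-slot hook on an encrypt routine, showing that the
 * detour sees plaintext and that a pass-through keeps the hook transparent. */

typedef void (*encrypt_fn)(uint8_t *buf, int len);   /* shape of BlowfishEncrypt(PAE, H) */

static const uint8_t TOY_KEY[4] = {0x5A, 0xA5, 0x3C, 0xC3};   /* constructed; not a Blowfish key */

/* Stand-in for the game's encrypt routine (byte-wise XOR, NOT Blowfish). */
static void toy_encrypt(uint8_t *buf, int len)
{
    for (int i = 0; i < len; i++)
        buf[i] ^= TOY_KEY[i & 3];
}

/* Hook object, assumed analogue of the object at this+0x3C passed in ECX. */
struct hook {
    encrypt_fn *slot;       /* call slot the game actually calls through */
    encrypt_fn  original;   /* saved so the detour can pass the call on */
    encrypt_fn  detour;
};

/* What the detour gets to see: the buffer before encryption. */
static uint8_t     g_captured[64];
static int         g_captured_len;
static struct hook g_hook;

/* Detour: copy the plaintext aside, then call the real routine so the
 * ciphertext the server receives is unchanged and the hook stays invisible. */
static void detour_encrypt(uint8_t *buf, int len)
{
    int n = len < (int)sizeof g_captured ? len : (int)sizeof g_captured;
    memcpy(g_captured, buf, (size_t)n);
    g_captured_len = n;
    g_hook.original(buf, len);
}

/* Remember the original, point the slot at the detour. 0 on success, -1 if already attached. */
int hook_attach(struct hook *h, encrypt_fn *slot, encrypt_fn detour)
{
    if (h->slot) return -1;
    h->slot = slot;
    h->original = *slot;
    h->detour = detour;
    *slot = detour;
    return 0;
}

/* Restore the slot. 0 on success, -1 if nothing is attached. */
int hook_detach(struct hook *h)
{
    if (!h->slot) return -1;
    *h->slot = h->original;
    memset(h, 0, sizeof *h);
    return 0;
}

/* The game's call slot, standing in for the pointer GetProcAddress returned. */
static encrypt_fn g_encrypt_slot = toy_encrypt;

/* Worked run: push a constructed login packet through the hooked slot.
 * Returns 1 if the ciphertext equals what the unhooked routine produces
 * (hook transparent) AND the detour captured the plaintext; else 0. */
int demo_hooked_login(void)
{
    /* constructed packet: NUL, "user", NUL, "pass", NUL; not a real L2 format */
    static const uint8_t login[] = {0x00, 'u','s','e','r', 0x00, 'p','a','s','s', 0x00};
    uint8_t via_hook[sizeof login], reference[sizeof login];
    memcpy(via_hook, login, sizeof login);
    memcpy(reference, login, sizeof login);

    if (hook_attach(&g_hook, &g_encrypt_slot, detour_encrypt) != 0) return 0;
    g_encrypt_slot(via_hook, (int)sizeof login);      /* what the game does */
    if (hook_detach(&g_hook) != 0) return 0;

    toy_encrypt(reference, (int)sizeof login);        /* unhooked baseline */
    int transparent = memcmp(via_hook, reference, sizeof login) == 0;
    int captured = g_captured_len == (int)sizeof login &&
                   memcmp(g_captured, login, sizeof login) == 0;
    return transparent && captured;
}

int captured_len(void) { return g_captured_len; }
const uint8_t *captured_bytes(void) { return g_captured; }

int main(void)
{
    int ok = demo_hooked_login();
    printf("hook transparent and plaintext captured: %s\n", ok ? "yes" : "no");
    printf("captured %d bytes, account starts at byte 1: %.4s\n",
           captured_len(), (const char *)captured_bytes() + 1);
    return ok ? 0 : 1;
}
```

Swapping `g_hook.original(buf, len)` for a call into a different cipher is the "change the encryption" half; a proxy that wants plain packets for L2W has to undo exactly that substitution on the wire.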
kiara Posted April 23, 2008

Did somebody find a way to l2w on DN?

Jαkє Posted April 23, 2008

> "Follow immediate constant" in ollydbg ;p This brings you the mini-binary "blob" that is injected to modify the algorithm. [...]

If I could understand a word of what you told us, it would be easier. We have to hack core.dll then... let's try.

iambored Posted April 23, 2008

Btw, in many interlude servers the token is sent by the LS and then used by the client. It's random every time. Prolly the case in dragon.

quangthanh178 Posted April 24, 2008

So, still no way to walk in Dragon Network.

pedrorastas Posted April 26, 2008

^^

Dadman Posted April 26, 2008

> "Follow immediate constant" in ollydbg ;p This brings you the mini-binary "blob" that is injected to modify the algorithm. [...] just remember, it's way easier than it looks.

Could you do it then, if it's way easier than it looks? :D I didn't get 90% of what you're saying.

tonmp (Author) Posted April 26, 2008

> Btw, in many interlude servers the token is sent by the LS and then used by the client. It's random every time. Prolly the case in dragon.

If data is transferred between client and server, then it's crackable :) Just someone should do it :|