[QUESTION] Dragon Network IL bot

[idontcare1]

its easy

bakeice is injecting lineagebk.dll (unpacked in 2s) into l2.exe (well gameguard.des)

this dll change directly the blowfish function call to change the encryption.

it also get the login/pass directly.

 

 

---

hook to blowfish encrypt/decrypt:

 

100011B0  /$  53                  PUSH EBX

100011B1  |.  56                  PUSH ESI

100011B2  |.  57                  PUSH EDI

100011B3  |.  68 2CB50110        PUSH 1001B52C                          ; /pModule = "core.dll"

100011B8  |.  8BF9                MOV EDI,ECX                            ; |

100011BA  |.  FF15 88B20110      CALL DWORD PTR DS:[<&kernel32.GetModul>; \GetModuleHandleA

100011C0  |.  8B1D 8CB20110      MOV EBX,DWORD PTR DS:[<&kernel32.GetPr>;  kernel32.GetProcAddress

100011C6  |.  8BF0                MOV ESI,EAX

100011C8  |.  68 04B50110        PUSH 1001B504                          ; /ProcNameOrOrdinal = "?BlowfishEncrypt@FBlowFish@@QAEXPAEH@Z"

100011CD  |.  56                  PUSH ESI                              ; |hModule

100011CE  |.  FFD3                CALL EBX                              ; \GetProcAddress

100011D0  |.  85C0                TEST EAX,EAX

100011D2  |.  74 3E              JE SHORT 10001212

100011D4  |.  68 B0340010        PUSH 100034B0                          ; /Arg2 = 100034B0

100011D9  |.  83C7 3C            ADD EDI,3C                            ; |

100011DC  |.  50                  PUSH EAX                              ; |Arg1

100011DD  |.  8BCF                MOV ECX,EDI                            ; |

100011DF  |.  E8 0C2A0000        CALL 10003BF0                          ; \unpacked.10003BF0

100011E4  |.  68 DCB40110        PUSH 1001B4DC                          ;  ASCII "?BlowfishDecrypt@FBlowFish@@QAEXPAEH@Z"

100011E9  |.  56                  PUSH ESI

100011EA  |.  FFD3                CALL EBX

100011EC  |.  85C0                TEST EAX,EAX

100011EE  |.  74 11              JE SHORT 10001201

100011F0  |.  68 60340010        PUSH 10003460                          ; /Arg2 = 10003460

100011F5  |.  50                  PUSH EAX                              ; |Arg1

100011F6  |.  8BCF                MOV ECX,EDI                            ; |

100011F8  |.  E8 F3290000        CALL 10003BF0                          ; \unpacked.10003BF0

 

 

Hook to gameguard:

 

10001230  /$  56                  PUSH ESI

10001231  |.  68 84B50110        PUSH 1001B584                          ; /pModule = "engine.dll"

10001236  |.  8BF1                MOV ESI,ECX                            ; |

10001238  |.  FF15 88B20110      CALL DWORD PTR DS:[<&kernel32.GetModul>; \GetModuleHandleA

1000123E  |.  68 54B50110        PUSH 1001B554                          ; /ProcNameOrOrdinal = "?ResponseAuthGameGuard@UNetworkHandler@@UAEHXZ"

10001243  |.  50                  PUSH EAX                              ; |hModule

10001244  |.  FF15 8CB20110      CALL DWORD PTR DS:[<&kernel32.GetProcA>; \GetProcAddress

1000124A  |.  85C0                TEST EAX,EAX

1000124C  |.  74 10              JE SHORT 1000125E

1000124E  |.  68 00100010        PUSH send_en                          ; /Arg2 = 10001000

10001253  |.  50                  PUSH EAX                              ; |Arg1

10001254  |.  8D4E 3C            LEA ECX,DWORD PTR DS:[ESI+3C]          ; |

10001257  |.  E8 94290000        CALL 10003BF0                          ; \unpacked.10003BF0

1000125C  |.  5E                  POP ESI

1000125D  |.  C3                  RET

1000125E  |>  68 38B50110        PUSH 1001B538                          ;  ASCII "ResponseAuthGameGuard Error"

10001263  |.  E8 F8370000        CALL 10004A60

10001268  |.  83C4 04            ADD ESP,4

1000126B  |.  5E                  POP ESI

1000126C  \.  C3                  RET

 

 

hook to getuseraccount:

 

100015B3  |.  68 84B50110        PUSH 1001B584                          ; /pModule = "engine.dll"

100015B8  |.  89BE C4030000      MOV DWORD PTR DS:[ESI+3C4],EDI        ; |

100015BE  |.  FF15 88B20110      CALL DWORD PTR DS:[<&kernel32.GetModul>; \GetModuleHandleA

100015C4  |.  3BC7                CMP EAX,EDI

100015C6  |.  8946 38            MOV DWORD PTR DS:[ESI+38],EAX

100015C9  |.  75 06              JNZ SHORT 100015D1

100015CB  |.  57                  PUSH EDI

100015CC  |.  E8 B0590000        CALL 10006F81

100015D1  |>  53                  PUSH EBX

100015D2  |.  8B1D 8CB20110      MOV EBX,DWORD PTR DS:[<&kernel32.GetPr>;  kernel32.GetProcAddress

100015D8  |.  68 F4B50110        PUSH 1001B5F4                          ; /ProcNameOrOrdinal = "?GetUserAccount@UNetworkHandler@@UAEPAGXZ"

100015DD  |.  50                  PUSH EAX                              ; |hModule

100015DE  |.  FFD3                CALL EBX                              ; \GetProcAddress

100015E0  |.  3BC7                CMP EAX,EDI

100015E2  |.  8986 C8030000      MOV DWORD PTR DS:[ESI+3C8],EAX

100015E8  |.  75 13              JNZ SHORT 100015FD

100015EA  |.  68 D8B50110        PUSH 1001B5D8                          ;  ASCII "&GetUserAccount  Error!!"

100015EF  |.  E8 6C340000        CALL 10004A60

100015F4  |.  83C4 04            ADD ESP,4

100015F7  |.  5B                  POP EBX

100015F8  |.  5F                  POP EDI

100015F9  |.  8BC6                MOV EAX,ESI

100015FB  |.  5E                  POP ESI

100015FC  |.  C3                  RET

 

 

 

[Jαkє]

What do we do with these codes?

[idontcare1]

What do we do with these codes?

click "follow immediate constant" ;)

[Jαkє]

click "follow immediate constant" ;)

uh..can't understeand sorry :)

can you explain us a bit better what to do?

[zl4y3r]

woot woot first haxor are working on walker for DN xD

[qube123]

woot woot first haxor are working on walker for DN xD

It's not a haxor it's a ASM dump of memory. Shows us how Bike ICE works.

 

oh and btw l2w works on DN IL i saw a rus guy who gave a res to his bd/se and he got up instantly. ;)

[Dadman]

It's not a haxor it's a ASM dump of memory. Shows us how Bike ICE works.

 

oh and btw l2w works on DN IL i saw a rus guy who gave a res to his bd/se and he got up instantly. ;)

dude ask him^^

So we have to check russ forums, can you understand russ? cause I can't xD

[idontcare1]

follow immediate constant in ollybgd;p this brings u the mini-binary "blob" that is injected to modify the algorithm. then either you make another dll that does the same stuff, but without the "anti botting" either you modify core.dll (and engine if u like but thats less a big deal), or u make a proxy that does it, or u use WP and a script that does it (in those cases its easy to convert back to "normal" packets that L2W will understand)

Won't release until it becomes public enough as usual. U have the key points to make it yourself.

 

last things, this dll is simply expanded by bakeice when you start the loader so just copy it and unpack it (asprotect 2.12, there are even automated unpackers everywhere on the net), tools u need, ollydbg+plugins, imprec, some hex editor, and some coding stuff for the proxy/dll/whatever u wanna make (visualstudio, basic, python,whatever u like to start with  - just remember, its way easier than it looks)

[kiara]

somebody find a way to l2w on DN?

[Jαkє]

follow immediate constant in ollybgd;p this brings u the mini-binary "blob" that is injected to modify the algorithm. then either you make another dll that does the same stuff, but without the "anti botting" either you modify core.dll (and engine if u like but thats less a big deal), or u make a proxy that does it, or u use WP and a script that does it (in those cases its easy to convert back to "normal" packets that L2W will understand)

Won't release until it becomes public enough as usual. U have the key points to make it yourself.

 

last things, this dll is simply expanded by bakeice when you start the loader so just copy it and unpack it (asprotect 2.12, there are even automated unpackers everywhere on the net), tools u need, ollydbg+plugins, imprec, some hex editor, and some coding stuff for the proxy/dll/whatever u wanna make (visualstudio, basic, python,whatever u like to start with  - just remember, its way easier than it looks)

if i could understeand a word of what you told us, it would be easier.

 

we have to hack core.dll then...let's try..

[iambored]

btw in many interlude servers the token is sent by the LS and then used by the client. its random every time. prolly the case in dragon.

[quangthanh178]

so, still noway to walk in Dragon network.

[pedrorastas]

^^

[Dadman]

follow immediate constant in ollybgd;p this brings u the mini-binary "blob" that is injected to modify the algorithm. then either you make another dll that does the same stuff, but without the "anti botting" either you modify core.dll (and engine if u like but thats less a big deal), or u make a proxy that does it, or u use WP and a script that does it (in those cases its easy to convert back to "normal" packets that L2W will understand)

Won't release until it becomes public enough as usual. U have the key points to make it yourself.

 

last things, this dll is simply expanded by bakeice when you start the loader so just copy it and unpack it (asprotect 2.12, there are even automated unpackers everywhere on the net), tools u need, ollydbg+plugins, imprec, some hex editor, and some coding stuff for the proxy/dll/whatever u wanna make (visualstudio, basic, python,whatever u like to start with  - just remember, its way easier than it looks)

 

could you do it then if it's way easier than it looks? :D

I didn't get 90% of what you're saying.

[tonmp]

btw in many interlude servers the token is sent by the LS and then used by the client. its random every time. prolly the case in dragon.

 

If data is transferred between client an server, then it's crackable :) just someone should do it :|