Jump to content

Recommended Posts

Posted

Hi, on this weekend a lot of private servers changed its old antibot system (la2.gr, Roxy, L2Dex ...)

 

There are some new dll & files in this patch windrv.dll, unbot.dll, hguard.dll & more.

 

I've been seeing packets with a own made sniffer, and aparently they seem to be normal l2 encripted packets, two bytes with packet length and the rest of bytes encripted with blowfish. But whit the token obtained from the client (Token in memory of l2.exe process) they cant be decoded, and also the packet chechsum fails.

 

I think they have changed the client/server encription method, or the token offset in memory. Also they now prevent the exe to be inyected/loaded.

 

I dont have enought reverse reverse engineer/cracking exp to debug the process and see how the client is coding now the packets, but i would be able to make a l2walker pasarell for the new crypt method.

 

Thx.

 

 

Posted

well, if the blowfish/packets haven't changed then rebuilding the system folder with the token should work... I have no idea how to do that but if ever you go on a server building forum and search arround you could maybe find some information.

Posted

i think that

loader scans if you run any bot and blocks login

if you dont run anything it unblocks login

by default l2.exe is locked and when you run loader without bot it lets you log in

simple isnt it?

Posted

Its not in that way exactly, the loader looks for a l2walker.exe process in memory if found it connect to an antibot server and logs you.

 

The loader also seem to override some lineage crypt functions or crypt/hide the token, whit a captured login (a valid packet) packet and the debuger running, as you can see in the image the token is _;5.]94-31==-%xT!^[$, but isnt it.

 

dbg543hz0.th.jpg

 

So... we need a cracker :P

 

 

Posted

well i checked into this because i was a little curious myself... but this antibot system is simple... its adding extra encryption to sent packets, it hooks winsock, hooks ws2_32.connect for god knows what purpose... need to look into it, and hooks ws2_32.send to encrypt the packets before they are sent to the server, this looks like its only on authd packets... hlapex wont work because it happens to hook ws2_32.connect also -.-

 

untitled4ny1.jpg

^ ws2_32.connect/send

Posted

i doubt it, if it was made by the maker of hlapex it wouldnt be on GREEK servers + their friends... my guess is that Dex were the ones that either made it or bought it, and then demon (la2.gr) bought it from them

  • 2 weeks later...
Posted

k ... I managed to connect with ig bot ... its able to read information like map ...

bot not verified ... so im just able to use the information functions and scripts.

 

btw anyone knows how to craft with a script using the recipe book ?

Posted

there is another problem ... you get disconnected every once in a while. So there seem to be more than just the auth package that differ. You just cant move or write or open inventory ... but u can see others move and write. weired situation.

Posted

xift i had the problem u talk about with l2 client from c2 to c4. I believe it's a bug from nvidia onboard networkcard. If u have nforce that may be the reason not walker. I've upgraded drivers and dont get it anymore. (still think demonas is admin on la2.gr here to spy for antibot upgrades :D)

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...