l33ts (Posted February 20, 2007): Hi, this weekend a lot of private servers changed their old antibot system (la2.gr, Roxy, L2Dex ...). There are some new DLLs & files in this patch: windrv.dll, unbot.dll, hguard.dll & more. I've been looking at packets with my own sniffer, and apparently they seem to be normal L2 encrypted packets: two bytes with the packet length and the rest of the bytes encrypted with Blowfish. But with the token obtained from the client (token in memory of the l2.exe process) they can't be decoded, and also the packet checksum fails. I think they have changed the client/server encryption method, or the token offset in memory. Also they now prevent the exe from being injected/loaded. I don't have enough reverse engineering/cracking experience to debug the process and see how the client is encoding the packets now, but I would be able to make an l2walker gateway for the new crypt method. Thx.

Hax0r (Posted February 20, 2007): Hope you'll make it... keep up the good work.

mpj123 (Posted February 20, 2007): Well, if the Blowfish/packets haven't changed then rebuilding the system folder with the token should work... I have no idea how to do that, but if you ever go on a server-building forum and search around you could maybe find some information.

khadia (Posted February 22, 2007): I think that loader scans if you run any bot and blocks login; if you don't run anything it unblocks login. By default l2.exe is locked, and when you run the loader without a bot it lets you log in. Simple, isn't it?

l33ts (Author, Posted February 23, 2007): It's not exactly that way. The loader looks for an l2walker.exe process in memory; if found, it connects to an antibot server and logs you. The loader also seems to override some Lineage crypt functions or crypt/hide the token: with a captured login packet (a valid packet) and the debugger running, as you can see in the image the token is _;5.]94-31==-%xT!^[$, but it isn't. So... we need a cracker :P

rawrz (Posted February 24, 2007): Well, I checked into this because I was a little curious myself... but this antibot system is simple... it's adding extra encryption to sent packets. It hooks Winsock: hooks ws2_32.connect for god knows what purpose... need to look into it, and hooks ws2_32.send to encrypt the packets before they are sent to the server. This looks like it's only on authd packets... hlapex won't work because it happens to hook ws2_32.connect also -.- ^ ws2_32.connect/send

demonas (Posted February 25, 2007): Mm, that's something. I think the author (Hint) made hlapex as well and he might try to block it also ^_^

rawrz (Posted February 25, 2007): I doubt it; if it was made by the maker of hlapex it wouldn't be on GREEK servers + their friends... my guess is that Dex were the ones that either made it or bought it, and then demon (la2.gr) bought it from them.

demonas (Posted March 1, 2007): Why do you think Dex is some special server with high-class programmers? :)

me2 (Posted March 13, 2007): Demonas, you are admin on la2.gr, right? Apparently no one has any idea about how to beat this antibot system :(

xift2006 (Posted March 14, 2007): OK... I managed to connect with the IG bot... it's able to read information like the map... bot not verified... so I'm just able to use the information functions and scripts. BTW, does anyone know how to craft with a script using the recipe book?

mpj123 (Posted March 14, 2007): Ever tried to kill the thread with PE Explorer?

xift2006 (Posted March 14, 2007): Yeah... didn't manage to :D Didn't find the right one.

xift2006 (Posted March 14, 2007): There is another problem... you get disconnected every once in a while. So there seem to be more than just the auth packets that differ. You just can't move or write or open inventory... but you can see others move and write. Weird situation.

me2 (Posted March 15, 2007): xift, I had the problem you talk about with the L2 client from C2 to C4. I believe it's a bug from the nVidia onboard network card. If you have nForce that may be the reason, not walker. I've upgraded drivers and don't get it anymore. (Still think demonas is admin on la2.gr, here to spy for antibot upgrades :D)