Jump to content

[EXCLUSIVE SHARE] IG WALKER FOR KASHA PROTECTION (L2Elixir,L2Dex etc.) UPDATED!!


TILEMACHOS

Recommended Posts

l2dex use kasha combined with a custom protection made by the l2walker creator.

 

No its just an idea came from Fyyre...

The named 3Kb code antibot that can patch Opcodes and blocks you on Login...

A really powerfull and simple hook Blocker/"detector" that if added and strong Packed the only way to bypass is to unpack and JMP those functions (crack) or make a new system but you can't do this on L2DEX now cause of RINJAEL packet Crypting

_________________________________________________________________________________

L2Dex has :

 

1) Opcode Patcher ( what i was explained before ) Some simple tests on start up that gives you results on login Server..i mean the Auth Failed

 

2) Enigma Protector loaded on client

 

3) AES Packet crypting and to be more accurate RINJAEL (Server Side Authd made Patched by Kasha and Client Side too! Making you unable to connect to Login Server with out the System they Share)

_________________________________________________________________________________

Those 3 Things make his client really Powerfull

 

All those are confirmed after many many days and night searching on how things working on that Server and to a Similar Greek Server that closed  :( the L2Elixir

 

_________________________________________________________________________________

 

Here you can read the Share of Fyyre while talking for his clever 1st version idea of the antibot in an old Lineage Forum that now is closed:

That was firstly the antiphx.dll that some Servers are using still today...

But for Lineage.ro he did wonderfull Job or they tweaked the Code by themselves

 

 

[howto] kill hlapex/l2phx/l2walker with 3k of code

Hi,

 

On this thread smeli mentions about antihlapex. I don't know if anything like this is currently available (or for free) - but it is now.

 

This little project is an ultra simple way of keeping l2phx, hlapex, along with l2walker away from the game client.

 

First I'll say that both l2phx/hlapex depend on one import from ws2_32.dll (connect) in order to function correctly. Since both applications hook ws2_32.connect by way of a jmp at the start of the function - the solution is obvious, we need to replace their hook. The good news is that the first 12 or so bytes for ws2_32.connect is the same across all versions of Windows (yes, this works on X64 too - I tested it), so instead of patching their jmp with another jmp, we'll simply restore the original bytes of ws2_32.connect, and problem solved.

 

L2Walker is completely different - from briefly looking it in OllyDbg... walker seems to operate by calling functions inside of L2's engine itself... It installs its window hook (the home key) by directly calling a function inside of window.dll - L2Walker is really impressive actually... but also makes me wonder if the author might have 'inside information' about how Lineage II works internally, if you get my meaning.

 

Anyways, to the point... the actual bot is LineageII.dll - not the loader application L2Walker.exe - because LineageII.dll is protected with Asprotect... users of the bot can't just rename it to whatever, or Asprotect will get mad D= ... so the simple solution is to query for it with GetModuleHandleA then if we return an address... terminate the game process. I haven't been able to force unload walker's LineageII.dll without causing a GPF in the L2 game client - oh well, who cares...

 

nophx.dll works by adding it to the IAT of engine.dll and importing DllEntryPoint - since our DllEntryPoint is called quite often(no its not called only once...) its always running through the two 'anti bot' sub-routines. Now how to prevent players from just replacing our engine.dll with an older version? Nevyn gets the credit for this idea in his post here - we change the Auth key, so using an older engine.dll means you don't login.

 

Well, that's all, kill three bots with 3kb of code, and we didn't even hook outside of our own process address space (unlike some stupid kernel mode anti-cheat programs) -- I'd like to know what others think of this (if anything), or any holes you might find...

 

The .dll and its source code is attached to this thread...

 

-Fyyre

 

Fyyre here didn't thought that someone can change the name of Lineageii.dll ( L2Walker module ) because of Asprotect (back to those days Asprotect was a strong Packer)

So antiphx.dll that some servers using today are Just Searching for Lineageii.dll to block walker...

They have an alpha Version only of the Module

Fyyre is a really clever guy and he found how to unhook this dll not by name...but by patching!

 

Fyyre Helped a Lot of Private Servers and People with his Free to share Modules ( Gameguard Killer,Blowfish Patcher,Port Changer etc. ).

 

Also he Unpacked from Themida the Original L2.exe and the Engine.dll so he opened big roads for protections to be made on Private Servers

 

Hope all this Informations i am giving help you Guys

Link to comment
Share on other sites

I know i am offtopic in this thread, but you seem like a nice, SMART guy so i would like to ask u this: could u pls take a look at rpg club protection also? :(

I did...There Protections is Similar to L2Dex on detecting by patching...

You can Login with L2Walker but it is Unfunctionable

The only we can do is Unpack the Files are Protected with VMProtect and give a crack to bypass...

I can crack them for sure but i can't Release them from this Packer...

For me now is the Strongest Packer and i can not take a good working Dump file to Crack on

Link to comment
Share on other sites

So ... until u find a way to unpack their files, there is no way to get a working bot there? :(

Do u expect this to happen any time soon?

 

P.S. Happy New Years everybody!

 

It's not ubeatable but it's hard to unpack...

I know a guy named LCF-AT that knows how to unpack those shits and shares some Scripts for OllyDbg but no luck with the existing scripts...

Manual Unpacking is hard but soon we can do this for sure

Link to comment
Share on other sites

Cool coined! Reapairing original walker....really cool!

 

This is the less i done...

The point is that has a changed Proccess name and is undetectable from many Antibots :D

Link to comment
Share on other sites

  • 2 weeks later...

I think that this Server is Protected by Kasha but the only changed thing is the Blowfish...

If they payed for this they are really Jerks

This Server has not the L2.dll (AES) if there was you ll get ConnectionTimeout (Disconnect)

Like L2DEX does...hope you understand me :)

 

This Server has a packed Engine.dll with Enigma so you can't just debbug Dump etc. and find the Moded Blowfish in there...

So i think you find the blowfish while sniffing the TCP connection and you patched a clean system with Bfishy.dll and set in L2.ini IP to Localhost for redirecting the Connection on L2.NET... Am i Right??

 

Offcourse this is a low Protection for servers...and if there are Server patched like this one by Kasha there are LOL easy to break hehe

 

The point guys isn't the engine.dll packed with enigma, but l2.exe packed with Armadillo

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.




×
×
  • Create New...