mylove1412 Posted February 9, 2008: I found another way for l2phx to work with the Bake-Ice loader. When you press Start, go and run l2phx, and add "gameguard.des" to the program list. But we have a problem: some servers change the login port to 2110 or something else different from 2106, and then l2phx can't get the packets. Can anyone fix it? Maybe you need to open the l2phx source and change something (I can't do that, I don't know Delphi, I don't know how to compile... blah blah). Thanks for reading, I'm waiting for a reply.
ADAL13 Posted February 9, 2008: Most of the Bake-Ice servers change the login port to 9998, but what you said may work. Unfortunately I don't have enough Delphi knowledge to do that :(
hitaiwan666 Posted February 9, 2008: I thought you can't even open it while the Bake-Ice loader is running; one of the two will crash. I believe it's not the port, it's the injection part that Bake-Ice detects.
queijo Posted February 9, 2008: I could use WPE with a Bake-Iced server. I saw the packets, and their first bytes are the same as with l2phx, but the rest is encrypted. If someone could decrypt it, I think WPE would work xD
knoxville Posted February 12, 2008: Maybe this topic can be very interesting, don't let it die. I am looking at what analysis could be done with the information provided by mylove1412.
mylove1412 (Author) Posted February 14, 2008: I can decrypt the packets that were encrypted. But our l2phx can't sniff the packets, because l2phx doesn't read packets from other ports. P.S. I will share all the exploits I know with whoever helps with this plan, because if l2phx is dead, almost all exploits are useless. Thanks for reading.
Topa Posted February 15, 2008: This sounds interesting, but not too many people are really into it :/
queijo Posted February 15, 2008: Quoting mylove1412: "I can decrypt the packets that were encrypted. But our l2phx can't sniff the packets, because l2phx doesn't read packets from other ports. P.S. I will share all the exploits I know with whoever helps with this plan, because if l2phx is dead, almost all exploits are useless. Thanks for reading."

How can you decrypt and encrypt packets? Could you please tell us? If it is possible, then we can use other packet senders, for example WPE...
mylove1412 (Author) Posted February 15, 2008: The packets are encrypted by a formula. I just used my brain to find the formula. Maybe the formula I found isn't exactly 100% right, but it's enough to exploit like a standard packet.
foxer Posted February 18, 2008: No matter what, no matter how, if you post that hack and it works, it will fall into the wrong hands somehow. I don't have a lot of posts, but that doesn't mean I am stupid, as someone mentioned before; I have lots of things to do other than burning time on the forum. And I don't think anyone has the right to ban whoever he wants just because he thinks some players are retards and they annoy him; only the GM of the server does. And finally, don't forget... it's just a game... JUST A GAME...
anath3ma Posted February 18, 2008: So the program can't sniff packets and you need a version with port selection. Hmm, it's not easy to get a clear view of the program's source; maybe you can recover 50% of the program source. You must have a good decompiler, and maybe view 90% of the source. To make this program work on those ports, winsock handling must be modified and some lines of code must be added.
mylove1412 (Author) Posted February 18, 2008: Quoting anath3ma: "So the program can't sniff packets and you need a version with port selection. Hmm, it's not easy to get a clear view of the program's source; maybe you can recover 50% of the program source. You must have a good decompiler, and maybe view 90% of the source. To make this program work on those ports, winsock handling must be modified and some lines of code must be added."

But we have the l2phx source :|
Blitztrager Posted February 18, 2008: http://forum.coderx.ru/uploads/l2phx_src_320.rar - here you are, the source for l2phx 3.2.0 from the original site.
anath3ma Posted February 18, 2008: I have checked the sources again and again and again. The program doesn't ignore ports or use particular ports, and it has no problem with ports, because it uses the port of whatever program you add. What I mean is that the program injects into the selected app and receives the remote address and port. I have tested it with other applications; I made a small client/server system to test it, and I also tested it on the WoW client. Look at this (the tool's log, translated from Russian):

New client patched: wow.exe (1872) <------- application ID
Intercepted connect to 127.0.0.1:1208
Intercepted connect to 80.239.186.34:80 <------- this is bypass
New connection created - 0 <------- this is bypass
Intercepted connect to 127.0.0.1:1210 <------- this is bypass
Intercepted connect to 80.239.178.130:80 <------- this is bypass
Intercepted connect to 127.0.0.1:1213 <------- this is bypass
Intercepted connect to 127.0.0.1:1215 <------- this is bypass
New connection created - 1
Connection 0 dropped
Intercepted connect to 195.70.35.147:3724 <------ WoW port
New connection created - 0
Connection 0 dropped
Intercepted connect to 195.70.35.147:3724 <------ WoW port
New connection created - 0

I'm 100% sure that's your problem, and I think you mustn't add gameguards or unknown formats to the program, BECAUSE THE PROGRAM CAN'T INJECT INTO THOSE TYPES.
MrAnderson Posted February 29, 2008: l2phx works like this: it targets l2.exe, gets the keys used for encryption when the client and the server first connect, then uses those to encrypt/decrypt the packets and makes l2.exe send the packets that were modified (all of this is done by injecting a DLL module into the EXE's memory and hooking the API functions that actually do the work; the injected module is then driven from l2phx). If l2phx can't read the packets, it's just because it can't inject the DLL into the targeted module, or because the DLL can't hook the APIs (there are several ways to deny API hooking). No port problems. Anyway, there could be a way to find the encryption/decryption keys without sniffing them at the start. If there is ANY packet sent by the client for which we already know the plaintext form, and it's actually always the same packet (which I believe is not possible), we could just compute the keys by reversing the algorithm (you know the plaintext form and the encrypted form -> you can find the key 90% of the time). GL trying this though...
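The known-plaintext key recovery that MrAnderson sketches above (and the "formula" mylove1412 mentions earlier), as an added example; this is not code from the thread or from l2phx. The cipher it attacks is an assumed toy stand-in: a chained per-byte XOR with an 8-byte key whose first four bytes advance by the packet length after every packet. Whether the real server's cipher looks like this is not something the thread establishes, so the key bytes, the "always the same" opener packet and the secret packet are all constructed for the demo.

```python
"""Known-plaintext key recovery against a chained-XOR packet cipher.

Added example, not code from l2phx or from the thread. The cipher is an
ASSUMED toy model of an L2-style packet cipher, not the real one:
    c[i] = p[i] ^ key[i % KEY_LEN] ^ c[i-1]      (with c[-1] = 0)
and after every packet the first four key bytes, read as a little-endian
uint32, are advanced by the packet length so the key stream moves on.
"""

KEY_LEN = 8


def advance_key(key: bytearray, packet_len: int) -> None:
    """Mutate key in place: key[0:4] (little-endian uint32) += packet_len."""
    v = int.from_bytes(key[:4], "little")
    key[:4] = ((v + packet_len) & 0xFFFFFFFF).to_bytes(4, "little")


def xor_crypt(data: bytes, key: bytearray, encrypt: bool) -> bytes:
    """Encrypt or decrypt one packet; advances `key` as a real peer would."""
    out = bytearray(len(data))
    prev = 0  # previous ciphertext byte
    for i, b in enumerate(data):
        out[i] = b ^ key[i % KEY_LEN] ^ prev
        prev = out[i] if encrypt else b
    advance_key(key, len(data))
    return bytes(out)


def recover_key(known_plain: bytes, captured_cipher: bytes) -> bytearray:
    """Derive the session key from one packet whose plaintext is known.

    Because c[i] = p[i] ^ k[i] ^ c[i-1], each key byte is simply
    k[i] = c[i] ^ p[i] ^ c[i-1]; one packet of at least KEY_LEN bytes
    yields the whole key. The result is advanced by the packet length so
    it is in sync with the peer's key for the *next* packet.
    """
    if len(known_plain) < KEY_LEN or len(known_plain) != len(captured_cipher):
        raise ValueError("need at least KEY_LEN bytes of matching plain/cipher")
    key = bytearray(KEY_LEN)
    prev = 0
    for i in range(KEY_LEN):
        key[i] = captured_cipher[i] ^ known_plain[i] ^ prev
        prev = captured_cipher[i]
    # Check the guess against the whole packet before trusting it: if the
    # cipher is not this model, the tail bytes will not line up.
    if xor_crypt(known_plain, bytearray(key), encrypt=True) != captured_cipher:
        raise ValueError("known plaintext does not fit this cipher model")
    advance_key(key, len(known_plain))
    return key


def demo() -> bool:
    """Constructed session: the attacker sees c1 and c2 and guesses p1 only."""
    client_key = bytearray(b"\x13\x37\xca\xfe\xde\xad\xbe\xef")  # constructed
    # Constructed "always the same" opener (opcode + version + padding).
    p1 = bytes([0x0E, 0x01, 0x00, 0x00, 0x00]) + b"\x00" * 7
    p2 = b"\x1b" + b"secret-command"  # constructed second packet
    c1 = xor_crypt(p1, client_key, encrypt=True)
    c2 = xor_crypt(p2, client_key, encrypt=True)
    # Attacker: recover from (p1, c1), then read c2 without ever sniffing the key.
    attacker_key = recover_key(p1, c1)
    return xor_crypt(c2, attacker_key, encrypt=False) == p2


if __name__ == "__main__":
    print("recovered key decrypts the next packet:", demo())
```

The caveat from the post carries over: this only works because the first packet's plaintext is fixed and the cipher is a reversible per-byte XOR. If the opener carries a random field or the cipher is not linear in the key, the consistency check in recover_key raises instead of handing back a wrong key, which is the behaviour you want before you start injecting traffic with it.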