Legacy V3 | Bot + Encryption bypass |

Aris
Noob
Noob
Posts: 8
Joined: 10 Apr 2008, 00:01
Noob?: No
Location: Toronto, Ontario, Canada

Re: Legacy V3 | Bot + Encryption bypass |

#11 Post by Aris »

i think removing the encrypted packets would be kinda like playing with the old client eh?
hi, you are banned.

olivers
Noob
Noob
Posts: 3
Joined: 05 May 2008, 11:53
Noob?: No

Re: Legacy V3 | Bot + Encryption bypass |

#12 Post by olivers »

I'm guessing the server only accepts encrypted packets. I'd follow tsuki's method and have kore send packets to the encryption process rather than the server itself.

Mushroom
Perl Monk
Perl Monk
Posts: 427
Joined: 04 Apr 2008, 14:04
Noob?: No
Location: Brazil

Re: Legacy V3 | Bot + Encryption bypass |

#13 Post by Mushroom »

Hey Aris, didn't you say that you got a working client??
Well, I was looking at the (un)supported private server list, and there was one with the same anti-bot, but no way for kore to connect.
They have an unknown type of antibot, encrypted client and files. Kore doesn't work on this server.
or
This server has a strong self-made packet encryption based on dynamic tables and its own server emulator based on jAthena. So if you try to run OpenKore, you can receive a ban for your account, IP address or your hardware ID (MAC address of your network card; the login packet sends your MAC).
Maybe this is what we have here in Legacy. But both still aren't supported ''/
Quit.

Aris
Noob
Noob
Posts: 8
Joined: 10 Apr 2008, 00:01
Noob?: No
Location: Toronto, Ontario, Canada

Re: Legacy V3 | Bot + Encryption bypass |

#14 Post by Aris »

no.

if you're wondering, lro uses harmony...
hi, you are banned.

Barracks
Human
Human
Posts: 23
Joined: 19 Apr 2008, 13:00

Re: Legacy V3 | Bot + Encryption bypass |

#15 Post by Barracks »

Most of us have unpacked the .exe; it consists of harmony.dll, valour.dll and sakexe.exe. I'm currently experimenting with editing strings atm, will try other things soon. Anyone who is willing to HELP with this should come into IRC more. Keep in mind some people that come in may or may not be LRO staff, but brainstorming is a + anyway.

Kees
Noob
Noob
Posts: 14
Joined: 19 Apr 2008, 11:10

Re: Legacy V3 | Bot + Encryption bypass |

#16 Post by Kees »

cough ^_^

Whocares
Noob
Noob
Posts: 1
Joined: 06 May 2008, 23:19
Noob?: Yes

Re: Legacy V3 | Bot + Encryption bypass |

#17 Post by Whocares »

anyone got modified version of wpe please?

Kees
Noob
Noob
Posts: 14
Joined: 19 Apr 2008, 11:10

Re: Legacy V3 | Bot + Encryption bypass |

#18 Post by Kees »

To elaborate more on this molebox unpacking thing, I asked someone to do it for us.
What he said was this.
You're saying harmony prevents apps from injecting something?
It's only 50 kb and exports a function called _dummyfunc which does nothing but

Code:

PUSH EBP
MOV EBP,ESP
POP EBP
RETN

Anyway, it is not actually bound to the import table (not from what I've seen so far anyway), so without explicitly loading it, it won't be executed.

I found the dll patching the main exe's import table to reroute GetProcAddress and some ws2_32.dll address to an address inside the dll from within its entrypoint.

If the program actually needs that dll, it looks like you've got to add a new section and do LoadLibrary on it, otherwise it won't get loaded.

The second dll isn't really a dll, I guess he thought he's uberly smart adding .dll to the file name :mrgreen:
To download the unpacked version:

Code:

http://www.zshare.net/download/1162500488692bd6/

Took me a lot of time to find someone as nice as him.. lol... :/

Barracks
Human
Human
Posts: 23
Joined: 19 Apr 2008, 13:00

Re: Legacy V3 | Bot + Encryption bypass |

#19 Post by Barracks »

Here's another mirror, which I find faster.

http://www.megaupload.com/?d=EA6QS155

Still credit to Kees.

hal9000
Noob
Noob
Posts: 9
Joined: 04 Apr 2008, 10:20

Re: Legacy V3 | Bot + Encryption bypass |

#20 Post by hal9000 »

The whole real code is in the DllMain(x,x,x)

Code:

BOOL __stdcall DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)

_dummyfunc does nothing :)

and valour.dll's header is:

Code:

4d 61 73 74 65 72 20 6f 66 20 4d 61 67 69 63  Master of Magic

so it's a grf

In harmony.dll there are some chunks of data; it imports connect() and send() from the winsock library and redirects these calls to its own functions :) It's a very simple method to inject and redirect system calls in a piece of software. It's something like the RoApp no-SP-teleport thing.
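The two file identifications above (valour.dll being a GRF archive behind a .dll name, harmony.dll being a real PE image) come down to header bytes. The following is an added example, not code from this thread or from any poster, that triages a blob the same way an analyst would before trusting its extension: it checks for the "Master of Magic" GRF signature and validates a real PE by following e_lfanew to the "PE\0\0" signature. The sample inputs are constructed inline, not real files.

```python
import struct

# GRF archive signature, as shown in the hex dump of valour.dll's header
GRF_MAGIC = b"Master of Magic"


def identify_file(data: bytes) -> str:
    """Classify a blob by its header bytes rather than by its file name.

    Returns 'grf' for a GRF archive (e.g. one renamed to .dll), 'pe' for a
    real Win32 image (MZ stub plus a valid 'PE\\0\\0' signature), 'mz-only'
    for an MZ header whose PE signature is missing or out of bounds, and
    'unknown' for anything else.
    """
    if data.startswith(GRF_MAGIC):
        return "grf"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # e_lfanew at offset 0x3C gives the file offset of the PE signature
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-only"
    return "unknown"


def imports_winsock(data: bytes) -> bool:
    """Cheap triage check: does the image name the winsock DLL at all?
    A real parser would walk the import directory; the string scan only
    flags candidates for closer inspection."""
    return b"ws2_32.dll" in data.lower()


# Constructed samples (not real files): a GRF disguised as a DLL, a minimal
# PE skeleton whose e_lfanew points at 'PE\0\0' at offset 0x40, and junk.
FAKE_DLL_GRF = GRF_MAGIC + b"\x00" * 31
MINIMAL_PE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
              + b"PE\x00\x00" + b"\x00" * 20 + b"WS2_32.dll\x00")
JUNK = b"not a header at all"
```

Run `identify_file` over each dropped file in the unpacked bundle and treat any mismatch between extension and result as a reason to inspect the file further.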
