pRO relaunch (EXE) xkore 0 ONLY

Posted: 13 Jul 2017, 02:13
by nkorea
Guys, I'm putting up this new topic so xkore 0 users can ask specific questions for the said config. I'm also using xkore 0 and get as far as the map server login and then get a timeout. I'm using overlight666's send and receive as well as recvpackets. If you have further updates, please add them here.

Re: pRO relaunch (EXE) xkore 0 ONLY

Posted: 13 Jul 2017, 03:41
by kali
xKore 0 won't work until the correct keys are figured out.

Until then, no amount of "tweaking" will ever make xKore 0 work. You need the keys, just like you'd need the key to a padlock.

Anyone who says otherwise is likely scamming you.

How do you know you got the correct keys? Ask them to give you the keys, and how the algorithm works. Ask them where the key was obtained from, and what are the elements that go into the key.

For example, the master_login packet has a key which is found in the ragexe. It uses the AES-256-ECB algorithm, and is a symmetrical cipher. I don't have the time yet to post the full explanation (maybe this weekend), but we're already using it in a test branch (which I believe many have been copying without really understanding what's going on).

The reason why the team hasn't released anything yet is because there's no easily reproducible and automated way to get those keys. It makes no sense to release something now and then have users either get banned (because the keys get changed the next maintenance) or break their software again (which brings us back to the beginning, and even worse because now people stop playing the game after having been addicted to botting).

I'm not here to argue so if you don't agree, that's up to you.

Re: pRO relaunch (EXE) xkore 0 ONLY

Posted: 13 Jul 2017, 05:18
by nkorea
I already have xkore 0 working up to the map login. master_login 0A76 should be set correctly at /src/Network/send/pRO and yes, it sends 80 bytes with the encrypted password correctly. Some have already gone further than this. Others are stuck with the send_move parser. I'll take your word for it that it's AES; I took a peek with the mod and it sends an MD5 hash if master_login is set. Somehow we can log in with it and get the server and character list.

Re: pRO relaunch (EXE) xkore 0 ONLY

Posted: 13 Jul 2017, 23:20
by cchotshot
Hi nkorea, can you share your work here so we can start debugging, discuss the problem and solve it? Thanks.

Re: pRO relaunch (EXE) xkore 0 ONLY

Posted: 15 Jul 2017, 10:39
by omniro
Yup, the only problem here is that we don't work with the same files; how can we help each other if the files aren't shared? Just a cent.

Re: pRO relaunch (EXE) xkore 0 ONLY

Posted: 15 Jul 2017, 11:29
by supportski
kali wrote: xKore 0 won't work until the correct keys are figured out.

Until then, no amount of "tweaking" will ever make xKore 0 work. You need the keys, just like you'd need the key to a padlock.

Anyone who says otherwise is likely scamming you.

How do you know you got the correct keys? Ask them to give you the keys, and how the algorithm works. Ask them where the key was obtained from, and what are the elements that go into the key.

For example, the master_login packet has a key which is found in the ragexe. It uses the AES-256-ECB algorithm, and is a symmetrical cipher. I don't have the time yet to post the full explanation (maybe this weekend), but we're already using it in a test branch (which I believe many have been copying without really understanding what's going on).

The reason why the team hasn't released anything yet is because there's no easily reproducible and automated way to get those keys. It makes no sense to release something now and then have users either get banned (because the keys get changed the next maintenance) or break their software again (which brings us back to the beginning, and even worse because now people stop playing the game after having been addicted to botting).

I'm not here to argue so if you don't agree, that's up to you.
Has the direction changed from using something like Poseidon and directly making calls to CDClient.dll?

Also, ECB would imply a block cipher, correct? Have you noticed that packets are being padded up to the block size? I ran a couple of captures in-game and I saw packets of length 10. I believe that AES always works on a 16-byte block size, so I think that maybe that's not what's being used?

Unless it's a different algorithm for master_login and the encrypted in-game traffic. In-game, it seems to be a stream cipher.

Re: pRO relaunch (EXE) xkore 0 ONLY

Posted: 15 Jul 2017, 12:11
by kali
Yes they are different. The ones in-game are a lot more complex.

Re: pRO relaunch (EXE) xkore 0 ONLY

Posted: 15 Jul 2017, 13:18
by supportski
kali wrote: Yes they are different. The ones in-game are a lot more complex.
Got it. Thanks.

Has anybody found anything out yet regarding CDClient.dll? I'll gladly throw an application together to MITM and delegate through to the dll, but a quick disassembly gave me a list of ordinals and that's about where my IDA skills end.

Knowing how the client uses the DLL exactly is going to be key. If we can use it, we will be set.

Re: pRO relaunch (EXE) xkore 0 ONLY

Posted: 16 Jul 2017, 00:31
by kali
supportski wrote:
kali wrote: Yes they are different. The ones in-game are a lot more complex.
Got it. Thanks.

Has anybody found anything out yet regarding CDClient.dll? I'll gladly throw an application together to MITM and delegate through to the dll, but a quick disassembly gave me a list of ordinals and that's about where my IDA skills end.

Knowing how the client uses the DLL exactly is going to be key. If we can use it, we will be set.
This is also where we are at :( We know the entrypoints, but not the actual calls into the dll. That's what we're trying to figure out now.

Re: pRO relaunch (EXE) xkore 0 ONLY

Posted: 16 Jul 2017, 03:14
by Khunpon
Hello,
the maintainers of Safengine feel obliged to provide you this information to assist your understanding of our CheatDefender product.
http://www.safengine.com/download/cd_demo.zip