ever_boy_ wrote:Kore only needs the sequence of digits, which would be something like:
06000503010907040802
This is what we get from the asm function. Then, we gotta make code that, based on this sequence and the player's PIN code, will generate the encrypted bytes.
Well, just add a new configuration in config.txt within the Login options and server-specific options, or use the same space as loginPinCode (despite each being a very different mode of operation, the final functionality is the same).
bRO's client asking for PIN Code on log in
Re: bRO's client asking for PIN Code on log in
Last edited by Kaspy on 14 Dec 2012, 14:14, edited 4 times in total.
Re: bRO's client asking for PIN Code on log in
Kurama wrote:we need a chat or anything like that
#openkore channel (linked from openkore.com) is not good enough?
Re: bRO's client asking for PIN Code on log in
KeplerBR wrote:Well, just add a new configuration in config.txt within the Login options and server-specific options, or use the same space as loginPinCode (despite each being a very different mode of operation, the final functionality is the same).
I think you didn't get it: in order to get this into config.txt, first I need to extract these values from the asm function, either by writing it in Perl or by importing the function's output into Perl.
But I don't know how to do that.
Re: bRO's client asking for PIN Code on log in
Edit
Forget what I said, it's not a good solution, because even if he could interpret everything in Perl, it would still have to fix the stack.
Last edited by Kaspy on 14 Dec 2012, 14:49, edited 3 times in total.
Re: bRO's client asking for PIN Code on log in
@ever_boy_ : I don't have good English, but I know a little about macros; without using @eval and those things, I just know the more common ones like "do", "location" etc. Is there something I can do now to help you? I don't like to just sit and watch you working.
Re: bRO's client asking for PIN Code on log in
Here's the asm function:
IDA:
http://pastebin.com/S1CfshTN
Olly:
http://i48.tinypic.com/vo02ed.png
Right now I'm moving the code I've been working with, from ServerType0.pm into bRO.pm.
We need to find a way to either translate this into Perl, or import its output into Perl, so that I can code the sequence of digits into proper bytes to be sent in packet 08B8. That's the only thing left to be done so that Kore is up to date on bRO again, and I don't know how to do that.
Actually, I can already log in my bots, even though it sucks to input every PIN manually, every time I have to log in. So, if there's anyone out there who cares to help a bit, it would be easier for everyone.
Re: bRO's client asking for PIN Code on log in
ever_boy_ wrote:Here's the asm function:
IDA:
http://pastebin.com/S1CfshTN
Olly:
http://i48.tinypic.com/vo02ed.png
Right now I'm moving the code I've been working with, from ServerType0.pm into bRO.pm.
We need to find a way to either translate this into Perl, or import its output into Perl, so that I can code the sequence of digits into proper bytes to be sent in packet 08B8. That's the only thing left to be done so that Kore is up to date on bRO again, and I don't know how to do that.
Actually, I can already log in my bots, even though it sucks to input every PIN manually, every time I have to log in. So, if there's anyone out there who cares to help a bit, it would be easier for everyone.
OK, there is one thing there that I know for 100%: it's the "seed" that mutates the answer. At least it was designed for that.
packets here:
Code:
// packet: 0x8b7
// len: 10
struct PACKET_HC_SECOND_PASSWD_REQ {
/* this+0x0 */ short PacketType
/* this+0x2 */ unsigned long AID
/* this+0x6 */ unsigned long Seed
}
// packet: 0x8b8
// len: 12
struct PACKET_CH_SECOND_PASSWD_ACK {
/* this+0x0 */ short PacketType
/* this+0x2 */ unsigned long AID
/* this+0x6 */ char SecondPWIdx[6]
}
// packet: 0x8b9
// len: 4
struct PACKET_HC_SECOND_PASSWD_LOGIN {
/* this+0x0 */ short PacketType
/* this+0x2 */ unsigned short Result
}
// packet: 0x8ba
// len: 16
struct PACKET_CH_MAKE_SECOND_PASSWD {
/* this+0x0 */ short PacketType
/* this+0x2 */ unsigned long AID
/* this+0x6 */ unsigned long Seed
/* this+0xa */ char SecondPWIdx[6]
}
// packet: 0x8bb
// len: 4
struct PACKET_HC_MAKE_SECOND_PASSWD {
/* this+0x0 */ short PacketType
/* this+0x2 */ unsigned short Result
}
// packet: 0x8bc
// len: 16
struct PACKET_CH_DELETE_SECOND_PASSWD {
/* this+0x0 */ short PacketType
/* this+0x2 */ unsigned long AID
/* this+0x6 */ unsigned long Seed
/* this+0xa */ char SecondPWIdx[6]
}
// packet: 0x8bd
// len: 4
struct PACKET_HC_DELETE_SECOND_PASSWD {
/* this+0x0 */ short PacketType
/* this+0x2 */ unsigned short Result
}
// packet: 0x8be
// len: 16
struct PACKET_CH_EDIT_SECOND_PASSWD {
/* this+0x0 */ short PacketType
/* this+0x2 */ unsigned long AID
/* this+0x6 */ unsigned long Seed
/* this+0xa */ char SecondPWIdx[6]
}
// packet: 0x8bf
// len: 4
struct PACKET_HC_EDIT_SECOND_PASSWD {
/* this+0x0 */ short PacketType
/* this+0x2 */ unsigned short Result
}
== Edit.
the CharacterInfo struct:
Code:
struct CHARACTER_INFO {
/* this+0x0 */ unsigned long GID
/* this+0x4 */ int exp
/* this+0x8 */ int money
/* this+0xc */ int jobexp
/* this+0x10 */ int joblevel
/* this+0x14 */ int bodystate
/* this+0x18 */ int healthstate
/* this+0x1c */ int effectstate
/* this+0x20 */ int virtue
/* this+0x24 */ int honor
/* this+0x28 */ short jobpoint
/* this+0x2a */ int hp
/* this+0x2e */ int maxhp
/* this+0x32 */ short sp
/* this+0x34 */ short maxsp
/* this+0x36 */ short speed
/* this+0x38 */ short job
/* this+0x3a */ short head
/* this+0x3c */ short weapon
/* this+0x3e */ short level
/* this+0x40 */ short sppoint
/* this+0x42 */ short accessory
/* this+0x44 */ short shield
/* this+0x46 */ short accessory2
/* this+0x48 */ short accessory3
/* this+0x4a */ short headpalette
/* this+0x4c */ short bodypalette
/* this+0x4e */ unsigned char[0x18] name
/* this+0x66 */ unsigned char Str
/* this+0x67 */ unsigned char Agi
/* this+0x68 */ unsigned char Vit
/* this+0x69 */ unsigned char Int
/* this+0x6a */ unsigned char Dex
/* this+0x6b */ unsigned char Luk
/* this+0x6c */ unsigned char CharNum
/* this+0x6d */ unsigned char haircolor
/* this+0x6e */ short bIsChangedCharName
/* this+0x70 */ int nRobe
}
// Or this one:
struct CHARACTER_INFO_NEO {
/* this+0x0 */ unsigned long GID
/* this+0x4 */ int exp
/* this+0x8 */ int money
/* this+0xc */ int jobexp
/* this+0x10 */ int joblevel
/* this+0x14 */ int bodystate
/* this+0x18 */ int healthstate
/* this+0x1c */ int effectstate
/* this+0x20 */ int virtue
/* this+0x24 */ int honor
/* this+0x28 */ short jobpoint
/* this+0x2a */ int hp
/* this+0x2e */ int maxhp
/* this+0x32 */ short sp
/* this+0x34 */ short maxsp
/* this+0x36 */ short speed
/* this+0x38 */ short job
/* this+0x3a */ short head
/* this+0x3c */ short weapon
/* this+0x3e */ short level
/* this+0x40 */ short sppoint
/* this+0x42 */ short accessory
/* this+0x44 */ short shield
/* this+0x46 */ short accessory2
/* this+0x48 */ short accessory3
/* this+0x4a */ short headpalette
/* this+0x4c */ short bodypalette
/* this+0x4e */ unsigned char[0x18] name
/* this+0x66 */ unsigned char Str
/* this+0x67 */ unsigned char Agi
/* this+0x68 */ unsigned char Vit
/* this+0x69 */ unsigned char Int
/* this+0x6a */ unsigned char Dex
/* this+0x6b */ unsigned char Luk
/* this+0x6c */ unsigned char CharNum
/* this+0x6d */ unsigned char haircolor
/* this+0x6e */ int nRobe
}
struct CHARACTER_INFO_NEO_UNION {
CHARACTER_INFO_NEO, offset = 0x0
/* this+0x72 */ short bIsChangedCharName
}
Re: bRO's client asking for PIN Code on log in
A user posted this before:
Kurama wrote:
first digit -> second digit
Whenever we log in to the account server, we get this seed along with packet 08B9, which indicates the numbers' position on the PIN screen.
This user was able to reproduce the numbers' position using Olly's functionality, by passing 08B9's seed as arguments (the 4 bytes in the packet), and it successfully gave us the right numbers' positions for a given seed.
But now we need to find a way to translate this into Perl, so that Kore can execute this same function. Or is there another way?
In the picture above, if we type the PIN code 1111, the client will send to the server -> 32 32 32 32
If we type in 7777, the client will send to the server -> 34 34 34 34
And so on.
edit:
Example: seed 1B 7F C4 0B gives this result: 06 00 09 04 07 01 03 05 02 08
which matches the PIN numbers' position for that given seed:
6 0 9
4 7 1
3 5 2
8
edit2:
does that 'sub pin_encode' in Utils.pm work in this case?
Re: bRO's client asking for PIN Code on log in
ever_boy_ wrote:edit:
Example: seed 1B 7F C4 0B gives this result: 06 00 09 04 07 01 03 05 02 08
which matches the PIN numbers' position for that given seed:
6 0 9
4 7 1
3 5 2
8
edit2:
does that 'sub pin_encode' in Utils.pm work in this case?
So the "Seed" changes the image only? Or the sent packet too? If it changes, then it's a new algo. If not, then it should be something simple.
The "pin_encode" was made for the old LoginPin codes, when they were first used; it was also used for the PIN code on Kafra.
Edit: You can just place a BP on the part of the "case" that forms and sends the packet. That way you can check which functions transmute the PIN code itself, and what is used as input.
Re: bRO's client asking for PIN Code on log in
kLabMouse wrote:So the "Seed" changes the image only? Or the sent packet too?
Here's a received packet:
Code:
08 B9 1B 7F C4 0B XX XX XX XX 01 00
and the last 2 bytes are the FLAG.
The 4 bytes after the packet ID (1B 7F C4 0B) are the seed, which determines the PIN numbers' position on the screen. In this case, it would be:
Code:
6 0 9
4 7 1
3 5 2
8
Now, when we send the PIN code (for example 7777) to the server, the packet looks like this:
Code:
08 B8 XX XX XX XX 34 34 34 34
Code:
30(6) 31(0) 32(9)
33(4) 34(7) 35(1)
36(3) 37(5) 38(2)
39(8)
So, we have the fixed positions, which are sent within the packet (30 - 39), and we have the real digits (0 - 9). When we click on a digit, the client sends the position (34) instead of the digit itself (7).
kLabMouse wrote:Edit: You can just place a BP on the part of the "case" that forms and sends the packet. That way you can check which functions transmute the PIN code itself, and what is used as input.
What BP?
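The position mapping described above, as an added Perl example that is not OpenKore's code: it turns a PIN into the position bytes for packet 08B8 given a digit layout, and does the reverse, which shows that whoever captures both the 08B9 seed's layout and the 08B8 bytes gets the PIN back. The seed-to-layout asm function is not reproduced here; the layout string is the sample quoted in the thread, and the function names are mine.

```perl
#!/usr/bin/perl
# Added example, not OpenKore code. Maps a PIN to the position bytes the
# client puts in packet 08B8, given the digit layout the client derives
# from the 08B9 seed. The seed-to-layout asm function is NOT reproduced;
# the layout string used below is the constructed sample from the thread.
use strict;
use warnings;

# Accepts either spelling used in the thread: "06 00 09 04 ..." or
# "06000503010907040802". Keypad position 0x30+$i holds digit $layout[$i].
sub parse_layout {
    my ($seq) = @_;
    $seq =~ s/\s+//g;
    my @layout = map { hex } $seq =~ /(..)/g;
    die "layout must contain each digit 0-9 exactly once\n"
        unless join('', sort @layout) eq '0123456789';
    return \@layout;
}

# Inverse table: digit -> position byte (0x30 .. 0x39).
sub positions_for {
    my ($layout) = @_;
    my %pos;
    $pos{ $layout->[$_] } = 0x30 + $_ for 0 .. 9;
    return \%pos;
}

# PIN digits -> the SecondPWIdx bytes a client would send in 08B8.
sub encode_pin {
    my ($pin, $layout) = @_;
    die "PIN must be decimal digits\n" unless $pin =~ /^\d+$/;
    my $pos = positions_for($layout);
    return join '', map { chr $pos->{$_} } split //, $pin;
}

# Reverse direction: with the 08B9 layout and the 08B8 bytes in hand the
# PIN falls out directly. The shuffled keypad only hides the digit from a
# naive keylogger; the PIN is not encrypted on the wire by this step.
sub decode_positions {
    my ($bytes, $layout) = @_;
    die "position bytes must be 0x30..0x39\n" unless $bytes =~ /^[0-9]+$/;
    return join '', map { $layout->[ ord($_) - 0x30 ] } split //, $bytes;
}

my $layout = parse_layout('06 00 09 04 07 01 03 05 02 08');  # 6 0 9 / 4 7 1 / 3 5 2 / 8
my $sent   = encode_pin('7777', $layout);
printf "7777 -> %s\n", join ' ', map { sprintf '%02X', ord($_) } split //, $sent;
printf "recovered PIN: %s\n", decode_positions($sent, $layout);
```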