bRO's client asking for PIN Code on log in

Kaspy
Halfway to Eternity
Posts: 398
Joined: 08 Jun 2012, 15:42
Noob?: No
Location: Brazil

Re: bRO's client asking for PIN Code on log in

#101 Post by Kaspy »

ever_boy_ wrote:Kore only needs the sequence of digits, which would be something like:

06000503010907040802

This is what we get from the asm function. Then we have to write code that, based on this sequence and the player's PIN code, generates the encrypted bytes.
Well, just add a new configuration in config.txt within the Login options and server-specific options, or reuse the same field as loginPinCode (although each one's mode of operation is very different, the final functionality is the same).
Last edited by Kaspy on 14 Dec 2012, 14:14, edited 4 times in total.

EternalHarvest
Developers
Posts: 1798
Joined: 05 Dec 2008, 05:42
Noob?: Yes

Re: bRO's client asking for PIN Code on log in

#102 Post by EternalHarvest »

Kurama wrote:we need a chat or anything like that
#openkore channel (linked from openkore.com) is not good enough?

ever_boy_
Developers
Posts: 308
Joined: 06 Jul 2012, 13:44
Noob?: No

Re: bRO's client asking for PIN Code on log in

#103 Post by ever_boy_ »

KeplerBR wrote:Well, just add a new configuration in config.txt within the Login options and server-specific options, or reuse the same field as loginPinCode (although each one's mode of operation is very different, the final functionality is the same).
I think you didn't get it: in order to get this into config.txt, first I need to extract these values from the asm function, either by writing it in Perl or by importing the function's output into Perl.
But I don't know how to do that.

Kaspy
Halfway to Eternity
Posts: 398
Joined: 08 Jun 2012, 15:42
Noob?: No
Location: Brazil

Re: bRO's client asking for PIN Code on log in

#104 Post by Kaspy »

Edit
Forget what I said, it is not a good solution, because even if he could interpret everything in Perl, it would still have to fix the stack.
Last edited by Kaspy on 14 Dec 2012, 14:49, edited 3 times in total.

nizdi
Human
Posts: 26
Joined: 19 Oct 2012, 23:31
Noob?: No

Re: bRO's client asking for PIN Code on log in

#105 Post by nizdi »

@ever_boy_ : I don't have good English and I don't know anything beyond macros, and without using @eval and that stuff I only know the more common ones like "do", "location" and so on. Is there anything I can do now to help? I don't like being a leech.

@ever_boy_ : I don't have good English, but I know a little about macros, though without using @eval and those things; I just know the more common ones like "do", "location", etc. Is there something I can do now to help you? I don't like to just sit and watch you working.

ever_boy_
Developers
Posts: 308
Joined: 06 Jul 2012, 13:44
Noob?: No

Re: bRO's client asking for PIN Code on log in

#106 Post by ever_boy_ »

Here's the asm function:

IDA:
http://pastebin.com/S1CfshTN

Olly:
http://i48.tinypic.com/vo02ed.png


Right now I'm moving the code I've been working with from ServerType0.pm into bRO.pm.
We need to find a way to either translate this into Perl, or import its output into Perl, so that I can encode the sequence of digits into the proper bytes to be sent in packet 08B8. That's the only thing left to be done for kore to be up to date on bRO again, and I don't know how to do that.
Actually, I can already log my bots in, even though it sucks to input every PIN manually every time I have to log in. So, if there's anyone out there who cares to help a bit, it would be easier for everyone.

kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: bRO's client asking for PIN Code on log in

#107 Post by kLabMouse »

ever_boy_ wrote:Here's the asm function:

IDA:
http://pastebin.com/S1CfshTN

Olly:
http://i48.tinypic.com/vo02ed.png


Right now I'm moving the code I've been working with from ServerType0.pm into bRO.pm.
We need to find a way to either translate this into Perl, or import its output into Perl, so that I can encode the sequence of digits into the proper bytes to be sent in packet 08B8. That's the only thing left to be done for kore to be up to date on bRO again, and I don't know how to do that.
Actually, I can already log my bots in, even though it sucks to input every PIN manually every time I have to log in. So, if there's anyone out there who cares to help a bit, it would be easier for everyone.
OK. There is one thing there that I know 100%: it's the "seed" that mutates the answer. At least it was designed for that.
packets here:

Code:

// Note: "unsigned long" is 4 bytes in the 32-bit client; pack(1) keeps the
// offsets in the comments valid (no padding between fields).
#pragma pack(push, 1)

// packet: 0x8b7
// len: 10
struct PACKET_HC_SECOND_PASSWD_REQ {
  /* this+0x0 */ short PacketType;
  /* this+0x2 */ unsigned long AID;
  /* this+0x6 */ unsigned long Seed;
};

// packet: 0x8b8
// len: 12
struct PACKET_CH_SECOND_PASSWD_ACK {
  /* this+0x0 */ short PacketType;
  /* this+0x2 */ unsigned long AID;
  /* this+0x6 */ char SecondPWIdx[6];
};

// packet: 0x8b9
// len: 4
struct PACKET_HC_SECOND_PASSWD_LOGIN {
  /* this+0x0 */ short PacketType;
  /* this+0x2 */ unsigned short Result;
};

// packet: 0x8ba
// len: 16
struct PACKET_CH_MAKE_SECOND_PASSWD {
  /* this+0x0 */ short PacketType;
  /* this+0x2 */ unsigned long AID;
  /* this+0x6 */ unsigned long Seed;
  /* this+0xa */ char SecondPWIdx[6];
};

// packet: 0x8bb
// len: 4
struct PACKET_HC_MAKE_SECOND_PASSWD {
  /* this+0x0 */ short PacketType;
  /* this+0x2 */ unsigned short Result;
};

// packet: 0x8bc
// len: 16
struct PACKET_CH_DELETE_SECOND_PASSWD {
  /* this+0x0 */ short PacketType;
  /* this+0x2 */ unsigned long AID;
  /* this+0x6 */ unsigned long Seed;
  /* this+0xa */ char SecondPWIdx[6];
};

// packet: 0x8bd
// len: 4
struct PACKET_HC_DELETE_SECOND_PASSWD {
  /* this+0x0 */ short PacketType;
  /* this+0x2 */ unsigned short Result;
};

// packet: 0x8be
// len: 16
struct PACKET_CH_EDIT_SECOND_PASSWD {
  /* this+0x0 */ short PacketType;
  /* this+0x2 */ unsigned long AID;
  /* this+0x6 */ unsigned long Seed;
  /* this+0xa */ char SecondPWIdx[6];
};

// packet: 0x8bf
// len: 4
struct PACKET_HC_EDIT_SECOND_PASSWD {
  /* this+0x0 */ short PacketType;
  /* this+0x2 */ unsigned short Result;
};

#pragma pack(pop)
Now, about the function itself: it looks like simple string (char *) manipulation. Hex-Rays should be able to handle it without problems.

== Edit.
the CharacterInfo struct:

Code:

// Note: pack(1) is required for the offsets in the comments to hold
// (e.g. int hp at this+0x2a right after short jobpoint at this+0x28).
#pragma pack(push, 1)

struct CHARACTER_INFO {
  /* this+0x0 */ unsigned long GID;
  /* this+0x4 */ int exp;
  /* this+0x8 */ int money;
  /* this+0xc */ int jobexp;
  /* this+0x10 */ int joblevel;
  /* this+0x14 */ int bodystate;
  /* this+0x18 */ int healthstate;
  /* this+0x1c */ int effectstate;
  /* this+0x20 */ int virtue;
  /* this+0x24 */ int honor;
  /* this+0x28 */ short jobpoint;
  /* this+0x2a */ int hp;
  /* this+0x2e */ int maxhp;
  /* this+0x32 */ short sp;
  /* this+0x34 */ short maxsp;
  /* this+0x36 */ short speed;
  /* this+0x38 */ short job;
  /* this+0x3a */ short head;
  /* this+0x3c */ short weapon;
  /* this+0x3e */ short level;
  /* this+0x40 */ short sppoint;
  /* this+0x42 */ short accessory;
  /* this+0x44 */ short shield;
  /* this+0x46 */ short accessory2;
  /* this+0x48 */ short accessory3;
  /* this+0x4a */ short headpalette;
  /* this+0x4c */ short bodypalette;
  /* this+0x4e */ unsigned char name[0x18];
  /* this+0x66 */ unsigned char Str;
  /* this+0x67 */ unsigned char Agi;
  /* this+0x68 */ unsigned char Vit;
  /* this+0x69 */ unsigned char Int;
  /* this+0x6a */ unsigned char Dex;
  /* this+0x6b */ unsigned char Luk;
  /* this+0x6c */ unsigned char CharNum;
  /* this+0x6d */ unsigned char haircolor;
  /* this+0x6e */ short bIsChangedCharName;
  /* this+0x70 */ int nRobe;
};

// Or this one:
struct CHARACTER_INFO_NEO {
  /* this+0x0 */ unsigned long GID;
  /* this+0x4 */ int exp;
  /* this+0x8 */ int money;
  /* this+0xc */ int jobexp;
  /* this+0x10 */ int joblevel;
  /* this+0x14 */ int bodystate;
  /* this+0x18 */ int healthstate;
  /* this+0x1c */ int effectstate;
  /* this+0x20 */ int virtue;
  /* this+0x24 */ int honor;
  /* this+0x28 */ short jobpoint;
  /* this+0x2a */ int hp;
  /* this+0x2e */ int maxhp;
  /* this+0x32 */ short sp;
  /* this+0x34 */ short maxsp;
  /* this+0x36 */ short speed;
  /* this+0x38 */ short job;
  /* this+0x3a */ short head;
  /* this+0x3c */ short weapon;
  /* this+0x3e */ short level;
  /* this+0x40 */ short sppoint;
  /* this+0x42 */ short accessory;
  /* this+0x44 */ short shield;
  /* this+0x46 */ short accessory2;
  /* this+0x48 */ short accessory3;
  /* this+0x4a */ short headpalette;
  /* this+0x4c */ short bodypalette;
  /* this+0x4e */ unsigned char name[0x18];
  /* this+0x66 */ unsigned char Str;
  /* this+0x67 */ unsigned char Agi;
  /* this+0x68 */ unsigned char Vit;
  /* this+0x69 */ unsigned char Int;
  /* this+0x6a */ unsigned char Dex;
  /* this+0x6b */ unsigned char Luk;
  /* this+0x6c */ unsigned char CharNum;
  /* this+0x6d */ unsigned char haircolor;
  /* this+0x6e */ int nRobe;
};

// CHARACTER_INFO_NEO extended by one field (the base struct sits at offset 0x0).
struct CHARACTER_INFO_NEO_UNION {
  /* this+0x0 */ struct CHARACTER_INFO_NEO base;
  /* this+0x72 */ short bIsChangedCharName;
};

#pragma pack(pop)

ever_boy_
Developers
Posts: 308
Joined: 06 Jul 2012, 13:44
Noob?: No

Re: bRO's client asking for PIN Code on log in

#108 Post by ever_boy_ »

A user posted this before:
Kurama wrote: (image)
first digit -> second digit
Whenever we log in to the account server, we get this seed along with packet 08B9, which indicates the numbers' positions on the PIN screen.

This user was able to reproduce the numbers' positions using Olly's functionality, by passing 08B9's seed (4 bytes in the packet) as the arguments, and it successfully gave us the right positions of the numbers for a given seed.

But now we need to find a way to translate this into Perl, so that kore can execute this same function. Or is there another way?

In the picture above, if we type the PIN code: 1111, the client will send to the server -> 32 32 32 32
If we type in 7777, the client will send to the server -> 34 34 34 34
And so on.


edit:
Example: seed 1B 7F C4 0B gives this result: 06 00 09 04 07 01 03 05 02 08

which matches the PIN numbers position for that given seed:

6 0 9
4 7 1
3 5 2
8


edit2:

does that 'sub pin_encode' in Utils.pm work in this case?

kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: bRO's client asking for PIN Code on log in

#109 Post by kLabMouse »

ever_boy_ wrote:edit:
Example: seed 1B 7F C4 0B gives this result: 06 00 09 04 07 01 03 05 02 08

which matches the PIN numbers position for that given seed:

6 0 9
4 7 1
3 5 2
8


edit2:

does that 'sub pin_encode' in Utils.pm work in this case?
So does the "Seed" change the image only, or the sent packet too?
If it changes, then it's a new algo. If not, then it should be something simple.

The "pin_encode" was made for the old LoginPin codes, when they were first used; it was also used for the PIN code on Kafra.

Edit: You can just place a BP on the part of the "case" that forms and sends the packet. That way you can check which functions transmute the PIN code itself, and what is used as input.

ever_boy_
Developers
Posts: 308
Joined: 06 Jul 2012, 13:44
Noob?: No

Re: bRO's client asking for PIN Code on log in

#110 Post by ever_boy_ »

kLabMouse wrote:So does the "Seed" change the image only, or the sent packet too?
Here's a received packet:

Code:

08 B9 1B 7F C4 0B XX XX XX XX 01 00
where XX is my account ID,
and the last 2 bytes are the FLAG.

The 4 bytes after the packet's ID (1B 7F C4 0B) are the seed, which determines the positions of the PIN numbers on the screen. In this case, it would be:

Code:

6 0 9
4 7 1
3 5 2
8
Because the result of the function with the arguments 1B 7F C4 0B (08B9 packet's bytes) is 06 00 09 04 07 01 03 05 02.

Now, when we send the PIN code (for example 7777) to the server, the packet looks like this:

Code:

08 B8 XX XX XX XX 34 34 34 34
where XX is my account ID. And 32 stands for 7's position on the PIN screen:

Code:

30(6) 31(0) 32(9)
33(4) 34(7) 35(1)
36(3) 37(5) 38(2)
39(8)


So, we have the fixed positions, which are sent within the packet (30 - 39), and we have the real digits (0 - 9). When we click on a digit, the client sends the position (34) instead of the digit itself (7).
kLabMouse wrote:Edit: You can just place a BP on the part of the "case" that forms and sends the packet. That way you can check which functions transmute the PIN code itself, and what is used as input.
What BP?
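To make the position mapping described in the last few posts concrete, here is an added Python example (not OpenKore's code and not from anyone in the thread). It takes the digit sequence the client's seed function outputs, as quoted above for seed 1B 7F C4 0B, validates it, and converts a PIN into the 0x30..0x39 position bytes carried in 08B8, plus the inverse for checking a capture against a known layout. The seed-to-layout function itself is the part the thread has not yet ported, so the layout is supplied as input.

```python
KEYPAD_SIZE = 10

def parse_layout(hex_digits: str) -> list:
    """Parse the sequence the client's seed function outputs (e.g. the
    "06 00 09 04 07 01 03 05 02 08" quoted for seed 1B 7F C4 0B) into the
    list of digits in keypad order. Spaces between entries are optional."""
    clean = hex_digits.replace(" ", "")
    if len(clean) != 2 * KEYPAD_SIZE:
        raise ValueError("layout must contain exactly ten two-character entries")
    layout = [int(clean[i:i + 2], 16) for i in range(0, len(clean), 2)]
    if sorted(layout) != list(range(KEYPAD_SIZE)):
        raise ValueError("layout must be a permutation of the digits 0-9")
    return layout

def pin_to_positions(layout: list, pin: str) -> bytes:
    """For each PIN digit emit '0' + (keypad index of that digit), i.e. the
    0x30..0x39 position bytes the client puts in 08B8 instead of the digits."""
    if not pin.isdigit():
        raise ValueError("PIN must consist of decimal digits only")
    index_of = {digit: pos for pos, digit in enumerate(layout)}
    return bytes(0x30 + index_of[int(d)] for d in pin)

def positions_to_pin(layout: list, positions: bytes) -> str:
    """Inverse mapping: recover the PIN from captured position bytes."""
    pin = []
    for b in positions:
        pos = b - 0x30
        if not 0 <= pos < KEYPAD_SIZE:
            raise ValueError(f"byte 0x{b:02x} is not a keypad position")
        pin.append(str(layout[pos]))
    return "".join(pin)

def render_keypad(layout: list) -> str:
    """Draw the layout the way the thread does: three rows of three, then the last key."""
    rows = [layout[0:3], layout[3:6], layout[6:9], layout[9:10]]
    return "\n".join(" ".join(str(d) for d in row) for row in rows)

if __name__ == "__main__":
    layout = parse_layout("06 00 09 04 07 01 03 05 02 08")  # layout quoted for seed 1B 7F C4 0B
    print(render_keypad(layout))
    print(pin_to_positions(layout, "7777").hex())  # 34343434, as in the captured 08B8
    # Under the other sequence quoted earlier in the thread, the same bytes mean a different PIN,
    # which is why the seed has to be handled before the PIN can be automated.
    other = parse_layout("06000503010907040802")
    print(positions_to_pin(other, b"4444"))  # 1111
```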
