Legacy V3 | Bot + Encryption bypass |

pokemonleung
Noob
Posts: 5
Joined: 02 May 2008, 12:44
Noob?: Yes

Legacy V3 | Bot + Encryption bypass |

#1 Post by pokemonleung »

Update (by darkfate): Encryption was cracked. (at least for now)
More: http://forums.openkore.com/viewtopic.php?f=34&t=1156


Continuation from this topic:
http://forums.openkore.com/viewtopic.ph ... &start=111

Situation: New update with an encryption built in to the client

- Bots do not log in
- normal WPE/rPE does not function (get disconnected)

developments so far:
LRO.exe is indeed packed with MoleBox. Besides the exe itself there are 2 more files packed in that exe - protection system harmony.dll and another "dll". sclientinfo.xml is almost the same - only removed 2 admin lines and changed version to 11, but it will give you nothing due to protection system.

Protection system is simple: harmony.dll encrypts all sent packets and adds some additional packets between them. The algorithm is not long, but it increases packet lengths quite a bit, which is not nice at all.

To counter this protection there are 2 ways:
1) Reverse the encryption algorithm and append it where you want.
2) Connect the harmony.dll so it will do all the work for you.

The previously posted modified version of rPE was a demonstration of the second approach. Open process LRO.exe, capture some data, add some captured packets to send list and send them - works without any problems (I've tested only sit and walk packets though, haven't tested any other features of rPE either).
Tsuki made a working modified rPE. Visit last thread for further details.
Just to elaborate more on the encryption.

The client sends an encryption key (well 3 to be exact) to the server that will allow it to decrypt packets sent by the client.

The encryption key packet looks like this: 0x89 0x?? 0x?? 0x01 0x00 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x??. The question marks are different every time because the key is dynamic.

The first key is sent just before account info is sent. The second key is sent at char select. The third key is sent after you've logged into the game.

I don't know if the key will keep changing while you're in game, I'm too lazy to record packets for that long then look through them.
harmony.dll exports just one function, which redirects this:
send 0x71a3428a 0x0000428a 19 (0x13) WS2_32.dll C:\WINDOWS\system32\WS2_32.dll Exported Function

It works just like the XKore injection method ... but only with sends
According to "Kees" and "barracks", bots are still being caught on LRO. we do not know how they are doing it.

Some more theories:
Bibian wrote: My theory is that harmony.dll is being used to overload methods in the winsock2 library of windows
that is how they are encrypting the packets, all you need to do is either make openkore able to use that dll to send packet OR reverse the dll and find out how the encryption is being done.
more on page 4.

How do we get over this? Discuss.
Last edited by pokemonleung on 11 May 2008, 17:42, edited 7 times in total.

Tsuki
Noob
Posts: 2
Joined: 02 May 2008, 20:20
Noob?: No

Re: Legacy V3 | Bot + Encryption bypass |

#2 Post by Tsuki »

Both Standard and Custom filters work. You just need to understand what you are writing there instead of dumb copy&paste examples.

olivers
Noob
Posts: 3
Joined: 05 May 2008, 11:53
Noob?: No

Re: Legacy V3 | Bot + Encryption bypass |

#3 Post by olivers »

Tsuki wrote: Both Standard and Custom filters work. You just need to understand what you are writing there instead of dumb copy&paste examples.
I can confirm this.

Just curious, but how did you change where rPE hooks into the process, Tsuki? I only looked at a few packets, but it looked like rPE was just watching packets being sent to the encryption process.

pokemonleung
Noob
Posts: 5
Joined: 02 May 2008, 12:44
Noob?: Yes

Re: Legacy V3 | Bot + Encryption bypass |

#4 Post by pokemonleung »

Fixed.
Last edited by pokemonleung on 05 May 2008, 14:14, edited 1 time in total.

olivers
Noob
Posts: 3
Joined: 05 May 2008, 11:53
Noob?: No

Re: Legacy V3 | Bot + Encryption bypass |

#5 Post by olivers »

Check the packet type you are sending / receiving using the modified rPE

pokemonleung
Noob
Posts: 5
Joined: 02 May 2008, 12:44
Noob?: Yes

Re: Legacy V3 | Bot + Encryption bypass |

#6 Post by pokemonleung »

Problem resolved re: rPE custom filters. Update/solution added to first post re: error in SendIfMatch.
Thank you guys~

There's still the problem with logging into the server with kore. Please discuss and input further developments

thank you.

Kees
Noob
Posts: 14
Joined: 19 Apr 2008, 11:10

Re: Legacy V3 | Bot + Encryption bypass |

#7 Post by Kees »

Still a problem logging in with Kore? My client crashes when Kore tries to plug in.

Barracks
Human
Posts: 23
Joined: 19 Apr 2008, 13:00

Re: Legacy V3 | Bot + Encryption bypass |

#8 Post by Barracks »

I think we'll need a new serverType to login tbh.

pokemonleung
Noob
Posts: 5
Joined: 02 May 2008, 12:44
Noob?: Yes

Re: Legacy V3 | Bot + Encryption bypass |

#9 Post by pokemonleung »

I have not botted for a long time. But logically speaking, you must send encrypted packets to the server for it to "understand" because it is designed to accept only those encrypted packets.

The reason why the normal version of WPE and rPE didn't work is because it sent normal packets. Because of this, the server rejects them and you get disconnected.

The same principle applies to Kore. Just changing the server type and modifying settings won't help. You must work with the encryption, send encrypted packets so the server will accept them. Otherwise, (again) the server will reject you.

If you read the first post, the new client sends 3 encryption keys (different every time you log in). After you have successfully sent the encryption keys, you are allowed to go into the map server. If you use the old client, you will only get to the character server, but you will be disconnected when you try to go into the map server. This is most likely because you aren't sending the encryption key the server needs to interpret your encrypted packets.

After you have logged into the map server, you have to keep sending encrypted packets. Otherwise, the server will not be able to understand what the packets are "saying" and you will get disconnected.

Using the above as principle, in order to make a bot work, you must
1) be able to send an encryption key to the server when you login
2) send encrypted packets

This is all speculation based on the research I have done just testing out the normal WPE and the technical information gathered from other people. I think it's a fairly accurate speculation.

Mushroom
Perl Monk
Posts: 427
Joined: 04 Apr 2008, 14:04
Noob?: No
Location: Brazil

Re: Legacy V3 | Bot + Encryption bypass |

#10 Post by Mushroom »

Ok, but can't we just "remove" the thing that makes us send encrypted packets or we need this to play?
Quit.
