More: http://forums.openkore.com/viewtopic.php?f=34&t=1156
Continuation from this topic:
http://forums.openkore.com/viewtopic.ph ... &start=111
Situation: New update with an encryption built into the client
- Bots do not log in
- normal WPE/rPE does not function (gets disconnected)
Developments so far:
Tsuki made a working modified rPE. Visit the last thread for further details.
LRO.exe is indeed packed with MoleBox. Besides the exe itself, there are 2 more files packed in that exe - the protection system harmony.dll and another "dll". sclientinfo.xml is almost the same - only 2 admin lines were removed and the version changed to 11, but it will give you nothing due to the protection system.
The protection system is simple: harmony.dll encrypts all sent packets and adds some additional packets between them. The algorithm is not long, but it increases packet lengths quite a bit, which is not nice at all.
To counter this protection there are 2 ways:
1) Reverse the encryption algorithm and append it where you want.
2) Connect the harmony.dll so it will do all the work for you.
The previously posted modified version of rPE was a demonstration of the second approach. Open the LRO.exe process, capture some data, add some captured packets to the send list and send them - works without any problems (I've tested only sit and walk packets though, and haven't tested any other features of rPE either).
Just to elaborate more on the encryption.
The client sends an encryption key (well, 3 to be exact) to the server that will allow it to decrypt packets sent by the client.
The encryption key packet looks like this: 0x89 0x?? 0x?? 0x01 0x00 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? - the question marks are different every time because the key is dynamic.
The first key is sent just before account info is sent. The second key is sent at char select. The third key is sent after you've logged into the game.
I don't know if the key will keep changing while you're in game; I'm too lazy to record packets for that long and then look through them.
According to "Kees" and "barracks", bots are still being caught on LRO. We do not know how they are doing it.
harmony.dll exports just one function, which redirects this:
send 0x71a3428a 0x0000428a 19 (0x13) WS2_32.dll C:\WINDOWS\system32\WS2_32.dll Exported Function
It works just like the XKore injection method ... but only with sends.
Some more theories:
More on page 4.
Bibian wrote:
My theory is that harmony.dll is being used to overload methods in the winsock2 library of Windows; that is how they are encrypting the packets. All you need to do is either make OpenKore able to use that dll to send packets OR reverse the dll and find out how the encryption is being done.
How do we get over this? Discuss.