idRO Not Working after 27-01-2010 | All Version

Forum closed. All further discussion to be discussed at https://github.com/OpenKore/

Moderators: Moderators, Developers

michaelaw
Human
Posts: 27
Joined: 29 Jun 2009, 10:45
Noob?: No
Location: IdRO, FnC, Payon, -AutoWarper- Headquarters

Re: idRO Not Working after 27-01-2010 | All Version

#11 Post by michaelaw »

How about injecting xyz.dll into OpenKore, just like we inject NetRedirect.dll?

Or shall we use the xyz.dll to route the connection just like the client does?
kali
OpenKore Monk
Posts: 457
Joined: 04 Apr 2008, 10:10

Re: idRO Not Working after 27-01-2010 | All Version

#12 Post by kali »

michaelaw wrote: How about injecting xyz.dll into OpenKore, just like we inject NetRedirect.dll?

Or shall we use the xyz.dll to route the connection just like the client does?

I don't think you know what you are talking about.
Got your topic trashed by a mod?

Trashing topics is one click, and moving a topic to its proper forum is a lot harder. You expend the least effort in deciding where to post, mods expend the least effort by trashing.

Have a nice day.
renjfk
Noob
Posts: 14
Joined: 17 Dec 2009, 06:28
Noob?: No

Re: idRO Not Working after 27-01-2010 | All Version

#13 Post by renjfk »

From my short analysis, it only hooks the recv function (idk, maybe it's hooking send or more functions later on).

Code:

blahblah (regular routine)
0020FEF7  |. FF15 64552100  CALL DWORD PTR DS:[215564]               ;  call original recv
0020FEFD  |. 8BD8           MOV EBX,EAX
0020FEFF  |. 85DB           TEST EBX,EBX
0020FF01  |. 0F84 84000000  JE xyz.0020FF8B                          ;  packet error check
0020FF07  |. 83FB FF        CMP EBX,-1
0020FF0A  |. 74 7F          JE SHORT xyz.0020FF8B                    ;  more checks
0020FF0C  |. A1 0C342100    MOV EAX,DWORD PTR DS:[21340C]
0020FF11  |. 8038 00        CMP BYTE PTR DS:[EAX],0
0020FF14  |. 74 75          JE SHORT xyz.0020FF8B                    ;  more more checks
0020FF16  |. C745 FC 100000>MOV DWORD PTR SS:[EBP-4],10
0020FF1D  |. 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]
0020FF20  |. 50             PUSH EAX
0020FF21  |. 8D45 E4        LEA EAX,DWORD PTR SS:[EBP-1C]
0020FF24  |. 50             PUSH EAX
0020FF25  |. 56             PUSH ESI
0020FF26  |. E8 C83F0400    CALL xyz.00253EF3                        ;  it's out of code section maybe VM or something?
some more calculations error checks etc.

Err, that function outside the code section is doing something important, but I can't really trace it without running the client. Is there a way for me to run the client on idRO with my current latest kRO?
ffs stop mailing, sending message on youtube, da or whatever, ill crack vanguard when i feel like it also got enough time for it.
h4rry84
Moderators
Posts: 234
Joined: 04 Apr 2008, 09:30
Noob?: Yes
Location: My House

Re: idRO Not Working after 27-01-2010 | All Version

#14 Post by h4rry84 »

Currently not possible, since the xyz lib checks the binary to log on. Or you could simply repack the clientinfo.xml with IP: 202.43.167.67.

Code:

<?xml version="1.0" encoding="euc-kr" ?>

<clientinfo>
	
	<servicetype>indonesia</servicetype>
	<servertype>primary</servertype>
	<hideaccountlist></hideaccountlist>
	<passwordencrypt></passwordencrypt>
	<extendedslot></extendedslot>
	<connection>
		<display>Indonesia Server</display>
		<desc>None</desc>
		<address>202.43.167.67</address>
		<port>6900</port>
		<version>2</version>
		<langtype>6</langtype>
		<registrationweb>http://www.ragnarok.co.id</registrationweb>
		<aid>
			<admin>100004</admin><admin>100005</admin><admin>100045</admin><admin>100046</admin><admin>100047</admin><admin>100048</admin><admin>100049</admin><admin>100050</admin><admin>100051</admin>
			<admin>100052</admin><admin>100053</admin><admin>100054</admin><admin>100055</admin><admin>100056</admin><admin>100057</admin><admin>100058</admin><admin>100059</admin><admin>100060</admin>
			<admin>100061</admin><admin>100062</admin>
		</aid>
	</connection>

	<loading>
		<image>loading00.jpg</image>
		<image>loading01.jpg</image>
		<image>loading02.jpg</image>
		<image>loading03.jpg</image>
		<image>loading04.jpg</image>
		<image>loading05.jpg</image>
	</loading>

</clientinfo>

Oh yeah, here's the new lib that they updated again, or you won't be able to login:
http://rapidshare.com/files/343472373/latestxyz.7z


Note: use Indonesian Proxies to be able to play
RaynDaVouz
Noob
Posts: 1
Joined: 30 Jan 2010, 04:20
Noob?: Yes

Re: idRO Not Working after 27-01-2010 | All Version

#15 Post by RaynDaVouz »

...
Last edited by RaynDaVouz on 13 Mar 2010, 05:32, edited 3 times in total.
kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: idRO Not Working after 27-01-2010 | All Version

#16 Post by kLabMouse »

renjfk wrote: Err, that function outside the code section is doing something important, but I can't really trace it without running the client. Is there a way for me to run the client on idRO with my current latest kRO?

Well, I've tried to analyze xyz.dll too. At least I know that it can be dumped using PE Tools; also RAMOlly fails and it's detected (dunno what plugins/options to use). Plus, it uses some kind of VM to virtualize the import table and calls to external functions.
(And I can't locate the entry point.)


If you can, please gimme some hints on what to use so it's not detected by xyz.dll's internal packer.
renjfk
Noob
Noob
Posts: 14
Joined: 17 Dec 2009, 06:28
Noob?: No

Re: idRO Not Working after 27-01-2010 | All Version

#17 Post by renjfk »

Protection ID is telling me "VM Protect v1.60 - v2.03 (or newer) detected", but when I check the sections I see some UPX tags, so it's mainly packed with UPX and then with VM Protect (which is kinda impossible, to use two packers; also I believe it has virtualized functions), or packed with VM Protect and using fake section names to trick people. At any rate, I don't think it's necessary to fully unpack if we're going to analyze what it's using to encrypt packets, since we can disassemble without unpacking. But like I said, I believe it's using virtualized functions, which will be hard to solve. Umm, I'll try to investigate further by logging on to the actual server, so all these are based on theories..
ffs stop mailing, sending message on youtube, da or whatever, ill crack vanguard when i feel like it also got enough time for it.
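
The section-name question raised in post #17, as an added example that is not part of the thread: a static triage pass that reads a PE section table and sets each name's packer hint beside the entropy of the section's contents, since a name is a free-form label and compressed or encrypted data sits near 8 bits per byte. The sample image is constructed here (header and filler only, not a loadable DLL), and `PACKER_HINTS`, `triage` and `build_sample` are illustrative names.

```python
import math
import struct
from collections import Counter

# Default section names some packers leave behind. A name is only an 8-byte
# label the builder can set freely, so treat a match as a hint, not proof.
PACKER_HINTS = {"UPX0": "UPX", "UPX1": "UPX", ".vmp0": "VMProtect", ".vmp1": "VMProtect"}

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for an empty section)."""
    n = len(data)
    return sum(-c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def sections(pe):
    """Yield (name, raw bytes) for each entry in a PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count, = struct.unpack_from("<H", pe, nt + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)   # SizeOfOptionalHeader
    for i in range(count):
        off = nt + 24 + opt_size + 40 * i               # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def triage(pe):
    """Pair each section's name hint with the entropy of its contents."""
    return [(name, PACKER_HINTS.get(name), round(entropy(raw), 2))
            for name, raw in sections(pe)]

def build_sample(secs):
    """Constructed header-only PE (not loadable) so the example runs offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0, 0x2102)
    table, body, ptr = b"", b"", 0x40 + len(coff) + 40 * len(secs)
    for name, raw in secs:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000,
                             len(raw), ptr + len(body), 0, 0, 0, 0, 0xE0000020)
        body += raw
    return bytes(dos) + coff + table + body

# Constructed input: UPX-named sections holding filler, plus one dense section.
SAMPLE = build_sample([("UPX0", b""), ("UPX1", b"\x90" * 512),
                       (".vmp0", bytes(range(256)) * 4)])
```

In this constructed sample the `UPX1` section carries a UPX name but zero-entropy filler, which is what a decoy label looks like, while `.vmp0` is the only section with dense contents.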
kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: idRO Not Working after 27-01-2010 | All Version

#18 Post by kLabMouse »

renjfk wrote: Protection ID is telling me "VM Protect v1.60 - v2.03 (or newer) detected", but when I check the sections I see some UPX tags, so it's mainly packed with UPX and then with VM Protect (which is kinda impossible, to use two packers; also I believe it has virtualized functions), or packed with VM Protect and using fake section names to trick people. At any rate, I don't think it's necessary to fully unpack if we're going to analyze what it's using to encrypt packets, since we can disassemble without unpacking. But like I said, I believe it's using virtualized functions, which will be hard to solve. Umm, I'll try to investigate further by logging on to the actual server, so all these are based on theories..

I've checked. No virtualized functions. Only imported functions are called through the packer section to make dumping less possible.
As it's a Delphi 7 DLL, it could be reconstructed easily; I just need the EP of DLLMain and some hints on how to hide the debugger.
renjfk
Noob
Noob
Posts: 14
Joined: 17 Dec 2009, 06:28
Noob?: No

Re: idRO Not Working after 27-01-2010 | All Version

#19 Post by renjfk »

I see, it makes sense. Well, about hiding: don't attach to the DLL-injected random process right away; wait a bit and a message should pop up telling you this is the wrong binary, blahblah; attach after it. About the EP, I'm sure you can use that message to your advantage, since the EP should be close to that message box.
ffs stop mailing, sending message on youtube, da or whatever, ill crack vanguard when i feel like it also got enough time for it.
kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: idRO Not Working after 27-01-2010 | All Version

#20 Post by kLabMouse »

renjfk wrote: I see, it makes sense. Well, about hiding: don't attach to the DLL-injected random process right away; wait a bit and a message should pop up telling you this is the wrong binary, blahblah; attach after it. About the EP, I'm sure you can use that message to your advantage, since the EP should be close to that message box.

Dunno. Maybe my debugger is not good, or something else. But the target app just crashes when I try to attach with RAMOlly v1.1.
Any hints on this situation?