Legacy V3 | Bot + Encryption bypass |


Bibian
Perl Monk
Posts: 416
Joined: 04 Apr 2008, 03:08

Re: Legacy V3 | Bot + Encryption bypass |

#31 Post by Bibian »

My theory is that harmony.dll is being used to overload methods in the winsock2 library of Windows; that is how they are encrypting the packets. All you need to do is either make OpenKore able to use that DLL to send packets OR reverse the DLL and find out how the encryption is being done.
Kees
Noob
Posts: 14
Joined: 19 Apr 2008, 11:10

Re: Legacy V3 | Bot + Encryption bypass |

#32 Post by Kees »

Yeah, but how would you make Kore use harmony.dll?
I went and asked some Perl experts, but they couldn't tell me much about this either.

Except that they gave me this link. Scroll all the way to the bottom:

http://www.experts-exchange.com/Programming/Languages/Scripting/Perl/Q_10769361.html
Technology
Super Moderators
Posts: 801
Joined: 06 May 2008, 12:47
Noob?: No

Re: Legacy V3 | Bot + Encryption bypass |

#33 Post by Technology »

I might be wrong, but isn't it possible to use only the needed harmony.dll functions if you call them with the Win32::API module in Perl?

If so, then the next link might be somewhat interesting if you want to know which calling convention to use after disassembling the DLL:
http://www.perlmonks.org/?node_id=548285 (example see last post)
http://search.cpan.org/~cosimo/Win32-API-0.55/API.pm (some more documentation on the matter)

And here is some interesting reading about ws2_32.dll (WinSock 2.0 32-bit library):
http://www.eathena.ws/board/index.php?s ... try1026547
http://www.auditmypc.com/process/ws2_32.asp
One ST0 to rule them all? One PE viewer to find them!
One ST_kRO to bring them all and in the darkness bind them...

Mount Doom awaits us, fellowship of OpenKore!
Kees
Noob
Posts: 14
Joined: 19 Apr 2008, 11:10

Re: Legacy V3 | Bot + Encryption bypass |

#34 Post by Kees »

<Kees> I need it to import the dll and use it to connect a server
<Kees> I wouldn't know where to start though
<LOLZ> Kees I don't know what to suggest -- my Windows-fu is pretty rusty, but it sounds like you need some kind of wrapper around the DLL.
<Kees> Kind of wrapper?
<LOLZ> Kees Well, I'm thinking that your Perl application can't call the functions within a DLL directly, so you'll need some kind of intermediary. That's the wrapper.
<ROFL> Kees: Win32::API

If you figure out how to use this Win32::API, please do tell.
EDIT: Also harmony.dll uses MADHookLIB

<Kees> do you know what MADHookLib is
<LMAO> Kees: MadHookLib is not on CPAN
<LMAO> Kees: so it's almost certainly not public code
<LMAO> Kees: so you'd have to find the author and ask them :)
hal9000
Noob
Posts: 9
Joined: 04 Apr 2008, 10:20

Re: Legacy V3 | Bot + Encryption bypass |

#35 Post by hal9000 »

To load a DLL inside Kore you just need this:

```perl
use Win32;                    # provides Win32::LoadLibrary
use FindBin qw($RealBin);     # directory of the running script

Win32::LoadLibrary("$RealBin/harmony.dll");
```

But it will not work, because it won't overload any method from ws2_32; instead it will find the process ID and inject into the process memory, exchanging 2 functions (send() and connect()).
The exported _dummyfunc is just a dummy :) it does nothing except return nicely. It's used to load the DLL: the hexed exe will call that function so that LoadLibraryA() executes DllMain(), which initializes the hook in the client.

Here is the useless disassembled code, commented by IDA: http://www.megaupload.com/it/?d=7W2DM8Q2

...cya in irc ;)
Technology
Super Moderators
Posts: 801
Joined: 06 May 2008, 12:47
Noob?: No

Re: Legacy V3 | Bot + Encryption bypass |

#36 Post by Technology »

Kees wrote:
<Kees> I need it to import the dll and use it to connect a server
<Kees> I wouldn't know where to start though
<LOLZ> Kees I don't know what to suggest -- my Windows-fu is pretty rusty, but it sounds like you need some kind of wrapper around the DLL.
<Kees> Kind of wrapper?
<LOLZ> Kees Well, I'm thinking that your Perl application can't call the functions within a DLL directly, so you'll need some kind of intermediary. That's the wrapper.
<ROFL> Kees: Win32::API

If you figure out how to use this Win32::API, please do tell.


EDIT: Also harmony.dll uses MADHookLIB

<Kees> do you know what MADHookLib is
<LMAO> Kees: MadHookLib is not on CPAN
<LMAO> Kees: so it's almost certainly not public code
<LMAO> Kees: so you'd have to find the author and ask them :)
Where did you find that harmony.dll uses MADHookLIB?

I'm not sure about anything, though I found this on the eAthena forum:
* one that uses another DLL (Madchook.dll) to inject the "support" DLL (symphony.dll) into the client (I saw this in an English server.)
The names of these 2 DLLs seem to have some sort of connection to what we are dealing with right now.
Is the resemblance just coincidence? I think not.

symphony.dll with madCHook.dll => symphonia, Latin for "sounding together"
harmony.dll with (MADHookLIB???) => harmonia, Latin for "agreement, joint, concord"

If this theory is right, then it's needless to say that whoever made these bot countermeasures started off with 2 DLLs, which were working together as in a symphony, and that now he has merged/joined them into 1 DLL.
*IMO, it'd be very important to get our hands on symphony.dll and Madchook.dll* DONE: http://www.megaupload.com/nl/?d=ZRDXPYDK
RebirthRO was using these in the past, but now they seem to have another way to inject their symphony.dll into the client.

Here is a bit of info on madCHook.dll, which seems to be a library:
http://www.madshi.net/madCodeHookDescription.htm (homepage)
( http://topic.csdn.net/u/20070607/01/1c6 ... b002b.html )

Here is a topic on rofan.ru about a workaround for servers that use anti-bot protections (page translated with Babelfish).
http://rofan.ru/viewtopic.php?t=2868&po ... sc&start=0
Barracks
Human
Posts: 23
Joined: 19 Apr 2008, 13:00

Re: Legacy V3 | Bot + Encryption bypass |

#37 Post by Barracks »

Great find Technology, I'll take a look at this when I get off work.
darkfate
Super Moderators
Posts: 61
Joined: 22 Apr 2008, 02:22
Noob?: No
Location: Zurich, Switzerland

Re: Legacy V3 | Bot + Encryption bypass |

#38 Post by darkfate »

harmony.dll: mh, take a look at sub_100019D0
You can't make people smarter. You can expose them to information, but your responsibility stops there.
- Mark Rippetoe
darkfate
Super Moderators
Posts: 61
Joined: 22 Apr 2008, 02:22
Noob?: No
Location: Zurich, Switzerland

Re: Legacy V3 | Bot + Encryption bypass |

#39 Post by darkfate »

Oh, and the strange thing is actually that if I try to connect with OpenKore, I only get disconnected at the map login. So I compared the packets for game and char login which the client sends with the ones that OpenKore sends.
The client packets are encrypted and a key packet is sent before every packet, but still I can log in and choose a char with OpenKore? What sense does that make?

It seems the server accepts normal packets for game and char login too :S

//e: moved to dev corner
pokemonleung
Noob
Posts: 5
Joined: 02 May 2008, 12:44
Noob?: Yes

Re: Legacy V3 | Bot + Encryption bypass |

#40 Post by pokemonleung »

darkfate wrote:
Oh, and the strange thing is actually that if I try to connect with OpenKore, I only get disconnected at the map login. So I compared the packets for game and char login which the client sends with the ones that OpenKore sends.
The client packets are encrypted and a key packet is sent before every packet, but still I can log in and choose a char with OpenKore? What sense does that make?

It seems the server accepts normal packets for game and char login too :S

//e: moved to dev corner
Yep, that has been the case. Even with the old client, you are only able to connect to the char server but not the map server (you get d/c'ed).