My theory is that harmony.dll is being used to overload methods in the winsock2 library of Windows; that is how they are encrypting the packets. All you need to do is either make OpenKore able to use that DLL to send packets OR reverse the DLL and find out how the encryption is being done.
Legacy V3 | Bot + Encryption bypass |
-
- Perl Monk
- Posts: 416
- Joined: 04 Apr 2008, 03:08
-
- Noob
- Posts: 14
- Joined: 19 Apr 2008, 11:10
Re: Legacy V3 | Bot + Encryption bypass |
Yeah, but how would you make Kore use harmony.dll?
I went and asked some perl experts but they couldn't tell me much about this either.
Except that they gave me this link. Scroll all the way to the bottom:
http://www.experts-exchange.com/Programming/Languages/Scripting/Perl/Q_10769361.html
-
- Super Moderators
- Posts: 801
- Joined: 06 May 2008, 12:47
- Noob?: No
Re: Legacy V3 | Bot + Encryption bypass |
I might be wrong, but isn't it possible to use only the needed harmony.dll functions if you call them with the Win32::API module in Perl?
If so, then the next link might be somewhat interesting if you want to know which calling convention to use after disassembling the DLL:
http://www.perlmonks.org/?node_id=548285 (example see last post)
http://search.cpan.org/~cosimo/Win32-API-0.55/API.pm (some more documentation on the matter)
And here is some interesting reading about ws2_32.dll (WinSock 2.0 32-bit library):
http://www.eathena.ws/board/index.php?s ... try1026547
http://www.auditmypc.com/process/ws2_32.asp
One ST0 to rule them all? One PE viewer to find them!
One ST_kRO to bring them all and in the darkness bind them...
Mount Doom awaits us, fellowship of OpenKore!
-
- Noob
- Posts: 14
- Joined: 19 Apr 2008, 11:10
Re: Legacy V3 | Bot + Encryption bypass |
<Kees> I need it to import the dll and use it to connect a server
<Kees> I wouldn't know where to start though
<LOLZ> Kees I don't know what to suggest -- my Windows-fu is pretty rusty, but it sounds like you need some kind of wrapper around the DLL.
<Kees> Kind of wrapper?
<LOLZ> Kees Well, I'm thinking that your Perl application can't call the functions within a DLL directly, so you'll need some kind of intermediary. That's the wrapper.
<ROFL> Kees: Win32::API
If you figure out how to use this Win32::API, please do tell.
EDIT: Also harmony.dll uses MADHookLIB
<Kees> do you know what MADHookLib is
<LMAO> Kees: MadHookLib is not on CPAN
<LMAO> Kees: so it's almost certainly not public code
<LMAO> Kees: so you'd have to find the author and ask them :)
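The two posts above ask how a Perl program would get at functions inside harmony.dll through Win32::API. The script below is an added example, not code from the thread or from OpenKore: it loads the DLL next to the script, binds the export `_dummyfunc` that is mentioned later in this thread, and calls it. It assumes (none of this is confirmed by the thread) that `_dummyfunc` takes no arguments, returns nothing and uses the default `__stdcall` convention; the prototype and calling convention have to be read off the disassembly before trusting the bind, and the fifth `new()` argument for `__cdecl` should be checked against the installed Win32::API version.

```perl
#!/usr/bin/perl
# Added example (not from the thread): bind and call a DLL export from Perl
# with Win32::API. All prototype details below are ASSUMPTIONS to verify
# against the disassembly of the DLL.
use strict;
use warnings;
use FindBin qw($RealBin);
use Win32;
use Win32::API;

my $dll = "$RealBin/harmony.dll";

# LoadLibrary runs the DLL's DllMain inside *this* Perl process, not inside
# the game client, so any hooks DllMain installs land in perl.exe.
my $handle = Win32::LoadLibrary($dll)
    or die "LoadLibrary($dll) failed: "
         . Win32::FormatMessage(Win32::GetLastError());

# Bind the export by name. IN = '' (no parameters), OUT = 'V' (void).
# ASSUMPTION: _dummyfunc takes nothing, returns nothing, is __stdcall.
my $dummy = Win32::API->new($dll, '_dummyfunc', '', 'V')
    or die "cannot bind _dummyfunc: $^E";
$dummy->Call();
print "_dummyfunc returned\n";

# If the disassembly shows the *caller* cleaning up the stack after the call
# (add esp, N), the export is __cdecl; Win32::API takes the convention as the
# fifth argument, e.g. for a hypothetical export taking two ints:
#   my $f = Win32::API->new($dll, 'some_export', 'NN', 'N', '__cdecl');
```

Note that this only demonstrates the binding mechanics; as a later post in this thread points out, loading the DLL into Perl's own process does not by itself make Kore's packets go through the client-side hooks.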
-
- Noob
- Posts: 9
- Joined: 04 Apr 2008, 10:20
Re: Legacy V3 | Bot + Encryption bypass |
To load a DLL inside Kore you just need this:
Code:
use Win32;
use FindBin qw($RealBin);
Win32::LoadLibrary("$RealBin/harmony.dll");
But it will not work, because it won't overload any method from ws2_32; instead it will find the process id and inject the process memory, exchanging 2 functions (send() and connect()).
The exported _dummyfunc is just a dummy.
It does nothing except return nicely; it's used to load the DLL. The hexed exe will use that function so that LoadLibraryA() executes DllMain(), which initializes the hook in the client.
Here is the useless disassembled code commented by IDA: http://www.megaupload.com/it/?d=7W2DM8Q2
...cya in irc

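Several posts in this thread work from what a PE viewer or IDA shows about harmony.dll: which function it exports (`_dummyfunc`) and which DLLs it pulls in (ws2_32.dll, madCHook.dll). The script below is an added example, not code from the thread or from OpenKore, that walks a PE file's export and import directories with nothing but the standard library. Because no real DLL can ship with this page, `build_sample_dll()` constructs a tiny PE32 DLL in memory as test input; the names harmony.dll, `_dummyfunc`, madCHook.dll and ws2_32.dll are taken from the thread, while the image base, the export's address and the KERNEL32.dll import are made up. `parse_pe()` itself runs unchanged on the bytes of a real file.

```python
"""Added example: list a PE DLL's exports and imported DLLs (what a PE viewer
shows), using only the standard library. Runs on the raw bytes of a file."""
import struct

def _cstr(data, off):
    """Read a NUL-terminated ASCII string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii")

def _rva_to_off(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def parse_pe(data):
    """Return image base, {export name: VA} and the list of imported DLL names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # IMAGE_FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24                                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32
        image_base, dd = struct.unpack_from("<I", data, opt + 28)[0], opt + 96
    elif magic == 0x20B:                                   # PE32+
        image_base, dd = struct.unpack_from("<Q", data, opt + 24)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):                                  # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + size_opt + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp_rva = struct.unpack_from("<I", data, dd)[0]        # DataDirectory[0] = export
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]    # DataDirectory[1] = import

    exports = {}
    if exp_rva:
        e = _rva_to_off(exp_rva, sections)
        # IMAGE_EXPORT_DIRECTORY from +12: Name, Base, NumberOfFunctions,
        # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
        _, _, _, nnames, funcs, names, ords = struct.unpack_from("<7I", data, e + 12)
        funcs, names, ords = (_rva_to_off(r, sections) for r in (funcs, names, ords))
        for i in range(nnames):
            name_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
            ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]
            func_rva = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
            exports[_cstr(data, _rva_to_off(name_rva, sections))] = image_base + func_rva

    imports = []
    if imp_rva:
        d = _rva_to_off(imp_rva, sections)
        while True:                                        # IMAGE_IMPORT_DESCRIPTOR array
            name_rva = struct.unpack_from("<I", data, d + 12)[0]
            if name_rva == 0:                              # all-zero terminator
                break
            imports.append(_cstr(data, _rva_to_off(name_rva, sections)))
            d += 20
    return {"image_base": image_base, "exports": exports, "imports": imports}

def build_sample_dll():
    """Constructed test input: a tiny PE32 DLL with one export and three imports.
    Names come from the thread; the addresses and KERNEL32.dll are made up."""
    image_base, sec_rva, sec_raw = 0x10000000, 0x1000, 0x200
    sec = bytearray()
    def put(blob, align=4):                                # append to .rdata, return its RVA
        rva = sec_rva + len(sec)
        sec.extend(blob)
        sec.extend(bytes(-len(sec) % align))
        return rva
    exp_dir = put(bytes(40))                               # filled in below
    funcs = put(struct.pack("<I", 0x2000))                 # fake code RVA of _dummyfunc
    names = put(bytes(4))                                  # filled in below
    ords = put(struct.pack("<H", 0))
    dll_name = put(b"harmony.dll\0")
    func_name = put(b"_dummyfunc\0")
    imp_names = [put(n + b"\0") for n in (b"madCHook.dll", b"ws2_32.dll", b"KERNEL32.dll")]
    imp_dir = put(b"".join(struct.pack("<5I", 0, 0, 0, n, 0) for n in imp_names) + bytes(20))
    struct.pack_into("<I", sec, names - sec_rva, func_name)
    struct.pack_into("<7I", sec, exp_dir - sec_rva + 12, dll_name, 1, 1, 1, funcs, names, ords)
    raw_size = -(-len(sec) // sec_raw) * sec_raw
    hdr = bytearray(64); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 64)  # DOS header
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)    # i386 DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<IIII", opt, 96, exp_dir, 40, imp_dir, 80)
    hdr += opt + struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(sec), sec_rva, raw_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr).ljust(sec_raw, b"\0") + bytes(sec).ljust(raw_size, b"\0")

if __name__ == "__main__":
    info = parse_pe(build_sample_dll())   # or: parse_pe(open("harmony.dll", "rb").read())
    print("image base 0x%08x" % info["image_base"])
    for name, va in info["exports"].items():
        print("export %-16s 0x%08x" % (name, va))
    print("imports:", ", ".join(info["imports"]))
```

The export VA is computed from the optional header's ImageBase, which is why IDA labels in this thread look like `sub_100019D0`: the DLL is based at 0x10000000 and the disassembler adds that to each RVA. Seeing ws2_32.dll in the import list only tells you the DLL calls Winsock itself; a hooking library such as madCHook patches the client's copies of send() and connect() at run time, which no import table will reveal.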
-
- Super Moderators
- Posts: 801
- Joined: 06 May 2008, 12:47
- Noob?: No
Re: Legacy V3 | Bot + Encryption bypass |
Kees wrote:
<Kees> I need it to import the dll and use it to connect a server
<Kees> I wouldn't know where to start though
<LOLZ> Kees I don't know what to suggest -- my Windows-fu is pretty rusty, but it sounds like you need some kind of wrapper around the DLL.
<Kees> Kind of wrapper?
<LOLZ> Kees Well, I'm thinking that your Perl application can't call the functions within a DLL directly, so you'll need some kind of intermediary. That's the wrapper.
<ROFL> Kees: Win32::API
If you figure out how to use this Win32::API, please do tell.
EDIT: Also harmony.dll uses MADHookLIB
<Kees> do you know what MADHookLib is
<LMAO> Kees: MadHookLib is not on CPAN
<LMAO> Kees: so it's almost certainly not public code
<LMAO> Kees: so you'd have to find the author and ask them
Where did you find that harmony.dll uses MADHookLIB?
I'm not sure about anything, though I found this on the eAthena forum:
Quote: "...one that uses another DLL (Madchook.dll) to inject the 'support' DLL (symphony.dll) into the client (I saw this in an English server)."
The names of these 2 DLLs seem to have some sort of connection to what we are dealing with right now.
Is the resemblance just coincidence? I think not.
symphony.dll with madCHook.dll => symphonia, Latin for "sounding together"
harmony.dll with (MADHookLIB???) => harmonia, Latin for "agreement, joint, concord"
If this theory is right, then it's needless to say that whoever made these bot countermeasures started off with 2 DLLs which were working together as in a symphony, and that now he has merged/joined them into 1 DLL.
IMO, it'd be very important to get our hands on symphony.dll and Madchook.dll. DONE: http://www.megaupload.com/nl/?d=ZRDXPYDK
RebirthRO was using these in the past, but now they seem to have another way to inject their symphony.dll into the client.
Here is a bit of info on madCHook.dll, which seems to be a library:
http://www.madshi.net/madCodeHookDescription.htm (homepage)
( http://topic.csdn.net/u/20070607/01/1c6 ... b002b.html )
Here is a topic on rofan.ru about a workaround for servers that use anti-bot protections (page translated with Babelfish):
http://rofan.ru/viewtopic.php?t=2868&po ... sc&start=0
One ST0 to rule them all? One PE viewer to find them!
One ST_kRO to bring them all and in the darkness bind them...
Mount Doom awaits us, fellowship of OpenKore!
-
- Human
- Posts: 23
- Joined: 19 Apr 2008, 13:00
Re: Legacy V3 | Bot + Encryption bypass |
Great find Technology, I'll take a look at this when I get off work.
-
- Super Moderators
- Posts: 61
- Joined: 22 Apr 2008, 02:22
- Noob?: No
- Location: Zurich, Switzerland
Re: Legacy V3 | Bot + Encryption bypass |
harmony.dll
mh take a look at sub_100019D0
You can't make people smarter. You can expose them to information, but your responsibility stops there.
- Mark Rippetoe
-
- Super Moderators
- Posts: 61
- Joined: 22 Apr 2008, 02:22
- Noob?: No
- Location: Zurich, Switzerland
Re: Legacy V3 | Bot + Encryption bypass |
Oh, and the strange thing is actually that if I try to connect with OpenKore, I only get disconnected at the map login. So I compared the packets for game and char login which the client sends with the ones that OpenKore sends.
The client packets are encrypted and a key packet is sent before every packet, but still I can log in and choose a char with OpenKore? What sense does that make?
It seems the server accepts normal packets for game and char login too :S
//e: moved to dev corner
You can't make people smarter. You can expose them to information, but your responsibility stops there.
- Mark Rippetoe
-
- Noob
- Posts: 5
- Joined: 02 May 2008, 12:44
- Noob?: Yes
Re: Legacy V3 | Bot + Encryption bypass |
darkfate wrote:
Oh and the strange thing is actually that if I try to connect with openkore, I only get disconnected at the map login. So I compared the packets from game and char login which the client sends with the ones that openkore sends.
The client packets are encrypted and a key packet is sent before every packet, but still I can login and choose a char with openkore? What sense does that make?
It seems the server accepts normal packets for game and char login too :S
//e: moved to dev corner
Yep, that has been the case. Even with the old client, you are only able to connect to the char server but not the map server (you get d/ced).