Legacy V3 | Bot + Encryption bypass |

[Bibian]

My theory is that harmony.dll is being used to overload methods in the winsock2 library of windows
that is how they are encrypting the packets, all you need to do is either make openkore able to use that dll to send packet OR reverse the dll and find out how the encryption is being done.

[Kees]

Yeah but how would you make Kore use harmony.dll
I went and asked some perl experts but they couldn't tell me much about this either.

Except that they gave me this link. Scroll all the way to the bottom:

Code: Select all

http://www.experts-exchange.com/Programming/Languages/Scripting/Perl/Q_10769361.html

[Technology]

I might be wrong but, isn't it possible to use only the needed harmony.dll functions, if you call them with the Win32::API module in perl?

If so, then the next link might be somewhat interresting if you want to know wich calling convention to use after disassembling the dll:
http://www.perlmonks.org/?node_id=548285 (example see last post)
http://search.cpan.org/~cosimo/Win32-API-0.55/API.pm (some more documentation on the matter)

And here is some interresting lecture about ws2_32.dll (WinSock 2.0 32bit Library)
http://www.eathena.ws/board/index.php?s ... try1026547
http://www.auditmypc.com/process/ws2_32.asp

[Kees]

<Kees> I need it to import the dll and use it to connect a server
<Kees> I wouldn't know where to start though
<LOLZ> Kees I don't know what to suggest -- my Windows-fu is pretty rusty, but it sounds like you need some kind of wrapper around the DLL.
<Kees> Kind of wrapper?
<LOLZ> Kees Well, I'm thinking that your Perl application can't call the functions within a DLL directly, so you'll need some kind of intermediary. That's the wrapper.
<ROFL> Kees: Win32::API

If you figure out how to use this Win32::API, please do tell.


EDIT: Also harmony.dll uses MADHookLIB

<Kees> do you know what MADHookLib is
<LMAO> Kees: MadHookLib is not on CPAN
<LMAO> Kees: so it's almost certainly not public code
<LMAO> Kees: so you'd have to find the author and ask them :)

[hal9000]

to load a dll inside kore you just need this:

Code: Select all

Win32::LoadLibrary("$RealBin/harmony.dll");

But it will not work because it wont overload any method from ws2_32, instead it will find the processid, inject the process memory exchanging 2 functions (send() and connect()).
the exported _dummyfunc is just a dummy it does nothing except return nicely, it's used to load the dll, the hexed exe will use that function so that LoadLibraryA() executes DllMain() that initialize the hook in the client.

here is the useless disassembled code commented by IDA: http://www.megaupload.com/it/?d=7W2DM8Q2

...cya in irc

[Technology]

<Kees> I need it to import the dll and use it to connect a server
<Kees> I wouldn't know where to start though
<LOLZ> Kees I don't know what to suggest -- my Windows-fu is pretty rusty, but it sounds like you need some kind of wrapper around the DLL.
<Kees> Kind of wrapper?
<LOLZ> Kees Well, I'm thinking that your Perl application can't call the functions within a DLL directly, so you'll need some kind of intermediary. That's the wrapper.
<ROFL> Kees: Win32::API

If you figure out how to use this Win32::API, please do tell.


EDIT: Also harmony.dll uses MADHookLIB

<Kees> do you know what MADHookLib is
<LMAO> Kees: MadHookLib is not on CPAN
<LMAO> Kees: so it's almost certainly not public code
<LMAO> Kees: so you'd have to find the author and ask them

Where did you find that harmony.dll uses MADHookLIB?

I'm not sure about anything, tough i found this on the eAthena forum:

* one that use an other DLL ( Madchook.dll ) to inject the "support" dll ( symphony.dll ) into the client ( I saw this in an english server.)

The names of these 2 dll's seem to have some sort of connection to what we are dealing with right now.
Is the resemblance just coïncidence? I think not.

symphony.dll with madCHook.dll => symphonia, latin for "sounding together"
harmony.dll with (MADHookLIB???) => harmonia = latin for "agreement, joint, concord"

If this theory is right, then its needless to say that whoever made these bot-countermeasures started off with 2 .dll's, wich were working together as in a symphony and that now he has merged/joined them into 1 .dll.
*IMO, i'd be very important to get our hands on: symphony.dll and Madchook.dll* DONE http://www.megaupload.com/nl/?d=ZRDXPYDK
RebirthRO was using these in the past, but now they seem to have another way to inject their symphony.dll into the client.

Here is a bit info on the madCHook.dll, wich seems to be a library:
http://www.madshi.net/madCodeHookDescription.htm (homepage)
( http://topic.csdn.net/u/20070607/01/1c6 ... b002b.html )

Here is a topic on rofan.ru about a workaround for servers that use anti-bot protections. (translated page babelfish)
http://rofan.ru/viewtopic.php?t=2868&po ... sc&start=0

[Barracks]

Great find Technology, I'll take a look at this when I get off work.

[darkfate]

harmony.dll
mh take a look at sub_100019D0

[darkfate]

Oh and the strange thing is actually that if I try to connect with openkore, I only get disconnected at the map login. So I compared the packets from game and char login which the client sends with the ones that openkore sends.
The client packets are encrypted and a key packet is sent before every packet, but still I can login and choose a char with openkore? What sense does that make?

It seems the server accepts normal packets for game and char login too :S

//e: moved to dev corner

[pokemonleung]

Oh and the strange thing is actually that if I try to connect with openkore, I only get disconnected at the map login. So I compared the packets from game and char login which the client sends with the ones that openkore sends.
The client packets are encrypted and a key packet is sent before every packet, but still I can login and choose a char with openkore? What sense does that make?

It seems the server accepts normal packets for game and char login too :S

//e: moved to dev corner

Yep, that has been the case. Even with the old client, you are only able to connect to the char server but not the map server (get d/ced)