anyone good w/ CE?
Discussion on anyone good w/ CE? within the General Gaming Discussion forum part of the General Gaming category.
05/24/2008, 22:13
#31
elite*gold: 0
Join Date: Dec 2007
Posts: 55
Received Thanks: 4
Quote:
Originally Posted by DeltaX13
Let's start with good old WPE Pro ^^ *DL*
So what to try first? Changing the quest IDs to the one where you had to deliver that girl? Gave an insane amount of Experience. Would be worth a try.
(It would be great if nothing went public this time. Everyone knows this forum, so one could just as well explain to the developers directly where the security holes are instead of posting it here.)
Have you done it?
05/25/2008, 05:18
#32
elite*gold: 0
Join Date: Mar 2008
Posts: 36
Received Thanks: 4
Speed hack still works..
I can run from south tower to village like super fast.
I can lay 5 attacks before the monster hits me for his 2nd.
HP, item changing, stats changing is all server side.
05/25/2008, 18:26
#33
elite*gold: 0
Join Date: Jun 2006
Posts: 12
Received Thanks: 1
How do you find the address for speed?
If I search for 5.0 I get too many results..
btw I got CE 5.4. I tried atk speed too but it didn't work..
05/25/2008, 21:16
#34
elite*gold: 0
Join Date: Nov 2006
Posts: 70
Received Thanks: 1
Is my WPE acting up, or have I just been a bit out of it this weekend? I can't send a single packet without getting a DC. With a game written in Japanese I can't really translate the individual commands in it either. So am I just a bit scattered right now, or does every packet carry a tag with an expiry time?
So as far as the quests go, I didn't get anything done. My apologies. *bows*
05/26/2008, 11:28
#35
elite*gold: 0
Join Date: Nov 2007
Posts: 1,358
Received Thanks: 273
btw. if someone found pointers please give me information about that. I'm working on a bot and can't find out the pointers (my x64 system froze if I try to start the debugger).
So if anyone gives me the information, that would speed up the process.
05/26/2008, 11:34
#36
elite*gold: 0
Join Date: Apr 2008
Posts: 19
Received Thanks: 1
I can confirm that attack speed is working.
@tekmo:
Which item do you use to change the run speed?
@cosmostunes:
I would like to help, but I need to figure out how pointers work. Still a noob with CE.
05/26/2008, 12:38
#37
elite*gold: 196
Join Date: Nov 2005
Posts: 625
Received Thanks: 192
Quote:
Originally Posted by DeltaX13
Is my WPE acting up, or have I just been a bit out of it this weekend? I can't send a single packet without getting a DC. With a game written in Japanese I can't really translate the individual commands in it either. So am I just a bit scattered right now, or does every packet carry a tag with an expiry time?
So as far as the quests go, I didn't get anything done. My apologies. *bows*
You were supposed to fail, buddy.
This has been written by "clearscreen" (I wish he would answer my PMs...) during the closed beta phase:
Code:
#include <iostream>
#include <cstdio>    // printf
#include <cstdlib>   // system
#include <cstring>   // memcpy
#include <winsock2.h>
#include "table.h"   // must define CryptTable (256 * 8 bytes) and ProtectionTable (256 * 4 bytes); not part of this post
#pragma comment(lib, "ws2_32.lib")
/*
Requiem packet explanation:
Both client and server at all times keep a count of the amount of packets received.
This is stored in an unsigned char so the amount will never exceed 255.
In the first (encrypted) packet of the server, the client receives an offset for his packetcount.
The packetdata is preceded by 7 bytes which are in place to protect from injection.
Packetdata is decrypted by an 8 byte data block which is used on the whole packet.
The offset for this 8 byte block for any particular packet is PacketCount * 8 in CryptTable.
The 7 byte protection bytes are constructed as following:
- 1 byte ( Packetcount check ):
    PacketCount ^ 0x4B
- 2 bytes ( Packetsize check ):
    (Payload + 7) ^ 0xBA7D
    Essentially it is (Full Packet Size) ^ 0xBA7D
- 4 bytes ( Packetdata check ):
    Initial value = 0xFFFFFFFF
    The following is performed for every byte of the un-encrypted payload:
        X = Last byte of Value
        Y = PayloadByte ^ X
        Value = Value >> 8
        Value = Value ^ DWORD Table[ ( Y * 4 ) ]
    Value = !Value
    Value = Value ^ 0xA5F323CD
The functions below are proof of concept.
*/

// XOR the buffer with the 8 byte block that belongs to this packet count.
// XOR is symmetric, so the same call encrypts and decrypts.
void CryptData ( unsigned char* pData, unsigned int Length, unsigned char pCount )
{
    /*
    004012AC |> 8B3402 /MOV ESI,DWORD PTR DS:[EDX+EAX]
    004012AF |. 8B7C02 04 |MOV EDI,DWORD PTR DS:[EDX+EAX+4]
    004012B3 |. 3375 08 |XOR ESI,DWORD PTR SS:[EBP+8]
    004012B6 |. 337D 0C |XOR EDI,DWORD PTR SS:[EBP+C]
    004012B9 |. 8930 |MOV DWORD PTR DS:[EAX],ESI
    004012BB |. 8978 04 |MOV DWORD PTR DS:[EAX+4],EDI
    004012BE |. 83C0 08 |ADD EAX,8
    004012C1 |. 49 |DEC ECX
    004012C2 |.^75 E8 JNZ SHORT Requiem.004012AC
    */
    unsigned int CryptOffset = 0;
    for ( unsigned int i = 0; i < Length; i++ )
    {
        if ( CryptOffset == 8 ) CryptOffset = 0;
        pData[i] = pData[i] ^ ( CryptTable[CryptOffset + (pCount * 8)] );
        CryptOffset++;
    }
}

void Calculate1Byte(unsigned char pCount) { printf ( "Calculated 1 byte: %.2X\n", pCount ^ 0x4B ); }
void Calculate2Byte(unsigned short pSize) { printf ( "Calculated 2 byte: %.4X\n", pSize ^ 0xBA7D ); }

// Writes the 4 byte payload check to Dest+3 (bytes 3..6 of the 7 byte header).
void Calculate4Byte(unsigned char* payload, unsigned short Length, unsigned char* Dest)
{
    /*
    Please note: This is only valid for the Client -> Server checksum!
    The Server -> Client checksum performs some extra operations, not important for us.
    00401330 |> 8B5424 08 /MOV EDX,DWORD PTR SS:[ESP+8]
    00401334 |. 0FB61411 |MOVZX EDX,BYTE PTR DS:[ECX+EDX]
    00401338 |. 8BF0 |MOV ESI,EAX
    0040133A |. 81E6 FF000000 |AND ESI,0FF
    00401340 |. 33D6 |XOR EDX,ESI
    00401342 |. C1E8 08 |SHR EAX,8
    00401345 |. 330495 8865830>|XOR EAX,DWORD PTR DS:[EDX*4+836588]
    0040134C |. 41 |INC ECX
    0040134D |. 3B4C24 0C |CMP ECX,DWORD PTR SS:[ESP+C]
    00401351 |.^72 DD JB SHORT Requiem.00401330
    00401353 |. 5E POP ESI
    00401354 |> F7D0 NOT EAX
    00401115 |. 35 CD23F3A5 XOR EAX,A5F323CD
    */
    unsigned char Value[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
    for ( unsigned short i = 0; i < Length; i++ )
    {
        unsigned char Offset = Value[0];             // MOV ESI, EAX - AND ESI, 0FF (low byte on little endian)
        Offset ^= payload[i];                        // XOR EDX, ESI
        (*(unsigned int *)Value) >>= 8;              // SHR EAX, 8
        for ( unsigned int x = 0; x < 4; x++ ) Value[x] ^= ProtectionTable[(Offset*4)+x]; // XOR EAX,DWORD PTR DS:[EDX*4+836588]
    }
    (*(unsigned int *)(Dest+3)) = (~(*(unsigned int *)Value)) ^ 0xA5F323CD; // NOT EAX - XOR EAX,A5F323CD
}

// Overload send function: builds the 7 byte header, encrypts the payload and bumps the counter.
void send ( SOCKET s, unsigned char* Data, unsigned int len, unsigned char &PacketCount )
{
    unsigned char* Packet = new unsigned char[len+7];
    // Calculate protection bytes.
    Packet[0] = PacketCount ^ 0x4B;
    *(unsigned short*)(Packet+1) = (len + 7) ^ 0xBA7D;
    Calculate4Byte ( Data, len, Packet );
    // Encrypt payload and copy to packet buffer.
    CryptData ( Data, len, PacketCount );
    memcpy ( Packet + 7, Data, len );
    send ( s, (char *)Packet, len + 7, 0 );          // resolves to the Winsock send (char* argument)
    PacketCount++;
    delete[] Packet;
}

int main()
{
    SOCKET s;
    WSADATA wsa;
    unsigned char ServerPacketCount = 0;
    unsigned char ClientPacketCount = 0;
    unsigned char VersionInfo[16] = { 0x10, 0x00, 0x21, 0xCB, 0xB8, 0x6E, 0x83, 0x00, 0x03, 0x0C, 0x43, 0x04, 0x00, 0x00, 0x00, 0x00 };
    WSAStartup ( MAKEWORD(2, 2), &wsa );             // request Winsock 2.2 (the original passed the uninitialised wsa.wVersion)
    SOCKADDR_IN target;
    target.sin_family = AF_INET;
    target.sin_port = htons ( 7110 );
    target.sin_addr.s_addr = inet_addr ( "38.103.63.161" );
    s = socket ( AF_INET, SOCK_STREAM, IPPROTO_TCP );
    connect(s, (SOCKADDR *)&target, sizeof(target));
    unsigned char* PacketBuffer = new unsigned char[8092];
    int ReceivedBytes = recv(s, (char *)PacketBuffer, 8092, 0);
    while ( ReceivedBytes > 0 )                      // 0 = connection closed, SOCKET_ERROR (-1) = failure
    {
        if ( ReceivedBytes < 7 + 8 ) break;          // need the 7 protection bytes plus the 8 byte inner header
        unsigned int DataSize = ReceivedBytes - 7;
        unsigned char Protection[7];
        unsigned char* PacketData = new unsigned char[DataSize];
        memcpy ( Protection, PacketBuffer, 7 );
        memcpy ( PacketData, PacketBuffer + 7, DataSize );
        // Decryption example.
        CryptData ( PacketData, DataSize, ServerPacketCount );
        for ( unsigned int i = 0; i < DataSize; i++ ) printf ( "%.2X ", PacketData[i] );
        printf ( "\n" );
        unsigned short cDataSize = *(unsigned short *)PacketData;
        unsigned short cDataOpcode = *(unsigned short *)(PacketData+2);
        if ( cDataSize < 8 || cDataSize > DataSize ) // inner size must cover its own 8 byte header and fit the received data
        {
            delete[] PacketData;
            break;
        }
        unsigned char* cData = new unsigned char[cDataSize-8];
        memcpy ( cData, PacketData + 8, cDataSize - 8 ); // copy only the inner payload (the original copied cDataSize bytes into a cDataSize-8 buffer)
        switch ( cDataOpcode )
        {
        case 50001:
            ClientPacketCount += cData[0];
            send ( s, VersionInfo, 16, ClientPacketCount );
            break;
        case 52002:
            closesocket ( s );
            break;
        default:
            printf ( "Unknown opcode: %d\n", cDataOpcode );
        }
        ServerPacketCount++;
        delete[] cData;
        delete[] PacketData;
        ReceivedBytes = recv(s, (char *)PacketBuffer, 8092, 0);
    }
    delete[] PacketBuffer;
    WSACleanup();
    system("PAUSE");
    return 0;
}
So, simply sending packets which were already sent won't work.
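The comment block in the posted code describes the framing that makes a straight replay fail. As an added example (not from the thread and not clearscreen's client), the Python below implements the receiver side of that check: it rebuilds the three header fields, decrypts with the counter it expects, and shows a frame being accepted once, rejected when the same bytes arrive again, and rejected when one encrypted byte is altered. Because table.h is not on the page, two stand-ins are assumed: ProtectionTable is replaced by the standard reflected CRC-32 table (the loop in the post has exactly that shape, but the game's real table may differ) and CryptTable by a constructed 256 x 8 byte table. The constants 0x4B, 0xBA7D and 0xA5F323CD are the ones the post gives; the sample payload is constructed, not a real game packet.

```python
"""Receiver-side check of the 7-byte protection header described in the post.

Added example; stand-in tables replace the missing table.h (see comments)."""
import struct

COUNT_XOR = 0x4B          # from the post: PacketCount ^ 0x4B
SIZE_XOR = 0xBA7D         # from the post: (Payload + 7) ^ 0xBA7D
FINAL_XOR = 0xA5F323CD    # from the post: final XOR after NOT


def _crc32_table():
    # Stand-in for ProtectionTable (assumption): 256 DWORDs of the reflected CRC-32 polynomial.
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


PROTECTION_TABLE = _crc32_table()
# Stand-in for CryptTable (constructed here): 256 counter values x 8 key bytes.
CRYPT_TABLE = bytes(((i * 73) + 41) & 0xFF for i in range(256 * 8))


def payload_check(payload: bytes) -> int:
    """The 4-byte check from the post, computed over the plaintext payload."""
    value = 0xFFFFFFFF
    for b in payload:
        y = (value & 0xFF) ^ b                 # X = low byte of Value, Y = PayloadByte ^ X
        value = (value >> 8) ^ PROTECTION_TABLE[y]
    return (~value & 0xFFFFFFFF) ^ FINAL_XOR   # NOT EAX ; XOR EAX, A5F323CD


def crypt(data: bytes, count: int) -> bytes:
    """XOR with the 8-byte block selected by the packet counter; symmetric, so it also decrypts."""
    base = (count & 0xFF) * 8
    return bytes(b ^ CRYPT_TABLE[base + (i % 8)] for i, b in enumerate(data))


def build_frame(payload: bytes, count: int) -> bytes:
    """7-byte header (count check, size check, payload check) followed by the encrypted payload."""
    header = struct.pack("<BHI",
                         (count & 0xFF) ^ COUNT_XOR,
                         (len(payload) + 7) ^ SIZE_XOR,
                         payload_check(payload))
    return header + crypt(payload, count)


def verify_frame(frame: bytes, expected_count: int):
    """What a receiver does with the header; returns (accepted, reason, payload)."""
    if len(frame) < 7:
        return False, "short frame", b""
    count_byte, size_field, check = struct.unpack("<BHI", frame[:7])
    if count_byte ^ COUNT_XOR != (expected_count & 0xFF):
        return False, "counter mismatch", b""      # stale or replayed counter
    if size_field ^ SIZE_XOR != len(frame):
        return False, "size mismatch", b""
    payload = crypt(frame[7:], expected_count)
    if payload_check(payload) != check:
        return False, "checksum mismatch", b""     # payload altered, or decrypted with the wrong block
    return True, "ok", payload


def replay_demo():
    """Constructed sample: one valid frame, the same frame sent again, and a tampered copy."""
    payload = bytes([0x10, 0x00, 0x21, 0xCB, 0x01, 0x02])   # constructed, not a real game packet
    frame = build_frame(payload, count=5)
    accepted = verify_frame(frame, expected_count=5)[1]
    replayed = verify_frame(frame, expected_count=6)[1]      # receiver has moved on to count 6
    tampered = bytearray(frame)
    tampered[-1] ^= 0x01                                      # flip one bit of the encrypted payload
    altered = verify_frame(bytes(tampered), expected_count=5)[1]
    return accepted, replayed, altered


if __name__ == "__main__":
    print(replay_demo())   # ('ok', 'counter mismatch', 'checksum mismatch')
```

The counter byte is what defeats the naive replay discussed in the thread: a captured frame carries the counter it was built with, and by the time it is sent again the receiver expects a different one. Note that the post says the counter is a single byte that never exceeds 255, so it wraps every 256 frames; a receiver that needs real anti-replay protection wants a wider sequence number or a session-bound key, and an 8-byte XOR block reused for every packet with the same counter is an integrity and framing aid rather than meaningful confidentiality.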
05/26/2008, 12:48
#38
elite*gold: 0
Join Date: Dec 2007
Posts: 55
Received Thanks: 4
Quote:
Originally Posted by CosmosTunes
btw. if someone found pointers please give me information about that. I'm working on a bot and can't find out the pointers (my x64 system froze if I try to start the debugger).
So if anyone gives me the information, that would speed up the process.
Same here ...
05/26/2008, 14:52
#39
elite*gold: 0
Join Date: Nov 2006
Posts: 70
Received Thanks: 1
Lol this is insane xD I can't waste too much time on this project as I'm busy with school and all that stuff, so till someone comes up with more information I won't give it another try.
05/26/2008, 15:49
#40
elite*gold: 0
Join Date: Dec 2007
Posts: 36
Received Thanks: 1
hmmmmm
I can't believe that for a game with no antihack system that we know of, this sure is a tough cookie to crack. I cannot manage to get the movement speed down; I have the attack speed figured out, but it is useless to me because I am not a melee character. Since the cooldown timers are server side, attacking fast as a long range character is still limited by your skill casting, which could shoot fast if the server didn't control the cooldown.
05/26/2008, 16:27
#41
elite*gold: 0
Join Date: Nov 2007
Posts: 1,358
Received Thanks: 273
Quote:
Originally Posted by nop0x90
You were supposed to fail, buddy.
This has been written by "clearscreen" (I wish he would answer my PMs...) during the closed beta phase:
So, simply sending packets which were already sent won't work.
Do you have the header file also?
05/26/2008, 18:06
#42
elite*gold: 0
Join Date: Dec 2007
Posts: 55
Received Thanks: 4
I've been working on more tests and found something that I don't really know how to work ...
It seems to have different variables for the same thing...
For example EXP ...
I was able to find the address and change it; I could see it ingame but it had no practical effect ... that means it is a screen variable ...
And I could find another address that at first sight means nothing ... but I think it is some kind of encrypting code that only the server can decrypt ...
Does anyone get the same?
06/29/2008, 19:20
#43
elite*gold: 0
Join Date: Oct 2005
Posts: 50
Received Thanks: 21
woop
06/30/2008, 15:22
#44
elite*gold: 0
Join Date: Nov 2006
Posts: 70
Received Thanks: 1
You can't change server-sided values with Cheat Engine. It can just manipulate your client data. C'mon, you didn't really think you could just change your experience and get to max lvl that way
All times are GMT +1. The time now is 09:44.