anyone good w/ CE?

Discussion on anyone good w/ CE? within the General Gaming Discussion forum part of the General Gaming category.

Old 05/24/2008, 22:13   #31
 
elite*gold: 0
Join Date: Dec 2007
Posts: 55
Received Thanks: 4
Quote:
Originally Posted by DeltaX13 View Post
Let's start with good old WPE Pro ^^ *DL*
So what to try first? Changing the quest IDs to the one where you had to deliver that girl? Gave an insane amount of Experience. Would be worth a try.

(Would be great if nothing goes public this time. Everyone knows this forum, so one could just as well tell the developers directly where the security holes are instead of posting it here.)
Have you done it?
djbrazil is offline  
Old 05/25/2008, 05:18   #32
 
elite*gold: 0
Join Date: Mar 2008
Posts: 36
Received Thanks: 4
Speed hack still works.
I can run from the south tower to the village super fast.
I can lay 5 attacks before the monster hits me for his 2nd.

HP, item changing, stats changing are all server side.
tekmo is offline  
Thanks
1 User
Old 05/25/2008, 18:26   #33
 
elite*gold: 0
Join Date: Jun 2006
Posts: 12
Received Thanks: 1
How do you find the address for speed?
If I search for 5.0 I get too many results.
BTW I have CE 5.4. I tried attack speed too but it didn't work.
daikirai is offline  
Old 05/25/2008, 21:16   #34
 
elite*gold: 0
Join Date: Nov 2006
Posts: 70
Received Thanks: 1
Is my WPE acting up, or have I just been a bit out of it this weekend? I can't send a single packet without getting a DC. With a game written in Japanese I can hardly translate the individual commands in it either. So am I just slightly confused at the moment, or does every packet carry a tag with a validity period?
As for the quests, I didn't get anything done. Please forgive me. *bows*
DeltaX13 is offline  
Old 05/26/2008, 11:28   #35
 
elite*gold: 0
Join Date: Nov 2007
Posts: 1,358
Received Thanks: 273
BTW, if someone has found pointers, please give me information about that. I'm working on a bot and can't find the pointers (my x64 system freezes if I try to start the debugger).

So if anyone gives me the information, that would speed up the process.
CosmosTunes is offline  
Old 05/26/2008, 11:34   #36
 
elite*gold: 0
Join Date: Apr 2008
Posts: 19
Received Thanks: 1
I can confirm that attack speed is working.

@tekmo:
Which item do you use to change the run speed?

@cosmostunes:
I would like to help, but I need to figure out how pointers work. Still a noob with CE.
caitulanh is offline  
Old 05/26/2008, 12:38   #37
 
elite*gold: 196
Join Date: Nov 2005
Posts: 625
Received Thanks: 192
Quote:
Originally Posted by DeltaX13 View Post
Is my WPE acting up, or have I just been a bit out of it this weekend? I can't send a single packet without getting a DC. With a game written in Japanese I can hardly translate the individual commands in it either. So am I just slightly confused at the moment, or does every packet carry a tag with a validity period?
As for the quests, I didn't get anything done. Please forgive me. *bows*
You were supposed to fail, buddy.
This was written by "clearscreen" (I wish he would answer my PMs...) during the closed beta phase:

Code:
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <winsock2.h>
#include "table.h"   // CryptTable and ProtectionTable (byte arrays); not part of this post

#pragma comment(lib, "ws2_32.lib")

/*
   Requiem packet explanation:
   Both client and server at all times keep a count of the amount of packets received.
   This is stored in an unsigned char so the amount will never exceed 255.
   In the first (encrypted) packet of the server, the client receives an offset for his packetcount.
   The packetdata is preceded by 7 bytes which are in place to protect from injection.
   Packetdata is decrypted by an 8 byte data block which is used on the whole packet.
   The offset for this 8 byte block for any particular packet is PacketCount * 8 in CryptTable.

   The 7 byte protection bytes are constructed as follows:

   - 1 byte ( Packetcount check ):
      PacketCount ^ 0x4B

   - 2 bytes ( Packetsize check ):
      (Payload + 7) ^ 0xBA7D
      Essentially it is (Full Packet Size) ^ 0xBA7D

   - 4 bytes ( Packetdata check ):
      Initial value = 0xFFFFFFFF
      The following is performed for every byte of the un-encrypted payload:
      X = Last byte of Value
      Y = PayloadByte ^ X
      Value = Value >> 8
      Value = Value ^ DWORD Table[ ( Y * 4 ) ]
      Value = !Value
      Value = Value ^ 0xA5F323CD

   The functions below are proof of concept.
*/

// XOR every payload byte with the 8 byte block that belongs to this packet count.
// The same routine encrypts and decrypts (XOR is its own inverse).
void CryptData ( unsigned char* pData, unsigned int Length, unsigned char pCount )
{
   /*
      004012AC  |> 8B3402         /MOV ESI,DWORD PTR DS:[EDX+EAX]
      004012AF  |. 8B7C02 04      |MOV EDI,DWORD PTR DS:[EDX+EAX+4]
      004012B3  |. 3375 08        |XOR ESI,DWORD PTR SS:[EBP+8]
      004012B6  |. 337D 0C        |XOR EDI,DWORD PTR SS:[EBP+C]
      004012B9  |. 8930           |MOV DWORD PTR DS:[EAX],ESI
      004012BB  |. 8978 04        |MOV DWORD PTR DS:[EAX+4],EDI
      004012BE  |. 83C0 08        |ADD EAX,8
      004012C1  |. 49             |DEC ECX
      004012C2  |.^75 E8          JNZ SHORT Requiem.004012AC
   */
   unsigned int CryptOffset = 0;
   for ( unsigned int i = 0; i < Length; i++ )
   {
      if ( CryptOffset == 8 ) CryptOffset = 0;
      pData[i] = pData[i] ^ ( CryptTable[CryptOffset + (pCount * 8)] );
      CryptOffset++;
   }
}

void Calculate1Byte(unsigned char pCount) { printf ( "Calculated 1 byte: %.2X\n", pCount ^ 0x4B ); }
void Calculate2Byte(unsigned short pSize) { printf ( "Calculated 2 byte: %.4X\n", pSize ^ 0xBA7D ); }

void Calculate4Byte(const unsigned char* payload, unsigned short Length, unsigned char* Dest)
{
   /*
      Please note: This is only valid for the Client -> Server checksum!
      The Server -> Client checksum performs some extra operations, not important for us.

      00401330  |> 8B5424 08      /MOV EDX,DWORD PTR SS:[ESP+8]
      00401334  |. 0FB61411       |MOVZX EDX,BYTE PTR DS:[ECX+EDX]
      00401338  |. 8BF0           |MOV ESI,EAX
      0040133A  |. 81E6 FF000000  |AND ESI,0FF
      00401340  |. 33D6           |XOR EDX,ESI
      00401342  |. C1E8 08        |SHR EAX,8
      00401345  |. 330495 8865830>|XOR EAX,DWORD PTR DS:[EDX*4+836588]
      0040134C  |. 41             |INC ECX
      0040134D  |. 3B4C24 0C      |CMP ECX,DWORD PTR SS:[ESP+C]
      00401351  |.^72 DD          JB SHORT Requiem.00401330

      00401353  |. 5E             POP ESI
      00401354  |> F7D0           NOT EAX

      00401115  |. 35 CD23F3A5    XOR EAX,A5F323CD
   */
   // Table driven checksum over the clear payload. Value is kept as one DWORD so the
   // shift and the table lookup match SHR EAX,8 / XOR EAX,[EDX*4+table] exactly.
   unsigned int Value = 0xFFFFFFFF;
   for ( unsigned short i = 0; i < Length; i++ )
   {
      unsigned char Offset = (unsigned char)(Value & 0xFF);   // MOV ESI, EAX - AND ESI, 0FF
      Offset ^= payload[i];                                   // XOR EDX, ESI
      Value >>= 8;                                            // SHR EAX, 8
      for ( unsigned int x = 0; x < 4; x++ )                  // XOR EAX,DWORD PTR DS:[EDX*4+836588]
         Value ^= (unsigned int)ProtectionTable[(Offset*4)+x] << (8*x);   // little-endian DWORD from the byte table
   }
   Value = (~Value) ^ 0xA5F323CD;                             // NOT EAX - XOR EAX,A5F323CD
   memcpy ( Dest + 3, &Value, 4 );                            // bytes 3..6 of the 7 byte protection header
}

// Overload of send: builds the 7 protection bytes, encrypts a copy of the payload and sends it.
void send ( SOCKET s, const unsigned char* Data, unsigned int len, unsigned char &PacketCount )
{
   unsigned char* Packet = new unsigned char[len+7];

   // Calculate protection bytes (the 4 byte check is taken over the clear payload).
   Packet[0] = PacketCount ^ 0x4B;
   *(unsigned short*)(Packet+1) = (unsigned short)((len + 7) ^ 0xBA7D);
   Calculate4Byte ( Data, (unsigned short)len, Packet );

   // Copy the payload into the packet buffer and encrypt it there, so the caller's data stays clear
   // (the original encrypted Data in place, which would double-encrypt a buffer sent twice).
   memcpy ( Packet + 7, Data, len );
   CryptData ( Packet + 7, len, PacketCount );

   send ( s, (char *)Packet, len + 7, 0 );   // Winsock send
   PacketCount++;

   delete[] Packet;
}

int main()
{
   SOCKET   s;
   WSADATA  wsa;
   unsigned char ServerPacketCount = 0;
   unsigned char ClientPacketCount = 0;
   unsigned char VersionInfo[16] = { 0x10, 0x00, 0x21, 0xCB, 0xB8, 0x6E, 0x83, 0x00, 0x03, 0x0C, 0x43, 0x04, 0x00, 0x00, 0x00, 0x00 };

   WSAStartup ( MAKEWORD(2, 2), &wsa );   // request Winsock 2.2 (the original passed the uninitialised wsa.wVersion)
   SOCKADDR_IN target;
   target.sin_family = AF_INET;
   target.sin_port = htons ( 7110 );
   target.sin_addr.s_addr = inet_addr ( "38.103.63.161" );

   s = socket ( AF_INET, SOCK_STREAM, IPPROTO_TCP );
   connect(s, (SOCKADDR *)&target, sizeof(target));

   unsigned char*   PacketBuffer = new unsigned char[8092];
   int              ReceivedBytes = recv(s, (char *)PacketBuffer, 8092, 0);

   // recv returns 0 on close and SOCKET_ERROR on failure; a frame needs more than the 7 protection bytes.
   // (Assumes one recv returns exactly one packet, as the original did.)
   while ( ReceivedBytes > 7 )
   {
      unsigned int   DataSize = ReceivedBytes - 7;
      unsigned char  Protection[7];
      unsigned char* PacketData = new unsigned char[DataSize];

      memcpy ( Protection, PacketBuffer, 7 );
      memcpy ( PacketData, PacketBuffer + 7, DataSize );

      // Decryption example.
      CryptData ( PacketData, DataSize, ServerPacketCount );
      for ( unsigned int i = 0; i < DataSize; i++ ) printf ( "%.2X ", PacketData[i] );
      printf ( "\n" );

      // Inner header as the post reads it: 2 byte size, 2 byte opcode; command data starts at offset 8.
      unsigned short cDataSize   = *(unsigned short *)PacketData;
      unsigned short cDataOpcode = *(unsigned short *)(PacketData+2);
      if ( DataSize < 8 || cDataSize < 8 || cDataSize > DataSize ) { delete[] PacketData; break; }
      unsigned char* cData = new unsigned char[cDataSize-8];
      memcpy ( cData, PacketData + 8, cDataSize - 8 );   // the original copied cDataSize bytes into a cDataSize-8 buffer

      switch ( cDataOpcode )
      {
         case 50001:   // first server packet: carries the offset for the client packet count
            if ( cDataSize > 8 ) ClientPacketCount += cData[0];
            send ( s, VersionInfo, 16, ClientPacketCount );
            break;

         case 52002:
            closesocket ( s );
            break;

         default:
            printf ( "Unknown opcode: %d\n", cDataOpcode );
      }

      ServerPacketCount++;
      delete[] cData;
      delete[] PacketData;

      ReceivedBytes = recv(s, (char *)PacketBuffer, 8092, 0);
   }
   delete[] PacketBuffer;
   WSACleanup();

   system("PAUSE");
   return 0;
}
So, simply sending packets which were already sent won't work.
scbiz is offline  
Thanks
1 User
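An added example, not from the thread, from clearscreen or from the game: a portable C++ sketch of the same 7-byte protection header, written from the server's side to show why a re-sent frame is rejected once the packet counter has moved on. The game's CryptTable and ProtectionTable are not in the post, so the standard reflected CRC-32 table and a constructed keystream function stand in for them (both assumptions); the structure follows the post, the values do not match the real client.

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>
static const uint32_t kFinalXor = 0xA5F323CDu;  // constants from the post
static const uint8_t  kCountXor = 0x4B;
static const uint16_t kSizeXor  = 0xBA7D;
// Stand-in for the DWORD table at 0x836588 (assumption): the standard reflected CRC-32 table.
static std::vector<uint32_t> make_protection_table() {
    std::vector<uint32_t> t(256);
    for (uint32_t i = 0; i < 256; ++i) {
        uint32_t c = i;
        for (int k = 0; k < 8; ++k) c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        t[i] = c;
    }
    return t;
}

// Constructed stand-in for CryptTable[count*8 + k]: 8 keystream bytes per counter value.
static uint8_t crypt_byte(uint8_t count, size_t i) {
    return uint8_t(((count * 8u + i % 8) * 0x9Eu + 0x31u) & 0xFF);
}

// 4-byte payload check as the post lists it (client -> server direction).
uint32_t payload_check(const std::vector<uint8_t>& payload) {
    static const std::vector<uint32_t> tbl = make_protection_table();
    uint32_t v = 0xFFFFFFFFu;
    for (uint8_t b : payload) v = (v >> 8) ^ tbl[(v & 0xFF) ^ b];  // X, Y, shift, table XOR
    return (~v) ^ kFinalXor;                                       // NOT, then XOR constant
}

// Build a frame as the client does: 7 protection bytes, then the XOR-masked payload.
std::vector<uint8_t> build_frame(const std::vector<uint8_t>& payload, uint8_t count) {
    std::vector<uint8_t> f(7 + payload.size());
    uint16_t size = uint16_t(payload.size() + 7) ^ kSizeXor;
    uint32_t chk = payload_check(payload);                 // over the clear payload
    f[0] = count ^ kCountXor;
    f[1] = size & 0xFF; f[2] = size >> 8;                  // little-endian, as in the post
    for (int i = 0; i < 4; ++i) f[3 + i] = (chk >> (8 * i)) & 0xFF;
    for (size_t i = 0; i < payload.size(); ++i) f[7 + i] = payload[i] ^ crypt_byte(count, i);
    return f;
}

// Server-side check: accept only if counter, size and payload check all agree.
bool verify_frame(const std::vector<uint8_t>& f, uint8_t expected_count) {
    if (f.size() < 7) return false;
    if (f[0] != (expected_count ^ kCountXor)) return false;   // stale or replayed counter
    if (size_t(uint16_t(f[1] | (f[2] << 8)) ^ kSizeXor) != f.size()) return false;
    std::vector<uint8_t> clear(f.size() - 7);
    for (size_t i = 0; i < clear.size(); ++i) clear[i] = f[7 + i] ^ crypt_byte(expected_count, i);
    uint32_t got = f[3] | (f[4] << 8) | (f[5] << 16) | (uint32_t(f[6]) << 24);
    return got == payload_check(clear);
}

// Scenario: a frame valid at counter 5 is replayed after the server's counter moved to 6.
bool replay_is_rejected() {
    const std::vector<uint8_t> payload = {0x10, 0x00, 0x21, 0xCB};  // constructed sample
    std::vector<uint8_t> f = build_frame(payload, 5);
    return verify_frame(f, 5) && !verify_frame(f, 6);
}
```

Because the counter also selects the keystream block, a replayed frame fails twice over: the count byte no longer matches, and even if it did the payload would decrypt under the wrong block and miss the 4-byte check.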
Old 05/26/2008, 12:48   #38
 
elite*gold: 0
Join Date: Dec 2007
Posts: 55
Received Thanks: 4
Quote:
Originally Posted by CosmosTunes View Post
BTW, if someone has found pointers, please give me information about that. I'm working on a bot and can't find the pointers (my x64 system freezes if I try to start the debugger).

So if anyone gives me the information, that would speed up the process.
same here ...
djbrazil is offline  
Old 05/26/2008, 14:52   #39
 
elite*gold: 0
Join Date: Nov 2006
Posts: 70
Received Thanks: 1
Lol this is insane xD I can't waste too much time on this project as I'm busy with school and all that stuff, so until someone comes up with more information I won't give it another try.
DeltaX13 is offline  
Old 05/26/2008, 15:49   #40
 
elite*gold: 0
Join Date: Dec 2007
Posts: 36
Received Thanks: 1
Hmmmmm

I can't believe that for a game that has no anti-hack system that we know of, this sure is a tough cookie to crack. I cannot manage to get the movement speed down. I have the attack speed figured out, but it is useless to me because I am not a melee character. Since the cooldown timers are server side, attacking fast as a long range character is still limited to your skill casting, which could shoot fast if the server didn't control the cooldown.
willcro is offline  
Old 05/26/2008, 16:27   #41
 
elite*gold: 0
Join Date: Nov 2007
Posts: 1,358
Received Thanks: 273
Quote:
Originally Posted by nop0x90 View Post
You were supposed to fail, buddy.
This was written by "clearscreen" (I wish he would answer my PMs...) during the closed beta phase:

So, simply sending packets which were already sent won't work.
Do you have the header file also?
CosmosTunes is offline  
Old 05/26/2008, 18:06   #42
 
elite*gold: 0
Join Date: Dec 2007
Posts: 55
Received Thanks: 4
I've been working on more tests and found something that I don't really know how to work...

It seems to have different variables for the same thing...
For example EXP...
I was able to find the address and change it, I could see it ingame but it had no practical effect... that means it is a screen variable...
And I could find another address that at first sight means nothing... but I think it is some kind of encrypting code that only the server can decrypt...

Does anyone get the same?
djbrazil is offline  
Old 06/29/2008, 19:20   #43
 
elite*gold: 0
Join Date: Oct 2005
Posts: 50
Received Thanks: 21
woop
clearscreen is offline  
Old 06/30/2008, 15:22   #44
 
elite*gold: 0
Join Date: Nov 2006
Posts: 70
Received Thanks: 1
You can't change server-side values with Cheat Engine. It can just manipulate your client data. C'mon, you didn't really think you could just change your experience and get to max lvl that way.
DeltaX13 is offline  