[REL] Redfox Integrity Bypass

Discussion on [REL] Redfox Integrity Bypass within the 9Dragons forum part of the MMORPGs category.

Old 09/11/2016, 20:03   #16
 
elite*gold: 0
Join Date: Aug 2006
Posts: 102
Received Thanks: 119
Quote:
Originally Posted by adek1994 View Post
Did they fix it again? Or should I make higher delay?
Try injecting when the "Loading XKernel" window is shown.

Quote:
Originally Posted by 34k01 View Post
Sometimes it works, I can send keys into the game protected by GG.
But I don't know why... Now, I still inject this DLL but get nothing.
This is not meant for private servers, and has nothing to do with EzierMac.
Plastic is offline  
Old 09/12/2016, 05:43   #17
 
elite*gold: 0
Join Date: Sep 2016
Posts: 9
Received Thanks: 0
Hi Mr.Plastic
I really want to pay you if you can help me bypass a private server that uses GG. I only need to use a macro to send keys into the game!
Hope you reply.
I've tried EzierMac, but GG auto-closes XKernel.
34k01 is offline  
Old 09/17/2016, 12:34   #18
 
elite*gold: 0
Join Date: Aug 2010
Posts: 246
Received Thanks: 51
34k01, bypassing GG, i.e. stripping client from GG is a piece of cake. The server uses a heartbeat signal every ~5 mins and you're automatically DCed if GG client doesn't respond to it. This timer is zeroed once you go in a different map. So you can use this feature for example to teleport within a map or change your speed or some different ****, but you can't play all the time w/o a GG client.
9D_player is offline  
Old 06/21/2017, 15:51   #19
 
elite*gold: 0
Join Date: Feb 2008
Posts: 20
Received Thanks: 3
Quote:
Originally Posted by Plastic View Post
Bypass


With this you will be able to modify the client again ( mastery, maps, epithets, etc ). I recommend making a backup of the game client without any modifications. This will allow you to download updates in a timely manner, since I believe the launcher prevents itself from updating the game if it finds modified files.

Version 0.2

Tested on Korean 9D


BattleLog Debugging

To enable BattleLog Debugging all you need to do is press the INSERT key on your keyboard. Changing map seems to create a new file in the base game directory, so you should probably do that or enable the option before logging into the game.

How to use

You will need an automatic injection tool ( Extreme Injector, Xenos Injector, etc. ) and have it ready to inject into the NINEDRAGONS.exe process prior to having the game open. If the game crashes for some reason upon injection, try setting an inject delay of around 100 ~ 1500ms.

Here are the settings I use with Extreme Injector:


If you are receiving this error:


Then open the injector and have it automatically inject when you see this window:




If you are incapable of injecting because of an "MSVC.dll" error, download and install the .
Hi Plastic, thanks for the share and good job on the research, but the title is incorrect because this will not bypass the Red Fox client integrity check.

This code is just enabling the game's XBattleLog by writing to a variable that is outside the game .code section.

The definition of Integrity Bypass is something that would allow you to modify the game .code section without getting booted.

BTW, what is the utility of this tool?
Geleia is offline  
Old 06/21/2017, 18:22   #20
 
elite*gold: 0
Join Date: Aug 2006
Posts: 102
Received Thanks: 119
Quote:
Originally Posted by Geleia View Post
Hi Plastic, thanks for the share and good job on the research, but the title is incorrect because this will not bypass the Red Fox client integrity check.

This code is just enabling the game's XBattleLog by writing to a variable that is outside the game .code section.

The definition of Integrity Bypass is something that would allow you to modify the game .code section without getting booted.

BTW, what is the utility of this tool?
The DLL was meant to bypass the hash check they do on files ( SCR_BASE.XP / NDTEXTDB_US.XSD / etc. ) loaded by the client. It doesn't work as intended anymore because with the method in the DLL they will disconnect you as you finish loading a character.
Plastic is offline  
Old 06/21/2017, 18:26   #21
 
elite*gold: 0
Join Date: Feb 2008
Posts: 20
Received Thanks: 3
Quote:
Originally Posted by Plastic View Post
The DLL was meant to bypass the hash check they do on files ( SCR_BASE.XP / NDTEXTDB_US.XSD / etc. ) loaded by the client. It doesn't work as intended anymore because with the method in the DLL they will disconnect you as you finish loading a character.
Reading the source files, and I just see a battle state log enabler.
Perhaps I missed it in the compiled DLLs..

//Here is the current address for the RedFox version; this code does not boot me from the game. I think your injection method or CreateThread API usage may be the issue. It could also be that your signature scanner is leaving behind a unique byte signature they can use to blacklist your DLL.

Code:
DWORD dwBase = (DWORD)GetModuleHandleA(NULL), dwPtr = dwBase + 0x00462E5C;

DWORD* pdwND1Hash = reinterpret_cast< DWORD* > (*reinterpret_cast< DWORD* >(dwPtr));

DWORD dwProt = PAGE_EXECUTE_READWRITE;

VirtualProtect(pdwND1Hash, 4, dwProt, &dwProt);
oND1Hash = (ND1Hash_t)*pdwND1Hash;
*pdwND1Hash = (DWORD)HookedND1Hash;
VirtualProtect(pdwND1Hash, 4, dwProt, &dwProt);

dwPtr = dwBase + 0x003B83FF;

g_bWriteLog = reinterpret_cast< DWORD* > (*reinterpret_cast< DWORD* >(dwPtr));

*g_bWriteLog = TRUE;
You don't need to go too deep into the engine to bypass the ( SCR_BASE.XP / NDTEXTDB_US.XSD / etc ) check. It's actually pretty easy.

However, good work, love your coding style.

Btw, what would you gain modifying these files anyway?
Geleia is offline  
Old 06/21/2017, 18:50   #22
 
elite*gold: 0
Join Date: Aug 2006
Posts: 102
Received Thanks: 119
Quote:
Originally Posted by Geleia View Post
Reading the source files, and I just see a battle state log enabler.
Perhaps I missed it in the compiled DLLs..

You don't need to go too deep into the engine to bypass the ( SCR_BASE.XP / NDTEXTDB_US.XSD / etc ) check. It's actually pretty easy.

However, good work, love your coding style.

Btw, what would you gain modifying these files anyway?
The NDTEXTDB_US.XSD is all the string references for NPCs/Items/etc. and you can use it to translate other versions of the game into English.

Basically everything inside of SCR_BASE.XP is how the game loads data. Some of it is only read in by the server though, so editing some stuff will not do anything on the client. Client sided examples would be changing every epithet to give 100% speed bonus, or changing every skill to have 0 cast time, lightfoot to have 0 recast time. Everything related to the server is mostly for creating private server content, and the reason and exist. If you're interested in how the game actually loads the files you can search for threads and find mostly everything.
Plastic is offline  
Old 06/21/2017, 18:58   #23
 
elite*gold: 0
Join Date: Feb 2008
Posts: 20
Received Thanks: 3
Quote:
Originally Posted by Plastic View Post
The NDTEXTDB_US.XSD is all the string references for NPCs/Items/etc. and you can use it to translate other versions of the game into English.

Basically everything inside of SCR_BASE.XP is how the game loads data. Some of it is only read in by the server though, so editing some stuff will not do anything on the client. Client sided examples would be changing every epithet to give 100% speed bonus, or changing every skill to have 0 cast time, lightfoot to have 0 recast time. Everything related to the server is mostly for creating private server content, and the reason and exist. If you're interested in how the game actually loads the files you can search for threads and find mostly everything.
Thx for this information. Do you know if this is still possible nowadays?
Geleia is offline  
Old 06/22/2017, 12:04   #24
 
elite*gold: 0
Join Date: May 2016
Posts: 77
Received Thanks: 55
Quote:
Originally Posted by 9D_player View Post
34k01, bypassing GG, i.e. stripping client from GG is a piece of cake. The server uses a heartbeat signal every ~5 mins and you're automatically DCed if GG client doesn't respond to it. This timer is zeroed once you go in a different map. So you can use this feature for example to teleport within a map or change your speed or some different ****, but you can't play all the time w/o a GG client.
It's pretty easy to bypass GG and its heartbeat
9dragonsGold is offline  
Old 06/23/2017, 13:36   #25
 
elite*gold: 0
Join Date: Aug 2006
Posts: 102
Received Thanks: 119
Quote:
Originally Posted by Geleia View Post
Thx for this information. Do you know if this is still possible nowadays?
Everything I mentioned in that post should still be possible, and more.

Quote:
Originally Posted by 9dragonsGold View Post
It's pretty easy to bypass GG and its heartbeat
How do you dump the GG module and disassemble the virtualized packet function(s)?
Plastic is offline  
Old 06/23/2017, 13:57   #26
 
elite*gold: 0
Join Date: May 2016
Posts: 77
Received Thanks: 55
Quote:
Originally Posted by Plastic View Post


How do you dump the GG module and disassemble the virtualized packet function(s)?
Well, if I tell it then I would have no business. I cannot share my pvt bypass for free. You can always buy it on my store. All I can do is share a video proof.
9dragonsGold is offline  
Old 06/23/2017, 14:01   #27
 
elite*gold: 0
Join Date: Aug 2006
Posts: 102
Received Thanks: 119
Quote:
Originally Posted by 9dragonsGold View Post
Well, if I tell it then I would have no business. I cannot share my pvt bypass for free. You can always buy it on my store. All I can do is share a video proof.
I never asked you for your bypass, I asked you how you dump the GG module and disassemble the packet functions.
Plastic is offline  
Old 06/23/2017, 14:42   #28
 
elite*gold: 0
Join Date: May 2016
Posts: 77
Received Thanks: 55
Quote:
Originally Posted by Plastic View Post
I never asked you for your bypass, I asked you how you dump the GG module and disassemble the packet functions.
Basically, telling you that info is half of the work needed to bypass it or check how it works.
All I can tell is there are 2 main packets working while in game: the game sends se.do and if all is OK GG sends back a bl or bn packet, I think it was (I should recheck). In case something is wrong, a hl.do packet is sent to shut down the game. Also, there are previous check packets at the start of the game called service.do mr and bn.

Quote:
Originally Posted by 34k01 View Post
I really want to pay you if you can help me bypass a private server that uses GG. I only need to use a macro to send keys into the game!
The only way to remove the macro's layer of protection is disabling GG. It means that you actually will get kicked every 5 minutes cos of the HB, and HeartBeat cannot be disabled if GG is also disabled.

There are 2 ways to make a bot: with GG disabled and changing map or "select character" b4 the HB countdown (5 mins). The second way is making a bot by packets, not hard with knowledge; you need C++, a bit of ASM and reverse engineering to decrypt and crypt packets.
9dragonsGold is offline  
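
Added example, not part of any post in this thread: posts #18 and #28 describe a server-side heartbeat whose ~5 minute countdown restarts on a map change or character select. The sketch below replays a constructed event trace against that reset behaviour and against a policy where only a validated heartbeat response moves the deadline; every type and function name is an assumption, not the game server's code.

```cpp
#include <cstdint>
#include <iostream>

// Hypothetical server-side model; names are assumptions for this example.
enum class Event { HeartbeatOk, MapChange, CharacterSelect };
struct Session { std::int64_t last_attested_s = 0; };  // last time the countdown was restarted
struct Timed { std::int64_t t; Event e; };
constexpr std::int64_t kHeartbeatWindowS = 300;  // ~5 minutes, as stated in the thread

// Reset behaviour described in the thread: map transitions restart the countdown.
void apply_weak(Session& s, Event e, std::int64_t now) {
    if (e == Event::HeartbeatOk || e == Event::MapChange || e == Event::CharacterSelect)
        s.last_attested_s = now;
}

// Hardened policy: only a validated anti-cheat heartbeat response restarts it.
void apply_hardened(Session& s, Event e, std::int64_t now) {
    if (e == Event::HeartbeatOk) s.last_attested_s = now;
}

bool must_disconnect(const Session& s, std::int64_t now) {
    return now - s.last_attested_s > kHeartbeatWindowS;
}

// Replays a trace second by second; returns the drop time, or -1 if the session survives.
template <typename Policy>
std::int64_t replay(Policy apply, const Timed* trace, int n, std::int64_t end) {
    Session s;
    int i = 0;
    for (std::int64_t now = 0; now <= end; ++now) {
        while (i < n && trace[i].t == now) apply(s, trace[i++].e, now);
        if (must_disconnect(s, now)) return now;
    }
    return -1;
}

// Constructed trace: one valid heartbeat at login, then only map/character transitions.
static const Timed kTrace[] = {
    {0, Event::HeartbeatOk}, {240, Event::MapChange},
    {480, Event::MapChange}, {720, Event::CharacterSelect}};

std::int64_t run_weak()     { return replay(apply_weak, kTrace, 4, 900); }
std::int64_t run_hardened() { return replay(apply_hardened, kTrace, 4, 900); }

int main() {
    std::cout << "weak policy drop time: " << run_weak() << "\n";
    std::cout << "hardened policy drop time: " << run_hardened() << "\n";
}
```

With the reset behaviour the unattested session is never dropped during the 900-second trace, while the hardened policy drops it one second after the 300-second window expires.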
Old 06/24/2017, 13:10   #29
 
elite*gold: 0
Join Date: Sep 2011
Posts: 139
Received Thanks: 110
Every time I come to this forum and read these posts I realize I have no idea about 9d.. xD
Fugea is offline  
Old 07/11/2017, 00:32   #30
 
elite*gold: 0
Join Date: Feb 2008
Posts: 20
Received Thanks: 3
Here is some more info from RedFox, this is a dump of the Monster name Id for everyone who is building a bot and wants to make a GetMonsterNameById function..
Cheers.
Attached Files
File Type: txt [9D]RedFox[GetMonsterNameById].txt (120.9 KB, 50 views)
Geleia is offline  
All times are GMT +2. The time now is 14:33.

