[Question] Packet Encryption

02/09/2010 01:04 meak1#46
i said at the top of the thread u dont need send for making a bot but its okay, try it and say u did it^^ i go to sleep now, i am poorly at home this week ;o
02/09/2010 01:13 Thiesius#47
It will help me understand CRC and HShield flow a little bit, so I would have some knowledge when I try to switch to clientless :). My goal isn't to create a bot, but actually to fix that expel when all HShield functions are bypassed and SendPacketMain is hooked :D. I know, I didn't choose exactly the easiest goal, but let's say: it cannot hurt me if I learn some more.

#EDIT:
For the love of Jesus... how could I have been so blind.
Packet order if the driver isn't loaded is actually like this:
1. Packet with session keys
2. 0x09 packet (Version?)
3. 0x05 aka ping packet
4. Here - if the jump isn't taken, then 0x5B "Ud" will be sent, disconnecting you, doesn't matter what's inside (I guess). If the jmp is taken, then build the 0x03 "m" packet (this packet will come out of "SendPacketMain"). This one will probably disconnect you too when debugging. I will have to check what's inside this one.
Two exports of HackShield are called just before these packets: Export 10 and Export 16 (called from Export 10).

I hope that it will be helpful to someone
02/11/2010 16:39 Thiesius#48
Some updates:
I thought I would not have to do it, but yes - it looks like I will have to emulate HackShield in order to make it work. Or at least I will have to fix some stuff...

I read a few articles on other forums and researched for some time.
3 broken bypasses ->
1) You cannot just prevent the engine from loading EhSvc - c'mon, that would be too easy, who would generate AckMessages for you?
2) You cannot simply hook the callback - Integrity check (this wouldn't matter) + AckMessage (this matters)
3) You cannot simply disable some exit functions or modify 3 opcodes - Integrity check + AckMessage

And I also read that bypassing the driver will lead to a malfunction of the AckMessage generator. That will pretty much suit my case.
The Ack message is the 0x03 "m" packet, 0x199 long (if I remember correctly). Normally it should contain CRCs and 32 x 12-byte hashes of functions given by the server.

Fixing MakeAckMessage should be done by bypassing all "Has HShield been successfully initialized" checks inside this function (same for GUIDAckMessage).

My current goal: ["Repairing" the AckMessage functions so they work again]
That means they will not send bull**** to the server...
02/12/2010 11:32 ILikeItEasy#49
gogogo Thiesius :)
02/12/2010 11:45 BenKiu#50
exteco made clientless, ask him how
02/12/2010 11:52 ILikeItEasy#51
It is not just the goal, it is the road towards it that is the challenge :)
02/12/2010 20:13 Thiesius#52
Quote:
Originally Posted by BenKiu
exteco made clientless, ask him how
Well, I don't have any contacts for him.

Well, I know a lot of theory but I lack practice.
I downloaded some reverse-mes and learning tuts so I will practice.

But I'm not at home now and I won't be for some time. And I need my PC, I have all my resources on it.
02/12/2010 20:31 bloodx#53
Thiesius i can explain it to u if u want.
02/13/2010 00:23 Thiesius#54
Quote:
Originally Posted by bloodx
Thiesius i can explain it to u if u want.
Well, that would kick ass :cool: