Protected Conquer.exe

01/30/2012 17:33 Diabolik777#1
Hello ePvP,

I came here after a long time looking for a private server to play on (coz official kinda sucks now) and found a decent classic server (patch 5165) :rolleyes: . Anyway, after playing for a while I realized that I am a bit bored, so I started a small project in C# that would be for packet logging. Everything was going well until I got stuck on encryption. I have opened conquer.exe in Notepad++ and cannot find the encryption key that is used; in fact, it looks like the whole file has been encrypted/protected against people like me :p . The file size is the same as the original 5165 conquer.exe. The protected conquer.exe is in the attachment; I would be glad if anyone can point me in the right direction. I don't want a complete solution (and lose the opportunity to have all the fun solving this).

Thanks in advance
02/02/2012 11:14 injection illusion logic#2
Compiler : Borland Delphi 6.0-7.0
Heuristic : Enigma protection 1.1x-1.3x -> Sukhov Vladimir & Serge N. Markin
information : 4 hashes & crypto signatures detected
2 crc32, 1 md2, 1 md4 (if you need offsets and addresses, post for it)
if you need manual unpacking, post for it
if you need the key and don't want to even move your ass a bit, post for it :P
if you need someone to play on this PS for you, also post it :P :P :P
Edit: forgot to say this, you don't really need to remove the client protection to figure out the encryption key :P that's pretty much enough to have fun figuring it out :P
02/02/2012 11:55 Lateralus#3
You can attach to it with a debugger when it's running to grab the key. Enigma decrypts everything at runtime.
02/03/2012 18:11 Diabolik777#4
Quote:
Originally Posted by Lateralus View Post
You can attach to it with a debugger when it's running to grab the key. Enigma decrypts everything at runtime.
I really can't right now, there is that anti-hack protection ^^. I am working on that now. They scan for known hacks (or processes; they prevent the client from running if any Java program is started :rolleyes: ). Problem is they are blocking .NET (tried C#) too. The only thing I can't figure out is how they know it is a C# application; I was changing exe descriptions (or whatever it is called) via ResHacker and a few other tools. There must be something that differs between C# and applications that are written in other languages. Just haven't found it yet :) .
02/03/2012 18:38 Lateralus#5
Quote:
Originally Posted by Diabolik777 View Post
I really can't right now, there is that anti-hack protection ^^. I am working on that now. They scan for known hacks (or processes; they prevent the client from running if any Java program is started :rolleyes: ). Problem is they are blocking .NET (tried C#) too. The only thing I can't figure out is how they know it is a C# application; I was changing exe descriptions (or whatever it is called) via ResHacker and a few other tools. There must be something that differs between C# and applications that are written in other languages. Just haven't found it yet :) .
Enigma protects against process names, window names, and class names. Change those in the program and it's helpless. It's crazy that they block .NET programs from running. How stupid.
02/03/2012 19:47 Diabolik777#6
So I have tried changing everything I found in the test application (class, filename, window name, copyrights, version, etc.) and it is still being detected. Also, I have the encryption key from Olly (thanks guys). Just need to remove that Enigma shit so I can run VS2010 while running Conquer (also blocked :p ). I was searching Google for how to remove it but so far no luck. Any hints?
02/03/2012 20:24 Lateralus#7
If you have the key, you can just place it in a non-protected executable and use it instead of the protected one.
02/04/2012 21:35 Diabolik777#8
:facepalm: I am so stupid. So I have tried changing the key inside a clean 5165 but I can't log in successfully. Seems like the encryption key I have is wrong (it shouldn't be) or they have some extra encryption added (in the CO folder there are DLLs that are used to manipulate memory, but it looks like they aren't used because when I delete them I can still log in successfully with their conquer.exe).
02/05/2012 11:35 injection illusion logic#9
Are you sure you are logging on to the right game/auth ports ;) ?
02/05/2012 12:43 Diabolik777#10
Checked with WPE and the ports are correct (9958, 5816). Looks like it's easier to create a logger/proxy for retail Conquer than for a pserver lol. And I noticed that when I try to log in with their conquer.exe, there is a slight (3-4 sec) "login freeze" before it proceeds to loading maps. When I am logging in with the cracked exe, no login freeze occurs.
02/05/2012 12:45 m7mdxlife#11
Quote:
Originally Posted by Diabolik777 View Post
Checked with WPE and the ports are correct (9958, 5816). Looks like it's easier to create a logger/proxy for retail Conquer than for a pserver lol. And I noticed that when I try to log in with their conquer.exe, there is a slight (3-4 sec) "login freeze" before it proceeds to loading maps. When I am logging in with the cracked exe, no login freeze occurs.
Win7?
02/05/2012 13:09 Diabolik777#12
Yes, I am using Windows 7. But that login freeze can be irrelevant.
02/05/2012 13:12 m7mdxlife#13
Noticed a login freeze when using Windows 7 on more than one computer.. just thought I should let you know that maybe it's not whatever reason you think it is, it's just Windows. Lateralus said that the client starts doing something when it hits that point and that makes it freeze on Windows 7.
02/05/2012 13:42 I don't have a username#14
It's because setting up Blowfish is slow at the latest patches.
02/05/2012 15:44 Diabolik777#15
Is patch 5165 one of those latest patches?