New bot development

12/15/2008 01:37 dmiden#1
Ok, I decided to make a new thread for this.
So basically we have nothing, we're starting from scratch.

So our obvious obstacle is: packet encryption

From my testing I've discovered the whole packet where the "session key" is sent. Meaning I don't know specifically what in the packet is the session key.

I can do all the programming for the bot, packet handling, GUI etc.
But I do need a team, or people willing to help.
Mostly I need someone who can analyze the client and find the encryption method.

I'll explain in steps how it works:

1) Server sends packet containing session key
2) Client uses the session key (may or may not manipulate it somehow) to encrypt all its outgoing packets from now on.
3) Client sends an encrypted OK packet
4) Server checks the packet to see that it is valid and sends an OK packet as well

So, if we can find the encryption method we can encrypt our packets and thus send valid packets.
12/15/2008 02:05 alabatusa#2
Don't you need the server IP and port? Or are you gonna send it to the client?
I haven't hacked in ages.
I'm trying to see if I can find the attack speed packet.
12/15/2008 03:38 alabatusa#3
I found this on another respected website, mpcforum. Hope it helps...

"These are the decrypted versions of the files found in the \ini directory, they contain the settings for just about everything including item stats, NPCs, skills, teleport fees etc.
This is just to help hackers, I'm not going to tell you what you can do with them and how (except one pointer for hackers: 004E2110). I don't even know if they are useful yet, although characterdatatable.txt contains a lot of useful info about the mobs. Enjoy."

A reply to this is:

"I assume that 004E2110 is the program offset to the crypto key in the client? If that is the case, then the next step is to identify the crypto algorithm and try to decrypt the files on our own.

If the key is a symmetric key, then the same key can be used to decrypt the ini files, change them and then re-encrypt to make the changes permanent.

If the key is asymmetric then we need to write a patcher to decrypt the ini files, replace the client key and re-encrypt the ini files.

Is this on the right track?"
12/15/2008 11:14 dmiden#4
Hey alabatusa, I'm glad you're trying to help!
First off, the ini files are a completely different thing, they are checked server-side anyway. I did some hacking to those, for example I added other classes' skills to my character's skill tree, I couldn't however learn them. There is a 99% chance that they check that kind of thing server-side, which makes it pointless to hack the ini files.

As for ip & port, that's no problem. The client connects to login.archlordgame.com port 11002.

I'm gonna do some testing later today by setting up my "fake" login server and redirecting "login.archlordgame.com" to my own IP. I'll try to mess around with the packet containing the "session key" and see how the client responds.

EDIT
But what we need the most is someone who can hack the client and find the encryption algorithm.
12/15/2008 13:13 Newbb#5
I'd like to thank you for helping, though you're both junior members. I don't know crap about hacking and I'd like to learn, but don't know where and how^^

So you have my blessing, and I hope it'll work. I'm looking forward to a bot that is supported and works on Vista^^

grtz
12/15/2008 13:30 dmiden#6
Thank you Newbb, if we can get the algorithm there's no obstacle to it working on Vista. The bot's main features would be:
standalone application (no need to have archlord open)
repair items
sell items
delete items if inventory is full
logout if PK is near
run if low hp
attack mob that is already attacking oneself

etc etc

Progress:
I've analyzed the session key packet further. Here is the same session key packet, but from 3 different connections:
first set:
->2 > 0xD62E004800000000000301200006394B090097B12B206C50CC82CA7B86BC93C5CD9313C5E54E318BD81C632DFB6B
->1 > 0xD616004800000000000306080000000000000000006B
second set:
->2 > 0xD62E0048FE0000000003012000BFFB35859A57967F1DA4BED7B57A75F7AE242D3A73D7066803FECE66CB8D6C9D6B
->1 > 0xD6160048FE000000000306080000000000000000006B
third set:
->2 > 0xD62E0048000000000003012000B95A06729D0391CF3A9C93FA4589042801639349DAFD0734852A83CB58E766706B
->1 > 0xD616004800000000000306080000000000000000006B

So these are the packets sent to the client containing the session key.
The first packet contains 0xD6160048, then a key of 2 or more bytes, followed by 00000000000306080000000000000000006B.

The second packet is 0xD62E0048, followed by the two bytes from the first packet and then 0000000003012000, followed by an encrypted string which ends with 6B.

Now the client has the session key, encrypts a string of its own and sends a packet back to the server to confirm that the client has successfully used the session key.

So, is anyone here familiar with crypto signatures in .exe files?
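A framing check over the six captures above, added here and not code from the thread: it parses each packet by the layout dmiden describes and verifies the regularities across all three connections. The field names, and the reading of byte 1 as a length byte, are my assumptions about the framing, not something the thread states.

```python
from dataclasses import dataclass

# The three connections dmiden posted above, each as (first packet, second packet).
CAPTURES = [
    ("D616004800000000000306080000000000000000006B",
     "D62E004800000000000301200006394B090097B12B206C50CC82CA7B86BC93C5CD9313C5E54E318BD81C632DFB6B"),
    ("D6160048FE000000000306080000000000000000006B",
     "D62E0048FE0000000003012000BFFB35859A57967F1DA4BED7B57A75F7AE242D3A73D7066803FECE66CB8D6C9D6B"),
    ("D616004800000000000306080000000000000000006B",
     "D62E0048000000000003012000B95A06729D0391CF3A9C93FA4589042801639349DAFD0734852A83CB58E766706B"),
]

@dataclass
class Frame:                # field names are my assumption, not the protocol's
    magic: int              # byte 0, 0xD6 in all six frames
    length: int             # byte 1; equals the real frame size (0x16 = 22, 0x2E = 46)
    kind: int               # bytes 2-3 as a big-endian word, 0x0048 throughout
    field: bytes            # bytes 4-5, the pair that repeats between the two packets
    tag: bytes              # bytes 9-11: 03 06 08 in packet one, 03 01 20 in packet two
    payload: bytes          # byte 13 up to the trailing 0x6B
    terminator: int         # last byte, 0x6B

def parse_frame(hexstr: str) -> Frame:
    """Split one captured frame by the assumed layout; reject anything that deviates."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 14 or raw[1] != len(raw):
        raise ValueError("frame too short, or declared length does not match")
    if raw[6:9] != b"\0\0\0" or raw[12] != 0:
        raise ValueError("unexpected bytes in the fixed zero positions")
    return Frame(raw[0], raw[1], int.from_bytes(raw[2:4], "big"),
                 raw[4:6], raw[9:12], raw[13:-1], raw[-1])

def pair_consistent(first_hex: str, second_hex: str) -> bool:
    """Check the regularities the post describes across one connection's pair."""
    a, b = parse_frame(first_hex), parse_frame(second_hex)
    return (a.magic == b.magic == 0xD6
            and a.kind == b.kind == 0x0048
            and a.field == b.field               # "the two bytes from the first packet"
            and a.tag == bytes.fromhex("030608")
            and b.tag == bytes.fromhex("030120")
            and a.terminator == b.terminator == 0x6B
            and a.payload == bytes(8)            # packet one carries only zero bytes
            and len(b.payload) == 32)            # packet two carries 32 bytes of varying content

def field_per_connection() -> list:
    """The 2-byte field from each connection's first packet: 0000, fe00, 0000."""
    return [parse_frame(first).field.hex() for first, _ in CAPTURES]
```

Running `pair_consistent` over all three pairs returns True, and `field_per_connection()` shows the 2-byte field changes only in the second capture (FE00), which is the one byte that differs between the connections' first packets.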
12/15/2008 21:35 dmiden#7
Seems like the client encrypts the packet client-side too by some variable which I don't know yet. Game hackers needed!!!
12/15/2008 23:56 Newbb#8
HOWTO: tutorial needed^^
12/17/2008 17:38 dmiden#9
I'm sorry Newbb, I've got very limited skills in .exe hacking and crypto signatures, that's why I need someone else to help me on this.

Anyone?
12/18/2008 23:13 tux-penguin#10
It's an awesome idea but I really think it will be far too much work and unfortunately no rewards at the end.
The Chinese bot is having BIG problems at the moment and they haven't been able to fix it for a month. Making a new bot will be twice as hard, and the encryption will be super hard as it is different for everyone and every character, unless you can find how they encrypt and re-encrypt it and how it links to each individual char upon each login.
12/18/2008 23:30 temp0rary#11
Look for the encryption/decryption functions with a disassembler.
12/19/2008 02:07 dmiden#12
I will do that shortly.
12/19/2008 18:06 Marveh#13
It's been a long time since I did this, but it works something like this:

The server uses a fixed key that it sends in one of the first packets

The client generates its own random client key, that it encrypts with the server key and sends back

The respective key is used for client->server comms or server->client comms

Hint: the encryption used is a broken version of a popular patent free 256 bit cipher ;)
12/19/2008 21:10 dmiden#14
Yes, I know that the encryption is AES 256 :)
And your description seems to confirm my testing results.

Think you could help a little further by pointing out the key server/client uses to encrypt the packets?
12/19/2008 21:51 Marveh#15
Hehe, it's not AES, you have a PM :)

I'll see if I can find my proof of concept code again and clarify a few things, it's been a while.