Permission for Progression

08/31/2013 03:07 TheComputerist#1
I'll spare you the horrible story of my troubles with RE and understanding Conquer from IDA and OllyDbg.

I've looked into the play.exe of Conquer and the AutoPatch. I'm under the impression that the play.exe is just a debug check of a person's computer and compatibility issues. I've already managed to bypass the (what I hope is the only) level of update checking, hint: " blacknull".

Is there anything I should know from the play.exe or AutoPatch that might be critical to the performance of the Conquer client before I try to hit it next by finding WSA calls and send + recvs to actually (attempt to) get a Logging system going ?
08/31/2013 04:28 Lateralus#2
There's really no reason why you can't hook those calls now from what I know. The only check is the blacknull string passed from the autopatch file as a parameter check, which you've mentioned you've bypassed.
08/31/2013 04:57 TheComputerist#3
Thanks, I see your point when you mentioned hooking those calls. I've already located them (as in the single functions that utilize them for sending and receiving traffic).
I just needed some reassurance that if I were to hook them I wouldn't spend a couple of hours searching within the conglomerate crap ton of calls that those functions get through by reference (as in the hierarchy of code that leads to a call, whether it be send, sendto, or recvfrom) for some error that might have been caused by the AutoPatch not passing extra information to Conquer.exe (which I doubted, since it made little sense to me seeing that it was a process within itself and not a child window that might have had memory access to the AutoPatch).

Since I do not want to spam the forum with individual questions, I guess I'll ask here. I ended up reading an article about the encryption Conquer uses, which specified 2 keys for login/auth and then 2 new keys for actual in-game play (at least that's what I think I read it to be). Does that still stand to this date? (I'll take a guess and say yes, since I've noticed that all network-related logic ends up going down into one of 4 functions before being sent to the server. I'm not sure about recvfrom for now.)
08/31/2013 06:42 { Angelius }#4
Quote:
Originally Posted by TheComputerist View Post
I've already managed to bypass the (what I hope is the only) level of Update checking, hint: " blacknull".
Correct, but by blacknull'ing Conquer.exe you discarded 1 important step of the process of connecting to the server, which will result in your account getting banned.

When AutoPatch.exe is launched it sends the current client version in plain text to the server, and then the server verifies it and replies back with the string "READY" if the version matches; otherwise the reply is "UPDATE".

Conquer.exe does pretty much the same thing.
08/31/2013 07:03 TheComputerist#5
I see, well that could have ended tragically for me. Not that I was going to use this for a bot luckily, I'm just trying to make a private server for experience, but regardless. Time to hop on Wireshark. So it must be the server that keeps track via IP (going to check the packets to see)? And on a side note, what can you tell me encryption-wise? I know you won't give me the keys (obviously), but is it just a big system that uses switching encrypted headers to check what to do with the packet?

Does this seem right?

.?.a..p...t...E.
.,.A@....D......
s..`%C........P.
...]..5777

p...t..? .a....E.
.-.\@.o. [.&R.W...
.%8...n ~..!C.P
...... ..REA DY

I think that might be the packet you were telling me about.
I believe I found the function that does this whole thing. But sadly I found it in the AutoPatch not the Conquer.exe so I don't know of how much use it might be to me (_410C80)
09/02/2013 05:28 { Angelius }#6
Quote:
Originally Posted by TheComputerist View Post
Does this seem right?

.?.a..p...t...E.
.,.A@....D......
s..`%C........P.
...]..5777

p...t..? .a....E.
.-.\@.o. [.&R.W...
.%8...n ~..!C.P
...... ..REA DY

I think that might be the packet you were telling me about.
I believe I found the function that does this whole thing. But sadly I found it in the AutoPatch not the Conquer.exe so I don't know of how much use it might be to me (_410C80)
Yes, that's it... The one in conquer.exe doesn't really matter unless you are planning on going client-less.
If the purpose of this whole thing is to make a private server, then the AutoPatch.exe doesn't matter and blacknull'ing conquer.exe is OK as long as you block any outgoing connections from it (except for ports 5816/9959).

About the encryption, you should search the forum a bit and I am sure you will find all the information you need.
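The version check that posts #4 and #6 describe (client sends its version in plain text, server answers "READY" or "UPDATE"; the Wireshark dump above shows "5777" going out and "READY" coming back) is simulated below as an added example. This is not code from the thread or from the game; the exact framing of the real exchange is not given on the page, so it is assumed here to be a bare ASCII version string answered by a bare ASCII verdict, and the 5778 version number is taken from post #9. The mock server is the kind of stub a private-server setup would answer the patcher with, which is why the version it serves is a parameter.

```python
import socket
import threading

# Constructed values for this example. The thread shows "5777" on the wire and a
# client being told to update to 5778; the wire framing (bare ASCII, no length
# prefix) is an assumption, not something documented on the page.
EXPECTED_VERSION = "5778"
READY = b"READY"
UPDATE = b"UPDATE"


def handle_version_check(request: bytes, current_version: str = EXPECTED_VERSION) -> bytes:
    """Server-side decision: the client version arrives in plain text; answer
    READY when it matches the version this server serves, UPDATE otherwise.
    Anything that is not a plain digit string is also treated as UPDATE, so a
    garbled or empty request never gets waved through."""
    text = request.decode("ascii", errors="replace").strip("\x00\r\n ")
    if text.isdigit() and text == current_version:
        return READY
    return UPDATE


def run_mock_patch_server(host: str = "127.0.0.1", port: int = 0,
                          current_version: str = EXPECTED_VERSION):
    """Start a one-shot mock patch server on a background thread.
    Returns (bound_port, thread); port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            request = conn.recv(64)          # version string from the client
            conn.sendall(handle_version_check(request, current_version))
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return bound_port, t


def client_version_check(host: str, port: int, client_version: str) -> str:
    """Client side: send the version, read the verdict, return 'READY' or 'UPDATE'.
    Any other reply is an error rather than silently treated as READY."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(client_version.encode("ascii"))
        reply = s.recv(64)
    verdict = reply.decode("ascii", errors="replace").strip("\x00\r\n ")
    if verdict not in ("READY", "UPDATE"):
        raise ValueError(f"unexpected patch-server reply: {reply!r}")
    return verdict


def exchange(client_version: str, server_version: str = EXPECTED_VERSION) -> str:
    """Run one full client/server round trip on localhost and return the verdict."""
    port, t = run_mock_patch_server(current_version=server_version)
    verdict = client_version_check("127.0.0.1", port, client_version)
    t.join(timeout=5)
    return verdict


if __name__ == "__main__":
    print("5777 client vs 5778 server:", exchange("5777"))   # UPDATE
    print("5778 client vs 5778 server:", exchange("5778"))   # READY
    print("5777 client vs 5777 server:", exchange("5777", server_version="5777"))  # READY
```

Because the check is plain text with no authentication, whoever answers the patcher's connection decides the verdict; that is why a private server can simply answer READY, and why blocking the retail client's other outbound connections (post #6) matters more than the patcher itself.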
09/02/2013 13:00 phize#7
Quote:
Originally Posted by { Angelius } View Post
Correct, but by blacknull'ing Conquer.exe you discarded 1 important step of the process of connecting to the server, which will result in your account getting banned.

When AutoPatch.exe is launched it sends the current client version in plain text to the server, and then the server verifies it and replies back with the string "READY" if the version matches; otherwise the reply is "UPDATE".

Conquer.exe does pretty much the same thing.
I've been running the client with blacknull argument forever now without any issues.
09/02/2013 16:17 CptSky#8
Quote:
Originally Posted by { Angelius } View Post
Correct, but by blacknull'ing Conquer.exe you discarded 1 important step of the process of connecting to the server, which will result in your account getting banned.

When AutoPatch.exe is launched it sends the current client version in plain text to the server, and then the server verifies it and replies back with the string "READY" if the version matches; otherwise the reply is "UPDATE".

Conquer.exe does pretty much the same thing.
The AutoPatch server will deal with that. I don't think it communicates to the AccServer / MsgServer to say that the client is valid or not... It might have been added recently if it does.
09/03/2013 03:37 TheComputerist#9
I recently (today) blacknull'ed my 5777 client and the client asked me to update my CO2 client (to 5778). So I guess this is a verification that yes, the client does check again after AutoPatch checks the client version.
I blacknull'ed my client again and logged in with the recently updated client and I didn't get instantly banned. But guess what! After about 10 minutes the account I used to log in gets a 1 day ban for suspicion of using a bot. I'm not too sure what to make of this.

(Hope someone out there trying to make a bot finds this useful. As for me, I can't find the damn encryption function of the client.)
09/03/2013 09:55 { Angelius }#10
Quote:
Originally Posted by phize View Post
I've been running the client with blacknull argument forever now without any issues.
On realco, on the latest patch, by just blacknulling the exe? I don't think so.

Quote:
Originally Posted by CptSky View Post
The AutoPatch server will deal with that. I don't think it communicates to the AccServer / MsgServer to say that the client is valid or not... It might have been added recently if it does.
Trust me, it does. Now I am not sure when that shit was added, but it's there, and you can load the AutoPatch.exe/Conquer.exe into Olly and search/breakpoint on one of these strings: UPDATE/READY.

Quote:
Originally Posted by TheComputerist View Post
I recently (today) blacknull'ed my 5777 client and the client asked me to update my CO2 client (to 5778). So I guess this is a verification that yes, the client does check again after AutoPatch checks the client version.
I blacknull'ed my client again and logged in with the recently updated client and I didn't get instantly banned. But guess what! After about 10 minutes the account I used to log in gets a 1 day ban for suspicion of using a bot. I'm not too sure what to make of this.
The 10 minutes could extend to 30 minutes before the account is restricted and you don't have to be online for it to ban you.

Quote:
Originally Posted by TheComputerist View Post
As for me, I can't find the damn encryption function of the client.
There you have it Cast_Encrypt:

Conquer.exe|ASM
09/03/2013 13:19 TheComputerist#11
Quote:
Originally Posted by { Angelius } View Post
There you have it Cast_Encrypt:

Conquer.exe|ASM
Wow, thanks. Now I know where the update checking goes on. But since I'm insanely newbish at RE, I still don't know where to find that Cast_Encrypt you're talking about within the Conquer.exe. But it's alright. For now I'm just going to read the logic behind that Cast_Encrypt and keep looking for it, since I'll have an idea of what to look for.
09/03/2013 17:16 phize#12
Quote:
Originally Posted by { Angelius } View Post
On realco, on the latest patch, by just blacknulling the exe? I don't think so.
If by "blacknulling the exe" you mean starting the client with the " blacknull blacknull" argument, then yeah I'm not getting banned.