New Gameforge protection

07/13/2014 16:01 3t3r4n#1
Hi, what you know about the new protection? I checked a little and it seem to be afected by system time and it have 2 component :P

1 - metin2client.bin is launched with an argument that is: 13322+minute*2
2 - metin2launch.exe create a file "003254" before execute metin2client.bin and what file contain is changed after 2 minute (no matter what date or hour is)

The contain of that file for 16:00-16:02 is [Only registered and activated users can see links. Click Here To Register...]

So if you freeze the system time you can bypass the protection :P

EDIT: compiled + source in c++ (codeblocks -GNU GCC) + keyfiles
07/13/2014 16:20 KaMeR1337#2
Quote:
v47 = *(_DWORD *)"killhackbot";
v48 = *(_DWORD *)"hackbot";
v49 = *(_DWORD *)"bot";
v50 = 0;
*(_DWORD *)Buffer = 0;
_time64(&v46);
v14 = _localtime64(&v46);
_itoa(v14->tm_min, &v54, 10);
_itoa(v14->tm_min + 1, &v53, 10);
sprintf(v42, "%s%s%s", &v54, &v47, &v53);
v35 = 2 * v14->tm_min + 13322;
v15 = 0;
do
{
if ( !v42[v15] )
break;
++*(_DWORD *)Buffer;
++v15;
}
there it is but i dont understand it :P
07/13/2014 16:30 Mi4uric3#3
Don't try to understand what they are doing, simply bypass the check and you are good :)
07/13/2014 16:50 3t3r4n#4
KaMeR1337 can you give me all of that pseudocode? because something is missing there :P
v42 is a char array that contain in example for 17:49 this "49killhackbot50"
07/13/2014 17:24 Mi4uric3#5
Why do you try to understand what it does? Simply jump over the check function in the client..

What if they change the protection in the next update? Then your time working on understanding it was wasted
07/13/2014 17:28 3t3r4n#6
because i don't know how to modify the client :/ and it is easyer to me to do like this ;)
07/13/2014 17:44 KaMeR1337#7
Quote:
Originally Posted by Mi4uric3 View Post
Don't try to understand what they are doing, simply bypass the check and you are good :)
simple is saying bypass. not everyone know how :p

Quote:
Originally Posted by 3t3r4n View Post
KaMeR1337 can you give me all of that pseudocode? because something is missing there :P
v42 is a char array that contain in example for 17:49 this "49killhackbot50"

v42 return this "%s%s%s"
07/13/2014 17:57 3t3r4n#8
kamer look [Only registered and activated users can see links. Click Here To Register...]
v42 return what &v54, &v47, &v53 contain

what BYTE1 do?

v17=112;
v42[v16] ^= BYTE1(v17);