Hier hat BakaBug geschrieben das müsste euch endlich helfen ^.^
hoffe jetzt kommen auch paar antworten und nicht nur views <.< ;)
(karma?XP)
Yeah for all who want make something for Kal..
here is my release
Ahm yeah you can use it for hacking in nvm
PACKET STRUCKTUR
Some easy Kal-Packet: (Yeah I can't help you how to write a Sniffer)
Code:
0500161215
04001248
030047
So Yeah the first we see is .. the first 2 bytes is the size (means a word ..)
So the rest everytime changes .. can only mean crypted.. so packet structure is
Code:
type TKalPacket = packed record
size:word;
data:array of char;
end;
This is first step..
PACKET CRYPTING
So .. after sniffing a lot at login (easyer to sniff) we will see something like
a login packet :) .. becosue it's the login packet you know what you have entered .. so
(I used some nummbers they aren't correct .. but it works this way
??= I am to boring to count the bytes)
Code:
????04 B0 A1 C0 A1 B0 F1 AA 12 B0 A1 C0 A1 B0 F1 AA 12
B a k a B u g \0 B a k a B u g \0
(I entered acc:BakaBug pass:BakaBug)
Why we know there it must be BakaBug ?
When you look good you will see ..
Kal Crypt every letter .. 1 time ! means a crypte "a" at position 1...
looks like a crypte "a" at position 3..
Now wtf is this ? .. after a lot of trying .. first we know It's not working like
XOR mean haven't something like a key.. So it muss be something static
Which says A->! B->A C->& ... so ABC would be crypted to !A&
Yeah WTF a easy crypt .. and easy to crack..
so how to get this crypt-table ?
CRYPT TABLE
BTW. this way only works with a decompressed engine.exe
My first thought was some where in engine.exe must be a table ..
So .. starting hex-editor .. opening engine.exe
Entered in Login
Code:
Username: abcdefgh
Passwort: ijklmop
Sniff the Crypted oacket .. search this hex ... an WOOLLLLAAAA
And the first thing is .. WTF ? the table is uncrypted saved..
InixSoft makes hacking really easy.. ;)
..
So how to get the full Crypt-Table from the engine.exe (or mainsvr.exe works there too)
SO starting a disambler (I am using IDA) .. let disamble engine.exe ..
when everythings is loaded I scroll in the hex window .. to the offset where I found the abcde.. (crypted) click ... go to disambler window .. and WOLLLAAA
there is a area .. from START to END of the full CRYPT-Table ;)
So we copy this Area .. into our hexeditor and save it as CRYPT.dat (or how you want)
So how to laod this table ?.. We know each letter is crypted with a other key!
so 256 letters .. our file is .. 200*256 bytes big ( I am to boring to multiplizier it .. I already know there are 200 keys) so how many keys are here ?
Yeah FileSize / 256 ;)
How to load ? (in delphi)
Code:
type TCryptRow = packed record
Byte: array[0..255] of char;
end;
var
CryptTable: array[0..199] of TCryptRow;
..
..
fil.read(CryptTable,sizeof(CryptTable)); //finish ;)
Btw this is the encrypt ( i think ) for decrypt you need to genereat your own file.. mean when you know "A->!" you will know "!->A" easy to write -.-
DECRYPT PACKETS
Yeah we updating the source of out Sniffer (yeah write your own or you wont able to do this way)
We adding our CryptTable..
So what we know ?
* Kal is using Nullterminated strings
* the row of the crypt changes everytime (we know this after a lot of testing)
..Special the point Nullterminated strings *grins*
We are adding to the sniffer that he try's all rows to decrypt the last Byte
when it's decrypted \0 key found ..
So this way only works on chat packet ;) becouse there they use string..
So we chat a lot ingame .. and look at our log..
KEY: 12
KEY: 13
KEY: 14
KEY: 15
KEY: 16
KEY: 17
..
WTF yeah the row(key) increase every packet ;)
..
KEY: 60
KEY: 61
KEY: 62
KEY: 63
KEY: 0
So ahhhh after 63 (or was it 64) it starts at 0 ..
hehe good to know so after 1 time getting the key you can decrypt everything ;)
ADDITIONAL CRYPT AT INT SERVER
Yeah ~.~ when you have your decoder .. you sniff a lot of packes (chat is easyest)
And try to write this in chat:
Code:
a
aa
aaa
aaaa
aaaaa
aaaaaa
aaaaaaa
aaaaaaaa
aaaaaaaaaa
aaaaaaaaaaa
aaaaaaaaaaaa
Than you will see first..
New packet system have 4 bytes more .. why ? no idea.. (i never looked after it.. i can decryot them but dosn't help much ...)
We allso see .. .. that the decrypted stuff is wrong..
So we know our text is "aaaaaaaa..."
So we see all over 16 bytes (after sniffing) is a other crypt again (AES .. a lot of guys say this ..)
We also know Kal is yeah lol.. becouse first packet (at login, means welcome packet which is crypted with 0) they don't use the new crypt (but the old ..)
So we write a easy rotine..
CryptedStuff (but decryted with CryptTable) xor "aaaaaa...." = OUR XOR KEY
Wolllaaa.. after a lot of testing you will see
that you can crypt all <16 Bytes Packtes.. It's enought to write a KsBot (you wee some ingame ? some are suing my hack..)
MORE INFO ? Sorry can't help you ;)
GTX Texture files
Ahm yeah I opend it with my Hex editor and have seen
DTX (or was it DXT .. nvm)
DXT3
DXT1
DXT5
...
So a file which have the abilitiy to change the texture-format (A8R8G8B8 X8R8G8B8 ... )
The only file i knowed which work so .. was DDS
so i saved a dds .. looked my gtx .. and it was 1:1 the same..
(okay.. the header was crypted.. so after a little testing we see ..
the crypt key is 4 ..)
I decrypt the header part ...
Changed the first 3 bytes to DDS..
WOOLLLLAAAA
Can load GTX's -.-
KSM KalServerMap
Yeah .. I really got no clue what this file should be ..
so i written a easy programm to show a file as graphic..
means:(full source when someone want try out..)
Code:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ExtCtrls;
type
TForm1 = class(TForm)
Image1: TImage;
Button1: TButton;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
procedure TForm1.Button1Click(Sender: TObject);
var
x,y:integer;
myByte:dword;
fil:tmemorystream;
begin
image1.Picture.Bitmap.Width:=form1.Width;
image1.Picture.Bitmap.Height:=form1.Height+3000; //neue size
//soooooo bild malen
fil:=tmemorystream.Create;
fil.LoadFromFile('C:\Dokumente und Einstellungen\BakaBug\Desktop\MainS vr-Crack\Map\n_032_032.ksm');
fil.Position:=0; //an dne anfang..
repeat
for x:= 0 to image1.Width do
begin
//auslesen
fil.Read(myByte,4);
image1.Canvas.Pixels[x,y]:=myByte;
end;
y:=y+1;
until fil.Position>=fil.Size;
fil.Free;
end;
end.
Yeah when you resize the window and let redraw the picture..
*grins* ..Yeah after a lot of resizing you will start to see a structure
after you are near ~256 (width) .. you say WTF .. that is it ?
Yeah.. KSM are like a picture.. it's a 255x255 (or was it 256x256 ?) shoot of the coolision zones and castle war zones .. saveones etc.
after a little time you will have this script for loading:
Code:
type TArea= packed record
a,b:word;
end;
type TKSM=packed record
Pixel:array[0..255,0..255] of TArea;
end;
var
KSM:TKSM;
..
...
..
fil.read(KSM,sizeof(KSM)); //finish ;)
KCM Kal Cell Map ?
Yeah I found it out the same why like KSM ;)
With showing it as picture ^^ (I wont tell you everything)
But 1 tip: "Load it from end of the file.. to the begin of the file"
So it's easyer to laod .. I already know how the Header works..
but also KaME loads it from end to begin ;) becouse it's easyer
OPL Object Postion list
Yeah open it with Hex-Editor and learn reading ~.~
I can't tell you much .. lol such easy..
..
so thats all for the moment..
When you miss something write it here ;)
hoffe jetzt kommen auch paar antworten und nicht nur views <.< ;)
(karma?XP)
Yeah for all who want make something for Kal..
here is my release
Ahm yeah you can use it for hacking in nvm
PACKET STRUCKTUR
Some easy Kal-Packet: (Yeah I can't help you how to write a Sniffer)
Code:
0500161215
04001248
030047
So Yeah the first we see is .. the first 2 bytes is the size (means a word ..)
So the rest everytime changes .. can only mean crypted.. so packet structure is
Code:
type TKalPacket = packed record
size:word;
data:array of char;
end;
This is first step..
PACKET CRYPTING
So .. after sniffing a lot at login (easyer to sniff) we will see something like
a login packet :) .. becosue it's the login packet you know what you have entered .. so
(I used some nummbers they aren't correct .. but it works this way
??= I am to boring to count the bytes)
Code:
????04 B0 A1 C0 A1 B0 F1 AA 12 B0 A1 C0 A1 B0 F1 AA 12
B a k a B u g \0 B a k a B u g \0
(I entered acc:BakaBug pass:BakaBug)
Why we know there it must be BakaBug ?
When you look good you will see ..
Kal Crypt every letter .. 1 time ! means a crypte "a" at position 1...
looks like a crypte "a" at position 3..
Now wtf is this ? .. after a lot of trying .. first we know It's not working like
XOR mean haven't something like a key.. So it muss be something static
Which says A->! B->A C->& ... so ABC would be crypted to !A&
Yeah WTF a easy crypt .. and easy to crack..
so how to get this crypt-table ?
CRYPT TABLE
BTW. this way only works with a decompressed engine.exe
My first thought was some where in engine.exe must be a table ..
So .. starting hex-editor .. opening engine.exe
Entered in Login
Code:
Username: abcdefgh
Passwort: ijklmop
Sniff the Crypted oacket .. search this hex ... an WOOLLLLAAAA
And the first thing is .. WTF ? the table is uncrypted saved..
InixSoft makes hacking really easy.. ;)
..
So how to get the full Crypt-Table from the engine.exe (or mainsvr.exe works there too)
SO starting a disambler (I am using IDA) .. let disamble engine.exe ..
when everythings is loaded I scroll in the hex window .. to the offset where I found the abcde.. (crypted) click ... go to disambler window .. and WOLLLAAA
there is a area .. from START to END of the full CRYPT-Table ;)
So we copy this Area .. into our hexeditor and save it as CRYPT.dat (or how you want)
So how to laod this table ?.. We know each letter is crypted with a other key!
so 256 letters .. our file is .. 200*256 bytes big ( I am to boring to multiplizier it .. I already know there are 200 keys) so how many keys are here ?
Yeah FileSize / 256 ;)
How to load ? (in delphi)
Code:
type TCryptRow = packed record
Byte: array[0..255] of char;
end;
var
CryptTable: array[0..199] of TCryptRow;
..
..
fil.read(CryptTable,sizeof(CryptTable)); //finish ;)
Btw this is the encrypt ( i think ) for decrypt you need to genereat your own file.. mean when you know "A->!" you will know "!->A" easy to write -.-
DECRYPT PACKETS
Yeah we updating the source of out Sniffer (yeah write your own or you wont able to do this way)
We adding our CryptTable..
So what we know ?
* Kal is using Nullterminated strings
* the row of the crypt changes everytime (we know this after a lot of testing)
..Special the point Nullterminated strings *grins*
We are adding to the sniffer that he try's all rows to decrypt the last Byte
when it's decrypted \0 key found ..
So this way only works on chat packet ;) becouse there they use string..
So we chat a lot ingame .. and look at our log..
KEY: 12
KEY: 13
KEY: 14
KEY: 15
KEY: 16
KEY: 17
..
WTF yeah the row(key) increase every packet ;)
..
KEY: 60
KEY: 61
KEY: 62
KEY: 63
KEY: 0
So ahhhh after 63 (or was it 64) it starts at 0 ..
hehe good to know so after 1 time getting the key you can decrypt everything ;)
ADDITIONAL CRYPT AT INT SERVER
Yeah ~.~ when you have your decoder .. you sniff a lot of packes (chat is easyest)
And try to write this in chat:
Code:
a
aa
aaa
aaaa
aaaaa
aaaaaa
aaaaaaa
aaaaaaaa
aaaaaaaaaa
aaaaaaaaaaa
aaaaaaaaaaaa
Than you will see first..
New packet system have 4 bytes more .. why ? no idea.. (i never looked after it.. i can decryot them but dosn't help much ...)
We allso see .. .. that the decrypted stuff is wrong..
So we know our text is "aaaaaaaa..."
So we see all over 16 bytes (after sniffing) is a other crypt again (AES .. a lot of guys say this ..)
We also know Kal is yeah lol.. becouse first packet (at login, means welcome packet which is crypted with 0) they don't use the new crypt (but the old ..)
So we write a easy rotine..
CryptedStuff (but decryted with CryptTable) xor "aaaaaa...." = OUR XOR KEY
Wolllaaa.. after a lot of testing you will see
that you can crypt all <16 Bytes Packtes.. It's enought to write a KsBot (you wee some ingame ? some are suing my hack..)
MORE INFO ? Sorry can't help you ;)
GTX Texture files
Ahm yeah I opend it with my Hex editor and have seen
DTX (or was it DXT .. nvm)
DXT3
DXT1
DXT5
...
So a file which have the abilitiy to change the texture-format (A8R8G8B8 X8R8G8B8 ... )
The only file i knowed which work so .. was DDS
so i saved a dds .. looked my gtx .. and it was 1:1 the same..
(okay.. the header was crypted.. so after a little testing we see ..
the crypt key is 4 ..)
I decrypt the header part ...
Changed the first 3 bytes to DDS..
WOOLLLLAAAA
Can load GTX's -.-
KSM KalServerMap
Yeah .. I really got no clue what this file should be ..
so i written a easy programm to show a file as graphic..
means:(full source when someone want try out..)
Code:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ExtCtrls;
type
TForm1 = class(TForm)
Image1: TImage;
Button1: TButton;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
procedure TForm1.Button1Click(Sender: TObject);
var
x,y:integer;
myByte:dword;
fil:tmemorystream;
begin
image1.Picture.Bitmap.Width:=form1.Width;
image1.Picture.Bitmap.Height:=form1.Height+3000; //neue size
//soooooo bild malen
fil:=tmemorystream.Create;
fil.LoadFromFile('C:\Dokumente und Einstellungen\BakaBug\Desktop\MainS vr-Crack\Map\n_032_032.ksm');
fil.Position:=0; //an dne anfang..
repeat
for x:= 0 to image1.Width do
begin
//auslesen
fil.Read(myByte,4);
image1.Canvas.Pixels[x,y]:=myByte;
end;
y:=y+1;
until fil.Position>=fil.Size;
fil.Free;
end;
end.
Yeah when you resize the window and let redraw the picture..
*grins* ..Yeah after a lot of resizing you will start to see a structure
after you are near ~256 (width) .. you say WTF .. that is it ?
Yeah.. KSM are like a picture.. it's a 255x255 (or was it 256x256 ?) shoot of the coolision zones and castle war zones .. saveones etc.
after a little time you will have this script for loading:
Code:
type TArea= packed record
a,b:word;
end;
type TKSM=packed record
Pixel:array[0..255,0..255] of TArea;
end;
var
KSM:TKSM;
..
...
..
fil.read(KSM,sizeof(KSM)); //finish ;)
KCM Kal Cell Map ?
Yeah I found it out the same why like KSM ;)
With showing it as picture ^^ (I wont tell you everything)
But 1 tip: "Load it from end of the file.. to the begin of the file"
So it's easyer to laod .. I already know how the Header works..
but also KaME loads it from end to begin ;) becouse it's easyer
OPL Object Postion list
Yeah open it with Hex-Editor and learn reading ~.~
I can't tell you much .. lol such easy..
..
so thats all for the moment..
When you miss something write it here ;)