I'm not assuming that this info is 100% correct; if you have something to add or found something that I completely missed, don't hesitate to say so.
To study dekaron.exe in a disassembler you'll need to unpack it first (remove y0da+ASProtect). I'm not going into details on how to do that, there are even video tutorials for that already, and you can get the unpacked Expedition client exe here. In future minor game updates the offsets in code might change.
Typical communication between client and server at connection to map server (when you're at character selection screen, selected char/server channel and pressed "connect" button) looks like this.
In case someone forgot, this is the general packet structure in all Dekaron games:
Offset:
0 - Packet CRC (calculated/checked upon encryption/decryption)
4 - Number (starts from 0; synchronization, GG's CSA are not counted)
6 - Size (header+data => 16 bytes minimum)
8 - Timestamp (used to distinguish between requests/responses in some commands)
12 - Command (describes what action to take)
16 - Data (optional; varies in size and not all areas of it are always used)
The packets with command 4000010 and 4000011 are exclusive to Expedition and weren't in BMR version of the game.
Number 0x4000011 can be easily found in disassembled client code.
Number 0x4000010 can't be found directly because it is calculated in a big switch-like structure in a function that handles all login commands.
Here the packet with command = 4000011 and the CRC value as data is formed. The method of the CRC object at [this+4] (called at 51BCFA and 51BD14) retrieves the CRC value. But it's calculated somewhere else. Note that the value is retrieved from offset [this+10h].
Quote:
.text:0063BD50 Get_CRC proc near ; DATA XREF: .data:00A48AECo
.text:0063BD50 mov eax, [ecx+10h]
.text:0063BD53 retn
.text:0063BD53 Get_CRC endp
Note nullsub_1 at 51BD41 and the string "[CRCCHECK send %u " above it. There are a lot of such debug text messages in the client but their results usually aren't printed anywhere. I believe that instead of nullsub_1 (it contains only a "ret" instruction) there was originally a debug output function which was removed in the release build. I wonder if it's possible to patch it to send these strings to a console, for example; there would be a lot of useful information from the client itself. Well, that's a side note.
Let's look deeper at what happens when the client receives the 4000010 command.
pCRCObject is a variable that holds the address of the object (C++ class) that is used to store the CRC and its parameters & the addresses of the functions that manipulate it. If you load it in a debugger you can get the address of the list of that class's member functions (it lies at offset '0' of the memory address stored in the pCRCObject variable); in this case it's A48AE8. So the CRC object has 4 methods; sub_63C030 is probably the destructor but it's not interesting. Here the contents of the received packet are stored in memory via the Load_params method. There are 4 values, 2 words (P1, P2 - 16-bit integers) and 2 double words (P3, P4 - 32-bit integers), which are taken consecutively from the packet's data. I'm not sure what exactly Load_ListCSV (51C120) does, but it contains the strings "list.csv", "share\\" so I assume it loads the share\list.csv file from pack.d04.
So P1 (word) is stored at offset 4, P2 (word) -> 6, P3 (dword) -> 8, P4 -> 12 (those are offsets from the "this" pointer of the CRC object). At offset 16 (=10h) '-1' is stored; this is the initial value for the CRC, and it will be used later in the calculations.
And here goes the most interesting part - the CRC calculation itself.
This function is called for each file in list.csv (there are 85 files in total from the share/ folder and its subfolders, and while this folder contains many more files, I believe the listed files are the critical ones: you can affect the game client-side by changing them, so they are protected by the CRC). Files are loaded somewhere else; the call to the function at 0063BECF only copies the particular file's content to a newly allocated buffer. Then the CRC of that file is calculated in the function CalcFileCRC. All 4 parameters from packet 4000010 participate in the CRC calculation. After that, the total CRC value is updated, based on the result and the previous CRC value. At BAE660 lies a table of 1024 bytes; it's used both in the file and in the total CRC calculation. (Btw, the same table of values is used for encrypting/decrypting packets - obviously the game developers were too lazy to add a different one.) The fully reversed algorithm of the CRC calculation you can find in the attached archive (it's in the C language). The two strings "[CRC32] : %u " and "[CRC32] Total: %u " mean the calculated CRC value for a particular file from the list and the resulting CRC for all files.
I have no idea what these 4 parameters mean; they seem to be different each time the client connects to the map server even if the same server channel is selected. However, I found the following pattern:
P1 = 0 ~ 10h
P2 = 10h ~ 20h (usually > P1)
P3 = 000FXXXX
P4 = totally random
Obviously you need to calculate the CRC value each time based on valid files with the parameters given by the server, otherwise the server won't let you connect (it will be the famous "invalid client" error). Possible ways to bypass the CRC checks that come to my mind:
1. Do not modify files on disk, let the client calculate the correct CRC and then make changes directly in memory. Using GG killer + UCE/Rev for example, or write a new program that will be injected into the client process at startup and do all the work.
2. Modify the client code so it will load valid files for the CRC calculation only from another location, not from pak.d04. Files in pack.d04 can then be freely modified. (GG Killer will be required to run such an executable.)
3. Intercept packets 4000010, store the parameters from them, calculate the CRC based on valid files and then modify packet 4000011 with the correct CRC. WPE will NOT work here even if GG is bypassed; you need a specific packet sniffer/editor capable of decrypting packets.
Here's a little program with source code that will calculate correct CRC value with given parameters. Necessary client files including list.csv must be located in CRC\ subfolder.
For the first screenshot with packets:
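To make the header layout from the post concrete, here is an added example (my code, not the attached archive or anything from the game client) that parses the 16-byte header, validates the Size field before trusting it, and runs a table-driven CRC over the packet body with the chained "-1 initial value" update the post describes. The table contents and the exact bytes the real client covers with the CRC field are not on the page, so this uses the textbook CRC-32 table (256 dword entries, which is exactly 1024 bytes) and assumes the CRC covers everything from offset 4 to Size; both are assumptions, and the sample packet is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Header layout as described in the thread (little-endian, 16 bytes):
 *   0  CRC        dword    4  Number   word    6  Size  word
 *   8  Timestamp  dword   12  Command  dword  16  Data  (optional) */
#define HDR_SIZE 16

typedef struct {
    uint32_t crc, timestamp, command;
    uint16_t number, size;
    const uint8_t *data;   /* points into the caller's buffer, not a copy */
    size_t data_len;
} packet_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* 256 dword entries = a 1024-byte table like the one the post mentions at BAE660.
 * ASSUMPTION: the game's table contents are not on the page; this is the textbook
 * CRC-32 table (reflected polynomial 0xEDB88320), generated on first use. */
static uint32_t crc_table[256];
static int table_ready = 0;

static void init_table(void) {
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++) c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    table_ready = 1;
}

/* Chained update: the previous result is fed back in, starting from -1 (0xFFFFFFFF). */
uint32_t crc32_update(uint32_t crc, const uint8_t *buf, size_t len) {
    if (!table_ready) init_table();
    for (size_t i = 0; i < len; i++) crc = crc_table[(crc ^ buf[i]) & 0xFF] ^ (crc >> 8);
    return crc;
}
uint32_t crc32_final(uint32_t crc) { return crc ^ 0xFFFFFFFFu; }

/* 0 on success; -1 if the buffer is shorter than a header or Size is inconsistent with it. */
int parse_packet(const uint8_t *buf, size_t len, packet_t *out) {
    if (len < HDR_SIZE) return -1;
    out->crc = rd32(buf);            out->number = rd16(buf + 4);
    out->size = rd16(buf + 6);       out->timestamp = rd32(buf + 8);
    out->command = rd32(buf + 12);
    if (out->size < HDR_SIZE || out->size > len) return -1;   /* never trust Size blindly */
    out->data = buf + HDR_SIZE;
    out->data_len = out->size - HDR_SIZE;
    return 0;
}

/* Serialises a packet: writes the fields, then the CRC over bytes 4..Size into the first field.
 * ASSUMPTION: the real client's CRC coverage is not stated on the page. */
size_t build_packet(uint8_t *buf, uint16_t number, uint32_t timestamp, uint32_t command,
                    const uint8_t *data, size_t data_len) {
    uint16_t size = (uint16_t)(HDR_SIZE + data_len);
    wr16(buf + 4, number);    wr16(buf + 6, size);
    wr32(buf + 8, timestamp); wr32(buf + 12, command);
    for (size_t i = 0; i < data_len; i++) buf[HDR_SIZE + i] = data[i];
    wr32(buf, crc32_final(crc32_update(0xFFFFFFFFu, buf + 4, size - 4)));
    return size;
}

/* 1 if the header CRC matches a recomputation over the rest of the packet, else 0. */
int packet_crc_ok(const uint8_t *buf, size_t len) {
    packet_t p;
    if (parse_packet(buf, len, &p) != 0) return 0;
    return crc32_final(crc32_update(0xFFFFFFFFu, buf + 4, p.size - 4)) == p.crc;
}

int main(void) {
    /* Constructed sample: a 4000011-style packet whose 4-byte payload is a made-up CRC value. */
    uint8_t buf[32], payload[4] = {0x78, 0x56, 0x34, 0x12};
    size_t n = build_packet(buf, 0, 0, 0x4000011u, payload, 4);
    packet_t p;
    if (parse_packet(buf, n, &p) == 0)
        printf("cmd=%07X size=%u data=%08X crc_ok=%d\n", p.command, p.size, rd32(p.data), packet_crc_ok(buf, n));
    buf[HDR_SIZE] ^= 0xFF;   /* corrupt one payload byte: the check must now fail */
    printf("after tamper crc_ok=%d\n", packet_crc_ok(buf, n));
    return 0;
}
```

The Size check in parse_packet is the part worth copying into any real dissector: a sniffer that believes a Size larger than the captured buffer will read past it. Note also why a CRC is a poor integrity check for a client: it is linear, the table is public, and the post itself shows the server must hand the client the four parameters that vary it, so anyone who can run the same table-driven loop can reproduce the value.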
It would be great if you shared a bit of your research with us, or PM me, since I've been looking at the .exe using Olly and figuring out what you have done, and hopefully create a CRC bypasser.
Yah, good work Nebular. It would be very useful if you posted the info here since me and many other friends are trying to get a hang of how the CRC checks the files etc. Great work indeed.
yea would be nice to see your findings
I can bypass a lot of the CRC
but would like to know a little more about the CRC check on the d04 pack
because from what I've seen it's a bit random for certain parts
well..... all i can say is hex editing just turned into the easiest thing in the world versus that info u gave. I dont think i could even begin to comprehend any of that. Dont get me wrong, i would love to know what all of it meant but, i dnt even know where to start.... All i can say is that u are a genius for what u have found out so far! U have my confidence that ull get it all figured out!! Good Luck, id help ya but.... like i said no clue lol
Btw, is what was shown in all that info the data that is sent back and forth between the server and our pc?
------------------------------------------------------------------------
but it contains strings "list.csv","share\\" so i assume it loads share\list.csv file from pack.d04
------------------------------------------------------------------------
if you could convince the client to load from c:\xx\list.csv
and list.csv was something like this:
xx\info.csv
xx\pattern\aldebaran.csv
xx\pattern\call.csv
xx\pattern\event.csv
xx\pattern\grupain.csv
xx\pattern\negative_attack.csv
xx\pattern\negativecall_attack.csv
xx\pattern\positive_attack_noex.csv
xx\pattern\positivecall_attack.csv
xx\pattern\range_attack.csv
(all those files should be the originals from the unpacked pack.d04)
Well, you get the idea: the client would do the CRC check with the "real" files, which will always turn out OK, but you would load your modified pack.d04.
I tried to do that, but my technical knowledge, while advanced, was not enough.