a few old files i had laying around

Old   #16
 
elite*gold: 0
Join Date: Aug 2012
Posts: 312
Received Thanks: 252
I got some time this morning... So I have unpacked

Others are packed by a home-made packer which looks like Themida/UPolyX, it's strange ^^

gr4ph0s is offline  
Old   #17
 
elite*gold: 0
Join Date: Apr 2011
Posts: 273
Received Thanks: 69
For me, how I've bypassed GG ("semi bypass", not a bypass of the program itself :\ ) ...

I used an internet logging program to catch all GG data received from the GG server and the GG Rappelz host.

Then I traced the paths of the data and made the files on my local host.

Then, finally, I edited the hosts file and configured my router to redirect all data sent to the 2 servers to my local host ....

And boom ... GG bypassed ...

Folders are:
npggerr
RealServer
Files:
update.cfg
service.do

Use an internet logging program or something to catch them for the US client, because I took them from the Arabian one :\


TheSuperKiller is offline  
Old   #18
 
elite*gold: 0
Join Date: Mar 2009
Posts: 236
Received Thanks: 129
Well I did the same as you did, but then I was doing some crappy stuff and came here:

Apparently GameGuard uses MAC addressing, I didn't know that O.o

Also the page before I found it said the following:

Quote:
The controls were not installed.
The authentication component is not installed.
Please click here and install it manually.

Also interesting:

Quote:

- Edit:

Taking a closer look I found (this) perhaps useful, but not for me, I don't know how to work with it:

Quote:
Getting the MAC address

When an authentication window appears asking whether to install the "authentication handler", press "Yes" to see the demo.
To remove it afterwards, delete "MAC address authentication control" from C:\WINNT\Downloaded Program Files.
Here is the source.

<SCRIPT LANGUAGE="JavaScript">
<!--
// Check whether the MAC address authentication control (the ActiveX object "auth") is installed
function installed()
{
    if (typeof(document.all("auth")) != "undefined" && document.all("auth").object != null)
        return true;
    else
        return false;
}
//-->
</SCRIPT>

<!-- IE event handler: raised by the control when the lookup fails (message prefix: "Error occurred:") -->
<SCRIPT language=JavaScript for=auth event=OnError(ErrMsg)>
    alert("에러 발생:" + ErrMsg);
</SCRIPT>

<!-- The ActiveX control itself; the inner text is shown only while it is not installed -->
<OBJECT id="auth" classid="clsid:7C159314-7E2C-4E6E-B580-5DF25610F581" codebase="./AuthByMAC.cab#Version=1,1,9,0">
<PARAM name=copyright value="hided value.">
<div style="position:absolute;top:276;left:320;width:300;height:68;border:solid 1 #99B3A0;background:#D8D7C4;overflow:hidden;z-index:1;visibility:visible;">
<FONT style='font-family: "굴림", "Verdana"; font-size: 9pt; font-style: normal;'>
<BR> 인증 컴포넌트가 설치되지 않았습니다.
<BR> <a href="./AuthByMAC.EXE"><font color=red>이곳</font></a>을 클릭하여 수동으로 설치하시기 바랍니다. </FONT>
</div>
</OBJECT>

<SCRIPT LANGUAGE="JavaScript">
<!--
// installed() must be called; the bare function reference is always truthy
if (installed())
{
    alert("맥어드레스:\n" + auth.MAC);            // "MAC address:"
    alert("컴퓨터 이름:\n" + auth.ComputerName);  // "Computer name:"
    alert("작업그룹:\n" + auth.WorkGroup);        // "Workgroup:"
}
else
    alert("맥어드레스 인증 컨트롤이 설치 되지 않았습니다."); // "MAC address authentication control is not installed."
//-->
</SCRIPT>

The control was not installed.

It looks like GameGuard responds to:

alert("맥어드레스:\n" + auth.MAC);
alert("컴퓨터 이름:\n" + auth.ComputerName);
alert("작업그룹:\n" + auth.WorkGroup);

or does something with it..
misterd is offline  
Old   #19


 
elite*gold: 30
Join Date: May 2011
Posts: 4,795
Received Thanks: 3,179
Quote:
Originally Posted by misterd
It looks like GameGuard responds to:

alert("맥어드레스:\n" + auth.MAC);
alert("컴퓨터 이름:\n" + auth.ComputerName);
alert("작업그룹:\n" + auth.WorkGroup);

or does something with it..
alert in JavaScript is the function name for the MessageBox().


Xijezu is offline  
Old   #20
 
elite*gold: 0
Join Date: Mar 2009
Posts: 236
Received Thanks: 129
It's weird GameGuard makes an alert posting your MAC, computer name (motherboard?), workgroup/user ^^
misterd is offline  
Old   #21
 
elite*gold: 0
Join Date: Apr 2012
Posts: 448
Received Thanks: 768
A MAC address is unique (or should be unique), so GameGuard may use that to associate a client with a fixed network address (instead of using a game-related ID or something else like that).
glandu2 is offline  
Old   #22
 
elite*gold: 0
Join Date: Mar 2009
Posts: 236
Received Thanks: 129
A MAC address is unique indeed, I wish Rappelz would ban spammers on MAC address range...

lol

#-> Taking a look @ Dekaron's GameGuard and MU Online, they look similar, but simpler.
Think we can make a connection to make it work for Rappelz?

Quote:
Originally Posted by wisp66
Code:
+ GameGuard.exe 	--> nProtect GameGuard Launcher
+ GameMon.exe		--> nProtect Game Monitor
+ ggerror.exe		--> nProtect GameGuard Error Report
+ ggscan.dll		--> nProtect Scan Module
+ npgg9x.dll		--> nProtect GameGuard Module
+ npggNT.dll		--> nProtect GameGuard Module
+ npsc.dll		--> nProtect SpeedCheck Module
+ npscan.dll		--> nProtect GameGuard Scan Engine
Forgot where I got this stuff but it contains unpacked GameGuard modules
for rev 1512
Which btw the ini is encrypted with RSA. You can decrypt the files using a public key, but to encrypt them again you'll need a private key that only INCA Internet Co., Ltd has, or so I've been reading and verifying.

I was debugging some stuff, suddenly I found this in an interesting file.
(it shows where modules are loaded / which) ^^

Quote:
Version = 1
EventType = APPCRASH
Event Time = 130122280349099800
Report Type = 2
Consent = 1
Upload Time = 130122280349599801
ReportIdentifier = 8737fcb9-b579-11e2-877c-bc5ff4440fbf
IntegratorReportIdentifier = 8737fcb8-b579-11e2-877c-bc5ff4440fbf
WOW64 = 1
Response.BucketId = 3439469075
Response.BucketTable = 1
Response.type = 4
Sig [0]. Name = Application Name
Sig [0]. Value = GameGuard.des
Sig [1]. Name = Application version
Sig [1]. Value = 2013.1.25.1
Sig. [2] Name = Application Timestamp
Sig [2]. Value = 51020bcf
Sig [3]. Name = Fault Module Name
Sig [3]. Value = kernel32.dll
Sig. [4] Name = Fault Module Version
Sig [4]. Value = 6.1.7601.18015
Sig. [5] Name = Fault Module Timestamp
Sig [5]. Value = 50b83c89
Sig. [6] Name = Exception Code
Sig [6]. Value = c0000005
Sig. [7] Name = Exception Offset
Sig [7]. Value = 0001139d
DynamicSig [1]. Name = OS Version
DynamicSig [1]. Value = 6.1.7601.2.1.0.256.1
DynamicSig. [2] Name = Locale ID
DynamicSig [2]. Value = 1043
DynamicSig. [22] Name = Additional Information 1
DynamicSig [22]. Value = 262b
DynamicSig. [23] Name = Additional Information 2
DynamicSig [23]. Value = 262b10fd5f1941172858f1104bcce4d6
DynamicSig [24]. Name = Additional Information 3
DynamicSig [24]. Value = 21f6
DynamicSig. [25] Name = Additional Information 4
DynamicSig [25]. Value = 21f67bdb5395427cc774093596d18623
UI [2] = C: \ Special Games \ Rappelz \ Rappelz \ GameGuard.des
UI [3] = nProtect GameGuard Launcher Rev. 262 no longer works
UI [4] = You can search online for a solution to the problem.
UI [5] = Online to find a solution and close the program
UI [6] = Later online for a solution and close the program
UI [7] = Close the program
Loaded Module [0] = C: \ Special Games \ Rappelz \ Rappelz \ GameGuard.des
Loaded Module [1] = C: \ Windows \ SysWOW64 \ ntdll.dll
Loaded Module [2] = C: \ Windows \ syswow64 \ kernel32.dll
Loaded Module [3] = C: \ Windows \ syswow64 \ KERNELBASE.dll
Loaded Module [4] = C: \ Windows \ SysWOW64 \ advapi32.dll
Loaded Module [5] = C: \ Windows \ SysWOW64 \ msvcrt.dll
Loaded Module [6] = C: \ Windows \ SysWOW64 \ sechost.dll
Loaded Module [7] = C: \ Windows \ SysWOW64 \ Rpcrt4.dll
Loaded Module [8] = C: \ Windows \ SysWOW64 \ SspiCli.dll
Loaded Module [9] = C: \ Windows \ SysWOW64 \ CRYPTBASE.dll

Loaded Module [11] = C: \ Windows \ SysWOW64 \ gdi32.dll
Loaded Module [12] = C: \ Windows \ syswow64 \ USER32.dll
Loaded Module [13] = C: \ Windows \ SysWOW64 \ LPK.dll
Loaded Module [14] = C: \ Windows \ SysWOW64 \ USP10.dll
Loaded Module [15] = C: \ Windows \ SysWOW64 \ oleaut32.dll
Loaded Module [16] = C: \ Windows \ SysWOW64 \ ole32.dll
Loaded Module [17] = C: \ Windows \ system32 \ VERSION.dll
Loaded Module [18] = C: \ Windows \ SysWOW64 \ wininet.dll
Loaded Module [19] = C: \ Windows \ SysWOW64 \ api-ms-win-downlevel user32-l1-1-0.dll
Loaded Module [20] = C: \ Windows \ SysWOW64 \ api-ms-win-downlevel Advapi32-l1-1-0.dll
Loaded Module [21] = C: \ Windows \ SysWOW64 \ api-ms-win-downlevel shlwapi-l1-1-0.dll
Loaded Module [22] = C: \ Windows \ SysWOW64 \ SHLWAPI.DLL
Loaded Module [23] = C: \ Windows \ SysWOW64 \ api-ms-win-down-level version-l1-1-0.dll
Loaded Module [24] = C: \ Windows \ SysWOW64 \ api-ms-win-downlevel normaliz-l1-1-0.dll
Loaded Module [25] = C: \ Windows \ SysWOW64 \ normaliz.dll
Loaded Module [26] = C: \ Windows \ SysWOW64 \ iertutil.dll
Loaded Module [27] = C: \ Windows \ system32 \ apphelp.dll
Loaded Module [28] = C: \ Windows \ AppPatch \ AcLayers.dll
Loaded Module [29] = C: \ Windows \ SysWOW64 \ shell32.dll
Loaded Module [30] = C: \ Windows \ system32 \ Userenv.dll
Loaded Module [31] = C: \ Windows \ system32 \ profapi.dll
Loaded Module [32] = C: \ Windows \ system32 \ Winspool.drv
Loaded Module [33] = C: \ Windows \ system32 \ Mpr.dll
Loaded Module [34] = C: \ Windows \ system32 \ IMM32.DLL
Loaded Module [35] = C: \ Windows \ SysWOW64 \ Msctf.dll
Loaded Module [36] = C: \ Windows \ system32 \ CRYPTSP.dll
Loaded Module [37] = C: \ Windows \ system32 \ rsaenh.dll
Loaded Module [38] = C: \ Windows \ system32 \ Secur32.dll
Loaded Module [39] = C: \ Windows \ system32 \ api-ms-win-downlevel Advapi32-l2-1-0.dll
Loaded Module [40] = C: \ Windows \ SysWOW64 \ api-ms-win-downlevel ole32-l1-1-0.dll

Loaded Module [42] = C: \ Windows \ SysWOW64 \ WS2_32.dll
Loaded Module [43] = C: \ Windows \ SysWOW64 \ NSI.dll
Loaded Module [44] = C: \ Windows \ system32 \ iphlpapi.dll
Loaded Module [45] = C: \ Windows \ system32 \ WINNSI.DLL
Loaded Module [46] = C: \ Windows \ system32 \ dhcpcsvc.dll
Loaded Module [47] = C: \ Windows \ system32 \ mswsock.dll
Loaded Module [48] = C: \ Windows \ System32 \ wship6.dll
Loaded Module [49] = C: \ Windows \ system32 \ netapi32.dll
Loaded Module [50] = C: \ Windows \ system32 \ netutils.dll
Loaded Module [51] = C: \ Windows \ system32 \ srvcli.dll
Loaded Module [52] = C: \ Windows \ system32 \ wkscli.dll
Loaded Module [53] = C: \ Windows \ system32 \ cscapi.dll
Loaded Module [54] = C: \ Windows \ SysWOW64 \ urlmon.dll
Loaded Module [55] = C: \ Windows \ system32 \ api-ms-win-downlevel shlwapi-l2-1-0.dll
Loaded Module [56] = C: \ Windows \ system32 \ Dnsapi.dll
Loaded Module [57] = C: \ Windows \ SysWOW64 \ clbcatq.dll
Loaded Module [58] = C: \ Windows \ system32 \ dhcpcsvc6.DLL
Loaded Module [59] = C: \ Windows \ System32 \ Wshtcpip.dll
Loaded Module [60] = C: \ Windows \ System32 \ netprofm.dll
Loaded Module [61] = C: \ Windows \ System32 \ nlaapi.dll
Loaded Module [62] = C: \ Windows \ system32 \ rasadhlp.dll
Loaded Module [63] = C: \ Windows \ system32 \ RpcRtRemote.dll
Loaded Module [64] = C: \ Windows \ System32 \ Fwpuclnt.dll
Loaded Module [65] = C: \ Windows \ System32 \ npmproxy.dll
Loaded Module [66] = C: \ Windows \ system32 \ msiltcfg.dll
Loaded Module [67] = C: \ Windows \ system32 \ msi.dll
Loaded Module [68] = C: \ Windows \ system32 \ uxtheme.dll
Loaded Module [69] = C: \ Windows \ system32 \ dwmapi.dll
Loaded Module [70] = C: \ Program Files \ Common Files \ INCA Shared \ Online Engine \ TeCtrl.dll
Loaded Module [71] = C: \ Windows \ SysWOW64 \ Imagehlp.dll
Loaded Module [72] = C: \ Windows \ SysWOW64 \ Wintrust.dll
Loaded Module [73] = C: \ Windows \ SysWOW64 \ Crypt32.dll
Loaded Module [74] = C: \ Windows \ SysWOW64 \ MSASN1.dll
Loaded Module [75] = C: \ Program Files \ Common Files \ INCA Shared \ Online Engine \ tyav32.dll
Loaded Module [76] = C: \ Windows \ SysWOW64 \ PSAPI.DLL
Loaded Module [77] = C: \ Windows \ system32 \ sfc.dll
Loaded Module [78] = C: \ Windows \ system32 \ sfc_os.dll
State [0]. Key = Transport.DoneStage1
State [0]. Value = 1
Friendly Event Name = Does not
ConsentKey = Appcrash
AppName = nProtect GameGuard Launcher Rev 262
AppPath = C: \ Special Games \ Rappelz \ Rappelz \ GameGuard.des

Uploaded the content of: C:\Program Files\Common Files\INCA Shared\Online Engine\

/facepalm didn't even know I had a folder installed there, guess GameGuard does that on its own.

Download the folder here:
misterd is offline  
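As an added example (not code from the thread), a small Go triage helper for a report like the one quoted above: it joins the numbered Sig name/value pairs by index, undoes the machine-translated path spacing, and lists the modules loaded from outside the Windows directory, which is how the two INCA Shared modules stand out. The excerpt in sampleReport is taken from the quoted report; the field names Summarize looks up are the ones the report uses.

```go
package main

import "strings"

// CrashSummary is what a first triage pass pulls out of a Windows Error Reporting text report.
type CrashSummary struct {
	App, ExceptionCode, FaultModule string
	NonSystemModules                []string // loaded from outside the Windows directory
}
// normalizePath undoes the "C: \ Windows \ ..." spacing the machine-translated report carries.
func normalizePath(p string) string {
	return strings.ReplaceAll(strings.TrimSpace(p), " \\ ", "\\")
}
// Summarize parses "Key = Value" lines. Sig[n].Name / Sig[n].Value pairs are joined by
// index after stripping spaces and dots, so "Sig. [2] Name" and "Sig [2]. Name" match.
func Summarize(report string) CrashSummary {
	var s CrashSummary
	names, values := map[string]string{}, map[string]string{}
	for _, line := range strings.Split(report, "\n") {
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		key, val = strings.NewReplacer(" ", "", ".", "").Replace(key), strings.TrimSpace(val)
		switch {
		case strings.HasPrefix(key, "LoadedModule["):
			if p := normalizePath(val); !strings.HasPrefix(strings.ToLower(p), `c:\windows\`) {
				s.NonSystemModules = append(s.NonSystemModules, p)
			}
		case strings.HasPrefix(key, "Sig[") && strings.HasSuffix(key, "]Name"):
			names[strings.TrimSuffix(key, "Name")] = val
		case strings.HasPrefix(key, "Sig[") && strings.HasSuffix(key, "]Value"):
			values[strings.TrimSuffix(key, "Value")] = val
		}
	}
	byName := map[string]string{}
	for idx, n := range names {
		byName[n] = values[idx]
	}
	s.App, s.ExceptionCode, s.FaultModule = byName["Application Name"], byName["Exception Code"], byName["Fault Module Name"]
	return s
}

// Excerpt of the report quoted above; enough lines to exercise every branch.
const sampleReport = `Sig [0]. Name = Application Name
Sig [0]. Value = GameGuard.des
Sig [3]. Name = Fault Module Name
Sig [3]. Value = kernel32.dll
Sig. [6] Name = Exception Code
Sig [6]. Value = c0000005
Loaded Module [0] = C: \ Special Games \ Rappelz \ Rappelz \ GameGuard.des
Loaded Module [1] = C: \ Windows \ SysWOW64 \ ntdll.dll
Loaded Module [70] = C: \ Program Files \ Common Files \ INCA Shared \ Online Engine \ TeCtrl.dll
Loaded Module [75] = C: \ Program Files \ Common Files \ INCA Shared \ Online Engine \ tyav32.dll`
```

On the full report this lists GameGuard.des itself plus TeCtrl.dll and tyav32.dll; everything else in the quoted module list lives under C:\Windows.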
Old   #23
 
elite*gold: 0
Join Date: Nov 2010
Posts: 16
Received Thanks: 0
Quote:
Originally Posted by TheSuperKiller
For me, how I've bypassed GG ("semi bypass", not a bypass of the program itself :\ ) ...

I used an internet logging program to catch all GG data received from the GG server and the GG Rappelz host.

Then I traced the paths of the data and made the files on my local host.

Then, finally, I edited the hosts file and configured my router to redirect all data sent to the 2 servers to my local host ....

And boom ... GG bypassed ...

Folders are:
npggerr
RealServer
Files:
update.cfg
service.do

Use an internet logging program or something to catch them for the US client, because I took them from the Arabian one :\
Just wondering what internet logging program you used. Gonna attempt to do your thing on the US live version to bypass GG and maybe load multiple clients.
csharpLove is offline  
Old   #24
 
elite*gold: 0
Join Date: Apr 2012
Posts: 448
Received Thanks: 768
To continue on GameGuard, I found that:

The last post contains the PDF that was on mediafire.

This PDF talks about GameGuard heartbeat management on the client side, how the client sends a reply to the server.

Actually, Rappelz is using this method, that is a GameGuard packet of 16 encrypted bytes (should also be Blowfish) using packet id 55, and the client replies with a packet id 56 with 16 bytes of encrypted data.

The server request is sent when connecting to the gameserver, and then randomly over time.

So to bypass GameGuard on the client side, it's not so easy ... but not infeasible.
The key element is gamemon.des, but it is packed (with Themida?); it contains the algorithm that decrypts the 16 bytes, generates a 16-byte response and encrypts it, then sends it to the client through a pipe.

And about the client's new way of encrypting the password, it uses RSA to encrypt a 128-bit key + 128-bit IV used to encrypt the password using AES (no salt, default padding).
glandu2 is offline  
Old   #25
 
elite*gold: 0
Join Date: Aug 2012
Posts: 312
Received Thanks: 252
Did you find the key for the new auth encryption?

Moreover, thanks for this information, I will try to unpack gamemon.des.
gr4ph0s is offline  
Old   #26
 
elite*gold: 0
Join Date: Apr 2012
Posts: 448
Received Thanks: 768
The key for the new auth encryption is transferred from the server to the client using RSA: the client generates a private & public key, then sends the public one to the server. The server generates an AES key + IV and encrypts them using the public key from the client, then sends it to the client. The client decrypts the key & IV using its private key, and encrypts the password using AES. And the server decrypts it using the same key & IV.

RSA is asymmetric and AES symmetric; that's not a feature from Rappelz, but used in many environments (and Rappelz uses OpenSSL to decrypt & encrypt data, they didn't implement their own algorithm).

For Blowfish I don't know, but gamemon.des should tell us what the key is. I was wondering about the ggauthXX.dll, if the one we had with 7.4 and older servers was the currently used dll ... At least, they seem to use 32 different indexes, so using the method described in the PDF, we have to get 32 different indexes from the server, that is at least 32 hours, to understand them all (and fully bypass GameGuard).

[edit] About the ini files, the program posted here in C++: is fully working on official servers (despite the post date, 2004 ...)

The URL is censored, but Google has this page referenced.
glandu2 is offline  
Old   #27
 
elite*gold: 0
Join Date: Aug 2012
Posts: 312
Received Thanks: 252
If I understand correctly, each time the client (sframe) is running, the client generates a random private + public key and sends it to the server?

Client to/from Auth = OpenSSL (So except by injecting into sframe to know the packet before the SSL encryption, it will be hard to decrypt them, isn't it?)
gr4ph0s is offline  
Old   #28
 
elite*gold: 0
Join Date: Apr 2012
Posts: 448
Received Thanks: 768
It's just the password string that is encrypted using RSA + AES with the OpenSSL library. The packet encryption has not changed.

And indeed, every login, the client generates public + private keys for the RSA algo and the server creates a key + IV for the AES algo.

About GameGuard, I discovered how strings are encrypted in it (even unpacked, GameGuard has encrypted strings so you can find any "gamemon.des" or anything else like that in sframe.exe; the GameGuard part of Rappelz decrypts the string, and every time a new string is decrypted, the last decrypted string is re-encrypted, so at any time there is at most 1 decrypted string). GameGuard devs are really paranoid ...

Here is the function that can decrypt these strings:

Thanks Rappelz Philippines
If we could have the .pdb of current sframes, that would be perfect xD


glandu2 is offline  
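As an added example (not code from the thread, the game or OpenSSL), here is the password exchange described in posts #24, #26 and #28 played through in Go: the client makes a fresh RSA pair per login, the server wraps a random AES-128 key and IV with the client's public key, and the password travels AES-CBC encrypted with PKCS#7 padding. The 2048-bit key size and PKCS#1 v1.5 wrapping are assumptions; the thread only says "RSA" and "default padding".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
)

// Client: unwrap key+IV with the private key, then AES-128-CBC the password (no salt; PKCS#7 = OpenSSL default padding).
func clientEncryptPassword(priv *rsa.PrivateKey, wrapped []byte, password string) ([]byte, error) {
	keyIV, err := rsa.DecryptPKCS1v15(rand.Reader, priv, wrapped)
	if err != nil || len(keyIV) != 32 {
		return nil, errors.New("cannot unwrap AES key and IV")
	}
	block, _ := aes.NewCipher(keyIV[:16])             // a 16-byte key never fails
	n := aes.BlockSize - len(password)%aes.BlockSize // pad with n bytes of value n (1..16)
	ct := append([]byte(password), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, keyIV[16:]).CryptBlocks(ct, ct) // encrypt in place
	return ct, nil
}
// Server: the same key and IV recover the password; the padding tail is verified, not trusted, before it is stripped.
func serverDecryptPassword(keyIV, ct []byte) (string, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of blocks")
	}
	block, _ := aes.NewCipher(keyIV[:16])
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, keyIV[16:]).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || bytes.Count(pt[len(pt)-n:], []byte{byte(n)}) != n {
		return "", errors.New("bad PKCS#7 padding")
	}
	return string(pt[:len(pt)-n]), nil
}

// RunLogin plays both sides of one login. Nothing binds the client's public key to an identity, so the scheme protects the password from passive capture only.
func RunLogin(password string) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // client: fresh pair per login; size assumed
	if err != nil {
		return "", err
	}
	// Server: random 128-bit key + 128-bit IV wrapped with the client's public key (PKCS#1 v1.5 assumed; 32 bytes always fit).
	keyIV := make([]byte, 32)
	rand.Read(keyIV) // crypto/rand; never fails on a healthy system
	wrapped, _ := rsa.EncryptPKCS1v15(rand.Reader, &priv.PublicKey, keyIV)
	ct, err := clientEncryptPassword(priv, wrapped, password) // client -> server
	if err != nil {
		return "", err
	}
	return serverDecryptPassword(keyIV, ct) // server recovers the password
}
```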