[Release] ASM/packets (Exploit/fixes) {Server&Client Side} vsro-ecsro-br!

Discussion on [Release] ASM/packets (Exploit/fixes) {Server&Client Side} vsro-ecsro-br! within the SRO PServer Guides & Releases forum part of the SRO Private Server category.

Old   #1
 

Hello!

I would like to release and share my work (not all of it is my own work; for example, the gateway exploit fix is by Dizzie).

Let's start:

BR ASM

Remove GS dumps:

(RVA offsets)

Code:
0x7FB2E0 - { 0xE9, 0xDF, 0x06, 0x00, 0x00, 0x90 }
0x8037A0 - { 0xE9, 0x1D, 0x04, 0x01, 0x90 }

Modify SM rates:

(RVA offsets)

Code:
0x40D75F - { 0x42 }
0x40D7FF - { 0x42 }
0x40D8DD - { 0x42 }

Also BR:

Code:
this->_levelCapOffset_1 = (0x004D0DF2 + 2);
this->_masteryCapOffset_1 = (0x00479172 + 1); //v027 [4 bytes]
this->_disableDumps_1 = 0x008037A0; //retn + nop
this->_disableDumps_2 = 0x007FB2E0; //retn + nop
//debug [disable any messages in gameserver window]
this->_disableMsg_1 = (0x007D4700); //retn
this->_petLevelCapOffset_1 = (0x004C19F0 + 3); //0x64 [v027]
ECSRO
Code:
0047584D  |. 3C 5A          CMP AL,5A  (change 5A; 5A = level 90)
^ Max level (GameServer)

Code:
005B53FC  |> 80BC24 5803000>CMP BYTE PTR SS:[ESP+358],46
(46 = skills lv 70)
^ Client side, to make skills over lv 70 show up (change 46 to, for example, 5A so that lv 90 skills appear). That's for when you are working on an old ECSRO client and need to add skills of lv 90 or more.

------------------------------------

This exploit works with any server files:

Gateway exploit fix (the exploit allows you to send the SMC {receive new patch} packet, which stops the gateway service)

Code:
right click -> Search for -> All commands

write there:
PUSH 6308
Change 6308 to anything else (the gateway will no longer be able to accept auto-update from SMC), so you can use the original gateway to add your update, then close it and use this one {the client will update with no problems}

Code:
change the 631D opcode to something else
< VSRO only

-------------------------------------------

Agent server exploit (crash packets)

Code:
Packets           : 8  {8 ; 0}
Data size         : 129 bytes  {129 ; 0}
Total size        : 532 bytes  {449 ; 83}
Data rate         : 0.9 KB/s
Capture time      : 25.06.2013 22:43:46:552

==================================================


[25.06.2013 22:43:46:552]
00000000  25 00 00 50 00 00 0E 41  41 75 26 98 AE 82 E8 BB   %..P...A Au&.....
00000010  00 00 00 19 00 00 00 99  25 03 DD BA 18 E0 1A C3   ........ %.......
00000020  D9 F4 5D 1B B4 69 6A AB  48 1C 21 09 00 00 50 00   ..]..ij. H.!...P.
00000030  00 10 47 48 EC 19 A3 DA  2F E9 0E 00 01 20 00 00   ..GH.... /.... ..
00000040  0B 00 41 67 65 6E 74 53  65 72 76 65 72 00 05 00   ..AgentS erver...
00000050  0D 60 00 00 01 01 00 05  20 0B 00 0D 60 00 00 00   .`......  ...`...
00000060  01 00 01 C3 02 05 00 00  00 02 05 00 0D 60 00 00   ........ .....`..
00000070  01 01 00 05 60 06 00 0D  60 00 00 00 03 00 02 00   ....`... `.......
00000080  02                                                 .
Packet opcode:

Code:
0x2005
----------------------------------------------------

SWSRO offsets

Code:
[serv lvl cap]
0x0046d73d -> cmp al, 78
[serv mastery limit]
0x00515963 -> cmp eax,14a

********************************

[client pt matching]
pt match : 0x004d4465
pt match : 0x004d43e7
pt match : 0x004d4448
pt search :0x004d4465
[client mastery]
mastery1: 0x00451390 -> push 12c
mastery2: 0x00451452 -> push 12c
--------------------------------------------------------

SMC account connect with global

Code:
First you need to send a request packet:
just send a packet with opcode 0x7200

After that you receive the packet 0xB200.
The structure is as follows:

01 01 49 51 CF D0 45 00 00 00 04 05 00 61 64 6D
69 6E 16 40 00 DD 07 05 00 02 00 15 00 08 00 19
00 2B 00 5A 03 00

byte - error flag
byte - new user flag

byte - ip1
byte - ip2
byte - ip3
byte - ip4

uint32 - userID
uint16 - username_strlen
stringASCII - username

byte - local
uint16 - serverID
uint32 - something to do with a time; I didn't figure out 100% what this is.

now there will be 12 unknown bytes

byte - whether there will be a new user or not.
-----------------------------------------------------------

VSRO full gameserver config

Code:
SR_GameServer 
{
certification (str), port                                -> certification ip and port, e.g. "127.0.0.1", 32000
certification_ip_bind (str?)                             -> certification ip "127.0.0.1"
ReportConnectionLog                                      -> unknown
MaxSendQueDepth (int)                                    -> unknown
PromptAtClose                                            -> is the user a dummy who could close the GS accidentally? :D
WritePerLogToText                                        -> write log? unknown


CONTROL_NOTIFY_SPAWN_UNIQUE_MONSTER_MSG (enabled by default, ON)        -> prints a notice in the GS window if a unique appears
DO_NOT_SPAWN_MONSTER_OVER_MAX_SERVICE_LEVEL (enabled by default, ON)    -> probably won't spawn monsters that are above the level cap that is set
ENTERWORLD_LIMIT_CONDITION_FLEAMARKET (enabled by default)              -> unknown
ENTERWORLD_LIMIT_CONDITION_TRADE (ENABLED BY DEFAULT)                   -> unknown
CAN_WEARING_CONDITION_TRIJOB_EQUIP (ENABLED BY DEFAULT)                 -> unknown
CAN_WEARING_CONDITION_FREEBATTLE_EQUIP (ENABLED BY DEFAULT)             -> unknown
MONSTER_AGGRO_LINK_DECREASE_RATIO (unknown, should be int)              -> decrease aggro amount? O_o unknown, not tested
ExpRatio                                                 -> experience ratio (individual)
ExpRatioParty                                            -> experience ratio (in party)
DropItemRatio                                            -> item drop ratio (overall)
DropGoldAmountCoef                                       -> gold drop amount multiplier
HwanGainFactor (berserker gaining speed)                 -> berserker gain speed? not tested
ShowFormulaDetail                                        -> unknown
ShowGameServerDisplay                                    -> allow showing details in the gamesrv window
PCSpeedRatio                                             -> unknown
GiantMonster_SpawnRatio                                  -> ratio for spawning giant monsters
WINTER_EVENT_2009 (EVENT_ON)                             -> winter event enabled?
EnableScheduleJobLogFatal                                -> unknown
SET_FEE_RATE                                             -> probably fortress fee rate [buy]
SELL_FEE_RATE                                            -> probably fortress fee rate [sell]
PARTYMONSTER_SPAWN (ON/OFF) ????                         -> should we spawn party monsters?
GAMEWORLD_ENTRY_UNTOUCHABLE_TIME (ON/OFF) ????           -> probably the 5 seconds before exiting the game and similar timers
MAX_SQUAD_MEMBER_COUNT (int?)                            -> probably party max members

        <! UNKNOWN SETTINGS CONTEXT !>
        <! I think that's the max level limit for the party matching restriction, or something like that ^_^ !>
ENTER_LIMIT_CONDITION_ENTRY (int)                     -> unknown
ENTER_LIMIT_CONDITION_PARTY (int)                     -> unknown
ENTER_LIMIT_CONDITION_GAME_WORLD_ASSIGNED (on/off)    -> unknown
ENTER_LIMIT_CONDITION_JOB_CLOTHES_PUT_ON (on/off)     -> unknown
ENTER_LIMIT_CONDITION_JOB_CLOTHES_TAKE_OFF (ON/OFF)   -> unknown
ENTER_LIMIT_CONDITION_LEVEL_MINIMUM_NUM (INT)         -> unknown
ENTER_LIMIT_CONDITION_LEVEL_MAXIMUM_NUM (INT)         -> unknown
ENTER_LIMIT_CONDITION_MAX_LEVEL_MINIMUM_NUM (INT)     -> unknown
ENTER_LIMIT_CONDITION_MAX_LEVEL_MAXIMUM_NUM (INT)     -> unknown
ENTER_LIMIT_CONDITION_ENTRY_MAXIMUM_NUM (INT)         -> unknown

        <! UNKNOWN SETTINGS CONTEXT !>
        <! entering some world restrictions? O_o !>
ENTER_LIMIT_CONDITION_RIDE_COS_RIDING (ON/OFF)        -> has to ride a COS?
ENTER_LIMIT_CONDITION_RIDE_COS_NOT_RIDING (ON/OFF)    -> has to not be riding a COS?
ENTER_LIMIT_CONDITION_TRADE_COS_RIDING (ON/OFF)       -> has to ride a trade pet?
ENTER_LIMIT_CONDITION_TRADE_COS_NOT_RIDING (ON/OFF)   -> has to not be riding a trade pet?
ENTER_LIMIT_CONDITION_FRPVP_VOUCHER_PUT_ON (ON/OFF)   -> has to wear a PvP voucher?
ENTER_LIMIT_CONDITION_FRPVP_VOUCHER_TAKE_OFF (ON/OFF) -> has to not be wearing a PvP voucher?
ENTER_LIMIT_CONDITION_TEMPLE_ASSOCIATION (ON/OFF)     -> unknown; maybe can't be in a temple association?

        <! UNKNOWN SETTINGS CONTEXT !>
        <! entering some world restrictions? O_o !>
        
ENTER_LIMIT_CONDITION_TEMPLE_ASSOCIATION_MINIMUM_NUM (INT)           -> unknown, maybe job lvl? (1-5)
ENTER_LIMIT_CONDITION_TEMPLE_ASSOCIATION_RATE_MERCHANT_HUNTER (INT)  -> unknown, maybe job lvl? (1-5)
ENTER_LIMIT_CONDITION_TEMPLE_ASSOCIATION_RATE_THIEF (INT)            -> unknown, maybe job lvl? (1-5)

        
USER_COUNTING_ON_TEMPLE_ASSOCIATION (ON/OFF)          -> unknown, but means something if the user is at a temple association, but WHAT?!
FAILED_ENTER_WORLD_TO_SPECIAL_TARGET_SWITCH (ON/OFF)  -> unknown


NOTEXIST_PARTY_RESTRICTION_ATTACK (ON)                -> unknown
NOTEXIST_PARTY_RESTRICTION_ITEM (ON/OFF)              -> unknown
NOTEXIST_PARTY_RESTRICTION_EXP (ON/OFF)               -> unknown

}
--------------------------------------------------------

VSRO rates FIX

Code:
Individual experience ratio
0042714C   F6C4 50          TEST AH,42

Party experience ratio
004271F5   F6C4 42          TEST AH,42

Item drop rate
004272A0   F6C4 42          TEST AH,42

Gold drop amount rate
00427349   F6C4 42          TEST AH,42

Hwan (berserker) gain factor
004273CA  |. F6C4 44        TEST AH,42

Bypass creation of huge .dmp files (less lag)
00964060     81EC 6C060000  SUB ESP,66C

****************************************

Change all to

jmp 009642FD

ECSRO files fixes


Code:
Mastery:
CMP EAX,(max mastery in hex)

Max Level:
CMP AL,(max lv in hex)
ASCII .\GObjPC.cpp
ASCII Clamp () ==> min(%d) exceeded max (%d) value), File %s, Line: %d

QWord (8.-byte) stack alignment
CMP BYTE PTR DS:[ESI+58],(max lv in hex)

Fix job suit bug:
search for call 00726760 (the first) / CALL 00724240
go to this call
scroll until
007267B9   >^\E9 12DFFFFF   jmp     007246D0
007267BE   >^ E9 8DDFFFFF   jmp     00724750
mark them and change to NOP

Fix Shinmoo bug:
search for jnz short 0074B125 / JNE SHORT 00748B85
modify JNZ short 0074B125 and JNE SHORT 0074B143 / JNE SHORT 00748BA3 to JMP

Fix ban bug:
0047FC2B  |. /76 05         jbe     short 0047FC32    ;  fix: jmp

Fix right click skill disable:
go to 0060C827
From 0060C83E to 0060C860 ALL NOP
Then
CPU Disasm
Address   Hex dump          Command                                  Comments

0060C839  |.  E8 92D1E0FF   CALL 004199D0
0060C83E      8B02          MOV EAX,DWORD PTR DS:[EDX]
0060C840      B9 43485F00   MOV ECX,005F4843
0060C845      21C8          AND EAX,ECX
0060C847      3BC1          CMP EAX,ECX
0060C849      74 17         JE SHORT 0060C862
0060C84B      EB 65         JMP SHORT 0060C8B2
NOP
NOP
...

Add GM box paste:
at 005018C3
change to jmp 009C96C4
then at 005E0AE9
change to jmp 009C96FE
at 009C96C4
new code:
009C96C4      60                           pushad
009C96C5      8B0D 04F5A900                mov     ecx, dword ptr [A9F504]
009C96CB      8B89 40030000                mov     ecx, dword ptr [ecx+340]
009C96D1      85C9                         test    ecx, ecx
009C96D3      74 1D                        je      short 009C96F2
009C96D5      83BF 18010000 10             cmp     dword ptr [edi+118], 10
009C96DC      72 08                        jb      short 009C96E6
009C96DE      8B87 04010000                mov     eax, dword ptr [edi+104]
009C96E4      EB 06                        jmp     short 009C96EC
009C96E6      8D87 04010000                lea     eax, dword ptr [edi+104]
009C96EC      50                           push    eax
009C96ED      E8 FE5CAFFF                  call    004BF3F0
009C96F2      61                           popad
009C96F3      E8 D83CF5FF                  call    0091D3D0
009C96F8    ^ E9 CB81B3FF                  jmp     005018C8
009C96FD      90                           nop
009C96FE      60                           pushad
009C96FF      8B0D 04F5A900                mov     ecx, dword ptr [A9F504]
009C9705      8B89 40030000                mov     ecx, dword ptr [ecx+340]
009C970B      85C9                         test    ecx, ecx
009C970D      74 0A                        je      short 009C9719
009C970F      8B4424 44                    mov     eax, dword ptr [esp+44]
009C9713      50                           push    eax
009C9714      E8 D75CAFFF                  call    004BF3F0
009C9719      61                           popad
009C971A      E8 51A7A5FF                  call    00423E70
009C971F    ^ E9 CA73C1FF                  jmp     005E0AEE
009C9724      90
Again: not all of this work was done by me, but the ECSRO and Agent parts are mine.

Regards,
Dr.Abdelfattah
Br.Abdelfattah is offline  
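Added example (not code from the post above): a small Python tool that splits the agent capture in the post into individual packets and decodes the 0xB200 SMC login reply by the field list the post gives. It assumes the usual 6-byte Silkroad packet header (uint16 size with bit 15 as the encryption flag, uint16 opcode, one security-count byte, one security-CRC byte), which the post does not spell out. The capture bytes are the two hex dumps from the post, typed in verbatim. Two readings in the decoder are this editor's, not the post's: the posted 0xB200 dump carries one more byte between userID and the username length than the post's field list mentions, and the 16 bytes the post lists as "uint32 time + 12 unknown bytes" are read as eight little-endian uint16 values (which come out as 2013, 5, 2, 21, 8, 25, 43, 858, the field order of a Windows SYSTEMTIME).

```python
"""Split a captured Silkroad stream into packets and decode the SMC 0xB200 reply.

Added example for the thread; the framing layout is assumed, see the lead-in.
"""
import struct
from collections import namedtuple

# Assumed 6-byte header: uint16 size (bit 15 = encrypted), uint16 opcode, uint8 count, uint8 crc.
HEADER = struct.Struct("<HHBB")
ENCRYPTED = 0x8000
# The two agent-crash opcodes named in this thread (0x2005 in post #1, 0x7007 in post #10).
CRASH_OPCODES = {0x2005, 0x7007}

Packet = namedtuple("Packet", "offset opcode encrypted sec_count sec_crc payload")

# The 129-byte agent capture from the post, typed in verbatim.
AGENT_CAPTURE = bytes.fromhex(
    "25 00 00 50 00 00 0E 41 41 75 26 98 AE 82 E8 BB"
    "00 00 00 19 00 00 00 99 25 03 DD BA 18 E0 1A C3"
    "D9 F4 5D 1B B4 69 6A AB 48 1C 21 09 00 00 50 00"
    "00 10 47 48 EC 19 A3 DA 2F E9 0E 00 01 20 00 00"
    "0B 00 41 67 65 6E 74 53 65 72 76 65 72 00 05 00"
    "0D 60 00 00 01 01 00 05 20 0B 00 0D 60 00 00 00"
    "01 00 01 C3 02 05 00 00 00 02 05 00 0D 60 00 00"
    "01 01 00 05 60 06 00 0D 60 00 00 00 03 00 02 00"
    "02"
)


def iter_packets(stream: bytes):
    """Yield Packet objects; raise if a header claims more payload than the stream holds."""
    off = 0
    while off + HEADER.size <= len(stream):
        size, opcode, count, crc = HEADER.unpack_from(stream, off)
        length = size & ~ENCRYPTED
        end = off + HEADER.size + length
        if end > len(stream):
            raise ValueError(f"packet at {off:#x} claims {length} payload bytes, "
                             f"only {len(stream) - off - HEADER.size} left")
        yield Packet(off, opcode, bool(size & ENCRYPTED), count, crc, stream[off + HEADER.size:end])
        off = end
    if off != len(stream):
        raise ValueError(f"{len(stream) - off} trailing bytes do not form a full header")


def triage(stream: bytes):
    """Return [(opcode, payload_len, flagged)]; flagged opcodes are the ones a proxy should drop."""
    return [(p.opcode, len(p.payload), p.opcode in CRASH_OPCODES) for p in iter_packets(stream)]


class _Reader:
    """Cursor over a payload that refuses to read past its end."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"payload truncated at byte {self.pos}")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk
    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack("<H", self.take(2))[0]
    def u32(self): return struct.unpack("<I", self.take(4))[0]
    def remaining(self): return len(self.data) - self.pos


# The 0xB200 payload from the post, typed in verbatim (38 bytes).
SMC_LOGIN_REPLY = bytes.fromhex(
    "01 01 49 51 CF D0 45 00 00 00 04 05 00 61 64 6D"
    "69 6E 16 40 00 DD 07 05 00 02 00 15 00 08 00 19"
    "00 2B 00 5A 03 00"
)

SYSTEMTIME_FIELDS = ("year", "month", "day_of_week", "day", "hour", "minute", "second", "milliseconds")


def parse_smc_login_reply(payload: bytes) -> dict:
    """Decode the 0xB200 reply by the post's field list, plus the two readings noted in the lead-in."""
    r = _Reader(payload)
    out = {"error_flag": r.u8(), "new_user_flag": r.u8()}
    out["ip"] = ".".join(str(r.u8()) for _ in range(4))
    out["user_id"] = r.u32()
    out["unknown_byte"] = r.u8()            # present in the posted dump, absent from the post's field list
    out["username"] = r.take(r.u16()).decode("ascii")
    out["local"] = r.u8()
    out["server_id"] = r.u16()
    # Editor's reading of the post's "uint32 time + 12 unknown bytes": eight uint16 in SYSTEMTIME order.
    out["time"] = dict(zip(SYSTEMTIME_FIELDS, (r.u16() for _ in range(8))))
    out["new_user"] = r.u8()
    if r.remaining():
        raise ValueError(f"{r.remaining()} unexpected trailing bytes")
    return out


if __name__ == "__main__":
    for op, n, bad in triage(AGENT_CAPTURE):
        print(f"opcode {op:#06x} payload {n:3d} bytes{'  <-- crash opcode' if bad else ''}")
    print(parse_smc_login_reply(SMC_LOGIN_REPLY))
```

Run as-is it lists the seven packets in the capture (two 0x5000 handshake packets, the 0x2001 "AgentServer" module identification, four 0x600D packets) and the decoded login reply; `iter_packets` raises on a truncated stream instead of silently yielding a short payload, which is the behaviour you want in front of a server that crashes on malformed input.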
Old 07/03/2013, 14:31   #2
 
Do you know how to fix the stall dupe bug?
JarvisG12 is offline  
Old 07/03/2013, 14:33   #3

 
Now, nyan#
鳳凰城 is offline  
Old 07/03/2013, 14:38   #4
 
Quote:
Originally Posted by JarvisG12 View Post
Do you know how to fix stall dupe bug??
I didn't fix it with a real fix, but you have 2 ways to fix it:
1 - remove the stall network and stalls
2 - make all rare items like globals, reverses, scrolls, hammers, etc. non-stackable (set their max stack to 1)
and remove arrows (1 arrow will be useless ^_^)
Then make anything stackable in the game sell for 0 gold, like HP pots, alchemy elements, speed drugs, pet awakening.

And the last bug you may not know about: the copy bug. The only solution for it is to make rare items non-droppable (all items: sets, weapons, etc., and also item mall items and so on),
so you only leave items like alchemy and HP/MP pots to be dropped, and no one will care to copy them ^_^

^
Just an idea; I did it before (and it works perfectly). The 2nd way will still allow you to use the stall & stall network.
Br.Abdelfattah is offline  
Old 07/03/2013, 14:54   #5
 
Could you provide more info about the agent server fix?
TPRO is offline  
Old 07/03/2013, 15:48   #6
 
So, you released the already-released AgentServer exploit?

Congratulations
magicanoo is offline  
Old 07/03/2013, 16:04   #7
 
Quote:
Originally Posted by Br.Abdelfattah View Post
i don't fix it with a real fix but you have 2 ways to fix it :

2 - make all rare items like globals - reverse - scrolls - hammers ~ etc (all make them max stack to 1)
and remove arrow (1 arrow will be useless ^_^)
Then make anything in game stackable sold for 0 golds , like hp alchemy elements speed drug , pet awake
That's not a fix, it's a solution; they can still do the dupe bug.
Btw, making reverses, globals and scrolls non-stackable is not the way (failure); these are items bought from the item mall, which you obtain through donating.
So you donate to buy 1 reverse?
How could you run a server like that?
Ferpa_ is offline  
Old 07/03/2013, 16:17   #8
 
If you can't fix it, you can still track it.

1) Make a SQL job that runs every second, tracking the items; once you find abnormal counts, you can automatically ban this player's account and character and probably kick it out of the game.
MaximumDark is offline  
Old 07/03/2013, 16:21   #9
 
Quote:
Originally Posted by JarvisG12 View Post
Do you know how to fix stall dupe bug??
Contact him if you want to fix the dupe bug; I helped him a bit to fix the dupe through stall and pet (stall network: just disabled it).


Maybe he could give you some hints.
Darkness™ is offline  
Old 07/03/2013, 16:23   #10
 
Another agent crash packet (0x7007)

Agent fix patcher for those who need it (credits to MegaMaX):


Also there are more agent exploits, but I don't know if that patch fixed them; I will try to look for all the agent exploits now.


Quote:
Originally Posted by Ferpa_ View Post
That's not a fix, it's a solution; they can still do the dupe bug.
Btw, making reverses, globals and scrolls non-stackable is not the way (failure); these are items bought from the item mall, which you obtain through donating.
So you donate to buy 1 reverse?
How could you run a server like that?
You can make 1 reverse cost 1 gold, for example, and so on. Also, it's still the only solution (if you need to use stall and stall network).

AgentServer exploit fix (the close exploit)

Code:
004315D0 Change to        C2 1000 RETN 10

Code:
0042B790 Change to         C3 RETN

Gateway (another damn exploit):

Code:
00444520 Change  to          C2 1000 RETN 10

Code:
00443FA0 Change to     C3 RETN

DownloadServer:

Code:
004046E0  Change to              C2 1000 RETN 10

Code:
00412FA0    Change to          C3 RETN

Credits go to Deepblue
Br.Abdelfattah is offline  
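Added example (not from either post, and not the author's or MegaMaX's patcher): a Python script that applies patches of the "address -> bytes" form used throughout this thread (the BR offset lists in post #1, the RETN 10 / RETN fixes just above) to a 32-bit PE on disk, with the check a practitioner wants before writing anything: that the bytes already at that address are the ones expected for this build. It assumes the addresses are virtual addresses in a 0x400000-based image (the post's C++ snippet and the OllyDbg listings use the same numbers as VAs); the image base is read from the optional header and the section table maps the address to a file offset. `encode_jmp` and `encode_ret` produce the E9 rel32 and C3 / C2 imm16 encodings the posts write by hand ("Change all to jmp 009642FD", "C2 1000 RETN 10"). The PE it runs against is a constructed minimal image with one .text section, not a server binary.

```python
"""Apply 'VA -> bytes' patches of the kind listed in this thread to a 32-bit PE on disk.

Added example; the image built by build_sample_pe() is constructed, not a server binary.
"""
import struct

PE32_MAGIC = 0x10B


def pe_headers(pe: bytes):
    """Return (image_base, sections) with sections = [(name, rva, vsize, raw_ptr, raw_size), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    sections = []
    for i in range(num_sections):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(va: int, image_base: int, sections) -> int:
    """Map a virtual address to the file offset that holds those bytes on disk."""
    rva = va - image_base
    for name, s_rva, vsize, raw_ptr, raw_size in sections:
        if s_rva <= rva < s_rva + max(vsize, raw_size):
            delta = rva - s_rva
            if delta >= raw_size:
                raise ValueError(f"{va:#010x} is in the zero-filled tail of {name}; not present on disk")
            return raw_ptr + delta
    raise ValueError(f"{va:#010x} is not inside any section")


def encode_jmp(src_va: int, dst_va: int) -> bytes:
    """E9 rel32: the displacement is relative to the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5))


def encode_ret(pop_bytes: int = 0) -> bytes:
    """C3 = RETN; C2 imm16 = RETN n, for stdcall functions that clean n bytes of arguments."""
    return b"\xC3" if pop_bytes == 0 else b"\xC2" + struct.pack("<H", pop_bytes)


def apply_patch(image: bytearray, va: int, new_bytes: bytes, expect: bytes = None) -> int:
    """Write new_bytes at va; refuse if the bytes there are not `expect` (wrong build, or already patched)."""
    image_base, sections = pe_headers(bytes(image))
    off = va_to_file_offset(va, image_base, sections)
    if expect is not None and bytes(image[off:off + len(expect)]) != expect:
        raise ValueError(f"bytes at {va:#010x} are {image[off:off + len(expect)].hex()}, "
                         f"expected {expect.hex()}: different build?")
    image[off:off + len(new_bytes)] = new_bytes
    return off


def build_sample_pe() -> bytes:
    """Constructed PE32: one .text section (RVA 0x1000 <- file 0x200) with a prologue at VA 0x401010."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)            # i386, 1 section, opt hdr 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x00400000)                               # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    text = bytearray(0x200)
    text[0x10:0x16] = b"\x55\x8B\xEC\x83\xEC\x10"                             # push ebp; mov ebp,esp; sub esp,10
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0") + bytes(text)


def demo():
    """Neuter the function at 0x401010 the way the posts do ('C2 1000 RETN 10'); return (offset, bytes)."""
    img = bytearray(build_sample_pe())
    off = apply_patch(img, 0x401010, encode_ret(0x10) + b"\x90\x90\x90", expect=b"\x55\x8B\xEC")
    return off, bytes(img[off:off + 6])


if __name__ == "__main__":
    print(demo())
    print(encode_jmp(0x00964060, 0x009642FD).hex())   # the ".dmp bypass" jmp from post #1
```

The `expect` argument is the important part: the offsets in this thread are valid for one build each, and writing a RETN into the wrong build silently corrupts whatever function happens to live there. Keep the original bytes next to every patch and let the tool refuse when they do not match.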
Old 07/03/2013, 17:16   #11
 
I have no idea if all this works, but this guy at least tries to help.
pushipu is offline  
Old 07/03/2013, 17:43   #12
 
Well, you might as well call it Chernobyl #2.

Remember what happened when Cherno released the files? Yeeaaah.

And
here...
we...
go.
Qynchou is offline  
Old 07/03/2013, 17:49   #13
 
Quote:
Originally Posted by Qynchou View Post
Well, you might as well call it Chernobyl #2.

Remember what happened when Cherno released the files? Yeeaaah.

And
here...
we...
go.
wut?
HaGsTeR? is offline  
Old 07/03/2013, 17:53   #14
 
Quote:
Originally Posted by HaGsTeR? View Post
wut?
i love you and i love your avatar
A new hope is offline  
Old 07/03/2013, 17:53   #15
 
I'd recommend releasing a compiled database with all of these exploits already fixed; it's much easier to use and more people would have access to it.
Qynchou is offline  