Closed notethedude closed 7 years ago
Hardcode only, right? If I can bypass the EAC, do you think it will solve this problem, and will you share the OPK file with me?
There is no packet encryption except on the password packet used to connect to the Master Login. My OPK can now log in to the game with a hardcoded password sent to the Master Login; after that it can log in to the game at the Map Server for about 15 sec, and then the Map Server disconnects me because I don't send the sync packet every 12 seconds.
At this point I found that the sync packet is the time (in millisecond format), but I don't know which time (client time, or something the server sent to the client before). So the next step is to find out what time the client sends to the server for sync, and try to send it every 12 sec to ensure that it works.
And surely I can share the file with you. Now, do you know how it encrypts the password packet?
I'm just a beginner with OpenKore, but I have experience with network security. I'm looking for others to develop OpenKore for X0 mode; if you can share information, I will help you develop it. Oh, we can type Thai. ^^
I set the bot to send sync every 3, 10, 12 seconds, but my bot still disconnects.
But if I set it to send sync every 12 seconds, sometimes it disconnects before 12 seconds.
```
00000026 60 03 ac fa 73 01
000009AE 7f 00 ad 3f 98 26
0000002C 60 03 d1 06 74 01
000009B4 7f 00 d3 4b 98 26
00000032 60 03 fa 12 74 01
000009BA 7f 00 f9 57 98 26
00000038 60 03 09 1f 74 01
```
The method for sync is normally the same as with other RO servers, but now I found the packet where the server asks the client to answer a key. I tried closing EAC, and then the client does not answer the packet. It's like the server sends some key, then EAC uses an algorithm and replies to the server only once, when you change the map.
```
WITH EAC
SERVER <- 0A7B XXXXXX  (REQUEST THE KEY)
CLIENT -> 0A7C YYYYYY  (ANSWER THE KEY)
SERVER <- 0187 TICKTIME (REQUEST SYNC)
CLIENT -> 0360 TICKTIME (REPLY SYNC)
SERVER <- 007F TICKTIME (SYNC ACK)

WITHOUT EAC
SERVER <- 0A7B XXXXXX  (REQUEST THE KEY)
CLIENT -> NO ANSWER WITH 0A7C
SERVER <- 0187 TICKTIME (REQUEST SYNC)
CLIENT -> 0360 TICKTIME (REPLY SYNC)
SERVER <- NO SYNC ACK
```
0A7B and 0A7C are found only when we change the map. I think the sync method 0187 -> 0360 -> 007F is OK for OPK; the problem is the EAC authentication method, because we don't know the algorithm to calculate the key for replying to 0A7B with 0A7C.
I just started playing around with this bot and the RO EXE (Thai) server. I am now stuck at this point as well. It would be great if someone could reverse this authentication method.
@gotkungll How's your OPK? Is it done? I found something I want you to see.
Update! With the same packet 0A7B from the server, the client answers with a different 0A7C, so I don't know how to decrypt it. @gotkungll wanna try?
@notethedude I'm really sorry for being late. I thought hard about decrypting and sending the packet back to the server. You should bypass with Poseidon and use the debug log from OpenKore to decrypt the packet, but now the package has changed; you have a problem every 10 min. on a day, sir?
@gotkungll @sailomsaengdaed Last night I could bot in X0 mode for 6 hrs. without disconnection... w00t, but I've got something to find out.
@notethedude Really? :+1: Could you please tell me how I can contact you another way? Line ID or Facebook? You can run X0 mode with hardcode?
Any guideline for the X0 sync packet method, please? I would really appreciate your help.
@notethedude @gotkungll Hi, I would love to join your conversation or help exploring further; please let me know your FB or Line, or add me at "xxxxxxx[removed]" (without the double quotes). Do let me know that you added me from GitHub. Thanks, cheers!!!
One more question to @notethedude: did your bot change map in those 6 hours, or just stay on the same map?
@notethedude What did you do?
@gotkungll Give me yours. @chavalit Surely it changed the map... and every map was fine, with a different map IP and port. @sailomsaengdaed I have to find out; it's like 0A7C sends the key and hash, and with a different character some of the packet changes.
@notethedude Can I get involved in your development? Or have you finished it already?
@notethedude please also include me. Thanks.
By the way, I noticed that EAC behaves differently today. It usually loads wow64.bin from cdn.ro.exe blahblahblah with your unique UUID. But today I don't see this activity from EAC at all.
@notethedude OpenKore shows Packet Tokenizer: Unknown switch: 0A7B. I added 0A7B to src/network/receive/tRO.pm, but I can't add a function for packet 0A7B.
OK, it passes now. I forgot to add 0A7B to recvpackets.txt.
@sailomsaengdaed Because it is a newly added opcode, you have to define this new opcode in your packet list and define a new function to handle it accordingly. At the moment the bot (X3) just doesn't understand what it is and only acts as a packet forwarder.
The bot receives 0A7B (44 bytes) from the game server; it doesn't understand it, and anyway forwards it to the game client. The game client reacts with 0A7C (196 bytes) and sends this out to the bot (X3); again the bot doesn't understand and doesn't care, and acts as a packet forwarder.
I have yet to look into these 44 + 196 bytes in detail. I hope @notethedude can share some information on this topic :)
I am new here to OpenKore. I started OpenKore around half a month after the new tRO started, 1 week ago. I can't understand the order in which the bot works, but I'm trying to; for example, which file the bot reads first or which function runs first. But I will try to study it.
@sailomsaengdaed I am totally new to OPK as well. Just started playing around with it around 1 week ago. Here are the actual bytes being transferred on the wire: http://imgur.com/a/nmvMt Hope to be able to understand it soon.
@notethedude This is my Facebook inbox message and I will add you as a friend.
Now there is an error: unknown packet 0840. The server sends a new packet to select another map, because now the map server (Morroc City) is full. I think I'll usleep 1 minute and reconnect again.
@gotkungll My ID got banned from EAC (it is still valid in RO). Now, every time I log in on this ID with the original game client, the EAC on the server side doesn't accept the "valid" 0A7C anymore and I get kicked right away. LOL
Last night I could bot in X0 mode for 8 hrs. without disconnection.
@sailomsaengdaed Did you record the "valid" 0A7C and replay it to the server? If so, you sent a valid "packet format" but not valid "content". EAC will ban your account if you send out an "invalid" reply often; I don't know how many times you have to do this before you get banned from the EAC server. An EAC server ban is not a Ragnarok ID ban. I think you will run into this problem soon. Cheers!!!
@sailomsaengdaed Nice ^^ @chavalit I will try to randomize it today.
Packet 0A7B is the same for 3 users, but for 1 user it is not the same as the others; the 0A7B packet is unchanged.
Sometimes packet 0A7B changes, but after changing it does not change again.
But packet 0A7C changes every time.
@sailomsaengdaed Yep, I found that too; still finding out how to generate 0A7C.
EAC checks for hack tools and bots when it receives 0A7B.
I think it uses time to generate 0A7C.
@sailomsaengdaed Did you dump EAC memory? If it uses time to generate 0A7C, that's easy to generate.
I think time is one key among many keys used to generate it.
@sailomsaengdaed If it is one-to-many, that's good because we can use any key among the many. But would you want to try replying with a random recorded key? If your assumption is correct, you can randomly pick from 5-6 keys that you recorded before, and then the server couldn't detect that you sent a fake key.
@sailomsaengdaed What is your Line ID?
Finally, a valid eac reply!!!
Oh! is a good news. Can you share it?
I'm stuck on the EAC reply now =.,=
Any chance you can share with us?
@chavalit X0 login -> map: 30 sec. disconnection
@chavalit Can you share how to reply with a valid EAC package, for education please? Thanks.
@chavalit Could you hint how to generate 07AC?
@chavalit line id: tan51616 hope i can learn a lot from you.
Finally, X0 WORKS!!
@KwangGan @chavalit If you have a working version of OpenKore for tRO, please share your code in a pull request.
For now, most X0 OPK users on tRO use a 'fixed' EAC reply package (07AC: 144 bytes), but I think tRO will update it very soon.
I found something like a sync packet sent by the client every 10-12 sec. In X3 mode it can run normally because the client sends it every 12 sec., as in the debug output below:
```
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:29:19 2016 0> 60 03 D5 5F 9C 16
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:29:31 2016 0> 60 03 C6 8E 9C 16
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:29:43 2016 0> 60 03 B6 BD 9C 16
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:29:55 2016 0> 60 03 A7 EC 9C 16
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:30:07 2016 0> 60 03 97 1B 9D 16
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:30:19 2016 0> 60 03 87 4A 9D 16
```
There is no packet received before the client sends the sync packet. I found that the difference between packets is 0x2EF0 or 0x2EF1, that is 12,016 in decimal; I think that is 12,016 milliseconds, which is why the client sends it every 12 sec. So the data should be the time in milliseconds, sent to the server every 12 seconds. But I have a question: where does the time count start? Or does it use client time? How can I use Perl to print out the current time in millisecond format?
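To check the observation above (a 2-byte opcode followed by a little-endian 32-bit millisecond tick, advancing by about 0x2EF0 per 12 s), here is an added Python example, not code from the thread or from OpenKore, that parses the quoted debug lines and applies the kind of consistency check a server-side anti-cheat can use: the tick delta between consecutive 0360 packets must track the wall-clock delta, so a replayed or fabricated tick stands out. The packet layout and the 500 ms tolerance are assumptions; the log lines are a constructed copy of the ones above.

```python
import re
import struct
from datetime import datetime

# Constructed sample: the six client-side 0360 lines from the debug log above.
SAMPLE_LOG = """\
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:29:19 2016 0> 60 03 D5 5F 9C 16
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:29:31 2016 0> 60 03 C6 8E 9C 16
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:29:43 2016 0> 60 03 B6 BD 9C 16
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:29:55 2016 0> 60 03 A7 EC 9C 16
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:30:07 2016 0> 60 03 97 1B 9D 16
<< Sent by RO client: 0360 [6 bytes] Jul 31 23:30:19 2016 0> 60 03 87 4A 9D 16
"""

LINE_RE = re.compile(
    r"Sent by RO client: (?P<op>[0-9A-F]{4}) \[\d+ bytes\] "
    r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) 0> (?P<hex>[0-9A-F ]+)$"
)


def parse_sync_lines(log):
    """Return [(wall_time, tick_ms), ...] for every 0360 packet in the log.
    Assumed layout (from the thread's observation): u16 opcode + u32 tick,
    both little-endian, 6 bytes total."""
    samples = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("op") != "0360":
            continue
        raw = bytes.fromhex(m.group("hex").replace(" ", ""))
        opcode, tick = struct.unpack("<HI", raw)
        if opcode != 0x0360:
            continue  # opcode in the hex does not match the log header
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y")
        samples.append((when, tick))
    return samples


def check_cadence(samples, tolerance_ms=500):
    """Detection rule: for each consecutive pair, the tick delta (mod 2^32)
    must match the observed wall-clock delta within tolerance_ms.
    Returns [(tick_delta, wall_delta_ms, ok), ...]."""
    results = []
    for (t0, k0), (t1, k1) in zip(samples, samples[1:]):
        tick_delta = (k1 - k0) & 0xFFFFFFFF   # counter may wrap at 32 bits
        wall_ms = int((t1 - t0).total_seconds() * 1000)
        results.append((tick_delta, wall_ms, abs(tick_delta - wall_ms) <= tolerance_ms))
    return results
```

On the quoted lines the tick deltas come out as 12017, 12016, 12017, 12016, 12016 against 12000 ms of wall clock, so all pass; the absolute tick value (about 3.8e8 ms, roughly 4.4 days) is far too small to be a Unix epoch in milliseconds, which suggests an uptime-style counter rather than calendar time, though the thread does not confirm this.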