OpenKore / openkore

A free/open source client and automation tool for Ragnarok Online
http://openkore.com

~~~~ Openkore Github 628 Issue, let's continue here... #662

Closed yajoicapes closed 7 years ago

yajoicapes commented 7 years ago

Let's continue the updates here!!!

sapiro1403 commented 7 years ago

First Reminder

  1. Beware of SCAMMERS.

  2. "KingJ" does not sell or offer bot services, and he is not connected to that damned HercuBOT.

  3. Don't be in a hurry to bot. If someone offers you a working bot and then asks you to pay, think it over.... it's on you if you get SCAMMED...

KristenCruz commented 7 years ago

If you observe the pattern... there are no more Received packets after it logs in to the map server. Kore and the server can't communicate, so it gets DC'd in 30 seconds. I think this is where the encrypted packets should be decrypted for the rcvpackets to work.

Edit: Or does rcvpackets already have the capability to decrypt, as long as it's specified? Enlighten me, senpai. :smile:

```
pRO encrypted size 6 flag 0
<< Received packet: 02C9 [ 3 bytes]
Allowed other player invite to Party
pRO encrypted size 6 flag 0
<< Received packet: 02DA [ 3 bytes]
Other players are not allowed to view your Equipment.
Calculating random route to: Sograt Desert (moc_fild12): 276, 237
You on route to: Sograt Desert(moc_fild12): 276, 237
Route You Solution Ready!
Route You - next step moving to (170, 372), index 15, 265 steps left
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - trimming down solution (265) by 1 steps
Route You - next step moving to (170, 371), index 15, 264 steps left
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - not moving, decreasing step size to 12
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - trimming down solution (264) by 0 steps
Route You - next step moving to (169, 373), index 12, 264 steps left
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - not moving, decreasing step size to 9
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - trimming down solution (264) by 0 steps
Route You - next step moving to (167, 374), index 9, 264 steps left
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
pRO encrypted size 19 flag 1
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Sent packet : 0360 [ 6 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - not moving, decreasing step size to 7
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - trimming down solution (264) by 0 steps
Route You - next step moving to (165, 374), index 7, 264 steps left
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - not moving, decreasing step size to 5
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - not moving, decreasing step size to 4
pRO encrypted size 10 flag 1
Sent packet : 0360 [ 6 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - trimming down solution (264) by 0 steps
Route You - next step moving to (163, 373), index 4, 264 steps left
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - not moving, decreasing step size to 3
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - trimming down solution (264) by 0 steps
Route You - next step moving to (162, 373), index 3, 264 steps left
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
pRO encrypted size 10 flag 1
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - timeout
Route You - not moving, decreasing step size to 2
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
Move You - (re)trying
Sent packet : 035F [ 5 bytes]
ai
AI turned off
Sent packet : 0360 [ 6 bytes]
Timeout on Map Server, connecting to Account Server in 30 seconds...
Sent packet : 018A [ 4 bytes]
Disconnecting (116.93.120.134:10037)...disconnected
```

smallkid0503 commented 7 years ago

@KristenCruz Dead! You've been flagged, boss! Just be careful. You might get banned for that..

KristenCruz commented 7 years ago

@smallkid0503 Don't worry... that's just a dummy account.

sctnightcore commented 7 years ago

ENGLISH PLS

JBri01 commented 7 years ago

Please refrain from spamming the thread. Please only post updates here.

reigun02 commented 7 years ago

Hi guys, I'm currently connected to the map. My problem now is that it doesn't move, and I can't see the equipment, inventory, etc. I'm also receiving an "incoming data left in buffer" error.

Can you please advise what needs to be edited to solve this issue, or what tools are needed to solve it. [screenshot: buffer error]

I just followed @DemonDevilClaw's guide in the previous thread, and I also did some back-reading and copied @GamexBot's recvpackets. I really want to know how to fix the packets and what tools are needed to extract these packets.

Many thanks

kaliwanagan commented 7 years ago

Hey everyone. Some rules:

If you post something that breaks these rules, you will be banned from this issue tracker for being unconstructive.

It's REALLY difficult to go through all the issues to find out the useful ones, and you're just adding to the noise.

You can help us make development faster by not slowing us down.

All good?

mnjfx commented 7 years ago

Have you guys checked @GamexBot 's post from the other check? If you want, I'll repost it later when I get home. I haven't tried it myself though I'm at the office at the moment. I'm just quietly observing everyone here.

therunesoldier commented 7 years ago

I've tried downloading a fresh openkore again and updating what is needed.

XKore 0.

  1. Update server.txt - done, with doubts: master_version 15 or master_version 217, which is the correct one?
  2. Update rcvpackets.txt - done, with doubts: some of the recvpackets files I've seen have 2 columns, while others have 3 or 4 columns; what's the difference? (GamexBot recvpackets.txt and aero12_recvpackets.txt)
  3. Using both recvpackets.txt files, still stuck as below.

[screenshot]

Any next steps to be taken?

Also tried GamexBot's code but am getting errors in MessageTokenizer.

Sorry, I'm a leecher, but I want all of us to be aligned. :)
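
An added worked example (not OpenKore's code, and not posted by anyone in this thread) showing how a recvpackets-style length table drives packet tokenization, and why a wrong or incomplete table produces exactly the "data left in buffer" / tokenizer symptom people keep hitting above. It follows the OpenKore convention as I understand it: column 1 is the hex packet ID, column 2 the declared length, `-1` means a variable-length packet whose real length sits in bytes 2-3 as a little-endian uint16. The meaning of the 3rd and 4th columns is not settled on this page, so this parser accepts and ignores them. The table excerpt and the wire bytes are constructed for the example. Note what it cannot do: if the bytes on the wire are encrypted, no edit to the table makes them tokenize, which is the point k1ngJ makes later in the thread.

```python
import struct

# Constructed recvpackets.txt excerpt (not a table taken from the thread).
# id length [extra columns]; -1 = variable length, real length at bytes 2-3.
RECVPACKETS_TXT = """\
# id length [extra columns ignored here]
02C9 3
02DA 3
0080 7
0087 12 12 12
0A7B -1
"""


def parse_recvpackets(text):
    """Return {packet_id: declared_length}; extra columns are ignored."""
    lengths = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            raise ValueError('bad recvpackets line: %r' % raw)
        lengths[int(cols[0], 16)] = int(cols[1])
    return lengths


def tokenize(buf, lengths):
    """Cut buf into whole packets.

    Returns (packets, leftover, error). packets is a list of
    (packet_id, raw_bytes). leftover is what could not be consumed: either
    a partial packet waiting for more bytes (error is None) or everything
    from the first packet the table cannot explain (error is a string).
    """
    packets, pos, n = [], 0, len(buf)
    while pos + 2 <= n:
        pid = struct.unpack_from('<H', buf, pos)[0]   # IDs are little-endian
        if pid not in lengths:
            return packets, buf[pos:], 'unknown packet id %04X' % pid
        length = lengths[pid]
        if length == -1:
            if pos + 4 > n:
                break                                 # need the length field
            length = struct.unpack_from('<H', buf, pos + 2)[0]
            if length < 4:
                return packets, buf[pos:], 'bad variable length %d for %04X' % (length, pid)
        elif length < 2:
            return packets, buf[pos:], 'bad table length %d for %04X' % (length, pid)
        if pos + length > n:
            break                                     # partial packet: wait
        packets.append((pid, bytes(buf[pos:pos + length])))
        pos += length
    return packets, buf[pos:], None


class StreamTokenizer:
    """Accumulates socket reads and hands back whole packets."""

    def __init__(self, lengths):
        self.lengths = lengths
        self.buffer = b''

    def feed(self, data):
        self.buffer += data
        packets, self.buffer, err = tokenize(self.buffer, self.lengths)
        return packets, err


# Constructed wire data: 02C9 (3 bytes), 02DA (3 bytes), a variable-length
# 0A7B totalling 8 bytes, then an ID that is not in the table.
SAMPLE_STREAM = (b'\xc9\x02\x01'
                 + b'\xda\x02\x00'
                 + b'\x7b\x0a\x08\x00\xde\xad\xbe\xef'
                 + b'\xff\xff\x01')


if __name__ == '__main__':
    table = parse_recvpackets(RECVPACKETS_TXT)
    for pid, raw in tokenize(SAMPLE_STREAM, table)[0]:
        print('%04X %d bytes' % (pid, len(raw)))
    print('leftover / error:', tokenize(SAMPLE_STREAM, table)[1:])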

kaliwanagan commented 7 years ago

jhayecool is banned.

I'm serious about this.

eisengray commented 7 years ago

@therunesoldier Here's what I've done for a week now, with 2-3 hours of sleep every day just to get updated, but I've only managed to get this far. I'm stuck with the character not being able to move in game. [screenshot: openkore0001]

  1. Download the whole file from https://github.com/OpenKore
  2. Download the Fclose file to make it log in to the game http://forums.openkore.com/viewtopic.php?f=55&t=211990&start=50

Lykeee commented 7 years ago

Hey Team!

Couple of things.

Are we trying to resolve xKore 1 or xKore 0 in this thread?

BTW, here's my progress. Still stuck somewhere in parsing the packets.

[screenshot]

Not sure if you've seen the video from bahay123 that shows xKore 1 working. One thing I noticed is that he has Ragexe.exe, you can also see his openkore connected, and there's this other window that looks like it's resolving packets in real time and talking to openkore. Anyone know what that is? I can't seem to find the video; it was probably taken down or whatever.

kaliwanagan commented 7 years ago

kenomonogatari is banned.

Seriously people. Read first before you post.

putohcy commented 7 years ago

Here's my progress. I managed to log in-game, but the char doesn't move and then disconnects. Anyone know how to solve this packet tokenizer error? Thanks. Credits to Fclose's files. [screenshot: progress1]

kaliwanagan commented 7 years ago

No more posts on stuff we already know okay? We all know about the packet tokenizer error. Asking about it contributes nothing to this discussion.

putohcy commented 7 years ago

okay sorry @kaliwanagan

kaliwanagan commented 7 years ago

ItzLui18 is banned.

classmate01 commented 7 years ago

@Lykeee That other window is a python script which I believe he ran from the command prompt.

KristenCruz commented 7 years ago

I am not familiar with the full structure of openkore; that's why I am trying to understand how kore handles the packets and doing some trial and error myself.

Feel free to direct me to the correct path if im wrong.

kaliwanagan commented 7 years ago

KristenCruz commented 7 years ago

Yep. I have doubts; what I'm currently doing is a temporary fix, as these packet patterns change every maintenance (based on the tRO thread), although this is ROph's 2nd week and I didn't do anything with kore during its 1st week. @unknown-item did mention making use of CDClient.dll to handle the encryption stuff, but this is already out of my league. :smile:

@kaliwanagan Thanks for the enlightenment above by the way. :+1:

HappyGoMarky commented 7 years ago

@kaliwanagan I was wondering when someone would show up to control the thread. I've been on popcorn mode after what happened to the previous thread. Believe me, I tried. I really tried.

@KristenCruz An invite has been sent to you to collab on the pRO fork. :)

@unknown-item And to you both: I stumbled upon this https://github.com/hashcat/hashcat. It basically hacks everything (I think), but I can't get it to run.

I believe that the last known working config for tRO had an md5 key, plus other files (I browsed openkore.in). hashcat can crack md5. Can this tool help? Can you guys help me run it? Willing to abuse my system GPUs :)

Also, I can't get anything to work on Windows 10. 😆 I'm downloading Ubuntu now.

kaliwanagan commented 7 years ago

According to unknown-item they slightly changed the hashing function so it's not the canonical MD5 algorithm anymore. That means hashcat won't work.

HappyGoMarky commented 7 years ago

@kaliwanagan Is there a way to know which algo CDClient uses, or will it be trial and error?

kaliwanagan commented 7 years ago

If only it was that easy. You can't do trial and error. You'll need to trace through the process and figure it out from there.

Which is why I agree with unknown-item's assessment that it's a big waste of time to try and reverse engineer this, because they can just easily change the algorithms when maintenance happens.

HappyGoMarky commented 7 years ago

That's sad... a switch for months of work. 😭 I guess the only way is to get CDClient.dll to work for us. I'll ask around about this. This is waaaaaaay too much.

classmate01 commented 7 years ago

Please note that every 5 seconds ragexe.exe connects to > roasgard.cheatdefender.com (this happens consistently every 5 seconds).

Based on the packets that I get, there's a big difference between xkore 0 and xkore 1, which I believe means we should make 2 threads about this to avoid any confusion.

kaliwanagan commented 7 years ago

English please. Last warning.

(don't you want international devs to understand what you're saying?)

unknown-item commented 7 years ago

For HMAC, the key is calculated from the 0A7B packet and it is different for each login; there are also some slight changes in the MD5 constants. The function I used to hook was some sort of delayed-execution method that takes a function address, a delay and an interval; internally it is used for performing API hooks and cycling some detections. I used to disable them all, but now we can't disable them; we can, however, change the intervals so they only run once, and we can start the bot afterwards. For CDClient, we can use the DLL for roughly a minute or so, then it will start to disconnect us. I think that's when it starts running the code received from the side channel. This code works similarly to EAC's injected DLL, but it is much more complicated by the look of it.
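
An added example (mine, not unknown-item's hooking code and not CDClient's actual algorithm) to make concrete why "slightly changed MD5 constants" defeats hashcat and every other canonical-MD5 tool: an MD5 implementation whose round constants are parameters, which matches `hashlib.md5` with the RFC 1321 constants and diverges completely once a single bit of one constant is changed, plus an RFC 2104 HMAC built on top of it. The "session key" is a constructed byte string standing in for whatever CDClient derives from 0A7B; the real derivation is not described on this page. The tweaked constant table flips one bit of K[0], chosen arbitrarily for the demonstration.

```python
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF

# Canonical MD5 parameters (RFC 1321).
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MD5_SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
              + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
MD5_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]

# Arbitrary "slightly changed" constants: one bit of K[0] flipped. This is
# only to demonstrate the effect; it is not what CDClient does.
TWEAKED_K = [MD5_K[0] ^ 1] + MD5_K[1:]


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def md5_variant(msg, k=MD5_K, iv=MD5_IV, shifts=MD5_SHIFTS):
    """MD5 with pluggable constants. With the defaults it is standard MD5."""
    a0, b0, c0, d0 = iv
    bit_len = len(msg) * 8
    msg = msg + b'\x80'
    msg += b'\x00' * ((56 - len(msg) % 64) % 64)   # pad to 56 mod 64
    msg += struct.pack('<Q', bit_len)                # then 64-bit LE length
    for off in range(0, len(msg), 64):
        m = struct.unpack('<16I', msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + k[i] + m[g]) & MASK
            a, d, c, b = d, c, b, (b + _rotl(f, shifts[i])) & MASK
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack('<4I', a0, b0, c0, d0)


def hmac_variant(key, msg, digest=md5_variant, block_size=64):
    """RFC 2104 HMAC over whatever 64-byte-block digest is supplied."""
    if len(key) > block_size:
        key = digest(key)
    key = key.ljust(block_size, b'\x00')
    ipad = bytes(x ^ 0x36 for x in key)
    opad = bytes(x ^ 0x5C for x in key)
    return digest(opad + digest(ipad + msg))


def md5_tweaked(msg):
    return md5_variant(msg, k=TWEAKED_K)


# Constructed stand-in for per-login key material; the real derivation from
# the 0A7B packet is not known here. SAMPLE_MSG is 5 constructed bytes
# starting with the 035F ID seen in the move logs above.
SESSION_KEY = bytes.fromhex('7b0a14000123456789abcdef0011223344556677')
SAMPLE_MSG = b'\x5f\x03\x0a\x00\xb9'


def md5_selftest(msg):
    """True iff the parameterised MD5 with default constants equals hashlib."""
    return md5_variant(msg) == hashlib.md5(msg).digest()


def digest_comparison(msg=SAMPLE_MSG, key=SESSION_KEY):
    """Standard vs tweaked-constant HMAC for the same key and message."""
    reference = hmac.new(key, msg, hashlib.md5).digest()
    std = hmac_variant(key, msg)
    twk = hmac_variant(key, msg, digest=md5_tweaked)
    return {
        'standard_matches_hashlib': std == reference,
        'tweaked_matches_hashlib': twk == reference,
        'standard': std.hex(),
        'tweaked': twk.hex(),
    }


if __name__ == '__main__':
    for name, value in digest_comparison().items():
        print(name, value)
```

Hashcat's md5/HMAC-MD5 modes hard-code the RFC constants, so against the tweaked variant they would search the whole keyspace and never match; recovering the real constants requires reading them out of the DLL, which is the tracing work kaliwanagan describes above.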

hideman012 commented 7 years ago

Cheers @unknown-item, come back. I think it will be done soon.

k1ngJ commented 7 years ago

@unknown-item That is correct. I'm getting disconnected every minute or so when using xKore 0. Let me share some of my observations with you guys.

Looks like there is a lot going on with the dll, as there are 8 ordinals being exported from it.

Cheers.

KristenCruz commented 7 years ago

I think that explains why the allegedly working bots run in XKore 1, as it uses client features + Openkore. A video was circulating (but was taken down) that uses another script to capture and decrypt packets in real time.

For those on XKore 0 who claimed their bots to be working, I have a strong suspicion that we did the same process: reverse engineering and manual hard-coding of packets. As I mentioned, a temporary fix.

PS. I gave up sniffing packets after reading the above comments. :disappointed:

classmate01 commented 7 years ago

@KristenCruz You mean this one > https://www.youtube.com/watch?v=7yWYPyUWPaY&feature=youtu.be ?

k1ngJ commented 7 years ago

What you're doing is not a temporary fix; it's a way to move even further from the solution. By doing that you will not only destroy your OpenKore, you will also confuse yourself about what the real problem is. Even if you fix those unencrypted received packets, you are still missing the encrypted ones. And you can't ever do anything in game unless you encrypt the packets you are sending.

madalilng commented 7 years ago

@k1ngJ is right. The real problem here is the encryption/decryption method, which can be handled by simulating the algorithm inside cdclient.dll and using xkore 1: make a program that sniffs the packets from the client and can encrypt/decrypt them "MITM style": Server -> enc/dec method -> openkore; openkore -> enc/dec method -> server.

Or you can just reprogram the whole of openkore to handle the encryption algo.

kaliwanagan commented 7 years ago

  1. No solicitations, invitations, etc.
  2. I'm not a sir. Don't call me sir.

enseighil commented 7 years ago

My only concern is: is there someone who can post or make a tutorial on how to encrypt/decrypt, or something like that, to help you guys? You can assign any member a specific task so you can focus on the more detailed tasks. I think many are willing to help you guys.

kaliwanagan commented 7 years ago

You mean like http://forums.openkore.com/viewtopic.php?f=36&t=212035 this one?

supportski commented 7 years ago

@k1ngJ I ran the DLL through IDA and I'm seeing 12 ordinals and the entry point. How did you view the ordinals?

@unknown-item In the other issue here, you said that you were able to directly invoke the methods on the DLL and it worked for a minute or so (probably due to the side channel negotiations you mentioned here). What ordinals were you invoking, and were you able to determine the signatures for them?

Without a significant amount of refactoring, it seems like a Poseidon-type approach is what's needed to get this going. Ideally, kore could continue to pass plaintext throughout, but once it connects to a new Poseidon-type application acting as a MITM (which loads CDClient.dll), that application would just make calls in a similar manner to the client, and we could completely forget about what the DLL is doing, right?

I'm just ramping up on this, but looking at some quick captures in-game, the way the protocol seems to be processed is that CDClient just wraps the original packets that were being sent (a length-8 packet is now length 10: encrypted, with a short length in front). I couldn't imagine the client was modified much to work with this DLL; the company is offering it as a fairly non-intrusive approach to solve some problems.

daison12006013 commented 7 years ago

I'm trying out XKore to apply a proxy instead, since the anti-cheat engine blocks NetRedirect.dll, or I will try to explore the anti-cheat that they have in Ragexe.exe.

sctnightcore commented 7 years ago

xKORE 0

rev 0A7B > send 0A7C [200 bytes]

It is encrypted.

eric-cerio commented 7 years ago

http://forums.openkore.com/viewtopic.php?f=55&t=212056 http://www.safengine.com/download/cd_demo.zip

linocrvnts commented 7 years ago

Having read CheatDefender's documentation, those 8 ordinals are no longer "ordinal" for me.

eric-cerio commented 7 years ago

@linocrvnts wow cool..