Page 1 of 3
Results 1 to 10 of 23
  1. #1 pkedpker (Member-in-training)

    [Question] Aika Game connection, xTrap bypass

    I'm just wondering.

    I came up with this connection here:
    IP: 173.245.92.15 PORT: 8090

    The data it sends is encrypted.

    Is that the game connection, or is it just used for the maintenance alert? Because that's where I'm getting it from.

    What's odd is that that IP and port actually keep a connection.

    It comes from wininet.dll, pretty hard to trace it back to the AIKAEN module.

    I think that I've traced it to this.

    Seems that the game may operate completely over HTTP requests? WTH? That's crazy.

    If not, why does this HTTP request connect to port 8090? So many strange things. IDK where to begin; yes, I'm a newbie at this whole reversing thing.

    Can someone help me out? I want to get somewhere. Thanks dwar for the unpack.

    Well, maybe I can get away from debugging if someone could tell me how the packet encryption works. Does it work the same as the bin files are packed/unpacked? If so, does the server send some kind of key to begin from, some sort of byte offset in the cipher table, then keep incrementing, starting over when it reaches the end?

    Thanks, I appreciate it. I'm really bored with playing Aika; I won't mind making a bot or some sort of ultimate questing tool that walks and talks to NPCs, does the proper amount of kills, etc.

  2. #2 Dwar (Veteran)
    First of all, the game client will check the server status; if the server status is "ok", the client runs and asks for login and password. Password and login are sent to the server via HTTPS requests; if the client gets a correct answer (account status and password hash), the connection to the game server is established.
    Quote Originally Posted by pkedpker:
    Well, maybe I can get away from debugging if someone could tell me how the packet encryption works. Does it work the same as the bin files are packed/unpacked? If so, does the server send some kind of key to begin from, some sort of byte offset in the cipher table, then keep incrementing, starting over when it reaches the end?
    Packet encryption differs from bin encryption. The standard technique is to set a BP on recv, send etc. functions and then trace to the upper functions, where the encryption algorithm must be (for the Aika client this is a simple task). All necessary data are inside the game client.
    Please, post your questions on the forum, not by PM or mail.

    I spend my time, so please pay a little bit of your time to keep the world in equilibrium.

  3. #3 pkedpker (Member-in-training)
    Ahhh, I am having so much difficulty, lol. I can't even find the call that loads xTrap.

    Yup, I do the bp send, bp recv technique. I thought they would just stop at WS2_32 and the higher function would be AIKAEN.Offset#####, but no, it goes into wininet.dll, haha.

    I got lucky that the maintenance alert is before xTrap, so I can fool around a bit, but once it starts loading XTrapVa.dll...

    Do I just nop out one of those calls?
    Meh, it's okay, sorry for asking too many questions; I should just keep trying.
    Seems the call that loads xTrap does a lot more than just load xTrap.
    Last edited by pkedpker; 2011-04-07 at 07:41 AM.

  4. #4 Dwar (Veteran)
    There are also some other functions which should be nop'ed. Commonly 3-4 jmp/nop will prevent xTrap from loading.

  5. #5 coolninja (New member)
    Quote Originally Posted by Dwar:
    There are also some other functions which should be nop'ed. Commonly 3-4 jmp/nop will prevent xTrap from loading.
    So, you mean 3-4 nop'ed jumps == xTrap bypass!?
    If so, what other thing does deXtrap do?

  6. #6 Dwar (Veteran)
    Quote Originally Posted by coolninja:
    So, you mean 3-4 nop'ed jumps == xTrap bypass!?
    Not exactly... don't forget about heartbeat packets.
    There are two ways of bypass:
    1: Completely disable xTrap (main xTrap thread and driver) + create an emulator with the purpose of sending heartbeat packets to the server
    2: Keep xTrap loading but disable the xTrap protection mechanism (need to check what exactly is hooked and find an exploit possibility)

  7. #7 pkedpker (Member-in-training)
    Most likely, coolninja.

    But I still think that even though xTrap isn't running it may not be good; xTrap probably sends packets too. If it doesn't, you probably get disconnected by the game server after some timeout exceeds the waiting period for that packet.

    But all in all I'm not worried about keeping xTrap off for long periods of time, just for 10 minutes to find out the proper function that is called to encrypt raw packet data, hook it and detour it, with maybe a naked stub if it's not one of those formats, ermm, they are called calling conventions, like

    cdecl, stdcall, fastcall, thiscall.

    But I love doing it the naked way; it's much easier and most of the time you can just copy/paste OllyDbg code into a C++ app.

    Naked doesn't use any registers or anything, nothing gets changed, so it's like a code cave to a new area. But you can control it.

    I'll explain.
    Code:
    DWORD RealRecvOffset = 0xAABBCCDD;
    
    int __declspec(naked) RecvDetour(DWORD sizePacket,DWORD packetPtr,...)
    {
            //emulate a call as jmp
            __asm
            {
                    push    ebp
                    mov     ebp, esp
                    sub     esp, 40h
            }
            //do your stuff here like update hp's of npcs your npc,new npcs spawns etc
            __asm
            {
                    jmp RealRecvOffset
            }
    }
    Simple.

    Now for sending packets it turns out a bit harder, as you cannot call the function directly since you don't know where the instruction ptr is.
    You can make a queue, fill it up with packets and in game spam chat with something to create a good packet flow, and replace packets with yours as you intercept them, but this, you know, won't be stable, lol.

  8. #8 Dwar (Veteran)
    Quote Originally Posted by pkedpker:
    xTrap probably sends packets too
    xTrap not only sends information to the game server, it also sends information about your system and all running processes (xTrap collects a signature for every module in the system) to the xTrap server.
    Quote Originally Posted by pkedpker:
    Now for sending packets it turns out a bit harder
    No, just find the encryption routine and rewrite it: trace the code, dump and log the register state, find the cipher table and that's all.

  9. #9 pkedpker (Member-in-training)
    Anyways, I am not getting anywhere; once I do any of those I end up with
    "Process terminated, exit code 0", no idea where it even screws up, just all threads get terminated followed by process termination.

    I just NOP -> [CALL EDI = LoadLibraryA]
    (This would mean I gotta find the place where the imports get called and somehow nop them too.)

    I can't find out where the DLL gets called. I've stepped over 50,000 lines and it still doesn't crash, but as soon as I run it without stepping, instant crash.

    I thought about just looking for GetProcAddress calls to XTrap.dll that could be crashing it, as I've aborted the loading of xTrap, but it seems it's not used??

    So then it hit me: why not just look for TerminateProcess calls and nop them all out, lol. Err, still doesn't work.

    Or just change
    005C4525 -> JE to JNZ to quickly exit (probably shouldn't do this; most likely this is if an error occurs).

    XTrap DLL loading code:
    Code:
    005C4500  /$ 81EC 04010000  SUB ESP,104
    005C4506  |. 53             PUSH EBX
    005C4507  |. 56             PUSH ESI
    005C4508  |. 57             PUSH EDI
    005C4509  |. B9 40000000    MOV ECX,40
    005C450E  |. 33C0           XOR EAX,EAX
    005C4510  |. 8D7C24 0D      LEA EDI,DWORD PTR SS:[ESP+D]
    005C4514  |. C64424 0C 00   MOV BYTE PTR SS:[ESP+C],0
    005C4519  |. F3:AB          REP STOS DWORD PTR ES:[EDI]
    005C451B  |. 66:AB          STOS WORD PTR ES:[EDI]
    005C451D  |. AA             STOS BYTE PTR ES:[EDI]
    005C451E  |. A1 A0873802    MOV EAX,DWORD PTR DS:[23887A0]
    005C4523  |. 85C0           TEST EAX,EAX
    005C4525     74 18          JE SHORT AIKAEN_u.005C453F
    005C4527  |. A1 CC873802    MOV EAX,DWORD PTR DS:[23887CC]
    005C452C  |. 5F             POP EDI
    005C452D  |. 5E             POP ESI
    005C452E  |. 5B             POP EBX
    005C452F  |. C740 08 032000>MOV DWORD PTR DS:[EAX+8],2003
    005C4536  |. 33C0           XOR EAX,EAX
    005C4538  |. 81C4 04010000  ADD ESP,104
    005C453E  |. C3             RETN
    005C453F  |> 8B8C24 1401000>MOV ECX,DWORD PTR SS:[ESP+114]
    005C4546  |. 68 94026100    PUSH AIKAEN_u.00610294                   ;  ASCII "XTrapVa.dll"
    005C454B  |. 51             PUSH ECX
    005C454C  |. 8D5424 14      LEA EDX,DWORD PTR SS:[ESP+14]
    005C4550  |. 68 80026100    PUSH AIKAEN_u.00610280                   ;  ASCII "%s\%s"
    005C4555  |. 52             PUSH EDX
    005C4556  |. E8 8ECBFEFF    CALL AIKAEN_u.005B10E9
    005C455B  |. 8B3D 74603A02  MOV EDI,DWORD PTR DS:[<&kernel32.LoadLib>;  kernel32.LoadLibraryA
    005C4561  |. 83C4 10        ADD ESP,10
    005C4564  |. 8D4424 0C      LEA EAX,DWORD PTR SS:[ESP+C]
    005C4568  |. 50             PUSH EAX                                 ; /FileName
    005C4569  |. FFD7           CALL EDI                                 ; \LoadLibraryA
    005C456B  |. 8BF0           MOV ESI,EAX
    005C456D  |. 85F6           TEST ESI,ESI
    005C456F  |. 75 52          JNZ SHORT AIKAEN_u.005C45C3
    005C4571  |. FF15 00603A02  CALL DWORD PTR DS:[<&kernel32.GetLastErr>; [GetLastError
    005C4577  |. 8BD8           MOV EBX,EAX
    005C4579  |. 83FB 7E        CMP EBX,7E
    005C457C  |. 75 24          JNZ SHORT AIKAEN_u.005C45A2
    005C457E  |. 68 94026100    PUSH AIKAEN_u.00610294                   ;  ASCII "XTrapVa.dll"
    005C4583  |. 8D4C24 10      LEA ECX,DWORD PTR SS:[ESP+10]
    005C4587  |. 68 88026100    PUSH AIKAEN_u.00610288                   ;  ASCII ".\XTrap\%s"
    005C458C  |. 51             PUSH ECX
    005C458D  |. E8 57CBFEFF    CALL AIKAEN_u.005B10E9
    005C4592  |. 83C4 0C        ADD ESP,0C
    005C4595  |. 8D5424 0C      LEA EDX,DWORD PTR SS:[ESP+C]
    005C4599  |. 52             PUSH EDX
    005C459A  |. FFD7           CALL EDI
    005C459C  |. 8BF0           MOV ESI,EAX
    005C459E  |. 85F6           TEST ESI,ESI
    005C45A0  |. 75 21          JNZ SHORT AIKAEN_u.005C45C3
    005C45A2  |> A1 CC873802    MOV EAX,DWORD PTR DS:[23887CC]
    005C45A7  |. 5F             POP EDI
    005C45A8  |. 5E             POP ESI
    005C45A9  |. 8958 04        MOV DWORD PTR DS:[EAX+4],EBX
    005C45AC  |. 8B0D CC873802  MOV ECX,DWORD PTR DS:[23887CC]           ;  AIKAEN_u.02388F70
    005C45B2  |. 33C0           XOR EAX,EAX
    005C45B4  |. 5B             POP EBX
    005C45B5  |. C741 08 042000>MOV DWORD PTR DS:[ECX+8],2004
    005C45BC  |. 81C4 04010000  ADD ESP,104
    005C45C2  |. C3             RETN
    005C45C3  |> 8D5424 0C      LEA EDX,DWORD PTR SS:[ESP+C]
    005C45C7  |. 56             PUSH ESI
    005C45C8  |. 52             PUSH EDX
    005C45C9  |. E8 12080000    CALL AIKAEN_u.005C4DE0
    005C45CE  |. 83C4 08        ADD ESP,8
    005C45D1  |. 8935 A0873802  MOV DWORD PTR DS:[23887A0],ESI
    005C45D7  |. E8 04070000    CALL AIKAEN_u.005C4CE0
    005C45DC  |. 56             PUSH ESI
    005C45DD  |. 8BC8           MOV ECX,EAX
    005C45DF  |. E8 BC070000    CALL AIKAEN_u.005C4DA0
    005C45E4  |. 5F             POP EDI
    005C45E5  |. 5E             POP ESI
    005C45E6  |. B8 01000000    MOV EAX,1
    005C45EB  |. 5B             POP EBX
    005C45EC  |. 81C4 04010000  ADD ESP,104
    005C45F2  \. C3             RETN

  10. #10 Dwar (Veteran)
    Quote Originally Posted by pkedpker:
    I just NOP -> [CALL EDI = LoadLibraryA]
    You should try to nop some client functions which call the xTrap loading, not the functions which actually load xTrap. Then try again to trace back from TerminateProcess and retn the termination functions. For example, for FistsOfFu or Martial Empires you should also find a timer routine where messy checking functions run in a cycle.
