Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 23
  1. #11
    pkedpker
    pkedpker is offline
    Member-in-training
    Join Date
    2011 Mar
    Posts
    67
    Thanks Thanks Given 
    13
    Thanks Thanks Received 
    41
    Thanked in
    14 Posts
    Rep Power
    0
    so pain stacking hard.

    [s]I am thinking of just making a empty dll in C++ and try loading it up. instead of XTrap.dll maybe this will work. with empty imports

    I think only need
    XProc3, XProc4, XProc9[/s]

    screw that even harder lol

    I'll i'll try some higher function.

    [update] still haven't been able to start game successfully but with around 3 patches. I got up to the game skill loader "SkillData0.bin".

    Then comes UI/PI.bin loading

    Found bin encryption and crypt table woo lol.

    Found a little trick open the AikaClient.log and breakpoint the most next to last messages in ollydbg to see how far you go to avoid endless stepping.

    I get up to

    Code:
    04/08 00:40:37 - Read ItemList..OK
    04/08 00:40:37 - Read Skilldata..ok
    04/08 00:40:37 - Read PI..OK
    04/08 00:40:38 - Init ServerList
    04/08 00:40:38 - Init Timer Manager
    04/08 00:40:38 - Init Render Device
    04/08 00:41:38 - VertexShader HW Accel Enabled
    can't get up to Network Manager yet.

    These are my xTrap bypass patches so far.

    Code:
    005C3BCC -> NOP (Xtrap higher function)
    005C3BFB -> JNZ (skips termination some check)
    0041D9DE -> JNZ (Xtrap messagebox skip)
    Dwar maybe you can tell me what I'm missing



    ---------- Post added at 09:06 PM ---------- Previous post was at 01:42 AM ----------

    Sorry for double posting but I didn't want to make a new topic lol.

    Thanks to Dwar's hints and help I finally managed to load Aika Online without Xtrap, I didn't believe it at first had to load up Cheat Engine and run speed hack on 99.0 and the login user/pass blinker was going crazy lol.

    There is still one thing I missed because It terminates the process in 30 seconds. but thats plenty of time to step threw encryption one line at a time!.

    Last edited by pkedpker; 2011-04-08 at 05:56 AM.

  2. #12
    coolninja
    coolninja is offline
    New member
    Join Date
    2011 Apr
    Posts
    10
    Thanks Thanks Given 
    1
    Thanks Thanks Received 
    2
    Thanked in
    1 Post
    Rep Power
    0
    Congraz pkedpker!
    Well, for me, I don't really understand what you guys talked about,
    it's way beyond my knowledge, I only got 10% of the meaning.
    But that's ok, as im just a beginner in RCE,
    one day, I will understand everything in this thread.

  3. #13
    pkedpker
    pkedpker is offline
    Member-in-training
    Join Date
    2011 Mar
    Posts
    67
    Thanks Thanks Given 
    13
    Thanks Thanks Received 
    41
    Thanked in
    14 Posts
    Rep Power
    0
    Haha it wasn't any of my work it's all thanks to Dwar he gives you cryptic answers in forms of hints good for learning..

    I'm happy to say I've bypassed the 90 second crash.. this was the easiest thing you can do :P no patching involved, I might as well tell a hint of my own.. you set it to INFINITE

    Also Dwar is right you need those heartbeat packets I can barely play 5 minutes before I get logged out to login menu. Of course emulating those heartbeat packets is no where near what I can do at the moment plus XTrap is packed and no matter how hard I tried to unpack AikaOnline .. I got OEP.. i did the memory bp on code and access on imports or other way around I forget, ran those tools universal important fixer then dumped the file.. and fixed it with impec (import reconstructor) turned out the OEP was wrong or something. No real good tutorials on unpacking, I guess it's something people pick up when they are expert at Reversing.

    Anyways meh now it feels like i'm playing a ordinary flash game.. and no matter how difficult a flash game is.. it's nothing with cheat engine lol.. but screw this I want to make a bot!.

    [Update]
    I'd like to say my plan is somewhat of a fail dang... I wanted to use his unpack too find offsets to hook and inject dll, I've done. Even when I inject into offical packed version it works fine!. But Xtrap pops out with game memory modification error dang.

    Now my only option is to make a proxy bot and I have to rewrite the packet encryption like dwar says man this looks too hard of a task for me to do. I've did some work so far found out the packet encryption uses rand() & 0xff which made me go like wtf.
    Last edited by pkedpker; 2011-04-09 at 06:58 AM.

  4. #14
    coolninja
    coolninja is offline
    New member
    Join Date
    2011 Apr
    Posts
    10
    Thanks Thanks Given 
    1
    Thanks Thanks Received 
    2
    Thanked in
    1 Post
    Rep Power
    0
    Quote Originally Posted by pkedpker View Post
    the packet encryption uses rand() & 0xff which made me go like wtf.
    what!? it's impossible... if it really uses rand() to encrypt the packets, nothing can decrypt them back to what they are.
    just think of a password with random numbers, do you think the server will have to bruteforce it? they are legit packets, man.
    you must be missing something, and I believe the decryption code should be in the client,
    else, the encrypted packets sent from the server couldn't be read by your client.

    just guessing, if it's not the case, idk...

  5. #15
    pkedpker
    pkedpker is offline
    Member-in-training
    Join Date
    2011 Mar
    Posts
    67
    Thanks Thanks Given 
    13
    Thanks Thanks Received 
    41
    Thanked in
    14 Posts
    Rep Power
    0
    Quote Originally Posted by coolninja View Post
    what!? it's impossible... if it really uses rand() to encrypt the packets, nothing can decrypt them back to what they are.
    just think of a password with random numbers, do you think the server will have to bruteforce it? they are legit packets, man.
    you must be missing something, and I believe the decryption code should be in the client,
    else, the encrypted packets sent from the server couldn't be read by your client.

    just guessing, if it's not the case, idk...
    First of all if I can't decrypt packets how does the client do it lol.

    Naw it's possible to decrypt packets even if they use rand(). after all rand() isn't random it's a stream of bytes that are predetermined by a random seed. so if you re-run the same random seed you'll end up with the same random bytes. It depends how much iterations you do.

    I'm just very bad at converting assembly :\ so much instructions I don't understand I mean anyone can do it... if you waste like 1 week in my case 24\7 being on lol and it's only like 100 lines!.

    I mean I can really hardcore it and see every byte which changes to what and not even look at the assembly use my own brain to figure out what happened to the byte to make it increase/decrease etc..

    Getting closer a bit.. I found out each of the packets are encrypted 4 bytes at a time..

    the encryption has some oddness in it, it doesn't encrypt everything but 1 out of 3 bytes.. Yet sometimes it encrypts all 4 bytes.. such as 0 bytes.. like 00 00 00 00 becomes EF FF FF FF then next becomes to F2 FF FF FF.. seems to keep the 0xFF's maybe thats because they are zero.

    IDK what this is ATM but it may be helpful in the future. Seems very connected to packet encryption and maybe even decryption.

    Code:
    52 B3 F7 20 34 FB 8E 4C 21 2A 64 E9 2F 89 E7 B9 F1 F2 DF 79 F9 40 09 FF 9A 04 02 85 F3 7A 67 45 28 BB 3B 46 F3 33 89 75 5C 56 4A F7 C4 8F 88 BE 28 79 C4 5A A4 52 96 12 36 AD 93 34 C5 66 73 A9 62 DB 74 CC CD 59 F9 7D 3B D5 77 70 56 DD 91 CB 86 CE 82 F1 6F 46 BC 98 BB DC CE 22 19 0F 8B 2A 85 7D 69 5D CB 56 27 8B 46 0F B3 FD EE 5B 4A 0A 92 57 E1 E5 61 04 C4 B9 AF FB 7D F8 F6 5C F7 F0 1B 08 E3 9F F3 10 5B C8 06 6D C5 46 93 F1 FB A1 D4 7D A9 DF 82 75 F6 9C 9C 71 66 5D 65 35 FE 22 AC E4 AA 3A 4F 70 DD 5B 02 55 77 F2 4D 87 EB B8 D4 A8 A1 86 DB 7F 99 6A 09 A6 52 FA 6C 82 EA E8 BE 78 86 D7 E7 5E F4 6D C2 30 8F AA 24 05 63 78 1B 41 92 83 73 0B F7 4A 7F 02 08 77 16 2B 01 6B DB 2E 3F 1E C1 C3 E9 26 CF 67 D6 15 21 53 AB 08 30 AE 44 7D 53 02 56 65 85 ED 52 7B 68 19 8C D3 8A 6D 9C B6 E7 85 04 AD B0 60 14 DC 4B 59 0B 91 9B 59 7F 1D 81 4A FF E3 A3 CF F6 AE 6C 32 D2 48 54 9E 66 48 61 8E 8D 2B ED 85 11 A6 AB 00 CB 3B E5 A8 07 CD 3A EB 61 10 BD B9 29 5F 1D F1 BF 27 65 7B 35 C4 CC C7 0F 3D 94 1C 47 2E 32 2D 95 05 AF EE ED 71 4E A5 48 18 6F 44 A7 89 B3 F6 55 71 61 F8 6D 11 09 AA 9D EF 67 E6 29 CC 89 90 33 D7 34 6E 39 20 85 3A DF 4F D4 F6 EF 96 DD 80 9E E4 22 66 11 5C 8B FB 1F 05 50 AB 59 C3 18 8B 47 86 63 34 F5 C1 25 D2 AE 1E B3 78 08 70 E3 B7 21 E8 6F 6E 27 8D 9B E3 1E E6 18 13 DD F9 27 47 5A 7A 02 E8 28 3C 77 94 3E EB D6 71 FA FD 0D C2 66 E6 12 B8 B9 8B 81 8A 21 FA 87 C8 BF 58 FE EC F3 1A D9 32 DB 79 C3 A9 16 1F 03 8A CE 27 A3 C9 F5 44 D1 EB CE 40 85 17 B0 A9 64 6F 07 C7 E5 A1 9B D0 B2 B8 15 5F 51 39 BF 23 03 6B 8B D4 EC F6 57 6C 00 65 D7 7A 2D AA 0E 18 8A F0 10 1B E9 2F 20 C1 02 EA 52 05 AA 47 6F EE 8F 63 70 18 24 2B 0C E3 22 2D 16 A3 23 CC 19 91 BE D3 F4 4F 4B 61 0C E0 EF 30 73 17 8A 94 0C 35 34 F4 0E 4B E6 01 3A 32 11 74 12 78 EF 8E 0B 15 82 92 34 D5 F7 A4 EA FF 14 6F 41 8E 0C 7A D9 7A 22 91 0F 7F 86 22 0C 35 2B EA DE F5 1E 33 4F 0A F1 D0 0C 18 E8 30 74 1D E9 8D 16 03 13 FE C1 0F 46 83 16 BF 21 C4 0A E3 26 2E 6F 7A 1E 93 0C FD 66 9A 76 9B 5A 6F B8 7E 00 50 13 DE EF 30 D4 DE 24 2C 5C 85 CF 90 7E 4B 8C 51 04 77 6D 38 11 17 88 2A D9 7D 24 2F 34 3F FA 22 05 7D F0 33 0D 68 90 10 DB 17 22 95 72 81 22 F3 16 21 F3 72 01 23 78 3D D4 DD 96 C8 70 7C EA 91 0E E1 EB F0 3E 85 56 22 40 AF 96 F1 45 22 D3 C7 D6 79 84 31 D7 DC 86 D7 16 49 A3 AE 35 AF 14 51 4E 54 48 B5 72 16 25 94 0F 1C 88 90 5C 5D 2A 04 81 23 FA 83 64 6B 7C 7B 11 1B 26 F3 70 1C 24 F1 02 35 D8 5E 5F 0F 96 8D C8 09 68 9E 6F DF 24 31 0C 1C 21 8F 48 5D 73 E0 69 55 C8 47 E9 10 65 78 D2 1B 26 2E D3 18 86 2D 34 D5 F2 72 23 73 5A E7 64 C0 F6 EE 11 E3 1F 31 DA 16 EB 28 16 7B 11 AE 18 EB 82 47 34 93 63 30 10 E0 ED 2F 77 7F 8A F7 3E F3 1E F4 7A B9 32 C9 0C A0 F0 1C 0A 7B 87 91 74 7E E6 8E 34 8F E4 D6 13 AF D2 65 98 17 38 D5 0A 7D 1E 28 6E 80 23 2C 16 5D F8 7C 12 AF 00 E7 DB D0 D8 2B 10 7C E9 F3 0A 7B 24 2C 2A 21 8A 36 9D 91 8C A1 36 E7 1B 4E 0B 80 89 28 D3 17 E7 F9 16 F3 65 EA EA 4B 00 15 4E 26 38 8D 6E 7E EB F5 10 1B 1E F9 20 21 1B 2C 9A 87 50 FB 30 6E CB FB 0F E2 84 2E 76 15 83 8E 20 35 40 18 0A EB 00 F1 1E 99 C3 4C 76 14 22 95 D8 1C 85 90 0C A3 02 FE 8D 2D 46 51 70 6A 4D C5 70 1B 26 F4 0F DD 00 00 00 00
    Last edited by pkedpker; 2011-04-10 at 07:03 AM.

  6. #16
    makradesh
    makradesh is offline
    Member-in-training makradesh's Avatar
    Join Date
    2011 Feb
    Location
    UG in PGC
    Posts
    68
    Thanks Thanks Given 
    3
    Thanks Thanks Received 
    14
    Thanked in
    9 Posts
    Rep Power
    0
    looks promising..

    Now that you disabled xtrap try using a multilog, then recheck if xtrap is working again..
    If not try how long you will stay online without getting kicked back..

    Just wondering bro^^,
    Stewie kills the world in 2012.

  7. #17
    pkedpker
    pkedpker is offline
    Member-in-training
    Join Date
    2011 Mar
    Posts
    67
    Thanks Thanks Given 
    13
    Thanks Thanks Received 
    41
    Thanked in
    14 Posts
    Rep Power
    0
    about 7 minutes and 3 minutes with speed hack

    enough to do stuff with cheat engine, if someone made like a undetected driver that edits your memory not the memory for game.. but i'm talking about raw ram memory and find a specifc array of bytes.. you can hack aika online with xtrap on then.. just alter your ram! Possible idk

  8. #18
    remka
    remka is offline
    Member-in-training remka's Avatar
    Join Date
    2010 Oct
    Location
    Moscow
    Posts
    161
    Thanks Thanks Given 
    17
    Thanks Thanks Received 
    31
    Thanked in
    6 Posts
    Rep Power
    15
    Dwar, you don't tell about xTrapEmu? ))))))))
    Please write to the PM only at the right issues.
    or if you know what 0x90)))
    P.s.
    it's NOT NOP

  9. #19
    explosionsinthe
    explosionsinthe is offline
    New member explosionsinthe's Avatar
    Join Date
    2011 Apr
    Posts
    16
    Thanks Thanks Given 
    1
    Thanks Thanks Received 
    1
    Thanked in
    1 Post
    Rep Power
    0
    pker I haven't read the entire thread but regarding this decryption algorithm you are trying to convert why not copy the assembly function as it is and use it as inline asm to define the function in MSVC.

  10. #20
    pkedpker
    pkedpker is offline
    Member-in-training
    Join Date
    2011 Mar
    Posts
    67
    Thanks Thanks Given 
    13
    Thanks Thanks Received 
    41
    Thanked in
    14 Posts
    Rep Power
    0
    Quote Originally Posted by remka View Post
    Dwar, you don't tell about xTrapEmu? ))))))))
    0x90 is a hexadecimal value of 144 in decimal lol, but yeah it the value of opcode NOP, no he didn't but I don't really need xTrapEmu


    I attempted that explosionsinthe but lots of shit gets passed to it without using arguments like outside of call.. which is really gay.. but I managed to get Encrypt function working 2 days ago.. and today I got finally semi working Decrypt function working. Code looks extremely ugly. I'll try cleaning it up and in the end hopefully I can get a working dll with Enc/Dec/ClearSession functions and code my bot in different language I'm more comfortable in.

    Maybe I'll make a aika server emu haha, but I doubt it. I only passed the enc/dec for the actual game server not the login screen.

    decryption method has argument DWORDS which are not even used believe it or not but in turn are generated as the decryption function is running like first argument gets set to 2.. if packet is special and doesn't need decoding. and next argument gets set to packet 4 bytes but..
    If size of packet is too small or too big first argument gets set to 2 and second argument is suppose to be packet 4 bytes right? but it isn't it is size rofl!. Probably used for error handling but in any case packet isn't even a argument! it's pushed later on.. from some arbitrary location.

    Oh yeah.. first 4 bytes of packet do actually cotain size so it's not really that amazing but the size isn't a dword its a word yet it's treated as dword so my assumption on top is accurate about it being error handled.

    Plus what I am doing believe it or not at first I thought it was worthless but I didn't give up.. and now it's a great learning experience I may even write a tool that fixes decompiled code.
    Last edited by pkedpker; 2011-04-20 at 07:43 AM.

Page 2 of 3 FirstFirst 123 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •