would be nice if we had a wiki about AIKA packets
I could contribute with some packets
People try to find tutorials only for Aika packets, but it isn't that easy. You must study packet encryption/decryption in the case of random encryption, and you must use your debugger to find the cipher table in the command line, so use it. People will never find a specific Aika tutorial, but tutorials about random decryption/encryption are the start of everything...
People can read the definition of the type of encryption that Aika uses here:
Random Encryption Package
You can study send or recv packets by placing a breakpoint on both WS2_32 functions.
Commands:
bp send
bp recv
Or you can do it without commands..
Right click somewhere in the assembly code view.. click Search for -> All intermodular calls.
Find the one which you want to debug.. I recommend send packets.. because that's what gets sent to the server. As for recv packets.. that's all client-side; some useful things here too, of course..
So put a breakpoint on WS2_32.send, aka CALL <JMP.&WS2_32.#19>.
When you log in to the game.. you send a packet of, idk, username/password?
When the breakpoint is triggered,
here you will find the whole WS2_32 call with full parameters.. of course you can look at the buffer.. and right click it to view in DUMP.
You will see the same layout.. as in WPE PRO/rPE.. the packet being encrypted..
You can then look at the OllyDBG stack view.. (it's the bottom right side) and (the bottom left side is DUMP).
You will see on stack right after breakpoint is triggered something like
RETURN to 00443210 from WS2_32.send
The number 00443210.. is where
(if you are looking for SEND packets) the packet was encrypted. [Client 2 Server]
(if you are looking for RECV packets) the packet was decrypted. [Server 2 Client]
So right click that line (it will be red), click on it and press ENTER.
Now you are a bit deeper.. where either encryption or decryption happens.. you will have to look up a few lines..
Look for either CALLs (which could mean calling the encrypt/decrypt function) or the beginning of a function.. (which probably means encrypt/decrypt is where you are at). Set breakpoints everywhere either way..
Now step line by line.. and always look at the registers.. try to find where a register shows the packet. You must right click on the register and click Follow in Dump.
Look in the dump.. if you see the same packet.. that you found in the WS2_32.send/recv buffer.. then it's still encrypted!! But this is a good sign! You found the buffer array where the encryption/decryption probably happens.
Anyway, after you put those breakpoints.. it's a good idea to save the encrypted buffer packet.. to notepad or something.. because now you will have to restart the game with Ctrl+F2 or press <<.
But now when you send a packet.. you will break deeper in the encryption.. not straight away at WS2_32.send (which sends the packet).
Keep running line by line by pressing F7.. and always look at the registers.. look at all the registers that have big numbers.. (these usually are addresses to dump).
If it's too small like 0000010 or 0003430, these are usually counters.. you don't even have to look at these..
If it's too big like 7FFDE000, this is too big to be an address.. these can be ignored to save time..
If you find the decrypted packet.. it should have maybe the username.. then you found where the encryption still hasn't been run and the packet is easily viewable decrypted.. (unencrypted). You can do a lot of things here.. if you don't know how to rip out the encryption. You can hook in C++ the buffer where the decrypted packets are to make a packet sniffer. Or what I always do..
I also hook that buffer with the unencrypted packet, but I modify the packet that comes in, like a filter.. So let's say in game you chat.. like 'test'.. you will see the packet came in with 'test'.. you can replace this packet with whatever you want.. it will be encrypted.. and sent to the server.. and work like any packet hack!.. You can make a tool.. that automatically replaces this unencrypted buffer with your packet.. and to send, you simply send any packet in game.. movement packet/chat packet.. etc..
Encryption can be ripped with tools other than OllyDBG, but those tools cost money. You can also rip the encryption with an OllyDBG plugin called CodeRipper (you must download this plugin). This works very well on many languages.. Delphi/C/C++ and plain ASM.
Just select the whole encryption in OllyDBG.. and right click Code Ripper.. it will automatically rip all the functions it CALL/JMPs to, pretty much doing all the work for you.. then you just copy/paste into C++ in a naked function: `__declspec(naked) void test(int param1, int param2, ...) { __asm { /* ASM CODE HERE */ } }`
If you call the encrypt/decrypt function you ripped.. and it crashes.. trust me, it will crash on the first try.. there will always be problems like registers being wrong or something wrong with the stack.. all this can be fixed.. if you copy/paste the exact same registers.. you may have to step through to figure out what's going wrong with the registers.
Other than that, now you can use this to encrypt/decrypt packets.. then you will have to write a fake server.. or fake client, whichever you prefer.
I didn't say how to do much, but given these steps.. maybe you guys can easily do this.
Is it possible to do something cool like dup XP, etc. with RPE/WPE PRO without decrypting/encrypting packets?
Could be possible with WPE PRO.. if you are lucky.. but most likely it will just disconnect you.
Yes, encryption happens at the CALL to send from AIKABR.00411BE5
00411BE5, or what goes to 00411BE5.. or before that.. or even before that.. could be where the encryption happens.. but you're doing great.
Look at that. The name "ROCKERTEER" that is written below is my id; I think I'm getting close to decryption.
I see that I still have much to learn.
I thought I was doing well in my studies of game hacking. Decryption is more difficult than I thought, haha.