Thread: No Xtrap Client

  #11 tacaovo
    would be nice if we had a wiki about AIKA packets
    I could contribute with some packets

  #12 ragazzi05
    Quote Originally Posted by tacaovo:
        would be nice if we had a wiki about AIKA packets
        I could contribute with some packets
    Look for tutorials, I found some!
    But it is still useless for me.

  #13 gm3x
    Quote Originally Posted by ragazzi05:
        Look for tutorials, I found some!
        But it is still useless for me.

    People try to find tutorials only for Aika packets; it isn't as easy as that. You must study packet enc/dec in case of random encryption; you must use your debugger to find the cipher table in the command line, so use it. People will never find a specific Aika tutorial, but tutorials about random decryption/encryption are the start of everything...

    People can read the definition of the type of encryption that Aika uses here:

    Random Encryption Package

  #14 pkedpker
    You can study send or recv packets by placing breakpoints on both WS2_32 functions.

    Commands:
    bp send
    bp recv

    Or you can do it without commands...

    Right-click somewhere in the assembly code view, click Search for -> All intermodular calls.

    Find the one you want to debug. I recommend send packets, because that's what gets sent to the server. As for recv packets, that's all client-side; some useful things here too, of course.

    So put a breakpoint on WS2_32.send, aka CALL <JMP.&WS2_32.#19>

    When you log in to the game, you send a packet of, idk, username/password?

    When the breakpoint is triggered, here you will find the whole WS2_32 call with full parameters. Of course you can look at the buffer, and right-click it to view in DUMP.
    You will see the same layout as in WPE PRO/rPE: the packet being encrypted.

    You can then look at the OllyDBG stack view (it's on the bottom right side; the bottom left side is DUMP).

    You will see on the stack, right after the breakpoint is triggered, something like:
    RETURN to 00443210 from WS2_32.send

    The number 00443210 is where
    (if you are looking for SEND packets) the packet was encrypted. [Client 2 Server]
    (if you are looking for RECV packets) the packet was decrypted. [Server 2 Client]

    So right-click that line (it will be red), click on it and press ENTER.

    Now you are a bit deeper, where either encryption or decryption happens. You will have to look up a few lines.

    Look for either CALLs (which could mean calling the encrypt/decrypt function) or the beginning of the function (which probably means encrypt/decrypt is where you are). Set breakpoints everywhere either way.

    Now step line by line and always look at the registers; try to find where a register shows the packet. You must right-click on the register and click Follow in Dump.

    Look in the dump. If you see the same packet that you found in the WS2_32.send/recv buffer, then it's still encrypted!! But this is a good sign: you found the buffer array where the encryption/decryption probably happens.

    Anyway, after you put those breakpoints, it's a good idea to save the encrypted buffer packet to Notepad or something, because now you will have to restart the game with Ctrl+F2 or by pressing <<.

    But now when you send a packet, you will break deeper in the encryption, not straight away at WS2_32.send (which sends the packet).
    Keep running line by line by pressing F7 and always look at the registers. Look at all the registers that have big numbers (these usually are addresses into the dump).
    If it's too small, like 0000010 or 0003430, these are usually counters; you don't even have to look at these.
    If it's too big, like 7FFDE000, it's too big to be an address; these can be ignored to save time.

    If you find the decrypted packet (it should have, maybe, the username), then you have found where encryption still hasn't been run and the packet is easily viewable decrypted (unencrypted). You can do a lot of things here if you don't know how to rip out the encryption. You can hook the buffer where the decrypted packets are in C++ to make a packet sniffer. Or what I always do:

    I also hook that buffer with the unencrypted packet, but I modify the packet that comes in, like a filter. So let's say in game you chat, like 'test'. You will see a packet come in with 'test'. You can replace this packet with whatever you want; it will be encrypted and sent to the server, and work like any packet hack! You can make a tool that automatically replaces this unencrypted buffer with your packet, and to send you simply send any packet in game: movement packet, chat packet, etc.

    Encryption can be ripped with tools other than OllyDbg, but these tools cost money. You can also rip encryption with an OllyDbg plugin called CodeRipper (you must download this plugin). This works very well on many languages: Delphi/C/C++ and plain ASM.

    Just select the whole encryption in OllyDbg and right-click Code Ripper. It will automatically rip all the functions it CALLs/JMPs to and pretty much does all the work for you. Then you just copy/paste into C++ in a naked function:

        void __declspec(naked) test(int param1, int param2 /* etc. */) { __asm { /* ASM CODE HERE */ } }

    If you call the encrypt/decrypt function you ripped and it crashes (trust me, it will crash on the first try), there will always be problems like registers being wrong or something wrong with the stack. All this can be fixed if you copy/paste the same exact registers; you may have to step through to figure out what's going wrong with the registers.

    Other than that, now you can use this to encrypt/decrypt packets. Then you will have to write a fake server or fake client, whichever you prefer.

    I didn't say how to do much, but given the steps, maybe you guys can easily do this.

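The post above decides "still encrypted" versus "plaintext" by looking at the dump window by eye. The script below is an added example, not code from the post or from any Aika tool: it scores a captured buffer with two cheap statistics (byte entropy and the share of printable ASCII) and extracts readable runs, the same heuristics that exfiltration and malware-analysis tooling use to flag encrypted or packed blobs. Both sample buffers, the stage labels and the thresholds are constructed for the demo; the "ciphertext" sample is chained SHA-256 output standing in for a real encrypted buffer, and the classifier is calibrated for buffers of a few dozen bytes or more, since very short packets cannot reach high entropy.

```python
"""Classify captured packet buffers as plaintext or ciphertext.

Added example, not code from the forum post. It automates the comparison the
post makes by eye in the OllyDbg dump window. Both sample buffers below are
constructed for the demo.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution (0..8)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def normalized_entropy(buf: bytes) -> float:
    """Entropy divided by the maximum a buffer of this length can reach.

    A short buffer cannot exceed log2(len) bits, so the raw figure would
    under-report how random a small packet looks."""
    if len(buf) < 2:
        return 0.0
    return shannon_entropy(buf) / min(8.0, math.log2(len(buf)))


def printable_ratio(buf: bytes) -> float:
    """Share of bytes in the printable ASCII range 0x20..0x7e."""
    if not buf:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in buf) / len(buf)


def find_strings(buf: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    found, run = [], bytearray()
    for b in buf + b"\x00":  # trailing sentinel flushes the last run
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def classify(buf: bytes) -> str:
    """Return 'plaintext', 'ciphertext' or 'unsure'.

    Protocol plaintext is either text-heavy (high printable ratio) or
    structured with padding and small integers (low entropy). Output of a
    sound cipher is close to uniformly random, with only the ~37% printable
    bytes that chance gives it. Thresholds are demo values."""
    h = normalized_entropy(buf)
    p = printable_ratio(buf)
    if p >= 0.6 or h < 0.5:
        return "plaintext"
    if h >= 0.85:
        return "ciphertext"
    return "unsure"


def last_plaintext_stage(stages) -> str:
    """Given (label, buffer) pairs in the order they were captured while
    stepping towards the send call, return the label of the last capture
    that still classifies as plaintext, or '' if none does."""
    last = ""
    for label, buf in stages:
        if classify(buf) == "plaintext":
            last = label
    return last


# Constructed sample: a login-style packet before encryption. Header, field
# widths and credentials are invented for the demo (128 bytes total).
PLAINTEXT_SAMPLE = (
    b"\x80\x00\x01\x00"
    + b"player_one".ljust(32, b"\x00")
    + b"hunter2".ljust(32, b"\x00")
    + b"\x00" * 60
)

# Constructed sample standing in for the encrypted buffer seen at
# WS2_32.send: 128 deterministic random-looking bytes (chained SHA-256
# digests), not the output of any real cipher.
CIPHERTEXT_SAMPLE = b"".join(
    hashlib.sha256(b"demo-block-%d" % k).digest() for k in range(4)
)

# Hypothetical capture order while stepping, as the post describes.
STAGES = [
    ("register dump before the encrypt CALL", PLAINTEXT_SAMPLE),
    ("WS2_32.send buffer", CIPHERTEXT_SAMPLE),
]

if __name__ == "__main__":
    for label, buf in STAGES:
        print(f"{label}: entropy={normalized_entropy(buf):.2f} "
              f"printable={printable_ratio(buf):.2f} -> {classify(buf)} "
              f"strings={find_strings(buf)}")
    print("last plaintext stage:", last_plaintext_stage(STAGES))
```

The same measurement explains why client-side packet encryption is obfuscation rather than a trust boundary: the plaintext has to exist in client memory before the send call, so anything the client can see, a user of that client can see. The server-side consequence is that every field of a received packet must be validated as if it came from an untrusted source, regardless of the transport cipher.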
  #15 rhu10
    Is it possible to do something cool like dup XP, etc. with RPE/WPE PRO without decrypt/encrypt packets?

  #16 pkedpker
    Could be possible with WPE PRO.. if you are lucky.. but most likely will just disconnect you.

  #17 rhu10
    Am I on the right track with decryption?


  #18 pkedpker
    Yes, encryption happens: CALL to send from AIKABR.00411BE5

    00411BE5, or what goes to 00411BE5, or before that, or even before that, could be where encryption happens. But you're doing great.

  #19 rhu10
    Look at that. The name "ROCKERTEER" that is written below is my id; I think I'm getting close to decryption.

  #20 Ranza
    I see that I still have much to learn.
    I thought I was doing well in my studies of game hacking. Decryption is more difficult than I thought, haha.
