  1. #1
    pootytang9
    Guest
    Join Date: 2014 Jun

    Hacking Scarlet Blade (The Beginning)

    I've been experimenting around trying to hack Scarlet Blade. Haven't done much, but I've made some progress.

    So far I've been able to perform a few packet edits and very simple skill swaps.

    I'll show you guys my progress and hopefully advance further.

    Tools Used:

    Wpe Pro (modified version)

    -------------------------------------------

    Everything else is pretty straightforward.

    Run Scarlet Blade (SB); once you reach the server selection, immediately stop right there and alt-tab out of SB.

    Go ahead and run Wpe Pro. Right-click it and run as administrator (if you don't, you will not be able to locate the SB.exe process).

    If you go farther past the server selection screen you will not be able to attach Wpe to the SB.exe process. After the server selection screen the SB.exe process begins to enable whatever security/anti-hack features it has. Attaching Wpe early for some reason allows us to bypass a few of those checks.

    Once Wpe has been attached, we are going to need to adjust the settings and enable WSASEND.

    Click on View > Options > Winsock Functions > Winsock 2.0.

    Go ahead and check all the options listed under it. Apply, then OK.

    In SB go ahead and go somewhere nice and secluded; I like to go to Bitterstone Core.

    Once you're in somewhere secluded we can begin with the testing. If you'd like, set SB into Frame mode, which will allow for easier transitioning between Wpe and SB.

    Now we are going to record the packet that controls calling the skills. So go find a skill on your character that doesn't require a target (makes things easier; works with targeted skills too).

    The best way to start off is using a buff. I'm currently using a Shadow Walker, so the skill I'm going to use for this test run will be Miss Misery.

    Once you've figured out which skill you want to record, go ahead and go on Wpe and press Start Logging, quickly switch to SB and cast your skill, then switch back to Wpe and stop logging.

    You should get between 1-3 packets; if you get any more than that, restart the process till you get fewer packets.

    Here I got only 2 packets. We are looking for a packet of size 28ish; packet sizes will change depending on the skills used. AoE attack skills are usually larger than buffs, targeted skills are usually larger than AoE skills. IN GENERAL the packets that we are looking for are the smallest ones among the other randomly found packets.

    Now let's observe a few things, first the hex string. Let's copy that whole string and paste it into a notepad and save it for later. Right next to the hex string is the ASCII dump of the string. Notice how it's all jumbled up and unreadable?

    That's because these packets are encrypted by a hash stored in the client. This hash is used to create a byte signature every time the game loads. The byte signature then is used to encrypt the packets. Basically speaking, every time you restart SB the encryption of the packets CHANGES, meaning that we would have to record the packets over again every time you run SB. So far there's nothing I can do about encryption.

    But that doesn't mean we still can't modify these files and find an exploit.

    Now let's repeat the same thing above, but this time let's use a different skill, preferably another skill of the same genre (e.g., if you recorded the packet of a buff, then use another buff).

    This time I'm going to run the scan again, but I'm going to use the Shadow Walker buff Contortionist.

    This time I only found one packet (in most cases this will happen; this is a good thing).

    Let's copy and save that hex string now.

    These are the 2 strings I recorded on mine:

    1C 00 01 A2 E6 FB 95 2D 69 E3 7D 24 77 C0 6D 32 3A 04 10 78 0D 04 9E 4E 12 40 BC 3E Miss Misery

    1C 00 01 A2 E6 FB 95 2D 69 E3 7D 24 77 C0 6D 32 3A 04 10 11 0D 04 9E 7E DA 41 BC 3E contortionist

    NOTE: your strings may or may not look different in structure due to many factors, things such as location, movement and skill type.

    In general when sniffing for packets you want to limit as many variables as possible. Do not move or change spots, do not change skill types, etc.

    Now if you notice, both strings are almost identical, with the exception of a few bytes that are different.

    This piece is for Miss Misery:

    78 0D 04 9E 4E 12 40 BC 3E

    This piece is for Contortionist:

    11 0D 04 9E 7E DA 41 BC 3E

    The final 2 bytes can be ignored (BC 3E); those are just ending pieces that seem to tell the end of a skill cast (maybe possible to abuse later on).

    The first 2 bytes of that chain (78 0D / 11 0D), from my experience, are the skill ID; basically they tell the client what skill is being cast.

    The next 2 bytes after that (04 9E) usually remain constant throughout different skills. Not sure what they are, but they're a good identifier for the skill ID since ALL skill IDs are followed by that immediate chain.

    The next byte after that (4E/7E) appears to be a completely random byte that does not contribute to the skill cast (as far as I can tell). This byte will be ignored as it is always different even on the same skill casts.

    The next 2 bytes after that (12 40 / DA 41) seem to be some kind of non-unique ID, meaning it contributes to the behavior of the skill cast, but I have no clue how it interacts with it. It's non-unique because some skills will sometimes share the same byte chain.

    Now that we've obtained the skill ID, let's make a filter and make some kind of exploit.

    Go to Wpe and click on the filters, click on filter 1, then click on the pencil (edit selected filter...).

    Change the mode to advanced. Change "starting modify from" to "from the position of the chain found".

    Using this filter, I'm going to replace the skill Contortionist with the skill Miss Misery. So in the SEARCH field, starting at the 001 box, I'm going to paste the skill ID + the skill identifier chain of Contortionist (11 0D 04 9E) (the skill I want to replace).

    In the modify box, starting at 00, I'm going to paste Miss Misery's skill ID (78 0D), then I'm going to skip 3 bytes ahead to the non-unique byte chain (12 40) and paste it in starting at 005.

    Once you're done, click apply. Check [filter 1] and click on the tiny ON button right next to the [edit selected filters..] button.

    Then go in-game and test it out. If everything was done correctly, the next time you click on your skill it should cast something totally different. For me, I'm casting the Miss Misery buff when I click on Contortionist!

    What does this do for me? How do I benefit? Well.....

    Casting Contortionist causes my Miss Misery spell to go on cooldown; my Contortionist skill does not go on cooldown. Meaning... since Contortionist is the skill that gives me the buff and it's not on cooldown, I can cast it again to re-apply the Miss Misery buff. Miss Misery is a buff on a 45s cooldown; the buff lasts for 20s. Since Contortionist doesn't go on CD when pressed, I can essentially re-apply Miss Misery again once the buff has worn off, giving me a perma buff that will never run out, for as long as I have SP (hopefully that will change too).

    Welp, that's all I have for now in terms of SB hacking. Future progress soon.
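Added here as the defender's counterpart to the post above (example code, not from the post or from Scarlet Blade): a server-side validator that reads a cast packet in the layout the post describes (skill ID at bytes 19-20, followed by the constant 04 9E chain) and enforces cooldowns on the server, so a client that swaps one skill ID for another gets the cast rejected and repeated rejections flag the account for review. The offsets, the little-endian reading of the ID bytes, the Contortionist cooldown and all names are assumptions; the sample payloads are the post's two captured strings.

```python
import struct
from collections import defaultdict

# Constructed sample input: the two captures from the post, reused here as
# stand-ins for the payload the server sees after decryption (assumption).
MISS_MISERY = bytes.fromhex("1C0001A2E6FB952D69E37D2477C06D323A0410780D049E4E1240BC3E")
CONTORTIONIST = bytes.fromhex("1C0001A2E6FB952D69E37D2477C06D323A0410110D049E7EDA41BC3E")
SKILL_ID_OFFSET = 19        # skill id sits at bytes 19-20 of the 28-byte capture (assumption)
SKILL_MARKER = b"\x04\x9e"  # constant chain the post reports right after every skill id
# Cooldowns in seconds, keyed by the little-endian reading of 78 0D / 11 0D.
# Miss Misery's 45s is from the post; Contortionist's 5s is a placeholder.
COOLDOWNS = {0x0D78: 45.0, 0x0D11: 5.0}
FLAG_THRESHOLD = 3          # rejected casts before the account is flagged for review


def parse_cast(payload: bytes) -> int:
    """Return the skill id from a cast packet, raising ValueError if it is malformed."""
    if len(payload) < 2 or struct.unpack_from("<H", payload, 0)[0] != len(payload):
        raise ValueError("length field does not match payload size")
    if len(payload) < SKILL_ID_OFFSET + 4:
        raise ValueError("packet too short to carry a skill id")
    skill_id = struct.unpack_from("<H", payload, SKILL_ID_OFFSET)[0]
    if payload[SKILL_ID_OFFSET + 2:SKILL_ID_OFFSET + 4] != SKILL_MARKER:
        raise ValueError("skill id not followed by the expected marker")
    if skill_id not in COOLDOWNS:
        raise ValueError(f"unknown skill id 0x{skill_id:04X}")
    return skill_id


class CastValidator:
    """Authoritative per-player cooldown tracking; the client's own view is never trusted."""

    def __init__(self) -> None:
        self._ready_at = defaultdict(dict)  # player -> {skill_id: time the skill is ready}
        self.rejections = defaultdict(int)  # player -> number of rejected casts

    def validate(self, player: str, payload: bytes, now: float) -> tuple:
        try:
            skill_id = parse_cast(payload)
        except ValueError as err:
            self.rejections[player] += 1
            return False, f"malformed: {err}"
        ready = self._ready_at[player].get(skill_id, 0.0)
        if now < ready:  # server-side cooldown, independent of what the client shows
            self.rejections[player] += 1
            return False, f"0x{skill_id:04X} on cooldown for {ready - now:.1f}s more"
        self._ready_at[player][skill_id] = now + COOLDOWNS[skill_id]
        return True, f"0x{skill_id:04X} accepted"

    def flagged(self, player: str) -> bool:
        return self.rejections[player] >= FLAG_THRESHOLD
```

With this in place the re-cast at 20s described in the post is refused because the server, not the client, owns the 45s timer.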
