New injection core - SPOILER


Necr0Potenc3
Expert!
Posts: 74
Joined: 2004-05-30 00:31:54

Post by Necr0Potenc3 »

http://segundaoitava.hpg.com.br/irwspoiler.JPG

drools kids, drool :)

gonna add GUI and plugin support, then it's ready to be released
WeedDevil
Posts: 32
Joined: 2004-04-06 12:13:49

Post by WeedDevil »

hehe nice work matey, still can't wait :)
lalla521
Posts: 80
Joined: 2004-04-06 22:41:11

Post by lalla521 »

*drooling*

wow! i can't wait :DDDD

but where will you release the new core? and last but not least, will it have all yoko's functions or only some?
Lem
Posts: 49
Joined: 2004-05-23 18:31:26

Post by Lem »

sweet
clagio
Posts: 58
Joined: 2004-05-09 19:53:49

Post by clagio »

thanks! :)
lalla521
Posts: 80
Joined: 2004-04-06 22:41:11

Post by lalla521 »

can't wait can't wait...
lalla521
Posts: 80
Joined: 2004-04-06 22:41:11

Post by lalla521 »

any news? :(
Necr0Potenc3
Expert!
Posts: 74
Joined: 2004-05-30 00:31:54

Post by Necr0Potenc3 »

heh, currently I'm stuck in encryption (twofish to be more accurate)

I'll explain:

in crypt.cpp (injection)

in void NewGameCrypt::decrypt(unsigned char * in, unsigned char * out, int len)

you have this table:
static const BYTE sm_bData[] = { 0x05, 0x92, 0x66, 0x23, 0x67, 0x14, 0xE3, 0x62, 0xDC, 0x60, 0x8C, 0xD6, 0xFE, 0x7C, 0x25, 0x69 };

it's generated by a function in the client based on the seed of the game socket. currently injection will only work with Twofish encryption (2.0.3 and above) if the seed is 0x0100007f, that's why it doesn't work in OSI.

what I'm trying to do is get that function, but I don't have enough time to do it (hell, I had SATs/vestibular/abitur this weekend), in case you people wanna try it:

client 2.0.4

Code:

00425DFA  |. E8 21610A00    CALL Client20.004CBF20                   ; \twofish init
.
.
00425E03  |. 50             PUSH EAX                                 ;  arg1
00425E04  |. E8 27930800    CALL Client20.004AF130                   ;  unknown
.
.
00425E0E  |. 68 00010000    PUSH 100                                 ;  arg1
00425E13  |. E8 58620A00    CALL Client20.004CC070                   ;  unknown2
.
.
00425E1C  |. 50             PUSH EAX                                 ;  arg2
00425E1D  |. 51             PUSH ECX                                 ;  arg1
00425E1E  |. E8 3D930800    CALL Client20.004AF160                   ;  unknown3
00425E23  |. 8D5424 2C      LEA EDX,DWORD PTR SS:[ESP+2C]            ;  arg2
00425E27  |. 8D86 B0120300  LEA EAX,DWORD PTR DS:[ESI+312B0]         ;  arg1 - the 16 byte table for decrypt
00425E2D  |. 52             PUSH EDX
00425E2E  |. 50             PUSH EAX
00425E2F  |. E8 EC930800    CALL Client20.004AF220                   ;  build the DWORD[4] table for decrypt


have fun ^^
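As an added example (my own script, not code from the post or from Injection/IRW), a small Python helper that reads the CALL lines of the listing above and recomputes each target from the E8 rel32 encoding (target = address of the next instruction + signed 32-bit displacement), so the disassembler's column can be cross-checked against the raw bytes; it also shows the seed 0x0100007f as the dotted quad it stores little-endian and the quoted sm_bData bytes as the DWORD[4] layout the last CALL's comment refers to. The listing excerpt and the table are copied from the post; the regex for OllyDbg's column layout is my assumption.

```python
import re
import socket
import struct

# Constructed excerpt of the OllyDbg listing quoted in the post (CALL lines only).
LISTING = """\
00425DFA  |. E8 21610A00    CALL Client20.004CBF20                   ; \\twofish init
00425E04  |. E8 27930800    CALL Client20.004AF130                   ;  unknown
00425E13  |. E8 58620A00    CALL Client20.004CC070                   ;  unknown2
00425E1E  |. E8 3D930800    CALL Client20.004AF160                   ;  unknown3
00425E2F  |. E8 EC930800    CALL Client20.004AF220                   ;  build the DWORD[4] table for decrypt
"""

# sm_bData from crypt.cpp, as quoted in the post.
SM_BDATA = bytes([0x05, 0x92, 0x66, 0x23, 0x67, 0x14, 0xE3, 0x62,
                  0xDC, 0x60, 0x8C, 0xD6, 0xFE, 0x7C, 0x25, 0x69])

# address | opcode bytes | CALL module.target   (the ';' comment is ignored) - assumed column layout
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+\|\.\s+([0-9A-F ]+?)\s{2,}CALL\s+\S+?\.([0-9A-F]{8})")

def call_target(addr, opcode_hex):
    """Resolve a near relative CALL (E8 rel32): next instruction address + signed rel32."""
    raw = bytes.fromhex(opcode_hex.replace(" ", ""))
    if len(raw) != 5 or raw[0] != 0xE8:
        raise ValueError("not an E8 rel32 CALL: %s" % opcode_hex)
    rel32, = struct.unpack("<i", raw[1:])      # little-endian, signed displacement
    return (addr + len(raw) + rel32) & 0xFFFFFFFF

def check_listing(text):
    """Return (address, target shown by the disassembler, target recomputed from bytes, match)."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, shown = int(m.group(1), 16), int(m.group(3), 16)
            computed = call_target(addr, m.group(2))
            results.append((addr, shown, computed, shown == computed))
    return results

def seed_to_ipv4(seed):
    """Read the 32-bit seed as the client stores it (little-endian) and render it as a dotted quad."""
    return socket.inet_ntoa(struct.pack("<I", seed))

def table_to_dwords(table):
    """The 16 decrypt bytes read as four little-endian DWORDs, i.e. the DWORD[4] layout."""
    return struct.unpack("<4I", table)
```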
lalla521
Posts: 80
Joined: 2004-04-06 22:41:11

Post by lalla521 »

:( i don't know enough c++ to work on injection... i'll learn with time i hope ^^
lalla521
Posts: 80
Joined: 2004-04-06 22:41:11

Post by lalla521 »

still nothing? :(
Necr0Potenc3
Expert!
Posts: 74
Joined: 2004-05-30 00:31:54

Post by Necr0Potenc3 »

I'm working on 4 different projects atm; since IRW is the biggest I'll finish the other 3 first (which are almost done btw)
lalla521
Posts: 80
Joined: 2004-04-06 22:41:11

Post by lalla521 »

ok i'll wait...
Boydon
Posts: 56
Joined: 2004-06-16 00:44:18

Post by Boydon »

Any news about this? :)
Necr0Potenc3
Expert!
Posts: 74
Joined: 2004-05-30 00:31:54

Post by Necr0Potenc3 »

yeah, news is that the new core is done but I'm trying to get encryption working and well.. I'm trying =P

after encryption is done (pray..) I'll work on the plugins and on the release
Boydon
Posts: 56
Joined: 2004-06-16 00:44:18

Post by Boydon »

I don't know if this can be done, but you can look at how encryption works in other progs, can't you? :P
Necr0Potenc3
Expert!
Posts: 74
Joined: 2004-05-30 00:31:54

Post by Necr0Potenc3 »

actually yesterday just after that post I got encryption to work..

I was trying to decrypt 200g's stream with blowfish because I had already tested twofish with the 403b client. the thing is the stream was always getting decrypted wrong and I didn't notice that the decrypted part was the twofish rest of the stream

and now you might be wondering "shit, if you decrypted the stream with blowfish why would you see twofish?" and I was thinking the same... after wondering for a few minutes I changed the 200g client to a 200 one and decrypted the stream... the result: it worked

so the 2.0.0g client uses both twofish and blowfish just like the 203 client. what a bitch huh? I completely rewrote the encryption code a few times (like 4 or 6) and the first one was just perfect! sometimes I just stole it from injection because I was too tired...

lol, all of that because I didn't look closely at the data

so anyway, I'm trying to find (today) the deleted source code of the first encryption module; if I don't find it (I think yoko has a copy, I'll check with him) monday I'll rewrite it

cya peeps. wait up :)
lalla521
Posts: 80
Joined: 2004-04-06 22:41:11

Post by lalla521 »

i can't wait for the new core... *excited* :D
Drakull
Posts: 36
Joined: 2004-07-01 06:02:22

Post by Drakull »

lalla521 wrote: :( i don't know enough c++ to work on injection... i'll learn with time i hope ^^

In fact that was assembly language :)
Boydon
Posts: 56
Joined: 2004-06-16 00:44:18

Post by Boydon »

I don't know if this can help, but I know there is a prog that works as a packet hooker and works with both encrypted and decrypted UO clients.

It is written in C# and it is open source and it is called SpyUo: maybe you can see how it works with encryption.

Here is the link:
http://www.runuo.com/forum/showthread.php?t=17020

It also uses ultima.dll developed by Krrios (one of the RunUo developers) which is open source too (http://www.runuo.com/forum/showthread.php?t=18022).

Good work,... :)
Necr0Potenc3
Expert!
Posts: 74
Joined: 2004-05-30 00:31:54

Post by Necr0Potenc3 »

SpyUO is a C# conversion of Folko's UOLog. It sets a breakpoint on send (the packet encryption function) and on recv (the packet handler function)

I already modded UOLog to be automated so it doesn't need the clients.cfg file so yeah I'm pretty familiar with the code.

tomorrow (monday) I'll clean up irw's code and start plugin development

yay!