Disto, Newbie cheater (Reputation: 0; Joined: 07 Dec 2006; Posts: 23)
Posted: Sun Sep 14, 2008 1:56 pm. Post subject: [Question] Eudemons Online / RKunhooker help
Hello, I'm currently working on hacking Eudemons Online and it has no GameGuard whatsoever, meaning CE is useless and it requires WPE to hack. My problem is that when sending a packet it disconnects from the server. I was informed that to prevent this you use RKunhooker, but I have no clue how to use it to help WPE send the packet.
Please give me some tips or a mini-tut on how to prevent disconnection when sending a packet.
Much thanks in advance
Fuzz, Grandmaster Cheater (Reputation: 0; Joined: 12 Nov 2006; Posts: 531)
Posted: Sun Sep 14, 2008 2:06 pm. Post subject: Re: [Question] Eudemons Online / RKunhooker help
Disto wrote:
> Hello, I'm currently working on hacking Eudemons Online and it has no GameGuard whatsoever, meaning CE is useless and it requires WPE to hack. My problem is that when sending a packet it disconnects from the server. I was informed that to prevent this you use RKunhooker, but I have no clue how to use it to help WPE send the packet.
> Please give me some tips or a mini-tut on how to prevent disconnection when sending a packet.
> Much thanks in advance

You contradicted yourself. And this isn't the right section.
Disto, Newbie cheater (Reputation: 0; Joined: 07 Dec 2006; Posts: 23)
Posted: Sun Sep 14, 2008 5:24 pm
What I meant was that it's all server side, therefore CE is useless..
Any tips?
jackyyll, Expert Cheater (Reputation: 0; Joined: 28 Jan 2008; Posts: 143; Location: here)
Posted: Sun Sep 14, 2008 5:28 pm
Packets are encrypted... Need to decrypt/encrypt first.. The encryption methods are available on the internet already... Go look.
nog_lorp, Grandmaster Cheater (Reputation: 0; Joined: 26 Feb 2006; Posts: 743)
Posted: Sun Sep 14, 2008 5:30 pm
Whether or not it uses a Gameguard style program doesn't directly lead to whether CE is useful or not.
Also, CE can be used to influence the sending of packets (modify the code responsible for sending the packet).
If you are disconnecting when you send packets, that means the packets are stateful. Try this. Jump, look at the packet. Jump again, look at the packet. They will probably be different, meaning if you resend a packet it is clearly not legitimate, the packets are encrypted with a stream encryption algorithm, or have a field to represent packet number or something similar.
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish
jackyyll, Expert Cheater (Reputation: 0; Joined: 28 Jan 2008; Posts: 143; Location: here)
Posted: Sun Sep 14, 2008 6:05 pm
nog_lorp wrote:
> Whether or not it uses a Gameguard style program doesn't directly lead to whether CE is useful or not.
> Also, CE can be used to influence the sending of packets (modify the code responsible for sending the packet).
> If you are disconnecting when you send packets, that means the packets are stateful. Try this. Jump, look at the packet. Jump again, look at the packet. They will probably be different, meaning if you resend a packet it is clearly not legitimate, the packets are encrypted with a stream encryption algorithm, or have a field to represent packet number or something similar.

They don't. He's just capturing encrypted packets and trying to resend them. Obviously this won't work because the packet is encrypted differently each time with a counter and XOR. Basically it's...
Code:
    // sketch of the scheme: the counter advances with every byte, so the same
    // plaintext produces a different ciphertext each time it is sent
    for (int i = 0; i < packetLen; i++, counter1++)
        encryptedpacket[i] = (packet[i] ^ key[counter1]) ^ key2[counter1];
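The sketch above is easiest to follow as a runnable model. The block below is an added example, not code from this thread or from Eudemons Online: its keys, packet layout (length, opcode, payload, 8-bit checksum) and the "pick up item" payload are all constructed for illustration. It encrypts a packet with a per-byte counter XOR like the loop above, then shows why a captured ciphertext fails when resent unchanged: the server's copy of the counter has moved on, the bytes decrypt to garbage, and the length/checksum check rejects the frame, which is exactly the point where a server would log the event and drop the connection. Encrypting the same plaintext a second time from the live client is accepted, because both counters stay in step.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from this thread or from Eudemons Online. It models
 * the kind of scheme sketched above: every byte is XORed with key material
 * chosen by a counter that advances once per byte sent, and each side keeps
 * its own copy of the counter. Keys, packet layout and checksum are constructed
 * here for illustration; they are not the game's. */

#define KEY_LEN 8
#define MAX_PKT 64

/* constructed session keys (a real client would derive these at login) */
static const uint8_t KEY1[KEY_LEN] = {0x3A, 0x91, 0x5C, 0x07, 0xE2, 0x4F, 0xB8, 0x6D};
static const uint8_t KEY2[KEY_LEN] = {0x11, 0xC4, 0x8E, 0x23, 0x7A, 0xF5, 0x60, 0x9B};

/* one side of the session: the byte counter is the only state and never resets */
typedef struct { uint32_t counter; } session_t;

/* XOR is its own inverse, so this both encrypts (client) and decrypts (server).
 * Because the counter moves on with every byte, sending the same plaintext
 * twice yields two different ciphertexts. */
static void stream_xor(session_t *s, const uint8_t *in, uint8_t *out, size_t len)
{
    for (size_t i = 0; i < len; i++, s->counter++) {
        uint8_t k = KEY1[s->counter % KEY_LEN] ^ KEY2[s->counter % KEY_LEN];
        out[i] = in[i] ^ k;
    }
}

/* constructed packet layout: [total length][opcode][payload...][8-bit checksum] */
static size_t build_packet(uint8_t opcode, const uint8_t *payload, size_t plen, uint8_t *out)
{
    size_t n = 0;
    uint8_t sum = 0;
    out[n++] = (uint8_t)(plen + 3);
    out[n++] = opcode;
    memcpy(out + n, payload, plen);
    n += plen;
    for (size_t i = 0; i < n; i++) sum += out[i];
    out[n++] = sum;
    return n;
}

/* Server side: decrypt with the server's own counter, then validate the frame.
 * Returns 1 if the packet is well-formed, 0 if it is rejected, which is where
 * a real server would log the event and drop the connection. */
static int server_accept(session_t *srv, const uint8_t *cipher, size_t len, uint8_t *plain)
{
    uint8_t sum = 0;
    stream_xor(srv, cipher, plain, len);
    if (len < 3 || plain[0] != len) return 0;
    for (size_t i = 0; i + 1 < len; i++) sum += plain[i];
    return sum == plain[len - 1];
}

/* constructed "pick up item" payload (10000 as a little-endian 32-bit value) */
static const uint8_t PAYLOAD[4] = {0x10, 0x27, 0x00, 0x00};
#define OPCODE_PICKUP 0x02

/* Scenario 1: the client sends the packet once, then the captured ciphertext is
 * resent unchanged. Returns how many packets the server accepted: 1, because
 * the replay decrypts to garbage once the server's counter has moved on. */
int replay_demo(void)
{
    session_t client = {0}, server = {0};
    uint8_t plain[MAX_PKT], cipher[MAX_PKT], decrypted[MAX_PKT];
    size_t n = build_packet(OPCODE_PICKUP, PAYLOAD, sizeof PAYLOAD, plain);
    int accepted = 0;

    stream_xor(&client, plain, cipher, n);
    accepted += server_accept(&server, cipher, n, decrypted); /* counters aligned */
    accepted += server_accept(&server, cipher, n, decrypted); /* counters diverged */
    return accepted;
}

/* Scenario 2: the same plaintext is encrypted twice by the live client. Returns
 * 2 when both are accepted and the two ciphertexts differ, else 0. */
int fresh_resend_demo(void)
{
    session_t client = {0}, server = {0};
    uint8_t plain[MAX_PKT], c1[MAX_PKT], c2[MAX_PKT], decrypted[MAX_PKT];
    size_t n = build_packet(OPCODE_PICKUP, PAYLOAD, sizeof PAYLOAD, plain);
    int accepted = 0;

    stream_xor(&client, plain, c1, n);
    stream_xor(&client, plain, c2, n);
    accepted += server_accept(&server, c1, n, decrypted);
    accepted += server_accept(&server, c2, n, decrypted);
    return (accepted == 2 && memcmp(c1, c2, n) != 0) ? 2 : 0;
}

int main(void)
{
    printf("replay: server accepted %d of 2 packets\n", replay_demo());
    printf("fresh resend: %s\n",
           fresh_resend_demo() == 2 ? "both accepted, ciphertexts differ" : "unexpected");
    return 0;
}
```

The server-side check is what turns the counter into replay protection: a frame whose length byte or checksum no longer matches after decryption cannot have come from a client whose counter is in step, so rejecting it (and, in a real server, logging and closing the session) is the right response.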
Disto, Newbie cheater (Reputation: 0; Joined: 07 Dec 2006; Posts: 23)
Posted: Mon Sep 15, 2008 5:51 pm
So you're saying, for e.g. dropping 10,000 gold or whatever and recording the packet of picking it up and resending it won't work because there is a counter and you need to increase it for it to not DC?
I'm hella nuub to packets in general so my bad lol..
rapion124, Grandmaster Cheater Supreme (Reputation: 0; Joined: 25 Mar 2007; Posts: 1095)
Posted: Mon Sep 15, 2008 8:01 pm
There's an encryption. Sometimes, it's not even that complex, it's just a GetTickCount value inside the packet. Other times, the packet is actually encrypted using CryptDecrypt. However, most of the time, the author of the game uses his/her own algorithm. Here's how I find encryption.
Assuming there's no protection, open the game with a debugger such as OllyDbg. Get ingame with your character and put a breakpoint on recv(). Run till return (Ctrl+F9) and see what's happening. That will probably get you onto the encryption/decryption routine.
Flyte, Peanuts!!!! (Reputation: 6; Joined: 19 Apr 2006; Posts: 1887; Location: Canada)
Posted: Mon Sep 15, 2008 8:48 pm
rapion124 wrote:
> Assuming there's no protection, open the game with a debugger such as OllyDbg. Get ingame with your character and put a breakpoint on recv(). Run till return (Ctrl+F9) and see what's happening. That will probably get you onto the encryption/decryption routine.

There is another step which makes this even easier that most people overlook. A memory-bp-on-access on the buffer returned by recv() can work wonders.
nog_lorp, Grandmaster Cheater (Reputation: 0; Joined: 26 Feb 2006; Posts: 743)
Posted: Mon Sep 15, 2008 8:53 pm
jackyyll wrote:
> They don't. He's just capturing encrypted packets and trying to resend them. Obviously this wont work because the packet is encrypted differently each time with a counter and xor. Basically it's...

Huh, that's what I was saying:

nog_lorp wrote:
> the packets are encrypted with a stream encryption algorithm, or have a field to represent packet number or something similar.
pkedpker, Master Cheater (Reputation: 1; Joined: 11 Oct 2006; Posts: 412)
Posted: Wed Sep 17, 2008 8:31 pm
Wanna hack a game without GG? Then make a DLL injection, re-route the decrypted recv buffer to your DLL proggy (using OllyDbg to find it in the first place).
Find the function in OllyDbg that's used to send packets (so it accepts decrypted packets), make a typedef in C++ to access that, get the parameters correct and you could call the in-game function for sending packets.. pretty much the same way as the game works but you are controlling it a little..
Like, here was for a game I've hacked.. this is what I used:
Code:
    #include <windows.h>   // for WORD
    typedef void (__fastcall* TOriSendFunction)(int classe, char* packetPtr, WORD size); // original definition
    TOriSendFunction sendPacket = (TOriSendFunction)0x00404310; // bind OriSendFunction to an assembly address
0x00404310 I found in OllyDbg.
Then that code makes an instance of that template.
So every time you do

    sendPacket(0, "\x00\x01\x00\x00\x02\x04", 6);

it would send a packet inside the game..
Don't just string-hardcode it like that; sometimes you get long packets to work with so you gotta use buffers and such.
It's pretty easy in the long run.. it can even bypass MOST gameguards because you don't modify the game code at all, you just hook its address to call.
Now if you want to get the game's recv (that's like monster positions and such), that would require modifying game code.
Now figuring out what call it is, like __fastcall, is all about luck in my case..
It could be
__stdcall
__cdecl
__fastcall
__thiscall
It all depends on how the stuff is pushed on the function and whether or not you gotta move esp and shit.
I realized my game had a class parameter in it; that right away means it may be __fastcall, meaning ownership of class like an instance of a bigger class (most likely used if the game uses a packet class).
jackyyll, Expert Cheater (Reputation: 0; Joined: 28 Jan 2008; Posts: 143; Location: here)
Posted: Thu Sep 18, 2008 7:26 am
Eudemons online has a function for sending packets. It takes a pointer to a buffer that contains an unencrypted packet. It will then encrypt it, and send it. So hooking the send function would be double the work. The smart thing to do, is find the encryption routine and see what's calling it. It's most likely the same function that sends the packet. The function which called that function should be the one which you want to hook.
WolfDm3, Grandmaster Cheater (Reputation: 0; Joined: 11 Jun 2007; Posts: 502; Location: Mississippi)
Posted: Thu Sep 18, 2008 12:43 pm
Disto wrote:
> So you're saying, for e.g. dropping 10,000 gold or whatever and recording the packet of picking it up and resending it won't work because there is a counter and you need to increase it for it to not DC?
> I'm hella nuub to packets in general so my bad lol..

That would be sending a packet from the server to the client, meaning the server would tell you that you only picked it up once. You would have to send a SENT packet, not a RECV. The server would probably say "Hey, there is nothing there on the ground, let's DC him for potential cheating."