Auth Packets -> stopping randomizing! - Printable Version
+- The Matrix Online Server Emulator (//mxoemu.info/forum)
+-- Forum: The Matrix Online (//mxoemu.info/forum/forumdisplay.php?fid=3)
+--- Forum: The MxO Client (//mxoemu.info/forum/forumdisplay.php?fid=7)
+--- Thread: Auth Packets -> stopping randomizing! (/showthread.php?tid=23)


RE: Auth Packets -> stopping randomizing! - HD_Neo - 03-07-2009

hmm.. if I think about it, the best way would be to find out the InitClientDLL arguments, maybe then we could use our own launcher/login client if we know which data the initclient.dll expects or something... Crap, is this a shit. Btw. rajko, I saw your posts on the Rarebit forums, I have tried the same before. For other contact possibilities: http://www.redpillalliance.com/support.html . I try now to contact WBIE again, cause SOE said "we can't do nothing and give out nothing cause WBIE has the rights". And I have maybe another interesting info.. over 100 developers had worked on MxO... one of them must have the code and be frustrated enough (and there is a list on the internet with all names of the devs). I bet there have not been many changes at all to the structure in the last years.


RE: Auth Packets -> stopping randomizing! - HD_Neo - 03-07-2009

Okay maybe this is helpful too: It is "reversed" by REC Studio (REC Studio tries to make readable code from your .exe). However it is helpful cause we know now where it is located.

    /* Procedure: 0x00468D60 - 0x00468DBA
     * Argument size: 8
     * Local size: 0
     * Save regs size: 0
     * Called by:
     *   L00468DC0()
     */
    /* Comments below were added to the REC output; argument meanings are
     * inferred from the Win32 CryptAcquireContextA / CryptGenRandom signatures. */
    L00468D60(A8)
    /* unknown */ void A8;
    {
        if(!(1 & M004f85cc)) {
            /* pushes appear last-argument-first (cdecl/stdcall order) */
            (save)-268435456;            /* 0xF0000000 = CRYPT_VERIFYCONTEXT (dwFlags) */
            (save)1;                     /* PROV_RSA_FULL (dwProvType) */
            (save)0;                     /* pszProvider = NULL */
            (save)0;                     /* pszContainer = NULL */
            (save)5211592;               /* 0x004F85C8 = &M004f85c8, receives the HCRYPTPROV */
            M004f85cc = M004f85cc | 1;   /* flag: provider already acquired */
            CryptAcquireContextA();
            (save)0x4a7dc0;
            L0048BC66();
            esp = esp + M00000004;
        }
        ecx = *(ebp + M0000000c);        /* second stack argument: byte count */
        /* CryptGenRandom(hProv, dwLen, pbBuffer): fill A8 with ecx random bytes */
        return CryptGenRandom(M004f85c8, ecx, A8);
    }


RE: Auth Packets -> stopping randomizing! - rajkosto - 03-07-2009

lol fucking REC, use IDA Pro and Hex-Rays DERP


RE: Auth Packets -> stopping randomizing! - HD_Neo - 03-07-2009

I use IDA Pro, REC, OllyDbg, hex editor MX, sometimes Moonlight Engine.... shall I continue?


RE: Auth Packets -> stopping randomizing! - rajkosto - 03-07-2009

Hex-Rays > REC. Also, I need to find the EXACT version of Crypto++ that MxO uses, that way I can compile it and compare the binaries to get function addresses. I remember it's something old like 4.x


RE: Auth Packets -> stopping randomizing! - HD_Neo - 03-07-2009

hmm... okay this could be not so easy to find out, but we could try it (must be something like a version from 2003/2004 or older).


RE: Auth Packets -> stopping randomizing! - HD_Morpheus - 03-07-2009

if you look carefully at the params you have in the matrix.exe code, you could see some that match: RSA.cpp in the cryptopp database http://cryptopp.sourceforge.net/docs/ref521/rsa_8cpp-source.html which stands for 5.2.1, and in the footer you could see it was generated in July 2004.

Some Linux package changelogs mark it as:
"cryptopp-devel-5.2.1-2.0.rh9.rf.i386.rpm Fri 26 Nov 2004 2313 kb"
"cryptopp-devel-5.2.1-2.1.el3.rf.i386.rpm Fri 26 Nov 2004 2313 kB"

5.2.1-2.2 was launched in February 2005. So it could be 5.2.1 or earlier, but too much coincidence of params, and dates may be similar too.... Thanks to open software for its listings. You could try to see some changelog from Crypto++ between 200x-2004 to see if rsa.cpp was added/changed. see ya!


RE: Auth Packets -> stopping randomizing! - rajkosto - 03-07-2009

the interface of Crypto++ doesn't change much... I think it's 4.9.x or something, I forgot, the newer versions do not put the cipher name as a string into the classes


RE: Auth Packets -> stopping randomizing! - rajkosto - 03-07-2009

another problem that seems to have appeared and has something to do with Crypto++ is that the proxy logger logs packets including the Twofish padding now.... it didn't do this before, the older logs I have didn't have this padding at the end of packets, but now almost every packet has 00 cd cd cd or 00 fd fd fd at the end of it. I know it's Twofish padding, because if you remove it, then pass that same thing through Twofish, it will add it, but why doesn't Crypto++ remove it now? it did before (I have logs to prove it)


RE: Auth Packets -> stopping randomizing! - rajkosto - 04-07-2009

about the TCP packet length prefix: if the packet size is <= 7f, the length prefix is 1 byte and nothing is done with it, it's taken as is. if it's bigger, the size is made with 2 bytes, but with the first bit set to 1 (aka +0x80 00). to read the size from this, just set the first bit to 0 and interpret it as an unsigned short, big endian.
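The length-prefix rule in the last post (1 byte for sizes up to 0x7f, otherwise 2 bytes big endian with the top bit set) as a small encoder/decoder plus a stream splitter. This is an added example, not code from the thread or from the emulator project; the sample bytes are constructed, and the handling of a truncated prefix, a partial packet and the 15-bit upper bound are my assumptions, not something the post states.

```python
"""Encoder/decoder for the TCP length prefix described in the thread.

Added example (not from the thread or the emulator). Assumptions not stated
on the page: lengths above 0x7FFF are rejected, and a stream may carry
several prefixed packets back to back, possibly ending mid-packet.
"""
import struct


def encode_length(n: int) -> bytes:
    """One byte for n <= 0x7f; otherwise two bytes, big endian, top bit set."""
    if n < 0:
        raise ValueError("length must be non-negative")
    if n <= 0x7F:
        return bytes([n])
    if n > 0x7FFF:  # assumption: only 15 bits are available once the flag bit is used
        raise ValueError("length does not fit in 15 bits")
    return struct.pack(">H", 0x8000 | n)


def decode_length(buf: bytes, offset: int = 0):
    """Return (length, prefix_size) or None if buf is too short to hold the prefix."""
    if offset >= len(buf):
        return None
    first = buf[offset]
    if first & 0x80 == 0:
        return first, 1  # short form: value taken as is
    if offset + 2 > len(buf):
        return None  # long form announced but second byte not yet received
    (raw,) = struct.unpack_from(">H", buf, offset)
    return raw & 0x7FFF, 2  # clear the flag bit, read as unsigned short big endian


def frame(payload: bytes) -> bytes:
    """Prepend the length prefix to a payload."""
    return encode_length(len(payload)) + payload


def split_stream(stream: bytes):
    """Split a byte stream into complete packets; returns (packets, leftover)."""
    packets, pos = [], 0
    while True:
        hdr = decode_length(stream, pos)
        if hdr is None:
            break
        length, hlen = hdr
        if pos + hlen + length > len(stream):
            break  # incomplete packet: keep the bytes until more data arrives
        packets.append(stream[pos + hlen:pos + hlen + length])
        pos += hlen + length
    return packets, stream[pos:]


if __name__ == "__main__":
    # Constructed sample: one short-form packet, one long-form packet,
    # then a dangling first byte of a long-form prefix.
    data = frame(b"A" * 0x7F) + frame(b"B" * 0x80) + b"\x81"
    pkts, rest = split_stream(data)
    print([len(p) for p in pkts], rest)  # [127, 128] b'\x81'
```

When checking captured logs, `decode_length` on the first bytes of a TCP segment gives the boundary between the prefix and the (still Twofish-encrypted) payload, so the padding question raised earlier can be examined on exact packet boundaries rather than on whatever the proxy logger happened to write out.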