
Posted

 

Hey Cooldown folks 

I'm actually a bit miserable about this point: trying to bypass the client's algorithms to access the packets without encryption.

I can actually read the login packet, but things failed when I tried to read the movement packet (1010).

 

I tried reading and sniffing some things like Blowfish, but @Spirited told me that I don't have to worry about the BF thing.

Due to @Spirited's lack of time I couldn't talk with him enough; he kindly asked me to ask you for some help.

This is the send hook on Ws2_32.dll.

Packet 1010 is printed in the console, but the packets are somehow still encrypted.

The current code only decrypts the login packet; some junk was removed from the hook.

 

I need some help with this and some guidance. 

#include <winsock2.h>
#include <windows.h>
#include <iomanip>
#include <iostream>
#include <vector>

// CLegacyCipher and send_stub come from the hook project itself (not shown
// in this post): send_stub.Address is the trampoline to the original
// ws2_32!send saved when the hook was installed.

// Hook for ws2_32!send. By the time send() is reached the client has already
// encrypted buf, so the hook decrypts a *copy* for logging and forwards the
// caller's bytes untouched; nothing is re-encrypted into the caller's buffer.
int __stdcall csv3_send(SOCKET s, PBYTE buf, int len, int flags)
{
    typedef int(__stdcall *LPFSEND)(SOCKET, PBYTE, int, int);

    // One cipher instance for the whole connection. CLegacyCipher keeps
    // counters (it exposes ResetCounters), so its state has to carry over
    // from one packet to the next. A fresh instance per call, reset each
    // time, only lines up with the first packet sent on the connection,
    // which would explain why only the login packet came out readable.
    static CLegacyCipher* legacy = NULL;
    if (legacy == NULL)
    {
        legacy = new CLegacyCipher();
        legacy->GenerateIV(0x13FA0F9D, 0x6D5C7962);
    }

    if (buf != NULL && len > 0)
    {
        std::vector<BYTE> plain(buf, buf + len);

        // 276 is the length of packet 1086 (login). Every other packet is
        // treated as ending with an 8-byte trailer that is not part of the
        // ciphertext, so only len-8 bytes are run through the cipher.
        int cipherLen = (len == 276) ? len : len - 8;
        if (cipherLen > 0)
            legacy->Decrypt(&plain[0], cipherLen);

        std::cout << "[TQCIPHER] Len: " << std::dec << len << " | Packet: ";
        for (int x = 0; x < len; x++)
            std::cout << std::setw(2) << std::setfill('0') << std::hex
                      << static_cast<int>(plain[x]) << " ";
        std::cout << std::dec << "\n";
    }

    // Forward the caller's (still encrypted) buffer to the real send().
    return ((LPFSEND)send_stub.Address)(s, buf, len, flags);
}
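Once a packet has been decrypted, the next thing a hook like the one above needs is a sanity check on the framing: if the length and type fields do not agree with what was handed to send(), the bytes are still ciphertext (or the cipher state has drifted). The block below is an added example, not code from the post or from the client. It assumes a framing that is not stated on this page: a 4-byte header of little-endian u16 length then little-endian u16 type, followed by the body, with client packets optionally carrying a fixed 8-byte ASCII seal after the body that the length field does not count. The seal value "TQClient", the packet bodies and the helper names are constructed for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Result of checking one decrypted packet against the assumed framing.
struct PacketView {
    bool valid = false;     // header parsed and length field agrees with the buffer
    uint16_t length = 0;    // value of the length field (header + body, seal excluded)
    uint16_t type = 0;      // packet type, e.g. 1010 (movement) or 1086 (login)
    size_t body_len = 0;    // bytes after the 4-byte header, before any seal
    bool sealed = false;    // trailing seal was present and matched
};

static uint16_t read_u16le(const uint8_t* p) {
    return static_cast<uint16_t>(p[0] | (p[1] << 8));
}

// Parse a decrypted packet. `seal` is the expected trailing marker (assumed
// format); pass an empty string if the stream carries none.
PacketView parse_packet(const uint8_t* buf, size_t len, const std::string& seal) {
    PacketView v;
    if (buf == nullptr || len < 4) return v;            // header does not fit
    v.length = read_u16le(buf);
    v.type   = read_u16le(buf + 2);
    if (v.length < 4) return v;                          // cannot even cover its own header
    if (v.length == len) {
        v.sealed = false;                                // no trailer on this packet
    } else if (!seal.empty() && v.length + seal.size() == len &&
               std::memcmp(buf + v.length, seal.data(), seal.size()) == 0) {
        v.sealed = true;                                 // body followed by the seal
    } else {
        return v;                                        // still encrypted, or counters out of sync
    }
    v.body_len = v.length - 4;
    v.valid = true;
    return v;
}

// Same formatting the hook prints, returned as a string so it can be checked.
std::string hex_dump(const uint8_t* buf, size_t len) {
    std::ostringstream out;
    for (size_t i = 0; i < len; ++i) {
        if (i) out << ' ';
        out << std::setw(2) << std::setfill('0') << std::hex << static_cast<int>(buf[i]);
    }
    return out.str();
}

// Build a packet in the assumed framing (used here to construct sample input).
std::vector<uint8_t> make_packet(uint16_t type, const std::vector<uint8_t>& body,
                                 const std::string& seal) {
    uint16_t length = static_cast<uint16_t>(4 + body.size());
    std::vector<uint8_t> pkt;
    pkt.push_back(static_cast<uint8_t>(length & 0xFF));
    pkt.push_back(static_cast<uint8_t>(length >> 8));
    pkt.push_back(static_cast<uint8_t>(type & 0xFF));
    pkt.push_back(static_cast<uint8_t>(type >> 8));
    pkt.insert(pkt.end(), body.begin(), body.end());
    pkt.insert(pkt.end(), seal.begin(), seal.end());
    return pkt;
}

int main() {
    const std::string seal = "TQClient";            // assumed seal value (constructed)
    std::vector<uint8_t> body(12, 0x00);            // constructed 12-byte movement body
    std::vector<uint8_t> pkt = make_packet(1010, body, seal);   // 4 + 12 + 8 = 24 bytes
    PacketView v = parse_packet(pkt.data(), pkt.size(), seal);
    std::cout << "[len " << pkt.size() << "] " << hex_dump(pkt.data(), pkt.size()) << "\n";
    std::cout << "valid=" << v.valid << " type=" << std::dec << v.type
              << " body=" << v.body_len << " sealed=" << v.sealed << "\n";
    return v.valid ? 0 : 1;
}
```

Run parse_packet on the decrypted copy inside the hook: a packet whose length field matches neither len nor len minus the seal is the quickest signal that the cipher state is not in step with the client, which is exactly the symptom of a 1010 packet printing as noise while the login packet reads fine.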

 

Posted
1 hour ago, Spirited said:

I had a bit more time this morning and found some old videos on how to get the send function, at the very least:

Also, a thread that might help a bit: https://www.elitepvpers.com/forum/co2-programming/1917917-c-dll-injecting-hooking.html

My hook actually works, and I looked at Angelis's content a couple of months ago, but it was based on changing the pre-encryption packets (as far as I remember). It's worth noting that he didn't complete the playlist, and there are a lot of references to his project that I couldn't find.

Posted

I've been saving this playlist for a long time, kept looking but never understood it

I really don't have a talent for decompilation; assembly code looks like machine code to me, 01010101010....
Actually, I've been studying how to modify all player characters in the client with health bars through assembly code... obviously, I failed
Because I really don't have a lot of time to spend on studying this, but I've seen many clients do it this way and succeed

Posted
21 hours ago, kennylovecode said:

I've been saving this playlist for a long time, kept looking but never understood it

I really don't have a talent for decompilation; assembly code looks like machine code to me, 01010101010....
Actually, I've been studying how to modify all player characters in the client with health bars through assembly code... obviously, I failed
Because I really don't have a lot of time to spend on studying this, but I've seen many clients do it this way and succeed

I followed that playlist, but it was incomplete, and the references weren't attached or expired.

In addition, I wanted to get a solution to the algorithms for obtaining data packets and then sending them back. I've already completed 50% of Angelas' playlist, but I stopped due to time and its incompleteness.

Posted

Well, the other half of that would be finding the receive address. The way I find it is in OllyDbg, finding the referenced text string "catch error in process msg:%u." in conquer.exe. And then tracing that back manually until I see "TEST EAX, EAX". Following that is the jump to the receive function. I'm sure that no longer works for the newest patches, but it at least works for the patches I've worked on.
