Packet Editing Runes of Magic

Runes of Magic/Radiant Arcana (http://www.runesofmagic.com)
Post Reply
Message
Author
User avatar
Chaosis
Posts: 21
Joined: Sun Jun 07, 2009 5:45 pm

Packet Editing Runes of Magic

#1 Post by Chaosis » Sat Aug 08, 2009 5:58 pm

Has anyone done any packet editing of Runes of Magic? I tried awhile ago with WPE Pro, but it doesn't hook WSASend correctly. I recently made a WSASend hook for Runes of Magic, and have the code necessary to analyze packets and other information needed. I was wondering if anyone would like to help me decrypt the packets or figure out if they are encrypted, and work on some hacks? From past experience I know that Runes of Magic's servers do very little checking of data sent, and many hacks could be made...

If anyone has experience and wants to help, or wants to see what I have, post or PM me.

User avatar
Administrator
Site Admin
Posts: 5313
Joined: Sat Jan 05, 2008 4:21 pm

Re: Packet Editing Runes of Magic

#2 Post by Administrator » Sat Aug 08, 2009 10:03 pm

Try changing WPE to use Winsock 2.0 functions before attaching to RoM.

User avatar
Chaosis
Posts: 21
Joined: Sun Jun 07, 2009 5:45 pm

Re: Packet Editing Runes of Magic

#3 Post by Chaosis » Sun Aug 09, 2009 9:16 am

I have, it doesn't work correctly. I have made made a program for analyzing packets and data from Runes of Magic.

I need to (1) figure out if they have encryption, (2) find the unencrypted location or reverse the encryption, (3) make some packet filters.

I am wondering if anyone has some experience or could tell me if these packets are encrypted:
Stealth Ability:

Code: Select all

3e 00 00 00 02 52 72 f4 f4 f4 e6 f4 ff ff d0 f4 f4 f4 dc f4 f4 f4 3c ed f9 f4 d6
 4a a0 36 e8 8a bf b8 9d 3c cf 38 8d ad 84 b3 f4 f4 f4 f4 f4 f4 f4 f4 f4 f4 f4 f4
 f4 f4 f4 f4 85 8c bf b8 26 00 00 00 02 18 ec 6e 6e 6e 58 6e ff ff 5a 6e 6e 6e a6
 6c 6e 6e c6 75 69 6e b6 83 67 6e c6 75 69 6e 67 6e 6e 6e

Code: Select all

3e 00 00 00 02 b4 14 92 92 92 a8 92 ff ff ae 92 92 92 9a 92 92 92 3a 89 95 92 06
 86 5d d8 ab f3 51 56 a3 b3 9b d6 db 10 6f 53 92 92 92 92 92 92 92 92 92 92 92 92
 92 92 92 92 a8 f4 51 56 26 00 00 00 02 70 9c 1e 1e 1e 28 1e ff ff 2a 1e 1e 1e 66
 1c 1e 1e c6 15 19 1e 56 83 17 1e c6 15 19 1e 17 1e 1e 1e
Mount (Flame Wartiger)(Similar to using any item):

Code: Select all

22 00 00 00 02 95 ec 6e 6e 6e 58 6e ff ff 5e 6e 6e 6e a3 6b 6e 6e 6e 6e 6e 6e 27
 5a 6b 6e ff ff ff ff

Code: Select all

22 00 00 00 02 bf 44 c2 c2 c2 d8 c2 ff ff d2 c2 c2 c2 9b c3 c2 c2 c2 c2 c2 c2 07
 d6 c3 c2 ff ff ff ff
Ping:

Code: Select all

0a 00 00 00 04 00 7d 00 00 00

Code: Select all

0a 00 00 00 04 00 3e 00 00 00

User avatar
Administrator
Site Admin
Posts: 5313
Joined: Sat Jan 05, 2008 4:21 pm

Re: Packet Editing Runes of Magic

#4 Post by Administrator » Sun Aug 09, 2009 9:49 am

Yes, they are encrypted (except for the header). The header (first 5 bytes, it seems) doesn't seem to include any 'dynamic' data.

First, I would try to understand how the header works. Get more examples of skills, mounts, etc. 3e 00 00 00 02 is the header for your stealth example. '3e' might stand for using a skill. The '02' might have something to do with the target or action. Both mounting and stealthing contain that same byte, and both are used on the player. But, again, it could mean anything. More examples are needed.

User avatar
Chaosis
Posts: 21
Joined: Sun Jun 07, 2009 5:45 pm

Re: Packet Editing Runes of Magic

#5 Post by Chaosis » Sun Aug 09, 2009 12:21 pm

This is the WSASend Function (from MSDN):

Code: Select all

int WSASend(
  __in   SOCKET s,
  __in   LPWSABUF lpBuffers,
  __in   DWORD dwBufferCount,
  __out  LPDWORD lpNumberOfBytesSent,
  __in   DWORD dwFlags,
  __in   LPWSAOVERLAPPED lpOverlapped,
  __in   LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);
Here is an example:

Code: Select all

WSASend(AcceptSocket, &DataBuf, 1,
                     &SendBytes, 0, &SendOverlapped, NULL);
Here is the region in Runes of Magic it calls WSASend. (Sorry I couldn't highlight it...)

Code: Select all

006BDA5E - int 3
006BDA5F - int 3
006BDA60 - sub esp,1c
006BDA63 - push ebx
006BDA64 - push ebp
006BDA65 - push esi
006BDA66 - mov esi,[esp+2c]
006BDA6A - lea ebp,[esi+48]
006BDA6D - xor ebx,ebx
006BDA6F - push ebp
006BDA70 - mov [esp+10],ecx
006BDA74 - mov [esp+14],ebx
006BDA78 - call dword ptr [std::_init_locks::operator=+14741] : RtlEnterCriticalSection
006BDA7E - push std::_init_locks::operator=+29af9
006BDA83 - lea ecx,[ebp+3c]
006BDA86 - call dword ptr [std::_init_locks::operator=+14829] : std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator=
006BDA8C - add dword ptr [ebp+1c],01
006BDA90 - cmp [esi+000000dc],bl
006BDA96 - jne createobjnet+d19a
006BDA9C - cmp [esi+000000cc],ebx
006BDAA2 - jng createobjnet+d19a
006BDAA8 - mov ecx,[esi+000000d0]
006BDAAE - mov edx,[esi+000000c4]
006BDAB4 - add dword ptr [esi+000000cc],ff
006BDABB - lea eax,[ecx+ecx*2]
006BDABE - add ecx,01
006BDAC1 - cmp ecx,[esi+000000c8]
006BDAC7 - lea eax,[edx+eax*4]
006BDACA - mov [esi+000000d0],ecx
006BDAD0 - jne createobjnet+d0a8
006BDAD2 - mov [esi+000000d0],ebx
006BDAD8 - mov edx,[eax+04]
006BDADB - push edi
006BDADC - mov edi,[eax]
006BDADE - mov eax,[eax+08]
006BDAE1 - mov byte ptr [esi+000000dc],01
006BDAE8 - mov [esi+000000f4],ebx
006BDAEE - mov [esi+000000f8],ebx
006BDAF4 - mov [esi+000000fc],ebx
006BDAFA - mov [esi+00000104],ebx
006BDB00 - mov [esi+00000108],ebx
006BDB06 - mov [esi+00000110],ebx
006BDB0C - mov [esi+00000100],bl
006BDB12 - mov [esi+00000101],bl
006BDB18 - xor ecx,ecx
006BDB1A - mov [esi+000000e0],ecx
006BDB20 - mov [esi+000000e4],ecx
006BDB26 - mov [esp+28],eax
006BDB2A - lea eax,[esi+000000e0]
006BDB30 - mov [eax+08],ecx
006BDB33 - mov [eax+0c],ecx
006BDB36 - mov [eax+10],ecx
006BDB39 - mov ecx,[esi+18]
006BDB3C - add [esi+000000d8],edx
006BDB42 - cmp ecx,ff
006BDB45 - mov [esp+1c],edi
006BDB49 - mov [esp+18],edx
006BDB4D - mov [esi+000000f4],00000003
006BDB57 - mov [esi+00000104],edi
006BDB5D - je createobjnet+d17d
006BDB5F - push ebx
006BDB60 - push eax
006BDB61 - push ebx
006BDB62 - lea edx,[esp+20]
006BDB66 - push edx
006BDB67 - push 01
006BDB69 - lea eax,[esp+2c]
006BDB6D - push eax
006BDB6E - push ecx
006BDB6F - call dword ptr [std::_init_locks::operator=+14cf1] : WSASend
006BDB75 - cmp eax,ff
006BDB78 - jne createobjnet+d199
006BDB7A - call dword ptr [std::_init_locks::operator=+14ce9] : WSAGetLastError
006BDB80 - cmp eax,000003e5
006BDB85 - je createobjnet+d199
006BDB87 - mov ecx,[esi+14]
006BDB8A - mov edx,[esp+10]
006BDB8E - push ecx
006BDB8F - push eax
006BDB90 - push std::_init_locks::operator=+29ac1
006BDB95 - push edx
006BDB96 - call createobjnet+9490
006BDB9B - mov ecx,[esp+20]
006BDB9F - mov eax,[ecx]
006BDBA1 - mov edx,[esi+14]
006BDBA4 - mov eax,[eax+2c]
006BDBA7 - add esp,10
006BDBAA - push edx
006BDBAB - call eax
006BDBAD - mov ecx,[esp+10]
006BDBB1 - push edi
006BDBB2 - add ecx,00000284
006BDBB8 - mov [esi+000000dc],bl
006BDBBE - mov [esi+00000104],ebx
006BDBC4 - call createobjnet+a100
006BDBC9 - pop edi
006BDBCA - add dword ptr [ebp+1c],ff
006BDBCE - push std::_init_locks::operator=+45a47
006BDBD3 - lea ecx,[ebp+3c]
006BDBD6 - call dword ptr [std::_init_locks::operator=+14829] : std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator=
006BDBDC - push ebp
006BDBDD - call dword ptr [std::_init_locks::operator=+14745] : RtlLeaveCriticalSection
006BDBE3 - pop esi
006BDBE4 - pop ebp
006BDBE5 - pop ebx
006BDBE6 - add esp,1c
006BDBE9 - ret 0004
Anybody see anything useful? I think finding the unencrypted location would be the easiest. Could it be that it sends data to the LPWSABUF buffer, the encrypt it and not have another buffer? If so we could just insert a jmp to a code cave at the start of this function?

lilj2005
Posts: 1
Joined: Mon Aug 10, 2009 8:40 am

Re: Packet Editing Runes of Magic

#6 Post by lilj2005 » Mon Aug 10, 2009 8:42 am

Looks as if the first WORD is the packet len...

User avatar
Chaosis
Posts: 21
Joined: Sun Jun 07, 2009 5:45 pm

Re: Packet Editing Runes of Magic

#7 Post by Chaosis » Mon Aug 10, 2009 10:56 am

Where? In the WSABUF? The WSABUF has a property called .len, that should be the first unsigned int, but it doesn't match the results I get... Maybe I forgot about it being unsigned...

User avatar
Administrator
Site Admin
Posts: 5313
Joined: Sat Jan 05, 2008 4:21 pm

Re: Packet Editing Runes of Magic

#8 Post by Administrator » Mon Aug 10, 2009 12:53 pm

He may be right. It would seem that way. The 5th byte is still what interests me.

Code: Select all

0a 00 00 00 04 00 3e 00 00 00
0a 00 00 00 is in network byte order. You would probably be more comfortable if it were written 00 00 00 0a, or 10. The packet is 10 bytes long. Using 4 bytes for what should only need 2 bytes seems kind of wasteful to me. I can't think of many situations where a message would be a billion or more bytes long.

User avatar
Chaosis
Posts: 21
Joined: Sun Jun 07, 2009 5:45 pm

Re: Packet Editing Runes of Magic

#9 Post by Chaosis » Mon Aug 10, 2009 1:40 pm

That would make sense... And I just figured out that these are actually two packets!
Stealth Ability:

Code: Select all

3e 00 00 00 02 52 72 f4 f4 f4 e6 f4 ff ff d0 f4 f4 f4 dc f4 f4 f4 3c ed f9 f4 d6
 4a a0 36 e8 8a bf b8 9d 3c cf 38 8d ad 84 b3 f4 f4 f4 f4 f4 f4 f4 f4 f4 f4 f4 f4
 f4 f4 f4 f4 85 8c bf b8 

26 00 00 00 02 18 ec 6e 6e 6e 58 6e ff ff 5a 6e 6e 6e a6
 6c 6e 6e c6 75 69 6e b6 83 67 6e c6 75 69 6e 67 6e 6e 6e

Code: Select all

3e 00 00 00 02 b4 14 92 92 92 a8 92 ff ff ae 92 92 92 9a 92 92 92 3a 89 95 92 06
 86 5d d8 ab f3 51 56 a3 b3 9b d6 db 10 6f 53 92 92 92 92 92 92 92 92 92 92 92 92
 92 92 92 92 a8 f4 51 56 

26 00 00 00 02 70 9c 1e 1e 1e 28 1e ff ff 2a 1e 1e 1e 66
 1c 1e 1e c6 15 19 1e 56 83 17 1e c6 15 19 1e 17 1e 1e 1e
I will try to figure out the 5th byte.... When I was getting these packets I was being ganked, I need to make a new character.

User avatar
Rishijin
Posts: 49
Joined: Sat Jul 04, 2009 4:25 pm
Location: Kauai

Re: Packet Editing Runes of Magic

#10 Post by Rishijin » Fri Aug 21, 2009 10:06 pm

Try going through these in relation to RoM.

I don't play RoM, but I am doing the same thing on Shaiya; and these have been useful so far.


http://www.gamehacking.com/forums/tutor ... 7-8-a.html




http://www.reversing.us/pages/g3n/Packe ... acking.htm

User avatar
3cmSailorfuku
Posts: 354
Joined: Mon Jan 21, 2008 6:25 pm

Re: Packet Editing Runes of Magic

#11 Post by 3cmSailorfuku » Sat Aug 22, 2009 7:23 am

Chaosis wrote: Anybody see anything useful? I think finding the unencrypted location would be the easiest. Could it be that it sends data to the LPWSABUF buffer, the encrypt it and not have another buffer? If so we could just insert a jmp to a code cave at the start of this function?
You're thinking too easy. Yes, the encrypted data is on the Buffer, however it is encrypted (Either you wouldn't get a hook with encrypted Packets, do'h).
What you have todo is setting up a Breakpoint on the send function and see what return adress it pushes on the stack (Let's assume you write a chat message into the chat, and it breaks, that's the easiest way to find the location.). If you follow it in the disassembler, you have to keep setting up BP's in order to find out what calls are made until you can see your unencrypted chat message in the stack, if you can see it you're somewhat close to the actual function and the encryption loop. I think it's noticeable when you find the loop where the data is encrypted (Probably big ass code if they're not using a thirdparty encryption, though asfar as I can remember, there were even exports in the DLLs that would allow you to encrypt data)... The problem will be the arguments that the encryption function takes, since you want to make a standalone program you have to reverse this properly into C++ or whatever you fancy. There are much more ways to find the location though, this is just what seemed easy for me in the past.

However if you plan on doing an dll injection anyway, don't look for the encryption, just keep on looking like I described to find the regular function (It's even in plaintext dawg!). You can then call it from your Dll like this castSpell(id, target);. Or from MicroMacro if you write a plugin, it keeps you from doing alot of work.

User avatar
Chaosis
Posts: 21
Joined: Sun Jun 07, 2009 5:45 pm

Re: Packet Editing Runes of Magic

#12 Post by Chaosis » Sun Aug 23, 2009 5:16 pm

Ok, I will work on it some more. I think that I am getting closer... I will post any new updates.

User avatar
Rishijin
Posts: 49
Joined: Sat Jul 04, 2009 4:25 pm
Location: Kauai

Re: Packet Editing Runes of Magic

#13 Post by Rishijin » Thu Sep 17, 2009 5:33 am

Did this get shifted to PMs or did it die?

User avatar
Chaosis
Posts: 21
Joined: Sun Jun 07, 2009 5:45 pm

Re: Packet Editing Runes of Magic

#14 Post by Chaosis » Sat Sep 19, 2009 7:46 am

It died. The people that PM'ed me stopped communicating. And I stopped once school started.

I would pick it back up with someone. But Aion starts soon, and I have a guild I am expected to power level in.

klinius
Posts: 1
Joined: Sat Sep 19, 2009 5:47 pm

Re: Packet Editing Runes of Magic

#15 Post by klinius » Sat Sep 19, 2009 7:21 pm

I've found this forum, trying to do the same: packet editing RoM.
My efforts by the moment had been only focused to make a simple tcp hijacker.... that doesnt works and finally a packet "redirecter - repeater" in linux + python, i've tried to sent some of the packets sniffed to both the server and the client, many times them get crashed the client, others nothing happens.
I've made also my own bot for linux(very experimental and not very reliable because its based in on-screen info, in fact ive used an ocr to get the current position), but im still more interested in hacking the game via packet editing. So im interested in decipher all this stuff. Sorry for my bad english. Anyone interested?

User avatar
Chaosis
Posts: 21
Joined: Sun Jun 07, 2009 5:45 pm

Re: Packet Editing Runes of Magic

#16 Post by Chaosis » Sun Sep 20, 2009 8:04 pm

Wow, this is what I have been doing.
I have made a bot too; it is mainly based on memory reading, but has good navigation. I a working packet reader, but I can't figure out the encryption. I would help you, just PM me.

Post Reply

Who is online

Users browsing this forum: Ahrefs [Bot], Bing [Bot], Google [Bot] and 0 guests