[RELEASE] Everything (by TamaGo)

[BakaBug]

[RELEASE-OLD] Some infos about Kal

Yeah for all who want make something for Kal..
here is my release

Ahm yeah you can use it for hacking in nvm​

PACKET STRUCKTUR

Some easy Kal-Packet: (Yeah I can't help you how to write a Sniffer)

0500161215
04001248
030047

So Yeah the first we see is .. the first 2 bytes is the size (means a word ..)
So the rest everytime changes .. can only mean crypted.. so packet structure is

type TKalPacket = packed record
  size:word;
  data:array of char;
end;

This is first step..
​

PACKET CRYPTING

So .. after sniffing a lot at login (easyer to sniff) we will see something like
a login packet .. becosue it's the login packet you know what you have entered .. so
(I used some nummbers they aren't correct .. but it works this way
??= I am to boring to count the bytes)

????04 B0 A1 C0 A1 B0 F1 AA 12 B0 A1 C0 A1 B0 F1 AA 12
          B   a    k   a   B  u   g  \0  B   a   k   a   B  u   g \0

(I entered acc:BakaBug pass:BakaBug)
Why we know there it must be BakaBug ?
When you look good you will see ..
Kal Crypt every letter .. 1 time ! means a crypte "a" at position 1...
looks like a crypte "a" at position 3..
Now wtf is this ? .. after a lot of trying .. first we know It's not working like
XOR mean haven't something like a key.. So it muss be something static
Which says A->! B->A C->& ... so ABC would be crypted to !A&
Yeah WTF a easy crypt .. and easy to crack..
so how to get this crypt-table ?
​

CRYPT TABLE

BTW. this way only works with a decompressed engine.exe
My first thought was some where in engine.exe must be a table ..
So .. starting hex-editor .. opening engine.exe
Entered in Login

Username: abcdefgh
Passwort: ijklmop

Sniff the Crypted oacket .. search this hex ... an WOOLLLLAAAA
And the first thing is .. WTF ? the table is uncrypted saved..
InixSoft makes hacking really easy..
..
So how to get the full Crypt-Table from the engine.exe (or mainsvr.exe works there too)
SO starting a disambler (I am using IDA) .. let disamble engine.exe ..
when everythings is loaded I scroll in the hex window .. to the offset where I found the abcde.. (crypted) click ... go to disambler window .. and WOLLLAAA
there is a area .. from START to END of the full CRYPT-Table
So we copy this Area .. into our hexeditor and save it as CRYPT.dat (or how you want)
So how to laod this table ?.. We know each letter is crypted with a other key!
so 256 letters .. our file is .. 200*256 bytes big ( I am to boring to multiplizier it .. I already know there are 200 keys) so how many keys are here ?
Yeah FileSize / 256
How to load ? (in delphi)

type TCryptRow = packed record
 Byte: array[0..255] of char;
end;
var
 CryptTable: array[0..199] of TCryptRow;

..
..
fil.read(CryptTable,sizeof(CryptTable)); //finish ;)

Btw this is the encrypt ( i think ) for decrypt you need to genereat your own file.. mean when you know "A->!" you will know "!->A" easy to write -.-
​

DECRYPT PACKETS

Yeah we updating the source of out Sniffer (yeah write your own or you wont able to do this way)
We adding our CryptTable..
So what we know ?

• Kal is using Nullterminated strings
• the row of the crypt changes everytime (we know this after a lot of testing)

..Special the point Nullterminated strings *grins*
We are adding to the sniffer that he try's all rows to decrypt the last Byte
when it's decrypted \0 key found ..
So this way only works on chat packet becouse there they use string..
So we chat a lot ingame .. and look at our log..
KEY: 12
KEY: 13
KEY: 14
KEY: 15
KEY: 16
KEY: 17
..
WTF yeah the row(key) increase every packet
..
KEY: 60
KEY: 61
KEY: 62
KEY: 63
KEY: 0

So ahhhh after 63 (or was it 64) it starts at 0 ..
hehe good to know so after 1 time getting the key you can decrypt everything
​

ADDITIONAL CRYPT AT INT SERVER

Yeah ~.~ when you have your decoder .. you sniff a lot of packes (chat is easyest)
And try to write this in chat:

a
aa
aaa
aaaa
aaaaa
aaaaaa
aaaaaaa
aaaaaaaa
aaaaaaaaaa
aaaaaaaaaaa
aaaaaaaaaaaa

Than you will see first..
New packet system have 4 bytes more .. why ? no idea.. (i never looked after it.. i can decryot them but dosn't help much ...)
We allso see .. .. that the decrypted stuff is wrong..
So we know our text is "aaaaaaaa..."
So we see all over 16 bytes (after sniffing) is a other crypt again (AES .. a lot of guys say this ..)
We also know Kal is yeah lol.. becouse first packet (at login, means welcome packet which is crypted with 0) they don't use the new crypt (but the old ..)
So we write a easy rotine..
CryptedStuff (but decryted with CryptTable) xor "aaaaaa...." = OUR XOR KEY
Wolllaaa.. after a lot of testing you will see
that you can crypt all <16 Bytes Packtes.. It's enought to write a KsBot (you wee some ingame ? some are suing my hack..)

MORE INFO ? Sorry can't help you
​

GTX Texture files

Ahm yeah I opend it with my Hex editor and have seen
DTX (or was it DXT .. nvm)
DXT3
DXT1
DXT5
...
So a file which have the abilitiy to change the texture-format (A8R8G8B8 X8R8G8B8 ... )
The only file i knowed which work so .. was DDS
so i saved a dds .. looked my gtx .. and it was 1:1 the same..
(okay.. the header was crypted.. so after a little testing we see ..
the crypt key is 4 ..)
I decrypt the header part ...
Changed the first 3 bytes to DDS..
WOOLLLLAAAA
Can load GTX's -.-
​

KSM KalServerMap

Yeah .. I really got no clue what this file should be ..
so i written a easy programm to show a file as graphic..
meansfull source when someone want try out..)

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, ExtCtrls;

type
  TForm1 = class(TForm)
    Image1: TImage;
    Button1: TButton;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.Button1Click(Sender: TObject);
var
 x,y:integer;
 myByte:dword;
 fil:tmemorystream;
begin
 image1.Picture.Bitmap.Width:=form1.Width;
 image1.Picture.Bitmap.Height:=form1.Height+3000; //neue size
 //soooooo bild malen
 fil:=tmemorystream.Create;
 fil.LoadFromFile('C:\Dokumente und Einstellungen\BakaBug\Desktop\MainSvr-Crack\Map\n_032_032.ksm');
 fil.Position:=0; //an dne anfang..
 repeat
  for x:= 0 to image1.Width do
  begin
   //auslesen
    fil.Read(myByte,4);
    image1.Canvas.Pixels[x,y]:=myByte;
  end;
  y:=y+1;
 until fil.Position>=fil.Size;
 fil.Free;
end;

end.

Yeah when you resize the window and let redraw the picture..
*grins* ..Yeah after a lot of resizing you will start to see a structure
after you are near ~256 (width) .. you say WTF .. that is it ?
Yeah.. KSM are like a picture.. it's a 255x255 (or was it 256x256 ?) shoot of the coolision zones and castle war zones .. saveones etc.
after a little time you will have this script for loading:

 type TArea= packed record
  a,b:word;
 end;
 type TKSM=packed record
  Pixel:array[0..255,0..255] of TArea;
 end;

var
 KSM:TKSM;
..
...
..
fil.read(KSM,sizeof(KSM)); //finish ;)

KCM Kal Cell Map ?

Yeah I found it out the same why like KSM
With showing it as picture ^^ (I wont tell you everything)
But 1 tip: "Load it from end of the file.. to the begin of the file"
So it's easyer to laod .. I already know how the Header works..
but also KaME loads it from end to begin becouse it's easyer
​

OPL Object Postion list

Yeah open it with Hex-Editor and learn reading ~.~
I can't tell you much .. lol such easy..
​

HISTORY OF KAL CRYPT

Yeah maybe someon is interrested

1. DYNAMIC CryptTableStart, DYNAMIC CrypTableEnd (0-200)
2. STATIC CryptTableStart (0), STATIC CryptTableEnd (64)
3. Changed CryptTable
4. Added Crypt to type-variable
5. Changed CryptTable
6. Changed type-variables //private server version
7. Added a XOR like crypt
8. updated the XOR like crypt //offizial version

..
so thats all for the moment..
When you miss something write it here

 

[Dopestar]

does this mean youre quitting or just sharing ?

 

[BakaBug]

does this mean youre quitting or just sharing ?

Ahm both ..
I feel boring about Kal .. -.-
It's much work .. I have problems at school..
I hacked/cracked Kal now for 3 years .. mean yeah everyone who want write something for Kal (thx my info) and get problems he can ask me
Anyways KaME and AHS3 are my last projects I will finish them and than..
thann.. that was it, there is no more to crack/hack something Oo so what should I do ?

 

[Keppi]

Ahm both ..
It was there is no more to crack/hack something Oo so what should I do ?

Nice that you share your work

and about the what should I do? Wait for 2Moons and hack/crack it , kal is over

 

[Dopestar]

K well atleast great that you finish ahs3 and kame

atleast this is very usefull

 

[BakaBug]

Nice that you share your work

and about the what should I do? Wait for 2Moons and hack/crack it , kal is over

2Moon ?
I will write "TamaGo Online" *grins*

 

[Keppi]

w00t

the new Revolution Game xD

 

[mejniok]

Ya this i a very interesting lesson
Keep talking Luca

 

[BakaBug]

Ya this i a very interesting lesson
Keep talking Luca

I also added 50% of the new crypt

 

[Keppi]

Ahm both ..
Anyways KaME and AHS3 are my last projects I will finish them and than..

Just a last annoying question from me : You mean with AHS3 also AHS3_CL? Or you stop that ? *hides*

 

[BakaBug]

Just a last annoying question from me : You mean with AHS3 also AHS3_CL? Or you stop that ? *hides*

with AHS3 I mean

• AHS3_MS (Anti Hack System 3 for MainSvr)
• AHS3_DB (Anti Hack System 3 for DBSvr - not really antihack but some tools)
• AHS3_CL (Anti Hack System 3 for engine.exe)

 

[Keppi]

with AHS3 I mean

• AHS3_MS (Anti Hack System 3 for MainSvr)
• AHS3_DB (Anti Hack System 3 for DBSvr - not really antihack but some tools)
• AHS3_CL (Anti Hack System 3 for engine.exe)

Nice , I love your work <3

 

[BakaBug]

so thats all for the moment..
When you miss something write it here

 

[pacd]

so thats all for the moment..
When you miss something write it here

What if we miss you? We can also write here?

Thank you for all your good work mate.
We surely will miss you if you quit.

 

[BakaBug]

You must be registered to see links

Yeah check this out *grins* wrong .. topic but don't know where to post

 

[pacd]

NO comments, just ROFLMAO!!!!

 

[mikeymike123]

omfg!!!! XD there just a bunch of people that bought the lineage 2 game engine and made there own game dam my bedroom looks bigger than there office anyone know what server they use to withstand all them people they got joine.. i would much like to see that

 

[Xoz0r]

Nice that you share your work

and about the what should I do? Wait for 2Moons and hack/crack it , kal is over

FO! No1 must crack the game, I prohibite -.-" I want to see fair play, without some R'TarD asses with hacks and THing the f***** items which ppl got from hard work
Keppi, spast! XD (j/k)
Keppi, mad boy! XD (not the real translation!)

 

[ZeroSanity]

lol when i read all luca posted i realise what kinda nub i am.

 

[HandsOfGod]

lol i am sure its not only me who dont know wtf u posted there