C1 AntyBot-HowTo 1&2: Network.dll reoptimisation and encryption key change
 
 
Average Member

Rank: Omicron


 
Join Date: May 2004
Location: Russia
Posts: 65
06-10-2005, 10:36 AM
 
C1 AntiBot-HowTo: Change Auth Server Encryption key (Network.dll)

I have got many questions like "How to change protocol version between Client and Server (LineAge2 C1)", so
here I leave the solution for how to do this.

So, find any hex editor with search-by-ASCII abilities (UltraEdit or similar).

Client side:
Open ..\LineageII\System\Network.dll, go to 0x41138 or
find the ASCII string "-%&@!" (without quotes):

There we see "[;'.]94-31==-%&@!^+]"; it is the full default auth key for LineAge2 C1.

You can change the number 94, or maybe other parts too (I'm not sure), to whatever you desire. But memo these changes!

Let's change it, for example, to 60.
Save the file.

Server side - AuthServer:
Open your L2AuthD.exe in the same way as Network.dll before.
Go to 0x6c6b0 or find the ASCII string "-%&@!" (without quotes):

You'll see the same string as before: "[;'.]94-31==-%&@!^+]"

Change 94 to 60 (or whatever you memoed in the previous step).
Save the file.

Server side - L2server:

Open ..\L2Server\l2server.ini and change AcceptLowerProtocol=true to AcceptLowerProtocol=false if it is not already.

Send the new Network.dll file to all your gamers. Restart the server with the new AuthKey in L2AuthD.exe.

That's all. Have fun.

Theory:

The first goal is to disorient out-of-game bot programs, which use another server "key".

In fact, it is not a "protocol change guide", it is an "Authkey change guide".
I think so because I dumped traffic with and without the changes,
disassembled the dll and server (IDA-Pro, wDasm 8.93) and saw clearly what changes and where.
It is not a protocol number, it is probably an Authkey.


If you are familiar with IDA-Pro (the greatest disassembler), then when you disassemble Network.dll you'll see this:
a_9431@ db '[;',27h,'.]94-31=^-%&@!^+]',0

that string is used in sub_10014120 proc near ; CODE XREF: UNetworkHandler::Init(int,FL2NetNotify *)+49

I am not too sure, but I think at this place we have some algorithm to encode the strings that go out to the server (name and password).

The next step is to reoptimise the dll, or re-encode it, so that no walkers etc. can find what key you use without totally disassembling your new dll file.

C1 AntyBot-HowTo 2: Network.dll reoptimisation.

To Russians:

I think that, judging by the dumps of the internet traffic with the server and the disassembled code, this is not a protocol number at all, as many think, but the key with which the data is encrypted when it is sent to the server.

So it has to be changed on both sides: just find the string "[;'.]94-31==-%&@!^+]" in network.dll and L2AuthD.exe and change the digits identically. Most likely everything else can be changed too, but it is better not to, since the same key is possibly used to unpack the client's PGP files; the string is repeated in l2decrypt.exe as well.

The next step is to find a good reoptimizer or DLL packer, and scramble everything inside the library so that nobody can extract from it how exactly the key changed without reverse debugging, which the bots are unlikely to get to quickly.

Last edited by KEMBL; 08-05-2005 at 09:46 AM.
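As an added example, not code from KEMBL's post or from any Lineage 2 tool: a small Python script that locates the key string by the "-%&@!" marker the post says to search for, patches the two digits on a copy of the image, and checks that the client and auth-server images still carry the same key (if they differ, logins fail). The two file images below are constructed stand-ins, not real Network.dll or L2AuthD.exe contents.

```python
from __future__ import annotations
import sys

MARKER = b"-%&@!"                       # ASCII string the post says to search for
DEFAULT_KEY = b"[;'.]94-31==-%&@!^+]"   # default C1 auth key quoted in the post
DIGITS_AT = DEFAULT_KEY.index(b"94")    # offset of the two digits inside the key

def find_key(image: bytes) -> tuple[int, bytes]:
    """Locate the key string by its marker; return (file offset, 20-byte key)."""
    idx = image.find(MARKER)
    if idx < 0:
        raise ValueError("auth-key marker not found")
    if image.find(MARKER, idx + 1) >= 0:
        raise ValueError("marker occurs more than once; refusing to guess")
    start = idx - DEFAULT_KEY.index(MARKER)
    return start, image[start:start + len(DEFAULT_KEY)]

def patch_key(image: bytes, new_digits: str) -> bytes:
    """Return a copy of image with the key's two digits replaced (same length)."""
    if len(new_digits) != 2 or not new_digits.isdigit():
        raise ValueError("new_digits must be exactly two ASCII digits")
    start, _ = find_key(image)
    pos = start + DIGITS_AT
    return image[:pos] + new_digits.encode("ascii") + image[pos + 2:]

def keys_match(client_image: bytes, server_image: bytes) -> bool:
    """Client dll and auth server must carry byte-identical keys."""
    return find_key(client_image)[1] == find_key(server_image)[1]

# Constructed stand-ins for Network.dll and L2AuthD.exe (not real binaries).
CLIENT_DLL = b"MZ" + b"\x00" * 30 + DEFAULT_KEY + b"\x00" + b"\xcc" * 8
AUTHD_EXE = b"MZ" + b"\x90" * 12 + DEFAULT_KEY + b"\x00" * 4

def patch_pair(client: bytes, server: bytes, digits: str) -> tuple[bytes, bytes]:
    """Patch both images with the same digits and verify they still agree."""
    new_client, new_server = patch_key(client, digits), patch_key(server, digits)
    if not keys_match(new_client, new_server):
        raise RuntimeError("client and server keys diverged after patching")
    return new_client, new_server

if __name__ == "__main__":
    digits = sys.argv[1] if len(sys.argv) > 1 else "60"
    c, s = patch_pair(CLIENT_DLL, AUTHD_EXE, digits)
    print("client:", find_key(c)[1].decode(), "server:", find_key(s)[1].decode())
```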
 
 
Member

Rank: Omicron


 
Join Date: May 2004
Posts: 36
06-10-2005, 12:42 PM
 
Good tutorial, a valuable addition to the RZ knowledge base. If you don't mind, post some examples of your work here; it'll be nice :)

A very valuable contribution to the knowledge base. I'll save it to my hard drive so that it doesn't suddenly get lost here. It would be great if you published examples of your work :)
 
 
Newbie

Rank: Omicron


 
Join Date: Feb 2005
Location: Moscow
Posts: 1
06-10-2005, 12:42 PM
 
Try it.. +)
Attached Files
File Type: zip HexEditor.zip (407.3 KB, 381 views)
 
 
Member

Rank: Omicron


 
Join Date: May 2004
Posts: 36
06-11-2005, 01:15 AM
 
So it really works.
And here is my package, feel free to use it. Based on KEMBL's tutorial.
Attached Files
File Type: zip antibot_package.zip (303.3 KB, 517 views)
 
 
Alpha

Rank: New Blood


 
Join Date: Dec 2004
Posts: 129
06-11-2005, 01:57 AM
 
juster, I also used that tutorial and guess what:
I had a nasty DDoS attack from someone who didn't like the solution :)
 
 
Account Upgraded | Title Enabled!

Rank: Member


 
Join Date: May 2005
Posts: 241
06-11-2005, 02:42 AM
 
If you guys don't mind I will add this to the downloads section. If you care I will remove it; credits go to the poster/hex editor :)
 
 
Member

Rank: Omicron


 
Join Date: May 2004
Posts: 36
06-11-2005, 10:34 AM
 
I don't need credits, I just want to see RZ alive, full of knowledge and without flood.
 
 
Newbie

Rank: Omicron


 
Join Date: Apr 2005
Location: fdsfs
Posts: 1
06-12-2005, 06:30 PM
 
Quote:
Next step, is reoptimise dll, or reencode it, so no one walkers or etc., don’t find what key
How can I do this?
 
 
Member

Rank: Omicron


 
Join Date: Apr 2005
Posts: 27
06-12-2005, 07:58 PM
 
Is it necessary to hex-modify l2auth.exe?
 
 
Account Upgraded | Title Enabled!

Rank: Member


 
Join Date: May 2005
Posts: 241
06-13-2005, 01:36 AM
 
Quote: Originally Posted by RossGeller
Is it necessary to hex-modify l2auth.exe?
Yes, as that's what stops the 3rd party bot. Just like you also need to hex the client.
 
 
Member

Rank: Omicron


 
Join Date: Apr 2005
Posts: 27
06-13-2005, 02:19 AM
 
Quote: Originally Posted by Rikku
Yes, as that's what stops the 3rd party bot. Just like you also need to hex the client.
That is difficult :(
 
 
Member

Rank: Omicron


 
Join Date: May 2004
Posts: 36
06-13-2005, 01:06 PM
 
Use the package, man.

And someone please tell us what software exactly we need to reoptimize or re-encode the dll?
 
 
Account Upgraded | Title Enabled!

Rank: Member


 
Join Date: Apr 2005
Posts: 268
06-17-2005, 05:16 PM
 
Yes, can anyone teach us how to reoptimize or re-encode the dll???

By the way, there is another problem: this protection only works for the OOG walker (out of game) but not for the IG walker (in-game walker), because the in-game walker doesn't use server auth, so I think we can't protect against the IG walker :S

There is a method to protect against the IG walker: people must install C2 textures, so the IG walker doesn't work because it's not compatible with a C1 client that uses C2 textures. But this is a shit protection because the botters won't install the C2 textures then, and we can't check whether people are using the textures, so we must find some other good solutions ^^

Last edited by MakaveliTha; 06-17-2005 at 05:30 PM.
 
 
Average Member

Rank: Omicron


 
Join Date: May 2004
Location: Russia
Posts: 65
08-04-2005, 10:43 AM
 
First part: C1 AntiBot-HowTo: Change Auth Server Encryption key (Network.dll)


In the first part we changed the LA2 C1 encryption key. Now we make a Network.dll reoptimisation and even a little more (compress it).

Last time we did a good job, changing the encryption key (token), but several programs can now extract it automatically from Network.dll and use it for an out-of-game bot connection.
It is not good, because now the key change alone doesn't make any sense.

So, the next step after the key change is this:

1) Find some dll optimiser, for example PECompact2 v2.64.
2) Install it and run it.
3) Press "Browse for files" and find your changed Network.dll; after you add it to the file list, select and highlight it.
4) Press "Compress selected".

Now you have two files: a new small Network.dll, and the bigger old uncompressed Network.dll.pec2bac.

I tested this with several different parameters, and all works fine. From now on a bot/extract program can't get your key automatically, without reverse optimisation or a brute-force check of the token (20-bit key).

If you wish, you can go into the "Settings of selected" menu and adjust several parameters, but every time after that you must check your new Network.dll (simply try to connect and enter the game).

To Russians:

Using the PECompact2 v2.64 utility you can recompress Network.dll so that a malicious program cannot automatically find the key for connecting to the server in it. The program has a lot of settings; besides, there are other DLL optimisation programs, and by using them we slightly increase the number of steps needed to extract the key. All such programs that I have seen are based on the Windows LZ compression algorithm. That is, we are dealing with a reversible process, and the compressed parts of the library can be unpacked back, but writing an add-on for the bot that does this would still take some time. What we would really need is to find the entry point of the function that works with the key on the network packet, and redirect the part that pulls the key itself out of the text to another function where the key is assembled in a more complex way.

And if we take the easy but wrong path, we need a program like this: every time we start an autoloader, it downloads the new Network.dll that is current today for our server and copies it into system, replacing the old one. Then it launches the game. Something like GameGuard.

Last edited by KEMBL; 08-05-2005 at 12:03 PM.
 
 
Member

Rank: Omicron


 
Join Date: May 2004
Posts: 36
08-04-2005, 04:42 PM
 
In general, that first time was already enough to cut off external bots. Now everyone uses in-game bots. It would be good to discuss catching in-game walkers and so on now.
 
 
Monster Member

Rank: New Blood


 
Join Date: Apr 2005
Location: Other
Posts: 176
08-04-2005, 04:56 PM
 
Nice post ~ Thank you ^^

Tested and working in under 2 minutes :)
 
 
Average Member

Rank: Omicron


 
Join Date: May 2004
Location: Russia
Posts: 65
08-05-2005, 09:49 AM
 
Solution there
 
 
Newbie

Rank: Omicron


 
Join Date: Jan 2005
Location: AL
Posts: 9
08-05-2005, 11:21 AM
 
Just bear in mind that the keys are already being searched for in memory, not in the dll, and in memory it is always unpacked.
 
 
Average Member

Rank: Omicron


 
Join Date: May 2004
Location: Russia
Posts: 65
08-05-2005, 11:59 AM
 
Next idea: when a gamer is in game, from time to time a random numeric string appears in front of him.
If the player enters it into the general game chat within 5 or 10 minutes, then they are not a bot )

This idea has a very simple automatic solution:

1) Add a numeric string in front of the player's nickname
2) Wait 5-10 min while the player enters it
3) Replace the string with the old one, and kick the player if 2) did not happen

Any corrections?
 
 
Member

Rank: Omicron


 
Join Date: Apr 2005
Location: Russia
Posts: 46
08-06-2005, 08:30 AM
 
About external bots and 2 servers with the same id: try to add the first server as 0.0.0.0 instead of 127.0.0.1 and external bots cannot get in :) but the user needs to select server 2 in testing mode.

Note: with the 127.0.0.1 ip in the db any user may forward local port 7777 to port 7777 on a remote ip with no problems; in that case I don't know how to do that :)

2KEMBL: I think there needs to be a bot that, 5-10 min after login, types to the user in private something like: "hello! 5+7-1=? reply to me, if not your account will be banned for 24 hours" :)
 
 
Newbie

Rank: Omicron


 
Join Date: Jul 2005
Posts: 2
08-08-2005, 04:02 PM
 
Quote: Originally Posted by juster
In general, that first time was already enough to cut off external bots. Now everyone uses in-game bots. It would be good to discuss catching in-game walkers and so on now.
Impossible in principle. Or patch Network.dll to detect certain processes in memory.
 
 
Opus Dei

Rank: Member


 
Join Date: May 2004
Posts: 286
08-09-2005, 01:03 PM
 
This is very useful, stickied; I'll also try to merge it with your other thread.
 
 
Ultimate Member

Rank: New Blood


 
Join Date: Aug 2005
Location: Greece
Posts: 152
08-10-2005, 04:47 AM
 
1st: You can dump the dll from memory, even the most compressed and protected one, and get the hash key. Just wait until L2.exe goes to the login screen (the dll is fully decrypted there, we don't need its IAT table etc.), then dump the dll with yoda's LordPE. Search for the hash, bla bla. Tested with PECompact, Armadillo, ASPack/ASPr, UPX and some other packers.
2nd: You can patch l2walker (out-of-game) in memory and change its default hash key (2 times in the memory image) and play as normal as before. I know that this way works as I did it before.
3rd: You forget the sounds in some bots like l2walker, so sending messages is not the way.
4th: You can code a proxy that enters the second testing server where the bot can't, and emulates the packets needed for the bot to operate (something hybrid like muhax; all you need is the l2j code).

Sorry, but these solutions are for kids. What you need is a program that:
a) protects the l2 files from editing by hex or memory editors
b) checks for debuggers and dumpers
c) checks for various cheats
d) changes the hash key in memory
e) encrypts the packets in the client (using hooks in the winsock dll functions to preserve the ip of the user) and decrypts them in the server
f) reports back to the server if it finds anything suspicious

and keep users' privacy in mind!!!
 
 
Newbie

Rank: Omicron


 
Join Date: Nov 2004
Posts: 7
09-15-2005, 06:01 PM
 
That's why GameGuard was bundled with L2, right?
 
 
Ultimate Member

Rank: New Blood


 
Join Date: Aug 2005
Location: Greece
Posts: 152
09-16-2005, 04:20 PM
 
For some parts, yes. But GameGuard can be disabled very easily.
 
 