TL.exe hacking one more try...

Joined
Feb 2, 2012
Messages
412
Reaction score
249
*rofl*
more Tera launcher hacking...^^
so far I re-created the LauncherWindow and Loading of the CopyCub.dll ^^
but i am stuck at the moment...
but else i am very lucky.. the more mistakes i make the more i learn from the function how the
tera launch process is really working.. i know it already in my head but somehow it doesn't work with the
SendCopyData WinApi as i planned...

PS: I hate C++
C# is a much smoother language, i think i will port it to unmanaged C# when it works...

Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
So I was coming on this forum after several months because I am trying to code a Tera launcher.. And I thought I might check existing projects, what a lucky day, you are on it at the exact same moment!
Anyhow, I am not sure what you are doing exactly (I guess you coded launcher https transfers and now try to launch the standard tl.exe?)

What I have :
I am at ease with c++ (it's my main language)
I know how to suspend themida functions from tl.exe + TERA.exe so that you can use procmon (that didn't help me tho).
I have the TeraLauncher https transfers working, thus I get my login ticket and account master name.
I have reversed the wm_copydata messages, launcher sends 3 to TL.exe.
I am in process of reversing the Launcher.exe <--> TL.exe relationship
1/Launcher starts process TL.exe with CreateProcess in a suspended state.
2/Launcher resumes the TL.exe first thread.
... Some stuff happens here, not sure what exactly
3°/Launcher sends TL.exe copydata messages as such :
1:
Hello!!
size: 0x8
data type: 0x0dbadb0a

2:
0x34
data type: 0x00000002

3:
{"last_connected_server_id":40xx,"chars_per_server":{},"account_bits":"0x00000000","ticket":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","result-message":"OK","result-code":200,"user_permission":0,"game_account_name":"TERA","access_level":0,"master_account_name":"xxxxxxxxx"}
size: 0x11d
data type: 0x04


My problem is that when I launch TL.exe right now, it gives me SSNL error (I am guessing it is because I need to create the adequate window on my launcher for TL.exe to communicate to, the window that probably has one of these names):
SSNHostWindow
???????d???!???????? <- this one does most of the work
I am currently reversing the callback method TL.exe passes to enumwindows, what I know so far :
The call to enumwindows (which passes the callback method) is done at RVA 0x183EA.
The routine passed does this :
For each window on the desktop, it gets the class of the window name, it gets the length of this name and it compares it with EME.LauncherWnd if it is NA's launcher.
If the class name matches, TL.exe will compare the PID of the owner of this window to the PID of its parent process. If the PIDs don't match, we get SSNL error, if they match, TL.exe saves the handle of the TERA launcher window here : DS:[A2F11C]

If all tests fail, TL.exe will throw a messagebox "Can't find SSNL".
If all tests are passed, TL.exe will send the message wm_copydata with "hello!!" to the launcher, if this function returns 0 TL.exe will say that the launcher was terminated.
If the message was correctly sent, TL.exe will wait for the launcher's copydata msgs.

Edit :
I can now trick my TL.exe into sending me messages, I'm tired af and will go sleep on that :sleep:
 
Last edited:
Joined
Feb 2, 2012
Messages
412
Reaction score
249
wow nice to hear that... i want to do the exact same thing.. sending the message to the original tl.exe..
because of this i recreated the Window Classes with the same names as in the original launcher...
Main Window as GUID + _SSNSkinWindow....

i already tried it a few months ago with c# but i couldn't manage the Launcher <-> TL communication process with the WM_COPYDATA
so i tried it now with c++ but i'm not so familiar with c++, i love c# more, so i hope i can get the send process to work with c++
1 Hello
2 SLS
3 Login Parameters

when it's all working i'll try to convert it to unmanaged c#

and the copycub.dll thing is, i think it's the DLL that creates the ID from the LauncherWindow to get recognized by the TL.EXE as _SkinWindow
so i try to rebuild the Loading and Initialize function from this DLL...
Interop_CreateInstance() but for now the loading with LoadLibraryW works.. but it stops in the debugger with Initialize failed...
 
Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
> i already tried it a few months ago with c# but i couldn't manage the Launcher <-> TL communication process with the WM_COPYDATA
Did you go as far as getting an answer from TL.exe ?

Right now, TL.exe recognizes my launcher and initiates contact with "hello!!", I answer the same, then TL.exe sends me "slsurl" and I answer "http://sls.service.enmasse.com:8080/servers/list.en"
Then TL.exe sends me "endPopup(273)" and I send the ticket.
Tera doesn't launch so I am still reversing.
What I want to get today : I want the RVA of the windowproc method passed to registerclass from original TERA launcher and reverse it.
Then I probably will do same with TL.exe (so far I have reversed only the enumwindowproc method passed to enumWindows from TL.exe to ID if its parent process).

Edit :
AOB signature for windowproc method passed to register class EME.LauncherWnd :
558bec518b4d0c53565783
 
Last edited:
Joined
Feb 2, 2012
Messages
412
Reaction score
249
i ported it now so far to c# ^^

and get on the Send Process a response..
first i had...
SendMessage(WM_COPYDATA) failed w/err 0x578

now i am on 0x00000057 response from GetLastError()
ERROR_INVALID_PARAMETER

i don't know if you have the tera error codes... but it seems you are on the right way....
LAUNCHER_ERROR.set('x273','SLS 錯誤');// 273 : SLS error

seems your problem is somewhere at the Serverlist part...
 
Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
> i ported it now so far to c# ^^
>
> and get on the Send Process a response..
> first i had...
> SendMessage(WM_COPYDATA) failed w/err 0x578
>
> now i am on 0x00000057 response from GetLastError()
> ERROR_INVALID_PARAMETER
>
> i don't know if you have the tera error codes... but it seems you are on the right way....
> LAUNCHER_ERROR.set('x273','SLS 錯誤');// 273 : SLS error
>
> seems your problem is somewhere at the Serverlist part...

Yes,
I am surprised, I don't understand why TERA-launcher.exe sends "http://sls.service.enmasse.com:8080/servers/list.en" to TL.exe
TL.exe does not open internet connection it doesn't need this url.
I do not understand how TERA-launcher.exe gives all of this information to TL.exe :
<server>
  <id>4009</id>
  <ip>208.67.49.68</ip>
  <port>10001</port>
  <category sort="1">PVE</category>
  <name raw_name="Celestial Hills - Roleplay">
    <![CDATA[ Celestial Hills - Roleplay ]]>
  </name>
  <crowdness sort="1">None</crowdness>
  <open sort="3">High</open>
  <permission_mask>0x00000000</permission_mask>
  <server_stat>0x00000000</server_stat>
  <popup>
    <![CDATA[ This server isn't up yet! ]]>
  </popup>
  <language>en</language>
</server>
But I am convinced that it does somehow. maybe in a file on disk ? i need to look into that. We are lucky TL.exe isn't packed, some IDA might come in handy later if i don't progress
 
Joined
Feb 2, 2012
Messages
412
Reaction score
249
the tl.exe doesn't open any web address...
but so far i understand...

the TL.exe only takes the start parameters like in a container...

but on GameStart when the TL.exe executes the TERA.exe
the TERA.exe takes the SLS url from the TL.exe
to know where the serverlist is..
 
Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
After some more research I have understood :D It is TL.exe that opens the connection to sls servers. But the connection is so short in time that most sniffers/TCP tools won't see it, however with procmon driver you can see that TL.exe is the process getting server list.
So this solves this mystery
Now i think i am really close
 

Joined
Feb 2, 2012
Messages
412
Reaction score
249
good to hear...
but i am stuck at this 0x57 parameter error...^^

i think the error comes from the wrong wParam i use....?
on what do you send it in your code?
 
Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
LRESULT CALLBACK pWndProc(HWND hwnd, UINT Msg, WPARAM wParam, LPARAM lParam) {}
SendMessage((HWND)wParam, WM_COPYDATA, (WPARAM)hwnd, (LPARAM)&Hello)
You only answer to TL.exe
TL.exe initiates conversation with Launcher.exe, so you can't really have WPARAM wrong because you get it from the procedure you passed to RegisterClassEx.
As for the WM_COPYDATA bytes, i gave them all here :

1:
Hello!!
size: 0x8
data type: 0x0dbadb0a

2:
0x34
data type: 0x00000002

3:
{"last_connected_server_id":40xx,"chars_per_server":{},"account_bits":"0x00000000","ticket":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","result-message":"OK","result-code":200,"user_permission":0,"game_account_name":"TERA","access_level":0,"master_account_name":"xxxxxxxxx"}
size: 0x11d
data type: 0x04


Real question is, do you receive "Hello!!" from TL.exe or not yet ?
If the answer is no, stop working on message, it means TL.exe does not accept your window class
 
Joined
Feb 2, 2012
Messages
412
Reaction score
249
i think that's my problem... The Classname is not right... i only have the title in the C# version...
i'll try it on the c++ till i get a response..

The Classname in C# could not be changed easily...
 
Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
Ok so I have reversed Normal conversation and it's like this :
TL.exe -> "Hello!!" Launcher.exe
Launcher.exe ->"Hello!!" TL.exe
TL.exe->"slsurl" Launcher.exe
Launcher.exe-> "http://sls.service.enmasse.com:8080/servers/list.en" Launcher.exe : This is chromium talking to inner EME window
Launcher.exe-> "http://sls.service.enmasse.com:8080/servers/list.en" TL.exe

case 1 : something went wrong (TL.exe has a timeout function to receive data and it did not get it)
TL.exe->"endPop(273)"Launcher.exe
TL.exe closes, failure to login

case 2 : all good
TL.exe->"gamestr" Launcher.exe
Launcher.exe->"{"last_connected_server_id":4024,"chars_per_server":{},"account_bits":"0x00000000","ticket":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","result-message":"OK","result-code":200,"user_permission":0,"game_account_name":"TERA","access_level":0,"master_account_name":"xxxxxxxxxx"}"TL.exe


My problem : I always get Popup(273), I am trying to reverse TL.exe to find this timeout function.
this poop is hard as duck
 
Last edited:
Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
Have made some progress.. So it's like I thought, because Bluehole is coding TL.exe and they don't want to do the same work 10 times, every launcher uses the same window class.
So for you this means that even if you work on EU launcher, you simply need to create a window with EME.LauncherWnd class.
I will give you a little help with the code :

HINSTANCE hInstance = GetModuleHandle(NULL);
WNDCLASSA WndClass = {};  // ANSI variant, to match RegisterClassA
WndClass.style = CS_HREDRAW | CS_VREDRAW; // == 0x03
WndClass.lpfnWndProc = pWndProc;
WndClass.cbClsExtra = 0;
WndClass.cbWndExtra = 0;
WndClass.hIcon = 0;
WndClass.hCursor = 0;
WndClass.hbrBackground = (HBRUSH)COLOR_WINDOWFRAME;
WndClass.lpszMenuName = 0;
WndClass.lpszClassName = "EME.LauncherWnd"; // must match the class name passed to CreateWindowExA
^This is the exact same as created from EME launcher (reversed with olly).
DWORD style = WS_OVERLAPPEDWINDOW; // == 0x00CF0000, the value the message below expects
if (RegisterClassA(&WndClass)) {
    cout << "class registered. Hinstance : " << hInstance << " style : (expect 0xcf0000) " << std::hex << style << endl;
    // 0x80000000 == CW_USEDEFAULT for position and size
    HWND hwind2 = CreateWindowExA(0, "EME.LauncherWnd", "EME.LauncherWnd", style, 0x80000000, 0x80000000, 0x80000000, 0x80000000, NULL, NULL, hInstance, NULL);
    if (hwind2 == 0)
        cout << "Couldn't create window" << endl;
    else
        cout << "created window" << endl;
}
You just need to create a callback method for receiving messages, then start TL.exe with ur process and u ll receive "hello!!"
I am doing progress (only working on IDA for now) but i am still stuck at Popend(273)
 
Joined
Feb 2, 2012
Messages
412
Reaction score
249
i already managed the send process yesterday. IResult : 1
i know its right cause i played a bit with the original launcher..^^
i started the original tera-launcher and gone till the login...
so the TL.exe was loaded and started up...
i then created the WMCopyData .. and had a very nice look with Spy++ that the Send Process was really done...
i stepped to take 3 buttons...
Hello, SLS and the GameStr, everything worked fine so far.. but the game didn't start automatically after the gamestr was sent..
and so i've done a bit more research.. tried WinDbg and some HideWindow tools..
as you will see.. after the TERA-Launcher starts... it creates a hidden window instance with the name EME.LauncherWnd
the MainWindow of the Launcher is called GUID_SSNSkinWindow, after the start up it creates another hidden instance called
SSNHostWindow...
the TeraLauncher Skin Window gives reaction to the SSNHostWindow... the HostWindow is working as or through the EME.LauncherWnd
what starts up the TL.exe, the TL.exe has another Thread Instance as LAUNCHER_WINDOW/LAUNCHER CLASS
as you see launcher.exe -> creates EME .. TL.exe creates LAUNCHERWINDOW.. mm EME gets data from LAUNCHER_WINDOW processed through the SSNHostWindow..

after i realized that and had the SendMessage Process now in C# working
i've done yesterday the WindowClass problem so far.. i've created a Win32 Window over CreateWindowEx and unmanaged/DllImport
so far i have now the SendProcess in a project and the Window with the correct Title/ClassName in another project...

i will start putting them together today..
lets see if im getting more reaction as IResult : 1

my other problem was
when starting the TL.exe getting an SSNL error or in Suspended mode there was no reaction.
but i think i know ..it was not the correct classname.. to get the hello response...^^



i think i got it... communication seems to work
TL.exe responses...^^

Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
Great!
> when starting the TL.exe getting an SSNL error or in Suspended mode there was no reaction.
> but i think i know ..it was not the correct classname.. to get the hello response...^^

Yep.
I also have the 3 windows.

EME.LauncherWnd
0D663844-9692-46E5-8151-A6B19A07BF08_SSNSkinWindow
SSNHostWindow

But TL.exe wont send gamestr yet !:glare:
Edit :
Thanks for spy++ i didn't use it and it's very good !
Also your crash Launcher terminated, this happens when TL.exe sendsMessage to launcher and return value of sendmessage is 0 (message not processed so TL.exe thinks launcher is closed)
 
Last edited:
Joined
Feb 2, 2012
Messages
412
Reaction score
249
i like spy++ and i tried WinDbg a few weeks ago when i tried to unpack a DLL.. i can prefer it to ...
and yeah i got the crash message from the Launcher Window because i received the Hello but haven't sent anything back till now...
i'm doing the Receive Process now.. but have to rebuild my CopyDataStruct because i only have the Sending Structure...
my Receive was only a Result (true/false) in the Sender project...

i don't know if i told you i tried it with the original Launcher started.. so the Hello and else was sent...
i replaced from Spy++ the handle window to send in my Sender project and sent my own messages
i got from the SLS to the GameStr,, but the game has not started... but it had to because the Hello and else was sent from the original launcher
i only switched between...
so i'm thinking after the gamestr maybe we need another SendMessage
for the launching
i hope not because i haven't seen till now in any debugger or else that after the SendMessage game_str...
anything else was sent, only this Copycub dispatch...
so i think when the game doesn't run after sending the gamestr we will have another problem...
but i hope not...



got it...^^
i had a few problems at the sls url.. because my WM_copydata always returned 0x0 .. false back..
but the hello process didn't have any problems
it switched over to the sls url but there it stopped because of a false return...

im going now for a coffee break.. and then back to the game_str thingy... ^^




lol....
i added now message display to and...
welcome...

same error as you...
Message: slsurl
Send SLS Url From: 0x1c1722 to: 0xf1578
Rcvd From hWnd: 988536(0xf1578)
pcds: 99280792(0x5eae798)
dwData: 0(0x0)
cbData: 13(0xd)
lpData: 88598624(0x547e860)
Message: endPopup(273)



*lol*
i think i switched the serverlist problem but i'm not sure if the problem is solved...
endpopup is transfer error...

after msg 0x02 serverlist always comes msg 0x0 endpopup(273)
i put the serverlist send in to send it twice
after the second time it jumps over to request game_str msg 0x4

now i'm sending gamestr.. as msg 0x4 not 0x3 back...
but the mouse cursor only blinks for a millisecond...

it looks like the same error with the other starters when it tries to run the game and the logo should appear...
it only blinks and stops there now...
maybe the game_str is wrong because of the "".... parts
or it's the serverlist problem loading to start
need to try more things...



lol
okay i think i know how the poop really works now...
when i'm right we don't even need the TL.exe
because the TL.exe does the same game with the TERA.exe.. like the launcher with the TL.exe

Launcher(EME) > WM_COPYDATA > TL.EXE(LAUNCHER_CLASS) > WM_COPYDATA > TERA.exe

so if i'm right we don't need the EME... we call our starter direct LAUNCHER CLASS and do the same.. as like with the Launcher before
CreateProcess TERA.exe and give parameters to Tera.exe direct...

because of this the TERA.exe gives us like the TL.exe an error when we start it direct...
the TL.exe gives SSNL Error because it needs the EME Window... and TERA.exe gives the Please start game with Launcher Error because it needs the LAUNCHER_CLASS Window...

i will try that tomorrow.. copy the project and renaming the EMEWindow to LAUNCHER_CLASS and calling the TERA.exe and not the TL.exe
 

Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
mmmm this is interesting.
So you say if we send serverlist 2 times, we get gamestr ? well doesn't change for me, still no gamestr
 
Last edited:
Joined
Feb 2, 2012
Messages
412
Reaction score
249
so i tried to rename it... but it seems that is maybe not possible because the TERA.exe is packed. the messages i get are only some crippled poop...

so i tried to catch the TL to Exe but it's very hard, after clicking on start in the launcher the TL.exe opens and closes a few seconds when the game is started...
but i got spy++ to attach to the process but i think i'm missing some data before...
i only caught a few... when the warp screen in tera comes up..

but i found out the structure for sending is...

TERA-Launcher.exe:
Title: EME.LauncherWnd
Class: EME.LauncherWnd
sends WM_CopyData -->

TL.exe:
Title: LAUNCHER_WINDOW
Class: LAUNCHER_CLASS
sends WM_CopyData -->

TERA.exe
Title: S1GAME_WINDOW
Class: S1GAME_CLASS

when you are inGame and go back to the Serverlist i caught that the Game sends to the TL.exe "ticket" as like to refresh the account things -->
S1GAME_WINDOW > sends WM_CopyData to LAUNCHER_WINDOW

and so on.. it seems it's a tri-game between these 3 windows...
Launcher(Front) - Starter(Back) - Game

PS:
and yes it worked to start the TERA.exe
as renamed to LAUNCHER_WINDOW and starting TERA.exe with CREATEPROCESS
like the TL.exe before... the TERA.exe game starts to run without a Please start game with launcher error.. but i only see the WindowBorders.. and nothing happens...
it may be possible to start tera.exe this way, when we got the correct start parameters
or i don't know, unpacked.. i think it's because of the Winlicense/Themida that the messages are crippled
 
Last edited:
Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
Update :
I was gone 5 days skiing, got back, made progress.

TLDR :
I got rid of endpop273, reversing TL.exe with IDA taught me the problem was in my window procedure. TL.exe's procedure will replymessage (1) and then process msg, we need to do the same.
My problem was I processed hello!! too soon and did not let TL.exe's sendmessage(hello!!) return before they get my sls.
So TL.exe wasn't ready to get sls (even if it asked with slsurl message).
I also reversed the timer functions.
I also patched the TL.exe binary so that it doesn't check if the EME.LauncherWnd's process owner is the process that created TL.exe.
This means it's easier to reverse TL.exe because I can just double click TL.exe and it'll send msg to all EME.LauncherWnd windows even if they are not from parent process.
Time to go to bed but i expect great process from now on

Edit :
the slsurl message is recognized and TL.exe gets the serverlist from enmasse.
It appears for now my game ticket isn't recognized as valid, will work on it tonight
(I am stuck at endpop 274).
 

Last edited:
Newbie Spellweaver
Joined
Apr 20, 2015
Messages
16
Reaction score
0
Okay. I am finished, My launcher now works and TERA.exe starts and logs in correctly, i can then play the game on official servers.

The last problem was in the last message (the message type is 0x03)
3°/Launcher sends TL.exe copydata messages as such :
1:
Hello!!
size: 0x8
data type: 0x0dbadb0a

2:
0x34
data type: 0x00000002

3:
{"last_connected_server_id":40xx,"chars_per_server":{},"account_bits":"0x00000000","ticket":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","result-message":"OK","result-code":200,"user_permission":0,"game_account_name":"TERA","access_level":0,"master_account_name":"xxxxxxxxx"}
size: 0x11d
data type: 0x03

If you need it I can upload the project on my github (its a msvc c++ project with 1 file and 333 messy code lines).
 
Last edited:
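
The three-message WM_COPYDATA sequence posted in this thread, checked from the receiving side: type, size, NUL termination and order. This is an added example, not code from either poster or from the launcher; the `CopyData` struct, the state names, the `http://` prefix check and the 4096-byte cap are assumptions made for the example, and the JSON payload is a constructed placeholder.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Mirrors the three fields of a Win32 COPYDATASTRUCT (assumed layout for this example).
struct CopyData {
    uint32_t    type;  // dwData: message type
    uint32_t    size;  // cbData: payload bytes, including the trailing NUL
    const char* data;  // lpData: payload
};

// Type values as posted in the thread.
constexpr uint32_t TYPE_HELLO   = 0x0dbadb0a;
constexpr uint32_t TYPE_SLS_URL = 0x00000002;
constexpr uint32_t TYPE_GAMESTR = 0x00000003;
constexpr uint32_t MAX_PAYLOAD  = 4096;  // assumption: cap chosen for this example

enum class State   { ExpectHello, ExpectSlsUrl, ExpectGameStr, Done };
enum class Verdict { Accept, BadSize, NotTerminated, BadType, BadPayload };

// Validate one message against the expected step; the state advances only on Accept.
Verdict check_message(State& st, const CopyData& m) {
    if (m.data == nullptr || m.size == 0 || m.size > MAX_PAYLOAD)
        return Verdict::BadSize;
    // The payload must be exactly one C string: its first NUL is its last byte.
    if (std::memchr(m.data, '\0', m.size) != m.data + m.size - 1)
        return Verdict::NotTerminated;
    switch (st) {
    case State::ExpectHello:
        if (m.type != TYPE_HELLO) return Verdict::BadType;
        if (std::strcmp(m.data, "Hello!!") != 0) return Verdict::BadPayload;
        st = State::ExpectSlsUrl;
        return Verdict::Accept;
    case State::ExpectSlsUrl:
        if (m.type != TYPE_SLS_URL) return Verdict::BadType;
        if (std::strncmp(m.data, "http://", 7) != 0) return Verdict::BadPayload;
        st = State::ExpectGameStr;
        return Verdict::Accept;
    case State::ExpectGameStr:
        if (m.type != TYPE_GAMESTR) return Verdict::BadType;
        // Shape check only; a real receiver would parse the JSON.
        if (m.data[0] != '{' || m.data[m.size - 2] != '}') return Verdict::BadPayload;
        st = State::Done;
        return Verdict::Accept;
    case State::Done: break;
    }
    return Verdict::BadType;  // nothing is expected after the game string
}

// Constructed sample payloads (the ticket value is a placeholder).
static const char HELLO[]   = "Hello!!";
static const char SLS_URL[] = "http://sls.service.enmasse.com:8080/servers/list.en";
static const char GAMESTR[] = "{\"ticket\":\"PLACEHOLDER\",\"result-code\":200}";

// Feed a sequence through the checker; returns how many messages were accepted.
std::size_t accepted_prefix(const CopyData* msgs, std::size_t n) {
    State st = State::ExpectHello;
    std::size_t i = 0;
    while (i < n && check_message(st, msgs[i]) == Verdict::Accept) ++i;
    return i;
}

int main() {
    const CopyData good[] = {{TYPE_HELLO, sizeof HELLO, HELLO}, {TYPE_SLS_URL, sizeof SLS_URL, SLS_URL},
                             {TYPE_GAMESTR, sizeof GAMESTR, GAMESTR}};
    return accepted_prefix(good, 3) == 3 ? 0 : 1;
}
```

A game string sent with type 0x04 is rejected as `BadType` and the state does not advance, which is the mismatch the last post describes fixing.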