Bypass arc, run pwi without it

Initiate Mage
Joined
Jan 24, 2023
Messages
2
Reaction score
0
Hi there. The question is in the subject: has anyone tried to bypass it?

I found that the game runs with user & token param, so you can't log in by username & password in game; this token is generated, I think, on the server side.

Also, I found that Arc uses this address: login.core.perfectworld.com, as the endpoint for auth in Arc, and prepares some data before the game is run, so I think in the last packet we have the token inside, but it's encrypted.

Thank you for any info.
 
Banned
Banned
Joined
Dec 3, 2010
Messages
1,581
Reaction score
619
It's a server-side param: use_token_auth=0/1
As far as I know it's available from 1.5.3 -> up to date; I can also confirm another param in 1.6.2 -> 1.7.4 files, there is a unique arc poop
The token is generated in some kind of format like salt.username.username.password.currenttimestamp, and the salt is defined in a delivery param
 
Initiate Mage
Joined
Jan 24, 2023
Messages
2
Reaction score
0
It's a server-side param: use_token_auth=0/1
As far as I know it's available from 1.5.3 -> up to date; I can also confirm another param in 1.6.2 -> 1.7.4 files, there is a unique arc poop
The token is generated in some kind of format like salt.username.username.password.currenttimestamp, and the salt is defined in a delivery param

I found it in src, it's there from ~1.4.x
values 0, 1, 2
0 - use default login
1 - currently used in PWI - one-time token
2 - as I think, used by ruoff - 1 day token, I remember it from AutoLogin soft

Before we launch the game, Arc generates this token on the server side; it's not in delivery, as far as I see.
An external server-app is used (I think gauth, but a bit different); example of packets:



I decoded the packets a bit between Arc <-> server-app
1 s2c - is the RSA key
2 c2s - static data encoded with this key
3 s2c - response without body
4 c2s - I think login and password are here but I can't decrypt this packet, and it seems like it's not even encrypted (with RSA), because I send Arc my public key, and then I can't decrypt it with the private one, and also, if I send my RSA key, and then this packet, Arc accepts it without problems, so only packet 2 is encrypted with RSA
5 s2c - response also encrypted (like packet 4), I'm not here, but I think I need to solve step 4, and this will not be a problem


As I see, the token is checked by auth, not by the delivery service; the packet is called MatrixToken
the path is: game -> glinkd -> gdelivery -> gauth

The problem is that 1.2.6 or 1.5.5 gauth does not have handlers for this packet, and as a result does not have a function to see how it is inside
along with MatrixToken, there is not another handler called MatrixPasswd2

The server has a check lsm->GetAUVersion() == 0 (if/else), and based on this, the server chooses MatrixPasswd or MatrixPasswd2; there is also a check for a token.
 