Hi Milos,
I understand the concerns regarding the DomainCommand protocol (Mole). Let me explain how it works, and how to remove it:
Mole is a sneaky backdoor, which allows a fully authenticated attacker to spawn a shell running with root privileges, scary yes. However, Wanmei was careful in building it. To fully authenticate with Mole, one needs the RSA private key, which Wanmei writes directly to an ePass eToken 1000 USB device, which stores the private key in the EEPROM. To summarize, there is no way to acquire this private key, as it is never written to the HD, etc.
With that said... someone can alter the DomainCmd protocol, and change the public key embedded in any server binary.. allowing them to use their own private key.
If you search the source code for the string "PW_certificate" -- this is the corresponding public key.
Okay, so how do we remove this garbage period? I am going to detail this for everyone:
First, let's start with:
wnet/gdeliveryd/domaindaemon.cpp
Code:
void DomainDaemon::OnLogin(Octets& nonce, int _linksid, int _localsid)
void DomainDaemon::OnValidate(Octets& nonce, int _linksid, int _localsid)
void DomainDaemon::Process(int _linksid, DomainCmd& data)
void DomainDaemon::Deliver(DomainCmd_Re& data)
All four are void functions, simply delete all of the code inside, void will retn by default.
wnet/gdeliveryd/domaincmd.hpp
Code:
void Process(Manager *manager, Manager::Session::ID sid)
Again remove the one liner inside of the function.
wnet/gdeliveryd/debugcommand.hpp
Search for 10000: delete the entire case 10000 and the corresponding break.
wnet/gamedbd/domaincmd.cpp
Repeat the above instructions, removing the code inside of the void functions and replace the code inside of DomainCmd::Validate with... return false;
wnet/glinkd/domaincmd_re.hpp
wnet/glinkd/domaincmd.hpp
Again more void functions, I bet everyone can guess what to do here x)
wnet/glinkd/domainlogin.hpp
This is the first truly interesting one. As we can see, the following line is present in the file:
Code:
Octets data("$#))&*^(", 8);
A password required before the public/private key validation even takes place. Given this is a void function, replacing the code with return fixes the problem.
Fun for the reader:
We may even go as far as to remove 'domaincmd' from the rpcalls.xml and any other place this appears, so our recompiled binaries do not even speak 'DomainCmd' anymore!
So what is the real danger here? Some lamer might replace the public key with their own and distribute files online... (and they could do this with any PW/JD/FW/Seiya/Wulin) etc... giving the would be server owner a poisoned "gift".
Yet knowledge is power right? Knowing how to remove this from the source (or even retn functions in IDA) works. One could also just replace the public key with garbage text, sure.. I simply dislike having this protocol be operational period.
@Psytrac:
Yes... this I do agree with. Some will never think differently of me, this is their choice. Regardless, positive energy outweighs negative energy... anyone who does change their mind... I appreciate this. IMHO this outweighs the few who will always think "people never change".
With the above said:
I will reply again to this post with 20140109 (aka v262). Disclaimer: it has been *a long time* since I worked with this version. With this said, I will attach two copies of this source. One I know compiles, and one vanilla without modifications, so you may simply use BeyondCompare, etc. to locate any changes that were Aria specific.
I will also upload source of client, server side data, etc. My reply will come within a few hours.
Sincerely,
-Fyyre
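After stripping the DomainCmd code as laid out above, it helps to have a repeatable check that nothing speaking the protocol is left in the tree before recompiling. The script below is an added example and is not part of the original post or of the Wanmei sources; it greps a source tree for the marker strings the post itself names (the "PW_certificate" public key, the hard-coded password from domainlogin.hpp, and the 'domaincmd' rpcalls.xml entry, matched case-insensitively). The two sample trees it builds are constructed for the demonstration and only mimic the file layout named in the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a wnet source tree
# no longer contains the Mole/DomainCmd markers the thread names.

# mole_check TREE
# Exit 0 when no marker remains under TREE, 1 otherwise. Offending files are
# printed so they can be fixed by hand.
mole_check() {
    tree=$1
    patterns=$(mktemp) || return 2
    # One fixed-string pattern per line; single quotes keep "$#" literal.
    # 'domaincmd' is matched case-insensitively (-i) so it also catches
    # 'DomainCmd' in C++ and 'domaincmd' in rpcalls.xml.
    printf '%s\n' 'PW_certificate' '$#))&*^(' 'domaincmd' > "$patterns"
    hits=$(grep -rliF -f "$patterns" "$tree" || true)
    rm -f "$patterns"
    if [ -n "$hits" ]; then
        printf 'Mole markers still present:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_sample_trees
# Build two constructed trees for the demo: "vanilla" mimics the untouched
# source (markers present), "cleaned" mimics the tree after the removal steps.
# Prints the base directory.
make_sample_trees() {
    base=$(mktemp -d) || return 2
    mkdir -p "$base/vanilla/wnet/glinkd" "$base/cleaned/wnet/glinkd"
    # Vanilla: the hard-coded password line and an rpcalls entry (constructed)
    printf 'Octets data("$#))&*^(", 8);\n' > "$base/vanilla/wnet/glinkd/domainlogin.hpp"
    printf '<rpc name="DomainCmd"/>\n' > "$base/vanilla/wnet/rpcalls.xml"
    # Cleaned: body replaced by a bare return, protocol entry gone (constructed)
    printf 'void Process() { return; }\n' > "$base/cleaned/wnet/glinkd/domainlogin.hpp"
    printf '<rpc name="Other"/>\n' > "$base/cleaned/wnet/rpcalls.xml"
    printf '%s\n' "$base"
}

base=$(make_sample_trees)
if mole_check "$base/vanilla"; then
    echo "unexpected: vanilla tree looks clean"
fi
if mole_check "$base/cleaned"; then
    echo "cleaned tree is free of Mole markers"
fi
```

Run it against the real checkout with mole_check wnet instead of the sample trees; a non-zero exit means a file still references the protocol and the removal is not finished.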

Originally Posted by Milos
Well for me having a fully working 262 with all sources would motivate me to learn how to code, which could help me advance in real life as well. My friends and I might also figure out how to remove the mole, we've learned recently that the mole tool, usbkey, etc. have all been released onto various forums, which means anyone that manages to find it all and put it together can now use it to attack any server that is on the internet with the mole not removed. If this is not enough reason for me to have it then I guess I don't deserve it and will continue on playing on my PW server that I also do not have source for and thus will never connect to the internet for the same reason.