Everdump



Viper
04-12-2009, 07:53 PM
What stopped this from working? I think it was because Acid changed stuff after he went to work for the man, BUT what I want to know is: how is there a current tool that works like it did? Apparently Acid is still out there, or someone was able to reverse it like he did. I tried to reverse engineer the program that *does* work, but it is a bit over my head, and the best I could do, which isn't much, is dump the raw UDP packets and that is it. When I look at the raw packets I see one packet that is the same in the working program and my snooping program, and that is "Server Keygen Request", but I am having a dog of a time trying to figure out the keys part from the client.

-- Server Keygen Request --
0000: 00 09 00 00 02 52 00 00 00 03 1E 0B CC 22 41 CA .....R......."A.
0010: 56 AE 40 AC F5 D4 0E 94 F9 16 7C 11 69 37 BC 46 V.@.......|.i7.F
0020: 92 BE D2 DB B9 AB 6F 8E 17 EA E4 8C E6 81 9A 76 ......o........v
0030: EF 2F F1 B6 0C 99 1C 8C CD 14 6C 63 F3 A7 5C 50 ./........lc..\P
0040: 20 7C 9A 49 78 C6 14 00 1A F9 77 01 8F 4E 69 BC |.Ix.....w..Ni.
0050: C8 1C 3C DB 2A E0 7C F2 9A 26 FF 01 00 00 00 23 ..<.*.|..&.....#

-- Client Keygen Response --
0000: FF FF FF FF 52 00 00 00 02 B4 D6 86 D9 9E 9F 0A ....R...........
0010: EF 9B 26 86 A0 95 31 E8 CF F6 F4 FF 44 A9 D9 1D ..&...1.....D...
0020: 50 F3 33 02 35 2C 3F 1D 87 08 3F 7D 60 0C C5 39 P.3.5,?...?}`..9
0030: D9 DA D2 FC 5C 01 5B AB 2E 6D 23 AF 53 6E 83 4A ....\.[..m#.Sn.J
0040: DB 1D A2 3F 1B 6C B6 68 CC 48 A5 9B A1 27 AB 29 ...?.l.h.H...'.)
0050: A9 9B E0 07 6F 98 89 00 41 97 ....o...A.

The first one I get, but I do not get that part from the client. I suspect it is because that part has the key intermixed in. I think the FF FF FF FF means it is in the clear, but I'm not 100% sure on that.

Anyone have any ideas or am I the only one around anymore that is messing with this stuff?

ieatacid
04-12-2009, 09:00 PM
What program currently works for this? I'd be curious enough to have a look at it.

ieatacid
04-12-2009, 09:01 PM
By the way, I saw you in IRC. You can't ask a question and expect an immediate answer. If you had stuck around for a bit I'd have seen it about 15 minutes later and we'd be chatting there right now :)

Viper
04-12-2009, 09:36 PM
Sorry about that I was late for dinner and the wife was waiting for me.

unknwon
04-13-2009, 06:43 AM
Reversing the key is not hard at all. The eq2emulator project has a working closed-source packet scanner that is currently working; I've also redone Acid's source code to work too.

You'll have a hard time getting anyone to share how to get the key; it took me 2 months to determine how to get the key. The reason no one is sharing the information is that you could easily write a login (user/password) stealer once you know how to get the key.

I'll give you a couple of hints: the key changes on each login and on each zone.

Viper
04-13-2009, 08:51 AM
> Reversing the key is not hard at all. The eq2emulator project has a working closed-source packet scanner that is currently working; I've also redone Acid's source code to work too.
>
> You'll have a hard time getting anyone to share how to get the key; it took me 2 months to determine how to get the key. The reason no one is sharing the information is that you could easily write a login (user/password) stealer once you know how to get the key.
>
> I'll give you a couple of hints: the key changes on each login and on each zone.

Well, I notice that it does change; it has changed twice on me just logging in.

Where I am stuck at is knowing when and where the key is. Is it compressed or still in the open? Do I need EQ2's exe at all to figure out the key?

"eq2emulator project has a working closed source packet scanner that currently working" is exactly what I am using, and I am reverse engineering it, but I find it odd that they grab 27 bytes from the process and actually write ANYTHING into EQ2's process. Is that writing part necessary?

I have a copy of Acid's Everdump and he never wrote in the memory but he grabbed the key out of the exe, I believe, but that was changed.

As far as login passwords etc... that would be stupid, but I have seen people do worse than that. I have no idea why they would want to, but to each their own I suppose. What sucks is that jackasses like that are what gets the free flow of information squashed.

I will tell you and everyone else that if I crack this I will freely give the information with source code to the world. If someone tells me how to do it then it is up to them and I would abide by their wishes but if I do it then the devil (and SoE) be damned because this information will not be stifled any longer.

unknwon
04-13-2009, 09:27 AM
Not sure why eq2emulator is writing to the eq2 process; my key grab doesn't read memory or read from the eq2 client.

I'd love to release my capture program, but I'm too worried about others using it to create password stealers or worse. I know it's hard getting any information about eq2; when I was writing my WoW radar program, you could find tons of information on the web about the memory structure and packets. But for eq2 there's nothing.

The sad thing is I had a working copy of the myseq2 source when it first came out, but deleted it when I stopped playing eq2. When I started playing eq2 again, I found that myseq2 was no more. That'll teach me not to keep backups. :(

Viper
04-13-2009, 09:35 AM
> Not sure why eq2emulator is writing to the eq2 process; my key grab doesn't read memory or read from the eq2 client.
>
> I'd love to release my capture program, but I'm too worried about others using it to create password stealers or worse. I know it's hard getting any information about eq2; when I was writing my WoW radar program, you could find tons of information on the web about the memory structure and packets. But for eq2 there's nothing.
>
> The sad thing is I had a working copy of the myseq2 source when it first came out, but deleted it when I stopped playing eq2. When I started playing eq2 again, I found that myseq2 was no more. That'll teach me not to keep backups. :(

Yeah, it sucks. :( I wish I had the right avenue, because I have spent over 100 hours so far trying to get this to work. I had to learn how to code for pcap first, but that took an hour or 2. The rest has been in eq2emulator and eq2 itself.

Man, I don't know if I can do this alone since I don't have a real bone to go on. Are the first 2 bytes still the same as they were when Acid was on this stuff? 00 09 means the server is asking me for a keygen, right?

unknwon
04-13-2009, 09:43 AM
No, 00 09 just means it's a data packet. If you haven't, read the following over at eq2emu: http://eq2emulator.net/phpBB3/viewtopic.php?f=3&t=1268

Also, if you find getting the key hard, just wait till you have to decode the packets afterwards. Some are compressed or XORed, some are both. :)

I'm thinking what I might do is change part of my program into a server/client application like the current MySEQ. I just need to split my capture program up; that way I'll be able to release just the server application and not have to worry about anyone using it to create a user/pass stealer. If I do it right, we might be able to use the current MySEQ client? Not sure about it yet; will have to look at the MySEQ server and client code first.

Viper
04-13-2009, 10:13 AM
Possibly. :)

Well, if you notice, that 00 09 above is preceded by the Server Keygen request, which must mean the keygen request was in that data? If that were the case, shouldn't the info be out in the open, since no keygen has been created yet, OR is there a default keygen that from then on out gets changed?

http://eq2emulator.net/phpBB3/viewtopic.php?f=3&t=369&p=9939&hilit=updating+opcodes#p9939

That link helps me immensely, but look at this:

0000: 00 09 00 02 04 00 05 10 02 00 00 00 08 00 00 00 ................
0010: 20 00 00 00 96 b0 de 43 b7 b4 a9 b7 37 58 86 b5 ......C....7X..
0020: ce 4f 14 1f 2f 35 4b a1 b5 31 aa 5d 5a ae 1e 02 .O../5K..1.]Z...
0030: d9 bf 85 90 ....

That example has a 04; 00 means clear and 01 means compressed, but what does 04 mean?
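The three dumps quoted in this thread (Viper's Server Keygen Request / Client Keygen Response pair earlier in the thread, and the 00 09 ... 04 packet just above) can be rebuilt from their hexdump text and inspected mechanically rather than by eye. The following is an added example, not code from the thread, from Everdump or from eq2emulator. It uses only the Python standard library. The field meanings it reports are the posters' own hypotheses as stated in this thread (00 09 = data packet per unknwon; byte 4 = 00 clear / 01 compressed and FF FF FF FF = in the clear per Viper), and the length-field comparison is a generic heuristic one applies to any unknown header, not a documented property of the EQ2 protocol.

```python
"""Added example (not from the thread): rebuild the packets pasted above from
their hexdump text and report the header bytes the posters argue about."""
import re
import struct
from typing import Dict, List, Tuple

OFFSET_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):\s*(.*)$")  # "0010: 56 AE ... V.@."
HEX_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")

# Dumps copied verbatim from the posts above; the last is Viper's "04" example.
DUMPS: Dict[str, str] = {
    "Server Keygen Request": r"""
0000: 00 09 00 00 02 52 00 00 00 03 1E 0B CC 22 41 CA .....R......."A.
0010: 56 AE 40 AC F5 D4 0E 94 F9 16 7C 11 69 37 BC 46 V.@.......|.i7.F
0020: 92 BE D2 DB B9 AB 6F 8E 17 EA E4 8C E6 81 9A 76 ......o........v
0030: EF 2F F1 B6 0C 99 1C 8C CD 14 6C 63 F3 A7 5C 50 ./........lc..\P
0040: 20 7C 9A 49 78 C6 14 00 1A F9 77 01 8F 4E 69 BC  |.Ix.....w..Ni.
0050: C8 1C 3C DB 2A E0 7C F2 9A 26 FF 01 00 00 00 23 ..<.*.|..&.....#
""",
    "Client Keygen Response": r"""
0000: FF FF FF FF 52 00 00 00 02 B4 D6 86 D9 9E 9F 0A ....R...........
0010: EF 9B 26 86 A0 95 31 E8 CF F6 F4 FF 44 A9 D9 1D ..&...1.....D...
0020: 50 F3 33 02 35 2C 3F 1D 87 08 3F 7D 60 0C C5 39 P.3.5,?...?}`..9
0030: D9 DA D2 FC 5C 01 5B AB 2E 6D 23 AF 53 6E 83 4A ....\.[..m#.Sn.J
0040: DB 1D A2 3F 1B 6C B6 68 CC 48 A5 9B A1 27 AB 29 ...?.l.h.H...'.)
0050: A9 9B E0 07 6F 98 89 00 41 97 ....o...A.
""",
    "Data packet with 04": r"""
0000: 00 09 00 02 04 00 05 10 02 00 00 00 08 00 00 00 ................
0010: 20 00 00 00 96 b0 de 43 b7 b4 a9 b7 37 58 86 b5 ......C....7X..
0020: ce 4f 14 1f 2f 35 4b a1 b5 31 aa 5d 5a ae 1e 02 .O../5K..1.]Z...
0030: d9 bf 85 90 ....
""",
}


def parse_hexdump(text: str) -> bytes:
    """Turn '0000: xx xx ... ascii' lines back into bytes.

    The ASCII column is not delimited, so each line's byte count is taken from
    the next line's offset; only the final line is read greedily (<= 16 tokens).
    """
    rows: List[Tuple[int, List[str]]] = []
    for line in text.splitlines():
        m = OFFSET_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2).split()))
    out = bytearray()
    for i, (offset, tokens) in enumerate(rows):
        if offset != len(out):
            raise ValueError(f"offset {offset:#06x} does not follow {len(out):#06x}")
        want = rows[i + 1][0] - offset if i + 1 < len(rows) else 16
        taken = 0
        for tok in tokens:
            if taken == want or not HEX_BYTE_RE.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
        if i + 1 < len(rows) and taken != want:
            raise ValueError(f"line {offset:#06x}: expected {want} bytes, got {taken}")
    return bytes(out)


def describe(pkt: bytes) -> Dict[str, object]:
    """Header fields as the posters read them (hypotheses, not a spec):
    unknwon: leading 00 09 = data packet; Viper: byte 4 is 00 clear / 01
    compressed, and a FF FF FF FF prefix means the packet is in the clear."""
    info: Dict[str, object] = {"length": len(pkt)}
    if pkt[:4] == b"\xff\xff\xff\xff":
        info["kind"] = "FF FF FF FF prefix (Viper: probably in the clear)"
        # Generic heuristic when guessing at a length field: does the little-
        # endian u32 right after the prefix equal the byte count that follows it?
        (u32,) = struct.unpack_from("<I", pkt, 4)
        info["u32_after_prefix"] = u32
        info["u32_matches_remaining"] = u32 == len(pkt) - 8
    elif pkt[:2] == b"\x00\x09":
        info["kind"] = "00 09 (unknwon: data packet)"
        flag = pkt[4]
        info["flag_byte"] = flag
        info["flag_meaning"] = {0: "clear", 1: "compressed"}.get(flag, "unknown (not 00/01)")
    else:
        info["kind"] = "unrecognised"
    return info


def analyse_all() -> Dict[str, Dict[str, object]]:
    """Parse and describe every dump in DUMPS."""
    return {name: describe(parse_hexdump(text)) for name, text in DUMPS.items()}


if __name__ == "__main__":
    for name, info in analyse_all().items():
        print(name, info)
```

Run it and the two 00 09 packets both come back with a byte 4 outside the 00/01 pair Viper expected (02 in the Server Keygen Request, 04 in the second dump), which is exactly the open question in the post above; the FF FF FF FF packet's u32 after the prefix (0x52 = 82) happens to equal the 82 bytes that follow the 8-byte prefix, which is the kind of coincidence worth testing against more captures before believing it is a length field.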

unknwon
04-15-2009, 09:11 AM
If the eq2emulator packet collector is writing to the eq2 client then they're using a detour to collect the key. I don't like this option, as it's easy for Sony to detect changes to the eq2 client. Also, they can easily change the function location in the client with each update.

I'm making progress on turning my collector into a server/client application. Still hoping to use the MySEQ client, less coding :) I just need to get my collector to send the data to the MySEQ client in the correct format.

Viper
04-17-2009, 12:24 PM
After a few days of digging I can attest that they throw an INT 3 (0xCC) into the EQ2 code. They also use heavily multitasking code, and it is very hard for me to follow multitasking code.

unknwon
04-17-2009, 01:50 PM
Well, I have meshed my packet capture with the MySEQ server and client; I'm just having problems getting my old struct to convert to the myseqserver class.

If someone can tell me how to make

#include <cstring>    // strncpy, strcpy
#include <string>
#include <windows.h>  // CHAR, FLOAT, DWORD, BYTE used by SPAWNINFO_SEND
using std::string;

struct Snpc
{
    int ID;
    string Name;   // std::string, not a char array
    FLOAT x;
    FLOAT y;
    FLOAT Z;
    int level;
    int HP;
};

into

class SPAWNINFO_SEND {
public:
    SPAWNINFO_SEND() {

    }
    // The poster's attempt at converting inside the copy constructor:
    // 'npc' is declared but never initialised, so every npc-> below
    // dereferences an indeterminate pointer (the defect being asked about).
    SPAWNINFO_SEND(const SPAWNINFO_SEND &s) {
        strncpy(Name, s.Name, 30);
        Snpc *npc;
        //Name = ((unsigned char)npc->Name);
        Y = npc->y;          // s.Y;
        Z = npc->Z;          // s.Z;
        X = npc->x;          // s.X;
        Heading = s.Heading;
        SpeedRun = s.SpeedRun;
        SpawnID = npc->ID;   // s.SpawnID;
        Type = s.Type;
        Class = s.Class;
        Race = s.Race;
        Level = s.Level;
        Hide = s.Hide;
        strcpy(Lastname, s.Lastname);
        flags = s.flags;
    }

    SPAWNINFO_SEND &operator=(const SPAWNINFO_SEND &s) {
        strncpy(Name, s.Name, 30);
        Y = s.Y;
        Z = s.Z;
        X = s.X;
        Heading = s.Heading;
        SpeedRun = s.SpeedRun;
        SpawnID = s.SpawnID;
        Type = s.Type;
        Class = s.Class;
        Race = s.Race;
        Level = s.Level;
        Hide = s.Hide;
        strcpy(Lastname, s.Lastname);
        flags = s.flags;
        return *this;
    }

    // Wire layout expected by the MySEQ client (fixed-size, no std::string)
    CHAR Name[30];
    FLOAT Y;
    FLOAT X;
    FLOAT Z;
    FLOAT Heading;
    FLOAT SpeedRun;
    DWORD SpawnID;
    BYTE Type;
    BYTE Class;
    DWORD Race;
    BYTE Level;
    BYTE Hide;
    CHAR Lastname[22];
    int flags;
};

I've tried "memcpy(spbuf, npc, sizeof(npc));" but am getting the following error

Carpathian
04-17-2009, 02:13 PM
Try adding these two functions to the SPAWNINFO_SEND class. Basically, these functions tell it how to convert an Snpc struct into a SPAWNINFO_SEND class...



    // Converting constructor: build a SPAWNINFO_SEND from an Snpc
    SPAWNINFO_SEND(const Snpc &s) {
        // Snpc::Name is a std::string, so copy its C string and make sure
        // the fixed-size buffer is always NUL-terminated
        strncpy(Name, s.Name.c_str(), sizeof(Name) - 1);
        Name[sizeof(Name) - 1] = '\0';
        strcpy(Lastname, "");
        Y = s.y;
        Z = s.Z;
        X = s.x;
        SpawnID = s.ID;

        // Set all unused to zeros
        // (Snpc also carries level and HP; map them here if the client should show them)
        Heading = 0;
        SpeedRun = 0;
        Type = 0;
        Class = 0;
        Race = 0;
        Level = 0;
        Hide = 0;
        flags = 0;
    }

    // Converting assignment: same mapping for "sis = snpc;"
    SPAWNINFO_SEND &operator=(const Snpc &s) {
        strncpy(Name, s.Name.c_str(), sizeof(Name) - 1);
        Name[sizeof(Name) - 1] = '\0';
        strcpy(Lastname, "");
        Y = s.y;
        Z = s.Z;
        X = s.x;
        SpawnID = s.ID;

        // Set all unused to zeros
        Heading = 0;
        SpeedRun = 0;
        Type = 0;
        Class = 0;
        Race = 0;
        Level = 0;
        Hide = 0;
        flags = 0;

        return *this;
    }

Carpathian
04-17-2009, 02:47 PM
Almost forgot: with those two class methods, you can now do one of the following to initialize a SPAWNINFO_SEND class from an Snpc struct...



Snpc snpc; // I assume you're obtaining one of these somewhere...

SPAWNINFO_SEND sis(snpc);
// or...
SPAWNINFO_SEND sis2;
sis2 = snpc;

Viper
04-17-2009, 08:53 PM
> If the eq2emulator packet collector is writing to the eq2 client then they're using a detour to collect the key. I don't like this option, as it's easy for Sony to detect changes to the eq2 client. Also, they can easily change the function location in the client with each update.
>
> I'm making progress on turning my collector into a server/client application. Still hoping to use the MySEQ client, less coding :) I just need to get my collector to send the data to the MySEQ client in the correct format.

Would you do me a tiny favor and run this through your routine and tell me what key it was?

0000: FF FF FF FF 52 00 00 00 02 5C 55 C9 73 2C F0 E2 ....R....\U.s,..
0010: 5A C3 EB E8 C1 F1 E0 38 0A FB 27 88 0A 1E 3C B5 Z......8..'...<.
0020: 96 A3 B0 CF 2F 6B F8 DD 98 CA F7 F4 CD 9E 03 92 ..../k..........
0030: AE 38 1F EA CE A2 01 4C 7E CC 3E 16 62 B8 DD 08 .8.....L~.>.b...
0040: 2F B7 BA E7 FF ED A0 19 02 12 73 EC AB C8 0B 10 /.........s.....
0050: 53 CD B5 8F E4 55 1E BC 7F 25 S....U...%

Be interesting to see what your routine shows.

unknwon
04-20-2009, 08:55 PM
Thanks for the class routine, that helped. Getting much closer now; I'm able to send and display some data in the MySEQ client without any modifications to the MySEQ client :)

Included is a screenshot from my emu.


hxxp://mmoradar.com/images/myseq.jpg

Viper
04-23-2009, 02:19 AM
Hmmmm, the task I kindly asked if you would perform was not that hard and would not give any vital secrets away, but oh well.

Good luck with your project.

unknwon
04-23-2009, 04:44 AM
It would; telling you what the key was would give away the method of getting the key. It's not that hard.

Viper
04-23-2009, 09:03 AM
> It would; telling you what the key was would give away the method of getting the key. It's not that hard.

Well, I know the key already. So tell me the first 2 or 3 bytes of the key out of the 8; that is all I am asking.

I am fascinated that you say you cracked her open so easily and that it is not that hard.

Let me tell you the last 2 bytes of the key: 570e.

Viper
05-06-2009, 05:43 PM
Well, last week I made Everdump work again, but I can't decipher the stream without doing the Everdump trick. I have spent over 180 hours, and while I have learned RSA and some RC4, I just can't bust their network protocol because it is way over my head. I got close but no cigar.

So, Everdump is working again and that is a plus but if someone managed to crack open their RSA/RC4 datastream then bravo to them because I sure couldn't do it.

unknwon
05-13-2009, 07:56 AM
Don't feel too bad; mine was working fine on Live, but I have been testing for the last 4 weeks on my emulator. I tried it on Live the other day and it will no longer find the correct key; it seems that with the new U51 they fixed the method I was using to get the key. But it shouldn't be too hard to correct. :)

As for my radar program, I have it tracking mob movements now; that was hard, getting it to track correctly. I just have some more major bugs to fix, then I should be able to release a beta soon.