Thread: Everdump

  1. #1
    Registered User
    Join Date
    Apr 2009
    Posts
    16

    Everdump

    What stopped this from working? I think it was because of Acid changing stuff after he went to work for the man, BUT what I want to know is how is there a current tool that works like it did? Apparently Acid is still out there or someone was able to reverse it like he did. I tried to reverse engineer the program that *does* work but it is a bit over my head and the best I could do, which isn't much, is dump the raw UDP packets and that is it. When I look at the raw packets I see one packet that is the same in the working program and my snooping program and that is "Server Keygen Request", but I am having a dog of a time trying to figure out the keys part from the client.
    Code:
    -- Server Keygen Request --
    0000:    00 09 00 00 02 52 00 00 00 03 1E 0B CC 22 41 CA .....R......."A.
    0010:    56 AE 40 AC F5 D4 0E 94 F9 16 7C 11 69 37 BC 46 V.@.......|.i7.F
    0020:    92 BE D2 DB B9 AB 6F 8E 17 EA E4 8C E6 81 9A 76 ......o........v
    0030:    EF 2F F1 B6 0C 99 1C 8C CD 14 6C 63 F3 A7 5C 50 ./........lc..\P
    0040:    20 7C 9A 49 78 C6 14 00 1A F9 77 01 8F 4E 69 BC  |.Ix.....w..Ni.
    0050:    C8 1C 3C DB 2A E0 7C F2 9A 26 FF 01 00 00 00 23 ..<.*.|..&.....#
    
    -- Client Keygen Response
    0000:    FF FF FF FF 52 00 00 00 02 B4 D6 86 D9 9E 9F 0A ....R...........
    0010:    EF 9B 26 86 A0 95 31 E8 CF F6 F4 FF 44 A9 D9 1D ..&...1.....D...
    0020:    50 F3 33 02 35 2C 3F 1D 87 08 3F 7D 60 0C C5 39 P.3.5,?...?}`..9
    0030:    D9 DA D2 FC 5C 01 5B AB 2E 6D 23 AF 53 6E 83 4A ....\.[..m#.Sn.J
    0040:    DB 1D A2 3F 1B 6C B6 68 CC 48 A5 9B A1 27 AB 29 ...?.l.h.H...'.)
    0050:    A9 9B E0 07 6F 98 89 00 41 97                   ....o...A.
    The first one I get but I do not get that part from the Client. I suspect it is because that part is the key intermixed in. I think the FF FF FF FF means it is in the clear but not 100% sure on that.

    Anyone have any ideas or am I the only one around anymore that is messing with this stuff?

  2. #2
    Developer
    Join Date
    Jun 2003
    Posts
    446

    Re: Everdump

    What program currently works for this? I'd be curious enough to have a look at it.

  3. #3
    Developer
    Join Date
    Jun 2003
    Posts
    446

    Re: Everdump

    By the way, I saw you in IRC. You can't ask a question and expect an immediate answer. If you stuck around for a bit I'd have seen it about 15 minutes after and we'd be chatting there right now.

  4. #4
    Registered User
    Join Date
    Apr 2009
    Posts
    16

    Re: Everdump

    Sorry about that, I was late for dinner and the wife was waiting for me.

  5. #5
    Registered User
    Join Date
    Sep 2008
    Posts
    14

    Re: Everdump

    Reversing the key is not hard at all. The eq2emulator project has a working closed source packet scanner that is currently working; I've also redone Acid's source code to work too.

    You have a hard time getting anyone to share how to get the key; it took me 2 months to determine how to get the key. The reason that no one is sharing the information is that you could easily write a login (user/password) stealer once you know how to get the key.

    I'll give you a couple of hints: the key changes on each login and on each zone.

  6. #6
    Registered User
    Join Date
    Apr 2009
    Posts
    16

    Re: Everdump

    Quote: Originally Posted by unknwon
    Reversing the key is not hard at all. The eq2emulator project has a working closed source packet scanner that is currently working; I've also redone Acid's source code to work too.

    You have a hard time getting anyone to share how to get the key; it took me 2 months to determine how to get the key. The reason that no one is sharing the information is that you could easily write a login (user/password) stealer once you know how to get the key.

    I'll give you a couple of hints: the key changes on each login and on each zone.
    Well, I notice that it does change and has changed twice on me just logging in.

    Where I am stuck at is knowing when and where the key is. Is it compressed or still in the open? Do I need EQ2's exe at all to figure out the key?

    "eq2emulator project has a working closed source packet scanner that is currently working" is exactly what I am using and I am reverse engineering it, but I find it odd that they grab 27 bytes from the process and actually write ANYTHING into EQ2's process. Is that writing part necessary?

    I have a copy of Acid's Everdump and he never wrote in the memory but he grabbed the key out of the exe, I believe, but that was changed.

    As far as login passwords etc... that would be stupid, but I have seen people do worse than that. I have no idea why they would want to but each to their own I suppose. What sucks is that jackasses like that are what gets the free flow of information squashed.

    I will tell you and everyone else that if I crack this I will freely give the information with source code to the world. If someone tells me how to do it then it is up to them and I would abide by their wishes but if I do it then the devil (and SoE) be damned because this information will not be stifled any longer.
