
Thread: Everdump

  1. #1
    Registered User
    Join Date
    Apr 2009
    Posts
    16

    Everdump

    What stopped this from working? I think it was because Acid changed stuff after he went to work for the man, BUT what I want to know is how there is a current tool that works like it did. Apparently Acid is still out there, or someone was able to reverse it like he did. I tried to reverse engineer the program that *does* work but it is a bit over my head, and the best I could do, which isn't much, is dump the raw UDP packets and that is it. When I look at the raw packets I see one packet that is the same in the working program and my snooping program, and that is "Server Keygen Request", but I am having a dog of a time trying to figure out the keys part from the client.
    Code:
    -- Server Keygen Request --
    0000:    00 09 00 00 02 52 00 00 00 03 1E 0B CC 22 41 CA .....R......."A.
    0010:    56 AE 40 AC F5 D4 0E 94 F9 16 7C 11 69 37 BC 46 V.@.......|.i7.F
    0020:    92 BE D2 DB B9 AB 6F 8E 17 EA E4 8C E6 81 9A 76 ......o........v
    0030:    EF 2F F1 B6 0C 99 1C 8C CD 14 6C 63 F3 A7 5C 50 ./........lc..\P
    0040:    20 7C 9A 49 78 C6 14 00 1A F9 77 01 8F 4E 69 BC  |.Ix.....w..Ni.
    0050:    C8 1C 3C DB 2A E0 7C F2 9A 26 FF 01 00 00 00 23 ..<.*.|..&.....#
    
    -- Client Keygen Response
    0000:    FF FF FF FF 52 00 00 00 02 B4 D6 86 D9 9E 9F 0A ....R...........
    0010:    EF 9B 26 86 A0 95 31 E8 CF F6 F4 FF 44 A9 D9 1D ..&...1.....D...
    0020:    50 F3 33 02 35 2C 3F 1D 87 08 3F 7D 60 0C C5 39 P.3.5,?...?}`..9
    0030:    D9 DA D2 FC 5C 01 5B AB 2E 6D 23 AF 53 6E 83 4A ....\.[..m#.Sn.J
    0040:    DB 1D A2 3F 1B 6C B6 68 CC 48 A5 9B A1 27 AB 29 ...?.l.h.H...'.)
    0050:    A9 9B E0 07 6F 98 89 00 41 97                   ....o...A.
    The first one I get, but I do not get that part from the Client. I suspect it is because that part is the key intermixed in. I think the FF FF FF FF means it is in the clear, but I'm not 100% sure on that.

    Anyone have any ideas or am I the only one around anymore that is messing with this stuff?

  2. #2
    Developer
    Join Date
    Jun 2003
    Posts
    446

    Re: Everdump

    What program currently works for this? I'd be curious enough to have a look at it.

  3. #3
    Developer
    Join Date
    Jun 2003
    Posts
    446

    Re: Everdump

    By the way, I saw you in IRC. You can't ask a question and expect an immediate answer. If you had stuck around for a bit I'd have seen it about 15 minutes after and we'd be chatting there right now.

  4. #4
    Registered User
    Join Date
    Apr 2009
    Posts
    16

    Re: Everdump

    Sorry about that, I was late for dinner and the wife was waiting for me.

  5. #5
    Registered User
    Join Date
    Sep 2008
    Posts
    14

    Re: Everdump

    Reversing the key is not hard at all; the eq2emulator project has a working closed-source packet scanner that is currently working, and I've also redone Acid's source code to work too.

    You'll have a hard time getting anyone to share how to get the key; it took me 2 months to determine how to get the key. The reason that no one is sharing the information is that you could easily write a login (user/password) stealer once you know how to get the key.

    I'll give you a couple of hints: the key changes on each login and on each zone.

  6. #6
    Registered User
    Join Date
    Apr 2009
    Posts
    16

    Re: Everdump

    Quote Originally Posted by unknwon
    Reversing the key is not hard at all; the eq2emulator project has a working closed-source packet scanner that is currently working, and I've also redone Acid's source code to work too.

    You'll have a hard time getting anyone to share how to get the key; it took me 2 months to determine how to get the key. The reason that no one is sharing the information is that you could easily write a login (user/password) stealer once you know how to get the key.

    I'll give you a couple of hints: the key changes on each login and on each zone.
    Well, I notice that it does change; it has changed twice on me just logging in.

    Where I am stuck is knowing when and where the key is. Is it compressed or still in the open? Do I need EQ2's exe at all to figure out the key?

    "eq2emulator project has a working closed source packet scanner that currently working" is exactly what I am using, and I am reverse engineering it, but I find it odd that they grab 27 bytes from the process and actually write ANYTHING into EQ2's process. Is that writing part necessary?

    I have a copy of Acid's Everdump and he never wrote in the memory but he grabbed the key out of the exe, I believe, but that was changed.

    As far as login passwords etc. go, that would be stupid, but I have seen people do worse than that. I have no idea why they would want to, but to each their own I suppose. What sucks is that jackasses like that are what gets the free flow of information squashed.

    I will tell you and everyone else that if I crack this I will freely give the information with source code to the world. If someone tells me how to do it then it is up to them and I would abide by their wishes but if I do it then the devil (and SoE) be damned because this information will not be stifled any longer.

  7. #7
    Registered User
    Join Date
    Sep 2008
    Posts
    14

    Re: Everdump

    Not sure why eq2emulator is writing to the eq2 process; my key grab doesn't read memory or read from the eq2 client.

    I'd love to release my capture program, but I'm too worried about others using it to create password stealers or worse. I know it's hard getting any information about eq2; when I was writing my WoW radar program you could find tons of information on the web about the memory structure and packets. But for eq2 there's nothing.

    The sad thing is I had a working copy of the myseq2 source when it first came out, but deleted it when I stopped playing eq2. When I started playing eq2 again, I found that myseq2 was no more. That'll teach me not to keep backups.

  8. #8
    Registered User
    Join Date
    Apr 2009
    Posts
    16

    Re: Everdump

    Quote Originally Posted by unknwon
    Not sure why eq2emulator is writing to the eq2 process; my key grab doesn't read memory or read from the eq2 client.

    I'd love to release my capture program, but I'm too worried about others using it to create password stealers or worse. I know it's hard getting any information about eq2; when I was writing my WoW radar program you could find tons of information on the web about the memory structure and packets. But for eq2 there's nothing.

    The sad thing is I had a working copy of the myseq2 source when it first came out, but deleted it when I stopped playing eq2. When I started playing eq2 again, I found that myseq2 was no more. That'll teach me not to keep backups.
    Yeah, it sucks. I wish I had the right avenue, because I have spent over 100 hours so far trying to get this to work. I had to learn how to code for pcap first, but that only took an hour or 2. The rest has been in eq2emulator and eq2 itself.

    Man, I don't know if I can do this alone since I don't have a real bone to go on. Are the first 2 bytes still the same as they were when Acid was on this stuff? 00 09 means the server is asking me for a keygen, right?

  9. #9
    Registered User
    Join Date
    Sep 2008
    Posts
    14

    Re: Everdump

    No, 00 09 just means it's a data packet. If you haven't already, read the following over at eq2emu: http://eq2emulator.net/phpBB3/viewtopic.php?f=3&t=1268

    Also, if you find getting the key hard, just wait till you have to decode the packets after. Some are compressed or XOR'ed, some are both.

    I'm thinking what I might do is change part of my program into a server/client application like the current myseq. I just need to split my capture program up; that way I'll be able to release just the server application and not have to worry about anyone using it to create a user/pass stealer. If I do it right, we might be able to use the current myseq client? Not sure about it yet. Will have to look at the myseq server and client code first.

  10. #10
    Registered User
    Join Date
    Apr 2009
    Posts
    16

    Re: Everdump

    Possibly.

    Well, if you notice, that 00 09 above is preceded by the Server Keygen request, which must mean the keygen request was in that data? If that were the case, shouldn't the info be out in the open since no keygen has been created yet, OR is there a default keygen that from then on out gets changed?

    http://eq2emulator.net/phpBB3/viewto...+opcodes#p9939

    That link helps me immensely, but look at this:
    Code:
    0000: 00 09 00 02 04 00 05 10 02 00 00 00 08 00 00 00   ................
    0010: 20 00 00 00 96 b0 de 43 b7 b4 a9 b7 37 58 86 b5    ......C....7X..
    0020: ce 4f 14 1f 2f 35 4b a1 b5 31 aa 5d 5a ae 1e 02   .O../5K..1.]Z...
    0030: d9 bf 85 90                                       ....
    That example has a 04; 00 means clear and 01 means compressed, but what does 04 mean?
    Last edited by Viper; 04-13-2009 at 10:16 AM.

  11. #11
    Registered User
    Join Date
    Sep 2008
    Posts
    14

    Re: Everdump

    If the eq2emulator packet collector is reading to the eq2 client then they're using a detour to collect the key. I don't like this option, as it's easy for Sony to detect changes to the eq2 client. Also they can easily change the function location in the client with each update.

    I'm making progress on turning my collector into a server/client application. Still hoping to use the myeq client; less coding, I just need to get my collector to send the data to the myseq client in the correct format.

  12. #12
    Registered User
    Join Date
    Apr 2009
    Posts
    16

    Re: Everdump

    After a few days of digging I can attest they throw an INT 3 (0xCC) into the EQ2 code. They also use heavily multitasking code, and it is very hard for me to follow multitasking code.

  13. #13
    Registered User
    Join Date
    Sep 2008
    Posts
    14

    Re: Everdump

    Well, I have meshed my packet capture with the myseq server and client; just having problems getting my old struct to convert to the myseqserver class.

    If someone can tell me how to make

    Code:
    #include <string>     // std::string
    #include <windows.h>  // FLOAT (and the CHAR/DWORD/BYTE typedefs the class below uses)
    using std::string;

    // Spawn record as filled in by the packet capture
    struct Snpc
    {
    int ID;
    string Name;
    FLOAT x;
    FLOAT y;
    FLOAT Z;
    int level;
    int HP;
    };

    into

    Code:
    #include <cstring>    // strncpy, strcpy
    #include <windows.h>  // CHAR, FLOAT, DWORD, BYTE

    // Spawn record in the layout the myseq server sends to the client
    class SPAWNINFO_SEND {
    public:
    SPAWNINFO_SEND() {

    }
    // Copy constructor: every field comes from the other SPAWNINFO_SEND.
    // (The earlier version declared an uninitialized Snpc pointer here and
    // read through it; converting from Snpc needs its own constructor.)
    SPAWNINFO_SEND(const SPAWNINFO_SEND &s) {
    strncpy(Name, s.Name, 30);
    Y = s.Y;
    Z = s.Z;
    X = s.X;
    Heading = s.Heading;
    SpeedRun = s.SpeedRun;
    SpawnID = s.SpawnID;
    Type = s.Type;
    Class = s.Class;
    Race = s.Race;
    Level = s.Level;
    Hide = s.Hide;
    strcpy(Lastname, s.Lastname);
    flags = s.flags;
    }

    SPAWNINFO_SEND &operator=(const SPAWNINFO_SEND &s) {
    strncpy(Name, s.Name, 30);
    Y = s.Y;
    Z = s.Z;
    X = s.X;
    Heading = s.Heading;
    SpeedRun = s.SpeedRun;
    SpawnID = s.SpawnID;
    Type = s.Type;
    Class = s.Class;
    Race = s.Race;
    Level = s.Level;
    Hide = s.Hide;
    strcpy(Lastname, s.Lastname);
    flags = s.flags;
    return *this;
    }
    CHAR Name[30];
    FLOAT Y;
    FLOAT X;
    FLOAT Z;
    FLOAT Heading;
    FLOAT SpeedRun;
    DWORD SpawnID;
    BYTE Type;
    BYTE Class;
    DWORD Race;
    BYTE Level;
    BYTE Hide;
    CHAR Lastname[22];
    int flags;
    } ;

    I've tried "memcpy(spbuf, npc, sizeof(npc));" but am getting the following error

  14. #14
    Registered User
    Join Date
    Sep 2006
    Posts
    97

    Re: Everdump

    Try adding these two functions to the SPAWNINFO_SEND class. Basically, these functions tell it how to convert a Snpc struct into a SPAWNINFO_SEND class...

    Code:
    SPAWNINFO_SEND(const Snpc &s) {
    // Snpc::Name is a std::string, so hand strncpy its C string, and
    // terminate explicitly: strncpy adds no NUL when the source fills
    // all 30 bytes of Name.
    strncpy(Name, s.Name.c_str(), 30);
    Name[29] = '\0';
    strcpy(Lastname, "");
    Y = s.y;
    Z = s.Z;
    X = s.x;
    SpawnID = s.ID;
    
    // Set all unused to zeros
    Heading = 0;
    SpeedRun = 0;
    Type = 0;
    Class = 0;
    Race = 0;
    Level = 0;
    Hide = 0;
    flags = 0;
    }
    
    SPAWNINFO_SEND &operator=(const Snpc &s) {
    strncpy(Name, s.Name.c_str(), 30);
    Name[29] = '\0';  // same termination guard as the constructor
    strcpy(Lastname, "");
    Y = s.y;
    Z = s.Z;
    X = s.x;
    SpawnID = s.ID;
    
    // Set all unused to zeros
    Heading = 0;
    SpeedRun = 0;
    Type = 0;
    Class = 0;
    Race = 0;
    Level = 0;
    Hide = 0;
    flags = 0;
    
    return *this;
    }

  15. #15
    Registered User
    Join Date
    Sep 2006
    Posts
    97

    Re: Everdump

    Almost forgot: with those two class methods, you can now do one of the following to initialize a SPAWNINFO_SEND class from a Snpc struct...

    Code:
    Snpc snpc;  // I assume you're obtaining one of these somewhere...
    
    SPAWNINFO_SEND sis(snpc);
    // or...
    SPAWNINFO_SEND sis2;
    sis2 = snpc;
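As an added example (not code from this thread nor from the myseq or eq2emulator projects), here is a stand-alone C++ version of the Snpc-to-SPAWNINFO_SEND conversion that also guards the fixed-width Name buffer, the part a plain strncpy() leaves open. It assumes standard types in place of the Windows FLOAT/DWORD/BYTE typedefs and a trimmed SPAWNINFO_SEND carrying only the fields Snpc supplies.

```cpp
#include <cstdint>
#include <cstring>
#include <string>

// Trimmed stand-ins for the thread's Snpc struct and the myseq SPAWNINFO_SEND
// class (assumed shapes; the Windows typedefs are replaced by standard types).
struct Snpc {
    int ID;
    std::string Name;
    float x, y, Z;
    int level, HP;
};

// Copy a std::string into a fixed-size char array: truncate to fit and always
// NUL-terminate. strncpy() alone leaves the array unterminated when the source
// is >= the array size, and a later strcpy()/printf() then reads past its end.
template <std::size_t N>
static void copy_fixed(char (&dst)[N], const std::string &src) {
    std::size_t n = src.size() < N - 1 ? src.size() : N - 1;
    std::memcpy(dst, src.data(), n);
    dst[n] = '\0';
}

class SPAWNINFO_SEND {
public:
    SPAWNINFO_SEND() : Y(0), X(0), Z(0), SpawnID(0), Level(0) {
        Name[0] = Lastname[0] = '\0';
    }
    // Converting constructor, the piece the thread was missing. memcpy() cannot
    // stand in for it: Snpc holds a std::string (no valid byte-for-byte copy) and
    // sizeof(npc) on a pointer is just the pointer's size. Not 'explicit', so
    // "sis2 = snpc;" also works through the implicit conversion plus operator=.
    SPAWNINFO_SEND(const Snpc &s)
        : Y(s.y), X(s.x), Z(s.Z), SpawnID(s.ID), Level(s.level) {
        copy_fixed(Name, s.Name);
        Lastname[0] = '\0';  // Snpc carries no last name; send an empty one
    }
    char Name[30];
    float Y, X, Z;
    uint32_t SpawnID;
    uint8_t Level;
    char Lastname[22];
};

// Convert a constructed sample spawn and hand back the fixed-width name.
std::string converted_name(const std::string &name) {
    Snpc n = {7, name, 1.0f, 2.0f, 3.0f, 50, 100};  // constructed sample spawn
    SPAWNINFO_SEND out(n);
    return std::string(out.Name);  // safe: Name is always NUL-terminated
}
```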
