I will share my sources with you.
/*
code BY DarkInjection
*/
#include "stdafx.h"
#include <stdint.h>
/*
 * Block transform called by ge4_007125F0. cdecl, two stack arguments:
 *   [ESP+4]  pointer to an 8-byte block held as two DWORDs: [0] = L, [4] = R
 *   [ESP+8]  pointer to the key schedule: 18 DWORDs P[0..17] at offset 0,
 *            then four 256-entry DWORD tables S0..S3 at 0x48, 0x448, 0x848, 0xC48
 *
 * The block is transformed in place; on return [0] holds the R side and [4]
 * the L side (the halves are stored swapped). Sixteen rounds each XOR the
 * next P[] word into one half and then XOR F(other half) into that half, where
 *   F(x) = ((S0[x >> 24] + S1[(x >> 16) & 0xFF]) ^ S2[(x >> 8) & 0xFF]) + S3[x & 0xFF]
 * and P[16], P[17] are XORed in at the end. Table layout, F() and round order
 * are those of the Blowfish cipher's encryption routine for one 64-bit block;
 * how the key schedule itself is derived is not visible here.
 *
 * Registers: EDI = L, ESI = R, EBP = key schedule (used as a base pointer, not
 * a frame pointer); EAX/EBX/ECX/EDX are scratch for the four table indices.
 * naked: no compiler prologue; callee-saved EBP/EBX/ESI/EDI are saved by hand.
 */
__declspec(naked)void ge4_007126D0(){
__asm{
PUSH EBP
PUSH EBX
MOV EBX, DWORD PTR SS : [ESP + 0xC]; arg1: block pointer (ESP+4 before the two pushes)
MOV EBP, DWORD PTR SS : [ESP + 0x10]; arg2: key schedule pointer
PUSH ESI
PUSH EDI
MOV EDI, DWORD PTR DS : [EBX]; L
MOV ESI, DWORD PTR DS : [EBX + 4]; R
XOR EAX, EAX
MOV EBX, DWORD PTR SS : [EBP]; P[0]
XOR ECX, ECX; only CL is ever written afterwards, so ECX is a clean table index
XOR EDI, EBX; L ^= P[0]
MOV EDX, DWORD PTR SS : [EBP + 4]; P[1]
; ---- round 1: R ^= F(L) ----
MOV EBX, EDI
XOR ESI, EDX; R ^= P[1]
SHR EBX, 0x10
MOV EDX, EDI
MOV AL, BH; a = L >> 24
AND EBX, 0xFF; b = (L >> 16) & 0xFF
MOV CL, DH; c = (L >> 8) & 0xFF
AND EDX, 0xFF; d = L & 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]; S0[a]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]; S1[b]
ADD EBX, EAX; S0[a] + S1[b]
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]; S2[c]
XOR EBX, EAX; (S0[a] + S1[b]) ^ S2[c]
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]; S3[d]
ADD EBX, EDX; F(L) = ((S0[a] + S1[b]) ^ S2[c]) + S3[d]
XOR EAX, EAX; clear EAX again so MOV AL,BH yields a clean index next round
XOR ESI, EBX; R ^= F(L)
MOV EDX, DWORD PTR SS : [EBP + 8]; P[2]
; ---- round 2: L ^= F(R) (same byte split and lookups as round 1, on R) ----
MOV EBX, ESI
XOR EDI, EDX; L ^= P[2]
SHR EBX, 0x10
MOV EDX, ESI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR EDI, EBX; L ^= F(R)
MOV EDX, DWORD PTR SS : [EBP + 0xC]; P[3]
; ---- round 3: R ^= F(L) ----
MOV EBX, EDI
XOR ESI, EDX; R ^= P[3]
SHR EBX, 0x10
MOV EDX, EDI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR ESI, EBX; R ^= F(L)
MOV EDX, DWORD PTR SS : [EBP + 0x10]; P[4]
; ---- round 4: L ^= F(R) ----
MOV EBX, ESI
XOR EDI, EDX; L ^= P[4]
SHR EBX, 0x10
MOV EDX, ESI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR EDI, EBX; L ^= F(R)
MOV EDX, DWORD PTR SS : [EBP + 0x14]; P[5]
; ---- round 5: R ^= F(L) ----
MOV EBX, EDI
XOR ESI, EDX; R ^= P[5]
SHR EBX, 0x10
MOV EDX, EDI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR ESI, EBX; R ^= F(L)
MOV EDX, DWORD PTR SS : [EBP + 0x18]; P[6]
; ---- round 6: L ^= F(R) ----
MOV EBX, ESI
XOR EDI, EDX; L ^= P[6]
SHR EBX, 0x10
MOV EDX, ESI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR EDI, EBX; L ^= F(R)
MOV EDX, DWORD PTR SS : [EBP + 0x1C]; P[7]
; ---- round 7: R ^= F(L) ----
MOV EBX, EDI
XOR ESI, EDX; R ^= P[7]
SHR EBX, 0x10
MOV EDX, EDI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR ESI, EBX; R ^= F(L)
MOV EDX, DWORD PTR SS : [EBP + 0x20]; P[8]
; ---- round 8: L ^= F(R) ----
MOV EBX, ESI
XOR EDI, EDX; L ^= P[8]
SHR EBX, 0x10
MOV EDX, ESI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR EDI, EBX; L ^= F(R)
MOV EDX, DWORD PTR SS : [EBP + 0x24]; P[9]
; ---- round 9: R ^= F(L) ----
MOV EBX, EDI
XOR ESI, EDX; R ^= P[9]
SHR EBX, 0x10
MOV EDX, EDI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR ESI, EBX; R ^= F(L)
MOV EDX, DWORD PTR SS : [EBP + 0x28]; P[10]
; ---- round 10: L ^= F(R) ----
MOV EBX, ESI
XOR EDI, EDX; L ^= P[10]
SHR EBX, 0x10
MOV EDX, ESI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR EDI, EBX; L ^= F(R)
MOV EDX, DWORD PTR SS : [EBP + 0x2C]; P[11]
; ---- round 11: R ^= F(L) ----
MOV EBX, EDI
XOR ESI, EDX; R ^= P[11]
SHR EBX, 0x10
MOV EDX, EDI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR ESI, EBX; R ^= F(L)
MOV EDX, DWORD PTR SS : [EBP + 0x30]; P[12]
; ---- round 12: L ^= F(R) ----
MOV EBX, ESI
XOR EDI, EDX; L ^= P[12]
SHR EBX, 0x10
MOV EDX, ESI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR EDI, EBX; L ^= F(R)
MOV EDX, DWORD PTR SS : [EBP + 0x34]; P[13]
; ---- round 13: R ^= F(L) ----
MOV EBX, EDI
XOR ESI, EDX; R ^= P[13]
SHR EBX, 0x10
MOV EDX, EDI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR ESI, EBX; R ^= F(L)
MOV EDX, DWORD PTR SS : [EBP + 0x38]; P[14]
; ---- round 14: L ^= F(R) ----
MOV EBX, ESI
XOR EDI, EDX; L ^= P[14]
SHR EBX, 0x10
MOV EDX, ESI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR EDI, EBX; L ^= F(R)
MOV EDX, DWORD PTR SS : [EBP + 0x3C]; P[15]
; ---- round 15: R ^= F(L) ----
MOV EBX, EDI
XOR ESI, EDX; R ^= P[15]
SHR EBX, 0x10
MOV EDX, EDI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
XOR EAX, EAX
XOR ESI, EBX; R ^= F(L)
MOV EDX, DWORD PTR SS : [EBP + 0x40]; P[16]
; ---- round 16: L ^= F(R) ----
MOV EBX, ESI
XOR EDI, EDX; L ^= P[16]
SHR EBX, 0x10
MOV EDX, ESI
MOV AL, BH
AND EBX, 0xFF
MOV CL, DH
AND EDX, 0xFF
MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
ADD EBX, EAX
MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
XOR EBX, EAX
MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
ADD EBX, EDX
MOV EAX, DWORD PTR SS : [ESP + 0x14]; arg1 again: block pointer (ESP+4 before the four pushes)
XOR EDI, EBX; L ^= F(R)
MOV EDX, DWORD PTR SS : [EBP + 0x44]; P[17]
XOR ESI, EDX; R ^= P[17]
MOV DWORD PTR DS : [EAX + 4], EDI; block[4] = L side
MOV DWORD PTR DS : [EAX], ESI; block[0] = R side (halves stored swapped)
POP EDI
POP ESI
POP EBX
POP EBP
RETN; <= Procedure End (no operand: caller pops the two arguments, cdecl)
}
}
/*
 * Encrypts one 8-byte block: reads in[0..7] as two big-endian DWORDs into a
 * stack temporary, runs ge4_007126D0 on it with `key`, and writes the two
 * result DWORDs back to out[0..7] big-endian.
 *
 * `in` and `out` may be the same buffer: all eight input bytes are loaded into
 * the temporaries before the first store to `out`.
 * `f` is compared with 0 (CMP below) but no visible instruction consumes the
 * flags, so here it has no observable effect — presumably an encrypt/decrypt
 * selector in the original binary; TODO confirm against the client.
 *
 * Stack after SUB ESP, 8:
 *   [ESP]      temp[0] (L)      [ESP+4]    temp[1] (R)
 *   [ESP+8]    return address
 *   [ESP+0xC]  in               [ESP+0x10] out
 *   [ESP+0x14] key              [ESP+0x18] f
 * naked: no compiler prologue/epilogue; the two ADD ESP, 8 at the end undo the
 * two PUSHes for the CALL and the SUB ESP, 8.
 */
__declspec(naked) void ge4_007125F0(char * in, char * out, char * key, int f){
__asm{
SUB ESP, 8; room for temp[0], temp[1]
MOV EAX, DWORD PTR SS : [ESP + 0xC]; packet buffer
MOVZX ECX, BYTE PTR DS : [EAX]; first byte of packet buffer
MOVZX EDX, BYTE PTR DS : [EAX + 1]; second byte of packet buffer
ADD EAX, 1; EAX -> in[1]
SHL EDX, 0x10
SHL ECX, 0x18
OR ECX, EDX; in[0] << 24 | in[1] << 16
XOR EDX, EDX
MOV DH, BYTE PTR DS : [EAX + 1]; in[2] << 8
ADD EAX, 1
ADD EAX, 1
ADD EAX, 1
ADD EAX, 1
ADD EAX, 1; EAX -> in[6]
OR ECX, EDX
MOVZX EDX, BYTE PTR DS : [EAX - 3]; in[3]
OR ECX, EDX; temp[0] = big-endian in[0..3]
MOVZX EDX, BYTE PTR DS : [EAX - 1]; in[5]
MOV DWORD PTR SS : [ESP], ECX
MOVZX ECX, BYTE PTR DS : [EAX - 2]; in[4]
SHL EDX, 0x10
SHL ECX, 0x18
OR ECX, EDX; in[4] << 24 | in[5] << 16
XOR EDX, EDX
MOV DH, BYTE PTR DS : [EAX]; in[6] << 8
MOV DL, BYTE PTR DS : [EAX + 1]; in[7]
OR EDX, ECX; temp[1] = big-endian in[4..7]
CMP DWORD PTR SS : [ESP + 0x18], 0; f compared with 0; the result is never read below
MOV DWORD PTR SS : [ESP + 4], EDX
MOV EAX, DWORD PTR SS : [ESP + 0x14]
PUSH EAX; key buffer (arg2 of ge4_007126D0)
LEA ECX, DWORD PTR SS : [ESP + 4]; address of temp[0] (ESP moved down 4 by the PUSH)
PUSH ECX; pointer to the 8-byte temp block (arg1 of ge4_007126D0)
CALL ge4_007126D0; <= Jump / Call Address Not Resolved
MOV ECX, DWORD PTR SS : [ESP + 8]; temp[0]; the two CALL arguments are still on the stack
MOV EAX, DWORD PTR SS : [ESP + 0x18]; out
MOV EDX, ECX
SHR EDX, 0x18
MOV BYTE PTR DS : [EAX], DL; out[0] = temp[0] >> 24
ADD EAX, 1
MOV EDX, ECX
SHR EDX, 0x10
MOV BYTE PTR DS : [EAX], DL; out[1]
ADD EAX, 1
MOV EDX, ECX
SHR EDX, 8
MOV BYTE PTR DS : [EAX], DL; out[2]
MOV BYTE PTR DS : [EAX + 1], CL; out[3]
MOV ECX, DWORD PTR SS : [ESP + 0xC]; temp[1]
ADD EAX, 1
ADD EAX, 1; EAX -> out[4]
MOV EDX, ECX
SHR EDX, 0x18
MOV BYTE PTR DS : [EAX], DL; out[4] = temp[1] >> 24
ADD EAX, 1
MOV EDX, ECX
SHR EDX, 0x10
MOV BYTE PTR DS : [EAX], DL; out[5]
ADD EAX, 1
MOV EDX, ECX
ADD ESP, 8; pop the two CALL arguments (callee returns with a bare RETN)
SHR EDX, 8
MOV BYTE PTR DS : [EAX], DL; out[6]
MOV BYTE PTR DS : [EAX + 1], CL; out[7]
ADD ESP, 8; free temp[0], temp[1]
RETN; <= Procedure End
}
}
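/*
 * Encrypts the first 0x60 bytes of `in` (12 blocks of 8) into `out`, one
 * block at a time through ge4_007125F0 with the global KEY schedule.
 *
 * Both buffers must hold at least 0x60 bytes. in == out is fine: ge4_007125F0
 * loads its whole input block before it stores anything. Blocks are
 * transformed independently of each other; nothing here chains one block into
 * the next. The block count is fixed because the only caller on this page
 * builds a fixed-layout 100-byte body (the original comment flagged the 0x0C
 * as hard-coded). The trailing 0x5b is passed through unchanged; in the
 * visible ge4_007125F0 it is compared with 0 but the result is never used.
 */
void BeginPacketEncryption(char * in,char * out){
	enum { BLOCK_LEN = 0x08, BLOCK_COUNT = 0x0C };
	for (int blk = 0; blk < BLOCK_COUNT; blk++) {
		int off = blk * BLOCK_LEN;
		ge4_007125F0(in + off, out + off, (char*)KEY, 0x5b);
	}
}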
#include "stdafx.h"
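/*
 * Checksum over the first `a` bytes of packet_buffer, as the client computes
 * it: bytes are walked in order, even-indexed bytes are XORed into a 32-bit
 * accumulator and odd-indexed bytes are added to it; the low 16 bits are
 * returned. Returns 0 when packet_buffer is NULL or a <= 0.
 *
 * Portable C replacement for the original MSVC naked/inline-asm routine
 * (inline asm is unavailable on x64 builds). Bytes are read as unsigned,
 * matching the MOVZX in the original; uint16_t is the same type as WORD on
 * Win32, so callers assigning to a WORD are unaffected.
 * This is an error-detecting checksum only; it carries no key and offers no
 * integrity protection against deliberate modification.
 */
uint16_t ge4_0041FBF0(char * packet_buffer,int a){
	if (!packet_buffer || a <= 0) {
		return 0;
	}
	const unsigned char *bytes = (const unsigned char *)packet_buffer;
	unsigned acc = 0; /* EAX in the original: unsigned, wraps mod 2^32 */
	for (int i = 0; i < a; i++) {
		if (i & 1) {
			acc += bytes[i]; /* odd index: ADD EAX, byte */
		} else {
			acc ^= bytes[i]; /* even index: XOR EAX, byte */
		}
	}
	return (uint16_t)acc; /* the original's caller uses only AX */
}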
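/*
 * Builds the 100-byte login packet body at packet_buffer and stores the
 * checksum of its first 0x5B bytes at offset 6.
 *
 * Layout written here (offsets relative to packet_buffer):
 *   0x00  0x04
 *   0x06  WORD checksum (ge4_0041FBF0 over the first 0x5B bytes, little-endian)
 *   0x0A  0x5B
 *   0x0C  username, at most 0x11 bytes (the next field starts at 0x1D)
 *   0x1D  MD5(hash_pass), 16 bytes
 *   0x2E  0x01 (realm id, per the original comment)
 *   0x30  0x65
 *   0x34  "USA"
 *   0x3C  WORD 0x0201
 *   0x59  0x74
 * What the other constant fields mean is not known from this code — TODO
 * confirm against the client. packet_buffer must have room for 100 bytes.
 * If any argument is NULL the function returns without writing anything.
 *
 * Fix vs. the original: the username was copied with memcpy(strlen(username)),
 * so a name longer than 0x11 bytes overwrote the digest field and, past 100
 * bytes, ran off the end of the caller's buffer. The copy is now bounded to
 * the field width (longer names are truncated); the 0x11 width is inferred
 * from the digest offset — TODO confirm.
 */
void generate_packet(char * username,char * hash_pass,char * packet_buffer){
	enum {
		PKT_BODY_LEN = 100,
		PKT_CHECKSUM_SPAN = 0x5B,
		PKT_USERNAME_OFF = 0x0C,
		PKT_DIGEST_OFF = 0x1D,
		PKT_USERNAME_MAX = PKT_DIGEST_OFF - PKT_USERNAME_OFF /* 0x11 */
	};
	if (!username || !hash_pass || !packet_buffer) {
		return;
	}

	unsigned char digest[MD5_DIGEST_LENGTH];
	MD5_CTX c;
	MD5_Init(&c);
	MD5_Update(&c, hash_pass, strlen(hash_pass));
	MD5_Final(digest, &c);

	memset(packet_buffer, 0x00, PKT_BODY_LEN);
	*(BYTE*)packet_buffer = 0x04;
	*(BYTE*)(packet_buffer+0x0A) = PKT_CHECKSUM_SPAN;

	/* Bounded copy; the zero fill above NUL-terminates names shorter than the field. */
	size_t ulen = strlen(username);
	if (ulen > PKT_USERNAME_MAX) {
		ulen = PKT_USERNAME_MAX;
	}
	memcpy(packet_buffer + PKT_USERNAME_OFF, username, ulen);
	memcpy(packet_buffer + PKT_DIGEST_OFF, digest, MD5_DIGEST_LENGTH);

	*(BYTE*)(packet_buffer + 0x2E) = 0x01; //realm id
	*(BYTE*)(packet_buffer + 0x30) = 0x65;
	memcpy(packet_buffer + 0x34, "USA", 3);
	/* memcpy instead of *(WORD*) stores: the buffer is a char array, so a WORD
	 * store through it is unaligned and violates strict aliasing; the bytes
	 * written are the same on this little-endian target. */
	WORD version = 0x0201;
	memcpy(packet_buffer + 0x3C, &version, sizeof version);
	*(BYTE*)(packet_buffer + 0x59) = 0x74;

	/* Checksum covers the plaintext body; it is computed before encryption. */
	WORD d = ge4_0041FBF0(packet_buffer, PKT_CHECKSUM_SPAN);
	memcpy(packet_buffer + 6, &d, sizeof d);
}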
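/* Assemble one login packet: 2-byte opcode followed by the 100-byte body.
 * The body is built (including its checksum) in plaintext first and then
 * encrypted in place; the opcode is left unencrypted in front of it. */
WORD OP_CODE = 0x0060;
char outp[102] = {0}; /* zero-filled, same as the original "\00" initializer */
generate_packet(username, password, (char*)outp + 2);
/* memcpy rather than *(WORD*)outp: outp is a char array, so the WORD store
 * is unaligned and aliasing-unsafe; the bytes written are identical here. */
memcpy(outp, &OP_CODE, sizeof OP_CODE);
BeginPacketEncryption((char *)(outp + 2), (char *)(outp + 2));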
I will also make a multi-client patch and maybe an XTrap bypass in the future.
have fun