LucaC

Let's work together


First things first: I'm not a competent reverse engineer. I am well educated in software development in general, but this is not my field. So pardon me if I say anything stupid.

Since the last few GameForge Metin2 updates prevent us from accessing the new EterPack contents, we are out of luck for new content... or not.

I have found a way to execute arbitrary code (C++ and Python) within the latest Metin2Client update, bypassing all the checks that the game does (and I have also managed to dump a Themida-free version of metin2client.bin).

That's all fine and dandy, but unfortunately packGet has been patched, so no luck for easy direct access. I have found a workaround to at least dump some textures, but that's about it.

 

What I'm getting at is that I need some help to make this work and hopefully bring the latest updates to all of you. If you think you can be of any help, PM me.


Since no one seems interested I'll show some proof. Once again, I'm no reverse engineer, but I kinda know what I'm doing.

[image: proof]


Interesting... a way you can dump "Audio tracks", "Textures" and "3D Models" is by directly patching the DirectX DLL, XAudio and the Granny DLL (theoretically it will work). I found a project that has done that with WinSock2 (an easy way to reverse the metin2 server, or at least new packets/new systems?).

Talking about EterPacks, it's almost "impossible" that you could not get access to EIX/EPK, since the client is forced to dump them somehow. So a way must exist.

I'll buy the chests XD

 

6 minutes ago, HellBoy said:

Not bad, do the armors too xD

I already have the possibility to do so, but I'm not going to spoon-feed everyone. I'll gladly release my work if people are willing to help.

 

4 hours ago, arves100 said:

Interesting... a way you can dump "Audio tracks", "Textures" and "3D Models" is by directly patching the DirectX DLL, XAudio and the Granny DLL (theoretically it will work). I found a project that has done that with WinSock2 (an easy way to reverse the metin2 server, or at least new packets/new systems?).

Talking about EterPacks, it's almost "impossible" that you could not get access to EIX/EPK, since the client is forced to dump them somehow. So a way must exist.

I'll buy the chests XD

 

Yup, quite true. I already managed to dump a lot of stuff by hooking external libraries. I'm now working on hooking internal stuff, but the Themida stub is a pain in the ass. I already have something in the works anyway.


Just stop spamming the forum with your childish acts.
If you have something to share, do it; don't make a lot of senseless replies in this category, it isn't off-topic.



PS: A guy just like you was banned multiple times here (a Romanian guy), with fake accounts; he said he had "10 years of experience in programming" (and in reality he just copy-pasted things and showed only texts & photos), stole the identity of other Stack Overflow users, etc. I'm sure you are him, but I don't care, have fun with your new fake account. B)

 

5 hours ago, Tasho said:

 

 

I get what you mean, but isn't that a bit too much? You could have said that without sounding like an asshole, imo.

On 30/1/2018 at 8:09 PM, LucaC said:

I already have the possibility to do so, but I'm not going to spoon-feed everyone. I'll gladly release my work if people are willing to help.

 

If you're trying to educate the community, you are in the wrong place: nobody will help you unless they get something out of it, and the people who could help you with that matter have no interest in obtaining 2 textures.

I can clearly see you're competent and you know what you're doing, but if I had to guess the number of people in this community who EVEN REMOTELY KNOW what you are talking about, it'd be like 20, 25 at max, many of whom haven't even been active for years. If we also subtract those who do not give a fuck about this matter, I'm not even sure we would reach 1, and this community is made of 15,763 people. I myself am not competent enough on the matter to help you.

99% of people are here just to leak and use everything they find without even saying "thank you"; this is life.

Just look:

[image]

 

It's only leechers; there is no respect for the devs here. I'm not going to say that your attitude is wrong, but if you're looking to educate people here, you're in the wrong place; they only want to be "spoon-fed", like you said. They're ignorant monkeys, but that's how it is.

So, like Tasho said, if you want to be useful, then be useful; otherwise refrain from posting such topics.


Well then. If you're going to act like entitled and cute little snowflakes...

Also, just for clarity's sake: I'm not Romanian (wish I was though, life is cheap there) and I don't really care about recognition. I don't claim to be a genius either (but I mean, if you guys are the object of comparison, that's unfair for you). All of that being said, what do I do to get this account banned? This forum is already making my skin crawl.

 

(Bear in mind @Syreldar, I'm not complaining about your message. You actually have a point.)

16 minutes ago, LucaC said:

Well then. If you're going to act like entitled and cute little snowflakes...

Also, just for clarity's sake: I'm not Romanian (wish I was though, life is cheap there) and I don't really care about recognition. I don't claim to be a genius either (but I mean, if you guys are the object of comparison, that's unfair for you). All of that being said, what do I do to get this account banned? This forum is already making my skin crawl.

 

(Bear in mind @Syreldar, I'm not complaining about your message. You actually have a point.)

Sorry if I sounded rough, I tried to explain the situation as best I could.

A better community to share in is metin2downloads (main language: DE); the staff is active there, there are fewer normal users and more devs/expert people. Plus you can hide your posts unless someone likes them, which is good. I'm also there as Darisil.


Well, what about hooking CMappedFile or CEterPackManager::GetFromPack directly to get the data?

Also, what did they patch in packGet?

[image]

I don't see any change. Well, they pack their resources now, so changing the .pyc to .gr2 for example with a packed binary won't work anymore (it could probably still work with the suspended-process memory-editing stuff), but they did not touch packGet and packExist directly; those do the same things (with the exception that packExists has some extra checks you can patch out).

If you have an unpacked, working, Themida-free version, just go ahead and patch the functions with IDA Pro and disable the checks. If not, you should still be able to do some stuff, because you have the correct function signatures and some more stuff.

Actually, I reverse engineered it further: there is no change in packGet that keeps you from extracting stuff. Maybe Leuco Shell just stops you from saving stuff?

19 hours ago, Syreldar said:

I get what you mean, but isn't that a bit too much? You could have said that without sounding like an asshole, imo.

If you're trying to educate the community, you are in the wrong place: nobody will help you unless they get something out of it, and the people who could help you with that matter have no interest in obtaining 2 textures.

I can clearly see you're competent and you know what you're doing, but if I had to guess the number of people in this community who EVEN REMOTELY KNOW what you are talking about, it'd be like 20, 25 at max, many of whom haven't even been active for years. If we also subtract those who do not give a fuck about this matter, I'm not even sure we would reach 1, and this community is made of 15,763 people. I myself am not competent enough on the matter to help you.

99% of people are here just to leak and use everything they find without even saying "thank you"; this is life.

Just look:

[image]

 

It's only leechers; there is no respect for the devs here. I'm not going to say that your attitude is wrong, but if you're looking to educate people here, you're in the wrong place; they only want to be "spoon-fed", like you said. They're ignorant monkeys, but that's how it is.

So, like Tasho said, if you want to be useful, then be useful; otherwise refrain from posting such topics.

??

Just now, .T4Ump said:

??

It's not about you, it's about the other guy who complained about the issue without having even bought the system.

If I can say my opinion, you shouldn't have helped him.

3 minutes ago, Syreldar said:

It's not about you, it's about the other guy who complained about the issue without having even bought the system.

If I can say my opinion, you shouldn't have helped him.

He got the system from a friend.

Just now, .T4Ump said:

He got the system from a friend.

Same, he didn't buy it, thus no respect for the developer.

Just now, Syreldar said:

Same, he didn't buy it, thus no respect for the developer.

Come skype.

15 hours ago, Baumi said:

If not, you should still be able to do some stuff, because you have the correct function signatures and some more stuff.

No, I've tried 100 times to find a couple of functions that have never been changed, and the pattern finder doesn't give back any valuable result. This is the reason why I'm stuck. And the offset of the functions always changes after every start, so I can't tell my tool "this function is at this offset, hook it", because at the second start the function is already at another offset. Oh yeah, and I've tried the search on the .BR binary as well, and every single try was successful. So Leuco Shell sucks.

Btw, it should be enough to modify only one byte in memory and you'll be able to unpack via Python.

int __cdecl sub_5161660(int a1, int a2)
{
  int v3; // ST14_4
  char v4; // [esp+Ch] [ebp-164h]
  int v5; // [esp+15Ch] [ebp-14h]
  int v6; // [esp+160h] [ebp-10h]
  int v7; // [esp+16Ch] [ebp-4h]

  if ( !PyTuple_GetString(a2, 0, &v6) )
    return Py_BuildException(0);
  if ( packExists(v6) )
  {
    sub_53DA140(&v4);
    v7 = 0;
    v5 = 0;
    if ( sub_5441430(0, (int)&v4, v6, (int)&v5) )
    {
      sub_53DA3D0(&v4);
      v3 = python27_Py_BuildValue("s#");
      v7 = -1;
      sub_53DA580(&v4);
      return v3;
    }
    v7 = -1;
    sub_53DA580(&v4);
  }
  return Py_BuildException(0);
}

int __cdecl sub_5161660(int a1, int a2)
{
  int result; // eax
  int v3; // ST14_4
  char v4; // [esp+Ch] [ebp-164h]
  int v5; // [esp+15Ch] [ebp-14h]
  int v6; // [esp+160h] [ebp-10h]
  int v7; // [esp+16Ch] [ebp-4h]

  if ( !PyTuple_GetString(a2, 0, &v6) )
    return Py_BuildException(0);
  sub_53DA140(&v4);
  v7 = 0;
  v5 = 0;
  if ( sub_5441430(0, (int)&v4, v6, (int)&v5) )
  {
    sub_53DA3D0(&v4);
    v3 = python27_Py_BuildValue("s#");
    v7 = -1;
    sub_53DA580(&v4);
    result = v3;
  }
  else
  {
    v7 = -1;
    sub_53DA580(&v4);
    result = Py_BuildException(0);
  }
  return result;
}

metin2client.exe:051616A0 test    edx, edx
metin2client.exe:051616A2 jnz     short loc_51616CA
metin2client.exe:051616A4 push    0
metin2client.exe:051616A6 call    Py_BuildException
metin2client.exe:051616AB add     esp, 4
metin2client.exe:051616AE jmp     loc_516176A
metin2client.exe:051616B3 ; ---------------------------------------------------------------------------
metin2client.exe:051616B3 mov     eax, [ebp+var_10]
metin2client.exe:051616B6 push    eax
metin2client.exe:051616B7 call    packExists
metin2client.exe:051616BC add     esp, 4


FROM:
85 D2 75 0F 6A 00 E8 45 58 28 00 83 C4 04 E9 B7 00 00 00 8B 45 F0 50 E8 D4 FE FF FF 83 C4 04
TO:
85 D2 75 26 6A 00 E8 45 58 28 00 83 C4 04 E9 B7 00 00 00 8B 45 F0 50 E8 D4 FE FF FF 83 C4 04

"75 0F" is a short jump at 0x51616A2
Sig:
(85 D2 75 0F 6A 00 E8 ?? ?? ?? ?? 83 C4 04 E9 ?? ?? ?? ?? 8B 45 F0 50 E8 ?? ?? ?? ?? 83 C4 04) + 3

The 26 instead of 0F will skip the dot and the extension-check if-statement. So after the patch, packGet would look like this:
 

PyObject * packGet(PyObject * poSelf, PyObject * poArgs)
{
	char * strFileName;
	if (!PyTuple_GetString(poArgs, 0, &strFileName))
		return Py_BuildException();

	CMappedFile file;
	const void * pData = NULL;
	if (CEterPackManager::Instance().Get(file, strFileName, &pData))
		return Py_BuildValue("s#", pData, file.Size());

	return Py_BuildException();
}

 


Hm, I could put some time into reversing Leuco Shell

https://puu.sh/zeXKf/36c3eae0ef.mp4

or maybe have a few tries at getting a running binary / patching out Leuco Shell.

Btw, are you using the correct thread? I think they are starting a fake thread or something like that.

The string encryption kinda sucks, but when I have that solved it should be pretty easy to figure out how it works.

Probably it would be easier to modify the Leuco Shell DLL or, if we have enough information about it, replace it with our own version.

Well, the easiest method should still be doing a clean unpack of the binary; I have an almost clean unpack

 

[image]

 

[image]

even the virtualized functions, everything unpacked; it's just not executable. I got this from a friend who used the same tool to unpack as I did but had better results.

You can also use this to extract every file, with one issue: it works in "r" mode, but there are no file extension checks:

    handle = app.OpenTextFile(filename)
    count = app.GetTextFileLineCount(handle)
    for i in xrange(count):
        line = app.GetTextFileLine(handle, i)


Leuco Shell, among any other protection, is quite useless. The problem that gets you all is that the main module (seen as metin2client.bin) is a fake one. You need to fetch the address of the real module (which is hidden from the module list; you have to either rebuild it or use an external tool that's already able to do so) and do your patching from there.

(You can't use offsets; the addresses are randomized.)

For example you'll find metin2client.bin at 0xB50000 and the hidden real module at 0x3230000. There are two really easy ways to accomplish this.

1 minute ago, LucaC said:

Leuco Shell, among any other protection, is quite useless. The problem that gets you all is that the main module (seen as metin2client.bin) is a fake one. You need to fetch the address of the real module (which is hidden from the module list; you have to either rebuild it or use an external tool that's already able to do so) and do your patching from there.

 

[image]

In this function they take a snapshot of the process and probably hide the real one

[image]

On 2018. 02. 02. at 1:36 PM, LucaC said:

There are two really easy ways to accomplish this.

Oh, then I'm really stupid, because I don't know any of those ways :lol:.

On 01/02/2018 at 23:52, Syreldar said:

It's not about you, it's about the other guy who complained about the issue without having even bought the system.

If I can say my opinion, you shouldn't have helped him.

What's the problem here?

I received that system from a guy, and I needed to debug it. (I did it alone as well.)

If someone needs some systems, they can send me a message and I will send it.

VeGaS is the shitty coder who is not selling systems to Romanians; that's why he's receiving so much hate from Romania.

Kind Regards,

Andrew.
