
Leaderboard

Popular Content

Showing content with the highest reputation on 01/24/16 in all areas

  1. Hi there Devs,

     I would like to share my "little" system. If you aren't interested in the introduction/preview etc. and you just want to download it and put it on your server, just scroll down until the "[How-To] Set up" subtitle.

     The story

     Firstly let me tell this system's story. I got an idea one year ago, that it would be good if the players were able to put their items into a "global" system where they could see the other players' items, and they could buy them for DC or gold (at that time I worked with the latest vanilla core (not with the source)). Then in the following 8 days I made it (it took about 80-90 working hours). Originally the system was created for one of my friends' servers, but this server has never started, and nobody used this system. After some months I decided to publish it on the Hungarian forum, because it wouldn't be worth working on it for long hours if nobody uses it and it's just collecting dust on my computer. Then I published it on the 2nd of December, 2014.

     After some time I decided to translate it into English and I got a new idea for a new feature. This feature was: the trade system (I will explain its working later). This idea was inspired by one of the players (from a server where this system was available). He told me that it would be better if they could set the gold price via an item (whose value is very high). Then with more than 180 working hours (in total) behind my back I'm here.

     Overview
     [How-To] Set up
     Customizing the tradehouse
     Questions and Answers
     Notes

     Changelog:
     19th of August, 2015: I published the tradehouse here.

     My to-do list:
     add logging for the system (the released version doesn't log the actions in the tradehouse)

     Thanks for reading the topic, if you have any problem/remark feel free to ask it here or write me a PM. Have a good day!
    1 point
  2. Hello, I'm here today releasing my version of the slot effect system. It does not look the same as the official one, but in the future I will update this to look the same. Screenshot to see how it looks. Everything in this system was made by me.

     Tutorial:

     Go to UserInterface > PythonPlayer.cpp
     Search for:
         void CPythonPlayer::SetItemData(TItemPos Cell, const TItemData & c_rkItemInst)
     Add at the end of the function:
         PyCallClassMemberFunc(m_ppyGameWindow, "OnNewItem", Py_BuildValue("(i)", Cell.cell));
     Compile it.

     Go to root > constInfo.py
     Add this somewhere:
         NEWITEMS = []
     Save it.

     Go to root > game.py
     Add this function:
         def OnNewItem(self, cell):
             if not cell in constInfo.NEWITEMS:
                 constInfo.NEWITEMS.append(cell)
     Save it.

     Go to root > uiinventory.py
     Search for:
         def RefreshBagSlotWindow(self):
     Add this before this: (if 0 == itemCount:) :
         if itemCount == 0 and slotNumber in constInfo.NEWITEMS:
             constInfo.NEWITEMS.remove(slotNumber)
     Add this under this: (setItemVNum(i, itemVnum, itemCount)) :
         self.wndItem.EnableCoverButton(i)
         if slotNumber in constInfo.NEWITEMS:
             self.wndItem.SetCoverButton(i, "d:/ymir work/ui/game/quest/slot_button_00.sub",\
                 "d:/ymir work/ui/game/quest/slot_button_00.sub",\
                 "d:/ymir work/ui/game/quest/slot_button_00.sub",\
                 "d:/ymir work/ui/new_icon.tga", FALSE, FALSE)
             self.wndItem.DisableCoverButton(i)
     Search for:
         def OverInItem(self, overSlotPos):
     Add under:
         slotPos = overSlotPos
     Add at the end:
         if overSlotPos in constInfo.NEWITEMS:
             self.wndItem.EnableCoverButton(slotPos)
             constInfo.NEWITEMS.remove(overSlotPos)
     Save it.

     Finally go to ymirwork/ui and add this file: [Hidden Content]
     Pack root and etc.

     Have fun.

     This may not be the most optimized way to do this system, but at least you have a way. In the future I will post more updates such as more optimized versions and with official effects. If you find any bugs please post them.

     #UPDATE

     Kind Regards, Frozen
    1 point
  3. Hello, I made this background some time ago, but I don't need it anymore. I don't want to delete it, because I have worked on it for a while. So I am sharing this with you, hoping that someone can use it. Download: [Hidden Content] Preview:
    1 point
  4. Hello guys.

     I'm Narvikz, I've been in the Metin2 scene since forever, actually I feel like I'm kind of the furniture already and unluckily full of dust by now. This will actually be one of the slight amount of contributions I've given to metin2dev, I've jumped off ship a while back since this game died but apparently some troll still support it, anyway that's not related to this thread so let's keep it out of here.

     As there's still demand for some reason so is there a supply of game hacks, it's the basics of games, the more players there are the bigger the market for payhax and so the more profitable they are. I was contacted by a friend of mine (Runah Services) who told me that he wasn't unable to detect m2bob in any way, he also said that there are very few people who are doing it and those who are able to detect were keeping it private, he did not find anyone providing a satisfactory service to protect against these tools.

     What I have to say about this? You fools, you clueless fools. So, let's face it, you guys just don't have a clue about what you are doing. Right off the bat I could enumerate dozens of ways to systematically detect that m2bob is running on some system and think of its basic architecture. But first, let's talk about its architecture and how we can defeat it.

     Architecture

     M2Bob - Patcher.exe

     This is the start up process when you first start using M2bob, this will generate a 128-bit Digest (probably md5) for each file that is to be checked on disk, send it through a POST HTML request to an API that will compare the client side files to the server side up-to-date files, if any file's digest is any different it will download the most up to date file using the HTTP protocol and replace it at disk. This patcher will connect to a web server hosted at the subdomain ni220471_1.vweb02.nitrado.net and as you can see in the spoiler, little reservations has Slait as to what's hosted there. Once everything is updated it will open M2Bob.exe which we'll talk about next.

     M2Bob.exe

     This file when opened from outside the Program Files will create a randomly named (yet with constant size - 10 characters) folder inside of the Program Files folder of your computer and then another one with the same template. After that it will spawn a copy of itself with a random name (yet same size once again) and do the same for the M2Bob_Dll.dll changing its extension to ".e" instead of "dll". After that it will open that randomly named executable and execute from there. Once you press the button to start the game it will spawn a metin2client instance, it will inject its module into the process memory. After that it doesn't close the open HANDLE to the game which leaves us a HUGE detection vector to take advantage of.

     M2Bob_Dll.dll

     This module once injected into metin2client will run a few Signature Scans to find the game's subroutines it needs to call in order to simulate game actions. If you take a look into the module's memory you can see those patterns and its masks quite easily, this uses a standard FindPattern function that's been around since the very start of the cheating scene. It will then automate the actions of the player using complex algorithms which are not relevant for what we care about.

     Security wise all M2Bob does is hooking Module32Next and whenever at your iteration through the module list you hit the m2bob random named module it jumps it to the next one, successfully hiding its module from the simplest of all module enumeration techniques. Good job Slait, always work for the minimal standards and do not think out of the box.

     The hooking method used is the BIGGEST PILE OF CRAP I'VE EVER SEEN being done on a Windows NT based Operating System. This is still a detour with a trampoline hook at function start but instead of replacing the first 5 bytes with a JMP + 32 bit absolute memory address he does THE MOST RETARDED SHIT I'VE SEEN IN A WHILE. Trust me guys, I've seen so much retarded shit lately, but Slait takes the crown on this one, he really deserves it since he's put a lot of effort into this. Instead of copying the first five bytes of this function, replacing it by a simple JMP to a memory region where it has these first five bytes followed by his detour function and then a trampoline JMP back to where it all started, he managed to do a 8 FUCKING BYTE LONG in-line hook, when literally every Windows API function is compatible with Hotpatching (easy first 5 bytes hooks).

     System Overview

     The whole system is really weak, it circumvents the protection mechanisms that it is supposed to which are a PILE OF CRAP like Hackshield and GameGuard or whatever the fuck GameForge is using nowadays, but it doesn't really think out of the box when it comes to protection and obfuscation. Slait wouldn't stand a chance if GameForge purchased an actual decent service from someone who has a single clue about what they're doing (lol, even fucking Bastian Suter would perform better) instead of this pile of crap. There's no solid DRM and the system is overall really weak and shouldn't take much longer than a few hours to crack to a talented reverse engineer.

     Detection Vectors

     Well, I don't even know where to start, the whole system is flawed and weak, there's holes everywhere so I'll enumerate some quick detection vectors I can think of, and yes, I HAVE TESTED MOST OF THOSE AND THEY WORK.

     Method #1 - Hidden Memory Pages (TESTED & WORKING)

     Iterate through memory pages and using VirtualQuery find those which are 4096 byte long (size of the PE Header) and being used, for those check if you can get a DOS MZ executable signature, and if you do then you most probably have a PE Header memory page. Interpret cast that memory address to NT Header and check the TimeDateStamp and or SizeOfCode or other parameters that are constant (there's tons of them) and allow you to uniquely identify m2bob.

     Method #2 - Open HANDLEs to game process (TESTED & WORKING)

     You're gonna have to use the Native API and some Undocumented structures and functions to get this done, it's really easy to do so though, shouldn't take you longer than an hour to being able to enumerate all you need to do this. Calling NtQuerySystemInformation with SystemHandleInformation as first parameter while the return value of this function is different than STATUS_INFO_LENGTH_MISMATCH or STATUS_BUFFER_OVERFLOW you are able to populate a SYSTEM_HANDLE_INFORMATION object which will have the first 4 bytes as the count of SYSTEM_HANDLE objects present in an array that follows it. This list once populated will contain a list that contains all the HANDLEs opened in your environment, this means all the File, Registry Keys, Processes, Threads, etc, HANDLEs will be enumerated and will be in that list.

     But to know the type of HANDLE you're dealing with you have to first call QueryObject on that HANDLE with ObjectTypeInformation to know more about it. This will get you a UNICODE string that will contain the HANDLE type, you only want the ones that are "Process" so you can filter the irrelevant ones out. Then you can check if the HANDLE is targeting your game's process id (you can get your process id at the PEB of your process), if it is you're gonna want to run some checks on that process to check whether it's a legit one or a blacklisted one. You can do this by opening a HANDLE to it with OpenProcess and PROCESS_QUERY_LIMITED_INFORMATION as parameter. Then you're gonna want to get the executable path in disk using QueryFullProcessImageName, from there you can just read the first 4096 bytes of that file, cast them to NT Header and do the same checks as mentioned above.

     Alternatively you could just open the handle with PROCESS_VM_READ privileges, and use ReadProcessMemory to get the PE Header, but PROCESS_QUERY_LIMITED_INFORMATION never fails, even if the process is run as administrator or it is a system process and since m2bob doesn't use any Dynamic Forking technique it is pointless to use anything more than that.

     Method #3 - Integrity checks at Module32Next (TESTED & WORKING)

     Okay, this might sound retarded because there's malware that will spread to every process in the target system and hide itself using a user-mode rootkit that might hook Module32Next, thing is, Slait's kind of hooking is so retarded there is no actual way this would raise a false positive. This is his retarded hook:

     The 1st byte will always be FF, the 2nd will always be 25, the 7th will always be E4 and the 8th stays at a constant F8 as well. Check those and insert a huge dildo in Slait's ass, seriously, isn't that hard really. Do you think that's even hard? Please......

     Method #4 - DNS Cache (Untested But Will Work)

     So, now we're jumping to the shitty methods that are only here to fill the thread just so you can be proven wrong when you say it can't be done. Basically whenever you resolve a domain name a UDP request is sent to your DNS Server asking for the resolution of a certain domain or subdomain, it will answer with some records for that domain, these records contain the IP Address it resolves to, and that IP address will be the one you'll connect using the Internet Protocol version 4. Your operating system will cache those resolutions so that each time you need to have that domain solved it doesn't bother your DNS Server with requests each time and there is a faster resolution, you can use this to beat M2Bob once again. You don't wanna look for m2bob.net since that could flag players that just crawled around that website, but if you flag their patch server subdomain, you can actually accurately flag players that have been using m2bob. Remember ni220471_1.vweb02.nitrado.net? Yup, flag the shit out of it.

     Method #5 - USN Journal (Untested But Will Work)

     The USN Journal is a system in the NTFS that keeps track of changes to files in the user's system. It will contain the timestamp of the said change, the file name and the reason for the log. The first two need no explanation, as to the third it could range from Opening the file, deleting, moving, renaming, creating, etc, etc. How's this useful? Remember how opening M2Bob.exe spawns a different executable in the Program Files folder and opens it? Well, you don't access that executable directly, you still open M2Bob.exe, this means that you could just look for entries in the USN Journal in the last 15 minutes or so that contain the name M2Bob.exe and are followed by some program in the Program Files folder a few milliseconds after (or even skip the latter) that has been opened and just kick the player from the game whenever you detect it.

     Additional Methods

     Detection Vectors, detection vectors everywhere, I laugh at all the incompetents that for months tried to do it and failed systematically, you fools, how can you be so clueless?

     Even though Module32Next is hooked Module32NextW is not, which means that if you use the UNICODE alternative of the kernel32 library you will get unfiltered results - Good fucking job Slait, Incompetence at its fittest (inb4 every incompetent out there edits a public anti cheat source to use Module32NextW LOL)

     Haven't checked it, but even though Windows API module enumeration modules are hooked to spoof the results, you should be able to use the InInitializationOrderModuleList, InLoadOrderModuleList or the InMemoryOrderModuleList to find its module.

     Just be h4rdc0r3 and use Syscalls. Since you're incompetent you won't do this, hell you couldn't even get the indexes for your own operating system version let alone do it for 20 different versions per each function you wanna call. Anyway just implement the native API functions without actually calling them, this can be done really easy and WITH LITTLE INLINE ASM CODE using naked hooks, that will make sure that you don't break the stack inside of the function. You can look into this HERE. Your function call will be done within the kernel, meaning that this would bypass any placed hooks by Slait.

     Why the hell would your metin2 game process own 2 windows bruh? Doesn't make sense to me, just kick them dude.

     Signature Scans, this is pointless because his system is all flawed but could be a nice backup resort if he ever decides to use his brain.

     Pretty sure m2bob has some exported shit in their PE Header, just scan for it using the hidden PE Header detection shown above.

     As I'm really fucking tired already of writing a long ass thread incomparable to anything ever seen before here or anywhere released publicly online I won't even write down any more detection vectors, the system is filled with holes, I think I've proven my point already and it's pointless to keep doing this.

     This is a rant thread because you guys that own a metin2 server to make a quick buck should be ashamed of how unskilled you actually are, you are complete incompetents that keep leeching public releases and stealing other people's/servers' work, claiming it as your own or often not even mentioning it since people just don't even care any more. You provide public PAID services on an area you don't have a clue about, you're just scamming customers and selling them dreams.

     It is really frustrating for me since I left the scene when I was still a kid, I barely knew English and I stayed mostly on my local country's forums, my contributions back then were merely in the translation area, I've put a lot of effort into it now that I think about it, after that I limited my contributions to helping people with general Linux/BSD issues, but then it seemed that owning a Metin2 Private Servers built with pieces and pieces of stolen or leaked work was a trend, and I got really really pissed at the whole scene, I just started trolling all the retards asking for assistance with BSD issues that are from 101 classes, obvious errors that even my grandfather could solve and other retarded threads.

     Have Fun guys, I know most of you won't use this for anything since even being spoonfed all the methods you're so clueless you can't write this down on code, but maybe there's someone out there that will actually use some nice tips like this, and since I gave them to one guy privately on skype I might as well post them publicly for everyone to see. I've been contacted by SandMann016 to work with him, and to be honest it kind of makes me sad that I am releasing this, I never managed to proceed with those plans but still, he seemed to be a decent guy back when I first met him, but oh well, here it is now.

     /rant
    1 point
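
The header check from Method #1 and the byte check from Method #3 in the post above, as an added example that is not part of the original post and not code from any anti-cheat project. It works on plain byte buffers so it runs anywhere; function names are hypothetical, the fingerprint values are placeholders rather than m2bob's real ones, and obtaining the buffers on Windows (VirtualQuery, reading the function start) is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u

/* Header fields that stay constant for one build of a module. */
typedef struct {
    uint32_t time_date_stamp; /* IMAGE_FILE_HEADER.TimeDateStamp */
    uint32_t size_of_code;    /* IMAGE_OPTIONAL_HEADER.SizeOfCode */
} pe_fingerprint;

/* Little-endian accessors with no alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Method #1: returns 1 and fills *out if buf starts with a plausible PE header. */
int pe_fingerprint_from_page(const uint8_t *buf, size_t len, pe_fingerprint *out) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t nt = rd32(buf + 0x3C);                 /* e_lfanew */
    if (nt > len - 32) return 0;                    /* fields must lie inside buf */
    if (memcmp(buf + nt, "PE\0\0", 4) != 0) return 0;
    uint32_t magic = buf[nt + 24] | (uint32_t)buf[nt + 25] << 8;
    if (magic != 0x10B && magic != 0x20B) return 0; /* PE32 or PE32+ */
    out->time_date_stamp = rd32(buf + nt + 8);      /* signature + 4 into file header */
    out->size_of_code = rd32(buf + nt + 28);        /* 4 into optional header */
    return 1;
}

/* 1 when the header in buf carries exactly the known fingerprint. */
int page_matches(const uint8_t *buf, size_t len, const pe_fingerprint *known) {
    pe_fingerprint fp;
    return pe_fingerprint_from_page(buf, len, &fp) &&
           fp.time_date_stamp == known->time_date_stamp &&
           fp.size_of_code == known->size_of_code;
}

/* Method #3: the post's pattern at the function start, counted from 1:
   byte 1 = FF, byte 2 = 25, byte 7 = E4, byte 8 = F8. */
int prologue_matches_reported_hook(const uint8_t *code, size_t len) {
    return len >= 8 && code[0] == 0xFF && code[1] == 0x25 &&
           code[6] == 0xE4 && code[7] == 0xF8;
}

/* Constructed sample: a zeroed page holding only the fields read above. */
void build_sample_page(uint8_t *page, uint32_t stamp, uint32_t code_size) {
    memset(page, 0, PAGE_SIZE);
    page[0] = 'M'; page[1] = 'Z';
    wr32(page + 0x3C, 0x80);
    memcpy(page + 0x80, "PE\0\0", 4);
    wr32(page + 0x80 + 8, stamp);
    page[0x80 + 24] = 0x0B; page[0x80 + 25] = 0x01; /* PE32 magic 0x10B */
    wr32(page + 0x80 + 28, code_size);
}

int main(void) {
    static uint8_t page[PAGE_SIZE];
    const pe_fingerprint known = { 0x11223344u, 0x00055000u };        /* placeholders */
    const uint8_t hooked[8] = { 0xFF, 0x25, 0, 0, 0, 0, 0xE4, 0xF8 }; /* constructed */
    const uint8_t clean[8] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x90, 0x90, 0x90 };
    build_sample_page(page, known.time_date_stamp, known.size_of_code);
    printf("fingerprint match: %d\n", page_matches(page, sizeof page, &known));
    printf("hooked prologue:   %d\n", prologue_matches_reported_hook(hooked, 8));
    printf("clean prologue:    %d\n", prologue_matches_reported_hook(clean, 8));
    return 0;
}
```

The bounds check on e_lfanew matters because the scanned pages are untrusted memory: a page that merely begins with "MZ" must not make the scanner read past the 4096 bytes it was given.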
  5. Here are over 200 icons of belts. Enjoy. Screen: Download: [Hidden Content]
    1 point
  6. Hi Devs! I want to share the lolly effect with you. Let's start.

     Open common/lenght.h and search
         SE_EQUIP_LOVE_PENDANT
     make new line and paste this
         SE_EQUIP_MAGIC_CANDY,

     Open common/vnumhelper.cpp and search
         const bool IsLovePendant(DWORD vnum) { return 71145 == vnum; }
     make new line and paste
         static const bool IsMagicCandy(DWORD vnum) { return 71188 == vnum; }

     Common is done!

     Open game/char_item.cpp and search
         else if (true == CItemVnumHelper::IsLovePendant(dwVnum))
         {
             this->EffectPacket(SE_EQUIP_LOVE_PENDANT);
         }
     make new line and paste
         else if (true == CItemVnumHelper::IsMagicCandy(dwVnum))
         {
             this->EffectPacket(SE_EQUIP_MAGIC_CANDY);
         }

     Open game/unique_item.cpp search
         UNIQUE_ITEM_RAMADAN_RING = 71135,
     make new line and paste
         UNIQUE_MAGIC_CANDY = 71188,

     Game is done!

     Open Client/instancebase.h and search
         EFFECT_LOVE_PENDANT_EQUIP
     make new line and paste
         EFFECT_EQUIP_CANDY,

     Open Client/packet.h and search
         SE_EQUIP_LOVE_PENDANT,
     make new line and paste
         SE_EQUIP_MAGIC_CANDY,

     Open Client/PythonNetworkStreamPhaseGameItem.cpp search
         case SE_EQUIP_LOVE_PENDANT:
             effect = CInstanceBase::EFFECT_LOVE_PENDANT_EQUIP;
             break;
     make new line and paste
         case SE_EQUIP_MAGIC_CANDY:
             effect = CInstanceBase::EFFECT_EQUIP_CANDY;
             break;

     Open Client/PythonCharacterManagerModule.cpp
         CInstanceBase::EFFECT_LOVE_PENDANT_EQUIP);
     make new line and paste
         PyModule_AddIntConstant(poModule, "EFFECT_EQUIP_CANDY", CInstanceBase::EFFECT_EQUIP_CANDY);

     Client is done!

     Open root/playersettingsmodule.py search
         chrmgr.RegisterCacheEffect(chrmgr.EFFECT_LOVE_PENDANT_EQUIP, "", "d:/ymir work/effect/etc/buff/buff_item4.mse")
     make new line and paste
         chrmgr.RegisterCacheEffect(chrmgr.EFFECT_EQUIP_CANDY, "", "d:/ymir work/effect/etc/buff/buff_candy2.mse")

     item_proto.sql
         71188 ºÎÈ°Àı »çÅÁ Lolly The Magical 16 0 0 1 106624 0 128 0 0 0 0 0 0 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -1 -1 -1 -1 -1 -1 0 0 0

     item_proto.txt
         71188 Ãʽ´ŞÀÇ ¹İÁö ITEM_UNIQUE UNIQUE_NONE 1 NONE NONE WEAR_SHIELD NONE 0 0 0 0 0 REAL_TIME 0 LIMIT_NONE 0 APPLY_NONE 0 APPLY_NONE 0 APPLY_NONE 0 0 0 0 0 0 0 0 0 0

     item_names
         71188 Lolly the Magical

     effect: Click here for download effect

     Ingame screen:

     Sorry, I don't know how to make blocks for the topic. Good luck
    1 point
  7. no, not really. Just some bugs fixed. And necessary for cython.
    1 point
  8. This is my version:

     loginwindow.py (in locale):
         {
             "name" : "WepPageButton",
             "type" : "button",
             "x" : , #write here the x coordinate
             "y" : , #write here the y coordinate
             "default_image" : "d:/ymir work/ui/public/large_button_01.sub",
             "over_image" : "d:/ymir work/ui/public/large_button_02.sub",
             "down_image" : "d:/ymir work/ui/public/large_button_03.sub",
             "text" : , #write here the button text
         },

     intrologin.py (in root) search:
         import uiScriptLocale
     Write under:
         import webbrowser
     Now search:
         self.loginExitButton = GetObject("LoginExitButton")
     Write under:
         self.WepPageButton = GetObject("WepPageButton")
     Now search:
         self.loginExitButton.SetEvent(ui.__mem_func__(self.__OnClickExitButton))
     Write under:
         self.WepPageButton.SetEvent(ui.__mem_func__(self.__WebPageTest))
     Now create this function:
         def __WebPageTest(self):
             webbrowser.open_new("write here your url")

     The last thing: put this in the lib folder: [Hidden Content]
    1 point