martysama0134 (posted April 3, 2016, edited):

Well, such a thing is quite easy, and I have known it since 2011~2012 (when the first 30k game cores were released, to be more precise). You can find some diff patch files from that time for the 30k game cores on the web that do this, but I will explain how to do it via source code editing.

First of all, why do the 40k game core files have a slower login than usual? That's because Ymir implemented an additional encryption layer using Crypto++, and at login they added some key agreement checks, which ended up making the login slower. You can actually disable this feature, so that the login is as fast as the old game revisions had. Disabling it will remove the "key agreement" step and will encrypt the connection with XTEA instead of the Crypto++ algorithms. (No big security issues, so it's safe to do.)

The edit is quite simple.

Server side: edit ^/Srcs/Server/common/service.h and comment out
#define _IMPROVED_PACKET_ENCRYPTION_
so that it becomes
// #define _IMPROVED_PACKET_ENCRYPTION_

Client side: same story for ^\Srcs\Client\EterBase\ServiceDefs.h, commenting out
#define _IMPROVED_PACKET_ENCRYPTION_
so that it becomes
// #define _IMPROVED_PACKET_ENCRYPTION_

Additionally, in the client you must also edit the archaic pong in ^\Srcs\Client\UserInterface\Locale.cpp like this: find
#define LSS_SECURITY_KEY "testtesttesttest"
and change it to
#define LSS_SECURITY_KEY "1234abcd5678efgh"

Video of a quick login (using a second-rate connection, and with 4810 programs open simultaneously): https://youtu.be/Rp2EeICMkFU

Here is how the code should look at the end: [screenshot]

Enjoy your abione.
VegaS (posted April 3, 2016, edited): [post content removed by the poster]
morion (posted April 3, 2016): Thanks marty, awesome release.
alondark (posted April 3, 2016): Awesome, bro, but the trolls are coming xd
cBaraN (posted April 3, 2016):

In my case, I can analyze everything with the pong if I know reverse engineering. You really misunderstand what security means. Maybe you can remove the pong from memory after running the binary, but that doesn't mean I can't find the pong. The pong mechanism was pretty good in the early days, but it isn't now. You're giving everything away to one key, and that doesn't make sense to me. A system can be slow but safe. If the binary file is not compiled with Cython files, that binary file can be used by someone else (the one that isn't using the cipher). If you start to talk about systems and packets, it's not a big deal for reverse engineers or sniffers. You just want the system to be faster than the current one, but you're missing security.

#Note: I did exactly what you say on my server (8k+ online), but after a while nobody could log in this way. Even if a player logs into the game, he can't see anything and goes back to the server select window.

Best regards, Can BARAN
martysama0134 (posted April 3, 2016, edited), replying to cBaraN's post above:

As a man in the middle, even with _IMPROVED_PACKET_ENCRYPTION_ enabled, sniffing all the packets is quite possible. The major problem is becoming the man in the middle. It's faster to send malicious stuff to some game admins; a lot of them would fall for that. (Many people tried such a thing on me in the past, unsuccessfully.)

Anyway, the only major-league problem in Metin2, which afflicts every server, is that the login password is sent as clear text and is readable if sniffed, but it can be hashed client-side quite easily. (Probably this will be the next thing I will try to do.)

Even if you use Cython, there's a simple way to use the binary without considering the "rootlib" inside.

About the note: many servers already did such a thing. Test made right now: https://metin2.download/picture/027DMJ79p2fShkhjM3401IfzCm1jsbYC/.png All entities are there, and no disconnection.
cBaraN (posted April 3, 2016, edited), replying to martysama0134's post above:

First, I want to talk about your note. I made this test with 8k+ online; I see you're testing this with 2 players. It doesn't answer my question at the moment anyway.

The client is sending everything in the clear. A sniffer can read this easily, but I can't give everything away to a standard key. This key can be seen by someone else using HxD, OllyDbg, IDA Pro and so on. Even if you hide everything with Themida or Enigma, you can see everything again. Also, the cipher is not used only for login. It's used by the Guild Mark Downloader, the Select Phase, the Handshake Phase and the Game Phase. And you're giving everything away to a standard key again. Do you think that makes sense?

Best regards, Can BARAN
Runah (posted April 5, 2016): Faster and better. Good job. A new project is coming up very soon. Stay tuned.
MORTE (posted April 5, 2016): Hello, is it safe or not?
VegaS (posted April 5, 2016), replying to MORTE: If we were to measure the square footage and then divide the total by 2, it would come out as yes.
Koray (posted April 5, 2016), replying to cBaraN's first post above:

"At first": if you know reverse engineering, you can get the cipher and the functions where the cipher is stored from the client, so you don't need to protect the client with a "pong" mechanism. Marty is disabling this stuff because it's pretty old and useless. Anyone can get your pong at any time; you can get it from the server dynamically or store it in the client in a variable. This is no problem: if you send the pong to the client and it is in an operable state, people (reverse engineers) can get your pong.

tl;dr: for protection, the "pong" is the wrong way. And if you want more security, you can start by re-activating the sequence mechanism.
ScreamMyName (posted April 6, 2016): Dude, wtf is wrong with your Notepad++? Get Sublime, or at least a better theme.
cBaraN (posted April 6, 2016), replying to Koray's post above:

At first, sweetheart, even if you send the pong or whatever you said, I can get it again. Even if you send this key dynamically to the client, there is a formula or something like that, right? (: Anyway, let's say you're sending this key dynamically to the client and the client is storing it in memory. Also, let's make it hard: you're removing it from memory when you don't use it. Do you know there is something called a breakpoint? Okay, here we go.

- Connect to the server; the server will make sure about everything and send the dynamic key to the client.
- The client will receive the key, and when the client doesn't use it, the client will remove it from memory. (There is a condition here; I can put a breakpoint where you do that.)
- Even if I can't put a breakpoint, I can use a hook and hook your client's function.

Let's make it ultra-hard: you've packed it with Enigma or Themida or whatever you're using. If I know reverse engineering, I can unpack your client, right? Okay, let's make it ultra-ultra-hard: you could use a modified UPX like GameGuard. Do you know what? If I know reverse engineering, I can unpack it again, and that brings us back to the first question: what's the matter with the standard key or the dynamic key? There is a saying in the unreal world: don't try to fight a reverse engineer.

Best regards, Can BARAN
panher (posted April 6, 2016): Removing the encryption system of Ymir/Webzen, Gameforge-compatible full pack max 50 MB, 100 MB transferred into ready to play. AutoPatcher size up to 10 MB. To download the provided 50/100 MB (type) 1, 2, 3, 4, --- 5.6 LZO. We do not use the full installation; we upload files installed on Gameforge. 1 GB .rar file: 40 minutes; 10 + 100 MB plug-new PvP: 5 minutes.
tierrilopes (posted April 6, 2016): You can also eliminate that 3s delay after choosing a character and the loading of files. Actually, I did only the above and I get the same login speed as you, without touching improved_packet.
martysama0134 (posted April 6, 2016), replying to MORTE ("Hello, is it safe or not?"):

Well, all the old game cores until r2089m never had "_IMPROVED_PACKET_ENCRYPTION_". If you disable it, it's just like the old times, speaking of auth speed. The old system used a static XTEA encryption key, while the second one uses a dynamic Crypto++ algorithm for that. A "man in the middle" can break both quite easily, so it's up to you. All of Metin2 used the old version for many years.
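The two designs marty contrasts above (a static XTEA key shipped inside every client versus a per-session key from a key agreement), as an added example that is not part of this thread or of the Metin2 source. It uses the real XTEA round function, but the CTR framing, the fake client image, the login packet and the toy Diffie-Hellman standing in for the Crypto++ key agreement are constructed here; whether LSS_SECURITY_KEY is exactly the bytes the client feeds to XTEA is not something the thread states, so the post's value is used only as a placeholder constant.

```python
"""Static XTEA key vs. unauthenticated key agreement: what each attacker model recovers.
Added example, not Metin2/Ymir code; everything but the XTEA round function is constructed."""
from __future__ import annotations

import hashlib
import secrets

MASK32, DELTA = 0xFFFFFFFF, 0x9E3779B9
STATIC_KEY = b"1234abcd5678efgh"  # the 16-byte constant from the post (LSS_SECURITY_KEY)
# Constructed stand-in for a client image: some x86-looking bytes around the key constant.
FAKE_CLIENT_IMAGE = (bytes.fromhex("5589e583ec10c745fc00000000") + STATIC_KEY
                     + bytes.fromhex("8b45fc5dc3") + b"Enter your password")
LOGIN_PACKET = b"LOGIN alice hunter2"  # constructed; the thread notes the password is plaintext
NONCE = 7  # constructed session value; must never repeat under one key in real CTR use

def xtea_encrypt_block(v0: int, v1: int, k: list[int], rounds: int = 32) -> tuple[int, int]:
    """Standard XTEA (Needham/Wheeler) on one 64-bit block with a 128-bit key (4 words)."""
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return v0, v1

def xtea_ctr(key: bytes, nonce: int, data: bytes) -> bytes:
    """CTR mode over XTEA: keystream block i = E_k(nonce, i), XORed in. Encrypt == decrypt.
    The mode is an assumption for the demo; the point is who holds `key`, not the mode."""
    k = [int.from_bytes(key[i:i + 4], "little") for i in range(0, 16, 4)]
    out = bytearray()
    for i in range(0, len(data), 8):
        a, b = xtea_encrypt_block(nonce & MASK32, i // 8, k)
        ks = a.to_bytes(4, "little") + b.to_bytes(4, "little")
        out += bytes(x ^ y for x, y in zip(data[i:i + 8], ks))
    return bytes(out)

def printable_runs(blob: bytes, min_len: int = 16) -> list[bytes]:
    """What a hex editor or `strings` shows: runs of printable ASCII in a binary image."""
    runs, cur = [], bytearray()
    for byte in blob + b"\x00":  # trailing NUL flushes the last run
        if 0x20 <= byte < 0x7F:
            cur.append(byte)
            continue
        if len(cur) >= min_len:
            runs.append(bytes(cur))
        cur = bytearray()
    return runs

def passive_sniffer_static(client_image: bytes, captured: bytes, nonce: int):
    """Passive attacker against the static-key design: lift key candidates out of the client
    binary, try each 16-byte window against one captured packet, stop when it decrypts."""
    for run in printable_runs(client_image):
        for off in range(len(run) - 15):
            pt = xtea_ctr(run[off:off + 16], nonce, captured)
            if pt.startswith(b"LOGIN "):  # constructed framing of the demo packet
                return pt
    return None

def run_static_key() -> dict:
    """Old design (_IMPROVED_PACKET_ENCRYPTION_ off): one key baked into every client."""
    wire = xtea_ctr(STATIC_KEY, NONCE, LOGIN_PACKET)
    return {"server_reads": xtea_ctr(STATIC_KEY, NONCE, wire),
            "attacker_reads": passive_sniffer_static(FAKE_CLIENT_IMAGE, wire, NONCE)}

# Toy unauthenticated Diffie-Hellman standing in for the Crypto++ key agreement. Assumption:
# the real scheme differs in every detail except the property shown, that nothing
# authenticates the peer's public value. P = 2**64 - 59 is prime but far too small for real use.
P = 0xFFFFFFFFFFFFFFC5
G = 5

def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_session_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(8, "big")).digest()[:16]

def run_key_agreement(mitm: bool) -> dict:
    """New design: per-session key. A passive sniffer learns nothing; an active attacker who
    can swap the public values terminates both halves and reads everything."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    if not mitm:
        wire = xtea_ctr(dh_session_key(c_priv, s_pub), NONCE, LOGIN_PACKET)
        return {"server_reads": xtea_ctr(dh_session_key(s_priv, c_pub), NONCE, wire),
                "attacker_reads": None}
    m_priv, m_pub = dh_keypair()
    c_key = dh_session_key(c_priv, m_pub)  # client believes m_pub is the server's value
    s_key = dh_session_key(s_priv, m_pub)  # server believes m_pub is the client's value
    wire = xtea_ctr(c_key, NONCE, LOGIN_PACKET)
    seen = xtea_ctr(dh_session_key(m_priv, c_pub), NONCE, wire)     # decrypt client half
    relayed = xtea_ctr(dh_session_key(m_priv, s_pub), NONCE, seen)  # re-encrypt to server
    return {"server_reads": xtea_ctr(s_key, NONCE, relayed), "attacker_reads": seen}
```

Calling `run_static_key()` and `run_key_agreement(...)` gives the three cases the thread argues about: with the static key, a purely passive sniffer recovers the login packet after pulling the key out of the client image with nothing more than a `strings`-style scan (cBaraN's HxD point); with the key agreement, the same passive sniffer gets nothing, and only an attacker who can actively swap the public values reads the traffic (marty's point). Neither design protects a password that travels as cleartext inside the channel once the channel is broken, which is the separate problem marty raises.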
Koray (posted April 6, 2016), replying to cBaraN:

cBaraN said: "At first, sweetheart, even if you send the pong or whatever you said"
Yeah, sure. I already said: "if you send the pong to the client and it is in an operable state, people (reverse engineers) can get your pong." Maybe you need to learn to read first. Do you want to fight? Well,

cBaraN said: "Connect to the server; the server will make sure about everything and send the dynamic key to the client."
When you send the pong to the client, use polymorphism or time-dynamic encryption; you receive the response as a salt and convert it again with polymorphism or encryption server-side. Now try to bypass the server-side compare operation.

cBaraN said: "The client will receive the key, and when the client doesn't use it, the client will remove it from memory. (There is a condition here; I can put a breakpoint where you do that.)"
If you don't send the pong as a salt or validate it in the client, this is enough protection for you. We can protect the game binary from breakpoints with only 1 API and ~5 lines (ntdll.dll!NtSetInformationThread, ThreadHideFromDebugger flag). I think this tip is enough.

cBaraN said: "Even if I can't put a breakpoint, I can use a hook and hook your client's function."
We can check code validity in the client; if you try to change any bytes, that is easily detectable.

cBaraN said: "Let's make it ultra-hard: you've packed it with Enigma or Themida or whatever you're using. If I know reverse engineering, I can unpack your client, right?"
Yeah, you can unpack Themida or Enigma in seconds. My suggestion: try the hardest ones, like VMProtect or Shielden. Dude, the year is 2016, who is using Themida? xD

cBaraN said: "Okay, let's make it ultra-ultra-hard: you could use a modified UPX like GameGuard"
Ahahahaha, that's enough for me, really. You can continue reversing UPX xD Next time please write from your own account, kişiliksiz (characterless one).
cBaraN (posted April 7, 2016), replying to Koray:

Koray said: "Do you want to fight? Well,"
Yeah, I do, as always.

Koray said: "When you send the pong to the client, use polymorphism or time-dynamic encryption; you receive the response as a salt and convert it again with polymorphism or encryption server-side. Now try to bypass the server-side compare operation."
Even if you encrypt it or send it as a salt or whatever you said, you have to send that key, or whatever you name it, to the client, right?

Koray said: "If you don't send the pong as a salt or validate it in the client, this is enough protection for you. We can protect the game binary from breakpoints with only 1 API and ~5 lines (ntdll.dll!NtSetInformationThread, ThreadHideFromDebugger flag). I think this tip is enough."
Isn't it like what you did in your protection system? blablablablabla; HideMyFunctionFromThread; NtGlobalFlag, if you don't know anything about that. I just wanted to show you (:

    // Do I have to catch you with je?
    __asm {
        mov eax, fs:[30h]
        mov al, byte ptr [eax + 68h]
        and al, 70h
    };

Let's say you're trying very, very hard. You're using INT3, a.k.a. a breakpoint, to stop debug information or something like that. At first look you might think that's a good way, but there are more ways to debug it. Let's say you're using these things: NtGlobalFlag, Heap Flags, Anti Step Over, a hook checker with the address mechanism. (You probably do that like what you did for your game security. Ugh..) I'm just asking: what if I'm using a hidden debugger? Whatever, that's a simple question.

Koray said: "We can check code validity in the client; if you try to change any bytes, that is easily detectable."
And it's easy to bypass it. Let's continue.

Koray said: "Yeah, you can unpack Themida or Enigma in seconds. My suggestion: try the hardest ones, like VMProtect or Shielden. Dude, the year is 2016, who is using Themida? xD"
YMIR & Webzen YMIR Games (WinLicense). First, you have to learn something about this. You and your sh*tty things are no big deal for me.

Koray said: "Ahahahaha, that's enough for me, really. You can continue reversing UPX xD"
I think you misunderstand me about that. Do you know there is something called a fake signature? Please.. We're living in 2016! Who wants to use UPX or something like that? You might be right there, but you can't even understand what a fake signature means. Whatever, let's continue. You're doing everything to protect your game binary file, but you can't even block that 100%.

Best regards, Can BARAN
Koray (posted April 7, 2016), replying to cBaraN:

cBaraN said: "whatever you name it, to the client, right?"
Nah, you don't have to send the right pong to the client; you can get the client's key and compare it on the server, and if the pong is wrong you can easily and silently detect it.

cBaraN said: "Isn't it like what you did in your protection system? blablablablabla; HideMyFunctionFromThread; NtGlobalFlag, if you don't know anything about that. I just wanted to show you (: // Do I have to catch you with je? __asm { mov eax, fs:[30h]; mov al, byte ptr [eax + 68h]; and al, 70h };"
I said "ThreadHideFromDebugger", not "HideMyFunctionFromThread" lol. I think you didn't read the first part of my message: "Maybe you need to learn to read first." Here is a basic document: http://nsylvain.blogspot.com.tr/2007/08/threadhidefromdebugger-but-why.html

cBaraN said: "Let's say you're trying very, very hard. You're using INT3, a.k.a. a breakpoint, to stop debug information or something like that. At first look you might think that's a good way, but there are more ways to debug it. Let's say you're using these things: NtGlobalFlag, Heap Flags, Anti Step Over, a hook checker with the address mechanism. (You probably do that like what you did for your game security. Ugh..) I'm just asking: what if I'm using a hidden debugger? Whatever, that's a simple question."
First, you don't need to use a "hidden debugger" for this shit. These tricks are already easy to patch manually. If you want a good debugger-detection system, you can easily detect it with system information APIs like NtQueryInformationProcess or DbgUiRemoteBreakin. You cannot hide from these APIs without modifying them with a hook, and that is easily detectable. And "hidden debugger", I don't understand what you mean. If you mean hiding the debugger process: if you don't have kernel-mode support, you cannot bypass it from user mode. So hidden processes can be detected. If you mean with plugins, the tricks I mentioned are already patched with hooks, and I already said hooks are easily detectable.

cBaraN said: "And it's easy to bypass it. Let's continue."
Easy? lol. I don't mean checks on memory blocks; I mean checking the integrity of the code sections directly.

cBaraN said: "YMIR & Webzen YMIR Games (WinLicense). First, you have to learn something about this. You and your sh*tty things are no big deal for me."
"YMIR & Webzen YMIR Games (WinLicense)." What? Maybe you need to learn something about packers. I didn't say the protections I mentioned protect you 100%, but at least they protect better than Themida or Enigma.

cBaraN said: "You might be right there, but you can't even understand what a fake signature means."
Who cares about a fake signature? Unpacked GameGuard modules and unpacking methods are already published xD

cBaraN said: "You're doing everything to protect your game binary file, but you can't even block that 100%."
Yes, nobody can protect 100% against debugging. But we can make a better defence mechanism against scripter kids like you.
ScreamMyName (posted April 9, 2016): This topic is very confusing; is this a safe way or not? A simple, straight answer would be good.
Rainbow3D (posted April 10, 2016): Awesome!! Nice, man.
ds_aim (posted May 27, 2016):

Never do this; I tested this a long, long time ago, back in 2014.
- You will have unknown packet header errors (in-game kicks).
- You will get sequence errors (in-game kicks).
- You will get buffer overflow problems (in-game kicks).

This tutorial is really shit and also useless. If you want to keep improved disabled, you need to rewrite the sequence table and make automatic buffer-adjust functions (like me). With this disabled, this code will trigger:

    if (buffer_has_space(m_lpOutputBuffer) < iSize + 8)
    {
        sys_err("desc buffer mem_size overflow. memsize(%u) write_pos(%u) iSize(%d)",
                m_lpOutputBuffer->mem_size, m_lpOutputBuffer->write_point_pos, iSize);
        m_iPhase = PHASE_CLOSE;
    }

Just disable improved_packet_encryption and install an offline shop. You will get buffer overflow problems. Never do this.
MichaelM (posted July 11, 2016), replying to ScreamMyName ("is this a safe way or not?"): No, it is not. This method is a hack.
Zeke (posted July 15, 2016): Remove the protection, it will be faster -.- logic
Crystal™ (posted July 15, 2016): I could never say that this shit is protection..xD