LucaC, posted January 30, 2018:

First things first: I'm not a competent reverse engineer. I am well educated in software development in general, but this is not my field. So pardon me if I say anything stupid. Since the last few GameForge Metin2 updates inhibit us from accessing the new EterPack contents, we are out of luck for new content... or not. I have found a way to execute arbitrary code (C++ and Python) within the latest Metin2Client update, bypassing all the checks that the game does (and I have also managed to dump a Themida-free version of metin2client.bin). That's all fine and dandy, but unfortunately packGet has been patched, so no luck for easy direct access. I have found a workaround to at least dump some textures, but that's about it. What I'm getting at is that I need some help to make this work and hopefully bring the latest updates to all of you. If you think you can be of any help, PM me.
LucaC (author), posted January 31, 2018:

Since no one seems interested, I'll show some proof. Once again, I'm no reverse engineer, but I kinda know what I'm doing.
HellBoy, posted January 31, 2018 (edited):

Not Bad do the armors 2 xD

Edited August 24, 2022 by Metin2 Dev Core X - External 2 Internal
LucaC (author), posted January 31, 2018:

6 minutes ago, HellBoy said: Not Bad do the armors 2 xD

I already have the possibility to do so, but I'm not going to spoon-feed everyone. I'll gladly release my work if people are willing to help.

4 hours ago, arves100 said: Interesting... a way you can dump "Audio tracks", "Textures" and "3D Models" is by directly patching the DirectX DLL, XAudio and the Granny DLL (theoretically it will work). I found a project that has done that with WinSock2 (an easy way to reverse the Metin2 server, or at least new packets/new systems?). Talking about EterPacks, it's almost "impossible" that you could not get access to EIX/EPK since the client is forced to dump them somehow. So a way must exist. I'll buy the chests XD

Yup, quite true. I already managed to dump much stuff by hooking external libraries. I'm now working on hooking internal stuff, but the Themida stub is a pain in the ass. I already have something in the works anyway.
LucaC (author), posted February 1, 2018 (edited):

So... even if everyone was not interested in contributing, I managed to figure it out by myself. With a simple runtime patch, packGet can be pwned and forced to load any file. I'll probably contribute some leaks with you guys anyway.

(pc2) warrior_christmas_2017_red.dds, warrior_christmas_2017_silver.dds

Edited September 3, 2022 by Metin2 Dev Core X - External 2 Internal
Tasho, posted February 1, 2018 (edited):

Just stop spamming the forum with your childish acts. If you have something to share, do it; don't make a lot of replies without sense in this category, it isn't off-topic. PS: A guy like you was banned multiple times here (a Romanian guy) with fake accounts; he said he had "x10 years experience in programming" (and in reality he just did copy-paste of things and showed only texts & photos), stole the identity of other users of stackoverflow etc. I'm sure you are him, but I don't care, have fun with your new fake account.

Edited August 26, 2022 by Metin2 Dev Core X - External 2 Internal
Syreldar (Premium), posted February 1, 2018:

On 2/1/2018 at 3:36 AM, Tasho said:

I get what you mean, but isn't that a bit too much? You could have said that without sounding like an asshole imo.

On 1/30/2018 at 8:09 PM, LucaC said: I already have the possibility to do so, but I'm not going to spoon-feed everyone. I'll gladly release my work if people are willing to help.

If you're trying to educate the community you are in the wrong place; nobody will help you unless they get something out of it, and the people who can help you on that matter have no interest in obtaining 2 textures. I can clearly see you're competent and you know what you're doing, but if I had to guess the number of people in this community who EVEN REMOTELY KNOW what you are talking about, it'd be like 20, 25 at max, many of whom have not even been active for years. If we also were to subtract those who do not give a fuck about this matter, I'm not even sure we would reach 1, and this community is made of 15,763 people. I myself am not competent enough on the matter to help you. 99% of people are here just to leak and use everything they find without even saying "thank you"; this is life. Just look: it's only leechers, there is no respect for the devs here. I'm not going to say that your attitude is wrong, but if you're looking to educate people here, you're in the wrong place; they only want to be "spoon-fed", like you said. They're ignorant monkeys, but that's how it is. So, like Tasho said, if you want to be useful then be useful, else refrain from posting such topics.

"Nothing's free in this life. Ignorant people have an obligation to make up for their ignorance by paying those who help them. Either you got the brains or cash, if you lack both you're useless." Syreldar
LucaC (author), posted February 1, 2018:

Well then. If you're going to act like entitled and cute little snowflakes... Also, just for clarity's sake: I'm not Romanian (wish I was though, life is cheap there) and I don't really care about recognition. I don't claim to be a genius either (but I mean, if you guys are the object of comparison, that's unfair for you). All of that being said, what do I do to get this account banned? This forum is already making my skin crawl. (Bear in mind @Syreldar, I'm not complaining about your message. You actually have a point.)
Syreldar (Premium), posted February 1, 2018:

16 minutes ago, LucaC said: Well then. If you're going to act like entitled and cute little snowflakes... Also, just for clarity's sake: I'm not Romanian (wish I was though, life is cheap there) and I don't really care about recognition. I don't claim to be a genius either (but I mean, if you guys are the object of comparison, that's unfair for you). All of that being said, what do I do to get this account banned? This forum is already making my skin crawl. (Bear in mind @Syreldar, I'm not complaining about your message. You actually have a point.)

Sorry if I sounded rough, I tried to explain the situation the best I could. A better community to share in is metin2downloads (main language: DE); the staff is active there, there are fewer normal users and more devs/expert people. Plus you can hide your posts unless someone likes them, which is good. I'm also there as Darisil.
Baumi, posted February 1, 2018 (edited):

Well, what about hooking CMappedFile or, well, CEterPackManager::GetFromPack directly to get the data? Also, what did they patch in packGet? I don't see any change. Well, they pack their resources now, so changing the .pyc to .gr2 for example with a packed binary won't work anymore (it could probably still work with the suspended-process memory editing stuff), but well, yeah, they did not touch packGet and packExists directly; those do the same things (with the exception that packExists has some extra checks you can patch out). If you have an unpacked, working, Themida-free version, just go ahead and patch the functions with IDA Pro and disable the checks. If not, you still should be able to do some stuff because, well, you have the correct function signatures and some more stuff. Actually, I reverse engineered it further: there is no change in packGet that keeps you from extracting stuff. Maybe Leuco shell just stops you from saving stuff?

Edited August 20, 2022 by Metin2 Dev Core X - External 2 Internal
TAUMP (Premium), posted February 1, 2018:

On 2/1/2018 at 4:07 AM, Syreldar said: I get what you mean, but isn't that a bit too much? You could have said that without sounding like an asshole imo. If you're trying to educate the community you are in the wrong place; nobody will help you unless they get something out of it, and the people who can help you on that matter have no interest in obtaining 2 textures. I can clearly see you're competent and you know what you're doing, but if I had to guess the number of people in this community who EVEN REMOTELY KNOW what you are talking about, it'd be like 20, 25 at max, many of whom have not even been active for years. If we also were to subtract those who do not give a fuck about this matter, I'm not even sure we would reach 1, and this community is made of 15,763 people. I myself am not competent enough on the matter to help you. 99% of people are here just to leak and use everything they find without even saying "thank you"; this is life. Just look: it's only leechers, there is no respect for the devs here. I'm not going to say that your attitude is wrong, but if you're looking to educate people here, you're in the wrong place; they only want to be "spoon-fed", like you said. They're ignorant monkeys, but that's how it is. So, like Tasho said, if you want to be useful then be useful, else refrain from posting such topics.

??
Syreldar (Premium), posted February 1, 2018:

Just now, .T4Ump said: ??

It's not about you, it's about the other guy who complained about the issue without having even bought the system. If I can say my opinion, you shouldn't have helped him.
TAUMP (Premium), posted February 1, 2018:

3 minutes ago, Syreldar said: It's not about you, it's about the other guy who complained about the issue without having even bought the system. If I can say my opinion, you shouldn't have helped him.

He got the system from a friend.
Syreldar (Premium), posted February 1, 2018:

Just now, .T4Ump said: He got the system from a friend.

Same, he didn't buy it, thus no respect for the developer.
TAUMP (Premium), posted February 1, 2018:

Just now, Syreldar said: Same, he didn't buy it, thus no respect for the developer.

Come skype.
xP3NG3Rx (Honorable Member), posted February 2, 2018:

15 hours ago, Baumi said: If not, you still should be able to do some stuff because, well, you have the correct function signatures and some more stuff.

No, I've tried 100 times to find a couple of functions which have never been changed, and the pattern finder doesn't give back any valuable result. This is the reason why I'm stuck. And the offset of the functions always changes after every start, so I can't tell my tool "this function is at this offset, hook it", because at the second start the function is on another offset already. Oh yeah, and I've tried the searching on the .BR binary as well, and every single try was successful. So the Leuco shell sucks.

Btw, it should be enough to modify only one byte in memory and you'll be able to unpack via Python.

    int __cdecl sub_5161660(int a1, int a2)
    {
      int v3; // ST14_4
      char v4; // [esp+Ch] [ebp-164h]
      int v5; // [esp+15Ch] [ebp-14h]
      int v6; // [esp+160h] [ebp-10h]
      int v7; // [esp+16Ch] [ebp-4h]

      if ( !PyTuple_GetString(a2, 0, &v6) )
        return Py_BuildException(0);
      if ( packExists(v6) )
      {
        sub_53DA140(&v4);
        v7 = 0;
        v5 = 0;
        if ( sub_5441430(0, (int)&v4, v6, (int)&v5) )
        {
          sub_53DA3D0(&v4);
          v3 = python27_Py_BuildValue("s#");
          v7 = -1;
          sub_53DA580(&v4);
          return v3;
        }
        v7 = -1;
        sub_53DA580(&v4);
      }
      return Py_BuildException(0);
    }

    int __cdecl sub_5161660(int a1, int a2)
    {
      int result; // eax
      int v3; // ST14_4
      char v4; // [esp+Ch] [ebp-164h]
      int v5; // [esp+15Ch] [ebp-14h]
      int v6; // [esp+160h] [ebp-10h]
      int v7; // [esp+16Ch] [ebp-4h]

      if ( !PyTuple_GetString(a2, 0, &v6) )
        return Py_BuildException(0);
      sub_53DA140(&v4);
      v7 = 0;
      v5 = 0;
      if ( sub_5441430(0, (int)&v4, v6, (int)&v5) )
      {
        sub_53DA3D0(&v4);
        v3 = python27_Py_BuildValue("s#");
        v7 = -1;
        sub_53DA580(&v4);
        result = v3;
      }
      else
      {
        v7 = -1;
        sub_53DA580(&v4);
        result = Py_BuildException(0);
      }
      return result;
    }

    metin2client.exe:051616A0 test    edx, edx
    metin2client.exe:051616A2 jnz     short loc_51616CA
    metin2client.exe:051616A4 push    0
    metin2client.exe:051616A6 call    Py_BuildException
    metin2client.exe:051616AB add     esp, 4
    metin2client.exe:051616AE jmp     loc_516176A
    metin2client.exe:051616B3 ; ---------------------------------------------------------------------------
    metin2client.exe:051616B3 mov     eax, [ebp+var_10]
    metin2client.exe:051616B6 push    eax
    metin2client.exe:051616B7 call    packExists
    metin2client.exe:051616BC add     esp, 4

FROM: 85 D2 75 0F 6A 00 E8 45 58 28 00 83 C4 04 E9 B7 00 00 00 8B 45 F0 50 E8 D4 FE FF FF 83 C4 04
TO:   85 D2 75 26 6A 00 E8 45 58 28 00 83 C4 04 E9 B7 00 00 00 8B 45 F0 50 E8 D4 FE FF FF 83 C4 04

"75 0F" is a short jump at 0x51616A2.

Sig: (85 D2 75 0F 6A 00 E8 ?? ?? ?? ?? 83 C4 04 E9 ?? ?? ?? ?? 8B 45 F0 50 E8 ?? ?? ?? ?? 83 C4 04) + 3

The 26 instead of 0F will skip the dot and the extension check if-statement. So after the patch, packGet would look like this:

    PyObject * packGet(PyObject * poSelf, PyObject * poArgs)
    {
        char * strFileName;
        if (!PyTuple_GetString(poArgs, 0, &strFileName))
            return Py_BuildException();

        CMappedFile file;
        const void * pData = NULL;
        if (CEterPackManager::Instance().Get(file, strFileName, &pData))
            return Py_BuildValue("s#", pData, file.Size());

        return Py_BuildException();
    }
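The post above boils the change down to a wildcard signature plus one displacement byte at signature offset +3. The script below is an added example (not code from the thread or from anyone in it) that turns that description into an integrity check: it scans a code buffer for the quoted pattern with the `??` positions treated as wildcards and reports whether the `jnz short` rel8 still carries the original value (0x0F, the path through the packExists check) or the altered one (0x26). Only the byte dumps quoted in the post are used; the two sample buffers are constructed from the FROM/TO lines with a few bytes of padding, and no binary is read from disk.

```python
"""Wildcard signature scan over a code buffer, classifying the jnz displacement.

Added example, not code from the forum thread. Constants come from the post:
the signature string, the "+ 3" offset of the short-jump displacement, and the
two displacement values seen in the FROM/TO dumps.
"""

# Signature as quoted in the post; "??" marks relocated call/jmp targets.
SIGNATURE = ("85 D2 75 0F 6A 00 E8 ?? ?? ?? ?? 83 C4 04 E9 ?? ?? ?? ?? "
             "8B 45 F0 50 E8 ?? ?? ?? ?? 83 C4 04")
JNZ_DISP_OFFSET = 3      # "+ 3": the rel8 byte of "jnz short" (75 xx)
ORIGINAL_DISP = 0x0F     # lands on the mov/push/call packExists sequence
PATCHED_DISP = 0x26      # lands past the check (the one-byte change)


def parse_signature(sig):
    """Turn 'AA ?? BB' into a list of ints, with None for wildcard bytes."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def find_signature(buf, pattern, ignore=()):
    """Return every offset in `buf` where `pattern` matches.

    Indices listed in `ignore` are treated as wildcards as well, so the
    displacement byte can differ and the hit is still reported."""
    hits = []
    n = len(pattern)
    for off in range(len(buf) - n + 1):
        for i, pb in enumerate(pattern):
            if pb is None or i in ignore:
                continue
            if buf[off + i] != pb:
                break
        else:
            hits.append(off)
    return hits


def check_pack_get(buf):
    """Classify each signature hit as (offset, rel8, 'original'|'patched'|'unknown')."""
    pattern = parse_signature(SIGNATURE)
    results = []
    for off in find_signature(buf, pattern, ignore={JNZ_DISP_OFFSET}):
        disp = buf[off + JNZ_DISP_OFFSET]
        if disp == ORIGINAL_DISP:
            state = "original"
        elif disp == PATCHED_DISP:
            state = "patched"
        else:
            state = "unknown"
        results.append((off, disp, state))
    return results


# Constructed sample input: the FROM and TO dumps from the post, each wrapped
# in a few unrelated prologue bytes so the signature does not sit at offset 0.
_PAD = bytes.fromhex("558BEC83EC10")
FROM_BYTES = bytes.fromhex(
    "85D2750F6A00E845582800" "83C404E9B7000000" "8B45F050E8D4FEFFFF83C404")
TO_BYTES = bytes.fromhex(
    "85D275266A00E845582800" "83C404E9B7000000" "8B45F050E8D4FEFFFF83C404")
SAMPLE_CLEAN = _PAD + FROM_BYTES + _PAD
SAMPLE_TAMPERED = _PAD + TO_BYTES + _PAD


if __name__ == "__main__":
    for name, buf in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        for off, disp, state in check_pack_get(buf):
            print(f"{name}: signature at +0x{off:X}, jnz rel8=0x{disp:02X} -> {state}")
```

Run against a real buffer, the same function would be pointed at the bytes of the code section; the point of keeping the displacement index out of the match is that both the untouched and the altered form are found, and the classification happens afterwards rather than being baked into the pattern.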
Baumi, posted February 2, 2018 (edited):

Hm, I could put some time into reversing Leuco shell (https://metin2.download/picture/r3F9504x09DVmF8K988YXgTtGTP6KMUj/.gif) or, well, maybe do some tries on getting a running binary / patching out Leuco shell. Btw, are you using the correct thread? I think they are starting a fake thread or something like that. The string encryption kinda sucks, but when I have that solved it should be pretty easy to figure out how it works. Probably it would be easier to modify the Leuco shell DLL or, if we have enough information about it, replace it with our own version. Well, the easiest method should still be doing a clear unpack of the binary. I have an almost clear unpack, even the virtualized functions, everything unpacked; it's just not executable. I got this from a friend who used the same tool to unpack as I did but had better results.

You can also use this to extract every file, with one issue: it works with "r" mode, but there are no file extension checks.

    handle = app.OpenTextFile(filename)
    count = app.GetTextFileLineCount(handle)
    for i in xrange(count):
        line = app.GetTextFileLine(handle, i)

Edited August 27, 2022 by Metin2 Dev Core X - External 2 Internal
LucaC (author), posted February 2, 2018:

Leuco Shell, among any other protection, is quite useless. The problem that gets you all is that the main module (seen as metin2client.bin) is a fake one. You need to fetch the real module's address (which is hidden from the module list; you have to either rebuild it or use an external tool that's already able to do so) and do your patching from there. (You can't use offsets, the addresses are randomized.) For example, you'll find metin2client.bin at 0xB50000 and the hidden real module at 0x3230000. There are two really easy ways to accomplish this.
Baumi, posted February 2, 2018 (edited):

1 minute ago, LucaC said: Leuco Shell, among any other protection, is quite useless. The problem that gets you all is that the main module (seen as metin2client.bin) is a fake one. You need to fetch the real module's address (which is hidden from the module list; you have to either rebuild it or use an external tool that's already able to do so) and do your patching from there.

In this function they take a snapshot of the process and probably hide the real one.

Edited August 20, 2022 by Metin2 Dev Core X - External 2 Internal
xP3NG3Rx (Honorable Member), posted February 16, 2018:

On 2018. 02. 02. at 1:36 PM, LucaC said: There are two really easy ways to accomplish this.

Oh, then I'm really stupid, because I don't know any of those ways.
apocalyptic, posted March 27, 2018:

On 01/02/2018 at 23:52, Syreldar said: It's not about you, it's about the other guy who complained about the issue without having even bought the system. If I can say my opinion, you shouldn't have helped him.

What's the problem here? I received that system from a guy, and I needed to debug it. (I did it alone as well.) If someone needs some systems, they can send me a message, and I will send it. VeGaS is the shitty coder who is not selling systems to Romanians; that's why he's receiving so much hate from Romania. Kind Regards, Andrew.