So, more and more servers are using new lameguard, and we are getting client crash + hdd ban.

What we have to do is to modify client and disable gameguard and then normally inject tower)

As a test server I took http://l2dragoneye.com/.
It has typical antibot which we can't bypass.

1. What i noticed that if I change dsetupp.dll or gameguard.des files, l2.exe is not starting.

So our main task is to change existing L2.exe to the normal one.
the l2.exe from dragoneye is not taking information from .dll and .ini files of system, but from somewhere else...


So what i did next is replaced existing l2.exe from the decrypted one from fyyre. I also replaced dsetup.dll from fyyere and deleted gameguard.des. But now when i entered id and pass I couldn't connect...

Next step was editing l2.ini.
I added there server Ip: 178.33.233.111; port:7777 and protocol 268.
started l2.exe and woalala! i entered server until the game server...
But there i got: Your protocol version is different

Now i'm stucked i need your help. any ideas how to go further?
If we enter server with such modified client, lameguard will be cracked

To see the original protocol version create a BAT file whit (L2.exe -L2ProtocolVersion}
and run it. Then replace it on your modified system... try

changing protocol to correct one will work yes but the main issue is, lameguard send info about ur client pc ip and number of clients logged in upon choosing server, those infos don't get send in normal client and thus server side will still notice you are logged in but you didn't send.

(07-02-2012 10:38 AM)Fox Wrote:  To see the original protocol version create a BAT file whit (L2.exe -L2ProtocolVersion}
and run it. Then replace it on your modified system... try

I did that...
I changed protocol in l2.ini but no result...
it doesn't gives a shit what's written there, still gives protcol version error

---

(07-02-2012 10:40 AM)amiroooo Wrote:  changing protocol to correct one will work yes but the main issue is, lameguard send info about ur client pc ip and number of clients logged in upon choosing server, those infos don't get send in normal client and thus server side will still notice you are logged in but you didn't send.

So maybe we can send those packets using wp ppc? http://x33.ru/saur/

---

What i see is that client is sending protocol version packet at the moment of server selection...
The problem is that it is different at every entrance:
0b010ed800000036ea471b8c7c77b0d67dc32e2e6ec6827bbf ad785ff6c485a10bc4ecfaea7ec2899084394bb8efe80ea03c bcf86adf539fb6183319e2892308942f63e19bae381193a117 dffdb26c7a7634650cf13a1ed6626cec97a8327816e1afa15c 867359e18fa07b62b005792265e26c0e187d5a4f5fef9c4351 d0aa9bd0847147c2b3434d10ae945493c258c64216e0f84782 8177affab5fe4bb61966afa20b8280aa6555811f6d05a5c993 d8fbfee6e77c4ef6c5d1424caa986fde1e7eeface70d83d7a9 006287784c186b32617313d2c5cae7f3950f532e97c5603311 5253bc2ed4d87c005c8e60f58efff3d5da123c6bd9d263e0eb 96666f86d2880544d3dd24c5cb4e360b22


0b010ed8000000e834479c537db70bc7a7c3f02fc2504d6b83 737881f708e7117706cc5cfc7f52becc20462dca524850c3a9 3c80213e7fcbb6d332c6ce7d025d7c51c4e01d2f0f90cc3448 1ba33ea67aec357a8c4a089f89e3336dc82880a6163fae57dc ecad594b51a0a5626e0446a33a63327cc67cbc10966ac04232 51d1ba3ee506203d16addb9ab17e664af5dbc9ffced3ec28a0 da6c3cd3cc4fca6b494b4bacedcb509bfb722918340380690b ef84a8e210a63f03b45d814dc919ad444dfa1887a2cb56467c dea4f43b60309dc14a04ff2f6cefaedc91fddc338f853284c6 604acf772a9ca1515e0e3764fcdd7d9a35b53891be89f0b99a 91cd9518b9ed915a2b30f0f8284ee80bfc

Maybe we an attach script smthn like this ?
I'm very bad at programming


const
ProcolVersionPacket=Hstr('??????');

BEGIN
if (_gBuff[3]=#$0E) and (not(_gFromServ))
_gOutBuff:=ProcolVersionPacket;
END.

p.s.

Login packets are encrypted by lameguard, thats main problem...

Lameguard and other antibots modifity login packet or other specyfic packets (enterworld [usually only auth server packets]), usually by hooking some functions, you can use HookShark tool to detect some of them. If server dont get specyfic packet, it wont let you in. These packets are encrypted by anti-bots in 99% of cases. And thats makes every antibot specyfic...

There is more, antibots got own threads or they injected/hooked into other threads, thats are scan procedures, they scan all functions, memory, dll's, open processes and windows if they detect a hack they can send some message to server and terminate/(usually close socket/process) game.

To crack anti-bot you need to find that scan procedure, and it's not easy to find...

so it's hopeless =/

Sorry for my BAD English

If I helped +1 ME

There's a guy who's selling lameguard bypass.
Try pming him.