Hercules WPE Free - June 14th Patch

For anyone who requires it, the 3 keys are hardcoded into each client; you can search for the keys in a hex editor and modify them to something unique.

For those with IDA / OllyDBG, the keys are pushed just before the PACKET_CZ_ENTER reference (not the actual string).

Code:
.text:007962A7 0F 84 77 FC FF FF    jz      loc_795F24
.text:007962AD 8B 0D 04 0F 98 00    mov     ecx, dword_980F04
.text:007962B3 68 05 22 05 22       push    22052205h   // key 3
.text:007962B8 68 05 22 05 22       push    22052205h   // key 2
.text:007962BD 68 05 22 05 76       push    76052205h   // key 1
.text:007962C2 E8 A9 64 E3 FF       call    sub_5CC770
.text:007962C7 68 6C 30 89 00       push    offset aPacket_cz_ente ; "PACKET_CZ_ENTER"
.text:007962CC E8 6F 19 C7 FF       call    nullsub_1
.text:007962D1 B9 2D 02 00 00       mov     ecx, 22Dh
.text:007962D6 83 C4 04             add     esp, 4
.text:007962D9 66 89 4C 24 48       mov     word ptr [esp+3ECh+cp+2], cx
how about this?

Code:
___:0084CE64 6A 04                                   push    4               ; cbData
___:0084CE66 8D 85 DC FB FF FF                       lea     eax, [ebp+Data]
___:0084CE6C 50                                      push    eax             ; lpData
___:0084CE6D 6A 04                                   push    4               ; dwType
___:0084CE6F 53                                      push    ebx             ; Reserved
___:0084CE70 68 C8 FD 96 00                          push    offset aCash_category ; "CASH_CATEGORY"
___:0084CE75 51                                      push    ecx             ; hKey
___:0084CE76 FF 15 14 20 96 00                       call    RegSetValueExA
___:0084CE7C 8B 95 70 FC FF FF                       mov     edx, [ebp+hKey+2]
___:0084CE82 52                                      push    edx             ; hKey
___:0084CE83 FF 15 0C 20 96 00                       call    RegCloseKey
___:0084CE89
___:0084CE89                         loc_84CE89:                             ; CODE XREF: sub_84B8E0+157Cj
___:0084CE89 68 E8 2C 9A 00                          push    offset aPacket_cz_ente ; "PACKET_CZ_ENTER"
 
Just an update: the structure is a bit different in the new clients. The 3 key pushes come up a lot of instructions before

push PACKET_CZ_ENTER.

so just scroll up a bit once you find

68 6C 30 89 00 (push offset aPacket_cz_ente)
then read more of this


 
@Yommy

Thank you Yommy

Sorry, my bad

Yommy, do you know how to add new packets and encryption keys to the Hercules server?

Sorry, my English is really really bad
 

 
I'm trying to use OllyDbg but it seems that Olly does not load all the hex.

This error appears:

(screenshot: bhp.png)

After pressing Shift+F7, "unable to process exception" appears.

I'm using Hex 2013/08/07 and want to make my own keys.

 



I believe these are the packet keys for 2013-08-07 => 3D807D80, 5E805580, 7E241DE0

You can look for "68807D803D688055805E68E01D247E" in OllyDbg to find them.

Remember to put the client in your RO folder and open it in OllyDbg from there only; Olly needs admin rights.
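The search string above is nothing more than three consecutive `push imm32` instructions: opcode 68 followed by each key as a little-endian dword. As an added example (not code from this thread, from Yommy, or from the Hercules project), the Python below builds that byte signature from a key triple and scans a buffer for three back-to-back pushes, which is what a server admin does to confirm the keys compiled into the server match the client. The function names and the sample buffer are my own; the sample is constructed, not a real client.

```python
import re
import struct

# Keys posted in the thread for the 2013-08-07 client (in the order of the search string).
KEYS_2013_08_07 = (0x3D807D80, 0x5E805580, 0x7E241DE0)

PUSH_IMM32 = b"\x68"  # x86 opcode for `push imm32`; the immediate follows little-endian


def keys_to_signature(keys):
    """Upper-case hex of three consecutive `push imm32` instructions.

    Each key becomes opcode 0x68 plus the key packed as a little-endian dword, which is
    exactly what the hex search string quoted in the thread consists of.
    """
    return b"".join(PUSH_IMM32 + struct.pack("<I", k) for k in keys).hex().upper()


# Three back-to-back `push imm32`; DOTALL so the immediates may contain 0x0A bytes.
_TRIPLE_PUSH = re.compile(rb"\x68(.{4})\x68(.{4})\x68(.{4})", re.DOTALL)


def find_push_triples(code):
    """Scan a byte buffer and return [(offset, (k1, k2, k3)), ...] for every triple found.

    A hit only narrows down where to look; it still has to be confirmed in a
    disassembler, e.g. by the nearby PACKET_CZ_ENTER reference the thread anchors on.
    """
    hits = []
    for m in _TRIPLE_PUSH.finditer(code):
        keys = tuple(struct.unpack("<I", g)[0] for g in m.groups())
        hits.append((m.start(), keys))
    return hits


# Constructed sample buffer (not a real client): filler, the three pushes, then a call.
SAMPLE_CODE = (
    b"\x90" * 8
    + bytes.fromhex(keys_to_signature(KEYS_2013_08_07))
    + b"\xe8\x00\x00\x00\x00"
)

if __name__ == "__main__":
    print(keys_to_signature(KEYS_2013_08_07))
    for offset, keys in find_push_triples(SAMPLE_CODE):
        print(f"offset {offset:#x}: " + ", ".join(f"{k:08X}" for k in keys))
```

Run it against a client executable by reading the file into `find_push_triples`; expect a few false positives from unrelated code that happens to push three constants in a row, which is why the disassembly context around the hit matters.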

 
Yes, but these packet keys do not work, I can still spam with WPE & other tools.

 
This is because:
Yes, the 2012-04 clients (and possibly a few others) have their keys chosen in such a way that makes the client effectively always use the same encryption key for each sent packet (thus allowing you to replay a packet as much as you want in WPE.)

You can either use a newer client, or edit the keys yourself in both client (you'll have to hex-edit it) and server (edit the appropriate packetKeys line for your PACKETVER in src/map/packets.h and recompile.)
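"Effectively always the same key" can be checked numerically before a key triple is hex-edited into a client and compiled into the server. As an added example (not code from this thread or from Hercules), the script below models the key schedule the way I recall Hercules' clif.c implementing it; that schedule is my assumption, not something the thread states: the session key starts at key1*key2 + key3 (mod 2^32), advances to cur*key2 + key3 after every packet, and the packet ID is XORed with (cur >> 16) & 0x7FFF. If the 32-bit state ever stops changing, every later packet is masked identically and a captured packet stays valid, which is the replay the post above describes. The function names and the constructed weak triple are mine. Under this assumed schedule, the thread's 2013-08-07 triple settles on a fixed state after three packets, because key2 and key3 are multiples of large powers of two and an even multiplier drives the recurrence to a constant; whether the real client behaves the same depends on the assumption holding. An odd key2 avoids that collapse.

```python
MASK32 = 0xFFFFFFFF

# Keys posted in the thread for the 2013-08-07 client.
KEYS_2013_08_07 = (0x3D807D80, 0x5E805580, 0x7E241DE0)
# Constructed degenerate triple: key2 = 1 and key3 = 0 never change the session key.
WEAK_KEYS = (0x12345678, 0x00000001, 0x00000000)


def initial_key(keys):
    """Session key at login: key1 * key2 + key3 mod 2^32 (assumed schedule)."""
    k1, k2, k3 = keys
    return (k1 * k2 + k3) & MASK32


def next_key(cur, keys):
    """Session key after one more packet: cur * key2 + key3 mod 2^32 (assumed schedule)."""
    _, k2, k3 = keys
    return (cur * k2 + k3) & MASK32


def packet_mask(cur):
    """Value XORed into the 16-bit packet ID (assumed: bits 16..30 of the session key)."""
    return (cur >> 16) & 0x7FFF


def mask_sequence(keys, count):
    """Masks applied to the first `count` packets of a session."""
    cur = initial_key(keys)
    masks = []
    for _ in range(count):
        masks.append(packet_mask(cur))
        cur = next_key(cur, keys)
    return masks


def state_cycle(keys, limit=1 << 17):
    """(transient, period) of the 32-bit session-key sequence, or None if it does not
    repeat within `limit` steps.

    period == 1 means the key stops changing after `transient` packets; from then on
    every packet carries the same mask and a captured packet can simply be resent.
    """
    seen = {}
    cur = initial_key(keys)
    for i in range(limit):
        if cur in seen:
            return seen[cur], i - seen[cur]
        seen[cur] = i
        cur = next_key(cur, keys)
    return None


def replay_friendly(keys, limit=1 << 17):
    """True if the key sequence collapses to a fixed value within `limit` packets."""
    cycle = state_cycle(keys, limit)
    return cycle is not None and cycle[1] == 1


if __name__ == "__main__":
    for name, keys in (("2013-08-07", KEYS_2013_08_07), ("constructed weak", WEAK_KEYS)):
        masks = [f"{m:04X}" for m in mask_sequence(keys, 6)]
        print(name, masks, "cycle:", state_cycle(keys))
```

`replay_friendly` is the check to run on a custom triple before putting it in the client and in the packetKeys line for your PACKETVER: a triple whose state cycle has period 1 gives WPE-style tools a fixed mask to replay against, regardless of how random the three numbers look.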
 
 
I think we need to restructure the information somehow, because it is very hard to find the needed information.

 
Thanks a lot Yommy for this wonderful feature.

Does this feature work against bots also?

 
There is one thing I want to clarify: should I edit these packet keys = 3D807D80, 5E805580, 7E241DE0 in order to block WPE?

Thanks!

 
I just want to ask what Client is the best and Working with this system.

 