Hello UGBASE,
I am releasing my solution for the new server-side protection against 0.3.7 R5 client-version spoofing.
I was debugging both clients (R1 and R5) and found that on R5 an extra 32 bits are sent in the ClientJoin RPC. If you get past that first part, the server then performs a client-side check via RPC_ClientCheck, which you obviously need to answer as well.
My solution code snippets:
First part — while sending ClientJoin:
C++:
// Builds the RPC_ClientJoin payload. Field order must match what the server
// parses; the snippet elides ('...') whatever precedes iVersion.
BitStream bsSend;
...
bsSend.Write(iVersion);
bsSend.Write(byteMod);
// Length prefix is a single byte, so the nickname is assumed to be < 256 chars.
bsSend.Write(static_cast<BYTE>(m_NickName.length()));
bsSend.Write(m_NickName.c_str(), m_NickName.length());
bsSend.Write(uiClientChallengeResponse);
bsSend.Write(byteSerialLen);
bsSend.Write(szSerial, byteSerialLen);
bsSend.Write(byteClientVerLen);
bsSend.Write(szClientVersion, byteClientVerLen);
// FIX R5: the R5 client sends extra data after the version string (the post
// above measures it as 32 bits), which the R1 client does not.
// NOTE(review): in RakNet-style BitStream APIs the second argument of
// WriteBits() is a *bit* count, so sizeof(bits) == 32 here transmits only the
// first four bytes (0x6c 0xb0 0xa2 0x70). The remaining 28 bytes are never
// sent; they decode to an ASCII path fragment ("od\media\te_logo.png") and
// look like trailing memory captured alongside the real value -- confirm
// against the R5 client before relying on any of them. Because the value is
// hard-coded, any server-side change to what R5 sends here breaks the spoof.
{
unsigned char bits[] = { 0x6c, 0xb0, 0xa2, 0x70, 0x6f, 0x64, 0x5c, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x5c, 0x74, 0x65, 0x5f, 0x6c, 0x6f, 0x67, 0x6f, 0x2e, 0x70, 0x6e, 0x67, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0 };
bsSend.WriteBits(bits, sizeof(bits));
}
SendRPC(RPC_ClientJoin, bsSend, ...);
Second part — after you are connected (this requires an incomingRPC hook):
C++:
// Inbound-RPC hook. Intercepts the R5 client-integrity challenge
// (RPC_ClientCheck) and answers it with canned values so the server accepts
// the spoofed client; every other RPC falls through to the elided handling.
// Defender's note: only two fixed addresses are answered, each with the same
// fixed reply, so a server that varied the challenge per session would not be
// satisfied by this table.
// Returns false when the RPC was consumed here; the hook's full contract
// (and what `callback` is for) is not shown in the snippet.
bool incomingRPC(unsigned char id, RPCParameters* rpcParams, void (*callback)(RPCParameters*))
{
// bsData is presumably built from rpcParams in the elided part -- not shown.
...
if (id == RPC_ClientCheck)
{
// Challenge layout as parsed here: 1-byte type, 4-byte address, then two
// 16-bit fields the original names offset/count.
uint8_t type;
uint32_t addr;
uint16_t offset;
uint16_t count;
// NOTE(review): the Read() return values are ignored (RakNet-style
// BitStreams return bool), so a short or malformed packet leaves these
// locals uninitialized before they are compared below.
bsData.Read(type);
bsData.Read(addr);
bsData.Read(offset);
bsData.Read(count);
if (type == 0x5)
{
// Only these two challenge addresses are handled; a challenge for any other
// address -- or a server-side change of these -- falls through unanswered.
// The request's offset/count are read but never used.
if (addr == 0x520190 || addr == 0x5e8606)
{
BitStream bs;
bs.Write((uint8_t)0x5);
bs.Write((uint32_t)addr);
// Fixed reply values in the offset/count positions, identical for both
// addresses -- presumably what the server expects from an unmodified R5
// client; verify against a real R5 capture.
bs.Write((uint16_t)0xef38);
bs.Write((uint16_t)0xc459);
LocalClient->RPC(RPC_ClientCheck, &bs, HIGH_PRIORITY, RELIABLE, 0, false);
// Consumed here; presumably prevents the game's own handler from also
// replying -- depends on the hook contract, which is not shown.
return false;
}
}
}
...
}
That's it; all credits go to me.
#TeamExpl01T
Preview: