exmap: Maphack, Packet Logger, etc.

**poebota5** · 01-19-2018

any one banned ? )

**everknown** · 01-19-2018

Since patch 3.1.2, sometimes when loading different zone, it will cause game to hang until it crashes. It unhooked during long loading screen, the game will work again.

**maper** · 01-19-2018

Originally Posted by everknown

Since patch 3.1.2, sometimes when loading different zone, it will cause game to hang until it crashes. It unhooked during long loading screen, the game will work again.

I can't reproduce this issue - anything more specific you can share? Certain zones in particular, certain packet logging modes, etc?

**everknown** · 01-20-2018

Last night it was during map run T6-11.
Today after i saw your message, i went to try Merciless lab with it and it worked fine so far.
Will try to do some maps and see if i get same issue again.

---Edit---
I've done quite a few maps, haven't been able to reproduce the long loading screen that leads to crash either this time.

**Sart** · 01-20-2018

Thank you good work

**Nexusphobiker** · 01-21-2018

@maper did you try reversing the encryption mechanism? It seems to be Salsa20. I tested a bit a round and the key and iv seems to be set by the first login packet. I didnt get far though. They seem to be using montgomery multiplication and a lot of byte byte shuffling. Things i have so far:

Code:

byte[] pshufb = {07 06 05 04 03 02 01 00 0F 0E 0D 0C 0B 0A 09 08}
byte[] staticKey = {08 C9 BC F3 67 E6 09 6A 3B A7 CA 84 85 AE 67 BB 2B F8 94 FE 72 F3 6E 3C F1 36 1D 5F 3A F5 4F A5 D1 82 E6 AD 7F 52 0E 51 1F 6C 3E 2B 8C 68 05 9B 6B BD 41 FB AB D9 83 1F 79 21 7E 13 19 CD E0 5B}

Those are statics in the binary. pshufb seems to get used for all byte shuffles they do. The key creation starts after the first send&recv.

Edit: seems like they are using the crypto++ library

**maper** · 01-23-2018

Originally Posted by Nexusphobiker

@maper did you try reversing the encryption mechanism? It seems to be Salsa20. I tested a bit a round and the key and iv seems to be set by the first login packet. I didnt get far though. They seem to be using montgomery multiplication and a lot of byte byte shuffling. Things i have so far:

Code:

byte[] pshufb = {07 06 05 04 03 02 01 00 0F 0E 0D 0C 0B 0A 09 08}
byte[] staticKey = {08 C9 BC F3 67 E6 09 6A 3B A7 CA 84 85 AE 67 BB 2B F8 94 FE 72 F3 6E 3C F1 36 1D 5F 3A F5 4F A5 D1 82 E6 AD 7F 52 0E 51 1F 6C 3E 2B 8C 68 05 9B 6B BD 41 FB AB D9 83 1F 79 21 7E 13 19 CD E0 5B}

Those are statics in the binary. pshufb seems to get used for all byte shuffles they do. The key creation starts after the first send&recv.

Edit: seems like they are using the crypto++ library

Nah I haven't bothered to reverse the encryption. Not much motivation since I can hook before and after. Good work, though, looking into it!

**m4ttrick** · 01-29-2018

Actually, there is Salsa20 encryption - at least according to previous protocol reverse engineering attempt. But, as far as I understood, first login packet is encrypted by randomly generated private key, stored in game client memory, and then probably public key is sent to server, so every following packet can be encrypted.

If you analyse first login packet, you have the same 4 bytes at the beginning (\x00\x02\x00\x80) and 2 zeros on the end. With first packet length = 134, the rest is 128 bytes - so this probably confirms, that it is public key of some sort (RSA?).

If you want to know something more, please look at Blizzhackers • View topic - Path of Exile Protocol. But it is from 1.0 version I think, so there might be a complete overhaul of protocol. But OPN files are definetely worth looking at (GitHub - Zoxc/PoE-OPN: OPN files for the Path of Exile network protocol).

I'm also trying to figure out and reverse engineer protocol, but my goal is strictly different. I want to make something similar to famous Diablo II RedVex, that is man-in-the-middle proxy for PoE with plugins support. Will keep you informed if I find something interesting.

**Nexusphobiker** · 01-29-2018

Originally Posted by m4ttrick

Actually, there is Salsa20 encryption - at least according to previous protocol reverse engineering attempt. But, as far as I understood, first login packet is encrypted by randomly generated private key, stored in game client memory, and then probably public key is sent to server, so every following packet can be encrypted.

If you analyse first login packet, you have the same 4 bytes at the beginning (\x00\x02\x00\x80) and 2 zeros on the end. With first packet length = 134, the rest is 128 bytes - so this probably confirms, that it is public key of some sort (RSA?).

If you want to know something more, please look at Blizzhackers • View topic - Path of Exile Protocol. But it is from 1.0 version I think, so there might be a complete overhaul of protocol. But OPN files are definetely worth looking at (GitHub - Zoxc/PoE-OPN: OPN files for the Path of Exile network protocol).

I'm also trying to figure out and reverse engineer protocol, but my goal is strictly different. I want to make something similar to famous Diablo II RedVex, that is man-in-the-middle proxy for PoE with plugins support. Will keep you informed if I find something interesting.

That is actually beautiful. I didnt had too much time looking into it this week but this makes me want to look at it again. Thanks

**ttony113** · 01-31-2018

Interesting. I've been digging into the binary and i can confirm. As last of yesterday its still sending the initial \x00\x02\x00\x80, this packet is encrypted differently than the following data. I'm also trying to replicate the client, been trying to decompile how it decrypts the packet, it doesnt seem impossible just to replicate the logic. That said, this is probably the hardest approach i guess, but its the only one i know of right now.
Can confirm theyre using Crypto++.

**links1** · 01-31-2018

64-bit client only.

damn feels haha

**fudenciolino** · 02-05-2018

Would it be possible for the map to be revealed outside of PoE? Wouldn't it be safer to have it revealed in another window? Not messing with the game files at all.

**maper** · 02-06-2018

Originally Posted by fudenciolino

Would it be possible for the map to be revealed outside of PoE? Wouldn't it be safer to have it revealed in another window? Not messing with the game files at all.

It is possible. Whether or not it would be safer depends entirely on the implementation.

Not sure it would be worth the effort, though.

**kutomi1234** · 02-07-2018

Today was an update, this cheat still undetected?

**DiMATRON** · 02-08-2018

possible to show monsters on map ?

Shout-Out

User Tag List

Thread: exmap: Maphack, Packet Logger, etc.

Thread Tools

Search Thread

Similar Threads

[HACK] Undetected Warcraft 3 yHack (maphack, zoom hack etc..)

SwTor Server Packet logger 1.4 beta

WoWProxy[UD Packet Logger]

WoWProxy[UD Packet Logger]

fake programs loggers etc notice

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino