Since patch 3.1.2, sometimes when loading a different zone, it will cause the game to hang until it crashes. If unhooked during the long loading screen, the game will work again.
-
Post Thanks / Like - 1 Thanks
fudenciolino (1 members gave Thanks to everknown for this useful post)
-
Originally Posted by
everknown
Since patch 3.1.2, sometimes when loading a different zone, it will cause the game to hang until it crashes. If unhooked during the long loading screen, the game will work again.
I can't reproduce this issue - anything more specific you can share? Certain zones in particular, certain packet logging modes, etc?
-
Post Thanks / Like - 1 Thanks
fudenciolino (1 members gave Thanks to maper for this useful post)
-
Last night it was during map run T6-11.
Today after I saw your message, I went to try Merciless lab with it and it worked fine so far.
Will try to do some maps and see if i get same issue again.
---Edit---
I've done quite a few maps, haven't been able to reproduce the long loading screen that leads to crash either this time.
Last edited by everknown; 01-20-2018 at 06:07 PM.
-
Post Thanks / Like - 1 Thanks
maper (1 members gave Thanks to everknown for this useful post)
-
-
Post Thanks / Like - 1 Thanks
fudenciolino (1 members gave Thanks to Sart for this useful post)
-
@maper did you try reversing the encryption mechanism? It seems to be Salsa20. I tested a bit around and the key and IV seem to be set by the first login packet. I didn't get far though. They seem to be using Montgomery multiplication and a lot of byte shuffling. Things I have so far:
Code:
byte[] pshufb = { 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08 };
byte[] staticKey = { 0x08, 0xC9, 0xBC, 0xF3, 0x67, 0xE6, 0x09, 0x6A, 0x3B, 0xA7, 0xCA, 0x84, 0x85, 0xAE, 0x67, 0xBB,
    0x2B, 0xF8, 0x94, 0xFE, 0x72, 0xF3, 0x6E, 0x3C, 0xF1, 0x36, 0x1D, 0x5F, 0x3A, 0xF5, 0x4F, 0xA5, 0xD1, 0x82, 0xE6, 0xAD, 0x7F, 0x52, 0x0E, 0x51, 0x1F, 0x6C, 0x3E, 0x2B, 0x8C, 0x68, 0x05, 0x9B,
    0x6B, 0xBD, 0x41, 0xFB, 0xAB, 0xD9, 0x83, 0x1F, 0x79, 0x21, 0x7E, 0x13, 0x19, 0xCD, 0xE0, 0x5B };
Those are statics in the binary. pshufb seems to get used for all byte shuffles they do. The key creation starts after the first send&recv.
Edit: seems like they are using the crypto++ library
Last edited by Nexusphobiker; 01-21-2018 at 04:49 PM.
-
Post Thanks / Like - 1 Thanks
fudenciolino (1 members gave Thanks to Nexusphobiker for this useful post)
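An added example, not code from the thread, from Path of Exile or from Crypto++: the two constants Nexusphobiker posted (the 16-byte pshufb mask and the 64-byte array) are copied verbatim; every function name and the check itself are my own. Applying the mask the way the x86 PSHUFB instruction does reverses each 8-byte lane, and the 64 bytes then read 6a09e667f3bcc908, bb67ae8584caa73b, ... 5be0cd19137e2179, which are the eight SHA-512 initial hash values from FIPS 180-4 (the first 64 fractional bits of the square roots of the first eight primes). The script derives those values from that definition instead of hardcoding a table, so the match is independent of any signature database. This is the static-constant fingerprinting that FindCrypt-style tools perform, and it is how an analyst tells which primitive a binary carries (here a hash, not a stream cipher) before spending time on the code around it.

```python
# Added example (not from the thread). Fingerprints a crypto primitive from
# static constants by modelling the PSHUFB byte shuffle and comparing against
# the SHA-512 initial state derived from its FIPS 180-4 definition.
from __future__ import annotations

from math import isqrt
from typing import List, Optional

# Constants exactly as posted in the thread, written as hex strings.
PSHUFB_MASK = bytes.fromhex("07060504030201000F0E0D0C0B0A0908")
STATIC_KEY = bytes.fromhex(
    "08C9BCF367E6096A3BA7CA8485AE67BB2BF894FE72F36E3CF1361D5F3AF54FA5"
    "D182E6AD7F520E511F6C3E2B8C68059B6BBD41FBABD9831F79217E1319CDE05B"
)

U64 = 0xFFFFFFFFFFFFFFFF


def pshufb(mask: bytes, data: bytes) -> bytes:
    """Software model of x86 PSHUFB applied to every 16-byte lane of data.

    Output byte i of a lane is 0 when bit 7 of mask[i] is set, otherwise it is
    lane[mask[i] & 0x0F]. The posted mask {07..00, 0F..08} therefore reverses
    each 8-byte half, i.e. a 64-bit byte swap (BSWAP on two qwords at once).
    """
    if len(mask) != 16 or len(data) % 16:
        raise ValueError("mask must be 16 bytes and data a multiple of 16 bytes")
    out = bytearray()
    for lane in range(0, len(data), 16):
        block = data[lane:lane + 16]
        out += bytes(0 if m & 0x80 else block[m & 0x0F] for m in mask)
    return bytes(out)


def sha512_initial_state() -> List[int]:
    """H(0) of SHA-512: first 64 fractional bits of sqrt(p), p = 2,3,5,...,19.

    Computed with exact integer arithmetic: isqrt(p << 128) == floor(sqrt(p) * 2**64),
    and masking to 64 bits drops the integer part, leaving the fraction.
    """
    primes = [2, 3, 5, 7, 11, 13, 17, 19]
    return [isqrt(p << 128) & U64 for p in primes]


def words_be(data: bytes) -> List[int]:
    """Split a byte string into big-endian 64-bit words."""
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def identify_constant(blob: bytes, mask: bytes = PSHUFB_MASK) -> Optional[str]:
    """Describe the primitive a 64-byte constant belongs to, or return None.

    Two layouts are tried: the words as stored, and the words after the posted
    pshufb mask has been applied (the layout a little-endian load followed by a
    byte-swap would produce, which is what a big-endian hash core needs).
    """
    if len(blob) != 64:
        return None
    expected = sha512_initial_state()
    if words_be(blob) == expected:
        return "SHA-512 initial hash values (big-endian words)"
    if words_be(pshufb(mask, blob)) == expected:
        return "SHA-512 initial hash values stored little-endian; pshufb mask is the 64-bit byte swap"
    return None


if __name__ == "__main__":
    print(identify_constant(STATIC_KEY))
```

The same comparison extends to any primitive with published constants (SHA-256 uses the first 32 fractional bits of the same square roots; Salsa20 carries the ASCII "expand 32-byte k" sigma), so the structure above, constants derived from their definition plus a model of the shuffle the binary applies, is reusable beyond this one case.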
-
Originally Posted by
Nexusphobiker
@maper did you try reversing the encryption mechanism? It seems to be Salsa20. I tested a bit around and the key and IV seem to be set by the first login packet. I didn't get far though. They seem to be using Montgomery multiplication and a lot of byte shuffling. Things I have so far:
Code:
byte[] pshufb = { 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08 };
byte[] staticKey = { 0x08, 0xC9, 0xBC, 0xF3, 0x67, 0xE6, 0x09, 0x6A, 0x3B, 0xA7, 0xCA, 0x84, 0x85, 0xAE, 0x67, 0xBB,
    0x2B, 0xF8, 0x94, 0xFE, 0x72, 0xF3, 0x6E, 0x3C, 0xF1, 0x36, 0x1D, 0x5F, 0x3A, 0xF5, 0x4F, 0xA5, 0xD1, 0x82, 0xE6, 0xAD, 0x7F, 0x52, 0x0E, 0x51, 0x1F, 0x6C, 0x3E, 0x2B, 0x8C, 0x68, 0x05, 0x9B,
    0x6B, 0xBD, 0x41, 0xFB, 0xAB, 0xD9, 0x83, 0x1F, 0x79, 0x21, 0x7E, 0x13, 0x19, 0xCD, 0xE0, 0x5B };
Those are statics in the binary. pshufb seems to get used for all byte shuffles they do. The key creation starts after the first send&recv.
Edit: seems like they are using the crypto++ library
Nah I haven't bothered to reverse the encryption. Not much motivation since I can hook before and after. Good work, though, looking into it!
-
Post Thanks / Like - 1 Thanks
fudenciolino (1 members gave Thanks to maper for this useful post)
-
Actually, there is Salsa20 encryption - at least according to a previous protocol reverse engineering attempt. But, as far as I understood, the first login packet is encrypted by a randomly generated private key, stored in game client memory, and then probably the public key is sent to the server, so every following packet can be encrypted.
If you analyse the first login packet, you have the same 4 bytes at the beginning (\x00\x02\x00\x80) and 2 zeros on the end. With first packet length = 134, the rest is 128 bytes - so this probably confirms that it is a public key of some sort (RSA?).
If you want to know something more, please look at Blizzhackers • View topic - Path of Exile Protocol. But it is from the 1.0 version I think, so there might be a complete overhaul of the protocol. But the OPN files are definitely worth looking at (GitHub - Zoxc/PoE-OPN: OPN files for the Path of Exile network protocol).
I'm also trying to figure out and reverse engineer protocol, but my goal is strictly different. I want to make something similar to famous Diablo II RedVex, that is man-in-the-middle proxy for PoE with plugins support. Will keep you informed if I find something interesting.
-
Post Thanks / Like - 2 Thanks
-
Originally Posted by
m4ttrick
Actually, there is Salsa20 encryption - at least according to a previous protocol reverse engineering attempt. But, as far as I understood, the first login packet is encrypted by a randomly generated private key, stored in game client memory, and then probably the public key is sent to the server, so every following packet can be encrypted.
If you analyse the first login packet, you have the same 4 bytes at the beginning (\x00\x02\x00\x80) and 2 zeros on the end. With first packet length = 134, the rest is 128 bytes - so this probably confirms that it is a public key of some sort (RSA?).
If you want to know something more, please look at Blizzhackers • View topic - Path of Exile Protocol. But it is from the 1.0 version I think, so there might be a complete overhaul of the protocol. But the OPN files are definitely worth looking at (GitHub - Zoxc/PoE-OPN: OPN files for the Path of Exile network protocol).
I'm also trying to figure out and reverse engineer protocol, but my goal is strictly different. I want to make something similar to famous Diablo II RedVex, that is man-in-the-middle proxy for PoE with plugins support. Will keep you informed if I find something interesting.
That is actually beautiful. I didn't have too much time to look into it this week, but this makes me want to look at it again. Thanks
-
Post Thanks / Like - 1 Thanks
fudenciolino (1 members gave Thanks to Nexusphobiker for this useful post)
-
Interesting. I've been digging into the binary and I can confirm. As of yesterday it's still sending the initial \x00\x02\x00\x80; this packet is encrypted differently from the following data. I'm also trying to replicate the client, and have been trying to decompile how it decrypts the packet; it doesn't seem impossible just to replicate the logic. That said, this is probably the hardest approach I guess, but it's the only one I know of right now.
Can confirm they're using Crypto++.
-
Post Thanks / Like - 1 Thanks
Nexusphobiker (1 members gave Thanks to ttony113 for this useful post)
-
64-bit client only.
damn feels haha
-
Would it be possible for the map to be revealed outside of PoE? Wouldn't it be safer to have it revealed in another window? Not messing with the game files at all.
-
Originally Posted by
fudenciolino
Would it be possible for the map to be revealed outside of PoE? Wouldn't it be safer to have it revealed in another window? Not messing with the game files at all.
It is possible. Whether or not it would be safer depends entirely on the implementation.
Not sure it would be worth the effort, though.
-
There was an update today; is this cheat still undetected?
-
Possible to show monsters on the map?