[Script] Launch aoc without requiring the patcher to run first

[raindog]

It's actually really quite simple.

Code:

    if ( !IsDebuggerPresent() )     {       v51 = 15;       v52 = 0;       LOBYTE(v53) = 0;       sub_421910((int)&v54, "HttpPatchFolder", 15u);       v21 = sub_5427E0();       v56 = *(_DWORD *)(sub_543D80(&v55, &v54, v21) + 20) != 0;       if ( v57 >= 16 )         sub_42A1F0();       v57 = 15;       v58 = 0;       LOBYTE(v59) = 0;       if ( v51 >= 16 )         sub_42A1F0();       if ( v56 )       {         v56 = sub_5B1670();         v11 = sub_5B1A90();         v60 = v11;         if ( (!v56 || !v11) && (sub_F1AEA0("bValidClientHash && bValidPatcherKey", ".\Main.cpp", 238, 1), !v60) || !v56 )         {           ShellExecuteA(0, "open", "ConanPatcher.exe", &Parameters, 0, 1);           ExitProcess(0);         }       }     }

Which basically says "Skip hash check if we are being debugged." The more complete approach however is this: 1. Get current 64-bit system time: __time64_t cur_time = _time64(0); 2. use TEA (hxxp://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm) to encrypt with your key = {0x5BCE568E, 0x0FB2E8CBC, 0x0A324E6D8, 0x0F22BF865} and delta = 0x61C886470 3. Convert value from step 2 to a hex string. 4. Use process explorer to get the value of -clienthash 5. Start the process: exec AgeOfConan.exe -clienthash -key For anyone who found this as annoying as I did, you're welcome.

[Yemmiz]

It's actually really quite simple.

Riiight...

Nice stuff, but I'm not a much into hex and stuff so I won't even try it :P would be neat to have that future build into that other program from that other thread on the forum

[alhaz]

Looks interesting but i dont understand.

Is it possible to do a simple js or vbs to use this?

[Sychotix]

yeah i looked into trying to do this by jumping a few checks... It didnt turn out to well. I was able to make it start to launch... but then it would go WTF!!!!!! and take up 100% of my CPU. Jumping a few checks would be alot easier than doing all that math and stuff =D.

Wish they would have just done a check for username/password like Wolfteam did... I used to be able to do "yada/yada/yada/Wolfteam/Wolfteam.exe" username password and login just like that. /cough password was not needed so you could do "softnyx" or "gm" /cough. Too bad they fixed it though and you needed to convert your password to hex.

[Padwen]

wait, does this bypass the game from updating?

If so, we could go back to like, the opening live version (while others are on current version) and use the exploits they patched.

[Sychotix]

highly doubt it. THe server would probably cut the connection cuz it would be like "WTF WRONG GAME DUDE!"

[foojoo]

by the time you figure this out, the game would be done patching, and you can play :P

[raindog]

I might release a simple exe that will do this for you, I'm really surprised that people find this so tough...

[Yemmiz]

I might release a simple exe that will do this for you, I'm really surprised that people find this so tough...

That would be great !

[hydraulix]

yeah, that would be slick. any help would be appreciated greatly!

[Gele]

I might release a simple exe that will do this for you, I'm really surprised that people find this so tough...

Yeah, that will be awesome.

[solariz]

Hi raindog,

I read your note about the Age of conan launch which is protected by the client hash (md5) and a key. I'm currently trying to figure out how to generate this key. I`m not a C++ programmer I`m used to use C# which is kindly different. I successfully get a TEA encryption running in my code but I can't figure out some important things:

1) the windows64 Time what exactly should this string look like ? In c# you only have other ways to generate this or use ext. libs

2) you specified 3 keys for TEA + the delta. The original TEA implementation use only a string as key phrase do you have any tip for me how to get this working ?

My Current function returns a string and accept a string as key:
public string TEAEncrypt(string Data, string Key)

Code:

        public void code(uint[] v, uint[] k)
        {
            uint y = v[0];
            uint z = v[1];
            uint sum = 0;
            uint delta = 0x9e3779b9;
            uint n = 32;

            while (n-- > 0)
            {
                sum += delta;
                y += (z << 4) + k[0] ^ z + sum ^ (z >> 5) + k[1];
                z += (y << 4) + k[2] ^ y + sum ^ (y >> 5) + k[3];
            }

            v[0] = y;
            v[1] = z;
        }

thanks alot.

[ct_bored]

You can bypass the patcher by just changing one JL command in AoC to a JMP, or whatever else you want, really. Bit simpler than recreating encryption. You'll need some clienthash value, though I don't know how valid it has to be. I'm sure missing major patches would cause problems, but I can use the exact same clienthash and dummy (invalid) key values for days in a row with no problems.

Basically I just patch on patch days and grab the clienthash from the patcher, and then startup without it until the next official patch day. All the little in-between updates don't seem to matter.

[ppilatee]

You can bypass the patcher by just changing one JL command in AoC to a JMP, or whatever else you want, really. Bit simpler than recreating encryption. You'll need some clienthash value, though I don't know how valid it has to be. I'm sure missing major patches would cause problems, but I can use the exact same clienthash and dummy (invalid) key values for days in a row with no problems.

Basically I just patch on patch days and grab the clienthash from the patcher, and then startup without it until the next official patch day. All the little in-between updates don't seem to matter.

If anyone wants to manually patch around the loader, get out your favorite hex editor and follow these simple steps:

1) BACKUP YOUR ORIGINAL AGEOFCONAN.EXE, you'll regret it patch days if you don't.

2) Open AgeofConan.exe in your favorite hex editor

3) Skip to the location: 0x02A05B

4) Change the bytes: 746D
to: EB6D

5) Save, Close your editor, Run!

This basically just jumps around the hash check all together.

[aoczek]

simplest way:

If you right click on your Age of Conan Shortcut and click properties you should see something like this

"C:Program FilesFuncomAge of ConanAgeOfConan.exe"

by adding -novideo to this, the game will open without the intro movies. Granted, Enter also skips the movies after they load, which takes about 1 second on a decent system. However, it takes a little while for videos to load on the minimum system, and thus several seconds are added to boot time.

other commands:

AgeOfConan.exe -novideo -noconsole -username %1 -password %2