(Help) Packets Encrypted

Discussion on (Help) Packets Encrypted within the Cabal Online forum part of the MMORPGs category.

Old   #1
 
elite*gold: 0
Join Date: Feb 2008
Posts: 1
Received Thanks: 0
(Help) Packets Encrypted

Hi, does anyone know how to decrypt the packets of Cabal (packets obtained by sniffing, for example with Ethereal or WPE)?

I tried with XOR crypt, but doing the same action in the game the packet changes.
I think that it's a different XOR code per packet, but I can't find it.

For example, in the game chat I said "hello" 5 times and I got 5 different packets, but with the same size.

Those are the packets; here in text:

B3 30 38 CB 27 8E E1 D3 DB 84 78 9A EA F9 47 F4 4D 99 85

2D 15 CD 32 3E 69 C1 90 17 4A 82 28 1E 69 02 B2 AD C4 05

41 0C 2D 59 65 A1 01 6C DE DB 01 BD 59 F3 DB EC 4D E7 2F

...

The word used was "hello" without the quotes.
The 5 packets all have to contain "hello" encrypted.
For "hello" the size is 19; when I wrote for example "helloo" the size changed to 20, when I write "hellooo" the size is 21, and so on.

Thanks if you can help me.

PS: Sorry for my English.
jupapios is offline  
Old 08/18/2009, 00:07   #2
 
elite*gold: 0
Join Date: May 2009
Posts: 220
Received Thanks: 104
Hm... everything I will say is -2.

That should help you.

For about 60% of the packets you don't need to have the right timestamp...
someone122 is offline  
Old 08/18/2009, 03:24   #3
 
elite*gold: 0
Join Date: Oct 2007
Posts: 364
Received Thanks: 74
Nice thread, hmm, -2? So if I convert every hex value and then subtract 2 from every byte, I'll get the unencrypted packet? Hmm... so every time I catch a packet, I'll subtract 2 from it? I guess you need a proxy server for this kind of hack...

I hope someone122 or novacygni can provide an overview of a proxy server and DLL injection/code caving in Cabal.

I have a question: what's the difference between a proxy server, DLL injection, and code caving?

My understanding of a proxy server is that it will catch packets from client to server and vice versa: the proxy server catches a packet, then decrypts the packet, edits the decrypted packet, then encrypts it again so the client or server will accept it. You would really need a lot of knowledge, and I think the hardest part is the encryption and timestamping...

For DLL injection, I think you can call certain functions in-game with just a press of a hotkey, like pressing the letter "P" will automatically buy pots from the alchemist. I think this also deals with packets?

Code caving involves asm/debugging, like the functions of CE. I believe this is the way to go for newbies? Since we just need to point which goes to which address, nop, jne, jmp, whatever. And I've also read that at some point in the program, the packet will be passed to the encryption process inside cabalmain.exe, so if we can find that point, just dump the code before it's encrypted? Or if you made a code cave, just point it to the encryption address...

I hope someone will point out my mistakes, thanks.
dlnqt is offline  
Old 08/18/2009, 14:41   #4
 
elite*gold: 0
Join Date: May 2008
Posts: 103
Received Thanks: 52
Quote:
Originally Posted by dlnqt
[quotes post #3 above in full]
DLL injection is exactly what its name says: you basically inject a DLL into an application to modify how it will act.

Code caving is basically using a code "gap" to manipulate the game in a certain way.

But for proxy server, I don't know what you mean, since a proxy server is only a "go-between"; instead of connecting directly to the server, you connect to a proxy server, which connects itself to the desired server, then sends you back the information. It may be used to catch packets, but since that proxy gets the same packet flow you would normally get yourself if you connected directly to the server, I guess it's useless, until you've got a proxy server which will decrypt the packets for you when you're unable to do it yourself xD
goldencoolsam is offline  
Old 08/19/2009, 11:37   #5
 
elite*gold: 0
Join Date: Jan 2008
Posts: 303
Received Thanks: 156
Quote:
Originally Posted by goldencoolsam
I guess it's useless, until you've got a proxy server which will decrypt the packets for you when you're unable to do it yourself xD
I'm sure that's what he's trying to do.
1) The encryption method is AES Rijndael. That alone still won't help you, because you need to know the encryption keys (Key1 and Key2) to be able to decrypt the packet.
2) It's a proxy, not a "proxy server". It's used to do the packet encryption and decryption for you, so yes, you can alter/inject your own packets at will.
3) Ethereal and other "sniffers" are no good for sniffing encrypted MMORPG packets. I'd suggest writing a C# sniffer to hook the Winsock recv function in Cabal.exe, just to let you log enough packets to work out Key2 (clue: the first packet contains it) and to work out the packet structs.
4) Code caving is used to make the exe have modified functions, i.e. a timestamp check added to the bottom of the exe which takes the current time and adds .45ms to it, then simply point all references to WinGetTime to this new WinGetTime code written at the bottom.
5) DLL injection is the best method for loading your proxy/bot, as GameGuard, being the hunk of shit that it is, doesn't check referenced DLLs. The clue here, btw, is to inject your DLL by modifying oggvorbis.dll, or easier yet just code cave GameGuard itself to call your bot program and then it'll "protect" your bot's processes.
Quote:
Originally Posted by dlnqt
Nice thread, hmm, -2? So if I convert every hex value and then subtract 2 from every byte, I'll get the unencrypted packet? Hmm... so every time I catch a packet, I'll subtract 2 from it? I guess you need a proxy server for this kind of hack...

My understanding of a proxy server is that it will catch packets from client to server and vice versa: the proxy server catches a packet, then decrypts the packet, edits the decrypted packet, then encrypts it again so the client or server will accept it. You would really need a lot of knowledge, and I think the hardest part is the encryption and timestamping...

Code caving involves asm/debugging, like the functions of CE. I believe this is the way to go for newbies? Since we just need to point which goes to which address, nop, jne, jmp, whatever. And I've also read that at some point in the program, the packet will be passed to the encryption process inside cabalmain.exe, so if we can find that point, just dump the code before it's encrypted? Or if you made a code cave, just point it to the encryption address...
Nope, the -2 is part of the algo used in the modified AES Rijndael method Cabal uses.
Nothing hard about it really: the encryption is AES Rijndael, Key1 is in Cabal.exe itself and Key2 is received in the first packet from server > client... Timestamping is basically calling the current time with WinGetTime and adding .45ms to the current time before sending the packet on to the server.
OllyDbg is the pro's tool of choice for researching values and performing research to advance other areas of botting.
You shouldn't try flying before you can walk, let alone run! But yes, you can inject packets into the exe itself so the exe does the encryption for you, but this is far from basic!
Quote:
For example, in the game chat I said "hello" 5 times and I got 5 different packets, but with the same size.
That's because the timestamp changed in each packet, which would make the whole string be encrypted differently, not just part of it...
NovaCygni is offline  
Old 08/28/2009, 14:55   #6
 
elite*gold: 0
Join Date: Apr 2008
Posts: 7
Received Thanks: 0
Hmmm, maybe this part of Cabot could be useful?
Code:
using System;

namespace Cabot
{
    // Packet cipher as used by Cabot: a chained XOR over 4-byte words. The key for each word is
    // looked up in MainKey, indexed by the low 14 bits (& 0x3FFF) of the previous ciphertext word.
    class Cryption
    {
        // Key table. It is not part of this snippet and has to be loaded from outside;
        // every index is masked with 0x3FFF, so it needs at least 0x4000 * 4 bytes.
        public byte[] MainKey;
        // Masks for the 0-3 trailing bytes that do not fill a whole word (index = length & 3).
        uint[] Keys2 = { 0xFFFFFFFF, 0xFFFFFF00, 0xFFFF0000, 0xFF000000 };

        // Server -> client packets.
        public void Decrypt(ref byte[] packet)
        {
            uint size = (uint)packet.Length;
            if (size < 4)
                return; // nothing to do without a header word (and (size - 4) would wrap around)
            Array.Resize(ref packet, packet.Length + 4); // padding so the tail can be read as a whole word
            uint i = 4;
            // The first key is taken from the still-encrypted header word, then the header is unmasked.
            uint Key = BitConverter.ToUInt32(MainKey, (BitConverter.ToInt32(packet, 0) & 0x3FFF) * 4);
            BitConverter.GetBytes(BitConverter.ToInt32(packet, 0) ^ 0x7AB38CF1).CopyTo(packet, 0);
            uint t = (size - 4) >> 2; // number of whole words after the header (shift right 2 = divide by 4)
            uint t1;
            while (t > 0)
            {
                t1 = BitConverter.ToUInt32(packet, (int)i); // ciphertext word
                Key = Key ^ t1;                              // plaintext word
                BitConverter.GetBytes(Key).CopyTo(packet, i);
                t1 = t1 & 0x3FFF;                            // next key index comes from the ciphertext word
                Key = BitConverter.ToUInt32(MainKey, (int)(t1 * 4));
                i += 4;
                t--;
            }
            // Trailing bytes: XOR only the bytes that exist (inverted mask), never the padding.
            t1 = Keys2[((size - 4) & 3)];
            t1 = ~t1;
            t1 = t1 & Key;
            BitConverter.GetBytes(BitConverter.ToUInt32(packet, (int)i) ^ t1).CopyTo(packet, i);
            Array.Resize(ref packet, (int)size);
        }

        public struct PacketInfo
        {
            public uint Key;  // encryption base key, applied to the header word of the next packet
            public uint Step; // encryption step (packet counter, 14 bits)
            public uint Mul;  // encryption multiplier applied to every table index
            // The dummy parameter exists because a C# struct cannot declare a parameterless constructor.
            public PacketInfo(bool setup)
            {
                Key = 0xB43CC06E;
                Step = 0;
                Mul = 1;
            }
        }

        // Client -> server packets; PI carries the rolling header key between calls.
        public void Encrypt(ref byte[] packet, ref PacketInfo PI)
        {
            uint size = (uint)packet.Length;
            if (size < 0x0A)
                return; // checked before resizing, so a short packet is handed back unchanged
            Array.Resize(ref packet, packet.Length + 4);
            // The header word is masked with the rolling key; the first chain key is looked up from the result.
            // Read as uint so the XOR stays 32-bit (int ^ uint is promoted to long and would write 8 bytes).
            BitConverter.GetBytes(BitConverter.ToUInt32(packet, 0) ^ PI.Key).CopyTo(packet, 0);
            uint Key = (BitConverter.ToUInt32(packet, 0) & 0x3FFF) * PI.Mul;
            Key = BitConverter.ToUInt32(MainKey, (int)(Key * 4));
            uint t = (size - 8) >> 2; // whole words from offset 8; bytes 4..7 are filled in at the end
            uint t1;
            uint i = 8;
            while (t > 0)
            {
                t1 = BitConverter.ToUInt32(packet, (int)i); // plaintext word
                t1 = t1 ^ Key;                               // ciphertext word
                BitConverter.GetBytes(t1).CopyTo(packet, i);
                t1 = (t1 & 0x3FFF) * PI.Mul;                 // next key index comes from the ciphertext word
                Key = BitConverter.ToUInt32(MainKey, (int)(t1 * 4));
                i += 4;
                t--;
            }
            // Trailing bytes, as in Decrypt; t2 is kept because the word at offset 4 is derived from it.
            t1 = Keys2[((size - 8) & 3)];
            t1 = ~t1;
            uint t2 = (t1 & Key) ^ BitConverter.ToUInt32(packet, (int)i);
            BitConverter.GetBytes(t2).CopyTo(packet, i);
            Array.Resize(ref packet, packet.Length - 4);
            // Word at offset 4: the tail word XORed with one more table lookup.
            t1 = (Key & 0x3FFF) * PI.Mul;
            t1 = t2 ^ BitConverter.ToUInt32(MainKey, (int)(t1 * 4));
            BitConverter.GetBytes(t1).CopyTo(packet, 4);
            // Advance the rolling header key for the next packet.
            PI.Step = ((PI.Step + 1) & 0x3FFF);
            PI.Key = BitConverter.ToUInt32(MainKey, (int)((PI.Step * PI.Mul) * 4));
        }
    }
}
My English is so bad, and my programming skill is even worse than my English =)
I'm trying to understand this code, but I'm not sure I can write something.
I'm not sure the keys in these procedures are right. Where can I check/get the keys?
NovaCygni wrote:
Quote:
log enough packets to work out Key2 (clue: the first packet contains it) and to work out the packet structs
but do I still need Key1 or not?
Targius is offline  
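To make the chain in Targius's snippet concrete, here is an added Python port of the posted Decrypt() plus its inverse (example code written for this thread, not Cabot's own); the header constant and tail masks are taken from the C#, while MainKey is a constructed table, since the real one is not in this thread. It also reproduces the observation from the first post: the same "hello" payload behind a different leading word (the timestamp NovaCygni mentions, or anything else earlier in the packet) comes out as different ciphertext for every word after it, while the same bytes in give the same bytes out.

```python
import struct

TABLE_ENTRIES = 0x4000                       # every table index is masked with 0x3FFF
HEADER_XOR = 0x7AB38CF1                      # constant Decrypt() applies to the header word
TAIL_MASKS = (0xFFFFFFFF, 0xFFFFFF00, 0xFFFF0000, 0xFF000000)   # Keys2 in the C#

def make_table():
    """Constructed stand-in for MainKey (NOT the game's table): 16384 distinct words."""
    return [(i * 0x9E3779B1) & 0xFFFFFFFF for i in range(TABLE_ENTRIES)]

def _chain(table, packet, decrypting):
    """Shared word chain: each 4-byte word is XORed with the current key, and the next key
    is table[previous ciphertext word & 0x3FFF]; leftover tail bytes use ~Keys2[len & 3]."""
    size = len(packet)
    if size < 4:
        raise ValueError("need at least the 4-byte header word")
    buf = bytearray(packet) + b"\0\0\0\0"      # same +4 padding as Array.Resize in the C#
    head = struct.unpack_from("<I", buf, 0)[0]
    cipher_head = head if decrypting else head ^ HEADER_XOR
    struct.pack_into("<I", buf, 0, head ^ HEADER_XOR)
    key = table[cipher_head & 0x3FFF]
    i = 4
    for _ in range((size - 4) >> 2):
        word = struct.unpack_from("<I", buf, i)[0]
        out = word ^ key
        struct.pack_into("<I", buf, i, out)
        key = table[(word if decrypting else out) & 0x3FFF]
        i += 4
    mask = ~TAIL_MASKS[(size - 4) & 3] & 0xFFFFFFFF
    tail = struct.unpack_from("<I", buf, i)[0]
    struct.pack_into("<I", buf, i, tail ^ (key & mask))
    return bytes(buf[:size])

def decrypt(table, packet):
    """Port of the posted Decrypt() (server -> client packets)."""
    return _chain(table, packet, decrypting=True)

def encrypt(table, packet):
    """Inverse of decrypt(); the C# Encrypt() is the separate client -> server schedule."""
    return _chain(table, packet, decrypting=False)

def demo(table):
    """The same 'hello' payload behind two different header words: both round-trip, and the
    ciphertexts diverge right after the header, like the five captures in the first post."""
    body = b"hello" + b"\0" * 10               # 4 + 15 = 19 bytes, the size of the captures
    p1 = struct.pack("<I", 1) + body
    p2 = struct.pack("<I", 2) + body
    c1, c2 = encrypt(table, p1), encrypt(table, p2)
    round_trip = decrypt(table, c1) == p1 and decrypt(table, c2) == p2
    return round_trip, c1[4:] != c2[4:]
```

Note that a one-word change early in the packet re-keys every later word, which is why only a full chain from the header onward decrypts cleanly.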