dh key

Discussion on dh key within the CO2 Programming forum part of the Conquer Online 2 category.

Old   #1
dh key

I'm using this code to get the DH key in Proxy Paradise:
Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Runtime.InteropServices;
using OpenSSL;

namespace ProxyParadise.Cryptography
{
    public class ClientDHPacket
    {
        public string Client_PubKey;
        int JunkLength;
        public ClientDHPacket(byte[] Packet)
        {
            MemoryStream MS = new MemoryStream(Packet);
            BinaryReader BR = new BinaryReader(MS);
            BR.ReadBytes(7);//JUNK
            BR.ReadUInt32();//Length
            JunkLength = BR.ReadInt32();
            BR.ReadBytes(JunkLength);
            Client_PubKey = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            BR.Close();
            MS.Close();
        }
        public void Edit(byte[] Packet, string NewKey)
        {
            MemoryStream MS = new MemoryStream(Packet);
            BinaryWriter BW = new BinaryWriter(MS);
            BW.Seek(19 + JunkLength, SeekOrigin.Current);
            BW.Write(Encoding.ASCII.GetBytes(NewKey));
        }
    }
    public class ServerDHPacket
    {
        public byte[] ServerIV;
        public byte[] ClientIV;
        public string P;
        public string G;
        public string Server_PubKey;
        int JunkLength;

        public ServerDHPacket(byte[] Packet)
        {
            MemoryStream MS = new MemoryStream(Packet);
            BinaryReader BR = new BinaryReader(MS);
            BR.ReadBytes(11);//JUNK
            BR.ReadUInt32();//Length - Like i care of it
            JunkLength = BR.ReadInt16();
            BR.ReadBytes(JunkLength);//JUNK length
            ServerIV = BR.ReadBytes(BR.ReadInt32());
            ClientIV = BR.ReadBytes(BR.ReadInt32());
            P = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            G = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            Server_PubKey = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            BR.Close();
            MS.Close();
        }

        public void Edit(byte[] Packet, string EditedPubKey)
        {
            MemoryStream MS = new MemoryStream(Packet);
            BinaryWriter BW = new BinaryWriter(MS);
            BW.Seek(55 + JunkLength + P.Length + G.Length, SeekOrigin.Current);
            BW.Write(Encoding.ASCII.GetBytes(EditedPubKey));
            BW.Close();
            MS.Close();
        }
    }

}
but I get this error: Non-negative number required.
Parameter name: count

at
BR.ReadBytes(JunkLength);//JUNK length
kakamankoko is offline  
Old 03/19/2014, 11:47   #2
Well JunkLength is assigned by reading the next 2 bytes (a short) starting at offset 16.

Judging by your error, it is either being assigned no number at all, or a negative number.
Aceking is offline  
Old 03/19/2014, 12:05   #3
Quote:
Originally Posted by Aceking View Post
Well JunkLength is assigned by reading the next 2 bytes (a short) starting at offset 16.

Judging by your error, it is either being assigned no number at all, or a negative number.
It's a negative number, but how do I fix it?
kakamankoko is offline  
Old 03/19/2014, 12:15   #4
Breakpoint it, see what value is being pushed to it.

If it is a negative number, then that value is coming from the server. So you are either looking at the wrong offsets or the server is sending the wrong values.
Aceking is offline  
Old 03/19/2014, 12:34   #5
Quote:
Originally Posted by Aceking View Post
Breakpoint it, see what value is being pushed to it.

If it is a negative number, then that value is coming from the server. So you are either looking at the wrong offsets or the server is sending the wrong values.
If I recall correctly, the last time I offhandedly tried to compile the Proxy Paradise source, the JunkByte function was returning something like "-10002398472". It's rather outdated, and the first thing that needs to be done is to have all of the offsets patched. Also, I doubt he knows how to place a breakpoint (correct me if I'm wrong, but I'm going to go ahead and take that liberty).

To OP:
TL;DR the addresses are wrong, fix them first.
Benzaldehyde is offline  
Old 03/19/2014, 13:33   #6
Quote:
Originally Posted by Benzaldehyde View Post
If I recall correctly, the last time I offhandedly tried to compile the Proxy Paradise source, the JunkByte function was returning something like "-10002398472". It's rather outdated, and the first thing that needs to be done is to have all of the offsets patched. Also, I doubt he knows how to place a breakpoint (correct me if I'm wrong, but I'm going to go ahead and take that liberty).

To OP:
TL;DR the addresses are wrong, fix them first.
Could be quite right there. I have a working Proxy Paradise, but it's for a lower patch and uses Blowfish.
Aceking is offline  
Old 03/19/2014, 19:22   #7
Quote:
Originally Posted by Benzaldehyde View Post
If I recall correctly, the last time I offhandedly tried to compile the Proxy Paradise source, the JunkByte function was returning something like "-10002398472". It's rather outdated, and the first thing that needs to be done is to have all of the offsets patched. Also, I doubt he knows how to place a breakpoint (correct me if I'm wrong, but I'm going to go ahead and take that liberty).

To OP:
TL;DR the addresses are wrong, fix them first.
I'm using it on another server (patch 5830) and it's working perfectly; I edited most of the packets and added aimbot/NPC action and many other features to it, but when I try to do it on another server I get that error. I'm kinda good at C# but not at C# networking, so if you have time, please be kind and tell me what offsets I need to edit and where I find them in Proxy Paradise. If you don't, thank you anyway.
kakamankoko is offline  
Old 03/19/2014, 21:57   #8
Quote:
Originally Posted by kakamankoko View Post
I'm using it on another server (patch 5830) and it's working perfectly; I edited most of the packets and added aimbot/NPC action and many other features to it, but when I try to do it on another server I get that error. I'm kinda good at C# but not at C# networking, so if you have time, please be kind and tell me what offsets I need to edit and where I find them in Proxy Paradise. If you don't, thank you anyway.
The reason it isn't working is because the offsets probably changed, so the value you are reading for junk bytes isn't correct.

Code:
BR.ReadBytes(11);//JUNK
BR.ReadUInt32();//Length - Like i care of it
JunkLength = BR.ReadInt16();
BR.ReadBytes(JunkLength);//JUNK length
On the above, the first line reads 11 bytes, so it is offsets 0-10.
The second reads 4 bytes as an int, so it reads 11-14.
Then it assigns JunkLength from offsets 15-16.
And then whatever value is assigned to JunkLength, it reads next.

Your problem is the fact that offsets 15 and 16 don't contain the necessary value.
You need to find the correct offsets for the values, and then change the first line so the reader will read the correct offsets when it reaches them.

Find a public source for the patch you are targeting to find the offsets you need.
Or, use what you currently have to dump the offsets, and then determine what offsets you need.
A little bit of work, but not impossible.
Aceking is offline  
Old 03/20/2014, 16:59   #9
Quote:
Originally Posted by Aceking View Post
The reason it isn't working is because the offsets probably changed, so the value you are reading for junk bytes isn't correct.

Code:
BR.ReadBytes(11);//JUNK
BR.ReadUInt32();//Length - Like i care of it
JunkLength = BR.ReadInt16();
BR.ReadBytes(JunkLength);//JUNK length
On the above, the first line reads 11 bytes, so it is offsets 0-10.
The second reads 4 bytes as an int, so it reads 11-14.
Then it assigns JunkLength from offsets 15-16.
And then whatever value is assigned to JunkLength, it reads next.

Your problem is the fact that offsets 15 and 16 don't contain the necessary value.
You need to find the correct offsets for the values, and then change the first line so the reader will read the correct offsets when it reaches them.

Find a public source for the patch you are targeting to find the offsets you need.
Or, use what you currently have to dump the offsets, and then determine what offsets you need.
A little bit of work, but not impossible.
That's the server-side DH key:
Code:
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using Org.BouncyCastle.Crypto.Digests;
using Org.BouncyCastle.Utilities.Encoders;
using CO2_CORE_DLL.Security.Cryptography;

namespace Conquer_Online_Server.Network.GamePackets
{
    public static class DHKeyExchange
    {
        public class ServerKeyExchange
        {
            DiffieHellman _keyExchange;
            byte[] _serverIv;
            byte[] _clientIv;

            public byte[] CreateServerKeyPacket()
            {
                _clientIv = new byte[8];
                _serverIv = new byte[8];
                string P = "E7A69EBDF105F2A6BBDEAD7E798F76A209AD73FB466431E2E7352ED262F8C558F10BEFEA977DE9E21DCEE9B04D245F300ECCBBA03E72630556D011023F9E857F";
                string G = "05";
                _keyExchange = new DiffieHellman(P, G);
                return GeneratePacket(_serverIv, _clientIv, P, G, _keyExchange.GenerateRequest());
            }
            public Cryptography.GameCryptography HandleClientKeyPacket(string PublicKey, Cryptography.GameCryptography cryptographer)
            {
                _keyExchange.HandleResponse(PublicKey);
                byte[] data = _keyExchange.ToBytes();
                var md5 = new MD5Digest();
                var firstRun = new byte[md5.GetDigestSize() * 2];
                md5.BlockUpdate(data, 0, data.TakeWhile(x => x != 0).Count());
                md5.DoFinal(firstRun, 0);
                Array.Copy(firstRun, 0, firstRun, md5.GetDigestSize(), md5.GetDigestSize());
                var n = Hex.Encode(firstRun);
                md5.BlockUpdate(n, 0, n.Length);
                md5.DoFinal(firstRun, md5.GetDigestSize());
                byte[] key = Hex.Encode(firstRun);
                cryptographer.SetKey(key);
                cryptographer.SetIvs(_clientIv, _serverIv);
                return cryptographer;
            }
            public byte[] GeneratePacket(byte[] ServerIV1, byte[] ServerIV2, string P, string G, string ServerPublicKey)
            {
                int PAD_LEN = 11;
                int _junk_len = 12;
                string tqs = "TQServer";
                MemoryStream ms = new MemoryStream();
                byte[] pad = new byte[PAD_LEN];
                Kernel.Random.NextBytes(pad);
                byte[] junk = new byte[_junk_len];
                Kernel.Random.NextBytes(junk);
                int size = 47 + P.Length + G.Length + ServerPublicKey.Length + 12 + 8 + 8;
                BinaryWriter bw = new BinaryWriter(ms);
                bw.Write(pad);
                bw.Write(size - PAD_LEN);
                bw.Write((UInt32)_junk_len);
                bw.Write(junk);
                bw.Write((UInt32)ServerIV2.Length);
                bw.Write(ServerIV2);
                bw.Write((UInt32)ServerIV1.Length);
                bw.Write(ServerIV1);
                bw.Write((UInt32)P.ToCharArray().Length);
                foreach (char fP in P.ToCharArray())
                {
                    bw.BaseStream.WriteByte((byte)fP);
                }
                bw.Write((UInt32)G.ToCharArray().Length);
                foreach (char fG in G.ToCharArray())
                {
                    bw.BaseStream.WriteByte((byte)fG);
                }
                bw.Write((UInt32)ServerPublicKey.ToCharArray().Length);
                foreach (char SPK in ServerPublicKey.ToCharArray())
                {
                    bw.BaseStream.WriteByte((byte)SPK);
                }
                foreach (char tq in tqs.ToCharArray())
                {
                    bw.BaseStream.WriteByte((byte)tq);
                }
                byte[] Packet = new byte[ms.Length];
                Packet = ms.ToArray();
                ms.Close();
                return Packet;
            }
        }
    }
}
I tried to make the numbers from 11 to 18 in the first offset but no luck, and what I can figure out from this code is that it should be 12 ("int _junk_len = 12;"),
but still the same problem. I think the owner of the server that I'm trying to bot on changed this, so how do I log it? Is there any packet for this to log or something, and if it's available, what is this packet ID?
kakamankoko is offline  
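As an added example (not code from this thread, from Proxy Paradise or from the server source posted above), here is a Python parser for the server DH packet laid out exactly as the posted GeneratePacket writes it: 11 pad bytes, an int32 length, a uint32 junk length plus junk, five uint32-length-prefixed fields (IV, IV, P, G, server public key) and the "TQServer" trailer. Every length prefix is checked against the bytes remaining before it is used, so a wrong offset or a mismatched field width raises a PacketError naming the offset instead of a "Non-negative number required" exception, and the returned offsets give the dump the replies above ask for; the build helper, the strict total-length check and the trailer check are this example's own assumptions.

```python
import os
import struct

PAD_LEN = 11       # random pad bytes before the length field (from the posted GeneratePacket)
TRAILER = b"TQServer"


class PacketError(ValueError):
    """Raised instead of letting a bad length reach a ReadBytes()-style call."""


def build_server_dh_packet(server_iv, client_iv, p, g, server_pub, junk_len=12):
    """Constructed sample: same layout the posted server code writes (little-endian)."""
    body = struct.pack("<I", junk_len) + os.urandom(junk_len)
    # GeneratePacket writes its second IV argument (the client IV) first.
    for field in (client_iv, server_iv, p.encode(), g.encode(), server_pub.encode()):
        body += struct.pack("<I", len(field)) + field
    body += TRAILER
    # The length field counts everything after the pad, itself included (size - PAD_LEN).
    return os.urandom(PAD_LEN) + struct.pack("<i", len(body) + 4) + body


def _read_field(buf, pos):
    """Read a uint32 length prefix and its payload, validating before slicing."""
    if pos + 4 > len(buf):
        raise PacketError(f"length prefix at offset {pos} runs past end of packet")
    (n,) = struct.unpack_from("<I", buf, pos)
    if n > len(buf) - pos - 4:
        raise PacketError(f"field at offset {pos} claims {n} bytes, {len(buf) - pos - 4} remain")
    return pos + 4, buf[pos + 4:pos + 4 + n], pos + 4 + n


def parse_server_dh_packet(buf):
    """Return {name: (data_offset, data)} so the field offsets can be dumped and checked."""
    if len(buf) < PAD_LEN + 4:
        raise PacketError("packet shorter than pad + length header")
    (declared,) = struct.unpack_from("<i", buf, PAD_LEN)
    if declared != len(buf) - PAD_LEN:
        raise PacketError(f"length field says {declared}, packet has {len(buf) - PAD_LEN}")
    fields, pos = {}, PAD_LEN + 4
    # Junk length is read as 4 bytes here because the posted server writes it as (UInt32).
    for name in ("junk", "iv_a", "iv_b", "P", "G", "server_pub"):
        off, data, pos = _read_field(buf, pos)
        fields[name] = (off, data)
    if buf[pos:] != TRAILER:
        raise PacketError(f"expected {TRAILER!r} at offset {pos}: layout differs from this build")
    return fields
```

Feed a captured packet from the build you are targeting into parse_server_dh_packet and the first PacketError tells you at which offset the assumed layout stops matching.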
Old 03/20/2014, 20:24   #10
The code you already posted is reading the packet...
Code:
public ServerDHPacket(byte[] Packet)
{
    MemoryStream MS = new MemoryStream(Packet);
    BinaryReader BR = new BinaryReader(MS);
    BR.ReadBytes(11);//JUNK
    BR.ReadUInt32();//Length - Like i care of it
    JunkLength = BR.ReadInt16();
    BR.ReadBytes(JunkLength);//JUNK length
    ServerIV = BR.ReadBytes(BR.ReadInt32());
    ClientIV = BR.ReadBytes(BR.ReadInt32());
    P = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
    G = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
    Server_PubKey = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
    BR.Close();
    MS.Close();
}
With some modifications you could easily dump the entire packet and then analyze it for what you need.
However, I think this is a little out of your skillset.

But proxy paradise already has a method for dumping packets so maybe you can just use that.
Aceking is offline  
Old 03/20/2014, 21:03   #11
It all depends on the patch you are targeting.

Encryption has changed a few times and the exchange process is different in some newer patches. Sounds like you have some good help already though and I have zero clue about later patches. Best of luck though.

<EDIT>

You just said you are using it on a different server... You need to pull the encryption key the server is using (from conquer.exe) or you will have problems.

If you don't have the proper public key then you're not going to be able to intercept/spoof the exchange process.
pro4never is offline  
Old 03/20/2014, 21:31   #12
Quote:
Originally Posted by pro4never View Post
It all depends on the patch you are targeting.

Encryption has changed a few times and the exchange process is different in some newer patches. Sounds like you have some good help already though and I have zero clue about later patches. Best of luck though.

<EDIT>

You just said you are using it on a different server... You need to pull the encryption key the server is using (from conquer.exe) or you will have problems.

If you don't have the proper public key then you're not going to be able to intercept/spoof the exchange process.
The key from conquer.exe is: TQClient TQServer C238xs65pjy7HU9Q

So what should I do after this?
kakamankoko is offline  
Old 03/20/2014, 21:57   #13
There will be a variable in the proxy that is already storing this value. You need to replace it with what you posted above.
Aceking is offline  
Old 03/20/2014, 22:12   #14
Quote:
Originally Posted by Aceking View Post
There will be a variable in the proxy that is already storing this value. You need to replace it with what you posted above.
That's the first thing I've done when I got it, but still the same problem. I don't know how to thank you guys for replying!
kakamankoko is offline  