Packet Decryption for 2Moons

Discussion on Packet Decryption for 2Moons within the Dekaron forum part of the MMORPGs category.

Old   #1
 
elite*gold: 0
Join Date: Oct 2008
Posts: 197
Received Thanks: 23
Packet Decryption for 2Moons

Well, here's the deal. I am looking for a method to decrypt the packets you receive from the 2moons server, filter out specific packets and then edit them, encrypt them and then let the client receive them (or if possible, skip the encrypting part). I suppose this is doable by a program, yes? Probably the blokes at UnderGround have something close to this, but I doubt it's ever gonna be released. Now I also read in nebular's CRC thread that the same values of tables used in the CRC calculation are also used to encrypt/decrypt packets, but I have no idea where to start.
Halp ?
Systemerror is offline  
Old 11/24/2008, 20:27   #2
 
elite*gold: 0
Join Date: Nov 2007
Posts: 331
Received Thanks: 441
I was looking for the same thing... I use exproxy/exanalyze. I did analyze some packets when I pick/drop an argate, but I didn't have the program to decrypt/encrypt and resend... I will try to find some info too... it would be great XD
elberacasa is offline  
Old 11/24/2008, 20:59   #3
 
elite*gold: 0
Join Date: Sep 2008
Posts: 161
Received Thanks: 19
Hmm, I've tried exproxy/exanalyze; it shows connected but it didn't show any packets received or sent. I wonder why? Oops, off topic.

Ok, not sure I can put this link but I heard this is a good packet editor.
wln6672 is offline  
Old 11/24/2008, 21:14   #4
 
elite*gold: 0
Join Date: Oct 2008
Posts: 197
Received Thanks: 23
I'll try it later, thanks. I am trying to do an upgrading hack, I've found out exactly which packet is the packet that determines the failure/success of an item, but every time it changes because of the encryption so there is not much I can do.
Edit: Oh I have nsauditor already, but how exactly do I decrypt the packets with nsauditor? If it requires some kind of key, I suppose I can manage to solve that problem but yeah, I couldn't find the part where you decrypt with nsauditor.
Systemerror is offline  
Old 11/24/2008, 21:34   #5
 
elite*gold: 20
Join Date: Aug 2008
Posts: 2,762
Received Thanks: 4,395
I have used Nsauditor for some months now. It's a nice piece of network analyzing software. Sometimes, however, it causes a huge lag on the computer when intercepting packets.
HellSpider is offline  
Old 11/25/2008, 01:52   #6
 
elite*gold: 0
Join Date: Dec 2007
Posts: 1,238
Received Thanks: 387
Well, there's 1 way to find the table of decryption and encryption. You must reverse with olly at the beginning of wsa_recv32, then there you're gonna have to reverse the process to find the correct call from the table. Good luck!
EliteDKTrader is offline  
Old 11/25/2008, 15:01   #7
 
elite*gold: 0
Join Date: Oct 2008
Posts: 197
Received Thanks: 23
Well, since I know almost NOTHING about olly and even less about executables and modifying them, could anyone point me to a quick-learn olly tutorial or something similar? I did get to WSARecv, WSARecvDisconnect, WSARecvFrom but I don't know what the heck I should do with it. Also, does this CryptEncrypt at 0083E288 :: 00C3E288 have something to do with encrypting/decrypting packets? I'm using furious420's unpacked executable btw. Other things I have questions about are these:
CryptCreateHash [Name] :: 0083E140 :: 00C3E140
The reference is above.
CryptDeriveKey [Name] :: 0083E152 :: 00C3E152
The reference is above.
CryptHashData [Name] :: 0083E2C0 :: 00C3E2C0
The reference is above.
Anything to do with decrypting the packets?
Sorry if this seems dumb to any coding experts here, I'm a complete novice.
What I would like is somebody to tell me if I'm at least on the right track, and maybe point me to a useful olly tutorial. I haven't tried attaching olly to the running game yet though, should I do that and see if I can find anything even though I can't do anything with it?
Thanks.
Edit. Is there a later version of dekaron packet sniffer out which could filter specific packets and modify them if the server sends the specific packet?
Systemerror is offline  
Old 11/25/2008, 18:34   #8
 
elite*gold: 20
Join Date: Aug 2008
Posts: 2,762
Received Thanks: 4,395
Quote:
Originally Posted by Systemerror
Is there a later version of dekaron packet sniffer out which could filter specific packets and modify them if the server sends the specific packet?
I don't think Nebular has released any newer version than the one at projectrev. Perhaps there is a newer one in UG but I doubt it.
HellSpider is offline  
Old 11/25/2008, 19:16   #9
 
elite*gold: 0
Join Date: Oct 2007
Posts: 196
Received Thanks: 188
Quote:
Well, since I know almost NOTHING about olly and even less about executables and modifying them, could anyone point me to a quick-learn olly tutorial or something similar? I did get to WSARecv, WSARecvDisconnect, WSARecvFrom but I don't know what the heck I should do with it.
Somehow data has to be sent to the server.
This is done by using (data) packets.
Let's say you have built the packet, how shall it get transported to the server?

The transportation (communication) is done by using winsockets(2)
and WS2_32.dll is the library used to program such a communication between client and server.
Well, the functions in WS2_32.dll are well documented; go to this site to get more information about its functions: .

The functions used to send and receive data to/from the server are:

WSASend(), WSARecv(), recv() and send().

In some low-protected games the communication is done like this:

Client forms data at location x -> data gets sent to the winsock library to send it to the server.
Server sends packets to the winsock library -> client reads the information given.

In 2moons we have an encryption; this means the communication will look like this:

Client forms data at location x -> data gets encrypted -> data gets sent.
Server sends data to client -> data gets decrypted -> data gets read.

Note: Decryption does not have to be the same as encryption. (I dunno about 2moons.) So this means making a packet editor requires decrypting packets properly, and making a packet sender requires encrypting the packets properly so the server accepts them.

What andrew wanted to tell you is that you have to start at the functions of the winsock library and then backtrace from where it is called (encryption/decryption routine) until you get the packet in plain text.
Backtracing the chat packets is the easiest since you know what you wrote (how the packet should look) and what the final values (how the packet looks now) are.

I'm wondering how to bind this encryption function into a program...
Is it possible to write a program which reads some data and then just copy & paste the assembler code of the decryption routine by using _asm{assembler decryption code}?
xhugox is offline  
Thanks
4 Users
Old 11/25/2008, 23:05   #10
 
elite*gold: 0
Join Date: Sep 2008
Posts: 161
Received Thanks: 19
Wow... great. I'm a complete noob at this. But at least I get the idea of how packets in 2moons are sent and received. Thanks for the lesson.
wln6672 is offline  
Old 11/26/2008, 00:05   #11
 
elite*gold: 0
Join Date: Oct 2008
Posts: 197
Received Thanks: 23
Indeed. I'll see what I can do tomorrow.
Systemerror is offline  
Old 11/27/2008, 00:08   #12
 
elite*gold: 0
Join Date: Mar 2008
Posts: 70
Received Thanks: 75
I have cracked packet encryption with a few friends,
and trust me, you are not going to be +9 hacking.
It is all server side now.

I even have a dekaron.exe that does the effect of never failing.
So you never ever fail, BUT server side you still do..

I'll share it if you guys want it.
Reporter4000 is offline  
Old 11/27/2008, 00:41   #13
 
elite*gold: 0
Join Date: Oct 2008
Posts: 197
Received Thanks: 23
Well, if that's so then for the sake of pure curiosity and learning, I'd like it. I think I'm giving up on this for now and will start learning more about reverse engineering, olly and such. I'm sure the earlier I start, the better.
Systemerror is offline  
Old 11/27/2008, 02:29   #14
 
elite*gold: 0
Join Date: Jul 2008
Posts: 58
Received Thanks: 42
Code:
// Table and ByteTable are defined in the second code block below.
extern unsigned long Table[];
extern long ByteTable[];

// Decrypts Length bytes: each byte is XORed with ByteTable[i & 0xFF] and a
// per-packet flag byte derived from PacketData[4] (the buffer must hold at
// least 5 bytes).
void DecryptData(unsigned char * PacketData, unsigned char * DecryptedData, int Length)
{
	unsigned long DwordTableVal = 0xFFFFFFFF; // running checksum register; updated below but never compared or returned
	long ByteTableVal = 0;
	long DecryptionFlagByte = PacketData[4] ^ 0x19; // 0x19 is ByteTable[4]
	long CurrentByte = 0;

	for(int i = 0; i < Length; i++) {
		CurrentByte = (PacketData[i] ^ DwordTableVal) & 0x0FF;
		DwordTableVal = (DwordTableVal >> 8) ^ Table[CurrentByte];
		ByteTableVal = ByteTable[(i & 0x0FF)];
		DecryptedData[i] = (ByteTableVal ^ PacketData[i]) ^ DecryptionFlagByte;
	}
}

// Copies the first four bytes of PacketData into DecryptedData in reverse order.
void Flip4Byte(unsigned char * PacketData, unsigned char * DecryptedData)
{
	unsigned char byte[4]; // temporary copy, so the two pointers may alias

	for(int i = 0, c = 3; i < 4; i++, c--) {
		byte[i] = PacketData[c];
	}

	for(int x = 0; x < 4; x++) {
		DecryptedData[x] = byte[x];
	}
}

// Stores the complemented checksum register in PacketData[0..3],
// most significant byte first.
void CalculateChecksum(unsigned char * PacketData, unsigned long DwordVal)
{
	int Counter = 0;
	long Byte1, Byte2, Byte3, Byte4;
	Byte1 = Byte2 = Byte3 = Byte4 = 0;

	DwordVal = ~DwordVal;
	Byte1 = (DwordVal & 0x000000FF);
	Byte2 = (DwordVal & 0x0000FF00) >> 8;
	Byte3 = (DwordVal & 0x00FF0000) >> 16;
	Byte4 = (DwordVal & 0xFF000000) >> 24;

	PacketData[Counter++] = Byte4;
	PacketData[Counter++] = Byte3;
	PacketData[Counter++] = Byte2;
	PacketData[Counter++] = Byte1;
}

// Encrypts Length bytes in place starting at offset 4, then writes the
// checksum of the encrypted bytes into PacketData[0..3].
void EncryptData(unsigned char * PacketData, int Length, long FlagByte)
{
	long EncryptedByte = 0;
	unsigned long DwordTableVal = 0;
	unsigned long DwordVal = 0xFFFFFFFF;
	int Counter = 4;

	for(int i = 0; i < Length; i++) {
		EncryptedByte = ((ByteTable[(Counter & 0x0FF)]) ^ FlagByte) ^ PacketData[Counter];
		PacketData[Counter++] = EncryptedByte;
		DwordTableVal = (EncryptedByte ^ DwordVal) & 0x0FF;
		DwordVal = (DwordVal >> 8) ^ Table[DwordTableVal];
	}
	CalculateChecksum(PacketData, DwordVal);
}

Code:
unsigned long Table[] = { 
0x00000000,
0x77073096,
0xEE0E612C,
0x990951BA,
0x076DC419,
0x706AF48F,
0xE963A535,
0x9E6495A3,
0x0EDB8832,
0x79DCB8A4,
0xE0D5E91E,
0x97D2D988,
0x09B64C2B,
0x7EB17CBD,
0xE7B82D07,
0x90BF1D91,
0x1DB71064,
0x6AB020F2,
0xF3B97148,
0x84BE41DE,
0x1ADAD47D,
0x6DDDE4EB,
0xF4D4B551,
0x83D385C7,
0x136C9856,
0x646BA8C0,
0xFD62F97A,
0x8A65C9EC,
0x14015C4F,
0x63066CD9,
0xFA0F3D63,
0x8D080DF5,
0x3B6E20C8,
0x4C69105E,
0xD56041E4,
0xA2677172,
0x3C03E4D1,
0x4B04D447,
0xD20D85FD,
0xA50AB56B,
0x35B5A8FA,
0x42B2986C,
0xDBBBC9D6,
0xACBCF940,
0x32D86CE3,
0x45DF5C75,
0xDCD60DCF,
0xABD13D59,
0x26D930AC,
0x51DE003A,
0xC8D75180,
0xBFD06116,
0x21B4F4B5,
0x56B3C423,
0xCFBA9599,
0xB8BDA50F,
0x2802B89E,
0x5F058808,
0xC60CD9B2,
0xB10BE924,
0x2F6F7C87,
0x58684C11,
0xC1611DAB,
0xB6662D3D,
0x76DC4190,
0x01DB7106,
0x98D220BC,
0xEFD5102A,
0x71B18589,
0x06B6B51F,
0x9FBFE4A5,
0xE8B8D433,
0x7807C9A2,
0x0F00F934,
0x9609A88E,
0xE10E9818,
0x7F6A0DBB,
0x086D3D2D,
0x91646C97,
0xE6635C01,
0x6B6B51F4,
0x1C6C6162,
0x856530D8,
0xF262004E,
0x6C0695ED,
0x1B01A57B,
0x8208F4C1,
0xF50FC457,
0x65B0D9C6,
0x12B7E950,
0x8BBEB8EA,
0xFCB9887C,
0x62DD1DDF,
0x15DA2D49,
0x8CD37CF3,
0xFBD44C65,
0x4DB26158,
0x3AB551CE,
0xA3BC0074,
0xD4BB30E2,
0x4ADFA541,
0x3DD895D7,
0xA4D1C46D,
0xD3D6F4FB,
0x4369E96A,
0x346ED9FC,
0xAD678846,
0xDA60B8D0,
0x44042D73,
0x33031DE5,
0xAA0A4C5F,
0xDD0D7CC9,
0x5005713C,
0x270241AA,
0xBE0B1010,
0xC90C2086,
0x5768B525,
0x206F85B3,
0xB966D409,
0xCE61E49F,
0x5EDEF90E,
0x29D9C998,
0xB0D09822,
0xC7D7A8B4,
0x59B33D17,
0x2EB40D81,
0xB7BD5C3B,
0xC0BA6CAD,
0xEDB88320,
0x9ABFB3B6,
0x03B6E20C,
0x74B1D29A,
0xEAD54739,
0x9DD277AF,
0x04DB2615,
0x73DC1683,
0xE3630B12,
0x94643B84,
0x0D6D6A3E,
0x7A6A5AA8,
0xE40ECF0B,
0x9309FF9D,
0x0A00AE27,
0x7D079EB1,
0xF00F9344,
0x8708A3D2,
0x1E01F268,
0x6906C2FE,
0xF762575D,
0x806567CB,
0x196C3671,
0x6E6B06E7,
0xFED41B76,
0x89D32BE0,
0x10DA7A5A,
0x67DD4ACC,
0xF9B9DF6F,
0x8EBEEFF9,
0x17B7BE43,
0x60B08ED5,
0xD6D6A3E8,
0xA1D1937E,
0x38D8C2C4,
0x4FDFF252,
0xD1BB67F1 ,
0xA6BC5767,
0x3FB506DD,
0x48B2364B,
0xD80D2BDA,
0xAF0A1B4C,
0x36034AF6,
0x41047A60,
0xDF60EFC3,
0xA867DF55,
0x316E8EEF,
0x4669BE79,
0xCB61B38C,
0xBC66831A,
0x256FD2A0,
0x5268E236,
0xCC0C7795,
0xBB0B4703,
0x220216B9,
0x5505262F,
0xC5BA3BBE,
0xB2BD0B28,
0x2BB45A92,
0x5CB36A04,
0xC2D7FFA7,
0xB5D0CF31,
0x2CD99E8B,
0x5BDEAE1D,
0x9B64C2B0,
0xEC63F226,
0x756AA39C,
0x026D930A,
0x9C0906A9,
0xEB0E363F,
0x72076785,
0x05005713,
0x95BF4A82,
0xE2B87A14,
0x7BB12BAE,
0x0CB61B38,
0x92D28E9B,
0xE5D5BE0D,
0x7CDCEFB7,
0x0BDBDF21,
0x86D3D2D4,
0xF1D4E242,
0x68DDB3F8,
0x1FDA836E,
0x81BE16CD,
0xF6B9265B,
0x6FB077E1,
0x18B74777,
0x88085AE6,
0xFF0F6A70,
0x66063BCA,
0x11010B5C,
0x8F659EFF,
0xF862AE69,
0x616BFFD3,
0x166CCF45,
0xA00AE278,
0xD70DD2EE,
0x4E048354,
0x3903B3C2,
0xA7672661 ,
0xD06016F7,
0x4969474D,
0x3E6E77DB,
0xAED16A4A,
0xD9D65ADC,
0x40DF0B66,
0x37D83BF0,
0xA9BCAE53,
0xDEBB9EC5,
0x47B2CF7F,
0x30B5FFE9,
0xBDBDF21C,
0xCABAC28A,
0x53B39330,
0x24B4A3A6,
0xBAD03605,
0xCDD70693,
0x54DE5729,
0x23D967BF,
0xB3667A2E,
0xC4614AB8,
0x5D681B02,
0x2A6F2B94,
0xB40BBE37,
0xC30C8EA1,
0x5A05DF1B,
0x2D02EF8D,
0x00000000,
0x00007325,
0x00A550DC,
0x0044B4E0,
0x00A55124 ,
0x0044B890 
};

long ByteTable[] = { 
0x00, 
0x96,
0x2C,
0xBA,
0x19,
0x8F,
0x35,
0xA3,
0x32,
0xA4,
0x1E,
0x88,
0x2B,
0xBD,
0x07,
0x91,
0x64,
0xF2,
0x48,
0xDE,
0x7D,
0xEB,
0x51,
0xC7,
0x56,
0xC0,
0x7A,
0xEC,
0x4F,
0xD9,
0x63,
0xF5,
0xC8,
0x5E,
0xE4,
0x72,
0xD1,
0x47,
0xFD,
0x6B,
0xFA,
0x6C,
0xD6,
0x40,
0xE3,
0x75,
0xCF,
0x59,
0xAC,
0x3A,
0x80,
0x16,
0xB5,
0x23,
0x99,
0x0F,
0x9E,
0x08,
0xB2,
0x24,
0x87,
0x11,
0xAB,
0x3D,
0x90,
0x06,
0xBC,
0x2A,
0x89,
0x1F,
0xA5,
0x33,
0xA2,
0x34,
0x8E,
0x18,
0xBB,
0x2D,
0x97,
0x01,
0xF4,
0x62,
0xD8,
0x4E,
0xED,
0x7B,
0xC1,
0x57,
0xC6,
0x50,
0xEA,
0x7C,
0xDF,
0x49,
0xF3,
0x65,
0x58,
0xCE,
0x74,
0xE2,
0x41,
0xD7,
0x6D,
0xFB,
0x6A,
0xFC,
0x46,
0xD0,
0x73,
0xE5,
0x5F,
0xC9,
0x3C,
0xAA,
0x10,
0x86,
0x25,
0xB3,
0x09,
0x9F,
0x0E,
0x98,
0x22,
0xB4,
0x17,
0x81,
0x3B,
0xAD,
0x20,
0xB6,
0x0C,
0x9A,
0x39,
0xAF,
0x15,
0x83,
0x12,
0x84,
0x3E,
0xA8,
0x0B,
0x9D,
0x27,
0xB1,
0x44,
0xD2,
0x68,
0xFE,
0x5D,
0xCB,
0x71,
0xE7,
0x76,
0xE0,
0x5A,
0xCC,
0x6F,
0xF9,
0x43,
0xD5,
0xE8,
0x7E,
0xC4,
0x52,
0xF1 ,
0x67,
0xDD,
0x4B,
0xDA,
0x4C,
0xF6,
0x60,
0xC3,
0x55,
0xEF,
0x79,
0x8C,
0x1A,
0xA0,
0x36,
0x95,
0x03,
0xB9,
0x2F,
0xBE,
0x28,
0x92,
0x04,
0xA7,
0x31,
0x8B,
0x1D,
0xB0,
0x26,
0x9C,
0x0A,
0xA9,
0x3F,
0x85,
0x13,
0x82,
0x14,
0xAE,
0x38,
0x9B,
0x0D,
0xB7,
0x21,
0xD4,
0x42,
0xF8,
0x6E,
0xCD,
0x5B,
0xE1,
0x77,
0xE6,
0x70,
0xCA,
0x5C,
0xFF,
0x69,
0xD3,
0x45,
0x78,
0xEE,
0x54,
0xC2,
0x61,
0xF7,
0x4D,
0xDB,
0x4A,
0xDC,
0x66,
0xF0,
0x53,
0xC5,
0x7F,
0xE9,
0x1C,
0x8A,
0x30,
0xA6,
0x05,
0x93,
0x29,
0xBF,
0x2E,
0xB8,
0x02,
0x94,
0x37,
0xA1,
0x1B,
0x8D,
0x00,
0x25,
0xDC,
0xE0,
0x24,
0x90, 
};
I_Mystic_I is offline  
Thanks
9 Users
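
Added example, not code from the post above: the first 256 entries of the posted Table are the standard reflected CRC-32 table (polynomial 0xEDB88320, which is Table[128] in the post), and ByteTable is the low byte of each Table entry, so both arrays can be regenerated from one public constant. The transform therefore has no secret key, and the 4-byte checksum is an ordinary CRC-32, which detects corruption but does not authenticate a packet. The function names MakeCrcTable, MakeByteTable and Crc32 are this example's own.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Reflected CRC-32 polynomial used by zlib, PNG and Ethernet.
constexpr std::uint32_t kCrc32Poly = 0xEDB88320u;

// Rebuild the 256-entry table; entry n is the CRC register after
// shifting the single byte n through eight polynomial steps.
std::array<std::uint32_t, 256> MakeCrcTable() {
    std::array<std::uint32_t, 256> table{};
    for (std::uint32_t n = 0; n < 256; ++n) {
        std::uint32_t c = n;
        for (int bit = 0; bit < 8; ++bit)
            c = (c & 1u) ? (kCrc32Poly ^ (c >> 1)) : (c >> 1);
        table[n] = c;
    }
    return table;
}

// The posted ByteTable is the low byte of each CRC table entry.
std::array<std::uint8_t, 256> MakeByteTable(
        const std::array<std::uint32_t, 256>& crc) {
    std::array<std::uint8_t, 256> bytes{};
    for (std::size_t n = 0; n < 256; ++n)
        bytes[n] = static_cast<std::uint8_t>(crc[n] & 0xFFu);
    return bytes;
}

// Same register update as the posted loops: start at 0xFFFFFFFF,
// fold in one byte per step, complement at the end.
std::uint32_t Crc32(const std::uint8_t* data, std::size_t len) {
    static const std::array<std::uint32_t, 256> table = MakeCrcTable();
    std::uint32_t reg = 0xFFFFFFFFu;
    for (std::size_t i = 0; i < len; ++i)
        reg = (reg >> 8) ^ table[(data[i] ^ reg) & 0xFFu];
    return ~reg;
}

int main() {
    const auto crc = MakeCrcTable();
    const auto low = MakeByteTable(crc);
    // Constructed input: the conventional CRC check string "123456789".
    const std::uint8_t check[] = {'1','2','3','4','5','6','7','8','9'};
    std::printf("Table[1]=%08X Table[255]=%08X ByteTable[4]=%02X\n",
                (unsigned)crc[1], (unsigned)crc[255], (unsigned)low[4]);
    std::printf("CRC32(check)=%08X\n", (unsigned)Crc32(check, sizeof check));
    return 0;
}
```

The six values that follow entry 255 in each posted array are never indexed, because both loops mask the index with 0xFF.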
Old 11/27/2008, 19:39   #15
 
elite*gold: 0
Join Date: Oct 2008
Posts: 197
Received Thanks: 23
Thanks, although yet again I have no idea what to do with the code. Shame on me, lol.
Tried compiling, attaching to the dekaron executable but without any results.
Systemerror is offline  
All times are GMT +2.