|
You last visited: Today at 23:39
Advertisement
[Release] Packet encryption / structure
Discussion on [Release] Packet encryption / structure within the General Gaming Discussion forum part of the General Gaming category.
10/20/2010, 15:15
|
#1
|
elite*gold: 0
Join Date: Oct 2006
Posts: 225
Received Thanks: 207
|
[Release] Packet encryption / structure
=============================================
========= FANTASY TENNIS PACKET SYSTEM ========
============== by AnotherCoder ==============
=============================================
1. ENCRYPTION
2. PACKET STRUCTURE
Code:
[COLOR="Navy"]for(int i = 0; i < packet_size; i++)
{
decrypted_packet[i] = encrypted_packet[i] ^ XOR_Table[(i&3)];
}
1. ENCRYPTION
The packet encryption of Fantasy Tennis is very simple, it is just a normal XOR encryption.
If you do not know what a XOR encryption is, or how to use it in your programming language,
look it up.
Here are some nice explanations:
Exclusive or - Wikipedia, the free encyclopediaBitwise operation - Wikipedia, the free encyclopedia
I will not go any further into explaining what XOR is because most programmers have already used it,
and if you do not know what it is then I am sure that you will not understand anything of this thread anyway.
Okay so let us continue.
Fantasy Tennis uses a 4-byte XOR-table to encrypt their packets here is an example of how it works:
So let us say this is our encrypted packet buffer:
{c6 89 7c 39 d3 9d 78}
and this is our XOR-table:
{a3, f1, 1d, 54}
then you have to decrypt the buffer like this:
c6 XOR a3 = 65
89 XOR f1 = 78
7c XOR 1d = 61
39 XOR 54 = 6d
d3 XOR a3 = 70
9d XOR f1 = 6c
78 XOR 1d = 65
the decrypted packet would be:
HEX: {65 78 61 6d 70 6c 65}
ASCII: example
packet[0] XOR table[0], packet[1] XOR table[1], packet[2] XOR table[2],
packet[3] XOR table[3], packet[4] XOR table[0], packet[5] XOR table[1] ...
I hope you get what I mean you use the first byte of the table to decrypt the first byte of the packet, then the second byte of the table to decrypt the second byte of the packet...and the fourth byte of the table to decrypt the fourth byte of the packet AND THEN the first byte of the table again, to decrypt the fifth byte of the packet and so on.
a C/C++ implementation would be:
that is all? Yes this is enough to decrypt the packets.
So you might be wondering, uhh? Where do I get the XOR-table from? Well good question.
Once you connect to a Fantasy Tennis server, regardless of whether it is a login or a gameserver, the server sends you an unencrypted packet which contains the XOR-tables. Tables? Yes 1 table for send and 1 table for recv
I will give you an example, so well give me a few seconds to start FantasyTennis...
Ok this is the packet that I received:
00 00 00 00 9A FF 10 00 B8 35 14 9F F6 BA 09 78 04 00 00 00 00 00 00 00
B8 35 14 9F <- send XOR-table
F6 BA 09 78 <- recv XOR-table
after I received this packet from the server, the client sent this packet:
AA 67 5F 98 19 3A 03 9F D9 35 75 9F D9 35 75 9F D9 35 14 9F D9 54 75 FE D9 35 82 3F C9 37 14
So let us try to decrypt it with the XOR-table we have got:
Code:
[COLOR="Navy"] unsigned char packet[] = {[COLOR="DarkRed"]0xAA, 0x67, 0x5F, 0x98, 0x19, 0x3A, 0x03, 0x9F, 0xD9, 0x35, 0x75, 0x9F, 0xD9, 0x35, 0x75, 0x9F, 0xD9, 0x35, 0x14, 0x9F, 0xD9, 0x54, 0x75, 0xFE, 0xD9, 0x35, 0x82, 0x3F, 0xC9, 0x37, 0x14[/COLOR]};
unsigned char xor[] = {[COLOR="RoyalBlue"]0xB8, 0x35, 0x14, 0x9F[/COLOR]};
for(int i = 0; i < 31; i++)
{
printf("%02x ", packet[i]^xor[(i&3)]);
}[/COLOR]
Output: 12 52 4b 07 a1 0f 17 00 61 00 61 00 61 00 61 00 61 00 00 00 61 61 61 61 61 00 96 a0 71 02 00
ASCII : ↕ R K í ☼ ↨ a a a a a a a a a a û á q ☻
I logged in with aaaaa aaaaa, so yeah it worked the packet is decrypted, nice done.
2. PACKET STRUCTURE
2bytes [header1]
2bytes [header2]
2bytes [packetId]
2bytes [data_size]
x bytes [data] x = data_size
Example: Let us use the login packet from above
12 52 4b 07 a1 0f 17 00 61 00 61 00 61 00 61 00 61 00 00 00 61 61 61 61 61 00 96 a0 71 02 00
That is all you can now decrypt and encrypt the packets from send / recv and should be able to unterstand their structure.
You cannot edit or send your own packets yet because header1 and header2 differ between each packet and has to be built by yourself.
I will show you how to do that if this thread attracts enough skilled programmers who know what they do
and do not forget to press the thanks button
[/COLOR]
ZeroTen / AnotherCoder
|
|
|
10/20/2010, 16:02
|
#2
|
elite*gold: 0
Join Date: Dec 2009
Posts: 1,205
Received Thanks: 291
|
Goob job. Mal sehen, ob es irgendwer versteht. Bezweifle ich ;D
@off topic kurz
wie weit bist du mit pserver? kann dir keine pn schreiben --> voll
EDIT:
Quote:
Originally Posted by ZeroTen
a C/C++ implementation would be:
Code:
[COLOR="Navy"]for(int i = 0; i < packet_size; i++)
{
decrypted_packet[i] = encrypted_packet[i] ^ XOR_Table[(i&3)];
}[/COLOR]
|
For the VB Users this would be:
Code:
[COLOR="Blue"]For i As Integer = 0 To packet_size - 1
decrypted_packet(i) = encrypted_packet(i) Xor XOR_Table((i And 3))
Next[/COLOR]
|
|
|
10/20/2010, 17:31
|
#3
|
elite*gold: 0
Join Date: Jul 2009
Posts: 1,097
Received Thanks: 388
|
lol my poor head,i dont understand this language @.@ but however i give you a thank @.@
|
|
|
10/20/2010, 19:29
|
#4
|
elite*gold: 0
Join Date: Apr 2009
Posts: 210
Received Thanks: 26
|
Die, die es brauchen, werden es schon verstehen ;D
Hätte nie gedacht das es trotzdem so simple ist xD
Mich interesiert auch was nun mim Server ist =/
ps. deinen Thanks haste !
|
|
|
10/20/2010, 19:47
|
#5
|
elite*gold: 0
Join Date: Dec 2009
Posts: 1,205
Received Thanks: 291
|
Hoffentlich schaut Zero hier noch rein.
Naja der Grundstein ist simple. Das wird aber schon noch schwieriger
|
|
|
10/21/2010, 19:46
|
#6
|
elite*gold: 0
Join Date: Jul 2010
Posts: 63
Received Thanks: 64
|
Working...
|
|
|
10/22/2010, 12:18
|
#7
|
elite*gold: 18
Join Date: Aug 2008
Posts: 1,371
Received Thanks: 152
|
Quote:
Originally Posted by deforever
lol my poor head,i dont understand this language @.@ but however i give you a thank @.@
|
This language is english
But i think you don't understand how this work
Un nein ich raffs auch nich, aber ich lass es lieber bevor ich hier dumme fragen stelle ô.o
|
|
|
10/22/2010, 14:44
|
#8
|
elite*gold: 0
Join Date: Oct 2009
Posts: 768
Received Thanks: 550
|
Quote:
Originally Posted by ZeroTen
c6 XOR a3 = 65
89 XOR f1 = 78
7c XOR 1d = 61
39 XOR 54 = 6d
d3 XOR a1 = 70
9d XOR f1 = 6c
78 XOR 1d = 65
|
By your xor table it should be
d3 XOR a3 = 70
Though, well done. Private servers can now raise up .
Possible implementation of Fantasy Tennis cryptography (C#):
PHP Code:
using System;
namespace FantasyTennis.Networking { public static class Cryptography { private static byte[] Keys = new byte[] { 0xa3, 0xf1, 0x1d, 0x54 };
public static void Encrypt(byte[] buffer) { if(buffer == null || buffer.Length == 0) return; for (int count = 0; count < buffer.Length; count++) buffer[count] ^= Keys[count % 4]; } public static void Decrypt(byte[] buffer) { Encrypt(buffer); } } }
Also, I believe that the first 4 bytes sent in any packet are actually the time(timeGetTime). I'll do some research and update.
|
|
|
10/22/2010, 15:21
|
#9
|
elite*gold: 0
Join Date: Oct 2006
Posts: 225
Received Thanks: 207
|
Quote:
Originally Posted by -impulse-
By your xor table it should be
d3 XOR a3 = 70
|
Yeah you are right, I fixxed that, thanks.
Quote:
Originally Posted by -impulse-
Also, I believe that the first 4 bytes sent in any packet are actually the time(timeGetTime). I'll do some research and update.
|
No it's not
They build the first 2 bytes and the next 2 bytes in 2 different ways, they use a table and the data of the packet to build the bytes that is why they add the first 4 bytes at the end when the packet data is already written into the buffer.
|
|
|
10/22/2010, 19:19
|
#10
|
elite*gold: 0
Join Date: Oct 2009
Posts: 768
Received Thanks: 550
|
Quote:
Originally Posted by ZeroTen
Yeah you are right, I fixxed that, thanks.
No it's not
They build the first 2 bytes and the next 2 bytes in 2 different ways, they use a table and the data of the packet to build the bytes that is why they add the first 4 bytes at the end when the packet data is already written into the buffer.
|
Well, you know better than I do, so you might be right...
|
|
|
10/26/2010, 18:24
|
#11
|
elite*gold: 252
Join Date: Mar 2008
Posts: 3,111
Received Thanks: 3,911
|
Thank you^^ I think I understand now.. But one question: How can I see these packets?
|
|
|
10/26/2010, 18:39
|
#12
|
elite*gold: 0
Join Date: Jun 2008
Posts: 451
Received Thanks: 410
|
Quote:
Originally Posted by Shannonfan
Thank you^^ I think I understand now.. But one question: How can I see these packets?
|
Ich weiß nicht was du für Vorkenntnisse hasst, jedoch muss du Send und WSASend hooken und den buffer auslesen.
Bei Recv und WSARecv musst du die Funktion ersst durchlaufen lassen und dann den Buffer auslesen.
Achtung bei Recv und WSARecv ist der Return wert der funktion die length.
|
|
|
10/26/2010, 19:17
|
#13
|
elite*gold: 252
Join Date: Mar 2008
Posts: 3,111
Received Thanks: 3,911
|
Okay bisher habe ich noch gar keine Kenntnisse.. Wird aber mal Zeit, welche zu bekommen Ich werde mal danach googlen, vielen Dank.
€: Ohje, ob ich da zurecht finde... ich schau mal weiter...
|
|
|
10/26/2010, 21:40
|
#14
|
elite*gold: 0
Join Date: Oct 2009
Posts: 768
Received Thanks: 550
|
Might you people please use English for this thread only? At least this one...it is one I really understand...and it's really useful. I already managed to get to sniffing game server's ips and ports and the auth server(port 5894) sends them in the packet 4112.
Right now, I'm going to write a C# project to cover what I know so far.
I also found out that, every single server uses the exact same encryption.
**
I'd really be very thankful if Lazeboy or ZeroTen would pm me with their msns.
** EDIT
I do it as a proxy as, I can edit the auth server's ip so I make the client connect to my IP, I can then modify whatever comes and goes. When it comes to the part of the game server ports and ips, I modify the packet and set there my IP everywhere, keep the good ips, start listening on the ports I gave to the client, and whenever the client connects to a certain port, I know which ip is the good one to connect to the right game server. BTW, I've know a bug...and it's really awesome!
|
|
|
|
Similar Threads
|
[Request] Packet Structure for CharData Packet
05/16/2011 - Silkroad Online - 4 Replies
can someone tell me which structure the CharData packet has? i would really appreciate this, since im still noob in such things. its just too high for me/ too much information for my head. :handsdown:
S->C(3013)...
|
How can I check the packet structure?
08/02/2009 - Kal Online - 2 Replies
Hey,
We have this packet header database:
SEND:
0x00____________ Restore Char
0x01____________ AntiCp
0x02____________ Login
0x03____________ HackShield + engine.exe CRC check
0x04____________ CreateChar
|
packet structure
03/09/2008 - Conquer Online 2 - 16 Replies
For what I'd like to do, I think packets are the place to start. After that, probably java then C and VB. This is a question for the people here who are self-taught... what resources would you recommend for...
1. understanding packet structure
2. learning some programming language without enrolling at the local university
I'm mainly interested in packet structure and how to capture/decipher/edit/send them, and eventually I'd like to "automate" these functions by writing some programs. ...
|
All times are GMT +1. The time now is 23:39.
|
|