Register for your free account! | Forgot your password?

Go Back   elitepvpers > General Gaming > General Gaming Discussion
You last visited: Today at 23:39

  • Please register to post and access all features, it's quick, easy and FREE!

Advertisement



[Release] Packet encryption / structure

Discussion on [Release] Packet encryption / structure within the General Gaming Discussion forum part of the General Gaming category.

Reply
 
Old   #1
 
elite*gold: 0
Join Date: Oct 2006
Posts: 225
Received Thanks: 207
[Release] Packet encryption / structure



=============================================
========= FANTASY TENNIS PACKET SYSTEM ========
============== by AnotherCoder ==============
=============================================


1. ENCRYPTION
2. PACKET STRUCTURE


Code:
[COLOR="Navy"]for(int i = 0; i < packet_size; i++)
{
    decrypted_packet[i] = encrypted_packet[i] ^ XOR_Table[(i&3)];
}
1. ENCRYPTION

The packet encryption of Fantasy Tennis is very simple, it is just a normal XOR encryption.
If you do not know what a XOR encryption is, or how to use it in your programming language,
look it up.
Here are some nice explanations: 
Exclusive or - Wikipedia, the free encyclopediaBitwise operation - Wikipedia, the free encyclopedia

I will not go any further into explaining what XOR is because most programmers have already used it,
and if you do not know what it is then I am sure that you will not understand anything of this thread anyway.
Okay so let us continue.

Fantasy Tennis uses a 4-byte XOR-table to encrypt their packets here is an example of how it works:

So let us say this is our encrypted packet buffer: 
{c6 89 7c 39 d3 9d 78}

and this is our XOR-table:
{a3, f1, 1d, 54}

then you have to decrypt the buffer like this:

c6 XOR a3 = 65
89 XOR f1 = 78
7c XOR 1d = 61
39 XOR 54 = 6d
d3 XOR a3 = 70
9d XOR f1 = 6c
78 XOR 1d = 65

the decrypted packet would be:

HEX: {65 78 61 6d 70 6c 65}
ASCII: example

packet[0] XOR table[0], packet[1] XOR table[1], packet[2] XOR table[2], 
packet[3] XOR table[3], packet[4] XOR table[0], packet[5] XOR table[1] ...

I hope you get what I mean  you use the first byte of the table to decrypt the first byte of the packet, then the second byte of the table to decrypt the second byte of the packet...and the fourth byte of the table to decrypt the fourth byte of the packet AND THEN the first byte of the table again, to decrypt the fifth byte of the packet and so on.

a C/C++ implementation would be:

that is all? Yes this is enough to decrypt the packets.

So you might be wondering, uhh? Where do I get the XOR-table from? Well good question.
Once you connect to a Fantasy Tennis server, regardless of whether it is a login or a gameserver, the server sends you an unencrypted packet which contains the XOR-tables. Tables? Yes 1 table for send and 1 table for recv

I will give you an example, so well give me a few seconds to start FantasyTennis...
Ok this is the packet that I received:

00 00 00 00 9A FF 10 00 B8 35 14 9F F6 BA 09 78 04 00 00 00 00 00 00 00

B8 35 14 9F <- send XOR-table
F6 BA 09 78 <- recv XOR-table

after I received this packet from the server, the client sent this packet:

AA 67 5F 98 19 3A 03 9F D9 35 75 9F D9 35 75 9F D9 35 14 9F D9 54 75 FE D9 35 82 3F C9 37 14

So let us try to decrypt it with the XOR-table we have got:

Code:
[COLOR="Navy"]	unsigned char packet[] = {[COLOR="DarkRed"]0xAA, 0x67, 0x5F, 0x98, 0x19, 0x3A, 0x03, 0x9F, 0xD9, 0x35, 0x75, 0x9F, 0xD9, 0x35, 0x75, 0x9F, 0xD9, 0x35, 0x14, 0x9F, 0xD9, 0x54, 0x75, 0xFE, 0xD9, 0x35, 0x82, 0x3F, 0xC9, 0x37, 0x14[/COLOR]};
	unsigned char xor[] = {[COLOR="RoyalBlue"]0xB8, 0x35, 0x14, 0x9F[/COLOR]};

	for(int i = 0; i < 31; i++)
	{
		printf("%02x ", packet[i]^xor[(i&3)]);
	}[/COLOR]
Output: 12 52 4b 07 a1 0f 17 00 61 00 61 00 61 00 61 00 61 00 00 00 61 61 61 61 61 00 96 a0 71 02 00
ASCII : ↕ R K í ☼ ↨ a a a a a a a a a a û á q ☻

I logged in with aaaaa aaaaa, so yeah it worked the packet is decrypted, nice done.



2. PACKET STRUCTURE

2bytes [header1]
2bytes [header2]
2bytes [packetId]
2bytes [data_size]
x bytes [data] x = data_size

Example: Let us use the login packet from above

12 52 4b 07 a1 0f 17 00 61 00 61 00 61 00 61 00 61 00 00 00 61 61 61 61 61 00 96 a0 71 02 00


That is all you can now decrypt and encrypt the packets from send / recv and should be able to unterstand their structure.
You cannot edit or send your own packets yet because header1 and header2 differ between each packet and has to be built by yourself.

I will show you how to do that if this thread attracts enough skilled programmers who know what they do

and do not forget to press the thanks button
[/COLOR]

ZeroTen / AnotherCoder
ZeroTen is offline  
Thanks
16 Users
Old 10/20/2010, 16:02   #2
 
NikeAlex2's Avatar
 
elite*gold: 0
Join Date: Dec 2009
Posts: 1,205
Received Thanks: 291
Goob job. Mal sehen, ob es irgendwer versteht. Bezweifle ich ;D

@off topic kurz
wie weit bist du mit pserver? kann dir keine pn schreiben --> voll


EDIT:
Quote:
Originally Posted by ZeroTen View Post
a C/C++ implementation would be:

Code:
[COLOR="Navy"]for(int i = 0; i < packet_size; i++)
{
    decrypted_packet[i] = encrypted_packet[i] ^ XOR_Table[(i&3)];
}[/COLOR]
For the VB Users this would be:
Code:
[COLOR="Blue"]For i As Integer = 0 To packet_size - 1
	decrypted_packet(i) = encrypted_packet(i) Xor XOR_Table((i And 3))
Next[/COLOR]
NikeAlex2 is offline  
Old 10/20/2010, 17:31   #3
 
elite*gold: 0
Join Date: Jul 2009
Posts: 1,097
Received Thanks: 388
lol my poor head,i dont understand this language @.@ but however i give you a thank @.@
†[Dr.±Stein]† is offline  
Old 10/20/2010, 19:29   #4
 
Dakaj's Avatar
 
elite*gold: 0
Join Date: Apr 2009
Posts: 210
Received Thanks: 26
Die, die es brauchen, werden es schon verstehen ;D
Hätte nie gedacht das es trotzdem so simple ist xD
Mich interesiert auch was nun mim Server ist =/

ps. deinen Thanks haste !
Dakaj is offline  
Old 10/20/2010, 19:47   #5
 
NikeAlex2's Avatar
 
elite*gold: 0
Join Date: Dec 2009
Posts: 1,205
Received Thanks: 291
Hoffentlich schaut Zero hier noch rein.

Naja der Grundstein ist simple. Das wird aber schon noch schwieriger
NikeAlex2 is offline  
Old 10/21/2010, 19:46   #6
 
Slaeghtor's Avatar
 
elite*gold: 0
Join Date: Jul 2010
Posts: 63
Received Thanks: 64
Working...
Slaeghtor is offline  
Old 10/22/2010, 12:18   #7
 
Fusel.'s Avatar
 
elite*gold: 18
Join Date: Aug 2008
Posts: 1,371
Received Thanks: 152
Quote:
Originally Posted by deforever View Post
lol my poor head,i dont understand this language @.@ but however i give you a thank @.@
This language is english
But i think you don't understand how this work


Un nein ich raffs auch nich, aber ich lass es lieber bevor ich hier dumme fragen stelle ô.o
Fusel. is offline  
Old 10/22/2010, 14:44   #8
 
elite*gold: 0
Join Date: Oct 2009
Posts: 768
Received Thanks: 550
Quote:
Originally Posted by ZeroTen View Post
c6 XOR a3 = 65
89 XOR f1 = 78
7c XOR 1d = 61
39 XOR 54 = 6d
d3 XOR a1 = 70
9d XOR f1 = 6c
78 XOR 1d = 65
By your xor table it should be

d3 XOR a3 = 70

Though, well done. Private servers can now raise up .

Possible implementation of Fantasy Tennis cryptography (C#):
PHP Code:
using System;

namespace 
FantasyTennis.Networking
{
    public static class 
Cryptography
    
{
        private static 
byte[] Keys = new byte[] { 0xa30xf10x1d0x54 };

        public static 
void Encrypt(byte[] buffer)
        {
            if(
buffer == null || buffer.Length == 0)
                return;
            for (
int count 0count buffer.Lengthcount++)
                
buffer[count] ^= Keys[count 4];
        }
        public static 
void Decrypt(byte[] buffer)
        {
            
Encrypt(buffer);
        }
    }

Also, I believe that the first 4 bytes sent in any packet are actually the time(timeGetTime). I'll do some research and update.
-impulse- is offline  
Old 10/22/2010, 15:21   #9
 
elite*gold: 0
Join Date: Oct 2006
Posts: 225
Received Thanks: 207
Quote:
Originally Posted by -impulse- View Post
By your xor table it should be

d3 XOR a3 = 70
Yeah you are right, I fixxed that, thanks.

Quote:
Originally Posted by -impulse- View Post
Also, I believe that the first 4 bytes sent in any packet are actually the time(timeGetTime). I'll do some research and update.
No it's not
They build the first 2 bytes and the next 2 bytes in 2 different ways, they use a table and the data of the packet to build the bytes that is why they add the first 4 bytes at the end when the packet data is already written into the buffer.
ZeroTen is offline  
Old 10/22/2010, 19:19   #10
 
elite*gold: 0
Join Date: Oct 2009
Posts: 768
Received Thanks: 550
Quote:
Originally Posted by ZeroTen View Post
Yeah you are right, I fixxed that, thanks.


No it's not
They build the first 2 bytes and the next 2 bytes in 2 different ways, they use a table and the data of the packet to build the bytes that is why they add the first 4 bytes at the end when the packet data is already written into the buffer.
Well, you know better than I do, so you might be right...
-impulse- is offline  
Old 10/26/2010, 18:24   #11
 
elite*gold: 252
Join Date: Mar 2008
Posts: 3,111
Received Thanks: 3,911
Thank you^^ I think I understand now.. But one question: How can I see these packets?
.Alessa is offline  
Old 10/26/2010, 18:39   #12
 
Lazeboy's Avatar
 
elite*gold: 0
Join Date: Jun 2008
Posts: 451
Received Thanks: 410
Quote:
Originally Posted by Shannonfan View Post
Thank you^^ I think I understand now.. But one question: How can I see these packets?
Ich weiß nicht was du für Vorkenntnisse hasst, jedoch muss du Send und WSASend hooken und den buffer auslesen.
Bei Recv und WSARecv musst du die Funktion ersst durchlaufen lassen und dann den Buffer auslesen.
Achtung bei Recv und WSARecv ist der Return wert der funktion die length.
Lazeboy is offline  
Old 10/26/2010, 19:17   #13
 
elite*gold: 252
Join Date: Mar 2008
Posts: 3,111
Received Thanks: 3,911
Okay bisher habe ich noch gar keine Kenntnisse.. Wird aber mal Zeit, welche zu bekommen Ich werde mal danach googlen, vielen Dank.

€: Ohje, ob ich da zurecht finde... ich schau mal weiter...
.Alessa is offline  
Old 10/26/2010, 21:40   #14
 
elite*gold: 0
Join Date: Oct 2009
Posts: 768
Received Thanks: 550
Might you people please use English for this thread only? At least this one...it is one I really understand...and it's really useful. I already managed to get to sniffing game server's ips and ports and the auth server(port 5894) sends them in the packet 4112.

Right now, I'm going to write a C# project to cover what I know so far.

I also found out that, every single server uses the exact same encryption.


**
I'd really be very thankful if Lazeboy or ZeroTen would pm me with their msns.

** EDIT
I do it as a proxy as, I can edit the auth server's ip so I make the client connect to my IP, I can then modify whatever comes and goes. When it comes to the part of the game server ports and ips, I modify the packet and set there my IP everywhere, keep the good ips, start listening on the ports I gave to the client, and whenever the client connects to a certain port, I know which ip is the good one to connect to the right game server. BTW, I've know a bug...and it's really awesome!
-impulse- is offline  
Reply


Similar Threads Similar Threads
[Request] Packet Structure for CharData Packet
05/16/2011 - Silkroad Online - 4 Replies
can someone tell me which structure the CharData packet has? i would really appreciate this, since im still noob in such things. its just too high for me/ too much information for my head. :handsdown: S->C(3013)...
How can I check the packet structure?
08/02/2009 - Kal Online - 2 Replies
Hey, We have this packet header database: SEND: 0x00____________ Restore Char 0x01____________ AntiCp 0x02____________ Login 0x03____________ HackShield + engine.exe CRC check 0x04____________ CreateChar
packet structure
03/09/2008 - Conquer Online 2 - 16 Replies
For what I'd like to do, I think packets are the place to start. After that, probably java then C and VB. This is a question for the people here who are self-taught... what resources would you recommend for... 1. understanding packet structure 2. learning some programming language without enrolling at the local university I'm mainly interested in packet structure and how to capture/decipher/edit/send them, and eventually I'd like to "automate" these functions by writing some programs. ...



All times are GMT +1. The time now is 23:39.


Powered by vBulletin®
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Support | Contact Us | FAQ | Advertising | Privacy Policy | Terms of Service | Abuse
Copyright ©2024 elitepvpers All Rights Reserved.