*HOT* Packet Encryption - Decrypt/ReEncrypt HowTo

08/03/2006 16:47 tester#76
Quote:
Originally posted by HFMuRdOc@Aug 2 2006, 19:32
so... to decrypt packet:

D3 33 EF AD FB E3 7D 21 7A FB E8 05 A6 EF F4 C9 3F F3 E0 6D FE 77 2C 71 1A 8B 58 D5

i'd have to do:

Code:
11010011 -> D3
10101011 -> AB
= 01111000 -> 78

78 -> 87

10000111 -> 87
01100010 -> 62
= 11100101 -> E5

11100101 -> E5
10011101 -> 9D
= 01111000 -> 78



00110011 -> 33
10101011 -> AB
= 10011000 -> 98

98 -> 89

10001001 -> 89
01100010 -> 62
= 11101011 -> EB

11101011 -> EB
10010000 -> 90
= 01111011 -> 7B
and so forth with the following bytes of keys and code?
ummm why are you working in binary?

If you just wanna take the packet and decrypt it, first of all you need to know if this packet is from the client or if it's from the server. If this is a game server packet and it's from the client, you also need to know Key3 and Key4.

D3 has an int value of 211

so if this was a packet from the server then

((211 XOR Key1(Key1Counter)) XOR Key2(Key2Counter))
Convert result integer to hex value
Reverse the string (PRE ZERO OR POST 0, dependent on client or server packet)
Convert Hex to an Integer XOR 171
Increment KeyCounter

I dunno what you're trying to do or what programming language you're working in, so I can't help much more than that.
08/03/2006 18:06 HFMuRdOc#77
Quote:
Originally posted by tester@Aug 3 2006, 16:47
Quote:
Originally posted by HFMuRdOc@Aug 2 2006, 19:32
so... to decrypt packet:

D3 33 EF AD FB E3 7D 21 7A FB E8 05 A6 EF F4 C9 3F F3 E0 6D FE 77 2C 71 1A 8B 58 D5

i'd have to do:

Code:
11010011 -> D3
10101011 -> AB
= 01111000 -> 78

78 -> 87

10000111 -> 87
01100010 -> 62
= 11100101 -> E5

11100101 -> E5
10011101 -> 9D
= 01111000 -> 78



00110011 -> 33
10101011 -> AB
= 10011000 -> 98

98 -> 89

10001001 -> 89
01100010 -> 62
= 11101011 -> EB

11101011 -> EB
10010000 -> 90
= 01111011 -> 7B
and so forth with the following bytes of keys and code?
ummm why are you working in binary?

If you just wanna take the packet and decrypt it, first of all you need to know if this packet is from the client or if it's from the server. If this is a game server packet and it's from the client, you also need to know Key3 and Key4.

D3 has an int value of 211

so if this was a packet from the server then

((211 XOR Key1(Key1Counter)) XOR Key2(Key2Counter))
Convert result integer to hex value
Reverse the string (PRE ZERO OR POST 0, dependent on client or server packet)
Convert Hex to an Integer XOR 171
Increment KeyCounter

I dunno what you're trying to do or what programming language you're working in, so I can't help much more than that.
I wasn't using any programming language, I was XORing manually, that's why I converted it to binary. And yes, it's a packet from the server. I just don't understand the following: do we start applying the counter from the first packet we receive when we connect, or from the beginning of each packet? Basically what I did up there was:

D3 XOR AB -> 78 //first XORing

78 -> 87 //inverted

87 XOR 62 -> E5 //With the first byte from the 2nd key

E5 XOR 9D -> 78 //With the first byte from the 1st key.


On the other process I only changed to the 2nd byte from the 1st key and, of course, decrypted the 2nd byte from the packet.

Is this procedure correct?
08/03/2006 19:26 tester#78
Quote:
Originally posted by HFMuRdOc@Aug 3 2006, 18:06
I wasn't using any programming language, I was XORing manually, that's why I converted it to binary. And yes, it's a packet from the server. I just don't understand the following: do we start applying the counter from the first packet we receive when we connect, or from the beginning of each packet? Basically what I did up there was:

D3 XOR AB -> 78 //first XORing

78 -> 87 //inverted

87 XOR 62 -> E5 //With the first byte from the 2nd key

E5 XOR 9D -> 78 //With the first byte from the 1st key.


On the other process I only changed to the 2nd byte from the 1st key and, of course, decrypted the 2nd byte from the packet.

Is this procedure correct?
The 2 counters are set to 0 at the login server and then reset to 0 at the game server; they are incremented from the time you connect, once for every byte. You increment the first counter until it reaches 255, then you reset it to 0 and increment the second counter by 1; then you repeat this until the second counter hits 255, at which time you reset them both to 0. This is based on you using an array for the keys, which will run from 0 - 255.

Your procedure is correct if you were decrypting a packet from the client to the server; you need to reverse it to decrypt a packet from the server to the client.
08/03/2006 20:18 HFMuRdOc#79
Quote:
Originally posted by tester@Aug 3 2006, 19:26
Quote:
Originally posted by HFMuRdOc@Aug 3 2006, 18:06
I wasn't using any programming language, I was XORing manually, that's why I converted it to binary. And yes, it's a packet from the server. I just don't understand the following: do we start applying the counter from the first packet we receive when we connect, or from the beginning of each packet? Basically what I did up there was:

D3 XOR AB -> 78 //first XORing

78 -> 87 //inverted

87 XOR 62 -> E5 //With the first byte from the 2nd key

E5 XOR 9D -> 78 //With the first byte from the 1st key.


On the other process I only changed to the 2nd byte from the 1st key and, of course, decrypted the 2nd byte from the packet.

Is this procedure correct?
The 2 counters are set to 0 at the login server and then reset to 0 at the game server; they are incremented from the time you connect, once for every byte. You increment the first counter until it reaches 255, then you reset it to 0 and increment the second counter by 1; then you repeat this until the second counter hits 255, at which time you reset them both to 0. This is based on you using an array for the keys, which will run from 0 - 255.

Your procedure is correct if you were decrypting a packet from the client to the server; you need to reverse it to decrypt a packet from the server to the client.
so, since this packet was sent from the server to the client i'd have to do

Code:
D3 XOR 9D -> 4E
4E XOR 62 -> 2C

2C -> C2

C2 XOR AB -> 69
right?

I'm going to try to do a decrypter in C, but I'm still trying to find an eBook explaining packet capturing and editing.
08/03/2006 20:52 tester#80
Yea, that's right. I can't help you with C; I prolly could help you with C# though.
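As an added example (not code from the thread or from the game), here is the per-byte transform tester describes in post #76, in the server -> client order HFMuRdOc confirms in post #79, together with the two 8-bit counters from post #78, written in C. The "reverse the hex string" step is implemented as a nibble swap, which is the reading that matches the worked values (78 -> 87); tester's remark about a leading or trailing zero only matters when the hex string is not zero-padded to two digits. The key tables here are constructed stand-ins: only Key1[0] = 9D, Key1[1] = 90 and Key2[0] = 62, the bytes actually used in the thread, are real, and every other entry is a labelled placeholder so that the program runs on its own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 256

/* Cipher state: two 256-byte key tables and the two counters from post #78. */
typedef struct {
    uint8_t key1[KEY_LEN];
    uint8_t key2[KEY_LEN];
    uint8_t c1;   /* advances once per byte; wraps 255 -> 0 */
    uint8_t c2;   /* advances each time c1 wraps */
} cipher_state;

/* "Reverse the hex string" of a zero-padded two-digit value is a nibble swap. */
static uint8_t nibble_swap(uint8_t b)
{
    return (uint8_t)((b << 4) | (b >> 4));
}

/* Server -> client byte (post #79): XOR Key1, XOR Key2, swap nibbles, XOR 0xAB. */
static uint8_t decrypt_server_byte(uint8_t b, uint8_t k1, uint8_t k2)
{
    return (uint8_t)(nibble_swap((uint8_t)(b ^ k1 ^ k2)) ^ 0xAB);
}

/* Client -> server byte is the same steps in the opposite order (post #78),
 * so it is also what the sending side applies to produce a server -> client byte. */
static uint8_t decrypt_client_byte(uint8_t b, uint8_t k1, uint8_t k2)
{
    return (uint8_t)(nibble_swap((uint8_t)(b ^ 0xAB)) ^ k2 ^ k1);
}

/* Counter rule from post #78: c1 wraps at 255 and bumps c2; after both
 * wrap, all 65536 (c1, c2) states have been used and both are back at 0. */
static void advance(cipher_state *s)
{
    if (++s->c1 == 0)
        s->c2++;
}

/* Decrypt a server -> client packet in place, consuming one counter step
 * per byte. The counters persist across packets (post #81). */
static void decrypt_server_packet(cipher_state *s, uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        buf[i] = decrypt_server_byte(buf[i], s->key1[s->c1], s->key2[s->c2]);
        advance(s);
    }
}

/* CONSTRUCTED key tables: the three bytes quoted in the thread are real,
 * everything else is a placeholder pattern so the example is runnable. */
static void init_constructed_state(cipher_state *s)
{
    memset(s, 0, sizeof *s);
    for (int i = 0; i < KEY_LEN; i++) {
        s->key1[i] = (uint8_t)(0x11 * (i & 0x0F));   /* placeholder */
        s->key2[i] = (uint8_t)(0xC0 + (i & 0x3F));   /* placeholder */
    }
    s->key1[0] = 0x9D;  /* first Key1 byte used in the thread */
    s->key1[1] = 0x90;  /* second Key1 byte used in the thread */
    s->key2[0] = 0x62;  /* first Key2 byte used in the thread */
}

int main(void)
{
    cipher_state s;
    init_constructed_state(&s);

    /* First two bytes of the captured packet quoted at the top of the thread. */
    uint8_t pkt[2] = { 0xD3, 0x33 };
    decrypt_server_packet(&s, pkt, sizeof pkt);
    printf("server->client: D3 -> %02X, 33 -> %02X (c1 now %u)\n",
           (unsigned)pkt[0], (unsigned)pkt[1], (unsigned)s.c1);

    /* HFMuRdOc's original order is the client->server direction. */
    printf("client->server: D3 -> %02X, 33 -> %02X\n",
           (unsigned)decrypt_client_byte(0xD3, 0x9D, 0x62),
           (unsigned)decrypt_client_byte(0x33, 0x90, 0x62));
    return 0;
}
```

With the counters at 0 the first byte D3 comes out as 69, exactly as in post #79, and the second byte is decrypted with Key1[1] because c1 has moved on. Because the two directions are each other's inverse, `decrypt_client_byte(decrypt_server_byte(b))` returns `b`, which is a quick self-check for any reimplementation.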
08/03/2006 22:09 unknownone#81
Quote:
Originally posted by HFMuRdOc@Aug 3 2006, 19:18
so, since this packet was sent from the server to the client i'd have to do

Code:
D3 XOR 9D -> 4E
4E XOR 62 -> 2C

2C -> C2

C2 XOR AB -> 69
right?

I'm going to try to do a decrypter in C, but I'm still trying to find an eBook explaining packet capturing and editing.
You wouldn't necessarily XOR with 9D and 62. It depends entirely on the decryption counter. The counter does not start at zero for each packet, so that would only work if your packet there is the first packet sent/received.

It is possible to figure out what the counter was at when you got that packet. Basically, you would loop 0-65536 and decrypt the first 2 bytes, then compare them to the length of the packet in bytes. The first 2 bytes of a decrypted packet contain the packet length.

There isn't really a need for an eBook about packet capturing; it's a simple topic, and there are tutorials on the internet, even on the MSDN site. Basically you just need to set up a few TCP connections and receive data as a char[] array. Read the Winsock examples on MSDN, and also read Beej's guide, which is a little more detailed, but it's written for Berkeley sockets, not Winsock (although Winsock is Berkeley compliant). It covers all the basics you need.

Also PM me or tester your MSN addy if you need help; it's a lot easier to help over MSN than the forum.
08/04/2006 01:04 HFMuRdOc#82
Quote:
Originally posted by unknownone@Aug 3 2006, 22:09
Quote:
Originally posted by HFMuRdOc@Aug 3 2006, 19:18
so, since this packet was sent from the server to the client i'd have to do

Code:
D3 XOR 9D -> 4E
4E XOR 62 -> 2C

2C -> C2

C2 XOR AB -> 69
right?

I'm going to try to do a decrypter in C, but I'm still trying to find an eBook explaining packet capturing and editing.
You wouldn't necessarily XOR with 9D and 62. It depends entirely on the decryption counter. The counter does not start at zero for each packet, so that would only work if your packet there is the first packet sent/received.

It is possible to figure out what the counter was at when you got that packet. Basically, you would loop 0-65536 and decrypt the first 2 bytes, then compare them to the length of the packet in bytes. The first 2 bytes of a decrypted packet contain the packet length.

There isn't really a need for an eBook about packet capturing; it's a simple topic, and there are tutorials on the internet, even on the MSDN site. Basically you just need to set up a few TCP connections and receive data as a char[] array. Read the Winsock examples on MSDN, and also read Beej's guide, which is a little more detailed, but it's written for Berkeley sockets, not Winsock (although Winsock is Berkeley compliant). It covers all the basics you need.

Also PM me or tester your MSN addy if you need help; it's a lot easier to help over MSN than the forum.
yes, the 9D and 62 were just an example.

"you would loop 0-65536, and decrypt the first 2 bytes"

lol, it'd take a bit of time to do that :P
It's easier to just do what you want to observe as soon as you enter the game and then log out. You can detect the login server -> game server change by the change in IP/port of the server and then count some bytes :)

Thx for the tuts and links, I'll look into it.


PS: does anyone know how the hell they got the keys??
08/04/2006 09:53 tester#83
Quote:
Originally posted by HFMuRdOc@Aug 4 2006, 01:04
yes, the 9D and 62 were just an example.

"you would loop 0-65536, and decrypt the first 2 bytes"

lol, it'd take a bit of time to do that :P
It's easier to just do what you want to observe as soon as you enter the game and then log out. You can detect the login server -> game server change by the change in IP/port of the server and then count some bytes :)

Thx for the tuts and links, I'll look into it.


PS: does anyone know how the hell they got the keys??
He said loop 0-65536 because there are 65536 possible combinations of the 2 keys; really you wouldn't loop 65536 times. You have to have 2 variables for counters and, as I stated before, increment the first counter by 1; when the first counter reaches 256 (or 255 if you're using an array, as they start from 0) you increment the second counter by 1, then you continue this till the second counter reaches 256 and the first counter is 256; then you have used all 65536 combinations, so you reset the counters to 0.

You can't do what you're suggesting ("it's easier to just do what you want to observe as soon as you enter the game and then log out") because there's a lot of data sent and received before the game even appears; for example, you get all your character stats and what's currently in your inventory. So the counters are already being incremented before you do your action.

If you know C, try doing it in C#; I can help you a little then. There's also a C# library that someone posted.
08/04/2006 14:33 HFMuRdOc#84
Quote:
Originally posted by tester@Aug 4 2006, 09:53
Quote:
Originally posted by HFMuRdOc@Aug 4 2006, 01:04
yes, the 9D and 62 were just an example.

"you would loop 0-65536, and decrypt the first 2 bytes"

lol, it'd take a bit of time to do that :P
It's easier to just do what you want to observe as soon as you enter the game and then log out. You can detect the login server -> game server change by the change in IP/port of the server and then count some bytes :)

Thx for the tuts and links, I'll look into it.


PS: does anyone know how the hell they got the keys??
He said loop 0-65536 because there are 65536 possible combinations of the 2 keys; really you wouldn't loop 65536 times. You have to have 2 variables for counters and, as I stated before, increment the first counter by 1; when the first counter reaches 256 (or 255 if you're using an array, as they start from 0) you increment the second counter by 1, then you continue this till the second counter reaches 256 and the first counter is 256; then you have used all 65536 combinations, so you reset the counters to 0.

You can't do what you're suggesting ("it's easier to just do what you want to observe as soon as you enter the game and then log out") because there's a lot of data sent and received before the game even appears; for example, you get all your character stats and what's currently in your inventory. So the counters are already being incremented before you do your action.

If you know C, try doing it in C#; I can help you a little then. There's also a C# library that someone posted.
"He said loop 0-65536 because there are 65536 possible combinations of the 2 keys"

Yeah, I know, and it takes a lot of time manually.

"So the counters are already being incremented before you do your action."

I also know that. I would count the bytes beginning from the packet that changes IP/port, representing the change from the login server to the game server. If I do it fast there won't be too many bytes to count. Besides, what I do want to observe is the packet sent to the client saying the inventory.

I don't know a lil bit of C#, so...
08/04/2006 16:03 tester#85
Quote:
Originally posted by HFMuRdOc@Aug 4 2006, 14:33
Besides, what I do want to observe is the packet sent to the client saying the inventory.
I believe packet 3f0 is items in your inventory and 3f1 is like removal of an item; I may have this the wrong way round though.
08/18/2006 18:10 HFMuRdOc#86
Well, I managed to do a packet decrypter during my vacation. I also wanted to start learning WinPcap but I forgot to install the drivers...... maybe within a week I'll do a sniffer/decrypter, but I don't have much time right now...

edit: kewl thing I did messing around with packets :D
08/23/2006 00:46 Lurker3#87
Quote:
Originally posted by HFMuRdOc@Aug 4 2006, 01:04
PS: does any1 know how the hell did they get the keys??
CO generating the keys using some simple loops & seed values:
Code:
004DDB16 /$ 53             PUSH EBX
004DDB17 |. 55             PUSH EBP
004DDB18 |. 56             PUSH ESI
004DDB19 |. 57             PUSH EDI
004DDB1A |. 8BE9           MOV EBP,ECX
004DDB1C |. B2 9D          MOV DL,9D
004DDB1E |. 33FF           XOR EDI,EDI
004DDB20 |. BE 00010000    MOV ESI,100
004DDB25 |> 33C9           /XOR ECX,ECX
004DDB27 |. 8ACA           |MOV CL,DL
004DDB29 |. 88142F         |MOV BYTE PTR DS:[EDI+EBP],DL
004DDB2C |. 8BDE           |MOV EBX,ESI
004DDB2E |. 8BC1           |MOV EAX,ECX
004DDB30 |. 69C0 FA000000  |IMUL EAX,EAX,0FA
004DDB36 |. 99             |CDQ
004DDB37 |. F7FB           |IDIV EBX
004DDB39 |. 8BC2           |MOV EAX,EDX
004DDB3B |. 83C0 0F        |ADD EAX,0F
004DDB3E |. 0FAFC1         |IMUL EAX,ECX
004DDB41 |. 83C0 13        |ADD EAX,13
004DDB44 |. 99             |CDQ
004DDB45 |. 8BCE           |MOV ECX,ESI
004DDB47 |. F7F9           |IDIV ECX
004DDB49 |. 47             |INC EDI
004DDB4A |. 3BFE           |CMP EDI,ESI
004DDB4C |.^7C D7          \JL SHORT Conquer.004DDB25
004DDB4E |. B2 62          MOV DL,62
004DDB50 |. 33FF           XOR EDI,EDI
004DDB52 |> 8AC2           /MOV AL,DL                         al=62 dl=62
004DDB54 |. B1 5C          |MOV CL,5C
004DDB56 |. F6E9           |IMUL CL                           ax 2338
004DDB58 |. 80C1 1D        |ADD CL,1D                         ax 2355
004DDB5B |. 2AC8           |SUB CL,AL                         22f3
004DDB5D |. 8AC1           |MOV AL,CL
004DDB5F |. F6EA           |IMUL DL
004DDB61 |. 04 6D          |ADD AL,6D
004DDB63 |. 88942F 0001000>|MOV BYTE PTR DS:[EDI+EBP+100],DL
004DDB6A |. 47             |INC EDI
004DDB6B |. 3BFE           |CMP EDI,ESI
004DDB6D |. 8AD0           |MOV DL,AL
004DDB6F |.^7C E1          \JL SHORT Conquer.004DDB52
004DDB71 |. 5F             POP EDI
004DDB72 |. 5E             POP ESI
004DDB73 |. 8BC5           MOV EAX,EBP
004DDB75 |. 5D             POP EBP
004DDB76 |. 5B             POP EBX
004DDB77 \. C3             RETN
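Added example, not code from the thread or from the game: a C rendering of the two loops in Lurker3's listing, checked against the key bytes the thread had already been using (Key1[0] = 9D, Key1[1] = 90, Key2[0] = 62), plus the counter-resync check unknownone describes in post #81. It assumes the 16-bit length field is little-endian and counts the whole packet (the thread does not say), and it builds its own constructed test packet with the server -> client transform from post #79. Every constant comes from the listing above, which is the security point: the keystream depends on nothing but values compiled into the client, so anyone holding the binary can regenerate it, and the length field is a known-plaintext check that lets a receiver recover the counters after losing track of them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define KEY_LEN 256

/* First loop (004DDB25..004DDB4C). Key1[i] is the current DL, then
 *   dl = (((dl * 0xFA) % 0x100 + 0x0F) * dl + 0x13) % 0x100
 * Both IDIVs divide by ESI = 0x100 and the dividend is never negative. */
static void gen_key1(uint8_t key1[KEY_LEN])
{
    uint32_t dl = 0x9D;                       /* MOV DL,9D */
    for (int i = 0; i < KEY_LEN; i++) {
        key1[i] = (uint8_t)dl;
        dl = (((dl * 0xFA) % 0x100 + 0x0F) * dl + 0x13) % 0x100;
    }
}

/* Second loop (004DDB52..004DDB6F), entirely in 8-bit registers so each
 * product is taken mod 256: cl = 0x5C + 0x1D - low8(dl * 0x5C);
 * Key2[i] = dl; dl = low8(cl * dl) + 0x6D. */
static void gen_key2(uint8_t key2[KEY_LEN])
{
    uint8_t dl = 0x62;                        /* MOV DL,62 */
    for (int i = 0; i < KEY_LEN; i++) {
        key2[i] = dl;
        uint8_t cl = (uint8_t)(0x5C + 0x1D - (uint8_t)(dl * 0x5C));
        dl = (uint8_t)(cl * dl + 0x6D);
    }
}

/* Convenience accessors that regenerate the tables (cheap, 256 steps). */
static uint8_t key1_at(int i) { uint8_t k[KEY_LEN]; gen_key1(k); return k[i & 0xFF]; }
static uint8_t key2_at(int i) { uint8_t k[KEY_LEN]; gen_key2(k); return k[i & 0xFF]; }

static uint8_t nibble_swap(uint8_t b) { return (uint8_t)((b << 4) | (b >> 4)); }

/* Server -> client byte transform (post #79) and its inverse. */
static uint8_t dec_byte(uint8_t b, uint8_t k1, uint8_t k2)
{
    return (uint8_t)(nibble_swap((uint8_t)(b ^ k1 ^ k2)) ^ 0xAB);
}
static uint8_t enc_byte(uint8_t p, uint8_t k1, uint8_t k2)
{
    return (uint8_t)(nibble_swap((uint8_t)(p ^ 0xAB)) ^ k2 ^ k1);
}

/* Post #81's check for one candidate counter state (c2 << 8 | c1): decrypt
 * the first two bytes and compare them with the captured length.
 * ASSUMED: little-endian length covering the whole packet. */
static int state_matches(const uint8_t k1[KEY_LEN], const uint8_t k2[KEY_LEN],
                         const uint8_t *pkt, size_t len, int state)
{
    uint8_t c1 = (uint8_t)state, c2 = (uint8_t)(state >> 8);
    uint8_t lo = dec_byte(pkt[0], k1[c1], k2[c2]);
    if (++c1 == 0) c2++;                      /* second byte uses the next state */
    uint8_t hi = dec_byte(pkt[1], k1[c1], k2[c2]);
    return (size_t)(lo | (hi << 8)) == len;
}

/* Try all 65536 states in order; return the first that passes, or -1. */
static int find_counter_state(const uint8_t k1[KEY_LEN], const uint8_t k2[KEY_LEN],
                              const uint8_t *pkt, size_t len)
{
    for (int state = 0; state < 65536; state++)
        if (state_matches(k1, k2, pkt, len, state)) return state;
    return -1;
}

/* CONSTRUCTED demo: encrypt a packet (length field + zero filler) starting
 * at counters (c1, c2), then recover a consistent state from it. Returns the
 * recovered state, or -1 if the planted or the recovered state fails the check. */
static int resync_demo(size_t len, uint8_t c1, uint8_t c2)
{
    uint8_t k1[KEY_LEN], k2[KEY_LEN], pkt[64];
    if (len < 2 || len > sizeof pkt) return -1;
    gen_key1(k1);
    gen_key2(k2);
    int planted = (c2 << 8) | c1;
    for (size_t i = 0; i < len; i++) {
        uint8_t p = i == 0 ? (uint8_t)len : i == 1 ? (uint8_t)(len >> 8) : 0;
        pkt[i] = enc_byte(p, k1[c1], k2[c2]);
        if (++c1 == 0) c2++;
    }
    int found = find_counter_state(k1, k2, pkt, len);
    if (!state_matches(k1, k2, pkt, len, planted) || found < 0) return -1;
    return found;
}

int main(void)
{
    printf("Key1[0..1] = %02X %02X, Key2[0] = %02X\n",
           (unsigned)key1_at(0), (unsigned)key1_at(1), (unsigned)key2_at(0));
    printf("D3 at state 0 decrypts to %02X\n",
           (unsigned)dec_byte(0xD3, key1_at(0), key2_at(0)));
    printf("28-byte packet planted at (c1=250, c2=3): first matching state = %d\n",
           resync_demo(28, 250, 3));
    return 0;
}
```

The generated tables reproduce the thread's bytes (Key1 starts 9D, 90 and Key2 starts 62), which confirms the listing is the key schedule the earlier posts were using. Because each table is a byte-valued recurrence mod 256, values repeat, so several counter states can pass the two-byte length check on a single packet; `find_counter_state` returns the lowest one, and a second packet's length field rules out a coincidental match.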
08/23/2006 01:04 Lurker3#88
Some notes I made before I got bored writing them:
09/01/2006 20:14 HFMuRdOc#89
hmm ok gonna look into that, ty :)
09/18/2006 15:35 SchnorrerKing#90
I think this is brilliant, but somehow it's over my head. Can someone explain it again for dummies?