Spell Decrypting.

03/17/2011 21:34 Lateralus#1
I have the spell decryption in my (4267-based) source, but I'm curious as to where it is found in the client, and how to translate these sorts of encryption/decryption to a higher-level language, since I'm wanting to slightly change these methods. Cryptography is where I'm majorly lacking in expertise...

My question is a little broad, but does anyone just want to work with me in understanding these things?
03/17/2011 21:38 Kiyono#2
Couldn't you just ask Hybrid? He overwrote the spell encryption with his own.
03/17/2011 21:41 Lateralus#3
Quote:
Originally Posted by Kiyono
Couldn't you just ask Hybrid? He overwrote the spell encryption with his own.
Haha, I asked him at about the same time you posted this. o.o
03/17/2011 22:29 tanelipe#4
The best way to start tracking where the encryption is would probably be the packet that gets sent when you use a spell. From there you backtrace to the point in ASM that calls the method that passes the parameters to this send function and then just try and find the function that encrypts the parameters.


(Or you could take advantage of one of the XOR values that are constant and look for that in OllyDbg)
03/17/2011 22:42 Lateralus#5
Quote:
Originally Posted by tanelipe
The best way to start tracking where the encryption is would probably be the packet that gets sent when you use a spell. From there you backtrace to the point in ASM that calls the method that passes the parameters to this send function and then just try and find the function that encrypts the parameters.


(Or you could take advantage of one of the XOR values that are constant and look for that in OllyDbg)
I found the function by backtracking the request attack packet magic subtype, I just don't understand exactly how to find which values correspond to which registers, etc...
03/18/2011 06:01 Ian*#6
Eh, removed it.
03/18/2011 06:05 Lateralus#7
Quote:
Originally Posted by Ian*
Eh, removed it.
Removed what?
03/18/2011 13:47 tanelipe#8
Aren't the parameters pushed to the encryption function? You could see how those parameters are stored into the registers inside the encrypt function since they (parameters) are passed in as plain values such as 1045 etc.
03/18/2011 15:05 Lateralus#9
Quote:
Originally Posted by tanelipe
Aren't the parameters pushed to the encryption function? You could see how those parameters are stored into the registers inside the encrypt function since they (parameters) are passed in as plain values such as 1045 etc.
Thanks man, got it. :D
05/15/2011 12:17 _DreadNought_#10
Quote:
Originally Posted by tanelipe
The best way to start tracking where the encryption is would probably be the packet that gets sent when you use a spell. From there you backtrace to the point in ASM that calls the method that passes the parameters to this send function and then just try and find the function that encrypts the parameters.


(Or you could take advantage of one of the XOR values that are constant and look for that in OllyDbg)
How would one find that? o.O
05/15/2011 21:51 Lateralus#11
Quote:
Originally Posted by _DreadNought_
How would one find that? o.O
Find where packet type 1022 is constructed, find the subtype 0x15 (magic subtype), and the encryption is close.