Shaiya Packet Encryption ( Infos )

07/14/2011 06:10 wurstbrot123#1
I've just taken a look at the Shaiya packet encryption
and the encryption itself is fairly simple. The encryption
itself is a simple XOR routine and I'll show you how you
can use that. However, I don't know yet how the
client is currently creating the Xortable. Luckily
the Xortable is always at the same address;
you can find the base address in the function call one
call above the Send call. The start of that function
looks like this ( Shaiya encryption function ):

Code:
CMP BYTE PTR DS:[2242E21],0
JE SHORT game.004010DF
CMP DWORD PTR DS:[2242E18],0
JNZ SHORT game.004010CA
MOV EAX,DWORD PTR SS:[ESP+8] 
PUSH ESI
PUSH EAX
MOV EAX,DWORD PTR SS:[ESP+C]
MOV ECX,EAX
MOV ESI,game.02242E28
CALL game.004051B0
MOV ESI,game.02242E28

This line is currently interesting for us. It moves the
base address of the Xortable into ESI. So 0x2242E28 would
be the address. This address + 0x104 is currently a
packet counter. This counter is also used for the encryption.
The Xortable starts at the Xortable base address + 0x108.

So we have the following Addresses for our Encryption function:

0x2242F2C = Packetcounter
0x2242F30 = Xortable start

Now we can use the following function to
Encrypt our Packets:

Code:
int packetcounter = 0x2242F2C;   // Packetcounter ( Xortable base + 0x104 )
int Xortable = 0x2242F30;        // Xortable start ( Xortable base + 0x108 )

char* encryptpacket( char * packet, int packetsize )
{
	int encryptcounter = *(int*)packetcounter;
	// ( how many packets have been encrypted yet )
	for( int i = 0; i < packetsize; ++i )
	{
		// Xortable already points at base + 0x108, so no extra offset is added here
		packet[i] ^= *(char*)( Xortable + i + encryptcounter );
	}
	encryptcounter += 1;
	*(int*)packetcounter = encryptcounter;
	return packet;
}
PS:

You can only use this function after you have sent at least
one login packet ( these are the first packets that get encrypted ),
simply because when the first packet is to be sent but the
Xortable isn't created yet, the client will create it and encrypt the
packet. I might be wrong at any point, I did not test this yet;
I was just bored and took a look at it with OllyDBG.

regards
Wurstbrot123
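The scheme described in the post above, as an added self-contained model that is not wurstbrot123's code: a shared XOR table, a per-packet counter that both ends advance by one, and a check of the round trip. The table contents and the two packets are constructed for the example; the real client's table is not on the page. The last loop shows why a defender should treat this as weak: two consecutive packets are XORed against the same table shifted by one byte, so XORing the ciphertexts cancels the table out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TABLE_LEN 176  /* XOR-table size reported later in the thread */

/* Per-side state: the shared table plus a packet counter both ends keep in step. */
typedef struct { const uint8_t *table; size_t table_len; uint32_t counter; } xor_state;

/* XOR buf against table[counter .. counter+len) and advance the counter by one.
 * XOR is symmetric, so the same call decrypts when the counters match.
 * Returns 0 on success, -1 if the read would run past the end of the table. */
static int xor_packet(xor_state *st, uint8_t *buf, size_t len)
{
    if (len > st->table_len || st->counter > st->table_len - len)
        return -1;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= st->table[i + st->counter];
    st->counter += 1;
    return 0;
}

/* Constructed, non-secret table contents; the real client's table is not on the page. */
static void fill_table(uint8_t *table, size_t len)
{
    for (size_t i = 0; i < len; i++)
        table[i] = (uint8_t)(i * 37u + 11u);
}

/* Encrypts two constructed packets as the sender, decrypts them as the receiver.
 * Returns 1 if both round-trip and the keystream-overlap relation holds, 0 otherwise.
 * The relation: consecutive packets use the table shifted by one byte, so
 * c1[i+1] ^ c2[i] == p1[i+1] ^ p2[i] and the table cancels out entirely. */
static int demo(void)
{
    uint8_t table[TABLE_LEN];
    fill_table(table, TABLE_LEN);
    xor_state tx = { table, TABLE_LEN, 0 }, rx = { table, TABLE_LEN, 0 };
    const uint8_t p1[] = "login-request", p2[] = "second-packet";  /* constructed */
    uint8_t c1[sizeof p1], c2[sizeof p2];
    memcpy(c1, p1, sizeof p1);
    memcpy(c2, p2, sizeof p2);
    if (xor_packet(&tx, c1, sizeof c1) || xor_packet(&tx, c2, sizeof c2)) return 0;
    for (size_t i = 0; i + 1 < sizeof p1 && i < sizeof p2; i++)
        if ((c1[i + 1] ^ c2[i]) != (p1[i + 1] ^ p2[i])) return 0;
    if (xor_packet(&rx, c1, sizeof c1) || xor_packet(&rx, c2, sizeof c2)) return 0;
    return memcmp(c1, p1, sizeof p1) == 0 && memcmp(c2, p2, sizeof p2) == 0;
}
```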
07/15/2011 15:12 zargon05#2
I could find that the function at 0x00404770 was writing to the Xortable memory address that you had mentioned.
07/15/2011 16:31 wurstbrot123#3
I know where the function itself is ( it is currently in the same
big call for sending packets ). But it's a pretty big routine;
it's probably a hell of a lot of work to reverse it completely.
Not sure if I'll ever take a look at it. Anyway, thank you
for sharing :)
03/07/2013 14:56 warekurt#4
@wurstbrot123 Have you found out how encryption works from the start? I see with WireShark when we first open the game, the server sends us a packet and the client sends another one back. They both have the same OP Codes I think, "01 a1". Could these packets be how the XorTable is created?
03/07/2013 16:31 shikosan#5
I'm not sure if it's the same, but the ingame encryption algorithm (client side) contains 3 parts:
XOR-Table (176 byte)
and two 128 bit XOR-Keys

the second key is used to actually encrypt the packet.
After the key is "consumed" (encryption counter is equal to key size), a new key is generated using the first key and the xor-table. At the end, the first key will be modified by adding 1 to it.

On which client version are your memory addresses based?

hope that was helpful in any way

,shiko
03/11/2013 07:17 wurstbrot123#6
When you look at the date, I looked at it quite a while
ago ( 2011 ), so I can't tell much about the current clients
and I don't remember what client version it was back then.
03/11/2013 07:33 warekurt#7
Thanks, just wanted to know if you recorded any progress afterwards.
03/11/2013 16:14 shikosan#8
whoops, didn't look at the date hehe...

I got a working implementation of the ingame encryption/decryption algorithm. What I'm missing is the xor table creation part. I'm willing to trade my part for the xor table part.
03/11/2013 16:38 warekurt#9
Well, did you try the first 2 packets the client and server exchange? If you know every detail about the encryption you could share it and I'll see if I can find any relation with those 2 packets.