help, please help me with CM_KEY!!!

12/10/2012 11:52 csuwind#1
Dear all,
I have some problem with the Perfect World login packet CM_KEY.
Below is the list of login packets:
Login Packets
0x01 SM_LOGIN_CHALLANGE server->client
0x03 CM_LOGIN_ANNOUNCE client->server
0x02 SM_KEY server->client
0x02 CM_KEY client->server [encrypted]

My problem is that for CM_KEY, I really don't know how it is encrypted.

I have captured some packets from elementclient.exe. Would somebody help me?


SM_LOGIN_CHALLANGE: 0133107F5F005F088931BFF3A92E8AC757D2CD000300011431 30303030303861303865313465613064343235000000000000 000000
CM_LOGIN_ANNOUNCE: 031502363510AB201B3DD3CF398E899EA077B5BBCCD900
SM_KEY: 021210 379688348176C6C948289FE3F003CB2A00
CM_KEY E1E5821D47A2555DADCDFC7EEA1E82513F5B036F (encrypted)


I really don't know how CM_KEY is generated by elementclient.exe.

Thanks.
12/10/2012 12:21 Sᴡoosh#2
Random bytes that you choose and then encrypt with client key...
12/11/2012 10:24 csuwind#3
Dears,
would you please tell me why the client wants to send random data which was encrypted by the server key? Also, would you please tell me which type of encryption the client uses? MD5? RC4? Thank you.
12/11/2012 10:40 Sᴡoosh#4
Crypto is RC4 and HMAC-MD5.

Key is the result of HMAC-MD5(loginhash [0x3 packet] + serverkeyhash [0x2 packet]) ^ username. You then encrypt random bytes with it.

That's all I'm saying about this topic - good luck.
12/11/2012 10:55 csuwind#5
Dears,
thanks for your kind reply. But I still don't know why the client wants to give the server random bytes which are encrypted. Is this useful for the server if the bytes are random?
12/11/2012 11:00 Sᴡoosh#6
Server uses these bytes to generate the server -> client key. How should the client know the key otherwise?

This is a keyless exchange, similar to Diffie-Hellman.
12/11/2012 11:26 csuwind#7
Dears,
Thank you. I got it. In fact, I am from China; all the games including Perfect World and Jade Dynasty Bot are developed by a company named Perfect World in Beijing. If you have any problem with a Chinese game forum or anything else, please send me a message and I can help you.
Good luck.
12/11/2012 12:20 Sᴡoosh#8
Alright, cool that you figured it out. Yeah, I know of Wanmei - but I'm more interested in the server side of things nowadays :)

Cheers
12/12/2012 09:24 csuwind#9
Dear Swoosh,
I still have some problems with this. Yesterday I wrote some more C++ code to process the data.
Below are my findings:

SM_LOGIN_CHALLANGE: 0133107F5F005F088931BFF3A92E8AC757D2CD000300011431 30303030303861303865313465613064343235000000000000 000000
CM_LOGIN_ANNOUNCE: 031502363510AB201B3DD3CF398E899EA077B5BBCCD900
SM_KEY: 021210 379688348176C6C948289FE3F003CB2A00
CM_KEY: E1E5821D47A2555DADCDFC7EEA1E82513F5B036F (encrypted)


1. E1E5821D47A2555DADCDFC7EEA1E82513F5B036F is encrypted by

RC4
(
    key  = HMAC_MD5( user, HMAC_MD5( md5(user+pass), key1 ) + key2 ),
    data = random 16 bytes (this should be the real RC4 C2S key)
)

Would you please check whether this is right?

2. If we guess that, when we use the encrypted CM_KEY (20 bytes) as data and run RC4 with the key which we calculate,
the decrypted data must have the format 021210XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX00, because this should be the format of CM_KEY.
Am I right?

3. In fact, when I use the above solution to calculate the captured packets, I really do get the decrypted data in the format 021210XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX00,
so I guess the middle data XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX should be the RC4 C2S key.
But yesterday when I used another person's DLL plugin for Cheat Engine 5.5 to capture elementclient.exe's login data and decrypt the data,
it shows that the RC4 C2S key is a different byte array.
I am really confused about my result.


Would you please help me answer my questions? Thanks very much.
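The exchange as Swoosh outlines it in #4 and csuwind spells it out in #9, as an added example that is not part of the thread or of any client or server code: username, loginhash and serverkey are constructed placeholders, the 02 12 10 ... 00 framing is taken from the SM_KEY capture above, and treating the username as the HMAC key is my reading of "^ username", not something the thread confirms.

```python
import hmac
import hashlib
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def cm_key_key(username: bytes, loginhash: bytes, serverkey: bytes) -> bytes:
    """Key for CM_KEY: HMAC-MD5 over loginhash || serverkey, keyed with the
    username (assumption: that is what '^ username' in the thread means)."""
    return hmac.new(username, loginhash + serverkey, hashlib.md5).digest()

def build_cm_key(c2s_key: bytes) -> bytes:
    """Plaintext frame as the thread reads it: 02 12 10 <16 key bytes> 00."""
    assert len(c2s_key) == 16
    return b"\x02\x12\x10" + c2s_key + b"\x00"

def parse_key_packet(frame: bytes) -> bytes:
    """Pull the 16 key bytes out of an SM_KEY or decrypted CM_KEY frame."""
    if len(frame) != 20 or frame[:3] != b"\x02\x12\x10" or frame[-1] != 0:
        raise ValueError("not a 02 12 10 ... 00 key frame")
    return frame[3:19]

def exchange(username, loginhash, serverkey, c2s_key):
    """Client side encrypts its random C2S key; server side, holding the same
    inputs, derives the same RC4 key and recovers it. Returns (wire, recovered)."""
    k = cm_key_key(username, loginhash, serverkey)
    wire = rc4(k, build_cm_key(c2s_key))         # the 20 encrypted bytes sent
    recovered = parse_key_packet(rc4(k, wire))   # what the server reads back
    return wire, recovered

if __name__ == "__main__":
    # Constructed inputs: not the values from the captured packets above.
    c2s = os.urandom(16)
    wire, got = exchange(b"testuser", os.urandom(16), os.urandom(16), c2s)
    print(wire.hex(), got == c2s)
```

If the server's view does not match, the first things to compare against a capture are the derived key inputs (which hash goes where, and what keys the HMAC) rather than the RC4 step, since RC4 itself has no framing to get wrong.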