[Int] Need dump from few packets

01/11/2013 02:25 szopenfx#1
Hi all!
I'm working on a standalone Kal sniffer - it will not be based on the client directly.
I only want to sniff packets and decode them correctly (without modification).

So... what do I need?
I need a few packet dumps: first raw, from a sniffer like Wireshark, and then the same packets decoded by... you :) I know that no one will give me a working international-server packet sniffer based on a client hook, but I think my request is reasonable.

I only need a few packets, starting from server selection until the character is loaded.

Now I have some problems. First of all, I think they changed the old swordcrypt packet encoding/decoding key from 0 to 23; after that I get the correct signature $2A (welcome packet) and connection packet, but something is wrong... so I want to compare it.

Yes, I know the next packets are encrypted with AES, and I think I know how to break it.

Can anyone help?
01/11/2013 03:51 Mahatma#2
I don't think you will be able to work out how it's encrypted just by analysing the packets sniffed by Wireshark, without doing some reverse engineering / debugging of engine.exe.
But well... if you want to, I can give you some packets:
Code:
//Connect-Packet (0x08) - crypted with xor-crypt:
connectPacket->fillBuffer("bdddddbb",0x08,appTime,clientinfo->getConnectionParam(0),clientinfo->getConnectionParam(1),clientinfo->getConnectionParam(2),clientinfo->getConnectionParam(3),1,2); //connection params are received from the updater (everything uncrypted)
--> recv welcome packet (0x2a) (also crypted with xor crypt)
Code:
//Version-Check (0x09) - crypted with xor+aes:
versionCheck->fillBuffer("bdbd",0x09,clientinfo->getSync(),1,version); //you need to calculate sync and version with the information you get in 0x2a packet
Code:
//Login (0x02) - crypted with xor+aes:
loginPacket->fillBuffer("bdss",0x02,clientinfo->getSync(),clientinfo->getUserName(),clientinfo->getPassword());
--> recv loginAnswer (0x2b) - crypted with xor+aes
Code:
//2nd Password(0x75) - crypted with xor+aes:
secondPasswordPacket->fillBuffer("bdbs",0x75,clientinfo->getSync(),0,clientinfo->get2ndPassword());
--> recv available chars (0x11) - crypted with xor+aes
--> recv restore charinfo (0x19) - crypted with xor+aes

The xor-key and the (packed) AES key are also received in the 0x2a packet.
The xor-send key gets increased by every packet which is sent.
The xor-recv key is always the same.


good luck! :-)
01/11/2013 04:41 szopenfx#3
So... I missed the XOR, that's why I get bad data - I don't have any packet data from before and after encryption. If I get them, then it's easy to calculate the XOR key from it.
Thanks for the above information, it helped me a lot. Now I'm sure that the packet IDs are correct, and I also got fresh info about the bytes - very useful.
I don't have a working hook on the recv/send functions; years ago I wrote one in Delphi, but it probably doesn't work correctly now and would be detected by HS (C++ is not my favourite language). Also, I don't need to calculate any data like getSync, because I will read it (I don't care about modification). Thanks again; if someone could also send me those dumps I would appreciate it - if not, I'll just spend more time calculating it, but who cares :) I have the most important info now.
01/12/2013 05:25 szopenfx#4
Is this really only XOR, or something more? I tested single XOR with all 256 possible keys, XOR + swordcrypt, and swordcrypt + XOR with all 64 possible keys, and nothing -,-.
Was the Swordcrypt table changed? My encrypt/decrypt table still works on config.pk files.
My $08 packet to compare is based on the getConnectionParam values from named shared memory, and I know that it's good.
01/12/2013 05:44 pleaX#5
Table was changed
01/12/2013 16:43 meak1#6
You need the XOR key, the AES key and the table from the current engine.
The AES key changes after every KalOnline update.

Code:
unsigned char XORKey[] = {
    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
    0x0F, 0x1E, 0x2D, 0x3C, 0x4B, 0x5A, 0x69, 0x78
};
This was my clientless login...

Code:
// Clientless login, as posted. Assumes a connected SOCKET s, the engine's
// current table-crypt and AES routines DecryptTable() / DecryptPacketAES(),
// and a Print() hex-dump helper; none of those are included in the post.
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>

void DecryptTable(BYTE key, unsigned char *data, int len);
void DecryptPacketAES(char *packet);
void Print(char dir, int len, const char *packet);

void ClientlessLogin(SOCKET s)
{
    char  buf[4096];
    WORD  Plen;
    // The key the 0x2A packet itself is decrypted with is not stated in the
    // post (the original left RecvKey uninitialised); 0 is an assumption.
    BYTE  SendKey = 0, RecvKey = 0;
    DWORD Sync = 0, AcceptAddy = 0, SendLogin = 0;

    // Connect packet (0x08), 25 bytes, already XOR-crypted with XORKey above.
    char Packet[25];
    memcpy(Packet, "\x19\x00\x08\x9D\x1E\x00\x00\x39\x11\x93\x16\x89\xCE\x9E\x59\x90\xA9\xD8\x36\x00\xB7\x5C\x7E\x00\x01", 25);
    send(s, Packet, sizeof(Packet), 0);

    // Welcome packet (0x2A): WORD length (counts itself), then table-crypted payload.
    recv(s, buf, sizeof(buf), 0);
    Plen = *(PWORD)buf;
    DecryptTable(RecvKey, (unsigned char *)buf + 2, Plen - 2);
    Print('R', buf[0], buf);

    if (buf[2] == 0x2A) {
        SendKey    = *(BYTE *)&buf[7];
        RecvKey    = *(BYTE *)&buf[7];
        Sync       = *(DWORD *)&buf[83];
        AcceptAddy = *(DWORD *)&buf[3];

        // Sync = ((Sync >> 7) % 512) ^ 0x1A85
        _asm {
            MOV EAX, Sync
            SHR EAX, 0x7
            MOV ECX, EAX
            MOV EDX, EAX
            SHR EDX, 0x9
            SHL EDX, 0x9
            SUB EAX, EDX
            XOR EAX, 0x1A85
            MOV Sync, EAX
        }
        printf("Sync:%x\n", Sync);
        printf("KEY:%x\n", SendKey);

        // SendLogin (the version value) = (AcceptAddy % 0x0ED1) + 0x235C
        _asm {
            MOV EAX, AcceptAddy
            XOR EDX, EDX
            MOV ECX, 0x0ED1
            DIV ECX
            ADD EDX, 0x235C
            MOV SendLogin, EDX
        }
    }
    printf("Key for Serv: 0x%X\n", SendLogin);

    // Version check (0x09): "bdbd" = opcode, Sync, 1, version
    char Packet2[12];
    memcpy(Packet2, "\x0C\x00\x09", 3);
    memcpy(Packet2 + 5, "\x00\x00\x01", 3);
    *(DWORD *)&Packet2[3] = Sync;
    *(DWORD *)&Packet2[8] = SendLogin;
    send(s, Packet2, sizeof(Packet2), 0);

    // Login (0x02): "bdss" = opcode, Sync, ID\0, PW\0.
    // The fixed 0x1C length and Login[28] only hold if strlen(ID)+strlen(PW) == 19.
    char Login[28];
    char ID[255];
    char PW[255];
    GetPrivateProfileStringA("AUTOLOGIN", "ID", 0, ID, 255, ".\\Autologin.ini");
    GetPrivateProfileStringA("AUTOLOGIN", "PW", 0, PW, 255, ".\\Autologin.ini");
    if (strlen(ID) + strlen(PW) != 19) {
        printf("ID+PW must total 19 chars for the fixed-size login packet\n");
        return;
    }
    memcpy(Login, "\x1C\x00\x02", 3);
    *(DWORD *)&Login[3] = Sync;
    // lands on the upper half of Sync, which is always zero after the derivation above
    memcpy(Login + 5, "\x00\x00", 2);
    memcpy(Login + 7, ID, strlen(ID));
    memcpy(Login + 7 + strlen(ID), "\x00", 1);
    memcpy(Login + 7 + strlen(ID) + 1, PW, strlen(PW));
    memcpy(Login + 7 + strlen(ID) + 1 + strlen(PW), "\x00", 1);
    send(s, Login, sizeof(Login), 0);

    // Login answer (0x2B): table-crypt, then AES on the payload.
    recv(s, buf, sizeof(buf), 0);
    Plen = *(PWORD)buf;
    DecryptTable(RecvKey, (unsigned char *)buf + 2, Plen - 2);
    DecryptPacketAES(buf);
    Print('R', buf[0], buf);

    if (buf[2] == 0x2B) {
        // 2nd password (0x75): "bdbs" = opcode, Sync, 0, secret\0 (8-char secret assumed)
        char Login2[17];
        char Secrete[255];
        memcpy(Login2, "\x11\x00\x75", 3);
        *(DWORD *)&Login2[3] = Sync;
        memcpy(Login2 + 5, "\x00\x00\x00", 3);
        GetPrivateProfileStringA("AUTOLOGIN", "2PW", 0, Secrete, 255, ".\\Autologin.ini");
        memcpy(Login2 + 8, Secrete, 9);
        send(s, Login2, sizeof(Login2), 0);

        // Character list (0x11)
        recv(s, buf, sizeof(buf), 0);
        Plen = *(PWORD)buf;
        DecryptTable(RecvKey, (unsigned char *)buf + 2, Plen - 2);
        DecryptPacketAES(buf);
        Print('R', 122, buf);
        Sleep(2000);

        DWORD charID = 0;
        if (buf[2] == 0x11) {
            charID = *(DWORD *)&buf[9];
            // charID = *(DWORD *)&buf[40];
            printf("Char Found!\n");
        }

        // Select character (0x0A). Note the 9 zero bytes from offset 10
        // overwrite the top byte of charID, as in the original.
        char Packet3[19];
        memcpy(Packet3, "\x13\x00\x0A", 3);
        *(DWORD *)&Packet3[3] = Sync;
        memcpy(Packet3 + 5, "\x00\x00", 2);
        *(DWORD *)&Packet3[7] = charID;
        memcpy(Packet3 + 10, "\x00\x00\x00\x00\x00\x00\x00\x00\x00", 9);
        send(s, Packet3, sizeof(Packet3), 0);

        // Enter world (0x0B)
        char Packet4[12];
        memcpy(Packet4, "\x0C\x00\x0B", 3);
        *(DWORD *)&Packet4[3] = Sync;
        memcpy(Packet4 + 5, "\x00\x00\x01\x7A\x43\x00\x00", 7);
        send(s, Packet4, sizeof(Packet4), 0);
    }
}
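The packet layout that Mahatma's format strings and meak1's hand-built buffers agree on (a little-endian WORD length that counts itself, then the opcode, then b/d/s fields), plus the Sync and version arithmetic from meak1's two asm blocks, as a small Python helper. This is an added example, not code from the thread: the 0x2A offsets (AcceptAddy at 3, key byte at 7, raw Sync at 83) are copied from meak1's post and whether they still match the current engine.exe is an assumption, and the sample 0x2A packet is constructed rather than captured. The table-crypt and AES layers are deliberately left out, so everything here works on plaintext packets; split_frames() is the piece a sniffer needs on top of that, since a recv() or a TCP segment can deliver half a packet or two packets at once.

```python
"""Added example: KalOnline login-phase packet framing helpers (no crypto).

Layout reconstructed from the posts above:
  WORD  length   little-endian, counts itself
  BYTE  opcode
  ...   fields in fillBuffer format-string order:
        b = BYTE, d = DWORD (LE), s = NUL-terminated string
0x2A offsets and the Sync/version arithmetic follow meak1's code (assumption).
"""
import struct

FIELD_CODES = {"b": "<B", "d": "<I"}


def pack_packet(fmt, *fields):
    """Serialise fields per a 'bdss'-style format string, with the length prefix."""
    if len(fmt) != len(fields):
        raise ValueError("format/field count mismatch")
    body = bytearray()
    for code, value in zip(fmt, fields):
        if code == "s":
            if isinstance(value, str):
                value = value.encode("ascii")
            if b"\x00" in value:
                raise ValueError("string field may not contain NUL")
            body += value + b"\x00"
        elif code in FIELD_CODES:
            body += struct.pack(FIELD_CODES[code], value)
        else:
            raise ValueError(f"unknown field code {code!r}")
    total = 2 + len(body)
    if total > 0xFFFF:
        raise ValueError("packet too large for a WORD length")
    return struct.pack("<H", total) + bytes(body)


def split_frames(stream):
    """Cut a byte stream into whole packets; return (frames, unconsumed tail)."""
    frames, pos = [], 0
    while len(stream) - pos >= 2:
        (plen,) = struct.unpack_from("<H", stream, pos)
        if plen < 3:                      # length + opcode is the minimum
            raise ValueError(f"bad length {plen} at offset {pos}")
        if len(stream) - pos < plen:      # partial packet: wait for more data
            break
        frames.append(bytes(stream[pos:pos + plen]))
        pos += plen
    return frames, bytes(stream[pos:])


def derive_sync(raw_sync):
    """Sync = ((raw >> 7) mod 512) ^ 0x1A85, i.e. meak1's first asm block."""
    return ((raw_sync >> 7) & 0x1FF) ^ 0x1A85


def derive_version(accept_addy):
    """version = (AcceptAddy mod 0x0ED1) + 0x235C, i.e. meak1's second asm block."""
    return (accept_addy % 0x0ED1) + 0x235C


WELCOME_MIN_LEN = 87  # the raw Sync DWORD sits at offset 83 in meak1's code


def parse_welcome(pkt):
    """Extract key byte, AcceptAddy and Sync from an already-decrypted 0x2A packet."""
    if len(pkt) < WELCOME_MIN_LEN or pkt[2] != 0x2A:
        raise ValueError("not a complete 0x2A welcome packet")
    (accept_addy,) = struct.unpack_from("<I", pkt, 3)
    key = pkt[7]
    (raw_sync,) = struct.unpack_from("<I", pkt, 83)
    return {"send_key": key, "recv_key": key, "accept_addy": accept_addy,
            "sync": derive_sync(raw_sync), "version": derive_version(accept_addy)}


def version_check_packet(welcome):
    """Mahatma's 0x09 'bdbd' packet, built from a parsed welcome."""
    return pack_packet("bdbd", 0x09, welcome["sync"], 1, welcome["version"])


def sample_welcome(accept_addy=0x10000, key=0x23, raw_sync=0x12345678):
    """Constructed 0x2A packet for offline testing; not a real capture."""
    body = bytearray(WELCOME_MIN_LEN)
    struct.pack_into("<H", body, 0, WELCOME_MIN_LEN)
    body[2] = 0x2A
    struct.pack_into("<I", body, 3, accept_addy)
    body[7] = key
    struct.pack_into("<I", body, 83, raw_sync)
    return bytes(body)


if __name__ == "__main__":
    w = parse_welcome(sample_welcome())
    print("0x09:", version_check_packet(w).hex())
    print("0x02:", pack_packet("bdss", 0x02, w["sync"], "user", "pass").hex())
```

With the constructed welcome, version_check_packet() yields the same 12-byte shape meak1 builds by hand (length 0x0C, opcode 0x09, Sync, 0x01, version), and pack_packet("bdss", ...) reproduces the 0x02 login layout without the fixed 28-byte buffer, so the length prefix follows the credentials instead of the other way round.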
01/18/2013 07:31 szopenfx#7
@pleaX thanks for that info, I found new tables for SwordCrypt (or I don't know what to call it, but it is the historical first encryption in KalOnline, also standard on private servers).

@Mahatma I got a bit confused after your post, probably by the naming of this encryption - when I changed the XOR crypt algorithm to SwordCrypt with the new tables, your information turned out to be clear and correct, thx.

For a full 128-bit block of data AES is used - if the block is not full, simple XOR encryption with a 16-byte key is used (like @meak1 talked about). I have known that for a long time but never tested it, till now :P

@meak1 Thanks also go to you, maybe I'll use those Sync and AcceptAddy values to make a really standalone application... I don't know about HS and the CRC calculation, but that is a topic for another story.

so... at last...
...probably the first working proxy written in Delphi for international servers :P
01/18/2013 20:45 meak1#8
HS is really big, it has a DLL to debug at runtime,
but it's still really hard.

I got the first HS packet working, which is sent after login, but I stopped working on the HS packets, too hard...

But I was near the goal d;

HS sends a login packet and every 10 minutes a CRC packet, I don't know, I had no time for KalOnline, I mean I don't work on Kal anymore ;\
01/18/2013 22:31 szopenfx#9
I found info that HS asks for a chosen random memory region from KalOnline, so I think it's almost impossible to make an HS client emulator without a running process or a process dump.
My RE skills are quite low... so probably I will only send "ping" packets (to keep the connection alive) and forward the HS/CRC requests to the KalOnline client; the rest will be handled by my program.
01/18/2013 22:53 meak1#10
You mean you can use clientless without being disconnected? I mean after HS asks for an answer d;?
01/18/2013 23:39 huby#11
Haha, you're using Delphi?? Such a prehistoric program :P