Attached is the source code and compiled DLLs that allow you to completely bypass Conquer's packet encryption. All you need to do is inject the CustomCO.dll in the Win32/Release directory into Conquer.exe, run the "Init" method that is exported by the DLL - and the client's packet encryption/decryption routines will be overwritten and do nothing.
An injector is also included in the files if you are too lazy to write your own. To use it, run CustomCOInjector.exe and open a new Conquer window and it will inject the DLL once the Conquer window is opened.
With this tool you can also write your own custom encryption for your private server if you like by overwriting the code in the hooked functions:
DecryptData_Hooked is for decrypting game server -> client packets.
Encrypt_Hooked is for encrypting/decrypting auth server <-> client packets.
EncryptData_Hooked is for encrypting client -> game server packets.
These functions are found in the Client.pas file.
Notes:
You must still append "TQServer" to the packets sent from your server.
You still have to send the handshake packet to the client when it connects to your game server - but because it is ignored by the client, you can just send something random like
Code:
byte[] randomHandshake = { 0x35, 0xB1, 0x69, 0xE0, 0x6A, 0xEC, 0x9F, 0x92, 0x58, 0x70, 0xF6, 0x6F, 0x24, 0xFC, 0x02, 0xAC, 0x90, 0x5E, 0x32, 0x22, 0xE9, 0xF1, 0xB0, 0xBF, 0xFC, 0xCA, 0x93, 0x9C, 0x3B, 0x2D, 0xC0, 0x2D, 0x21, 0x3F, 0x3C, 0xA5, 0x8E, 0x41, 0xC9, 0x6F, 0xFF, 0x27, 0xC7, 0x5F, 0x9D, 0x35, 0x54, 0x33, 0x86, 0x8B, 0xAD, 0x6F, 0xE3, 0xE9, 0x61, 0x7A, 0x9D, 0x40, 0x37, 0x2F, 0xAD, 0xC2, 0x94, 0x04, 0x0A, 0x01, 0x44, 0x54, 0x5F, 0x39, 0x43, 0x1C, 0x91, 0x68, 0xA7, 0x43, 0x61, 0x07, 0xC5, 0x8D, 0x00, 0x3A, 0x73, 0xD1, 0xC1, 0x2B, 0x57, 0xC6, 0x67, 0x7E, 0xE7, 0xE4, 0xA3, 0xE5, 0x4E, 0xAD, 0xD9, 0x58, 0x3F, 0x57, 0x0A, 0x4F, 0x20, 0x83, 0xA2, 0x2A, 0x59, 0xBD, 0xFA, 0x46, 0x48, 0x6B, 0x44, 0xE3, 0x69, 0x40, 0xD2, 0xAA, 0xB4, 0x1B, 0x79, 0x3E, 0x78, 0x4D, 0x52, 0xA6, 0x52, 0x55, 0xC0, 0x96, 0xE5, 0xB7, 0x3D, 0x92, 0xB9, 0x71, 0xA6, 0x3D, 0x28, 0x01, 0xAC, 0x3C, 0x99, 0xB7, 0xA2, 0x52, 0xBB, 0x3B, 0xF5, 0x5A, 0xD1, 0xF6, 0x1A, 0x01, 0x06, 0xD0, 0x89, 0x07, 0x1B, 0xCC, 0xDC, 0xDA, 0xE4, 0x4F, 0xAB, 0xF3, 0x0B, 0x9A, 0x6D, 0x58, 0x72, 0xDB, 0x54, 0x96, 0xA2, 0x9C, 0x4D, 0x79, 0x2C, 0xB8, 0xF6, 0x11, 0x23, 0x31, 0xEE, 0x48, 0xB3, 0xB8, 0x2A, 0xF7, 0x6F, 0xD5, 0x6A, 0xF4, 0x8D, 0x00, 0x3D, 0x3B, 0xDF, 0x47, 0x0B, 0x8A, 0x52, 0x79, 0xB4, 0xE3, 0x60, 0x09, 0x3C, 0xF1, 0x58, 0xC4, 0x6C, 0x12, 0xC1, 0x4D, 0x5A, 0x21, 0x53, 0xA4, 0x17, 0x21, 0xB3, 0x74, 0x3A, 0x22, 0xDA, 0xA2, 0xFD, 0x26, 0x6A, 0x44, 0x90, 0x0F, 0xF6, 0x0E, 0x53, 0x0F, 0xE2, 0xEA, 0x83, 0xCD, 0x36, 0x7F, 0x39, 0x6F, 0x7B, 0xAE, 0xF8, 0xF4, 0xEF, 0xA9, 0x48, 0x0D, 0x05, 0x60, 0x73, 0x39, 0x58, 0x55, 0x0D, 0x9A, 0xC1, 0x79, 0x68, 0x63, 0x8B, 0x27, 0xF4, 0x1F, 0x4A, 0xDF, 0x2F, 0x0E, 0x6F, 0x34, 0x32, 0x8C, 0x3F, 0x79, 0x14, 0x43, 0x69, 0x02, 0x31, 0xC3, 0x37, 0xB4, 0xEB, 0xA5, 0x53, 0x2F, 0x11, 0xFA, 0x8D, 0xFB, 0xA8, 0x8E, 0x4E, 0x63, 0x4C, 0xFC, 0x81, 0x60, 0xF3, 0xBB, 0x5F, 0xCD, 0x5A, 0x50, 0xE9, 0x3A, 0xAF, 0x4B, 0x74, 0xA7, 0x16, 0x11, 0x89, 0xCC, 0x01, 0x89, 0xCF, 0xBD, 0x2B, 0x49, 0xBA, 0x8A, 
0x4D, 0x54, 0x00, 0xFF, 0x73, 0x34, 0xE1, 0x8B, 0xEA, 0xF6, 0x57 };
- the client DOES reply to the handshake so you'll need to handle/ignore that.
Currently, the tool is configured to re-direct the client to 127.0.0.1 aka localhost. I will probably make it configurable later on. Until then, you will need to re-compile the project if you want to change it. You can get a free Delphi compiler.
The tool does not remove the password encryption yet but I might make a version in the future that does.
The tool does not block TQ's anti-bot system. If anyone has a list of all the ports that the anti-bot system uses, feel free to post it here so I can include it in the tool.
Update
Added an experimental version that alters the MsgLoginProof packet (type 0x4BE aka 1214) to send the user's unencrypted password. The unencrypted password is stored at offset 4 and the packet now looks like this:
Code:
06 01 BE 04 73 65 63 72 65 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
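The handshake packet is also blocked from being sent by the client now. You still need to send the handshake from your server though.
I've also blocked some of the ports that the anti-cheat system uses and also the port(s) that's used when the client checks if it's up-to-date when opened.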
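A server-side parse of the modified MsgLoginProof layout shown in the dump above, added here as an example (it is not code from the tool or its author). It assumes the two header fields are little-endian length and type, as the `06 01 BE 04` bytes imply, and that the password field is NUL-padded to the end of the packet; the function names are hypothetical.

```python
import struct

MSG_LOGIN_PROOF = 0x4BE          # 1214, packet type given in the post
HEADER = struct.Struct("<HH")    # assumed: little-endian length, then type
PASSWORD_OFFSET = 4              # offset given in the post


def parse_login_proof(data: bytes) -> str:
    """Return the password carried in a modified MsgLoginProof packet.

    Raises ValueError on anything that does not match the layout, so the
    server never acts on a truncated, mistyped or malformed packet.
    """
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than header")
    length, msg_type = HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError(f"length field {length} != received {len(data)}")
    if msg_type != MSG_LOGIN_PROOF:
        raise ValueError(f"unexpected packet type {msg_type:#x}")
    # Assumed: everything from offset 4 to the end is the password field.
    raw, terminator, padding = data[PASSWORD_OFFSET:].partition(b"\x00")
    if not terminator:
        raise ValueError("password field is not NUL-terminated")
    if padding.strip(b"\x00"):
        raise ValueError("non-zero bytes after the terminator")
    if not raw or not all(0x20 <= b < 0x7F for b in raw):
        raise ValueError("password is empty or not printable ASCII")
    return raw.decode("ascii")


def sample_packet() -> bytes:
    """Constructed sample: same header and password bytes as the dump."""
    total = 0x0106  # 262, the length the dump's header declares
    header = HEADER.pack(total, MSG_LOGIN_PROOF)
    return header + b"secret".ljust(total - HEADER.size, b"\x00")


if __name__ == "__main__":
    print(parse_login_proof(sample_packet()))
```

With this layout the password is readable by anything on the network path, so it only suits a loopback setup like the 127.0.0.1 redirect the tool is configured for.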