dh key

03/19/2014 11:00 kakamankoko#1
I'm using this code to get the DH key in Proxy Paradise:
Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Runtime.InteropServices;
using OpenSSL;

namespace ProxyParadise.Cryptography
{
    // Client -> server half of the exchange: 7 pad bytes, u32 length, i32 junk length,
    // junk, then the client's public key as a length-prefixed ASCII hex string.
    public class ClientDHPacket
    {
        public string Client_PubKey;
        int JunkLength;
        public ClientDHPacket(byte[] Packet)
        {
            MemoryStream MS = new MemoryStream(Packet);
            BinaryReader BR = new BinaryReader(MS);
            BR.ReadBytes(7);//JUNK (pad)
            BR.ReadUInt32();//Length
            JunkLength = BR.ReadInt32();
            // A negative or oversized value here means the pad offsets above do not match this build
            if (JunkLength < 0 || JunkLength > MS.Length - MS.Position)
                throw new InvalidDataException("JunkLength=" + JunkLength + " read at offset 11 is out of range");
            BR.ReadBytes(JunkLength);
            Client_PubKey = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            BR.Close();
            MS.Close();
        }
        // Overwrites the key bytes in place; the length prefix is not rewritten,
        // so NewKey must be exactly as long as the key that was parsed.
        public void Edit(byte[] Packet, string NewKey)
        {
            if (NewKey.Length != Client_PubKey.Length)
                throw new ArgumentException("NewKey must keep the original key length", "NewKey");
            MemoryStream MS = new MemoryStream(Packet);
            BinaryWriter BW = new BinaryWriter(MS);
            BW.Seek(19 + JunkLength, SeekOrigin.Begin);//7 pad + 4 length + 4 junk length + junk + 4 key length
            BW.Write(Encoding.ASCII.GetBytes(NewKey));
            BW.Close();
            MS.Close();
        }
    }
    // Server -> client half: 11 pad bytes, u32 length, junk length, junk, two
    // length-prefixed IVs, then P, G and the server public key as ASCII hex.
    public class ServerDHPacket
    {
        public byte[] ServerIV;
        public byte[] ClientIV;
        public string P;
        public string G;
        public string Server_PubKey;
        int JunkLength;

        public ServerDHPacket(byte[] Packet)
        {
            MemoryStream MS = new MemoryStream(Packet);
            BinaryReader BR = new BinaryReader(MS);
            BR.ReadBytes(11);//JUNK (pad)
            BR.ReadUInt32();//Length - like I care about it
            JunkLength = BR.ReadInt16();//2-byte read; note that the Edit() offset below (55 + ...) assumes a 4-byte junk-length field
            // A negative or oversized value here means the pad offsets above do not match this build
            if (JunkLength < 0 || JunkLength > MS.Length - MS.Position)
                throw new InvalidDataException("JunkLength=" + JunkLength + " read at offset 15 is out of range");
            BR.ReadBytes(JunkLength);//JUNK length
            ServerIV = BR.ReadBytes(BR.ReadInt32());
            ClientIV = BR.ReadBytes(BR.ReadInt32());
            P = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            G = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            Server_PubKey = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            BR.Close();
            MS.Close();
        }

        // Overwrites the server public key in place; EditedPubKey must keep the parsed key's length
        public void Edit(byte[] Packet, string EditedPubKey)
        {
            if (EditedPubKey.Length != Server_PubKey.Length)
                throw new ArgumentException("EditedPubKey must keep the original key length", "EditedPubKey");
            MemoryStream MS = new MemoryStream(Packet);
            BinaryWriter BW = new BinaryWriter(MS);
            BW.Seek(55 + JunkLength + P.Length + G.Length, SeekOrigin.Begin);//11 + 4 + 4 + junk + 2 * (4 + 8) + 4 + P + 4 + G + 4
            BW.Write(Encoding.ASCII.GetBytes(EditedPubKey));
            BW.Close();
            MS.Close();
        }
    }

}
but I get this error: "Non-negative number required. Parameter name: count"

at
Code:
BR.ReadBytes(JunkLength);//JUNK length
03/19/2014 11:47 Aceking#2
Well JunkLength is assigned by reading the next 2 bytes (a short) starting at offset 16.

Judging by your error, it is either being assigned no number at all, or a negative number.
03/19/2014 12:05 kakamankoko#3
Quote:
Originally Posted by Aceking View Post
Well JunkLength is assigned by reading the next 2 bytes (a short) starting at offset 16.

Judging by your error, it is either being assigned no number at all, or a negative number.
It's a negative number, but how do I fix it?
03/19/2014 12:15 Aceking#4
Breakpoint it, see what value is being pushed to it.

If it is a negative number, then that value is coming from the server. So you are either looking at the wrong offsets or the server is sending the wrong values.
03/19/2014 12:34 Benzaldehyde#5
Quote:
Originally Posted by Aceking View Post
Breakpoint it, see what value is being pushed to it.

If it is a negative number, then that value is coming from the server. So you are either looking at the wrong offsets or the server is sending the wrong values.
If I recall correctly, the last time I offhandedly tried to compile the Proxy Paradise source, the JunkByte function was returning something like "-10002398472". It's rather outdated, and the first thing that needs to be done is to have all of the offsets patched. Also, I doubt he knows how to place a breakpoint (correct me if I'm wrong, but I'm going to go ahead and take that liberty).

To OP:
TL;DR the addresses are wrong, fix them first.
03/19/2014 13:33 Aceking#6
Quote:
Originally Posted by Benzaldehyde View Post
If I recall correctly, the last time I offhandedly tried to compile the Proxy Paradise source, the JunkByte function was returning something like "-10002398472". It's rather outdated, and the first thing that needs to be done is to have all of the offsets patched. Also, I doubt he knows how to place a breakpoint (correct me if I'm wrong, but I'm going to go ahead and take that liberty).

To OP:
TL;DR the addresses are wrong, fix them first.
Could be quite right there. I have a working proxy paradise but its for a lower patch and uses blowfish.
03/19/2014 19:22 kakamankoko#7
Quote:
Originally Posted by Benzaldehyde View Post
If I recall correctly, the last time I offhandedly tried to compile the Proxy Paradise source, the JunkByte function was returning something like "-10002398472". It's rather outdated, and the first thing that needs to be done is to have all of the offsets patched. Also, I doubt he knows how to place a breakpoint (correct me if I'm wrong, but I'm going to go ahead and take that liberty).

To OP:
TL;DR the addresses are wrong, fix them first.
I'm using it on another server (patch 5830) and it's working perfectly; I edited most of the packets and added aimbot/NPC action and many other features. But when I try to use it on another server I get that error. I'm kinda good at C#, but not at C# networking, so if you have time, please be kind and tell me what offsets I need to edit and where I can find them in Proxy Paradise. If you don't, thank you anyway.
03/19/2014 21:57 Aceking#8
Quote:
Originally Posted by kakamankoko View Post
I'm using it on another server (patch 5830) and it's working perfectly; I edited most of the packets and added aimbot/NPC action and many other features. But when I try to use it on another server I get that error. I'm kinda good at C#, but not at C# networking, so if you have time, please be kind and tell me what offsets I need to edit and where I can find them in Proxy Paradise. If you don't, thank you anyway.
The reason it isn't working is because the offsets probably changed. So the value you are reading for junkbytes isn't correct.

Code:
            BR.ReadBytes(11);//JUNK
            BR.ReadUInt32();//Length - Like i care of it
            JunkLength = BR.ReadInt16();
            BR.ReadBytes(JunkLength);//JUNK length
On the above, the first line reads 11 bytes, so it is offsets 0-10.
The second reads 4 bytes as an int, so it reads 11-14.
Then it assigns JunkLength from offsets 15-16.
And then whatever value is assigned to junklength, it reads next.

Your problem is the fact that offsets 15 and 16 don't contain the necessary value.
You need to find the correct offsets for the values, and then change the first line so the reader will read the correct offsets when it reaches them.

Find a public source for the patch you are targeting to find the offsets you need.
Or, use what you currently have to dump the offsets, and then determine what offsets you need.
Little bit of work, but not impossible.
03/20/2014 16:59 kakamankoko#9
Quote:
Originally Posted by Aceking View Post
The reason it isn't working is because the offsets probably changed. So the value you are reading for junkbytes isn't correct.

Code:
            BR.ReadBytes(11);//JUNK
            BR.ReadUInt32();//Length - Like i care of it
            JunkLength = BR.ReadInt16();
            BR.ReadBytes(JunkLength);//JUNK length
On the above, the first line reads 11 bytes, so it is offsets 0-10.
The second reads 4 bytes as an int, so it reads 11-14.
Then it assigns JunkLength from offsets 15-16.
And then whatever value is assigned to junklength, it reads next.

Your problem is the fact that offsets 15 and 16 don't contain the necessary value.
You need to find the correct offsets for the values, and then change the first line so the reader will read the correct offsets when it reaches them.

Find a public source for the patch you are targeting to find the offsets you need.
Or, use what you currently have to dump the offsets, and then determine what offsets you need.
Little bit of work, but not impossible.
That's the server-side DH key code:
Code:
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using Org.BouncyCastle.Crypto.Digests;
using Org.BouncyCastle.Utilities.Encoders;
using CO2_CORE_DLL.Security.Cryptography;

namespace Conquer_Online_Server.Network.GamePackets
{
    public static class DHKeyExchange
    {
        public class ServerKeyExchange
        {
            DiffieHellman _keyExchange;
            byte[] _serverIv;
            byte[] _clientIv;

            public byte[] CreateServerKeyPacket()
            {
                _clientIv = new byte[8];
                _serverIv = new byte[8];
                string P = "E7A69EBDF105F2A6BBDEAD7E798F76A209AD73FB466431E2E7352ED262F8C558F10BEFEA977DE9E21DCEE9B04D245F300ECCBBA03E72630556D011023F9E857F";
                string G = "05";
                _keyExchange = new DiffieHellman(P, G);
                return GeneratePacket(_serverIv, _clientIv, P, G, _keyExchange.GenerateRequest());
            }
            // Key derivation: k1 = hex(md5(secret)); key = k1 + hex(md5(k1 + k1)), 64 hex chars.
            public Cryptography.GameCryptography HandleClientKeyPacket(string PublicKey, Cryptography.GameCryptography cryptographer)
            {
                _keyExchange.HandleResponse(PublicKey);
                byte[] data = _keyExchange.ToBytes();
                var md5 = new MD5Digest();
                var firstRun = new byte[md5.GetDigestSize() * 2];
                // Hashes the shared secret only up to its first zero byte (treated as a NUL-terminated string)
                md5.BlockUpdate(data, 0, data.TakeWhile(x => x != 0).Count());
                md5.DoFinal(firstRun, 0);//firstRun[0..15] = md5(secret); DoFinal resets the digest
                Array.Copy(firstRun, 0, firstRun, md5.GetDigestSize(), md5.GetDigestSize());//duplicate it into [16..31]
                var n = Hex.Encode(firstRun);//64 lowercase hex chars: k1 + k1
                md5.BlockUpdate(n, 0, n.Length);
                md5.DoFinal(firstRun, md5.GetDigestSize());//firstRun[16..31] = md5(k1 + k1)
                byte[] key = Hex.Encode(firstRun);//64-char ASCII session key
                cryptographer.SetKey(key);
                cryptographer.SetIvs(_clientIv, _serverIv);
                return cryptographer;
            }
            // Layout: pad[11] | u32 length (everything after the pad) | u32 junk length | junk[12]
            //         | u32 + IV | u32 + IV | u32 + P | u32 + G | u32 + server public key | "TQServer"
            // Note the parameter order: the IV passed as ServerIV2 (_clientIv above) is written first.
            public byte[] GeneratePacket(byte[] ServerIV1, byte[] ServerIV2, string P, string G, string ServerPublicKey)
            {
                int PAD_LEN = 11;
                int _junk_len = 12;
                string tqs = "TQServer";
                MemoryStream ms = new MemoryStream();
                byte[] pad = new byte[PAD_LEN];
                Kernel.Random.NextBytes(pad);
                byte[] junk = new byte[_junk_len];
                Kernel.Random.NextBytes(junk);
                int size = 47 + P.Length + G.Length + ServerPublicKey.Length + 12 + 8 + 8;//total length, pad included
                BinaryWriter bw = new BinaryWriter(ms);
                bw.Write(pad);
                bw.Write(size - PAD_LEN);//4-byte length field
                bw.Write((UInt32)_junk_len);//4-byte junk length field
                bw.Write(junk);
                bw.Write((UInt32)ServerIV2.Length);
                bw.Write(ServerIV2);
                bw.Write((UInt32)ServerIV1.Length);
                bw.Write(ServerIV1);
                bw.Write((UInt32)P.ToCharArray().Length);
                foreach (char fP in P.ToCharArray())
                {
                    bw.BaseStream.WriteByte((byte)fP);
                }
                bw.Write((UInt32)G.ToCharArray().Length);
                foreach (char fG in G.ToCharArray())
                {
                    bw.BaseStream.WriteByte((byte)fG);
                }
                bw.Write((UInt32)ServerPublicKey.ToCharArray().Length);
                foreach (char SPK in ServerPublicKey.ToCharArray())
                {
                    bw.BaseStream.WriteByte((byte)SPK);
                }
                foreach (char tq in tqs.ToCharArray())
                {
                    bw.BaseStream.WriteByte((byte)tq);
                }
                byte[] Packet = ms.ToArray();
                ms.Close();
                return Packet;
            }
        }
    }
}
I tried to make the number in the first offset anything from 11 to 18, but no luck, and what I can figure out from this code is that it should be 12 ("int _junk_len = 12;"),
but still the same problem. I think the owner of the server that I'm trying to bot on changed this, so how do I log it? Is there any packet for this to log or something, and if there is, what is this packet ID?
03/20/2014 20:24 Aceking#10
The code you already posted is reading the packet....
Code:
        public ServerDHPacket(byte[] Packet)
        {
            MemoryStream MS = new MemoryStream(Packet);
            BinaryReader BR = new BinaryReader(MS);
            BR.ReadBytes(11);//JUNK
            BR.ReadUInt32();//Length - Like i care of it
            JunkLength = BR.ReadInt16();
            BR.ReadBytes(JunkLength);//JUNK length
            ServerIV = BR.ReadBytes(BR.ReadInt32());
            ClientIV = BR.ReadBytes(BR.ReadInt32());
            P = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            G = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            Server_PubKey = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
            BR.Close();
            MS.Close();
        }
With some modifications you could easily dump the entire packet and then analyze it for what you need.
However I think this is a little out of your skillset.

But proxy paradise already has a method for dumping packets so maybe you can just use that.
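The dump-and-analyze approach suggested in the last three posts, worked through as an added example (Python, not Proxy Paradise or server code). It builds a packet with exactly the field order the posted GeneratePacket() writes, parses it with bounds checks so a wrong pad length fails with a message instead of "Non-negative number required", and finds the pad length by trying candidates until every length prefix, the hex fields and the "TQServer" trailer are consistent. The sample packet is constructed, not captured; the junk and IV size bounds, the uppercase hex key and the pad search range are assumptions.

```python
"""Locate and parse the server DH-exchange packet from the posted layout."""
import struct

TRAILER = b"TQServer"  # written after the server public key by the posted server code
# P from the posted server source; G there is "05"
SAMPLE_P = ("E7A69EBDF105F2A6BBDEAD7E798F76A209AD73FB466431E2E7352ED262F8C558"
            "F10BEFEA977DE9E21DCEE9B04D245F300ECCBBA03E72630556D011023F9E857F")


class PacketError(ValueError):
    """A length prefix or field does not fit the packet."""


class Reader:
    """Bounds-checked little-endian reader; a misaligned prefix raises here
    instead of reaching ReadBytes() with a negative count."""

    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos

    def u32(self):
        if self.pos + 4 > len(self.data):
            raise PacketError("truncated u32 at offset %d" % self.pos)
        (value,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return value

    def blob(self, size, limit=1024):  # limit is an assumed plausibility bound
        if size > limit or self.pos + size > len(self.data):
            raise PacketError("implausible length %d at offset %d" % (size, self.pos))
        value = self.data[self.pos:self.pos + size]
        self.pos += size
        return value

    def hexfield(self):
        """Length-prefixed ASCII hex string (P, G and the public key)."""
        start = self.pos
        raw = self.blob(self.u32())
        try:
            text = raw.decode("ascii")
            int(text, 16)
        except (UnicodeDecodeError, ValueError):
            raise PacketError("field at offset %d is not ASCII hex" % start) from None
        return text


def build_server_packet(pad, junk, iv_first, iv_second, p_hex, g_hex, pub_hex):
    """Field order of the posted GeneratePacket(): pad, u32 length of everything
    after the pad, u32 junk length, junk, two length-prefixed IVs, then P, G and
    the server public key as ASCII, then 'TQServer'.  The posted server writes
    its ServerIV2 argument first; the proxy reader calls that slot ServerIV."""
    body = struct.pack("<I", len(junk)) + junk
    for iv in (iv_first, iv_second):
        body += struct.pack("<I", len(iv)) + iv
    for text in (p_hex, g_hex, pub_hex):
        raw = text.encode("ascii")
        body += struct.pack("<I", len(raw)) + raw
    body += TRAILER
    return pad + struct.pack("<I", 4 + len(body)) + body


def parse_server_packet(data, pad_len):
    """Parse with a given pad length; every field is validated so a wrong pad_len
    fails loudly.  'pub_offset' is the absolute offset of the key bytes, which is
    what the proxy's Edit() overwrites."""
    r = Reader(data, pad_len)
    if r.u32() != len(data) - pad_len:
        raise PacketError("length field does not match packet size")
    junk_len = r.u32()
    if junk_len > 64:  # assumed bound; the posted server uses 12
        raise PacketError("junk length %d is implausible" % junk_len)
    r.blob(junk_len)
    fields = {"iv1": r.blob(r.u32(), limit=16), "iv2": r.blob(r.u32(), limit=16)}
    fields["P"] = r.hexfield()
    fields["G"] = r.hexfield()
    fields["pub_offset"] = r.pos + 4  # skip the key's own length prefix
    fields["server_pub"] = r.hexfield()
    if r.blob(len(TRAILER)) != TRAILER or r.pos != len(data):
        raise PacketError("trailer missing or trailing bytes present")
    return fields


def locate_pad(data, max_pad=32):
    """Try each pad length and return the first fully consistent parse; this
    replaces editing the magic 11 by hand."""
    for pad_len in range(max_pad + 1):
        try:
            return pad_len, parse_server_packet(data, pad_len)
        except PacketError:
            continue
    raise PacketError("no pad length up to %d gives a consistent packet" % max_pad)


def sample_packet(pad_len, junk_len=12):
    """Constructed sample, not a capture: fixed filler pad and junk, zero IVs as in
    the posted server, P and G from the posted source, a made-up public key."""
    return build_server_packet(b"\xAA" * pad_len, b"\x55" * junk_len, bytes(8), bytes(8),
                               SAMPLE_P, "05", "1F" * 64)


if __name__ == "__main__":
    pad_len, fields = locate_pad(sample_packet(11))
    print("pad %d bytes, public key at offset %d" % (pad_len, fields["pub_offset"]))
```

Feed a captured packet to locate_pad() instead of sample_packet(); for the posted layout with a 12-byte junk block, a 128-digit P and a 2-digit G it reports the key at offset 197, which is the 55 + JunkLength + P.Length + G.Length that the proxy's Edit() seeks to.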
03/20/2014 21:03 pro4never#11
It all depends on the patch you are targeting.

Encryption has changed a few times and the exchange process is different in some newer patches. Sounds like you have some good help already though and I have zero clue about later patches. Best of luck though.

<EDIT>

You just said you are using it on a different server... You need to pull the encryption key the server is using (from conquer.exe) or you will have problems.

If you don't have the proper public key then you're not going to be able to intercept/spoof the exchange process.
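The intercept/spoof step the previous post refers to, as an added example (Python; not Proxy Paradise or server code): a proxy sitting in the exchange replaces each side's public key with its own, which is what the posted ClientDHPacket.Edit and ServerDHPacket.Edit do, and ends up holding one key shared with the client and another shared with the server. P and G are the values from the posted server source and derive_key() follows its HandleClientKeyPacket(); how the shared secret is turned into bytes before hashing (uppercase hex ASCII, like the P string) and the random-number source are assumptions.

```python
"""DH exchange with a key-substituting proxy in the middle."""
import hashlib
import random
import secrets

P_HEX = ("E7A69EBDF105F2A6BBDEAD7E798F76A209AD73FB466431E2E7352ED262F8C558"
         "F10BEFEA977DE9E21DCEE9B04D245F300ECCBBA03E72630556D011023F9E857F")
G_HEX = "05"


def derive_key(shared_secret_hex):
    """Posted derivation: k1 = hex(md5(secret)); key = k1 + hex(md5(k1 + k1)).
    The posted code hashes the secret bytes up to the first NUL; ASCII hex has none."""
    first = hashlib.md5(shared_secret_hex.encode("ascii")).digest()
    inner = (first + first).hex()          # Hex.Encode of the digest copied twice
    second = hashlib.md5(inner.encode("ascii")).digest()
    return (first + second).hex()          # 64 lowercase hex chars


def fit_width(pub_hex, width):
    """Edit() overwrites the key bytes in place and leaves the length prefix alone,
    so a substitute key must be exactly as wide as the original."""
    if len(pub_hex) > width:
        raise ValueError("substitute key is wider than the slot")
    return pub_hex.rjust(width, "0")


class Party:
    """One DH participant over the thread's P and G."""

    def __init__(self, p, g, rng):
        self.p = p
        self.priv = rng.randrange(2, p - 1)
        self.pub_hex = "%X" % pow(g, self.priv, p)   # assumed encoding: uppercase hex

    def secret_hex(self, peer_pub_hex):
        return "%X" % pow(int(peer_pub_hex, 16), self.priv, self.p)


def run_exchange(seed=None):
    """Returns the keys each endpoint derives and the keys the proxy derives for
    each leg.  seed is for reproducible tests only; real use takes the default."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    p, g = int(P_HEX, 16), int(G_HEX, 16)
    server, client = Party(p, g, rng), Party(p, g, rng)

    # The proxy sees both original keys (ServerDHPacket / ClientDHPacket parse them
    # before Edit() runs) and needs a key pair whose public key fits both slots.
    slot = min(len(server.pub_hex), len(client.pub_hex))
    proxy = Party(p, g, rng)
    while len(proxy.pub_hex) > slot:
        proxy = Party(p, g, rng)

    # 1. server -> proxy -> client: ServerDHPacket with the server key swapped out
    server_pub_seen_by_client = fit_width(proxy.pub_hex, len(server.pub_hex))
    # 2. client -> proxy -> server: ClientDHPacket with the client key swapped out
    client_pub_seen_by_server = fit_width(proxy.pub_hex, len(client.pub_hex))

    return {
        "client_key": derive_key(client.secret_hex(server_pub_seen_by_client)),
        "server_key": derive_key(server.secret_hex(client_pub_seen_by_server)),
        "proxy_client_key": derive_key(proxy.secret_hex(client.pub_hex)),
        "proxy_server_key": derive_key(proxy.secret_hex(server.pub_hex)),
    }


if __name__ == "__main__":
    keys = run_exchange()
    print("client leg matches:", keys["client_key"] == keys["proxy_client_key"])
    print("server leg matches:", keys["server_key"] == keys["proxy_server_key"])
```

The two legs deliberately end with different keys: the proxy decrypts client traffic with one and re-encrypts for the server with the other, which is why the proxy needs its own key pair rather than just the original public keys. The width check matters in practice because the packet's length prefix is never rewritten; a substitute key one hex digit longer than the parsed one would corrupt the fields after it.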
03/20/2014 21:31 kakamankoko#12
Quote:
Originally Posted by pro4never View Post
It all depends on the patch you are targeting.

Encryption has changed a few times and the exchange process is different in some newer patches. Sounds like you have some good help already though and I have zero clue about later patches. Best of luck though.

<EDIT>

You just said you are using it on a different server... You need to pull the encryption key the server is using (from conquer.exe) or you will have problems.

If you don't have the proper public key then you're not going to be able to intercept/spoof the exchange process.
The key from conquer.exe is: TQClient TQServer C238xs65pjy7HU9Q

so what should i do after this ?
03/20/2014 21:57 Aceking#13
There will be a variable in the proxy that is already storing this value. You need to replace it with what you posted above.
03/20/2014 22:12 kakamankoko#14
Quote:
Originally Posted by Aceking View Post
There will be a variable in the proxy that is already storing this value. You need to replace it with what you posted above.
That's the first thing I did when I got it, but still the same problem. I don't know how to thank you guys for replying!