MsgAccount encryption

04/03/2021 20:47 asaadmohammed74#1
I'm trying to port my private server's clientless bot to the official game.
My problem is MsgAccount (1942). This is a sample packet sent from the client to the server:

Code:
00000000  D8 01 96 07 C1 38 07 C8 E7 E5 E0 AB 44 E8 C2 64  Ø.–.Á8.Èçåà«DèÂd
00000016  DD EF 3A B4 BD 65 11 A2 4C 0D 41 C8 09 57 1A BF  Ýï:´½e.¢L.AÈ.W.¿
00000032  D7 4E B7 D1 33 C2 39 58 F9 73 10 F2 3E BB 19 DD  ×N·Ñ3Â9Xùs.ò>».Ý
00000048  30 A6 38 5E 35 F4 F3 FF 7B 27 61 0C DF 41 43 DA  0¦8^5ôóÿ{'a.ßACÚ
00000064  00 F0 B8 FF 55 A9 72 65 86 CA 3B 0D 17 48 C4 23  .ð¸ÿU©re†Ê;..HÄ#
00000080  F9 BE 95 B0 4D F8 59 53 F9 73 10 F2 3E BB 19 DD  ù¾•°MøYSùs.ò>».Ý
00000096  30 A6 38 5E F9 73 10 F2 3E BB 19 DD 30 A6 38 5E  0¦8^ùs.ò>».Ý0¦8^
00000112  09 57 1A BF D7 4E B7 D1 33 C2 39 58 F9 73 10 F2  .W.¿×N·Ñ3Â9Xùs.ò
00000128  3E BB 19 DD 30 A6 38 5E 26 AE 96 90 73 22 FE CA  >».Ý0¦8^&®–.s"þÊ
00000144  FE E3 EA 67 16 53 C8 81 AC 38 E8 CA 19 79 05 1B  þãêg.SÈ.¬8èÊ.y..
00000160  7C 95 43 B5 7D DA DF 00 3C 4A 5D FF 75 12 D4 C3  |•Cµ}Úß.<J]ÿu.ÔÃ
00000176  2A 32 5F EC 24 5B 52 26 F1 D5 DC 72 78 11 F4 5E  *2_ì$[R&ñÕÜrx.ô^
00000192  15 E2 C5 A2 AD 10 8B 90 59 36 62 AF 38 4D 5E A8  .âÅ¢..‹.Y6b¯8M^¨
00000208  29 47 49 98 56 6F D6 B9 C9 40 1F 18 2A D7 6C 76  )GI˜VoÖ¹É@..*×lv
00000224  23 F0 9E 24 64 AC BB BC D7 EE A9 4A A4 7D FB 8C  #ðž$d¬»¼×î©J¤}ûŒ
00000240  40 5F 75 D4 8B 74 8F 33 99 AE 8F 06 E7 60 F2 71  @_uÔ‹t.3™®..ç`òq
00000256  F9 73 10 F2 3E BB 19 DD 30 A6 38 5E F9 73 10 F2  ùs.ò>».Ý0¦8^ùs.ò
00000272  3E BB 19 DD 30 A6 38 5E F9 73 10 F2 3E BB 19 DD  >».Ý0¦8^ùs.ò>».Ý
00000288  30 A6 38 5E F9 73 10 F2 3E BB 19 DD 30 A6 38 5E  0¦8^ùs.ò>».Ý0¦8^
00000304  F9 73 10 F2 3E BB 19 DD 30 A6 38 5E F9 73 10 F2  ùs.ò>».Ý0¦8^ùs.ò
00000320  3E BB 19 DD 30 A6 38 5E F9 73 10 F2 3E BB 19 DD  >».Ý0¦8^ùs.ò>».Ý
00000336  30 A6 38 5E 37 A2 84 1E 4C 20 16 ED 16 9E C8 2F  0¦8^7¢„.L .í.žÈ/
00000352  36 F1 D5 95 F9 5C 87 57 A2 87 FF F2 29 15 BB 4F  6ñÕ•ù\‡W¢‡ÿò).»O
00000368  92 82 FC 1B 0C 9A AF 10 06 1E D7 12 50 52 D9 D4  ’‚ü..š¯...×.PRÙÔ
00000384  F0 D1 B0 F0 8A 5F FD BD C3 9E 4C C7 F0 1B F6 30  ðѰðŠ_ý½ÃžLÇð.ö0
00000400  35 B4 FE FD F0 A7 D4 10 52 F4 BB DD 5B 3E A5 45  5´þýð§Ô.Rô»Ý[>¥E
00000416  46 61 55 D0 19 38 80 1E 07 1E 28 E5 87 48 09 1D  FaUÐ.8€...(å‡H..
00000432  87 70 B7 0B 2B C5 DE 10 68 C7 21 81 BD 45 44 AE  ‡p·.+ÅÞ.hÇ!.½ED®
00000448  5F 48 A7 7B 33 7A 2F 6E 23 23 0C 2F E4 95 E2 56  _H§{3z/n##./ä•âV
00000464  A6 74 F7 EB FD C2 66 E9                          ¦t÷ëýÂfé
Anyway, this is the same packet before being encrypted:

Code:
00000000  D8 01 96 07 00 00 00 00 41 41 41 41 41 41 41 41  Ø.–.....AAAAAAAA
00000016  41 00 32 32 00 00 00 00 09 00 00 00 0F 00 00 00  A.22............
00000032  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000048  00 00 00 00 00 00 00 00 0F 00 00 00 00 00 00 00  ................
00000064  D0 21 A8 0D 00 00 00 00 00 00 00 00 00 00 00 00  Ð!¨.............
00000080  11 00 00 00 1F 00 00 00 00 00 00 00 00 00 00 00  ................
00000096  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000112  0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000128  00 00 00 00 00 00 00 00 43 68 61 6D 70 69 6F 6E  ........Champion
00000144  73 5F 45 55 00 01 8B 01 0C 00 00 00 0F 00 00 00  s_EU..‹.........
00000160  28 2C 1F 0C 68 95 B4 13 A8 D7 4D 11 70 17 00 00  (,..h•´.¨×M.p...
00000176  00 00 00 00 00 00 00 00 30 30 31 39 39 39 37 35  ........00199975
00000192  63 66 32 31 00 D0 65 E1 0C 00 00 00 0F 00 00 00  cf21.Ðeá........
00000208  81 B0 AF E5 25 D3 70 BD 1A A5 B4 F1 CC 1E AC 0D  .°¯å%Óp½.¥´ñÌ.¬.
00000224  05 31 30 00 00 00 00 00 00 E3 7B B4 4C 80 34 19  .10......ã{´L€4.
00000240  00 1C 3B 19 00 8C DB DE 00 02 00 00 00 28 3B 19  ..;..ŒÛÞ.....(;.
00000256  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000272  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000288  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000304  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000320  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000336  00 00 00 00 00 00 00 00 61 73 61 61 64 00 06 71  ........asaad..q
00000352  20 94 06 71 A8 92 06 01 05 00 00 00 0F 00 00 00   ”.q¨’..........
00000368  81 B0 AF E5 25 D3 70 BD 1A A5 B4 F1 CC 1E AC 0D  .°¯å%Óp½.¥´ñÌ.¬.
00000384  05 BF B2 E1 56 C9 8D 1C B9 AE F1 1D 74 C5 46 05  .¿²áVÉ..¹®ñ.tÅF.
00000400  41 41 AA 11 AB 64 39 27 BB F0 8C AE D4 DF 7F A3  AAª.«d9'»ðŒ®Ôß.£
00000416  DC 53 38 E9 9C D0 65 E1 D6 D8 D2 D8 03 DD 5F D5  ÜS8éœÐeáÖØÒØ.Ý_Õ
00000432  81 B0 AF E5 25 D3 70 BD 1A A5 B4 F1 CC 1E AC 0D  .°¯å%Óp½.¥´ñÌ.¬.
00000448  05 BF B2 E1 00 00 00 00 41 41 41 41 41 41 41 41  .¿²á....AAAAAAAA
00000464  41 00 32 32 00 00 00 00                          A.22....
The encryption is done with seed=0, username=AAAAAAAAA, password=asaad.

This is a block cipher, and it uses the seed sent from the server in packet (1059).

I tried RC5, but wasn't successful.

I can't find any info on this encryption, and it's not used in any private server.

Any help? I just need a push in the right direction. I don't need any code, maybe pseudocode.
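One property the two dumps above already show, added here as an example and not part of the post: past the 4-byte header (length and type, identical in both dumps) the encrypted packet repeats the same 12 ciphertext bytes wherever the plaintext has 12 zero bytes at the same alignment, which is the signature of a block cipher used without chaining (ECB-style) and is what lets an observer see packet structure through the encryption. The check below searches for the block size and header length under which the block-to-block mapping is consistent; it runs on the first 128 bytes of the dumps (copied from the post, truncation and function names are mine) and reports (12, 4) for this sample, saying nothing about which cipher or key is in use.

```python
# Checks a captured plaintext/ciphertext pair for deterministic (ECB-style) block
# encryption: same plaintext block -> same ciphertext block, distinct -> distinct.
# First 128 bytes of the two dumps in the post above (constructed by truncating
# them). Bytes 0-3 (D8 01 96 07: packet length and type) are identical in both.
CIPHERTEXT = bytes.fromhex(
    "D8019607C13807C8E7E5E0AB44E8C264DDEF3AB4BD6511A24C0D41C809571ABF"
    "D74EB7D133C23958F97310F23EBB19DD30A6385E35F4F3FF7B27610CDF4143DA"
    "00F0B8FF55A9726586CA3B0D1748C423F9BE95B04DF85953F97310F23EBB19DD"
    "30A6385EF97310F23EBB19DD30A6385E09571ABFD74EB7D133C23958F97310F2")
PLAINTEXT = bytes.fromhex(
    "D80196070000000041414141414141414100323200000000090000000F000000"
    "0000000000000000000000000000000000000000000000000F00000000000000"
    "D021A80D000000000000000000000000110000001F0000000000000000000000"
    "000000000000000000000000000000000F000000000000000000000000000000")


def blocks(data, header, size):
    """Yield (offset, block) for every complete block after the header."""
    for off in range(header, len(data) - size + 1, size):
        yield off, data[off:off + size]


def is_deterministic_layout(plain, cipher, header, size):
    """Consistent, injective block mapping with at least one repeated block."""
    fwd, rev, repeats = {}, {}, 0
    for (_, p), (_, c) in zip(blocks(plain, header, size),
                              blocks(cipher, header, size)):
        if p in fwd:
            repeats += 1
            if fwd[p] != c:          # same plaintext, different ciphertext
                return False
        elif c in rev:               # different plaintext, same ciphertext
            return False
        fwd[p], rev[c] = c, p
    return repeats > 0               # no repeats means no evidence either way


def find_ecb_layout(plain, cipher, max_size=32):
    """Smallest (block size, header length) behaving deterministically, else None.
    Smaller sizes are tried first, so multiples of the true size are not reported."""
    for size in range(4, max_size + 1):
        for header in range(size):
            if is_deterministic_layout(plain, cipher, header, size):
                return size, header
    return None


def repeated_blocks(cipher, header, size):
    """Ciphertext offsets grouped by identical block: the structure that leaks."""
    groups = {}
    for off, c in blocks(cipher, header, size):
        groups.setdefault(c.hex(), []).append(off)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

On this sample `find_ecb_layout(PLAINTEXT, CIPHERTEXT)` returns `(12, 4)`, and `repeated_blocks` shows the all-zero plaintext blocks at offsets 40, 88 and 100 sharing one ciphertext block and the `0F 00 00 00 ...` blocks at 28 and 112 sharing another.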
04/06/2021 00:35 Santa#2
Have you tried throwing the client into something like Ghidra or IDA? What version does your clientless bot target currently?
04/09/2021 08:26 asaadmohammed74#3
Quote:
Originally Posted by Santa View Post
Have you tried throwing the client into something like Ghidra or IDA? What version does your clientless bot target currently?
Sorry for the late reply.
Yes, I tried reversing the client, and what I found was that there is a function exported from TQPlat with ordinal number 55.
This function takes a buffer, buffer length, seed and username pointer, among other things.

It then fills the buffer with the unencrypted packet first, then it encrypts the buffer.

I couldn't reverse the TQPlat DLL because it uses some form of anti-tracing, so I can't single-step inside it, or it goes into an infinite loop until I stop.
04/09/2021 16:38 teroareboss1#4
Quote:
Originally Posted by asaadmohammed74 View Post
I'm trying to port my private server's clientless bot to the official game.
My problem is MsgAccount (1942). This is a sample packet sent from the client to the server:

Code: [encrypted packet dump, identical to the one in post #1 above]
Anyway, this is the same packet before being encrypted:

Code: [unencrypted packet dump, identical to the one in post #1 above]
The encryption is done with seed=0, username=AAAAAAAAA, password=asaad.

This is a block cipher, and it uses the seed sent from the server in packet (1059).

I tried RC5, but wasn't successful.

I can't find any info on this encryption, and it's not used in any private server.

Any help? I just need a push in the right direction. I don't need any code, maybe pseudocode.
They don't use RC5 or any other published crypto; it is a different crypto (I think only Ultimation reversed this).

The easy way is to search for the crypto address, and then you can bypass this.
04/09/2021 18:14 asaadmohammed74#5
Quote:
Originally Posted by teroareboss1 View Post
They don't use RC5 or any other published crypto; it is a different crypto (I think only Ultimation reversed this).

The easy way is to search for the crypto address, and then you can bypass this.
The problem is I can't reverse TQPlat.dll because of the anti-debugging: it detects the trap flag set by the debugger to single-step and goes into an infinite loop.