BOI Packet Encryption

07/29/2010 17:26 ms#1
I've made some research about the packet encryption used in this game and I thought I'd share them.

BOI uses a simple XOR-Algorithm. Each byte of a packet is being XORed with the value of the previous byte. The first byte of every packet indicates its length. Furthermore the first byte of the very first packet sent after the connection was established is being XORed with the value 0xCD.

Example:
Let's say the client sends this packet right after connecting to the server.
Code:
0x06 0xA7 0x57 0x04 0x01 0x41
Since this is the first packet sent by the client the first byte (0x06) gets XORed with 0xCD. The 2nd byte is XORed with the 1st byte, the 3rd one with the 2nd one and so on.
In the end the encrypted packet looks like this:
Code:
0xCB 0xA1 0xF0 0x53 0x05 0x40
Now imagine a second packet is sent:
Code:
0x03 0xAB 0x34
The first byte (0x03) is now XORed with 0x41 as the previous original packet ends with this byte. This leads to the following encrypted packet:
Code:
0x42 0xA8 0x9F

In C-Code the Encryption-Function would look like this:
Code:
unsigned char LastByte = 0xCD;	/* chaining value for a fresh connection */

void Encrypt(const unsigned char *src, unsigned char *dst, int len)
{
	for (int i = 0; i < len; i++)
	{
		dst[i] = src[i] ^ LastByte;	/* XOR with the previous plaintext byte */
		LastByte = src[i];		/* chain on the plaintext byte */
	}
}
... and the Decryption-Function:
Code:
unsigned char LastByte = 0xCD;	/* chaining value for a fresh connection */

void Decrypt(const unsigned char *src, unsigned char *dst, int len)
{
	for (int i = 0; i < len; i++)
	{
		dst[i] = src[i] ^ LastByte;	/* XOR with the previous plaintext byte */
		LastByte = dst[i];		/* the recovered byte is the next chain value */
	}
}
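As an added example (not code from the post or from the game), here is the same scheme with the chaining value kept in an explicit per-direction state instead of a global, run over the two sample packets above and checked against the ciphertext bytes given there. The `boi_xor_*` names and the state struct are my own; the only fixed value is the 0xCD start byte from the post, and since the chain depends only on that constant and on the plaintext itself there is no key anywhere in the transform.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Chaining state for one direction of a connection: starts at 0xCD and
   afterwards always holds the last plaintext byte that went through. */
typedef struct { uint8_t last; } boi_xor_state;

static void boi_xor_init(boi_xor_state *st) { st->last = 0xCD; }

/* Encrypt len bytes; the state carries the chain across packet boundaries. */
static void boi_xor_encrypt(boi_xor_state *st, const uint8_t *src, uint8_t *dst, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        dst[i] = src[i] ^ st->last;
        st->last = src[i];          /* chain on the plaintext byte */
    }
}

/* Decrypt is the same XOR, but the chain value is the byte just recovered. */
static void boi_xor_decrypt(boi_xor_state *st, const uint8_t *src, uint8_t *dst, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        dst[i] = src[i] ^ st->last;
        st->last = dst[i];
    }
}

/* Encrypt the post's two sample packets back to back, compare with the
   ciphertext it lists, and decrypt them again with a second, independent
   state as a receiver would. Returns 1 if every comparison matches. */
int boi_check_sample_packets(void)
{
    static const uint8_t p1[] = {0x06, 0xA7, 0x57, 0x04, 0x01, 0x41};
    static const uint8_t c1[] = {0xCB, 0xA1, 0xF0, 0x53, 0x05, 0x40};
    static const uint8_t p2[] = {0x03, 0xAB, 0x34};
    static const uint8_t c2[] = {0x42, 0xA8, 0x9F};
    uint8_t out[8], back[8];
    boi_xor_state enc, dec;
    boi_xor_init(&enc);
    boi_xor_init(&dec);

    boi_xor_encrypt(&enc, p1, out, sizeof p1);
    if (memcmp(out, c1, sizeof c1) != 0) return 0;
    boi_xor_decrypt(&dec, out, back, sizeof p1);
    if (memcmp(back, p1, sizeof p1) != 0) return 0;

    boi_xor_encrypt(&enc, p2, out, sizeof p2);      /* chain continues from 0x41 */
    if (memcmp(out, c2, sizeof c2) != 0) return 0;
    boi_xor_decrypt(&dec, out, back, sizeof p2);
    return memcmp(back, p2, sizeof p2) == 0;
}
```

Because both sides chain on plaintext, a receiver whose state is ever out of step (a dropped or reordered packet, or a decoder attached mid-stream) keeps producing wrong bytes until it is resynchronised from a known start.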
07/30/2010 07:58 woodyfly#2
In English it means.... ?
07/30/2010 08:17 FamousOnion#3
It means that you can decrypt BOI packets using the XOR swap algorithm and see what's in it...
07/30/2010 12:43 anthemsk8er#4
soooo nice
07/30/2010 16:40 ms#5
Correction:
It is not only the first byte of each packet that holds its length, but the first 4 bytes.
07/31/2010 16:30 gold_lust#6
Can You Teach Us The Way Step By Step?:D:D
07/31/2010 18:30 ProToPro#7
there is no way lol, he just said that encryption is weak and can be easily cracked into.. if u cant understand how to do it from what he wrote.. then give it up right away..
08/02/2010 18:20 .Law.#8
Disconnect made a proxy for BOI, just check the other thread, you wouldn't understand the
encrypt<->decrypt functions with your knowledge, also there's no point in trying to explain it step by step.
08/04/2010 16:19 blackmorpheus#9
Very nice find, I'll try to reverse engineer the packets, and make a packet bot.
08/04/2010 20:15 cr4zykid#10
just an idea ... try research on looting test with feather what packets u send / get and without and try to find a way to manually send those packets (when receive packet of dropped item auto send loot packet ...) im totally out of this only know my way @ AUTOIT ... but as i said just an idea ;)
08/09/2010 00:39 LemoniscooL#11
thanks man that relieves me a lot of work ^^
any ideas on what could be possible with the packets in BoI? actually im having a look at teleport walking and map teleport. the idea of auto loot without a feather is good, I'll have a look at it ^^

greetz
09/28/2011 11:55 Arco.#12
Does anyone know if this encryption is up to date?
09/28/2011 12:26 xAvengerx#13
when i attach WPE and begin recording packets nothing happens. no packets are being recorded. why?
09/28/2011 23:55 SuneC#14
Quote:
Originally Posted by xAvengerx
when i attach WPE and begin recording packets nothing happens. no packets are being recorded. why?
You need to check WSASend and WSARecv, not just send and recv.