[Release] Packet encryption / structure

10/20/2010 15:15 ZeroTen#1


=============================================
========= FANTASY TENNIS PACKET SYSTEM ========
============== by AnotherCoder ==============
=============================================


1. ENCRYPTION
2. PACKET STRUCTURE


Code:
[COLOR="Navy"]for(int i = 0; i < packet_size; i++)
{
    decrypted_packet[i] = encrypted_packet[i] ^ XOR_Table[(i&3)];
}
1. ENCRYPTION

The packet encryption of Fantasy Tennis is very simple, it is just a normal XOR encryption.
If you do not know what a XOR encryption is, or how to use it in your programming language,
look it up.
Here are some nice explanations: 
Exclusive or - Wikipedia, the free encyclopedia
Bitwise operation - Wikipedia, the free encyclopedia

I will not go any further into explaining what XOR is because most programmers have already used it,
and if you do not know what it is then I am sure that you will not understand anything of this thread anyway.
Okay so let us continue.

Fantasy Tennis uses a 4-byte XOR-table to encrypt their packets here is an example of how it works:

So let us say this is our encrypted packet buffer: 
{c6 89 7c 39 d3 9d 78}

and this is our XOR-table:
{a3, f1, 1d, 54}

then you have to decrypt the buffer like this:

c6 XOR a3 = 65
89 XOR f1 = 78
7c XOR 1d = 61
39 XOR 54 = 6d
d3 XOR a3 = 70
9d XOR f1 = 6c
78 XOR 1d = 65

the decrypted packet would be:

HEX: {65 78 61 6d 70 6c 65}
ASCII: example

packet[0] XOR table[0], packet[1] XOR table[1], packet[2] XOR table[2], 
packet[3] XOR table[3], packet[4] XOR table[0], packet[5] XOR table[1] ...

I hope you get what I mean ;) you use the first byte of the table to decrypt the first byte of the packet, then the second byte of the table to decrypt the second byte of the packet...and the fourth byte of the table to decrypt the fourth byte of the packet AND THEN the first byte of the table again, to decrypt the fifth byte of the packet and so on.

a C/C++ implementation would be:
that is all? Yes :) this is enough to decrypt the packets.

So you might be wondering, uhh? Where do I get the XOR-table from? Well good question.
Once you connect to a Fantasy Tennis server, regardless of whether it is a login or a gameserver, the server sends you an unencrypted packet which contains the XOR-tables. Tables? Yes 1 table for send and 1 table for recv ;)

I will give you an example, so well give me a few seconds to start FantasyTennis...
Ok this is the packet that I received:

00 00 00 00 9A FF 10 00 B8 35 14 9F F6 BA 09 78 04 00 00 00 00 00 00 00

B8 35 14 9F <- send XOR-table
F6 BA 09 78 <- recv XOR-table

after I received this packet from the server, the client sent this packet:

AA 67 5F 98 19 3A 03 9F D9 35 75 9F D9 35 75 9F D9 35 14 9F D9 54 75 FE D9 35 82 3F C9 37 14

So let us try to decrypt it with the XOR-table we have got:

Code:
[COLOR="Navy"]	unsigned char packet[] = {[COLOR="DarkRed"]0xAA, 0x67, 0x5F, 0x98, 0x19, 0x3A, 0x03, 0x9F, 0xD9, 0x35, 0x75, 0x9F, 0xD9, 0x35, 0x75, 0x9F, 0xD9, 0x35, 0x14, 0x9F, 0xD9, 0x54, 0x75, 0xFE, 0xD9, 0x35, 0x82, 0x3F, 0xC9, 0x37, 0x14[/COLOR]};
	unsigned char xor[] = {[COLOR="RoyalBlue"]0xB8, 0x35, 0x14, 0x9F[/COLOR]};

	for(int i = 0; i < 31; i++)
	{
		printf("%02x ", packet[i]^xor[(i&3)]);
	}[/COLOR]
Output: 12 52 4b 07 a1 0f 17 00 61 00 61 00 61 00 61 00 61 00 00 00 61 61 61 61 61 00 96 a0 71 02 00
ASCII : ↕ R K í ☼ ↨ a a a a a a a a a a û á q ☻

I logged in with aaaaa aaaaa, so yeah it worked :) the packet is decrypted, nice done.



2. PACKET STRUCTURE

2bytes [header1]
2bytes [header2]
2bytes [packetId]
2bytes [data_size]
x bytes [data] x = data_size

Example: Let us use the login packet from above

12 52 4b 07 a1 0f 17 00 61 00 61 00 61 00 61 00 61 00 00 00 61 61 61 61 61 00 96 a0 71 02 00


That is all :) you can now decrypt and encrypt the packets from send / recv and should be able to unterstand their structure.
You cannot edit or send your own packets yet because header1 and header2 differ between each packet and has to be built by yourself.

I will show you how to do that if this thread attracts enough skilled programmers who know what they do ;)

and do not forget to press the thanks button ;)
[/COLOR]

ZeroTen / AnotherCoder
10/20/2010 16:02 NikeAlex2#2
Goob job. Mal sehen, ob es irgendwer versteht. Bezweifle ich ;D

@off topic kurz
wie weit bist du mit pserver? kann dir keine pn schreiben --> voll


EDIT:
Quote:
Originally Posted by ZeroTen View Post
a C/C++ implementation would be:

Code:
[COLOR="Navy"]for(int i = 0; i < packet_size; i++)
{
    decrypted_packet[i] = encrypted_packet[i] ^ XOR_Table[(i&3)];
}[/COLOR]
For the VB Users this would be:
Code:
[COLOR="Blue"]For i As Integer = 0 To packet_size - 1
	decrypted_packet(i) = encrypted_packet(i) Xor XOR_Table((i And 3))
Next[/COLOR]
10/20/2010 17:31 †[Dr.±Stein]†#3
lol my poor head,i dont understand this language @.@ but however i give you a thank @.@
10/20/2010 19:29 Dakaj#4
Die, die es brauchen, werden es schon verstehen ;D
Hätte nie gedacht das es trotzdem so simple ist xD
Mich interesiert auch was nun mim Server ist =/

ps. deinen Thanks haste !
10/20/2010 19:47 NikeAlex2#5
Hoffentlich schaut Zero hier noch rein. :D

Naja der Grundstein ist simple. Das wird aber schon noch schwieriger
10/21/2010 19:46 Slaeghtor#6
Working...
10/22/2010 12:18 Fusel.#7
Quote:
Originally Posted by deforever View Post
lol my poor head,i dont understand this language @.@ but however i give you a thank @.@
This language is english :)
But i think you don't understand how this work :D


Un nein ich raffs auch nich, aber ich lass es lieber bevor ich hier dumme fragen stelle ô.o
10/22/2010 14:44 -impulse-#8
Quote:
Originally Posted by ZeroTen View Post
c6 XOR a3 = 65
89 XOR f1 = 78
7c XOR 1d = 61
39 XOR 54 = 6d
d3 XOR a1 = 70
9d XOR f1 = 6c
78 XOR 1d = 65
By your xor table it should be

d3 XOR a3 = 70

Though, well done. Private servers can now raise up :D.

Possible implementation of Fantasy Tennis cryptography (C#):
PHP Code:
using System;

namespace FantasyTennis.Networking
{
    public static class Cryptography
    {
        private static byte[] Keys = new byte[] { 0xa30xf10x1d0x54 };

        public static void Encrypt(byte[] buffer)
        {
            if(buffer == null || buffer.Length == 0)
                return;
            for (int count 0count buffer.Lengthcount++)
                buffer[count] ^= Keys[count 4];
        }
        public static void Decrypt(byte[] buffer)
        {
            Encrypt(buffer);
        }
    }
Also, I believe that the first 4 bytes sent in any packet are actually the time(timeGetTime). I'll do some research and update.
10/22/2010 15:21 ZeroTen#9
Quote:
Originally Posted by -impulse- View Post
By your xor table it should be

d3 XOR a3 = 70
Yeah you are right, I fixxed that, thanks.

Quote:
Originally Posted by -impulse- View Post
Also, I believe that the first 4 bytes sent in any packet are actually the time(timeGetTime). I'll do some research and update.
No it's not ;)
They build the first 2 bytes and the next 2 bytes in 2 different ways, they use a table and the data of the packet to build the bytes that is why they add the first 4 bytes at the end when the packet data is already written into the buffer.
10/22/2010 19:19 -impulse-#10
Quote:
Originally Posted by ZeroTen View Post
Yeah you are right, I fixxed that, thanks.


No it's not ;)
They build the first 2 bytes and the next 2 bytes in 2 different ways, they use a table and the data of the packet to build the bytes that is why they add the first 4 bytes at the end when the packet data is already written into the buffer.
Well, you know better than I do, so you might be right...
10/26/2010 18:24 .Alessa#11
Thank you^^ I think I understand now.. But one question: How can I see these packets?
10/26/2010 18:39 Lazeboy#12
Quote:
Originally Posted by Shannonfan View Post
Thank you^^ I think I understand now.. But one question: How can I see these packets?
Ich weiß nicht was du für Vorkenntnisse hasst, jedoch muss du Send und WSASend hooken und den buffer auslesen.
Bei Recv und WSARecv musst du die Funktion ersst durchlaufen lassen und dann den Buffer auslesen.
Achtung bei Recv und WSARecv ist der Return wert der funktion die length.
10/26/2010 19:17 .Alessa#13
Okay bisher habe ich noch gar keine Kenntnisse.. Wird aber mal Zeit, welche zu bekommen :D Ich werde mal danach googlen, vielen Dank.

€: Ohje, ob ich da zurecht finde... ich schau mal weiter...
10/26/2010 21:40 -impulse-#14
Might you people please use English for this thread only? At least this one...it is one I really understand...and it's really useful. I already managed to get to sniffing game server's ips and ports and the auth server(port 5894) sends them in the packet 4112.

Right now, I'm going to write a C# project to cover what I know so far.

I also found out that, every single server uses the exact same encryption.


**
I'd really be very thankful if Lazeboy or ZeroTen would pm me with their msns.

** EDIT
I do it as a proxy as, I can edit the auth server's ip so I make the client connect to my IP, I can then modify whatever comes and goes. When it comes to the part of the game server ports and ips, I modify the packet and set there my IP everywhere, keep the good ips, start listening on the ports I gave to the client, and whenever the client connects to a certain port, I know which ip is the good one to connect to the right game server. BTW, I've know a bug...and it's really awesome!