|
You last visited: Today at 12:16
Advertisement
Looking for Encryption function
Discussion on Looking for Encryption function within the Aura Kingdom forum part of the MMORPGs category.
07/31/2014, 07:57
|
#1
|
elite*gold: 0 
Join Date: Aug 2012
Posts: 15
Received Thanks: 0
|
Looking for Encryption function
Please help. I'm on NA. It's taking forever to find it myself.
|
|
|
|
07/31/2014, 11:23
|
#2
|
elite*gold: 0
Join Date: Jan 2012
Posts: 3
Received Thanks: 0
|
It'll be very good, If someone releases encryption function. Just encryption function, how to use it and decrypt I know, but reversing for it, here I don't have any experience 
|
|
|
|
|
07/31/2014, 15:29
|
#3
|
elite*gold: 0
Join Date: Aug 2009
Posts: 99
Received Thanks: 27
|
Encrypt what ? Packets ?
|
|
|
|
|
07/31/2014, 16:22
|
#4
|
elite*gold: 0
Join Date: Jan 2012
Posts: 3
Received Thanks: 0
|
Quote:
Originally Posted by nonowmana
Encrypt what ? Packets ?
|
Yes
|
|
|
|
|
08/01/2014, 21:34
|
#5
|
elite*gold: 1
Join Date: Apr 2010
Posts: 13,772
Received Thanks: 15,036
|
I am not sure but this could be the function 
Code:
char __cdecl sub_D86780(int a1, int a2, __m64 *a3, int a4)
{
int v4; // edx@1
__m64 *v5; // esi@1
int v6; // eax@1
int v7; // ebx@1
int v8; // edi@2
int v9; // ebp@2
int v10; // ecx@3
int v11; // edx@3
int v17; // edx@6
int v18; // eax@6
int v19; // edx@6
unsigned __int64 v20; // mm0@6
int v21; // ecx@6
__m64 i; // mm2@6
int v23; // edx@7
int v24; // edx@7
int v25; // edx@8
int v26; // eax@8
int v27; // edx@8
int v28; // ecx@8
__m64 v29; // mm1@8
int v30; // edx@8
int v31; // eax@8
int v32; // edx@8
__m64 v33; // mm2@8
int v34; // ecx@8
__m64 v35; // mm1@8
int v36; // edx@8
int v37; // eax@8
int v38; // edx@8
__m64 v39; // mm2@8
int v40; // ecx@8
__m64 v41; // mm1@8
int v42; // edx@8
int v43; // eax@8
int v44; // edx@8
__m64 v45; // mm2@8
int v46; // ecx@8
__m64 v47; // mm1@8
int v48; // edx@8
int v49; // eax@8
int v50; // edx@8
__m64 v51; // mm2@8
int v52; // ecx@8
__m64 v53; // mm1@8
int v54; // edx@8
int v55; // eax@8
int v56; // edx@8
__m64 v57; // mm2@8
int v58; // ecx@8
__m64 v59; // mm1@8
int v60; // edx@8
int v61; // edx@8
__m64 v62; // mm2@8
__m64 v63; // mm1@8
int v64; // edx@12
int v65; // edx@12
int v66; // ecx@12
int v67; // ebp@12
int v68; // edx@12
int v69; // edx@12
int v70; // ecx@12
int v71; // ebp@12
int v72; // edx@12
int v73; // edx@12
int v74; // ecx@12
int v75; // ebp@12
int v76; // edx@12
int v77; // ebp@12
int v78; // edx@15
char v79; // cl@17
char v80; // dl@18
char v81; // dl@18
char *v83; // [sp+18h] [bp+8h]@2
char *v84; // [sp+1Ch] [bp+Ch]@11
int v85; // [sp+20h] [bp+10h]@4
v4 = a2;
v5 = a3;
v6 = 0;
v7 = 0;
if ( a2 )
{
LOBYTE(v7) = *(_BYTE *)(a1 + 4);
v8 = a1 + 8;
v9 = a4 - (_DWORD)a3;
v83 = (char *)a3 + a2;
LOBYTE(v6) = *(_BYTE *)a1 + 1;
if ( *(_DWORD *)(a1 + 264) == -1 )
{
v79 = *(_BYTE *)(v8 + v6);
do
{
LOBYTE(v7) = v79 + v7;
v80 = *(_BYTE *)(v8 + v7);
*(_BYTE *)(v8 + v7) = v79;
*(_BYTE *)(v8 + v6) = v80;
LOBYTE(v6) = v6 + 1;
v81 = LOBYTE(v5->m64_u64) ^ *(_BYTE *)(v8 + (unsigned __int8)(v79 + v80));
v5 = (__m64 *)((char *)v5 + 1);
v79 = *(_BYTE *)(v8 + v6);
*((_BYTE *)v5 + v9 - 1) = v81;
}
while ( (unsigned int)v5 < (unsigned int)v83 );
goto LABEL_19;
}
v10 = *(_DWORD *)(v8 + 4 * v6);
v11 = v4 & 0xFFFFFFFC;
if ( v11 )
{
v85 = a4 - (_DWORD)a3;
if ( !(v11 & 0xFFFFFFF8) )
goto LABEL_23;
_EBP = &dword_1845E70;
__asm { bt dword ptr [ebp+0], 1Ah }
if ( _CF )
{
v9 = v85;
*(_DWORD *)(a1 + 4) = (char *)a3 + (v11 & 0xFFFFFFF8) - 8;
LOBYTE(v7) = v10 + v7;
v17 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v10;
*(_DWORD *)(v8 + 4 * v6) = v17;
v18 = (unsigned __int8)(v6 + 1);
v19 = (unsigned __int8)(v10 + (_BYTE)v17);
v20 = a3->m64_u64;
v21 = *(_DWORD *)(v8 + 4 * v18);
for ( i = _mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v19)); ; i = _mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v24)) )
{
LOBYTE(v7) = v21 + v7;
v25 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v21;
*(_DWORD *)(v8 + 4 * v18) = v25;
v26 = (unsigned __int8)(v18 + 1);
v27 = (unsigned __int8)(v21 + (_BYTE)v25);
v28 = *(_DWORD *)(v8 + 4 * v26);
LOBYTE(v7) = v28 + v7;
v29 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v27)), 8u);
v30 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v28;
*(_DWORD *)(v8 + 4 * v26) = v30;
v31 = (unsigned __int8)(v26 + 1);
v32 = (unsigned __int8)(v28 + (_BYTE)v30);
v33 = _m_pxor(_m_pxor(i, (__m64)v20), v29);
v34 = *(_DWORD *)(v8 + 4 * v31);
LOBYTE(v7) = v34 + v7;
v35 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v32)), 0x10u);
v36 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v34;
*(_DWORD *)(v8 + 4 * v31) = v36;
v37 = (unsigned __int8)(v31 + 1);
v38 = (unsigned __int8)(v34 + (_BYTE)v36);
v39 = _m_pxor(v33, v35);
v40 = *(_DWORD *)(v8 + 4 * v37);
LOBYTE(v7) = v40 + v7;
v41 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v38)), 0x18u);
v42 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v40;
*(_DWORD *)(v8 + 4 * v37) = v42;
v43 = (unsigned __int8)(v37 + 1);
v44 = (unsigned __int8)(v40 + (_BYTE)v42);
v45 = _m_pxor(v39, v41);
v46 = *(_DWORD *)(v8 + 4 * v43);
LOBYTE(v7) = v46 + v7;
v47 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v44)), 0x20u);
v48 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v46;
*(_DWORD *)(v8 + 4 * v43) = v48;
v49 = (unsigned __int8)(v43 + 1);
v50 = (unsigned __int8)(v46 + (_BYTE)v48);
v51 = _m_pxor(v45, v47);
v52 = *(_DWORD *)(v8 + 4 * v49);
LOBYTE(v7) = v52 + v7;
v53 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v50)), 0x28u);
v54 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v52;
*(_DWORD *)(v8 + 4 * v49) = v54;
v55 = (unsigned __int8)(v49 + 1);
v56 = (unsigned __int8)(v52 + (_BYTE)v54);
v57 = _m_pxor(v51, v53);
v58 = *(_DWORD *)(v8 + 4 * v55);
LOBYTE(v7) = v58 + v7;
v59 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v56)), 0x30u);
v60 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v58;
*(_DWORD *)(v8 + 4 * v55) = v60;
v6 = (unsigned __int8)(v55 + 1);
v61 = (unsigned __int8)(v58 + (_BYTE)v60);
v62 = _m_pxor(v57, v59);
v10 = *(_DWORD *)(v8 + 4 * v6);
v63 = _mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v61));
v7 = (unsigned __int8)v7;
_CF = (unsigned int)v5 < *(_DWORD *)(a1 + 4);
++v5;
if ( !_CF )
break;
LOBYTE(v7) = v10 + v7;
v23 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v10;
*(_DWORD *)(v8 + 4 * v6) = v23;
v18 = (unsigned __int8)(v6 + 1);
v24 = (unsigned __int8)(v10 + (_BYTE)v23);
v20 = v5->m64_u64;
*(unsigned __int64 *)((char *)&v5[-1].m64_u64 + v85) = (unsigned __int64)_m_pxor(v62, _m_psllq(v63, 0x38u));
v21 = *(_DWORD *)(v8 + 4 * v18);
}
*(unsigned __int64 *)((char *)&v5[-1].m64_u64 + v85) = (unsigned __int64)_m_pxor(v62, _m_psllq(v63, 0x38u));
_m_femms();
if ( (char *)v5 == v83 )
goto LABEL_19;
}
else
{
LABEL_23:
v84 = (char *)a3 + v11 - 4;
do
{
LOBYTE(v7) = v10 + v7;
v64 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v10;
*(_DWORD *)(v8 + 4 * v6) = v64;
LOBYTE(v6) = v6 + 1;
v65 = (unsigned __int8)(v10 + (_BYTE)v64);
v66 = *(_DWORD *)(v8 + 4 * v6);
v67 = *(_DWORD *)(v8 + 4 * v65);
LOBYTE(v7) = v66 + v7;
v68 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v66;
*(_DWORD *)(v8 + 4 * v6) = v68;
LOBYTE(v6) = v6 + 1;
v69 = (unsigned __int8)(v66 + (_BYTE)v68);
v67 = __ROR__(v67, 8);
v70 = *(_DWORD *)(v8 + 4 * v6);
v71 = *(_DWORD *)(v8 + 4 * v69) | v67;
LOBYTE(v7) = v70 + v7;
v72 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v70;
*(_DWORD *)(v8 + 4 * v6) = v72;
LOBYTE(v6) = v6 + 1;
v73 = (unsigned __int8)(v70 + (_BYTE)v72);
v71 = __ROR__(v71, 8);
v74 = *(_DWORD *)(v8 + 4 * v6);
v75 = *(_DWORD *)(v8 + 4 * v73) | v71;
LOBYTE(v7) = v74 + v7;
v76 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v74;
*(_DWORD *)(v8 + 4 * v6) = v76;
LOBYTE(v6) = v6 + 1;
v75 = __ROR__(v75, 8);
v77 = __ROR__(*(_DWORD *)(v8 + 4 * (unsigned __int8)(v74 + (_BYTE)v76)) | v75, 8);
_CF = (unsigned int)v5 < (unsigned int)v84;
*(_DWORD *)((char *)&v5->m64_u64 + v85) = LODWORD(v5->m64_u64) ^ v77;
v5 = (__m64 *)((char *)v5 + 4);
v10 = *(_DWORD *)(v8 + 4 * v6);
}
while ( _CF );
if ( (char *)v5 == v83 )
goto LABEL_19;
v9 = v85;
}
}
do
{
LOBYTE(v7) = v10 + v7;
v78 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v10;
*(_DWORD *)(v8 + 4 * v6) = v78;
LOBYTE(v6) = v6 + 1;
LOBYTE(v78) = LOBYTE(v5->m64_u64) ^ *(_DWORD *)(v8 + 4 * (unsigned __int8)(v10 + (_BYTE)v78));
v5 = (__m64 *)((char *)v5 + 1);
v10 = *(_DWORD *)(v8 + 4 * v6);
*((_BYTE *)v5 + v9 - 1) = v78;
}
while ( (unsigned int)v5 < (unsigned int)v83 );
LABEL_19:
LOBYTE(v6) = v6 - 1;
*(_DWORD *)(a1 + 4) = v7;
*(_BYTE *)a1 = v6;
}
return v6;
}
|
|
|
|
|
08/01/2014, 22:35
|
#6
|
elite*gold: 0
Join Date: Jun 2007
Posts: 100
Received Thanks: 36
|
Quote:
Originally Posted by Omdihar
I am not sure but this could be the function |
The code is kinda hard to follow... but how about the XoR Table?
Do you have the code for it also?
|
|
|
|
|
08/01/2014, 23:37
|
#7
|
elite*gold: 1
Join Date: Apr 2010
Posts: 13,772
Received Thanks: 15,036
|
Quote:
Originally Posted by mandark15
The code is kinda hard to follow... but how about the XoR Table?
Do you have the code for it also?
|
No but I am currently investigating how the xor table gets generated
|
|
|
|
|
08/01/2014, 23:46
|
#8
|
elite*gold: 0
Join Date: Jun 2007
Posts: 100
Received Thanks: 36
|
Quote:
Originally Posted by Omdihar
No but I am currently investigating how the xor table gets generated |
I see, from what I understand thought the first time it generates it increments by 1... then half way through the process it does something this is where I got lost. After that it continues incrementing the rest by 1.
And thank you for sharing the codes =)
|
|
|
|
|
08/02/2014, 14:11
|
#9
|
elite*gold: 1
Join Date: Apr 2010
Posts: 13,772
Received Thanks: 15,036
|
I removed the unnecessary parts
Code:
char __cdecl XORPacket(int xorTable, int bufSize, __m64 *buffer, int bufferTwo)
{
int buffSize_0; // edx@1
unsigned int buffer_0; // esi@1
int mostLikelyZero; // eax@1
int xorSecondOffset; // ebx@1
int xorThirdOffsetPtr; // edi@2
int bufferTwo_0; // ebp@2
int xorTableThirdOffset_0; // ecx@3
int someBitShiftingShitWithBufferSize; // edx@3
int v78; // edx@15
int bufferEnd; // [sp+18h] [bp+8h]@2
buffSize_0 = bufSize;
buffer_0 = (unsigned int)buffer;
mostLikelyZero = 0;
xorSecondOffset = 0;
if ( bufSize )
{
LOBYTE(xorSecondOffset) = *(_BYTE *)(xorTable + 4);
xorThirdOffsetPtr = xorTable + 8;
bufferTwo_0 = bufferTwo - (_DWORD)buffer;
bufferEnd = (int)((char *)buffer + bufSize);
LOBYTE(mostLikelyZero) = *(_BYTE *)xorTable + 1;
xorTableThirdOffset_0 = *(_DWORD *)(xorThirdOffsetPtr + 4 * mostLikelyZero);
someBitShiftingShitWithBufferSize = buffSize_0 & 0xFFFFFFFC;
do
{
LOBYTE(xorSecondOffset) = xorTableThirdOffset_0 + xorSecondOffset;
v78 = *(_DWORD *)(xorThirdOffsetPtr + 4 * xorSecondOffset);
*(_DWORD *)(xorThirdOffsetPtr + 4 * xorSecondOffset) = xorTableThirdOffset_0;
*(_DWORD *)(xorThirdOffsetPtr + 4 * mostLikelyZero) = v78;
LOBYTE(mostLikelyZero) = mostLikelyZero + 1;
LOBYTE(v78) = *(_BYTE *)buffer_0++ ^ *(_DWORD *)(xorThirdOffsetPtr
+ 4 * (unsigned __int8)(xorTableThirdOffset_0 + (_BYTE)v78));
xorTableThirdOffset_0 = *(_DWORD *)(xorThirdOffsetPtr + 4 * mostLikelyZero);
*(_BYTE *)(bufferTwo_0 + buffer_0 - 1) = v78;
}
while ( buffer_0 < bufferEnd );
LOBYTE(mostLikelyZero) = mostLikelyZero - 1;
*(_DWORD *)(xorTable + 4) = xorSecondOffset;
*(_BYTE *)xorTable = mostLikelyZero;
}
return mostLikelyZero;
}
EDIT:
Still need to figure out how the xor table gets generated :c
encryption.h
Code:
#pragma once
#include <stdint.h>
uint8_t xorTable[] =
{
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00,
0x4F, 0x00, 0x00, 0x00, 0x5B, 0x00, 0x00, 0x00,
0x57, 0x00, 0x00, 0x00, 0x5D, 0x00, 0x00, 0x00,
0x53, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00,
0xE6, 0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00,
0x69, 0x00, 0x00, 0x00, 0xF2, 0x00, 0x00, 0x00,
0x4E, 0x00, 0x00, 0x00, 0xE2, 0x00, 0x00, 0x00,
0x52, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00,
0x3A, 0x00, 0x00, 0x00, 0xCF, 0x00, 0x00, 0x00,
0x22, 0x00, 0x00, 0x00, 0xF5, 0x00, 0x00, 0x00,
0xD3, 0x00, 0x00, 0x00, 0x62, 0x00, 0x00, 0x00,
0x1C, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x00, 0x00,
0xB1, 0x00, 0x00, 0x00, 0x7F, 0x00, 0x00, 0x00,
0xD5, 0x00, 0x00, 0x00, 0x7A, 0x00, 0x00, 0x00,
0xFA, 0x00, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00,
0xA5, 0x00, 0x00, 0x00, 0xB4, 0x00, 0x00, 0x00,
0x30, 0x00, 0x00, 0x00, 0xF9, 0x00, 0x00, 0x00,
0x64, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
0x9C, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00,
0x0D, 0x00, 0x00, 0x00, 0x6B, 0x00, 0x00, 0x00,
0x83, 0x00, 0x00, 0x00, 0xAD, 0x00, 0x00, 0x00,
0x32, 0x00, 0x00, 0x00, 0x9F, 0x00, 0x00, 0x00,
0x7E, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00,
0xC1, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00,
0xC3, 0x00, 0x00, 0x00, 0x6A, 0x00, 0x00, 0x00,
0x39, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00,
0xCC, 0x00, 0x00, 0x00, 0xB6, 0x00, 0x00, 0x00,
0x0A, 0x00, 0x00, 0x00, 0xCE, 0x00, 0x00, 0x00,
0xF1, 0x00, 0x00, 0x00, 0xB3, 0x00, 0x00, 0x00,
0x43, 0x00, 0x00, 0x00, 0xE1, 0x00, 0x00, 0x00,
0x7B, 0x00, 0x00, 0x00, 0xA2, 0x00, 0x00, 0x00,
0x3F, 0x00, 0x00, 0x00, 0xF3, 0x00, 0x00, 0x00,
0x55, 0x00, 0x00, 0x00, 0xC9, 0x00, 0x00, 0x00,
0x12, 0x00, 0x00, 0x00, 0xC5, 0x00, 0x00, 0x00,
0x58, 0x00, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00,
0x96, 0x00, 0x00, 0x00, 0xCD, 0x00, 0x00, 0x00,
0x71, 0x00, 0x00, 0x00, 0xFB, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00,
0x56, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00,
0x07, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0x95, 0x00, 0x00, 0x00, 0x86, 0x00, 0x00, 0x00,
0xBF, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x00, 0x00,
0xEA, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00,
0x4B, 0x00, 0x00, 0x00, 0x6F, 0x00, 0x00, 0x00,
0xD2, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00,
0x68, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00,
0x80, 0x00, 0x00, 0x00, 0x3B, 0x00, 0x00, 0x00,
0x73, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
0x27, 0x00, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00,
0x8D, 0x00, 0x00, 0x00, 0xE9, 0x00, 0x00, 0x00,
0x5A, 0x00, 0x00, 0x00, 0xDF, 0x00, 0x00, 0x00,
0xED, 0x00, 0x00, 0x00, 0xBC, 0x00, 0x00, 0x00,
0xC7, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00,
0x5C, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00,
0x8A, 0x00, 0x00, 0x00, 0x89, 0x00, 0x00, 0x00,
0xF8, 0x00, 0x00, 0x00, 0xAB, 0x00, 0x00, 0x00,
0x85, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
0xDE, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
0xA6, 0x00, 0x00, 0x00, 0x77, 0x00, 0x00, 0x00,
0x9E, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00,
0xDC, 0x00, 0x00, 0x00, 0x67, 0x00, 0x00, 0x00,
0x11, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00,
0xD4, 0x00, 0x00, 0x00, 0x8F, 0x00, 0x00, 0x00,
0xA7, 0x00, 0x00, 0x00, 0x7C, 0x00, 0x00, 0x00,
0x40, 0x00, 0x00, 0x00, 0xE7, 0x00, 0x00, 0x00,
0xB5, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00,
0xAA, 0x00, 0x00, 0x00, 0xD1, 0x00, 0x00, 0x00,
0x63, 0x00, 0x00, 0x00, 0xCA, 0x00, 0x00, 0x00,
0xDD, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
0xE0, 0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00,
0xE5, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00,
0x36, 0x00, 0x00, 0x00, 0x93, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00,
0x45, 0x00, 0x00, 0x00, 0xFE, 0x00, 0x00, 0x00,
0xA3, 0x00, 0x00, 0x00, 0xEE, 0x00, 0x00, 0x00,
0x97, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00,
0xDB, 0x00, 0x00, 0x00, 0x9A, 0x00, 0x00, 0x00,
0xBB, 0x00, 0x00, 0x00, 0xCB, 0x00, 0x00, 0x00,
0xB9, 0x00, 0x00, 0x00, 0xEF, 0x00, 0x00, 0x00,
0x0B, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00,
0x06, 0x00, 0x00, 0x00, 0xB2, 0x00, 0x00, 0x00,
0xB0, 0x00, 0x00, 0x00, 0xBE, 0x00, 0x00, 0x00,
0x6E, 0x00, 0x00, 0x00, 0xB7, 0x00, 0x00, 0x00,
0x98, 0x00, 0x00, 0x00, 0x5F, 0x00, 0x00, 0x00,
0x19, 0x00, 0x00, 0x00, 0xD8, 0x00, 0x00, 0x00,
0x4D, 0x00, 0x00, 0x00, 0xAF, 0x00, 0x00, 0x00,
0xF0, 0x00, 0x00, 0x00, 0xE4, 0x00, 0x00, 0x00,
0x28, 0x00, 0x00, 0x00, 0x9B, 0x00, 0x00, 0x00,
0xA8, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
0xBA, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00,
0x13, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x87, 0x00, 0x00, 0x00, 0xC2, 0x00, 0x00, 0x00,
0x78, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00,
0x26, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00,
0x82, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00,
0x49, 0x00, 0x00, 0x00, 0x7D, 0x00, 0x00, 0x00,
0x8B, 0x00, 0x00, 0x00, 0x76, 0x00, 0x00, 0x00,
0xD9, 0x00, 0x00, 0x00, 0xC6, 0x00, 0x00, 0x00,
0x4C, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00,
0xAC, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x00,
0x16, 0x00, 0x00, 0x00, 0xEB, 0x00, 0x00, 0x00,
0x8E, 0x00, 0x00, 0x00, 0xFC, 0x00, 0x00, 0x00,
0x91, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00,
0xD7, 0x00, 0x00, 0x00, 0xD0, 0x00, 0x00, 0x00,
0xF4, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00,
0x2C, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00,
0x90, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00,
0xB8, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
0x81, 0x00, 0x00, 0x00, 0xA1, 0x00, 0x00, 0x00,
0xBD, 0x00, 0x00, 0x00, 0xC8, 0x00, 0x00, 0x00,
0x1D, 0x00, 0x00, 0x00, 0xF6, 0x00, 0x00, 0x00,
0x79, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00,
0x84, 0x00, 0x00, 0x00, 0xC4, 0x00, 0x00, 0x00,
0xDA, 0x00, 0x00, 0x00, 0x92, 0x00, 0x00, 0x00,
0x2B, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00,
0x09, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00,
0x23, 0x00, 0x00, 0x00, 0xFD, 0x00, 0x00, 0x00,
0x25, 0x00, 0x00, 0x00, 0x9D, 0x00, 0x00, 0x00,
0x2F, 0x00, 0x00, 0x00, 0x1F, 0x00, 0x00, 0x00,
0x70, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00,
0x37, 0x00, 0x00, 0x00, 0x99, 0x00, 0x00, 0x00,
0xE3, 0x00, 0x00, 0x00, 0xF7, 0x00, 0x00, 0x00,
0x5E, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00,
0x6D, 0x00, 0x00, 0x00, 0x8C, 0x00, 0x00, 0x00,
0xA9, 0x00, 0x00, 0x00, 0xA0, 0x00, 0x00, 0x00,
0xD6, 0x00, 0x00, 0x00, 0x1A, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xAE, 0x00, 0x00, 0x00
};
char __cdecl XORPacket(uint8_t *xorTable, int bufSize, uint8_t *buffer, uint8_t *bufferTwo);
encryption.cpp
Code:
#include "encryption.h"
char __cdecl XORPacket(uint8_t *xorTable, int bufSize, uint8_t *buffer, uint8_t *bufferTwo)
{
int buffSize_0; // edx@1
uint8_t *buffer_0; // esi@1
uint8_t mostLikelyZero; // eax@1
uint8_t xorSecondOffset; // ebx@1
uint8_t *xorThirdOffsetPtr; // edi@2
uint8_t *bufferTwo_0; // ebp@2
int xorTableThirdOffset_0; // ecx@3
int someBitShiftingShitWithBufferSize; // edx@3
int v78; // edx@15
uint8_t *bufferEnd; // [sp+18h] [bp+8h]@2
buffSize_0 = bufSize;
buffer_0 = buffer;
mostLikelyZero = 0;
xorSecondOffset = 0;
if (bufSize)
{
xorSecondOffset = *(uint8_t*)(xorTable + 4);
xorThirdOffsetPtr = xorTable + 8;
bufferTwo_0 = (uint8_t*)(((uint32_t)bufferTwo) - ((uint32_t)buffer));
bufferEnd = buffer + bufSize;
mostLikelyZero = *(uint8_t*)xorTable + 1;
xorTableThirdOffset_0 = *(uint32_t*)(xorThirdOffsetPtr + 4 * mostLikelyZero);
someBitShiftingShitWithBufferSize = buffSize_0 & 0xFFFFFFFC;
do
{
xorSecondOffset = xorTableThirdOffset_0 + xorSecondOffset;
v78 = *(uint32_t*)(xorThirdOffsetPtr + 4 * xorSecondOffset);
*(uint32_t*)(xorThirdOffsetPtr + 4 * xorSecondOffset) = xorTableThirdOffset_0;
*(uint32_t*)(xorThirdOffsetPtr + 4 * mostLikelyZero) = v78;
mostLikelyZero = mostLikelyZero + 1;
v78 = *(uint8_t*)buffer_0++ ^ *(uint32_t*)(xorThirdOffsetPtr
+ 4 * (unsigned __int8)(xorTableThirdOffset_0 + (uint8_t)v78));
xorTableThirdOffset_0 = *(uint32_t*)(xorThirdOffsetPtr + 4 * mostLikelyZero);
*(uint8_t*)(((uint32_t)bufferTwo_0) + ((uint32_t)buffer_0) - 1) = v78;
} while (buffer_0 < bufferEnd);
mostLikelyZero = mostLikelyZero - 1;
*(uint32_t*)(xorTable + 4) = xorSecondOffset;
*(uint8_t*)xorTable = mostLikelyZero;
}
return mostLikelyZero;
}
|
|
|
|
|
08/02/2014, 22:04
|
#10
|
elite*gold: 0
Join Date: Aug 2012
Posts: 15
Received Thanks: 0
|
**** bro. You put in work. Thanks, man.
|
|
|
|
|
08/02/2014, 22:20
|
#11
|
elite*gold: 1
Join Date: Apr 2010
Posts: 13,772
Received Thanks: 15,036
|
It's working fine, use it for a packet sniffer or whatever
I still don't get it how the xor table gets generated.
I guess it's related to the first packet sent by the server on connection (266 Bytes), but It looks like they are doing something with the received bytes before copying it to the xor table.
Need the detours library? - 
Code:
#include <Windows.h>
#include "detours.h"
#include "encryption.h"
#pragma comment(lib, "detours.lib")
typedef bool(__cdecl *xorPacketType)(uint8_t*, int, uint8_t*, uint8_t*);
xorPacketType xorPacketOrig = nullptr;
bool __cdecl xorPacketHook(uint8_t *xorTab, int bufSize, uint8_t *buffer, uint8_t *bufferTwo)
{
//Actually I was testing if my cleaned up function is working and it is!
//You can use xorPacketOrig here as well if you want
//return xorPacketOrig(xorTab, bufSize, buffer, bufferTwo);
//Modify the buffer here!
return XORPacket(xorTab, bufSize, buffer, bufferTwo);
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
if (fdwReason == DLL_PROCESS_ATTACH)
{
xorPacketOrig = (xorPacketType)DetourFunction((PBYTE)0x00D86780, (PBYTE)xorPacketHook);
MessageBoxA(0, "Hooked bra!", "", 0);
}
return true;
}
|
|
|
|
|
08/06/2014, 14:29
|
#12
|
elite*gold: 0
Join Date: Jan 2012
Posts: 3
Received Thanks: 0
|
/delete/
|
|
|
|
|
10/05/2014, 08:20
|
#13
|
elite*gold: 0
Join Date: Sep 2014
Posts: 2
Received Thanks: 0
|
what is the address of encryption function in current version?
|
|
|
|
|
11/06/2014, 16:12
|
#14
|
elite*gold: 1
Join Date: Apr 2010
Posts: 13,772
Received Thanks: 15,036
|
Quote:
Originally Posted by twilightsaga
what is the address of encryption function in current version?
|
XORPacket - Pattern:
Code:
55 53 56 57 8B 7C 24 14 8B 54 24 18
|
|
|
|
|
11/06/2014, 21:52
|
#15
|
elite*gold: 110
Join Date: Jun 2013
Posts: 599
Received Thanks: 510
|
I've got interested into AuraKingdom and i saw that the generation of the XorTable was not found so i've decided to look for it and i've found it. I'll just explain how the table gets generated and some other information.
Information:- The table got a size of 0x100
- It gets generated in the same function as WSAConnect
- It uses a random salt from the client
- 2 Tables gets generated and both are exactly the same (i don't know why)
- The table get's encrypted and sent to the server
- The table changes in the Encryption function
Generation:
First of all the table is random which means you can decide how the table is generated (tested it by changing the salt and it worked).
I haven't took a deep look into the generation of the salt since you can decide by yourself how it gets generated.
Here is a code snippet how you could generate the Table:
Code:
#define TABLE_SIZE 0x100
#define SALT_SIZE 0x5
unsigned char TableSalt[SALT_SIZE] = { 0x13, 0x33, 0x33, 0x33, 0x37 };
void GenerateTable(int* table) {
unsigned char add_value = 0;
unsigned char old_value = 0;
for (int i = 0; i < TABLE_SIZE; i++) {
table[i] = i;
}
for (int i = 0; i < TABLE_SIZE; i++) {
add_value += TableSalt[i % 5] + table[i];
old_value = table[add_value];
table[add_value] = table[i];
table[i] = old_value;
}
}
A table with the salt like in the code would look like this:
Code:
0x00000024, 0x00000067, 0x000000C1, 0x000000D2, 0x000000FF,
0x00000041, 0x0000007A, 0x00000078, 0x000000EF, 0x00000043,
0x0000002E, 0x000000D8, 0x000000E0, 0x00000010, 0x00000006,
0x000000A3, 0x0000004E, 0x000000CE, 0x0000006C, 0x000000B5,
0x000000FC, 0x00000044, 0x0000008D, 0x0000002D, 0x00000083,
0x000000F5, 0x000000BB, 0x00000042, 0x0000008A, 0x000000A8,
0x0000003C, 0x0000004B, 0x0000002B, 0x000000DF, 0x00000011,
0x0000009E, 0x00000017, 0x0000007D, 0x0000003B, 0x000000E7,
0x000000CB, 0x00000077, 0x00000046, 0x00000059, 0x00000052,
0x00000021, 0x00000053, 0x00000036, 0x00000031, 0x00000000,
0x000000C4, 0x00000089, 0x000000FA, 0x000000C6, 0x000000B7,
0x000000C5, 0x00000069, 0x00000070, 0x00000090, 0x00000049,
0x000000BA, 0x00000055, 0x0000009B, 0x00000032, 0x00000019,
0x000000A6, 0x000000E8, 0x00000091, 0x0000007E, 0x00000051,
0x0000005B, 0x00000097, 0x000000BF, 0x00000094, 0x000000B8,
0x00000066, 0x000000B6, 0x00000018, 0x000000A0, 0x00000012,
0x00000057, 0x00000080, 0x0000009D, 0x00000015, 0x00000013,
0x000000C2, 0x000000F0, 0x000000AB, 0x0000009F, 0x0000008B,
0x000000BE, 0x000000CA, 0x000000F8, 0x000000D4, 0x000000E9,
0x0000008C, 0x000000C3, 0x00000038, 0x00000082, 0x000000B3,
0x000000D3, 0x000000FD, 0x0000005E, 0x00000068, 0x00000002,
0x000000ED, 0x0000005C, 0x00000073, 0x00000048, 0x000000A9,
0x00000063, 0x00000026, 0x0000001A, 0x000000FB, 0x0000000E,
0x000000A2, 0x0000001F, 0x00000092, 0x0000009A, 0x000000DB,
0x00000085, 0x000000BC, 0x00000086, 0x00000025, 0x0000007C,
0x00000095, 0x00000047, 0x0000000F, 0x0000001E, 0x000000AD,
0x000000F2, 0x00000022, 0x000000CF, 0x00000087, 0x00000027,
0x0000000B, 0x000000F7, 0x00000008, 0x00000039, 0x000000EC,
0x00000050, 0x000000F4, 0x00000054, 0x00000034, 0x000000DD,
0x000000B0, 0x000000F1, 0x000000AF, 0x0000000D, 0x00000007,
0x00000093, 0x00000030, 0x0000001C, 0x0000007B, 0x0000003A,
0x00000005, 0x00000037, 0x0000001D, 0x00000045, 0x00000004,
0x000000AA, 0x00000023, 0x000000D9, 0x00000029, 0x0000005A,
0x000000A5, 0x00000076, 0x000000A7, 0x000000F3, 0x0000000A,
0x00000081, 0x00000071, 0x00000058, 0x000000D0, 0x000000D1,
0x000000B9, 0x0000001B, 0x000000C9, 0x00000003, 0x0000008E,
0x00000096, 0x000000C8, 0x0000004C, 0x000000DE, 0x000000E1,
0x0000004D, 0x000000C7, 0x000000AC, 0x0000002F, 0x00000009,
0x0000004A, 0x0000006A, 0x00000056, 0x0000009C, 0x00000079,
0x000000DA, 0x00000020, 0x00000099, 0x00000061, 0x000000F9,
0x000000D6, 0x000000EA, 0x000000E5, 0x0000004F, 0x000000F6,
0x000000E2, 0x0000002A, 0x0000002C, 0x0000003E, 0x000000B1,
0x000000B2, 0x000000AE, 0x00000075, 0x0000006F, 0x00000060,
0x00000033, 0x000000A1, 0x00000040, 0x0000000C, 0x000000EE,
0x0000005D, 0x000000A4, 0x00000014, 0x000000D7, 0x000000CD,
0x00000064, 0x000000E6, 0x000000E3, 0x00000084, 0x0000003D,
0x0000003F, 0x000000C0, 0x00000028, 0x000000CC, 0x0000006D,
0x00000001, 0x00000074, 0x000000DC, 0x0000008F, 0x00000088,
0x00000035, 0x00000016, 0x000000EB, 0x0000007F, 0x00000065,
0x0000006E, 0x000000FE, 0x0000005F, 0x000000D5, 0x000000B4,
0x00000062, 0x0000006B, 0x00000098, 0x000000BD, 0x000000E4,
0x00000072
I hope it's helpful, if you have questions feel free to ask me
Edit:
The first packet you receive is always the same.
But the packet you send the first time is always different, but i haven't figured out how it gets created yet.
|
|
|
|
 |
|
Similar Threads
|
std::function of a function returning an std::function
11/11/2013 - C/C++ - 19 Replies
Nun muss ich nach langer Zeit auch mal wieder einen Thread erstellen, weil mir Google nicht mehr weiterhelfen kann.
Ich verzweifle an Folgendem Vorhaben:
#include <Windows.h>
#include <string>
#include <iostream>
using namespace std;
|
Running Function 2 after Function 1 finished
09/15/2013 - AutoIt - 3 Replies
Hey, its me again.
Im stuck on a problem since yesterday and as much as i hate to ask for help, i really dont know what else to try. I want Function 2 to run after Function 1 has finished. I tried GuiCtrlSetOnEvent and MsgLoop, but i dont really understand it. I tried to read tutorials but they didnt help at all.
The line that are underline is what im talking about. I want gamestart() to run first and when its finished, i want iniviteteam() to run.
#AutoIt3Wrapper_UseX64=n...
|
Encryption of DO
04/04/2013 - DarkOrbit - 28 Replies
Hey,
I talked with a guy, who is interested in coding.
He looked for the encryption just for fun and gave me this:
http://pastebin.com/2iLKJUcs
Maybe it helps. I don't know :)
Please dont ask, what this is or how to use it.
Its for the better developer here ala Heaven, Gnome or First
|
[VIP-function] ToxicSYS [VIP-function]
08/14/2010 - WarRock Hacks, Bots, Cheats & Exploits - 1 Replies
heeeey E-pvpers :pimp:
this is a new hack by TSYS
Status : UNDETECTED
Functions (VIDEO) :
YouTube - WarRock - Bikini event VIP hack
|
All times are GMT +1. The time now is 12:18.
|
|
