Hi, does anyone know how to decrypt the packets of Cabal (packets obtained by sniffing, for example with Ethereal or WPE)?
I tried with an XOR crypt, but when doing the same action in the game the packet changes.
I think that it's a different XOR code per packet, but I can't find it.
For example, in the game chat I said "hello" 5 times and I got 5 different packets, but with the same size.
Those are the packets:
Here in text:
B3 30 38 CB 27 8E E1 D3 DB 84 78 9A EA F9 47 F4 4D 99 85
2D 15 CD 32 3E 69 C1 90 17 4A 82 28 1E 69 02 B2 AD C4 05
41 0C 2D 59 65 A1 01 6C DE DB 01 BD 59 F3 DB EC 4D E7 2F
...
The word used was "hello" without the " "
The 5 packets have to have "hola" encrypted.
For "hello" the size is 19; when I wrote, for example, "helloo" the size changed to 20, when I write "hellooo" the size is 21, and so on.
Nice thread. Hmm, -2? So if I convert every hex value and then subtract 2 from every byte, I'll get the unencrypted packet? Hmm... so every time I catch a packet, I subtract 2 from it? I guess you need a proxy server for this kind of hack.
I hope someone122 or novacygni can provide an overview of a proxy server and DLL injection/code caving in Cabal.
I have a question: what's the difference between a proxy server, DLL injection, and code caving?
My understanding of a proxy server is that it catches packets client to server and vice versa: the proxy server catches a packet, then decrypts it, edits the decrypted packet, then encrypts it again so the client or server will accept it. You would really need a lot of knowledge, and I think the hardest part is the encryption and time stamping.
For DLL injection, I think you can call certain functions in-game with just the press of a hotkey, e.g. pressing the letter "P" will automatically buy pots from the alchemist. I think this also deals with packets?
Code caving involves asm/debugging, like the function of CE. I believe this is the way to go for newbies? Since we just need to point which goes to which address: nop, jne, jmp, whatever. I've also read that at some point in the program the packet is passed to the encryption routine inside cabalmain.exe, so if we can find that point, we just dump the data before it's encrypted? Or if you made a code cave, just point it to the encryption address.
I hope someone will point out my mistakes, thanks.
DLL injection is exactly what its name says: you basically inject a DLL into an application to modify how it will act.
Code caving is basically using a code "gap" to manipulate the game in a certain way.
But for "proxy server", I don't know what you mean, since a proxy server is only a "go-between": instead of connecting directly to the server, you connect to a proxy server, which connects itself to the desired server, then sends you back the information. It may be used to catch packets, but since that proxy gets the same packet flow you would normally get yourself if you connected directly to the server, I guess it's useless, unless you've got a proxy server which will decrypt the packets for you when you're unable to do it yourself xD
Quote:
I guess it's useless, unless you've got a proxy server which will decrypt the packets for you when you're unable to do it yourself xD
I'm sure that's what he's trying to do.
1) The encryption method is AES Rijndael. That alone still won't help you, because you need to know the encryption keys (* Key1 and Key2 *) to be able to decrypt the packet.
2) It's a Proxy, not a "Proxy server". It's used to do the packet encryption and decryption for you, so yes, you can alter/inject your own packets at will.
3) Ethereal and other "sniffers" are no good for sniffing encrypted MMORPG packets. I'd suggest writing a C# sniffer to hook the Winsock recv function in Cabal.exe, just to let you log enough packets to work out Key2 (* Clue: the first packet contains it *) and to work out the packet structs.
4) Code caving is used to make the exe have modified functions, i.e. a timestamp check added to the bottom of the exe which takes the current time and adds .45ms to it, then simply point all references to WinGetTime to this new WinGetTime code written at the bottom.
5) DLL injection is the best method for loading your Proxy/Bot, as GameGuard, being the hunk of shit that it is, doesn't check referenced DLLs. The clue here, btw, is to inject your DLL via modifying oggvorbis.dll, or easier yet, just code cave GameGuard itself to call your bot program and then it'll "protect" your bot's processes.
Quote:
Originally Posted by dlnqt
Nice thread. Hmm, -2? So if I convert every hex value and then subtract 2 from every byte, I'll get the unencrypted packet? Hmm... so every time I catch a packet, I subtract 2 from it? I guess you need a proxy server for this kind of hack.
My understanding of a proxy server is that it catches packets client to server and vice versa: the proxy server catches a packet, then decrypts it, edits the decrypted packet, then encrypts it again so the client or server will accept it. You would really need a lot of knowledge, and I think the hardest part is the encryption and time stamping.
Code caving involves asm/debugging, like the function of CE. I believe this is the way to go for newbies? Since we just need to point which goes to which address: nop, jne, jmp, whatever. I've also read that at some point in the program the packet is passed to the encryption routine inside cabalmain.exe, so if we can find that point, we just dump the data before it's encrypted? Or if you made a code cave, just point it to the encryption address.
Nope, the -2 is part of the algorithm used in the modified AES Rijndael method Cabal uses.
Nothing hard about it really: the encryption is AES Rijndael, Key1 is in Cabal.exe itself and Key2 is received in the first packet from Server>Client... Timestamping is basically calling the current time with WinGetTime and adding .45ms to the current time before sending the packet on to the server.
OllyDbg is the pro's tool of choice for researching values and performing research to advance other areas of botting.
You shouldn't try flying before you can walk, let alone run! But yes, you can inject packets into the exe itself so the exe does the encryption for you, but this is far from basic!
Quote:
For example, in the game chat I said "hello" 5 times and I got 5 different packets, but with the same size.
That's because the timestamp changed in each packet, which makes the whole string be encrypted differently, not just part of it...
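As an added illustration of the point above (not code from this thread, from the game, or from any poster): a constructed chained cipher where a per-packet timestamp sits at the front of the plaintext, showing why five sends of the same word give five different ciphertexts of equal length, why the length grows one byte per character, and why a fixed-XOR-key guess cannot explain the captures. The key, the timestamp values and the SHA-256-based keystream are stand-ins, not the game's AES variant.

```python
import hashlib
import struct
from typing import List, Tuple

# Constructed stand-in for a chained cipher: every byte is XORed with a
# keystream byte derived from the key and the preceding 16 ciphertext bytes
# (CFB-style feedback).  This is NOT the game's modified AES from the thread;
# it only reproduces the property under discussion: a value that differs
# early in the packet (here a 4-byte timestamp) changes every byte after it.

KEY = b"constructed-demo-key"   # placeholder, not a real key from anywhere
FEEDBACK = 16                   # how many previous ciphertext bytes feed back


def _ks_byte(key: bytes, prev: bytes) -> int:
    """One keystream byte for the position that follows `prev`."""
    return hashlib.sha256(key + prev).digest()[0]


def encrypt_packet(key: bytes, timestamp: int, message: bytes) -> bytes:
    """Plaintext = little-endian timestamp || message; output keeps its length."""
    plain = struct.pack("<I", timestamp) + message
    out = bytearray()
    for p in plain:
        out.append(p ^ _ks_byte(key, bytes(out[-FEEDBACK:])))
    return bytes(out)


def decrypt_packet(key: bytes, packet: bytes) -> Tuple[int, bytes]:
    """Inverse of encrypt_packet: returns (timestamp, message)."""
    plain = bytearray()
    for i, c in enumerate(packet):
        plain.append(c ^ _ks_byte(key, packet[max(0, i - FEEDBACK):i]))
    return struct.unpack("<I", plain[:4])[0], bytes(plain[4:])


def fixed_xor_key_consistent(c1: bytes, c2: bytes) -> bool:
    """Under a fixed XOR key, two encryptions of the same plaintext are
    identical (c1 XOR c2 is all zeros).  True only if that hypothesis holds."""
    return c1 == c2


def send_word_repeatedly(word: bytes, sends: int, key: bytes = KEY) -> List[bytes]:
    """Encrypt the same word `sends` times, each with a later timestamp."""
    return [encrypt_packet(key, 1_000_000 + 37 * i, word) for i in range(sends)]


if __name__ == "__main__":
    for pkt in send_word_repeatedly(b"hello", 5):
        print(len(pkt), pkt.hex(" ").upper())
```

Run it and the five printed lines have the same length but no byte pattern in common, exactly the symptom reported in the first post; sending "helloo" instead adds one byte.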
My English is so bad, and my programming skill is even worse than my English =)
I'm trying to understand this code, but I'm not sure I can write something.
I'm not sure whether the keys in these procedures are right. Where can I check/get the keys?
NovaCygni wrote
Quote:
log enough packets to work out Key2 (* Clue: the first packet contains it *) and to work out the packet structs