All lvl2 epvp members have quit playing Conquer Online, so we are releasing our packet encryption guide. I hope it is useful for all the AGHs out there.
You will not use any information obtained from this guide for malicious purposes.
All information from this guide is for intellectual purposes only, and you are responsible for how you use it.
This guide may only be posted on the elitepvpers network, so if you see it anywhere else, please let me know about it.
Posted on: Nov 8 2004
Contact me for copy & paste permission
DO NOT PM ME if you want to know how to make hacks with this information.
English translation by Noir and Lowfyr for e*pvp
Update:
Quote:
Originally posted by Ultima
One month after the guide came out they made a little change in the first packet you receive: it's now 32 bytes long, not 28 like in the guide, and for the key you have to start taking the keys now at the 5th position, not the 4th. That's all. They won't patch anything because it's most likely too complex, and they don't even make money with Conquer, only with the DBs, so I don't think they'll make anything.
Guide to Conquer Online packet encryption and decryption
Content:
1. The keys
a. General information
b. The first 2 keys
c. Creating the 3rd and 4th key
2. Encryption of packets
a. The counter
b. Encrypting packets (client side)
c. Decrypting packets (the inverse routine)
3. Encryption and decryption as a server
The keys
General information
There are 4 keys in the Conquer Online encryption. Actually there are only 2, but after signing in at the login server these 2 keys are transformed with 2 values the server sends, and the transformed keys are used as the new keys for outgoing packets. So there are 4 keys in total.
The first 2 keys:
1st key
Code:
9D 90 83 8A D1 8C E7 F6 25 28 EB 82 99 64 8F 2E
2D 40 D3 FA E1 BC B7 E6 B5 D8 3B F2 A9 94 5F 1E
BD F0 23 6A F1 EC 87 D6 45 88 8B 62 B9 C4 2F 0E
4D A0 73 DA 01 1C 57 C6 D5 38 DB D2 C9 F4 FF FE
DD 50 C3 4A 11 4C 27 B6 65 E8 2B 42 D9 24 CF EE
6D 00 13 BA 21 7C F7 A6 F5 98 7B B2 E9 54 9F DE
FD B0 63 2A 31 AC C7 96 85 48 CB 22 F9 84 6F CE
8D 60 B3 9A 41 DC 97 86 15 F8 1B 92 09 B4 3F BE
1D 10 03 0A 51 0C 67 76 A5 A8 6B 02 19 E4 0F AE
AD C0 53 7A 61 3C 37 66 35 58 BB 72 29 14 DF 9E
3D 70 A3 EA 71 6C 07 56 C5 08 0B E2 39 44 AF 8E
CD 20 F3 5A 81 9C D7 46 55 B8 5B 52 49 74 7F 7E
5D D0 43 CA 91 CC A7 36 E5 68 AB C2 59 A4 4F 6E
ED 80 93 3A A1 FC 77 26 75 18 FB 32 69 D4 1F 5E
7D 30 E3 AA B1 2C 47 16 05 C8 4B A2 79 04 EF 4E
0D E0 33 1A C1 5C 17 06 95 78 9B 12 89 34 BF 3E
2nd key
Code:
62 4F E8 15 DE EB 04 91 1A C7 E0 4D 16 E3 7C 49
D2 3F D8 85 4E DB F4 01 8A B7 D0 BD 86 D3 6C B9
42 2F C8 F5 BE CB E4 71 FA A7 C0 2D F6 C3 5C 29
B2 1F B8 65 2E BB D4 E1 6A 97 B0 9D 66 B3 4C 99
22 0F A8 D5 9E AB C4 51 DA 87 A0 0D D6 A3 3C 09
92 FF 98 45 0E 9B B4 C1 4A 77 90 7D 46 93 2C 79
02 EF 88 B5 7E 8B A4 31 BA 67 80 ED B6 83 1C E9
72 DF 78 25 EE 7B 94 A1 2A 57 70 5D 26 73 0C 59
E2 CF 68 95 5E 6B 84 11 9A 47 60 CD 96 63 FC C9
52 BF 58 05 CE 5B 74 81 0A 37 50 3D 06 53 EC 39
C2 AF 48 75 3E 4B 64 F1 7A 27 40 AD 76 43 DC A9
32 9F 38 E5 AE 3B 54 61 EA 17 30 1D E6 33 CC 19
A2 8F 28 55 1E 2B 44 D1 5A 07 20 8D 56 23 BC 89
12 7F 18 C5 8E 1B 34 41 CA F7 10 FD C6 13 AC F9
82 6F 08 35 FE 0B 24 B1 3A E7 00 6D 36 03 9C 69
F2 5F F8 A5 6E FB 14 21 AA D7 F0 DD A6 F3 8C D9
Creating the 3rd and 4th key:
You get the 3rd and 4th key by transforming the 1st and 2nd key with the values the server sends to the client. These values are in the 1st packet you receive from the server, which is the 2nd packet of the session overall (the 1st is your login packet).
The packet with the values looks like this:
Code:
*** RECV - size: 28
1C 00 1C 04 2E A6 44 00 F4 48 5C 20 36 34 2E 31
35 31 2E 38 31 2E 32 30 34 00 00 00
(bytes 12 onward are the ASCII string "64.151.81.204")
The first value (V1) is made of bytes 11, 10, 9 and 8 of the packet (counting from 0), i.e. bytes 8..11 read as a little-endian 32-bit number.
In this example: 20 5C 48 F4
The second value (V2) is bytes 7, 6, 5 and 4, i.e. bytes 4..7 read the same way.
In this example: 00 44 A6 2E
And now, to get the values for the 3rd and 4th key, do the following (all arithmetic on 32-bit values):
1.) Add V1 and V2: 205C48F4 + 0044A62E = 20A0EF22
2.) XOR the result of 1.) with 4321: 20A0EF22 XOR 4321 = 20A0AC03
3.) XOR V1 with the result of 2.): 205C48F4 XOR 20A0AC03 = 00FCE4F7
4.) IMUL the result of 3.) with itself: 00FCE4F7 * 00FCE4F7 = F9D39310E651
(only the low 4 bytes of the product are kept -> 9310E651; for the low 4 bytes it does not matter whether the multiplication is signed or unsigned)
And now, to create the 3rd and 4th key, do the following:
Take the 1st key 4 bytes at a time, reverse each group, XOR it with the result of 3.) and reverse it back; the same 4-byte value is used for every group.
The first 4 bytes of the 1st key, reversed (originally 9D 90 83 8A):
8A 83 90 9D
XOR with the result of 3.):
00 FC E4 F7
The result:
8A 7F 74 6A
Reverse the result again; the first four bytes of the new key are therefore:
6A 74 7F 8A
(Reversing twice is the same as XORing byte i of the key with byte i mod 4 of the result written little-endian: 9D XOR F7, 90 XOR E4, 83 XOR FC, 8A XOR 00.)
Repeat that for every group of 4 bytes until the complete 1st key has been converted. The result is the 3rd key.
The 2nd key is converted the same way, but with the result of 4.) instead of 3.).
The first 4 bytes of the 2nd key, reversed (originally 62 4F E8 15):
15 E8 4F 62
XOR with the result of 4.):
93 10 E6 51
The result:
86 F8 A9 33
Reversed again, the first four bytes of the new key are:
33 A9 F8 86
This is the 4th key. Now you have the 3rd and 4th key that you need to send packets.
Encryption of packets:
The counter
To en- and decrypt packets you need the four 256-byte keys introduced above.
- To decrypt the packets you get from the server you need the 1st and the 2nd key.
- The 3rd and 4th key are used for the packets your client sends (the login packet is the exception: it goes out before the server's key packet arrives, so it is still encrypted with the 1st and 2nd key, as in the example below).
The login server and the game server use the same encryption, but each connection has 4 counters in total: two counters for the sent packets and two for the received packets.
All four counters are set to 00 for each new session. Packets are always en-/decrypted byte by byte. After each byte the first counter is increased by 1; when it passes FF it rolls back to 00 and the second counter is increased by 1. When the second counter passes FF as well, both counters roll back to 00. (In other words, a pair of counters is one 16-bit counter: its low byte indexes the 1st key, its high byte the 2nd key.)
Encrypting packets (client side)
There are four steps to encrypt each byte.
As an example we use the login packet (52 bytes) that the client sends to the login server:
Decrypted Packet:
Code:
34 00 1B 04 54 65 73 74 54 65 73 74 00 00 00 00 00 00 00 00 51 15 EE 1B 19 45 2C 6E 5C 01 5C 41 56 25 F6 D7 45 61 67 6C 65 00 00 00 00 00 00 00 00 00 00 00
Encrypted Packet:
Code:
17 84 04 65 D5 13 C4 A5 9A 59 04 E2 14 CB 75 6F 5F 89 B0 22 86 17 18 52 47 54 FC 44 D2 D4 BD 78 33 D0 D0 56 C6 55 83 26 8F 05 35 AB 16 C1 7F 6D 59 87 BA 20
step 1
XOR the plaintext byte with the X-th byte of the 1st key (X = 1st counter, 00 here):
XOR 34, 9D ---> A9
step 2
XOR the result with the N-th byte of the 2nd key (N = 2nd counter, 00 here):
XOR A9, 62 ---> CB
step 3
Now swap the two nibbles of the result ("invert" it):
CB becomes BC (CB -> BC)
step 4
Finally XOR the result of step 3 with the constant AB (in the client this is the instruction XOR ESI, 0AB):
XOR BC, AB ---> 17
Repeat that for the whole packet.
- After each encrypted byte the first counter is increased by 1.
- After 256 bytes the second counter is increased by 1 (and the first rolls back to 00).
- After 65536 bytes both counters roll back to 00 and the sequence starts again at 00/00.
When you connect to the game server the counters are set to 00 again.
Decrypting packets (the inverse routine)
To decrypt packets the client has sent to the server, use the same routine as above run backwards (invert the whole client encryption process):
1. XOR the encrypted byte with AB
2. swap the nibbles of E1
3. XOR E2 with the N-th byte of the 2nd key (62 here)
4. XOR E3 with the X-th byte of the 1st key (9D here)
(E1, E2, E3 = results of steps 1, 2 and 3)
Applied to the first byte of the example: 17 XOR AB = BC, swapped = CB, CB XOR 62 = A9, A9 XOR 9D = 34.
Encryption and decryption as a server
To write a server you use the same routine as above (the client's encrypt/decrypt process inverted); the keys are the same.
Every player gets an individual key: the 3rd and 4th key derived from the values in the server's first packet. The client uses this key in the encryption routine before it sends data to the server, so the server must derive the same key to read the client's packets.
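The key derivation of section 1c, the byte-wise cipher with its counters (section 2) and the server-side inverse (section 3), as one runnable Python 3 example. This is added code, not the guide's own or the game's code. The sample packets are the ones printed in the guide; the generator for the 1st and 2nd key is an assumption (the guide only prints the tables, so the generator is checked against them), and the function and class names are mine.

```python
# Added example, not code from the original guide: the key derivation of
# section 1c and the byte-wise cipher of sections 2 and 3, in Python 3.
# Sample packets are copied from the guide; the key generator is an assumption.
import struct

XOR_CONST = 0xAB  # the constant of step 4 (XOR ESI, 0AB in the client)


def generate_base_keys():
    """Return the 256-byte 1st and 2nd key as (key1, key2).

    ASSUMPTION: the guide only prints the tables. This byte-wise recurrence,
    seeded with 0x9D and 0x62, is the generator used by community Conquer
    Online tools; it reproduces the printed tables.
    """
    key1, key2 = bytearray(256), bytearray(256)
    a, b = 0x9D, 0x62
    for i in range(256):
        key1[i], key2[i] = a, b
        a = ((0x0F + ((a * 0xFA) & 0xFF)) * a + 0x13) & 0xFF
        b = ((0x79 - ((b * 0x5C) & 0xFF)) * b + 0x6D) & 0xFF
    return bytes(key1), bytes(key2)


def derive_session_keys(key1, key2, server_packet, offset=4):
    """Derive the 3rd and 4th key from the first server packet (section 1c).

    Two little-endian 32-bit values sit at `offset` (V2) and `offset + 4` (V1);
    in the guide's 28-byte packet that is bytes 4..7 and 8..11.
    Returns (key3, key4, result_of_step_3, result_of_step_4).
    """
    v2, v1 = struct.unpack_from("<II", server_packet, offset)
    step3 = (((v1 + v2) & 0xFFFFFFFF) ^ 0x4321) ^ v1   # steps 1.) to 3.)
    step4 = (step3 * step3) & 0xFFFFFFFF               # 4.) IMUL, low 4 bytes only
    # "reverse 4 key bytes, XOR, reverse back" equals XORing key byte i with
    # byte i % 4 of the value written little-endian.
    m3, m4 = step3.to_bytes(4, "little"), step4.to_bytes(4, "little")
    key3 = bytes(key1[i] ^ m3[i % 4] for i in range(256))
    key4 = bytes(key2[i] ^ m4[i % 4] for i in range(256))
    return key3, key4, step3, step4


class CoCipher:
    """One direction of one connection: a key pair plus a 16-bit counter.

    The low byte of the counter indexes key_a (step 1), the high byte key_b
    (step 2); the counter wraps after 65536 bytes, i.e. both counters roll
    back to 00.
    """

    def __init__(self, key_a, key_b):
        self.key_a, self.key_b, self.counter = key_a, key_b, 0

    def _next_key_byte(self):
        k = self.key_a[self.counter & 0xFF] ^ self.key_b[self.counter >> 8]
        self.counter = (self.counter + 1) & 0xFFFF
        return k

    @staticmethod
    def _swap_nibbles(x):
        return ((x << 4) | (x >> 4)) & 0xFF  # the guide's "invert": CB -> BC

    def client_transform(self, data):
        """Client side, both directions: XOR key bytes, swap nibbles, XOR AB."""
        return bytes(self._swap_nibbles(b ^ self._next_key_byte()) ^ XOR_CONST
                     for b in data)

    def server_transform(self, data):
        """Server side, both directions: XOR AB, swap nibbles, XOR key bytes
        (the client routine run backwards, section 3)."""
        return bytes(self._swap_nibbles(b ^ XOR_CONST) ^ self._next_key_byte()
                     for b in data)


# Sample data copied from the guide: the client's 52-byte login packet in
# clear and encrypted form, and the 28-byte server packet with the key values.
LOGIN_PLAIN = bytes.fromhex(
    "34001B04546573745465737400000000" "000000005115EE1B19452C6E5C015C41"
    "5625F6D74561676C6500000000000000" "00000000")
LOGIN_ENCRYPTED = bytes.fromhex(
    "17840465D513C4A59A5904E214CB756F" "5F89B022861718524754FC44D2D4BD78"
    "33D0D056C65583268F0535AB16C17F6D" "5987BA20")
SERVER_PACKET = bytes.fromhex(
    "1C001C042EA64400F4485C20" "36342E3135312E38312E323034" "000000")


def demo():
    """Walk through the guide's session; returns the intermediate values."""
    key1, key2 = generate_base_keys()
    # Login server: the login packet goes out before any server packet, so it
    # is still encrypted with the 1st and 2nd key from counter 00.
    encrypted_login = CoCipher(key1, key2).client_transform(LOGIN_PLAIN)
    # The server's first packet carries the values for the 3rd and 4th key.
    key3, key4, step3, step4 = derive_session_keys(key1, key2, SERVER_PACKET)
    # Game server: fresh counters. Client -> server uses the 3rd/4th key; the
    # server runs the inverse routine with the same keys.
    c2s = CoCipher(key3, key4).server_transform(
        CoCipher(key3, key4).client_transform(LOGIN_PLAIN))
    # Server -> client uses the 1st/2nd key; the client's routine undoes it.
    s2c = CoCipher(key1, key2).client_transform(
        CoCipher(key1, key2).server_transform(SERVER_PACKET))
    return encrypted_login, step3, step4, key3[:4], key4[:4], c2s, s2c


if __name__ == "__main__":
    enc, s3, s4, k3, k4, c2s, s2c = demo()
    print(enc.hex(" ").upper())  # matches the encrypted login packet above
    print(f"{s3:08X} {s4:08X}", k3.hex().upper(), k4.hex().upper())
    print(c2s == LOGIN_PLAIN, s2c == SERVER_PACKET)
```

Running the file prints the encrypted login packet (it matches the one printed above byte for byte), the results of steps 3.) and 4.) (00FCE4F7 and 9310E651), the first four bytes of the 3rd and 4th key (6A747F8A and 33A9F886), and two True values for the game-server round trips. For the 32-byte packet mentioned in the update, derive_session_keys() takes a different offset; the exact new layout is not described on this page, so the default stays at 4.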