*HOT* Packet Encryption - Decrypt/ReEncrypt HowTo

[Ultima]

Quote:

Originally posted by monkeyleader@Jul 17 2005, 14:27
um about the whole packet thing... what is the point of making the keys?

can you explain what you exactly mean?

[meow`]

Ok, first thx for this nice tuto, then sorry for my bad english, i'm french so perhaps i don't see it but can u precise where is store the first and second key ? there is a routine to calculate them too or this key are fixe ?
sorry for noobish question, i'm not at home and i can't disassemble, thx a lot

[Ultima]

Quote:

Originally posted by meow`@Jul 21 2005, 08:38
Ok, first thx for this nice tuto, then sorry for my bad english, i'm french so perhaps i don't see it but can u precise where is store the first and second key ? there is a routine to calculate them too or this key are fixe ?
sorry for noobish question, i'm not at home and i can't disassemble, thx a lot

OK there are two keys that are used by conquer those two of the tutorial!

They are hardcoded don`t know where they are but they are fixed!

thoses keys are used for encryption and decryption but after logging into the server you get 2 keys from it.

with those you make two new keys that are used for communication with the server but only the packets from client to server are encrypted with those

the communication from server to client uses the old first two keys hope that makes thinks clear


maybe i should learn some france^^

[meow`]

Quote:

They are hardcoded don`t know where they are but they are fixed!

Right that was only that i would to know, thx a lot
Someone know the offset where is store this 2 first key please ?

[meow`]

Hy all,
first sorry for my bad english, but i'm french, so if u don't understand something please tell me and i'll try to correct my sentences

Ok so, i'm trying to study the protocol and i've got a problem with the second packet i send to the gameserver, so it's the client to the server's packet send after the language packet send.
In my example, the decrypt packet look like:
1C 00 F2 03 3F 5A 11 00 63 22 11 00 00 00 00 00 00 00 00 00 00 00 00 00 89 00 00 00
and the real encrypt packet send is:
74 2D B7 18 07 CE 4E 6F 06 88 04 A4 7B EC D5 EF B4 28 9F 29 FB 6E 5A 64 A7 A5 18 A5

this encrypt packet change on every session, so i think it's the first packet encrypt with the random key3 and key4 we receive.
so i try to generate this 2 new key with the second packet receive.
In my example, the real encrypt packet is:
47 48 AA 12 5A 2D 6B 2E 2D 88 01 CA 52 9F 24 14 F6 7A 08 C0 2A 64 6F 3E 6D 00 E3 2A FA 2D 87 C6
and the decrypt packet is:
20 00 1F 04 35 97 45 00 0D 87 23 09 31 32 37 2E 30 2E 30 2E 31 00 00 00 00 00 00 00 B8 16 00 00

So i extract the two vector like this:
first vector = 12th + 11th + 10th + 9th byte:
31 09 23 87
second vector = 8th + 7th + 6th + 5th byte:
0D 00 45 97

1>31092387 + 0D004597 = 3E09691E
2>3E09691E xor 4321 = 3E092A3F
3>31092387 xor 3E092A3F = 0F0009B8
4>0F0009B8 imul 0F0009B8 = 905E7440

first 4 bytes of my key3:
8A83909D xor 0F0009B8 = 85839925
25998385

first 4 bytes of my key4:
15E84F62 xor 905E7440 = 85B63B22
223BB685

So now, if i apply my 2 new key on the second packet i send to the gameserver, i must find the real encrypt packet..
1C xor 25 = 39
39 xor 22 = 1B
invert 1B = B1
B1 xor AB = 1A

i find "1A" for my first byte, and i want to find "74"...

So perharps i've got a problem with my counter, don't know, i would appreciated if someone can correct my mistake.

thx

[behelit]

Code:

SEND:1C 00 1C 04 xx xx xx xx 00 00 00 00 72 65 73 2E 64 61 74 00 00 00 00 00 00 00 00 00 |:ASCII:| ÉD   res.dat     
   [type 4  ] [ key3  ] [     ] [r e s . d a t]

this is the 2nd packet sent to the server
it uses the recv packet encryption (using keys 1 and 2)
but it starts from 0 and the counter is independant from the recv packets counter
so for this packet your counter should be at 52 since the first packet is 52 bytes

xor with key1
xor with key2
flip
xor with AB

[meow`]

Quote:

this is the 2nd packet sent to the server

yep but no i think we dont talk with the same packet, i have no problem with the res.dat packet, it's the second packet on the gameserver, not on the login server.
my problem is with the packet send just after the english lang packet, and i think i must use the key3 and key4 here.

[Ultima]

Quote:

Originally posted by meow`@Aug 2 2005, 07:15
Hy all,
first sorry for my bad english, but i'm french, so if u don't understand something please tell me and i'll try to correct my sentences

Ok so, i'm trying to study the protocol and i've got a problem with the second packet i send to the gameserver, so it's the client to the server's packet send after the language packet send.
In my example, the decrypt packet look like:
1C 00 F2 03 3F 5A 11 00 63 22 11 00 00 00 00 00 00 00 00 00 00 00 00 00 89 00 00 00
and the real encrypt packet send is:
74 2D B7 18 07 CE 4E 6F 06 88 04 A4 7B EC D5 EF B4 28 9F 29 FB 6E 5A 64 A7 A5 18 A5

this encrypt packet change on every session, so i think it's the first packet encrypt with the random key3 and key4 we receive.
so i try to generate this 2 new key with the second packet receive.
In my example, the real encrypt packet is:
47 48 AA 12 5A 2D 6B 2E 2D 88 01 CA 52 9F 24 14 F6 7A 08 C0 2A 64 6F 3E 6D 00 E3 2A FA 2D 87 C6
and the decrypt packet is:
20 00 1F 04 35 97 45 00 0D 87 23 09 31 32 37 2E 30 2E 30 2E 31 00 00 00 00 00 00 00 B8 16 00 00

So i extract the two vector like this:
first vector = 12th + 11th + 10th + 9th byte:
31 09 23 87
second vector = 8th + 7th + 6th + 5th byte:
0D 00 45 97

1>31092387 + 0D004597 = 3E09691E
2>3E09691E xor 4321 = 3E092A3F
3>31092387 xor 3E092A3F = 0F0009B8
4>0F0009B8 imul 0F0009B8 = 905E7440

first 4 bytes of my key3:
8A83909D xor 0F0009B8 = 85839925
25998385

first 4 bytes of my key4:
15E84F62 xor 905E7440 = 85B63B22
223BB685

So now, if i apply my 2 new key on the second packet i send to the gameserver, i must find the real encrypt packet..
1C xor 25 = 39
39 xor 22 = 1B
invert 1B = B1
B1 xor AB = 1A

i find "1A" for my first byte, and i want to find "74"...

So perharps i've got a problem with my counter, don't know, i would appreciated if someone can correct my mistake.

thx

first thing to say you got the wrong key of the key packet

Quote:

and the decrypt packet is:
20 00 1F 04 35 97 45 00 0D 87 23 09 31 32 37 2E 30 2E 30 2E 31 00 00 00 00 00 00 00 B8 16 00 00

you took

Quote:

So i extract the two vector like this:
first vector = 12th + 11th + 10th + 9th byte:
31 09 23 87
second vector = 8th + 7th + 6th + 5th byte:
0D 00 45 97

but its

0923870D

and

00459735

so try it with those

[meow`]

hum in the old guide about the old 28 key packet length, the guy say to take the 11th,10th,9th,8th and 7th,6th,5th,4th bytes but in the example, he take the 12th,11th,10th,9th and the 8th,7th,6th,5th bytes.
now like it say, the packet are 32 length and u need to decal this selection, so i just say like the guide i take the 12th,11th,10th,9th and the 8th,7th,6th,5th bytes but in real i take the 13th,12th,11th,10th and 9th,8th,7th,6th, perhaps its a mistake, dont know, i try like u say and i dont find the same packet again..

[behelit]

in the guide he's counting from 0
you should end up with this
but to encrypt the language packet (110 English) you should use key1 and 2 with counters at 0

[Ultima]

the first packet send to the gameserver is not encrypted with key 3 and 4 cause in that packet you tell the game server the keys you get from the login server and after that packet key 3 and 4 are used

but after the change from login to gameserver you have to reset the counter thats all

[meow`]

yep yep i have no problem to send the english packet too, and my counter for the key3 and key4 are set to 0.
behelit: i find the same key then u, but dont find the good encrypt packet again like this.

1C xor F3 = EF
EF xor 26 = C9
inv = 9C
9C xor AB = 37

37 != 74

[behelit]

for the 2nd packet the counters would be at 29
it works in my app but i cant do it manually
i havnt looked at the encryption methods for a while :P

here we go:

74 xor AB = DF
FD xor 26 = DB
DB xor C7 = 1C

[meow`]

Yes it's ok, thx for ur help ultima and behelit !
So we need to jump the length of the lang packet without use it with this key...
Just a little think, there a mistake in the soft u have use to post the screenshot, the key isn't correct, there some bytes in excess, i think the buffer isn't proper correctly

thx

[jMerliN]

Quote:

Originally posted by wondersven+Jan 12 2005, 03:09--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (wondersven @ Jan 12 2005, 03:09)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin--razorwolf@Jan 12 2005, 04:28 AM

Reverse engineering

ya, I know that.

but what indicates the algorythm? [/b][/quote]
Generally you can start by breakpointing or hooking the winsock send and receive funcs and backtracing the functions called in succession to them using a simple stack check and find the encryption/decryption algorithms this way then reverse into C++ and reproduce the same exact effect that the game does for your own use.