Blowfish key

Speedie123 · 03/07/2012, 15:05

Hey guys.
I was wondering what's the best way to get the blowfish key?
I've tried some other stuff from ultimation but it doesnt work with protected servers, so may i ask for a trusted way?
and how to replace the new key into the exe using hex or w/e
Thanks.

Spirited · 03/07/2012, 20:36

Some servers just edit it using a hex editor. You can open Conquer.exe in Notepad++ and find it next to "TQServer". Other servers might use a loader to inject it with a new blowfish key. In any case, it's pretty easy to figure out the BF key by reverse engineering the loader. I know there's a few tutorials and programs out there to help you in the Programming Section. Good luck!

_DreadNought_ · 03/07/2012, 20:46

Fang incorect, "AFAIK" The BFKey is a fixed string and cannot be changed via hooking.

Spirited · 03/07/2012, 20:53

Quote:

Originally Posted by _DreadNought_

Fang incorect, "AFAIK" The BFKey is a fixed string and cannot be changed via hooking.

So it's not possible to hook the client's method that sets the key in the game cipher? It's not possible to inject a new method that sets the cipher using another key? o.O

_DreadNought_ · 03/07/2012, 20:59

When you think about it that way yes, but simply just changing the string at the address in memory its set to, no.

-impulse- · 03/07/2012, 21:08

Quote:

Originally Posted by Fаng

So it's not possible to hook the client's method that sets the key in the game cipher? It's not possible to inject a new method that sets the cipher using another key? o.O

Not in CO's case... well it's not exactly easy.
TQ's programmers that wrote CO's encryption implemented all by hand... so a simple detour wouldn't work (like get the lib and includes for openssl and set up a detour on BF_set_key from openssl) because you dont have the function pointer.
But, if you can get the function's pointer then you can hook the function and get the parameters easily.

On the other hand, if you're dealing with a CO.exe like classic co's, which is packed and closes the game if it finds c-e, ollydbg, programming environments (VC#, VC++), it's going to be a lot harder.
If you don't succeed with hooking/detours, you could always try a bruteforce but it might take you around a month to be able to find the right combination considering that there are 94^16 (^ = power) possible arrangements. (Starting from '0' to '~').

If you're trying bruteforce... good luck with that.

Speedie123 · 03/08/2012, 13:56

I still couldnt know how to get it after all.

Lateralus · 03/08/2012, 14:44

Attach with a debugger; Enigma decrypts at runtime. I swear I've posted this same thing at least 5 times now.

Speedie123 · 03/08/2012, 23:34

Sorry, can you link me it?

~~injection illusion logic~~ · 03/09/2012, 01:23

link u what ? debugger ? if u duno how to get it then im pretty sure u dont know a thing about asm , so google asm books and read some and come back

Speedie123 · 03/09/2012, 01:51

Dude, I've asked clearly for help.
So, Could you just tell me a trusted way?

_DreadNought_ · 03/09/2012, 01:53

Google OlyDBG.

I'll do it for you I guess,

use google to learn how to use the software and you can do everything as so.

Speedie123 · 03/09/2012, 02:26

I know the ollydbg.
I was asking for a way to get the blowfish key.
Could you show me it?
Oweee, thanks.

Speedie123 · 03/10/2012, 14:29

Up guys.

×Holo · 03/10/2012, 16:01

Please, don't bump a thread that you won't get a simple answer on..

you have to get throw alot first.