conquer cryptology
Discussion on conquer cryptology within the CO2 Private Server forum part of the Conquer Online 2 category.
02/12/2013, 03:13
#1
conquer cryptology
edit: maybe I'm using a stupid way to ask about stuff, or maybe you don't want to bother helping me out, which is why I'm helping myself and changing the way I'm asking about stuff; maybe that will work out and I'll get some help
here is what I've got so far
the subject was about how Conquer cryptology/cryptography works, from server start until the client is fully connected with the private shared key
please, someone confirm/continue what I've understood
from my personal notes (forgive me for my bad English and bad information, but all that has been done in 10 hrs of reading and trying)
Quote:
TL;DR
AuthServer_AnnounceNewConnection
generating a new PasswordCryptographySeed, then sending it using the AuthCryptography encrypt method, which I don't know what encryption it's using; it encrypts them using the 4 keys (2 constant and 2 probably generated each time)
that's how it encrypts the packets (decrypt is the reverse):
    b ^= 171;                                // the ^ operator is XOR in C#: each byte XOR 171 (0xAB)
    b = (byte)((b >> 4) | (b << 4));         // swap the two nibbles of the byte
    b ^= (byte)(_cryptKey1[this._encryptCounter.Key1] ^ _cryptKey2[this._encryptCounter.Key2]);
then it increases the encrypt counter
conclusion:
once the announce new connection event is raised we do the following:
define a new authstate object using the ISocketWrapper object socket with a new AuthCryptography
then get the current PasswordCryptographySeed, send it after encrypting it, then change it for other clients
then set the ISocketWrapper object "Connector" to the authstate object we created using that ISocketWrapper socket
then the client replies to raise the event AuthServer_AnnounceReceive with a packet of length 240
then we decrypt this packet using the decrypt method, which I don't know what cryptology it is
we get the user name at offset 8 and the password at offset 72, which both need to be converted using the System.Text.Encoding class
then the server replies with a packet of length 52 and type 1055, with Identifier at offset 4, game IP at offset 20, game port at offset 12 and also type at offset 8
types are
Banned = 0,
InvalidInfo = 1,
Ready = 2
if the length isn't 240 then the server will disconnect this connection
then at CreateServerKeyPacket
    string P = "E7A69EBDF105F2A6BBDEAD7E798F76A209AD73FB466431E2E7352ED262F8C558F10BEFEA977DE9E21DCEE9B04D245F300ECCBBA03E72630556D011023F9E857F";
    string G = "05";
the prime is that number and the generator is that 5
then it creates the server key packet and sends it to the client
the client replies with its own result, so the server uses it to know the client private key and figure out the final shared private key
the server decrypts this client packet with the Blowfish GameCryptography decrypting method
if it's the first packet the game server receives, it decrypts it and gets the shared private key, else it just decrypts it and starts processing that packet
to sum up what I've got so far:
the client sends a connecting request
the server sends the password seed
the client replies with a packet of length 240 with acc, pass and server
if the information is correct the server sends a packet of length 52 and type 1055, Identifier at offset 4, game IP at offset 20, game port at offset 12 and also type at offset 8
the client connects to the game server
then the server sends the client the DH packet (p, g, result)
the client replies with its result
now both client and server have the shared private key
moreover
the server encrypts/decrypts everything with the Blowfish key, except the auth packet of the client, which it encrypts/decrypts with the AuthCryptography class (I don't know what encryption it's using, and I'm sure it's not the DH key because the DH key comes after the auth process)
assuming all that I said is perfectly fine, I've got some questions:
what is the use of the DH key exchange? I can't find any use for the private shared key they had
is there anything else I should know about client/server cryptography?
does AsyncSocket automatically create a thread per connection? or in other words, how does one socket connect all clients?
thanks
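An added example, not code from the thread or from any Conquer source: the per-byte auth cipher exactly as the post above lists it (XOR 0xAB, nibble swap, XOR with key1[c1] ^ key2[c2]), written in Python so the encrypt/decrypt symmetry can be checked. The two 256-byte key tables are constructed here and the counter stepping (low index carrying into the high one) is an assumption, since neither is on the page; note that the 0xAB XOR and the nibble swap are fixed transforms, so all secrecy rests on the key tables.

```python
# Added example, not from the thread or any Conquer source. Key tables are
# CONSTRUCTED; the counter carry (low index into high index) is an ASSUMPTION.
def make_tables(seed: int):
    """Two constructed 256-byte key tables from a simple LCG (not TQ's generator)."""
    rnd = seed & 0xFFFFFFFF
    tables = []
    for _ in range(2):
        t = bytearray(256)
        for i in range(256):
            rnd = (rnd * 1103515245 + 12345) & 0xFFFFFFFF
            t[i] = (rnd >> 16) & 0xFF
        tables.append(bytes(t))
    return tables[0], tables[1]

class AuthCipher:
    def __init__(self, key1: bytes, key2: bytes):
        self.key1, self.key2 = key1, key2
        self.enc = [0, 0]   # encrypt counter: [Key1 index, Key2 index]
        self.dec = [0, 0]   # decrypt counter, stepped independently

    @staticmethod
    def _step(ctr):
        ctr[0] = (ctr[0] + 1) & 0xFF
        if ctr[0] == 0:                      # assumed carry into the second index
            ctr[1] = (ctr[1] + 1) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            b ^= 0xAB                                  # "each byte ^ 171"
            b = ((b >> 4) | (b << 4)) & 0xFF           # swap the two nibbles
            b ^= self.key1[self.enc[0]] ^ self.key2[self.enc[1]]
            self._step(self.enc)
            out.append(b)
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:                                 # same steps in reverse order
            b ^= self.key1[self.dec[0]] ^ self.key2[self.dec[1]]
            b = ((b >> 4) | (b << 4)) & 0xFF
            b ^= 0xAB
            self._step(self.dec)
            out.append(b)
        return bytes(out)

def roundtrip(msg: bytes) -> bytes:
    """Server-side encrypt, client-side decrypt, both starting from fresh counters."""
    k1, k2 = make_tables(0x1234)
    return AuthCipher(k1, k2).decrypt(AuthCipher(k1, k2).encrypt(msg))
```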
02/12/2013, 03:19
#2
Ever tried looking in a source?
02/12/2013, 03:27
#3
Quote:
Originally Posted by Super Aids
Ever tried looking in a source?
I did trace Trinity base from the socket receiving a connection until account login more than 5 times
but did you ever try tracing a source without knowing what you are actually seeing?
I see numbers, I see variables, I see equations, but I don't understand everything; I see a key decrypting a packet but I don't know how it's encrypted; I end up in methods where I understand but I don't know what the hell it's doing
sorry bauss, but yes I did try to search and work it out on my own, but trust me it's not that easy and I'm still searching and reading to do it on my own
but I'm sorry once more, you know I respect you, but do you search for everything you post asking for? you did post asking for stuff I figured out on my own, and that's not because it's easy or hard, or even because I'm good and you are bad
it's simply because maybe you were confused or had too much to think about and forgot something, maybe and maybe and maybe
how many people out there can actually write their own sources? 20 out of 100k? don't blame me for trying, maybe, and I'm kind of sure that most elitepvpers members don't know, and more sure that those who know will not help me; maybe they think they are wasting their time
maybe they don't want others to get more advanced and code a server or even a proxy
but what I'm definitely sure of is that
I live once; it's awkward to ask but more awkward not to ask and stay stupid
as long as I'm trying I've got a chance; you'd better blame and make fun of people who don't even want to try and fail
just today I realized that asking others may not be as stupid as not even trying
I'm sorry mate but that's the truth and I couldn't stop myself typing it
02/12/2013, 16:54
#4
The auth cipher is TQ's own cipher; all 4 keys are generated at initialization. The game server uses the blowfish cipher - you can find information about the blowfish cipher at Blowfish (cipher) - Wikipedia, the free encyclopedia - see either OpenSSL's source at  - or CptSky's implementation (CFB64 mode - he also has one in C#) at  - and here's the explanation of DH key exchange - Diffie
02/12/2013, 17:50
#5
We'll say that Alice is the client and Bob is the server.
Pre-5017 clients
COAC : Conquer Online Asymmetric Cipher (4096-bit key)
Alice and Bob agreed on an initialization vector (IV) for the COAC algorithm. This IV is generated from the P seed (0x13FA0F9D) and the G seed (0x6D5C7962).
Alice sends a connection request to Bob, which validates the account/password and returns to Alice a unique ID (B seed) and a connection token (A seed). Alice takes those two keys and generates a new key for the COAC algorithm. The key is used to encrypt the data, while Bob will generate the same new key using the A, B values to decrypt the data.
RC5 : Rivest Cipher 5 (128-bit key, 64-bit blocks, 12 rounds)
N.B. The P, Q magics shouldn't be changed but TQ already changed them. (RC5_PW32 = 0xB7E15163, RC5_QW32 = 0x9E3779B9)
Alice and Bob agreed on a 128-bit seed ({ 0x3C, 0xDC, 0xFE, 0xE8, 0xC4, 0x54, 0xD6, 0x7E, 0x16, 0xA6, 0xF8, 0x1A, 0xE8, 0xD0, 0x38, 0xBE }). They'll generate the key with the seed. Alice will encrypt the password using RC5 and Bob will decrypt it.
Post-5017 clients (using Blowfish)
COAC : Conquer Online Asymmetric Cipher (4096-bit key)
Alice and Bob agreed on an initialization vector (IV) for the COAC algorithm. This IV is generated from the P seed (0x13FA0F9D) and the G seed (0x6D5C7962).
Alice sends a connection request to Bob, which validates the account/password.
Diffie-Hellman
Alice and Bob agreed on the P (A320A85EDD79171C341459E94807D71D39BB3B3F3B5161CA84894F3AC3FC7FEC317A2DDEC83B66D30C29261C6492643061AECFCF4A051816D7C359A6A7B7D8FB) and G (05) keys, which are public. P is prime and G is a primitive root mod P. When Alice establishes a connection with Bob, Bob chooses a secret key a and sends to Alice the public key A, which is G ^ a mod P. Alice chooses a secret key b and sends to Bob the public key B, which is G ^ b mod P. Both compute the secret key s, which will be used to decrypt and encrypt the following code. s is B ^ a mod P or A ^ b mod P.
During this exchange, Bob will also send the IVs to be used by Alice for encryption and decryption. Each IV block is 64-bit.
Blowfish (448-bit key max, 64-bit blocks, 16 rounds, CFB64 mode)
N.B. A block is XORed with an IV block for encryption/decryption. So, the IV blocks are 64-bit too.
Alice and Bob agreed on a default seed (can't remember the key...) for generating the Blowfish key and doing the DH exchange. Also, both IVs are zero-filled. When the exchange is done, Alice and Bob generate the new key using their secret s key and they set the new IVs that Bob chose. Following that point, they should have a safe tunnel to communicate using Blowfish.
RC5 : Rivest Cipher 5 (128-bit key, 64-bit blocks, 12 rounds)
N.B. The P, Q magics shouldn't be changed but TQ already changed them. (RC5_PW32 = 0xB7E15163, RC5_QW32 = 0x9E3779B9)
Alice and Bob agreed on a 128-bit seed ({ 0x3C, 0xDC, 0xFE, 0xE8, 0xC4, 0x54, 0xD6, 0x7E, 0x16, 0xA6, 0xF8, 0x1A, 0xE8, 0xD0, 0x38, 0xBE }). They'll generate the key with the seed. Alice will encrypt the password using RC5 and Bob will decrypt it.
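An added example, not code from the thread or from any Conquer source, covering the DH exchange that both the first post and the post above describe: it runs the exchange in Python with the P and G posted above (the hex joined, since the spaces in the forum copy are line-wrapping artefacts) and includes the Miller-Rabin check a practitioner would run to confirm P is actually prime before trusting the group. How s is turned into the Blowfish key is not on the page, so the functions return s itself; it is the value that later keys the game-server cipher, which is what the first post asked about.

```python
# Added example, not from the thread or any Conquer source: the DH step from
# the post above with the posted P and G, plus a primality check on the group.
import secrets

# P and G as posted (the spaces in the forum copy were line-wrapping artefacts).
P = int("A320A85EDD79171C341459E94807D71D39BB3B3F3B5161CA84894F3AC3FC7FEC"
        "317A2DDEC83B66D30C29261C6492643061AECFCF4A051816D7C359A6A7B7D8FB", 16)
G = 5

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin: False means definitely composite, True means probably prime."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_keypair(p: int = P, g: int = G):
    """Return (secret x, public g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared(their_public: int, my_secret: int, p: int = P) -> int:
    return pow(their_public, my_secret, p)

def exchange(p: int = P, g: int = G):
    """Bob (server) and Alice (client) each end with the same s."""
    a, A = dh_keypair(p, g)        # Bob: secret a, sends A = G^a mod P
    b, B = dh_keypair(p, g)        # Alice: secret b, sends B = G^b mod P
    s_bob = dh_shared(B, a, p)     # B^a mod P
    s_alice = dh_shared(A, b, p)   # A^b mod P
    return s_bob, s_alice
```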
02/12/2013, 17:59
#6
Correct me if I'm wrong, but newer TQ patches use the CAST cipher versus Blowfish for the game server encryption. They are very similar to implement but are not the same (not really an issue, as you're going to be using an existing library 99 percent of the time).
<edit> Gawd damnit... I'm too slow and a far more accurate and complete example is listed above me. Snipping my original post into spoiler QQ
But yes, it seems you have your description correct.
Client>Auth Connects
Auth>Client Sends Encrypted (auth cipher) password seed (password cipher)
Client>Auth Sends Encrypted (auth cipher) login request (password encrypted using password cipher + password seed)
Auth>Client Sends Response
If the auth response equals a successful login attempt it will contain a server IP and port that allows the client to now connect to the game server.
Client>Game Connects
Game>Client Sends DHKeyExchange packet (Server Key containing p, g, result as you mentioned)
Client>Game Sends DhKeyExchange packet (Client key result)
The client and game server are now connected and encryption is complete. They can proceed with the normal login routine, which goes something like...
Client>Server LoginRequest (using key from auth server)
Server>Client MessagePacket (listing create character or continue login)
Server>Client HeroInformationPacket
Server>Client GeneralActionPacket (change map)
There's also a bunch of things going Client>Server which deal with requesting skills, profs, friends, etc., but you're essentially done with login at this point.
02/12/2013, 18:09
#7
Quote:
Originally Posted by pro4never
Correct me if I'm wrong but newer TQ patches use the CAST cipher versus Blowfish for the game server encryption. They are very similar to implement but are not the same (not really an issue as you're going to be using an existing library 99 percent of the time)[...]
New patches use the CAST-5 cipher, but it's a block cipher really similar to Blowfish... It uses the CFB64 mode too, so it will be identical. The only thing will be MD5 with the DH and the password cipher.
02/12/2013, 19:03
#8
I'm really impressed someone took the time to understand it and has managed to show that while seeking help in further understanding.
Nice to see that once in a while.
02/13/2013, 00:45
#9
thanks CptSky, I really mean it
thanks pro4never, and what you said was still helpful
thanks Lateralus, pretty useful links
thanks _DreadNought_
thanks bauss for ******* me off and making me work my *** out even more :P