The password encryption is basically the same as before with some added extras. The server now sends an extra 32-bit cipher before login starts, the base key has changed, there is a character-by-character substitution before encryption, and a further encryption based on the ASCII sum of the pz user name.
I did get quite far into working it out before other commitments took me away. If I get back on it in the near future I'll probably post here with it.
Yeah, it's still RC5. The key to seed it now is based on that int received from the server. It's used to create some 16 random bytes (srand(), rand() from msvcrt), and the 16-byte sequence is what seeds the RC5.
In addition to the RC5 though, there's another layer of encryption, which is seeded from the sum of all the username's characters' ASCII values, and that seed then creates a 256 int16 key, which is then sorted by most significant byte only. The cryptography then works based on key indexes and converting scan codes to virtual key characters (i.e., MapVirtualKey()).
.Net implementation of that part here anyway. Reflect it if you need to port to another language. It has no external dependencies.
Also an RC5 implementation for those who were lazy and hardcoded the old key rather than implementing the keygen routine.
It depends on the version. From 4267 to 5017 TQ used the Blowfish cipher, and for their latest patch a modified version of RSA is used (as far as I know).
Credit to Ultimation & Myself.
Nice one, lol that saved me some time in ollydbg. I knew you guys woulda sussed it.
Quote:
Originally Posted by Neo~
Why are you such a nerd?
I guarantee he's smarter than you. Probably by several times. Contrary to normal belief, someone smarter than you (which may be a great proportion of the population) is not a nerd.
It's all in unknownone's dll he attached earlier in this post. Just use a reflector to open the dll and you can see the source in any language you prefer. You should really thank him for this not me mang.
The only part missing from the DLL is the creation of the RC5 key. It's just an int sent from the server to the client on connect in an 0x423 packet. For a basic template of how you'd implement it..
Code:
    using System;
    using System.Net.Sockets;
    using System.Text;
    using Liberate.Cryptography;   // ConquerPasswordCryptpographer and RC5 from the attached DLL
    using msvcrt;                  // srand()/rand() wrapper that matches the C runtime

    class Connection
    {
        // 32-bit seed handed to the client in the 0x423 packet on connect
        private readonly int passCryptoSeed;
        //...

        public Connection(Socket socket)
        {
            this.passCryptoSeed = (new Random()).Next();
            var seedPacket = new PasswordCryptographySeedPacket()
            {
                Seed = this.passCryptoSeed
            };
            this.SendPacket(seedPacket);
            //...
        }

        public void OnLoginPacket(LoginPacket loginPacket)
        {
            // Reproduce the client's key derivation: seed msvcrt's PRNG with the
            // same int and keep the low byte of 16 successive rand() calls.
            msvcrt.srand(this.passCryptoSeed);
            var rc5Key = new byte[0x10];
            for (int i = 0; i < 0x10; i++)
                rc5Key[i] = (byte)msvcrt.rand();

            // Undo the two layers in reverse order: RC5 first, then the
            // username-seeded substitution layer.
            var password = Encoding.ASCII.GetString(
                (new ConquerPasswordCryptpographer(loginPacket.Username)).Decrypt(
                    (new RC5(rc5Key)).Decrypt(loginPacket.Password)));
            //...
        }
        //...
    }
Not done much .NET stuff myself, just a little worried about the seeding of the PRNG like that. Are the variables used in srand() and rand() private to that particular thread or are they global for the entire application? If the latter is true, it could cause problems to a whole server application to have the seed constantly reset to a relatively small integer every time someone logs on. A multi-threaded application could also call rand() right in the middle of the key generation, causing a failed login. Of course, if the routines are pure to the thread it isn't an issue.
Code:
    // Java port of msvcrt's LCG: seed = seed * 214013 + 2531011, result = (seed >> 16) & 0x7FFF.
    // int arithmetic wraps modulo 2^32 exactly like the C runtime.
    public class rand
    {
        static int _seed;   // shared state for the static (srand/rand style) mode
        int seed;           // per-instance state, safe to use from one connection/thread

        public rand(int seed)
        {
            this.seed = seed;
        }

        public final int _next()
        {
            seed *= 0x343FD;
            seed += 0x269EC3;
            return (seed >> 0x10) & 0x7FFF;
        }

        public static void seed(int seed)
        {
            _seed = seed;
        }

        public static final int next()
        {
            _seed *= 0x343FD;
            _seed += 0x269EC3;
            return (_seed >> 0x10) & 0x7FFF;
        }

        public static final int next(int max)
        {
            return (next() % (max + 1));
        }

        public static final int next(int min, int max)
        {
            return (next() % (int) (((max) + 1) - (min))) + (min);
        }
    }
could just do
    rand rand = new rand(seed);
    rand._next();
or static mode
    rand.seed(seed);
    rand.next();
That's in Java, basically a copy of what msvcrt does because Java's random sucks
edit: Also, I'm having some problems with my encryptions still, it decrypts correctly about half the letters (and all upper case). I think the mapping may be wrong, not sure (using sparkie's source).
For example:
Encrypted (by client): teest
Decrypted (by proxy): ( S( (contains 2 spaces after ( )
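Added example (not code from the thread or from the attached DLL): the msvcrt LCG used by the C# template and the Java class above, written with per-connection state instead of the process-global srand()/rand(), which answers the thread-safety worry raised earlier. It derives the 16-byte RC5 key from a seed and checks that another generator drawing numbers "concurrently" cannot disturb the derivation; seed values 1 and 2 are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Re-entrant copy of msvcrt's rand(): seed = seed * 0x343FD + 0x269EC3,
 * result = (seed >> 16) & 0x7FFF. Each connection owns its own state, so a
 * rand() call from another login cannot land in the middle of a derivation. */
typedef struct { uint32_t state; } msvc_rand_t;

static void msvc_srand(msvc_rand_t *r, uint32_t seed) { r->state = seed; }

static int msvc_rand(msvc_rand_t *r) {
    r->state = r->state * 214013u + 2531011u;   /* wraps modulo 2^32 like the CRT */
    return (int)((r->state >> 16) & 0x7FFF);
}

/* Key derivation as the thread describes it: srand(seed), then the low byte
 * of 16 successive rand() results. */
static void derive_rc5_key(uint32_t seed, uint8_t key[16]) {
    msvc_rand_t r;
    msvc_srand(&r, seed);
    for (size_t i = 0; i < 16; i++)
        key[i] = (uint8_t)msvc_rand(&r);
}

/* Small accessors used by the checks below. */
static int nth_rand(uint32_t seed, int n) {
    msvc_rand_t r; int v = 0;
    msvc_srand(&r, seed);
    while (n-- > 0) v = msvc_rand(&r);
    return v;
}
static int key_byte(uint32_t seed, size_t i) { uint8_t k[16]; derive_rc5_key(seed, k); return k[i]; }

/* Derive the key for seed a while a second generator (seed b) is consumed
 * between every call, as a concurrent login would; returns 1 if unaffected. */
static int derivation_is_isolated(uint32_t a, uint32_t b) {
    uint8_t expect[16], got[16];
    msvc_rand_t ra, rb;
    derive_rc5_key(a, expect);
    msvc_srand(&ra, a);
    msvc_srand(&rb, b);
    for (size_t i = 0; i < 16; i++) {
        (void)msvc_rand(&rb);                 /* the "other thread" drawing a number */
        got[i] = (uint8_t)msvc_rand(&ra);
    }
    return memcmp(expect, got, 16) == 0;
}

int main(void) {
    uint8_t key[16];
    derive_rc5_key(1u, key);                  /* constructed sample seed */
    for (size_t i = 0; i < 16; i++) printf("%02x%c", key[i], i == 15 ? '\n' : ' ');
    printf("isolated: %d\n", derivation_is_isolated(1u, 2u));
    return 0;
}
```

With seed 1 the generator yields the familiar MSVC sequence 41, 18467, 6334, 26500, ..., so the key starts 29 23 be 84.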