[Delphi source][5770 +/-] Completely removing packet encryption from the client
Discussion on [Delphi source][5770 +/-] Completely removing packet encryption from the client within the CO2 Programming forum part of the Conquer Online 2 category.
Attached is the source code and compiled DLLs that allow you to completely bypass Conquer's packet encryption. All you need to do is inject the CustomCO.dll in the Win32/Release directory into Conquer.exe, run the "Init" method that is exported by the DLL - and the client's packet encryption/decryption routines will be overwritten and do nothing.
An injector is also included in the files if you are too lazy to write your own. To use it, run CustomCOInjector.exe and open a new Conquer window and it will inject the DLL once the Conquer window is opened.
With this tool you can also write your own custom encryption for your private server if you like by overwriting the code in the hooked functions:
DecryptData_Hooked is for decrypting game server -> client packets.
Encrypt_Hooked is for encrypting/decrypting auth server <-> client packets.
EncryptData_Hooked is for encrypting client -> game server packets.
These functions are found in the Client.pas file.
Notes:
You must still append "TQServer" to the packets sent from your server.
You still have to send the handshake packet to the client when it connects to your game server - but because it is ignored by the client, you can just send something random like
- the client DOES reply to the handshake so you'll need to handle/ignore that.
Currently, the tool is configured to re-direct the client to 127.0.0.1 aka localhost. I will probably make it configurable later on. Until then, you will need to re-compile the project if you want to change it. You can get a free Delphi compiler.
The tool does not remove the password encryption yet but I might make a version in the future that does.
The tool does not block TQ's anti-bot system. If anyone has a list of all the ports that the anti-bot system uses, feel free to post it here so I can include it in the tool.
Update
Added an experimental version that alters the MsgLoginProof packet (type 0x4BE aka 1214) to send the user's unencrypted password. The unencrypted password is stored at offset 4 and the packet now looks like this:
The handshake packet is also blocked from being sent by the client now. You still need to send the handshake from your server though.
I've also blocked some of the ports that the anti-cheat system uses and also the port(s) that are used when the client checks if it's up-to-date when opened.
Very cool concept. Instead of having to work around the cipher algorithms that they might change in the future, why deal with them. Keep up the work, I love seeing developments like this.
Um, I don't mean to sound like a ****, but who are you kidding? The ciphers have changed twice, maybe 3 times (if once before I joined the community) in all of Conquer... o_o
And then secondly, even if they do change, depending on the approach used, it's quite likely where you need to hook could change as well.
Also, the source indicates this is patch-specific (well, the "concept" isn't; in fact this isn't the first of its kind; but the constants are).
I appreciated the concept. I recognize that Conquer's cryptography doesn't change often (six times - Blowfish, RC5 Seed Exchange, Cast, MD5 in DH, back to Blowfish, and SRP). Who am I kidding sounds like I'm trying to fool someone. The concept is nice, and I don't think I'm trying to kid someone into thinking one way or another. I'm simply displaying my opinion, which is my appreciation of his work. Sorry if you took it another way.
Just a minor correction:
RC5/MD5/SRP aren't "encryptions" per se, they're hashing algorithms.
Although, I did forget about Cast (because of how similar it is to Blowfish), so we have Legacy -> Blowfish -> Cast -> Cast Modified at best.
Of course it's patch-specific. I guess you could scan the memory for certain patterns to automatically find the encryption/decryption routines - but what about patches below 5065 (I think?) that only use TQ's custom encryption and not the CAST 5 or Blowfish? I guess you could make a tool with the option to select which of the encryption routines your target client uses and have it scan for those routines and patch them. That's a little overkill in my view though.
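The alternative raised in this reply, locating a routine by a byte pattern with wildcards rather than by a hard-coded address that breaks on every patch, is the same masked-signature matching that YARA-style detection tools use. The following is an added illustration written for this page, not code from the attached project; it scans a constructed byte buffer (the `CONSTRUCTED_IMAGE` bytes are made up for the demo, not taken from any client), and it also shows the caveat behind "that's a little overkill": a signature with too many wildcards matches in more than one place and has to be rejected rather than trusted.

```python
from typing import List, Optional

# Constructed sample "image": two similar function prologues that differ in
# one byte (the stack-frame size), separated by padding. Nothing here is real
# client code; it exists only so the scanner has something to search.
CONSTRUCTED_IMAGE = (
    b"\x90" * 16
    + bytes.fromhex("55 8B EC 83 EC 10 53 56 57")   # prologue A at offset 16
    + b"\xCC" * 20
    + bytes.fromhex("55 8B EC 83 EC 20 53 56 57")   # prologue B at offset 45
    + b"\x00" * 8
)


def parse_signature(sig: str) -> List[Optional[int]]:
    """Turn an IDA-style signature ("55 8B EC ?? 53") into a byte list.

    Wildcard tokens ("??" or "?") become None and match any byte.
    """
    pattern: List[Optional[int]] = []
    for tok in sig.split():
        if tok in ("??", "?"):
            pattern.append(None)
        else:
            value = int(tok, 16)
            if not 0 <= value <= 0xFF:
                raise ValueError(f"bad signature byte: {tok}")
            pattern.append(value)
    return pattern


def find_all(buf: bytes, sig: str) -> List[int]:
    """Return every offset in buf at which the masked signature matches."""
    pattern = parse_signature(sig)
    n = len(pattern)
    hits = []
    for off in range(len(buf) - n + 1):
        window = buf[off:off + n]
        if all(p is None or p == b for p, b in zip(pattern, window)):
            hits.append(off)
    return hits


def find_unique(buf: bytes, sig: str) -> Optional[int]:
    """Return the single offset the signature matches, or None.

    A signature that matches zero or several times is not usable as an
    anchor: with several hits there is no way to know which routine is the
    intended one, so the caller must tighten the pattern instead.
    """
    hits = find_all(buf, sig)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    loose = "55 8B EC 83 EC ?? 53 56 57"   # wildcard on the frame size: ambiguous
    tight = "55 8B EC 83 EC 20 53 56 57"   # fixed frame size: unique
    print("loose hits:", find_all(CONSTRUCTED_IMAGE, loose))
    print("tight hit :", find_unique(CONSTRUCTED_IMAGE, tight))
    # Simulate a "new patch" that shifts everything by 7 bytes: a hard-coded
    # offset of 45 would now be wrong, but the signature still resolves.
    shifted = b"\x00" * 7 + CONSTRUCTED_IMAGE
    print("after shift:", find_unique(shifted, tight))
```

The scanner is linear in the buffer size, which is fine for a few megabytes; the point of `find_unique` is the refusal to return a guess when the signature is ambiguous.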
RC5 is a block cipher, not a hash algorithm. And there have been two legacy ciphers.
(I'm not against your point, just correcting facts)
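The distinction the correction above draws (a block cipher is keyed and reversible, a hash is neither) is easiest to see in code. Below is an added example written for this page, not code from the thread or the Conquer client: a straight implementation of RC5-32/12/16 from Rivest's specification (32-bit words, 12 rounds, 16-byte key), plus an MD5 digest of the same data for contrast. The sample key and the 8-byte plaintext `b"TQServer"` are constructed inputs chosen for the demo.

```python
import hashlib
from typing import List

# RC5-32/12/16 parameters: word size in bits, rounds, and the two
# "magic" constants P and Q from the RC5 specification.
W = 32
R = 12
MASK = (1 << W) - 1
P32 = 0xB7E15163
Q32 = 0x9E3779B9

# Constructed sample inputs for the demonstration (not real keys or traffic).
SAMPLE_KEY = bytes(range(16))
SAMPLE_BLOCK = b"TQServer"   # exactly one 8-byte RC5 block


def rotl(x: int, n: int) -> int:
    """Rotate the W-bit word x left by n (mod W) bits."""
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK


def rotr(x: int, n: int) -> int:
    """Rotate the W-bit word x right by n (mod W) bits."""
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK


def expand_key(key: bytes) -> List[int]:
    """RC5 key schedule: derive the 2*(R+1) round subkeys S from the key."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    # Pack the key bytes little-endian into c words.
    for i in range(len(key) - 1, -1, -1):
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (R + 1)
    S = [0] * t
    S[0] = P32
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK
    # Mix the key words into the subkey table over 3*max(t, c) steps.
    i = j = 0
    A = B = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def encrypt_block(S: List[int], block: bytes) -> bytes:
    """Encrypt one 8-byte block (two little-endian 32-bit words A, B)."""
    A = int.from_bytes(block[:4], "little")
    B = int.from_bytes(block[4:8], "little")
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, R + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def decrypt_block(S: List[int], block: bytes) -> bytes:
    """Invert encrypt_block: the rounds run backwards, each step undone."""
    A = int.from_bytes(block[:4], "little")
    B = int.from_bytes(block[4:8], "little")
    for i in range(R, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def md5_digest(data: bytes) -> bytes:
    """One-way: there is no decrypt_* counterpart for a hash."""
    return hashlib.md5(data).digest()


if __name__ == "__main__":
    S = expand_key(SAMPLE_KEY)
    ct = encrypt_block(S, SAMPLE_BLOCK)
    print("RC5 ciphertext:", ct.hex())
    print("RC5 decrypted :", decrypt_block(S, ct))       # b'TQServer'
    print("MD5 digest    :", md5_digest(SAMPLE_BLOCK).hex())
```

With the key, `decrypt_block` recovers the plaintext exactly; the MD5 digest has a fixed 16-byte length whatever the input and cannot be reversed, which is why the two belong in different categories even though both show up in a login protocol.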