Reversing R5C Password Encryption on 4294 client
Discussion on Reversing R5C Password Encryption on 4294 client within the CO2 Programming forum part of the Conquer Online 2 category.
05/28/2024, 04:34
#1
Reversing R5C Password Encryption on 4294 client
Hi Folks,
I've been teaching myself a bit of reverse engineering and have been practising on the Conquer patch 4294 client. So far I've been able to reverse the packet encryption myself.
Currently I'm trying to reverse the password encryption used for the 1051 packet. From referencing other sources, this is done using RC5?
I'm using Ghidra and x64dbg mostly. So far I've tried the following, with no clear finds:
- Trying to trace back from when the send buffer is filled with the 1051 packet.
- Found the address of the plaintext password in memory, traced reads and writes to that memory address, and then debugged the hits to try and find code that is reading, encrypting, and storing the value somewhere else.
I'm trying to learn, so if anyone has any hints that would be great haha. One question I had was whether the encryption is being done as characters are being entered, or all at once when the login button is pressed.
Thanks!
05/28/2024, 16:33
#2
You may be able to find the RC5 functions by looking for the well known constants like 0xB7E15163 and 0x9E3779B9, assuming that you knew to look for RC5 :P Otherwise, look for where the MsgAccount is created and in that callstack you will have the encryption call.
05/29/2024, 05:37
#3
Quote:
Originally Posted by CptSky
You may be able to find the RC5 functions by looking for the well known constants like 0xB7E15163 and 0x9E3779B9, assuming that you knew to look for RC5 :P Otherwise, look for where the MsgAccount is created and in that callstack you will have the encryption call.
Thank you! I was able to find it. I did a scan for 1051 (0x41B) and found a few methods that used the value. Then I breakpointed those and found one that hit when pressing the login button, and saw that it was building the login packet as expected. Then I just went up the call stack a bit and eventually found it.
I need to fully reverse it to get the keys and stuff and convert it to Kotlin (the language I'm working in these days). But here is the assembly + raw decompiled code:
Code:
*************************************************************
* FUNCTION
*************************************************************
undefined __thiscall PasswordEncryption (void * this , u
assume FS_OFFSET = 0xffdff000
undefined AL:1 <RETURN>
void * ECX:4 (auto) this
uint * Stack[0x4]:4 param_1 XREF[3]: 004f995b (R) ,
004f9978 (W) ,
004f99a7 (R W)
int * Stack[0x8]:4 param_2 XREF[5]: 004f993f (R) ,
004f9975 (W) ,
004f998a (R) ,
004f999b (R) ,
004f99a0 (R W)
undefined4 Stack[-0x8]:4 local_8 XREF[2]: 004f995f (W) ,
004f99b6 (R W)
undefined4 Stack[-0xc]:4 local_c XREF[2]: 004f9949 (W) ,
004f9964 (R)
PasswordEncryption XREF[1]: FUN_004daacc:004dab72 (c)
004f993a 55 PUSH EBP
004f993b 8b ec MOV EBP ,ESP
004f993d 51 PUSH this
004f993e 51 PUSH this
004f993f 8b 45 0c MOV EAX ,dword ptr [EBP + param_2 ]
004f9942 56 PUSH ESI
004f9943 99 CDQ
004f9944 6a 08 PUSH 0x8
004f9946 5e POP ESI
004f9947 f7 fe IDIV ESI
004f9949 89 4d f8 MOV dword ptr [EBP + local_c ],this
004f994c c1 e0 03 SHL EAX ,0x3
004f994f 85 c0 TEST EAX ,EAX
004f9951 7e 6a JLE LAB_004f99bd
004f9953 99 CDQ
004f9954 f7 fe IDIV ESI
004f9956 85 c0 TEST EAX ,EAX
004f9958 7e 63 JLE LAB_004f99bd
004f995a 53 PUSH EBX
004f995b 8b 5d 08 MOV EBX ,dword ptr [EBP + param_1 ]
004f995e 57 PUSH EDI
004f995f 89 45 fc MOV dword ptr [EBP + local_8 ],EAX
004f9962 eb 03 JMP LAB_004f9967
LAB_004f9964 XREF[1]: 004f99b9 (j)
004f9964 8b 4d f8 MOV this ,dword ptr [EBP + local_c ]
LAB_004f9967 XREF[1]: 004f9962 (j)
004f9967 8b 79 14 MOV EDI ,dword ptr [this + 0x14 ]
004f996a 8b 33 MOV ESI ,dword ptr [EBX ]
004f996c 03 71 10 ADD ESI ,dword ptr [this + 0x10 ]
004f996f 03 7b 04 ADD EDI ,dword ptr [EBX + 0x4 ]
004f9972 83 c1 1c ADD this ,0x1c
004f9975 89 4d 0c MOV dword ptr [EBP + param_2 ],this
004f9978 c7 45 08 0c 00 00 00 MOV dword ptr [EBP + param_1 ],0xc
LAB_004f997f XREF[1]: 004f99ac (j)
004f997f 8b c7 MOV EAX ,EDI
004f9981 33 c6 XOR EAX ,ESI
004f9983 57 PUSH EDI
004f9984 50 PUSH EAX
004f9985 e8 38 00 00 00 CALL FUN_004f99c2 uint FUN_004f99c2(uint param_1,
004f998a 8b 4d 0c MOV this ,dword ptr [EBP + param_2 ]
004f998d 03 41 fc ADD EAX ,dword ptr [this + -0x4 ]
004f9990 8b f0 MOV ESI ,EAX
004f9992 56 PUSH ESI
004f9993 33 fe XOR EDI ,ESI
004f9995 57 PUSH EDI
004f9996 e8 27 00 00 00 CALL FUN_004f99c2 uint FUN_004f99c2(uint param_1,
004f999b 8b 4d 0c MOV this ,dword ptr [EBP + param_2 ]
004f999e 03 01 ADD EAX ,dword ptr [this ]
004f99a0 83 45 0c 08 ADD dword ptr [EBP + param_2 ],0x8
004f99a4 83 c4 10 ADD ESP ,0x10
004f99a7 ff 4d 08 DEC dword ptr [EBP + param_1 ]
004f99aa 8b f8 MOV EDI ,EAX
004f99ac 75 d1 JNZ LAB_004f997f
004f99ae 89 33 MOV dword ptr [EBX ],ESI
004f99b0 89 7b 04 MOV dword ptr [EBX + 0x4 ],EDI
004f99b3 83 c3 08 ADD EBX ,0x8
004f99b6 ff 4d fc DEC dword ptr [EBP + local_8 ]
004f99b9 75 a9 JNZ LAB_004f9964
004f99bb 5f POP EDI
004f99bc 5b POP EBX
LAB_004f99bd XREF[2]: 004f9951 (j) , 004f9958 (j)
004f99bd 5e POP ESI
004f99be c9 LEAVE
004f99bf c2 08 00 RET 0x8
Code:
void __thiscall PasswordEncryption(void *this,uint *param_1,int *param_2)
{
  uint *puVar1;
  uint uVar2;
  uint uVar3;
  int local_8;

  /* param_1 = buffer, param_2 = length in bytes; only whole 8-byte blocks are processed */
  local_8 = (int)param_2 / 8 << 3;
  if ((0 < local_8) && (local_8 = local_8 / 8, puVar1 = param_1, 0 < local_8)) {
    do {
      uVar2 = *puVar1 + *(int *)((int)this + 0x10);      /* A = block[0] + S[0] */
      uVar3 = *(int *)((int)this + 0x14) + puVar1[1];    /* B = block[1] + S[1] */
      param_2 = (int *)((int)this + 0x1c);               /* round keys start at this+0x18 */
      param_1 = (uint *)0xc;                             /* 12 rounds */
      do {
        uVar2 = FUN_004f99c2(uVar3 ^ uVar2,(byte)uVar3); /* A = ROL(A ^ B, B) */
        uVar2 = uVar2 + param_2[-1];                     /*   + S[2i]          */
        uVar3 = FUN_004f99c2(uVar3 ^ uVar2,(byte)uVar2); /* B = ROL(B ^ A, A) */
        uVar3 = uVar3 + *param_2;                        /*   + S[2i+1]        */
        param_2 = param_2 + 2;
        param_1 = (uint *)((int)param_1 + -1);
      } while (param_1 != (uint *)0x0);
      *puVar1 = uVar2;                                   /* write the block back in place */
      puVar1[1] = uVar3;
      puVar1 = puVar1 + 2;
      local_8 = local_8 + -1;
    } while (local_8 != 0);
  }
  return;
}

/* 32-bit rotate-left by the low 5 bits of param_2 */
uint __cdecl FUN_004f99c2(uint param_1,byte param_2)
{
  return param_1 >> (0x20 - (param_2 & 0x1f) & 0x1f) | param_1 << (param_2 & 0x1f);
}
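As an added example (not code from the client or from anyone in this thread), here is RC5-32/12 in Python with the encryption loop laid out to match the decompiled PasswordEncryption: S[0] and S[1] are the words at this+0x10 and this+0x14, the twelve round-key pairs follow from this+0x18, FUN_004f99c2 is a rotate-left by the low five bits of its second argument, and the outer loop walks whole 8-byte little-endian blocks of the buffer, leaving a trailing partial block alone. The key schedule is the textbook RC5 expansion built from the P and Q constants mentioned in post #2. The client's key length and key bytes have not been recovered in this thread, so the 16-byte all-zero key, the sample input and the SAMPLE_CODE bytes are constructed assumptions; find_rc5_constants illustrates post #2's tip of scanning a dump for the little-endian immediates of those constants.

```python
# Added example, not the client's code. RC5-32/12 written to mirror the
# decompiled PasswordEncryption routine; key material below is assumed.
import struct

W = 32                    # word size: the routine works on 32-bit words
MASK = (1 << W) - 1
ROUNDS = 12               # the inner loop counter is initialised to 0xc
P32 = 0xB7E15163          # RC5 magic constants for w = 32 (post #2)
Q32 = 0x9E3779B9


def rol(x, y):
    """Rotate x left by the low 5 bits of y; same result as FUN_004f99c2."""
    y &= 0x1F
    return ((x << y) | (x >> ((32 - y) & 0x1F))) & MASK


def ror(x, y):
    """Inverse rotation, used only for decryption."""
    y &= 0x1F
    return ((x >> y) | (x << ((32 - y) & 0x1F))) & MASK


def initial_table(rounds=ROUNDS):
    """S before mixing: S[0] = P, S[i] = S[i-1] + Q. These are the values a
    constant scan of the key-schedule code turns up."""
    S = [P32]
    for _ in range(1, 2 * (rounds + 1)):
        S.append((S[-1] + Q32) & MASK)
    return S


def expand_key(key, rounds=ROUNDS):
    """Standard RC5 key expansion; returns the 2*(rounds+1) word table."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    S = initial_table(rounds)
    t = len(S)
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rol((S[i] + A + B) & MASK, 3)
        B = L[j] = rol((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def encrypt_block(S, A, B):
    """One 8-byte block, laid out like the decompiled loop: S[0]/S[1] are
    [this+0x10]/[this+0x14], the round keys start at [this+0x18]."""
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, ROUNDS + 1):
        A = (rol(A ^ B, B) + S[2 * i]) & MASK      # param_2[-1]
        B = (rol(B ^ A, A) + S[2 * i + 1]) & MASK  # *param_2
    return A, B


def decrypt_block(S, A, B):
    """Inverse of encrypt_block (the client only needs the forward direction)."""
    for i in range(ROUNDS, 0, -1):
        B = ror((B - S[2 * i + 1]) & MASK, A) ^ A
        A = ror((A - S[2 * i]) & MASK, B) ^ B
    return (A - S[0]) & MASK, (B - S[1]) & MASK


def _ecb(S, data, fn):
    # Whole 8-byte blocks only: the client computes (len / 8 << 3) / 8 blocks
    # and leaves any trailing partial block untouched.
    out = bytearray(data)
    for off in range(0, len(data) - len(data) % 8, 8):
        a, b = struct.unpack_from("<II", out, off)
        struct.pack_into("<II", out, off, *fn(S, a, b))
    return bytes(out)


def encrypt_buffer(S, data):
    return _ecb(S, data, encrypt_block)


def decrypt_buffer(S, data):
    return _ecb(S, data, decrypt_block)


def find_rc5_constants(blob):
    """Offsets of the little-endian P/Q immediates in a code or data blob."""
    hits = {}
    for name, val in (("P32", P32), ("Q32", Q32)):
        needle = struct.pack("<I", val)
        hits[name] = [i for i in range(len(blob) - 3) if blob[i:i + 4] == needle]
    return hits


# Constructed sample: x86 'mov eax, P32' (B8 imm32) then 'add eax, Q32'
# (05 imm32), the shape a key-schedule initialiser typically compiles to.
SAMPLE_CODE = b"\xb8" + struct.pack("<I", P32) + b"\x05" + struct.pack("<I", Q32)

if __name__ == "__main__":
    S = expand_key(bytes(16))                    # assumed all-zero 16-byte key
    enc = encrypt_buffer(S, b"hunter2\x00xyz")   # constructed 11-byte input
    print(enc.hex(), decrypt_buffer(S, enc))
    print(find_rc5_constants(SAMPLE_CODE))
```

Running the file shows a round trip and the constant hits; to confirm the cipher core independently, compare encrypt_block against the RC5-32/12/16 test vectors in Rivest's RC5 paper. Note that the snippet in the post shows only the block loop, so how the password is laid out and padded in the buffer before this call, and where the key table at this+0x10 is filled, still have to be read from the caller (FUN_004daacc in the XREF).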