Game packets blowfish only?

princeofpain · 06/02/2010, 11:18

Does anyone know if in-game packets (like move or magic) are encrypted with blowfish only or if there is also a DHkeyexchange? Thanks.

Warlax · 06/02/2010, 12:32

there is a dhkey exchange to set up the blow fish, and also magic has an extra encryption

Ian* · 06/03/2010, 09:59

Only the game server connection packet is blowfish as far as i know.

Encrypted with blowfish, then uses a dh key exchange to pass the data to the server

princeofpain · 06/03/2010, 10:10

Hmm, so then what are the other packets like move or attack encrypted with?

~~.Summer~~ · 06/03/2010, 14:27

blowfish is for 5018+

Ian* · 06/04/2010, 01:51

Quote:

Originally Posted by .Summer

blowfish is for 5018+

I'm pretty sure he knows that? Conquer's up to what? 5260 or something now?
You're post was totally irrelevant.

Anyways... move/ attack aren't encrypted at all. Just send them straight threw.
Auth server is encrypted with RC5, the keys are public, if you can get a hold of a copy of qoproxy just use a java decompiler and check it out for the keys.

I believe there are spell packet encryption/ decryption algo's around somewhere.
Just use the search button, may not be any on this site however.

EDIT: and .Summer I can't believe you already have more posts than me and you just signed up this month! hahaha.
******* incredible.

princeofpain · 06/04/2010, 06:48

Thanks Ian, what about the incoming move/attack packets that the server sends to me. Are those encrypted or raw?

Warlax · 06/04/2010, 08:44

prince i think ur in way over ur head

princeofpain · 06/04/2010, 11:05

Haha thanks for the warning but I'm not giving up. I just want to be able to decrypt the packets being sent back and forth so I can figure out the packet structures.

Right now my packets don't have any consistent form at all... the first short doesn't give me the size and the next short doesn't give me the type. If move/attack packets aren't encrypted then why are my packets all structureless =[

Thanks for the help, everyone. Really appreciate it.

s.bat · 06/04/2010, 18:52

Quote:

Originally Posted by princeofpain

Right now my packets don't have any consistent form at all... the first short doesn't give me the size and the next short doesn't give me the type. If move/attack packets aren't encrypted then why are my packets all structureless =[

After you have successfully decrypted an incoming packet. How are you forming those shorts? Conquer Online uses the Little Endian byte order. Most classes in Java only offer Big Endian.

The packets themselves are encrypted using the Blowfish encryption, but the data in those packets are not encrypted any further, AFAIK. However, after decrypting the magic packet, the spell type still needs to be decrypted further by use of another algorithm.

Could someone clear a few things up for me?
Doesn't TQ use a modified version of RC5 in order to cipher the passwords, and don't they use a cipher built in-house in order to encrypt and decrypt the (edit: AUTH) packets? I didn't think it was entirely RC5, or perhaps I misread Ian*'s post.
Thanks for your time.

princeofpain · 06/04/2010, 22:40

Quote:

Originally Posted by s.bat

The packets themselves are encrypted using the Blowfish encryption

Thanks s.bat. This was the problem. I got everything worked out now.

Ian* · 06/06/2010, 07:47

Eh.. im logging packets i receive after decryption and packets i send are before encryption, so I couldn't be totally sure on the whole blowfish thing.

But yeah, they could be.
The packets should follow a structure pattern.

For example a General Data packet... 0x271A, it's used for lots of different things,
attacking, using portals, umm.. idk there are like 20 or more subtypes to just that one packet.
A lot of packet id's are used for the same things. just check for subtypes, remember that

Warlax · 06/06/2010, 15:43

Quote:

Originally Posted by Ian*

Eh.. im logging packets i receive after decryption and packets i send are before encryption, so I couldn't be totally sure on the whole blowfish thing.

But yeah, they could be.
The packets should follow a structure pattern.

For example a General Data packet... 0x271A, it's used for lots of different things,
attacking, using portals, umm.. idk there are like 20 or more subtypes to just that one packet.
A lot of packet id's are used for the same things. just check for subtypes, remember that

lol memory proxy ftw eh?

Ian* · 06/06/2010, 19:27

Quote:

Originally Posted by Warlax

lol memory proxy ftw eh?

Yeah. Way the hell easier to test **** out on, the constant logging in and out on a full proxy is irritating and not only is it a longer process to set up, but there's no benefits besides the possibility of going clientless.

I don't really even bot, I just like exploits and such :>