[Question] Proxy - deciphering server key packet

Discussion on [Question] Proxy - deciphering server key packet within the CO2 Programming forum part of the Conquer Online 2 category.

Old 11/22/2010, 01:43   #31
I'm sure the password for the rar is "Send"
denominator is offline  
Old 11/22/2010, 02:35   #32
Quote:
Originally Posted by pro4never View Post
So you know... all packets for game server are decrypted/encrypted even before the exchange is complete.

Not all values are initiated yet. That could be some of the problems you are having with setting up the keys.


@ bad image exception. I'm fairly sure that had to do with the loading method of the native calls or possibly it referencing x86 vs x64 files... I forget which (usually when I've seen that error it has to do with needing to change the dllloader settings or use a different dll)
For some reason I am still having a bit of an issue with the server DH packet. I logged a few of my decrypted DH packets and realized an astonishing pattern (which should not be happening): all the readable spectrum of the packet is exactly the same for all packets logged. See quote:
Quote:

[Sun Nov 21 21:33:22 2010]�l"��3x�!�^ ( ( "�v
��ܟ|��l��J)�%��b�d˔Y�`Ǐ�[� ��p+1� S�T-��}ـ A320A85EDD79171C341459E94807D71D39BB3B3F3B5161CA84 894F3AC3FC7FEC317A2DDEC83B66D30C29261C6492643061AE CFCF4A051816D7C359A6A7B7D8FB 05� 660811FF745F03973DE6DA19F81BC651A6B09C7B1816A2937C 6BDADBE78E9FB9A66C6F98873B3CA49DB3E8F47E1E8DC860EB 941E3A6D9FF13A613A5A603053E2TQServer

[Sun Nov 21 21:33:49 2010]����[=>�`X " ��g��?c)�Z%�b�,�2K���T��- s�m�̅!� �0W�U��� A320A85EDD79171C341459E94807D71D39BB3B3F3B5161CA84 894F3AC3FC7FEC317A2DDEC83B66D30C29261C6492643061AE CFCF4A051816D7C359A6A7B7D8FB 05� 660811FF745F03973DE6DA19F81BC651A6B09C7B1816A2937C 6BDADBE78E9FB9A66C6F98873B3CA49DB3E8F47E1E8DC860EB 941E3A6D9FF13A613A5A603053E2TQServer

[Sun Nov 21 21:34:36 2010]|G ��ޫ&ĆF j�}�\3A@
^�"~ �6f�1�� ᕃ���Gπ A320A85EDD79171C341459E94807D71D39BB3B3F3B5161CA84 894F3AC3FC7FEC317A2DDEC83B66D30C29261C6492643061AE CFCF4A051816D7C359A6A7B7D8FB 05� 660811FF745F03973DE6DA19F81BC651A6B09C7B1816A2937C 6BDADBE78E9FB9A66C6F98873B3CA49DB3E8F47E1E8DC860EB 941E3A6D9FF13A613A5A603053E2TQServer

[Sun Nov 21 21:35:04 2010]������q��B ���r�;�,��� ��9� �Q��,6�p� A320A85EDD79171C341459E94807D71D39BB3B3F3B5161CA84 894F3AC3FC7FEC317A2DDEC83B66D30C29261C6492643061AE CFCF4A051816D7C359A6A7B7D8FB 05� 660811FF745F03973DE6DA19F81BC651A6B09C7B1816A2937C 6BDADBE78E9FB9A66C6F98873B3CA49DB3E8F47E1E8DC860EB 941E3A6D9FF13A613A5A603053E2TQServer

[Sun Nov 21 21:35:40 2010]�����m�"/�D @ �-� n���� CJl(��8 %.Dӝ�� A320A85EDD79171C341459E94807D71D39BB3B3F3B5161CA84 894F3AC3FC7FEC317A2DDEC83B66D30C29261C6492643061AE CFCF4A051816D7C359A6A7B7D8FB 05� 660811FF745F03973DE6DA19F81BC651A6B09C7B1816A2937C 6BDADBE78E9FB9A66C6F98873B3CA49DB3E8F47E1E8DC860EB 941E3A6D9FF13A613A5A603053E2TQServer

[Sun Nov 21 21:36:14 2010]L9��|�=@�@
3
�5q:̓ ��
n�? ��x;k:�� A320A85EDD79171C341459E94807D71D39BB3B3F3B5161CA84 894F3AC3FC7FEC317A2DDEC83B66D30C29261C6492643061AE CFCF4A051816D7C359A6A7B7D8FB 05� 660811FF745F03973DE6DA19F81BC651A6B09C7B1816A2937C 6BDADBE78E9FB9A66C6F98873B3CA49DB3E8F47E1E8DC860EB 941E3A6D9FF13A613A5A603053E2TQServer

[Sun Nov 21 21:36:37 2010]�����ڛ�<��F j o�6l��-T�A�cp ��'�Ȁ� -�)�*׀ A320A85EDD79171C341459E94807D71D39BB3B3F3B5161CA84 894F3AC3FC7FEC317A2DDEC83B66D30C29261C6492643061AE CFCF4A051816D7C359A6A7B7D8FB 05� 660811FF745F03973DE6DA19F81BC651A6B09C7B1816A2937C 6BDADBE78E9FB9A66C6F98873B3CA49DB3E8F47E1E8DC860EB 941E3A6D9FF13A613A5A603053E2TQServer
This puzzles me because after seeing the trailing stamp, TQServer, I am certain that this packet has been successfully decrypted, yet I am seeing weird headers and a repeating body. The packet should theoretically include clientIV, serverIV, p, g, ServerPublicKey. At the very minimum, it makes sense for the first 4 fields to be constant, but ServerPublicKey has to vary.

I tried to perceive the occurrences of 05 as the g field of the packet, but when compared to tannel's source, g should be an Int32, while 05 is only 1 byte. That leads me to wonder if the other empty bytes contribute to the weird chars around 05. Similarly, on conquerwiki, clientIV and serverIV are supposedly 8 bytes, which is algorithmically true. However, in tannel's source,

Code:
            // Each field is prefixed by an Int32 length, followed by that many bytes.
            ServerIV = BR.ReadBytes(BR.ReadInt32());                                 // server IV (raw bytes)
            ClientIV = BR.ReadBytes(BR.ReadInt32());                                 // client IV (raw bytes)
            P = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));              // prime p, ASCII hex string
            G = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));              // generator g, ASCII string
            Server_PubKey = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));  // server public value, ASCII hex string
ServerIV and ClientIV are only 4 bytes? I am really confused. Well, up to this stage, everything is deduced from observations.

Am I missing something? Are these packets really valid?
shitboi is offline  
Old 11/22/2010, 13:18   #33
Quote:
Originally Posted by vDrag0n View Post
Has anything changed till then? Thought it wasn't
It consists of like 5 minutes of packet changes to make it work again lol...
pro4never is offline  
Old 11/22/2010, 13:54   #34
Quote:
Originally Posted by pro4never View Post
It consists of like 5 minutes of packet changes to make it work again lol...
But how are you supposed to log the packets you need without a working proxy in the first place?
Kiyono is offline  
Old 11/23/2010, 06:57   #35
Quote:
Originally Posted by Kiyono View Post
But how are you supposed to log the packets you need without a working proxy in the first place?
The proxy works just fine. It simply needs its handling of packets updated. AKA log what the server is sending and then change a few lines of code in the proxy.
pro4never is offline  
Old 11/23/2010, 10:03   #36
p, g, clientIV, serverIV and the server public key were already in that packet. You can use a BinaryReader to get those values. I forgot the number of junk bytes, but that is where you are going to start reading your known (p, g, etc.) data.

After you have figured that out, you can start setting up your DH key exchange for both the server-proxy and proxy-client connections.

And finally you will go to korvacs' wiki for packet information.
xmen01235 is offline  
Old 11/23/2010, 16:53   #37
Code:
AKA log what the server is sending and then change a few lines of code in the proxy.
By using the proxy to log what the server sends?
denominator is offline  
Old 11/23/2010, 21:54   #38
Quote:
Originally Posted by xmen01235 View Post
p, g, clientIV, serverIV and the server public key were already in that packet. You can use a BinaryReader to get those values. I forgot the number of junk bytes, but that is where you are going to start reading your known (p, g, etc.) data.

After you have figured that out, you can start setting up your DH key exchange for both the server-proxy and proxy-client connections.

And finally you will go to korvacs' wiki for packet information.
Awesome... This is what I need to solve my problem. On the first page pro4never posted tannel's code, which suggests 11 bytes of junk data.

Test result: packet_size - packet_data_size is always 11 -> junk size.
Also, I have correctly obtained all the information.

However, just a side track: why is it that p, g, A are always the same? Are we going to rely solely on the clientIV and serverIV for encryption/decryption? I have yet to verify whether clientIV and serverIV are varying or constant.
shitboi is offline  
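A small parser for the layout the thread settled on (11 leading junk bytes, then Int32 length-prefixed ServerIV, ClientIV, p, g and server public value in the order of tannel's snippet) plus a check for shitboi's observation that the server's public value never changes between captures. This is an added example in Python, not tannel's or the thread's code; the placement of the junk bytes, little-endian length prefixes and the sample packets are assumptions/constructed.

```python
import struct

JUNK_PREFIX = 11  # assumption: the 11 junk bytes the thread measured sit at the front


def _read_field(buf, pos):
    """Read an Int32 (little-endian, BinaryReader style) length prefix, then that many bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length prefix at offset %d" % pos)
    (n,) = struct.unpack_from("<i", buf, pos)
    pos += 4
    if n < 0 or pos + n > len(buf):
        raise ValueError("field length %d exceeds packet" % n)
    return buf[pos:pos + n], pos + n


def parse_dh_packet(pkt):
    """Split a decrypted DH packet into its fields; p, g and the public value are ASCII strings."""
    pos = JUNK_PREFIX
    server_iv, pos = _read_field(pkt, pos)
    client_iv, pos = _read_field(pkt, pos)
    p, pos = _read_field(pkt, pos)
    g, pos = _read_field(pkt, pos)
    pub, pos = _read_field(pkt, pos)
    return {"server_iv": server_iv, "client_iv": client_iv,
            "p": p.decode("ascii"), "g": g.decode("ascii"),
            "server_pub": pub.decode("ascii"), "trailer": pkt[pos:]}


def is_well_formed(pkt):
    """True if every length prefix fits inside the packet (a cheap sanity check on a capture)."""
    try:
        parse_dh_packet(pkt)
        return True
    except ValueError:
        return False


def build_dh_packet(server_iv, client_iv, p_hex, g_str, pub_hex, trailer=b"TQServer"):
    """Constructed sample builder (inverse of the parser) so the example runs offline."""
    fields = (server_iv, client_iv, p_hex.encode(), g_str.encode(), pub_hex.encode())
    body = b"".join(struct.pack("<i", len(f)) + f for f in fields)
    return b"\x00" * JUNK_PREFIX + body + trailer


def distinct_server_values(packets):
    """Set of server public values across captured handshakes. A single element means the
    server reuses its DH exponent: only the IVs vary, and a leaked exponent unlocks every past session."""
    return {parse_dh_packet(p)["server_pub"] for p in packets}
```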
Old 11/24/2010, 09:10   #39
Quote:
Originally Posted by shitboi View Post
Awesome... This is what I need to solve my problem. On the first page pro4never posted tannel's code, which suggests 11 bytes of junk data.

Test result: packet_size - packet_data_size is always 11 -> junk size.
Also, I have correctly obtained all the information.

However, just a side track: why is it that p, g, A are always the same? Are we going to rely solely on the clientIV and serverIV for encryption/decryption? I have yet to verify whether clientIV and serverIV are varying or constant.
Check your PM ....
xmen01235 is offline  
Old 11/24/2010, 11:28   #40
Strip tanel's C# proxy and, when they log in, after the packet gets decrypted, send the whole decrypted packet to your Java proxy, do what you want, then send it back to the C# proxy to get encrypted and sent.

Just throwing the options out there.
ChingChong23 is offline  
Old 11/24/2010, 14:16   #41
Quote:
Originally Posted by xmen01235 View Post
Last time I check
...
...

The code snippet above is just for example purposes and you may need to debug it if you want to use it.

Good luck...
Wow, that was comprehensive.. That actually makes me wonder: did you have a similar post like this on c@deXpl0si0n? I think you even used the exact same forum name, lol. But this time it is a lot clearer.

However, I do have another question. If I remember correctly, whenever Blowfish decrypts or encrypts something, it only requires ONE initialization vector.

So, in the case of the server-client interaction...

The client initializes Blowfish with serverIV to decrypt packets?
eg: Blowfish clientBlow = new BlowFish();
clientBlow.initialize(key, serverIV);
clientBlow.decrypt(packet);

The client initializes Blowfish with clientIV to encrypt packets?
eg: clientBlow.initialize(key, clientIV);
clientBlow.encrypt(packet);

Is the above what is really happening? I have not really checked if both IVs are the same (they shouldn't be), and I thought this is sensible because there is no reason to send 2 IVs to the client if the client doesn't need to use them both.
shitboi is offline  
Old 11/25/2010, 01:36   #42
Quote:
Originally Posted by shitboi View Post
Wow, that was comprehensive.. That actually makes me wonder: did you have a similar post like this on c@deXpl0si0n? I think you even used the exact same forum name, lol. But this time it is a lot clearer.

However, I do have another question. If I remember correctly, whenever Blowfish decrypts or encrypts something, it only requires ONE initialization vector.

So, in the case of the server-client interaction...

The client initializes Blowfish with serverIV to decrypt packets?
eg: Blowfish clientBlow = new BlowFish();
clientBlow.initialize(key, serverIV);
clientBlow.decrypt(packet);

The client initializes Blowfish with clientIV to encrypt packets?
eg: clientBlow.initialize(key, clientIV);
clientBlow.encrypt(packet);

Is the above what is really happening? I have not really checked if both IVs are the same (they shouldn't be), and I thought this is sensible because there is no reason to send 2 IVs to the client if the client doesn't need to use them both.
Yep, I am using the same forum ID here on epvp and cxp. There is a much more comprehensive posting on cxp, which was created by Zaad, but nonetheless the posting above is just a summary of exactly the same thing.

You don't need to initialize the vectors for each Blowfish cryptographer in the pre-handshaking stage, but you will use and update these Blowfish vectors after the handshaking, once you have computed the shared key for both connections.
xmen01235 is offline  
Old 11/26/2010, 06:09   #43
Ok, I now have a 64-bit PC and libeay32 doesn't seem to want to get rid of the bad image thing >.< Where should I put the libeay32.dll? Or will I need a libeay64.dll o.0?
denominator is offline  
Old 11/26/2010, 15:12   #44
:)

I'm trying to start a proxy, but working with memory is easier.

If possible, can I have the password of the rar? ... It isn't SEND.

Thx
gorgone is offline  
Old 11/27/2010, 01:15   #45
No, it isn't SEND, it's Send lol. The password is case sensitive.
denominator is offline  