I have managed to set up the packet relay mechanism properly between client and server, so I am moving on to deciphering the packets. Right now I am stuck with the DH key packet sent by the server. I have read and re-read korvac's Conquer wiki many times, but the code is not documented, and is not self-documenting to a Java learner like myself, lol.
My understanding of the CO cipher is that the client receives the DH key packet from the server, then performs an initial cipher using the Blowfish algorithm to decipher the packet and obtain the p, g, A keys. The key used for the initial cipher is "DR654dt34trg4UI6". After obtaining the p, g, A keys, a new shared public key is generated and will be used for future (starting from the second) packet ciphers.
[Problem description] Under the presumption that my understanding of the cipher is correct, I need THREE things to initialize my cipher object: (i) a key = "DR654dt34trg4UI6", (ii) an algorithm name = "Blowfish", (iii) an initial vector!!! The initial vector is the problem I am having. Combing through the code on the Conquer wiki (I might have overlooked it), I have not seen the EncryptIV ever being initialized. Seems to me that it's always left as a new array of eight zeros.
[Request] May I know what the initial vector is supposed to be? I'd deeply appreciate it if supporting knowledge is shared.
[EDIT] Now I am wondering if my understanding is wrong or if I am using the wrong padding scheme or mode. Inferring from the wiki source ("BF_cfb64_encrypt"), I believe Cipher Feedback mode is used, though I don't really understand what 64_encrypt means, but I am guessing it has something to do with 8 bytes of data/IV.
Actions speak louder than words... so I gave it a shot by writing a little util tool that deciphers the server key packet. Here is a code snippet in Java:
Code:
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Plain "CFB" in SunJCE means full-block feedback, i.e. CFB64 for a 64-bit block cipher such as Blowfish.
// CFB is a stream mode, so NoPadding is correct and the input need not be a multiple of 8 bytes.
Cipher cipherOut = Cipher.getInstance("Blowfish/CFB/NoPadding");
byte[] key = "DR654dt34trg4UI6".getBytes();
// NOTE: getBytes() turns the *displayed* packet text into bytes of that text, not into the raw packet;
// the text has to be decoded from its printed representation (e.g. hex) first. This conversion is the mistake found later in the thread.
byte[] encryptedData = inputTextArea.getText().trim().getBytes(); //get the encrypted string without trailing and leading white spaces
byte[] iv = new byte[8]; //never see iv being initialized in wiki sources, so I'll just follow: eight zero bytes
IvParameterSpec ivs = new IvParameterSpec(iv);
SecretKeySpec keySpec = new SecretKeySpec(key, "Blowfish");
cipherOut.init(Cipher.DECRYPT_MODE, keySpec, ivs); //set cipher mode
encryptedData = cipherOut.doFinal(encryptedData); //perform cipher
outputTextArea.setText(new String(encryptedData)); //output result
I have never had any prior knowledge of cryptography, so I am not too sure of the decryption mode and paddings. Logically speaking, since Blowfish is a 64-bit block cipher, and the sizes of p, g, A vary with every generation, some form of padding has to be done. The output of the above piece of code is a complete mess. So I do wonder whether there is an encryption or not, or where I went wrong to obtain the current wrong result?
[End of Edit]
The following is a sample of what I am currently getting. Highlighted in green is the DH key packet from the server. I have also noticed this packet size always varies.
While I respect you quite a bit for going through this all yourself... there is a leaked 5200+ proxy posted in one of the threads where I was first working on getting a proxy working.
That being said... here are some snippets you might find useful ^^
Basically you want to edit the server/client packets to use for each side of the encryption. Then one is used to encrypt/decrypt server data and one for client data.
Code:
using System.IO;
using System.Text;

// Client -> server DH packet: 7 junk bytes, uint32 length, int32 junk length, junk, then a
// length-prefixed ASCII public key. All integers are little-endian (BinaryReader default).
public class ClientDHPacket
{
    public string Client_PubKey;
    int JunkLength;

    public ClientDHPacket(byte[] Packet)
    {
        MemoryStream MS = new MemoryStream(Packet);
        BinaryReader BR = new BinaryReader(MS);
        BR.ReadBytes(7);//JUNK
        BR.ReadUInt32();//Length
        JunkLength = BR.ReadInt32();
        BR.ReadBytes(JunkLength);
        Client_PubKey = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
        BR.Close();
        MS.Close();
    }

    // Overwrites the public key in place: 7 + 4 + 4 + JunkLength + 4 = 19 + JunkLength bytes in.
    // NewKey must have the same length as the key it replaces, since the length prefix is not rewritten.
    public void Edit(byte[] Packet, string NewKey)
    {
        MemoryStream MS = new MemoryStream(Packet);
        BinaryWriter BW = new BinaryWriter(MS);
        BW.Seek(19 + JunkLength, SeekOrigin.Current);
        BW.Write(Encoding.ASCII.GetBytes(NewKey));
        BW.Close();
        MS.Close();
    }
}

// Server -> client DH packet: 11 junk bytes, uint32 length, int32 junk length, junk, then five
// length-prefixed fields: server IV, client IV, P, G and the server public key (P, G, key as ASCII).
public class ServerDHPacket
{
    public byte[] ServerIV;
    public byte[] ClientIV;
    public string P;
    public string G;
    public string Server_PubKey;
    int JunkLength;

    public ServerDHPacket(byte[] Packet)
    {
        MemoryStream MS = new MemoryStream(Packet);
        BinaryReader BR = new BinaryReader(MS);
        BR.ReadBytes(11);//JUNK
        BR.ReadUInt32();//Length - like I care about it
        JunkLength = BR.ReadInt32();
        BR.ReadBytes(JunkLength);//JUNK
        ServerIV = BR.ReadBytes(BR.ReadInt32());
        ClientIV = BR.ReadBytes(BR.ReadInt32());
        P = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
        G = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
        Server_PubKey = Encoding.ASCII.GetString(BR.ReadBytes(BR.ReadInt32()));
        BR.Close();
        MS.Close();
    }

    // 11 + 4 + 4 + JunkLength + (4 + 8) + (4 + 8) + 4 + P.Length + 4 + G.Length + 4 = 55 + ...,
    // so the offset assumes both IVs are 8 bytes. EditedPubKey must keep the original key length.
    public void Edit(byte[] Packet, string EditedPubKey)
    {
        MemoryStream MS = new MemoryStream(Packet);
        BinaryWriter BW = new BinaryWriter(MS);
        BW.Seek(55 + JunkLength + P.Length + G.Length, SeekOrigin.Current);
        BW.Write(Encoding.ASCII.GetBytes(EditedPubKey));
        BW.Close();
        MS.Close();
    }
}
Credits for that go to Tannel seeing as it's his proxy that got leaked lol.
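An added example (not code from the thread, the wiki or the leaked proxy) that walks the server DH layout the posted ServerDHPacket class reads over a constructed, already Blowfish-decrypted packet, bounds-checks every length prefix (a length that cannot fit is the symptom of parsing ciphertext, as in the "ridiculously large" JunkLength mentioned in this thread), and then finishes the exchange with the shared secret. It assumes P, G and the public key travel as ASCII hex strings and uses a small made-up prime rather than any real server value.

```python
import struct

# Layout as the posted ServerDHPacket class reads it (little-endian, like
# BinaryReader): 11 junk bytes, uint32 length, int32 junk length, junk, then
# five length-prefixed fields: server IV, client IV, P, G, server public key.
# Assumption for this example: P, G and the key travel as ASCII hex strings.
def build_server_dh(junk, server_iv, client_iv, p, g, a_pub):
    """Constructed test packet in the layout above (not a captured one)."""
    fields = [junk, server_iv, client_iv, format(p, "x").encode(),
              format(g, "x").encode(), format(a_pub, "x").encode()]
    body = b"".join(struct.pack("<i", len(f)) + f for f in fields)
    return b"\x00" * 11 + struct.pack("<I", len(body)) + body

def _read_field(buf, off):
    """Read one int32 length prefix plus payload, bounds-checked."""
    (n,) = struct.unpack_from("<i", buf, off)
    off += 4
    # A length that does not fit the buffer means we are reading ciphertext,
    # the "ridiculously large" JunkLength described in the thread.
    if n < 0 or off + n > len(buf):
        raise ValueError(f"field length {n} at offset {off} exceeds packet")
    return buf[off:off + n], off + n

def parse_server_dh(packet):
    """Return IVs, P, G and A from an already Blowfish-decrypted server DH packet."""
    off = 11 + 4                                  # junk header + length word
    _, off = _read_field(packet, off)             # junk, discarded
    server_iv, off = _read_field(packet, off)
    client_iv, off = _read_field(packet, off)
    p_str, off = _read_field(packet, off)
    g_str, off = _read_field(packet, off)
    a_str, off = _read_field(packet, off)
    return {"server_iv": server_iv, "client_iv": client_iv,
            "p": int(p_str, 16), "g": int(g_str, 16), "A": int(a_str, 16)}

def dh_client_side(p, g, a_pub, b_priv):
    """Client half of the exchange: B = g^b mod p goes back to the server,
    A^b mod p is the shared secret that seeds the session Blowfish key."""
    return pow(g, b_priv, p), pow(a_pub, b_priv, p)

def demo():
    p = 2 ** 127 - 1          # small made-up prime, not a real server value
    g, a_priv, b_priv = 5, 123456789, 987654321
    pkt = build_server_dh(b"junk", bytes(8), bytes(8), p, g, pow(g, a_priv, p))
    fields = parse_server_dh(pkt)
    b_pub, shared = dh_client_side(fields["p"], fields["g"], fields["A"], b_priv)
    # the server computes B^a mod p and must land on the same secret
    return fields, shared, pow(b_pub, a_priv, p)
```

Feeding the same parser the still-encrypted packet raises ValueError on the first length prefix, which is the quickest check that the static-key Blowfish step was skipped or done wrong.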
Wow... that is a really valuable piece of reference you gave me. That instantly defeated my 2nd hurdle. But that still leaves me with my initial question: the server DH packet is encrypted using Blowfish with "DR654dt34trg4UI6" as the key, right? The reason for this question is that I immediately set up my tool based on the methodology of the above ServerDHPacket class and found out the output of JunkLength is ridiculously large/unreal, thus I suspect it is encrypted. By contrapositive reasoning: if the logic for the DH exchange is to establish a shared key for the client's and server's Blowfish, why is there a need for the initial DR.....UI6 key?
I was looking at it and read it at least 10 times, and to me it looks like it was incomplete?
I mean, class DH inherits Base (the base class doesn't exist)? BigNumber type? And what about this?
base(Base.ExpectNonNull(DH_new()), true)... where did this come from? There's no Base class, at least on the wiki.
pro4never, not that I would like my job to be leaked, but do you have a link for that proxy? Just want to take a look.
Thanks u/korvacs for the support.
Even though it's already leaked, here's the 5228 proxy, rar'd and password'd.
Actually, that piece of code only serves as a reference. When you speak of DH.cs, that inheritance, imo, is not important. You should be able to find implementations of Blowfish and DH on the web. All that's important to you right now is probably what the skeleton looks like.
Thanks pro4never and kiyono for your help. Now I am pretty sure I was and am on the right track. I revisited my code and realized I made a mistake when converting the "string representation of packet" into byte[], thus getting the wrong output with the cipher. After correcting that mistake I suppose this should be a valid ServerDH packet after Blowfish. Its validity is proven by the TQserver signature in red.