Packet MsgTick (1012) and its encryption

AhmedZero · 01/20/2015, 16:17

Hello,
the encryption of packet ,it's very simple.
from server to client.
there's no encryption it's some junks only

PHP Code:


			
Byte Length = 44
(ushort)36
(ushort)1012
(int)timegettime
(uint)UIDPlayer
(uint)0
byte[16] Random Numbers
(uint)0

from client to server there's encryption and some junks

PHP Code:


			
Byte Length = 44
(ushort)36
(ushort)1012
(uint)timegettime
(uint)UIDPlayer
(uint)(timegettime ^ UIDPlayer)
byte[16] Random Numbers
(int)if (lengthofname < 4) {return -1656006909} else {return NamePlayerBytes[0] ^ 0x23 + (NamePlayerBytes[1] ^ 0x98) << 8}

The importance of packet depends on your used of it

.
Done

.

MrCaSpR · 01/20/2015, 16:28

Wow Good Thread bro

Ponquer · 01/20/2015, 17:56

thank you ♥

~~wolf20100~~ · 01/20/2015, 18:44

Awesome Thread Thx

InfamousNoone · 01/20/2015, 23:57

this isn't true at all, unless it's changed you could compute the "expected" junk and thus this packet could be used to test for forgery/stand alone bots which is what it was originally used for

AhmedZero · 01/21/2015, 07:23

InfamousNoone
see that pics.

InfamousNoone · 01/22/2015, 01:24

RandGet (the function being called there) is previously seeded to this packets creation with timeGetTime(), so, like I stated you could test for predictability, given you tested +1/-1 tgt.

{ Angelius } · 01/22/2015, 04:00

Quote:

Originally Posted by InfamousNoone

RandGet (the function being called there) is previously seeded to this packets creation with timeGetTime(), so, like I stated you could test for predictability, given you tested +1/-1 tgt.

Actually it is not seeded at all.
Here is the actual function

PHP Code:


			
00656EC8   CMP DWORD PTR SS:[ARG.1],0
00656ECD   JNE SHORT 00656ED2
00656ECF   XOR EAX,EAX
00656ED1   RETN
//ARG 2 is 0 so it naturally jumps to 
//00656EE6 ignoring timeGetTime and srand.
00656ED2   CMP DWORD PTR SS:[ARG.2],0
00656ED7   JE SHORT 00656EE6
00656ED9   CALL <JMP.&WINMM.timeGetTime>                         
00656EDE   PUSH EAX                                               
00656EDF   CALL DWORD PTR DS:[<&MSVCR90.srand>]                
00656EE5   POP ECX
00656EE6   CALL DWORD PTR DS:[<&MSVCR90.rand>]
00656EEC   CDQ
00656EED   IDIV DWORD PTR SS:[ARG.1]
00656EF1   MOV EAX,EDX
00656EF3   RETN

However he is just copying what he sees in that little window and has no clue what goes on at run time so don't waste your time.

On a second thought lets waste my time too

.

Here is how the client responds.

PHP Code:


			
TQPacket Packet(1012, 36);
WriteUInt32(timeGetTime(), 4);
WriteUInt32(UID, 8);
WriteUInt32(UID ^ timeGetTime(), 12);
WriteUInt32(Name.length() > 4 ? ((Name[1] ^ 0x98) << 0x8) + (Name[0] ^ 0x23) : 0x9D4B5703, 32);

for (byte i = 16; i < 32; i += 4)
{
    int RAND = 0;
    __asm
    {
        PUSH 0xFFFF;
        CALL rand;
        CDQ;
        IDIV DWORD PTR SS:[ESP];//0xFFFF
        MOV RAND, EDX;
        SHL RAND, 0x10;
        CALL rand;
        CDQ;
        IDIV DWORD PTR SS:[ESP];//0xFFFF
        ADD RAND, EDX;
        ADD ESP, 0x4;
    }
    WriteUInt32(RAND, i);
}

To sum it all up its just ((rand / 0xFFFF) << 0x10) + (rand / 0xFFFF).

AhmedZero · 01/23/2015, 14:12

there's no seed.
if you see the pics you will see sub_656EC8(0xFFFF,0)
0 is mean false
then it ignore timegettime to be its rand seed.
anyway it's stupid packet

.
but i use it in private server for other things

.

InfamousNoone · 01/26/2015, 22:55

ya you're right i dont know why but i thought i recalled an srand being there back when i looked into it a very long time ago, haha