Packet Decrypting.

Discussion on Packet Decrypting. within the Conquer Online 2 forum part of the MMORPGs category.

Old   #1
 
elite*gold: 0
Join Date: Feb 2006
Posts: 44
Received Thanks: 0
Packet Decrypting.

I remember in the ancient times of CO, Lowfyr posted an endlessly useful thread. It was stickied, I think. Anyone know where I can find it? And do they still use the same encryption method?
molotov_mb is offline  
Old 03/14/2008, 05:51   #2
 
Real~Death's Avatar
 
elite*gold: 0
Join Date: Jun 2007
Posts: 1,272
Received Thanks: 246
Use twistedilusions' tool.
It's in the exploit section, I believe
(saves you the time of doing it by hand).
EDIT: here's the link you asked for; it was in the *HOT* list.
Real~Death is offline  
Thanks
3 Users
Old 03/14/2008, 06:42   #3
 
bone-you's Avatar
 
elite*gold: 20
Join Date: Mar 2006
Posts: 1,491
Received Thanks: 536
Code:
// Decrypt `size` bytes in place. ScKey1/ScKey2 are the two 256-byte key tables,
// `word` a 16-bit unsigned type and `incounter` the 16-bit byte counter
// (its low byte indexes ScKey1, its high byte ScKey2).
for (word b = 0; b < size; b++)
{
    data[b] = (char)(data[b] ^ 0xab);                                      // undo the final XOR with 0xAB
    data[b] = (char)(((data[b] << 4) & 0xf0) | ((data[b] >> 4) & 0x0f));   // swap the two nibbles back
    data[b] = (char)(ScKey2[incounter >> 8] ^ data[b]);                    // XOR with the 2nd key (high counter byte)
    data[b] = (char)(ScKey1[incounter & 0x00ff] ^ data[b]);                // XOR with the 1st key (low counter byte)
    incounter++;                                                           // wraps to 0 after 65536 bytes
}
backwards etc. That's the general idea :P and that's in C++. The guides all tell you how to do it, but my issue before was I needed to see it to understand it fully :P so this might help.
bone-you is offline  
Old 03/14/2008, 07:18   #4
 
Real~Death's Avatar
 
elite*gold: 0
Join Date: Jun 2007
Posts: 1,272
Received Thanks: 246
Quote:
Originally Posted by bone-you View Post
Code:
// Decrypt `size` bytes in place. ScKey1/ScKey2 are the two 256-byte key tables,
// `word` a 16-bit unsigned type and `incounter` the 16-bit byte counter
// (its low byte indexes ScKey1, its high byte ScKey2).
for (word b = 0; b < size; b++)
{
    data[b] = (char)(data[b] ^ 0xab);                                      // undo the final XOR with 0xAB
    data[b] = (char)(((data[b] << 4) & 0xf0) | ((data[b] >> 4) & 0x0f));   // swap the two nibbles back
    data[b] = (char)(ScKey2[incounter >> 8] ^ data[b]);                    // XOR with the 2nd key (high counter byte)
    data[b] = (char)(ScKey1[incounter & 0x00ff] ^ data[b]);                // XOR with the 1st key (low counter byte)
    incounter++;                                                           // wraps to 0 after 65536 bytes
}
backwards etc. That's the general idea :P and that's in C++. The guides all tell you how to do it, but my issue before was I needed to see it to understand it fully :P so this might help.
huh 0.o
I still don't understand C++ lol, hopefully molotov_mb will understand
Real~Death is offline  
Old 03/14/2008, 18:04   #5
 
elite*gold: 0
Join Date: Feb 2006
Posts: 44
Received Thanks: 0
Wow, thanks a lot!

EDIT: Where's the English translation?! I'm sure there was one, I remember reading it. The link for English doesn't seem to work.
molotov_mb is offline  
Old 03/14/2008, 18:41   #6
 
InfamousNoone's Avatar
 
elite*gold: 20
Join Date: Jan 2008
Posts: 2,012
Received Thanks: 2,885
This is what I have from the English translation; it was a bit shaky to understand, however, so if you don't get it, I might explain it in my own words.
Quote:
1. The keys
a. General information
b. The first 2 keys
c. Creating the 3rd and 4th key

2. Encryption of packages
a. The counter
b. The encryption of incoming packages
c. The encryption of outgoing packages

3. The de- and encryption as a server

The keys

General information

There are 4 keys in the encryption of Conquer Online. Actually there are only 2. But these 2 keys will be encrypted, after the signup at the login server, by 2 additional keys sent by the server. These keys will be used as new keys for outgoing packages. So there are 4 keys.

The first 2 keys:

1st key

CODE
9D 90 83 8A D1 8C E7 F6 25 28 EB 82 99 64 8F 2E
2D 40 D3 FA E1 BC B7 E6 B5 D8 3B F2 A9 94 5F 1E
BD F0 23 6A F1 EC 87 D6 45 88 8B 62 B9 C4 2F 0E
4D A0 73 DA 01 1C 57 C6 D5 38 DB D2 C9 F4 FF FE
DD 50 C3 4A 11 4C 27 B6 65 E8 2B 42 D9 24 CF EE
6D 00 13 BA 21 7C F7 A6 F5 98 7B B2 E9 54 9F DE
FD B0 63 2A 31 AC C7 96 85 48 CB 22 F9 84 6F CE
8D 60 B3 9A 41 DC 97 86 15 F8 1B 92 09 B4 3F BE
1D 10 03 0A 51 0C 67 76 A5 A8 6B 02 19 E4 0F AE
AD C0 53 7A 61 3C 37 66 35 58 BB 72 29 14 DF 9E
3D 70 A3 EA 71 6C 07 56 C5 08 0B E2 39 44 AF 8E
CD 20 F3 5A 81 9C D7 46 55 B8 5B 52 49 74 7F 7E
5D D0 43 CA 91 CC A7 36 E5 68 AB C2 59 A4 4F 6E
ED 80 93 3A A1 FC 77 26 75 18 FB 32 69 D4 1F 5E
7D 30 E3 AA B1 2C 47 16 05 C8 4B A2 79 04 EF 4E
0D E0 33 1A C1 5C 17 06 95 78 9B 12 89 34 BF 3E



2nd key

CODE
62 4F E8 15 DE EB 04 91 1A C7 E0 4D 16 E3 7C 49
D2 3F D8 85 4E DB F4 01 8A B7 D0 BD 86 D3 6C B9
42 2F C8 F5 BE CB E4 71 FA A7 C0 2D F6 C3 5C 29
B2 1F B8 65 2E BB D4 E1 6A 97 B0 9D 66 B3 4C 99
22 0F A8 D5 9E AB C4 51 DA 87 A0 0D D6 A3 3C 09
92 FF 98 45 0E 9B B4 C1 4A 77 90 7D 46 93 2C 79
02 EF 88 B5 7E 8B A4 31 BA 67 80 ED B6 83 1C E9
72 DF 78 25 EE 7B 94 A1 2A 57 70 5D 26 73 0C 59
E2 CF 68 95 5E 6B 84 11 9A 47 60 CD 96 63 FC C9
52 BF 58 05 CE 5B 74 81 0A 37 50 3D 06 53 EC 39
C2 AF 48 75 3E 4B 64 F1 7A 27 40 AD 76 43 DC A9
32 9F 38 E5 AE 3B 54 61 EA 17 30 1D E6 33 CC 19
A2 8F 28 55 1E 2B 44 D1 5A 07 20 8D 56 23 BC 89
12 7F 18 C5 8E 1B 34 41 CA F7 10 FD C6 13 AC F9
82 6F 08 35 FE 0B 24 B1 3A E7 00 6D 36 03 9C 69
F2 5F F8 A5 6E FB 14 21 AA D7 F0 DD A6 F3 8C D9


Creating the 3rd and 4th key:

You'll receive the 3rd and 4th key by encrypting the 1st and 2nd key with the keys sent by the server to the client. The key for it is in the 1st package you receive from the server. This is exactly the 2nd package at all.

The package with the key looks like this one:

CODE
*** RECV - size: 28
1C 00 1C 04 2E A6 44 00 F4 48 5C 20 36 34 2E 31 ...¦D.ôH 64.1
35 31 2E 38 31 2E 32 30 34 00 00 00 51.81.204...


The key in the incoming package is the 11th + 10th + 9th + 8th byte from startup.
In this example: 20 5C 48 F4

The 2nd key is the 7th + 6th + 5th + 4th byte in the package.
In this example: 00 44 A6 2E

And now, to get the 3rd and 4th key, you need to do this:

1.) Add key 1 with key 2 205C48F4 + 0044A62E = 20A0EF22
2.) XOR result of 1.) with 4321 XOR 20A0EF22, 4321 = 20A0AC03
3.) XOR Key 1 with result of 2.) XOR 205C48F4, 20A0AC03 = 00FCE4F7
4.) IMUL result 3.) with result 3.) IMUL FCE4F7, FCE4F7 = F9D39310E651
(logical multiplication // result is only 4 bytes long -> 9310E651)

And now, to create the 3rd and 4th key correctly, you need to do this:
Always use the first 4 bytes of the 1st key with the result of 3.) and produce it with XOR:

The 1st 4 bytes of the 1st key (vice versa, originally: 9D 90 83 8A):
8A 83 90 9D

With the result of 3.):
00 FC E4 F7

The result:
8A 7F 74 6A

The result must also be rated the other way round. Thus, the first four bytes of the key now are:
6A 74 7F 8A


Repeat that until you have converted the complete 1st key.

The 2nd key has to be converted the same way, but with the difference that you need to use the result of 4.), not 3.).

The 1st 4 bytes of the 2nd key (vice versa, originally: 62 4F E8 15):
15 E8 4F 62

With the result of 4.):
93 10 E6 51

The result:
86 F8 A9 33

The result must also be rated the other way round. Thus, the first four bytes of the key now are:
33 A9 F8 86

Now you have the 3rd and 4th key you need to have to send packages.


Decryption of packages:

The counter

To decrypt the encrypted packets, you need the four 256-byte keys that I have introduced above.

- To decrypt the packets which you get from the server you need the 1st and the 2nd key.

- You need the 3rd and 4th Key for the packets that are sent from your client.

Check the differences between the login and the game server: the encryption is the same, but there are 4 Counters overall (two Counters for the sent packets and another two Counters for the received packets).

All four Counters are set to 00 for each new session. The packets are always de/encrypted byte-wise. After each de/encrypted byte the counter increases by 1; if one of the two counters hits FF it will roll back to 00 and the other counter will be increased by 1. If the other counter hits FF, both counters will get a "rollback" to 00.

There are 4 counters for each server (Login- and Gameserver).


Encrypt the received Packets

There are four steps to encrypt the packets:

For example, we're using the Login packet that is sent from the client to the login Server.

Decrypted Packet:
CODE
34 00 1B 04 54 65 73 74 54 65 73 74 00 00 00 00 00 00 00 00 51 15 EE 1B 19 45 2C 6E 5C 01 5C 41 56 25 F6 D7 45 61 67 6C 65 00 00 00 00 00 00 00 00 00 00 00


Encrypted Packet:

CODE
17 84 04 65 D5 13 C4 A5 9A 59 04 E2 14 CB 75 6F 5F 89 B0 22 86 17 18 52 47 54 FC 44 D2 D4 BD 78 33 D0 D0 56 C6 55 83 26 8F 05 35 AB 16 C1 7F 6D 59 87 BA 20



step 1

XOR the encrypted byte and the X. byte from the key (X = 1st Counter)

XOR 34, 9D ---> A9

step 2
Encrypt (XOR) the result with the N. byte from the 2nd key (N = 2nd Counter)

XOR A9, 62 ---> CB

step 3

Now you have to invert the new result

CB is now BC (CB -> BC)

step 4

finally you have to encrypt (XOR) the result from step 3 with AB.

XOR ESI, 0AB ---> 17

Repeat that with the whole Packet.

- After each encrypted byte the first counter will be increased.

- After 256 bytes the second Counter will be increased by 1

- After 65536 bytes both counters will get a "rollback" to 00 (and the same procedure will start again (00/00))

After you're connected to the Gameserver the Counters are set to 00.


Encrypt the "Client sent" packets

To decrypt the packets that are sent by the client to the Server you must use the same Routine that I've introduced above (just invert the whole Client-Encrypt/Decrypt Process).

so:

1. XOR byte Packet, AB

2. invert E1

3. XOR E2, 62

4. XOR E3, 9D


(E1, E2, E3 = result from 1., 2. and 3.)


Encrypt and Decrypt as Server

To start a Server, you must use the same Routine that I've introduced above (just invert the whole Client-Encrypt/Decrypt Process); the Keys are the same.

Every Player gets an individual key. The client is using this key for the encryption routine before he sends the information to the Server.
InfamousNoone is offline  
Thanks
2 Users
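Since every value the guide works through is on the page, the whole scheme can be checked end to end: the two static tables, the derivation of keys 3 and 4 from the server's first packet, and the byte-wise client-side routine with its 16-bit counter, run against the login packet from the guide. This is an added example for this thread, not code from the guide, from bone-you's C++ loop in post #3 (which it mirrors in decrypt_client), or from any Conquer Online client or server; the function names are mine, while the tables and the three sample packets are copied from the guide. The 300-byte rollover check goes one step beyond the guide's example to show the second counter advancing after 256 bytes.

```python
import struct

# The two static 256-byte tables exactly as printed in the guide above.
KEY1 = bytes.fromhex("""
9D 90 83 8A D1 8C E7 F6 25 28 EB 82 99 64 8F 2E
2D 40 D3 FA E1 BC B7 E6 B5 D8 3B F2 A9 94 5F 1E
BD F0 23 6A F1 EC 87 D6 45 88 8B 62 B9 C4 2F 0E
4D A0 73 DA 01 1C 57 C6 D5 38 DB D2 C9 F4 FF FE
DD 50 C3 4A 11 4C 27 B6 65 E8 2B 42 D9 24 CF EE
6D 00 13 BA 21 7C F7 A6 F5 98 7B B2 E9 54 9F DE
FD B0 63 2A 31 AC C7 96 85 48 CB 22 F9 84 6F CE
8D 60 B3 9A 41 DC 97 86 15 F8 1B 92 09 B4 3F BE
1D 10 03 0A 51 0C 67 76 A5 A8 6B 02 19 E4 0F AE
AD C0 53 7A 61 3C 37 66 35 58 BB 72 29 14 DF 9E
3D 70 A3 EA 71 6C 07 56 C5 08 0B E2 39 44 AF 8E
CD 20 F3 5A 81 9C D7 46 55 B8 5B 52 49 74 7F 7E
5D D0 43 CA 91 CC A7 36 E5 68 AB C2 59 A4 4F 6E
ED 80 93 3A A1 FC 77 26 75 18 FB 32 69 D4 1F 5E
7D 30 E3 AA B1 2C 47 16 05 C8 4B A2 79 04 EF 4E
0D E0 33 1A C1 5C 17 06 95 78 9B 12 89 34 BF 3E
""")
KEY2 = bytes.fromhex("""
62 4F E8 15 DE EB 04 91 1A C7 E0 4D 16 E3 7C 49
D2 3F D8 85 4E DB F4 01 8A B7 D0 BD 86 D3 6C B9
42 2F C8 F5 BE CB E4 71 FA A7 C0 2D F6 C3 5C 29
B2 1F B8 65 2E BB D4 E1 6A 97 B0 9D 66 B3 4C 99
22 0F A8 D5 9E AB C4 51 DA 87 A0 0D D6 A3 3C 09
92 FF 98 45 0E 9B B4 C1 4A 77 90 7D 46 93 2C 79
02 EF 88 B5 7E 8B A4 31 BA 67 80 ED B6 83 1C E9
72 DF 78 25 EE 7B 94 A1 2A 57 70 5D 26 73 0C 59
E2 CF 68 95 5E 6B 84 11 9A 47 60 CD 96 63 FC C9
52 BF 58 05 CE 5B 74 81 0A 37 50 3D 06 53 EC 39
C2 AF 48 75 3E 4B 64 F1 7A 27 40 AD 76 43 DC A9
32 9F 38 E5 AE 3B 54 61 EA 17 30 1D E6 33 CC 19
A2 8F 28 55 1E 2B 44 D1 5A 07 20 8D 56 23 BC 89
12 7F 18 C5 8E 1B 34 41 CA F7 10 FD C6 13 AC F9
82 6F 08 35 FE 0B 24 B1 3A E7 00 6D 36 03 9C 69
F2 5F F8 A5 6E FB 14 21 AA D7 F0 DD A6 F3 8C D9
""")

# Sample traffic copied from the guide: the server's 28-byte key packet and
# the 52-byte login packet before and after client-side encryption.
KEY_PACKET = bytes.fromhex(
    "1C 00 1C 04 2E A6 44 00 F4 48 5C 20 36 34 2E 31 35 31 2E 38 31 2E 32 30 34 00 00 00")
LOGIN_PLAIN = bytes.fromhex(
    "34 00 1B 04 54 65 73 74 54 65 73 74 00 00 00 00 00 00 00 00 51 15 EE 1B 19 45 2C 6E"
    "5C 01 5C 41 56 25 F6 D7 45 61 67 6C 65 00 00 00 00 00 00 00 00 00 00 00")
LOGIN_CIPHER = bytes.fromhex(
    "17 84 04 65 D5 13 C4 A5 9A 59 04 E2 14 CB 75 6F 5F 89 B0 22 86 17 18 52 47 54 FC 44"
    "D2 D4 BD 78 33 D0 D0 56 C6 55 83 26 8F 05 35 AB 16 C1 7F 6D 59 87 BA 20")


def swap_nibbles(b):
    """The guide's 'invert' step: CB -> BC."""
    return ((b << 4) & 0xF0) | (b >> 4)


def encrypt_client(plain, key1=KEY1, key2=KEY2, counter=0):
    """Client -> server, steps 1-4 of the guide: XOR key 1 at the low counter
    byte, XOR key 2 at the high byte, swap nibbles, XOR 0xAB. One 16-bit
    counter stands in for the guide's two 8-bit counters (the second advances
    every 256 bytes, both wrap after 65536). Returns (ciphertext, counter)."""
    out = bytearray()
    for b in plain:
        b ^= key1[counter & 0xFF] ^ key2[counter >> 8]
        out.append(swap_nibbles(b) ^ 0xAB)
        counter = (counter + 1) & 0xFFFF
    return bytes(out), counter


def decrypt_client(cipher, key1=KEY1, key2=KEY2, counter=0):
    """The inverse: the same steps run backwards (bone-you's loop in post #3)."""
    out = bytearray()
    for b in cipher:
        b = swap_nibbles(b ^ 0xAB)
        out.append(b ^ key2[counter >> 8] ^ key1[counter & 0xFF])
        counter = (counter + 1) & 0xFFFF
    return bytes(out), counter


def parse_key_packet(pkt):
    """Little-endian dwords at offsets 4 and 8 of the server's first packet;
    the guide lists their bytes in reverse order (20 5C 48 F4, 00 44 A6 2E)."""
    k2, k1 = struct.unpack_from("<II", pkt, 4)
    return k1, k2


def session_masks(k1, k2):
    """Steps 1-4 of 'Creating the 3rd and 4th key': add, XOR 0x4321, XOR with
    k1, then the low 32 bits of the square (the guide's IMUL)."""
    m3 = k1 ^ (((k1 + k2) & 0xFFFFFFFF) ^ 0x4321)
    m4 = (m3 * m3) & 0xFFFFFFFF
    return m3, m4


def derive_session_keys(k1, k2, key1=KEY1, key2=KEY2):
    """Keys 3 and 4: XOR each table dword-wise with its mask; reading the
    dwords little-endian is the byte reversal the guide spells out."""
    m3, m4 = session_masks(k1, k2)
    words1 = struct.unpack("<64I", key1)
    words2 = struct.unpack("<64I", key2)
    return (struct.pack("<64I", *(w ^ m3 for w in words1)),
            struct.pack("<64I", *(w ^ m4 for w in words2)))
```

Running `derive_session_keys(*parse_key_packet(KEY_PACKET))` gives tables starting 6A 74 7F 8A and 33 A9 F8 86, and `encrypt_client(LOGIN_PLAIN)` reproduces the guide's ciphertext byte for byte. The round trip also makes plain why this is obfuscation rather than confidentiality: both tables are fixed and public, the per-session masks are derived by add/XOR/multiply from two dwords the server sends in the clear, and the keystream depends only on the byte position, so the zero padding in the login packet encrypts straight to swap_nibbles(key1[i] ^ key2[j]) ^ 0xAB. Anything that can read the first server packet can derive keys 3 and 4 exactly as this code does, which is the property a protocol review should flag.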
Old 10/16/2008, 11:14   #7
 
lolex's Avatar
 
elite*gold: 0
Join Date: May 2007
Posts: 46
Received Thanks: 0
ol
lolex is offline  
Old 10/16/2008, 11:16   #8
 
Lowfyr's Avatar
 
elite*gold: 235
The Black Market: 135/1/0
Join Date: Jul 2003
Posts: 16,559
Received Thanks: 17,765
you can also use this direct link to view the eng guide with bb codes
Lowfyr is offline  
Thanks
2 Users
Old 02/25/2009, 01:12   #9
 
elite*gold: 0
Join Date: Feb 2008
Posts: 2
Received Thanks: 0
Quote:
Originally Posted by Lowfyr View Post
you can also use this direct link to view the eng guide with bb codes
sorry ... but I have used this method but the encrypt of data is wrong. Anybody have a testing code here?
andalos is offline  
Old 02/25/2009, 01:56   #10
 
unknownone's Avatar
 
elite*gold: 20
Join Date: Jun 2005
Posts: 1,013
Received Thanks: 381
try harder.

Also, that encryption only applies to the login now. Connection to the game server uses a different encryption. Check the sticky in the pserver section for that.
unknownone is offline  
Old 02/25/2009, 12:41   #11
 
Huseby's Avatar
 
elite*gold: 106
Join Date: Oct 2006
Posts: 6,047
Received Thanks: 1,165
Look date lol.

Don't bump.
Huseby is offline  
Old 02/25/2009, 14:30   #12
 
unknownone's Avatar
 
elite*gold: 20
Join Date: Jun 2005
Posts: 1,013
Received Thanks: 381
Date matters not if the topic is still relevant.

In fact, some important posts need bumping occasionally or they'll be gone for good.
unknownone is offline  
Old 02/25/2009, 16:24   #13

 
John Dread's Avatar
 
elite*gold: 28719
The Black Market: 138/0/0
Join Date: Nov 2007
Posts: 11,008
Received Thanks: 21,384
Quote:
Originally Posted by unknownone View Post
Date matters not if the topic is still relevant.

Infact, some important posts need bumping occasionally or they'll be gone for good.
Yes, I agree with that. Please don't report bumps if the thread is still relevant.

Thanks
John Dread is offline  