HandshakeRequest

Ksama_04 · 04/17/2019, 17:33

Hello !

I'm currently working on a Java emulator for the last client version for my personnal entertainment, I don't plan to sell it nor create a private server with it, this is just for the knowledge and the challenge.

I manage to go through the VersionRequest and ObfuscationRequest (by sending an abc.swf with empty encode/decode functions) but I've some struggle with and after the HandshakeRequest, here's what I understand:

* The HandshakeRequest and response are keys for ARC4 encoding.
* The ARC4 keys are RSA encoded.

Which, I guess, give something like this :
ARC4 plain key > RSA > abc ("by-passed" with empty functions).

So I manage to go through by sending the same packets that I found with Wireshark, to have an exemple of what's after that.

But I figured out that I can't go through HandshakeRequest without really understanding it.

This is where I'm asking for your help, could someone explain me how the Handshake keys work and if my understanding of HandshakeRequest is right? I'm not asking for code.

I tried to reproduce the PandorasBox encryption but I've struggle with the BigInteger class.

I can give more informations and samples of my code if needed !

I'll understand if nobody wants to help me but thank you very much anyway and have a nice day!

Best regards,
Ksama

Freshek · 04/22/2019, 23:59

You basically need to implement their asymmetrical encryption algorithm. I'd rather not bother with that and remove it from the client.

Ksama_04 · 04/23/2019, 12:01

Quote:

Originally Posted by Freshek

You basically need to implement their asymmetrical encryption algorithm. I'd rather not bother with that and remove it from the client.

Thank you for answer !

I understand the encryption better since my original post, but I struggle by sending a "valid" key to the client, it always give me the following error:

Code:

PKCS#1 unpad: i=1, expected b[i]==[0,1,2], got b[i]=xx

(where xx is a hexadecimal number)

I think that's because of the Java's encryption (using javax.crypto.Cipher) or my key generation method (which is the same that the client uses to send his key in the HandshakeRequest, but in Java) :

Code:

private BigInteger generateRandomBI() {
	int j = 0;
	String hex = new String();
	String code = new String();
	for(int i = 0; i < 128; i++) {
		j = (int)(new Random().nextFloat() * 256);
		hex = Integer.toHexString(j);

		if(hex.length() == 1)
			hex = "0" + hex;

		code = code + hex;
	}

	return new BigInteger(code, 16);
}

I like your idea to modify the main.swf, but won't it be harder to reobfusctate it properly to be read by the preloader, instead of implementing the encryption algorithm?

Anyway, thank you again for your answer and have a nice day!

Freshek · 04/23/2019, 13:44

Are you implementing the algorithm located in main.swf or in PandorasBox?

And no, modifying the preloader to load a decrypted version of main.swf is a matter of 5minutes and changing about 2 lines of code.

Ksama_04 · 04/23/2019, 15:57

The one in PandorasBox, which is, I guess, the one encoding the packets.

Okay thank you, I'm looking for this in the preloader.swf.
But after that, I think that I'll try to implement the algorithm anyway, I spent too much time to give up now

.

Thanks again!

MGL_Reload · 04/29/2019, 18:18

good luck