[Question] Sending data
Discussion on [Question] Sending data within the Kal Online forum part of the MMORPGs category.
02/26/2013, 16:49
#31
elite*gold: 0
Join Date: Dec 2010
Posts: 1,196
Received Thanks: 682
but bakabug's source only decrypts the first 16 bytes (?)
02/26/2013, 16:57
#32
elite*gold: 220
Join Date: Jun 2007
Posts: 3,768
Received Thanks: 1,126
@Runzel cause first 16 bytes are not used for AES crypt.
Bakabug added the AESkey pointer wrong or idk, if u add it manually it works well.
Just use the AESkey pointer from bakabug and make a dump every week.
PHP Code:
char *TEST = (char*)*((DWORD*)(SendPacketMain+0xA5));
if u get the 0x2A packet, dump it.
0x01 is Encrypt
0x02 is Decrypt, at the end. It's the AESKey expanded into 2 parts, 0x01 and 0x02, at the end.
02/26/2013, 18:02
#33
elite*gold: 0
Join Date: Nov 2007
Posts: 35
Received Thanks: 0
I have to get straight some info because it's chaos in my head right now xDD
This is captured packet 0x2a
Code:
57 0 2A 73 2B DD 9 3E 32 6D 25 51 36 8A 25 51 61 F6 F7 27 0 4 0 0 0
22 0 0 2 12 2 18 3C A 1E 18 96 B9 80 AB AC B6 B4 A6 96 8A A2 8A B5
9D 9F 8A A7 A9 94 A2 86 F8 D7 EA EE C2 D8 FC DA F8 E4 E6 CC DB F3 D7 F1
C9 C7 CA FA E8 A8 8C BA F4 F2 D3 E8 8 0
The underlined part (73 2B DD 9 3E) is changing. I got the pointer to the decryption table and i swapped it with baka's table.
Now what is his DecryptTable function for, because it says that it takes index, buf and len. Ok, buf and len i get, but u are passing RecvKey as index. WTF xD Is it just for decrypting the type of packet/first 3 bytes? And when u do it u just use decryptPacketAES? I don't get this cryptography stuff right now so a bit of explanation would be great
PS. And this pointer u gave, SendEngine + 0xA5, is pointing to some table (unknown) full of 0 bytes. Actually the start of this table is at SendEngine + 0xA4 according to my dump and IDA. Well, not the start but the push ;p
Code:
.text:005A01A4 push offset unk_8B6300
02/26/2013, 18:38
#34
elite*gold: 220
Join Date: Jun 2007
Posts: 3,768
Received Thanks: 1,126
if 0x2A comes in, u can dump at the address SendEngine + 0xA5. The AESkey is created at runtime, expanded into 2 parts 0x01 0x02
i got RecvKey cause clientless u need to decrypt Recv...
in Engine.exe the Recv is called twice. first for encrypt and second is the real Recv
but it goes over the same function, it's too hard to explain, if u hook recv at engine u get the real recv data.
Index is the Tablekey i guess, KalOnline routine ->
under 16 bytes u didn't need the 2 AESKeys, it gets only crypted by Tablekey (XORing with the Tablekey) and XorKey at the end.
For what u need now the Decrypt part? i would say it's too difficult to explain
U see at the SendFunc how it's decrypted, there are 2 calls, one for Tablekey XORing and one for AES crypt
And bakabug just copied those functions with IDA.
EDIT: Someone know about VEH hooking? it's hooking over exceptions, it's still an undetected hook in all games, cause it can't get detected i guess, it's something new
02/26/2013, 18:58
#35
elite*gold: 0
Join Date: Nov 2007
Posts: 35
Received Thanks: 0
Well i want to have a look at encrypted send packets so i can learn more about them.
So AES key is this 540 bytes long unknown table in baka code?
Basically i have to dump this table, swap it with original. Swap decrypt/encrypt tables. And every time at the start when 0x2a comes i have to save sendKey so i can later use it to decrypt header + data of send packets? (Edit. Scratch that ;p As this table is static i can save the key and dump table at first use then at the start of app just compare first key and if it differs then make new dump and replace with old).
so I did this
Code:
sendKey = (BYTE*)*((DWORD*)(sendAdd+0xA5));
LogTextBox("Send key captured: 0x%X ",*sendKey);
for(int i=0;i<540;i++)
{
dumptable byte by byte
}
I got updated decryptTable.
so can I now do this?
Code:
if(KalTools::getSendKey() != 0)
{
DecryptTable(*KalTools::getSendKey(),(unsigned char*)packet+2,len-2);
DecryptPacket((char*)packet);
}
sendKey is BYTE* so it's first cell of aes table 0x3A i guess.
02/26/2013, 21:05
#36
elite*gold: 220
Join Date: Jun 2007
Posts: 3,768
Received Thanks: 1,126
AESkey != Tablekey....
the AESkey is for AES cryption (UNKNOWN), and Tablekey is just an XOR cryption
and bakabug has a pointer to the Tablekey... u just can use it.
Tablekey is 0x1-0x3F - Tablekey + a hex 0x25, then it's using the Tablekey from the encrypttable to encrypt it with XOR.. idk how to explain <,<
02/26/2013, 21:19
#37
elite*gold: 0
Join Date: Nov 2007
Posts: 35
Received Thanks: 0
You mean that there are 2 separate pointers for the aes key and table key?
The one u gave is to table with aes data and
BYTE *TKey = (BYTE*)*((DWORD*)(PacketSendMain+0xCA));
this is for table key?
then i should do this
TableKey = ((*TKey)-1) & 0x3F;
and then i can use it?
02/26/2013, 21:31
#38
elite*gold: 220
Join Date: Jun 2007
Posts: 3,768
Received Thanks: 1,126
y
02/26/2013, 21:38
#39
elite*gold: 0
Join Date: Nov 2007
Posts: 35
Received Thanks: 0
Ok then what's this for in ur code? Because i'm now a little confused xD
Code:
if(buf[2] == 0x2A){
SendKey=*(BYTE*)&buf[7];
is this pointer the same data?
02/26/2013, 21:43
#40
elite*gold: 220
Join Date: Jun 2007
Posts: 3,768
Received Thanks: 1,126
isn't a pointer, u don't have a client on clientless, u can't do a pointer on memory, cause the game isn't opened. 0x2A is the welcome packet, and buf[7] is the first sendkey.
so with Client u just use the Pointer from tablekey. *Tkey
best way to learn, is by doing. Now watching a movie and going to sleep after ;E
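As an added example (not code from this thread or from bakabug's source), the following Python splits a captured byte stream into frames and pulls the table-key index out of the 0x2A welcome packet. It assumes a 2-byte little-endian length header covering the whole frame (the 87-byte capture posted above begins 57 00, i.e. 0x0057, which matches), and takes the buf[7] key byte and the ((key - 1) & 0x3F) rule from the posts above; the capture is reproduced with zero-padded hex.

```python
import struct

# Constructed copy of the 0x2A capture posted in this thread (87 bytes).
WELCOME_HEX = (
    "57 00 2A 73 2B DD 09 3E 32 6D 25 51 36 8A 25 51 61 F6 F7 27 00 04 00 00 00 "
    "22 00 00 02 12 02 18 3C 0A 1E 18 96 B9 80 AB AC B6 B4 A6 96 8A A2 8A B5 "
    "9D 9F 8A A7 A9 94 A2 86 F8 D7 EA EE C2 D8 FC DA F8 E4 E6 CC DB F3 D7 F1 "
    "C9 C7 CA FA E8 A8 8C BA F4 F2 D3 E8 08 00"
)
WELCOME = bytes.fromhex(WELCOME_HEX)

OP_WELCOME = 0x2A   # opcode byte follows the 2-byte length header (buf[2] in the thread)
KEY_OFFSET = 7      # buf[7] holds the first sendkey, per the thread


def split_frames(stream: bytes):
    """Split a byte stream into complete frames; return (frames, leftover).

    Assumption (checked against the capture above, 0x0057 == 87 bytes): each
    frame starts with a little-endian uint16 giving its total length, header
    included. A trailing partial frame is returned as leftover so the caller
    can prepend it to the next chunk read from the socket.
    """
    frames, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("<H", stream, pos)
        if length < 3:  # length + opcode is the minimum; anything less is corrupt
            raise ValueError(f"bad frame length {length} at offset {pos}")
        if pos + length > len(stream):
            break  # incomplete frame, wait for more data
        frames.append(stream[pos:pos + length])
        pos += length
    return frames, stream[pos:]


def opcode(frame: bytes) -> int:
    """Opcode byte of a frame (buf[2])."""
    return frame[2]


def welcome_table_index(frame: bytes) -> int:
    """Table-key index from a 0x2A frame: ((buf[7] - 1) & 0x3F), as stated in the thread."""
    if len(frame) <= KEY_OFFSET or opcode(frame) != OP_WELCOME:
        raise ValueError("not a 0x2A welcome frame")
    return (frame[KEY_OFFSET] - 1) & 0x3F


if __name__ == "__main__":
    frames, rest = split_frames(WELCOME + WELCOME[:10])
    print(len(frames), "frame(s),", len(rest), "leftover bytes")
    print("table index:", hex(welcome_table_index(frames[0])))
```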
02/26/2013, 21:51
#41
elite*gold: 0
Join Date: Nov 2007
Posts: 35
Received Thanks: 0
heh have a nice evening, i'll try to code this now. I hope it'll work xD
Edit.
Ok thank you very much for help. I did all u told me to and it works like a charm xDD
captured chat send packet
[C 0] 0x0E F3 1B 0 0 41 42 43 44 0
41-44 ABCD in hex, awesome! thank you again. Now i can try to do autologin ;p
So there is a weird thing xD I found ptr to maxHP, maxMP, curMP but in memory there is no curHP stored lol xD i was even searching for an array of bytes and i did not find it. Stupid xD However i found that the 0x45 state packet got the current mp when it's 0x07 - hp changed.
Well, this is not my question. Anyone has an idea how i can find the minichat address? I was looking somewhere near the normal chat function address and trying to trace some calls but i found nothing. It would be a useful feature.