[Collection] GameGuard Decrypt (GS)

[TheBrain_]

This is not a guide, these spoilers contain information that can make it possible for you to decrypt the GameGaurd packets.

It requires C++ and a good eye for to see what function does what.
i will not support any help, however i will answer questions if they arent too complex.

-Thebrain

 Spoiler

Quote:

BlowFish Decrypt function

Code:

unsigned int *__cdecl Blowfish_Decrypt(int a1, int *a2, int *a3)
{
  int v3; // eax@1
  int v4; // ebx@1
  int v5; // edi@1
  int v6; // esi@1
  int v7; // ebp@2
  char v8; // zf@2
  unsigned int *result; // eax@3
  int v10; // ecx@3
  signed int v11; // [sp+14h] [bp+4h]@1

  v3 = *a2;
  v6 = *a3;
  v5 = a1;
  v11 = 16;
  v4 = v5 + 68;
  do
  {
    v7 = *(_DWORD *)v4 ^ v3;
    v3 = v6 ^ sub_59ED80(v5, v7);
    v4 -= 4;
    v8 = v11 == 1;
    v6 = v7;
    --v11;
  }
  while ( !v8 );
  v10 = v3 ^ *(_DWORD *)(v5 + 4);
  result = (unsigned int *)a2;
  *a2 = v7 ^ *(_DWORD *)v5;
  *a3 = v10;
  return result;
}

 Spoiler

Quote:

BlowFish Decrypt_!SECTION function

Code:

int __cdecl sub_59ED80(int a1, unsigned int a2)
{
  return *(_DWORD *)(a1 + 4 * (unsigned __int8)a2 + 3144)
       + (*(_DWORD *)(a1 + 4 * BYTE1(a2) + 2120) ^ (*(_DWORD *)(a1 + 4 * ((a2 >> 16) & 0xFF) + 1096)
                                                  + *(_DWORD *)(a1 + 4 * (a2 >> 24) + 72)));
}

 Spoiler

Quote:

BlowFish Init(When needed)

Code:

unsigned int __cdecl Blowfish_Init(char *a1, unsigned int a2, signed int a3)
{
  signed int v3; // eax@1
  char *v4; // ecx@1
  struct BLOWFISH_CTX *v5; // esi@1
  signed int v6; // edx@2
  int v7; // edi@3
  signed int v8; // eax@5
  unsigned int v9; // edx@5
  unsigned int v10; // ebp@5
  int v11; // ecx@6
  int v13; // ebx@10
  signed int v14; // edi@11
  struct BLOWFISH_CTX *v15; // esi@11
  unsigned int v16; // eax@12
  signed int v17; // ebp@13
  char *v18; // esi@13
  signed int v19; // edi@14
  unsigned int result; // eax@15
  unsigned int v21; // ecx@15
  signed int v22; // [sp+10h] [bp-4h]@5

  v5 = (struct BLOWFISH_CTX *)a1;
  v3 = (signed int)&unk_602954;
  v4 = a1 + 72;
  do
  {
    v6 = 256;
    do
    {
      v7 = *(_DWORD *)v3;
      v3 += 4;
      *(_DWORD *)v4 = v7;
      v4 += 4;
      --v6;
    }
    while ( v6 );
  }
  while ( v3 < (signed int)&unk_603954 );
  v10 = a3;
  v9 = a2;
  v8 = 0;
  v22 = 18;
  do
  {
    v11 = 0;
    a3 = 4;
    do
    {
      v11 = *(_BYTE *)(v8++ + v9) | (v11 << 8);
      if ( v8 >= (signed int)v10 )
        v8 = 0;
    }
    while ( a3-- != 1 );
    v13 = *(_DWORD *)((char *)v5 + &unk_60290C - (_UNKNOWN *)a1);
    v5 = (struct BLOWFISH_CTX *)((char *)v5 + 4);
    *((_DWORD *)v5 - 1) = v11 ^ v13;
    --v22;
  }
  while ( v22 );
  a3 = 0;
  a2 = 0;
  v15 = (struct BLOWFISH_CTX *)a1;
  v14 = 9;
  do
  {
    Blowfish_Encrypt((int)a1, &a3, (int *)&a2);
    v16 = a2;
    *(_DWORD *)v15 = a3;
    *((_DWORD *)v15 + 1) = v16;
    v15 = (struct BLOWFISH_CTX *)((char *)v15 + 8);
    --v14;
  }
  while ( v14 );
  v18 = a1 + 76;
  v17 = 4;
  do
  {
    v19 = 128;
    do
    {
      Blowfish_Encrypt((int)a1, &a3, (int *)&a2);
      result = a3;
      v21 = a2;
      *((_DWORD *)v18 - 1) = a3;
      *(_DWORD *)v18 = v21;
      v18 += 8;
      --v19;
    }
    while ( v19 );
    --v17;
  }
  while ( v17 );
  return result;
}

 Spoiler

Quote:

GameGaurd Decrypt Packet(s)

Code:

unsigned int __cdecl GGDecryptPacket(unsigned int *a1)
{
  unsigned int result; // eax@1
  unsigned int *v2; // esi@1
  unsigned int v3; // edx@1

  v2 = a1;
  Blowfish_Decrypt((int)&ctx, (int *)a1 + 1, (int *)a1 + 3);
  v3 = a1[3] ^ 0xF674C8B9;
  v2[2] ^= 0xB64D24Au;
  a1[3] = v3;
  Blowfish_Decrypt((int)&ctx, (int *)v2, (int *)v2 + 2);
  result = a1[1] ^ 0x9D28B918;
  *v2 ^= 0xAFD349Du;
  a1[1] = result;
  return result;
}

These are raw-codes, or atleast thats how i call them.
please dont complain if you cant figure out how it works, if you do know how it works you'll have alot of pleasure around

[mongreldogg]

means DO repeat it at home?

[TheBrain_]

Quote:

Originally Posted by mongreldogg

means DO repeat it at home?

these are the packets for the GS, but i think it will work for a client aswell, as they both return the same values over the same network.

so yes.

[hassuny]

thanks

[TheBrain_]

Here's an list how to use BlowFish_Decrypt method using my c# source code.

1.

 Spoiler

Lets Explain the methods.

Code:

            /* Packet Example < 06 56 43 20 93 64 02 > */
            Console.WriteLine(BlowFish_Decrypt(0, 0, 128)); //<----- Example decryption on 128bits 
            Console.WriteLine(BlowFish_Decrypt(0, 0, 256)); //<----- Example decryption on 256bits
            Console.WriteLine(BlowFish_Decrypt(0, 0, 0));   //<----- Example decryption on ITRN
            Console.ReadLine();

Packet Example, this is a real packet i have fetched while updating my US client.
1. Grab the packet in eitherway text or if available HEX.
2. Now we have to use some math to get us the information we need to decompile the return values.
3. (Example)
{06 56 43 20 93 64 02}
Lets make them blocks, okay here we go.

06 * 56 + 43 = our first value (block1)
20 + 93 = our second value (block2)
64 * 02 = our third value (block3)

2.

 Spoiler

Lets Deconstruct the values

Code:

            Console.WriteLine(BlowFish_Decrypt(0, 0, 128)); //<----- Example decryption on 128bits 
            Console.WriteLine(BlowFish_Decrypt(0, 0, 256)); //<----- Example decryption on 256bits
            Console.WriteLine(BlowFish_Decrypt(0, 0, 0));   //<----- Example decryption on ITRN

#! You Can Use this ONLY for 128-bit or 256-bit encryptions !#

As seen above, There's 128 and 256. These are filled according to (block3)
If your (block3) is 128 or 256, set these to their values.

In our case, we have an packet that we wanna deconstruct. To make an respond send back in values ofc.
So we take our (Blocks) that we have calculated before and fill them in.

128; BlowFish_Decrypt(Block1, Block2, Block3) (Also Known As) BlowFish_Decrypt(379, 113, 128)

Once we did that, we run our program and check the outcome.
Program has returned ; 8063 Which we have to put a space in every 2 characters.
so it actually is ; 80 63

Now this is not the real values, these are a respond on the confirmation GameGuard asks you
( This case, our Confirmation is the Example Packet ), now we will return to him ' 8063 '.

Now GameGuard Asks okay, what kind of connection do you want? with what interval?
<See Step3>

#! You Can Use this ONLY for 128-bit or 256-bit encryptions !#

3.

 Spoiler

GameGuard Asks you things... What now!?

Code:

In <Step2> You have got 80 63, which is a responce to make an 'handshake' <an quick 'ARE YOU THERE?'>

After that 'handshake' has been taken place, GameGuard will now ask you Alright your there.
Lets startup our program engine, and see what values need to do what.

I called these values (ITRN) Internal Terminal Read assigNment

So above, <Step1> You'll find ITRN, now lets set it with our values we returned.
Console.WriteLine(BlowFish_Decrypt(80, 63, 0)); We do not need an encryption for ITRN.

So lets see, Ah! here we go. we got ; 4364 (Which actually is 43 64)
This means, 
GameGuard will now run task: 43
With an Renew Interval of : 64 Seconds <refreshes the whole packet method we just did every 64seconds.>

4.

 Spoiler

Now, How Do I Get Rid of MY GameGuard?

Code:

You have to reloop these function list above, and fetch the packets and make a simple calculator.
Than you simply add timers, or backgroundworkers to do the things we want it to do.

Your Done with the packets, now lets get you the source code after reading all this.

Source Code

 Spoiler

Code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Linq.Expressions;

namespace ConsoleApplication2
{
    class Program
    {
        [STAThread]
        public static void Main(string[] args)
        {
            /* Packet Example < 06 56 43 20 93 64 02 > */
            Console.WriteLine(BlowFish_Decrypt(379, 113, 128)); //<----- Example decryption on 128bits 
            Console.WriteLine(BlowFish_Decrypt(0, 0, 256)); //<----- Example decryption on 256bits
            Console.WriteLine(BlowFish_Decrypt(80, 63, 0));   //<----- Example decryption on ITRN
            Console.ReadLine();
        }

        public static int BlowFish_Decrypt(int block1, int block2, int block3)
        {
            #region Define Stuff
            int result;
            int v7;
            Boolean v8;
            int A = 2;
            int B = 3;
            int v5 = 68;  /*<------ Define block(1) as a interval aswell as decryption main*/
            int v3 = 0;   /*<------ no entry for the second block is needed, except just the packet ITRN*/
            int v6 = 256; /*<------ Decryption Bytes, Rappelz may use 128 or 256. */
            result = block1 + block2 * v5;
            block1 = block1 + v5* v5 *block2 -0xB4 +0x54A60;
            block2 = block2 + v3* v6;
            block3 = block3 + v6;

            int v11 = 16;
            int v4 = v5 + 68;
            #endregion

            #region code start
            if (result == 384)
            {
                result = v3 + v6 + v11 - A * v4 ^ block2;
            }

            if (result == 256)
            {
                result = v3 + v6 - A * v11 ^ block2 ^ block1;
            }

            do
            {
                v7 = A * v4 ^ v3;
                v3 = v6 / A + 4 * 80 + 3144 + A + 4 * Convert.ToByte(B) + 2120 + B * A + 2120 / 4 * 0xFF + 1096 + A + 4 * 24 + 72;
                v4 = -4;
                v8 = v11 == 1;
                --v11;
            }
            while (!v8);
            {
                int v10 = v3 / v5 + 4;
                block2 = v7 / v5;
                block3 = v10;
            }
            return result;
            #endregion code stop
        }
        
    }
}

Hopefully you understand it while starting to read it, i just cant explain it any better than that.
Tested it, it works. this is just a simple base i have recoded (partially rewritten since some things ware missing)
But, GameGuard accepts it, and works with it.

Have fun! and goodluck.

[glandu2]

What I know so far:
The blowfish algorithm is used to encrypt several (4 ?) 32 bits integers, which are then used by gamemon.des to compute a response which sframe send to the GS. The gamemon.des algorithm is based on a small virtual machine to prevent easy decompilation. More in the pdf I found some months ago (in attachment)

You said "GameGuard accepts it, and works with it.", does this mean that you were able to send you decrypted data to client side gameguard ? Or send that back to the server ? (which would mean that the server just want the decrypted data ? + easy data manipulation) In this case, gamemon.des stuff and information in the pdf is not applicable for us.

[TheBrain_]

i used the decrypt for the encrypted packet,

after that i encrypted it, (with the response of my decrypted message)

^1st post contains encryption.

I only released the decryption.

[glandu2]

between the decryption and the encryption, there is an algorithm to do on the packet's data right ?
You already implemented a program that receive these GG encrypted packets with blowfish that decrypt them, compute the response and send it back to the server ? Also, the pdb is used to compute the response ?

[TheBrain_]

yes and partially yes,

the pdb does contain great information, but i also have GameGuard server files,
which means i can look into their c++ source anytime.

i've only made this topic to motivate people that they can decrypt and send it back if they put their minds on it or google.

anyway, ;

Proof - Pictures;






however, there's one rappelz file i do really want to look into (even tho its hackshield)

\Hackshield.crc


Algorithm for the packet's data;

Code:

void decryptGGString(char* cryptedStr) {
	if(cryptedStr[0] == 1) {
		int size, lastval ;

		cryptedStr[2] ^= 3 * cryptedStr[1] + 101;

		size = (cryptedStr[3] ^ (9 * cryptedStr[1] + 104)) & 0xFF | (cryptedStr[2] << 8);

		cryptedStr[3] ^= 9 * cryptedStr[1] + 104;
		lastval = 9 * cryptedStr[1] + 4;

		for(int i = 0; i < size; i++) {
			cryptedStr[i] = ((3 * lastval ) + 101) ^ cryptedStr[i + 4];
			lastval = 3 * lastval + 1;
		}
		cryptedStr[size] = 0;
	}
}

Decrypted Rappelz GameMon(INI) 3-2-2013

 Spoiler

Code:

[GAMEMON]
GAME_NAME=RappelzUS
UPDATE_SERVER=patch.gameguard.gpotato.com
UPDATE_PATH=/RappelzUS/RealServer/
BACKUP_SERVER=
BACKUP_PATH=
OPTION_VALUE=0
SPEEDCHECK_INTERVAL=1000
USE_GGSCAN=1
GAMECRC=1
SENDERRLOG=3
LOG_SERVER=211.215.21.138
NO_USE_CSVM=1
NO_USE_DRV64=1
USE_IHMON=1
BWTSERVER=bwt.nprotect2.net
BWT_OPTION=1

gameguard key(for decypting string)

Code:

#define GG_KEY "\x06\x02\x00\x00\x00\x24\x00\x00\x52\x53\x41\x31\x00\x02\x00\x00" \
                "\x01\x00\x01\x00\xFB\xE3\xFC\x09\xAF\xAE\x65\x8C\x96\x4C\xC5\x37" \
                "\xD2\xA4\x77\xE7\x4C\x41\xC2\xCF\xF2\xFE\x2D\x9C\x80\x94\x0C\x88" \
                "\x6D\xB3\x84\x9F\x8C\x22\xA0\xC9\xCD\xC0\xAB\x30\x65\x82\x42\x3C" \
                "\xEE\x3C\xA8\xB7\x11\xD6\x22\xFA\xFB\x23\xF7\x72\xCD\xE7\xD0\x6F" \
                "\x6A\x8E\x96\xE3"

@glandu, the pdf is from 2009, i have this too for a long time.
the thing is that gameguard did update alot since then

[glandu2]

Replying here for your post in TSP map editor to avoid being offtopic.

Quote:

Originally Posted by TheBrain_

i recoded a piece of the GG, which is litteraly the only piece u need to make it work and the only piece u need to make a bypass.

further more; i released the source in c++ and c#.

I was going to release the source once i completed the other files, but now people like '' you '' jumping on people like '' me '' makes me not releasing to anything to epvpers at all.

want to be fair winner? start by c1ph3r and these russian devs and some others., they have more than i have for sure and iam quite sure they have even more files you might enjoy.

it seems to be its the '' developers '' choise to eitherway share it or not.
all this negative attitude on epvpers makes me just not wanna do it at all.

its the same old team who keeps '' thanking '' each other, and if anyone else makes a attempt to give people a shot they just wanna grab your hole hand, geuss what. u just grabbed my hole hand and i dropped it all together.

besides, if i ask for help to other developers, (not all of them luckily) i get ignored, now iam not sure if you '' developers '' are known with the word and meanings of Community.

GG is not blowfish, you released how rappelz decrypt blowfish encrypted message, but the source code is available here: (and your released source is not usable, blowfish_decrypt use another function, sub_59ED80 which name depends on the binary you used), or online here , we can see that sub_59ED80 is function "F".

You released how rappelz use blowfish and the xor some numbers, that's ok (even if we don't know what's these variables are (like ctx which should be something like BLOWFISH_CTX, xor values might still be useful, especially true considering how difficult is digging in a .exe without the pdb file).

Your example of using these functions can't work, ctx is 0 (ctx contains the context of the algorithm, like the used key). For information about how to use blowfish,

I don't know what really do your blowfish functions you wrote in c#, but unlikely a blowfish encryption, will provide all encryption algorithms someone wants (including blowfish)

You said "the pdb does contain great information, but i also have GameGuard server files,"
Indeed the pdb help alot and with it it's almost like having source of rappelz servers (but it take more time than really having it when trying to understand something).

But concerning the other statement (and now I saw ismokedrow's comment), no there is no GG sources here (or at most the xor done by sframe just after blowfish decryption)

About decryptGGString, the author is me ( from sframe) and it decrypt gameguard strings when they are used (and using other functions it reencrypt them when another string is decrypted so only one gameguard string is decrypted at any time) These strings are client side only. This function is not used for packets

For the decryption of the .ini file, the source code is available here:

Code:

http://forum.rage zone.com/f197/delphi-source-decrypt-gameguard-ini-805362/

(remove space between rage and zone to get the correct name, epvp has banned it for some reason), also in wisp66's thread. And for the key, it's the GG public key used by the .ini decrypter (and also, it's impossible to encrypt a .ini file with modified content)

All that is not really a release as they are already released

About the hackshield.crc, it's probably the crc of one of hackshield's files and is available here

Part of files you shown as screenshot: but you have more according to your screenshots (provided it's yours as we only have small part of your screen).

If you really have GG's source code, then good job to get them, as I wasn't able to find something interesting (but some files that require to have an account and upload files).

But for now, as a epvp user, I consider you don't have it (or that GG stuff will never land anywhere) as about rappelz resurrection: I never saw any thread about that later (but maybe you've done it but just not released as I know many dev have at least a home made auth emu, but as a epvp user I don't care what people do if nothing not even an small unknown information about rappelz is released here).

So don't tell me that because of people like me you will never release what you was about to release because I don't think you would release something anyway.

About C1ph3r and other devs that might have more than you, the difference is that they don't talk about what they don't want to release, at least they don't post screenshot to prove they have something that they will not release, so maybe they have all rappelz, gameguard, whatever sources, but I don't think the solution is begging them to get these source.

So about sharing, indeed you share what you want, but don't expect to have no negative replies when posting screenshots of something you won't release. If you don't want to release something, then don't post on epvp that you have it (posting screenshots of an incomplete thing you made that will be released is still ok, like ismokedrow's client modifications, preparation of a new private server or a new incomplete tool)

About "groups" that thanks each others, when I began, Xijezu told me (with other devs) that opensource is not good and I will just null every release because of leechers that just ask for more tools and then say that released tools are bads and/or re-release these tools as their own. Well, when something is opensource, you can prove by date that you are the author of that source. Anyway, my way of thinking might not be good, but that should not be sufficient to discourage you if you really want to do something there ...

But anyway, that's your choices (and beside that, I still agree with your first post, also because it allow to gain time instead of working on something already done especially for algorithms and files layouts)