[Collection] GameGuard Decrypt (GS)

Old   #1
 
elite*gold: 0
Join Date: Dec 2012
Posts: 107
Received Thanks: 68

This is not a guide; these spoilers contain information that can make it possible for you to decrypt the GameGuard packets.

It requires C++ and a good eye to see what function does what.
I will not give any support; however, I will answer questions if they aren't too complex.

-Thebrain








These are raw codes, or at least that's what I call them.
Please don't complain if you can't figure out how it works; if you do know how it works, you'll have a lot of pleasure with it.



TheBrain_ is offline  
Old   #2
 
elite*gold: 30
Join Date: Mar 2012
Posts: 626
Received Thanks: 280
Means DO repeat it at home?


mongreldogg is offline  
Old   #3
 
elite*gold: 0
Join Date: Dec 2012
Posts: 107
Received Thanks: 68
Quote:
Originally Posted by mongreldogg
Means DO repeat it at home?
These are the packets for the GS, but I think it will work for a client as well, as they both return the same values over the same network.

So yes.
TheBrain_ is offline  
Old   #4
 
elite*gold: 0
Join Date: Mar 2013
Posts: 75
Received Thanks: 5
thanks


hassuny is offline  
Old   #5
 
elite*gold: 0
Join Date: Dec 2012
Posts: 107
Received Thanks: 68
Here's a list of how to use the BlowFish_Decrypt method using my C# source code.

1.

2.

3.

4.

Source Code

Hopefully you understand it while starting to read it; I just can't explain it any better than that.
Tested it, it works. This is just a simple base I have recoded (partially rewritten since some things were missing).
But GameGuard accepts it and works with it.

Have fun, and good luck.
TheBrain_ is offline  
Old   #6
 
elite*gold: 0
Join Date: Apr 2012
Posts: 448
Received Thanks: 768
What I know so far:
The Blowfish algorithm is used to encrypt several (4?) 32-bit integers, which are then used by gamemon.des to compute a response which sframe sends to the GS. The gamemon.des algorithm is based on a small virtual machine to prevent easy decompilation. More in the PDF I found some months ago (in attachment).

You said "GameGuard accepts it, and works with it." Does this mean that you were able to send your decrypted data to the client-side GameGuard? Or send that back to the server? (Which would mean that the server just wants the decrypted data? + easy data manipulation.) In this case, the gamemon.des stuff and the information in the PDF are not applicable for us.
Attached Files
File Type: pdf Defeating and Emulating INCA's nProtect GameGuard.pdf (120.4 KB, 184 views)
glandu2 is offline  
Old   #7
 
elite*gold: 0
Join Date: Dec 2012
Posts: 107
Received Thanks: 68
I used the decrypt for the encrypted packet,

after that I encrypted it (with the response to my decrypted message).

^1st post contains encryption.

I only released the decryption.
TheBrain_ is offline  
Old   #8
 
elite*gold: 0
Join Date: Apr 2012
Posts: 448
Received Thanks: 768
Between the decryption and the encryption, there is an algorithm to apply to the packet's data, right?
You already implemented a program that receives these GG packets encrypted with Blowfish, decrypts them, computes the response and sends it back to the server? Also, is the pdb used to compute the response?
glandu2 is offline  
Old   #9
 
elite*gold: 0
Join Date: Dec 2012
Posts: 107
Received Thanks: 68
Yes, and partially yes.

The pdb does contain great information, but I also have GameGuard server files,
which means I can look into their C++ source anytime.

I've only made this topic to motivate people: they can decrypt and send it back if they put their minds to it or google.

Anyway;

Proof - Pictures;

However, there's one Rappelz file I do really want to look into (even though it's HackShield):

\Hackshield.crc

Algorithm for the packet's data;
Code:
/* Decodes one obfuscated GameGuard string in place.
 * Layout: [0] = 1 (marker), [1] = seed byte, [2..3] = length (high byte first,
 * each XOR-masked with a value derived from the seed), [4..] = body bytes, each
 * XORed with a keystream derived from the same seed. The plain text is written
 * back from offset 0 and NUL-terminated. The length field is trusted, so the
 * buffer must really hold at least size + 4 bytes. */
void decryptGGString(char* cryptedStr) {
	if(cryptedStr[0] == 1) {
		int size, lastval;
		/* read the length bytes unsigned, otherwise a high byte >= 0x80 is
		 * sign-extended when shifted and size goes negative */
		unsigned char* u = (unsigned char*)cryptedStr;

		cryptedStr[2] ^= 3 * cryptedStr[1] + 101;              /* unmask high length byte */

		size = (u[3] ^ (9 * cryptedStr[1] + 104)) & 0xFF | (u[2] << 8);

		cryptedStr[3] ^= 9 * cryptedStr[1] + 104;              /* unmask low length byte */
		lastval = 9 * cryptedStr[1] + 4;                       /* keystream state, seeded from byte 1 */

		for(int i = 0; i < size; i++) {
			/* body byte XOR keystream byte, moved to the front of the buffer */
			cryptedStr[i] = ((3 * lastval) + 101) ^ cryptedStr[i + 4];
			lastval = 3 * lastval + 1;
		}
		cryptedStr[size] = 0;
	}
}

Decrypted Rappelz GameMon(INI) 3-2-2013

GameGuard key (for decrypting strings)
Code:
/* 84-byte blob; the leading bytes (06 02 .. 00 24 00 00 "RSA1") are the
 * Microsoft CryptoAPI PUBLICKEYBLOB header of a 512-bit RSA public key */
#define GG_KEY "\x06\x02\x00\x00\x00\x24\x00\x00\x52\x53\x41\x31\x00\x02\x00\x00" \
                "\x01\x00\x01\x00\xFB\xE3\xFC\x09\xAF\xAE\x65\x8C\x96\x4C\xC5\x37" \
                "\xD2\xA4\x77\xE7\x4C\x41\xC2\xCF\xF2\xFE\x2D\x9C\x80\x94\x0C\x88" \
                "\x6D\xB3\x84\x9F\x8C\x22\xA0\xC9\xCD\xC0\xAB\x30\x65\x82\x42\x3C" \
                "\xEE\x3C\xA8\xB7\x11\xD6\x22\xFA\xFB\x23\xF7\x72\xCD\xE7\xD0\x6F" \
                "\x6A\x8E\x96\xE3"
@glandu, the PDF is from 2009; I have had this too for a long time.
The thing is that GameGuard has updated a lot since then.
Attached Files
File Type: zip GGPUB.zip (439 Bytes, 89 views)
TheBrain_ is offline  
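The decryptGGString routine from the post above, modelled byte for byte in Python as an added example (this is not code from the thread, from sframe or from GameGuard). It also carries the inverse transform, which is assumed from the decode and exists only so the routine can be exercised on constructed input; the names gg_decode, gg_encode, roundtrip_ok and _keystream are mine. What it makes visible is that the body is XORed with a linear keystream whose only seed is byte 1 of the header, stored in clear, so this is obfuscation of embedded strings rather than encryption under a secret key. Unlike the C routine, the decoder also checks the embedded length against the buffer it was given.

```python
# Added example, not code from the thread: a byte-exact model of decryptGGString
# plus its inverse. All arithmetic is reduced mod 256, which is exactly what the
# C version's char stores and XORs amount to.


def _keystream(seed: int, length: int) -> bytes:
    """Keystream for the body: state s starts at 9*seed + 4, each step emits
    3*s + 101 and then advances s = 3*s + 1 (all mod 256)."""
    lastval = (9 * seed + 4) & 0xFF
    out = bytearray()
    for _ in range(length):
        out.append((3 * lastval + 101) & 0xFF)
        lastval = (3 * lastval + 1) & 0xFF
    return bytes(out)


def gg_decode(buf: bytes) -> bytes:
    """Decode a GG-obfuscated string: header [1, seed, hi, lo] then the body.

    Mirrors decryptGGString, but refuses a length field that points past the
    end of the buffer instead of trusting it.
    """
    if len(buf) < 4 or buf[0] != 1:
        return buf  # no marker byte: the C routine leaves the buffer untouched
    seed = buf[1]
    hi = buf[2] ^ ((3 * seed + 101) & 0xFF)
    lo = buf[3] ^ ((9 * seed + 104) & 0xFF)
    size = lo | (hi << 8)
    if size > len(buf) - 4:
        raise ValueError("length field %d exceeds buffer of %d body bytes" % (size, len(buf) - 4))
    ks = _keystream(seed, size)
    return bytes(k ^ c for k, c in zip(ks, buf[4:4 + size]))


def gg_encode(plain: bytes, seed: int) -> bytes:
    """Assumed inverse of gg_decode: build the masked header and XOR the body
    with the same keystream. seed is any byte and is stored in clear in the
    header, so it parameterises the obfuscation but is not a secret."""
    if not 0 <= seed <= 0xFF or len(plain) > 0xFFFF:
        raise ValueError("seed must be one byte and plain at most 65535 bytes")
    size = len(plain)
    header = bytes([
        1,
        seed,
        ((size >> 8) ^ (3 * seed + 101)) & 0xFF,
        ((size & 0xFF) ^ (9 * seed + 104)) & 0xFF,
    ])
    ks = _keystream(seed, size)
    return header + bytes(k ^ p for k, p in zip(ks, plain))


def roundtrip_ok(plain: bytes, seed: int) -> bool:
    """True when encode followed by decode returns the original bytes."""
    return gg_decode(gg_encode(plain, seed)) == plain


if __name__ == "__main__":
    sample = b"constructed test string"  # constructed sample, not a real GG string
    enc = gg_encode(sample, seed=0x2A)
    print("obfuscated:", enc.hex())
    print("decoded:   ", gg_decode(enc))
    print("roundtrip: ", roundtrip_ok(sample, 0x2A))
```

Running the block obfuscates a constructed string under seed 0x2A and decodes it again; changing the seed changes every byte of the output, but since the seed travels in the header any party holding the buffer can undo it, which is why the same routine can live in the client binary.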
Old   #10
 
elite*gold: 0
Join Date: Apr 2012
Posts: 448
Received Thanks: 768
Replying here to your post in the TSP map editor thread to avoid being off-topic.

Quote:
Originally Posted by TheBrain_
I recoded a piece of the GG, which is literally the only piece you need to make it work and the only piece you need to make a bypass.

Furthermore, I released the source in C++ and C#.

I was going to release the source once I completed the other files, but now people like '' you '' jumping on people like '' me '' makes me not release anything to epvpers at all.

Want to be a fair winner? Start with c1ph3r and these Russian devs and some others; they have more than I have for sure, and I am quite sure they have even more files you might enjoy.

It seems to be the '' developers' '' choice either way whether to share it or not.
All this negative attitude on epvpers makes me just not want to do it at all.

It's the same old team who keep '' thanking '' each other, and if anyone else makes an attempt to give people a shot they just want to grab your whole hand. Guess what: you just grabbed my whole hand and I dropped it all together.

Besides, if I ask other developers for help (not all of them, luckily) I get ignored; now I am not sure if you '' developers '' are familiar with the word and meaning of Community.
GG is not Blowfish. You released how Rappelz decrypts a Blowfish-encrypted message, but the source code is available here: (and your released source is not usable: blowfish_decrypt uses another function, sub_59ED80, whose name depends on the binary you used), or online here; we can see that sub_59ED80 is function "F".

You released how Rappelz uses Blowfish and then XORs some numbers; that's ok (even if we don't know what these variables are (like ctx, which should be something like BLOWFISH_CTX), the XOR values might still be useful, especially considering how difficult digging in an .exe without the pdb file is).

Your example of using these functions can't work: ctx is 0 (ctx contains the context of the algorithm, like the used key). For information about how to use Blowfish,

I don't know what the Blowfish functions you wrote in C# really do, but unlikely a Blowfish encryption; will provide all the encryption algorithms someone wants (including Blowfish).

You said "the pdb does contain great information, but i also have GameGuard server files,"
Indeed, the pdb helps a lot, and with it it's almost like having the source of the Rappelz servers (but it takes more time than really having it when trying to understand something).

But concerning the other statement (and now I saw ismokedrow's comment), no, there are no GG sources here (or at most the XOR done by sframe just after Blowfish decryption).

About decryptGGString, the author is me (from sframe) and it decrypts GameGuard strings when they are used (and using other functions it re-encrypts them when another string is decrypted, so only one GameGuard string is decrypted at any time). These strings are client-side only. This function is not used for packets.

For the decryption of the .ini file, the source code is available here:
Code:
http://forum.rage zone.com/f197/delphi-source-decrypt-gameguard-ini-805362/
(remove the space between rage and zone to get the correct name; epvp has banned it for some reason), also in wisp66's thread. And for the key, it's the GG public key used by the .ini decrypter (and also, it's impossible to encrypt a .ini file with modified content).

All that is not really a release, as they are already released.

About the hackshield.crc, it's probably the CRC of one of HackShield's files and is available here

Part of the files you showed as screenshots: but you have more according to your screenshots (provided they're yours, as we only have a small part of your screen).

If you really have GG's source code, then good job getting it, as I wasn't able to find anything interesting (only some files that require having an account and uploading files).

But for now, as an epvp user, I consider that you don't have it (or that the GG stuff will never land anywhere), as with Rappelz Resurrection: I never saw any thread about that later (maybe you've done it but just not released it, as I know many devs have at least a home-made auth emu, but as an epvp user I don't care what people do if nothing, not even a small unknown piece of information about Rappelz, is released here).

So don't tell me that because of people like me you will never release what you were about to release, because I don't think you would release anything anyway.

About C1ph3r and other devs that might have more than you: the difference is that they don't talk about what they don't want to release; at least they don't post screenshots to prove they have something they will not release. So maybe they have all the Rappelz, GameGuard, whatever sources, but I don't think the solution is begging them for these sources.

So about sharing: indeed, you share what you want, but don't expect to get no negative replies when posting screenshots of something you won't release. If you don't want to release something, then don't post on epvp that you have it (posting screenshots of an incomplete thing you made that will be released is still ok, like ismokedrow's client modifications, preparation of a new private server or a new incomplete tool).

About "groups" that thank each other: when I began, Xijezu told me (with other devs) that open source is not good and that I would just null every release because of leechers that just ask for more tools and then say that released tools are bad and/or re-release these tools as their own. Well, when something is open source, you can prove by date that you are the author of that source. Anyway, my way of thinking might not be good, but that should not be sufficient to discourage you if you really want to do something there...

But anyway, that's your choice (and besides that, I still agree with your first post, also because it allows saving time instead of working on something already done, especially for algorithms and file layouts).


glandu2 is offline  
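The GG_KEY bytes from post #9, decoded as an added example (not code from the thread, from sframe or from GameGuard). Its first bytes are the Microsoft CryptoAPI PUBLICKEYBLOB header (bType 6, version 2, an algorithm id, then the RSAPUBKEY "RSA1" magic), so the parser below reads it with that structure; the function and field names are mine, and the constants CALG_RSA_SIGN (0x2400) and CALG_RSA_KEYX (0xA400) are the CryptoAPI values.

```python
# Added example, not code from the thread: parse the posted GG_KEY blob as a
# CryptoAPI RSA PUBLICKEYBLOB and report what kind of key it is.
import struct

# The 84 bytes of GG_KEY from post #9, copied verbatim.
GG_KEY = bytes.fromhex(
    "06020000002400005253413100020000"
    "01000100fbe3fc09afae658c964cc537"
    "d2a477e74c41c2cff2fe2d9c80940c88"
    "6db3849f8c22a0c9cdc0ab306582423c"
    "ee3ca8b711d622fafb23f772cde7d06f"
    "6a8e96e3"
)

PUBLICKEYBLOB = 0x06        # BLOBHEADER.bType for a public key
RSA1_MAGIC = b"RSA1"        # RSAPUBKEY.magic for a public key
ALG_NAMES = {
    0x00002400: "CALG_RSA_SIGN",  # RSA key for signatures
    0x0000A400: "CALG_RSA_KEYX",  # RSA key for key exchange / encryption
}


def parse_publickeyblob(blob: bytes) -> dict:
    """Return the fields of a CryptoAPI RSA PUBLICKEYBLOB.

    BLOBHEADER: bType(u8) bVersion(u8) reserved(u16) aiKeyAlg(u32)
    RSAPUBKEY:  magic(4 bytes) bitlen(u32) pubexp(u32)
    followed by the modulus, bitlen/8 bytes, little-endian.
    """
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    b_type, b_version, _reserved, key_alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if b_type != PUBLICKEYBLOB or magic != RSA1_MAGIC:
        raise ValueError("not an RSA public key blob")
    nbytes = bitlen // 8
    modulus_le = blob[20:20 + nbytes]
    if len(modulus_le) != nbytes:
        raise ValueError("modulus truncated: expected %d bytes, got %d" % (nbytes, len(modulus_le)))
    return {
        "version": b_version,
        "key_alg": key_alg,
        "alg_name": ALG_NAMES.get(key_alg, "unknown (0x%08x)" % key_alg),
        "bitlen": bitlen,
        "pubexp": pubexp,
        "modulus": int.from_bytes(modulus_le, "little"),
        "trailing_bytes": len(blob) - 20 - nbytes,
    }


if __name__ == "__main__":
    k = parse_publickeyblob(GG_KEY)
    print("RSA-%d public key, e = %d, usage %s" % (k["bitlen"], k["pubexp"], k["alg_name"]))
    print("n = 0x%x" % k["modulus"])
```

The blob parses as a 512-bit RSA public key with exponent 65537 tagged CALG_RSA_SIGN, that is, the public half of a signing key. That fits the statement above that the .ini decrypter uses it and that a modified .ini cannot be re-encrypted: checking a file needs only this blob, producing an acceptable one needs the private half. A 512-bit modulus is also well below the 2048-bit minimum in current key-length guidance, which is worth noting in any assessment of the scheme.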