Shaiya Packet Encryption ( Infos )

Discussion on Shaiya Packet Encryption ( Infos ) within the Shaiya forum part of the MMORPGs category.

#1 (wurstbrot123)

I've just taken a look at the Shaiya packet encryption
and the encryption itself is fairly simple. The encryption
itself is a simple XOR routine and I'll show you how you
can use that. However, I don't know yet how the
client currently is creating the Xortable. Luckily
the Xortable is always at the same address;
you can find the base address in the function call one
call above the Send call. The start of that function
looks like this ( Shaiya encryption function ):

Code:
CMP BYTE PTR DS:[2242E21],0
JE SHORT game.004010DF
CMP DWORD PTR DS:[2242E18],0
JNZ SHORT game.004010CA
MOV EAX,DWORD PTR SS:[ESP+8] 
PUSH ESI
PUSH EAX
MOV EAX,DWORD PTR SS:[ESP+C]
MOV ECX,EAX
MOV ESI,game.02242E28
CALL game.004051B0
MOV ESI,game.02242E28

This line is currently interesting for us. It moves the
base address of the Xortable into ESI. So 0x2242E28 would
be the address. This address + 0x104 is currently a
packet counter. This counter is also used for the encryption.
The Xortable starts at Xortable base address + 0x108.

So we have the following Addresses for our Encryption function:

0x2242F2C = Packetcounter
0x2242F30 = Xortable start

Now we can use the following function to
Encrypt our Packets:

Code:
#include <stdint.h>

// Addresses from the disassembly above (Xortable start = base 0x2242E28 + 0x108)
uintptr_t packetcounter = 0x2242F2C;
uintptr_t Xortable      = 0x2242F30;

char* encryptpacket( char * packet, int packetsize )
{
	int encryptcounter = *(int*)packetcounter;
	// ( how many packets have been encrypted yet )
	for( int i = 0; i < packetsize; ++i )
	{
		// Xortable already points at base + 0x108, so no extra offset here
		packet[i] ^= *(char*)( Xortable + i + encryptcounter );
	}
	encryptcounter += 1;
	*(int*)packetcounter = encryptcounter;
	return packet;
}
PS:

You can only use this function after you have sent at least
one login packet ( these are the first packets that get encrypted ).
Simply because when the first packet is to be sent but the
Xortable isn't created yet, the client will create it and encrypt the
packet. I might be wrong at any point, I did not test this yet,
I was just bored and took a look at it with OllyDBG.

regards
Wurstbrot123
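The XOR routine described in the post above, as an added, self-contained C example; it is not code from the thread or from the Shaiya client. The table contents, the table length, the counter values and the packets are all constructed stand-ins (nobody in the thread reverses the real table generator), and the functions demo_roundtrip, demo_counter_desync and demo_bounds_check are names chosen here. It models the one design point of the posted routine, a shared counter that advances by one per packet and selects which slice of a fixed table is XORed over the payload, and shows why both ends must hold the same counter: the round trip recovers the plaintext only when they do. It also adds the bounds check the posted loop never makes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed table length; the post does not state how long the real table is. */
#define XORTABLE_LEN 512u

/* Stand-in for the table the post reads at 0x2242F30 (contents are constructed). */
static uint8_t g_xortable[XORTABLE_LEN];

/* Deterministic filler so the example runs offline. This is NOT the client's
   table generator, which nobody in the thread has reversed. */
static void fill_demo_table(void)
{
    uint8_t x = 0x5A;
    for (size_t i = 0; i < XORTABLE_LEN; i++) {
        x = (uint8_t)(x * 33u + 7u);
        g_xortable[i] = x;
    }
}

/* The posted routine written out: byte i of the packet is XORed with
   table[counter + i], then the counter advances by one per packet. XOR is
   its own inverse, so the same call decrypts when both sides hold the same
   counter. Returns 0 on success, -1 when the index would run past the table
   (a check the posted loop does not make). */
static int xor_packet(uint8_t *packet, size_t len, uint32_t *counter)
{
    if (len == 0 || (size_t)*counter + len > XORTABLE_LEN)
        return -1;
    for (size_t i = 0; i < len; i++)
        packet[i] ^= g_xortable[*counter + i];
    *counter += 1;
    return 0;
}

/* Sender and receiver start from the same counter: the ciphertext differs
   from the plaintext, and the receiver's pass restores it. Returns 1 on success. */
int demo_roundtrip(void)
{
    uint32_t tx = 0, rx = 0;  /* constructed counters, one per side */
    uint8_t buf[6] = {0x01, 0xA1, 'h', 'i', 0x00, 0xFF}; /* constructed packet */
    uint8_t plain[6];

    fill_demo_table();
    memcpy(plain, buf, sizeof buf);
    if (xor_packet(buf, sizeof buf, &tx) != 0) return 0;  /* encrypt */
    if (memcmp(buf, plain, sizeof buf) == 0) return 0;    /* must have changed */
    if (xor_packet(buf, sizeof buf, &rx) != 0) return 0;  /* decrypt */
    return memcmp(buf, plain, sizeof buf) == 0 && tx == 1 && rx == 1;
}

/* Receiver one packet behind: a different table slice is applied and the
   payload comes out wrong, which is why the post reads the live counter from
   0x2242F2C instead of assuming it. Returns 1 when the payload is garbled. */
int demo_counter_desync(void)
{
    uint32_t tx = 3, rx = 2;  /* constructed: receiver lags by one packet */
    uint8_t buf[4] = {0xDE, 0xAD, 0xBE, 0xEF}; /* constructed packet */
    uint8_t plain[4];

    fill_demo_table();
    memcpy(plain, buf, sizeof buf);
    if (xor_packet(buf, sizeof buf, &tx) != 0) return 0;
    if (xor_packet(buf, sizeof buf, &rx) != 0) return 0;
    return memcmp(buf, plain, sizeof buf) != 0;
}

/* Refuses a packet that would index past the table end and leaves the
   counter untouched. Returns 1 when refused. */
int demo_bounds_check(void)
{
    uint32_t tx = XORTABLE_LEN - 2; /* constructed: only two table bytes left */
    uint8_t buf[4] = {1, 2, 3, 4};  /* constructed packet */

    fill_demo_table();
    return xor_packet(buf, sizeof buf, &tx) == -1 && tx == XORTABLE_LEN - 2;
}

int main(void)
{
    printf("roundtrip ok: %d\n", demo_roundtrip());
    printf("desync garbles: %d\n", demo_counter_desync());
    printf("bounds refused: %d\n", demo_bounds_check());
    return 0;
}
```

The counter stepping by one per packet means consecutive packets overlap on all but one table byte, so the scheme depends entirely on the table staying secret and on both ends agreeing on the counter; a proxy or decoder that starts with a stale counter, as the desync case shows, gets nothing usable.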
#2, 07/15/2011, 15:12
I could find that the function at 0x00404770 was writing to the Xortable memory address that you had mentioned.
zargon05
#3, 07/15/2011, 16:31
I know where the function itself is ( it is currently in the same
big call for sending packets ). But it's a pretty big routine;
it's probably a hell of a lot of work to reverse it completely.
Not sure if I'll ever take a look at it. Anyway, thank you
for sharing.
wurstbrot123
#4, 03/07/2013, 14:56
@wurstbrot123 Have you found out how the encryption works from the start? I see with Wireshark that when we first open the game, the server sends us a packet and the client sends another one back. They both have the same opcodes I think, "01 a1". Could these packets be how the XorTable is created?
warekurt
#5, 03/07/2013, 16:31
I'm not sure if it's the same, but the ingame encryption algorithm (client side) contains 3 parts:
an XOR table (176 bytes)
and two 128-bit XOR keys

The second key is used to actually encrypt the packet.
After the key is "consumed" (encryption counter is equal to key size), a new key is generated using the first key and the XOR table. At the end, the first key will be modified by adding 1 to it.

Which client version are your memory addresses based on?

Hope that was helpful in any kind.

,shiko
shikosan
#6, 03/11/2013, 07:17
When you look at the date, I looked at it quite a while
ago ( 2011 ), so I can't tell much about the current clients
and I don't remember what client version it was back then.
wurstbrot123
#7, 03/11/2013, 07:33
Thanks, just wanted to know if you recorded any progress afterwards.
warekurt
#8, 03/11/2013, 16:14
Whoops, didn't look at the date hehe...

I got a working implementation of the ingame encryption/decryption algorithm. What I'm missing is the XOR table creation part. I'm willing to trade my part for the XOR table part.
shikosan
#9, 03/11/2013, 16:38
Well, did you try the first 2 packets the client and server exchange? If you know every detail about the encryption you could share it, and I'll see if I can find any relation with those 2 packets.
warekurt