wolfteam encrypted packet

[Apolet]

first of all hello everyone. I'm trying to make a private server for (wolfteam).
I am using this project on server side. I tried various clients (2007(I couldn't run xtrap files are missing),2008,2010,2012(the version I'm working now),2014,2016), I unpack the wolf.xfs file (quickbms by aligui) and put it in the client directory and replace the original (wolf.xfs) I put the folder named (wolf.xfs).
I make the server ip settings, it connects to the server without any problems, but the incoming packets were completely random, so I examined cshell.dll and saw that it mixed the cs_br_chainlist_req package with srand(Gettickcount) before sending it, then I edited it, as a result I can get fixed packets, but they are still encrypted or the server cannot read the packets properly. If anyone knows how to fix this problem, I would be very grateful.
some packet data :

Code:

1-//move eax,2 (username:apolet ,Password:123123 ,Countrycode:200)
attemp-1:067653d8002482820019f6a4e77f66477b002e2907e548db
attemp-2:067653d8002482820019f6a4e77f66477b002e2907e548db //


2-//move eax,3 (username:apolet ,Password:123123 ,Countrycode:200)
attemp-1:036dc2e9e9c2095248ed730aea64c8e99b9f18834bfc494d
attemp-2:036dc2e9e9c2095248ed730aea64c8e99b9f18834bfc494d //
jnz short loc_340A0BF1 -> jz short loc_340A0BF1 = 
(        036dc2e9e9c2095205fb5a673e11b8c6589c2c45ed41f0e1)

edited code :

Code:

sub_340A0AF0    proc near               ; CODE XREF: sub_340A2430+1A5↓p
.text:340A0AF0
.text:340A0AF0 var_2060        = dword ptr -2060h
.text:340A0AF0 var_205C        = dword ptr -205Ch
.text:340A0AF0 var_2058        = byte ptr -2058h
.text:340A0AF0 var_2057        = word ptr -2057h
.text:340A0AF0 var_58          = dword ptr -58h
.text:340A0AF0 var_54          = dword ptr -54h
.text:340A0AF0 Src             = byte ptr -50h
.text:340A0AF0 var_4F          = byte ptr -4Fh
.text:340A0AF0 var_10          = dword ptr -10h
.text:340A0AF0 var_C           = dword ptr -0Ch
.text:340A0AF0 var_4           = dword ptr -4
.text:340A0AF0 arg_4           = dword ptr  0Ch
.text:340A0AF0
.text:340A0AF0 ; FUNCTION CHUNK AT .text:343F49D0 SIZE 00000036 BYTES
.text:340A0AF0
.text:340A0AF0 ; __unwind { // SEH_340A0AF0
.text:340A0AF0                 push    ebp
.text:340A0AF1                 mov     ebp, esp
.text:340A0AF3                 push    0FFFFFFFFh
.text:340A0AF5                 push    offset SEH_340A0AF0
.text:340A0AFA                 mov     eax, large fs:0
.text:340A0B00                 push    eax
.text:340A0B01                 mov     eax, 2054h
.text:340A0B06                 call    __alloca_probe
.text:340A0B0B                 mov     eax, ___security_cookie
.text:340A0B10                 xor     eax, ebp
.text:340A0B12                 mov     [ebp+var_10], eax
.text:340A0B15                 push    ebx
.text:340A0B16                 push    esi
.text:340A0B17                 push    edi
.text:340A0B18                 push    eax
.text:340A0B19                 lea     eax, [ebp+var_C]
.text:340A0B1C                 mov     large fs:0, eax
.text:340A0B22                 mov     esi, dword_346F2918
.text:340A0B28                 xor     ebx, ebx
.text:340A0B2A                 cmp     esi, 48773BAFh
.text:340A0B30                 jle     short loc_340A0B34
.text:340A0B32                 xor     esi, esi
.text:340A0B34
.text:340A0B34 loc_340A0B34:                           ; CODE XREF: sub_340A0AF0+40↑j
.text:340A0B34                 push    3Fh ; '?'       ; Size
.text:340A0B36                 lea     eax, [ebp+var_4F]
.text:340A0B39                 push    ebx             ; Val
.text:340A0B3A                 push    eax             ; void *
.text:340A0B3B                 mov     [ebp+Src], bl
.text:340A0B3E                 call    memset
.text:340A0B43                 add     esi, 2
.text:340A0B46                 add     esp, 0Ch
.text:340A0B49                 mov     dword_346F2918, esi
.text:340A0B4F                 mov     [ebp+var_205C], 40h ; '@'
.text:340A0B59                 mov     esi, 8
.text:340A0B5E                 cmp     dword_346F28E8, ebx
.text:340A0B64                 jnz     short loc_340A0BA1
.text:340A0B66                 push    esi             ; unsigned int
.text:340A0B67                 call    ??2@YAPAXI@Z    ; operator new(uint)
.text:340A0B6C                 add     esp, 4
.text:340A0B6F                 mov     [ebp+var_2060], eax
.text:340A0B75 ;   try {
.text:340A0B75                 mov     [ebp+var_4], ebx
.text:340A0B78                 cmp     eax, ebx
.text:340A0B7A                 jz      short loc_340A0B85
.text:340A0B7C                 mov     ecx, eax
.text:340A0B7E                 call    sub_3419B160
.text:340A0B83                 jmp     short loc_340A0B87
.text:340A0B85 ; ---------------------------------------------------------------------------
.text:340A0B85
.text:340A0B85 loc_340A0B85:                           ; CODE XREF: sub_340A0AF0+8A↑j
.text:340A0B85                 xor     eax, eax
.text:340A0B87
.text:340A0B87 loc_340A0B87:                           ; CODE XREF: sub_340A0AF0+93↑j
.text:340A0B87                 push    80h ; '€'
.text:340A0B8C                 push    eax
.text:340A0B8C ;   } // starts at 340A0B75
.text:340A0B8D                 mov     [ebp+var_4], 0FFFFFFFFh
.text:340A0B94                 mov     dword_346F28E8, eax
.text:340A0B99                 call    sub_3408E390
.text:340A0B9E                 add     esp, 8
.text:340A0BA1
.text:340A0BA1 loc_340A0BA1:                           ; CODE XREF: sub_340A0AF0+74↑j
.text:340A0BA1                 lea     ecx, [ebp+var_205C]
.text:340A0BA7                 push    ecx
.text:340A0BA8                 mov     ecx, dword_346F28E8
.text:340A0BAE                 lea     edx, [ebp+Src]
.text:340A0BB1                 push    edx
.text:340A0BB2                 push    ebx
.text:340A0BB3                 call    sub_3419B310
.text:340A0BB8                 mov     edi, 1
.text:340A0BBD                 cmp     [ebp+Src], bl
.text:340A0BC0                 jnz     short loc_340A0BF1
.text:340A0BC2                 call    ds:rand
.text:340A0BC8                 xor     edx, edx
.text:340A0BCA                 mov     ecx, 22h ; '"'
.text:340A0BCF                 div     ecx
.text:340A0BD1                 lea     ecx, [ebp+Src]
.text:340A0BD4                 mov     edx, off_346377F8[edx*4] ; "denoil"
.text:340A0BDB                 sub     ecx, edx
.text:340A0BDD                 lea     ecx, [ecx+0]
.text:340A0BE0
.text:340A0BE0 loc_340A0BE0:                           ; CODE XREF: sub_340A0AF0+F9↓j
.text:340A0BE0                 mov     al, [edx]
.text:340A0BE2                 mov     [ecx+edx], al
.text:340A0BE5                 add     edx, edi
.text:340A0BE7                 cmp     al, bl
.text:340A0BE9                 jnz     short loc_340A0BE0
.text:340A0BEB                 add     dword_346F2918, edi
.text:340A0BF1
.text:340A0BF1 loc_340A0BF1:                           ; CODE XREF: sub_340A0AF0+D0↑j
.text:340A0BF1                 lea     eax, [ebp+Src]
.text:340A0BF4                 lea     ecx, [eax+1]
.text:340A0BF7
.text:340A0BF7 loc_340A0BF7:                           ; CODE XREF: sub_340A0AF0+10C↓j
.text:340A0BF7                 mov     dl, [eax]
.text:340A0BF9                 inc     eax
.text:340A0BFA                 cmp     dl, bl
.text:340A0BFC                 jnz     short loc_340A0BF7
.text:340A0BFE                 add     dword_346F2918, edi
.text:340A0C04                 sub     eax, ecx
.text:340A0C06                 mov     edx, 1102h
.text:340A0C0B                 mov     ebx, eax
.text:340A0C0D                 mov     [ebp+var_58], esi
.text:340A0C10                 mov     [ebp+var_54], esi
.text:340A0C13                 mov     [ebp+var_2057], dx
.text:340A0C1A                 mov     eax, 64h ; 'd'  ; Keypatch modified this from:
.text:340A0C1A                                         ;   call ds:GetTickCount
.text:340A0C1A                                         ; Keypatch padded NOP to next boundary: 1 bytes
.text:340A0C1A                                         ; Keypatch modified this from:
.text:340A0C1A                                         ;   mov eax, 4
.text:340A0C1A                                         ; Keypatch modified this from:
.text:340A0C1A                                         ;   mov eax, 8
.text:340A0C1A                                         ; Keypatch modified this from:
.text:340A0C1A                                         ;   mov eax, 5
.text:340A0C1A                                         ; Keypatch modified this from:
.text:340A0C1A                                         ;   mov eax, 6
.text:340A0C1A                                         ; Keypatch modified this from:
.text:340A0C1A                                         ;   mov eax, 16h
.text:340A0C1A                                         ; Keypatch modified this from:
.text:340A0C1A                                         ;   mov eax, 22h ; '"'
.text:340A0C1F                 nop
.text:340A0C20                 push    eax             ; Seed
.text:340A0C21                 call    ds:srand
.text:340A0C27                 mov     eax, [ebp+var_58]
.text:340A0C2A                 mov     [ebp+eax+var_2058], bl
.text:340A0C31                 mov     eax, [ebp+var_58]
.text:340A0C34                 add     eax, edi
.text:340A0C36                 push    ebx             ; Size
.text:340A0C37                 lea     ecx, [ebp+Src]
.text:340A0C3A                 push    ecx             ; Src
.text:340A0C3B                 lea     edx, [ebp+eax+var_2058]
.text:340A0C42                 push    edx             ; void *
.text:340A0C43                 mov     [ebp+var_58], eax
.text:340A0C46                 call    memcpy
.text:340A0C4B                 mov     ecx, dword_346F2604
.text:340A0C51                 add     [ebp+var_58], ebx
.text:340A0C54                 add     dword_346F2918, 3
.text:340A0C5B                 mov     eax, [ecx]
.text:340A0C5D                 mov     eax, [eax+0FCh]
.text:340A0C63                 add     esp, 10h
.text:340A0C66                 lea     edx, [ebp+var_2058]
.text:340A0C6C                 push    edx
.text:340A0C6D                 call    eax
.text:340A0C6F                 mov     eax, dword_3468793C
.text:340A0C74                 add     dword_346F2918, edi
.text:340A0C7A                 mov     ecx, [eax]
.text:340A0C7C                 mov     edx, [ecx+18h]
.text:340A0C7F                 push    offset aCsBrChainlistR ; "CS_BR_CHAINLIST_REQ"
.text:340A0C84                 push    eax             ; ArgList
.text:340A0C85                 call    edx
.text:340A0C87                 mov     eax, dword_346F2604
.text:340A0C8C                 add     dword_346F2918, edi
.text:340A0C92                 push    offset aCsBrChainlistR_0 ; "CS_BR_CHAINLIST_REQ"
.text:340A0C97                 push    eax             ; int
.text:340A0C98                 call    sub_3406BA90
.text:340A0C9D                 add     esp, 10h
.text:340A0CA0                 add     dword_346F2918, edi
.text:340A0CA6                 mov     ecx, [ebp+var_C]
.text:340A0CA9                 mov     large fs:0, ecx
.text:340A0CB0                 pop     ecx
.text:340A0CB1                 pop     edi
.text:340A0CB2                 pop     esi
.text:340A0CB3                 pop     ebx
.text:340A0CB4                 mov     ecx, [ebp+var_10]
.text:340A0CB7                 xor     ecx, ebp        ; StackCookie
.text:340A0CB9                 call    [MENTION=3191854]__S[/MENTION]ecurity_check_cookie@4 ; __security_check_cookie(x)
.text:340A0CBE                 mov     esp, ebp
.text:340A0CC0                 pop     ebp
.text:340A0CC1                 retn
.text:340A0CC1 ; } // starts at 340A0AF0
.text:340A0CC1 sub_340A0AF0    endp

sorry my bad english.

[Requiemz]

I can't wait. I have no coding knowledge, but when u need someones help i am here

[TrojanPoem]

Nice work, I suggest looking at CS_CH_LOGIN_REQ packet, and follow the entered data until you see it gets encrypted, then patch that function.

Request: client -> server
Acknowledge: server -> client

A list of packets with ordering based on sequence:

Login packets:
--------------------------
1. Chain list request (CS_BR_CHAINLIST_REQ).
2. Chain list Acknowledge ( CS_BR_CHAINLIST_ACK )
3. World list request (CS_BR_WORLDLIST_REQ)
4. World list acknowledge (CS_BR_WORLDLIST_ACK)
5. World info request (CS_BR_WORLDINFO_REQ)
6. World info acknowledge (CS_BR_WORLDINFO_ACK)
7. Relay list request (CS_BR_RELAYLIST_REQ)
8. Request the credentials (CS_CH_LOGIN_REQ)
9. Credentials acknowledge (CS_CH_LOGIN_ACK)


Other:
-----------
1. CS_CH_SNSACCOUNT_ACK
2. CS_CH_USERINFO_REQ
3. CS_CH_CRESTUSERINFO_REQ
4. CS_CN_EXIT_ACK
5. CS_IN_BUYNOW_ITEMLIST_ACK
6. CS_CN_ADVERTALL_ACK
7. CS_CN_ENTER_ACK
1. CS_IN_ITEMLIST_ACK
2. CS_IN_ITEMPRICE_VERSION_REQ
3. CS_IN_ITEMPRICE_INFO_ACK
4. CS_IN_EQUIPLIST_REQ
5. CS_IN_ITEMPRICE_NOTIFY_ACK
6. CS_IN_EVENT_REWARD_LIST_REQ
7. CS_IN_ITEM_LIMITED_REQ
8. CS_CH_EVENTSHOPINFO_REQ
9. CS_IN_PACKAGE_ITEM_LIST_REQ
10. CS_IN_CHARITEMLIST_ACK
11. CS_IN_CHARINFO_REQ
12. CS_IN_CHARINFO_ACK
13. CS_IN_CHARSAVE_REQ
14. CS_CH_GETEVENTGOLDINFO_REQ
15. CS_CH_GETMACROMESSAGE_REQ
16. CS_CH_GETPOWERUSERINFO_REQ
17. CS_CH_GETEVENTGOLDINFO_ACK
18. CS_CH_GETMACROMESSAGE_ACK
19. CS_CH_GETPOWERUSERINFO_ACK
20. CS_CH_SELECTCHAR_REQ
21. CS_CH_SELECTCHAR_ACK
22. ChangeSection - BATTLE
23. CS_IN_BUYNOW_ITEMLIST_REQ
24. CS_PR_GETCHANGEDINFO_REQ
25. CS_CN_ADVERTALL_REQ
26. CS_FD_FIELDLIST_REQ
27. CS_PR_BATTLERESULT_REQ
28. CS_FD_USEHACKTOOL_REQ
29. CS_FD_USEHACKTOOL_REQ
30. CS_FD_CRM_POPUP_REQ
31. CS_IN_DELETEDITEM_REQ
32. CS_GI_ITEM_COUNT_REQ
33. CS_GI_PERIOD_END_REQ
34. CS_CH_PCBANG_ITEMLIST_ACK
35. CS_IN_JACKPOT_BIGCHANCE_TIME_ACK
36. CS_CN_CHARS_ACK
37. CS_FD_FIELDLIST_ACK
38. CS_FD_CRM_POPUP_ACK
39. CS_GI_ITEM_COUNT_ACK
40. CS_GI_PERIOD_END_REQ
41. CS_GI_ITEM_COUNT_REQ
42. CS_PR_BATTLERESULT_ACK
43. CS_GI_ITEM_COUNT_ACK
44. CS_PR_GETCHANGEDINFO_REQ
45. CS_CH_LOGOUT_REQ

Anti hack packets:
--------------------
1. Antihack client info request (CS_CK_SEND_ANTI_HACK_CLIENTINFO_REQ)
2. Antihack server info ack (CS_CK_SEND_ANTI_HACK_SERVERINFO_ACK)

[Neptune1998]

what's the progress? add me on discord atem4833

[xHennnoo]

Steps to Determine the Encryption Type:

Look for Repeating Patterns (XOR Cipher Test)

If the same input (username/password) produces the same encrypted packet, it suggests a static XOR key.
You can XOR two packets of the same login attempt to check for a static key.
Check If It's RC4 or Another Stream Cipher

If the encryption key is seeded using srand(), then it might be RC4-like.
If each packet differs even with the same input, a stream cipher is likely.
Decryption Function (XOR Based)
If encryption is a simple XOR cipher, we can attempt to brute-force the key by analyzing known plaintext (username: apolet, password: 123123, country code: 200).

python
def xor_decrypt(packet, key):
decrypted = bytearray()
key_len = len(key)

for i, byte in enumerate(packet):
decrypted.append(byte ^ key[i % key_len]) # XOR with repeating key

return decrypted

# Example usage
cipher_packet = bytes.fromhex("067653d8002482820019f6a4e77f66477b0 02e2907e548db") # Example hex packet
possible_key = b"\x01\x02\x03\x04" # Try to find this through analysis

decrypted = xor_decrypt(cipher_packet, possible_key)
print(decrypted)
If RC4 is Used
If srand(GetTickCount()) influences packet data, the encryption might be RC4. You can try RC4 decryption:

python
from Crypto.Cipher import ARC4

def rc4_decrypt(packet, key):
cipher = ARC4.new(key)
return cipher.decrypt(packet)

# Try different keys, possibly extracted from memory dumps.
key = b'suspected_key'
cipher_packet = bytes.fromhex("067653d8002482820019f6a4e77f66477b0 02e2907e548db")
decrypted = rc4_decrypt(cipher_packet, key)
print(decrypted)

Find the Real Key

Set a breakpoint at srand and rand to inspect key generation.
Use IDA Pro/OllyDbg to trace how sub_3419B310 processes the data.
Check If It's XOR or RC4

XOR encryption is easy to spot: the same key is used cyclically.
If the same login attempt produces different packets, it’s likely RC4.
Brute-force the Key If Needed

Use known plaintext (apolet123123200) to derive an XOR key.

[Apolet]

Quote:

Originally Posted by xHennnoo

Steps to Determine the Encryption Type:

Look for Repeating Patterns (XOR Cipher Test)

If the same input (username/password) produces the same encrypted packet, it suggests a static XOR key.
You can XOR two packets of the same login attempt to check for a static key.
Check If It's RC4 or Another Stream Cipher

If the encryption key is seeded using srand(), then it might be RC4-like.
If each packet differs even with the same input, a stream cipher is likely.
Decryption Function (XOR Based)
If encryption is a simple XOR cipher, we can attempt to brute-force the key by analyzing known plaintext (username: apolet, password: 123123, country code: 200).

python
def xor_decrypt(packet, key):
decrypted = bytearray()
key_len = len(key)

for i, byte in enumerate(packet):
decrypted.append(byte ^ key[i % key_len]) # XOR with repeating key

return decrypted

# Example usage
cipher_packet = bytes.fromhex("067653d8002482820019f6a4e77f66477b0 02e2907e548db") # Example hex packet
possible_key = b"\x01\x02\x03\x04" # Try to find this through analysis

decrypted = xor_decrypt(cipher_packet, possible_key)
print(decrypted)
If RC4 is Used
If srand(GetTickCount()) influences packet data, the encryption might be RC4. You can try RC4 decryption:

python
from Crypto.Cipher import ARC4

def rc4_decrypt(packet, key):
cipher = ARC4.new(key)
return cipher.decrypt(packet)

# Try different keys, possibly extracted from memory dumps.
key = b'suspected_key'
cipher_packet = bytes.fromhex("067653d8002482820019f6a4e77f66477b0 02e2907e548db")
decrypted = rc4_decrypt(cipher_packet, key)
print(decrypted)

Find the Real Key

Set a breakpoint at srand and rand to inspect key generation.
Use IDA Pro/OllyDbg to trace how sub_3419B310 processes the data.
Check If It's XOR or RC4

XOR encryption is easy to spot: the same key is used cyclically.
If the same login attempt produces different packets, it’s likely RC4.
Brute-force the Key If Needed

Use known plaintext (apolet123123200) to derive an XOR key.

it was a question from 2 years ago, this has nothing to do with encryption, what I'm talking about in this regard is just used to randomize the first byte of the packet Srand().wolfteam uses an edited blowfish algorithm for encryption. thank you for your comment.

[xHennnoo]

Quote:

Originally Posted by Apolet

it was a question from 2 years ago, this has nothing to do with encryption, what I'm talking about in this regard is just used to randomize the first byte of the packet Srand().wolfteam uses an edited blowfish algorithm for encryption. thank you for your comment.

Sounds like the first byte of the packet is randomized using srand(GetTickCount()). You might need to reverse that first to get a consistent value.

WolfTeam uses a modified Blowfish for encryption, so you’ll have to figure out what they changed. The encryption function is probabaly near the network functions in cshell.dll. You can look for Blowfish patterns like s-boxes and p-arrays.

The key is important too—try setting a breakpoint when the game encrypts data and see what key it uses. Since it’s a modified version, they might have changed the block size, padding, or chaining mode. If you can find those changes, you should be able to decrypt the packets properly.

If you have an encrypted packet and know what it should look like decrypted, that would help a lot. Let me know what you find

[Apolet]

Quote:

Originally Posted by xHennnoo

Sounds like the first byte of the packet is randomized using srand(GetTickCount()). You might need to reverse that first to get a consistent value.

WolfTeam uses a modified Blowfish for encryption, so you’ll have to figure out what they changed. The encryption function is probabaly near the network functions in cshell.dll. You can look for Blowfish patterns like s-boxes and p-arrays.

The key is important too—try setting a breakpoint when the game encrypts data and see what key it uses. Since it’s a modified version, they might have changed the block size, padding, or chaining mode. If you can find those changes, you should be able to decrypt the packets properly.

If you have an encrypted packet and know what it should look like decrypted, that would help a lot. Let me know what you find

I have already prepared a blowfish algorithm, there is also one in aeonlucid's github project, see https://github.com/AeonLucid/WolfteamRE

[C0RE']

Quote:

Originally Posted by Apolet

I have already prepared a blowfish algorithm, there is also one in aeonlucid's github project, see

Lol the link is down

[Apolet]

Quote:

Originally Posted by C0RE'

Lol the link is down

yes he got DMCA