
The login packet

Imri Persiado
Joined
May 17, 2008
Messages
941
Reaction score
26
Hi everyone,
I opened this thread so we can discuss the login packet; if anyone has some details about it, it would be nice if you shared them with us.

The protocol used for the connection is TCP, so the first packets are of course the [SYN] -> <-[SYN,ACK] -> [ACK] handshake, and then the client sends the packet with the ID & password data.

Here is some packet data; each line represents one packet's data (edit: copy it to a notepad to see it better).

ID: AAA Password: AAA
Code:
5c000000  40  18  01801000296be9ea94fb1c1ad58f  6ab6395469d42e36d87eeac9bd86387855f43f366cb01633c00352cc7c12f5c7688d6d9f5e722219efc14d5636f0005faec7444537c37d80fb20e9bf3f77eb609538071ae88ce52d

5c000000  10  18  01801000296be9ea94fb1c1ad58f  a67ef19ca11ce6fe10b62201754ef0b09d3cf7fea478defb08cb9a04b4da3d0fa045a55796baead12709859efe38c897660f8c8dff0bb54833e82177f7bf23a85df0cfd220442de5

5c000000  51  18  01801000296be9ea94fb1c1ad58f  66bd325f62df253dd375e1c2b68d33735eff343d67bb1d38cb0859c77719fecc6386669455792912e4ca465d3dfb0b54a5cc4f4e3cc8768bf02be2b4347ce06b9e330c11e387ee26

5c000000  d0  18  01801000296be9ea94fb1c1ad58f  da0d82efd26f958d63c55172063d591835945f560cd07653a06332ac1c7295a708ed0dff3e1242798fa12d365690603fcea7242557a31de09b4089df5f178b00f558677a88ec854d

5c000000  57  18  01801000296be9ea94fb1c1ad58f  ee36b9d4e954aeb658fe6a493d062e634eef242d77ab0d28db1849d76709eedc7396768445693902f4da564d2deb1b44b5dc5f5e2cd8669be03bf2a4246cf07b8e231c01f397fe36

5c000000  38  18  01801000296be9ea94fb1c1ad58f  fa22adc0fd40baa24cea7e5d291203426fce050c568a2c09fa3968f64628cffd52b757a564481823d5fb776c0cca3a6594fd7e7f0df947bac11ad385054dd15aaf023d20d2b6df17

5c000000  23  19  01801000296be9ea94fb1c1ad58f  16cf402d10ad574fa10793b0c4ffeeaf8223e8e1bb67c1e417d4851babc52210bf5aba4889a5f5ce38169a81e127d78879109392e014aa572cf73e68e8a03cb742efd0cd3f5b32fa

5c000000  80  18  01801000296be9ea94fb1c1ad58f  b26ae588b508f2ea04a23615615a4b0a27864d441ec26441b27120be0e6087b51aff1fed2c00506b9db33f244482722ddcb5363745b10ff289529bcd4d059912e74a75689afe975f

5c000000  c5  17  01801000296be9ea94fb1c1ad58f  ca129df0cd708a927cda4e6d1922bff1dc7db6bfe5399fba498adb45f59b7c4ee104e416d7fbab906648c4dfbf7989d6274ecdccbe4af40972a96036b6fe62e91cb18e9361056ca4

5c000000  a5  17  01801000296be9ea94fb1c1ad58f  ea32bdd0ed50aab25cfa6e4d39029fd1fc5d969fc519bf9a69aafb65d5bb5c6ec124c436f7db8bb04668e4ff9f59a9f6076eedec9e6ad4295289401696de42c93c91aeb341254c84

5c000000  d9  17  01801000296be9ea94fb1c1ad58f  de0689e4d9649e8668ce5a790d36abe5c869a2abf12d8bae5d9ecf51e18f685af510f002c3efbf84725cd0cbab6d9dc2335ad9d8aa5ee01d66bd7422a2ea76fd08a59a87751178b0

5c000000  7a  18  01801000296be9ea94fb1c1ad58f  3aed620f328f756d8325b192e6dd400e238249401ac66045b67524ba0a6483b11efb1be92804546f99b73b2040867629d8b1323341b50bf68d569fc949019d16e34e716c9efa935b

ID: BBB Password: BBB
Code:
5c000000  62  18  01801000296be9ea94fb1c1ad58f  4e99167b46fb0119f451c6e591aa216f42e328217ba70124d71445db6b05e2d07f9a7a884965350efbd6594222e4144bbad3505123d76994ef34fdab2b63ff74812c130efc98f139

5c000000  da  17  01801000296be9ea94fb1c1ad58f  f621aec3fe43b9a14ce97e5d291299d7fa5b9099c31fb99c6facfd63d3bd5a68c722c230f1dd8db6436ee1fa9a5cacf3026be8e99b6fd12c578c451393db47cc3994abb644204981

5c000000  dd  17  01801000296be9ea94fb1c1ad58f  ce1699f4c9748e967bde496a1e25aee0cd6ca7aef4288eab589bca54e48a6d5ff015f507c6eaba817459d6cdad6b9bc4355cdfdeac58e61b60bb7224a4ec70fb0ea39c8173177eb6
I added the spaces manually to distinguish between different/similar bytes across the packets.

All the packets start with the same bytes "5c 00 00 00", then we get 2 bytes that have nothing to do with the ID/password strings, since they are created randomly or by something else that I would like to know.
Then the bytes "01801000296be9ea94fb1c1ad58f" repeat again; since those bytes never change, I guess we don't have to spend time on them.
After those bytes we have a few bytes that always change even if we enter the same details, so it looks like those bytes represent our login details.

I'm trying to collect information and to assemble the puzzle, but I need more information to do that.
Btw setting the Xor key to 0 in the Korean clients won't produce the packet data as plain text (thanks bobsbol).

edit: why is the data inside the code tags on 2 lines instead of 1 with a scroll bar to the right and left as shown in my preview? It's messy now :mad:
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
I would suggest that the first two bytes represent a "key" to decode the remaining garbage. Have you tried nullifying all the routines in the Protocol.dll release? (i.e. don't just use a 0 key, but don't actually perform any encoding in any of those routines)
@edit: [strike]CSS paragraph line spacing. :eek:tt1:[/strike]Actually, it's not!
Code:
.bbcode_container div.bbcode_code,.bbcode_container pre.bbcode_code
{
	margin:0;
	padding:6px;
	border:1px inset;
	text-align:left;
	overflow:scroll;
	direction:ltr;
	background:#f0eee8 none;
	font-size:12px
}
.bbcode_container code.bbcode_code
{
	margin:0;
	text-align:left;
	direction:ltr;
	font-size:12px
}
.bbcode_container code.bbcode_code code
{
	white-space:nowrap
}
It seems you literally do have double line spacing in your code, Imri.
Code:
5c000000  40  18  01801000296be9ea94fb1c1ad58f  6ab6395469d42e36d87eeac9bd86387855f43f366cb01633c00352cc7c12f5c7688d6d9f5e722219efc14d5636f0005faec7444537c37d80fb20e9bf3f77eb609538071ae88ce52d
5c000000  10  18  01801000296be9ea94fb1c1ad58f  a67ef19ca11ce6fe10b62201754ef0b09d3cf7fea478defb08cb9a04b4da3d0fa045a55796baead12709859efe38c897660f8c8dff0bb54833e82177f7bf23a85df0cfd220442de5
5c000000  51  18  01801000296be9ea94fb1c1ad58f  66bd325f62df253dd375e1c2b68d33735eff343d67bb1d38cb0859c77719fecc6386669455792912e4ca465d3dfb0b54a5cc4f4e3cc8768bf02be2b4347ce06b9e330c11e387ee26
5c000000  d0  18  01801000296be9ea94fb1c1ad58f  da0d82efd26f958d63c55172063d591835945f560cd07653a06332ac1c7295a708ed0dff3e1242798fa12d365690603fcea7242557a31de09b4089df5f178b00f558677a88ec854d
5c000000  57  18  01801000296be9ea94fb1c1ad58f  ee36b9d4e954aeb658fe6a493d062e634eef242d77ab0d28db1849d76709eedc7396768445693902f4da564d2deb1b44b5dc5f5e2cd8669be03bf2a4246cf07b8e231c01f397fe36
5c000000  38  18  01801000296be9ea94fb1c1ad58f  fa22adc0fd40baa24cea7e5d291203426fce050c568a2c09fa3968f64628cffd52b757a564481823d5fb776c0cca3a6594fd7e7f0df947bac11ad385054dd15aaf023d20d2b6df17
5c000000  23  19  01801000296be9ea94fb1c1ad58f  16cf402d10ad574fa10793b0c4ffeeaf8223e8e1bb67c1e417d4851babc52210bf5aba4889a5f5ce38169a81e127d78879109392e014aa572cf73e68e8a03cb742efd0cd3f5b32fa
5c000000  80  18  01801000296be9ea94fb1c1ad58f  b26ae588b508f2ea04a23615615a4b0a27864d441ec26441b27120be0e6087b51aff1fed2c00506b9db33f244482722ddcb5363745b10ff289529bcd4d059912e74a75689afe975f
5c000000  c5  17  01801000296be9ea94fb1c1ad58f  ca129df0cd708a927cda4e6d1922bff1dc7db6bfe5399fba498adb45f59b7c4ee104e416d7fbab906648c4dfbf7989d6274ecdccbe4af40972a96036b6fe62e91cb18e9361056ca4
5c000000  a5  17  01801000296be9ea94fb1c1ad58f  ea32bdd0ed50aab25cfa6e4d39029fd1fc5d969fc519bf9a69aafb65d5bb5c6ec124c436f7db8bb04668e4ff9f59a9f6076eedec9e6ad4295289401696de42c93c91aeb341254c84
5c000000  d9  17  01801000296be9ea94fb1c1ad58f  de0689e4d9649e8668ce5a790d36abe5c869a2abf12d8bae5d9ecf51e18f685af510f002c3efbf84725cd0cbab6d9dc2335ad9d8aa5ee01d66bd7422a2ea76fd08a59a87751178b0
5c000000  7a  18  01801000296be9ea94fb1c1ad58f  3aed620f328f756d8325b192e6dd400e238249401ac66045b67524ba0a6483b11efb1be92804546f99b73b2040867629d8b1323341b50bf68d569fc949019d16e34e716c9efa935b
See? :D:
 
Moderator
Staff member
Moderator
Joined
Feb 22, 2008
Messages
2,404
Reaction score
723
Those packets are NOT decrypted; you won't see a thing of what is in them. The key bobsobol is talking about: setting it to 0 WON'T remove the encryption of the login packet; the XOR is just an encryption of the next key to be used in the loop.

5C is the packet size.
0x04 is the encryption checksum

The real packet info starts at offset 0xC.
 
Imri Persiado
Joined
May 17, 2008
Messages
941
Reaction score
26
Don't you know anything about the encryption algorithm?
 
Newbie Spellweaver
Joined
May 24, 2012
Messages
5
Reaction score
2
Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace PTEmu
{
    public class PacketReader
    {
        public byte[] Data;
        public int position;

        public PacketReader(byte[] data)
        {
            this.Data = data;
            Decrypt();
        }

        public int ReadInt()
        {
            int temp = BitConverter.ToInt32(Data, position);
            position += 4;
            return temp;
        }

        public int ReadIntFromPosition(int pos)
        {
            int temp = BitConverter.ToInt32(Data, pos);
            return temp;
        }

        // Reads a NUL-terminated string starting at pos without moving the cursor.
        public string ReadStringFromPosition(int pos)
        {
            StringBuilder sb = new StringBuilder();
            for (int i = pos; i < Data.Length; i++)
            {
                if (Data[i] == 0x00) break;
                sb.Append((char)Data[i]);
            }
            return sb.ToString();
        }

        // Reads a NUL-terminated string at the cursor, then advances by the
        // fixed field width (skipBytes) rather than by the string's own length.
        public string ReadString(int skipBytes)
        {
            StringBuilder sb = new StringBuilder();
            for (int i = position; i < Data.Length; i++)
            {
                if (Data[i] == 0x00) break;
                sb.Append((char)Data[i]);
            }
            SkipBytes(skipBytes);
            return sb.ToString();
        }

        public void SkipBytes(int number)
        {
            position += number;
        }

        #region Decrypt
        private void Decrypt()
        {
            byte Key = 0x6E;

            byte[] array = new byte[Data.Length];
            // The high 16 bits of the dword at offset 4 (bytes 01 80 at offsets 6-7) must be 0x8001.
            uint CRC = (BitConverter.ToUInt32(Data, 0x4)) & 0xFFFF0000;

            if (CRC != 0x80010000) return;

            // The per-packet seed at offset 8 initialises the two running XOR terms.
            uint seed = BitConverter.ToUInt32(Data, 8);
            byte state = (byte)((((seed >> 0x10) + (seed & 0xFF)) & 0xFF) & 0xFF);
            int length = BitConverter.ToInt32(Data, 0);
            byte carry = (byte)(((seed >> 0x04) + (length - 8)) & 0xFF);

            // Ciphertext byte index+8 decrypts into array[index]; state is fed from the
            // ciphertext byte just consumed and carry advances by a function of the index.
            for (int index = 4; index < Data.Length - 8; index++)
            {
                byte p = Data[index + 8];
                array[index] = (byte)(carry ^ p ^ state);
                state = (byte)(p ^ Key);
                carry += (byte)(((index >> 1) * index) & 0xFF);
            }
            Data = array;
            BitConverter.GetBytes(array.Length).CopyTo(Data, 0);
        }
        #endregion
    }

    public class LoginRequestPacket
    {
        public string Login;
        public string Password;

        // Login and password are two 32-byte NUL-terminated fields after a 12-byte header.
        public LoginRequestPacket(PacketReader reader)
        {
            reader.SkipBytes(12);
            this.Login = reader.ReadString(32);
            this.Password = reader.ReadString(32);
        }
    }
}

Decrypt function credits to PTEmu by Sheen. This code is part of my version of PTEmu. If you are interested in finalizing the emulator: gustavopiucco@live.com (MSN)
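To make the layout described in the moderator's post and the C# PacketReader above concrete, here is an added Python port (not code from PTEmu, the thread, or either author) of Decrypt() and of the LoginRequestPacket field reads, together with an inverse encrypt() derived from the loop so the round trip can be checked on constructed input. It assumes the header layout the two posts agree on (length at offset 0, the dword at offset 4 whose high half is 0x8001, seed at offset 8, ciphertext from 0xC) and uses the first captured "AAA" packet from the opening post only to parse its header; the 80-byte plaintext body and the "check" value passed to encrypt() are constructed for the test, and the purpose of the 8 leading and 8 trailing plaintext bytes is not stated anywhere in the thread.

```python
import struct
from typing import Optional, Tuple

KEY = 0x6E  # fixed XOR key from the C# PacketReader posted above

# First packet of the "ID: AAA Password: AAA" capture from the opening post (spaces as posted)
SAMPLE_PACKET = bytes.fromhex(
    "5c000000 40 18 01801000296be9ea94fb1c1ad58f "
    "6ab6395469d42e36d87eeac9bd86387855f43f366cb01633c00352cc7c12f5c7"
    "688d6d9f5e722219efc14d5636f0005faec7444537c37d80fb20e9bf3f77eb60"
    "9538071ae88ce52d"
)


def parse_header(packet: bytes) -> Tuple[int, int, int, int]:
    """Split the 12-byte header: length, the changing 16-bit value at offset 4,
    the 0x8001 marker at offset 6, and the 32-bit seed at offset 8 (all little-endian)."""
    length = struct.unpack_from("<I", packet, 0)[0]
    word = struct.unpack_from("<I", packet, 4)[0]   # the dword the C# masks with 0xFFFF0000
    return length, word & 0xFFFF, word >> 16, struct.unpack_from("<I", packet, 8)[0]


def _initial_terms(seed: int, length: int) -> Tuple[int, int]:
    """The two running XOR terms, initialised exactly as in the C# Decrypt()."""
    state = ((seed >> 16) + (seed & 0xFF)) & 0xFF
    carry = ((seed >> 4) + (length - 8)) & 0xFF
    return state, carry


def decrypt(packet: bytes) -> Optional[bytes]:
    """Port of PacketReader.Decrypt(): ciphertext byte index+8 becomes plaintext byte index.
    Returns None (instead of leaving the buffer untouched) when the 0x8001 marker is absent."""
    length, _, magic, seed = parse_header(packet)
    if magic != 0x8001:
        return None
    state, carry = _initial_terms(seed, length)
    out = bytearray(len(packet))
    for index in range(4, len(packet) - 8):
        c = packet[index + 8]
        out[index] = carry ^ c ^ state
        state = c ^ KEY                           # next term is fed from the ciphertext byte
        carry = (carry + ((index >> 1) * index)) & 0xFF
    struct.pack_into("<I", out, 0, len(out))
    return bytes(out)


def encrypt(body: bytes, seed: int, check: int) -> bytes:
    """Inverse of decrypt(), derived here for the round trip (assumption, not thread code):
    body lands at decrypted offsets 4..4+len(body); the 16-bit check value is copied as given."""
    total = len(body) + 12
    pkt = bytearray(total)
    struct.pack_into("<IHHI", pkt, 0, total, check, 0x8001, seed)
    state, carry = _initial_terms(seed, total)
    for index in range(4, total - 8):
        c = body[index - 4] ^ carry ^ state
        pkt[index + 8] = c
        state = c ^ KEY
        carry = (carry + ((index >> 1) * index)) & 0xFF
    return bytes(pkt)


def read_cstring(buf: bytes, pos: int) -> str:
    end = buf.find(b"\x00", pos)
    return buf[pos:end if end >= 0 else len(buf)].decode("ascii", "replace")


def parse_login(decrypted: bytes) -> Tuple[str, str]:
    """Mirror of LoginRequestPacket: skip 12 bytes, then two 32-byte NUL-terminated fields."""
    return read_cstring(decrypted, 12), read_cstring(decrypted, 12 + 32)


def demo_round_trip() -> Tuple[str, str]:
    # Constructed 80-byte plaintext body (the decrypted region of a 92-byte packet):
    # 8 leading bytes, 32-byte login, 32-byte password, 8 trailing bytes, unknowns zeroed.
    body = bytes(8) + b"AAA".ljust(32, b"\0") + b"AAA".ljust(32, b"\0") + bytes(8)
    _, check, _, seed = parse_header(SAMPLE_PACKET)
    pkt = encrypt(body, seed, check)
    assert pkt[:12] == SAMPLE_PACKET[:12]         # header layout matches the captured packet
    return parse_login(decrypt(pkt))


if __name__ == "__main__":
    print(parse_header(SAMPLE_PACKET))
    print(demo_round_trip())
```

Both running terms start from the seed carried in the packet's own header plus a constant key, so this transformation is interoperability obfuscation rather than confidentiality: whoever holds the packet can undo it exactly as the emulator does. A login path built on it needs a real transport layer (TLS) underneath if the credentials are meant to stay private.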
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
Does yours work with a regular (unaltered) client, Piucco? (the last one Sheen released still needed that minor modification IMS)

Some thoughts from reading this code. (I've never managed to find it in Sheen's project)
Code:
uint CRC = (BitConverter.ToUInt32(Data, 0x4)) & 0xFFFF0000;

if (CRC != 0x80010000) return;
Should this not be more like:
Code:
ushort CRC = (BitConverter.ToUInt16(Data, 0x4));

if (CRC != 0x8001) return;
Also this
Code:
byte state = (byte)((((seed >> 0x10) + (seed & 0xFF)) & 0xFF) & 0xFF);
is using & 0xFF to clip results to a byte each time, yeah? Surely if you kept a ubyte ubseed, copied the seed typecast to ubyte and replaced both seed tokens with ubseed, this would become redundant? (does seed even need to be declared as uint?)

There's other stuff that looks nasty in there, but I'm not convinced that C# doesn't consider that "nasty" to be beautiful, (read, elegant) so I won't mention.
 
Newbie Spellweaver
Joined
May 24, 2012
Messages
5
Reaction score
2
SheenBR is the one who has to answer for his terrible code. :lol:

About the client, I used a private server client.exe that uses the official server files... I believe there is no change. I remember that one year ago I had to modify the encrypt function in client.exe. I think SheenBR has already fixed it...
 
Custom Title Activated
Loyal Member
Joined
May 26, 2007
Messages
5,545
Reaction score
1,315
Awesome.

In all fairness, what his code achieves is fantastic, and he knows C# and object oriented design principles far better than I do. But I've always had trouble navigating OOP code. (sometimes, even classic VB, which is only partially OOP) I've heard, from people who do know C# well, that the project organisation was far from straightforward when it was last open to others.

That doesn't surprise me, and I'm afraid I'm quite pedantic about things being in the right place in code. My earliest experiences of programming often required variable names to be no longer than one character long, and case unspecific, or even limited to 8 8-bit registers with a maximum 4 16-bit register pairs. So variables called Pizza and Doughnut which are nothing to do with Pizzas and Doughnuts don't bother me anywhere near as much as prototypes not declared in the correct shared header or bits of a unit in multiple files spread around different project groups and... IDK, just code which doesn't appear logically grouped, or have any documentation to explain whatever weird logic inspired the grouping they do have.

I know it happens. And the more rapidly you develop the worse it gets. (RAD IDEs are bahd, m'kay :lol:) But I usually take some time out of actually coding to comment and document stuff up, and it's usually at that point that I notice where I've grouped stuff in strange places, and make a note of that and what, if anything, I may have been thinking when I did it. :lol:
 
Elite Diviner
Joined
Aug 10, 2006
Messages
429
Reaction score
119
Code:
' VB.NET port of the C# Decrypt() above; ByRef so the caller actually receives
' the decrypted buffer that "data = array" assigns at the end.
Private Sub Decrypt(ByRef data() As Byte)
    Dim Key As Byte = 100

    Dim array As Byte() = New Byte(data.Length - 1) {}
    ' Only tests the two marker bits of the dword at offset 4 (the C# masks with &HFFFF0000)
    Dim CRC As UInteger = (BitConverter.ToUInt32(data, &H4)) And &H80010000UI
    MsgBox(CRC)

    If CRC <> &H80010000UI Then
        Return
    End If

    ' Per-packet seed at offset 8 initialises the two running XOR terms
    Dim seed As UInteger = BitConverter.ToUInt32(data, 8)
    Dim state As Byte = CByte((((seed >> &H10) + (seed And &HFF)) And &HFF) And &HFF)
    Dim length As Integer = BitConverter.ToInt32(data, 0)
    Dim carry As Byte = CByte(((seed >> &H4) + (length - 8)) And &HFF)

    For index As Integer = 4 To data.Length - 9
        Dim p As Byte = data(index + 8)
        array(index) = CByte(carry Xor p Xor state)
        state = CByte(p Xor Key)
        ' Reduce modulo 256 explicitly: VB.NET checks integer overflow by default,
        ' so "carry += CByte(...)" would throw once the sum passes 255.
        carry = CByte((CInt(carry) + ((index >> 1) * index)) And &HFF)
    Next
    data = array
    ' Debug dump of the decrypted buffer (appends to the file)
    My.Computer.FileSystem.WriteAllBytes("C:\decrypt.txt", data, True)

    BitConverter.GetBytes(array.Length).CopyTo(data, 0)
    'ListBox1.Items.Add(data)

End Sub
 