[S.U.N Online] Encryption Algorithm

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
I am currently trying to figure out S.U.N's encryption algorithm, so I can decode the packets. I believe I have figured out some important information to help crack the algorithm, but I would like to have some help.

The information below is how the server and client interact up to the point of login:

1. Three-way Handshake
2. Client sends RST, ACK packet to Server
3. Three-way Handshake

4. Server to Client (hello packet)
TCP 44405 -> (client port - random #) Size: 72 bytes

5. Client to Server (ip packet)
TCP (client port) -> 44405 Size: 39 bytes (size can vary)

6. Server to Client (accept packet)
TCP 44405 -> (client port) Size: 5 bytes

7. Client to Server (login packet)
TCP (client port) -> 44405 Size: 83 bytes

I have been studying the retail server's packets. The only things that change are the "hello packet" (4th step) and the login packet (7th step).

Here are the five connection trials from the retail server for the "hello packet":

Test 1:

ASCII:
F 3 :.

Hex:
0x46, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3a, 0x0f, 0x00, 0x00


Test 2:

ASCII:
F 3 <.

Hex:
0x46, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x3c, 0x0f, 0x00, 0x00


Test 3:

ASCII:
F 3 =.

Hex:
0x46, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x3d, 0x0f, 0x00, 0x00


Test 4:

ASCII:
F 3 >.

Hex:
0x46, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x3e, 0x0f, 0x00, 0x00


Test 5:

ASCII:
F 3 ?.

Hex:
0x46, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x3f, 0x0f, 0x00, 0x00

I noticed that the tail end of the "hello" packet changes very slightly every time you connect to the retail server. I believe it is a key of some sort, whether it's an initialization vector, one key pair, etc. Every time the key changes the login packets change dramatically, so instead I made that "key" static on my server end to try and figure out the algorithm.

The information below is from my own server.

Interaction between my server and the client up to the point of login:

1. Three-way Handshake
2. Client sends RST, ACK packet to Server
3. Three-way Handshake

4. Server to Client (hello packet)
TCP 44405 -> (client port - random #) Size: 72 bytes

ASCII:
F 3 $H

Hex:
0x46, 0x00, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x24, 0x48, 0x00, 0x00

5. Client to Server (ip packet)
TCP (client port) -> 44405 Size: 39 bytes

6. Server to Client (accept packet)
TCP 44405 -> (client port) Size: 5 bytes

7. Client to Server (login packet)
TCP (client port) -> 44405 Size: 83 bytes

I kept the "key" in the "hello" packet at $H, so this is what the login packets look like:

Test 1:

Username: test
Password: test

ASCII:
Q 3. TEST .{. ..y .|. @.. 8.....w.......u...%@.. 8...-...ZK... .1neu...._..t

Hex:
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00,0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b,0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c,0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x38, 0xe4,0x15, 0x0a, 0xe9, 0x9c, 0xdb, 0x77, 0xfa, 0xff,0xff, 0x7f, 0x1f, 0x11, 0x8d, 0x75, 0x97, 0xe4,0xa7, 0x25, 0x40, 0x80, 0x19, 0x00, 0x38, 0xe4,0x15, 0x0a, 0x13, 0x2d, 0xc0, 0xa8, 0xd5, 0x5a,0x4b, 0x02, 0x0e, 0xf4, 0x09, 0xb4, 0x31, 0x6e,0x65, 0x75, 0x7f, 0x1d, 0x83, 0xd6, 0x5f, 0xca,0x06, 0x74, 0x0a


Test 2:

Username: test
Password: test

ASCII:
Q 3. TEST .{. ..y .|. @.. .( ....w.......u....@.. .( .2n...|.`......A....._..t

Hex:
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00,0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b,0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c,0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0xd8, 0x28,0x00, 0x17, 0xe9, 0x9c, 0xdb, 0x77, 0xfa, 0xff,0xff, 0x7f, 0x1f, 0x11, 0x8d, 0x75, 0xad, 0xe6,0xfe, 0xaa, 0x40, 0x80, 0x19, 0x00, 0xd8, 0x28,0x00, 0x17, 0x32, 0x6e, 0x1f, 0xc4, 0xf8, 0x7c,0x87, 0x60, 0xc8, 0xc2, 0xbb, 0x87, 0x88, 0xc0,0x41, 0xbc, 0xf7, 0x1d, 0x83, 0xd6, 0x5f, 0xca,0x06, 0x74, 0x0a


Test 3:

Username: test
Password: test

ASCII:
Q 3. TEST .{. ..y .|. @.. .......w.......u.8..@.. .......1..~.UD.....Q,..._..t

Hex:
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00,0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b,0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c,0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x10, 0xaa,0x11, 0x16, 0xe9, 0x9c, 0xdb, 0x77, 0xfa, 0xff,0xff, 0x7f, 0x1f, 0x11, 0x8d, 0x75, 0xc5, 0x38,0xb2, 0xba, 0x40, 0x80, 0x19, 0x00, 0x10, 0xaa,0x11, 0x16, 0xab, 0x83, 0xcf, 0x31, 0xe1, 0xc3,0x7e, 0x99, 0x55, 0x44, 0x99, 0xd3, 0xc5, 0x9d,0x18, 0x51, 0x2c, 0x1d, 0x83, 0xd6, 0x5f, 0xca,0x06, 0x74, 0x0a


Test 4:
Username: test
Password: test

ASCII:
Q 3. TEST .{. ..y .|. @.. .y.....w.......uxT(.@.. .y....s.5o.Rdr...V|....._..t

Hex:
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00,0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b,0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c,0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0xd8, 0x79,0x13, 0x16, 0xe9, 0x9c, 0xdb, 0x77, 0xfa, 0xff,0xff, 0x7f, 0x1f, 0x11, 0x8d, 0x75, 0x78, 0x54,0x28, 0x83, 0x40, 0x80, 0x19, 0x00, 0xd8, 0x79,0x13, 0x16, 0xae, 0x88, 0x73, 0xf8, 0x35, 0x6f,0x9e, 0x52, 0x64, 0x72, 0x08, 0xa2, 0xe6, 0x56,0x7c, 0x0f, 0xed, 0x1d, 0x83, 0xd6, 0x5f, 0xca,0x06, 0x74, 0x0a


Test 5:

Username: test
Password: test

ASCII:
Q 3. TEST .{. ..y .|. @.. ..{....w.......u...H@.. ..{.dq....i.,. .Z...f..._..t

Hex:
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00,0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b,0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c,0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0xe0, 0xe6,0x7b, 0x16, 0xe9, 0x9c, 0xdb, 0x77, 0xfa, 0xff,0xff, 0x7f, 0x1f, 0x11, 0x8d, 0x75, 0xa7, 0xda,0x82, 0x48, 0x40, 0x80, 0x19, 0x00, 0xe0, 0xe6,0x7b, 0x16, 0x64, 0x71, 0xe4, 0x91, 0xda, 0xab,0x69, 0xb3, 0x2c, 0xa9, 0x00, 0xe2, 0x5a, 0xe8,0x11, 0x1a, 0x66, 0x1d, 0x83, 0xd6, 0x5f, 0xca,0x06, 0x74, 0x0a

All the older C++ S.U.N files use TEA (Tiny Encryption Algorithm), Base64, MD5, and SHA1. I know this is not a hash algorithm because I wouldn't be able to reverse it. Then I noticed some of the other Webzen games have custom algorithms, so I am a bit confused.

Any help would be greatly appreciated.
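Editor's added example (not code from the post above or from any S.U.N server): a small Python script that frames the captures quoted in the post and reports which byte offsets change between connections, which is the comparison the post does by eye. The framing it assumes fits every dump on the page but is not confirmed by the post: bytes 0-1 are a little-endian length that excludes itself (0x0046 = 70 for the 72-byte hello, 0x0051 = 81 for the 83-byte login), byte 2 is the server category ('3') and byte 3 the op code. All packet bytes are copied from the dumps above.

```python
"""Editor's added example: not code from the post above or from any S.U.N server.
It frames the captures quoted in the post and reports which byte offsets change
between connections. Assumed framing (it fits every dump on the page but the post
does not confirm it): bytes 0-1 are a little-endian length that excludes itself,
byte 2 is the server category ('3' = auth server) and byte 3 the op code."""
import struct

# Retail "hello" packets copied from the post: 0x46 0x00 0x33 0x00, 64 zero
# bytes, then the 4-byte tail that changes between connections.
HELLO = [bytes.fromhex("46003300") + bytes(64) + bytes.fromhex(tail)
         for tail in ("3a0f0000", "3c0f0000", "3d0f0000", "3e0f0000", "3f0f0000")]

# Five login packets (user "test", password "test") copied from the post; all were
# sent to the author's server with the hello tail fixed to "$H" (0x24 0x48).
LOGIN = [bytes.fromhex(h) for h in (
    "5100330300000000 544553540000d47b 1900e08a7900047c 19004080190038e4 150ae99cdb77faff"
    " ff7f1f118d7597e4 a7254080190038e4 150a132dc0a8d55a 4b020ef409b4316e 65757f1d83d65fca 06740a",
    "5100330300000000 544553540000d47b 1900e08a7900047c 190040801900d828 0017e99cdb77faff"
    " ff7f1f118d75ade6 feaa40801900d828 0017326e1fc4f87c 8760c8c2bb8788c0 41bcf71d83d65fca 06740a",
    "5100330300000000 544553540000d47b 1900e08a7900047c 19004080190010aa 1116e99cdb77faff"
    " ff7f1f118d75c538 b2ba4080190010aa 1116ab83cf31e1c3 7e99554499d3c59d 18512c1d83d65fca 06740a",
    "5100330300000000 544553540000d47b 1900e08a7900047c 190040801900d879 1316e99cdb77faff"
    " ff7f1f118d757854 288340801900d879 1316ae8873f8356f 9e52647208a2e656 7c0fed1d83d65fca 06740a",
    "5100330300000000 544553540000d47b 1900e08a7900047c 190040801900e0e6 7b16e99cdb77faff"
    " ff7f1f118d75a7da 824840801900e0e6 7b166471e491daab 69b32ca900e25ae8 111a661d83d65fca 06740a",
)]


def parse_frame(pkt: bytes) -> dict:
    """Split a packet into its declared length, category, op code and body,
    rejecting a length field that does not match the bytes actually captured."""
    length, category, opcode = struct.unpack_from("<HcB", pkt, 0)
    if length != len(pkt) - 2:
        raise ValueError(f"length field {length} does not match {len(pkt) - 2} bytes after it")
    return {"length": length, "category": category, "opcode": opcode, "body": pkt[4:]}


def varying_offsets(pkts) -> list:
    """Offsets at which the captures disagree, merged into (first, last) ranges."""
    if len({len(p) for p in pkts}) != 1:
        raise ValueError("captures must be the same length to be compared byte for byte")
    ranges = []
    for i in range(len(pkts[0])):
        if len({p[i] for p in pkts}) > 1:
            if ranges and ranges[-1][1] == i - 1:
                ranges[-1][1] = i          # extend the current run of differing bytes
            else:
                ranges.append([i, i])      # start a new run
    return [tuple(r) for r in ranges]


def hello_tails(pkts) -> list:
    """The last four bytes of each hello packet (offset 68), the part that varies."""
    return [p[68:72] for p in pkts]


if __name__ == "__main__":
    for name, pkts in (("hello", HELLO), ("login", LOGIN)):
        frame = parse_frame(pkts[0])
        print(f"{name}: length={frame['length']} category={frame['category']!r} "
              f"opcode={frame['opcode']} varying offsets={varying_offsets(pkts)}")
    print("hello tails:", [t.hex() for t in hello_tails(HELLO)])
    # Every login capture repeats bytes 30-33 at offsets 54-57:
    print("30:34 == 54:58 in all logins:", all(p[30:34] == p[54:58] for p in LOGIN))
```

With the captures above it reports that only offset 68 varies in the hello packet, and that the login packet varies at 30-33, 46-49 and 54-74 while everything else (including the user name at offset 8, which the client sends as "TEST" although "test" was typed) is identical across connections. That narrows the part of the login packet worth attacking to about 29 bytes, and shows that bytes 54-57 are a copy of 30-33 rather than independent data.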

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
I decided to run some more tests in the same session (which I didn't do before) with the same server key ("$H"). There is a lot of static information between all of the tests.

This is just my guess from what I have observed so far...

It looks like the algorithm's block size is 5 bytes or 40 bits, because passwords of two to seven characters look the same. There is a special hex value (test 1: 0xfd) that separates all the repetitive code and corresponds to something. I thought it corresponded to the character count from combining the server key and the password, subtracted from 255, but the hex value is slightly off.

Test 1
Username: test
Password: 0

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB. .....Y;.....~ C..._..t

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xfd, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0x8e, 0x0e, 0x02, 0x17, 0xd5, 0x59, 0x0a, 0x3b, 0xa8, 0xbe, 0xb3, 0xc4, 0x1d, 0x7e, 0x0c, 0x43, 0x1d, 0x83, 0xd6, 0x5f, 0xca, 0x06, 0x74, 0x0a



Test 2
Username: test
Password: 00

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@.].k*m..A...\.JMzF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xfc, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0xc8, 0x5d, 0xad, 0x6b, 0x2a, 0x6d, 0x84, 0xbd, 0x41, 0x1d, 0x02, 0xd8, 0x5c, 0x12, 0x4a, 0x4d, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab



Test 3
Username: test
Password: 000

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@.r3.%.(.A...\.JMzF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xfb, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0x90, 0x72, 0x33, 0xcf, 0x25, 0xd8, 0x28, 0x15, 0x41, 0x1d, 0x02, 0xd8, 0x5c, 0x12, 0x4a, 0x4d, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab



Test 4
Username: test
Password: 0000

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@..&.....A...\.JMzF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xfa, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0xd0, 0x17, 0x26, 0xff, 0x0b, 0x80, 0xef, 0xf5, 0x41, 0x1d, 0x02, 0xd8, 0x5c, 0x12, 0x4a, 0x4d, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab



Test 5
Username: test
Password: 00000

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@..Z.a...A...\.JMzF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xf9, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0xdb, 0x14, 0x5a, 0xfc, 0x61, 0xc9, 0x8d, 0xec, 0x41, 0x1d, 0x02, 0xd8, 0x5c, 0x12, 0x4a, 0x4d, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab



Test 6
Username: test
Password: 000000

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@@..V..q.A...\.JMzF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xf8, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0x40, 0xf0, 0x1c, 0x56, 0xff, 0x8e, 0x71, 0xe2, 0x41, 0x1d, 0x02, 0xd8, 0x5c, 0x12, 0x4a, 0x4d, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab



Test 7
Username: test
Password: 0000000

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@.U.7.'.[A...\.JMzF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xf7, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0xac, 0x55, 0xb9, 0x37, 0xc3, 0x27, 0xdd, 0x5b, 0x41, 0x1d, 0x02, 0xd8, 0x5c, 0x12, 0x4a, 0x4d, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab



Test 8
Username: test
Password: 00000000

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@E6... .^...&.M..zF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xf6, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0x45, 0x36, 0xa5, 0x97, 0xae, 0x0c, 0x12, 0x5e, 0xb5, 0xae, 0xff, 0x26, 0xcb, 0x4d, 0x0e, 0xbc, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab



Test 9
Username: test
Password: 000000000

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@E6... .^{....._.zF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xf5, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0x45, 0x36, 0xa5, 0x97, 0xae, 0x0c, 0x12, 0x5e, 0x7b, 0xa0, 0xe3, 0xcd, 0xcc, 0xec, 0x5f, 0xd1, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab



Test 10
Username: test
Password: 0000000000

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@E6... .^6N......zF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xf4, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0x45, 0x36, 0xa5, 0x97, 0xae, 0x0c, 0x12, 0x5e, 0x36, 0x4e, 0x9c, 0xc7, 0x1b, 0xb1, 0xf3, 0xc5, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab



Test 11
Username: test
Password: 00000000000

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@E6... .^f.[g..t.zF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xf3, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0x45, 0x36, 0xa5, 0x97, 0xae, 0x0c, 0x12, 0x5e, 0x66, 0x97, 0x5b, 0x67, 0xe2, 0x96, 0x74, 0xca, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab



Test 12
Username: test
Password: 000000000000

ASCII
Q 3. TEST .{. ..y .|. @.. PB.....w.......t..L.@.. PB..@E6... .^..m4....zF. ....

HEX
0x51, 0x00, 0x33, 0x03, 0x00, 0x00, 0x00, 0x00, 0x54, 0x45, 0x53, 0x54, 0x00, 0x00, 0xd4, 0x7b, 0x19, 0x00, 0xe0, 0x8a, 0x79, 0x00, 0x04, 0x7c, 0x19, 0x00, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0xe9, 0x9c, 0x84, 0x77, 0xf2, 0xff, 0xff, 0x7f, 0x1f, 0x11, 0x80, 0x74, 0xf1, 0xff, 0x4c, 0xab, 0x40, 0x80, 0x19, 0x00, 0x50, 0x42, 0xdf, 0x18, 0x40, 0x45, 0x36, 0xa5, 0x97, 0xae, 0x0c, 0x12, 0x5e, 0xe1, 0xe2, 0x6d, 0x34, 0xde, 0x8f, 0xf5, 0xe0, 0x7a, 0x46, 0xb4, 0x0c, 0xb9, 0xcd, 0xbc, 0xab

I will have to say, I have never reverse engineered an encryption algorithm like I am trying to now, so I will gladly accept any feedback or advice. Thank you!
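Editor's added example (not code from the post above or from any S.U.N server): a Python script that takes the twelve length-test captures quoted above and checks two things a block cipher would show: which 8-byte windows of the encrypted tail are byte-for-byte identical between samples, and how the byte at offset 38 tracks the password length. The window start (offset 59) and the byte-38 rule are read off the dumps rather than taken from any documentation, so they are observations about these captures only.

```python
"""Editor's added example: not code from the post above or from any S.U.N server.
It groups the twelve length-test captures by the content of each 8-byte window of
the encrypted tail (offsets 59-82) and checks the byte at offset 38 against the
password length. Window start and the 0xfe rule are read off the dumps."""

# (password length, capture) pairs copied from the post; user "test", hello tail "$H".
SAMPLES = [
    (1, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477fdff"
        " ff7f1f118074f1ff 4cab408019005042 df1840 8e0e0217d5590a3b a8beb3c41d7e0c43 1d83d65fca06740a"),
    (2, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477fcff"
        " ff7f1f118074f1ff 4cab408019005042 df1840 c85dad6b2a6d84bd 411d02d85c124a4d 7a46b40cb9cdbcab"),
    (3, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477fbff"
        " ff7f1f118074f1ff 4cab408019005042 df1840 907233cf25d82815 411d02d85c124a4d 7a46b40cb9cdbcab"),
    (4, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477faff"
        " ff7f1f118074f1ff 4cab408019005042 df1840 d01726ff0b80eff5 411d02d85c124a4d 7a46b40cb9cdbcab"),
    (5, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477f9ff"
        " ff7f1f118074f1ff 4cab408019005042 df1840 db145afc61c98dec 411d02d85c124a4d 7a46b40cb9cdbcab"),
    (6, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477f8ff"
        " ff7f1f118074f1ff 4cab408019005042 df1840 40f01c56ff8e71e2 411d02d85c124a4d 7a46b40cb9cdbcab"),
    (7, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477f7ff"
        " ff7f1f118074f1ff 4cab408019005042 df1840 ac55b937c327dd5b 411d02d85c124a4d 7a46b40cb9cdbcab"),
    (8, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477f6ff"
        " ff7f1f118074f1ff 4cab408019005042 df1840 4536a597ae0c125e b5aeff26cb4d0ebc 7a46b40cb9cdbcab"),
    (9, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477f5ff"
        " ff7f1f118074f1ff 4cab408019005042 df1840 4536a597ae0c125e 7ba0e3cdccec5fd1 7a46b40cb9cdbcab"),
    (10, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477f4ff"
         " ff7f1f118074f1ff 4cab408019005042 df1840 4536a597ae0c125e 364e9cc71bb1f3c5 7a46b40cb9cdbcab"),
    (11, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477f3ff"
         " ff7f1f118074f1ff 4cab408019005042 df1840 4536a597ae0c125e 66975b67e29674ca 7a46b40cb9cdbcab"),
    (12, "5100330300000000 544553540000d47b 1900e08a7900047c 1900408019005042 df18e99c8477f2ff"
         " ff7f1f118074f1ff 4cab408019005042 df1840 4536a597ae0c125e e1e26d34de8ff5e0 7a46b40cb9cdbcab"),
]
PACKETS = [(n, bytes.fromhex(h)) for n, h in SAMPLES]

TAIL_START = 59   # first offset of the three 8-byte windows (59-66, 67-74, 75-82)
BLOCK = 8


def windows(pkt: bytes, start: int = TAIL_START, size: int = BLOCK) -> list:
    """Consecutive size-byte windows from `start` to the end of the packet."""
    return [pkt[i:i + size] for i in range(start, len(pkt) - size + 1, size)]


def repeated_windows(packets) -> list:
    """For each window, the groups of password lengths whose ciphertext there is
    byte-for-byte identical; a length that matches no other sample is left out."""
    count = len(windows(packets[0][1]))
    result = []
    for w in range(count):
        by_value = {}
        for n, pkt in packets:
            by_value.setdefault(windows(pkt)[w], []).append(n)
        result.append([lengths for lengths in by_value.values() if len(lengths) > 1])
    return result


def length_marker(packets, offset: int = 38) -> list:
    """(password length, byte at `offset`) for every sample."""
    return [(n, pkt[offset]) for n, pkt in packets]


def marker_fits(packets, offset: int = 38, base: int = 0xFE) -> bool:
    """True when the byte at `offset` equals base - password length in every sample."""
    return all(pkt[offset] == base - n for n, pkt in packets)


if __name__ == "__main__":
    for w, groups in enumerate(repeated_windows(PACKETS)):
        lo = TAIL_START + w * BLOCK
        print(f"window {lo}-{lo + BLOCK - 1}: identical for lengths {groups}")
    print("byte 38 per length:", [(n, hex(b)) for n, b in length_marker(PACKETS)])
    print("byte 38 == 0xfe - length for all samples:", marker_fits(PACKETS))
```

With the captures above it reports: window 59-66 identical for lengths 8-12, window 67-74 identical for lengths 2-7, window 75-82 identical for lengths 2-12, and byte 38 equal to 0xfe minus the password length in every sample (the five "test" captures in the earlier post, length 4, carry 0xfa at the same offset). Ciphertext that repeats exactly where 8-byte-aligned stretches of the plaintext would repeat is what an 8-byte block cipher applied block by block, with no chaining, produces; that is worth keeping in mind alongside the 5-byte figure in the post. The length-1 sample differs in all three windows, so it does not fit this pattern and should be re-captured before drawing conclusions from it.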

Junior Spellweaver (joined Dec 30, 2008, 193 messages, reaction score 45) wrote:
What I can recommend is to start organizing your stuff, and if you understand some parts of your packets, identify them in some kind of grammar.

I'm working on a game and I'm logging the login server packets as well, and I'm trying to identify everything as much as I can... so this is what I've got so far: when the GameServer sends me the server info, this is how I have identified them.

(screenshot: RZeJBJh)

This way I can easily identify them when I write them to emulate the game server...

(screenshot: f3OM41s)

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
I know about packet identification etc., because the older server files have that, and I understand how certain parts correspond to the incoming packets. The older C++ files have category and op codes, then packet structures from and to the client. My issue is that I am working in Java and don't have access to the header information unless I download a 3rd-party library. Another thing to mention is that I'm trying to figure out the encryption algorithm. Where I am in this process is where the client sends the username and encrypted password. None of the older C++ projects have .cpp files for any of the encryption/decryption algorithms.

Truthfully, the body has the category and op code: the category is based on the first letter and the following number is the op code for the corresponding server. The authentication server is 3, whereas the game server is 2 and the chat server is 1. I realize that the username comes after that and then it's all encrypted.

Junior Spellweaver (joined Dec 30, 2008, 193 messages, reaction score 45) wrote:
I tried helping, but the client is protected with Themida, and it's also protected with XIGNCODE; I don't know how to continue any further with those two in play. My reverse engineering skills on native code are extremely rusty, because I went from native to managed reversing a long time ago... and now I can barely do anything xD

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
The client is protected with XIGNCODE and Themida? Which client are you talking about? The one I'm working on is protected with GameGuard (some version of it; I have to look again). Then again, I'm working on an Episode 1 version of the game. Anyway, thank you for your help.

Initiate Mage (joined Jul 24, 2013, 3 messages, reaction score 0) wrote:
What I can recommend is to start organizing your stuff, and if you understand some parts of your packets, identify them in some kind of grammar.

I'm working on a game and I'm logging the login server packets as well, and I'm trying to identify everything as much as I can... so this is what I've got so far: when the GameServer sends me the server info, this is how I have identified them.

(screenshot: RZeJBJh)

This way I can easily identify them when I write them to emulate the game server...

(screenshot: f3OM41s)

Did you code the program in the first screenshot for the specific game you're working on, or is it a public one?

-- Edit

I searched and found it: 010 Editor.

Junior Spellweaver (joined Dec 30, 2008, 193 messages, reaction score 45) wrote:
The client is protected with XIGNCODE and Themida? Which client are you talking about? The one I'm working on is protected with GameGuard (some version of it; I have to look again). Then again, I'm working on an Episode 1 version of the game. Anyway, thank you for your help.

?

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
@0x90

Nexon.to or amzsun.com are private servers and use Episode 2 clients. I am currently working on an Episode 1 client from Zhaouc ( ), the official Chinese server.

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
@jonnybravo

Here is the for the Sungame.exe (Chinese version). If there is any way I can help, please let me know. I am still working on figuring out the encryption algorithm. I am not very good at assembly, nor do I know what programs are recommended, but I will at least try to help to the best of my knowledge.

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
@jonnybravo

I am looking at tutorials for OllyDbg with scripts. As bad as this may sound, I didn't know you could run scripts with OllyDbg. I will let you know if I find anything by posting it here. Thank you for all your help. I appreciate it.

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
Last night, I was going through the older C++ files and saw some code with the following information:

Encrypting block size = 8
Encrypted block size = 11
Key size = 4

If I can find the file again, I will post more of it, but I am still not sure how the encryption algorithm works to produce the outcome.

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
I have come up with some more conclusions about the encryption.

(screenshot: Login Packet Analysis)

The other option I thought about was the possibilities of the "key" being an IV for a stream cipher.

Member (joined Aug 6, 2005, 550 messages, reaction score 296) wrote:
Last night, I was going through the older C++ files and saw some code with the following information:

Encrypting block size = 8
Encrypted block size = 11
Key size = 4

If I can find the file again, I will post more of it, but I am still not sure how the encryption algorithm works to produce the outcome.
Just a wild guess... If these numbers are correct, it might be the SimpleModulus algorithm (or something similar), used by MU Online, which is another Webzen game.
I blogged about it recently:

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
@nevS
Thank you. I will give it a try. I believe I have the code for the SimpleModulus Algorithm in C++. I will just have to convert to Java.

Experienced Elementalist (joined Jan 30, 2010, 267 messages, reaction score 129) wrote:
nevS
Thank you. I will give it a try. I believe I have the code for the SimpleModulus Algorithm in C++. I will just have to convert to Java.

Sorry for the long wait. Themida was pissing me off because of VBox, so I had given up; today I decided to retry. I can't promise it's 100% unpacked, but I trust the tools I used for it:



It's the exe you sent, the exe from the Chinese client link, and its unpacked version.

Junior Spellweaver (joined Oct 20, 2013, 193 messages, reaction score 56) wrote:
I was going through some older source code that I found on my computer and found several encryption algorithms that were being used by SunEmu server files. In the Authentication server, it was using a built in algorithm that had no comments or context to it.

Auth Server's login algorithm:

#include <stdint.h>
typedef uint32_t DWORD;      // Win32 DWORD; defined here so the snippet compiles without windows.h

// Encrypts one 8-byte block in place with a 4 x 32-bit key, 32 rounds.
// src must point to 8 bytes; key must point to 4 DWORDs.
void encode(void* src, DWORD key[])
{
    DWORD dwCount = 32;
    DWORD eax = 0;
    DWORD ecx = 0;
    const DWORD key1 = key[0];
    const DWORD key2 = key[1];
    const DWORD key3 = key[3];   // note the index order: key3 <- key[3], key4 <- key[2]
    const DWORD key4 = key[2];
    DWORD* psrc = (DWORD*)src;
    eax = psrc[0];               // first 32-bit word of the block
    ecx = psrc[1];               // second 32-bit word of the block
    DWORD var_edx = 0;           // round sum; subtracting 0x61c88647 equals adding 0x9e3779b9 mod 2^32

    do
    {
        DWORD part1_shift_left = (ecx<<4)+key1;
        DWORD part1_shift_right = (ecx>>5)+key2;
        DWORD part1_xor = part1_shift_left^part1_shift_right;
        var_edx -= 0x61c88647;
        DWORD value = var_edx+ecx;
        DWORD part2_xor = part1_xor^value;
        eax = eax+part2_xor;
        DWORD var = (eax>>5)+key3;
        DWORD var_eax_1 = (eax<<4)+key4;
        DWORD var_xor = var^var_eax_1;
        DWORD var_ebx = eax+var_edx;
        DWORD var_esi = var_xor^var_ebx;
        ecx = ecx+var_esi;
        dwCount--;
    }while(dwCount>0);

    psrc[0] = eax;               // write the encrypted block back in place
    psrc[1] = ecx;
}
for the original files for Handler_CS in the AuthServer.
This algorithm just looks like a simple XOR encryption.

Let me know what you think.
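Editor's added example (not code from the post or from the SunEmu sources): a step-for-step Python port of the posted encode() routine next to a textbook TEA encrypt/decrypt pair, so the two can be compared on the same inputs. The constant 0x61C88647 in the posted code is the two's complement of TEA's delta 0x9E3779B9, and the round structure is TEA's, so the port and the textbook version agree on every input and the textbook decrypt inverts the posted routine. The key and plaintext below are constructed for the demo; nothing here establishes that the client uses this routine for the login packet.

```python
"""Editor's added example: not code from the post or from the SunEmu sources.
A step-for-step Python port of the posted encode() next to a textbook TEA
encrypt/decrypt pair, so they can be compared on the same inputs. The key and
plaintext below are constructed for the demo and are not the game's."""
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9          # TEA delta; (-0x61C88647) & MASK32 == 0x9E3779B9
ROUNDS = 32
BLOCK = 8

# Constructed sample key: four 32-bit words, indexed as key[0..3] in the posted routine.
KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)


def sun_encode(block: bytes, key) -> bytes:
    """Literal port of the posted encode(): same variable names, same key indices
    (key3 is key[3] and key4 is key[2]), 32 rounds, 32-bit wrap-around."""
    key1, key2, key3, key4 = key[0], key[1], key[3], key[2]
    eax, ecx = struct.unpack("<II", block)            # two little-endian DWORDs
    var_edx = 0
    for _ in range(ROUNDS):
        part1_xor = (((ecx << 4) + key1) ^ ((ecx >> 5) + key2)) & MASK32
        var_edx = (var_edx - 0x61C88647) & MASK32      # same as var_edx += DELTA
        eax = (eax + (part1_xor ^ ((var_edx + ecx) & MASK32))) & MASK32
        var_xor = (((eax >> 5) + key3) ^ ((eax << 4) + key4)) & MASK32
        ecx = (ecx + (var_xor ^ ((eax + var_edx) & MASK32))) & MASK32
    return struct.pack("<II", eax, ecx)


def tea_encrypt(block: bytes, k) -> bytes:
    """Textbook TEA (Wheeler/Needham), 32 rounds, little-endian words."""
    v0, v1 = struct.unpack("<II", block)
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1])) & MASK32)) & MASK32
        v1 = (v1 + ((((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3])) & MASK32)) & MASK32
    return struct.pack("<II", v0, v1)


def tea_decrypt(block: bytes, k) -> bytes:
    """Inverse of tea_encrypt: the rounds run backwards with the sum counting down."""
    v0, v1 = struct.unpack("<II", block)
    s = (DELTA * ROUNDS) & MASK32                      # 0xC6EF3720, the sum after 32 rounds
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3])) & MASK32)) & MASK32
        v0 = (v0 - ((((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1])) & MASK32)) & MASK32
        s = (s - DELTA) & MASK32
    return struct.pack("<II", v0, v1)


def ecb(data: bytes, key, fn) -> bytes:
    """Apply fn to each 8-byte block independently (ECB), which is all the posted
    routine can do on its own: it takes no IV, chaining value or counter."""
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of 8 bytes; pad it first")
    return b"".join(fn(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


if __name__ == "__main__":
    pt = b"0" * 24                                     # three identical 8-byte blocks
    ct = ecb(pt, KEY, sun_encode)
    print("posted routine == textbook TEA:", ct == ecb(pt, KEY, tea_encrypt))
    print("ciphertext blocks:", [ct[i:i + 8].hex() for i in range(0, 24, 8)])
    print("round trip:", ecb(ct, KEY, tea_decrypt) == pt)
```

Running it prints three identical ciphertext blocks for the 24 zero characters, which is the repetition the length tests earlier in the thread showed between 8-byte windows, and confirms the round trip. The routine is not an XOR stream: the key enters through additions inside the Feistel rounds, so XORing a known plaintext with its ciphertext does not recover anything reusable.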