[S.U.N Online] Encryption Algorithm

Results 16 to 24 of 24
  1. #16 GoldenHeaven (Breaker of Codes, True Member, joined Jan 2010, 244 posts)

    Here is something that looks to me like it might help: 0x51 0x00 is the packet size minus the two bytes of size, apparently.

  2. #17 nevS (Developer, True Member, joined Aug 2005, Germany, 444 posts)

    Quote (originally posted by Ashime):
    Last night, I was going through the older C++ files and saw some code with the following information:

    Encrypting block size = 8
    Encrypted block size = 11
    Key size = 4

    If I can find the file again, I will post more of it, but I am still not sure how the encryption algorithm works to produce the outcome.
    Just a wild guess... If these numbers are correct, it might be the SimpleModulus Algorithm (or something similar), used by MU Online which is another Webzen game.
    I blogged about it recently: https://munique.net/a-closer-look-at...et-encryption/
    Do not follow where the path may lead. Go, instead, where there is no path and leave a trail. ~Ralph Waldo Emerson

    OpenMU Project: Blog - GitHub

  3. #18 Ashime (Hardcore Member, joined Oct 2013, USA, 136 posts)

    @nevS
    Thank you. I will give it a try. I believe I have the code for the SimpleModulus Algorithm in C++. I will just have to convert to Java.

  4. #19 GoldenHeaven (Breaker of Codes, True Member, joined Jan 2010, 244 posts)

    Quote (originally posted by Ashime):
    @nevS
    Thank you. I will give it a try. I believe I have the code for the SimpleModulus Algorithm in C++. I will just have to convert to Java.
    Sorry for the long wait, Themida was pissing me off because of VBox so I had given up; today I decided to retry. Can't promise it's 100% unpacked, but I trust the tools I used for it:

    SUN1

    It's the exe you sent, the exe from the Chinese client link, and its unpacked version.

  5. #20 Ashime (Hardcore Member, joined Oct 2013, USA, 136 posts)

    I was going through some older source code that I found on my computer and found several encryption algorithms that were being used by SunEmu server files. In the Authentication server, it was using a built-in algorithm that had no comments or context to it.

    Auth Server's login algorithm:
    Spoiler:
    #include <stdint.h>
    typedef uint32_t DWORD; // 32-bit unsigned, as DWORD in <windows.h>

    // Runs 32 rounds in place over the first 8 bytes of src with a 4-DWORD key.
    void encode(void* src, DWORD key[])
    {
        DWORD dwCount = 32;
        DWORD eax = 0;
        DWORD ecx = 0;
        const DWORD key1 = key[0];
        const DWORD key2 = key[1];
        const DWORD key3 = key[3];
        const DWORD key4 = key[2];
        DWORD* psrc = (DWORD*)src;
        eax = *(DWORD*)psrc;        // first 4 bytes
        ecx = *(DWORD*)(psrc + 1);  // next 4 bytes
        DWORD var_edx = 0;          // running sum, wraps as a DWORD

        do
        {
            DWORD part1_shift_left = (ecx << 4) + key1;
            DWORD part1_shift_right = (ecx >> 5) + key2;
            DWORD part1_xor = part1_shift_left ^ part1_shift_right;
            var_edx -= 0x61c88647;
            DWORD value = var_edx + ecx;
            DWORD part2_xor = part1_xor ^ value;
            eax = eax + part2_xor;
            DWORD var = (eax >> 5) + key3;
            DWORD var_eax_1 = (eax << 4) + key4;
            DWORD var_xor = var ^ var_eax_1;
            DWORD var_ebx = eax + var_edx;
            DWORD var_esi = var_xor ^ var_ebx;
            ecx = ecx + var_esi;
            dwCount--;
        } while (dwCount > 0);

        *(DWORD*)psrc = eax;
        *(DWORD*)(psrc + 1) = ecx;
    }

    Download link for the original files for Handler_CS in the AuthServer.
    This algorithm just looks like a simple XOR encryption.

    Let me know what you think.
    Last edited by Ashime; 07-10-18 at 11:01 PM. Reason: Added link to SunEmu and Handler_CS files.

  6. #21 GoldenHeaven (Breaker of Codes, True Member, joined Jan 2010, 244 posts)

    Seems so but also looks like you don't have the key.

    From what I've gathered of it, it encrypts the first 8 bytes of void* src and passes those 8 bytes through the encryption 32 times, then saves them.

    Which at Handler_CS::OnSUN_C2S_ASK_AUTH would be:
    0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x00, 0x67, 0xa6, 0x53, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00 after copying password to passmask and the result would be:

    0x65, 0x96, 0x18, 0x92, 0xCE, 0x7B, 0x8A, 0x08, 0x39, 0x00, 0x67, 0xA6, 0x53, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00

    And I used this in C# to get the above result and see if I could understand more of it:
    using System;
    using System.Runtime.InteropServices;

    class Encode
    {
        // Runs the 32 rounds in place over the first 8 bytes of source (two 32-bit words).
        // uint rather than int so that >> is a logical shift, as it is for DWORD in the C++ original.
        unsafe public Encode(byte* source, uint[] key)
        {
            uint* sourcepointer = (uint*)source;
            uint firstfourbytes = *sourcepointer;
            uint secondfourbytes = *(sourcepointer + 1);
            uint key1 = key[0];
            uint key2 = key[1];
            uint key3 = key[3];
            uint key4 = key[2];
            uint var_edx = 0;

            for (int i = 0; i < 32; i++)
            {
                uint part1_shift_left = (secondfourbytes << 4) + key1; // (ecx<<4)+key1;
                uint part1_shift_right = (secondfourbytes >> 5) + key2; // (ecx>>5)+key2;
                uint part1_xor = part1_shift_left ^ part1_shift_right; // part1_shift_left^part1_shift_right;

                var_edx -= 0x61c88647u; // wraps as an unsigned 32-bit subtraction
                uint value = var_edx + secondfourbytes; // value = var_edx+ecx;
                uint part2_xor = part1_xor ^ value;

                firstfourbytes = firstfourbytes + part2_xor; // eax = eax+part2_xor;
                uint part2_shift_left = (firstfourbytes >> 5) + key3; // var = (eax>>5)+key3;
                uint part2_shift_right = (firstfourbytes << 4) + key4; // var_eax_1 = (eax<<4)+ key4;
                uint var_xor = part2_shift_left ^ part2_shift_right; // var_xor = var^var_eax_1;

                uint var_ebx = firstfourbytes + var_edx; // var_ebx = eax+var_edx;
                uint var_esi = var_xor ^ var_ebx;
                secondfourbytes = secondfourbytes + var_esi; // ecx = ecx+var_esi;
            }

            *sourcepointer = firstfourbytes; // *(DWORD*)psrc= eax;
            *(sourcepointer + 1) = secondfourbytes; // *(DWORD*)(psrc+1) = ecx;
        }
    }

    class Program
    {
        // Compile with unsafe code enabled (/unsafe).
        static unsafe void Main()
        {
            fixed (byte* passMask = new byte[19] { 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x00, 0x67, 0xa6, 0x53, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00 }) // passMask with pwd in it.
            {
                uint[] key = new uint[4]; // all-zero key, as in the run above
                Encode encode = new Encode(passMask, key);
                byte[] bytes = new byte[19];
                for (int i = 0; i < 19; ++i)
                {
                    bytes[i] = Marshal.ReadByte((IntPtr)passMask, i);
                    Console.Write(bytes[i].ToString("X2") + " ");
                }
            }
            Console.ReadKey();
        }
    }
    Last edited by GoldenHeaven; 08-10-18 at 07:05 AM.

  7. #22 Ashime (Hardcore Member, joined Oct 2013, USA, 136 posts)

    @GoldenHeaven

    Thank you for all the help. I really do appreciate it. After digging around some more, I found out that the encryption algorithm I posted was TEA. The parameters are the same data types in size, but one is unsigned and the other is signed. The Delta in the previous post (0x61C88647) is the two's complement of the original delta (0x9e3779b9). The rest of the algorithm looks very close to the one found online.

    Wiki
    Spoiler:
    #include <stdint.h>

    void encrypt (uint32_t* v, uint32_t* k)
    {
        // setup
        uint32_t v0=v[0], v1=v[1], sum=0, i;

        // a key schedule constant
        uint32_t delta=0x9e3779b9;

        // cache key
        uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];

        // basic cycle start
        for (i=0; i < 32; i++)
        {
            sum += delta;
            v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
            v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
        }
        v[0]=v0; v[1]=v1;
    }

    void decrypt (uint32_t* v, uint32_t* k)
    {
        // setup
        uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i;

        // a key schedule constant
        uint32_t delta=0x9e3779b9;

        // cache key
        uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];

        // basic cycle start
        for (i=0; i<32; i++)
        {
            v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
            v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
            sum -= delta;
        }
        v[0]=v0; v[1]=v1;
    }

    I found a CryptLibd.lib in the SunEmu project. I opened it up with 7-Zip and found .obj files for Base64, LZO, md5, minilzo, PacketCrypt, Seedx, sha1, and Tea. I opened up the PacketCrypt.obj file and looked at the files. The file contains references to Tea encryption and decryption and to itself. I only have the header files for Tea and PacketCrypt. I know this information doesn't mean much in the long run since I can't rebuild it without the .cpp files.


    PacketCrypt.h
    Spoiler:
    namespace Crypt
    {
        bool PacketEncode( unsigned char* source, int sourceLen, unsigned char* output, int* outputLen, DWORD key );
        bool PacketDecode( unsigned char* source, int sourceLen, unsigned char* output, int* outputLen, DWORD key );
    }


    Tea.h
    Spoiler:
    namespace Crypt
    {
        void TeaEncode( DWORD* data, DWORD* key );
        void TeaDecode( DWORD* data, DWORD* key );
    }


    If TEA is being used as the main encryption algorithm, then how do the PacketCrypt prototypes work with the TEA algorithm? I was thinking double encryption, but that is just a thought. At the moment, I am looking for the key. Let me know what you think. Thanks!
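    The identification above can be checked mechanically. The following is an added example (not code from the thread or from SunEmu): textbook TEA beside a Python transliteration of the posted encode(), compared on random blocks and keys, with the key[3]/key[2] naming and the subtracted 0x61C88647 kept as posted. It also carries the caveat for the planned Java port: the right shifts must be logical (>>> on a Java int), since an arithmetic >> on a negative value changes the result.

```python
import os
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9      # textbook TEA constant (the Wikipedia listing above)
SUN_DELTA = 0x61C88647  # subtracted in the SunEmu encode(); DELTA + SUN_DELTA == 2**32

def tea_encrypt(v0, v1, k, rounds=32):
    """Textbook TEA on two 32-bit words with a four-word key."""
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def tea_decrypt(v0, v1, k, rounds=32):
    """Inverse: start at rounds*DELTA (0xC6EF3720 for 32 rounds) and undo each round."""
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def sun_encode(block8, key):
    """Transliteration of the posted encode(), DWORD wrap-around made explicit."""
    eax, ecx = struct.unpack("<II", block8)                   # *psrc, *(psrc+1)
    key1, key2, key3, key4 = key[0], key[1], key[3], key[2]  # the post's naming
    var_edx = 0
    for _ in range(32):
        # >> on a Python int or a DWORD is logical; a Java/C# signed int needs >>> / uint.
        part1_xor = ((ecx << 4) + key1) ^ ((ecx >> 5) + key2)
        var_edx = (var_edx - SUN_DELTA) & MASK              # var_edx -= 0x61c88647
        eax = (eax + (part1_xor ^ (var_edx + ecx))) & MASK
        var_xor = ((eax >> 5) + key3) ^ ((eax << 4) + key4)
        ecx = (ecx + (var_xor ^ (eax + var_edx))) & MASK
    return struct.pack("<II", eax, ecx)

def same_as_tea(block8, key):
    """True when the SunEmu routine, textbook TEA and the round trip all agree."""
    v0, v1 = tea_encrypt(*struct.unpack("<II", block8), key)
    ct = struct.pack("<II", v0, v1)
    return ct == sun_encode(block8, key) and tea_decrypt(v0, v1, key) == struct.unpack("<II", block8)

def random_agreement(trials=200):
    """Check same_as_tea on random blocks and keys; the all-zero key is GoldenHeaven's case."""
    keys = [[0, 0, 0, 0]] + [list(struct.unpack("<4I", os.urandom(16))) for _ in range(trials)]
    return all(same_as_tea(os.urandom(8), k) for k in keys)
```

    Because the two routines agree for every key, the only remaining unknown in the posted login path is the key itself, not the cipher.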

  8. #23 GoldenHeaven (Breaker of Codes, True Member, joined Jan 2010, 244 posts)

    If you notice, it appears to allow size specification, which TEA doesn't care about, possibly to allow only partial packet encryption.
    That would be my guess as to why they didn't use TEA directly.

  9. #24 Ashime (Hardcore Member, joined Oct 2013, USA, 136 posts)

    Packet Information

    All of the packet information is in decimal and not hexadecimal, so please remember that. This is all I have currently figured out at this time. Sorry if this is a little repetitive.

    Step 1-2: Handshake and Hello packet
    Spoiler:
    1. Receive active connection from client.
    -> 3-way handshake

    2. Server sends hello packet (Size: 72).

    public byte[] helloPacket =
    {70, 00, 51, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 36, 72, 00, 00};

    -> F 3 $H.
    -> F (70) is the packet ID, 3 (51) is the server ID, and $H (36, 72) changes every time on retail server when you connect. I thought it was the key for the encryption algorithm, but it could be a session ID.


    Step 3-4: Server IP and Acceptance packet
    Spoiler:
    3. Client sends packet with IP.
    -> IP is of the server the client is trying to connect to.

    -> packet data: % 3 127.0.0.1 (37 51 01 03 04 06 49 50 55 46 48 46 48 46 49)
    -> % (37) is packet ID, 3 (51) is server ID, (01), (03), (04), and (06) are unknown.

    4. Send accept packet (Size: 5).

    public byte[] acceptPacket = {03, 00, 51, 02, 00};
    -> (03) is the packetID, 3 (51) is the server ID, and (02) is unknown.


    Step 5-6: Encrypted Login and Login Status
    Spoiler:
    5. Client will send packet with Username and Password (encrypted).

    // --> TODO: Figure out the encryption algorithm.
    // --> TODO: Decrypt packet data and compare account info.

    6. Send packet back with login status. Size: 71. Fifth byte determines whether login was correct or not. (00 - correct, 01 - incorrect).

    // successful login packet

    public byte[] loginPacket =
    {69, 00, 51, 14, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00};

    -> (69) is packetID, 3 (51) is the serverID, the fourth byte changes and is unknown.

    // incorrect password packet.

    public byte[] loginPacket1 =
    {69, 00, 51, 14, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00};


    Step 7-8: Confirmation and Server Selection packet
    Spoiler:
    7. Client will send a confirmation packet.
    -> (02, 00, 51, 15)
    -> (02) is packet ID, 3 (51) is server ID, (15) is unknown

    8. Send server list packet. Size: 83.

    Server Name: Global (71, 108, 111, 98, 97, 108)
    Channel Name: Channel 1 (67, 104, 97, 110, 110, 101, 108, 32, 49)

    public byte[] serverListPacket =
    {39, 00, 51, 17, 01, 71, 108, 111, 98, 97, 108, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 51, 18, 01, 67, 104,
    97, 110, 110, 101, 108, 32, 49, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01,
    01, 01, 01};

    -> (39) is the packetID, 3 (51) is the serverID, fourth byte changes and is unknown, (01) is unknown but possibly starter and ender headers.


    Step 9-10: Selected Server and Game Server Transfer packets
    Spoiler:
    9. Client will send a server selection packet.

    -> (04 00 51 19 01 01)
    -> (04) is packet ID, 3 (51) is server ID, fourth byte changes and is unknown, and (01) are unknown.


    10. Send Game Server IP to client. Size: 86

    -> Data is partially encrypted.
    -> Need further analysis on the retail packets.

    public byte[] gsTransferPacket =
    {84, 00, 51, 26, 00, 30, 85, 77, 24, 48, 72, 96, 120, 00, 00, 00,
    00, 00, 8, 32, 56, 80, 104, 00, 00, 00, 00, 00, 00, 10, 40, 64,
    88, 112, 00, 00, 00, 00, 00, 00, 49, 50, 55, 46, 48, 46, 48, 46,
    49, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,
    00, 00, 00, 00, 00, 00, 00, 00, 34, 78, 00, 00, 00, 55, 110, 54,
    103, 55, 55, 110, 107, 00};


    Login Server and Client Download

    Please visit here for more information.
    Last edited by Ashime; 6 Days Ago at 08:20 PM. Reason: Add links
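    The framing that post #16 and the arrays above suggest, as an added example (not code from the thread or from SunEmu): a frame splitter assuming bytes 0-1 are a little-endian length that excludes themselves, byte 2 is the server ID ('3' = 51) and byte 3 is a type byte. That reading fits hello (70 for 72 bytes), accept (3/5), the login replies (69/71) and gsTransfer (84/86) but not serverListPacket (39 in the length field, 83 bytes), so the splitter refuses any frame whose declared length does not fit the data instead of trusting the prefix. The sample packets are constructed from the arrays posted above.

```python
import struct

# Constructed from the arrays above: hello (72 bytes), accept (5), login OK / bad (71 each).
HELLO = bytes([70, 0, 51, 0] + [0] * 64 + [36, 72, 0, 0])
ACCEPT = bytes([3, 0, 51, 2, 0])
LOGIN_OK = bytes([69, 0, 51, 14] + [0] * 67)
LOGIN_BAD = bytes([69, 0, 51, 14, 1] + [0] * 66)
SERVER_ID = 51  # ASCII '3' in every packet shown

class FrameError(ValueError):
    """A length prefix that does not fit the bytes actually received."""

def split_frames(stream):
    """Split a byte stream into (server_id, type_byte, payload) frames.
    Layout assumed: u16 LE length of everything after it, server id, type byte, payload.
    The length is bounds-checked before use, so a truncated or hostile prefix raises."""
    frames, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 2:
            raise FrameError("truncated length prefix at offset %d" % pos)
        body_len = struct.unpack_from("<H", stream, pos)[0]
        end = pos + 2 + body_len
        if body_len < 2 or end > len(stream):
            raise FrameError("frame at offset %d declares %d body bytes, %d available"
                             % (pos, body_len, len(stream) - pos - 2))
        body = stream[pos + 2:end]
        if body[0] != SERVER_ID:
            raise FrameError("unexpected server id %d at offset %d" % (body[0], pos + 2))
        frames.append((body[0], body[1], body[2:]))
        pos = end
    return frames

def session_token(hello_payload):
    """The two bytes that change per connection ('$H' = 36, 72 in the capture above)."""
    return hello_payload[-4:-2]

def login_status(login_payload):
    """Fifth byte of the login reply: 0 = correct, 1 = incorrect, per the post."""
    return login_payload[0]

def parses_cleanly(stream):
    """True when every frame in the stream fits its declared length."""
    try:
        split_frames(stream)
        return True
    except FrameError:
        return False
```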


