
[HELP] Encryption Type for packet sniffing

Newbie Spellweaver
Joined
Jul 17, 2013
Messages
10
Reaction score
1
Hi all,

I've recently decided to take a look at the insides of RedFox's RF Online. I've been using a packet sniffer but haven't made much headway in understanding the packets. I think they're encrypted, but I'm a bit of a newbie at reverse engineering. Does anybody know what encryption method they use? I've been thinking it's either MD5 or SHA-1, but if anybody is able to help I'll be eternally grateful! :)
 
Newbie Spellweaver
Joined
Jul 17, 2013
Messages
10
Reaction score
1
Hey @likertuban! Thanks for taking the time to answer.

I did initially think it might have been XOR. I wasn't sure if it was XOR because the packets looked so different.

Take for example when I write the text "ThisIsATestString" in the chat window, it sent out this packet:

23 00 09 42 5A 84 D1 A2 CA 5D 4B AD 14 94 26 9B 59 0D 45 78 7E A9 17 4C 31 E5 9D D7 EA 70 A1 C2 F7 6B E2

However with a nearly identical string, "ThisIsATestString2", the packet looked completely different.

23 00 08 B3 DE 85 6B 1D 18 93 93 06 6E 0F F0 39 53 F9 4E 96 E4 89 F8 64 E3 4F C5 A5 80 90 E7 7D 55 C8 DF

I'm not good at XOR, but I would assume that if they're both using the same key there would be more similarities between the two. I guess it's possible they're using one-time keys?

I'm not sure I understand what method you're describing to use to decrypt. Are you saying the key is just a byte long? What's a plus key?

Sorry for the newb questions. Thanks again for your time!
 
Upvote 0
Joined
Apr 9, 2012
Messages
2,359
Reaction score
442
Not so sure about RedFox, but the server here only uses 1 key, which is generated only once when you log in to the world (CMIIW).
If you are talking about sending text, it might have occurred due to the structure, or you have exited the game and logged in again, which generates a new key.
When you send text, it's possible that the packet contains the word length, your rank, your location, etc., which I'm not sure about.
You could also test by sniffing your packet, then sending a text and resending the packet; if the result is the same, then it's the same.
But if you ask me,
your packet seems odd.
If you sent different text with a different word length, how come it has the same packet size 0x23? 23 00 09 42
The second text should be 0x24,
and 0x09 0x42 versus 0x08 0xB3 from 23 00 08 B3
seems odd, so I think you have posted the wrong packets, thinking that both packets are from your text; I think the two are different packets.
 
Upvote 0
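The two checks discussed in the thread, run over the two captures quoted above, as an added example that is not code from any of the posters: it compares the leading 0x23 0x00 with the real packet size and looks for the aligned run of equal bytes that a reused XOR key would leave behind. Reading bytes 0-1 as a little-endian length is an assumption, and KEY is a constructed value used only for the control case.

```python
# Added example, not code from the thread. The two captures are the hex dumps
# quoted in the posts above; KEY is a constructed value for the control case.
PKT_A = bytes.fromhex(
    "23 00 09 42 5A 84 D1 A2 CA 5D 4B AD 14 94 26 9B 59 0D 45 78 7E A9 17 4C"
    " 31 E5 9D D7 EA 70 A1 C2 F7 6B E2")
PKT_B = bytes.fromhex(
    "23 00 08 B3 DE 85 6B 1D 18 93 93 06 6E 0F F0 39 53 F9 4E 96 E4 89 F8 64"
    " E3 4F C5 A5 80 90 E7 7D 55 C8 DF")
KEY = bytes.fromhex("5a a7 13 c4 9e")  # constructed, not the game's key


def declared_length(pkt: bytes) -> int:
    """Assumption: bytes 0-1 are a little-endian length for the whole packet."""
    return int.from_bytes(pkt[:2], "little")


def longest_equal_run(a: bytes, b: bytes) -> int:
    """Longest stretch of offsets where both byte strings hold the same value."""
    best = run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        best = max(best, run)
    return best


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used only to build the control case."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def report() -> dict:
    # Control: the two chat strings under one key show what key reuse looks like.
    control_a = xor_repeating(b"ThisIsATestString", KEY)
    control_b = xor_repeating(b"ThisIsATestString2", KEY)
    return {
        "len_a": (declared_length(PKT_A), len(PKT_A)),
        "len_b": (declared_length(PKT_B), len(PKT_B)),
        "capture_run": longest_equal_run(PKT_A, PKT_B),
        "control_run": longest_equal_run(control_a, control_b),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

The result rules out only one case, the same key applied at the same offset to the same leading text; it does not distinguish between the explanations offered in the thread.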