Hi everyone, I am trying to decode GunBound WC packets, but it seems to be a little bit confusing.
There is discussion here:
http://forum.ragezone.com/f173/gunbound-packet-structure-990131/
@phnx said that the password is encrypted with a modified SHA-1 algorithm, and for the other packets there will be another key, generated from the first packet exchanged between server and client.
@SheenBR, @Leo The Fox, @Aaron please check this post too
@phnx said:
Some packets are encrypted completely (0x2010 channelchat for instance), but login is a special case. That one starts with two blocks of 16 bytes that represent crypted username and a block of data that includes packet signature and the session key (which was established with 0x1000 earlier). These use a static key for decrypting, and their values are used to setup a dynamic key schedule for AES.
After those 32 bytes is another encrypted blob that holds password, clientversion, local/external IP, etc., encrypted using the dynamic key scheme.
I did not understand well which cryptography each packet uses!
Did you mean that the login packet (two blocks of 16 bytes) uses the modified SHA-1? If yes, how could I decrypt it?
What could I use the key sent by the server (0x1001) for?
What about the key setup for AES?
These use a static key for decrypting, and their values are used to setup a dynamic key schedule for AES.
How could I find the static key? And is this key for SHA-1 or AES?
Could you explain this question and maybe even something I should know to decrypt it?
THE WC PACKETS
The first packet client sends:
Code:
0A 00 A5 46 00 11 00 00 00 00 00 00 00 00 00 00 ...F............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00
...and then receive the reply:
Code:
0A 00 E5 53 01 10 7E 56 00 00 00 00 00 00 00 00 ...S..~V........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00
Second packet client sends:
Code:
06 00 B1 36 00 10 00 00 00 00 00 00 00 00 00 00 ...6............
00 00 00 00 00 00 00 00
...and then receive something like this:
Code:
7F 00 68 0E 12 10 00 00 CA 5C 00 00 41 64 6D 69 .h......\..Admi
6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............
00 14 00 14 00 14 00 1C 00 00 00 01 00 00 00 01 ................
00 00 00 00 00 00 00 01 00 00 00 1A 00 00 00 5C ...............\
18 00 00 FA FF FF FF FA FF FF FF 37 0E A4 3B 00 ...........7..;.
The way I understood @phnx's words, I think the key for AES decryption of the rest of the data will be generated from the FIRST REPLY from the server, in this case (*if true, how?):
Code:
0A 00 E5 53 01 10 7E 56 00 00 00 00 00 00 00 00 ...S..~V........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00
I think these bytes are not encrypted, but the next ones are, like this part:
Code:
***********************TCP Packet*************************
IP Header
|-IP Version : 8
|-IP Header Length : 32 Bytes
|-Type Of Service : 0
|-IP Total Length : 38701 Bytes(Size of Packet)
|-Identification : 32
|-TTL : 151
|-Protocol : 188
|-Checksum : 36026
|-Source IP : 200.37.15.70
|-Destination IP : 78.247.134.67
TCP Header
|-Source Port : 42535
|-Destination Port : 8566
|-Sequence Number : 1865186537
|-Acknowledge Number : 2300963988
|-Header Length : 130 DWORDS or 520 BYTES
|-Window : 46275
|-Checksum : 41846
|-Urgent Pointer : 61410
DATA Dump
IP Header
08 00 97 2D 00 20 FF FF 97 BC 8C BA C8 25 0F 46 ...-. .......%.F
4E F7 86 43 89 74 CB 74 45 18 99 A6 93 83 62 AB N..C.t.tE.....b.
TCP Header
A6 27 21 76 6F 2C 7C E9 89 25 EC 94 82 8A B4 C3 .'!vo,|..%......
A3 76 E2 EF A2 19 34 1B 0C 0D BB 6E 22 98 80 97 .v....4....n".€.
91 B0 28 F3 1B 45 1C A6 43 7D EE F1 4A 2B 95 26 ..(..E..C}..J+.&
06 32 D3 5F EE 8E 00 00 00 00 00 00 00 00 00 00 .2._............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ........
Data Payload
###########################################################
The FIRST of ALL packets sent RIGHT AFTER LOGIN APPROVAL FOR GAMELAUNCHER is the World List, which seems to be NOT ENCRYPTED. World List packet:
** This makes sense, since this is the FIRST of ALL packets exchanged between server and client and there is no key available, I mean, not generated from the next packet yet.
Code:
***********************TCP Packet*************************
IP Header
|-IP Version : 96
|-IP Header Length : 384 Bytes
|-Type Of Service : 0
|-IP Total Length : 58154 Bytes(Size of Packet)
|-Identification : 529
|-TTL : 1
|-Protocol : 2
|-Checksum : 0
|-Source IP : 0.12.71.117
|-Destination IP : 110.66.111.117
TCP Header
|-Source Port : 0
|-Destination Port : 0
|-Sequence Number : 0
|-Acknowledge Number : 0
|-Header Length : 0 DWORDS or 0 BYTES
|-Window : 0
|-Checksum : 0
|-Urgent Pointer : 0
DATA Dump
IP Header
60 00 E3 2A 02 11 00 00 01 02 00 00 00 0C 47 75 `..*..........Gu
6E 42 6F 75 6E 64 20 57 61 72 0A 53 65 72 76 69 nBound War.Servi
64 6F 72 20 31 4A 3F DA 8B 20 D1 00 00 00 00 C8 dor 1J?.. ......
00 FB 13 00 01 01 00 00 0C 47 75 6E 42 6F 75 6E .........GunBoun
64 20 57 61 72 0A 53 65 72 76 69 64 6F 72 20 32 d War.Servidor 2
4A 3F DA 8B 20 D2 00 00 00 00 C8 00 FB 13 01 01 J?.. ...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
TCP Header
Data Payload
###########################################################
I have nowhere to go from now on if I can't decrypt it.
** Even with encrypted packets, it's possible to simulate some actions that are done when a specific packet is received, just like BCM (for example a BCM *hack*, where any user could simulate the packet since it's known). A BCM hack already exists in a gamehack DLL called GunBad, version 3, not public. There are many hacks in the DLL that use packets to hack the game. If you want to know a bit more about this DLL, I can share it with you since you showed interest in helping me.
** I am not willing to create cheats/gamehacks, but to build new server files (not the broker, only servers like 8361).
Could someone help me decrypt the packets? Could I somehow find the key to decrypt them with AES? And for WC, is it still AES?
Thanks in advance.
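As an added example (not code from this post or from anyone in the thread), the Python below reads the `Code:` dumps above back into bytes and tests one reading of the header that the dumps themselves suggest: bytes 0-1 as a little-endian total length, bytes 4-5 as a little-endian opcode (which is what makes the server reply read 0x1001 and the second client packet 0x1000, the ids named in the post), with bytes 2-3 left as an unidentified field. That layout, the labels such as CLIENT_HELLO, and the "ok / truncated / trailing-data" check are this example's assumptions; the sample dumps are the post's own, with the World List dump cut to its first seven lines and the encrypted capture to its six non-zero lines.

```python
"""Re-parse the post's hex dumps and test one reading of the 6-byte header.

Added example; the header layout is an assumption inferred from the dumps and
from the ids 0x1000 / 0x1001 named in the post, not something the post states:
  bytes 0-1  little-endian total frame length (header included)
  bytes 2-3  unidentified 16-bit field
  bytes 4-5  little-endian opcode
"""
import re
from dataclasses import dataclass

# Dumps copied from the post (hex column followed by an ASCII column).
# The constant names are this example's own labels.
CLIENT_HELLO = r"""0A 00 A5 46 00 11 00 00 00 00 00 00 00 00 00 00 ...F............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00"""
SERVER_1001 = r"""0A 00 E5 53 01 10 7E 56 00 00 00 00 00 00 00 00 ...S..~V........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00"""
CLIENT_1000 = r"""06 00 B1 36 00 10 00 00 00 00 00 00 00 00 00 00 ...6............
00 00 00 00 00 00 00 00"""
SERVER_1012 = r"""7F 00 68 0E 12 10 00 00 CA 5C 00 00 41 64 6D 69 .h......\..Admi
6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............
00 14 00 14 00 14 00 1C 00 00 00 01 00 00 00 01 ................
00 00 00 00 00 00 00 01 00 00 00 1A 00 00 00 5C ...............\
18 00 00 FA FF FF FF FA FF FF FF 37 0E A4 3B 00 ...........7..;."""
WORLD_LIST = r"""60 00 E3 2A 02 11 00 00 01 02 00 00 00 0C 47 75 `..*..........Gu
6E 42 6F 75 6E 64 20 57 61 72 0A 53 65 72 76 69 nBound War.Servi
64 6F 72 20 31 4A 3F DA 8B 20 D1 00 00 00 00 C8 dor 1J?.. ......
00 FB 13 00 01 01 00 00 0C 47 75 6E 42 6F 75 6E .........GunBoun
64 20 57 61 72 0A 53 65 72 76 69 64 6F 72 20 32 d War.Servidor 2
4A 3F DA 8B 20 D2 00 00 00 00 C8 00 FB 13 01 01 J?.. ...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................"""
ENCRYPTED_BLOB = r"""08 00 97 2D 00 20 FF FF 97 BC 8C BA C8 25 0F 46 ...-. .......%.F
4E F7 86 43 89 74 CB 74 45 18 99 A6 93 83 62 AB N..C.t.tE.....b.
A6 27 21 76 6F 2C 7C E9 89 25 EC 94 82 8A B4 C3 .'!vo,|..%......
A3 76 E2 EF A2 19 34 1B 0C 0D BB 6E 22 98 80 97 .v....4....n".€.
91 B0 28 F3 1B 45 1C A6 43 7D EE F1 4A 2B 95 26 ..(..E..C}..J+.&
06 32 D3 5F EE 8E 00 00 00 00 00 00 00 00 00 00 .2._............"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def dump_to_bytes(dump: str) -> bytes:
    """Turn a dump back into raw bytes.

    A dump line carries at most 16 hex pairs and then the ASCII column, so the
    hex column ends at the 17th token or at the first token that is not a
    two-digit hex pair; the ASCII rendering after it is dropped.
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        for n, tok in enumerate(line.split()):
            if n == 16 or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


@dataclass
class Frame:
    declared_len: int  # bytes 0-1 under the assumed layout
    field2: int        # bytes 2-3, not identified by the post
    opcode: int        # bytes 4-5, e.g. 0x1000 / 0x1001 as named in the post
    body: bytes        # bytes 6 .. declared_len, clipped to what was captured
    status: str        # "ok", "truncated" or "trailing-data"


def parse_frame(raw: bytes) -> Frame:
    """Split one captured buffer under the assumed layout and check whether the
    declared length accounts for the capture. The sniffer pads its buffer with
    zeros, so a correct length should leave nothing but zeros behind it."""
    if len(raw) < 6:
        raise ValueError("need at least the 6-byte header")
    declared = int.from_bytes(raw[0:2], "little")
    field2 = int.from_bytes(raw[2:4], "little")
    opcode = int.from_bytes(raw[4:6], "little")
    if declared > len(raw):
        status = "truncated"      # dump cut short, or the field is not a length
    elif any(raw[declared:]):
        status = "trailing-data"  # non-zero bytes after the declared frame
    else:
        status = "ok"
    return Frame(declared, field2, opcode, raw[6:min(declared, len(raw))], status)


def report(name: str, dump: str) -> str:
    """One summary line per dump, for reading the exchange side by side."""
    f = parse_frame(dump_to_bytes(dump))
    return (f"{name:14s} len={f.declared_len:3d} field2=0x{f.field2:04X} "
            f"opcode=0x{f.opcode:04X} body={len(f.body):3d}B {f.status}")


if __name__ == "__main__":
    for name, dump in [("CLIENT_HELLO", CLIENT_HELLO), ("SERVER_1001", SERVER_1001),
                       ("CLIENT_1000", CLIENT_1000), ("SERVER_1012", SERVER_1012),
                       ("WORLD_LIST", WORLD_LIST), ("ENCRYPTED_BLOB", ENCRYPTED_BLOB)]:
        print(report(name, dump))
```

Under this reading the three handshake dumps and the World List come out "ok" (the World List's declared 0x60 = 96 bytes is exactly the non-zero part of that dump, and the body carries the "GunBound War" / "Servidor 1" / "Servidor 2" strings in the clear), the 0x1012 reply comes out "truncated" (127 bytes declared, 80 present in the post), and the encrypted capture comes out "trailing-data": its first two bytes say 8, yet 78 more non-zero bytes follow, so either that capture holds more than one record or the length reading does not hold for it. Treat the layout as a hypothesis to re-test on more captures rather than as a fact about the protocol.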