
GunBound WC Packet Structure and Encryption

Junior Spellweaver
Joined
Nov 21, 2006
Messages
137
Reaction score
39
Hi everyone, I am trying to decode GunBound WC packets, but it seems to be a little bit confusing.

There is discussion here:
http://forum.ragezone.com/f173/gunbound-packet-structure-990131/

@phnx said that the password is encrypted with a modified SHA-1 algorithm, and that for the other packets there will be another key, generated from the first packet exchanged between server and client.
@SheenBR, @Leo The Fox, @Aaron please check this post too
@phnx said:
Some packets are encrypted completely (0x2010 channelchat for instance), but login is a special case. That one starts with two blocks of 16 bytes that represent crypted username and a block of data that includes packet signature and the session key (which was established with 0x1000 earlier). These use a static key for decrypting, and their values are used to setup a dynamic key schedule for AES.

After those 32 bytes is another encrypted blob that holds password, clientversion, local/external IP, etc., encrypted using the dynamic key scheme.

I did not really understand which cryptography each packet uses!

Did you mean that the login packet (two blocks of 16 bytes) uses the modified SHA-1? If yes, how could I decrypt it?
What could I use the key sent by the server (0x1001) for?
What about the key setup for AES?

These use a static key for decrypting, and their values are used to setup a dynamic key schedule for AES.

How could I find the static key? And is this key for SHA-1 or AES?


Could you explain this, and maybe also anything else I should know to decrypt it?

THE WC PACKETS

The first packet client sends:

Code:
    0A 00 A5 46 00 11 00 00 00 00 00 00 00 00 00 00         ...F............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00

...and then receives the reply:


Code:
    0A 00 E5 53 01 10 7E 56 00 00 00 00 00 00 00 00         ...S..~V........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00

Second packet client sends:

Code:
    06 00 B1 36 00 10 00 00 00 00 00 00 00 00 00 00         ...6............
    00 00 00 00 00 00 00 00

...and then receives something like this:

Code:
    7F 00 68 0E 12 10 00 00 CA 5C 00 00 41 64 6D 69         .h......\..Admi
    6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         n...............
    00 14 00 14 00 14 00 1C 00 00 00 01 00 00 00 01         ................
    00 00 00 00 00 00 00 01 00 00 00 1A 00 00 00 5C         ...............\
    18 00 00 FA FF FF FF FA FF FF FF 37 0E A4 3B 00         ...........7..;.

The way I understood @phnx's words, I think the key for AES decryption of the rest of the data will be generated from the FIRST REPLY from the server, in this case (if true, how?):

Code:
    0A 00 E5 53 01 10 7E 56 00 00 00 00 00 00 00 00         ...S..~V........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00


I think these bytes are not encrypted, but the next ones are, like this part:

Code:
***********************TCP Packet*************************


IP Header
   |-IP Version        : 8
   |-IP Header Length  : 32 Bytes
   |-Type Of Service   : 0
   |-IP Total Length   : 38701  Bytes(Size of Packet)
   |-Identification    : 32
   |-TTL      : 151
   |-Protocol : 188
   |-Checksum : 36026
   |-Source IP        : 200.37.15.70
   |-Destination IP   : 78.247.134.67


TCP Header
   |-Source Port      : 42535
   |-Destination Port : 8566
   |-Sequence Number    : 1865186537
   |-Acknowledge Number : 2300963988
   |-Header Length      : 130 DWORDS or 520 BYTES
   |-Window         : 46275
   |-Checksum       : 41846
   |-Urgent Pointer : 61410


                        DATA Dump                         
IP Header
    08 00 97 2D 00 20 FF FF 97 BC 8C BA C8 25 0F 46         ...-. .......%.F
    4E F7 86 43 89 74 CB 74 45 18 99 A6 93 83 62 AB         N..C.t.tE.....b.
TCP Header
    A6 27 21 76 6F 2C 7C E9 89 25 EC 94 82 8A B4 C3         .'!vo,|..%......
    A3 76 E2 EF A2 19 34 1B 0C 0D BB 6E 22 98 80 97         .v....4....n".€.
    91 B0 28 F3 1B 45 1C A6 43 7D EE F1 4A 2B 95 26         ..(..E..C}..J+.&
    06 32 D3 5F EE 8E 00 00 00 00 00 00 00 00 00 00         .2._............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00                                 ........
Data Payload


###########################################################

The FIRST of ANY packet sent RIGHT AFTER LOGIN APPROVAL FOR THE GAME LAUNCHER is the World List, which seems to be NOT ENCRYPTED. World List packet:

** This makes sense, since this is the FIRST of ALL packets exchanged between server and client and there is no key available yet, I mean, not generated from the next packet yet.

Code:
***********************TCP Packet*************************


IP Header
   |-IP Version        : 96
   |-IP Header Length  : 384 Bytes
   |-Type Of Service   : 0
   |-IP Total Length   : 58154  Bytes(Size of Packet)
   |-Identification    : 529
   |-TTL      : 1
   |-Protocol : 2
   |-Checksum : 0
   |-Source IP        : 0.12.71.117
   |-Destination IP   : 110.66.111.117


TCP Header
   |-Source Port      : 0
   |-Destination Port : 0
   |-Sequence Number    : 0
   |-Acknowledge Number : 0
   |-Header Length      : 0 DWORDS or 0 BYTES
   |-Window         : 0
   |-Checksum       : 0
   |-Urgent Pointer : 0


                        DATA Dump                         
IP Header
    60 00 E3 2A 02 11 00 00 01 02 00 00 00 0C 47 75         `..*..........Gu
    6E 42 6F 75 6E 64 20 57 61 72 0A 53 65 72 76 69         nBound War.Servi
    64 6F 72 20 31 4A 3F DA 8B 20 D1 00 00 00 00 C8         dor 1J?.. ......
    00 FB 13 00 01 01 00 00 0C 47 75 6E 42 6F 75 6E         .........GunBoun
    64 20 57 61 72 0A 53 65 72 76 69 64 6F 72 20 32         d War.Servidor 2
    4A 3F DA 8B 20 D2 00 00 00 00 C8 00 FB 13 01 01         J?.. ...........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
TCP Header
Data Payload


###########################################################

I have nowhere to go from here if I can't decrypt it.

** Even with encrypted packets, it's possible to simulate some actions that are done when a specific packet is received, just like BCM (for example a BCM *hack*, where any user could simulate the packet since it's known). A BCM hack already exists in a game-hack DLL called GunBad, version 3, which is not public. There are many hacks in the DLL that use packets to hack the game. If you want to know a bit more about this DLL, I can share it with you since you showed interest in helping me.

** I am not willing to create cheats/game hacks, but to build new server files (not the broker, only servers like 8361).

Could someone help me decrypt the packets? Is there some way I could find the key to decrypt them with AES? And for WC, is it still AES?

Thanks in advance.
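As an added example (not code from this thread or from any GunBound project), here is a small Python parser for the framing that the dumps above show: a 2-byte little-endian length (0x000A, 0x0006, 0x007F, 0x0060 all match the captures), two bytes left undecoded, and a 2-byte little-endian opcode (00 10 reads as 0x1000, 12 10 as 0x1012). The World List entry layout it uses (count byte at offset 9, then per server 3 unknown bytes, two 1-byte-length-prefixed strings and a 16-byte trailer) is an assumption inferred from this single capture; it is only trusted because it accounts for the declared 0x60 bytes exactly.

```python
import struct

# Constructed sample input: the World List frame exactly as dumped above
# (96 bytes; the capture's trailing zero rows are buffer padding).
WORLD_LIST = bytes.fromhex(
    "60 00 E3 2A 02 11 00 00 01 02 00 00 00 0C 47 75 "
    "6E 42 6F 75 6E 64 20 57 61 72 0A 53 65 72 76 69 "
    "64 6F 72 20 31 4A 3F DA 8B 20 D1 00 00 00 00 C8 "
    "00 FB 13 00 01 01 00 00 0C 47 75 6E 42 6F 75 6E "
    "64 20 57 61 72 0A 53 65 72 76 69 64 6F 72 20 32 "
    "4A 3F DA 8B 20 D2 00 00 00 00 C8 00 FB 13 01 01 ")

def parse_header(buf):
    """Header as assumed from the dumps: length (LE16), an undecoded 16-bit
    field, opcode (LE16). Also flags frames the capture cut short."""
    if len(buf) < 6:
        raise ValueError("a WC header needs 6 bytes")
    length, unknown, opcode = struct.unpack_from("<HHH", buf, 0)
    return {"length": length, "unknown": unknown, "opcode": opcode,
            "truncated": len(buf) < length}

def split_frames(stream):
    """Walk a captured stream frame by frame using the length field; stop at
    the zero padding that follows the last frame in every dump above."""
    frames, pos = [], 0
    while pos + 6 <= len(stream):
        hdr = parse_header(stream[pos:])
        if hdr["length"] == 0:          # reached the zero padding
            break
        hdr["payload"] = stream[pos + 6:pos + hdr["length"]]
        frames.append(hdr)
        pos += hdr["length"]
    return frames

def read_pstring(buf, pos):
    """1-byte length prefix followed by ASCII, e.g. 0C 'GunBound War'."""
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n].decode("ascii"), pos + 1 + n

def parse_world_list(frame):
    """Assumed entry layout (fits the declared 0x60 length exactly):
    byte 9 = server count; per server 3 unknown bytes, two strings, then a
    16-byte trailer that is returned as hex and deliberately not decoded."""
    count, pos, servers = frame[9], 10, []
    for _ in range(count):
        pos += 3
        name, pos = read_pstring(frame, pos)
        sub, pos = read_pstring(frame, pos)
        servers.append((name, sub, frame[pos:pos + 16].hex()))
        pos += 16
    if pos != parse_header(frame)["length"]:
        raise ValueError("entry layout does not match the declared length")
    return servers
```

Running split_frames over the three short handshake dumps above yields opcodes 0x1100, 0x1001 and 0x1000 in order, and parse_header on the 0x1012 dump reports it as truncated, since only 80 of its declared 127 bytes were captured.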
 
Joined
Jun 28, 2006
Messages
285
Reaction score
165
I simply came to wish you the best of luck with your project. Wish I had more to contribute.

And yeah, there should be no reason to create a broker when you've got a fully-functional one as-is and there's not a whole lot you can add to it, unless you wanted to do custom things in the back-end such as IP verification, or logging certain things or whatever.
 
Junior Spellweaver
Joined
Nov 21, 2006
Messages
137
Reaction score
39
So now we have a deal. I got the packets from the server and then checked that 0x2010 is probably TWICE encrypted. I am very confused with that holy poop. I will keep trying.

The buffer, when intercepted, passes through an encryption routine and then we can read the TEXT sent to the Channel. But the next bytes are not TEXT like Nickname, Channel Number, or something like that.

FIRST BYTE = TEXT LENGTH. In this case 2E is 46 characters.

I deleted the LAST 6 BYTES, because that is the HEADER of the packet. Also, the bytes after the text seem to be inverted, or something like that.

I suppose that these bytes are re-encrypted and could not be filtered by the first routine, and so are still nonsense bytes for a human. I tried inverting them, reversing them, but still did not find the channel number, or maybe the NickName. This probably passes through another decryption routine.

If you are interested in help, talk to me at skype: themarks2
 

Junior Spellweaver
Joined
Nov 21, 2006
Messages
137
Reaction score
39
Well, time is such a witch. Now I master every single byte and encryption poop about this game. Greetings from 2014. 7 years f***ing ago.
 
Initiate Mage
Joined
Feb 25, 2011
Messages
4
Reaction score
0
Well, time is such a witch. Now I master every single byte and encryption poop about this game. Greetings from 2014. 7 years f***ing ago.

Can you help me understand the encryption?
 
Junior Spellweaver
Joined
Dec 20, 2004
Messages
143
Reaction score
63
Portion of code from my project: connect to the game server, log in and send an admin command.
 