Reverse engineering encrypted buffer/packets of Growtopia

[randomnon]

I tried a lot but i couldn't reverse engineer second argument (buffer) of WSASendTo of this game, so then i can view unencrypted packet data and move on my way. Apparently it uses UDP.

Growtopia :

You must be registered to see links

The links of the stuff i've tried :

Do I Need to be good at Game Hacking to get into Server Emulation - RaGEZONE - MMO development community

http://forum.ragezone.com/f860/reversing-packets-emulator-server-scratch-1136480/

i will be really apprecited )

 

[randomnon]

Well i think i gotta add more since no one is really answering.
I am trying to make a server emulator so firstly i have to reverse packets but i am really stuck at reversing packet encryption. I am not talking about actually reversing encryption completely, i want to be able to read packets before encryption. people keep telling that encryp/decrypt functions are called before network functions but i don't really know what's that supposed to mean

 

[zipper20032]

"people keep telling that encryp/decrypt functions are called before network functions but i don't really know what's that supposed to mean"


So, the packet is sent using Winsock.h library, by WSASend().
Somewhere, before WSASend() there's the encryption function.

A little schema is like this for ONLY CLIENT:

Client to server:
Start game ---> Building packet to be send to server --> Encryption --> WSASend()

Server to client:
Server is sending packet ENCRYPTED --> Client WSARecv() --> Decryption --> Client is using the packet data

Somewhere, there must be a packet builder function, which will prepare the packet to be send to the server. The encryption/decryption keys could be dynamic. You need to find out how the keys are used/generated for decryption and encryption. IDA is offering a more-or-less readable C++ decompiled code from the generated ASM code.

Just use breakpointing a lot to jump in places when you run, then use step-by-step continue method from your debugger and see what's called, what's happening, take notes of memory addresses.

It's a huge process, so just trial and error the **** out of it.

 

[randomnon]

"people keep telling that encryp/decrypt functions are called before network functions but i don't really know what's that supposed to mean"


So, the packet is sent using Winsock.h library, by WSASend().
Somewhere, before WSASend() there's the encryption function.

A little schema is like this for ONLY CLIENT:

Client to server:
Start game ---> Building packet to be send to server --> Encryption --> WSASend()

Server to client:
Server is sending packet ENCRYPTED --> Client WSARecv() --> Decryption --> Client is using the packet data

Somewhere, there must be a packet builder function, which will prepare the packet to be send to the server. The encryption/decryption keys could be dynamic. You need to find out how the keys are used/generated for decryption and encryption. IDA is offering a more-or-less readable C++ decompiled code from the generated ASM code.

Look i know how networking works but the problem is to actually find where those encryption/decryption functions are, i tried dynamic debugging using x64dbg a lot but couldn't find any sh*t and there's literally zero resources on the internet about this topic

Just use breakpointing a lot to jump in places when you run, then use step-by-step continue method from your debugger and see what's called, what's happening, take notes of memory addresses.

It's a huge process, so just trial and error the **** out of it.
​

I've probably put over a million breakpoints through April-May after May i decided to give it a stop because i wasn't really going anywhere but i might start again

 

[ETTETT]

What have you found already? Does your breakpoint stops on send?

 

[randomnon]

What have you found already? Does your breakpoint stops on send?

Of course it does, i found a lot of stuff by going through call stack including login packet functions (i could see variables like tankid_name,tankid_password,server_port beta_port etc.) but after somewhere it starts to break when you click the game screen

 

[randomnon]

Yeah guys still struggling on finding unencrypted buffer/encryption&decryption functions, i feel like this isn't going anywhere sadly

 

[randomnon]

This forum is so dead man no one is helping

 

[zipper20032]

It's not dead, but I don't think you understand what Reverse Engineering means, like, the time and patience you need to have in order to succeed.

Also.. There's already the source code of the game server for Growtopia. Why are you trying to reinvent the wheel?

You must be registered to see links

.

The source code is fresh (3 months old).

It took me 30 seconds just to search a "tag" for these files.


Edit:

If you want to learn about REing, start with this server and see how the packets are encrypted and decrypted in these server files.

You will get help for REing the packet enc and dec functions if someone is really having an interest in the game and he's willing to share that or he's doing that just for fun.

REing is a pain in the butt by the way, but it can be fun.

 

[randomnon]

It's not dead, but I don't think you understand what Reverse Engineering means, like, the time and patience you need to have in order to succeed.

Also.. There's already the source code of the game server for Growtopia. Why are you trying to reinvent the wheel?

You must be registered to see links

.

The source code is fresh (3 months old).

It took me 30 seconds just to search a "tag" for these files.

I already gave my patience and time but as i said it's like going nowhere
Also i know there's already another sources but why wouldn't i make my own and custom source using java?

Edit:

If you want to learn about REing, start with this server and see how the packets are encrypted and decrypted in these server files.

You will get help for REing the packet enc and dec functions if someone is really having an interest in the game and he's willing to share that or he's doing that just for fun.

REing is a pain in the butt by the way, but it can be fun.

Alright imma check it but i am not really familiar with c++ or c and i know that RE is hard but i gotta make that server emulator hope someone's gonna help soon

 

[zipper20032]

If you know how the packets are encrypted and decrypted server side wise, then you're good to go with ANY PROGRAMMING LANGUAGES.

Also, you need Assembly machine language in order to understand the machine code of the decompiled exe/dll you are trying to debug.

Start learning ASM and C++.

I guess the above source code can offer you a reference on how the packets are obtained/decrypted/encrypted/sent/received from the client and also how the packets should be used in your server.

You're trying to do what others already did. My advice, don't do that if you wanna have a Java server developed faster.
REing a game means TONS AND TONS of time allocated only in debugger and trial and error, and by time I mean years of RE in some cases. If you already lost your patience, that's very bad. I don't think you're gonna succeed even with this forum's help if you don't have patience. RE = Repetitive Trial And Error that can take even years for a single project.

Maybe you're new or something, but, no one's gonna waste time here on this forum with already made things (I'm not mean, but I just wanna help you to save time in an overwhelming process)


Anyway, you can understand the encryption/decryption from the server source code. Just get the packet you desire with a packet sniffer, get that packet through the decryption process, see the result of your decrypted packet. C++ to Java can be interpreted.

I'm suggesting you the most easiest way for a kickstart of your Java server.

 

[randomnon]

If you know how the packets are encrypted and decrypted server side wise, then you're good to go with ANY PROGRAMMING LANGUAGES.

Also, you need Assembly machine language in order to understand the machine code of the decompiled exe/dll you are trying to debug.

Start learning ASM and C++.

I guess the above source code can offer you a reference on how the packets are obtained/decrypted/encrypted/sent/received from the client and also how the packets should be used in your server.

You're trying to do what others already did. My advice, don't do that if you wanna have a Java server developed faster.
REing a game means TONS AND TONS of time allocated only in debugger and trial and error, and by time I mean years of RE in some cases. If you already lost your patience, that's very bad. I don't think you're gonna succeed even with this forum's help if you don't have patience. RE = Repetitive Trial And Error that can take even years for a single project.

Maybe you're new or something, but, no one's gonna waste time here on this forum with already made things (I'm not mean, but I just wanna help you to save time in an overwhelming process)

I know x86 Assembly but i am not really looking forward to learn C++ because i am not really interested on that
Also you're right i lost my patience because i think i am not going anywhere but i found login packet function and a lot of references to it maybe that's where should i continue

Anyway, you can understand the encryption/decryption from the server source code. Just get the packet you desire with a packet sniffer, get that packet through the decryption process, see the result of your decrypted packet. C++ to Java can be interpreted.

I'm suggesting you the most easiest way for a kickstart of your Java server.

Thanks i am gonna try that

edit : also that's poop amount of code how am i supposed to find enc/dec functions

 

[zipper20032]

Check core.h

I spent 1 minute with a "Find" text to find how the packets were sent.

inline void [B]sendData[/B](ENetPeer* peer, int num, char* data, const int len)
{

  const auto packet = enet_packet_create(nullptr, len + 5, ENET_PACKET_FLAG_RELIABLE);
  memcpy(packet->data, &num, 4);

  if (data != nullptr)
  {
  memcpy(packet->data + 2, data, len);
  }

  char zero = 0;
  memcpy(packet->data + 2 + len, &zero, 1);

  enet_peer_send(peer, 0, packet);    //enet_host_flush(server);

}

inline void [B]send_packet_proxy[/B](ENetPeer* peer, string data, int iop = 2)
{
  ENetPacket* v3 = enet_packet_create(nullptr, data.length() + 5, 1);

  memcpy(v3->data, &iop, 4);    memcpy((v3->data) + 4, data.c_str(), data.length());

  enet_peer_send(peer, 0, v3);
}

It's based on some kind of network library called ENet.

Good luck.

Edit: By the way, for finding methods and classes references and functions faster, open the project with Visual Studio 2019.

 

[randomnon]

Check core.h

I spent 1 minute with a "Find" text to find how the packets were sent.

inline void [B]sendData[/B](ENetPeer* peer, int num, char* data, const int len)
{

  const auto packet = enet_packet_create(nullptr, len + 5, ENET_PACKET_FLAG_RELIABLE);
  memcpy(packet->data, &num, 4);

  if (data != nullptr)
  {
  memcpy(packet->data + 2, data, len);
  }

  char zero = 0;
  memcpy(packet->data + 2 + len, &zero, 1);

  enet_peer_send(peer, 0, packet);    //enet_host_flush(server);

}

inline void [B]send_packet_proxy[/B](ENetPeer* peer, string data, int iop = 2)
{
  ENetPacket* v3 = enet_packet_create(nullptr, data.length() + 5, 1);

  memcpy(v3->data, &iop, 4);    memcpy((v3->data) + 4, data.c_str(), data.length());

  enet_peer_send(peer, 0, v3);
}

It's based on some kind of network library called ENet.

Good luck.

Edit: By the way, for finding methods and classes references and functions faster, open the project with Visual Studio 2019.

Thank you so much

 

[zipper20032]

No problem. You're welcome xD