Genshin Impact Private Server

[Ochi]

I have found out that they are using a variation of KCP (seemed to be some modified version of asio_kcp, see mihoyonet.dll) with an additional "session id/conv" (32bits) at the front. This article has a good overview of the kcp header: link. The kcp header itself is not encrypted, but the data part is with some xor based encryption. The data segment has yet another protocol header in it, but I'm still working on figuring out a reliable way to decrypt it.

Example:

Code:

AA AA AA AA BB BB BB BB CC DD EE EE FF FF FF FF GG GG GG GG HH HH HH HH II II II II DATA

A = conv (session id 1)
B = conv (session id 2)
C = cmd (command PUSH=0x81, ACK=0x82, WASK=0x83, WINS=0x84)
D = frg (fragment number)
E = wnd (window size)
F = ts (timestamp)
G = sn (serial number, count)
H = una (ack number, count)
I = len (data length)

Before connecting, there is some handshake process that goes on. These packets are 20 bytes long and follow the format:

Code:

AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD EE EE EE EE

A = Special Value 1
B = SessionId 1
C = SessionId 2
D = Enet*
E = Special Value 2

Here are all the values for Enet*

Code:

EnetTimeout = 0
EnetClientClose = 1
EnetClientRebindFail = 2
EnetClientShutdown = 3
EnetServerRelogin = 4
EnetServerKick = 5
EnetServerShutdown = 6
EnetNotFoundSession = 7
EnetLoginUnfinished = 8
EnetPacketFreqTooHigh = 9
EnetPingTimeout = 10
EnetTranferFailed = 11
EnetServerKillClient = 12
EnetCheckMoveSpeed = 13
EnetAccountPasswordChange = 14
EnetClientEditorConnectKey = 987654321
EnetClientConnectKey = 1234567890

Special Value 1/2 are used to determine what type of packet it is.

• When connecting, SV1=0x145 (325) and SV2=0x14514545 (340870469).
• When disconnecting, SV1=0x194 (404) and SV2=0x19419494 (423728276).

Example Connect (As Client):

Code:

SEND 00 00 00 FF 00 00 00 00 00 00 00 00 49 96 02 D2 FF FF FF FF
RECV 00 00 01 45 XX XX XX XX YY YY YY YY 49 96 02 D2 14 51 45 45

Example Disconnect (As Client):

Code:

RECV 00 00 01 94 XX XX XX XX YY YY YY YY 00 00 00 01 19 41 94 94
SEND 00 00 01 94 XX XX XX XX YY YY YY YY 00 00 00 01 19 41 94 94

[BurnGemios3643]

Small update; There is a select group working on a private server. It hasn't been dropped but people have lives so things take time.

Hi, im actually searching to understand packet structure of the game, did you think it would be possible to contact them? thx ^^

[Ochi]

Spent some more time and was able to figure out decryption. For those who are still looking, the decrypt function is MPOPONDMPGP_LJIKGPHDBNA (0x1815AF400) for v2.0 and is just a simple XOR based on a key.

There are two keys: GFFCHKDELNC +0x00, ALHLOPIEDNI +0x08 being used for decryption which are static fields of MPOPONDMPGP. The key to be used is determined by a bool BLNKMJCJNMP +0x10. Note that these are all obfuscated names and will change in future versions.

GFFCHKDELNC is used until ALHLOPIEDNI gets seeded, at which point BLNKMJCJNMP becomes false. This happens early in the communications. (only a couple packets are encrypted with GFFCHKDELNC)

GFFCHKDELNC is set by a call to UnityEngine.Application::ResetDispatchData(System.Byte[])
ALHLOPIEDNI is set using mt19937_64 based on a seed.

Code:

void __stdcall MPOPONDMPGP_LJIKGPHDBNA(void *this, Byte__Array **LKANOGJKKDA, int32_t MHNBJBBPFGM, MethodInfo *method)

Code:

if ( v6->static_fields->BLNKMJCJNMP )
{
    if ( (*(&v6->_1 + 90) & 1) != 0 && !v6->_1.cctor_finished )
    {
        il2cpp_runtime_class_init_0(v6);
        v6 = MPOPONDMPGP__TypeInfo;
    }
    v10 = &v6->static_fields->GFFCHKDELNC;
}
else
{
    if ( (*(&v6->_1 + 90) & 1) != 0 && !v6->_1.cctor_finished )
    {
        il2cpp_runtime_class_init_0(v6);
        v6 = MPOPONDMPGP__TypeInfo;
    }
    v10 = &v6->static_fields->ALHLOPIEDNI;
}
v11 = *v10;
if ( v11 )
{
    if ( *(v11 + 6) )
    {
        v12 = *(v11 + 6);
        for ( i = 0i64; i < MHNBJBBPFGM; v15[32] ^= v11[v17 + 32] )
        {
            v14 = *LKANOGJKKDA;
            if ( !*LKANOGJKKDA )
            sub_187F51300(i);
            if ( i >= LODWORD(v14->max_length) )
            {
                v21 = sub_187F50B10(i, i);
                sub_187F51220(v21, 0i64); // Exception
            }
            v15 = v14 + i;
            v16 = (i >> 31);
            v17 = i % v12;
            if ( v17 >= *(v11 + 6) )
            {
                LODWORD(v16) = i % v12;
                v20 = sub_187F50B10(i, v16);
                sub_187F51220(v20, 0i64); // Exception
            }
            i = (i + 1);
        }
    }
}

Credits to Il2CppInspector which helped a lot in finding this.

[pong]

Spent some more time and was able to figure out decryption. For those who are still looking, the decrypt function is MPOPONDMPGP_LJIKGPHDBNA (0x1815AF400) for v2.0 and is just a simple XOR based on a key.

There are two keys: GFFCHKDELNC +0x00, ALHLOPIEDNI +0x08 being used for decryption which are static fields of MPOPONDMPGP. The key to be used is determined by a bool BLNKMJCJNMP +0x10. Note that these are all obfuscated names and will change in future versions.

Code:

void __stdcall MPOPONDMPGP_LJIKGPHDBNA(void *this, Byte__Array **LKANOGJKKDA, int32_t MHNBJBBPFGM, MethodInfo *method)

Code:

if ( v6->static_fields->BLNKMJCJNMP )
{
    if ( (*(&v6->_1 + 90) & 1) != 0 && !v6->_1.cctor_finished )
    {
        il2cpp_runtime_class_init_0(v6);
        v6 = MPOPONDMPGP__TypeInfo;
    }
    v10 = &v6->static_fields->GFFCHKDELNC;
}
else
{
    if ( (*(&v6->_1 + 90) & 1) != 0 && !v6->_1.cctor_finished )
    {
        il2cpp_runtime_class_init_0(v6);
        v6 = MPOPONDMPGP__TypeInfo;
    }
    v10 = &v6->static_fields->ALHLOPIEDNI;
}
v11 = *v10;
if ( v11 )
{
    if ( *(v11 + 6) )
    {
        v12 = *(v11 + 6);
        for ( i = 0i64; i < MHNBJBBPFGM; v15[32] ^= v11[v17 + 32] )
        {
            v14 = *LKANOGJKKDA;
            if ( !*LKANOGJKKDA )
            sub_187F51300(i);
            if ( i >= LODWORD(v14->max_length) )
            {
                v21 = sub_187F50B10(i, i);
                sub_187F51220(v21, 0i64); // Exception
            }
            v15 = v14 + i;
            v16 = (i >> 31);
            v17 = i % v12;
            if ( v17 >= *(v11 + 6) )
            {
                LODWORD(v16) = i % v12;
                v20 = sub_187F50B10(i, v16);
                sub_187F51220(v20, 0i64); // Exception
            }
            i = (i + 1);
        }
    }
}

Credits to Il2CppInspector which helped a lot in finding this.

i dont know much but packet encryption are XOR & mt19937_64

[Ochi]

i dont know much but packet encryption are XOR & mt19937_64

Thanks, HGHNILEBHMN seems to be mt19937_64 and is used for generating the key.

[pong]

Thanks, HGHNILEBHMN seems to be mt19937_64 and is used for generating the key.

what version you going to base on 1.4 or 1.6?

[Ochi]

I don't have any plans to make a server, I just wanted to decrypt packets so I can see data from the game. Why not 2.0 though, seems like going with the latest version is the best.

[Raeyn]

I don't have any plans to make a server, I just wanted to decrypt packets so I can see data from the game. Why not 2.0 though, seems like going with the latest version is the best.

Not sure what the scope of your goals is, but if you wind up writing an API of some kind for working with the packets I would be willing to work on a server emulator that sits on top of it. Unfortunately I'm entry level at best for native reversing and packet reversing so I really wouldn't be useful for much beyond that.

[Jayishh]

Hey everyone, I have been lurking this thread for a while, I dont understand anything to do with the code stuff since im not much of a tech savvy guy but I just want to know.. Is there alot of progress done?

[Ochi]

Last update from me, I was able to figure out how both keys are derived. First time I've ever reversed something on my own, so it was quite the challenge. For purposes of keeping things simple, GFFCHKDELNC = Key1, ALHLOPIEDNI = Key2. Both keys are 4096 bytes, and if the packet is over this length, it will just cycle back. Encryption and decryption are the same as XOR is symmetric. I'm not going to spoon feed here, but hopefully this helps people out.

Code:

for (int i = 0; i < data_length; i++) {
  data[i] ^= key[i % key_length];
}

Key1 is constant, if you get it from memory you can keep using it. However, if you are interested in figuring out how it is derived, the function is found in UnityPlayer.dll (sub_180C9B9C0). It was a real pain to trace this one, for no real gain, so I suggest you just dump the key from memory. (It's a static variable so you can find it pretty easily) Not sure how this changes between updates, but we'll see once 2.1 is out.

You can also dump Key2 from memory, but it changes every session, so it's better to figure out how it is derived. You will need Key1 to decrypt the first few packets, one of which contains the seed for Key2.

Both keys are generated by mt19937_64 (mostly)



The decrypted packet should follow this structure. Note that I haven't really dissected any packets yet, but this is what I see:

Code:

45 67 AA AA BB BB CC CC CC CC XX YY 89 AB

45 67 = Constant
AA AA = OpCode?
BB BB = X Length
CC CC CC CC = Y Length
XX = Data
YY = Data
89 AB = Constant

[pong]

Last update from me, I was able to figure out how both keys are derived. First time I've ever reversed something on my own, so it was quite the challenge. For purposes of keeping things simple, GFFCHKDELNC = Key1, ALHLOPIEDNI = Key2. Both keys are 4096 bytes, and if the packet is over this length, it will just cycle back. Encryption and decryption are the same as XOR is symmetric. I'm not going to spoon feed here, but hopefully this helps people out.

Code:

for (int i = 0; i < data_length; i++) {
  data[i] ^= key[i % key_length];
}

Key1 is constant, if you get it from memory you can keep using it. However, if you are interested in figuring out how it is derived, the function is found in UnityPlayer.dll (sub_180C9B9C0). It was a real pain to trace this one, for no real gain, so I suggest you just dump the key from memory. (It's a static variable so you can find it pretty easily) Not sure how this changes between updates, but we'll see once 2.1 is out.

You can also dump Key2 from memory, but it changes every session, so it's better to figure out how it is derived. You will need Key1 to decrypt the first few packets, one of which contains the seed for Key2.

Both keys are generated by mt19937_64 (mostly)



The decrypted packet should follow this structure. Note that I haven't really dissected any packets yet, but this is what I see:

Code:

45 67 AA AA BB BB CC CC CC CC XX YY 89 AB

45 67 = Constant
AA AA = OpCode?
BB BB = X Length
CC CC CC CC = Y Length
XX = Data
YY = Data
89 AB = Constant

i can just share 1.4 packet decryption algorithm but i cannot share 2.0 one so are you ok with 1.4

[Ochi]

i can just share 1.4 packet decryption algorithm but i cannot share 2.0 one so are you ok with 1.4

Sure, I think it can be helpful.

[Pizzabazinga]

I figure I should make a post checking in on how things are going, as the thread seems to be somewhat dead. How goes the progress if any?

[Fondelli]

you can do this guys!
with the game being so big now this could potentially be the biggest middle finger to gacha games ever. i'm with you!

[Fyyre]

https://otx.alienvault.com/indicator...n/yuanshen.com