[Tut] Changing the Packet Encryption
ThievingSix released a tutorial about changing the encryption on MRS files. Now, you all should know how to change the packet encryption on the client and server.
Please note that I am using July 2008 files as an example, however, the encryption barely changes.
You'll just need OllyDbg, it's easy to find.
--Wow, I just wrote this whole thing and then remembered the easy way to do it
Go into your MatchServer with Olly, right click -> Search for all constants, type in "0F0" and search. It should look like this:
http://img87.imageshack.us/img87/9384/pic1w.png
http://img593.imageshack.us/img593/6708/pic2nr.png
(Please note I am using OllyDbg2.1, it may look a little different than yours)
Those four XOR <reg>, 0F0 instructions are each part of the encryption and decryption.
The decryption is always underneath the encryption routine. There are 2 of them you need to change, hence the four "XOR <reg>, 0F0".
----Match Server----
Part1 of Encryption on MatchServer:
Code:
CPU Disasm
Address Hex dump Command Comments
0044E3C0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2] ; MatchServer.0044E3C0(guessed Arg1,Arg2,Arg3)
0044E3C4 |. 33D2 XOR EDX,EDX
0044E3C6 |. 85C0 TEST EAX,EAX
0044E3C8 |. 7E 3F JLE SHORT 0044E409
0044E3CA |. 55 PUSH EBP
0044E3CB |. 56 PUSH ESI
0044E3CC |. 8B7424 0C MOV ESI,DWORD PTR SS:[ARG.1]
0044E3D0 |. 57 PUSH EDI
0044E3D1 |. 8B7C24 18 MOV EDI,DWORD PTR SS:[ARG.3]
0044E3D5 |. 8BE8 MOV EBP,EAX
0044E3D7 |. EB 07 JMP SHORT 0044E3E0
0044E3D9 | 8DA424 000000 LEA ESP,[ESP]
0044E3E0 |> 8A043A /MOV AL,BYTE PTR DS:[EDI+EDX]
0044E3E3 |. 3206 |XOR AL,BYTE PTR DS:[ESI]
0044E3E5 |. 8B0D 24825900 |MOV ECX,DWORD PTR DS:[598224]
0044E3EB |. 66:0FB6C0 |MOVZX AX,AL
0044E3EF |. D3E0 |SHL EAX,CL
0044E3F1 |. 8ACC |MOV CL,AH
0044E3F3 |. 0AC8 |OR CL,AL
0044E3F5 |. 80F1 F0 |XOR CL,F0
0044E3F8 |. 42 |INC EDX
0044E3F9 |. 83FA 20 |CMP EDX,20
0044E3FC |. 880E |MOV BYTE PTR DS:[ESI],CL
0044E3FE |. 7C 02 |JL SHORT 0044E402
0044E400 |. 33D2 |XOR EDX,EDX
0044E402 |> 46 |INC ESI
0044E403 |. 4D |DEC EBP
0044E404 |.^ 75 DA \JNE SHORT 0044E3E0
0044E406 |. 5F POP EDI
0044E407 |. 5E POP ESI
0044E408 |. 5D POP EBP
0044E409 |> B0 01 MOV AL,1
0044E40B \. C3 RETN
Part 2 of Encryption on MatchServer:
Code:
CPU Disasm
Address Hex dump Command Comments
0044E4C0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2] ; MatchServer.0044E4C0(guessed Arg1,Arg2,Arg3,Arg4,Arg5)
0044E4C4 |. 33D2 XOR EDX,EDX
0044E4C6 |. 85C0 TEST EAX,EAX
0044E4C8 |. 7E 41 JLE SHORT 0044E50B
0044E4CA |. 53 PUSH EBX
0044E4CB |. 55 PUSH EBP
0044E4CC |. 8B6C24 1C MOV EBP,DWORD PTR SS:[ARG.5]
0044E4D0 |. 56 PUSH ESI
0044E4D1 |. 8B7424 18 MOV ESI,DWORD PTR SS:[ARG.3]
0044E4D5 |. 57 PUSH EDI
0044E4D6 |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ARG.1]
0044E4DA |. 8BD8 MOV EBX,EAX
0044E4DC |. 8D6424 00 LEA ESP,[LOCAL.3]
0044E4E0 |> 8A042A /MOV AL,BYTE PTR DS:[EBP+EDX]
0044E4E3 |. 3207 |XOR AL,BYTE PTR DS:[EDI]
0044E4E5 |. 8B0D 24825900 |MOV ECX,DWORD PTR DS:[598224]
0044E4EB |. 66:0FB6C0 |MOVZX AX,AL
0044E4EF |. D3E0 |SHL EAX,CL
0044E4F1 |. 8ACC |MOV CL,AH
0044E4F3 |. 0AC8 |OR CL,AL
0044E4F5 |. 80F1 F0 |XOR CL,F0
0044E4F8 |. 42 |INC EDX
0044E4F9 |. 83FA 20 |CMP EDX,20
0044E4FC |. 880E |MOV BYTE PTR DS:[ESI],CL
0044E4FE |. 7C 02 |JL SHORT 0044E502
0044E500 |. 33D2 |XOR EDX,EDX
0044E502 |> 46 |INC ESI
0044E503 |. 47 |INC EDI
0044E504 |. 4B |DEC EBX
0044E505 |.^ 75 D9 \JNE SHORT 0044E4E0
0044E507 |. 5F POP EDI
0044E508 |. 5E POP ESI
0044E509 |. 5D POP EBP
0044E50A |. 5B POP EBX
0044E50B |> B0 01 MOV AL,1
0044E50D \. C3 RETN
Part 1 of Decryption on MatchServer:
Code:
CPU Disasm
Address Hex dump Command Comments
0044E410 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2] ; MatchServer.0044E410(guessed Arg1,Arg2,Arg3)
0044E414 |. 56 PUSH ESI
0044E415 |. 33F6 XOR ESI,ESI
0044E417 |. 85C0 TEST EAX,EAX
0044E419 |. 7E 52 JLE SHORT 0044E46D
0044E41B |. 53 PUSH EBX
0044E41C |. 55 PUSH EBP
0044E41D |. 8B6C24 18 MOV EBP,DWORD PTR SS:[ARG.3]
0044E421 |. 57 PUSH EDI
0044E422 |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ARG.1]
0044E426 |. 894424 18 MOV DWORD PTR SS:[ARG.2],EAX
0044E42A |. 8D9B 00000000 LEA EBX,[EBX]
0044E430 |> 8A07 /MOV AL,BYTE PTR DS:[EDI]
0044E432 |. 8B1D 24825900 |MOV EBX,DWORD PTR DS:[598224]
0044E438 |. 8A15 9C9C6E00 |MOV DL,BYTE PTR DS:[6E9C9C]
0044E43E |. 34 F0 |XOR AL,F0
0044E440 |. 22D0 |AND DL,AL
0044E442 |. B9 08000000 |MOV ECX,8
0044E447 |. 2BCB |SUB ECX,EBX
0044E449 |. D2E2 |SHL DL,CL
0044E44B |. 8ACB |MOV CL,BL
0044E44D |. D2E8 |SHR AL,CL
0044E44F |. 0AD0 |OR DL,AL
0044E451 |. 32142E |XOR DL,BYTE PTR DS:[EBP+ESI]
0044E454 |. 46 |INC ESI
0044E455 |. 83FE 20 |CMP ESI,20
0044E458 |. 8817 |MOV BYTE PTR DS:[EDI],DL
0044E45A |. 7C 02 |JL SHORT 0044E45E
0044E45C |. 33F6 |XOR ESI,ESI
0044E45E |> 8B4424 18 |MOV EAX,DWORD PTR SS:[ARG.2]
0044E462 |. 47 |INC EDI
0044E463 |. 48 |DEC EAX
0044E464 |. 894424 18 |MOV DWORD PTR SS:[ARG.2],EAX
0044E468 |.^ 75 C6 \JNE SHORT 0044E430
0044E46A |. 5F POP EDI
0044E46B |. 5D POP EBP
0044E46C |. 5B POP EBX
0044E46D |> B0 01 MOV AL,1
0044E46F |. 5E POP ESI
0044E470 \. C3 RETN
Part 2 of Decryption on MatchServer:
Code:
CPU Disasm
Address Hex dump Command Comments
0044E510 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2]
0044E514 |. 56 PUSH ESI
0044E515 |. 33F6 XOR ESI,ESI
0044E517 |. 85C0 TEST EAX,EAX
0044E519 |. 7E 58 JLE SHORT 0044E573
0044E51B |. 53 PUSH EBX
0044E51C |. 55 PUSH EBP
0044E51D |. 8B6C24 10 MOV EBP,DWORD PTR SS:[ARG.1]
0044E521 |. 57 PUSH EDI
0044E522 |. 8B7C24 1C MOV EDI,DWORD PTR SS:[ARG.3]
0044E526 |. 894424 18 MOV DWORD PTR SS:[ARG.2],EAX
0044E52A |. 8D9B 00000000 LEA EBX,[EBX]
0044E530 |> 8A45 00 /MOV AL,BYTE PTR SS:[EBP]
0044E533 |. 8B1D 24825900 |MOV EBX,DWORD PTR DS:[598224]
0044E539 |. 8A15 9C9C6E00 |MOV DL,BYTE PTR DS:[6E9C9C]
0044E53F |. 34 F0 |XOR AL,F0
0044E541 |. 22D0 |AND DL,AL
0044E543 |. B9 08000000 |MOV ECX,8
0044E548 |. 2BCB |SUB ECX,EBX
0044E54A |. D2E2 |SHL DL,CL
0044E54C |. 8ACB |MOV CL,BL
0044E54E |. D2E8 |SHR AL,CL
0044E550 |. 0AD0 |OR DL,AL
0044E552 |. 8B4424 24 |MOV EAX,DWORD PTR SS:[ARG.5]
0044E556 |. 321406 |XOR DL,BYTE PTR DS:[EAX+ESI]
0044E559 |. 46 |INC ESI
0044E55A |. 83FE 20 |CMP ESI,20
0044E55D |. 8817 |MOV BYTE PTR DS:[EDI],DL
0044E55F |. 7C 02 |JL SHORT 0044E563
0044E561 |. 33F6 |XOR ESI,ESI
0044E563 |> 8B4424 18 |MOV EAX,DWORD PTR SS:[ARG.2]
0044E567 |. 47 |INC EDI
0044E568 |. 45 |INC EBP
0044E569 |. 48 |DEC EAX
0044E56A |. 894424 18 |MOV DWORD PTR SS:[ARG.2],EAX
0044E56E |.^ 75 C0 \JNE SHORT 0044E530
0044E570 |. 5F POP EDI
0044E571 |. 5D POP EBP
0044E572 |. 5B POP EBX
0044E573 |> B0 01 MOV AL,1
0044E575 |. 5E POP ESI
0044E576 \. C3 RETN
----Match Agent----
Part1 of Encryption on MatchAgent:
Code:
CPU Disasm
Address Hex dump Command Comments
0041E8A0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2] ; MatchAgent.0041E8A0(guessed Arg1,Arg2,Arg3)
0041E8A4 |. 33D2 XOR EDX,EDX
0041E8A6 |. 85C0 TEST EAX,EAX
0041E8A8 |. 7E 3F JLE SHORT 0041E8E9
0041E8AA |. 55 PUSH EBP
0041E8AB |. 56 PUSH ESI
0041E8AC |. 8B7424 0C MOV ESI,DWORD PTR SS:[ARG.1]
0041E8B0 |. 57 PUSH EDI
0041E8B1 |. 8B7C24 18 MOV EDI,DWORD PTR SS:[ARG.3]
0041E8B5 |. 8BE8 MOV EBP,EAX
0041E8B7 |. EB 07 JMP SHORT 0041E8C0
0041E8B9 | 8DA424 000000 LEA ESP,[ESP]
0041E8C0 |> 8A043A /MOV AL,BYTE PTR DS:[EDI+EDX]
0041E8C3 |. 3206 |XOR AL,BYTE PTR DS:[ESI]
0041E8C5 |. B9 04000000 |MOV ECX,4
0041E8CA |. 90 |NOP
0041E8CB |. 66:0FB6C0 |MOVZX AX,AL
0041E8CF |. D3E0 |SHL EAX,CL
0041E8D1 |. 8ACC |MOV CL,AH
0041E8D3 |. 0AC8 |OR CL,AL
0041E8D5 |. 80F1 F0 |XOR CL,F0
0041E8D8 |. 42 |INC EDX
0041E8D9 |. 83FA 20 |CMP EDX,20
0041E8DC |. 880E |MOV BYTE PTR DS:[ESI],CL
0041E8DE |. 7C 02 |JL SHORT 0041E8E2
0041E8E0 |. 33D2 |XOR EDX,EDX
0041E8E2 |> 46 |INC ESI
0041E8E3 |. 4D |DEC EBP
0041E8E4 |.^ 75 DA \JNE SHORT 0041E8C0
0041E8E6 |. 5F POP EDI
0041E8E7 |. 5E POP ESI
0041E8E8 |. 5D POP EBP
0041E8E9 |> B0 01 MOV AL,1
0041E8EB \. C3 RETN
Part2 of Encryption on MatchAgent:
Code:
CPU Disasm
Address Hex dump Command Comments
0041E9A0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2] ; MatchAgent.0041E9A0(guessed Arg1,Arg2,Arg3,Arg4,Arg5)
0041E9A4 |. 33D2 XOR EDX,EDX
0041E9A6 |. 85C0 TEST EAX,EAX
0041E9A8 |. 7E 41 JLE SHORT 0041E9EB
0041E9AA |. 53 PUSH EBX
0041E9AB |. 55 PUSH EBP
0041E9AC |. 8B6C24 1C MOV EBP,DWORD PTR SS:[ARG.5]
0041E9B0 |. 56 PUSH ESI
0041E9B1 |. 8B7424 18 MOV ESI,DWORD PTR SS:[ARG.3]
0041E9B5 |. 57 PUSH EDI
0041E9B6 |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ARG.1]
0041E9BA |. 8BD8 MOV EBX,EAX
0041E9BC |. 8D6424 00 LEA ESP,[LOCAL.3]
0041E9C0 |> 8A042A /MOV AL,BYTE PTR DS:[EBP+EDX]
0041E9C3 |. 3207 |XOR AL,BYTE PTR DS:[EDI]
0041E9C5 |. B9 04000000 |MOV ECX,4
0041E9CA |. 90 |NOP
0041E9CB |. 66:0FB6C0 |MOVZX AX,AL
0041E9CF |. D3E0 |SHL EAX,CL
0041E9D1 |. 8ACC |MOV CL,AH
0041E9D3 |. 0AC8 |OR CL,AL
0041E9D5 |. 80F1 F0 |XOR CL,F0
0041E9D8 |. 42 |INC EDX
0041E9D9 |. 83FA 20 |CMP EDX,20
0041E9DC |. 880E |MOV BYTE PTR DS:[ESI],CL
0041E9DE |. 7C 02 |JL SHORT 0041E9E2
0041E9E0 |. 33D2 |XOR EDX,EDX
0041E9E2 |> 46 |INC ESI
0041E9E3 |. 47 |INC EDI
0041E9E4 |. 4B |DEC EBX
0041E9E5 |.^ 75 D9 \JNE SHORT 0041E9C0
0041E9E7 |. 5F POP EDI
0041E9E8 |. 5E POP ESI
0041E9E9 |. 5D POP EBP
0041E9EA |. 5B POP EBX
0041E9EB |> B0 01 MOV AL,1
0041E9ED \. C3 RETN
Part1 of Decryption on MatchAgent:
Code:
CPU Disasm
Address Hex dump Command Comments
0041E8F0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2]
0041E8F4 |. 56 PUSH ESI
0041E8F5 |. 33F6 XOR ESI,ESI
0041E8F7 |. 85C0 TEST EAX,EAX
0041E8F9 |. 7E 52 JLE SHORT 0041E94D
0041E8FB |. 53 PUSH EBX
0041E8FC |. 55 PUSH EBP
0041E8FD |. 8B6C24 18 MOV EBP,DWORD PTR SS:[ARG.3]
0041E901 |. 57 PUSH EDI
0041E902 |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ARG.1]
0041E906 |. 894424 18 MOV DWORD PTR SS:[ARG.2],EAX
0041E90A |. 8D9B 00000000 LEA EBX,[EBX]
0041E910 |> 8A07 /MOV AL,BYTE PTR DS:[EDI]
0041E912 |. BB 04000000 |MOV EBX,4
0041E917 |. 90 |NOP
0041E918 |. B2 0F |MOV DL,0F
0041E91A |. EB 02 |JMP SHORT 0041E91E
0041E91C | 90 |NOP
0041E91D | 90 |NOP
0041E91E |> 34 F0 |XOR AL,F0
0041E920 |. 22D0 |AND DL,AL
0041E922 |. B9 08000000 |MOV ECX,8
0041E927 |. 2BCB |SUB ECX,EBX
0041E929 |. D2E2 |SHL DL,CL
0041E92B |. 8ACB |MOV CL,BL
0041E92D |. D2E8 |SHR AL,CL
0041E92F |. 0AD0 |OR DL,AL
0041E931 |. 32142E |XOR DL,BYTE PTR DS:[EBP+ESI]
0041E934 |. 46 |INC ESI
0041E935 |. 83FE 20 |CMP ESI,20
0041E938 |. 8817 |MOV BYTE PTR DS:[EDI],DL
0041E93A |. 7C 02 |JL SHORT 0041E93E
0041E93C |. 33F6 |XOR ESI,ESI
0041E93E |> 8B4424 18 |MOV EAX,DWORD PTR SS:[ARG.2]
0041E942 |. 47 |INC EDI
0041E943 |. 48 |DEC EAX
0041E944 |. 894424 18 |MOV DWORD PTR SS:[ARG.2],EAX
0041E948 |.^ 75 C6 \JNE SHORT 0041E910
0041E94A |. 5F POP EDI
0041E94B |. 5D POP EBP
0041E94C |. 5B POP EBX
0041E94D |> B0 01 MOV AL,1
0041E94F |. 5E POP ESI
0041E950 \. C3 RETN
Part2 of Decryption on MatchAgent:
Code:
CPU Disasm
Address Hex dump Command Comments
0041E9F0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2]
0041E9F4 |. 56 PUSH ESI
0041E9F5 |. 33F6 XOR ESI,ESI
0041E9F7 |. 85C0 TEST EAX,EAX
0041E9F9 |. 7E 58 JLE SHORT 0041EA53
0041E9FB |. 53 PUSH EBX
0041E9FC |. 55 PUSH EBP
0041E9FD |. 8B6C24 10 MOV EBP,DWORD PTR SS:[ARG.1]
0041EA01 |. 57 PUSH EDI
0041EA02 |. 8B7C24 1C MOV EDI,DWORD PTR SS:[ARG.3]
0041EA06 |. 894424 18 MOV DWORD PTR SS:[ARG.2],EAX
0041EA0A |. 8D9B 00000000 LEA EBX,[EBX]
0041EA10 |> 8A45 00 /MOV AL,BYTE PTR SS:[EBP]
0041EA13 |. BB 04000000 |MOV EBX,4
0041EA18 |. 90 |NOP
0041EA19 |. B2 0F |MOV DL,0F
0041EA1B |. EB 02 |JMP SHORT 0041EA1F
0041EA1D | 90 |NOP
0041EA1E | 90 |NOP
0041EA1F |> 34 F0 |XOR AL,F0
0041EA21 |. 22D0 |AND DL,AL
0041EA23 |. B9 08000000 |MOV ECX,8
0041EA28 |. 2BCB |SUB ECX,EBX
0041EA2A |. D2E2 |SHL DL,CL
0041EA2C |. 8ACB |MOV CL,BL
0041EA2E |. D2E8 |SHR AL,CL
0041EA30 |. 0AD0 |OR DL,AL
0041EA32 |. 8B4424 24 |MOV EAX,DWORD PTR SS:[ARG.5]
0041EA36 |. 321406 |XOR DL,BYTE PTR DS:[EAX+ESI]
0041EA39 |. 46 |INC ESI
0041EA3A |. 83FE 20 |CMP ESI,20
0041EA3D |. 8817 |MOV BYTE PTR DS:[EDI],DL
0041EA3F |. 7C 02 |JL SHORT 0041EA43
0041EA41 |. 33F6 |XOR ESI,ESI
0041EA43 |> 8B4424 18 |MOV EAX,DWORD PTR SS:[ARG.2]
0041EA47 |. 47 |INC EDI
0041EA48 |. 45 |INC EBP
0041EA49 |. 48 |DEC EAX
0041EA4A |. 894424 18 |MOV DWORD PTR SS:[ARG.2],EAX
0041EA4E |.^ 75 C0 \JNE SHORT 0041EA10
0041EA50 |. 5F POP EDI
0041EA51 |. 5D POP EBP
0041EA52 |. 5B POP EBX
0041EA53 |> B0 01 MOV AL,1
0041EA55 |. 5E POP ESI
0041EA56 \. C3 RETN
---Gunz.exe----
Part1 of Encryption on Gunz.exe:
Code:
CPU Disasm
Address Hex dump Command Comments
0051E750 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2]
0051E754 |. 33D2 XOR EDX,EDX
0051E756 |. 85C0 TEST EAX,EAX
0051E758 |. 7E 3F JLE SHORT 0051E799
0051E75A |. 55 PUSH EBP
0051E75B |. 56 PUSH ESI
0051E75C |. 8B7424 0C MOV ESI,DWORD PTR SS:[ARG.1]
0051E760 |. 57 PUSH EDI
0051E761 |. 8B7C24 18 MOV EDI,DWORD PTR SS:[ARG.3]
0051E765 |. 8BE8 MOV EBP,EAX
0051E767 |. EB 07 JMP SHORT 0051E770
0051E769 | 8DA424 000000 LEA ESP,[ESP]
0051E770 |> 8A043A /MOV AL,BYTE PTR DS:[EDI+EDX]
0051E773 |. 3206 |XOR AL,BYTE PTR DS:[ESI]
0051E775 |. 8B0D 508F6800 |MOV ECX,DWORD PTR DS:[688F50]
0051E77B |. 66:0FB6C0 |MOVZX AX,AL
0051E77F |. D3E0 |SHL EAX,CL
0051E781 |. 8ACC |MOV CL,AH
0051E783 |. 0AC8 |OR CL,AL
0051E785 |. 80F1 F0 |XOR CL,F0
0051E788 |. 42 |INC EDX
0051E789 |. 83FA 20 |CMP EDX,20
0051E78C |. 880E |MOV BYTE PTR DS:[ESI],CL
0051E78E |. 7C 02 |JL SHORT 0051E792
0051E790 |. 33D2 |XOR EDX,EDX
0051E792 |> 46 |INC ESI
0051E793 |. 4D |DEC EBP
0051E794 |.^ 75 DA \JNE SHORT 0051E770
0051E796 |. 5F POP EDI
0051E797 |. 5E POP ESI
0051E798 |. 5D POP EBP
0051E799 |> B0 01 MOV AL,1
0051E79B \. C3 RETN
Part2 of Encryption on Gunz.exe:
Code:
CPU Disasm
Address Hex dump Command Comments
0051E850 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2]
0051E854 |. 33D2 XOR EDX,EDX
0051E856 |. 85C0 TEST EAX,EAX
0051E858 |. 7E 41 JLE SHORT 0051E89B
0051E85A |. 53 PUSH EBX
0051E85B |. 55 PUSH EBP
0051E85C |. 8B6C24 1C MOV EBP,DWORD PTR SS:[ARG.5]
0051E860 |. 56 PUSH ESI
0051E861 |. 8B7424 18 MOV ESI,DWORD PTR SS:[ARG.3]
0051E865 |. 57 PUSH EDI
0051E866 |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ARG.1]
0051E86A |. 8BD8 MOV EBX,EAX
0051E86C |. 8D6424 00 LEA ESP,[LOCAL.3]
0051E870 |> 8A042A /MOV AL,BYTE PTR DS:[EBP+EDX]
0051E873 |. 3207 |XOR AL,BYTE PTR DS:[EDI]
0051E875 |. 8B0D 508F6800 |MOV ECX,DWORD PTR DS:[688F50]
0051E87B |. 66:0FB6C0 |MOVZX AX,AL
0051E87F |. D3E0 |SHL EAX,CL
0051E881 |. 8ACC |MOV CL,AH
0051E883 |. 0AC8 |OR CL,AL
0051E885 |. 80F1 F0 |XOR CL,F0
0051E888 |. 42 |INC EDX
0051E889 |. 83FA 20 |CMP EDX,20
0051E88C |. 880E |MOV BYTE PTR DS:[ESI],CL
0051E88E |. 7C 02 |JL SHORT 0051E892
0051E890 |. 33D2 |XOR EDX,EDX
0051E892 |> 46 |INC ESI
0051E893 |. 47 |INC EDI
0051E894 |. 4B |DEC EBX
0051E895 |.^ 75 D9 \JNE SHORT 0051E870
0051E897 |. 5F POP EDI
0051E898 |. 5E POP ESI
0051E899 |. 5D POP EBP
0051E89A |. 5B POP EBX
0051E89B |> B0 01 MOV AL,1
0051E89D \. C3 RETN
Part1 of Decryption on Gunz.exe:
Code:
CPU Disasm
Address Hex dump Command Comments
0051E7A0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2]
0051E7A4 |. 56 PUSH ESI
0051E7A5 |. 33F6 XOR ESI,ESI
0051E7A7 |. 85C0 TEST EAX,EAX
0051E7A9 |. 7E 52 JLE SHORT 0051E7FD
0051E7AB |. 53 PUSH EBX
0051E7AC |. 55 PUSH EBP
0051E7AD |. 8B6C24 18 MOV EBP,DWORD PTR SS:[ARG.3]
0051E7B1 |. 57 PUSH EDI
0051E7B2 |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ARG.1]
0051E7B6 |. 894424 18 MOV DWORD PTR SS:[ARG.2],EAX
0051E7BA |. 8D9B 00000000 LEA EBX,[EBX]
0051E7C0 |> 8A07 /MOV AL,BYTE PTR DS:[EDI]
0051E7C2 |. 8B1D 508F6800 |MOV EBX,DWORD PTR DS:[688F50]
0051E7C8 |. 8A15 D8F0DD01 |MOV DL,BYTE PTR DS:[1DDF0D8]
0051E7CE |. 34 F0 |XOR AL,F0
0051E7D0 |. 22D0 |AND DL,AL
0051E7D2 |. B9 08000000 |MOV ECX,8
0051E7D7 |. 2BCB |SUB ECX,EBX
0051E7D9 |. D2E2 |SHL DL,CL
0051E7DB |. 8ACB |MOV CL,BL
0051E7DD |. D2E8 |SHR AL,CL
0051E7DF |. 0AD0 |OR DL,AL
0051E7E1 |. 32142E |XOR DL,BYTE PTR DS:[EBP+ESI]
0051E7E4 |. 46 |INC ESI
0051E7E5 |. 83FE 20 |CMP ESI,20
0051E7E8 |. 8817 |MOV BYTE PTR DS:[EDI],DL
0051E7EA |. 7C 02 |JL SHORT 0051E7EE
0051E7EC |. 33F6 |XOR ESI,ESI
0051E7EE |> 8B4424 18 |MOV EAX,DWORD PTR SS:[ARG.2]
0051E7F2 |. 47 |INC EDI
0051E7F3 |. 48 |DEC EAX
0051E7F4 |. 894424 18 |MOV DWORD PTR SS:[ARG.2],EAX
0051E7F8 |.^ 75 C6 \JNE SHORT 0051E7C0
0051E7FA |. 5F POP EDI
0051E7FB |. 5D POP EBP
0051E7FC |. 5B POP EBX
0051E7FD |> B0 01 MOV AL,1
0051E7FF |. 5E POP ESI
0051E800 \. C3 RETN
Part2 of Decryption on Gunz.exe:
Code:
CPU Disasm
Address Hex dump Command Comments
0051E8A0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2]
0051E8A4 |. 56 PUSH ESI
0051E8A5 |. 33F6 XOR ESI,ESI
0051E8A7 |. 85C0 TEST EAX,EAX
0051E8A9 |. 7E 58 JLE SHORT 0051E903
0051E8AB |. 53 PUSH EBX
0051E8AC |. 55 PUSH EBP
0051E8AD |. 8B6C24 10 MOV EBP,DWORD PTR SS:[ARG.1]
0051E8B1 |. 57 PUSH EDI
0051E8B2 |. 8B7C24 1C MOV EDI,DWORD PTR SS:[ARG.3]
0051E8B6 |. 894424 18 MOV DWORD PTR SS:[ARG.2],EAX
0051E8BA |. 8D9B 00000000 LEA EBX,[EBX]
0051E8C0 |> 8A45 00 /MOV AL,BYTE PTR SS:[EBP]
0051E8C3 |. 8B1D 508F6800 |MOV EBX,DWORD PTR DS:[688F50]
0051E8C9 |. 8A15 D8F0DD01 |MOV DL,BYTE PTR DS:[1DDF0D8]
0051E8CF |. 34 F0 |XOR AL,F0
0051E8D1 |. 22D0 |AND DL,AL
0051E8D3 |. B9 08000000 |MOV ECX,8
0051E8D8 |. 2BCB |SUB ECX,EBX
0051E8DA |. D2E2 |SHL DL,CL
0051E8DC |. 8ACB |MOV CL,BL
0051E8DE |. D2E8 |SHR AL,CL
0051E8E0 |. 0AD0 |OR DL,AL
0051E8E2 |. 8B4424 24 |MOV EAX,DWORD PTR SS:[ARG.5]
0051E8E6 |. 321406 |XOR DL,BYTE PTR DS:[EAX+ESI]
0051E8E9 |. 46 |INC ESI
0051E8EA |. 83FE 20 |CMP ESI,20
0051E8ED |. 8817 |MOV BYTE PTR DS:[EDI],DL
0051E8EF |. 7C 02 |JL SHORT 0051E8F3
0051E8F1 |. 33F6 |XOR ESI,ESI
0051E8F3 |> 8B4424 18 |MOV EAX,DWORD PTR SS:[ARG.2]
0051E8F7 |. 47 |INC EDI
0051E8F8 |. 45 |INC EBP
0051E8F9 |. 48 |DEC EAX
0051E8FA |. 894424 18 |MOV DWORD PTR SS:[ARG.2],EAX
0051E8FE |.^ 75 C0 \JNE SHORT 0051E8C0
0051E900 |. 5F POP EDI
0051E901 |. 5D POP EBP
0051E902 |. 5B POP EBX
0051E903 |> B0 01 MOV AL,1
0051E905 |. 5E POP ESI
0051E906 \. C3 RETN
THIS IS IMPORTANT, FUCKING READ
You MUST do the same on MatchAgent, MatchServer and your runnable! It is EXACTLY the same as doing it on MatchServer, as I just did. EXACTLY the same.
Locator does NOT need anything changed.
This was short lol. I'll leave with a few tips.
1) The regular decryption routine will always have this:
Code:
0044E543 |. B9 08000000 |MOV ECX,8
; (I'm talking about the MOV ECX, 8)
2) As said above, there are 2 functions you need to change on both the encryption and decryption routine, on each .EXE.
3) The first XOR <reg>, 0F0 will be the first ENCRYPTION routine, the second XOR <reg>, 0F0 will be the first DECRYPTION routine, the third XOR <reg>, 0F0 will be the second ENCRYPTION routine, and the last XOR <reg>, 0F0 will be the second DECRYPTION routine. (As shown in the picture)
I did not make any changes, I just showed what you need to find and change. I may release a patcher that will change it automatically, but don't hold your breath.
WARNING
This is now public, however, it was extremely easy to find and change. Beware of people attempting to hack your server, they can know your new encryption too by this tutorial. This isn't for hacking, it's for Gunz development. But since it's just like the MRS tutorial, hackers can just use that tutorial, oh well. Enjoy
(To the smart asses, I knew this for a few months. My first attempt at changing the packet encryption/decryption routine succeeded, and it only took 20 minutes)
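As an added example (not part of the thread and not the game's own code), the four listings above written out in Python so the role of the F0 immediate is visible: each byte is XORed with a 32-byte key, rotated, then XORed with the constant, and decryption undoes it in reverse. Assumed values: the shift read from [598224]/[688F50] is 4 and the mask byte at [6E9C9C]/[1DDF0D8] is 0x0F (the MatchAgent build hard-codes exactly those via MOV ECX,4 / MOV EBX,4 and MOV DL,0F); the key and packet are constructed samples, and the function names are mine.

```python
# Python model of the GunZ packet XOR/rotate routine from the OllyDbg listings.
# Not the project's code: a re-expression of the disassembly for study.
# Assumed: shift == 4 and mask == 0x0F (hard-coded in the MatchAgent build).

KEY_LEN = 0x20          # CMP EDX,20 / CMP ESI,20: key index wraps every 32 bytes
DEFAULT_CONST = 0xF0    # the XOR CL,F0 / XOR AL,F0 immediate the tutorial edits


def _rotl8(x, s):
    """MOVZX AX,AL; SHL EAX,CL; MOV CL,AH; OR CL,AL  ==  byte rotate-left by s."""
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _rotr8(x, s, mask):
    """AND DL,mask; SHL DL,(8-s); SHR AL,s; OR DL,AL.
    Only a true rotate-right when mask == (1 << s) - 1, e.g. 0x0F for s == 4."""
    return (((x & mask) << (8 - s)) | (x >> s)) & 0xFF


def encrypt(data, key, const=DEFAULT_CONST, shift=4):
    """Part 1/2 of Encryption: out[i] = rotl8(in[i] ^ key[i % 32], shift) ^ const."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 32 bytes")
    return bytes(_rotl8(b ^ key[i % KEY_LEN], shift) ^ const
                 for i, b in enumerate(data))


def decrypt(data, key, const=DEFAULT_CONST, shift=4, mask=0x0F):
    """Part 1/2 of Decryption: out[i] = rotr8(in[i] ^ const, shift) ^ key[i % 32]."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 32 bytes")
    return bytes(_rotr8(b ^ const, shift, mask) ^ key[i % KEY_LEN]
                 for i, b in enumerate(data))


# Constructed sample key and packet (not values taken from the game).
SAMPLE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(KEY_LEN))
SAMPLE_PACKET = b"MatchServer sample payload (constructed, >32 bytes)"


def round_trip_ok(const_server, const_client):
    """True when a client built with const_client decrypts what a server built
    with const_server sent; False models the 'different runnable' case where
    only one side was patched (the constants then differ and every byte is off)."""
    wire = encrypt(SAMPLE_PACKET, SAMPLE_KEY, const_server)
    return decrypt(wire, SAMPLE_KEY, const_client) == SAMPLE_PACKET


if __name__ == "__main__":
    print("F0/F0 matched :", round_trip_ok(0xF0, 0xF0))
    print("F6/F6 matched :", round_trip_ok(0xF6, 0xF6))
    print("F6/F0 mismatch:", round_trip_ok(0xF6, 0xF0))
```

Note that this is a keyed XOR plus a fixed rotate, so changing the constant only makes binaries with mismatched constants fail to interoperate; as the warning above says, anyone who can read the binary recovers the new value just as easily.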
Re: [Tut] Changing the Packet Encryption
Thanks for the tutorial , I love you(homo indeed).
Re: [Tut] Changing the Packet Encryption
Thanks man.
It's a good thing you used July 2008 instead of October 2008 as an example!
Re: [Tut] Changing the Packet Encryption
yahoo, thanks a lot, this can be a help to us
Re: [Tut] Changing the Packet Encryption
Guys, in extremely simple terms, you just need to edit this much:
Code:
July 08 MatchServer (Encryption):
0044E3F5 XOR CL,F6
0044E4F5 XOR CL,F6
July 08 MatchServer (Decryption):
0044E43E XOR AL,F6
0044E53F XOR AL,F6
July 08 MatchAgent (Encryption):
0041E8D5 XOR CL,F6
0041E9D5 XOR CL,F6
July 08 MatchAgent (Decryption):
0041E91E XOR AL,F6
0041EA1F XOR AL,F6
July 08 Runnable (Encryption):
0051E785 XOR CL,F6
0051E885 XOR CL,F6
July 08 Runnable (Decryption):
0051E7CE XOR AL,F6
0051E8CF XOR AL,F6
The long codes Penguin posted are to show you and explain the things. If you want to change the packet encryption without breaking your head with this, just edit what I posted above. The other lines are there by default in the July 08 files.
Note: Penguin has shown us the 'F0' Encryption/Decryption routine which is used by default in the July 2008 files. You should have something custom like 'F6' or any other valid hex value before 'F9' since anything above that, say '3C7' which is 967, won't work because of the maximum limit of the data type.
You can choose anything before F9 like F6 or E1 or A2 etc.
Just edit 4 lines each in the server, agent and client and you're done.
Credits to Penguin.
Re: [Tut] Changing the Packet Encryption
Wouldn't be surprised if Phoenix got more likes than PenguinGuy haha.
Re: [Tut] Changing the Packet Encryption
Thanks to Your Master a.k.a Penguin for releasing this great stuff out here! and Phoenix for making it look way easy...
Re: [Tut] Changing the Packet Encryption
hello friends, what is the benefit of using this method?
Re: [Tut] Changing the Packet Encryption
Quote:
Originally Posted by
SPAIKE
hello friends, what is the benefit of using this method?
Helps prevent people from using bots / sending malicious, malformed packets from an external program (known as a bot, to an extent). And it also helps against people from using a different runnable (theduel.exe / gunz.exe) than the one you make.
Re: [Tut] Changing the Packet Encryption
Quote:
Originally Posted by
Your Master
Helps prevent people from using bots / sending malicious, malformed packets from an external program (known as a bot, to an extent). And it also helps against people from using a different runnable (theduel.exe / gunz.exe) than the one you make.
thanks for contributing,
btw, you got married?! :O
gz dude =)
Re: [Tut] Changing the Packet Encryption
Quote:
Originally Posted by
Aiona
thanks for contributing,
btw, you got married?! :O
gz dude =)
No problem. Nah, I didn't. Me and my girl are waiting another year.
Re: [Tut] Changing the Packet Encryption
Good day, I wonder if I do this method anyone down with me kore?
I do look like this:
no encrypt:
"0044E3C0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2] "
encrypt:
"XOR CL,F0"?
thanks
Re: [Tut] Changing the Packet Encryption
Quote:
Originally Posted by
fuincon1sejs
Good day, I wonder if I do this method anyone down with me kore?
I do look like this:
no encrypt:
"0044E3C0 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ARG.2] "
encrypt:
"XOR CL,F0"?
thanks
I'm sorry, I can not understand your English.
Re: [Tut] Changing the Packet Encryption
Travis, look into changing the login packet itself too ^.~ It doesn't require any changes to the MatchAgent, only server+client, and it's just another layer of protection. I don't have the address off the top of my head but it's fairly simple.
Re: [Tut] Changing the Packet Encryption
Thanks for the tutorial dude.
Re: [Tut] Changing the Packet Encryption
Nice tutorial, thanks man!