Valhalla Legends Forums Archive | Battle.net Bot Development | [Warden Module] - 0x05 (RC4 Seed)

Fr3DBr
Hey,

I'm trying to figure out what could be the seed for the new RC4 keys...

1) Tried using gamehash (this is the seed for the first keypair)
2) Tried using 0x05 packet data

Neither worked to decode/encode the new packets, any hints? :)

Thanks.
January 25, 2010, 2:03 PM
Fr3DBr
I'm using the following code logic, just in case:

[code]
// Allocating New Key Buffers
Byte[] bInKey  = new Byte[0x102];
Byte[] bOutKey = new Byte[0x102];

// Extracting 0x05 RC4 Key Seed (Removing 0x05 opcode out of the array)
Byte[] pKeySeed = new Byte[bWardenPkt.Length - 1];
Array.Copy(bWardenPkt, 1, pKeySeed, 0, bWardenPkt.Length - 1);

// Generating RC4 Keys
CD2Security.GenRC4Keys(pKeySeed, pKeySeed.Length);      // Telling Warden to Generate the New RC4 Key Pair

// Reading Keys from Warden Module
CD2Security.GetRC4Keys(bInKey, bOutKey);                // Getting The New Warden Module RC4 Key Pair

// Sending the Packet to Warden Packet Handler
Byte[] bOPCrypt  = new Byte[1024];                    // Warden Output Packet
CD2Security.CryptWithKey(bWardenPkt, bInKey);          // Crypting 0x05 w/ new 'in-key'
CD2Security.WardenPacketHandler(bWardenPkt, bWardenPkt.Length, bOPCrypt);
Int32 nOutSize    = BitConverter.ToInt32(bOPCrypt, 0);
Byte[] bOutPacket = new Byte[nOutSize];
Array.Copy(bOPCrypt, 4, bOutPacket, 0, nOutSize);      // Extracting the 0x04 reply that follows the 4-byte length prefix
CD2Security.CryptWithKey(bOutPacket, bOutKey);          // Crypting 0x04 w/ old 'out-key'

// Sending 0x05->(0x04) Reply
pkt.Opcode = 0x66;                                      // Warden Response
pkt.Write(bOutPacket, bOutPacket.Length);
Send(pkt, 1);                                          // Sending Warden Reply

// Setting New In-Key and Out-Key
CD2Security.SetRC4Key(0, bInKey);                      // Switching current 'in-key' by the new 'in-key'
CD2Security.SetRC4Key(1, bOutKey);                      // Switching current 'out-key' by the new 'out-key'

// Unloading Warden
GlobalVars.d.WriteLog("UNLOADING WARDEN...");
CD2Security.Unload();                                  // Unloading Warden Module

// Finishing Log
GlobalVars.d.WriteLog("---------------------------------------------------------------------------");
[/code]
January 25, 2010, 4:01 PM
Fr3DBr
Follow me on twitter lol :P

http://twitter.com/Fr3DBr
January 25, 2010, 4:06 PM
HdxBmx27
The seed for the new keys is actually the data in 0x05 S->C, and the response is generated using a module specific MD5 function. AFAIK nobody has actually bothered to reverse all of them, so the general practice is to handle everything but 0x05 yourself, and send 0x05 to the module to be handled, extracting the keys afterwards.
January 25, 2010, 9:46 PM
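As an added illustration (not the thread's code, and not the Warden module's own key derivation, which HdxBmx27 notes is module specific and unpublished), here is a small Python model of the two-direction RC4 state handling the C# snippet above relies on, showing why a packet encrypted after the 0x05 rekey only decrypts with the new pair. Assumptions: the 0x102-byte key buffer is the RC4 S-box followed by the i and j indices, the module output buffer starts with a 4-byte little-endian length, and the seeds are constructed sample values.

```python
import struct

STATE_LEN = 0x102  # assumed layout: 256-byte S-box + i + j, like the bInKey/bOutKey buffers

def rc4_ksa(key: bytes) -> bytearray:
    """Key scheduling; returns a fresh 0x102-byte RC4 state with i = j = 0."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return bytearray(s) + bytearray(2)

def crypt_with_state(data: bytes, state: bytearray) -> bytes:
    """RC4 PRGA: XOR data with the keystream and advance the state in place,
    so a later call continues the stream instead of restarting it."""
    s = list(state[:256])
    i, j = state[256], state[257]
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    state[:256] = bytes(s)
    state[256], state[257] = i, j
    return bytes(out)

def parse_module_output(buf: bytes) -> bytes:
    """Module output buffer (assumed): 4-byte little-endian length, then the reply."""
    (n,) = struct.unpack_from("<I", buf, 0)
    return bytes(buf[4:4 + n])

def demo_rekey() -> dict:
    """Both ends share an RC4 pair; after the 0x05 rekey only the new pair decrypts."""
    seed_first, seed_rekey = b"constructed-first-seed", b"constructed-0x05-seed"
    srv_out, cli_in = rc4_ksa(seed_first), rc4_ksa(seed_first)
    plain1 = b"\x02check-before-rekey"
    got1 = crypt_with_state(crypt_with_state(plain1, srv_out), cli_in)  # in sync
    stale = bytearray(cli_in)                  # a client that never swapped its in-key
    srv_out, cli_in = rc4_ksa(seed_rekey), rc4_ksa(seed_rekey)  # both sides switch
    plain2 = b"\x02check-after-rekey"
    wire2 = crypt_with_state(plain2, srv_out)
    with_stale = crypt_with_state(wire2, stale)
    with_new = crypt_with_state(wire2, cli_in)
    module_buf = struct.pack("<I", len(plain2)) + plain2 + bytes(16)  # constructed buffer
    return {"before_ok": got1 == plain1, "stale_ok": with_stale == plain2,
            "new_ok": with_new == plain2, "parsed": parse_module_output(module_buf)}
```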
Fr3DBr
Seems I got it to work lol, thanks HDX

[code]
[Log 25/01/2010 20:46:07]-> ---------------------------------------------------------------------------
[Log 25/01/2010 20:46:07]-> WARDEN MODULE CHECK
[Log 25/01/2010 20:46:07]-> MODULE NAME (MD5) : 76FF4DAFB4D153BD32B47C25A32D4CAB
[Log 25/01/2010 20:46:07]-> MODULE KEY  (RC4) : 777FC6A24FFF7089CBE0631BE8BF9A0D
[Log 25/01/2010 20:46:07]-> MODULE SIZE      : 17623 Bytes
[Log 25/01/2010 20:46:07]-> ---------------------------------------------------------------------------
[Log 25/01/2010 20:46:07]-> PREPARING MODULE...
[Log 25/01/2010 20:46:07]-> MODULE STATUS : READY
[Log 25/01/2010 20:46:07]-> INITIALIZING MODULE...
[Log 25/01/2010 20:46:08]-> MODULE RUNNING...
[Log 25/01/2010 20:46:08]-> STORING NEW RC4 (WARDEN MODULE) KEYS...
[Log 25/01/2010 20:46:09]-> STORING NEW RC4 (WARDEN MODULE) KEYS...
[Log 25/01/2010 20:46:09]-> UNLOADING WARDEN...
[Log 25/01/2010 20:46:09]-> ---------------------------------------------------------------------------
[D2GS S->C] [OPCODE : 0x03] [LENGTH : 000036 BYTES]
OFFSET  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0123456789ABCDEF
--------------------------------------------------------------------------
000000  1D 00 B6 2A 39 E6 01 00 01 09 53 74 6F 72 6D 2E  ...*9.....Storm. 
000010  64 6C 6C 00 22 01 00 B0 02 01 00 40 3C 01 00 D0  dll."......@<... 
000020  17 01 00                                          ... 
--------------------------------------------------------------------------
[D2GS S->C] [OPCODE : 0x02] [LENGTH : 000154 BYTES]
OFFSET  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0123456789ABCDEF
--------------------------------------------------------------------------
000000  1C 64 61 74 61 5C 67 6C 6F 62 61 6C 5C 65 78 63  .data\global\exc 
000010  65 6C 5C 73 6B 69 6C 6C 73 2E 74 78 74 00 FE 01  el\skills.txt... 
000020  27 41 40 E7 BC 5A B0 96 F8 11 9D 54 47 A1 61 39  'A@..Z.....TG.a9 
000030  D2 72 98 D5 E2 A6 36 BB DE 7C 37 01 00 0C 27 A8  .r....6..|7...'. 
000040  62 BE 65 64 26 36 D7 8E 56 BC 54 0F CB 59 0D 07  b.ed&6..V.T..Y.. 
000050  31 98 09 72 AB 51 7F FC FC 01 00 1F 27 66 E2 42  1..r.Q......'f.B 
000060  46 C2 0F 51 E3 02 25 21 57 0E A3 98 0F CB 9C 6E  F..Q..%!W......n 
000070  2A 45 D8 78 BC D2 86 00 00 0F 27 73 A5 7A 8B 2B  *E.x......'s.z.+ 
000080  83 ED 68 4E 45 2F 5A 93 BC 07 80 77 E0 4B 72 A1  ..hNE/Z....w.Kr. 
000090  92 CF A7 69 32 00 00 24 16                        ...i2..$. 
--------------------------------------------------------------------------
[Log 25/01/2010 20:46:52]-> [D2GS] - Connection Interrupted. (0xB0)
[/code]
January 25, 2010, 11:23 PM