Friday, March 12, 2010

Monday, January 4, 2010

Overview of GameFart Part II

Hmm, this is going to be a bit long x.x...

Aight let's start with ini;

NOTE: All those values are byte hex value's which means they aren't regular string values. (for example 7865704D737A5233 means 0x78, 0x65, 0x70, 0x4D, 0x73, 0x7A, 0x52, 0x33)

When we decrypt Data0 value with our universal key (hard coded and probably won't change on different servers)
char key [] = {0x05, 0xDD, 0x9E, 0x47, 0xE7, 0xA0, 0x41, 0xF1, 0x9A, 0x4B, 0xEB, 0xA4, 0x4D, 0xD7, 0x88, 0x39,
0xD9, 0x82, 0x23, 0xCB, 0x6C, 0x15, 0xBD, 0x5E, 0xFE, 0xA7, 0x48, 0xE8, 0x91, 0x23, 0xC3, 0x74};

by using rijndael algorithm it's going to give us second rijndael key which is used for map packet encryption. (Check first part for it)

So we know how to encrypt map packet but login packet is the problem..

First I'll start with second hard coded value;

This is our second key but this isn't raw key, in order to obtain real key we need its SHA-1 hash value but what's it used for that's the problem. Anyways, we're going to use it in another encryption algorithm called RC4. So basically in order to decrypt Data2, Data3 and Data4 values (which is very important) we need RC4 but before decrypting we need a custom filter. Check the code below for that custom filter and RC4 algorithm.

Anyways when we decrypt Data2,3,4 values with this code we'll obtain three values which is going to be for this ini; 813638, 960477 and 224957. Yeah some numbers but written in string. Let's talk about login packet which is 6400. This version of gamefort's encrypting login packet with this routine; modify first two bytes to 2A00 then skip 29 bytes and encrypt 24 bytes (which is password field I assume..). And here's our special encryption algorithm:

Jeez as I thought that was long >_>''