Monday, January 4, 2010

Overview of GameFart Part II

Hmm, this is going to be a bit long x.x...

Aight, let's start with the ini:
[GameFort]
Open=RoxinityRO.bin
Exe=4464D6275A611BF5BF822EDBE66A8DF6
DLL=2A3F6E32BEEFD0C026D52E98D00641CC
Server=4B554C42304868774767514E306E726C7243383D
[Data]
0=92DECAED277BAA1F7F27956007A37A77DADBFAE0E9334B441F7AC30D030FF699
1=73726B522F305141562F57414B7A6372356761486230474231686B69756558487A6D7A63696E6B47716F633D
2=7865704D737A5233
3=784F315073544234
4=7A2B6C4C76444A34


NOTE: All those values are hex-encoded bytes, which means they aren't regular string values (for example 7865704D737A5233 means 0x78, 0x65, 0x70, 0x4D, 0x73, 0x7A, 0x52, 0x33).

When we decrypt the Data0 value with our universal key (hard coded and probably won't change on different servers)
char key [] = {0x05, 0xDD, 0x9E, 0x47, 0xE7, 0xA0, 0x41, 0xF1, 0x9A, 0x4B, 0xEB, 0xA4, 0x4D, 0xD7, 0x88, 0x39,
0xD9, 0x82, 0x23, 0xCB, 0x6C, 0x15, 0xBD, 0x5E, 0xFE, 0xA7, 0x48, 0xE8, 0x91, 0x23, 0xC3, 0x74};

using the Rijndael algorithm, we get the second Rijndael key, which is used for map packet encryption (check the first part for it).

So we know how to encrypt the map packet, but the login packet is the problem..

First I'll start with the second hard coded value:
hsjshd783738ysucy87gb7vggxgfghf345\QW7E9BCIUYW8W786Jghjgu

This is our second key, but it isn't the raw key: to obtain the real key we need its SHA-1 hash. What it's used for was the problem. Anyway, we use it in another encryption algorithm, RC4. So in order to decrypt the Data2, Data3 and Data4 values (which are very important) we need RC4, but before decrypting we need a custom filter. Check the code below for that custom filter and the RC4 algorithm.

https://sourceforge.net/projects/clientpatcher/files/Miscellaneous/GameFort/RC4.cpp/download
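As an added example (not code from the post or from GameFort), here is a Python parser for the ini layout above: it hex-decodes every field except Open, flags which fields come out as printable ASCII rather than raw binary, and derives the 20-byte RC4 key as the SHA-1 of the hard-coded seed string. The custom filter and the Rijndael/RC4 decryption themselves are left to the linked RC4.cpp.

```python
import configparser
import hashlib

# Constructed sample: the ini block quoted in the post, verbatim.
GAMEFORT_INI = """\
[GameFort]
Open=RoxinityRO.bin
Exe=4464D6275A611BF5BF822EDBE66A8DF6
DLL=2A3F6E32BEEFD0C026D52E98D00641CC
Server=4B554C42304868774767514E306E726C7243383D
[Data]
0=92DECAED277BAA1F7F27956007A37A77DADBFAE0E9334B441F7AC30D030FF699
1=73726B522F305141562F57414B7A6372356761486230474231686B69756558487A6D7A63696E6B47716F633D
2=7865704D737A5233
3=784F315073544234
4=7A2B6C4C76444A34
"""

# Hard-coded key material quoted in the post.
RIJNDAEL_KEY = bytes([0x05, 0xDD, 0x9E, 0x47, 0xE7, 0xA0, 0x41, 0xF1, 0x9A, 0x4B, 0xEB, 0xA4, 0x4D, 0xD7, 0x88, 0x39,
                      0xD9, 0x82, 0x23, 0xCB, 0x6C, 0x15, 0xBD, 0x5E, 0xFE, 0xA7, 0x48, 0xE8, 0x91, 0x23, 0xC3, 0x74])
RC4_SEED = r"hsjshd783738ysucy87gb7vggxgfghf345\QW7E9BCIUYW8W786Jghjgu"


def parse_gamefort_ini(text):
    """Return {"Section.Key": value}; every field except Open is hex-decoded to bytes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "Exe" and "DLL" survive as written
    cp.read_string(text)
    fields = {}
    for section in cp.sections():
        for key, value in cp[section].items():
            # Open is the only plain-string field; the rest are hex-encoded bytes.
            fields[f"{section}.{key}"] = value if key == "Open" else bytes.fromhex(value)
    return fields


def printable_ascii(raw):
    """Decode raw bytes as ASCII if every byte is printable, else None (binary)."""
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def rc4_key_from_seed(seed=RC4_SEED):
    """Per the post, the RC4 key is the SHA-1 of the hard-coded seed string (20 bytes)."""
    return hashlib.sha1(seed.encode("ascii")).digest()


if __name__ == "__main__":
    for name, value in parse_gamefort_ini(GAMEFORT_INI).items():
        shown = value if isinstance(value, str) else (printable_ascii(value) or value.hex())
        print(f"{name:14} {len(value):3} {shown}")
    print("Rijndael key bytes:", len(RIJNDAEL_KEY), "RC4 key bytes:", len(rc4_key_from_seed()))
```

Running it shows that Data0, Exe and DLL are genuinely binary, while Data2, 3 and 4 happen to decode as printable 8-character ASCII strings before the RC4 step.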

Anyway, when we decrypt the Data2, 3 and 4 values with this code we obtain three values, which for this ini are 813638, 960477 and 224957. Yeah, some numbers, but stored as strings. Let's talk about the login packet, which is 6400. This version of GameFort encrypts the login packet with this routine: change the first two bytes to 2A00, then skip 29 bytes and encrypt 24 bytes (which is the password field, I assume..). And here's our special encryption algorithm:

https://sourceforge.net/projects/clientpatcher/files/Miscellaneous/GameFort/LOGIN_CRYPT.cpp/download

Jeez as I thought that was long >_>''