Hello,
I am trying to decrypt the packets of a MMO game. The encryption doesn't look really complex, but I am having problems since I don't have much experience. I would appreciate the help.
I will try to explain what I have found out so far. I am mostly looking at the login packets, because I can send different data via username/pass. First of all, the hex dumps of some packets:
-aaar
0000 00 00 46 00 01 55 18 cf 57 78 c6 36 19 a7 57 6b ..F..U..Wx.6..Wk
0010 c6 57 10 c6 36 19 a7 57 78 c6 25 19 c6 74 19 82 .W..6..Wx.%..t..
0020 57 2d c6 7a 19 f5 57 5d c6 7a 19 f1 57 5c c6 7a W-.z..W].z..W\.z
0030 19 f3 57 2d c6 7a 19 f1 57 5f c6 7a 19 82 57 5a ..W-.z..W_.z..WZ
0040 c6 57 1b c7 fa c7 .W....
-bbbr
0000 00 00 46 00 01 55 18 cf 57 7b c6 35 19 a4 57 6b ..F..U..W{.5..Wk
0010 c6 57 10 c6 35 19 a4 57 7b c6 25 19 c6 74 19 82 .W..5..W{.%..t..
0020 57 2d c6 7a 19 f5 57 5d c6 7a 19 f1 57 5c c6 7a W-.z..W].z..W\.z
0030 19 f3 57 2d c6 7a 19 f1 57 5f c6 7a 19 82 57 5a ..W-.z..W_.z..WZ
0040 c6 57 1b c7 fa c7 .W....
-cccr
0000 00 00 46 00 01 55 18 cf 57 7a c6 34 19 a5 57 6b ..F..U..Wz.4..Wk
0010 c6 57 10 c6 34 19 a5 57 7a c6 25 19 c6 74 19 82 .W..4..Wz.%..t..
0020 57 2d c6 7a 19 f5 57 5d c6 7a 19 f1 57 5c c6 7a W-.z..W].z..W\.z
0030 19 f3 57 2d c6 7a 19 f1 57 5f c6 7a 19 82 57 5a ..W-.z..W_.z..WZ
0040 c6 57 1b c7 fa c7 .W....
So these are login packets sent from client to server. I am sending aaar, bbbr etc. as username/pass. Looking at the differences in the packets, I have found out that the username/pass are encrypted like this (offset = 9):
-aaar
78 c6 (a) 36 19 (a) a7 57 (a) 6b c6 (r)
-bbbr
7b c6 (b) 35 19 (b) a4 57 (b) 6b c6 (r)
So 2 bytes represent each character, and it looks like 3 characters are used in a cycle to encrypt the letters. 57, c6 and 19 are repeated throughout the packet, in places related to username/pass. I came to the conclusion that they are somehow used as keys to encrypt data.
For a start I looked at how the letters can be encrypted using c6. After some trial and error I think the byte is XORed with c6.
a : 78 XOR c6 = 190
b : 7b XOR c6 = 189
c : 7a XOR c6 = 188
It seemed like a sequence so I think it really has something to do with XOR.
Now for 19, there is also a visible sequence:
a : 36 19
b : 35 19
c : 34 19
After 30 which is the letter 'g', it goes to 3f and continues until 3a. After that it is 29 and goes on decrementing. The problem is that I couldn't figure out what kind of bitwise operation this is. I mean the relation between this sequence and 19.
I have no idea about 57. I couldn't see a pattern or relation.
I hope you can help me with this. Thank you in advance.
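As an added worked example (not part of the original post, and not the game's code), the script below applies the standard known-plaintext check for XOR obfuscation to the three captures quoted above: the username is known and sits at offset 9, so ciphertext XOR plaintext gives the keystream bytes directly, without guessing which of 57, c6 or 19 is "the" key. Two assumptions are drawn from the dumps rather than confirmed by the game: the username is encoded as UTF-16LE (which is why every second byte of a pair carries no letter), and the second region that changes between captures, starting at offset 20, holds the password.

```python
"""Known-plaintext check on the three login captures quoted in the post."""

# Hex dumps copied from the post; offset and ASCII columns dropped.
CAPTURES = {
    "aaar": """00 00 46 00 01 55 18 cf 57 78 c6 36 19 a7 57 6b
               c6 57 10 c6 36 19 a7 57 78 c6 25 19 c6 74 19 82
               57 2d c6 7a 19 f5 57 5d c6 7a 19 f1 57 5c c6 7a
               19 f3 57 2d c6 7a 19 f1 57 5f c6 7a 19 82 57 5a
               c6 57 1b c7 fa c7""",
    "bbbr": """00 00 46 00 01 55 18 cf 57 7b c6 35 19 a4 57 6b
               c6 57 10 c6 35 19 a4 57 7b c6 25 19 c6 74 19 82
               57 2d c6 7a 19 f5 57 5d c6 7a 19 f1 57 5c c6 7a
               19 f3 57 2d c6 7a 19 f1 57 5f c6 7a 19 82 57 5a
               c6 57 1b c7 fa c7""",
    "cccr": """00 00 46 00 01 55 18 cf 57 7a c6 34 19 a5 57 6b
               c6 57 10 c6 34 19 a5 57 7a c6 25 19 c6 74 19 82
               57 2d c6 7a 19 f5 57 5d c6 7a 19 f1 57 5c c6 7a
               19 f3 57 2d c6 7a 19 f1 57 5f c6 7a 19 82 57 5a
               c6 57 1b c7 fa c7""",
}

USERNAME_OFFSET = 9   # stated in the post
PASSWORD_OFFSET = 20  # assumption: the second region that differs between captures


def parse_dump(dump: str) -> bytes:
    """Turn the whitespace-separated hex text into raw packet bytes."""
    return bytes.fromhex("".join(dump.split()))


def utf16le(text: str) -> bytes:
    """Assumed wire encoding of the string fields (one letter, one zero byte)."""
    return text.encode("utf-16-le")


def diff_positions(a: bytes, b: bytes) -> list:
    """Offsets where two captures differ: locates the fields that depend on input."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def recover_keystream(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """For XOR obfuscation, ciphertext XOR plaintext is the keystream itself."""
    region = ciphertext[offset:offset + len(known_plaintext)]
    return bytes(c ^ p for c, p in zip(region, known_plaintext))


def period(keystream: bytes) -> int:
    """Smallest p such that the keystream repeats every p bytes."""
    for p in range(1, len(keystream)):
        if all(keystream[i] == keystream[i + p] for i in range(len(keystream) - p)):
            return p
    return len(keystream)


def xor_cycle(data: bytes, key: bytes, key_origin: int, start: int, end: int) -> bytes:
    """XOR data[start:end] with key, key[0] aligned to absolute offset key_origin."""
    return bytes(data[i] ^ key[(i - key_origin) % len(key)] for i in range(start, end))


def analyze() -> dict:
    packets = {u: parse_dump(d) for u, d in CAPTURES.items()}
    # One chosen username per capture is enough to read the keystream off the wire.
    streams = {u: recover_keystream(p, utf16le(u), USERNAME_OFFSET) for u, p in packets.items()}
    keystream = streams["aaar"]
    p = period(keystream)
    key = keystream[:p]
    # Extend the recovered cycle to the assumed password field and decode it.
    passwords = {
        u: xor_cycle(pkt, key, USERNAME_OFFSET, PASSWORD_OFFSET, PASSWORD_OFFSET + 8).decode("utf-16-le")
        for u, pkt in packets.items()
    }
    return {
        "keystream": keystream,
        "same_for_all": len(set(streams.values())) == 1,
        "period": p,
        "key": key,
        "passwords": passwords,
    }


if __name__ == "__main__":
    result = analyze()
    print("keystream at username:", result["keystream"].hex())
    print("identical in all captures:", result["same_for_all"])
    print("period:", result["period"], "key cycle:", result["key"].hex())
    print("decoded password field:", result["passwords"])
```

Running it reports an 8-byte keystream that is identical in all three captures and repeats with period 3, and the same 3-byte cycle, carried forward, decodes the second changing region to the same string that was typed. That is the security-relevant lesson of this scheme: a fixed short XOR key is recovered from a single login attempt with a chosen username, so anyone able to observe the traffic can read every field the same way; a defender should treat such a transport as plaintext and put the credentials inside a real encrypted channel such as TLS.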