Hello,

I am trying to decrypt the packets of a MMO game. The encryption doesn't look really complex, but I am having problems since I don't have much experience. I would appreciate the help.

I will try to explain what I have found out so far. I am mostly looking at the login packets, because I can send different data via username/pass. First of all the hex dumps of some packets : 

-aaar
0000   00 00 46 00 01 55 18 cf 57 78 c6 36 19 a7 57 6b  ..F..U..Wx.6..Wk
0010   c6 57 10 c6 36 19 a7 57 78 c6 25 19 c6 74 19 82  .W..6..Wx.%..t..
0020   57 2d c6 7a 19 f5 57 5d c6 7a 19 f1 57 5c c6 7a  W-.z ..W].z..W\.z
0030   19 f3 57 2d c6 7a 19 f1 57 5f c6 7a 19 82 57 5a  ..W-.z..W_.z..WZ
0040   c6 57 1b c7 fa c7                                .W....

-bbbr
0000   00 00 46 00 01 55 18 cf 57 7b c6 35 19 a4 57 6b  ..F..U..W{.5..Wk
0010   c6 57 10 c6 35 19 a4 57 7b c6 25 19 c6 74 19 82  .W..5..W{.%..t..
0020   57 2d c6 7a 19 f5 57 5d c6 7a 19 f1 57 5c c6 7a  W-.z..W].z..W\.z
0030   19 f3 57 2d c6 7a 19 f1 57 5f c6 7a 19 82 57 5a  ..W-.z..W_.z..WZ
0040   c6 57 1b c7 fa c7                                .W....

-cccr
0000   00 00 46 00 01 55 18 cf 57 7a c6 34 19 a5 57 6b  ..F..U..Wz.4..Wk
0010   c6 57 10 c6 34 19 a5 57 7a c6 25 19 c6 74 19 82  .W..4..Wz.%..t..
0020   57 2d c6 7a 19 f5 57 5d c6 7a 19 f1 57 5c c6 7a  W-.z..W].z..W\.z
0030   19 f3 57 2d c6 7a 19 f1 57 5f c6 7a 19 82 57 5a  ..W-.z..W_.z..WZ
0040   c6 57 1b c7 fa c7                                .W....

So these are login packets sent from client to server. I am sending aaar, bbbr etc. as username/pass. Looking at the differences in packets, I have found out that the username/pass are encrypted like this (offset = 9) :

-aaar

78 c6 (a) 36 19 (a) a7 57 (a) 6b c6 (r)

-bbbr

7b c6 (b) 35 19 (b) a4 57 (b) 6b c6 (r)

So 2 bytes to represent each character, and it looks like 3 characters are used in circle to encrypt the letters. 57, c6 and 19 are repeated throughout the packet, in places related to username/pass. I came to the conclusion that they are somewhat used as keys to encrypt data.

For a start I looked at how can the letters be encrypted using c6. After some trial and error I think the byte is XORed with c6.

a : 78 XOR c6 = 190

b : 7b XOR c6 = 189

c : 7a XOR c6  = 188

It seemed like a sequence so I think it really has something to do with XOR.

Now for 19, there is also a visible sequence :

a : 36 19

b : 35 19

c : 34 19

After 30 which is the letter 'g', it goes to  3f and continues until 3a. After that it is 29 and goes on decrementing. The problem is that I couldn't figure out what kind of bitwise operation this is. I mean the relation between this sequence and 19.

I have no idea for 57. I couldn't see a pattern or relation.

I hope you can help me with this. Thank you in advance.

5 hours ago, hplus0603 said:

So, either they are uppercasing the username, or they additional XOR with 0x20 (so, instead of 0xff, 0xdf)

Wow, you are right. There is an additional XOR with 0x20. I tried sending uppercase AAAR but the packet came out different than the lowercase one : 

-AAAR
0000   00 00 46 00 01 55 18 cf 57 58 c6 16 19 87 57 4b  ..F..U..WX....WK
0010   c6 57 10 c6 16 19 87 57 58 c6 05 19 c6 74 19 82  .W.....WX....t..
0020   57 2d c6 7a 19 f5 57 5d c6 7a 19 f1 57 5c c6 7a  W-.z..W].z..W\.z
0030   19 f3 57 2d c6 7a 19 f1 57 5f c6 7a 19 82 57 5a  ..W-.z..W_.z..WZ
0040   c6 57 1b c7 fa c7                                .W....

So I tried the XOR you mentioned next and I got the proper ascii value of 'a'. Of course it worked for other characters too.

Using the same idea, it looks like the ones with 0x19 are XORed with 0x4e, and ones with 0x57 are XORed with 0x91.

I just have to figure the rest of the package now :D.

Thank you very much for your help.