[Not working]Overview of GameFort

renjfk · **Joined:** 17 Dec 2009, 06:28 **Posts:** 14

Aight, here's a short synopsis of what's going on inside of gamefort. It's somewhat alike vanguard (which is going to help writing plug-in ;o)

Note
These judgements are based on Angel-Ro gamefort so I'm not sure they'll work on other gamefort protected servers.

File Descriptions
GameFort.dll: Core protector, injecting to client. (packed with ASPack v2.12)
Shield.dll: Encrypted file which contains RipeMD-160 hash values of client and gamefort.dll

Encryption Definition
Basically it's using rijndael with 32 bytes key length 16 bytes block size. There are two different keys; one is for decrypting shield.dll and other's used for encrypting packet.

Key Extraction
Keys are a bit troublesome to extract. I might write an extractor program if I don't feel lazy later on. For now I'll extract on requests, you can use this format for asking.

Code:

Server Name: blahblah
GameFort.dll: link
Shield.dll: link
(yeah link means you gonna upload those)

Packet encryption
This is a bit tricky. It's not encrypting all packets, it just encrypts one packet while connecting to map server. Yeah, it's called WantToConnection function on eathena. My version of gamefort was doing it like this;

Code:

9B 00 36 00 13 FB 20 00 00 6D 21 05 00 62 34 65 00 85 D6 BC 6B 6D C2 93 01 00

skip first two bytes and encrypt only one block which means 16 bytes. It should be something like;

Code:

9B 00 C7 A3 E3 70 06 06 1D 39 C9 4E 95 94 CD 32 B8 D9 D6 BC 6B 6D C2 93 01 00

and that's it. You are ready to play.

Angel-Ro Keys

Shield.dll key

Code:

0xF0, 0x04, 0xC4, 0x5D, 0xFD, 0x97, 0x40, 0xD0, 0x69, 0x02, 0x8A, 0x33, 0xC3, 0x25, 0xAD, 0x3F, 0xC7, 0x50, 0xE0, 0x79, 0x0A, 0x92, 0x1B, 0xA3, 0x34, 0xBC, 0x45, 0xCD, 0x56, 0xFE, 0x87, 0x10

packet key

Code:

0xA0, 0x49, 0xD9, 0x6A, 0xF2, 0x8B, 0x14, 0x94, 0x1D, 0xA5, 0x2E, 0xBE, 0x4F, 0x71, 0x02, 0x8A, 0x13, 0x9B, 0x24, 0xAC, 0x35, 0xB5, 0x46, 0xCE, 0x57, 0xDF, 0x60, 0xE8, 0x71, 0xB2, 0x43, 0xD3

Technology · **Joined:** 06 May 2008, 12:47 **Posts:** 806

yep, that did the trick. Well done once again!

EDIT:
oh yea, the svn link: https://openkore.svn.sourceforge.net/svnroot/openkore/plugins/gamefort :twisted:

like2learn · **Joined:** 06 May 2008, 23:53 **Posts:** 17

Server Name: RoxinityRO
GameFort.dll: link
some*dll and files: link

I need some help to get those key and server information. what I get from wireshark wont really work
EDIT:

Code:

[RoxinityRO]
ip roxinityro.servegame.org
port 6900
master_version 14
version 23
serverType 8_2
masterLogin_packet 0x2a
serverEncoding Western
charBlockSize 108
chatLangCode 1
private 1
recvpackets recvpackets-roxinity.txt
gamefort_key A049D96AF28B14941DA52EBE4F71028A139B24AC35B546CE57DF60E871B243D3

I got the server information already but kore said my password was wrong even my password is correct. I believe it something related to sendMasterLogin

BrianRockzYou · **Posted:** 01 Jan 2010, 06:24

If someone ask for the key of a server, you get to us?
Or the key is the same for all servers?

renjfk · **Joined:** 17 Dec 2009, 06:28 **Posts:** 14

like2learn wrote:

Server Name: RoxinityRO
GameFort.dll: link
some*dll and files: link

I need some help to get those key and server information. what I get from wireshark wont really work

Hmm, your gamefort.dll was packed with VM Protect which was troublesome to unpack but mondai nai I already unpacked it however file structure seems a bit different than before. Can you send me the packet record with a test account from login to map server (also walk one cell in game) by using wireshark. (Sorry but I don't really want to install every client for each key >_>'')

BrianRockzYou wrote:

If someone ask for the key of a server, you get to us?
Or the key is the same for all servers?

Uh yeah that's what im trying to do it and no, every server has different key (high possibility) plus they might even have different encryption structure.

like2learn · **Joined:** 06 May 2008, 23:53 **Posts:** 17

I dont know how to save packet by using wireshark for that server.
by I have save all those packet that send and receive from my TCP.

renjfk · **Joined:** 17 Dec 2009, 06:28 **Posts:** 14

No need for this post delete sometime x.x

renjfk · **Joined:** 17 Dec 2009, 06:28 **Posts:** 14

Hmm, this is going to be a bit long x.x...

Aight let's start with ini;

Code:

[GameFort]
Open=RoxinityRO.bin
Exe=4464D6275A611BF5BF822EDBE66A8DF6
DLL=2A3F6E32BEEFD0C026D52E98D00641CC
Server=4B554C42304868774767514E306E726C7243383D
[Data]
0=92DECAED277BAA1F7F27956007A37A77DADBFAE0E9334B441F7AC30D030FF699
1=73726B522F305141562F57414B7A6372356761486230474231686B69756558487A6D7A63696E6B47716F633D
2=7865704D737A5233
3=784F315073544234
4=7A2B6C4C76444A34

NOTE: All those values are byte hex value's which means they aren't regular string values. (for example 7865704D737A5233 means 0x78, 0x65, 0x70, 0x4D, 0x73, 0x7A, 0x52, 0x33)

When we decrypt Data0 value with our universal key (hard coded and probably won't change on different servers)

Code:

char key [] = {0x05, 0xDD, 0x9E, 0x47, 0xE7, 0xA0, 0x41, 0xF1, 0x9A, 0x4B, 0xEB, 0xA4, 0x4D, 0xD7, 0x88, 0x39,
               0xD9, 0x82, 0x23, 0xCB, 0x6C, 0x15, 0xBD, 0x5E, 0xFE, 0xA7, 0x48, 0xE8, 0x91, 0x23, 0xC3, 0x74};

by using rijndael algorithm it's going to give us second rijndael key which is used for map packet encryption. (Check first post for it)

So we know how to encrypt map packet but login packet is the problem..

First I'll start with second hard coded value;

Code:

hsjshd783738ysucy87gb7vggxgfghf345\QW7E9BCIUYW8W786Jghjgu

This is our second key but this isn't raw key, in order to obtain real key we need its SHA-1 hash value but what's it used for that's the problem. Anyways, we're going to use it in another encryption algorithm called RC4. So basically in order to decrypt Data2, Data3 and Data4 values (which is very important) we need RC4 but before decrypting we need a custom filter. Check the code below for that custom filter and RC4 algorithm.

https://sourceforge.net/projects/client ... p/download

Anyways when we decrypt Data2,3,4 values with this code we'll obtain three values which is going to be for this ini; 813638, 960477 and 224957. Yeah some numbers but written in string. Let's talk about login packet which is 6400. This version of gamefort's encrypting login packet with this routine; modify first two bytes to 2A00 then skip 29 bytes and encrypt 24 bytes (which is password field I assume.. oh btw @like2learn don't worry I won't reveal your password =P). And here's our special encryption algorithm:

https://sourceforge.net/projects/client ... p/download

Jeez as I thought that was long >_>''

survivorsavior · **Joined:** 31 Dec 2009, 12:56 **Posts:** 23

Server Name: LuminaRO
GameFort.dll:

Attachment:

GameFort.rar [430.22 KiB]
Downloaded 581 times

Shield.dll: not found

renjfk · **Joined:** 17 Dec 2009, 06:28 **Posts:** 14

survivorsavior wrote:

Server Name: LuminaRO
GameFort.dll:

Attachment:

GameFort.rar

Shield.dll: not found

It's same with RoxinityRO so you have to wait for Technology to update his plug-in.

Openkore.com

[Not working]Overview of GameFort

Who is online