Openkore.com
OpenKore Forums

This topic is locked, you cannot edit posts or make further replies.  [ 44 posts ]  Page 1 of 5

Post subject: [Not working] Overview of GameFort
PostPosted: 29 Dec 2009, 20:31
Noob | Joined: 17 Dec 2009, 06:28 | Posts: 14

Aight, here's a short synopsis of what's going on inside GameFort. It's somewhat like Vanguard (which is going to help with writing the plug-in ;o)

Note
These judgements are based on Angel-Ro's GameFort, so I'm not sure they'll work on other GameFort-protected servers.

File Descriptions
GameFort.dll: Core protector, injected into the client (packed with ASPack v2.12).
Shield.dll: Encrypted file which contains the RipeMD-160 hash values of the client and GameFort.dll.

Encryption Definition
Basically it's using Rijndael with a 32-byte key length and a 16-byte block size. There are two different keys: one is for decrypting Shield.dll and the other is used for encrypting packets.

Key Extraction
Keys are a bit troublesome to extract. I might write an extractor program if I don't feel lazy later on. For now I'll extract on request; you can use this format for asking.

Code:
Server Name: blahblah
GameFort.dll: link
Shield.dll: link
(yeah, "link" means you're going to upload those)


Packet encryption
This is a bit tricky. It's not encrypting all packets; it just encrypts one packet while connecting to the map server. Yeah, it's the one called the WantToConnection function on eAthena. My version of GameFort was doing it like this:

Code:
9B 00 36 00 13 FB 20 00 00 6D 21 05 00 62 34 65 00 85 D6 BC 6B 6D C2 93 01 00


Skip the first two bytes and encrypt only one block, which means 16 bytes. It should be something like:

Code:
9B 00 C7 A3 E3 70 06 06 1D 39 C9 4E 95 94 CD 32 B8 D9 D6 BC 6B 6D C2 93 01 00


And that's it. You are ready to play.

Angel-Ro Keys

Shield.dll key
Code:
0xF0, 0x04, 0xC4, 0x5D, 0xFD, 0x97, 0x40, 0xD0, 0x69, 0x02, 0x8A, 0x33, 0xC3, 0x25, 0xAD, 0x3F, 0xC7, 0x50, 0xE0, 0x79, 0x0A, 0x92, 0x1B, 0xA3, 0x34, 0xBC, 0x45, 0xCD, 0x56, 0xFE, 0x87, 0x10

packet key
Code:
0xA0, 0x49, 0xD9, 0x6A, 0xF2, 0x8B, 0x14, 0x94, 0x1D, 0xA5, 0x2E, 0xBE, 0x4F, 0x71, 0x02, 0x8A, 0x13, 0x9B, 0x24, 0xAC, 0x35, 0xB5, 0x46, 0xCE, 0x57, 0xDF, 0x60, 0xE8, 0x71, 0xB2, 0x43, 0xD3

_________________
ffs stop mailing, sending messages on YouTube, DA or whatever; I'll crack Vanguard when I feel like it and also have enough time for it.
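
The connect-packet transform described above, as an added example written for this page in Go (it is not the OpenKore gamefort plugin's code and nothing here was taken from GameFort.dll). It uses the 26-byte packet dump and the Angel-Ro packet key quoted in the post, and Go's standard crypto/aes, since Rijndael with a 32-byte key and a 16-byte block is exactly AES-256. One assumption the post does not state: the single 16-byte block is encrypted raw (one-block ECB, which for a single block is the same as CBC with an all-zero IV). Running it prints the transformed packet; if the 16 bytes starting at offset 2 match the C7 A3 E3 70 ... dump in the post, that assumption holds for this server, and if not, the mode or key schedule differs and that is the first thing to re-check in the DLL.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"strings"
)

// mustHex turns a hex dump (spaces allowed) into bytes; it panics on bad
// input because every input here is a constant copied from the post.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(strings.ReplaceAll(s, " ", ""))
	if err != nil {
		panic(err)
	}
	return b
}

// Values quoted in the post: the Angel-Ro packet key and the plain
// map-server connect packet (opcode 0x009B, 26 bytes).
var (
	angelRoPacketKey = mustHex("A049D96AF28B14941DA52EBE4F71028A139B24AC35B546CE57DF60E871B243D3")
	samplePlain      = mustHex("9B 00 36 00 13 FB 20 00 00 6D 21 05 00 62 34 65 00 85 D6 BC 6B 6D C2 93 01 00")
)

// Offsets from the post: the two-byte opcode is skipped and exactly one
// 16-byte block after it is encrypted; whatever follows stays in the clear.
const (
	skip     = 2
	blockEnd = skip + aes.BlockSize
)

// transform copies pkt and runs the cipher over the single block at
// pkt[skip:blockEnd]. Assumption (not stated in the post): the block is
// processed raw, i.e. one-block ECB.
func transform(key, pkt []byte, encrypt bool) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("gamefort: key must be 32 bytes (AES-256), got %d", len(key))
	}
	if len(pkt) < blockEnd {
		return nil, fmt.Errorf("gamefort: packet too short (%d bytes), need at least %d", len(pkt), blockEnd)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(pkt))
	copy(out, pkt)
	if encrypt {
		block.Encrypt(out[skip:blockEnd], pkt[skip:blockEnd])
	} else {
		block.Decrypt(out[skip:blockEnd], pkt[skip:blockEnd])
	}
	return out, nil
}

// EncryptConnectPacket is what the client (or a bot) must do before sending.
func EncryptConnectPacket(key, pkt []byte) ([]byte, error) { return transform(key, pkt, true) }

// DecryptConnectPacket is the server-side inverse, useful for checking a
// captured packet against a candidate key.
func DecryptConnectPacket(key, pkt []byte) ([]byte, error) { return transform(key, pkt, false) }

func main() {
	enc, err := EncryptConnectPacket(angelRoPacketKey, samplePlain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plain:     % X\n", samplePlain)
	fmt.Printf("encrypted: % X\n", enc)
}
```

DecryptConnectPacket run over a Wireshark capture with a candidate key is the cheap way to validate a key pulled from a new server's DLL: with the right key the recovered 16 bytes look like the structured plaintext of the first dump, with the wrong key they look like noise.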


Post subject: Re: Overview of GameFort
PostPosted: 30 Dec 2009, 00:34
Super Moderators | Joined: 06 May 2008, 12:47 | Posts: 801

Yep, that did the trick. Well done once again! :o

EDIT:
Oh yeah, the SVN link: https://openkore.svn.sourceforge.net/svnroot/openkore/plugins/gamefort :twisted:

_________________
One ST0 to rule them all? One PE viewer to find them!
One ST_kRO to bring them all and in the darkness bind them...

Mount Doom awaits us, fellowship of OpenKore!


Post subject: Re: Overview of GameFort
PostPosted: 31 Dec 2009, 20:28
Noob | Joined: 06 May 2008, 23:53 | Posts: 17

Server Name: RoxinityRO
GameFort.dll: link
some*dll and files: link

I need some help to get those keys and the server information. What I get from Wireshark won't really work.
EDIT:
Code:
[RoxinityRO]
ip roxinityro.servegame.org
port 6900
master_version 14
version 23
serverType 8_2
masterLogin_packet 0x2a
serverEncoding Western
charBlockSize 108
chatLangCode 1
private 1
recvpackets recvpackets-roxinity.txt
gamefort_key A049D96AF28B14941DA52EBE4F71028A139B24AC35B546CE57DF60E871B243D3


I got the server information already, but Kore said my password was wrong even though my password is correct. I believe it's something related to sendMasterLogin.


Post subject: Re: Overview of GameFort
PostPosted: 01 Jan 2010, 06:24
Human | Joined: 16 Aug 2009, 01:41 | Posts: 21 | Location: Brazil

If someone asks for the key of a server, will you get it to us?
Or is the key the same for all servers?


Post subject: Re: Overview of GameFort
PostPosted: 01 Jan 2010, 10:07
Noob | Joined: 17 Dec 2009, 06:28 | Posts: 14

like2learn wrote:
Server Name: RoxinityRO
GameFort.dll: link
some*dll and files: link

I need some help to get those key and server information. what I get from wireshark wont really work


Hmm, your GameFort.dll was packed with VMProtect, which was troublesome to unpack, but no problem, I already unpacked it; however, the file structure seems a bit different than before. Can you send me a packet record with a test account, from login to map server (also walk one cell in game), using Wireshark? (Sorry, but I don't really want to install every client for each key >_>'')

BrianRockzYou wrote:
If someone ask for the key of a server, you get to us?
Or the key is the same for all servers?


Uh, yeah, that's what I'm trying to do, and no, every server has a different key (high probability); plus they might even have a different encryption structure.



Post subject: Re: Overview of GameFort
PostPosted: 01 Jan 2010, 12:04
Noob | Joined: 06 May 2008, 23:53 | Posts: 17

I don't know how to save packets using Wireshark for that server,
but I have saved all those packets that were sent and received over my TCP connection.


Attachment: packet.rar [191.55 KiB]
Post subject: Re: Overview of GameFort
PostPosted: 02 Jan 2010, 10:24
Noob | Joined: 17 Dec 2009, 06:28 | Posts: 14

No need for this post, delete it sometime x.x



Last edited by renjfk on 03 Jan 2010, 20:09, edited 1 time in total.

Post subject: Re: Overview of GameFort
PostPosted: 03 Jan 2010, 19:18
Noob | Joined: 17 Dec 2009, 06:28 | Posts: 14

Hmm, this is going to be a bit long x.x...

Aight, let's start with the ini:
Code:
[GameFort]
Open=RoxinityRO.bin
Exe=4464D6275A611BF5BF822EDBE66A8DF6
DLL=2A3F6E32BEEFD0C026D52E98D00641CC
Server=4B554C42304868774767514E306E726C7243383D
[Data]
0=92DECAED277BAA1F7F27956007A37A77DADBFAE0E9334B441F7AC30D030FF699
1=73726B522F305141562F57414B7A6372356761486230474231686B69756558487A6D7A63696E6B47716F633D
2=7865704D737A5233
3=784F315073544234
4=7A2B6C4C76444A34


NOTE: All those values are hex byte values, which means they aren't regular string values (for example, 7865704D737A5233 means 0x78, 0x65, 0x70, 0x4D, 0x73, 0x7A, 0x52, 0x33).

When we decrypt the Data0 value with our universal key (hard-coded, and it probably won't change on different servers)
Code:
char key [] = {0x05, 0xDD, 0x9E, 0x47, 0xE7, 0xA0, 0x41, 0xF1, 0x9A, 0x4B, 0xEB, 0xA4, 0x4D, 0xD7, 0x88, 0x39,
               0xD9, 0x82, 0x23, 0xCB, 0x6C, 0x15, 0xBD, 0x5E, 0xFE, 0xA7, 0x48, 0xE8, 0x91, 0x23, 0xC3, 0x74};

using the Rijndael algorithm, it's going to give us the second Rijndael key, which is used for map packet encryption (check the first post for it).

So we know how to encrypt the map packet, but the login packet is the problem...

First I'll start with the second hard-coded value:
Code:
hsjshd783738ysucy87gb7vggxgfghf345\QW7E9BCIUYW8W786Jghjgu

This is our second key, but this isn't the raw key; in order to obtain the real key we need its SHA-1 hash value, but what it's used for, that's the problem. Anyway, we're going to use it in another encryption algorithm called RC4. So basically, in order to decrypt the Data2, Data3 and Data4 values (which is very important) we need RC4, but before decrypting we need a custom filter. Check the code below for that custom filter and the RC4 algorithm.

https://sourceforge.net/projects/client ... p/download

Anyway, when we decrypt the Data2, 3, 4 values with this code we'll obtain three values, which for this ini are going to be 813638, 960477 and 224957. Yeah, some numbers, but written as strings. Let's talk about the login packet, which is 6400. This version of GameFort encrypts the login packet with this routine: modify the first two bytes to 2A00, then skip 29 bytes and encrypt 24 bytes (which is the password field, I assume... oh btw @like2learn don't worry, I won't reveal your password =P). And here's our special encryption algorithm:

https://sourceforge.net/projects/client ... p/download

Jeez, as I thought, that was long >_>''

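
The ini handling and key derivation described in this post, as an added example in Go written for this page (it is not the OpenKore plugin's code, and it is not the code behind the two sourceforge links, which the page does not include). It embeds the RoxinityRO ini quoted above, the universal key and the hard-coded seed string as its sample input. Assumptions the post does not settle: Data0 is decrypted as two independent AES-256 blocks (ECB; a CBC chain would change the second half), the RC4 key is the raw 20-byte SHA-1 digest of the seed rather than its hex spelling, and the "custom filter" step is omitted, so the RC4 output for Data2..4 is not the 813638 / 960477 / 224957 values the post reports. The login-packet routine (rewrite the opcode to 2A00, skip 29 bytes, encrypt 24) is left out because its cipher exists only in the missing link.

```go
package main

import (
	"crypto/aes"
	"crypto/rc4"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Sample input: the RoxinityRO ini quoted in the post above.
const sampleIni = `[GameFort]
Open=RoxinityRO.bin
Exe=4464D6275A611BF5BF822EDBE66A8DF6
DLL=2A3F6E32BEEFD0C026D52E98D00641CC
Server=4B554C42304868774767514E306E726C7243383D
[Data]
0=92DECAED277BAA1F7F27956007A37A77DADBFAE0E9334B441F7AC30D030FF699
1=73726B522F305141562F57414B7A6372356761486230474231686B69756558487A6D7A63696E6B47716F633D
2=7865704D737A5233
3=784F315073544234
4=7A2B6C4C76444A34`

// Hard-coded constants quoted in the post: the "universal" Rijndael key and
// the seed string whose SHA-1 digest becomes the RC4 key.
var universalKey = []byte{
	0x05, 0xDD, 0x9E, 0x47, 0xE7, 0xA0, 0x41, 0xF1, 0x9A, 0x4B, 0xEB, 0xA4, 0x4D, 0xD7, 0x88, 0x39,
	0xD9, 0x82, 0x23, 0xCB, 0x6C, 0x15, 0xBD, 0x5E, 0xFE, 0xA7, 0x48, 0xE8, 0x91, 0x23, 0xC3, 0x74,
}

const rc4Seed = `hsjshd783738ysucy87gb7vggxgfghf345\QW7E9BCIUYW8W786Jghjgu`

// ParseIni reads "[section]" and "key=value" lines into a nested map.
func ParseIni(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "":
		case line[0] == '[' && strings.HasSuffix(line, "]"):
			section = line[1 : len(line)-1]
			cfg[section] = map[string]string{}
		default:
			if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && cfg[section] != nil {
				cfg[section][strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
			}
		}
	}
	return cfg
}

// DecodeField turns a hex-text field into raw bytes (the post's "hex byte values").
func DecodeField(v string) ([]byte, error) { return hex.DecodeString(v) }

// DerivePacketKey decrypts Data0 with the universal key and returns the
// 32-byte AES-256 key used for the map-server connect packet.
// Assumption: the two 16-byte blocks are decrypted independently (ECB).
func DerivePacketKey(data0 string) ([]byte, error) {
	ct, err := DecodeField(data0)
	if err != nil {
		return nil, err
	}
	if len(ct) != 2*aes.BlockSize {
		return nil, fmt.Errorf("Data0 must be 32 bytes, got %d", len(ct))
	}
	block, _ := aes.NewCipher(universalKey) // constant 32-byte key, cannot fail
	key := make([]byte, len(ct))
	for off := 0; off < len(ct); off += aes.BlockSize {
		block.Decrypt(key[off:off+aes.BlockSize], ct[off:off+aes.BlockSize])
	}
	return key, nil
}

// RC4Key is the SHA-1 digest of the seed, used as the raw 20-byte RC4 key
// (assumption: the digest bytes, not their hex spelling).
func RC4Key() []byte { s := sha1.Sum([]byte(rc4Seed)); return s[:] }

// RC4Apply runs RC4 over data; RC4 is its own inverse. The post's "custom
// filter" that precedes this step is not reproduced, so the result for
// Data2..4 will not be the decimal strings the post reports.
func RC4Apply(key, data []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out, nil
}

func main() {
	cfg := ParseIni(sampleIni)
	key, err := DerivePacketKey(cfg["Data"]["0"])
	if err != nil {
		panic(err)
	}
	fmt.Printf("packet key (ECB assumption): %X\n", key)
	raw, _ := DecodeField(cfg["Data"]["2"])
	out, _ := RC4Apply(RC4Key(), raw)
	fmt.Printf("Data2 bytes %q -> RC4 without the filter step: %X\n", raw, out)
}
```

One observation that falls out of decoding the fields: Server and Data1..4 decode to printable ASCII (Data2 is the bytes of "xepMszR3", Server of "KULB0HhwGgQN0nrlrC8="), while Exe and DLL are 16 raw bytes each. The post treats all of them as raw bytes and so does the example; whether the text form means anything is not something this page establishes.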


Post subject: Re: Overview of GameFort
PostPosted: 04 Jan 2010, 05:16
Human | Joined: 31 Dec 2009, 12:56 | Posts: 27

Server Name: LuminaRO
GameFort.dll:
Attachment: GameFort.rar [430.22 KiB]

Shield.dll: not found


Post subject: Re: Overview of GameFort
PostPosted: 04 Jan 2010, 06:10
Noob | Joined: 17 Dec 2009, 06:28 | Posts: 14

survivorsavior wrote:
Server Name: LuminaRO
GameFort.dll:
Attachment:
GameFort.rar

Shield.dll: not found


It's the same as RoxinityRO, so you have to wait for Technology to update his plug-in.


