[Not working]Overview of GameFort

renjfk
Noob
Posts: 14
Joined: 17 Dec 2009, 06:28
Noob?: No

[Not working]Overview of GameFort

#1 Post by renjfk »

Aight, here's a short synopsis of what's going on inside of GameFort. It's somewhat like Vanguard (which is going to help with writing the plug-in ;o)

Note: These judgements are based on Angel-Ro GameFort, so I'm not sure they'll work on other GameFort-protected servers.

File Descriptions
GameFort.dll: Core protector, injected into the client (packed with ASPack v2.12).
Shield.dll: Encrypted file which contains RIPEMD-160 hash values of the client and GameFort.dll.

Encryption Definition
Basically it's using Rijndael with a 32-byte key length and a 16-byte block size. There are two different keys: one is for decrypting Shield.dll and the other's used for encrypting the packet.

Key Extraction
Keys are a bit troublesome to extract. I might write an extractor program if I don't feel lazy later on. For now I'll extract on request; you can use this format for asking.

Code:
Server Name: blahblah
GameFort.dll: link
Shield.dll: link

(yeah, link means you're gonna upload those)
Packet encryption
This is a bit tricky. It's not encrypting all packets; it just encrypts one packet while connecting to the map server. Yeah, it's called the WantToConnection function on eAthena. My version of GameFort was doing it like this:

Code:
9B 00 36 00 13 FB 20 00 00 6D 21 05 00 62 34 65 00 85 D6 BC 6B 6D C2 93 01 00

Skip the first two bytes and encrypt only one block, which means 16 bytes. It should be something like:

Code:
9B 00 C7 A3 E3 70 06 06 1D 39 C9 4E 95 94 CD 32 B8 D9 D6 BC 6B 6D C2 93 01 00

And that's it. You are ready to play.

Angel-Ro Keys

Shield.dll key
Code:
0xF0, 0x04, 0xC4, 0x5D, 0xFD, 0x97, 0x40, 0xD0, 0x69, 0x02, 0x8A, 0x33, 0xC3, 0x25, 0xAD, 0x3F, 0xC7, 0x50, 0xE0, 0x79, 0x0A, 0x92, 0x1B, 0xA3, 0x34, 0xBC, 0x45, 0xCD, 0x56, 0xFE, 0x87, 0x10

Packet key

Code:
0xA0, 0x49, 0xD9, 0x6A, 0xF2, 0x8B, 0x14, 0x94, 0x1D, 0xA5, 0x2E, 0xBE, 0x4F, 0x71, 0x02, 0x8A, 0x13, 0x9B, 0x24, 0xAC, 0x35, 0xB5, 0x46, 0xCE, 0x57, 0xDF, 0x60, 0xE8, 0x71, 0xB2, 0x43, 0xD3
ffs stop mailing, sending messages on youtube, da or whatever; I'll crack Vanguard when I feel like it and also have enough time for it.
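The post above shows the map-server connect packet before and after GameFort touches it. The following is an added example, not code from the post or from the OpenKore GameFort plug-in: it takes those two quoted packets and computes which bytes actually changed, so that a reader looking at a capture pair can confirm that only one 16-byte block is transformed while the opcode and the trailing fields stay readable on the wire. The `changed_span` and `describe` names are the example's own; the cipher itself is not implemented here.

```python
# Added example (not from the original post or the OpenKore plug-in): locate the
# bytes a protector transformed, using the two packets quoted in the post above.

# Sample packets copied from the post: same packet before and after GameFort.
PLAIN = bytes.fromhex(
    "9B 00 36 00 13 FB 20 00 00 6D 21 05 00 62 34 65 00 85 D6 BC 6B 6D C2 93 01 00"
)
ENCRYPTED = bytes.fromhex(
    "9B 00 C7 A3 E3 70 06 06 1D 39 C9 4E 95 94 CD 32 B8 D9 D6 BC 6B 6D C2 93 01 00"
)

BLOCK_SIZE = 16  # Rijndael block size stated in the post


def changed_span(before: bytes, after: bytes):
    """Return (start, end) of the smallest span covering every differing byte,
    or None when the buffers are identical. An in-place block transform never
    changes the packet length, so unequal lengths are rejected outright."""
    if len(before) != len(after):
        raise ValueError("in-place block encryption must preserve length")
    diffs = [i for i, (a, b) in enumerate(zip(before, after)) if a != b]
    if not diffs:
        return None
    return diffs[0], diffs[-1] + 1


def describe(before: bytes, after: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Summarise what the transform touched: the two-byte opcode (left in the
    clear), the transformed span, whether that span is exactly one cipher
    block, and whether everything after the span is still the original bytes."""
    span = changed_span(before, after)
    if span is None:
        return {"opcode": before[:2].hex(), "span": None, "span_len": 0,
                "one_block": False, "trailing_clear": True}
    start, end = span
    return {
        "opcode": before[:2].hex(),
        "span": span,
        "span_len": end - start,
        "one_block": (end - start) == block_size,
        "trailing_clear": after[end:] == before[end:],
    }


if __name__ == "__main__":
    print(describe(PLAIN, ENCRYPTED))
```

On the quoted pair this reports span (2, 18), a 16-byte span that is exactly one block, with the opcode bytes 9b00 and the eight trailing bytes untouched. That is the point a protocol reviewer cares about: a per-packet block cipher over one field hides that field only, and the rest of the envelope can still be parsed and validated by anyone watching the stream.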

Technology
Super Moderators
Posts: 801
Joined: 06 May 2008, 12:47
Noob?: No

Re: Overview of GameFort

#2 Post by Technology »

yep, that did the trick. Well done once again! :o

EDIT:
oh yea, the svn link: https://openkore.svn.sourceforge.net/sv ... s/gamefort :twisted:
One ST0 to rule them all? One PE viewer to find them!
One ST_kRO to bring them all and in the darkness bind them...

Mount Doom awaits us, fellowship of OpenKore!

like2learn
Noob
Posts: 17
Joined: 06 May 2008, 23:53
Noob?: Yes

Re: Overview of GameFort

#3 Post by like2learn »

Server Name: RoxinityRO
GameFort.dll: link
some*dll and files: link

I need some help to get those keys and server information. What I get from Wireshark won't really work.
EDIT:

Code:
[RoxinityRO]
ip roxinityro.servegame.org
port 6900
master_version 14
version 23
serverType 8_2
masterLogin_packet 0x2a
serverEncoding Western
charBlockSize 108
chatLangCode 1
private 1
recvpackets recvpackets-roxinity.txt
gamefort_key A049D96AF28B14941DA52EBE4F71028A139B24AC35B546CE57DF60E871B243D3

I got the server information already, but Kore said my password was wrong even though my password is correct. I believe it's something related to sendMasterLogin.

BrianRockzYou
Human
Posts: 21
Joined: 16 Aug 2009, 01:41
Noob?: No
Location: Brazil

Re: Overview of GameFort

#4 Post by BrianRockzYou »

If someone asks for the key of a server, will you get it to us?
Or is the key the same for all servers?

renjfk
Noob
Posts: 14
Joined: 17 Dec 2009, 06:28
Noob?: No

Re: Overview of GameFort

#5 Post by renjfk »

like2learn wrote:
Server Name: RoxinityRO
GameFort.dll: link
some*dll and files: link

I need some help to get those keys and server information. What I get from Wireshark won't really work.

Hmm, your GameFort.dll was packed with VMProtect, which was troublesome to unpack, but no problem, I already unpacked it; however, the file structure seems a bit different than before. Can you send me the packet record with a test account from login to map server (also walk one cell in game) by using Wireshark? (Sorry, but I don't really want to install every client for each key >_>'')

BrianRockzYou wrote:
If someone asks for the key of a server, will you get it to us?
Or is the key the same for all servers?

Uh, yeah, that's what I'm trying to do, and no, every server has a different key (high possibility), plus they might even have a different encryption structure.

like2learn
Noob
Posts: 17
Joined: 06 May 2008, 23:53
Noob?: Yes

Re: Overview of GameFort

#6 Post by like2learn »

I don't know how to save packets using Wireshark for that server, but I have saved all those packets that were sent and received from my TCP.

Attachment: packet.rar (191.55 KiB)

renjfk
Noob
Posts: 14
Joined: 17 Dec 2009, 06:28
Noob?: No

Re: Overview of GameFort

#7 Post by renjfk »

No need for this post, delete sometime x.x
Last edited by renjfk on 03 Jan 2010, 20:09, edited 1 time in total.

renjfk
Noob
Posts: 14
Joined: 17 Dec 2009, 06:28
Noob?: No

Re: Overview of GameFort

#8 Post by renjfk »

Hmm, this is going to be a bit long x.x...

Aight, let's start with the ini:

Code:
[GameFort]
Open=RoxinityRO.bin
Exe=4464D6275A611BF5BF822EDBE66A8DF6
DLL=2A3F6E32BEEFD0C026D52E98D00641CC
Server=4B554C42304868774767514E306E726C7243383D
[Data]
0=92DECAED277BAA1F7F27956007A37A77DADBFAE0E9334B441F7AC30D030FF699
1=73726B522F305141562F57414B7A6372356761486230474231686B69756558487A6D7A63696E6B47716F633D
2=7865704D737A5233
3=784F315073544234
4=7A2B6C4C76444A34

NOTE: All those values are byte hex values, which means they aren't regular string values (for example 7865704D737A5233 means 0x78, 0x65, 0x70, 0x4D, 0x73, 0x7A, 0x52, 0x33).

When we decrypt the Data0 value with our universal key (hard-coded and probably won't change on different servers)

Code:
/* universal key: 32 bytes, i.e. the Rijndael key length from the first post */
unsigned char key[32] = {0x05, 0xDD, 0x9E, 0x47, 0xE7, 0xA0, 0x41, 0xF1, 0x9A, 0x4B, 0xEB, 0xA4, 0x4D, 0xD7, 0x88, 0x39,
                         0xD9, 0x82, 0x23, 0xCB, 0x6C, 0x15, 0xBD, 0x5E, 0xFE, 0xA7, 0x48, 0xE8, 0x91, 0x23, 0xC3, 0x74};

by using the Rijndael algorithm, it's going to give us the second Rijndael key, which is used for map packet encryption (check the first post for it).

So we know how to encrypt the map packet, but the login packet is the problem..

First I'll start with the second hard-coded value:

Code:
hsjshd783738ysucy87gb7vggxgfghf345\QW7E9BCIUYW8W786Jghjgu

This is our second key, but this isn't the raw key; in order to obtain the real key we need its SHA-1 hash value, but what it's used for, that's the problem. Anyways, we're going to use it in another encryption algorithm called RC4. So basically, in order to decrypt the Data2, Data3 and Data4 values (which are very important) we need RC4, but before decrypting we need a custom filter. Check the code below for that custom filter and the RC4 algorithm.

https://sourceforge.net/projects/client ... p/download

Anyways, when we decrypt the Data2, 3, 4 values with this code we'll obtain three values, which for this ini are going to be 813638, 960477 and 224957. Yeah, some numbers, but written as strings. Let's talk about the login packet, which is 6400. This version of GameFort's encrypting the login packet with this routine: modify the first two bytes to 2A00, then skip 29 bytes and encrypt 24 bytes (which is the password field, I assume.. oh btw @like2learn don't worry, I won't reveal your password =P). And here's our special encryption algorithm:

https://sourceforge.net/projects/client ... p/download

Jeez, as I thought, that was long >_>''
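The post above says every value in the GameFort ini is the hex spelling of raw bytes rather than a regular string. The following is an added example, not code from the post or from the OpenKore plug-in: a small parser that reads the quoted ini, decodes each value from hex to bytes exactly as the NOTE describes, and reports which decoded values are plain printable ASCII. The ini text is embedded from the post; the `Section.key` naming, `parse_gamefort_ini`, `is_text` and `summarize` are the example's own, and it makes no claim about what the binary values are beyond their length.

```python
import configparser
import string

# Added example (not from the post or the OpenKore plug-in): decode the hex-spelled
# values of the GameFort ini and show which of them were never more than encoded text.

# The ini from the post, embedded verbatim so the example runs offline.
INI_TEXT = """\
[GameFort]
Open=RoxinityRO.bin
Exe=4464D6275A611BF5BF822EDBE66A8DF6
DLL=2A3F6E32BEEFD0C026D52E98D00641CC
Server=4B554C42304868774767514E306E726C7243383D
[Data]
0=92DECAED277BAA1F7F27956007A37A77DADBFAE0E9334B441F7AC30D030FF699
1=73726B522F305141562F57414B7A6372356761486230474231686B69756558487A6D7A63696E6B47716F633D
2=7865704D737A5233
3=784F315073544234
4=7A2B6C4C76444A34
"""

# Bytes that would show up as readable characters if the value were printed as ASCII.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def decode_hex_value(value: str):
    """'7865704D737A5233' -> b'xepMszR3'. Values that are not hex at all
    (such as Open=RoxinityRO.bin) are returned unchanged as str."""
    try:
        return bytes.fromhex(value)
    except ValueError:
        return value


def parse_gamefort_ini(text: str) -> dict:
    """Map 'Section.key' -> decoded bytes (or the original string)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'Exe' and 'DLL' exactly as written in the file
    cp.read_string(text)
    return {
        f"{section}.{key}": decode_hex_value(value)
        for section in cp.sections()
        for key, value in cp.items(section)
    }


def is_text(raw) -> bool:
    """True when every decoded byte is printable ASCII, i.e. the hex spelling was
    only an encoding and the underlying value was never actually hidden."""
    return isinstance(raw, bytes) and len(raw) > 0 and all(b in PRINTABLE for b in raw)


def summarize(text: str = INI_TEXT) -> dict:
    """For each key: (length, 'text' | 'binary' | 'plain')."""
    report = {}
    for name, raw in parse_gamefort_ini(text).items():
        if isinstance(raw, bytes):
            report[name] = (len(raw), "text" if is_text(raw) else "binary")
        else:
            report[name] = (len(raw), "plain")
    return report


if __name__ == "__main__":
    for name, (length, kind) in summarize().items():
        print(f"{name:16} {length:3d} bytes  {kind}")
```

Running it shows that Server and Data1 decode to base64-looking ASCII, Data2 through Data4 decode to short ASCII strings, and only Exe, DLL (16 bytes each) and Data0 (32 bytes) are real binary. Hex-spelling a value is an encoding, not protection: anyone with the file reads the same bytes the client does, and a configuration reviewer should treat such fields as plaintext when judging what the client is carrying.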

survivorsavior
Human
Posts: 29
Joined: 31 Dec 2009, 12:56
Noob?: No

Re: Overview of GameFort

#9 Post by survivorsavior »

Server Name: LuminaRO
GameFort.dll: GameFort.rar (430.22 KiB, attachment)
Shield.dll: not found

renjfk
Noob
Posts: 14
Joined: 17 Dec 2009, 06:28
Noob?: No

Re: Overview of GameFort

#10 Post by renjfk »

survivorsavior wrote:
Server Name: LuminaRO
GameFort.dll: GameFort.rar
Shield.dll: not found

It's the same as RoxinityRO, so you have to wait for Technology to update his plug-in.
