[C/C++]GE authentication PoC

mayh3m

[C/C++]GE authentication PoC

Post by mayh3m »

Hello, I was reversing the newest Granado Espada client and I found how they encrypt the auth (login) packets (maybe it's the same for the rest of the packets; I haven't checked yet).

I will share my sources with you.


/*
                            code BY DarkInjection
*/
encryption.c


#include "stdafx.h"

/*
 * ge4_007126D0 -- encrypt one 64-bit block in place (lifted verbatim from the client).
 *
 * Stack arguments (cdecl: RETN leaves both arguments for the caller to pop,
 * which ge4_007125F0 does with ADD ESP, 8):
 *   [ESP+4] at entry = pointer to two 32-bit words block[0], block[1]
 *   [ESP+8] at entry = pointer to the key schedule, held in EBP throughout
 * Result is written back over the same two words with the halves swapped:
 *   block[0] = final ESI, block[1] = final EDI.
 * Preserves EBP, EBX, ESI, EDI; clobbers EAX, ECX, EDX and flags.
 *
 * Key-schedule layout as addressed below (the key bytes themselves are not on this page):
 *   EBP+0x00 .. EBP+0x44                    eighteen 32-bit words, P[0..17]
 *   EBP+0x48, +0x448, +0x848, +0xC48         four tables S0..S3 of 256 words each
 * Sixteen unrolled rounds; each XORs one P word into a half and then XORs
 *   F(x) = ((S0[x>>24] + S1[(x>>16)&0xFF]) ^ S2[(x>>8)&0xFF]) + S3[x&0xFF]
 * of one half into the other. The P[i] XOR is placed one block earlier than in
 * the textbook loop (XOR commutes, so the result is the same). P[16]/P[17] are
 * applied at the end. This is the Blowfish encryption structure; whether P and
 * S0..S3 hold the standard constants cannot be determined from this listing.
 */
__declspec(naked)void ge4_007126D0(){
	__asm{
		PUSH EBP
		PUSH EBX
		MOV EBX, DWORD PTR SS : [ESP + 0xC]            ; EBX = block pointer (arg 1; two pushes deep)
		MOV EBP, DWORD PTR SS : [ESP + 0x10]           ; EBP = key schedule (arg 2)
		PUSH ESI
		PUSH EDI
		MOV EDI, DWORD PTR DS : [EBX]                  ; EDI = left half  = block[0]
		MOV ESI, DWORD PTR DS : [EBX + 4]              ; ESI = right half = block[1]
		XOR EAX, EAX                                   ; EAX/ECX zeroed so the AL/CL byte loads below act as zero-extended table indices
		MOV EBX, DWORD PTR SS : [EBP]                  ; P[0]
		XOR ECX, ECX                                   ; ECX is never written again except through CL, so its upper bytes stay 0
		XOR EDI, EBX                                   ; EDI ^= P[0]
		; -- F #1: ESI ^= F(EDI) --
		MOV EDX, DWORD PTR SS : [EBP + 4]              ; P[1]
		MOV EBX, EDI
		XOR ESI, EDX                                   ; ESI ^= P[1] (hoisted from the next block)
		SHR EBX, 0x10                                  ; EBX = EDI >> 16
		MOV EDX, EDI
		MOV AL, BH                                     ; AL  = byte 3 of EDI (most significant)
		AND EBX, 0xFF                                  ; EBX = byte 2
		MOV CL, DH                                     ; CL  = byte 1
		AND EDX, 0xFF                                  ; EDX = byte 0
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48] ; S0[byte3]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448] ; S1[byte2]
		ADD EBX, EAX                                   ; S0 + S1
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848] ; S2[byte1]
		XOR EBX, EAX                                   ; (S0 + S1) ^ S2
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48] ; S3[byte0]
		ADD EBX, EDX                                   ; EBX = F(EDI)
		XOR EAX, EAX                                   ; re-zero EAX for the next AL load
		XOR ESI, EBX                                   ; ESI ^= F(EDI)
		; -- F #2: EDI ^= F(ESI) --
		MOV EDX, DWORD PTR SS : [EBP + 8]              ; P[2]
		MOV EBX, ESI
		XOR EDI, EDX                                   ; EDI ^= P[2]
		SHR EBX, 0x10
		MOV EDX, ESI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR EDI, EBX                                   ; EDI ^= F(ESI)
		; -- F #3: ESI ^= F(EDI) --
		MOV EDX, DWORD PTR SS : [EBP + 0xC]            ; P[3]
		MOV EBX, EDI
		XOR ESI, EDX                                   ; ESI ^= P[3]
		SHR EBX, 0x10
		MOV EDX, EDI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR ESI, EBX                                   ; ESI ^= F(EDI)
		; -- F #4: EDI ^= F(ESI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x10]           ; P[4]
		MOV EBX, ESI
		XOR EDI, EDX                                   ; EDI ^= P[4]
		SHR EBX, 0x10
		MOV EDX, ESI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR EDI, EBX                                   ; EDI ^= F(ESI)
		; -- F #5: ESI ^= F(EDI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x14]           ; P[5]
		MOV EBX, EDI
		XOR ESI, EDX                                   ; ESI ^= P[5]
		SHR EBX, 0x10
		MOV EDX, EDI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR ESI, EBX                                   ; ESI ^= F(EDI)
		; -- F #6: EDI ^= F(ESI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x18]           ; P[6]
		MOV EBX, ESI
		XOR EDI, EDX                                   ; EDI ^= P[6]
		SHR EBX, 0x10
		MOV EDX, ESI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR EDI, EBX                                   ; EDI ^= F(ESI)
		; -- F #7: ESI ^= F(EDI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x1C]           ; P[7]
		MOV EBX, EDI
		XOR ESI, EDX                                   ; ESI ^= P[7]
		SHR EBX, 0x10
		MOV EDX, EDI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR ESI, EBX                                   ; ESI ^= F(EDI)
		; -- F #8: EDI ^= F(ESI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x20]           ; P[8]
		MOV EBX, ESI
		XOR EDI, EDX                                   ; EDI ^= P[8]
		SHR EBX, 0x10
		MOV EDX, ESI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR EDI, EBX                                   ; EDI ^= F(ESI)
		; -- F #9: ESI ^= F(EDI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x24]           ; P[9]
		MOV EBX, EDI
		XOR ESI, EDX                                   ; ESI ^= P[9]
		SHR EBX, 0x10
		MOV EDX, EDI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR ESI, EBX                                   ; ESI ^= F(EDI)
		; -- F #10: EDI ^= F(ESI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x28]           ; P[10]
		MOV EBX, ESI
		XOR EDI, EDX                                   ; EDI ^= P[10]
		SHR EBX, 0x10
		MOV EDX, ESI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR EDI, EBX                                   ; EDI ^= F(ESI)
		; -- F #11: ESI ^= F(EDI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x2C]           ; P[11]
		MOV EBX, EDI
		XOR ESI, EDX                                   ; ESI ^= P[11]
		SHR EBX, 0x10
		MOV EDX, EDI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR ESI, EBX                                   ; ESI ^= F(EDI)
		; -- F #12: EDI ^= F(ESI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x30]           ; P[12]
		MOV EBX, ESI
		XOR EDI, EDX                                   ; EDI ^= P[12]
		SHR EBX, 0x10
		MOV EDX, ESI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR EDI, EBX                                   ; EDI ^= F(ESI)
		; -- F #13: ESI ^= F(EDI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x34]           ; P[13]
		MOV EBX, EDI
		XOR ESI, EDX                                   ; ESI ^= P[13]
		SHR EBX, 0x10
		MOV EDX, EDI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR ESI, EBX                                   ; ESI ^= F(EDI)
		; -- F #14: EDI ^= F(ESI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x38]           ; P[14]
		MOV EBX, ESI
		XOR EDI, EDX                                   ; EDI ^= P[14]
		SHR EBX, 0x10
		MOV EDX, ESI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR EDI, EBX                                   ; EDI ^= F(ESI)
		; -- F #15: ESI ^= F(EDI) --
		MOV EDX, DWORD PTR SS : [EBP + 0x3C]           ; P[15]
		MOV EBX, EDI
		XOR ESI, EDX                                   ; ESI ^= P[15]
		SHR EBX, 0x10
		MOV EDX, EDI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		XOR EAX, EAX
		XOR ESI, EBX                                   ; ESI ^= F(EDI)
		; -- F #16: EDI ^= F(ESI), then the two closing P words --
		MOV EDX, DWORD PTR SS : [EBP + 0x40]           ; P[16]
		MOV EBX, ESI
		XOR EDI, EDX                                   ; EDI ^= P[16]
		SHR EBX, 0x10
		MOV EDX, ESI
		MOV AL, BH
		AND EBX, 0xFF
		MOV CL, DH
		AND EDX, 0xFF
		MOV EAX, DWORD PTR SS : [EBP + EAX * 4 + 0x48]
		MOV EBX, DWORD PTR SS : [EBP + EBX * 4 + 0x448]
		ADD EBX, EAX
		MOV EAX, DWORD PTR SS : [EBP + ECX * 4 + 0x848]
		XOR EBX, EAX
		MOV EDX, DWORD PTR SS : [EBP + EDX * 4 + 0xC48]
		ADD EBX, EDX
		MOV EAX, DWORD PTR SS : [ESP + 0x14]           ; EAX = block pointer again (arg 1; four pushes deep)
		XOR EDI, EBX                                   ; EDI ^= F(ESI)
		MOV EDX, DWORD PTR SS : [EBP + 0x44]           ; P[17]
		XOR ESI, EDX                                   ; ESI ^= P[17]
		MOV DWORD PTR DS : [EAX + 4], EDI              ; block[1] = EDI
		MOV DWORD PTR DS : [EAX], ESI                  ; block[0] = ESI  (halves swapped on output)
		POP EDI
		POP ESI
		POP EBX
		POP EBP
		RETN; <= Procedure End -- cdecl: the caller pops the two arguments
	}
}

/*
 * ge4_007125F0 -- encrypt one 8-byte block: out[0..7] = E_key(in[0..7]).
 *
 * The function is naked, so the C parameter names are documentation only;
 * the body reads its arguments from the stack (offsets valid after SUB ESP, 8):
 *   in   [ESP+0x0C]  8 plaintext bytes, packed into two big-endian 32-bit words
 *   out  [ESP+0x10]  8 ciphertext bytes, unpacked from two big-endian words
 *   key  [ESP+0x14]  key schedule, passed straight through to ge4_007126D0
 *   f    [ESP+0x18]  compared with 0 below, but no conditional branch consumes
 *                    the flags before the CALL clobbers them: this copy always
 *                    encrypts. Presumably the client had a decrypt path here
 *                    that was not carried over -- TODO confirm against the client.
 * All 8 input bytes are read (and stored in the 8-byte temp at [ESP]) before
 * any output byte is written, so in == out (in-place use) is safe.
 * Clobbers EAX, ECX, EDX and flags; the callee preserves EBX/ESI/EDI/EBP.
 */
__declspec(naked) void ge4_007125F0(char * in, char * out, char * key, int f){
	__asm{
		SUB ESP, 8                                     ; 8-byte temp: [ESP] = word0, [ESP+4] = word1
			MOV EAX, DWORD PTR SS : [ESP + 0xC]; packet buffer (in)
			MOVZX ECX, BYTE PTR DS : [EAX]; first byte of packet buffer (in[0])
			MOVZX EDX, BYTE PTR DS : [EAX + 1]; second byte of packet buffer (in[1])
			ADD EAX, 1                                 ; EAX = in + 1
			SHL EDX, 0x10                              ; in[1] << 16
			SHL ECX, 0x18                              ; in[0] << 24
			OR ECX, EDX
			XOR EDX, EDX
			MOV DH, BYTE PTR DS : [EAX + 1]            ; in[2] << 8 (DL stays 0)
			ADD EAX, 1
			ADD EAX, 1
			ADD EAX, 1
			ADD EAX, 1
			ADD EAX, 1                                 ; EAX = in + 6
			OR ECX, EDX
			MOVZX EDX, BYTE PTR DS : [EAX - 3]         ; in[3]
			OR ECX, EDX                                ; ECX = word0 = in[0..3] big-endian
			MOVZX EDX, BYTE PTR DS : [EAX - 1]         ; in[5]
			MOV DWORD PTR SS : [ESP], ECX              ; temp[0] = word0
			MOVZX ECX, BYTE PTR DS : [EAX - 2]         ; in[4]
			SHL EDX, 0x10                              ; in[5] << 16
			SHL ECX, 0x18                              ; in[4] << 24
			OR ECX, EDX
			XOR EDX, EDX
			MOV DH, BYTE PTR DS : [EAX]                ; in[6] << 8
			MOV DL, BYTE PTR DS : [EAX + 1]            ; in[7]
			OR EDX, ECX                                ; EDX = word1 = in[4..7] big-endian
			CMP DWORD PTR SS : [ESP + 0x18], 0         ; f compared, but the result is never branched on (see header)
			MOV DWORD PTR SS : [ESP + 4], EDX          ; temp[1] = word1
			MOV EAX, DWORD PTR SS : [ESP + 0x14]
			PUSH EAX; key buffer (arg 2 of the callee)
			LEA ECX, DWORD PTR SS : [ESP + 4]          ; address of temp[0] (one push deep)
			PUSH ECX; temp buffer ? ? -- the 2-word block, encrypted in place by the callee (arg 1)
			CALL ge4_007126D0; <= Jump / Call Address Not Resolved
			MOV ECX, DWORD PTR SS : [ESP + 8]          ; ECX = encrypted word0 (temp[0], two pushes deep)
			MOV EAX, DWORD PTR SS : [ESP + 0x18]       ; EAX = out
			MOV EDX, ECX
			SHR EDX, 0x18
			MOV BYTE PTR DS : [EAX], DL                ; out[0] = word0 >> 24
			ADD EAX, 1
			MOV EDX, ECX
			SHR EDX, 0x10
			MOV BYTE PTR DS : [EAX], DL                ; out[1] = word0 >> 16
			ADD EAX, 1
			MOV EDX, ECX
			SHR EDX, 8
			MOV BYTE PTR DS : [EAX], DL                ; out[2] = word0 >> 8
			MOV BYTE PTR DS : [EAX + 1], CL            ; out[3] = word0 & 0xFF
			MOV ECX, DWORD PTR SS : [ESP + 0xC]        ; ECX = encrypted word1 (temp[1])
			ADD EAX, 1
			ADD EAX, 1                                 ; EAX = out + 4
			MOV EDX, ECX
			SHR EDX, 0x18
			MOV BYTE PTR DS : [EAX], DL                ; out[4] = word1 >> 24
			ADD EAX, 1
			MOV EDX, ECX
			SHR EDX, 0x10
			MOV BYTE PTR DS : [EAX], DL                ; out[5] = word1 >> 16
			ADD EAX, 1
			MOV EDX, ECX
			ADD ESP, 8                                 ; pop the two arguments pushed for the CALL (cdecl callee)
			SHR EDX, 8
			MOV BYTE PTR DS : [EAX], DL                ; out[6] = word1 >> 8
			MOV BYTE PTR DS : [EAX + 1], CL            ; out[7] = word1 & 0xFF
			ADD ESP, 8                                 ; release the 8-byte temp
			RETN; <= Procedure End
	}
}

/*
 * Encrypts 12 consecutive 8-byte blocks (96 bytes) from `in` to `out`.
 * Each block is transformed independently with the same key schedule and no
 * chaining between blocks (ECB). `in` and `out` may alias; the caller in this
 * listing passes the same buffer for both. KEY is a module-level value not shown
 * on this page; 0x5b is forwarded as the fourth argument, which the posted copy of
 * ge4_007125F0 compares but never branches on.
 * Security note (review): as far as this listing shows KEY is fixed in the client,
 * so this layer only hides the login packet from observers who lack the client;
 * it is not a substitute for a transport-level channel. Confirm whether KEY is
 * session-derived elsewhere.
 */
void BeginPacketEncryption(char * in,char * out){
	int block;
	for (block = 0; block < 0x0C; block++){
		int offset = block * 0x08;           /* byte offset of this 8-byte block */
		ge4_007125F0(in + offset, out + offset, (char*)KEY, 0x5b);
	}
}
packet_generator.c


#include "stdafx.h"

/*
 * ge4_0041FBF0 -- 16-bit checksum over packet_buffer[0..a-1] (lifted verbatim from the client).
 *
 * Stack arguments (cdecl): [ESP+4] = packet_buffer, [ESP+8] = a (signed length).
 * Returns 0 when packet_buffer is NULL or a <= 0. Otherwise, starting from acc = 0:
 *   even i: acc ^= buffer[i]      odd i: acc += buffer[i]      (bytes zero-extended)
 * The accumulator is 32-bit in EAX; the WORD return type means callers see only AX.
 * Flag subtlety: MOVZX does not modify flags, so the JE at ge4_0041FC13 tests the
 * ZF left by the parity computation above it (AND, or INC on the negative fix-up path).
 * Preserves ESI; clobbers EAX, ECX, EDX and flags.
 */
__declspec(naked)WORD ge4_0041FBF0(char * packet_buffer,int a){
	__asm{
		MOV EDX, DWORD PTR SS : [ESP + 4]              ; EDX = packet_buffer
		XOR EAX, EAX                                   ; acc = 0 (also the NULL/empty return value)
		CMP EDX, EAX
		JNZ ge4_0041FBFB
		RETN                                           ; NULL buffer -> 0
		ge4_0041FBFB :
			XOR ECX, ECX                               ; i = 0
			CMP DWORD PTR SS : [ESP + 8], EAX
			JLE ge4_0041FC27                           ; a <= 0 (signed) -> 0
			PUSH ESI

		ge4_0041FC04 :
			MOV ESI, ECX
			AND ESI, 0x80000001                        ; ZF = (i is even); sign bit kept for the fix-up below
			JNS ge4_0041FC13                           ; i >= 0: ZF from the AND is what JE sees
			DEC ESI
			OR ESI, 0xFFFFFFFE                         ; negative-i remainder fix-up; unreachable here since i counts up from 0
			INC ESI

		ge4_0041FC13 :
			MOVZX ESI, BYTE PTR DS : [ECX + EDX]       ; ESI = buffer[i] (flags untouched)
			JE ge4_0041FC1D                            ; even i -> XOR path
			ADD EAX, ESI                               ; odd i: acc += byte
			JMP ge4_0041FC1F

		ge4_0041FC1D :
			XOR EAX, ESI                               ; even i: acc ^= byte
		ge4_0041FC1F :
			INC ECX
			CMP ECX, DWORD PTR SS : [ESP + 0xC]        ; a, one push deeper than at entry
			JL ge4_0041FC04                            ; signed compare, matching the JLE above
			POP ESI
		ge4_0041FC27 :
		RETN; <= Procedure End

	}

}

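/*
 * Builds the 0x5B-byte login payload in packet_buffer.
 * The caller must supply at least 100 bytes; the first 100 are zeroed here
 * (the caller in this listing passes outp + 2 of a char outp[102]).
 *
 * Layout written below (offsets relative to packet_buffer; every other byte is 0):
 *   0x00  0x04
 *   0x06  16-bit checksum of bytes 0..0x5A from ge4_0041FBF0, computed while the
 *         checksum field itself is still 0, stored in host byte order
 *   0x0A  0x5B
 *   0x0C  username, at most 0x11 bytes (the field ends where the digest starts)
 *   0x1D  MD5(hash_pass), MD5_DIGEST_LENGTH bytes
 *   0x2E  0x01 (realm id, per the original comment)
 *   0x30  0x65
 *   0x34  "USA"
 *   0x3C  0x0201 (16-bit, host byte order)
 *   0x59  0x74
 * The meaning of the fixed constants is not known from this listing.
 *
 * Fix vs. the posted version: the username copy is bounded to its field. The
 * original used strlen(username) unbounded, so a username longer than 17 bytes
 * overwrote the digest and later fields, and one longer than 88 bytes ran past
 * the caller's 100-byte buffer.
 */
void generate_packet(char * username,char * hash_pass,char * packet_buffer){
	const size_t username_field = 0x1D - 0x0C;   /* 17 bytes between the two fields */
	size_t username_len = strlen(username);
	unsigned char digest[MD5_DIGEST_LENGTH];
	MD5_CTX c;
	WORD d;

	if (username_len > username_field)
		username_len = username_field;            /* truncate instead of overrunning the digest */

	MD5_Init(&c);
	MD5_Update(&c, hash_pass, strlen(hash_pass));
	MD5_Final(digest, &c);

	memset(packet_buffer, 0x00, 100);

	*(BYTE*)packet_buffer = 0x04;
	*(BYTE*)(packet_buffer+0x0A) = 0x5B;

	memcpy(packet_buffer + 0x0C, username, username_len);
	memcpy(packet_buffer + 0x1D, digest, MD5_DIGEST_LENGTH);

	*(BYTE*)(packet_buffer + 0x2E) = 0x01; //realm id
	*(BYTE*)(packet_buffer + 0x30) = 0x65; 

	memcpy(packet_buffer + 0x34, "USA", 3);

	*(WORD*)(packet_buffer + 0x3C) = 0x0201;
	*(BYTE*)(packet_buffer + 0x59) = 0x74;

	/* checksum covers 0..0x5A with the field at +6 still zero, then is stored there */
	d = ge4_0041FBF0(packet_buffer, 0x5B);

	*(WORD*)(packet_buffer + 6) = d;
}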
This is how you generate an auth packet:


/* Assembles one login packet: a 2-byte opcode 0x0060 followed by the payload
 * built by generate_packet, then encrypts 96 bytes of the payload in place
 * (outp + 2 is both source and destination). `username` and `password` come
 * from the surrounding code, which is not shown here. */
WORD OP_CODE = 0x0060;
char outp[102] = { 0 };
generate_packet(username, password, outp + 2);
memcpy(outp, &OP_CODE, sizeof(OP_CODE));     /* opcode stored in host byte order */
BeginPacketEncryption(outp + 2, outp + 2);
Hope that I helped someone.

I will also make a multi-client patch and maybe an xtrap bypass in the future.

have fun