So, does anyone still need to know the decryption method? I took a look in TibiCAM it and understood how it decrypts the files, and turned it into a Python script:
Encrypted:
Code:
$ hexdump -C 118_dies.rec | head
00000000 04 02 e7 00 00 00 0b 1c 00 00 00 00 19 4c 5a 7b |.............LZ{|
00000010 56 4d d8 2a 18 38 bc 03 20 1f 5d 04 6f 52 c3 8e |VM.*.8.. .].oR..|
00000020 a8 c7 8b 19 8e 5a 68 87 53 e1 58 22 96 5e 70 8f |.....Zh.S.X".^p.|
Decrypted: (Note that it's the login packet, length: 0x1C09 and login packet id 0x0A)
Code:
$ ./dump.py -f 118_dies.rec | head
'118_dies.rec': Version: 516 Length: 128750ms Number of packets: 174
'118_dies.rec': Packet: 0 Time: 0 Length: 7179
09 1C 0A 0B BE 95 00 32 00 00 64 8B 80 5F 7D 04 |.......2..d.._}.|
4F 12 63 0E 00 FF A3 11 66 12 00 FF A3 11 68 12 |O.c.....f.....h.|
66 0E 00 FF 87 12 10 05 00 FF 52 12 00 FF A5 11 |f.........R.....|
66 12 00 FF A3 11 62 12 00 FF A3 11 64 12 00 FF |f.....b.....d...|
A3 11 61 12 10 05 00 FF A3 11 61 12 00 FF A3 11 |..a.......a.....|
62 12 10 05 00 FF A9 11 65 12 EC 06 00 FF A3 11 |b.......e.......|
69 12 65 0E 00 FF 51 12 67 0E 00 FF 83 12 00 FF |i.e...Q.g.......|
A3 11 5E 12 00 FF A9 11 64 12 72 0E 00 FF AA 11 |..^.....d.r.....|
Strings are visible as well:
Code:
$ ./dump.py -f 118_dies.rec | grep -n3 "Your last"
0A D7 0B 41 A0 7C 01 7C 01 A9 01 1B 00 02 00 15 |...A.|.|........|
00 4F 1E 00 64 00 03 4C 64 82 FF D7 8D 0B BE 95 |.O..d..Ld.......|
00 00 00 A1 0A 16 0A 32 0B 62 32 4E 0A 00 2E 61 |.......2.b2N...a|
13 52 B4 14 35 00 59 6F 75 72 20 6C 61 73 74 20 |.R..5.Your last |
76 69 73 69 74 20 69 6E 20 54 69 62 69 61 3A 20 |visit in Tibia: |
30 37 2E 20 4A 75 6E 20 32 30 30 36 20 31 34 3A |07. Jun 2006 14:|
33 34 3A 34 34 20 43 45 53 54 2E |34:44 CEST. |