Decrypt Wireshark captured packet manually..

  1. #1

    Decrypt Wireshark captured packet manually..

    Hello TP!
    Today I've tried to decrypt Tibia packets captured with Wireshark, although it doesn't seem to work as intended.

    I've captured a packet (walk one step left)
    Code:
     
    No.     Time           Source                Destination           Protocol Length Info
        181 1.633712000    192.168.1.7           xx.xxx.xxx.xxx         TCP      64     49166 > metalbend [PSH, ACK] Seq=1 Ack=1 Win=253 Len=10
    
    Frame 181: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
        Interface id: 0
        Encapsulation type: Ethernet (1)
        Arrival Time: Nov  2, 2014 20:46:38.948987000 W. Europe Standard Time
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1414957598.948987000 seconds
        [Time delta from previous captured frame: 0.010896000 seconds]
        [Time delta from previous displayed frame: 0.000000000 seconds]
        [Time since reference or first frame: 1.633712000 seconds]
        Frame Number: 181
        Frame Length: 64 bytes (512 bits)
        Capture Length: 64 bytes (512 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ip:tcp:data]
        [Coloring Rule Name: TCP]
        [Coloring Rule String: tcp]
    Ethernet II, Src: Vmware_f3:81:de (00:0c:29:f3:81:de), Dst: 6c:b0:ce:e5:15:17 (6c:b0:ce:e5:15:17)
    Internet Protocol Version 4, Src: 192.168.1.7 (192.168.1.7), Dst: XX.XX.XXX.XXX
    Transmission Control Protocol, Src Port: 49166 (49166), Dst Port: metalbend (7172), Seq: 1, Ack: 1, Len: 10
        Source port: 49166 (49166)
        Destination port: metalbend (7172)
        [Stream index: 1]
        Sequence number: 1    (relative sequence number)
        [Next sequence number: 11    (relative sequence number)]
        Acknowledgment number: 1    (relative ack number)
        Header length: 20 bytes
        Flags: 0x018 (PSH, ACK)
        Window size value: 253
        [Calculated window size: 253]
        [Window size scaling factor: -1 (unknown)]
        Checksum: 0xbd8d [validation disabled]
        [SEQ/ACK analysis]
    Data (10 bytes)
    
    0000  08 00 94 34 91 65 67 94 4b 31                     ...4.eg.K1
        Data: 08009434916567944b31
        [Length: 10]
    From this I guess the Data (the 10 bytes) is the actual encrypted packet
    "08 00 94 34 91 65 67 94 4b 31"

    And with this I read the memory of the client for the XTEA address: (I read it as 16 bytes)
    35F6EB95682B21B01B447BF0B9935645

    Then I used the TibiaAPI's XTEA Decrypt function to decrypt it, which gave me - "67 94 4B 31 00 00"

    That doesn't seem correct for a single move left packet.

    As I would and should, I tried encrypting the result again with the same xtea key, but I got something totally different

    "0c00b503460f2bf221586c777ac1"


    Enc and Dec functions
    Code:
            public static byte[] Decrypt(byte[] packet, byte[] key, bool hasAdler)
            {
                if (packet.Length == 0)
                    return packet;
    
                byte[] packet_ready;
                if (hasAdler)
                {
                    packet_ready = new byte[packet.Length - 4];
                    Array.Copy(RemoveAdlerChecksum(packet), 0, packet_ready, 0, packet_ready.Length);
                }
                else
                {
                    packet_ready = new byte[packet.Length];
                    Array.Copy(packet, 0, packet_ready, 0, packet.Length);
                }
    
                // The first two bytes are the length
                byte[] payload = new byte[packet_ready.Length - 2];
    
                Array.Copy(packet_ready, 2, payload, 0, payload.Length);
    
                uint[] payloadprep = payload.ToUintArray();
                uint[] keyprep = key.ToUintArray();
    
                for (int i = 0; i < payloadprep.Length; i += 2)
                {
                    Decode(payloadprep, i, keyprep);
                }
    
                // Remove the junk bytes
                byte[] decrypted = payloadprep.ToByteArray();
                //int length = BitConverter.ToInt16(decrypted, 0) + 2;
                int length = decrypted.Length + 2;
                byte[] decryptedprep = new byte[length];
                //Console.WriteLine("Decrypted: " + decrypted.Length + ", decryptprep: " + decryptedprep.Length);
                Array.Copy(decrypted, decryptedprep, length - 2);
                return decryptedprep;
                
                //return decrypted;
            }
    
            /// <summary>
            /// Encrypt a packet using XTEA.
            /// </summary>
            /// <param name="packet"></param>
            /// <param name="key"></param>
            public static byte[] Encrypt(byte[] packet, byte[] key, bool addAdler)
            {
                if (packet.Length == 0)
                    return packet;
    
                uint[] keyprep = key.ToUintArray();
    
                // Pad the packet with extra bytes for encryption
                int pad = packet.Length % 8;
    
                byte[] packetprep;
    
                if (pad == 0)
                    packetprep = new byte[packet.Length];
                else
                    packetprep = new byte[packet.Length + (8 - pad)];
    
                Array.Copy(packet, packetprep, packet.Length);
    
                uint[] payloadprep = packetprep.ToUintArray();
    
                for (int i = 0; i < payloadprep.Length; i += 2)
                {
                    Encode(payloadprep, i, keyprep);
                }
    
                byte[] encrypted = new byte[packetprep.Length + 2];
    
                Array.Copy(payloadprep.ToByteArray(), 0, encrypted, 2, packetprep.Length);
    
                Array.Copy(BitConverter.GetBytes((short)packetprep.Length), 0, encrypted, 0, 2);
    
                if (addAdler)
                {
    
                    byte[] encrypted_ready = new byte[encrypted.Length + 4];
                    Array.Copy(AddAdlerChecksum(encrypted), 0, encrypted_ready, 0, encrypted_ready.Length);
                    return encrypted_ready;
                }
                else
                    return encrypted;
            }

    Tested encrypting "aabbccddeeff", the result was "0800a005a6904fa21897"
    when decrypting that it gets "aabbccddeeff00000000"
    so it adds a bunch of 0's?

    Anyone got any idea, please let me know. <3

  2. #2
    Administrator
    Join Date
    Mar 2007
    Location
    Melbourne, Australia
    Posts
    1,274
    Quote Originally Posted by Tony32 View Post
    From this I guess the Data (the 10 bytes) is the actual encrypted packet
    "08 00 94 34 91 65 67 94 4b 31"

    And with this I read the memory of the client for the XTEA address: (I read it as 16 bytes)
    35F6EB95682B21B01B447BF0B9935645

    Then I used the TibiaAPI's XTEA Decrypt function to decrypt it, which gave me - "67 94 4B 31 00 00"
    Seems like it's not decrypting at all.. only removing the first 6 bytes o.o
    TPrograming Administration ~



    Linux says: Hey Windows, what's up?
    Windows says: You suck and I'm superior!
    Linux says: Is that why I have to drink a lot of WINE to act like you?


    If you need to contact me urgently, use Google Talk: arthur.cavallari@gmail.com

  3. #3
    Hm, weird! :/ Can you see anything wrong with the code?

  4. #4
    Senior Member
    Join Date
    Sep 2007
    Posts
    230
    I assume you captured this packet from a pre-8.3 client? It's missing the Adler32 checksum from the header which suggests so. My guess for the problem is you are passing true for the hasAdler argument for the function which will cause it to remove 4 bytes from the packet where the checksum should be (byte 3 to 6), since your packet doesn't have a checksum it instead removes the first 4 bytes of the actual encrypted data. The first 2 bytes, which is the encrypted data size, are also removed before decrypting leaving you with only the last 4 bytes of your packet. This poses a problem with XTEA which works on 8-byte blocks but since you only have 4 bytes the Decode function will fail with an out-of-bounds exception which I assume is catching itself and gracefully returning without doing anything to the block.

    So long story short make sure you are passing false for hasAdler if you are on a pre-8.3 client and it should decrypt fine, and do the same for the addAdler argument for Encrypt.
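
The framing problem described in post #4, as an added example that is not part of the thread or of TibiaAPI: a parser that validates the length header and the optional Adler-32 before any XTEA block is touched, so a wrong `has_adler` guess fails loudly. Function names are hypothetical; little-endian XTEA words are an assumption, and the checksum layout (length counts the checksum, Adler-32 covers the bytes after it) is an assumption that agrees with the 14-byte re-encrypted frame quoted in post #1.

```python
import struct
import zlib

DELTA, MASK, ROUNDS = 0x9E3779B9, 0xFFFFFFFF, 32

def _mix(v, total, k, idx):  # XTEA round function; caller masks to 32 bits
    return (((v << 4) ^ (v >> 5)) + v) ^ (total + k[idx & 3])

def xtea_block(v0, v1, k, decrypt):  # one 64-bit block as two uint32 words
    total = (DELTA * ROUNDS) & MASK if decrypt else 0
    for _ in range(ROUNDS):
        if decrypt:
            v1 = (v1 - _mix(v0, total, k, total >> 11)) & MASK
            total = (total - DELTA) & MASK
            v0 = (v0 - _mix(v1, total, k, total)) & MASK
        else:
            v0 = (v0 + _mix(v1, total, k, total)) & MASK
            total = (total + DELTA) & MASK
            v1 = (v1 + _mix(v0, total, k, total >> 11)) & MASK
    return v0, v1

def _crypt(data, key, decrypt):
    k = struct.unpack("<4I", key)  # assumption: key and blocks are little-endian words
    return b"".join(struct.pack("<2I", *xtea_block(a, b, k, decrypt))
                    for a, b in struct.iter_unpack("<2I", data))

def split_frame(frame, has_adler):
    """Validate [len:2][adler32:4 if has_adler][payload]; return the payload."""
    size, body = struct.unpack_from("<H", frame)[0], frame[2:]
    if size != len(body):
        raise ValueError("length header does not match the captured data")
    if has_adler:
        if len(body) < 4 or zlib.adler32(body[4:]) != struct.unpack_from("<I", body)[0]:
            raise ValueError("no valid Adler-32 after the length; try has_adler=False")
        body = body[4:]
    if not body or len(body) % 8:
        raise ValueError("payload is not a whole number of 8-byte XTEA blocks")
    return body

def decrypt_frame(frame, key, has_adler):
    return _crypt(split_frame(frame, has_adler), key, decrypt=True)

def encrypt_frame(plain, key, add_adler):
    body = _crypt(plain + b"\x00" * (-len(plain) % 8), key, decrypt=False)  # zero-pad
    body = (struct.pack("<I", zlib.adler32(body)) if add_adler else b"") + body
    return struct.pack("<H", len(body)) + body

KEY = bytes.fromhex("35F6EB95682B21B01B447BF0B9935645")      # key quoted in post #1
CAPTURED = bytes.fromhex("08009434916567944b31")              # 10-byte frame, post #1
REENCRYPTED = bytes.fromhex("0c00b503460f2bf221586c777ac1")  # 14-byte frame, post #1
```

With `has_adler=True` the captured 10-byte frame is rejected instead of silently losing four ciphertext bytes, while the 14-byte re-encrypted frame does carry a valid checksum, which indicates that Encrypt was called with addAdler set. The zeros seen after a round trip are the block padding added before encryption.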

  5. #5
    Administrator
    Join Date
    Mar 2007
    Posts
    1,723
    Dark Pallys and Sketchy posting in the same thread on the same day.

  6. #6
    Up^ Haha,
    Thanks guys, I am working on the 7.72 client and I will check it out later tonight when I get back home. Will report back!
    Much appreciated!

  7. #7
    Haven't bothered testing yet and I don't think I will cause I don't need to be able to do this anymore as I found a workaround. Thanks anyway guys ^^

  8. #8
    Administrator
    Join Date
    Mar 2007
    Location
    Melbourne, Australia
    Posts
    1,274
    Quote Originally Posted by Jo3Bingham View Post
    Dark Pallys and Sketchy posting in the same thread on the same day.
    Lol this is brilliant..
