Hello TP!
Today I've tried to decrypt Tibia packets captured with Wireshark, although it doesn't seem to work as intended.
I've captured a packet (walk one step left):
Code:
No. Time Source Destination Protocol Length Info
181 1.633712000 192.168.1.7 xx.xxx.xxx.xxx TCP 64 49166 > metalbend [PSH, ACK] Seq=1 Ack=1 Win=253 Len=10
Frame 181: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
Interface id: 0
Encapsulation type: Ethernet (1)
Arrival Time: Nov 2, 2014 20:46:38.948987000 W. Europe Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1414957598.948987000 seconds
[Time delta from previous captured frame: 0.010896000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 1.633712000 seconds]
Frame Number: 181
Frame Length: 64 bytes (512 bits)
Capture Length: 64 bytes (512 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp:data]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: Vmware_f3:81:de (00:0c:29:f3:81:de), Dst: 6c:b0:ce:e5:15:17 (6c:b0:ce:e5:15:17)
Internet Protocol Version 4, Src: 192.168.1.7 (192.168.1.7), Dst: XX.XX.XXX.XXX
Transmission Control Protocol, Src Port: 49166 (49166), Dst Port: metalbend (7172), Seq: 1, Ack: 1, Len: 10
Source port: 49166 (49166)
Destination port: metalbend (7172)
[Stream index: 1]
Sequence number: 1 (relative sequence number)
[Next sequence number: 11 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x018 (PSH, ACK)
Window size value: 253
[Calculated window size: 253]
[Window size scaling factor: -1 (unknown)]
Checksum: 0xbd8d [validation disabled]
[SEQ/ACK analysis]
Data (10 bytes)
0000 08 00 94 34 91 65 67 94 4b 31 ...4.eg.K1
Data: 08009434916567944b31
[Length: 10]
From this I guess the Data (the 10 bytes) is the actual encrypted packet:
"08 00 94 34 91 65 67 94 4b 31"
And with this I read the client's memory at the XTEA address (I read it as 16 bytes):
35F6EB95682B21B01B447BF0B9935645
Then I used the TibiaAPI's XTEA Decrypt function to decrypt it, which gave me "67 94 4B 31 00 00".
That doesn't seem correct for a single move-left packet.
As I would and should, I tried encrypting the result again with the same XTEA key, but I got something totally different:
"0c00b503460f2bf221586c777ac1"
Encrypt and Decrypt functions:
Code:
/// <summary>
/// Decrypt a packet using XTEA. Expects [2-byte length][optional 4-byte Adler][XTEA body].
/// </summary>
public static byte[] Decrypt(byte[] packet, byte[] key, bool hasAdler)
{
    if (packet.Length == 0)
        return packet;

    byte[] packet_ready;
    if (hasAdler)
    {
        // Drop the 4-byte Adler checksum (RemoveAdlerChecksum is a TibiaAPI helper, not shown here)
        packet_ready = new byte[packet.Length - 4];
        Array.Copy(RemoveAdlerChecksum(packet), 0, packet_ready, 0, packet_ready.Length);
    }
    else
    {
        packet_ready = new byte[packet.Length];
        Array.Copy(packet, 0, packet_ready, 0, packet.Length);
    }

    // The first two bytes are the length of the encrypted body
    byte[] payload = new byte[packet_ready.Length - 2];
    Array.Copy(packet_ready, 2, payload, 0, payload.Length);

    // Decrypt two uint32 words (one 8-byte XTEA block) at a time
    // (ToUintArray, ToByteArray and Decode are TibiaAPI helpers, not shown here)
    uint[] payloadprep = payload.ToUintArray();
    uint[] keyprep = key.ToUintArray();
    for (int i = 0; i < payloadprep.Length; i += 2)
    {
        Decode(payloadprep, i, keyprep);
    }

    // Remove the junk bytes
    byte[] decrypted = payloadprep.ToByteArray();
    // Trimming by the 2-byte inner length header, commented out:
    //int length = BitConverter.ToInt16(decrypted, 0) + 2;
    // As written, the output buffer is two bytes longer than the decrypted data and
    // only decrypted.Length bytes are copied into it, so its last two bytes stay zero
    int length = decrypted.Length + 2;
    byte[] decryptedprep = new byte[length];
    //Console.WriteLine("Decrypted: " + decrypted.Length + ", decryptprep: " + decryptedprep.Length);
    Array.Copy(decrypted, decryptedprep, length - 2);
    return decryptedprep;
    //return decrypted;
}

/// <summary>
/// Encrypt a packet using XTEA. Produces [2-byte length][XTEA body][optional 4-byte Adler].
/// </summary>
/// <param name="packet">Plaintext to encrypt</param>
/// <param name="key">16-byte XTEA key</param>
/// <param name="addAdler">Whether to append the Adler checksum</param>
public static byte[] Encrypt(byte[] packet, byte[] key, bool addAdler)
{
    if (packet.Length == 0)
        return packet;

    uint[] keyprep = key.ToUintArray();

    // XTEA works on 8-byte blocks: zero-pad the packet up to the next multiple of 8
    int pad = packet.Length % 8;
    byte[] packetprep;
    if (pad == 0)
        packetprep = new byte[packet.Length];
    else
        packetprep = new byte[packet.Length + (8 - pad)];
    Array.Copy(packet, packetprep, packet.Length);

    // Encrypt two uint32 words (one block) at a time (Encode is a TibiaAPI helper, not shown here)
    uint[] payloadprep = packetprep.ToUintArray();
    for (int i = 0; i < payloadprep.Length; i += 2)
    {
        Encode(payloadprep, i, keyprep);
    }

    // Prepend the 2-byte little-endian length of the encrypted body
    byte[] encrypted = new byte[packetprep.Length + 2];
    Array.Copy(payloadprep.ToByteArray(), 0, encrypted, 2, packetprep.Length);
    Array.Copy(BitConverter.GetBytes((short)packetprep.Length), 0, encrypted, 0, 2);

    if (addAdler)
    {
        // AddAdlerChecksum is a TibiaAPI helper, not shown here
        byte[] encrypted_ready = new byte[encrypted.Length + 4];
        Array.Copy(AddAdlerChecksum(encrypted), 0, encrypted_ready, 0, encrypted_ready.Length);
        return encrypted_ready;
    }
    else
        return encrypted;
}
Tested encrypting "aabbccddeeff"; the result was "0800a005a6904fa21897".
When decrypting that, it gives "aabbccddeeff00000000",
so it adds a bunch of 0's?
Anyone got any idea, please let me know. <3
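An added, stand-alone example (not the poster's code and not TibiaAPI) that covers both the framing guessed at above ("08 00" = 8-byte XTEA body) and the "aabbccddeeff" round trip at the end of the post. It is in Python rather than C# so it can be run without the TibiaAPI helpers. Assumptions: XTEA words and the length header are little-endian (as with `BitConverter`), the key and the messages are constructed test values, the decrypted body starts with a 2-byte inner length as in the open-source OT server implementations, and when a checksum is present it is an Adler-32 over the ciphertext placed between the outer length and the ciphertext with the outer length counting both. `decrypt_as_posted` mirrors the control flow of the posted `Decrypt` with `hasAdler = false`: XTEA zero-pads 6 bytes to 8, and the `decrypted.Length + 2` buffer adds two more zeros, which is where the ten-byte "aabbccddeeff00000000" comes from. `parse_packet` adds the sanity check a dissector wants: a decrypted inner length larger than the body means the key or the framing is wrong.

```python
import struct
import zlib

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32


def _encrypt_block(v0, v1, k):
    """One XTEA block (two 32-bit words), 32 rounds."""
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1


def _decrypt_block(v0, v1, k):
    """Exact inverse of _encrypt_block: same schedule, run backwards."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1


def _key_words(key):
    if len(key) != 16:
        raise ValueError("XTEA key must be 16 bytes")
    return struct.unpack("<4I", key)  # little-endian words, like BitConverter (assumption)


def xtea_encrypt(data, key):
    """Zero-pad to a multiple of 8 and encrypt block by block."""
    data = bytes(data)
    if len(data) % 8:
        data += b"\x00" * (8 - len(data) % 8)  # this padding is the source of the trailing 0's
    k = _key_words(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *_encrypt_block(v0, v1, k))
    return bytes(out)


def xtea_decrypt(data, key):
    """Decrypt block by block; the caller strips the padding using the inner length."""
    data = bytes(data)
    if len(data) % 8:
        raise ValueError("ciphertext length %d is not a multiple of 8" % len(data))
    k = _key_words(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *_decrypt_block(v0, v1, k))
    return bytes(out)


def build_packet(message, key, with_checksum=False):
    """[2-byte outer length][optional adler32][XTEA([2-byte inner length][message][pad])]."""
    body = xtea_encrypt(struct.pack("<H", len(message)) + message, key)
    if with_checksum:
        body = struct.pack("<I", zlib.adler32(body)) + body  # placement is an assumption, see lead-in
    return struct.pack("<H", len(body)) + body


def parse_packet(packet, key, with_checksum=False):
    """Reverse build_packet and return the plaintext message without padding."""
    (body_len,) = struct.unpack_from("<H", packet, 0)
    body = packet[2:2 + body_len]
    if len(body) != body_len:
        raise ValueError("outer length says %d bytes but %d are present" % (body_len, len(body)))
    if with_checksum:
        (stated,) = struct.unpack_from("<I", body, 0)
        body = body[4:]
        if zlib.adler32(body) != stated:
            raise ValueError("adler32 mismatch: the checksum covers the ciphertext, so the framing is wrong")
    plain = xtea_decrypt(body, key)
    (inner_len,) = struct.unpack_from("<H", plain, 0)
    if inner_len > len(plain) - 2:
        raise ValueError("inner length %d exceeds the body: wrong key or wrong framing" % inner_len)
    return plain[2:2 + inner_len]


def decrypt_as_posted(packet, key):
    """Mirror the posted C# Decrypt with hasAdler=false: strip the 2-byte header,
    decrypt, then copy into a buffer two bytes larger than the plaintext."""
    plain = xtea_decrypt(packet[2:], key)
    return plain + b"\x00\x00"


if __name__ == "__main__":
    key = bytes(range(16))  # constructed test key, not a real client key
    raw = bytes.fromhex("aabbccddeeff")  # the six bytes from the post
    frame = b"\x08\x00" + xtea_encrypt(raw, key)
    print("posted-style decrypt:", decrypt_as_posted(frame, key).hex())  # aabbccddeeff00000000
    pkt = build_packet(b"\x01\x02\x03", key)  # constructed message
    print("framed packet:", pkt.hex(), "->", parse_packet(pkt, key).hex())
```

Run it as-is to see the two extra zero bytes appear from the buffer copy and the padding, then use `parse_packet` on a captured body: with the right key and framing the inner length is small and plausible, with the wrong key it is almost always larger than the body and the check fails immediately.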