Discussion Support for interlude decoding Init package to create module

[rufi]

Hello,

I’m working on decrypting the Init packet that the server sends to the client during login. This packet is treated specially and contains the Blowfish keys used to encrypt and decrypt subsequent packets. Although it isn’t encrypted irreversibly and should be reversible, I haven’t succeeded yet.

My goal is to extract the Blowfish key to decrypt certain client packets without disrupting the normal session flow. I can inject a DLL to sniff the packets, and with that I plan to develop a module that extends the client’s functionality. For example, after logging in, this module would capture all the data the client receives (character data, etc.). Additionally, it could listen for real-time server events, enabling integrations with Discord SDKs or other systems, thereby expanding Lineage 2’s capabilities.


Init packet(0x00) LoginServer.

Currently in the java Cores I checked there is no decode function for this package, only encript.

[Gawric]

 

https://github.com/gawric/Guide-L2Unity/blob/main/Guide/Pakets/Blowfish/General description.md

 

Perhaps you will find it useful

piece of encryption and decryption code from Acis Interlude

 

I transferred these methods to Unity c# and everything works fine

 

https://ibb.co/DHhP0JYr

 

I think the first 2 bytes are the packet size.
Third byte packet id
And then the information itself

 

It's all there in l2j servers

 

Edited May 8 by Gawric

[rufi]

8 hours ago, Gawric said:

 

https://github.com/gawric/Guide-L2Unity/blob/main/Guide/Pakets/Blowfish/Descripción general.md

 

Quizás te resulte útil

fragmento de código de cifrado y descifrado de Acis Interlude

 

Transferí estos métodos a Unity C# y todo funciona bien.

 

https://ibb.co/DHhP0JYr

 

Creo que los dos primeros bytes representan el tamaño del paquete.
El tercer byte, el ID del paquete.
Y luego, la información en sí.

 

Todo está ahí en los servidores l2j

 

 

Hello first of all thank you for your prompt response and the time you are taking to read this and answer, I am aware that not everyone takes the time and for that I thank you.

On the other hand the specific problem is when decrypting this package and being able to parse it, 

In some places it says that it is only encrypted with xor, in others that only a static blowfish is used and in others that both are used in the order of xor and then blowfish, this is the problem in spite of being able to see the encryption mechanisms of the servers, I can not put together the function that reverses this encryption to obtain the keys sent by the init packet.

 

Thanks for your time, hopefully the rest can contribute something because it is a super useful module to extend any functionality to the client and I will publish it in an opensource way when it is finished.

[Gawric]

2 hours ago, rufi said:

 

Hello first of all thank you for your prompt response and the time you are taking to read this and answer, I am aware that not everyone takes the time and for that I thank you.

On the other hand the specific problem is when decrypting this package and being able to parse it, 

In some places it says that it is only encrypted with xor, in others that only a static blowfish is used and in others that both are used in the order of xor and then blowfish, this is the problem in spite of being able to see the encryption mechanisms of the servers, I can not put together the function that reverses this encryption to obtain the keys sent by the init packet.

 

Thanks for your time, hopefully the rest can contribute something because it is a super useful module to extend any functionality to the client and I will publish it in an opensource way when it is finished.

I open the l2j server and see

1. XOR->NewCrypt.encXORPass(raw, offset, size, Rnd.nextInt()); ---> XOR can also be taken from l2j
2. _staticCrypt.crypt(raw, offset, size);

----->

Quote

private void encryptBlock(byte[] src, int srcIndex, byte[] dst, int dstIndex)
{
    int xl = bytesTo32bits(src, srcIndex);
    int xr = bytesTo32bits(src, srcIndex + 4);
     xl ^= P[0];
    for (int i = 1; i < ROUNDS; i += 2)
    {
      xr ^= func(xl) ^ P[i];
      xl ^= func(xr) ^ P[i + 1];
    }
      xr ^= P[ROUNDS + 1];
      bits32ToBytes(xr, dst, dstIndex);
      bits32ToBytes(xl, dst, dstIndex + 4);
 }

 

 

I scroll down the code and see this code

 

----->

Quote

/**
     * Decrypt the given input starting at the given offset and place the result in the provided buffer starting at the given offset. The input will be an exact multiple of our blocksize.
     * @param src
     * @param srcIndex
     * @param dst
     * @param dstIndex
     */
    private void decryptBlock(byte[] src, int srcIndex, byte[] dst, int dstIndex)
    {
        int xl = bytesTo32bits(src, srcIndex);
        int xr = bytesTo32bits(src, srcIndex + 4);
        xl ^= P[ROUNDS + 1];
        for (int i = ROUNDS; i > 0; i -= 2)
        {
            xr ^= func(xl) ^ P[i];
            xl ^= func(xr) ^ P[i - 1];
        }
        xr ^= P[0];
        bits32ToBytes(xr, dst, dstIndex);
        bits32ToBytes(xl, dst, dstIndex + 4);
    }

 

===================================================

 

I'm transferring this code to C#

Quote

private void decryptBlock(byte[] src, uint srcIndex, byte[] dst, uint dstIndex)
   {
       uint xl = BytesTo32bits(src, srcIndex);
       uint xr = BytesTo32bits(src, srcIndex + 4);
       xl ^= P[ROUNDS + 1];
       for (int i = ROUNDS; i > 0; i -= 2)
       {
           xr ^= F(xl) ^ P[i];
           xl ^= F(xr) ^ P[i - 1];
       }
       xr ^= P[0];
       Bits32ToBytes(xr, dst, dstIndex);
       Bits32ToBytes(xl, dst, dstIndex + 4);
   }

 

And in c# I first do decryptBlock and then XOR and everything works, I get the package

and the first 2 bytes have already been removed as far as I remember

 

This only works for the login server.

The blowfish encryption key is used static, it can be found in the l2j server

 

Edited May 8 by Gawric