Jump to content

Recommended Posts

Posted

Hello,

I’m working on decrypting the Init packet that the server sends to the client during login. This packet is treated specially and contains the Blowfish keys used to encrypt and decrypt subsequent packets. Although it isn’t encrypted irreversibly and should be reversible, I haven’t succeeded yet.

My goal is to extract the Blowfish key to decrypt certain client packets without disrupting the normal session flow. I can inject a DLL to sniff the packets, and with that I plan to develop a module that extends the client’s functionality. For example, after logging in, this module would capture all the data the client receives (character data, etc.). Additionally, it could listen for real-time server events, enabling integrations with Discord SDKs or other systems, thereby expanding Lineage 2’s capabilities.


Init packet(0x00) LoginServer.

Currently in the java Cores I checked there is no decode function for this package, only encript.

Posted (edited)

 

https://github.com/gawric/Guide-L2Unity/blob/main/Guide/Pakets/Blowfish/General description.md

 

Perhaps you will find it useful

piece of encryption and decryption code from Acis Interlude

 

I transferred these methods to Unity c# and everything works fine

 

https://ibb.co/DHhP0JYr

 

I think the first 2 bytes are the packet size.
Third byte packet id
And then the information itself

 

It's all there in l2j servers

 

Edited by Gawric
Posted
8 hours ago, Gawric said:

 

https://github.com/gawric/Guide-L2Unity/blob/main/Guide/Pakets/Blowfish/Descripción general.md

 

Quizás te resulte útil

fragmento de código de cifrado y descifrado de Acis Interlude

 

Transferí estos métodos a Unity C# y todo funciona bien.

 

https://ibb.co/DHhP0JYr

 

Creo que los dos primeros bytes representan el tamaño del paquete.
El tercer byte, el ID del paquete.
Y luego, la información en sí.

 

Todo está ahí en los servidores l2j

 



 

Hello first of all thank you for your prompt response and the time you are taking to read this and answer, I am aware that not everyone takes the time and for that I thank you.


On the other hand the specific problem is when decrypting this package and being able to parse it, 

In some places it says that it is only encrypted with xor, in others that only a static blowfish is used and in others that both are used in the order of xor and then blowfish, this is the problem in spite of being able to see the encryption mechanisms of the servers, I can not put together the function that reverses this encryption to obtain the keys sent by the init packet.

 

Thanks for your time, hopefully the rest can contribute something because it is a super useful module to extend any functionality to the client and I will publish it in an opensource way when it is finished.

Posted (edited)
2 hours ago, rufi said:



 

Hello first of all thank you for your prompt response and the time you are taking to read this and answer, I am aware that not everyone takes the time and for that I thank you.


On the other hand the specific problem is when decrypting this package and being able to parse it, 

In some places it says that it is only encrypted with xor, in others that only a static blowfish is used and in others that both are used in the order of xor and then blowfish, this is the problem in spite of being able to see the encryption mechanisms of the servers, I can not put together the function that reverses this encryption to obtain the keys sent by the init packet.

 

Thanks for your time, hopefully the rest can contribute something because it is a super useful module to extend any functionality to the client and I will publish it in an opensource way when it is finished.

I open the l2j server and see

1. XOR->NewCrypt.encXORPass(raw, offset, size, Rnd.nextInt()); ---> XOR can also be taken from l2j
2. _staticCrypt.crypt(raw, offset, size);
----->
Quote

private void encryptBlock(byte[] src, int srcIndex, byte[] dst, int dstIndex)
{
    int xl = bytesTo32bits(src, srcIndex);
    int xr = bytesTo32bits(src, srcIndex + 4);
     xl ^= P[0];
    for (int i = 1; i < ROUNDS; i += 2)
    {
      xr ^= func(xl) ^ P[i];
      xl ^= func(xr) ^ P[i + 1];
    }
      xr ^= P[ROUNDS + 1];
      bits32ToBytes(xr, dst, dstIndex);
      bits32ToBytes(xl, dst, dstIndex + 4);
 }

 

 

I scroll down the code and see this code

 

----->

Quote

/**
     * Decrypt the given input starting at the given offset and place the result in the provided buffer starting at the given offset. The input will be an exact multiple of our blocksize.
     * @param src
     * @param srcIndex
     * @param dst
     * @param dstIndex
     */
    private void decryptBlock(byte[] src, int srcIndex, byte[] dst, int dstIndex)
    {
        int xl = bytesTo32bits(src, srcIndex);
        int xr = bytesTo32bits(src, srcIndex + 4);
        xl ^= P[ROUNDS + 1];
        for (int i = ROUNDS; i > 0; i -= 2)
        {
            xr ^= func(xl) ^ P[i];
            xl ^= func(xr) ^ P[i - 1];
        }
        xr ^= P[0];
        bits32ToBytes(xr, dst, dstIndex);
        bits32ToBytes(xl, dst, dstIndex + 4);
    }

 

===================================================

 

I'm transferring this code to C#

Quote

private void decryptBlock(byte[] src, uint srcIndex, byte[] dst, uint dstIndex)
   {
       uint xl = BytesTo32bits(src, srcIndex);
       uint xr = BytesTo32bits(src, srcIndex + 4);
       xl ^= P[ROUNDS + 1];
       for (int i = ROUNDS; i > 0; i -= 2)
       {
           xr ^= F(xl) ^ P[i];
           xl ^= F(xr) ^ P[i - 1];
       }
       xr ^= P[0];
       Bits32ToBytes(xr, dst, dstIndex);
       Bits32ToBytes(xl, dst, dstIndex + 4);
   }

 

And in c# I first do decryptBlock and then XOR and everything works, I get the package

and the first 2 bytes have already been removed as far as I remember

 

loginXor.png

This only works for the login server.

The blowfish encryption key is used static, it can be found in the l2j server

 

Edited by Gawric

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



  • Posts

    • its not imagination we skip that on this topic my offer still stands i am accepting a house Mr. @ERROR501 for more information please contact me
    • Sell ready interlude server files, with all popular features and tested, stable source + fully functional premium geodata for free.   Features include: Events: DM CTF TVT LM Dressme system Custom Buffer GM Shop Custom community board Donation manager  Auto Farm   Album: sell c6 — ImgBB   Test Server online: Patch link: https://drive.google.com/file/d/1mvEbv9XESsvfWwc638xFyyzyESeE2U95/view?usp=drive_link Auto acc create and auto admin   Price: 300$. Discord: l2retro
    • Faltan demasiados archivos,  y lógicas en clases claves como L2pcInstance, entre otras. si bien muchas cosas están y el flujo es valorable.  Gracias por tu esfuerzo es bastante... pero realmente no esta completo el código, falta que subas todas las modificaciones en clases colaterales... podrías intentar subir un diff de todo el mod  completo de tu pack y bueno ahí si que cada uno adapte... pero faltan muchas cosas, dudo que haya gente que lo haya echo funcionar con esto... 
    • I know people who have fully bypassed and reversed AAC. One day, they might even release the full source code, but for now, they’re still making money off it. I won’t name anyone, but it’s clear that there aren’t any truly solid anticheats for Lineage2. As I’ve said before, kernel level anticheats are the only real solution. Anything that runs as Internal and injects gets flagged, and your account ends up getting kicked or banned. That’s just how most games handle it nowadays. To TL;DR the whole thing cheating will always exist because there are people out there smart enough to bypass any protection and run private cheats. Public cheats are always detected eventually, so I don’t see any point in buying AAC, especially when they claim it blocks adr, which simply isn’t true.
    • 🌐 Website: https://l2adonis.com 📅 GRAND OPENING: July 18, 2025 – 20:00 (UTC+2) 💬 Discord: https://discord.com/invite/tZBj8JxAwx 🚫 No auto-farm • No auto-macro • No pay-to-win • No custom   Some Basic Info's (More detalied info's on website)  EXP/SP: x25  Adena: x15  Drop: x15  Spoil: x15  Seal Stones: x15  Raid Boss Drop: x10  Epic Boss Drop: x1  Manor: x10  Safe Enchant: +4  Max Enchant: +16  Normal Scroll Chance: 50%  Blessed Scroll Chance: 66% (If enchant fail item remain +4)  Buff Slots (30+4 extra with Divine Inspiration)  Dances/Songs Slots 14  Auto-learn skills  ⚔️ Real PvP • Real Progression • Retail-like experience JOIN NOW and relive the real L2 experience!
  • Topics

×
×
  • Create New...

AdBlock Extension Detected!

Our website is made possible by displaying online advertisements to our members.

Please disable AdBlock browser extension first, to be able to use our community.

I've Disabled AdBlock