View Full Version : Tibia 11 - XTEA key



blackd
10-12-2016, 00:53
Ok, I am now working on this part, required for my proxy.
For now I found a method to locate it:
IMPORTANT: You should disable "Fast scan" and you should enable "Executable memory".

Just search for the XTEA constant called delta (please check the XTEA C implementation in this Wikipedia article: https://en.wikipedia.org/wiki/XTEA ).
Using Cheat Engine, just search 4 bytes HEX: 61C88647 in executable memory and you should find it in 2-5 places. You can make an initial bet on the second one. If the XTEA function is not there, then just try the rest.

Go to Memory View > right click > Go to address > enter your chosen address.
If it is the correct address then it should point to client.exe + something.
If it is the correct address then you should be reading the function that ciphers/deciphers packets with XTEA. Right click, select current function and you will see it better:



client.exe+2E6A6D - 55 - push ebp
client.exe+2E6A6E - 8B EC - mov ebp,esp
client.exe+2E6A70 - 51 - push ecx
client.exe+2E6A71 - 51 - push ecx
client.exe+2E6A72 - 53 - push ebx
client.exe+2E6A73 - 56 - push esi
client.exe+2E6A74 - 8B 35 50030C01 - mov esi,[client.exe+330350]
client.exe+2E6A7A - 57 - push edi
client.exe+2E6A7B - 8B 7D 08 - mov edi,[ebp+08]
client.exe+2E6A7E - 89 4D FC - mov [ebp-04],ecx
client.exe+2E6A81 - FF 37 - push [edi]
client.exe+2E6A83 - FF D6 - call esi
client.exe+2E6A85 - FF 77 04 - push [edi+04]
client.exe+2E6A88 - 8B D8 - mov ebx,eax
client.exe+2E6A8A - FF D6 - call esi
client.exe+2E6A8C - 8B D0 - mov edx,eax
client.exe+2E6A8E - 33 F6 - xor esi,esi
client.exe+2E6A90 - 8B 45 FC - mov eax,[ebp-04]
client.exe+2E6A93 - 59 - pop ecx
client.exe+2E6A94 - 59 - pop ecx
client.exe+2E6A95 - 8B 48 2C - mov ecx,[eax+2C]
client.exe+2E6A98 - 89 4D 08 - mov [ebp+08],ecx
client.exe+2E6A9B - 85 C9 - test ecx,ecx
client.exe+2E6A9D - 74 49 - je client.exe+2E6AE8
client.exe+2E6A9F - 8B 78 28 - mov edi,[eax+28]
client.exe+2E6AA2 - 8B CA - mov ecx,edx
client.exe+2E6AA4 - 8B C2 - mov eax,edx
client.exe+2E6AA6 - C1 E0 04 - shl eax,04
client.exe+2E6AA9 - C1 E9 05 - shr ecx,05
client.exe+2E6AAC - 33 C8 - xor ecx,eax
client.exe+2E6AAE - 8B C6 - mov eax,esi
client.exe+2E6AB0 - 83 E0 03 - and eax,03
client.exe+2E6AB3 - 03 CA - add ecx,edx
client.exe+2E6AB5 - 8B 04 87 - mov eax,[edi+eax*4] << XTEA KEY HERE!
client.exe+2E6AB8 - 03 C6 - add eax,esi
client.exe+2E6ABA - 81 EE 4786C861 - sub esi,61C88647
client.exe+2E6AC0 - 33 C8 - xor ecx,eax
client.exe+2E6AC2 - 03 D9 - add ebx,ecx
client.exe+2E6AC4 - 8B CB - mov ecx,ebx
client.exe+2E6AC6 - 8B C3 - mov eax,ebx
client.exe+2E6AC8 - C1 E0 04 - shl eax,04
client.exe+2E6ACB - C1 E9 05 - shr ecx,05
client.exe+2E6ACE - 33 C8 - xor ecx,eax
client.exe+2E6AD0 - 8B C6 - mov eax,esi
client.exe+2E6AD2 - C1 E8 0B - shr eax,0B
client.exe+2E6AD5 - 03 CB - add ecx,ebx
client.exe+2E6AD7 - 83 E0 03 - and eax,03
client.exe+2E6ADA - 8B 04 87 - mov eax,[edi+eax*4]
client.exe+2E6ADD - 03 C6 - add eax,esi
client.exe+2E6ADF - 33 C8 - xor ecx,eax
client.exe+2E6AE1 - 03 D1 - add edx,ecx
client.exe+2E6AE3 - 3B 75 08 - cmp esi,[ebp+08]
client.exe+2E6AE6 - 75 BA - jne client.exe+2E6AA2
client.exe+2E6AE8 - 8B 45 0C - mov eax,[ebp+0C]
client.exe+2E6AEB - 8D 4D F8 - lea ecx,[ebp-08] : (float)18940.7500
client.exe+2E6AEE - 52 - push edx
client.exe+2E6AEF - 89 45 F8 - mov [ebp-08],eax
client.exe+2E6AF2 - 8B 45 10 - mov eax,[ebp+10]
client.exe+2E6AF5 - 53 - push ebx
client.exe+2E6AF6 - 89 45 FC - mov [ebp-04],eax
client.exe+2E6AF9 - E8 D2010000 - call client.exe+2E6CD0
client.exe+2E6AFE - 8B C8 - mov ecx,eax
client.exe+2E6B00 - E8 CB010000 - call client.exe+2E6CD0
client.exe+2E6B05 - 5F - pop edi
client.exe+2E6B06 - 5E - pop esi
client.exe+2E6B07 - 5B - pop ebx
client.exe+2E6B08 - 8B E5 - mov esp,ebp
client.exe+2E6B0A - 5D - pop ebp
client.exe+2E6B0B - C2 0C00 - ret 000C


Two lines above, we have the key, inside EDI. Just select that line, right click, Find out what addresses this instruction accesses.

client.exe+2E6AB5 - 8B 04 87 - mov eax,[edi+eax*4] << XTEA KEY HERE!
client.exe+2E6AB8 - 03 C6 - add eax,esi
client.exe+2E6ABA - 81 EE 4786C861 - sub esi,61C88647

And then you will see a window called "Changed Addresses" that will show a lot of activity in 4 addresses. It is really the same address (just split into 4 parts of 4 bytes each). That is, the lowest address is the start of the XTEA key.

Now we only need to search for a path to this place.

We obtain several paths. The best looking one is this:
"Qt5Gui.dll"+00482EE4 > 28 > 0 > 1D8 > 2F0 > 7C > B8
And we know we can safely translate it to this shorter one:
"Qt5Core.dll" + 004555C8 > 8 > 1D8 > 2F0 > 7C > B8

That is:
(Tibia 11.00) adrConnectionKey="Qt5Core.dll" + 004555C8 > 8 > 1D8 > 2F0 > 7C > B8

(Tibia 11.01) adrConnectionKey="Qt5Core.dll" + 004555C8 > 8 > 1D8 > 2F8 > 7C > B8
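As an added illustration (not code from the thread or from the client), here is XTEA as in the Wikipedia reference implementation the post points to, next to a second encipher routine written to follow the register flow of the listing above: ebx = v0, edx = v1, esi = sum, edi = key pointer, with the loop running until esi reaches the end sum that the listing loads from [eax+2C] into [ebp+08]. It makes concrete why the search constant is 61C88647 rather than 9E3779B9: the compiler emitted `sum += delta` as `sub esi,61C88647`, and 0x61C88647 is the two's-complement negation of 0x9E3779B9, so both routines produce identical ciphertext. The key and plaintext block are constructed values, and the round count of 32 is the reference default (the listing keeps its end sum in the object rather than a hard-coded count).

```c
#include <stdint.h>
#include <stdio.h>

#define XTEA_DELTA      0x9E3779B9u  /* delta from the reference implementation */
#define XTEA_NEG_DELTA  0x61C88647u  /* (uint32_t)-XTEA_DELTA: the value searched for in memory */
#define XTEA_ROUNDS     32u          /* reference default; the listing loads its end sum from [eax+2C] */

/* Reference form (Wikipedia): one 64-bit block as two 32-bit words. */
void xtea_encipher(uint32_t v[2], const uint32_t key[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (unsigned i = 0; i < XTEA_ROUNDS; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

void xtea_decipher(uint32_t v[2], const uint32_t key[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * XTEA_ROUNDS;
    for (unsigned i = 0; i < XTEA_ROUNDS; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* The same encipher written to follow the listing's register flow:
 * ebx = v0, edx = v1, esi = sum, edi = key (mov eax,[edi+eax*4]),
 * looping until esi equals the end sum kept at [ebp+08]. */
void xtea_encipher_as_compiled(uint32_t v[2], const uint32_t key[4])
{
    uint32_t ebx = v[0], edx = v[1], esi = 0;
    const uint32_t end_sum = XTEA_DELTA * XTEA_ROUNDS;       /* stands in for [ebp+08] */
    if (end_sum != 0) {                                      /* test ecx,ecx ; je */
        do {
            uint32_t ecx = ((edx << 4) ^ (edx >> 5)) + edx;  /* shl 4 / shr 5 / xor / add */
            uint32_t eax = key[esi & 3] + esi;               /* and eax,03 ; mov eax,[edi+eax*4] ; add eax,esi */
            esi -= XTEA_NEG_DELTA;                           /* sub esi,61C88647 == sum += delta */
            ebx += ecx ^ eax;                                /* xor ecx,eax ; add ebx,ecx */
            ecx = ((ebx << 4) ^ (ebx >> 5)) + ebx;
            eax = key[(esi >> 11) & 3] + esi;                /* shr eax,0B ; and eax,03 ; mov ; add */
            edx += ecx ^ eax;                                /* xor ecx,eax ; add edx,ecx */
        } while (esi != end_sum);                            /* cmp esi,[ebp+08] ; jne */
    }
    v[0] = ebx;
    v[1] = edx;
}

/* Returns 1 if the two encipher forms agree, the block actually changed,
 * and decipher restores it. Key and plaintext are constructed values. */
int xtea_self_check(void)
{
    const uint32_t key[4]   = { 0x11223344u, 0x55667788u, 0x99AABBCCu, 0xDDEEFF00u };
    const uint32_t plain[2] = { 0x41424344u, 0x45464748u };
    uint32_t a[2] = { plain[0], plain[1] };
    uint32_t b[2] = { plain[0], plain[1] };

    xtea_encipher(a, key);
    xtea_encipher_as_compiled(b, key);
    if (a[0] != b[0] || a[1] != b[1]) return 0;
    if (a[0] == plain[0] && a[1] == plain[1]) return 0;
    xtea_decipher(a, key);
    return a[0] == plain[0] && a[1] == plain[1];
}

int main(void)
{
    int ok = xtea_self_check();
    printf("delta + neg_delta mod 2^32 = 0x%08X\n", (uint32_t)(XTEA_DELTA + XTEA_NEG_DELTA));
    printf("reference vs compiled form, round trip: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The same constant-based approach is what analysts use to spot cipher routines in any binary: the delta survives compilation either as 9E3779B9 or, as here, as its negation in a subtract.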

blackd
10-12-2016, 12:22
Tested, working :cool:

https://blackdtools.com/images/tibia11beta.png

DiegoTV
10-20-2016, 05:06
Also, another method where you can obtain it is through the login routine: the XTEA key is RSA-encrypted and sent right after you select the character; once decrypted you can just store it and use it as you please :)

The structure hasn't really changed since the Legacy client.



// Header fields of the login packet, read in order:
p.SkipHeaders();
Console.WriteLine("Packet Type: " + p.read_byte());
Console.WriteLine("Client Type: " + p.read_ushort());
Console.WriteLine("protocolVersion: " + p.read_ushort());
Console.WriteLine("Client Version: " + p.read_uint());
Console.WriteLine("contentRevision: " + p.read_ushort());
Console.WriteLine("Preview State: " + p.read_byte());

// The next 128 bytes are the RSA block: decrypt them in place and put them back.
byte[] rsaBlock = p.PeekAt(p.position, 128);
Rsa.RsaOTDecrypt(ref rsaBlock, 0, 128, Tibia);
p.replace_bytes(rsaBlock);
if (p.read_byte() != 1) throw new Exception("Invalid RSA"); // first plaintext byte must be 1

// The four 32-bit words of the XTEA key follow.
uint[] xtea_key = new uint[4];
xtea_key[0] = p.read_uint();
xtea_key[1] = p.read_uint();
xtea_key[2] = p.read_uint();
xtea_key[3] = p.read_uint();

p.read_byte(); // one byte skipped
Console.WriteLine(p.read_string()); // token string
Console.WriteLine(p.read_string()); // character name
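The same layout as a bounds-checked reader, added here as an example and not taken from the thread or any client. It assumes little-endian integers and a u16 length prefix for read_string (neither is stated in the post), and it does not perform the RSA step: the 128-byte block in the constructed sample stands in for the output of the decryption, so the parser only shows the field order and the marker-byte check that the C# snippet throws on. Every value in the sample is invented.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RSA_BLOCK_LEN 128
enum { LOGIN_OK = 0, LOGIN_TRUNCATED = -1, LOGIN_BAD_RSA = -2 };

/* Bounds-checked little-endian reader (byte order is an assumption): a failed
 * read sets err and yields 0 instead of reading past the buffer. */
typedef struct { const uint8_t *p; size_t len, pos; int err; } reader_t;

static int rd_need(reader_t *r, size_t n) { if (r->err || n > r->len - r->pos) r->err = 1; return !r->err; }
static uint8_t  rd_u8(reader_t *r)  { return rd_need(r, 1) ? r->p[r->pos++] : 0; }
static uint16_t rd_u16(reader_t *r) { uint16_t lo = rd_u8(r), hi = rd_u8(r); return (uint16_t)(lo | (hi << 8)); }
static uint32_t rd_u32(reader_t *r) { uint32_t lo = rd_u16(r), hi = rd_u16(r); return lo | (hi << 16); }

/* read_string is assumed to be a u16 length prefix followed by the bytes. */
static void rd_str(reader_t *r, char *out, size_t cap)
{
    uint16_t n = rd_u16(r);
    out[0] = '\0';
    if (!rd_need(r, n) || (size_t)n + 1 > cap) { r->err = 1; return; }
    memcpy(out, r->p + r->pos, n);
    out[n] = '\0';
    r->pos += n;
}

typedef struct {
    uint8_t  packet_type, preview_state;
    uint16_t client_type, protocol_version, content_revision;
    uint32_t client_version;
    uint32_t xtea_key[4];
    char     token[64], character[64];
} login_t;

/* Fields in the order the C# snippet reads them. The 128-byte block is taken
 * as already RSA-decrypted; that step is not performed here. */
int parse_login(const uint8_t *buf, size_t len, login_t *out)
{
    reader_t r = { buf, len, 0, 0 };
    memset(out, 0, sizeof *out);
    out->packet_type      = rd_u8(&r);
    out->client_type      = rd_u16(&r);
    out->protocol_version = rd_u16(&r);
    out->client_version   = rd_u32(&r);
    out->content_revision = rd_u16(&r);
    out->preview_state    = rd_u8(&r);
    if (!rd_need(&r, RSA_BLOCK_LEN)) return LOGIN_TRUNCATED;

    reader_t b = { buf + r.pos, RSA_BLOCK_LEN, 0, 0 };   /* never read outside the block */
    if (rd_u8(&b) != 1) return LOGIN_BAD_RSA;            /* the snippet's "Invalid RSA" check */
    for (int i = 0; i < 4; i++) out->xtea_key[i] = rd_u32(&b);
    (void)rd_u8(&b);                                     /* the byte the snippet skips */
    rd_str(&b, out->token, sizeof out->token);
    rd_str(&b, out->character, sizeof out->character);
    return b.err ? LOGIN_TRUNCATED : LOGIN_OK;
}

/* Constructed sample (every value invented for the demo); returns its length. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t header[] = {
        0x0A,                   /* packet type */
        0x02, 0x00,             /* client type */
        0x4C, 0x04,             /* protocol version 1100 */
        0xC0, 0xD8, 0xA7, 0x00, /* client version 11000000 */
        0x01, 0x00,             /* content revision */
        0x00                    /* preview state */
    };
    static const uint8_t block[] = {
        0x01,                                           /* marker: must be 1 after decryption */
        0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22,
        0x33, 0x33, 0x33, 0x33, 0x44, 0x44, 0x44, 0x44, /* xtea_key[0..3] */
        0x00,                                           /* skipped byte */
        0x03, 0x00, 't', 'o', 'k',                      /* token */
        0x03, 0x00, 'B', 'o', 'b'                       /* character name */
    };
    size_t total = sizeof header + RSA_BLOCK_LEN;
    if (cap < total) return 0;
    memset(buf, 0, total);                              /* zero padding completes the 128 bytes */
    memcpy(buf, header, sizeof header);
    memcpy(buf + sizeof header, block, sizeof block);
    return total;
}

/* Parses the sample plus two failure cases; returns 1 when all expectations hold. */
int login_self_check(void)
{
    uint8_t buf[256];
    login_t l;
    size_t n = build_sample(buf, sizeof buf);
    if (n != 12 + RSA_BLOCK_LEN || parse_login(buf, n, &l) != LOGIN_OK) return 0;
    if (l.protocol_version != 1100 || l.client_version != 11000000u) return 0;
    if (l.xtea_key[0] != 0x11111111u || l.xtea_key[3] != 0x44444444u) return 0;
    if (strcmp(l.token, "tok") != 0 || strcmp(l.character, "Bob") != 0) return 0;
    if (parse_login(buf, 20, &l) != LOGIN_TRUNCATED) return 0;   /* header present, block cut off */
    buf[12] = 0x02;                                              /* corrupt the marker byte */
    return parse_login(buf, n, &l) == LOGIN_BAD_RSA;
}
```

Calling login_self_check() runs the parser over the constructed packet and over a truncated copy and a copy with a wrong marker byte; a parser that sits in front of network input should fail closed on both of those rather than read whatever happens to follow the buffer.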

blackd
10-20-2016, 16:09
Yes, however you can't decipher it directly on real servers because the private RSA key of CipSoft is unknown.
The only solution would be doing a small modification to the client so it uses OT server RSA keys; then you can decipher using the OT server private key and then cipher again using CipSoft's public RSA key.

If you know where the XTEA key is in memory, then you can skip the whole RSA part.

Ashwalker
10-24-2016, 13:46
The only solution would be doing a small modification to the client

What about modifying it inside login packet?

blackd
10-24-2016, 23:52
In order to modify that initial login packet you would need to modify the RSA key in the first place. It requires a modification to the client executable -or- launching the client in a frozen state, modifying it in memory and then unfreezing it.

There is no way to modify an encrypted packet unless you are able to decipher it and cipher it again after that.
That is, you can only modify packets while they are not encrypted.