Additional Information - Printable Version

+- The Bytecode Club - Reverse Engineering Forum (https://the.bytecode.club)
+-- Forum: Lobby (https://the.bytecode.club/forumdisplay.php?fid=1)
+--- Forum: Game Cheating, Botting & Reverse Engineering (https://the.bytecode.club/forumdisplay.php?fid=97)
+--- Thread: Additional Information (/showthread.php?tid=475)

Additional Information - Cafebabe - 01-29-2015

I am finally starting to reverse engineer this client and it has been quite fun so far.

As mentioned in the other thread, the b.o class handles the encryption/decryption, and if you apply the string decryption method you get the following:

Code:
Class: b.o

As you can see, it is using AES encryption and AES/CBC/PKCS5Padding for the cipher stream. The values in z[0] and z[3] are really what interest me, so I started working on them and I got them figured out:

z[3] = IvParameterSpec after DatatypeConverter.parseHexBinary (so z[3] is the IV for the AES decryption and is encoded with HexBinary as well.)
z[0] = SecretKeySpec, this is the key for AES after DatatypeConverter.parseHexBinary (so z[0] is the actual key for the AES decryption; it is just encoded with a HexBinary sequence)

Basically, to reproduce the information:

Code:
// Cipher.init() returns void, so keep the Cipher in a variable before initialising it.
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(DatatypeConverter.parseHexBinary("CB13370FDC5197B54FA4D269D5A80ACD"), "AES"), new IvParameterSpec(DatatypeConverter.parseHexBinary("747DA8F0024ABFE26AA49B6C3285CC47")));

Upon further inspection of the code, I have learned that they are using Pack200 [java.util.jar packer] to unpack the jar file:

Code:
// data is the input stream, jarOutputStream is a JarOutputStream
Pack200.newUnpacker().unpack(new GZIPInputStream(data), jarOutputStream);

Code:
private static byte[] b(String s, byte abyte0[])

I will keep working on this and see what else I can do. I will start working on dumping the actual jar from memory and hopefully I can find the method that will load the cache.

RE: Additional Information - Konloch - 01-29-2015

Good work on this! I'm currently messing with an 8BitMMO cheat client, so once I get bored with that I'll go back to toying with eldevin.

RE: Additional Information - Cafebabe - 01-29-2015

(01-29-2015, 10:02 AM)Konloch Wrote: Good work on this! I'm currently messing with an 8BitMMO cheat client, so once I get bored with that I'll go back to toying with eldevin.

Boo, just work on eldevin. I am 40% of the way through the cache.

RE: Additional Information - Konloch - 01-30-2015

(01-29-2015, 12:35 PM)Cafebabe Wrote:
(01-29-2015, 10:02 AM)Konloch Wrote: Good work on this! I'm currently messing with an 8BitMMO cheat client, so once I get bored with that I'll go back to toying with eldevin.

Haha do you have a Skype? If so I've PMed you mine.
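
Added example, not part of the thread or of the client's code: the first post shows the cipher being built from one key and one IV held as string constants, and this Java program shows what reusing a single IV under AES/CBC does to messages that begin with the same bytes. The key, IV and messages are constructed here and are not the values from the post.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class StaticIvDemo {
    // AES/CBC/PKCS5Padding, the same transformation named in the post.
    static byte[] encrypt(byte[] key, byte[] iv, String msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // CBC computes block 1 as E(key, iv XOR plaintext block 1), so it depends only on these three.
    static boolean sameFirstBlock(byte[] a, byte[] b) {
        return Arrays.equals(Arrays.copyOf(a, 16), Arrays.copyOf(b, 16));
    }

    static byte[] randomBytes(SecureRandom rng, int n) {
        byte[] out = new byte[n];
        rng.nextBytes(out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] key = randomBytes(rng, 16);      // constructed; stands in for a key constant
        byte[] fixedIv = randomBytes(rng, 16);  // constructed; stands in for an IV constant

        // Constructed messages that share their first 16 bytes.
        String m1 = "FILE-HEADER-0001 first payload";
        String m2 = "FILE-HEADER-0001 second payload";

        boolean reusedIv = sameFirstBlock(encrypt(key, fixedIv, m1), encrypt(key, fixedIv, m2));
        boolean freshIv = sameFirstBlock(encrypt(key, randomBytes(rng, 16), m1),
                                         encrypt(key, randomBytes(rng, 16), m2));

        System.out.println("same IV reused, first blocks equal: " + reusedIv);
        System.out.println("fresh IV each message, first blocks equal: " + freshIv);
    }
}
```

A per-message random IV is sent alongside the ciphertext; it does not need to be secret, only unpredictable.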