Cafebabe   01-29-2015, 07:11 AM
#1
I am finally starting to reverse engineering this client and it has been quite fun so far Smile

As mentioned in the other thread b.o class handles the encryption/decryption and if you apply the string decryption method you get the following:

Code:
Class: b.o z[0] = CB13370FDC5197B54FA4D269D5A80ACD z[1] = AES/CBC/PKCS5Padding z[2] = AES z[3] = 747DA8F0024ABFE26AA49B6C3285CC47 z[4] = native z[5] = file z[6] = lib z[7] = .class

As you can see it is using AES encryption and AES/CBC/PKCS5Padding for the cipher stream. The values in z[0] and z[3] is really what interests me so i started working on them and i got them figured out:

z[3] = IvParameterSpec after DatatypeConverter.parseHexBinary (so z[3] is the IV for the aes decryption and is encoded with HexBinary as well.)
z[0] = SecretKeySpec this is the key for AES after DatatypeConverter.parseHexBinary (So z[0] is the actual key for the aes decryption it is just encoded with HexBinary sequence)

Basically to reproduce the information:
Code:
Cipher.getInstance("AES/CBC/PKCS5Padding").init(Cipher.DECRYPT_MODE, new SecretKeySpec(DatatypeConverter.parseHexBinary("CB13370FDC5197B54FA4D269D5A80ACD"), "AES"), new IvParameterSpec(DatatypeConverter.parseHexBinary("747DA8F0024ABFE26AA49B6C3285CC47")));
That is the Cipher stream you will use to decrypt the information.

Upon further inspection of the code i have learned that they are using Pack200 [java.util.jar packer] to unpack the jar file:
Code:
Pack200.newUnpacker().unpack(new GZipInputStream(data), JarOutputStream);

Code:
private static byte[] b(String s, byte abyte0[]) { byte abyte1[]; byte abyte2[]; s = new d(s.getBytes()); String s1; abyte1 = DatatypeConverter.parseHexBinary(s1 = z[3]); s.c(abyte1); abyte2 = DatatypeConverter.parseHexBinary(s1 = z[0]); s.c(abyte2); (s = Cipher.getInstance(z[1])).init(2, new SecretKeySpec(abyte2, z[2]), new IvParameterSpec(abyte1)); return s.doFinal(abyte0); JVM INSTR dup ; s; printStackTrace(); return null; }
This is the method in the b.o class that handles the decryption of information and where the information above comes from. Parameter abyte0[] is the encrypted information. abyte1 is the unencoded IV, abyte2 is the unencoded SecretKey.


I will keep working on this and see what else i can do. I will start working on dumping the actual jar from memory and hopefully i can find the method that will load the cache Smile.
Konloch   01-29-2015, 10:02 AM
#2
Good work on this! I'm currently messing with an 8BitMMO cheat client, so once I get bored with that I'll go back to toying with eldevin.
Cafebabe   01-29-2015, 12:35 PM
#3
(01-29-2015, 10:02 AM)Konloch Wrote: Good work on this! I'm currently messing with an 8BitMMO cheat client, so once I get bored with that I'll go back to toying with eldevin.

Boo, just work on eldevin Smile. I am 40% the way through the cache.
Konloch   01-30-2015, 09:06 AM
#4
(01-29-2015, 12:35 PM)Cafebabe Wrote:
(01-29-2015, 10:02 AM)Konloch Wrote: Good work on this! I'm currently messing with an 8BitMMO cheat client, so once I get bored with that I'll go back to toying with eldevin.

Boo, just work on eldevin Smile. I am 40% the way through the cache.

Haha do you have a Skype? If so I've PMed you mine.
  
Users browsing this thread: 2 Guest(s)
Konloch Software - Bytecode Viewer - Hack Log - Reverse Engineering Forum
Copyright © 2014-2026 The Bytecode Club. Powered By MyBB.
CC0 Unless Specified Otherwise.