ExplodyThingy Server Help Squatter
Age:37 Gender: Joined: Dec 15 2002 Posts: 528 Location: Washington DC Offline
Posted: Tue Jan 27, 2004 10:12 am
So go crack it. None of us have it. There are only two server platforms out there, and updating is not hard. It's done very easily and efficiently; updates do occur, after all. We're all aware of the details of the algs, we all know essentially how it functions, but none of us have cracked it, for want of motivation. So get to it and impress us all.
_________________
There are no stupid questions, but there are many inquisitive idiots.
Loot
Dr Brain> I hate clean air and clean water. I'm a member of Evil Conservative Industries
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 10:32 am
Quote: "we all know essentially how it functions"
So if you know how it works, the only thing you need is the key which it uses to encrypt.

To make it simple I will explain a simple algorithm here. The thing we know is that the server sends "10101010" as unencrypted data, the data and the key are combined using the XOR operation, and the result of the encryption is "01101001". Now I demonstrate how to get the key:
data (unencrypted) xor data (encrypted)
10101010
01101001
-----------
11000011
Now we know the key is "11000011", and if we get the next encrypted packet and we know the data in it is "00111001", then we know that it's something like "xxxxxxxx" unencrypted:
00111001
11000011
-----------
11111010
And we know that the next data packet is "11111010" unencrypted. And a 16-bit key shouldn't be too hard to crack.
And then we can calculate all the encrypted values of the data packets, so we don't need to decrypt them one by one because we already use the decrypted values in our decoding table.
And I know that the unencrypted value of the "encryption-key" packet from client to server is 0x0001, and then it gets the Type-Of-The-Key and then the Key-Itself and then the Client-Version. The last one should be set to 038 so that the server knows: "Ah - it's a Continuum 38 client!"
And for the CHECKSUMS we need, we only have to add every single byte of the application file "subspace.exe" together. Finished!
Last edited by Qndre on Tue Jan 27, 2004 11:05 am, edited 1 time in total
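An added worked example (mine, not Qndre's or any SubSpace project's code) that runs the bit strings above through the plaintext XOR ciphertext = key step and then extends it to a key table that repeats every few bytes, the shape Smong sketches further down; the table and packet bytes are constructed.

```python
# Added worked example, not code from the thread or from any SubSpace project.
# Step 1: Qndre's bit-string demonstration, P ^ C = K, then C' ^ K = P'.
# Step 2: the same attack against a key table that repeats every few bytes.

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length strings of '0'/'1' characters."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def recover_key(plaintext: str, ciphertext: str) -> str:
    """If ciphertext = plaintext XOR key, then plaintext XOR ciphertext = key."""
    return xor_bits(plaintext, ciphertext)

def decrypt(ciphertext: str, key: str) -> str:
    """XOR is its own inverse, so the recovered key reads every later packet."""
    return xor_bits(ciphertext, key)

def xor_table(data: bytes, table: bytes) -> bytes:
    """Byte-level form of Smong's sketch: encdata[i] = data[i] ^ table[i % len(table)]."""
    return bytes(b ^ table[i % len(table)] for i, b in enumerate(data))

def recover_table(plain: bytes, cipher: bytes, table_len: int) -> bytes:
    """Recover a repeating key table from one known plaintext/ciphertext pair.
    One full period of known plaintext is enough: every packet encrypted with
    the same table afterwards is readable, which is why a fixed XOR key gives
    no confidentiality once any packet content is predictable."""
    if min(len(plain), len(cipher)) < table_len:
        raise ValueError("known plaintext must cover at least one full key period")
    return bytes(p ^ c for p, c in zip(plain[:table_len], cipher[:table_len]))

# Constructed sample values (hypothetical, not taken from any real client):
SECRET_TABLE = bytes([0xA5, 0x3C, 0x0F, 0x91])      # 4-byte repeating key, unknown to the observer
KNOWN_PLAIN = b"LOGIN 00"                            # packet whose content is predictable
KNOWN_CIPHER = xor_table(KNOWN_PLAIN, SECRET_TABLE)  # what the observer sees for it
NEXT_CIPHER = xor_table(b"POS 12,34", SECRET_TABLE)  # a later packet, content unknown to the observer

def demo() -> bytes:
    """Recover the table from the known pair, then read the later packet."""
    table = recover_table(KNOWN_PLAIN, KNOWN_CIPHER, len(SECRET_TABLE))
    return xor_table(NEXT_CIPHER, table)

if __name__ == "__main__":
    key = recover_key("10101010", "01101001")
    print(key, decrypt("00111001", key))   # 11000011 11111010
    print(demo())                           # b'POS 12,34'
```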
ExplodyThingy Server Help Squatter
Age:37 Gender: Joined: Dec 15 2002 Posts: 528 Location: Washington DC Offline
Posted: Tue Jan 27, 2004 10:39 am
Don't yell at me you miserable fuck. Looks like you're smarter than me, and know more about what you're doing. So I guess I'll just stop posting here. Maybe you should go and figure it out. When you've got a client connecting and making the server think you're Continuum, come back, I'll give you a cookie.
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 10:41 am
You will get the complete algorithm if I've put the information together.
Guest
Offline
Posted: Tue Jan 27, 2004 11:03 am
Now I know how the algorithm works: Quote: "The client sends the request for the key to the server. The server gives the client the key (the server uses a random but unique key), and all data which is sent from the client to the server or from the server to the client is en-/decrypted using the XOR operation and the key."
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 11:08 am
Quote: "You miserable fuck. Looks like you're smarter than me, and know more about what you're doing."
I don't know if I am smarter than you because I don't really know you, and I've never said anything like that and wouldn't even say anything like that even if it was true. I only wanted to get some extra information about Continuum. After the first replies (with the link to Explody-Thingy's server site) I knew enough to build a full client like Continuum38 is today. I'll shut up now if you don't want to hear how it works... and I don't think you really want to, because if you talk to me in this way you can't be really interested in my work. See you later. I won't tell you.
Last edited by Qndre on Tue Jan 27, 2004 12:06 pm, edited 1 time in total
Smong Server Help Squatter
Joined: 1043048991 Posts: 0x91E Offline
Posted: Tue Jan 27, 2004 11:20 am
Shanky-Server/Continuum server, what are they? shanky.com/server is just a place to download the latest server.zip. The current server is subgame2; it has been edited to work with fix.dll, which contains all the anti-cheat stuff and new features since 134.
What you have written looks suspiciously like one of catid's docs, but re-phrased. And anyone writing encryption wouldn't do a simple XOR, they would throw some other tweaks in there as well.
As for no one knowing the workings of ctm encryption, no comment, if too much attention is drawn, it is not hard to change it. Don't cry wolf. Don't spoil a good game people have put lots of their free time into.
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 12:00 pm
Hi Smong. The "shanky-server" is a software package. It includes the "subbill.exe" (Subspace Billing Server), the "subgame2.exe" and all its components (Subgame 2), an LVZ toolkit ("buildlev.exe") and the latest version of the MERVbot ("mervbot.exe").
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 12:02 pm
Smong wrote: "And anyone writing encryption wouldn't do a simple XOR, they would throw some other tweaks in there as well."
Every good encryption works with XOR statements. Even the almost-uncrackable MD5 (128-bit hashing - used for password encryption) works with XOR. It takes the data and rotates the next byte just one bit more to the left and then XORs them all and finally XORs with a constant.
Smong Server Help Squatter
Joined: 1043048991 Posts: 0x91E Offline
Posted: Tue Jan 27, 2004 12:14 pm
Is English your first language? You seem to be having difficulty understanding what is written before you. I said "simple XOR". I hardly think encdata[i] = data[i] ^ table[(i++)%sizeof(table)]; for "almost-uncrackable MD5".
I just went to shanky.com/server and could not locate this elusive "shanky-server" package. I did however download server.zip, only to find the only new thing in there since I last checked is tracert.exe. I even dug around SSDL, nothing like "shanky-server" there.
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 12:19 pm
server.zip IS a part of the Shanky-Server. Just download the MERVbot and the LVZ toolkit, too, and you have the package which is called "shanky-server" (for example if they talk about it in the Zone DSB). It is no special file. Just download all the components and you have a "shanky-server". If you talk to someone, saying "I've got a shanky-server" is much quicker than saying: "I've got the subbill.exe and the subgame2 server and the MERVbot and the LVZ toolkit running on my server." Because this is a very common server configuration it's called "shanky-server", so that you don't have to list the components every time. That's all.

About my English: I am from Germany, sorry.
Last edited by Qndre on Tue Jan 27, 2004 12:24 pm, edited 1 time in total
50% Packetloss Server Help Squatter
Age:39 Gender: Joined: Sep 09 2003 Posts: 561 Location: Santa Clarita, California Offline
Posted: Tue Jan 27, 2004 12:23 pm
<3
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 12:27 pm
I should reply to an empty reply?
*joke-around*

PS: Creating a full Continuum38-like client won't be simple. That's for sure. But it's possible. And even if no one else has cracked the encryption yet, someone has to be the first.
nintendo64 Seasoned Helper
Age:38 Gender: Joined: Dec 01 2002 Posts: 104 Location: Dominican Republic Offline
Posted: Tue Jan 27, 2004 12:37 pm
I will say this much, Continuum encryption has been cracked in the past (versions 0.35, 0.36 and 0.37), but I doubt you will crack it; maybe if you showed some more code and talked a little less. You should take the advice I posted up.
When Coconut Emulator cracked the SS encryption he didn't say it on a board and he didn't even say he would. Why? Because he wasn't sure he could do it. Now, SS encryption is not that hard (it was a scheme with a 4-byte key, that's why there was some extra security like the Position Checksum and the Security Checksums), but CTM is another case.
Here is a sample of the CTM Login Sequence.
Note the 00 01 Core Packet.
After this everything becomes blurry, even packet headers are encrypted.
0000 00 01 4F DA 77 97 11 00 ..O.w...
0000 00 10 00 00 DA 7F A9 6F BA EA 01 00 .......o....
0000 00 11 00 00 DA 7F 01 00 ........
0000 5C 14 BC 78 85 F6 74 EA \..x..t.
0000 7F 63 30 .c0
You catch what I mean?
-nintendo64
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 12:42 pm
Yes, I will shut up and tell you when I've done it.
nintendo64 wrote: "Note the 00 01 Core Packet.
0000 00 01 4F DA 77 97 11 00 ..O.w..."
If I knew a bit more about network protocols...
Smong Server Help Squatter
Joined: 1043048991 Posts: 0x91E Offline
Posted: Tue Jan 27, 2004 12:59 pm Post subject: Re: Spectate-Only-Client
Qndre wrote: "I can understand if the server sends 010111010100010011101010000101101010101000010101110101111010001011010 this means "the bomb level 2 is fired with 200 pixels/second speed and proximity bombs into direction with 45°"
Taken out of context a bit ... heh
Guest
Offline
Posted: Tue Jan 27, 2004 1:01 pm
*laugh*
It was just an example.
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 1:16 pm
Quote: "even packet headers are encrypted"
How can you see that the headers of the packets are encrypted? I only see a hash of hex numbers on my screen. I tried to track the login sequence of the C38 client but I don't know much about networking protocols. And if I can't decrypt the Continuum packets, how can I generate a VIE checksum to write a VIE client? Quote: "open sourced everywhere" (searched Google for "VIE Checksum" or "VIE Source Code" or "Subspace Source Code" or "VIE Subspace Source Code" - not the wanted results) And if I was able to fake VIE checksums... Will this client still be able to use features of Continuum (like LVZ, for example) or will the server act like "this is no Continuum client so it doesn't need the LVZ"?
ExplodyThingy Server Help Squatter
Age:37 Gender: Joined: Dec 15 2002 Posts: 528 Location: Washington DC Offline
Posted: Tue Jan 27, 2004 2:00 pm
The VIE Client itself is not open source. But there are many bots that use the VIE scheme, as I posted earlier. I don't think you quite understand that VIE used a different system than what is now in use in Continuum. When n64 said that the packet headers are encrypted, he meant the first bytes, the ones that signify what type of packet it is. This would be the hex value at the very start, and you can see these in the doc I provided you.
In all of the bots there is a fully functioning VIE checksum ripoff; this does the checksums against a VIE client. However, Continuum is not subspace.exe. Also in all of these bots is the entire encryption method, so start from there.
All clients that login fully will receive the object control data, and other "recently" added data. Older clients simply discard them or throw some kind of error. You can see this because bots can receive object data even though they are on an older encryption.
Guest
Offline
Posted: Tue Jan 27, 2004 2:49 pm
ExplodyThingy wrote: "All clients that login fully will receive the object control data, and other "recently" added data. Older clients simply discard them or throw some kind of error. You can see this because bots can receive object data even though they are on an older encryption."
So I can log in to a Continuum zone with the VIE client. But how does the VIE encryption work? And WHY do they ENCRYPT game data??
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 2:50 pm
Thanks ExplodyThingy - the most important parts:
Quote: "There are some ways to disable encryption:
Send a KK field of 0. 00 01 00 00 00 00 01 00
The server must respond with a NULL key (no encryption).
Custom SubSpace stacks may ignore this.
Encryption may be disabled server-side if the key you send
is the same as the key you get back."
Quote: "This method of encryption is very weak...
If you know PLAINTEXT
then PLAINTEXT ^ CIPHERTEXT = SECRETKEY. (^ = xor) In short, do not trust any
personal data on a logged connection to SubSpace."
Quote: "Continuum key exchange:
00 10 - Server keys
00 10 <Key1(4)> <Key2(4)>
00 11 - Client acknowledgement
00 11 <Key1(4)>"
Quote: "-=Security checksums=-
These have been hacked for SubSpace. You may find pretty C++ classes that do the nitty-gritty in
MERVBot's encrypt.cpp and checksum.cpp files."
Thanks to ExplodyThingy
Smong Server Help Squatter
Joined: 1043048991 Posts: 0x91E Offline
Posted: Tue Jan 27, 2004 3:18 pm
You yourself said encryption was a simple XOR, isn't that how VIE-enc works?
Stuff is encrypted so that people cannot play through a proxy that conveniently inserts packets on certain keystrokes, for example requesting all the flags.
I think there are 3 server options regarding VIE-enc: either allow it to connect and play, allow it to connect but spec only, or disallow the client from entering the zone completely.
If you happened to be on the VIP then I think you can use any encryption, but you must return correct checksums still. I read somewhere that the recent server releases no longer support 'no encryption', unlike the subgame.exe found on the SS CD (available at SSDL). When I was making my bot I used the old server as I didn't want to mess with encryption. Another thing is the reliable packet stack, cluster packets and chunked packets; those can be just as hard to clone as encryption.
Qndre Server Help Squatter
Gender: Joined: Jan 25 2004 Posts: 295 Offline
Posted: Tue Jan 27, 2004 3:27 pm
No one in this forum has to argue about whether I've got enough skills to do it or not. I also don't know. I want to try, so I'll try. At the moment I am very busy, so I'll begin this project on the weekend. I'll start simple. Create a VIE session on my own shanky-server and destroy it. Then I can try to download the LVL and convert it to an image,... I'll try it step by step. Then I'll see if there are any problems. (I expect there are, because there always are problems if you're writing a program.) Thank you all very much.
Quote: "You must return correct checksums still. Another thing is the reliable packet stack, cluster packets and chunked packets, those can be just as hard to clone as encryption."
How can I generate these checksums? Out of the file "subspace.exe"? What's a "reliable packet stack"? I know what "clustered packets" are, but what are "chunked packets"? Isn't it the same?
Last edited by Qndre on Wed Jan 28, 2004 6:57 am, edited 1 time in total
Mine GO BOOM Hunch Hunch What What
Age:40 Gender: Joined: Aug 01 2002 Posts: 3614 Location: Las Vegas Offline
Posted: Tue Jan 27, 2004 3:42 pm
There is only one emoticon which can express what I feel when I'm reading this thread:
[attachment: rollbarf.gif]