ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax
PostPosted: Sat Oct 08, 2022 3:23 am 

Joined: Mon Oct 09, 2017 11:13 pm
Posts: 16
I am looking for a method that allows me to read Yu-Gi-Oh! Cross Duel's traffic in plaintext format. I'll link 1 example of encrypted traffic at the bottom of this post, for reference. Ideally, you would produce a way, show me an example of some plaintext traffic you get, then I would ask you to go through a couple of scenarios to confirm your method is working, and then I'd pay and you'd give me the method.

I prefer Paypal for payment, but if you can't use it, I'll see what we can do.

If you need further information/resources to help you produce the script, PM me here and I'll see what I can provide. I can also produce more examples of encrypted traffic for you to work with, if it helps.

--------------------------
Some background info:

Konami has another app that's relevant here: Yu-Gi-Oh! Duel Links. It's been around for a while, and it used to have unencrypted traffic. After a certain update, Duel Links started using encrypted traffic (using lz4 compression, and I think a character offset?). I previously hired someone on Zenhax to produce a usable Python script to decrypt this traffic into comprehensible text. This worked for a few years, but then another update was released that rendered the traffic unreadable for me - Duel Links probably uses different encryption as a result of that update.

I believe Cross Duel uses the same new encryption that the first app currently uses. The reason I think this? I've been using Charles Proxy to read the apps' traffic; currently, Charles can only decipher bits of text from the apps' traffic, and both of them share certain unique, key text in common, which Duel Links never had in its traffic until the most recent update.

Why is this background info relevant? It's just a possibility that maybe lz4 compression is involved here, and/or a character offset. I'm unsure.

------------------------------------------------------------------------------------------------------------------

Encrypted traffic example: Pastebin link
* This data was output by Charles Proxy. If you scroll down to line 772 in Pastebin (or line 00003030 in the data), you'll see I have the hex data by itself, in a 2nd section. The only reason I kept the first section, is because Charles Proxy partially deciphers some of the encryption, which you can see in the right column.

If decrypted successfully, there will probably be a section that has a list of various numbers, whose values can range from 4000 to more than 10000 (but never reaching 20000). The list will probably consist of 20 numbers (possibly with very small subsections / accompanying data). And I think there might be at least 4 of these lists in this particular example.
It is also possible that those numbers will actually be names instead, in which case, there would be lists with 20 names.

_________________
If I'm absent and don't respond to a message here, I can be found on Yugipedia, where you can leave a message to refer me back to here.


Last edited by UltimateKuriboh on Wed Oct 12, 2022 2:50 am, edited 3 times in total.

PostPosted: Sun Oct 09, 2022 1:04 am 

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 247
Do you need to actually implement the encryption yourself? Or are you just solely interested in the decrypted traffic?

Does this target have a means of anti-cheat or protection? (Is the main game exe/dll packed or protected at all?)

If you don't need to manually decrypt the traffic for any reason, then it can oftentimes be better to just hook onto the game's functions that handle the encryption/decryption and dump the data then. (This can also give you a point of entry to inject packets and alter data.)

For client to server packets, you would want to hook onto the client just before it compresses/encrypts the data.
For server to client packets, you would want to hook onto the client after it decompresses/decrypts the data and before it's handled by any packet handlers.

_________________
My personal site: http://atom0s.com
Donations can be made via Paypal: Click Here


PostPosted: Sun Oct 09, 2022 5:52 am 

Joined: Mon Oct 09, 2017 11:13 pm
Posts: 16
atom0s wrote:
Do you need to actually implement the encryption yourself? Or are you just solely interested in the decrypted traffic?


I am solely interested in the decrypted traffic. If there are other methods that I can use to understand the traffic (without needing to ask another person each time), that'd be fine with me. Although being able to modify the traffic would be a major plus.

atom0s wrote:
Does this target have a means of anti-cheat or protection? (Is the main game exe/dll packed or protected at all?)


I'm clueless. Um, as far as I know, there aren't any measures implemented to push back on illegal modding - in the first app, the developers only crack down on individual players if they enter PvP with those mods. If you tweak a certain value, you don't need to do anything else; the change is reflected in-game. (Though there are some things that are impossible to change, such as a player's personal assets - you can't grant yourself free currency, but you can temporarily change your assets during each game). In the past, I've been able to change some game settings by editing the traffic directly via the Fiddler app (but not too much, as the data was still compressed and the game spat out corrupted null values if you changed too many values). I think the only barrier is reaching into the app and making the changes yourself. Though it's possible things may have changed since I've last done this.

Note: Apparently 1 cheat engine (for the first app) uses a "DLL injection", but this cheat engine only exists for the Steam platform. The owner told me that it has 0 protections at all.

atom0s wrote:
If you don't need to manually decrypt the traffic for any reason, then it can oftentimes be better to just hook onto the game's functions that handle the encryption/decryption and dump the data then. (This can also give you a point of entry to inject packets and alter data.)

For client to server packets, you would want to hook onto the client just before it compresses/encrypts the data.
For server to client packets, you would want to hook onto the client after it decompresses/decrypts the data and before it's handled by any packet handlers.


I don't have the know-how to do that sort of thing myself. If you do, I would really appreciate it if you could help. I'm adaptable.

There's no time-limit on this request, but if it could be fulfilled in under 2 weeks from this post, that'd be very convenient for me.

P.S. At least with the method of manually decrypting traffic, I didn't need to update anything - it took years for a change to actually affect my method. However with that 1 cheat engine for Steam, I see it constantly needing updates each time the app's version updates, so I hope any alternative traffic-understanding method wouldn't require similar constant updates.

_________________
If I'm absent and don't respond to a message here, I can be found on Yugipedia, where you can leave a message to refer me back to here.


Last edited by UltimateKuriboh on Sun Oct 09, 2022 4:00 pm, edited 1 time in total.

PostPosted: Sun Oct 09, 2022 12:53 pm 

Joined: Fri Sep 16, 2022 8:34 am
Posts: 2
The example traffic you posted looks like a TLS session.

If a 3rd party could decrypt it from a transcript of a session, it would mean all of e-commerce and online banking are fundamentally broken.
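To see how one can tell a TLS session apart from a custom compression/XOR scheme in a hex dump, here is an added example (not code from the thread): it walks the TLS record-layer headers of a constructed byte string and reports what it finds. If a capture parses as TLS records, the plaintext can only be recovered with the session keys (e.g. from a proxy the client trusts), not by decoding the transcript after the fact.

```python
# Added example: classify a captured byte stream by its TLS record-layer headers.
# Sample bytes below are constructed for the demo, not taken from the thread.
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2 (also the TLS1.3 record layer)"}
MAX_RECORD = 2 ** 14 + 2048  # largest ciphertext fragment TLS 1.2 allows


def parse_tls_records(data: bytes):
    """Return one dict per TLS record (type, version, length), or None as soon
    as a 5-byte header does not look like TLS. A truncated last record is
    skipped rather than treated as non-TLS, since captures often end mid-record."""
    records = []
    pos = 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if ctype not in CONTENT_TYPES or version not in VERSIONS or length > MAX_RECORD:
            return None
        if pos + 5 + length > len(data):
            break
        body = data[pos + 5:pos + 5 + length]
        rec = {"type": CONTENT_TYPES[ctype], "version": VERSIONS[version], "length": length}
        # Handshake message type 1 = ClientHello; it is still readable because
        # the handshake starts before any keys are negotiated.
        if ctype == 22 and body[:1] == b"\x01":
            rec["handshake"] = "client_hello"
        records.append(rec)
        pos += 5 + length
    return records


def looks_like_tls(data: bytes) -> bool:
    """A session capture should open with a handshake record (the ClientHello)."""
    recs = parse_tls_records(data)
    return bool(recs) and recs[0]["type"] == "handshake"


# Constructed sample: a 6-byte ClientHello stub followed by 4 bytes of application data.
SAMPLE_TLS = (b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02\x03\x03"
              + b"\x17\x03\x03\x00\x04" + b"\xde\xad\xbe\xef")
SAMPLE_PLAIN = b"Hello world!"  # constructed non-TLS bytes for comparison

if __name__ == "__main__":
    for r in parse_tls_records(SAMPLE_TLS) or []:
        print(r)
    print("TLS?", looks_like_tls(SAMPLE_TLS), looks_like_tls(SAMPLE_PLAIN))
```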


PostPosted: Wed Oct 12, 2022 2:46 am 

Joined: Mon Oct 09, 2017 11:13 pm
Posts: 16
I edited the topic title and the first paragraph in my post. The app is Yu-Gi-Oh! Cross Duel, and I don't care about the method used to produce readable plaintext results, so long as it is reliable and re-usable. But, I do use Android, so I'd prefer a method that doesn't involve Apple.

Please let me know if there is a viable way(s) to fulfill my request, and then we can go from there.

Warning: Yu-Gi-Oh! Cross Duel has some high-tech phone requirements, so you may not be able to install it. Here's a link to the APK, but I don't know if that'll work as a sufficient workaround. It'll possibly work if:
  1. you download the latest version of Bluestacks, an Android emulator
  2. launch the Bluestacks Multi-Instance Manager from the desktop
  3. at the bottom of the program, click the "Instance" button and click "fresh instance"
  4. select Pie 64-bit (beta)
  5. the game will run slowly, but it should work at least

P.S. Maybe attempting this with Yu-Gi-Oh! Duel Links would be better, as it does not have high-end phone requirements, and I believe it is very similar to Cross Duel in how it handles its traffic.

_________________
If I'm absent and don't respond to a message here, I can be found on Yugipedia, where you can leave a message to refer me back to here.

