Warrock XOR Keys

Discussion on Warrock XOR Keys within the WarRock forum part of the Shooter category.

Old   #1
 
elite*gold: 0
Join Date: Mar 2016
Posts: 67
Received Thanks: 2
Warrock XOR Keys

Where can I find the latest warrock XOR Keys? Do I need to use WireShark? Any info would be great, thanks!
SosaMan is offline  
Old 03/12/2022, 21:05   #2
 
elite*gold: 0
Join Date: Nov 2021
Posts: 36
Received Thanks: 0
Xor means if you know the original key, you can get the latest key. Just xor the last received byte with 0x0A and you'll get the xor key of that specific packet.
qhuongli is offline  
Old 03/12/2022, 22:25   #3
 
elite*gold: 0
Join Date: Mar 2016
Posts: 67
Received Thanks: 2
Quote:
Originally Posted by qhuongli View Post
Xor means if you know the original key, you can get the latest key. Just xor the last received byte with 0x0A and you'll get the xor key of that specific packet.
Could you perhaps explain with a simple example? Like what exactly is the last byte of the packet, and how do you XOR it with 0x0A? (I find basic XOR encryption/decryption but not specifically what you say.)

Taiga on *forum* explained it like this:
Quote:
byte xorKey = (byte)(packetBuffer[packetBuffer.Length - 1] ^ 0x0A);
However, I don't exactly know how to work this out in practice.

Thanks!
SosaMan is offline  
Old 03/12/2022, 22:50   #4
 
elite*gold: 0
Join Date: Nov 2021
Posts: 36
Received Thanks: 0
The WarRock packet structure is a string that is encrypted by a XOR cipher, but since private servers were created nonstop they are forced to change the structure. As we know, keys are always the same for the login server. But in the newer versions of WarRock the keys of the game server change every update.

The packet itself is a string that has all the data concatenated by a character. Every packet ends with an end line character (0xA). You should decode the packet immediately when you receive any data and split it by the end line character. Once you have done that, you can parse the packet by separating it into blocks by splitting the packet on its spaces.

An example packet sent by the server to the launcher:
1234567 4112 0 25 40 100 0 0

The first data block is the time stamp of the packet, this one is used to indicate when the packet was sent by the client. The value of this packet is the amount of ticks since the computer has been started.

1234567 4112 0 25 40 100 0 0
The second block indicates the packet (ID) to tell the server what the rest of the data is. Packets can only contain an ID to ask the server for a certain response. It's easier to remember the packet IDs if you convert them to hexadecimal.

1234567 4112 0 25 40 100 0 0

All the other data blocks are data for the client or server.
1234567 4112 0 25 40 100 0 0

Start of a new connection

Every connection of all the servers starts with a basic handshake. The server sends out the packet 4608 (0x1200) with a random integer that has a length of 8 numbers as data block. The client responds with its next packet after this packet was received.

I'll remove the time stamp from the packets since it isn't important and makes it easier to read the packets.

4608 50039730

Hope it helps.
qhuongli is offline  
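
Added example (not part of qhuongli's post or of any WarRock code): the legacy format described above, decoded in Python, showing that a one-byte XOR over text with a known 0x0A terminator leaks its key from the last byte of any complete buffer. The key 0x5A, the second packet's timestamp and all function names are constructed for illustration; the block values are the ones quoted in the post.

```python
# Added example. CONSTRUCTED_KEY and the sample traffic are constructed test data.
TERMINATOR = 0x0A          # line feed that ends every packet, per the post
CONSTRUCTED_KEY = 0x5A     # arbitrary key for the demo, not a real game key

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (same operation encodes and decodes)."""
    return bytes(b ^ key for b in data)

def recover_key(ciphertext: bytes) -> int:
    """Last ciphertext byte XOR the known terminator gives the key byte."""
    if not ciphertext:
        raise ValueError("empty buffer")
    return ciphertext[-1] ^ TERMINATOR

def parse_stream(ciphertext: bytes) -> list[dict]:
    """Decode a buffer, split on line feeds, then split each packet on spaces."""
    plain = xor_bytes(ciphertext, recover_key(ciphertext))
    packets = []
    for line in plain.split(b"\n"):
        if not line:
            continue  # empty tail after the final terminator
        blocks = line.decode("ascii").split(" ")  # non-ASCII raises ValueError
        if len(blocks) < 2 or not (blocks[0].isdigit() and blocks[1].isdigit()):
            # Happens when the buffer was cut mid-packet, so the last byte
            # was not the terminator and the recovered key is wrong.
            raise ValueError("buffer does not decode to the block format")
        packets.append({
            "timestamp": int(blocks[0]),
            "id": int(blocks[1]),
            "id_hex": hex(int(blocks[1])),
            "data": blocks[2:],
        })
    return packets

SAMPLE_PLAINTEXT = b"1234567 4112 0 25 40 100 0 0\n1234570 4608 50039730\n"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, CONSTRUCTED_KEY)

if __name__ == "__main__":
    print(hex(recover_key(SAMPLE_CIPHERTEXT)))
    for packet in parse_stream(SAMPLE_CIPHERTEXT):
        print(packet)
```

A buffer that ends mid-packet yields a wrong key and is rejected by the format check, which is why the key must be taken from a complete, terminator-ended read.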
Old 03/12/2022, 23:57   #5
 
elite*gold: 0
Join Date: Mar 2016
Posts: 67
Received Thanks: 2
Thank you very much for your detailed explanation, I will try to get a better understanding. We'll have a chat if you don't mind
SosaMan is offline  
Thanks
1 User
Old 03/13/2022, 02:05   #6
 
elite*gold: 0
Join Date: Nov 2021
Posts: 36
Received Thanks: 0
Beware of this guy. You have been warned!
qhuongli is offline  
Old 03/13/2022, 10:10   #7
 
elite*gold: 0
Join Date: Mar 2016
Posts: 67
Received Thanks: 2
Quote:
Originally Posted by qhuongli View Post
Beware of this guy. You have been warned!

I asked this guy for some proof of his work. Tries to ask me 50% in front without showing 1 working tool.

If I want to buy something from any of you I need to see some kind of working demo (through screenshare for example).
SosaMan is offline  
Old 03/13/2022, 14:04   #8
 
elite*gold: 0
Join Date: Mar 2014
Posts: 132
Received Thanks: 100
Quote:
Originally Posted by SosaMan View Post
Where can I find the latest warrock XOR Keys? Do I need to use WireShark? Any info would be great, thanks!

Actually, the packets on Port 10375 are not encrypted.
So you don't need any XOR-Key for them.
lllllllillllllllll is offline  
Old 03/13/2022, 17:42   #9
 
elite*gold: 0
Join Date: Mar 2016
Posts: 67
Received Thanks: 2
Quote:
Originally Posted by lllllllillllllllll View Post
Actually, the packets on Port 10375 are not encrypted.
So you don't need any XOR-Key for them.
I tried using the WR packet sniffer by phantom (I think) created back in 2014, and it only shows login server packets (as that XOR key doesn't change). It also allows me to enter 2 XOR keys for the game server (with the current XOR keys it's holding, it does not work).

When using Wireshark I can only see encrypted packets (as far as I know).

Could you elaborate on how to sniff those game server packets?
SosaMan is offline  
Old 03/14/2022, 21:19   #10
 
elite*gold: 0
Join Date: Nov 2020
Posts: 134
Received Thanks: 40
All packets are decrypted with Wireshark; use HxD to read them better.

Here is an example of a packet to create room khali 32 players bighead ghosts:
DE 64 00 00 00 73 05 00 45 56 45 4E 54 00 00 00 00 04 00 4E 55 4C 4C 04 00 00 00 17 00 00 00 00 00 00 00 FF FF FF FF 03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ED
bigheadwr is offline  
Old 03/15/2022, 19:54   #11
 
elite*gold: 0
Join Date: Mar 2016
Posts: 67
Received Thanks: 2
Quote:
Originally Posted by bigheadwr View Post
All packets are decrypted with Wireshark; use HxD to read them better.

Here is an example of a packet to create room khali 32 players bighead ghosts:
DE 64 00 00 00 73 05 00 45 56 45 4E 54 00 00 00 00 04 00 4E 55 4C 4C 04 00 00 00 17 00 00 00 00 00 00 00 FF FF FF FF 03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ED
The HxD editor gives me the same output as Wireshark (in text). Only public stuff like room names and usernames is visible, but other stuff looks encrypted to me.
SosaMan is offline  
Old 05/07/2022, 11:35   #12
 
elite*gold: 0
Join Date: Mar 2014
Posts: 132
Received Thanks: 100
Quote:
Originally Posted by SosaMan View Post
The HxD editor gives me the same output as Wireshark (in text). Only public stuff like room names and usernames is visible, but other stuff looks encrypted to me.
It's not, you just don't know how to read it I guess^^

It's binary... so read it in HEX.

Also notice it's little endian, not big endian..
lllllllillllllllll is offline  
Thanks
1 User
Old 05/10/2022, 21:27   #13
 
elite*gold: 0
Join Date: Nov 2020
Posts: 134
Received Thanks: 40
yup
bigheadwr is offline  
Old 05/21/2022, 19:15   #14
 
elite*gold: 0
Join Date: Mar 2016
Posts: 67
Received Thanks: 2
Quote:
Originally Posted by lllllllillllllllll View Post
It's not, you just don't know how to read it I guess^^

It's binary... so read it in HEX.

Also notice it's little endian, not big endian..
Can you explain reading it in HEX?
Like, in the end there's a way to get a text result, right?
I tried XOR'ing the last byte with 0x0A and I got 237 as a result. I tried to use this to decrypt the whole packet but that did not work (useless result).

Could you perhaps use one packet as an example and decrypt it? that would be great.
SosaMan is offline  
Old 05/25/2022, 18:22   #15
 
elite*gold: 0
Join Date: May 2022
Posts: 2
Received Thanks: 1
My old account is gone... somehow I cannot post images.

Warrock received an update on its networking a couple of months ago. It only applies to the gameservers; as far as I know, the loginserver XOR has not been changed (and still is 0x96 for sending, 0xC3 for receiving).

Warrock switched from ASCII 'blocks' to using serialized network packets. The content of the data, the order of the blocks, and the type of packets they used to send are still the same. Instead, 'raw' bytes are now sent, and not the ASCII representation.

An example:

I know this packet has id `24823` -> hex: `0x6100` aka le `00 61`


Timestamp (green) + packetid (red)


With some knowledge about the content of the packets (which you can learn from open-source private servers), the full packet can be reconstructed, and created to send a response:

Random tool built to easily decode packets

Clientless Bots
I have built a clientless bot or two for Warrock; recently I have tried to 'update' it for fun. To quickly get started I have used the structs library in Python to 'decode' the packets. Interpret them and send responses, all work fine... until you get kicked by the lack of an anticheat-heartbeat....

However, if someone knows a trick to delay the anticheat-heartbeat, a clientless bot can still be possible. Creating/joining a room (private with two bots, don't wanna bother anyone), starting, running and leaving the server could be done easily within < 20/30s.

I would be interested in trading working Invisible cheat code (nothing fancy, just serverpointer+magicoffset = magicvalue) for a trick/bug to delay the anticheat-heartbeat kick


Quick and dirty script emulating packets
DroomOne is offline  
Thanks
1 User