
update new key for 2.8 (kazuha memory and islandflash) #27

Merged (4 commits, Jul 20, 2022)

Conversation

phuchptty (Contributor)

Well, following the old way, the field is Unk2700_KHDDIJNOICK and it contains two packets inside: FinishedParentQuestNotify and FinishedParentQuestUpdateNotify.
I will try to update the other keys later, after I have finished the quests (maybe late).

@NctimeAza

Thank you a lot

@Unknow-404

Thanks a lot!!!

@ToaHartor (Owner)

Thanks a lot! I will keep this PR open until all the keys are found (otherwise some people could open issues saying that some of the new cinematics aren't correctly extracted).

Lately I haven't had much time to work on it (I was developing a tool which can automatically extract a key) and I got stuck on the seed exchange. Could you enlighten me on that part, since you managed to read the captures?

@phuchptty (Contributor, Author) commented Jul 19, 2022

> Thanks a lot! I will keep this PR open until all the keys are found (otherwise some people could open issues saying that some of the new cinematics aren't correctly extracted).
>
> Lately I haven't had much time to work on it (I was developing a tool which can automatically extract a key) and I got stuck on the seed exchange. Could you enlighten me on that part, since you managed to read the captures?

Since 2.7.50, HoYoverse has changed the packet encryption. A tool like Iridium doesn't work anymore, because the seed is saved on the mhy server.

I used the akebi-gc packet sniffer (very high-risk, because you need to disable mhyprot, which can cause a ban). I suggest buying/grabbing a new account and not using your main account.

Akebi works because it hooks directly into the game after the game decrypts the packet itself. I think we can find the key to decrypt somewhere inside the game assembly (like the pancake creator did before), but I cannot confirm it is there.

I had thought of another solution since I found a proxy: we can override GetPlayerTokenRsp to provide our own securityCmdBuffer and decrypt with our own secret key. We still need to patch the global metadata for the new signing key and disable mhyprot for the hash check. Still a very high-risk way.

@ToaHartor (Owner)

That's one way of doing it, but still very risky 👀. I hoped you were using some kind of Iridium without the patching stuff (brute-forcing the seed generation on the client side), so that it could give me a hint for my problem. But it's interesting to know that the patching method works live and not only for private servers.

@phuchptty (Contributor, Author) commented Jul 19, 2022

> That's one way of doing it, but still very risky 👀. I hoped you were using some kind of Iridium without the patching stuff (brute-forcing the seed generation on the client side), so that it could give me a hint for my problem. But it's interesting to know that the patching method works live and not only for private servers.

The client has the ability to encrypt & decrypt packets, so I think it must store the key somewhere in the source. I just don't know where; I'm not good at reverse engineering at all 😒

@phuchptty (Contributor, Author)

Finally done (the Fischl domain drove me crazy). @ToaHartor, you can merge it and close #26.

Btw, I found that shinshin's enka uses data that comes from game packets. I think they can decrypt them.

@ToaHartor (Owner)

Thank you very much!

And about Enka, if their engine acts like a dummy game client, then they can generate whichever client seed they want and therefore decrypt the rest of the packets.

@ToaHartor ToaHartor merged commit f829a98 into ToaHartor:main Jul 20, 2022
@ToaHartor (Owner)

> The client has the ability to encrypt & decrypt packets, so I think it must store the key somewhere in the source. I just don't know where; I'm not good at reverse engineering at all 😒

Basically, the first packet exchange is encrypted with the key generated from the Ec2b key of the region dispatch. Then, the client generates a seed which is encrypted with the RSA public key of the game servers, then receives from the server the second part of the seed. With those two seeds, the two sides can now generate the key that will be used to decrypt the following packets.

The login sequence and key generation aren't really secret, since all those "private" servers appeared on GitHub.

@phuchptty (Contributor, Author)

@ToaHartor I will comment here because it is related to the previous content. You can check out https://github.com/Sorapointa/MagicSniffer. It brute-forces the XOR key based on the original plaintext. You can visualize it with the Iridium frontend.
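The following is an added example, not code from this repository, from Iridium, from MagicSniffer or from any other tool named in the thread. It models two things the thread discusses: the two-seed exchange ToaHartor describes (client seed sealed with the servers' RSA public key, server seed returned, both sides expanding the pair into the key for later packets), and the known-plaintext recovery of a repeating XOR key that phuchptty points at in MagicSniffer. Everything concrete is an assumption chosen so the script runs offline: the toy RSA primes, the 4096-byte key length, XOR of the two seeds fed to a Mersenne Twister as the expansion step, the `\xca\xfe` packet magic and the packet layout of `build_packet`. The first-stage Ec2b/dispatch encryption is not modelled; the server seed is treated as already delivered.

```python
"""Model of a two-seed XOR-key handshake and known-plaintext key recovery.

Added example; every constant below is constructed for illustration and none
of it is taken from the game, the project, or the sniffers named in the thread.
"""
import random
from typing import Dict, List, Optional, Tuple

# Toy RSA key standing in for the game servers' public key. Mersenne primes are
# used only so that a 64-bit seed fits in one block; they are far too small to
# be secure and exist only to let the example run offline (assumption).
RSA_P, RSA_Q = (1 << 61) - 1, (1 << 31) - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

KEY_LEN = 4096  # assumed key-stream length; the thread does not state the real one


def rsa_encrypt(m: int) -> int:
    """Client side: seal the client seed with the servers' public key (textbook RSA, no padding)."""
    if not 0 <= m < RSA_N:
        raise ValueError("seed does not fit in one RSA block")
    return pow(m, RSA_E, RSA_N)


def rsa_decrypt(c: int) -> int:
    """Server side: recover the client seed with the private key."""
    return pow(c, RSA_D, RSA_N)


def derive_xor_key(client_seed: int, server_seed: int, length: int = KEY_LEN) -> bytes:
    """Combine both seeds and expand them into a byte key stream.

    Assumption: the XOR of the two seeds seeds a Mersenne Twister (Python's
    random.Random) whose output is the key. The real client's expansion may
    differ; only the shape of the scheme is taken from the thread.
    """
    rng = random.Random(client_seed ^ server_seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_packet(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt: every packet is XORed against the key starting at offset 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def handshake(client_seed: int, server_seed: int) -> Tuple[bytes, bytes]:
    """Run the exchange and return (client_key, server_key); the two must match."""
    sealed = rsa_encrypt(client_seed)              # client -> server, under the servers' public key
    seed_seen_by_server = rsa_decrypt(sealed)      # server unseals the client half
    server_key = derive_xor_key(seed_seen_by_server, server_seed)
    client_key = derive_xor_key(client_seed, server_seed)  # server -> client: its own seed (modelled as delivered)
    return client_key, server_key


def recover_key_bytes(captures: List[Tuple[bytes, bytes]]) -> Dict[int, int]:
    """Known-plaintext recovery: key[i] = ciphertext[i] ^ plaintext[i].

    Each capture is (ciphertext, known plaintext prefix). Because every packet
    is XORed from key offset 0, bytes recovered from different packets merge;
    a conflict means the packets were not under the same key.
    """
    known: Dict[int, int] = {}
    for ct, pt in captures:
        for i, (c, p) in enumerate(zip(ct, pt)):
            k = c ^ p
            if known.get(i, k) != k:
                raise ValueError(f"conflicting key byte at offset {i}")
            known[i] = k
    return known


def partial_decrypt(ct: bytes, known: Dict[int, int]) -> List[Optional[int]]:
    """Decrypt the bytes whose key offset is known; None marks bytes still unrecovered."""
    return [c ^ known[i] if i in known else None for i, c in enumerate(ct)]


# Constructed packet layout: 2-byte magic, 2-byte command id, 2-byte body length, body.
# An observer knows the magic and the id of a predictable packet without decrypting.
MAGIC = b"\xca\xfe"


def build_packet(cmd_id: int, body: bytes) -> bytes:
    return MAGIC + cmd_id.to_bytes(2, "big") + len(body).to_bytes(2, "big") + body


def demo() -> Tuple[bool, Dict[int, int], List[Optional[int]]]:
    """Handshake, capture two packets, recover key bytes from the predictable one."""
    client_key, server_key = handshake(0x0123456789ABCDEF, 0xFEDCBA9876543210)
    p1 = build_packet(0x0101, b"ping")                   # fully predictable "keepalive"
    p2 = build_packet(0x0202, b"secret quest state")     # body unknown to the observer
    c1, c2 = xor_packet(p1, client_key), xor_packet(p2, client_key)
    known = recover_key_bytes([(c1, p1), (c2, p2[:4])])  # all of p1, magic + id of p2
    return client_key == server_key, known, partial_decrypt(c2, known)


if __name__ == "__main__":
    keys_match, known, decrypted = demo()
    print("keys match:", keys_match, "| recovered key bytes:", len(known))
    print("partial decrypt of p2:", decrypted)
```

The recovery half shows why a predictable packet is worth more than its size: every known plaintext byte at offset i leaks key[i] for all packets, and with a fixed-size repeating key the partially decrypted output grows as more distinct offsets are covered. What it does not show is how the real tool gets from a handful of recovered key bytes to the full key; the thread only says MagicSniffer brute-forces the XOR key from the original plaintext, so that step is left out rather than guessed.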
