Out of bordom, I decided perhaps this may interest someone. I have no use for this knowlegde any longer as their is no Zone left, just a pathetic mess of a flash gaming site.

When the final update was applied a lot of things were changed. They added a protection scheme, which was identified as armadillo. Armadillo at the time was one of the most difficult schemes to defeat. Most information on the subject was closely gaurded, and there were no public "unpackers". For most of us, it was game over. But fuck that, I'm a stubborn basterd.

They also implemented a change in protocol in the previous update a few weeks (I think?) before. So, fortunately for us not much was changed internally and the files they provided us with earlier had much of what I needed. I may have been no longer able to debug the process easily, but that wasn't too much of an issue.

On to the good stuff!

In ZoneCli.dll there has always been a lot of debug strings. These pretty much highlight exactly what a function is for. Using this technique I was able to identify a number of new functions in the Recv and Send functions used for parsing.

( I'm guessing the scheme they use is some kind of widely used encyption scheme. I never looked into it too much, so I really have no idea. )

The old scheme was simple. (painfully simple psuedocode)

for each dword in packet dpacket = dpacket + (dword packet) XOR key next dword in packet

it''s just an XOR32 cryption scheme. (They actually only used an 8bit key)Anyway, the new scheme is something entirely more complex. It was a hash based encyption layer with a layer of psuedo random bytes using a base seed. I can't go into too much detail (unfortunately I don't remember a lot of it), but I can at least provide the meat and potatos of the implementation.

Psuedo random first layer (applied before the real encryption)
loop_start: imul eax, 343FDh add eax, 269EC3h mov ecx, eax shr ecx, 10h shr ecx, 2 xor [esi+ebx], cl inc esi cmp esi, 18h jb short loop_start

This roughly translates to .. //p is packet data, k is the key for(int i = 0; i < strlen(p); i++){ k = (k * 0x343FD) + 0x269EC3 >> 18; p[i] ^= (j & 0xff); }

At first, I figured this was *all* the new encyption. After decrypted packets looked just as obfuscated, I realized I was dealing with something more beastly. I then identified the following function being called in a loop.

Cryption Layer 2
mov ecx, [esp+8] mov eax, 0FFh mov dl, cl push ebx and edx, eax push esi shr ecx, 8 mov esi, edx mov dl, cl shr ecx, 8 mov ebx, ecx and edx, eax push edi mov edi, edx mov edx, [esp+10h] and ecx, eax shr ebx, 8 and ebx, eax mov eax, [edx+ebx*4+48h] add eax, [edx+ecx*4+448h] movzx ecx, di pop edi xor eax, [edx+ecx*4+848h] movzx ecx, si pop esi pop ebx add eax, [edx+ecx*4+0C48h] retn 8

This roughly translates to..
//k is the key table //p is the packet (dword) to be decrypted //d is the decrypted value d = k[(p >> 0x18) + (0x48 / 4)]; d += k[((p >> 0x10) & 0xff) + (0x448 / 4)]; d ^= k[((p >> 0x8) & 0xff) + (0x848 / 4)]; d += k[(p & 0xff) + (0xC48 / 4)];

As you can see above, a precomputed key/hash table is used for decrypting the packet data. Very annoying. Locating the function that builds the key table was fairly simple (key table location is passed to the client during every encryption and decryption call).

push ebp mov ebp, esp push ecx push ebx push esi push edi mov edi, [ebp+8] push 1000h ; Size push offset dwKeyTable ; Src lea eax, [edi+48h] push eax ; Dst call _memcpy mov esi, offset dwKeyTable2 add esp, 0Ch xor ecx, ecx mov eax, edi sub esi, edi mov dword ptr [ebp-4], 12h loc_1: xor edx, edx mov dword ptr [ebp+8], 4 loc_2: mov ebx, [ebp+0Ch] shl edx, 8 ovzx ebx, byte ptr [ecx+ebx] or edx, ebx inc ecx cmp ecx, [ebp+10h] jl shortloc_3 xor ecx, ecx loc_3: dec dword ptr [ebp+8] jnz shortloc_2 mov ebx, [esi+eax] xor ebx, edx mov [eax], ebx add eax, 4 dec dword ptr [ebp-4] jnz shortloc_1 and dword ptr [ebp+8], 0 and dword ptr [ebp-4], 0 push 9 mov esi, edi pop ebx loc_4: lea eax, [ebp-4] push eax lea eax, [ebp+8] push eax push edi call ZCryptLayer2 mov eax, [ebp+8] mov [esi], eax mov eax, [ebp-4] mov [esi+4], eax add esi, 8 dec ebx jnz shortloc_4 lea esi, [edi+76] mov dword ptr [ebp+0Ch], 4 loc_5: mov ebx, 80h loc_6: lea eax, [ebp-4] push eax lea eax, [ebp+8] push eax push edi call ZCryptLayer2 mov eax, [ebp+8] mov [esi-4], eax mov eax, [ebp-4] mov [esi], eax add esi, 8 dec ebx jnz shortloc_6 dec dword ptr [ebp+0Ch] jnz shortloc_5 pop edi pop esi pop ebx leave retn 0Ch

Andddd I'm not going to translate that one to something more readable for you. Sorry. Its not that hardest thing to break down and understand anyway. The only that that really merrits explaination are the calls to ZCryptLayer2. They are essentially calls to a function which calls the Cryption Layer 2 function against a char array.

Anyway, this was long and probably entirely unnecessary! I know a few EX- die hard zone coders were curious as hell about this, so hopefully you can finally let this one go and leave me alone!

Later.