issy123 / agario-protocol

Protocol for agar.io version 2.1.5

Protocol 20 #23

Open Barbosik opened 5 years ago

Barbosik commented 5 years ago

Protocol 20 has just rolled out. It looks like there is no significant difference from protocol 19.

Discovered changes:

1) The server version string is moved from the Border Update message (0x40) to the Cipher Key message (0xF1).

2) The client-side encryption key generator is replaced; it now depends on the server host and server version.

Still under investigation; if you have any info about it, you're welcome to share it.

Barbosik commented 5 years ago

F1 = CIPHER KEY

Offset  Size    Description
0       byte    = 0xF1
1       uint32  decryption key
5       string  server version (zero-terminated string)

The server version and server host name are used to generate the client-side encryption key.

Barbosik commented 5 years ago

Today I discovered a botter who used some kind of cell mass hack. His bots spawned with extra high mass. Does anybody know how it works? Just interested in how this hack works. It would be nice if you share it before it gets fixed. Thanks

SuperOP535 commented 5 years ago

@Barbosik https://www.youtube.com/watch?time_continue=120&v=kkxhIdXPbTI

In the comments the guy says there's some special packets or whatever

NuclearC commented 5 years ago

@Barbosik The hack is about spamming the ActivateUserBoost (or whatever it's called) proto packet before spawn; here is the code:

    core.sendNick("asdafd");
    for (let i = 0; i < 300; i++) {
        // protobuf-encoded boost request; the trailing bytes are the boost name
        let bytes = [8, 1, 18, 23, 8, 112, 130, 7, 18, 10, 16];
        let massBoostName = "mass_boost_3x_1h";
        for (let j = 0; j < massBoostName.length; j++) {
            bytes.push(massBoostName.charCodeAt(j));
        }
        core.proxyMobileData(bytes);
    }

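
The byte array NuclearC posted decodes as protobuf wire format (the tag bytes 8, 18, 130 7 and 10, and the length prefixes 23, 18 and 16). The following is an added example, not code from the thread or the agario-protocol repository: it rebuilds the message from parts so the two length prefixes are computed instead of hardcoded, and walks the wire format back to show the nesting. The field numbers are read off the bytes; what they mean and the `core.proxyMobileData` transport are not documented in the thread, so no field names are assumed and no sending code is included.

```javascript
// Added example, not code from the thread: the literal byte array posted above is
// protobuf wire format. Build it from parts so the length prefixes (23 and 18 in
// the literal) are computed, and walk it back to show the nesting. Only the wire
// layout is recovered here; the meaning of the fields is not documented in the thread.

// Unsigned LEB128 varint, as protobuf encodes integers, tags and lengths.
function encodeVarint(n) {
  const out = [];
  while (n >= 0x80) { out.push((n & 0x7f) | 0x80); n >>>= 7; }
  out.push(n);
  return out;
}

// A field is tag + payload; tag = (fieldNumber << 3) | wireType.
// Wire type 0 = varint, 2 = length-delimited (string or nested message).
function varintField(fieldNumber, value) {
  return encodeVarint((fieldNumber << 3) | 0).concat(encodeVarint(value));
}
function bytesField(fieldNumber, payload) {
  return encodeVarint((fieldNumber << 3) | 2).concat(encodeVarint(payload.length), payload);
}
function utf8Bytes(s) { return Array.from(new TextEncoder().encode(s)); }

// Same structure as the literal: { 1: 1, 2: { 1: 112, 112: { 1: boostName } } }
// Field numbers come from the bytes; their meaning is an unknown, not assumed here.
function buildBoostRequest(boostName) {
  const inner = varintField(1, 112).concat(
    bytesField(112, bytesField(1, utf8Bytes(boostName))));
  return varintField(1, 1).concat(bytesField(2, inner));
}

// Read one varint starting at pos; returns [value, nextPos].
function readVarint(bytes, pos) {
  let value = 0, shift = 0;
  for (;;) {
    if (pos >= bytes.length) throw new Error('truncated varint');
    const b = bytes[pos++];
    value += (b & 0x7f) * 2 ** shift;   // multiply rather than shift: exact past 31 bits
    shift += 7;
    if (b < 0x80) return [value, pos];
  }
}

// Decode one level of wire format into [{field, wireType, value}]; value is a
// number for varints and a byte array for length-delimited fields, which the
// caller can feed back in to descend a level.
function decodeFields(bytes) {
  const fields = [];
  let pos = 0;
  while (pos < bytes.length) {
    let tag; [tag, pos] = readVarint(bytes, pos);
    const field = Math.floor(tag / 8), wireType = tag & 7;
    if (wireType === 0) {
      let value; [value, pos] = readVarint(bytes, pos);
      fields.push({ field, wireType, value });
    } else if (wireType === 2) {
      let len; [len, pos] = readVarint(bytes, pos);
      if (pos + len > bytes.length) throw new Error('length prefix runs past end of message');
      fields.push({ field, wireType, value: bytes.slice(pos, pos + len) });
      pos += len;
    } else {
      throw new Error('wire type ' + wireType + ' not handled in this example');
    }
  }
  return fields;
}

// The literal from the snippet above, for comparison with buildBoostRequest().
const LITERAL = [8, 1, 18, 23, 8, 112, 130, 7, 18, 10, 16].concat(utf8Bytes('mass_boost_3x_1h'));
```

Walking `LITERAL` with `decodeFields` gives field 2 as a 23-byte message, whose field 112 is an 18-byte message, whose field 1 is the 16-byte boost name. The hardcoded 23 and 18 therefore only fit a 16-character name; `buildBoostRequest` recomputes them for any name.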
Barbosik commented 5 years ago

As I understand it, it will utilize all available mass_boost_3x_1h boosts. Usually I'm using my custom console commands to emit proto messages, for example: proto_activateBoostRequest mass_boost_3x_1h

Unfortunately I have no account with empty boosts to check that behavior. I have limited accounts for tests and they all contain a lot of boosts, so I don't want to lose them :)

q3wzeck commented 5 years ago

> As I understand it, it will utilize all available mass_boost_3x_1h boosts. Usually I'm using my custom console commands to emit proto messages, for example: proto_activateBoostRequest mass_boost_3x_1h
>
> Unfortunately I have no account with empty boosts to check that behavior. I have limited accounts for tests and they all contain a lot of boosts, so I don't want to lose them :)

If your theory is right, I should have unlimited boosts, because every spawn I can have mass 5-30k.

NuclearC commented 5 years ago

@q3wzeck I think with these packets it's just adding the mass, but not pushing the boosts into the player's shop info.

Barbosik commented 5 years ago

Just tested: if you don't have a mass boost it will be pushed, but the next packets succeed with a strange result: (screenshot)

I think this feature was added intentionally, just to make some fun and attract players :)

Barbosik commented 5 years ago

They fixed that in server v2.22.1. Servers with the old version are still running but will be restarted soon.

SuperOP535 commented 5 years ago

rip, I did not even get to try it out :(

NuclearC commented 5 years ago

@Barbosik have you tested whether the amount of responses sent back is related to the start mass? Like, let's say a 2x boost adds 40 mass to your start mass, and after using the hack you get e.g. 12040 mass, so the amount of responses must be (12040 - 40 (normal start mass when logged in)) / 40 (addition to start mass when using a 2x mass boost) = 300 packets being sent back.

Barbosik commented 5 years ago

@SuperOP535 some party servers are still working on version 2.22.0 (with that bug), so you can test it. :) For example: https://agar.io/?sip=live-arena-1xao4kr.agar.io

@NuclearC yes, I tested it with different amounts of packets. It looks like the mass growth works only for the first 120 game ticks (3 seconds). In this time period you need to send a lot of packets (probably to overload the server queue), and then the mass grows in random pulses. After 120 ticks the server still sends responses for the packets, but the mass stops growing.

I think it may be a thread concurrency issue due to missing correct thread synchronization, and such behavior leads to the player join operation being processed from several threads in parallel. We know that a player gets mass smoothly on joining the game, and I think this mass increment is processed many times from parallel threads, because one thread cannot handle it in time due to the large number of requests.

mahirozdin commented 5 years ago

> Today I discovered a botter who used some kind of cell mass hack. His bots spawned with extra high mass. Does anybody know how it works? Just interested in how this hack works. It would be nice if you share it before it gets fixed. Thanks

I got protocol 18 agario bots, including Facebook bots, but I don't know how to change them to protocol 20. Contact me please: ozdinmt@gmail.com. We can maybe help each other.

Barbosik commented 5 years ago

The protocol 20 difference is in the encryption key. Its value is now calculated from the string concatenated from the server host name (excluding the protocol prefix and port suffix) and the server version transmitted in message 0xF1:

    case 0xF1:   // [241] Decryption key
        {
            var key = reader.ReadUInt32();
            _isDecryptNeeded = true;
            _decryptKey = key;
            //Logger.Trace("DKEY: 0x{0:X8}", key);
            if (reader.BaseStream.Position < reader.BaseStream.Length)
            {
                // since protocol 20: a zero-terminated server version string follows the key
                var server = EncodingHelper.ReadStringUtf8(reader);
                Logger.Trace("Server: {0}", server);
                if (Protocol >= 20)
                {
                    _encryptKey = CryptoHelper.HostToKey(Host, server);   // protocol 20
                    IsInitialized = true;
                }
            }
        }
        break;

for example:

HostToKey("live-arena-51ju0.agar.io", "22.2.0") = 0xc0152a6c
HostToKey("live-arena-m54jm1.agar.io", "22.2.0") = 0xab9e06c3
HostToKey("live-arena-18ho3ui.agar.io", "22.2.0") = 0x7b82962d
HostToKey("0", "22.2.0") = 0x70da3604
HostToKey("01", "22.2.0") = 0xca576f8d
HostToKey("0123", "22.2.0") = 0x97e19807
HostToKey("012345", "22.2.0") = 0xe120f23c
HostToKey("0123", "0") = 0x4882540d
HostToKey("0123", "1") = 0xd7cabed8
HostToKey("0123", "01") = 0x760f555d
HostToKey("0", "0") = 0x3e148e4f
HostToKey("0", "1") = 0x3a9bdeb6
HostToKey("1", "0") = 0xde352bf5
HostToKey("1", "1") = 0xec0fb969

Here is a little hint: the HostToKey function depends on the constant 1540483477, and the strings are concatenated and transformed to a byte array before the calculation :)
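
Pulling together the 0xF1 layout from Barbosik's table earlier in the issue and the C# handler in the comment above, here is an added JavaScript example (not code from the thread or the agario-protocol repository) that parses the Cipher Key message and reduces a server URL to the bare host name that, with the server version, feeds the protocol 20 client key. The little-endian read of the key matches what C# BinaryReader.ReadUInt32 does. The concatenation order host then version is assumed from the wording above. The hash itself is not reproduced: 1540483477 is 0x5BD1E995, the MurmurHash2 multiplier, but the thread gives neither the seed nor the exact variant, so this example stops at preparing the input bytes. The sample message and the `sampleCipherKeyMessage` helper are constructed for the example.

```javascript
// Added example, not code from the thread or the agario-protocol repository.
// Parses the 0xF1 Cipher Key message (opcode, uint32 decryption key, and since
// protocol 20 a zero-terminated server version string) and derives the bare host
// name used, with the version, as input to the protocol 20 client key.

function parseCipherKey(bytes) {
  if (bytes.length < 5 || bytes[0] !== 0xf1) throw new Error('not a 0xF1 Cipher Key message');
  // Little-endian, which is how C# BinaryReader.ReadUInt32 in the handler above reads it.
  const decryptKey = new DataView(Uint8Array.from(bytes).buffer).getUint32(1, true);
  let serverVersion = null;   // before protocol 20 the message is exactly 5 bytes
  if (bytes.length > 5) {
    let end = bytes.indexOf(0, 5);
    if (end === -1) end = bytes.length;   // tolerate a missing terminator
    serverVersion = new TextDecoder().decode(Uint8Array.from(bytes.slice(5, end)));
  }
  return { decryptKey, serverVersion };
}

// "Exclude protocol prefix and port suffix": accepts a full URL (wss://host:443/),
// host:port, or a bare host as in the ?sip= parameter, and returns only the host name.
function hostFromServerUrl(server) {
  const withScheme = server.includes('://') ? server : 'wss://' + server;
  return new URL(withScheme).hostname;
}

// Input to the key derivation as the thread words it: host name and server version
// concatenated, then turned into bytes. The order host + version is an assumption;
// the thread gives HostToKey results but does not spell out the input byte order.
function keyInputBytes(server, serverVersion) {
  return Array.from(new TextEncoder().encode(hostFromServerUrl(server) + serverVersion));
}

// Constructed sample message (not a capture): key 0x12345678 followed by "22.2.0\0".
function sampleCipherKeyMessage() {
  return [0xf1, 0x78, 0x56, 0x34, 0x12].concat(Array.from(new TextEncoder().encode('22.2.0')), 0);
}
```

A pre-20 client that only reads five bytes still works against a protocol 20 server, since the version string is simply trailing data; the `bytes.length > 5` check is what the C# `Position < Length` test does.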

mahirozdin commented 5 years ago

@Barbosik can you mail me? ozdinmt@gmail.com. I'm open for paid support. I just need you to check my code and integrate it into protocol 20 if you can.

Barbosik commented 5 years ago

@mahirozdin you can do it yourself with the debugger embedded in the Chrome browser. There is more than enough information already provided. You should do it yourself, because you need to understand that sharing this info with botters will lead to a quick algorithm change, and you will need to spend several additional hours in the debugger to discover the new algorithm.

Also, using bots leads to unwanted game lag. This is not good.

mahirozdin commented 5 years ago

@Barbosik I don't know how to start observing. Could you give steps? I have the protocol key and the bot is connecting to the server. After that I'm getting opcodes, but I don't know which opcode means what. :(

EDIT: I found it, but the opcodes are not right... I need an encryption key and I don't know how to find it.

Is that right? this._encryptionKey = 673720360 ^ this._protocolKey;

I want to email you but I can't find your email; can you mail me so I can share my code with you? ozdinmt@gmail.com