xzfc / agar-expose

Yet another ogar client

Packet scrambling? #38

Open ghost opened 7 years ago

ghost commented 7 years ago

It seems agar uses a new decryption method!

ghost commented 7 years ago

protocol 13

ZfsrGhS953 commented 7 years ago

@lefela4 As it turns out, the packets aren't encrypted at all, but the agar.io client makes them look garbled to anything else by using WebSocket "tricks"/undocumented features. I looked at the packets through Wireshark and they look normal from there. The bots can be fixed by creating your own WebSocket library using node.js's TCP APIs.

ghost commented 7 years ago

@ZfsrGhS953 How can we make a WebSocket library?

ZfsrGhS953 commented 7 years ago

@lefela4 By using node.js's TCP APIs and implementing the protocol according to this documentation. But first, we need to capture the packets using Wireshark. When implementing the protocol, don't forget to prevent the MASK flag from being read, because that's what causes the packets to become garbled.
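
Added example, not part of the thread or of agar-expose: RFC 6455 defines the MASK flag mentioned above. When it is set, the frame carries a 4-byte masking key and the payload is XORed with it, so payload bytes in a raw capture differ from what the application sees. The decoder below parses one frame and unmasks it; the function and constant names are illustrative, and the sample frames are the "Hello" examples from RFC 6455 section 5.7.

```javascript
// Added example: minimal RFC 6455 frame decoder. Names are illustrative,
// not taken from agar-expose or agario.js.
function parseFrame(buf) {
  if (buf.length < 2) throw new RangeError('truncated header');
  const fin = (buf[0] & 0x80) !== 0;      // FIN bit
  const opcode = buf[0] & 0x0f;           // 1 = text, 2 = binary, 8 = close
  const masked = (buf[1] & 0x80) !== 0;   // MASK bit
  let len = buf[1] & 0x7f;
  let off = 2;
  if (len === 126) {                      // 16-bit extended length
    if (buf.length < off + 2) throw new RangeError('truncated length');
    len = buf.readUInt16BE(off);
    off += 2;
  } else if (len === 127) {               // 64-bit extended length
    if (buf.length < off + 8) throw new RangeError('truncated length');
    const big = buf.readBigUInt64BE(off);
    if (big > BigInt(Number.MAX_SAFE_INTEGER)) throw new RangeError('frame too large');
    len = Number(big);
    off += 8;
  }
  let maskKey = null;
  if (masked) {
    if (buf.length < off + 4) throw new RangeError('truncated masking key');
    maskKey = buf.subarray(off, off + 4);
    off += 4;
  }
  if (buf.length < off + len) throw new RangeError('truncated payload');
  const wire = buf.subarray(off, off + len);  // payload bytes as seen in a capture
  const payload = Buffer.from(wire);          // copy, then unmask in place
  if (masked) {
    for (let i = 0; i < len; i++) payload[i] ^= maskKey[i % 4];
  }
  return { fin, opcode, masked, maskKey, wire, payload, frameLength: off + len };
}

// Constructed samples: the "Hello" text frames from RFC 6455 section 5.7.
const MASKED_HELLO = Buffer.from('818537fa213d7f9f4d5158', 'hex');
const UNMASKED_HELLO = Buffer.from('810548656c6c6f', 'hex');

for (const frame of [MASKED_HELLO, UNMASKED_HELLO]) {
  const f = parseFrame(frame);
  console.log(f.masked ? 'masked  ' : 'unmasked',
    'wire=' + f.wire.toString('hex'), 'payload=' + f.payload.toString('utf8'));
}
```
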

ghost commented 7 years ago

@ZfsrGhS953 Ok, so if I understand, we need to make a new WebSocket library using TCP APIs and implement the protocol using the documentation you sent. What do we need to do with the captured packets? And what is packet 241 for?

ZfsrGhS953 commented 7 years ago

@lefela4 We will make a new agario-client with the captured packets we find. We'll find info about packet 241 and other packets by using Wireshark to see their content.

ghost commented 7 years ago

@ZfsrGhS953 Ok, I already fixed everything on protocol 9, so can we take mine? It sends the good packet 255 each time it resets. Do you have a Skype account or something?

ZfsrGhS953 commented 7 years ago

@lefela4 But agar.io runs on protocol 13.

ghost commented 7 years ago

@ZfsrGhS953 Yes, I know, it's the same protocol; in protocol 11 they added the captcha. And in protocol 13 they removed packets 113 and 112 and added new graphics. If you want, I wrote the protocol there: https://github.com/lefela4/Agar.io-client-v3/blob/master/protocole.md

ghost commented 7 years ago

@ZfsrGhS953 Is it possible the incoming messages are SHA-1 and base64 encoded?

ZfsrGhS953 commented 7 years ago

@lefela4 Yes. Did you find a decoder?

ghost commented 7 years ago

@ZfsrGhS953 Yes. We can also use the one in the agar.io core? In agar.io/mc/agario.js

ZfsrGhS953 commented 7 years ago

@lefela4 Yes. But we need to find packets first, before we can try to decode them. Use Wireshark.

ghost commented 7 years ago

@ZfsrGhS953 What do you mean? You need some scrambled packets?

ZfsrGhS953 commented 7 years ago

@lefela4 We need the exact opposite - unscrambled packets. Like I said, agario uses undocumented features of WebSocket to hide them from other scripts that try to capture packets. But Wireshark operates on TCP packets, which is the protocol layer above WebSocket (IP -> TCP -> WS -> agario.js). Therefore it can capture the packets before they get scrambled.

ghost commented 7 years ago

@ZfsrGhS953 Ok, now I understand

ghost commented 7 years ago

@ZfsrGhS953 So I found those packets: 1f fa 6a 20 e0 12 63 30 e0 e2 d8 98 37 39 84 d8 1f 1d 8e dd 1f 1d db 20 e0 e2 6a 20 e0 e2 6a

The byte 0x1f is the opcode 255.

I tried with the AES decryption method. Every time, I am getting the packet 33. Maybe it's a part of it. The keys are 1073733539 3797345567 3768189413 13

1073733539 is the UINT32 of the packet 241 (old key of the protocol 9). 3797345567 is the UINT32 of the packet 255. 3768189413 is the result of an aesrotator key. 13 is the protocol version.

That is what I get:

AES: 336cccb1a07a72281d320adf3cb3584f3559d6ba6dfb46d701b54bae55cc42

ORIGINAL : 1f fa 6a 20 e0 12 63 30 e0 e2 d8 98 37 39 84 d8 1f 1d 8e dd 1f 1d db 20 e0 e2 6a 20 e0 e2 6a

If 33 is 1f with the key 3797345567. I think we need to do another decryption type? Maybe it's a new process?

ghost commented 7 years ago

@ZfsrGhS953 Sorry, I made a mistake. It was the same cmd ^^ How does Wireshark unscramble the TCP packets?

ghost commented 7 years ago

this is a presidential debate in the making

ghost commented 7 years ago

?

ghost commented 7 years ago

@ZfsrGhS953 I just found what decoder agar.io uses. I think they use the Unserializer for the incoming packets. It uses BASE64 and MD5 or SHA1. In agario.js you can look for nt["haxe.Serializer"] and nt["haxe.Unserializer"]. I think we need to run the core in Node.js and call those functions.

ghost commented 7 years ago

@ZfsrGhS953 There: https://haxe.org/manual/std-serialization.html we can find the documentation. The serializer supports these values:

- null
- Bool, Int and Float (including infinities and NaN)
- String
- Date
- haxe.io.Bytes (encoded as base64)
- Array and List
- haxe.ds.StringMap, haxe.ds.IntMap and haxe.ds.ObjectMap
- anonymous structures
- Haxe class instances (not native ones)
- enum instances

Serializer API: http://api.haxe.org/haxe/Serializer.html

Unserializer API: http://api.haxe.org/haxe/Unserializer.html

I found an alternative: https://www.npmjs.com/package/hron

ZfsrGhS953 commented 7 years ago

@lefela4 Great! Now we can get the Wireshark and get ALL packets! Download it here!

ghost commented 7 years ago

@ZfsrGhS953 So, how can we bypass it?

ghost commented 7 years ago

@ZfsrGhS953 Why did you send a virus to my friend..

ZfsrGhS953 commented 7 years ago

@lefela4 Oh sorry, it's not me, it's the website which I uploaded it to. Maybe try from here

ghost commented 7 years ago

@ZfsrGhS953 No, it's good, I will try on the original website

ghost commented 7 years ago

anyone got unmangled V72 source code?

ghost commented 7 years ago

@XtremePlayzCODE what?

ghost commented 7 years ago

@lefela4 the v72 source (this repo) has random function names like xc wc ba

ghost commented 7 years ago

@XtremePlayzCODE and ?..

ghost commented 7 years ago

@lefela4 i want more descriptive function names ._.

ghost commented 7 years ago

for debugging purposes

ghost commented 7 years ago

@XtremePlayzCODE Oh,

ghost commented 7 years ago

@ZfsrGhS953 You are wrong. In Wireshark they are encrypted.

ghost commented 7 years ago

so you don't have it

StrikerJS commented 7 years ago

u wot

ghost commented 7 years ago

DOES ANYONE HAVE THE UNMINIFIED SOURCE CODE FOR V72???

StrikerJS commented 7 years ago

sry no xddddddddd xaxaxaxaxa

ghost commented 7 years ago

FFFFFFFFFFFFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUCCCCCCCCCCCCCCCCCCCCCCCCCCCCKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK

StrikerJS commented 7 years ago

xaxaxaxaxaxaxaxaxaxaxaxaaxaxaxaxaxaxaxaxaxaxax

ZfsrGhS953 commented 7 years ago

@lefela4 In the unpatched version, that is? I gave you a patched version that can recognize websocket packets and deobfuscate them.

StrikerJS commented 7 years ago

Zfsr Dont rat me xd

StrikerJS commented 7 years ago

U fucking asshole its a virus BAT/Forkbomb.A

StrikerJS commented 7 years ago

stored in temp

ghost commented 7 years ago

@ZfsrGhS953 No, it's a virus

ghost commented 7 years ago

Oh fucker @ZfsrGhS953

ghost commented 7 years ago

@ZfsrGhS953 I figured out agar.io bots. I have working bots on the protocol 13.

ghost commented 7 years ago

Yep guys! Agar.io bots are simple to make ;)

ghost commented 7 years ago

Holy shit I want beta access @lefela4