GCEmu/gcpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1 Commit 1 Branch 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

GCEmu Packet Parser

A Java tool to parse and analyze Grand Chase packets from pcapng capture files.

Overview

This tool reads pcapng files containing network captures of Grand Chase game traffic, filters TCP packets on a specified port (default: 9501), and decrypts them. It automatically:

  1. Parses pcapng file format
  2. Extracts TCP segments and filters by port
  3. Detects the initial key exchange packet (opcode 1) to obtain session keys
  4. Decrypts all subsequent packets
  5. Validates packet integrity
  6. Decompresses compressed payloads
  7. Displays decrypted packet contents in human-readable format

Building

mvn clean package

This creates two JAR files in target/:

  • gcpp-1.0.0.jar - Standalone JAR (requires dependencies)
  • gcpp-1.0.0-jar-with-dependencies.jar - Fat JAR with all dependencies (recommended)

Usage

java -jar target/gcpp-1.0.0-jar-with-dependencies.jar <pcapng-file> [port]

Parameters:

  • <pcapng-file>: Path to the pcapng capture file (required)
  • [port]: TCP port to filter on (default: 9501)

Examples:

# Decrypt packets on default port 9501
java -jar target/gcpp-1.0.0-jar-with-dependencies.jar capture.pcapng

# Decrypt packets on custom port
java -jar target/gcpp-1.0.0-jar-with-dependencies.jar capture.pcapng 9001

How It Works

Grand Chase Protocol Structure

The Grand Chase protocol has two main layers:

1. Security Layer

  • Size (2 bytes): Total security layer size
  • SPI (2 bytes): Security Parameters Index
  • Sequence Number (4 bytes): Packet counter
  • IV (8 bytes): DES initialization vector
  • Encrypted Payload (variable): DES-CBC encrypted data
  • ICV (10 bytes): Integrity check value (MD5-HMAC truncated)

2. Payload Layer

  • Opcode (2 bytes): Packet type identifier
  • Content Size (4 bytes): Size of content
  • Compression Flag (1 byte): Whether content is zlib-compressed
  • Content (variable): Actual data (possibly compressed)
  • Padding (4 bytes): End padding

Key Exchange

The first packet (opcode 1) contains the session keys:

  • Sent by server using default keys
  • Contains new SPI, authentication key, and encryption key
  • All subsequent packets use these new keys

Default Keys:

  • Encryption Key: C7 D8 C4 BF B5 E9 C0 FD
  • Authentication Key: C0 D3 BD C3 B7 CE B8 B8

Encryption

  • Algorithm: DES in CBC mode
  • Padding: Custom padding scheme (incrementing bytes)
  • Integrity: MD5-HMAC truncated to 10 bytes

Compression

  • Algorithm: zlib
  • Header: 78 01
  • Structure: First 4 bytes indicate decompressed size (little-endian)

Output Format

For each packet, the tool displays:

  • Source/destination IP and port
  • TCP sequence number
  • SPI and IV values
  • ICV validation status
  • Opcode and content size
  • Hex dump of decrypted content
  • Extracted readable strings

Project Structure

gcnet-decryptor/
├── pom.xml
└── src/main/java/com/gcpp
    ├── GCPacketParser.java              # Main application
    ├── pcapng/
    │   ├── PcapngParser.java            # pcapng file parser (wraps pcapngdecoder)
    │   └── TcpPacketParser.java         # TCP segment extractor
    ├── security/
    │   └── SecurityAssociation.java     # Decryption & ICV validation
    └── payload/
        └── PayloadParser.java           # Payload parser & decompression

Dependencies

  • pcapng-decoder by Bertrand Martel (MIT License) - Pure Java pcapng file parser
Description
No description provided
Readme 106 KiB
Languages
Java 100%