# GCEmu Packet Parser

A Java tool to parse and analyze Grand Chase packets from pcapng capture files.

## Overview

This tool reads pcapng files containing network captures of Grand Chase game traffic, filters TCP packets on a specified port (default: 9501), and decrypts them.

It automatically:

1. Parses pcapng file format
2. Extracts TCP segments and filters by port
3. Detects the initial key exchange packet (opcode 1) to obtain session keys
4. Decrypts all subsequent packets
5. Validates packet integrity
6. Decompresses compressed payloads
7. Displays decrypted packet contents in human-readable format

## Building

```bash
mvn clean package
```

This creates two JAR files in `target/`:

- `gcpp-1.0.0.jar` - Standalone JAR (requires dependencies)
- `gcpp-1.0.0-jar-with-dependencies.jar` - Fat JAR with all dependencies (recommended)

## Usage

```bash
java -jar target/gcpp-1.0.0-jar-with-dependencies.jar [port]
```

**Parameters:**

- ``: Path to the pcapng capture file (required)
- `[port]`: TCP port to filter on (default: 9501)

**Examples:**

```bash
# Decrypt packets on default port 9501
java -jar target/gcpp-1.0.0-jar-with-dependencies.jar capture.pcapng

# Decrypt packets on custom port
java -jar target/gcpp-1.0.0-jar-with-dependencies.jar capture.pcapng 9001
```

## How It Works

### Grand Chase Protocol Structure

The Grand Chase protocol has two main layers:

#### 1. Security Layer

- **Size** (2 bytes): Total security layer size
- **SPI** (2 bytes): Security Parameters Index
- **Sequence Number** (4 bytes): Packet counter
- **IV** (8 bytes): DES initialization vector
- **Encrypted Payload** (variable): DES-CBC encrypted data
- **ICV** (10 bytes): Integrity check value (MD5-HMAC truncated)

#### 2. Payload Layer

- **Opcode** (2 bytes): Packet type identifier
- **Content Size** (4 bytes): Size of content
- **Compression Flag** (1 byte): Whether content is zlib-compressed
- **Content** (variable): Actual data (possibly compressed)
- **Padding** (4 bytes): End padding

### Key Exchange

The first packet (opcode 1) contains the session keys:

- Sent by server using default keys
- Contains new SPI, authentication key, and encryption key
- All subsequent packets use these new keys

**Default Keys:**

- Encryption Key: `C7 D8 C4 BF B5 E9 C0 FD`
- Authentication Key: `C0 D3 BD C3 B7 CE B8 B8`

### Encryption

- **Algorithm**: DES in CBC mode
- **Padding**: Custom padding scheme (incrementing bytes)
- **Integrity**: MD5-HMAC truncated to 10 bytes

### Compression

- **Algorithm**: zlib
- **Header**: `78 01`
- **Structure**: First 4 bytes indicate decompressed size (little-endian)

## Output Format

For each packet, the tool displays:

- Source/destination IP and port
- TCP sequence number
- SPI and IV values
- ICV validation status
- Opcode and content size
- Hex dump of decrypted content
- Extracted readable strings

## Project Structure

```
gcnet-decryptor/
├── pom.xml
└── src/main/java/com/gcpp
    ├── GCPacketParser.java            # Main application
    ├── pcapng/
    │   ├── PcapngParser.java          # pcapng file parser (wraps pcapngdecoder)
    │   └── TcpPacketParser.java       # TCP segment extractor
    ├── security/
    │   └── SecurityAssociation.java   # Decryption & ICV validation
    └── payload/
        └── PayloadParser.java         # Payload parser & decompression
```

## Dependencies

- **[pcapng-decoder](https://github.com/bertrandmartel/pcapng-decoder)** by Bertrand Martel (MIT License) - Pure Java pcapng file parser
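
## Added Example: Security Layer Check

The security layer layout and the truncated MD5-HMAC ICV described under "How It Works", shown as an added example that is not code from this project. It builds a constructed frame with the default keys, checks the length fields and the ICV before touching the ciphertext, then decrypts with DES-CBC. Assumptions not stated in this README: header fields are little-endian, Size counts the whole layer including itself, and the ICV covers every byte between Size and ICV; the class name `SecurityLayerExample` and its helpers are hypothetical.

```java
import java.nio.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class SecurityLayerExample {
    static final int HEADER = 16, ICV_LEN = 10; // Size(2)+SPI(2)+Seq(4)+IV(8); ICV(10) trails the payload
    static final byte[] ENC_KEY = {(byte)0xC7,(byte)0xD8,(byte)0xC4,(byte)0xBF,(byte)0xB5,(byte)0xE9,(byte)0xC0,(byte)0xFD};
    static final byte[] AUTH_KEY = {(byte)0xC0,(byte)0xD3,(byte)0xBD,(byte)0xC3,(byte)0xB7,(byte)0xCE,(byte)0xB8,(byte)0xB8};

    // ASSUMPTION: ICV = first 10 bytes of HMAC-MD5 over everything between Size and ICV.
    static byte[] icv(byte[] frame, byte[] authKey) throws Exception {
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(authKey, "HmacMD5"));
        mac.update(frame, 2, frame.length - 2 - ICV_LEN);
        return Arrays.copyOf(mac.doFinal(), ICV_LEN);
    }
    static Cipher des(int mode, byte[] key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("DES/CBC/NoPadding");
        c.init(mode, new SecretKeySpec(key, "DES"), new IvParameterSpec(iv));
        return c;
    }

    // Checks lengths and the ICV before decrypting; the protocol's custom padding is left in place.
    static byte[] open(byte[] frame, byte[] encKey, byte[] authKey) throws Exception {
        int encLen = frame.length - HEADER - ICV_LEN;
        if (encLen < 8 || encLen % 8 != 0) throw new IllegalArgumentException("bad ciphertext length");
        // ASSUMPTION: Size is little-endian and counts the whole layer, itself included.
        int size = ByteBuffer.wrap(frame).order(ByteOrder.LITTLE_ENDIAN).getShort() & 0xFFFF;
        if (size != frame.length) throw new IllegalArgumentException("size field mismatch");
        byte[] got = Arrays.copyOfRange(frame, frame.length - ICV_LEN, frame.length);
        if (!MessageDigest.isEqual(got, icv(frame, authKey))) throw new SecurityException("ICV mismatch");
        byte[] iv = Arrays.copyOfRange(frame, 8, HEADER);
        return des(Cipher.DECRYPT_MODE, encKey, iv).doFinal(frame, HEADER, encLen);
    }

    public static void main(String[] args) throws Exception {
        byte[] iv = {1, 2, 3, 4, 5, 6, 7, 8}; // constructed sample frame: SPI 0, sequence 1
        byte[] enc = des(Cipher.ENCRYPT_MODE, ENC_KEY, iv).doFinal("constructed-data".getBytes(StandardCharsets.US_ASCII));
        ByteBuffer b = ByteBuffer.allocate(HEADER + enc.length + ICV_LEN).order(ByteOrder.LITTLE_ENDIAN);
        b.putShort((short) b.capacity()).putShort((short) 0).putInt(1).put(iv).put(enc);
        byte[] frame = b.array();
        System.arraycopy(icv(frame, AUTH_KEY), 0, frame, frame.length - ICV_LEN, ICV_LEN);
        System.out.println(new String(open(frame, ENC_KEY, AUTH_KEY), StandardCharsets.US_ASCII));
        frame[HEADER] ^= 1; // flip one ciphertext bit: the ICV check must reject the frame
        try { open(frame, ENC_KEY, AUTH_KEY); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```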