# GCNet Packet Decryptor

A Java tool to decrypt and analyze GCNet (Grand Chase) packets from pcapng capture files.

## Overview

This tool reads pcapng files containing network captures of Grand Chase game traffic, filters TCP packets on a specified port (default: 8501), and decrypts them using the GCNet security protocol.

It automatically:

1. Parses pcapng file format
2. Extracts TCP segments and filters by port
3. Detects the initial key exchange packet (opcode 1) to obtain session keys
4. Decrypts all subsequent packets using DES-CBC
5. Validates packet integrity using MD5-HMAC ICV
6. Decompresses zlib-compressed payloads
7. Displays decrypted packet contents in human-readable format

## Building

```bash
mvn clean package
```

This creates two JAR files in `target/`:

- `gcnet-decryptor-1.0.0.jar` - Standalone JAR (requires dependencies)
- `gcnet-decryptor-1.0.0-jar-with-dependencies.jar` - Fat JAR with all dependencies (recommended)

## Usage

```bash
java -jar target/gcnet-decryptor-1.0.0-jar-with-dependencies.jar <pcapng-file> [port]
```

**Parameters:**

- `<pcapng-file>`: Path to the pcapng capture file (required)
- `[port]`: TCP port to filter on (default: 8501)

**Examples:**

```bash
# Decrypt packets on default port 8501
java -jar target/gcnet-decryptor-1.0.0-jar-with-dependencies.jar capture.pcapng

# Decrypt packets on custom port
java -jar target/gcnet-decryptor-1.0.0-jar-with-dependencies.jar capture.pcapng 9001
```

## How It Works

### GCNet Protocol Structure

The GCNet protocol has two main layers:

#### 1. Security Layer

- **Size** (2 bytes): Total security layer size
- **SPI** (2 bytes): Security Parameters Index
- **Sequence Number** (4 bytes): Packet counter
- **IV** (8 bytes): DES initialization vector
- **Encrypted Payload** (variable): DES-CBC encrypted data
- **ICV** (10 bytes): Integrity check value (MD5-HMAC truncated)

#### 2. Payload Layer

- **Opcode** (2 bytes): Packet type identifier
- **Content Size** (4 bytes): Size of content
- **Compression Flag** (1 byte): Whether content is zlib-compressed
- **Content** (variable): Actual data (possibly compressed)
- **Null Padding** (4 bytes): End padding

### Key Exchange

The first packet (opcode 1) contains the session keys:

- Sent by server using default keys
- Contains new SPI, authentication key, and encryption key
- All subsequent packets use these new keys

**Default Keys:**

- Encryption Key: `C7 D8 C4 BF B5 E9 C0 FD`
- Authentication Key: `C0 D3 BD C3 B7 CE B8 B8`

### Encryption

- **Algorithm**: DES in CBC mode
- **Padding**: Custom GCNet padding scheme (incrementing bytes)
- **Integrity**: MD5-HMAC truncated to 10 bytes

### Compression

- **Algorithm**: zlib
- **Header**: `78 01`
- **Structure**: First 4 bytes indicate decompressed size (little-endian)

## Output Format

For each packet, the tool displays:

- Source/destination IP and port
- TCP sequence number
- SPI and IV values
- ICV validation status
- Opcode and content size
- Hex dump of decrypted content
- Extracted readable strings

## Project Structure

```
gcnet-decryptor/
├── pom.xml
└── src/main/java/com/gcnet/decryptor/
    ├── GCNetDecryptor.java                # Main application
    ├── pcapng/
    │   ├── PcapngParser.java              # pcapng file parser (wraps pcapngdecoder)
    │   └── TcpPacketParser.java           # TCP segment extractor
    ├── security/
    │   └── GCNetSecurityAssociation.java  # Decryption & ICV validation
    └── payload/
        └── GCNetPayloadParser.java        # Payload parser & decompression
```

## Dependencies

- **[pcapng-decoder](https://github.com/bertrandmartel/pcapng-decoder)** by Bertrand Martel (MIT License) - Pure Java pcapng file parser

## References

Based on the [GCNet](https://github.com/frihet/GCNet) library by Gabriel F. (Frihet Dev), licensed under AGPL-3.0.

Protocol documentation:

- [The Security Layer](../GCNet/docs/en/The%20Security%20Layer.md)
- [The Cryptography](../GCNet/docs/en/The%20Cryptography.md)
- [The Payload Layer](../GCNet/docs/en/The%20Payload%20Layer.md)
- [The Security Protocol Setup](../GCNet/docs/en/The%20Security%20Protocol%20Setup.md)

## License

This project is provided as-is for educational and analysis purposes.
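
The Payload Layer and Compression layouts described under How It Works, as an added Python example (not code from this project, which is Java): a bounds-checked parser for one decrypted payload that refuses a declared size it cannot confirm. Assumptions not stated on this page: opcode and content size are big-endian, any non-zero compression flag means compressed, the content size covers the whole content field, and the zlib stream directly follows the 4-byte size prefix; `parse_payload`, `inflate`, `build_sample` and `MAX_DECOMPRESSED` are names made up for the example.

```python
import struct
import zlib

HEADER_LEN, PAD_LEN = 7, 4      # opcode(2) + content size(4) + flag(1); null padding
MAX_DECOMPRESSED = 1 << 20      # cap chosen for this example, not a protocol limit

def inflate(content: bytes) -> bytes:
    """Expand compressed content: 4-byte little-endian size, then a zlib stream."""
    if len(content) < 6:
        raise ValueError("compressed content too short")
    (declared,) = struct.unpack_from("<I", content, 0)
    if declared > MAX_DECOMPRESSED:
        raise ValueError("declared decompressed size exceeds cap")
    if content[4:6] != b"\x78\x01":   # assumption: zlib header follows the size prefix
        raise ValueError("unexpected zlib header")
    d = zlib.decompressobj()
    # Ask for at most one byte more than declared so an oversized stream is
    # detected without ever being fully expanded.
    out = d.decompress(content[4:], declared + 1)
    if len(out) != declared or not d.eof:
        raise ValueError("decompressed size does not match declared size")
    return out

def parse_payload(buf: bytes) -> dict:
    """Parse one decrypted payload layer (cipher padding already removed)."""
    if len(buf) < HEADER_LEN + PAD_LEN:
        raise ValueError("payload shorter than header plus null padding")
    # Assumption: opcode and content size are big-endian.
    opcode, size, flag = struct.unpack_from(">HIB", buf, 0)
    if size > len(buf) - HEADER_LEN - PAD_LEN:
        raise ValueError("content size runs past the end of the payload")
    end = HEADER_LEN + size
    if buf[end:end + PAD_LEN] != b"\x00" * PAD_LEN:
        raise ValueError("null padding missing after content")
    content = buf[HEADER_LEN:end]
    if flag:                          # assumption: non-zero means compressed
        content = inflate(content)
    return {"opcode": opcode, "compressed": bool(flag), "content": content}

def build_sample(opcode: int, data: bytes, compress: bool) -> bytes:
    """Build a constructed payload for the demo; not captured traffic."""
    content = struct.pack("<I", len(data)) + zlib.compress(data, 1) if compress else data
    return struct.pack(">HIB", opcode, len(content), int(compress)) + content + b"\x00" * 4

if __name__ == "__main__":
    sample = build_sample(0x0010, b"constructed sample " * 8, True)
    print(parse_payload(sample))
```

A malformed zlib stream surfaces as `zlib.error` rather than `ValueError`, so a caller iterating over a capture should catch both.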