GCEmu/gcpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1 Commit 1 Branch 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

GCNet Packet Decryptor

A Java tool to decrypt and analyze GCNet (Grand Chase) packets from pcapng capture files.

Overview

This tool reads pcapng files containing network captures of Grand Chase game traffic, filters TCP packets on a specified port (default: 8501), and decrypts them using the GCNet security protocol. It automatically:

  1. Parses pcapng file format
  2. Extracts TCP segments and filters by port
  3. Detects the initial key exchange packet (opcode 1) to obtain session keys
  4. Decrypts all subsequent packets using DES-CBC
  5. Validates packet integrity using MD5-HMAC ICV
  6. Decompresses zlib-compressed payloads
  7. Displays decrypted packet contents in human-readable format

Building

mvn clean package

This creates two JAR files in target/:

  • gcnet-decryptor-1.0.0.jar - Standalone JAR (requires dependencies)
  • gcnet-decryptor-1.0.0-jar-with-dependencies.jar - Fat JAR with all dependencies (recommended)

Usage

java -jar target/gcnet-decryptor-1.0.0-jar-with-dependencies.jar <pcapng-file> [port]

Parameters:

  • <pcapng-file>: Path to the pcapng capture file (required)
  • [port]: TCP port to filter on (default: 8501)

Examples:

# Decrypt packets on default port 8501
java -jar target/gcnet-decryptor-1.0.0-jar-with-dependencies.jar capture.pcapng

# Decrypt packets on custom port
java -jar target/gcnet-decryptor-1.0.0-jar-with-dependencies.jar capture.pcapng 9001

How It Works

GCNet Protocol Structure

The GCNet protocol has two main layers:

1. Security Layer

  • Size (2 bytes): Total security layer size
  • SPI (2 bytes): Security Parameters Index
  • Sequence Number (4 bytes): Packet counter
  • IV (8 bytes): DES initialization vector
  • Encrypted Payload (variable): DES-CBC encrypted data
  • ICV (10 bytes): Integrity check value (MD5-HMAC truncated)

2. Payload Layer

  • Opcode (2 bytes): Packet type identifier
  • Content Size (4 bytes): Size of content
  • Compression Flag (1 byte): Whether content is zlib-compressed
  • Content (variable): Actual data (possibly compressed)
  • Null Padding (4 bytes): End padding

Key Exchange

The first packet (opcode 1) contains the session keys:

  • Sent by server using default keys
  • Contains new SPI, authentication key, and encryption key
  • All subsequent packets use these new keys

Default Keys:

  • Encryption Key: C7 D8 C4 BF B5 E9 C0 FD
  • Authentication Key: C0 D3 BD C3 B7 CE B8 B8

Encryption

  • Algorithm: DES in CBC mode
  • Padding: Custom GCNet padding scheme (incrementing bytes)
  • Integrity: MD5-HMAC truncated to 10 bytes

Compression

  • Algorithm: zlib
  • Header: 78 01
  • Structure: First 4 bytes indicate decompressed size (little-endian)

Output Format

For each packet, the tool displays:

  • Source/destination IP and port
  • TCP sequence number
  • SPI and IV values
  • ICV validation status
  • Opcode and content size
  • Hex dump of decrypted content
  • Extracted readable strings

Project Structure

gcnet-decryptor/
├── pom.xml
└── src/main/java/com/gcnet/decryptor/
    ├── GCNetDecryptor.java              # Main application
    ├── pcapng/
    │   ├── PcapngParser.java            # pcapng file parser (wraps pcapngdecoder)
    │   └── TcpPacketParser.java         # TCP segment extractor
    ├── security/
    │   └── GCNetSecurityAssociation.java # Decryption & ICV validation
    └── payload/
        └── GCNetPayloadParser.java      # Payload parser & decompression

Dependencies

  • pcapng-decoder by Bertrand Martel (MIT License) - Pure Java pcapng file parser

References

Based on the GCNet library by Gabriel F. (Frihet Dev), licensed under AGPL-3.0.

Protocol documentation:

License

This project is provided as-is for educational and analysis purposes.

Description
No description provided
Readme 106 KiB
Languages
Java 100%