Comments (48)

123456abcdef commented on July 28, 2024

Cool! I spent a little bit of time on those message structures. It seems like they are not as straightforward as the ones from CoC. Maybe you can make better progress than I did today :D.

from cocdp.

123456abcdef commented on July 28, 2024

Check out @clugh. He worked out the encryption for the latest Supercell games. He made a proxy which does what you want, I guess (python version, c# version). The proxy is for CoC, but you can edit it easily to make it work with CR (check out my comment for the changes you have to make).
The message structures are similar to the ones CoC uses (structures).
I started working on them; if I get a bunch, I'll maybe create a repo for them.

[unknown user] commented on July 28, 2024

Thank you very much! I was trying my best to use Wireshark and forward the packets from my phone to my computer and got as far as the handshake; this, however, will be of great use, thanks! My end goal is to write a private server for Clash Royale.

[unknown user] commented on July 28, 2024

Quick question, I used your key as the server key inside of coc-proxy, then I changed the host to game.clashroyalegame.com inside of coc-proxy, but when I try to run it and connect to it after patching my libg.so, the server can't decrypt the packets. How can I fix this?

[unknown user] commented on July 28, 2024

Also, I've patched my libg.so using the ARM offset that you gave me, with echo 72f1a4a4c48e44da0c42310f800e96624e6dc6a641a9d41c3b5039d8dfadc27e | xxd -r -p > key-new.bin set as echo ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39 | xxd -r -p > key-new.bin. What am I doing wrong?

clugh commented on July 28, 2024

You don't change the key used to patch libg.so, you change the one used to connect to Supercell's servers here.

[unknown user] commented on July 28, 2024

I did change that to @123456abcdef's key, and it failed to decrypt the packets. I also tried changing the server key too.

clugh commented on July 28, 2024

I haven't attempted to use the proxy with CR, so I don't have first-hand experience and I'll have to defer to @123456abcdef, but assuming it works the same way as CoC, even if the server key is wrong, the proxy should still decrypt the Login packet. If that isn't working either, then there is an issue with the patched libg.so.

[unknown user] commented on July 28, 2024

I reinstalled the game, making a clean libg.so, but the problem isn't the client, it's the proxy saying:

ClientHandshake: {
  "unknown_0": 1,
  "unknown_1": 2,
  "majorVersion": 2,
  "unknown_3": 0,
  "minorVersion": 1507,
  "masterHash": "312f8701d02df604c8f083b84285241b5cd5745b",
  "unknown_6": 2,
  "unknown_7": 2
}
ServerHandshake: {
  "sessionKey": "2b4884c871fc5e65305521201a626281fd047180ccd83a67"
}
Failed to decrypt the message (server, 10101).

clugh commented on July 28, 2024

In the patching instructions here, there is this line:

xxd -p -c 32 key-backup.bin

The output of that line should match @123456abcdef's key. If not, something either went wrong or you're using a different version.

123456abcdef commented on July 28, 2024

Yeah, test that command; it should print ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39, otherwise I messed up the ARM offset.

[unknown user] commented on July 28, 2024

xxd -p -c 32 key-backup.bin returns ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39

[unknown user] commented on July 28, 2024

What else could I possibly be doing wrong? I am sure that I am on version 1.2.3 (it is the latest) and I have changed this line: https://github.com/clugh/coc-proxy/blob/master/coc/client/crypto.py#L10 to @123456abcdef's key, then I changed this: https://github.com/clugh/coc-proxy/blob/master/proxy.py#L12 to "game.clashroyaleapp.com", 9339

[unknown user] commented on July 28, 2024

I have edited my hosts file on my android device to connect to my laptop running the proxy and I can see the client connects, but the server just can't decrypt the packets.

123456abcdef commented on July 28, 2024

Mhhh, I tested it with my own proxy and can try it with @clugh's python proxy, in case we are missing something. 5 min.

clugh commented on July 28, 2024

What is the specific error message you are getting? Is it Failed to decrypt the message (server, 10101).?

[unknown user] commented on July 28, 2024

Yes, it is.

clugh commented on July 28, 2024

After you pushed libg.so to your device, did you kill and reopen the app? It will keep the original in memory as long as it is open.

[unknown user] commented on July 28, 2024

I thought I wasn't supposed to have my APK patched... so I deleted and reinstalled the app. Is that the problem? I need to re-patch my libg.so?

clugh commented on July 28, 2024

Ah, it appears there was some miscommunication. When you said you changed the key in the patch procedure, I said not to change the key used to patch libg.so. I didn't intend that to mean not to patch the file at all.

123456abcdef commented on July 28, 2024

You have to replace ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39 with 72f1a4a4c48e44da0c42310f800e96624e6dc6a641a9d41c3b5039d8dfadc27e and then push it to your device. The command above was just to validate my offset.

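The key mix-up in this exchange (which key gets written into libg.so, and which one stays in the proxy) is easy to get wrong, so here is the procedure as a script. This is an added example written for this page, not code from the thread or from coc-proxy: the two keys are the ones quoted above; the offset 0x1a0 and the in-memory "library" are constructed stand-ins for the real ARM offset and libg.so; and the check before writing is the same idea as comparing the output of `xxd -p -c 32 key-backup.bin` against the expected key.

```python
# Added example (not from the thread or from coc-proxy): swap the server public
# key embedded in a client library, verifying the offset first.
#
# Roles, per the thread: the ORIGINAL key (Supercell's server public key) stays
# in the proxy so it can talk to the real server; the PROXY key is what gets
# written into libg.so so the client talks to the proxy instead.
KEY_LEN = 32
ORIGINAL_SERVER_KEY = bytes.fromhex(
    "ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39")
PROXY_PUBLIC_KEY = bytes.fromhex(
    "72f1a4a4c48e44da0c42310f800e96624e6dc6a641a9d41c3b5039d8dfadc27e")
SAMPLE_OFFSET = 0x1a0  # constructed stand-in for the real ARM offset


def build_sample_library(key=ORIGINAL_SERVER_KEY, offset=SAMPLE_OFFSET):
    """Constructed stand-in for libg.so: filler bytes with `key` stored at `offset`."""
    filler = bytes(range(256)) * 4
    return filler[:offset] + key + filler[offset:]


def find_key_offsets(blob, key):
    """Every offset at which `key` occurs in `blob` (how to locate the key when
    no offset is known; the thread started from a known ARM offset instead)."""
    offsets, start = [], 0
    while True:
        i = blob.find(key, start)
        if i == -1:
            return offsets
        offsets.append(i)
        start = i + 1


def dump_key(blob, offset):
    """Equivalent of `xxd -p -c 32 key-backup.bin`: the 32 bytes at `offset` as hex."""
    return blob[offset:offset + KEY_LEN].hex()


def patch_key(blob, offset, expected_old, new_key):
    """Replace the key at `offset`, but only if the bytes there are the key we
    expect. A mismatch means a wrong offset or a different client build, and
    writing blindly would corrupt the library."""
    if len(new_key) != KEY_LEN:
        raise ValueError("replacement key must be %d bytes" % KEY_LEN)
    current = blob[offset:offset + KEY_LEN]
    if current != expected_old:
        raise ValueError("offset %#x holds %s, expected %s"
                         % (offset, current.hex(), expected_old.hex()))
    return blob[:offset] + new_key + blob[offset + KEY_LEN:]


def patch_library(blob, offset=SAMPLE_OFFSET):
    """Full procedure: verify the original key, write the proxy key, re-verify."""
    patched = patch_key(blob, offset, ORIGINAL_SERVER_KEY, PROXY_PUBLIC_KEY)
    if dump_key(patched, offset) != PROXY_PUBLIC_KEY.hex():
        raise RuntimeError("post-patch verification failed")
    if len(patched) != len(blob):
        raise RuntimeError("patched library changed size")
    return patched


if __name__ == "__main__":
    lib = build_sample_library()
    print("key found at:", [hex(o) for o in find_key_offsets(lib, ORIGINAL_SERVER_KEY)])
    print("before:", dump_key(lib, SAMPLE_OFFSET))
    print("after: ", dump_key(patch_library(lib), SAMPLE_OFFSET))
```

Running the script a second time on an already patched file fails the pre-check, which is the behaviour you want: it tells you the file no longer holds the original key rather than silently writing the proxy key over itself or over the wrong bytes.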
[unknown user] commented on July 28, 2024

Ah, OK. Will do, then I'll let you know.

[unknown user] commented on July 28, 2024

It is now working! Thank you very much. It looks like I have some packets I need to define!

[unknown user] commented on July 28, 2024

Yeah, I think the first thing I'll do is maybe try to intercept the contents of the packet that sets the values of the gems and coins; although it functionally won't do anything, it will give me an idea of how some of the packets work and how to make an injector ;)

[unknown user] commented on July 28, 2024

Also, I just want to ask: does your phone randomly crash while playing Clash Royale sometimes? I experience it rarely on my Nexus 5 (Marshmallow), just curious.

123456abcdef commented on July 28, 2024

I'm running the patched version on Genymotion emulator and it works fine.
Changing values in the packet will most likely result in an out of sync error.

[unknown user] commented on July 28, 2024

Hmm, yeah, now that I think of it, it could cause problems. I'll just try defining all of the packets, then I'll try writing my own server, and then I can try to modify my coins, gems, chests etc.

[unknown user] commented on July 28, 2024

Hi!
I'm trying to do the same thing, but it's a bit weird about the keys.
What's the key I have to put in the proxy?
What's the one I have to patch into the .so file?

[unknown user] commented on July 28, 2024

You have to replace ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39 with 72f1a4a4c48e44da0c42310f800e96624e6dc6a641a9d41c3b5039d8dfadc27e and then push it to your device. The command above was just to validate my offset.

and

ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39 needs to be entered into the client side of the proxy.

[unknown user] commented on July 28, 2024

Okay, thank you very much. I use the C# version and it works well!

PS: if someone has already started to write the definitions, please share.

EDIT: In fact, I just get "false" hexadecimal data; the JSON decoder doesn't work. Is it because the definitions are wrong?

123456abcdef commented on July 28, 2024

The definitions in this repo are for Clash of Clans and don't work for Clash Royale. Most messages are different.
As I wrote above, you can't extract the values of the fields directly from the decrypted messages, because they are "obfuscated", at least most fields I looked at. So I think without debugging the libg.so it is not possible to understand how the message reader works / how to extract the real values.
I'm still working on it, but I'm not that experienced with debugging such libraries, so I will need some time :P.
We are thankful for every bit of help :)

Edit: I was talking about this discussion link.

ctfhacker commented on July 28, 2024

Just jumping in here.. Just downloaded the game today and wanted to get going. Have we gotten any further with definitions?

[unknown user] commented on July 28, 2024

Most of the fun stuff is now happening over here: https://github.com/royale-proxy. Not a lot of work has been done lately, mostly because of other projects... I was planning to restructure the messages (https://github.com/royale-proxy/cr-messages) into a different, easier-to-serialize format, and then rewrite the proxy (https://github.com/royale-proxy/cr-proxy) in node.js; after we get that done, it's just a matter of continuing to define 'all teh packetz'. If you express interest in this project and want to get your hands dirty with node, let me know, and I'll be happy to add you as a contributor and find time to help out.

mhsjlw commented on July 28, 2024

Also, it is worth noting the risks: Supercell has started to ban users for partaking in reverse-engineering the protocol, running proxies, using them, running private servers etc. More info is available here: http://supercell.com/en/safe-and-fair-play/. However, I'm not sure how exactly this will work for private servers, as they technically can't ban you if you're not on their servers, but I don't really want to find out ;)

ctfhacker commented on July 28, 2024

Yeah, I'd love to look into this. I don't really enjoy the game much, but I'm always curious about reverse engineering.

Tbh, I'm more of a binary exploitation kinda guy (see www.ctfhacker.com), so I wanted to try something different and this looks awesome. Any recommendation on initial steps? And would the proxy work with something like Genymotion?

On Thu, May 12, 2016 at 4:28 PM, mhsjlw wrote: (quoting the comment above)
[unknown user] commented on July 28, 2024

The development process will be mostly:

  • Run proxy
  • Undescribed packets will appear as buffers
  • Stare at the buffers until your eyes bleed
  • Find out all fields of the packet
  • Describe the packet as a single file
  • Now move on to the next packet

Once we have most packets defined, we will start developing a standalone server. Currently, I need to rewrite the proxy to make it more modular, then we can start to define more packets.

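The workflow just described (run the proxy, undefined packets show up as raw buffers, describe each packet in its own definition file, move on) is what a definition-driven decoder looks like in practice. The block below is an added example written for this page, not code from the thread, from cocdp or from the royale-proxy repositories. It assumes the coc-proxy-style 7-byte header (2-byte message id, 3-byte payload length, 2-byte version, big-endian) and a made-up field grammar with CoC-style encodings (4-byte big-endian int, 1-byte bool, 4-byte-length-prefixed string with 0xffffffff meaning null); the message names, ids, field layouts and sample bytes are constructed for illustration. As 123456abcdef notes above, Clash Royale fields are obfuscated, so this demonstrates the tooling, not real CR message layouts.

```python
# Added example; not code from the thread, cocdp or the royale-proxy repos.
import json
import struct

# Assumed header (coc-proxy style): 2-byte message id, 3-byte payload length,
# 2-byte version, all big-endian. 7 bytes total.
HEADER = struct.Struct(">H3sH")

# One definition per message id, in the "describe the packet as a single file"
# spirit of the workflow. Ids, names and field layouts are made up; they are
# NOT the real Clash Royale messages.
DEFINITIONS = {
    10101: json.loads('{"name": "Login", "fields": ['
                      '["accountId", "int"], ["passToken", "string"], '
                      '["majorVersion", "int"], ["minorVersion", "int"]]}'),
    20104: json.loads('{"name": "LoginOk", "fields": ['
                      '["accountId", "int"], ["isNewAccount", "bool"], '
                      '["serverEnvironment", "string"]]}'),
}


# --- field readers: each returns (value, new_position) -----------------------
def _read_int(buf, pos):
    return struct.unpack_from(">i", buf, pos)[0], pos + 4


def _read_bool(buf, pos):
    return buf[pos] != 0, pos + 1


def _read_string(buf, pos):
    n = struct.unpack_from(">I", buf, pos)[0]
    pos += 4
    if n == 0xFFFFFFFF:          # null string
        return None, pos
    if pos + n > len(buf):       # hostile or mis-described length: refuse
        raise ValueError("string length %d runs past payload" % n)
    return buf[pos:pos + n].decode("utf-8"), pos + n


READERS = {"int": _read_int, "bool": _read_bool, "string": _read_string}


# --- field writers: the inverse, useful for test vectors and a private server --
def _write_int(v):
    return struct.pack(">i", v)


def _write_bool(v):
    return b"\x01" if v else b"\x00"


def _write_string(v):
    if v is None:
        return b"\xff\xff\xff\xff"
    data = v.encode("utf-8")
    return struct.pack(">I", len(data)) + data


WRITERS = {"int": _write_int, "bool": _write_bool, "string": _write_string}


def encode_message(msg_id, version, fields):
    """Serialize `fields` according to the definition for `msg_id`, with header."""
    definition = DEFINITIONS[msg_id]
    payload = b"".join(WRITERS[ftype](fields[name]) for name, ftype in definition["fields"])
    return HEADER.pack(msg_id, len(payload).to_bytes(3, "big"), version) + payload


def decode_message(buf):
    """Parse one framed message. Unknown ids come back as a raw buffer ("stare at
    it until your eyes bleed"); a definition that stops short of the payload end
    reports the unparsed tail so you can see what is still undescribed."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    msg_id, length3, version = HEADER.unpack_from(buf, 0)
    length = int.from_bytes(length3, "big")
    payload = buf[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated message %d: want %d bytes, have %d" % (msg_id, length, len(payload)))
    definition = DEFINITIONS.get(msg_id)
    if definition is None:
        return {"id": msg_id, "version": version, "name": None, "raw": payload.hex()}
    fields, pos = {}, 0
    for name, ftype in definition["fields"]:
        fields[name], pos = READERS[ftype](payload, pos)
    result = {"id": msg_id, "version": version, "name": definition["name"], "fields": fields}
    if pos != length:
        result["trailing"] = payload[pos:].hex()
    return result


def sample_unknown_message():
    """Constructed sample of a message with no definition yet (id made up)."""
    payload = b"\x00\x00\x00\x01\x00\x00\x00\x00"
    return HEADER.pack(24101, len(payload).to_bytes(3, "big"), 1) + payload


if __name__ == "__main__":
    login = encode_message(10101, 1, {"accountId": 42, "passToken": "tok",
                                      "majorVersion": 1, "minorVersion": 1507})
    print(json.dumps(decode_message(login)))
    print(json.dumps(decode_message(sample_unknown_message())))
```

Keeping the encoder next to the decoder pays off twice: every definition you write can be round-tripped as a test vector before you trust it on live traffic, and the same definitions later drive the private server's outgoing messages.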
[unknown user] commented on July 28, 2024

However, if you're into binary reverse engineering, it wouldn't hurt if you could decompile the libg.so file that is stored in the lib/ folder of the decompressed APK. That could contain important info.

ctfhacker commented on July 28, 2024

Could we move this to #clashroyale on freenode?

Cerise1 commented on July 28, 2024

Hi everyone, I know it's kind of an old conversation, but I'd also like to work on defining those CR packets, and I see that you guys already started, so it would be nice if you agree to share your work on those packets and fields! That would be a huge gain of time ;)

akirarat commented on July 28, 2024

Is anyone still working on this? I got most of Login (client) and LoginOk (server) deserialized. It's not yet checked in. I also figured out the key for CR 1.4.1.

BerkanYildiz commented on July 28, 2024

@akirarat @mhsjlw @ctfhacker
http://imgur.com/a/g3SPE

zzVertigo commented on July 28, 2024

TRIGGERED @BerkanYildiz

[unknown user] commented on July 28, 2024

@BerkanYildiz flaunting your closed-source server is really just counter-productive for a discussion like this.

BerkanYildiz commented on July 28, 2024

@mhsjlw Of course.

BerkanYildiz commented on July 28, 2024

Any news?

coolnickname commented on July 28, 2024

Is this stuff still accurate, or did it get outdated?

BerkanYildiz commented on July 28, 2024

@coolnickname Outdated.

[unknown user] commented on July 28, 2024

@mhsjlw Is there any chance you could provide the general protocol for CR post-1.7.0 update?
I am trying to make a server...

shop.csv.decode.csv:

"Name","Category","TID","Rarity","Disabled","Resource","Cost","Count","CycleDuration","CycleDeadzoneStart","CycleDeadzoneEnd","TopSection","SpecialOffer","DurationSecs","AvailabilitySecs","SyncToShopCycle","Chest","TrophyLimit","IAP","StarterPack_Item0_Type","StarterPack_Item0_ID","StarterPack_Item0_Param1","StarterPack_Item1_Type","StarterPack_Item1_ID","StarterPack_Item1_Param1","StarterPack_Item2_Type","StarterPack_Item2_ID","StarterPack_Item2_Param1","ValueMultiplier","ActivatedFromEvent","AppendArenaToChestName","TiedToArenaUnlock","RepeatPurchaseGemPackOverride","EventName","CostAdjustBasedOnChestContents"
"String","String","String","String","boolean","String","int","int","int","int","int","boolean","boolean","int","int","boolean","String","int","String","String","String","int","String","String","int","String","String","int","int","String","boolean","String","String","String","boolean"
"SecretLegendary","SecretLegendary","TID_SHOP_SECRET_LEGENDARY",,,"Diamonds",500,,21,7,,,"TRUE",,,,"Legendary",1400,,,,,,,,,,,,,,,,,
"SecretEpic","SecretEpic","TID_SHOP_SECRET_EPIC",,,"Gold",10000,,14,,3,,"TRUE",,,,"Epic",1000,,,,,,,,,,,,,"TRUE",,,,"TRUE"
"Spell","Spell",,,,,,,,,,"TRUE",,,,,,,,,,,,,,,,,,,,,,,
"Chest","Chest",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"ResourceGold","Gold",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"ResourceDiamond","Diamond",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"SpellReleaseOfferCommon","SpellStack",,"Common",,"Diamonds",100,400,,,,"TRUE",,259200,86400,"TRUE",,,,,,,,,,,,,,,,,,,
"SpellReleaseOfferRare","SpellStack",,"Rare",,"Diamonds",150,100,,,,"TRUE",,259200,86400,"TRUE",,,,,,,,,,,,,,,,,,,
"SpellReleaseOfferEpic","SpellStack",,"Epic",,"Diamonds",400,10,,,,"TRUE",,259200,86400,"TRUE",,,,,,,,,,,,,,,,,,,
"StarterPackArena3","StarterPack","TID_SHOP_STARTER_PACK_ARENA_3",,,"IAP",,,10,3,2,,"TRUE",,,,,800,"com.supercell.scroll.consumablestarterpack0","Chest","Giant_Arena3",,"ResourceDiamond","com.supercell.scroll.gempack5",,"ResourceGold","Gold1",,5,,,,,,
"StarterPackArena4","StarterPack","TID_SHOP_STARTER_PACK_ARENA_4",,,"IAP",,,10,3,2,,"TRUE",,,,,1100,"com.supercell.scroll.consumablestarterpack1","Chest","Magic_Arena4",,"ResourceDiamond","com.supercell.scroll.gempack5",,"ResourceGold","Gold1",,8,,,,,,
"StarterPackArena5","StarterPack","TID_SHOP_STARTER_PACK_ARENA_5",,,"IAP",,,10,3,2,,"TRUE",,,,,1400,"com.supercell.scroll.consumablestarterpack2","Chest","Super_Arena5",,"ResourceDiamond","com.supercell.scroll.gempack0",,"ResourceGold","Gold1",,7,,,,,,
"StarterPackArena6","StarterPack","TID_SHOP_STARTER_PACK_ARENA_6",,,"IAP",,,10,3,2,,"TRUE",,,,,1700,"com.supercell.scroll.consumablestarterpack3","Chest","Magic_Arena6",,"ResourceDiamond","com.supercell.scroll.gempack0",,"ResourceGold","Gold2",,3,,,,,,
"StarterPackArena7","StarterPack","TID_SHOP_STARTER_PACK_ARENA_7",,,"IAP",,,10,3,2,,"TRUE",,,,,2000,"com.supercell.scroll.consumablestarterpack4","Chest","Super_Arena7",,"ResourceDiamond","com.supercell.scroll.gempack1",,"ResourceGold","Gold2",,4,,,,,,
"StarterPackArena8","StarterPack","TID_SHOP_STARTER_PACK_ARENA_8",,,"IAP",,,10,3,2,,"TRUE",,,,,2300,"com.supercell.scroll.consumablestarterpack5","Chest","Magic_Arena8",,"ResourceDiamond","com.supercell.scroll.gempack1",,"ResourceGold","Gold3",,5,,,,,,
"StarterPackArenaL","StarterPack","TID_SHOP_STARTER_PACK_ARENA_L",,,"IAP",,,10,3,2,,"TRUE",,,,,3000,"com.supercell.scroll.consumablestarterpack6","Chest","Legendary",,"ResourceDiamond","com.supercell.scroll.gempack1",,"ResourceGold","Gold3",,5,,,,,,
"Red","Red",,,,,,,,,,,,,,,,,"com.supercell.scroll.red","ResourceDiamond","com.supercell.scroll.gempack0",,,,,,,,,,,,,,
"RumbleBundle0","Rumble","TID_SHOP_RUMBLE_0",,,,,,,,,,,,,,,,"com.supercell.scroll.rumblebundle0","ResourceDiamond","com.supercell.scroll.gempack5",,"Chest","Magic_",,,,,,,,,,"RumbleShop",
"RumbleBundle1","Rumble","TID_SHOP_RUMBLE_1",,,,,,,,,,,,,,,,"com.supercell.scroll.rumblebundle1","ResourceDiamond","com.supercell.scroll.gempack0",,"ResourceGold","Gold2",,,,,,,,,,"RumbleShop",
"RumbleBundle2","Rumble","TID_SHOP_RUMBLE_2",,,,,,,,,,,,,,,,"com.supercell.scroll.rumblebundle2","ResourceDiamond","com.supercell.scroll.gempack1",,"Chest","Super_",,,,,,,,,,"RumbleShop",
"SuperMagicalOffer","EventChest",,,,"Diamonds",1000,,,,,,"TRUE",,,,"Super",,,,,,,,,,,,,"SuperMagicalOffer","TRUE",,,,
"LegendaryOffer","EventChest",,,,"Diamonds",500,,,,,,"TRUE",,,,"Legendary",1400,,,,,,,,,,,,"LegendaryOffer","TRUE",,,,
"GiantOffer","EventChest",,,,"Diamonds",100,,,,,,"TRUE",,,,"Giant",1100,,,,,,,,,,,,"GiantOffer","TRUE",,,,
"MagicalOffer","EventChest",,,,"Diamonds",200,,,,,,"TRUE",,,,"Magic",1100,,,,,,,,,,,,"MagicalOffer","TRUE",,,,
"EpicOffer","EventChest",,,,"Gold",10000,,,,,,"TRUE",,,,"Epic",1100,,,,,,,,,,,,"EpicOffer","TRUE",,,,
"SpellStackOfferCommon","SpellStack",,"Common",,"Gold",1000,100,,,,"TRUE",,86400,86400,"TRUE",,1100,,,,,,,,,,,,,,,,,
"SpellStackOfferRare","SpellStack",,"Rare",,"Gold",3000,30,,,,"TRUE",,86400,86400,"TRUE",,1100,,,,,,,,,,,,,,,,,
"SpellStackOfferEpic","SpellStack",,"Epic",,"Gold",5000,5,,,,"TRUE",,86400,86400,"TRUE",,1100,,,,,,,,,,,,,,,,,
"StarterPackArena9","StarterPack","TID_SHOP_STARTER_PACK_ARENA_9",,,"IAP",,,10,3,2,,"TRUE",,,,,2600,"com.supercell.scroll.consumablestarterpack7","Chest","Super_Arena9",,"ResourceDiamond","com.supercell.scroll.gempack1",,"ResourceGold","Gold2",,4,,,"Arena9",,,
"HolidayBundle0","Rumble","TID_SHOP_HOLIDAY_0",,,,,,,,,,,,,,,,"com.supercell.scroll.consumableholidaypack0","ResourceDiamond","com.supercell.scroll.gempack1",,"Chest","Giant_",,,,,2,,,,"com.supercell.scroll.gempack0","HolidayBundle",
"HolidayBundle1","Rumble","TID_SHOP_HOLIDAY_1",,,,,,,,,,,,,,,,"com.supercell.scroll.consumableholidaypack1","ResourceDiamond","com.supercell.scroll.gempack2",,"Chest","Magic_",,,,,3,,,,"com.supercell.scroll.gempack1","HolidayBundle",
"HolidayBundle2","Rumble","TID_SHOP_HOLIDAY_2",,,,,,,,,,,,,,,,"com.supercell.scroll.consumableholidaypack2","ResourceDiamond","com.supercell.scroll.gempack3",,"Chest","Super_",,,,,4,,,,"com.supercell.scroll.gempack2","HolidayBundle",
"ChineseNewYearBundle0","Rumble","TID_SHOP_RUMBLE_1",,,,,,,,,,,,,,,,"com.supercell.scroll.consumablechinesenewyear0","ResourceDiamond","com.supercell.scroll.gempack5",,"ResourceGold","Gold1",,,,,,,,,"com.supercell.scroll.gempack5","ChineseNewYearBundle",
"ChineseNewYearBundle1","Rumble","TID_SHOP_RUMBLE_0",,,,,,,,,,,,,,,,"com.supercell.scroll.consumablechinesenewyear1","ResourceDiamond","com.supercell.scroll.gempack0",,"Chest","Magic_",,,,,,,,,"com.supercell.scroll.gempack0","ChineseNewYearBundle",
"ChineseNewYearBundle2","Rumble","TID_SHOP_RUMBLE_2",,,,,,,,,,,,,,,,"com.supercell.scroll.consumablechinesenewyear2","ResourceDiamond","com.supercell.scroll.gempack1",,"Chest","Super_",,,,,,,,,"com.supercell.scroll.gempack1","ChineseNewYearBundle",

I found that in a decoded .csv file inside the Clash Royale APK, btw.
