jann/m2dev-client-src
1
0
Fork 0
forked from metin-server/m2dev-client-src
Code Pull Requests Activity
255 Commits 5 Branches 0 Tags
a9407a5781bdc722139cf3b660092d3a3ccf618c
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
rtw1x1 a9407a5781 fix: Key validation failure
2026-02-03 11:58:21 +00:00
.github/workflows
GitHub actions workflow added
2025-09-22 12:32:03 +03:00
buildtool
init
2025-08-18 19:46:48 +02:00
extern
fix: Optimized UTF8, BiDi, Debug
2026-01-20 21:23:31 +00:00
src
fix: Key validation failure
2026-02-03 11:58:21 +00:00
vendor
XChaCha20-Poly1305 via libsodium
2026-02-03 11:12:32 +00:00
.gitattributes
lib files moved from LFS to normal repo
2025-08-27 12:29:24 +02:00
.gitignore
MRMJ-1: Messenger & Skills fixes
2025-12-14 05:12:39 +02:00
CMakeLists.txt
XChaCha20-Poly1305 via libsodium
2026-02-03 11:12:32 +00:00
README.md
XChaCha20-Poly1305 via libsodium
2026-02-03 11:12:32 +00:00

README.md

Client Source Repository

build

This repository contains the source code necessary to compile the game client executable.

How to build

cmake -S . -B build

cmake --build build

📋 Changelog

Encryption & Security Overhaul

The entire legacy encryption system has been replaced with libsodium.

Removed Legacy Crypto

  • Crypto++ (cryptopp) vendor library — Completely removed from the project
  • Panama cipher (CFilterEncoder, CFilterDecoder) — Removed from NetStream
  • TEA encryption (tea.h, tea.cpp) — Removed from both client and server
  • DH2 key exchange (cipher.h, cipher.cpp) — Removed from EterBase
  • Camellia cipher — Removed all references
  • _IMPROVED_PACKET_ENCRYPTION_ — Entire system removed (XTEA key scheduling, sequence encryption, key agreement)
  • adwClientKey[4] — Removed from all packet structs (TPacketCGLogin2, TPacketCGLogin3, TPacketGDAuthLogin, TPacketGDLoginByKey, TPacketLoginOnSetup) and all associated code on both client and server
  • LSS_SECURITY_KEY — Dead code removed ("testtesttesttest" hardcoded key, GetSecurityKey() function)

New Encryption System (libsodium)

  • X25519 key exchangeSecureCipher class handles keypair generation and session key derivation via crypto_kx_client_session_keys / crypto_kx_server_session_keys
  • XChaCha20-Poly1305 AEAD — Used for authenticated encryption of handshake tokens (key exchange, session tokens)
  • XChaCha20 stream cipher — Used for in-place network buffer encryption via EncryptInPlace() / DecryptInPlace() (zero overhead, nonce-counter based replay prevention)
  • Challenge-response authentication — HMAC-based (crypto_auth) verification during key exchange to prove shared secret derivation
  • New handshake protocolHEADER_GC_KEY_CHALLENGE / HEADER_CG_KEY_RESPONSE / HEADER_GC_KEY_COMPLETE packet flow for secure session establishment

Network Encryption Pipeline

  • Client send path — Data is encrypted at queue time in CNetworkStream::Send() (prevents double-encryption on partial TCP sends)
  • Client receive path — Data is decrypted immediately after recv() in __RecvInternalBuffer(), before being committed to the buffer
  • Server send path — Data is encrypted in DESC::Packet() via EncryptInPlace() after encoding to the output buffer
  • Server receive path — Newly received bytes are decrypted in DESC::ProcessInput() via DecryptInPlace() before buffer commit

Login Security Hardening

  • Removed plaintext login pathHEADER_CG_LOGIN (direct password to game server) has been removed. All game server logins now require a login key obtained through the auth server (HEADER_CG_LOGIN2 / LoginByKey)
  • CSPRNG login keysCreateLoginKey() now uses randombytes_uniform() (libsodium) instead of the non-cryptographic Xoshiro128PlusPlus PRNG
  • Single-use login keys — Keys are consumed (removed from the map) immediately after successful authentication
  • Shorter key expiry — Expired login keys are cleaned up after 15 seconds (down from 60 seconds). Orphaned keys (descriptor gone, never expired) are also cleaned up
  • Login rate limiting — Per-IP tracking of failed login attempts. After 5 failures within 60 seconds, the IP is blocked with a BLOCK status and disconnected. Counter resets after cooldown or successful login
  • Removed Brazil password bypass — The LC_IsBrazil() block that unconditionally disabled password verification has been removed

Pack File Encryption

  • libsodium-based pack encryptionPackLib now uses XChaCha20-Poly1305 for pack file encryption, replacing the legacy Camellia/XTEA system
  • Secure key derivation — Pack encryption keys are derived using crypto_pwhash (Argon2id)
View Git Blame Copy Permalink
Description
No description provided
Readme 110 MiB
Languages
C 87.7%
C++ 12.3%