The MXO RSA keys

[rajkosto]

You've obviously saw the pubkey.dat file in the same folder as matrix.exe right ?
And you think thats the only public key they use ?
Have you noticed that, when you edit it, even one byte, matrix KNOWS that its modified, and requests another copy from the server...
so, how does it KNOW that its modified ?
ill tell you

the pubkey.dat file isn't a normal DER encoded RSA public key, no.
It consists of :
ASN1 Integer of around 1024 bits (Modulus)
ASN1 Integer (Exponent), which is 17 (common value)
and then, a binary blob of 256 bytes...

Hmm, what could these 256 bytes be ?

You would notice, if you analyzed the AS_GetPublicKeyReply packet (when it does resend the key), that it sends all of these individually, and without any ASN1 encoding, first the modulus,then the exponent, then the binary blob, so we know that the blob is one continuous block, not a couple of other integers stuck together...

So what is 256 bytes, when we use RSA keys of 1024 bits... a signature.
the 256 byte blob inside pubkey.dat and the packet is the signature of the exponent and modulus before it, but what is used to create and check this signature ?

answer: client and server have another key pair. the client has another public key which is integrated into the exe, this is probably the reason for the crc checks later on, so that clients dont put their own public key.
this 2nd key pair is used to sign the first key pair, which might change (however it never has in the lifetime of mxo). the client, for the first auth packet, verifies the signature with its integrated public key, see if it matches the 256 bytes in pubkey.dat, if they do, it sends 00 00 00 04, which means, my key is good, thx

after all this is done, the client knows that the server is legit, and will carry on with sending credentials etc (probably signed with the pubkey.dat)