release Tool: Conquer RSA DAT File Decrypt/Encrypt & Client Patcher

[cyano]

Hi all,

I've put together a set of small Python (3.6+) scripts for working with the RSA encrypted DAT files (like Server.dat) used in the client.

With these scripts, you can:

• Extract the RSA Public key from any Conquer.exe binary (5095, 5187, 5517, 5615, 6090, 6609 tested)
• Decrypt any RSA-encrypted DAT File (like Server.dat). See: https://conquer-online.github.io/wiki/files/formats/dat.html for a list.
  These scripts only work with RSA encrypted files.
• Re-encrypt modified DAT files with your own private key
• Patch the Conquer.exe binary with own public key. (5095, 5187, 5517, 5615, 6090, 6609 tested)
• Patch the Conquer.exe binary to bypass play.exe requirement (5095, 5187, 5517, 5615, 6090, 6609 tested) (optional patch, but on by default)

Ultimately, you can use these scripts to decrypt server.dat, replace with your own IP/Port, re-encrypt (with your own key) and patch the binary (with your key). However, you may still find ConquerLoader / Dragon Launcher is easier for running private servers. 

The project is here: https://github.com/Cyano-CO/conquer-rsa-patcher (possibly move to conquer-online github org in future)

For full technical details on how RSA works, see: https://conquer-online.github.io/wiki/security/rsa.html

 

Example: Modifying Server.dat

• Make sure you have Python3.6+ Installed (https://www.python.org/downloads/)
• One common dependency required, usually already installed system-wide (pip install cryptography), or use virtual env.
• As with all code, read & understand it before executing it.
• Don't use this on live binaries.
• All techniques are derived solely from publicly distributed client binaries. The extracted key is an RSA public key, public by design.

Git clone the repository https://github.com/Cyano-CO/conquer-rsa-patcher
The public key / Conquer.exe isn't included in this repository, copy Conquer.exe & Server.dat from your client directory to the script directory.

Extract the public key from the Conquer.exe binary. You can then decrypt Server.dat using:

python3 extract_key.py Conquer.exe
python3 decrypt_game_file.py Server.dat

 

This will create Server_decrypted.dat which you can to point to your own IP / Port or rename the servers. To use it in the client:

./generate_keypair.sh
python3 patch_client_binary.py Conquer.exe public_key.pem
python3 encrypt_game_file.py Server_decrypted.dat private_key.pem

Then copy Server_encrypted.dat & Conquer_modified.exe to your client directory, rename Server_encrypted.dat to Server.dat (backup the original first).

patch_client_binary also patches to skip play.exe requirement (turn off by --skip-patch-play-exe). So you can start Conquer_modified.exe directly and it should load your modified Server.dat

Thanks To

* Spirited For: https://cooldown.dev/topic/12-client-how-to-disassemble-conquer-for-reverse-engineering/
* adrian For: https://cooldown.dev/topic/19-client-using-decrypted-serverdat

Happy to answer questions or feedback on it

Edited April 10 by cyano
support 5095 - 6609 (All conquer 2.0 rsa server.dat patches)

[kennylovecode]

NICE WORK!

[Persis2]

Sir is this gonna work in modified client version 6609? i want to input my new ip but its not in server.dat. Its in Guard.dat 

[Spirited]

4 hours ago, Persis2 said:

Sir is this gonna work in modified client version 6609? i want to input my new ip but its not in server.dat. Its in Guard.dat 

Sounds like something someone cooked up on their own. 

[Persis2]

11 hours ago, Spirited said:

Sounds like something someone cooked up on their own. 

i bought the source with a vpn at first all is working fine but after the vps expired and i will transfer the source to my pc yo host i cannot log in, because i think i need to change the vps ip addres in the Guard.dat file but its encrypted.

[cyano]

I don't recognise the file Guard.dat - something in their own launcher implementation?

Depends how modified the client binary is. But you could try downloading the original 6609 client (See https://cooldown.dev/topic/6-guide-client-downloads/ & use the tool in this thread to modify server.dat and try connect to your server.  

 

[kennylovecode]

On 6/19/2026 at 3:25 PM, Persis2 said:

i bought the source with a vpn at first all is working fine but after the vps expired and i will transfer the source to my pc yo host i cannot log in, because i think i need to change the vps ip addres in the Guard.dat file but its encrypted.

You can try using some hexadecimal editors to edit these files, find the old IP, and replace it with the new one. This works effectively

[Persis2]

14 hours ago, kennylovecode said:

You can try using some hexadecimal editors to edit these files, find the old IP, and replace it with the new one. This works effectively

thank you, but i tried HxD editor but its encrypted i couldnt find the ip address,

[Persis2]

On 6/19/2026 at 4:35 AM, cyano said:

I don't recognise the file Guard.dat - something in their own launcher implementation?

Depends how modified the client binary is. But you could try downloading the original 6609 client (See https://cooldown.dev/topic/6-guide-client-downloads/ & use the tool in this thread to modify server.dat and try connect to your server.  

 

thanks but i couldt find a client 6609 in the thread

[cyano]

9 hours ago, Persis2 said:

thanks but i couldt find a client 6609 in the thread

Its in the mega (click link Installations) on the thread, under the folder Setup: Conquer_v6609.exe

That said, if Guard.dat is used only in some sort of custom launcher. Then the client binary (Conquer.exe) you have might already be unmodified & these scripts would still work (on server.dat, patch your own public key etc.). This scripts bypasses play.exe, so just run Conquer.exe after its been patched, ignoring the custom launcher.

Edited Monday at 04:53 PM by cyano

[Persis2]

3 minutes ago, cyano said:

Its in the mega (click link Installations) on the thread, under the folder installations: Conquer_6609.exe

That said, if Guard.dat is used only in some sort of custom launcher. Then the client binary (Conquer.exe) you have might already be unmodified & these scripts would still work (on server.dat, patch your own public key etc.). This scripts bypasses play.exe, so just run Conquer.exe after its been patched, ignoring the custom launcher.

thank you, ill try this one.

[Persis2]

9 minutes ago, cyano said:

Its in the mega (click link Installations) on the thread, under the folder installations: Conquer_6609.exe

That said, if Guard.dat is used only in some sort of custom launcher. Then the client binary (Conquer.exe) you have might already be unmodified & these scripts would still work (on server.dat, patch your own public key etc.). This scripts bypasses play.exe, so just run Conquer.exe after its been patched, ignoring the custom launcher.

still no 6609 in mega link.

[kennylovecode]

Guard.dat is a file loaded by a custom Loader.dat. If your server source code relies on it, you may need to remove the server's dependency on Loader, replace it with a clean client, and find some open-source Loaders to solve this problem.

[AndrejN.]

Hello all, @cyano I have a question, first of all I was able to use your method and make my original Conquer.exe launch on a clean conquer 6609 client, see the changed servers from the Server.dat file inside the login screen too, but when I try to login I am always getting the Invalid account and password message. I am using some private server source which has some patch in which I believe it has changed the encryption or even deleted it so it can log in through their modified Conquer.exe, but nevermind, the packet that it is sending is 1542 and in it, from the original Conquer.exe the password is maybe hashed or encrypted in some way and I don't know how to retrieve the original one. Does someone know a solution to this on what to do next ?

[cyano]

9 hours ago, AndrejN. said:

Hello all, @cyano I have a question, first of all I was able to use your method and make my original Conquer.exe launch on a clean conquer 6609 client, see the changed servers from the Server.dat file inside the login screen too, but when I try to login I am always getting the Invalid account and password message. I am using some private server source which has some patch in which I believe it has changed the encryption or even deleted it so it can log in through their modified Conquer.exe, but nevermind, the packet that it is sending is 1542 and in it, from the original Conquer.exe the password is maybe hashed or encrypted in some way and I don't know how to retrieve the original one. Does someone know a solution to this on what to do next ?

It sounds similar to: https://cooldown.dev/topic/823-source-6609-invalid-acc-and-password/  - has everybody suddenly got hold of this source 

That thread is probably best to move this discussion to... But my thoughts still:

Afaik "Invalid Account & Password" means its connected to some account server. I'd recommend opening wireshark and making sure that the packets are definitely going to your account server / IP address when you attempt to login.

Otherwise, if the client binary has been modified to change encryption key (unlikely, but possible) then you can reverse engineer the binary, there's a guide here: https://cooldown.dev/topic/12-client-how-to-disassemble-conquer-for-reverse-engineering/ (although I prefer to use ida, this a great getting started guide)

If you have the actual source code, assume its c#(?) - you can debug it in visual studio (set breakpoints, see the values it getting and comparing with) - trace the path of the login flow till you figure out why its rejecting that username/password.

Edited 4 hours ago by cyano

[AndrejN.]

I don't think I have the same source tho, because I am able to log in and work the source for a longer time now, anyway the problem that it had with was the patch for DX9 version didn't work, I am working on the DX8 only and I was trying to resolve that. Also I know that the currently modified original Conquer.exe is sending the packets to my account server because I can see the packet dump that I am displaying for login. I can share them and you will see the difference, also I am able to log in without the password with your method and modifying the authserver login method to not require the password, but that is out of option .

So here is the packet from your method that I use on the original 6609 client is:
Packet Length : 312, PacketType: 1542
38 01 06 06 00 00 00 00 77 61 72 00 00 00 00 00      ;8war
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 4D 79 43 6F 6E 71 75 65 72  ;MyConquer
00 00 00 00 00 00 00 00 30 30 31 35 35 44 33 35      ;00155D35
43 37 45 33 00 00 00 00 00 00 00 00 00 00 00 00      ;C7E3
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 31 30 00 00 00 00 00 00 00 00 00 00 00 00 00      ;10
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 FE 98 CD 0F C6 01 92 93 F9 1F 8E B8      ;■?═╞??∙?╕
7D 80 82 FF 17 2A 4C AB D3 36 2D 91 7A DE EE 33      ;}?? *L½╙6-?z▐ε3
39 7F 6F 9A 6C BB 09 77 1D 62 A9 DA C1 13 8E 01      ;9o?l╗     wb⌐┌┴?
D0 B3 82 43 79 4C 27 EE 94 82 89 53 5E A6 64 7C      ;╨│?CyL'ε???S^ªd|
BD 58 10 4D 07 96 E3 41                              ;╜XM?πA

User: [war] Server: [MyConquer] MacID: [C7E3] Password: []

as you can see here the password field is empty, also I am also not sure if this is the right packet from which the client sends the password but highly likely...

and the one from the what I believe is the modified patched Conquer.exe that was used with this source sends this one:
Packet Length : 312, PacketType: 1542
38 01 06 06 00 00 00 00 77 61 72 00 00 00 00 00      ;8war
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 03 72 8C 81 00 00 00 00      ;r?ü
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 4D 79 43 6F 6E 71 75 65 72  ;MyConquer
00 00 00 00 00 00 00 00 30 30 31 35 35 44 33 35      ;00155D35
43 37 45 33 00 00 00 00 00 00 00 00 00 00 00 00      ;C7E3
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 31 30 00 00 00 00 00 00 00 00 00 00 00 00 00      ;10
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ;
00 00 00 00 A0 DF FB 39 69 30 F7 8A C0 41 C5 6B      ;á▀√9i0≈?└A┼k
5D 46 E9 56 B9 12 CB 1B 99 98 2C F5 FA 09 5E F8      ;]FΘV╣╦?,⌡·        ^°
AF 46 53 61 78 5F A1 DD 02 62 B3 73 29 4D 5A 3A      ;»FSax_í▌b│s)MZ:
A0 E8 3C 4E C7 63 D0 F4 7A 5B BA 54 2A FB 09 43      ;áΦ<N╟c╨⌠z[║T*√    C
96 EB 4A 0F EE 49 24 1F                              ;?δJεI$

User: [war] Server: [MyConquer] MacID: [C7E3] Password: [war]

you can see here the 03 72 8C 81  or the ascii: ;r?ü is the password (war) sent from that client for which the server source uses this XOR decryption method which i believe is what was modified for the patched Conquer.exe on how to send the password, so it can decrypt it:
            public static string DecryptXor(byte[] data, byte size)
            {
                byte[] buffer = new byte[Math.Min(size, (byte)32)];
                for (int i = 0; i < Math.Min(size, (byte)32); i++)
                {
                    buffer[i] = (byte)(Key1[(i * 0x2c) % 0x20] ^ data[i]);
                    buffer[i] = (byte)(Key2[(i * 0x63) % 0x20] ^ buffer[i]);
                }
                return System.Text.Encoding.ASCII.GetString(buffer).Replace("\0", "");
            }

so what I am asking is how the original Conquer.exe sends the password, is it encrypted, hashed or maybe like a plain text(i doubt that). Also is that 1542 packet the right one to look for the password in?

ps. I am not so familiar with reverse engineering, tried it but that is out of my expertise 

Edited 4 hours ago by AndrejN.

[Spirited]

Hey all, I'm going to politely ask that you use the other thread for this, because it's not related to this one. I'll move over the posts, if you'd like.