Hi everyone,
I opened this thread so we can discuss the login packet. If anyone has some details about it, it would be nice if you would share them with us.
The protocol used for the connection is TCP, so the first packets of course would be the [SYN]-> <-[SYN,ACK] ->[ACK] conversation, and then the client sends the packet with the id & pass data.
Here is some packet data; each line represents one packet's data (edit: copy it to a notepad to see it better)
ID: AAA Password: AAA
Code:
5c000000 40 18 01801000296be9ea94fb1c1ad58f 6ab6395469d42e36d87eeac9bd86387855f43f366cb01633c00352cc7c12f5c7688d6d9f5e722219efc14d5636f0005faec7444537c37d80fb20e9bf3f77eb609538071ae88ce52d
5c000000 10 18 01801000296be9ea94fb1c1ad58f a67ef19ca11ce6fe10b62201754ef0b09d3cf7fea478defb08cb9a04b4da3d0fa045a55796baead12709859efe38c897660f8c8dff0bb54833e82177f7bf23a85df0cfd220442de5
5c000000 51 18 01801000296be9ea94fb1c1ad58f 66bd325f62df253dd375e1c2b68d33735eff343d67bb1d38cb0859c77719fecc6386669455792912e4ca465d3dfb0b54a5cc4f4e3cc8768bf02be2b4347ce06b9e330c11e387ee26
5c000000 d0 18 01801000296be9ea94fb1c1ad58f da0d82efd26f958d63c55172063d591835945f560cd07653a06332ac1c7295a708ed0dff3e1242798fa12d365690603fcea7242557a31de09b4089df5f178b00f558677a88ec854d
5c000000 57 18 01801000296be9ea94fb1c1ad58f ee36b9d4e954aeb658fe6a493d062e634eef242d77ab0d28db1849d76709eedc7396768445693902f4da564d2deb1b44b5dc5f5e2cd8669be03bf2a4246cf07b8e231c01f397fe36
5c000000 38 18 01801000296be9ea94fb1c1ad58f fa22adc0fd40baa24cea7e5d291203426fce050c568a2c09fa3968f64628cffd52b757a564481823d5fb776c0cca3a6594fd7e7f0df947bac11ad385054dd15aaf023d20d2b6df17
5c000000 23 19 01801000296be9ea94fb1c1ad58f 16cf402d10ad574fa10793b0c4ffeeaf8223e8e1bb67c1e417d4851babc52210bf5aba4889a5f5ce38169a81e127d78879109392e014aa572cf73e68e8a03cb742efd0cd3f5b32fa
5c000000 80 18 01801000296be9ea94fb1c1ad58f b26ae588b508f2ea04a23615615a4b0a27864d441ec26441b27120be0e6087b51aff1fed2c00506b9db33f244482722ddcb5363745b10ff289529bcd4d059912e74a75689afe975f
5c000000 c5 17 01801000296be9ea94fb1c1ad58f ca129df0cd708a927cda4e6d1922bff1dc7db6bfe5399fba498adb45f59b7c4ee104e416d7fbab906648c4dfbf7989d6274ecdccbe4af40972a96036b6fe62e91cb18e9361056ca4
5c000000 a5 17 01801000296be9ea94fb1c1ad58f ea32bdd0ed50aab25cfa6e4d39029fd1fc5d969fc519bf9a69aafb65d5bb5c6ec124c436f7db8bb04668e4ff9f59a9f6076eedec9e6ad4295289401696de42c93c91aeb341254c84
5c000000 d9 17 01801000296be9ea94fb1c1ad58f de0689e4d9649e8668ce5a790d36abe5c869a2abf12d8bae5d9ecf51e18f685af510f002c3efbf84725cd0cbab6d9dc2335ad9d8aa5ee01d66bd7422a2ea76fd08a59a87751178b0
5c000000 7a 18 01801000296be9ea94fb1c1ad58f 3aed620f328f756d8325b192e6dd400e238249401ac66045b67524ba0a6483b11efb1be92804546f99b73b2040867629d8b1323341b50bf68d569fc949019d16e34e716c9efa935b
ID: BBB Password: BBB
Code:
5c000000 62 18 01801000296be9ea94fb1c1ad58f 4e99167b46fb0119f451c6e591aa216f42e328217ba70124d71445db6b05e2d07f9a7a884965350efbd6594222e4144bbad3505123d76994ef34fdab2b63ff74812c130efc98f139
5c000000 da 17 01801000296be9ea94fb1c1ad58f f621aec3fe43b9a14ce97e5d291299d7fa5b9099c31fb99c6facfd63d3bd5a68c722c230f1dd8db6436ee1fa9a5cacf3026be8e99b6fd12c578c451393db47cc3994abb644204981
5c000000 dd 17 01801000296be9ea94fb1c1ad58f ce1699f4c9748e967bde496a1e25aee0cd6ca7aef4288eab589bca54e48a6d5ff015f507c6eaba817459d6cdad6b9bc4355cdfdeac58e61b60bb7224a4ec70fb0ea39c8173177eb6
I added the spaces manually to distinguish between different/similar bytes between the packets.
All the packets start with the same bytes "5c 00 00 00", then we have 2 bytes that have nothing to do with the id/password strings, since they are created randomly or by something else that I would like to know.
Then the bytes "01801000296be9ea94fb1c1ad58f" repeat again; since those bytes never change, I guess we don't have to spend time on them.
After those bytes we have a few bytes that always change even if we enter the same details, then it looks like those bytes represent our login details.
I'm trying to collect information and to assemble the puzzle, but I need more information to do that.
Btw, setting the Xor key to 0 in the Korean clients won't produce the packet data as plain text (thanks bobsbol).
edit: why is the data inside the code tags on 2 lines instead of 1 with a scroll bar to the right and left, as shown in my preview? It's messy now.
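The field layout described in the post, checked in code over three of its captures. This is an added example, not part of the original post; the field names are hypothetical, and reading the first four bytes as a little-endian length is an assumption (0x5c is 92, the size of each sample packet).

```python
import struct

CONSTANT = bytes.fromhex("01801000296be9ea94fb1c1ad58f")  # 14 bytes that never change in the post

# Captures copied from the post: (login used, packet hex). The spacing is the poster's.
CAPTURES = [
    ("AAA", "5c000000 40 18 01801000296be9ea94fb1c1ad58f 6ab6395469d42e36d87eeac9bd86387855f43f366cb01633c00352cc7c12f5c7688d6d9f5e722219efc14d5636f0005faec7444537c37d80fb20e9bf3f77eb609538071ae88ce52d"),
    ("AAA", "5c000000 10 18 01801000296be9ea94fb1c1ad58f a67ef19ca11ce6fe10b62201754ef0b09d3cf7fea478defb08cb9a04b4da3d0fa045a55796baead12709859efe38c897660f8c8dff0bb54833e82177f7bf23a85df0cfd220442de5"),
    ("BBB", "5c000000 62 18 01801000296be9ea94fb1c1ad58f 4e99167b46fb0119f451c6e591aa216f42e328217ba70124d71445db6b05e2d07f9a7a884965350efbd6594222e4144bbad3505123d76994ef34fdab2b63ff74812c130efc98f139"),
]


def split_packet(hex_line):
    """Split one captured packet into the fields the post describes."""
    raw = bytes.fromhex(hex_line)  # fromhex skips the spaces
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte fixed header")
    (prefix,) = struct.unpack_from("<I", raw, 0)
    return {
        "prefix": prefix,        # assumption: little-endian 32-bit value
        "size": len(raw),
        "variable": raw[4:6],    # the 2 bytes that differ per packet
        "constant": raw[6:20],
        "payload": raw[20:],     # the part that changes on every login
    }


def check_layout(captures):
    """Test the post's observations against a set of captures."""
    packets = [(login, split_packet(h)) for login, h in captures]
    payloads = {}
    for login, p in packets:
        payloads.setdefault(login, []).append(p["payload"])
    return {
        "prefix_is_length": all(p["prefix"] == p["size"] for _, p in packets),
        "constant_stable": all(p["constant"] == CONSTANT for _, p in packets),
        "variable_values": sorted(p["variable"].hex() for _, p in packets),
        "payload_reused": any(len(set(v)) < len(v) for v in payloads.values()),
    }


if __name__ == "__main__":
    for key, value in check_layout(CAPTURES).items():
        print(f"{key}: {value}")
```

On these captures no payload repeats for the same login, matching the post's observation that those bytes change even when the same details are entered.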