work on packet structure

Newbie Spellweaver (joined Sep 15, 2008; 56 messages; 19 reaction score)
Hi,

since I worked on that, and to make this section look like there was development ;), I'll try to provide as much info as I can. I reversed it from the client side, but I hope the server creates packets the same way.

The packets are encrypted with XOR and use a sequence number; also there is a "checksum".

here is an example of a small packet
Code:
0500b01b77761e6466

the first 2 bytes tell the length of the second bracketed part, which is data + checksum.
[0500] b0 1b [7776 1e 6466]

the packet data + 1 byte after it is encrypted with XOR. there is a XOR key,
which I first guessed with CrypTool, but later just extracted from the client,
when I noticed I have to play with IDA to make progress.
the xorkey can be shifted and the 3rd byte tells us how much it is shifted.
0500 [b0] 1b 7776 1e 6466

the 4th byte is part of the sequence number.
it is "sequenceid (I called it magic in my python code) XOR last byte of xor-key".
0500 b0 [1b] 7776 1e 6466

This is the XORed data
0500 b0 1b [7776] 1e 6466

this byte is part of the checksum; you need to reconstruct the XORing algorithm
which also produces this.
0500 b0 1b 7776 [1e] 6466

these are the first bytes of the xorkey used as "checksum"?
"sequenceid % 4" decides how many bytes to add.
0500 b0 1b 7776 1e [6466]

after a packet is forged you need to change the sequence id
Code:
# sequence id update, transcribed from the client decompilation
def next_sequenceid(sequenceid):
    v7 = 2 * sequenceid + 2
    if v7 > 119:
        v7 %= 119
    return v7 + 1

the xor key in hex display
Code:
766D646C666A68756438333070776B6C646C6B765B5D66106A646D766C643B736B2C6D637569653872696A6D66766B6964666F3334302D70666C636C2C3B6473645D7530337534306A76636F6E766E303838393268306E6E6C736E6C6473662F2C3B766D735B70662D32666A645D7530337534306A76636F6E766E3038320000

after you encrypted the data, you see the "actual" protocol

in this case it is just the opcode "1310".
generally the first 2 bytes of data are the opcode, the rest is whatever. I didn't look into that in detail.

here is a python script containing the opcodes and error codes ripped from the client.

so when we look up "1310" with the correct endianness we get "T_PC_CONNECT_GET_SERVER_GROUP_LIST", which requests the server list from the server.

sorry for my bad English.
sorry, that info might be wrong / the explanation might be wrong; it was the first time I tried reversing the network protocol of a game.
 