[Release] Tera Live Packet Sniffer

Newbie Spellweaver
Joined
Aug 23, 2008
Messages
74
Reaction score
19
Hello Dudes,

I've updated that old hex packet viewer to just show the actual Tera live traffic. It gets the data just like Wireshark over WinPcap.

Download
Latest Version:
Source on Github:


Guide

1. Install WinPcap - If you have Wireshark installed you already got it.

2. Open the tool.

3. Select your Game Server.

4. Click Stop, then Start

5. Start the Game now and have Fun.
--> This is important. The Tool must be running when you login. It can't just show packets of a running game since we need the handshake packets to decrypt them.

Tips & Tricks
- If your opcode file is outdated, check or use the method described to dump new opcodes
- Server Autofocus: take a look at the serverlist.xml file. You can set the default server over the DefaultFocus="true" tag. Just delete it from hasmina and add it to your own.
- Capture Autostart: also on the serverlist.xml file. Set the tags DefaultFocus="True" AutoStart="True" on your server and delete it from the actual.



Greets,
GoneUp
 

Newbie Spellweaver
Joined
Aug 23, 2008
Messages
74
Reaction score
19
Note: The opcodes are from the old 1725 EU version. ?

what you mean here?

Well. The hex packet editor I've edited is from the old C# 1725 emulator source. That's just important for the appearance of the packets, it would show an accurate opcode name instead of the 0x code in the GUI. That just works for the old opcodes.
Maybe I'm gonna update them with more actual opcodes from the Java Emulator.



Updated to v2 with new opcodes.
 
Newbie Spellweaver
Joined
Aug 23, 2008
Messages
74
Reaction score
19
the Sniffer stopped working when i enter fraya

Sounds bad. Does the message contain a stack trace? Is Wireshark properly working on your computer?
WinPcap has problems with some wireless adapters. That's why I'm asking. Wireshark is also using WinPcap.
 
Newbie Spellweaver
Joined
Feb 28, 2015
Messages
9
Reaction score
1
Hi GoneUp, thank you for sharing. I've forked your repo to keep this code updated as far as I can, and made some fixes.

About CrystalCoder's exception, I guess it is caused by this line in the Packet class constructor:
Hex = Data.ToHex().Substring(4);

I'm trying to reproduce this error to get more info about it.
 
Newbie Spellweaver
Joined
Aug 23, 2008
Messages
74
Reaction score
19
Hi GoneUp, thank you for sharing. I've forked your repo to keep this code updated as far as I can, and made some fixes.

About CrystalCoder's exception, I guess it is caused by this line in the Packet class constructor


I'm trying to reproduce this error to get more info about it.

Nice to see someone working on the code, keep going ^^
I'm not sure about the exception. It could be anything until we get more information.
 
Newbie Spellweaver
Joined
Feb 28, 2015
Messages
9
Reaction score
1
the Sniffer stopped working when i enter fraya

I've made some fixes on this version,

try it and tell me if your problem still remains.



Don't forget to read the README before doing anything.
 
Newbie Spellweaver
Joined
Feb 28, 2015
Messages
9
Reaction score
1
If someone has an unpacked Tera client near version 282514 NA or EU it'll be code to keep finding Opcode ^^
 
Joined
Feb 2, 2012
Messages
412
Reaction score
249
i have found my way to get on the opcodes..
but its not a real opcode list...
you have to search your opcode manual...
for me this file is enough... i have all i need to write and update the emu

or you write a parser to create a list from the file...
like
find Case xy "C_CHECK_VERSION"
write to list...
xy = C_CHECK_VERSION


Client 30.09 EU
its the current EU Client
 
Newbie Spellweaver
Joined
Aug 23, 2008
Messages
74
Reaction score
19
@Hamer31 Nice work dude ^^ P5yl0 Could you please tell me how you unpacked it? Which tools, etc.?

It would be a nice solution to extract the opcodes automatically. It is easy to find them on the manual way, but the question is how to extract them :D
 
Joined
Feb 2, 2012
Messages
412
Reaction score
249
i used OllyDbg with StrongOD and Phantom Plugin..
Attached Tera Process...
switched to the Tera.exe Module...
Analyzed the File..
Search for Referenced String "I_TELEPORT"
so i get that file..

it is possible to write in OllyDbg some scripts to write some output..
but i haven't worked much with OllyDbg and scripting ..
so i thought it would be easier to write a short tool which reads that output file ..
searches for Text Strings ASCII and reads that line...
that would be one way to write the packets to a list... without all the hex and addresses ...

but as i said for me.. that manual way is for now enough to update the emu...
i search in the file for the opcode(hex) 4DBC and in the same line i have the opcode name...C_CHECK_VERSION
thats enough for me to know at the moment...



i tried the sniffer... works like a charm...
would it be possible to add an option for local sniffing..
it would help me a lot...

on port 127.0.0.1 : 11101 so i can sniff the packets on the p-server to compare the packets with the sniffed values from the official server...
 
Initiate Mage
Joined
Nov 5, 2014
Messages
2
Reaction score
1
You don't even need to unpack the executable to find the opcodes.
Otherwise you also could just hook the themida functions, like a certain bot creator probably did.
(Olly plugins won't work on win 7/8 64 bit+)

If you think IDA will help you that much, then, there is an unpack script which can be found with google. (For me it needed a rework at some lines, thanks to the ultra smart dude who created it)


With an unpacked exe you can easily do some hex edit and poop like hooks, but you will
not get around finding out all offsets by yourself, if no one is gentle enough to
do the work for you. I found the refresh position of characters myself - used this
to teleport me - and also the UseSkill and such functions.
Till now I didn't finish to use skills by Id. (Weird functions and a huge amount of
skills + levels -> too much work for a game which is only hyped in ru atm)


@@
Those opcodes are quite useless, since you need the structs of the packets and
without reverse engineering you can't get those which aren't used ordinary
by the client. - In the hope to find a packet that actually gives you a kind
of super boost like teleport or the removal of an instance's cd.
(If you are not about to make an emulator)
I have used to find the packets opcodes and structs myself.




I don't exactly know how the client generates the structures, like for the target packet,
but I managed to use the decrypt function itself to send this packet.
Just had some failures there with some other packets, like join instance packet, maybe it was also just because the function is called by two different threads.


However this is how the structure looked like for me, when sending the skill + target list


Code:
#include <cstdint>

// Byte-exact layouts: the 0x17 size of SAttackPacket and the 0x1F / 0x2F
// segment offsets in STargetListPacket only hold when no padding is inserted.
#pragma pack(push, 1)

typedef struct SAttackPacket
{
    uint16_t size;    // 0x17
    uint16_t opcode;  // 58453
    uint16_t skillId; // Id+levelOfSkill
    uint16_t unknown; // 1024
    uint8_t charge;   // 0/1
    float x;
    float y;
    float z;
    uint16_t dir;
} TAttackPacket;


// One 0x10-byte target entry in the target list.
struct SUB_SECTION_TARGET
{
    SUB_SECTION_TARGET(uint32_t num, uint32_t id, uint32_t _type)
    {
        step = num;
        head = num * 0x10 + 0x1F;
        head_1 = num * 0x10 + 0x3F;
        target = id;
        type = _type;
    }
    SUB_SECTION_TARGET()
    {
    }
    ~SUB_SECTION_TARGET()
    {
    }
    uint16_t head;
    uint16_t head_1;
    uint32_t step;
    uint32_t target;
    uint32_t type;
};


// One 0x10-byte position entry in the target list.
struct SUB_SECTION_POS
{
    SUB_SECTION_POS(uint32_t num, uint32_t next, float x, float y, float z)
    {
        head = num * 0x10 + 0x2F;
        head_1 = next * 0x10 + 0x3F;
        // The parameters shadow the members, so assign through this.
        this->x = x;
        this->y = y;
        this->z = z;
    }
    SUB_SECTION_POS()
    {
    }
    ~SUB_SECTION_POS()
    {
    }
    uint16_t head;
    uint16_t head_1;
    float x;
    float y;
    float z;
};


struct TSECTION
{
    SUB_SECTION_TARGET _target[4];
    SUB_SECTION_POS _pos;
};


struct SECTION
{
    SECTION()
    {
    }
    ~SECTION()
    {
    }
    SUB_SECTION_TARGET _1;
    SUB_SECTION_POS _2;
    TSECTION _3[5];
};


typedef struct STargetListPacket
{
    uint16_t size;      // 6f (0x15 targets)
    uint16_t opcode;    // 31096
    uint16_t unknown;   // 84
    uint16_t seg_0;     // 0x1F 0x00
    uint16_t amount;
    uint16_t seg_1;     // 0x2F 0x00
    uint16_t skillId;   // skillId+10+stage
    uint16_t unknown_1; // 1024
    float x;
    float y;
    float z;
    uint16_t dir;
    uint8_t  hit;
    SECTION  segments;
} TTargetListPacket;

#pragma pack(pop)


I'd like to use ns-3 (c++ lib) to make myself an own send function
with the decrypt function included.
A sticky thread where people post their results by finding packets and their structures, would be amazing, too.


@P-Servers
That will be a HUGE amount of work for sure if you want something decent.
Btw. the direction in degrees = dir/180, if I remember right.
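
Added example, not part of the post above or of the sniffer's source: the posted attack-packet fields add up to the 0x17 bytes in its size comment only when the struct is packed, which this C++ shows next to a length-checked decoder for use when inspecting captured frames. The names AttackPadded, AttackWire, decode_attack and the sample bytes are constructed for illustration, and a little-endian host is assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Field order from the post. With natural alignment `charge` is followed by
// padding, so sizeof is 28 on common ABIs instead of the 0x17 seen on the wire.
struct AttackPadded {
    uint16_t size, opcode, skillId, unknown;
    uint8_t  charge;
    float    x, y, z;
    uint16_t dir;
};

#pragma pack(push, 1)  // byte-exact wire layout
struct AttackWire {
    uint16_t size, opcode, skillId, unknown;
    uint8_t  charge;
    float    x, y, z;
    uint16_t dir;
};
#pragma pack(pop)
static_assert(sizeof(AttackWire) == 0x17, "must equal the size field");
static_assert(offsetof(AttackWire, x) == 9, "floats follow charge directly");

size_t padded_size() { return sizeof(AttackPadded); }

// Decode one frame. Buffer length and the packet's own size field must both be
// 0x17, so truncated or mislabelled input is rejected.
// Assumption: little-endian host, matching the x86 client.
bool decode_attack(const uint8_t* buf, size_t len, AttackWire* out) {
    if (buf == nullptr || out == nullptr || len != sizeof(AttackWire)) return false;
    std::memcpy(out, buf, sizeof(AttackWire));  // no unaligned pointer casts
    return out->size == sizeof(AttackWire);
}

// Constructed sample frame, not captured traffic: size 0x17, opcode 58453,
// skillId 0x2711 (made up), unknown 1024, charge 1, x=1.5, y=-2.0, z=0.25, dir 90.
static const uint8_t kSampleFrame[0x17] = {
    0x17, 0x00, 0x55, 0xE4, 0x11, 0x27, 0x00, 0x04, 0x01,
    0x00, 0x00, 0xC0, 0x3F, 0x00, 0x00, 0x00, 0xC0,
    0x00, 0x00, 0x80, 0x3E, 0x5A, 0x00,
};

int main() {
    AttackWire p{};
    bool ok = decode_attack(kSampleFrame, sizeof kSampleFrame, &p);
    std::printf("ok=%d opcode=%d wire=%zu padded=%zu\n", ok, p.opcode, sizeof p, padded_size());
    return ok ? 0 : 1;
}
```
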
 
Newbie Spellweaver
Joined
Feb 28, 2015
Messages
9
Reaction score
1
@P5yl0 Thank you for telling your way of how to find opcodes without unpacking the client. If you want to capture on 127.0.0.1:11101, I can't modify it right now, but you can get my source at or GoneUp linked in first thread.


@test0r57 I'm currently trying to unpack the client by myself with OllyDbg + StrongOD + PhantOm, with a script. But it breaks on an address pointed to by the API. So I need to adjust the script a bit. I hope I'll achieve this with success.
 
Initiate Mage
Joined
Nov 14, 2007
Messages
3
Reaction score
1
This is an awesome tool. Thank you for releasing it!

Btw can someone post how did they unpack tera.exe with this script?
 
Newbie Spellweaver
Joined
Feb 28, 2015
Messages
9
Reaction score
1
I have made some enhancements on the tool. Also I implemented a custom server address for sniffing a Private Server or any non-listed Server.

DDL :

It doesn't contain source, but contains PDB files. I haven't tested it much, so if you have any issue, feel free to contact me.

Edit : As far as I've read we can't get a loopback device on Windows.
 
Initiate Mage
Joined
Dec 5, 2013
Messages
4
Reaction score
9
For those wondering how to get the opcode names here's a little guide.

1. In cheat engine, find the function that references the string "I_TELEPORT". Look just above that and find the start of the function. (In this case 0x0191D0A0)



2. Make a c++ dll that looks like with the address that you got in the previous step.

3. Now inject it into the Tera process, after which you should see some message boxes. Click OK on those, then in your TERA\Client\Binaries folder you should see a file called opcodes.txt full of opcodes. (You can just change the output directory if you want)

<- Here is a dump of the latest opcodes.
 

Initiate Mage
Joined
Nov 14, 2007
Messages
3
Reaction score
1
Jesus guys ... this thread is flying like a hawk. so much of useful information its hard to process everything on time lol ^^

This tool for getting opcodes is simply amazing ... i was struggling with pulling one by one with CE >.<

Thanks again!
 