[Release] Tera Live Packet Sniffer

[GoneUp]

Could you provide a screen of the memory viewer at that address?

 

[[GM]Xia]

Could you provide a screen of the memory viewer at that address?

add me to skype please lo1997xd

 

[amakrkr]

Edit: Delete this post.

 

[TieLay]

how about newest OP-codes for 33.08 or 34.07???

 

[GoneUp]

Added them. The one from EU actual dosen't match 3308 or 3407. If someone needs them he should create his own file or wait until EU get the 3407 patch.

You must be registered to see links

 

[TieLay]

Now is 36.03 on NA, wait OPcodes...

 

[[GM]Xia]

i will print you the opcode tomorrow after work

 

[Ulysse31]

Hello,

I have noticed that it's a matter of time within a recording session that the decrypt/encrypt gets obsolete, it's related to the amount of data that is being processed and it happens, in my case, both with output and input of data on the stream.

So I am wondering the reason for that and I am guessing that it is because the sniffer doesn't handle "TCP previous segment not captured" (ie packetloss) too well, could anyone confirm/infirm ?

 

[GoneUp]

I never really tested it in heavy traffic situations. The pv could struggle with that.
Nope, packet loss is not the cause. TCP is made for reliability. If something is missing it will be retransmissited. Hmmm. Valid point how these retrans packets are handled. In the worst case it is handled more than once and we got a problem.

Guess that some additional checks and smth like a packet queue will address these issues. Will look at it next week ^^

 

[Ulysse31]

I never really tested it in heavy traffic situations. The pv could struggle with that.
Nope, packet loss is not the cause. TCP is made for reliability. If something is missing it will be retransmissited. Hmmm. Valid point how these retrans packets are handled. In the worst case it is handled more than once and we got a problem.

Guess that some additional checks and smth like a packet queue will address these issues. Will look at it next week ^^

Yes,
I know TCP is reliable and packet gets retransmitted, however I am not sure *when* then sniffing happens, because if the sniffer takes the packets in the same order wireshark does (and i'd assume this might be true) then it very well could explain a few things. But indeed if it takes the packets in the same order a clientless program or Tera.exe itself does, then it wouldn't matter as the "TCP retransmission" gives them back all at once.

I have first noticed it on NA, there are many players and on MT the download of packet is significant, my PacketViewer can no longer decrypt packet within 20 seconds to 2 minutes. Some infos that might help you diagnostic it :
I am confident the decryption is failing because the packets still show up on the left column, however they have Obselete size (can go up to 65 000 size) and obsolete titles (that dont get renamed by PV anymore).

I have myself a clientless program I coded, I tried heavy traffic (IE 1500 bytes per sec) and both decryption and encryption of PV got crushed. With low traffic decryption will always fail first (as would be expected because on normal use we download a lot more than we upload).
On EU the traffic is much less intense and the PV can actually work fine for tens of minutes. Although the packets eventually arrive with a significant delay. Also i am from EU so maybe i lose less packets here.

I guess it could also be that with too heavy traffic the reception buffer gets filled up and the decryption ends up decrypting only part of a packet somewhen.

Hope this could help,
Thanks for this tool, it's very usefull.

Cheers,
Ulysse

 

[Arko Darlok]

Hi everyone!I found a problem that when i try to inject of the library, into process, their crash. On creating thread. This applies to various programs for injection. Do you have fought the problem? I use the source code library that comes with a sniffer.
I am sorry for my "google translate"

 

[Gothos]

There are a lot of fun special cases with TCP reassembly:

* Out of order arrival
* Lost+resent data
* Resent data that doesn't have the same packet boundaries as original packets.
* For example I received a bunch of data followed by another packet that contained the same data again but with additional data in the end.
* The byte counter can overflow. This can even happen if the connection sends much less than 4 GiB, since the starting value is random
* Packets might fail CRC validation (I don't handle that one)
* Packets dropped by WinPcap (larger buffer sizes help, at least in some cases)
GoneUp if you want, you can use my TCP reassembly code in your packet viewer.

 

[GoneUp]

Hm, that's true. How easy it would be with a proper tcpclient ^^
I will maybe integrate it, depends how much work it needs to get it work.
Or I will invest my time in a general proxy based approach. I'm thinking about a concept I saw a long time ago at the mmo silkroad. The client was connected over a local proxy to server and the proxy offered a socket for 3rd party programs. The socket received a copy of all packets that are transmitted, plus it was able to inject packets in the network stream.
My main problem for that approach is atm to find a proper way to redirect the client. A loopback adapter for a ip of different server on the serverlist works, but that's not a really easy/nice solution for the problem. A custom launcher with a own login and a own serverlist would be by far the simplest solution...

Does someone know if one of these tera starters/the neostarter with custom arguments still work on the current gameforge client?

 

[kinvao]

NeoLauncher does not work with the lastest client revs. I tested it and didn't open the client. The other basics launchers works with the same arguments.
Let me ask something(kind offtopic):
There are any unpacked datacenter for the latest client?

 

[GoneUp]

Damm it. Then I need to go the hard way and fix/reverse a launcher.
Hm, datacenter. Don't think so. The last I know are these in the thread https://forum.ragezone.com/f797/release-tera-datacenter-unpacked-eur-1064404/
Sadly he didn't post the tool to extract the key.

 

[mangojoe]

Newest Datacenter can be found here:

https://forum.ragezone.com/f797/release-tera-datacenter-unpacked-eur-1084054/#post8525176

 

[kinvao]

Damm it. Then I need to go the hard way and fix/reverse a launcher.

Use teraLauncher or any other launcher posted over here. Only NeoLauncher dont work. Or you want to do something else with the launcher than just open the client?

 

[GoneUp]

Use teraLauncher or any other launcher posted over here. Only NeoLauncher dont work. Or you want to do something else with the launcher than just open the client?

I need the custom arguments since I want to insert my own serverlist and userdata. Is that possible with any actual launcher?

mangojoe thx for the datacenter. Could you share the tool to gather the DC key ? Then we are able to do it on our own and don't need you ^^

 

[kinvao]

I need the custom arguments since I want to insert my own serverlist and userdata. Is that possible with any actual launcher?

The custom arguments for those working launchers depends on the tera.exe generated by the generator tool. I'm not sure about the meaning of some arguments but when you generate the exe file you must specify the serverlist link. That direction comes compiled with the exe...
In the arguments you only send the username, password and client languaje. The other arguments are only "0" and "1"...I cant tell what those arguments do. To give a more accurate answer I need to see the generator's source.

 

[GoneUp]

Hm. Could maybe work. I just want to redirect it to my local serverlist and start it with my username and password.