
[Help] Reversing Client Packets Structure

[Help] Find Opcodes Client decompiled

Hello, I don't have enough knowledge of ASM to do this, so I am here to ask if someone with that knowledge would help me do it! I have the client decompiled, but each function looks like this:
Code:
//----- (005629A0) --------------------------------------------------------
signed __int64 __cdecl sub_5629A0(int a1)
{
  unsigned __int8 v1; // al@1
  int v2; // edi@5
  signed __int64 result; // rax@5

  sub_562AF0(a1);
  v1 = sub_5624F0(a1);
  if ( (signed int)v1 > 80 )
    sub_55E990(*(_DWORD *)a1, "%s too new: read version %d.%d; expected at most %d.%d", *(_DWORD *)(a1 + 16));
  if ( (signed int)v1 < 80 )
    sub_55E990(*(_DWORD *)a1, "%s too old: read version %d.%d; expected at least %d.%d", *(_DWORD *)(a1 + 16));
  v2 = (unsigned __int8)sub_5624F0(a1);
  *(_DWORD *)(a1 + 12) = sub_562B80() != v2;
  sub_562B40(a1, 4);
  sub_562B40(a1, 4);
  sub_562B40(a1, 4);
  sub_562B40(a1, 6);
  sub_562B40(a1, 8);
  sub_562B40(a1, 9);
  sub_562B40(a1, 9);
  sub_562B40(a1, 8);
  result = (signed __int64)sub_562980(a1);
  if ( (_DWORD)result != 31415926 )
    sub_55E990(*(_DWORD *)a1, "unknown number format in %s", *(_DWORD *)(a1 + 16));
  return result;
}

So how will I find, for example, opcode 0x03 and so on...
 
Initiate Mage
You need to first understand that most clients do not rely on their own code to implement server communication. Clients will use some external library. You need to be able to view the import table and look at what libraries are being imported. Look at what functions are being referenced. There are more than likely library functions for sending and receiving data, like the Winsock library.

Try using a debugger and set breakpoints on all references to these library calls. This should be able to show you the data as soon as it is available in the buffer to be sent/received. You will need to understand how to trace in the debugger from that point and go backwards to the point where the data is not manipulated. Eventually, you should be able to find the point where the data is normal :)

Then, you should be able to trace back to the function that zips/encrypts/manipulates the data. You can take a look at the data before that encryption, and then use something to dump that data, which should represent the packet. If the protocol is unknown, then you will need to figure out the protocol, and somewhere in there should be the opcode. Perhaps the opcode is within the first few bytes or towards the end (unlikely).

good luck~
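The last step described in the reply above, working out where the length field and the opcode sit once the pre-encryption buffers have been dumped, as an added example that is not part of the thread: a small Python script applying two heuristics over a constructed set of dumped packets. The packet layout and the sample bytes are made up for the demo and are not from the game discussed here.

```python
from collections import Counter

# Constructed sample: client packets as dumped just before the encryption step.
# Hypothetical layout used for the demo: u16 little-endian total length, u8 opcode, payload.
# The heuristics below do not assume this layout; they recover it from the data.
SAMPLE_PACKETS = [
    bytes.fromhex("0500034142"),          # opcode 0x03, payload "AB"
    bytes.fromhex("04000300"),            # opcode 0x03, payload 00
    bytes.fromhex("060007010203"),        # opcode 0x07, payload 01 02 03
    bytes.fromhex("04000705"),            # opcode 0x07, payload 05
    bytes.fromhex("070003deadbeef"),      # opcode 0x03, payload de ad be ef
    bytes.fromhex("04000aff"),            # opcode 0x0a, payload ff
    b"\x09\x01\x03" + bytes(0x106),       # 265-byte packet: rules out a 1-byte length field
]

def _matches(packets, offset, width, order, mode):
    """True if the integer at packets[offset:offset+width] equals the total length ('total')
    or the number of bytes after the field ('remaining') in every packet."""
    for pkt in packets:
        if len(pkt) < offset + width:
            return False
        value = int.from_bytes(pkt[offset:offset + width], order)
        expected = len(pkt) if mode == "total" else len(pkt) - offset - width
        if value != expected:
            return False
    return True

def find_length_field(packets, max_offset=8):
    """Return (offset, width, byteorder, mode) of a consistent length field, or None."""
    for offset in range(max_offset):
        for width in (1, 2, 4):
            for order in ("little", "big"):
                for mode in ("total", "remaining"):
                    if _matches(packets, offset, width, order, mode):
                        return offset, width, order, mode
    return None

def find_opcode_offset(packets, skip=(), max_offset=8):
    """Pick the header offset whose byte takes few distinct values across packets (a
    message-type field) but is not constant (a magic/version byte). Offsets in `skip`,
    e.g. the length field, are ignored; returns None if nothing qualifies."""
    shortest = min(len(p) for p in packets)
    best = None
    for offset in range(min(shortest, max_offset)):
        if offset in skip:
            continue
        distinct = len(Counter(p[offset] for p in packets))
        if 1 < distinct < len(packets) and (best is None or distinct < best[1]):
            best = (offset, distinct)
    return None if best is None else best[0]

def analyse(packets):
    """Run both heuristics and list the opcode values seen in the sample."""
    length = find_length_field(packets)
    covered = range(length[0], length[0] + length[1]) if length else ()
    op = find_opcode_offset(packets, skip=set(covered))
    opcodes = sorted({p[op] for p in packets}) if op is not None else []
    return {"length": length, "opcode_offset": op, "opcodes": opcodes}
```

With real dumps, feed every captured buffer in; the more distinct message types you capture, the more clearly the opcode offset separates from payload bytes.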
 