Hi,
since I worked on that, and to make this section look like there was development ;), I'll try to provide as much info as I can. I reversed it from the client side, but I hope server creates packets the same way.
The packets are encrypted with XOR and use a sequence number; also there is a "checksum".
here is an example small packet:
Code:
0500b01b77761e6466

0500 b0 1b 7776 1e 6466
0500 - the first 2 bytes tell the length of the red part, which is data + checksum.
b0 - the packet data + 1 byte after it is encrypted with XOR. There is a XOR key, which I first guessed with CrypTool, but later just extracted from the client, when I noticed I have to play with IDA to make progress.. the XOR key can be shifted and the 3rd byte tells us how much it is shifted.
1b - the 4th byte is part of the sequence number. It is "sequenceid (I called it magic in my python code) XOR last byte of xor-key".
7776 - this is the XORed data.
1e - this byte is part of the checksum; you need to reconstruct the XORing algorithm, which also produces this.
6466 - these are the first bytes of the xorkey used as "checksum"? "sequenceid % 4" decides how many bytes to add.

after a packet is forged you need to change the sequence id:
Code:
v7 = 2 * sequenceid + 2
if ( v7 > 119 ) { v7 %= 119 }
new_sequenceid = v7 + 1

the xor key in hex display:
Code:
766D646C666A68756438333070776B6C646C6B765B5D66106A646D766C643B736B2C6D637569653872696A6D66766B6964666F3334302D70666C636C2C3B6473645D7530337534306A76636F6E766E303838393268306E6E6C736E6C6473662F2C3B766D735B70662D32666A645D7530337534306A76636F6E766E3038320000

after you encrypted the data, you see the "actual" protocol. in this case it is just the opcode "1310".
generally the first 2 bytes of data are the opcode, the rest is whatever. I didn't look into that in detail.
here is a python script containing the opcodes and error codes ripped from the client.
prot.py
so when we look up "1310" with the correct endianness we get "T_PC_CONNECT_GET_SERVER_GROUP_LIST" which requests serverlist from the server.
sry for my bad English.
sry, that info might be wrong / a wrong explanation; it was the first time I tried reversing the network of a game.
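As an added example (not code from the post or from the game client), here is a small Python parser for the header layout described in the post, plus the posted sequence-id step. It uses the example packet and the XOR key exactly as posted; the little-endian reading of the length field is an assumption that happens to match the 5 bytes following the header, and the XOR/checksum algorithm itself is not implemented because the post does not describe it.

```python
# Added example, not code from the post: split the header fields described
# above and step the sequence id with the posted formula.
import struct

# XOR key exactly as given in the post (hex), decoded to bytes.
XOR_KEY = bytes.fromhex(
    "766D646C666A68756438333070776B6C"
    "646C6B765B5D66106A646D766C643B73"
    "6B2C6D637569653872696A6D66766B69"
    "64666F3334302D70666C636C2C3B6473"
    "645D7530337534306A76636F6E766E30"
    "3838393268306E6E6C736E6C6473662F"
    "2C3B766D735B70662D32666A645D7530"
    "337534306A76636F6E766E3038320000"
)

# The small example packet from the post.
SAMPLE_PACKET = bytes.fromhex("0500b01b77761e6466")


def parse_header(pkt: bytes, key: bytes = XOR_KEY) -> dict:
    """Split a packet into the fields the post describes.

    bytes 0-1: length of data + checksum; assumed little-endian because
               0x0005 is what matches the 5 bytes that follow the header
    byte  2:   how far the XOR key is shifted
    byte  3:   sequence id XOR the last byte of the XOR key
    rest:      XORed data followed by the "checksum" bytes (left as-is;
               the XOR/checksum algorithm itself is not described)
    """
    if len(pkt) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    length = struct.unpack_from("<H", pkt, 0)[0]
    body = pkt[4:]
    if len(body) != length:
        raise ValueError(f"length field {length} != {len(body)} body bytes")
    return {
        "length": length,
        "key_shift": pkt[2],
        "sequence_id": pkt[3] ^ key[-1],
        "body": body,
    }


def next_sequence_id(sequence_id: int) -> int:
    """Sequence id update as posted: v7 = 2*id + 2, wrap above 119, then + 1."""
    v7 = 2 * sequence_id + 2
    if v7 > 119:
        v7 %= 119
    return v7 + 1
```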