MAESTIA: Analyze server login packets

  1. #1
    Newbie Palwal
    Mar 2019 Join Date

    Hey guys,

    I'm currently working on reverse engineering an old MMORPG called Maestia, which has been shut down.

    I managed to reverse the client patcher and now I'm stuck on the login screen, trying to connect to the server.

    When I click on login, the client just sends one packet and waits for a response:

     "x53\x88\xf0\xd8\x44\x35\xfc\x38" \
    The data never changes, so I guess it's some sort of initial check whether the server is available.

    Now, whatever I send back from the server, the client doesn't answer. It seems like it looks for a specific answer.

    One good thing, the game itself generates a log file with decent information.

    When I send a packet back to client, which is smaller than the initial packet, I get this information:

    (8696) 02/28/19 21:43:37.071  [AvaCltSockEvt::ConnectToLoginServer] Open login socket success! (
     (5800) 02/28/19 21:43:37.080  [CRITICAL][PACKETBROKEN][206,237]PACKET-SIZE = 5904
     (5800) 02/28/19 21:43:37.080  [SOCKET][CloseForce] socket 980, reason 228, old reason 255, isAlarmConnect 1
     (5800) 02/28/19 21:43:37.080  [AvaCltSockEvt::OnClose] Close Reason = 228

    When I send the same data back to client once or twice, I get this information:

      (6152) 03/03/19 19:28:41.749  [AvaCltSockEvt::ConnectToLoginServer] Open login socket success! (
     (6152) 03/03/19 19:28:41.762  [Clt Net] Undefined Packet : [Main = 1] [Sub = 10]
     (6152) 03/03/19 19:28:55.027  [WM_ACTIVATE] Inactivate
     (11808) 03/03/19 19:29:01.847  [SOCKET][CloseForce] socket 1900, reason 224, old reason 255, isAlarmConnect 1
     (11808) 03/03/19 19:29:01.847  [AvaCltSockEvt::OnClose] Close Reason = 224
    What would be the best way to solve this issue or find out what exactly the client expects? It looks like it's some sort of packet header for network traffic.

    PS. redirects to my loopback adapter, it's not my actual IP.

  2. #2
    Hardcore Member zipper20032
    Oct 2006 Join Date

    Re: MAESTIA: Analyze server login packets

     "x53\x88\xf0\xd8\x44\x35\xfc\x38" \
    Your packet seems to be encrypted. You need to use IDA or any other debugger for applications and try to see where it is sending this packet and when it is received from the server. Search for the recv() and send() functions (WSASend, WSARecv), possibly from the Winsock Windows library. There is a possibility that, in the buffer, you will see the data unencrypted before the client encrypts it and sends it to the server. If you can get to see that, then on recv() in the client, the client will try to decrypt it with the corresponding key. If you take the decrypted packet from IDA and the packet you sent and XOR them, you will see the decryption key, but here there's another problem which may be a real pain in the ass. If the encryption and decryption keys are generated dynamically per connection session, that is going to be a real headache if there's no static key table for them. Usually there are 2 sets of key tables, Server to Client and Client to Server, which I don't think you will find in files or data files. Maybe in the DLLs for the game core or other DLLs.

    (DecryptedPacketFromIDA XOR YourPacketSent = Decryption key)

    DecryptedPacketFromIDA = After the client tried to decrypt the packet.
    Your Packet Sent = The same packet you received (the one above)

    In any case, you will need to see how the packet is built, like where the size of the packet, the OPCODE and the data of the packet are. If there's no live server for this game, it will be a pain in the ass without knowledge of ASM and IDA or OllyDbg.
    Last edited by zipper20032; 07-12-19 at 01:07 PM.
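
The XOR relation from post #2, and its caveat about per-session keys, as an added example that is not part of the original thread or the game's code. It assumes the cipher is a plain repeating-key XOR, which the thread does not confirm; the keys, plaintexts and the `toy_encrypt` helper are constructed for illustration.

```python
from itertools import cycle


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length buffers (decrypted buffer vs. bytes on the wire)."""
    if len(a) != len(b):
        raise ValueError("buffers must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def shortest_period(stream: bytes) -> int:
    """Smallest p for which stream[i] == stream[i - p] everywhere."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(plain: bytes, wire: bytes) -> bytes:
    """Decrypted XOR sent = keystream, reduced to its repeating unit."""
    stream = xor_bytes(plain, wire)
    return stream[:shortest_period(stream)]


def key_is_static(sessions) -> bool:
    """True only if every captured session yields the same key."""
    return len({recover_key(p, w) for p, w in sessions}) == 1


def toy_encrypt(plain: bytes, key: bytes) -> bytes:
    """Hypothetical stand-in for the client's cipher (assumption)."""
    return bytes(b ^ k for b, k in zip(plain, cycle(key)))


# Constructed sample data: not real Maestia packets or keys.
STATIC_KEY = bytes.fromhex("a1b2c3d4")
OTHER_KEY = bytes.fromhex("11223344")
PLAIN_1 = bytes.fromhex("0c00010a0000000000000000")
PLAIN_2 = bytes.fromhex("0800020100000000")

SESSION_A = (PLAIN_1, toy_encrypt(PLAIN_1, STATIC_KEY))
SESSION_A2 = (PLAIN_2, toy_encrypt(PLAIN_2, STATIC_KEY))
SESSION_B = (PLAIN_1, toy_encrypt(PLAIN_1, OTHER_KEY))

if __name__ == "__main__":
    print("recovered key:", recover_key(*SESSION_A).hex())
    print("static across A, A2:", key_is_static([SESSION_A, SESSION_A2]))
    print("static across A, B: ", key_is_static([SESSION_A, SESSION_B]))
```

If the key recovered from two separate connections differs, the keys are generated per session and a single XOR of one capture will not carry over to the next login.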