MAESTIA: Analyze server login packets

Initiate Mage | Joined: Mar 17, 2019 | Messages: 3 | Reaction score: 1
Hey guys,

I'm currently working on reverse engineering an old MMORPG called Maestia, which has been shut down.

I managed to reverse the client patcher and now I'm stuck on the login screen, trying to connect to the server.

When I click on login, the client just sends one packet and waits for a response:


Code:
"\x53\x88\xf0\xd8\x44\x35\xfc\x38" \
"\xff\x01\x11\x7d\x1a\xc0\xff\xab"
The data never changes, so I guess it's some sort of initial check if the server is available.

Now whatever I send back from the server, the client doesn't answer. It seems like it looks for a specific answer.

One good thing, the game itself generates a log file with decent information.

When I send a packet back to client, which is smaller than the initial packet, I get this information:

Code:
(8696) 02/28/19 21:43:37.071  [AvaCltSockEvt::ConnectToLoginServer] Open login socket success! (195.122.162.198:21001)
(5800) 02/28/19 21:43:37.080  [CRITICAL][PACKETBROKEN][206,237]PACKET-SIZE = 5904
(5800) 02/28/19 21:43:37.080  [SOCKET][CloseForce] socket 980, reason 228, old reason 255, isAlarmConnect 1
(5800) 02/28/19 21:43:37.080  [AvaCltSockEvt::OnClose] Close Reason = 228

When I send the same data back to client once or twice, I get this information:

Code:
(6152) 03/03/19 19:28:41.749  [AvaCltSockEvt::ConnectToLoginServer] Open login socket success! (195.122.162.198:21001)
(6152) 03/03/19 19:28:41.762  [Clt Net] Undefined Packet : [Main = 1] [Sub = 10]
(6152) 03/03/19 19:28:55.027  [WM_ACTIVATE] Inactivate
(11808) 03/03/19 19:29:01.847  [SOCKET][CloseForce] socket 1900, reason 224, old reason 255, isAlarmConnect 1
(11808) 03/03/19 19:29:01.847  [AvaCltSockEvt::OnClose] Close Reason = 224

What would be the best way to solve this issue or find out what exactly the client expects? It looks like it's some sort of packet header for network traffic.


PS. 195.122.162.198 redirects to my loopback adapter, it's not my actual IP.
 
Joined: Oct 8, 2006 | Messages: 740 | Reaction score: 289
Code:
"\x53\x88\xf0\xd8\x44\x35\xfc\x38" \
"\xff\x01\x11\x7d\x1a\xc0\xff\xab"

Your packet seems to be encrypted. You need to use IDA or any other debugger for applications and try to see where the client sends this packet and where it receives data from the server. Search for the recv() and send() functions (WSASend, WSARecv), possibly from the Winsock Windows library. There is a possibility that in the buffer you will see the data unencrypted, before the client encrypts it and sends it to the server. If you can get to see that, then when the client calls recv(), it will try to decrypt the data with the corresponding key.

If you take the decrypted packet from IDA and the packet you sent and XOR them, you will see the decryption key. But here there's another problem, which may be a real pain in the butt: if the encryption and decryption keys are generated dynamically per connection session, that is going to be a real headache if there's no static key table for them. Usually there are 2 sets of key tables, Server to Client and Client to Server, which I don't think you will find in files or data files. Maybe in the DLLs for the game core or other DLLs.

(DecryptedPacketFromIDA XOR YourPacketSent = Decryption key)

DecryptedPacketFromIDA = After the client has tried to decrypt the packet.
YourPacketSent = The same packet you received (the one above)

In any case, you will need to see how the packet is built, like where the size of the packet, the OPCODE and the data of the packet are. If there's no live server for this game, it will be a pain in the butt without knowledge of ASM and IDA or OllyDbg.
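
The XOR relation from the reply above, as an added example (not code from the thread or from the game): it assumes a plain XOR cipher, which the thread does not confirm, and uses constructed keys in place of a real debugger capture. It recovers the keystream, finds its repeat length, and checks whether two connections share a key or get one per session.

```python
from itertools import cycle

# Packet from the first post (16 bytes), used here only as sample ciphertext.
CAPTURED = bytes.fromhex("5388f0d84435fc38ff01117d1ac0ffab")

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length buffers."""
    if len(a) != len(b):
        raise ValueError("buffers must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def recover_keystream(decrypted: bytes, sent: bytes) -> bytes:
    """DecryptedPacketFromIDA XOR YourPacketSent, as written in the post."""
    return xor_bytes(decrypted, sent)

def shortest_period(ks: bytes) -> int:
    """Smallest p for which ks is its first p bytes repeated (p == len: no repeat seen)."""
    for p in range(1, len(ks) + 1):
        if all(ks[i] == ks[i % p] for i in range(len(ks))):
            return p
    return len(ks)

def classify_sessions(pairs) -> str:
    """pairs: (decrypted, sent) tuples, one per connection.
    'static' if all sessions give the same keystream, else 'per-session'."""
    streams = [recover_keystream(d, s) for d, s in pairs]
    n = min(len(k) for k in streams)
    same = all(k[:n] == streams[0][:n] for k in streams)
    return "static" if same else "per-session"

def simulate_client_decrypt(sent: bytes, key: bytes) -> bytes:
    """Stand-in for the buffer read in the debugger: sent XOR repeating key."""
    return bytes(b ^ k for b, k in zip(sent, cycle(key)))

def demo():
    key_a, key_b = b"\x10\x20\x30\x40", b"\x55\x66\x77\x88"  # constructed keys
    dec_a = simulate_client_decrypt(CAPTURED, key_a)
    dec_b = simulate_client_decrypt(CAPTURED, key_b)
    ks = recover_keystream(dec_a, CAPTURED)
    return {
        "keystream": ks.hex(),
        "period": shortest_period(ks),
        "same_key": classify_sessions([(dec_a, CAPTURED), (dec_a, CAPTURED)]),
        "new_key": classify_sessions([(dec_a, CAPTURED), (dec_b, CAPTURED)]),
    }

if __name__ == "__main__":
    print(demo())
```

A period equal to the packet length means no repetition was observed within that packet, so a longer capture is needed before concluding anything about the key size.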
 