Welcome!

Join our community of MMO enthusiasts and game developers! By registering, you'll gain access to discussions on the latest developments in MMO server files and collaborate with like-minded individuals. Join us today and unlock the potential of MMO server development!

Join Today!

Reverse Engineering Packet Structures Through The Client?

Elite Diviner
Joined
Apr 28, 2012
Messages
420
Reaction score
439
encrypt function can be found here:

result:

function looks "terrible")))
Code:
int __stdcall sub_500B70(int a1, int *a2, unsigned int *a3)
{
  int result; // eax@1
  unsigned int v4; // edx@1
  unsigned int v5; // ecx@1
  unsigned int v6; // edx@1
  unsigned int v7; // ecx@1
  unsigned int v8; // edx@1
  unsigned int v9; // ecx@1
  unsigned int v10; // edx@1
  unsigned int v11; // ecx@1
  unsigned int v12; // edx@1
  unsigned int v13; // ecx@1
  unsigned int v14; // edx@1
  unsigned int v15; // ecx@1
  unsigned int v16; // edx@1
  unsigned int v17; // ecx@1
  unsigned int v18; // edx@1
  unsigned int v19; // ecx@1
  int v20; // ebx@1
  unsigned __int8 v21; // bp@1
  int v22; // ecx@1

  result = a1;
  v4 = *a2 ^ *(a1 + 8);
  v5 = *a3 ^ *(a1 + 12) ^ (*(a1 + 4 * (*a2 ^ *(a1 + 8)) + 3152)
                         + (*(a1 + 4 * BYTE1(v4) + 2128) ^ (*(a1 + 4 * (v4 >> 24) + 80)
                                                          + *(a1 + 4 * ((v4 >> 16) & 0xFF) + 1104))));
  v6 = *(a1 + 16) ^ (*(a1
                     + 4
                     * (*a3 ^ *(a1 + 12) ^ (*(a1 + 4 * (*a2 ^ *(a1 + 8)) + 3152)
                                          + (*(a1 + 4 * BYTE1(v4) + 2128) ^ (*(a1 + 4 * (v4 >> 24) + 80)
                                                                           + *(a1 + 4 * ((v4 >> 16) & 0xFF) + 1104)))))
                     + 3152)
                   + (*(a1 + 4 * BYTE1(v5) + 2128) ^ (*(a1 + 4 * (v5 >> 24) + 80)
                                                    + *(a1 + 4 * ((v5 >> 16) & 0xFF) + 1104)))) ^ v4;
  v7 = *(a1 + 20) ^ (*(a1 + 4 * v6 + 3152)
                   + (*(a1 + 4 * BYTE1(v6) + 2128) ^ (*(a1 + 4 * (v6 >> 24) + 80)
                                                    + *(a1 + 4 * ((v6 >> 16) & 0xFF) + 1104)))) ^ v5;
  v8 = *(a1 + 24) ^ (*(a1 + 4 * v7 + 3152)
                   + (*(a1 + 4 * BYTE1(v7) + 2128) ^ (*(a1 + 4 * (v7 >> 24) + 80)
                                                    + *(a1 + 4 * ((v7 >> 16) & 0xFF) + 1104)))) ^ v6;
  v9 = *(a1 + 28) ^ (*(a1 + 4 * v8 + 3152)
                   + (*(a1 + 4 * BYTE1(v8) + 2128) ^ (*(a1 + 4 * (v8 >> 24) + 80)
                                                    + *(a1 + 4 * ((v8 >> 16) & 0xFF) + 1104)))) ^ v7;
  v10 = *(a1 + 32) ^ (*(a1 + 4 * v9 + 3152)
                    + (*(a1 + 4 * BYTE1(v9) + 2128) ^ (*(a1 + 4 * (v9 >> 24) + 80)
                                                     + *(a1 + 4 * ((v9 >> 16) & 0xFF) + 1104)))) ^ v8;
  v11 = *(a1 + 36) ^ (*(a1 + 4 * v10 + 3152)
                    + (*(a1 + 4 * BYTE1(v10) + 2128) ^ (*(a1 + 4 * (v10 >> 24) + 80)
                                                      + *(a1 + 4 * ((v10 >> 16) & 0xFF) + 1104)))) ^ v9;
  v12 = *(a1 + 40) ^ (*(a1 + 4 * v11 + 3152)
                    + (*(a1 + 4 * BYTE1(v11) + 2128) ^ (*(a1 + 4 * (v11 >> 24) + 80)
                                                      + *(a1 + 4 * ((v11 >> 16) & 0xFF) + 1104)))) ^ v10;
  v13 = *(a1 + 44) ^ (*(a1 + 4 * v12 + 3152)
                    + (*(a1 + 4 * BYTE1(v12) + 2128) ^ (*(a1 + 4 * (v12 >> 24) + 80)
                                                      + *(a1 + 4 * ((v12 >> 16) & 0xFF) + 1104)))) ^ v11;
  v14 = *(a1 + 48) ^ (*(a1 + 4 * v13 + 3152)
                    + (*(a1 + 4 * BYTE1(v13) + 2128) ^ (*(a1 + 4 * (v13 >> 24) + 80)
                                                      + *(a1 + 4 * ((v13 >> 16) & 0xFF) + 1104)))) ^ v12;
  v15 = *(a1 + 52) ^ (*(a1 + 4 * v14 + 3152)
                    + (*(a1 + 4 * BYTE1(v14) + 2128) ^ (*(a1 + 4 * (v14 >> 24) + 80)
                                                      + *(a1 + 4 * ((v14 >> 16) & 0xFF) + 1104)))) ^ v13;
  v16 = *(a1 + 56) ^ (*(a1 + 4 * v15 + 3152)
                    + (*(a1 + 4 * BYTE1(v15) + 2128) ^ (*(a1 + 4 * (v15 >> 24) + 80)
                                                      + *(a1 + 4 * ((v15 >> 16) & 0xFF) + 1104)))) ^ v14;
  v17 = *(a1 + 60) ^ (*(a1 + 4 * v16 + 3152)
                    + (*(a1 + 4 * BYTE1(v16) + 2128) ^ (*(a1 + 4 * (v16 >> 24) + 80)
                                                      + *(a1 + 4 * ((v16 >> 16) & 0xFF) + 1104)))) ^ v15;
  v18 = *(a1 + 64) ^ (*(a1 + 4 * v17 + 3152)
                    + (*(a1 + 4 * BYTE1(v17) + 2128) ^ (*(a1 + 4 * (v17 >> 24) + 80)
                                                      + *(a1 + 4 * ((v17 >> 16) & 0xFF) + 1104)))) ^ v16;
  v19 = *(a1 + 68) ^ (*(a1 + 4 * v18 + 3152)
                    + (*(a1 + 4 * BYTE1(v18) + 2128) ^ (*(a1 + 4 * (v18 >> 24) + 80)
                                                      + *(a1 + 4 * ((v18 >> 16) & 0xFF) + 1104)))) ^ v17;
  v20 = *(a1 + 4 * BYTE1(v19) + 2128) ^ (*(a1 + 4 * (v19 >> 24) + 80) + *(a1 + 4 * ((v19 >> 16) & 0xFF) + 1104));
  v21 = v19;
  v22 = *(a1 + 76) ^ v19;
  *a3 = *(a1 + 72) ^ (*(a1 + 4 * v21 + 3152) + v20) ^ v18;
  *a2 = v22;
  return result;
}
 
Newbie Spellweaver
Joined
Aug 14, 2015
Messages
79
Reaction score
18
Spot on as always. I've translated those to C couple months back so I can save you the trouble.
 
YEy i has custom title^_^
Joined
Sep 29, 2006
Messages
452
Reaction score
66
One way to analyze packets from client only is to hook the functions that write the bytes and makes the packet. This way you can basically just sniff the packet while being created and get the structure same time, however this wont tell you what all the bytes represent but it would speed up analyzing them as you dont have to figure the structure out yourself.
 
Newbie Spellweaver
Joined
Aug 14, 2015
Messages
79
Reaction score
18
zarut said:
hook the functions that write the bytes and makes the packet

Could you elaborate on that please? How would I accomplish this? From what I could gather in assembly most functions don't use a separate writing function. It's mostly like:

Code:
lea edx, [buffer_addr + offset]
mov [edx], 5

Incase my assembly isn't correct, here's what I mean in C:
buffer[offset] = 5;
 
YEy i has custom title^_^
Joined
Sep 29, 2006
Messages
452
Reaction score
66
Could you elaborate on that please? How would I accomplish this? From what I could gather in assembly most functions don't use a separate writing function. It's mostly like:

Code:
lea edx, [buffer_addr + offset]
mov [edx], 5

Incase my assembly isn't correct, here's what I mean in C:
buffer[offset] = 5;
Here is a tutorial how its accomplished in silkroad:
 
Back
Top