Reverse Engineering Packet Structures Through The Client?

Initiate Mage (joined Aug 14, 2015; 79 messages; reaction score 18)
Hello people. I've been working on an emulator and using an existing server to gather/analyze the packet structures. Although there's a fair amount of end-game packets that I am not able to get. If there's anyone who's worked on an emulator by gathering packet structures from the client, I would love to hear how they did it.
 
Ask me about Daoism, Member (joined Nov 6, 2010; 1,560 messages; reaction score 393)
Depends on the client, broski.

For something like Flash, decompiling may be the key. Shockwave, on the other hand, leaves you with very little to do because it's a closed format. Games that can be decompiled, namely those that have to be installed, can typically be reverse-engineered. But it all depends on the file format.

I feel your pain, though. Spineworld is a defunct Shockwave game and I have to rely on someone's help to get server -> client packets since they refuse to release their server.
 
Initiate Mage (joined Aug 14, 2015; 79 messages; reaction score 18)
The client is in .exe format (not a .NET app), so I guess that eliminates the complete decompiling option. I was able to figure out the encryption stuff through disassembly but can't seem to find the routine where it decides the type of packet it receives and calls the handler for that packet.
 
Initiate Mage (joined Aug 14, 2015; 79 messages; reaction score 18)


It's not packed.
It's using a weird blowfish encryption, so I believe a regular blowfish library doesn't work.
I can provide some opcodes if needed.
A text-based explanation should be fine, I think. An example that I can look up through IDA would also be appreciated if possible.
 
Elite Diviner (joined Apr 28, 2012; 420 messages; reaction score 439)
1. thx for the client)
2.
3. (struck through) and, most importantly) does anyone know the exe startup params? (command line)
===upd===
...I understand everything)
need to edit archlord.ini
 
Initiate Mage (joined Aug 14, 2015; 79 messages; reaction score 18)
Nicely done sir. That's exactly how it works. If you require the encryption/decryption methods please let me know and I'll send them your way.

And as for startup parameters:
"alefclient.exe 1:462634161 2:username|user_id|user_token|ewq"
 
Elite Diviner (joined Apr 28, 2012; 420 messages; reaction score 439)
@AcarX
Do you have a traffic exchange (sniff log) between the client and the official server?
I need packets 3-4 (in order), i.e.:
1. client->server
2. server->client
3. client->server
..
..
----------------
I want to restore the exchange; I'm not sure that the first packet (C->S) is encrypted.
 
Initiate Mage (joined Aug 14, 2015; 79 messages; reaction score 18)
The first couple of packets aren't encrypted, since 2 of them have the blowfish key (the server sends its key first, the client encrypts its own key with the server key and sends the encrypted client key, then the server decrypts that key and uses it for client packets for the rest of the conversation).

The official server shut down a couple of years back and the only English online server is . That's why I'd like to figure out how to analyze packets through the client if possible. I have a functional sniffer for justac, so please let me know if you need it.

Edit:
Here are the first 2 packets the server sends. The second one has the server key, which is 32 bytes. Once you send those 2, the client should send an encrypted client key, which is also 32 bytes.

Code:
unsigned char firstPacket[26]  = { 0xd6, 0x1a, 0x00, 0x48, 0xfe, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xfe, 0x35,
                                   0x00, 0x03, 0x06, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                   0x00, 0x6b };
unsigned char secondPacket[50] = { 0xd6, 0x32, 0x00, 0x48, 0x06, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00,
                                   0x09, 0x03, 0x01, 0x20, 0x00, 0x14, 0x07, 0x0e, 0x29, 0xf4, 0x97, 0x1a,
                                   0x9a, 0xdb, 0xc0, 0x30, 0x27, 0xb5, 0xff, 0xc9, 0xa7, 0xfd, 0x60, 0x20,
                                   0x8e, 0xac, 0xf0, 0x01, 0xbf, 0xcc, 0x71, 0x0a, 0xae, 0x4c, 0xe3, 0x95,
                                   0x49, 0x6b };
 
Elite Diviner (joined Apr 28, 2012; 420 messages; reaction score 439)
Does it correctly decode the packets from justac?
What was it written in (Java, C#, etc.)?
Send it to me (in PM).
===upd===
yes... after the server sends two packets, the client responds with something (key?)

===upd===
AcarX
(struck through) key (if that is the key) does not take up the full packet body) (key, key)) )
hmm..
D6 - login server flag? (or a flag to install crypto)
next (2 bytes?) - size (100%)
6b - end marker?
... too little information (need more packets for analysis)
===upd===
aha, 32-byte key length in packets no. 3/4 (server/client) (dynamic values):
 
Initiate Mage (joined Aug 14, 2015; 79 messages; reaction score 18)
Alright so here's all I know about packet structures so far:

- All decrypted packets begin with 0xD6 and end with 0x6B.
- All encrypted server packets begin with 0xA1 and end with 0xAF.
- All encrypted client packets begin with 0xB1 and end with 0xBF.
- Second and third bytes are for size.

For decrypted packets:
- 3rd byte is first opcode.
- Bytes 4-13 (9 bytes) have no significance from what I can tell; maybe struct padding.
- 14th and 15th bytes are rest of opcodes.
- Keys begin after [0x20, 0x00] (= 32 bytes)
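
The layout above, turned into a dissector as an added example (this is not code from the original post or from the game; the field names opcode, sub_opcode and payload are my labels for the bytes the post describes, and the two server packets posted earlier are used as the sample input). It also splits a TCP stream into frames on the size field, which a sniffer or emulator has to do because TCP does not preserve message boundaries, and pulls the 32-byte server key out of the second packet:

```python
# Added example (not code from the original post): a dissector for the
# plaintext Archlord frames as described in the thread, run over the two
# server packets posted above. Field names (opcode, sub_opcode, payload)
# are my labels for the bytes the thread describes, not the game's names.
import struct

# Marker pairs given in the thread: plaintext, encrypted server->client,
# encrypted client->server.
MARKERS = {
    (0xD6, 0x6B): "plain",
    (0xA1, 0xAF): "server-encrypted",
    (0xB1, 0xBF): "client-encrypted",
}

# The two server packets posted earlier in the thread, copied verbatim.
FIRST_PACKET = bytes([
    0xd6, 0x1a, 0x00, 0x48, 0xfe, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xfe, 0x35,
    0x00, 0x03, 0x06, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x6b,
])
SECOND_PACKET = bytes([
    0xd6, 0x32, 0x00, 0x48, 0x06, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00,
    0x09, 0x03, 0x01, 0x20, 0x00, 0x14, 0x07, 0x0e, 0x29, 0xf4, 0x97, 0x1a,
    0x9a, 0xdb, 0xc0, 0x30, 0x27, 0xb5, 0xff, 0xc9, 0xa7, 0xfd, 0x60, 0x20,
    0x8e, 0xac, 0xf0, 0x01, 0xbf, 0xcc, 0x71, 0x0a, 0xae, 0x4c, 0xe3, 0x95,
    0x49, 0x6b,
])


class FrameError(ValueError):
    """Raised when a buffer does not match the framing described in the thread."""


def classify(frame):
    """Return the frame kind from its first/last byte and check that the LE16
    size field (bytes 1-2, which the thread says every frame carries) spans
    exactly this buffer."""
    if len(frame) < 4:
        raise FrameError("frame too short")
    kind = MARKERS.get((frame[0], frame[-1]))
    if kind is None:
        raise FrameError("unknown marker pair %#04x/%#04x" % (frame[0], frame[-1]))
    (size,) = struct.unpack_from("<H", frame, 1)
    if size != len(frame):
        raise FrameError("size field %d != frame length %d" % (size, len(frame)))
    return kind


def parse_plain(frame):
    """Dissect a plaintext frame with the layout the thread worked out:
    marker, LE16 size, opcode byte, 9 unattributed bytes, two more opcode
    bytes, a LE16 payload length, the payload, then the 0x6B terminator."""
    if classify(frame) != "plain":
        raise FrameError("not a plaintext frame")
    (payload_len,) = struct.unpack_from("<H", frame, 15)
    end = 17 + payload_len
    if end + 1 != len(frame):
        raise FrameError("payload length %d does not reach the terminator" % payload_len)
    return {
        "size": len(frame),
        "opcode": frame[3],
        "unknown": frame[4:13],
        "sub_opcode": frame[13:15],
        "payload_len": payload_len,
        "payload": frame[17:end],
    }


def split_frames(buf):
    """Cut a TCP stream into frames on the size field. Returns the complete
    frames and whatever partial frame is left at the end of the buffer."""
    frames = []
    pos = 0
    while len(buf) - pos >= 3:
        (size,) = struct.unpack_from("<H", buf, pos + 1)
        if size < 4:
            raise FrameError("bogus size %d at offset %d" % (size, pos))
        if len(buf) - pos < size:
            break  # wait for more data
        frame = buf[pos:pos + size]
        classify(frame)  # raises if the marker bytes show we lost sync
        frames.append(frame)
        pos += size
    return frames, buf[pos:]


def server_key(second_packet):
    """The 32-byte server Blowfish key that, per the thread, rides in the
    payload of the second server packet."""
    info = parse_plain(second_packet)
    if info["payload_len"] != 32:
        raise FrameError("expected a 32-byte key, got %d" % info["payload_len"])
    return info["payload"]


if __name__ == "__main__":
    frames, rest = split_frames(FIRST_PACKET + SECOND_PACKET)
    for f in frames:
        info = parse_plain(f)
        print("opcode %#04x sub %s payload(%d) %s" % (
            info["opcode"], info["sub_opcode"].hex(),
            info["payload_len"], info["payload"].hex()))
    print("server key:", server_key(SECOND_PACKET).hex())
```

Both posted packets check out against the layout: the length prefix at bytes 15-16 is 8 in the first (eight zero bytes follow) and 32 in the second (the key), and in each case the prefix plus the fixed header lands exactly on the 0x6B terminator. Whether the size field stays in the clear on 0xA1/0xB1 frames is taken from the post's general claim about all packets; if it turns out to be encrypted too, split_frames needs the decryptor in the loop.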
 
Initiate Mage (joined Jul 17, 2013; 90 messages; reaction score 18)

Let me finish my work for the day and i'll take a look for you.
 
Initiate Mage (joined Aug 14, 2015; 79 messages; reaction score 18)
I appreciate all the help, guys. I'd like to clarify my aim once again, though. If possible I'd like to analyze packet structures through the client instead of being dependent on an online server. While I was messing around in IDA I found a bunch of strings such as "Agpm::Character OnReceive(1) ..", "Agpm::Item OnReceive(1)". I believe Agpm stands for "Archlord game packet manager". Although I wasn't able to make much sense of what was happening due to my lack of assembly knowledge.
 
Initiate Mage (joined Jul 17, 2013; 90 messages; reaction score 18)

If that is the goal, you are in for a long, hard trip, as most games do not leave enough information to "easily" pull structure data from ASM.

Most of the time it simply compiles the data for each opcode function and copies it to a reserved set of memory that was created based on the final packet size. That memory location is then usually pushed to whatever function handles the encryption, if any is present.

So really what you are looking at doing is a ton of reverse engineering to go step by step as a particular packet is received and handled, to see what kind of data it pulls off and attempt to see what it does with that data. This is usually why people take large dumps of packets and analyze them, so they can see the exact data in use and modify it as they need to see the desired effect.

Ill use another game as an example.

Here is the packet data for character deletion, decrypted of course.

Code:
12 00 18 05 02 00 00 00  06 33 34 35 33 34 35 00  ........  .345345.
2E 1A                                             ..

I know from working with the game for a few days that the opcode for the function is 0x0518

Here is the function in game that creates that packet.

Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
00818E10  /$  55            PUSH EBP                                 ; GDMO.00818E10(guessed Arg1,Arg2)
00818E11  |.  8BEC          MOV EBP,ESP
00818E13  |.  51            PUSH ECX
00818E14  |.  894D FC       MOV DWORD PTR SS:[LOCAL.1],ECX
00818E17  |.  68 18050000   PUSH 518                                 ; /Arg1 = 518
00818E1C  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
00818E1F  |.  E8 DC86C0FF   CALL 00421500                            ; \GDMO.00421500
00818E24  |.  8B45 08       MOV EAX,DWORD PTR SS:[ARG.1]
00818E27  |.  50            PUSH EAX                                 ; /Arg1 => [ARG.1]
00818E28  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
00818E2B  |.  E8 507DC0FF   CALL 00420B80                            ; \GDMO.00420B80
00818E30  |.  8B4D 0C       MOV ECX,DWORD PTR SS:[ARG.2]
00818E33  |.  51            PUSH ECX                                 ; /Arg1 => [ARG.2]
00818E34  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
00818E37  |.  E8 1488C0FF   CALL 00421650                            ; \GDMO.00421650
00818E3C  |.  68 18050000   PUSH 518                                 ; /Arg1 = 518
00818E41  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
00818E44  |.  E8 9786C0FF   CALL 004214E0                            ; \GDMO.004214E0
00818E49  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]
00818E4C  |.  E8 0F81C0FF   CALL 00420F60                            ; [GDMO.00420F60
00818E51  |.  8BE5          MOV ESP,EBP
00818E53  |.  5D            POP EBP
00818E54  \.  C2 0800       RETN 8

Can you tell what the structure of the above packet is by looking at the dump?

How about with this?
Code:
int __thiscall sub_818E10(void *this, char Src, wchar_t *Str)
{
  void *v3; // ST04_4@1

  v3 = this;
  sub_421500((int)this, 1304);
  sub_420B80(Src);
  sub_421650(Str);
  sub_4214E0(v3, 1304);
  return sub_420F60(v3);
}


I know the structure of the above packet and code, it basically breaks down to this.
Code:
#pragma pack(push, 1)
struct  MSG_REQUEST_CHAR_DELETE
{
    WORD  pSize;        // Packet size (whole packet; 0x0012 in the dump above)
    WORD  pFunction;    // Packet function / opcode (0x0518)
    DWORD cNumber;      // Character slot to delete
    BYTE  nSize;        // Size of the name/email field that follows
    CHAR  cEmail[6];    // Email address to verify the delete; nSize bytes on the wire (6 in this dump), not a pointer
    BYTE  bPad;         // 0x00 for padding
    WORD  sWord;        // Security bytes for the packet
};
#pragma pack(pop)

So I guess my final point is this: unless you are very intimate with the game in question, it is going to be difficult to do what you want, and my advice is to learn from the packets first and then perhaps eventually you will be able to spot them in ASM. I usually dump the packets first, then if I find one that interests me that I cannot figure out without looking at the ASM, I search for the opcode for the function and just debug it as it processes that particular packet.

Sorry if this is not what you wanted, I am just trying to save you some time.

//Edit

This is an overly simplified example; the code above is not the complete code used to handle the deletion, it is simply the building of the packet. Prior steps include parsing the email entry and verifying its size etc.



Also if you want, I can see about creating a system that will dump the packets for you in their decrypted form, assuming the game is still live.
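
The approach in the post above, as an added example (mine, not the poster's code or the game's): walk the decrypted MSG_REQUEST_CHAR_DELETE dump with the layout the post gives, rebuild it to confirm the layout accounts for every byte, and then do the search the post recommends, finding the PUSH 518 sites in the code and resolving the CALLs around them. The code bytes are reassembled from the hex column of the OllyDbg listing above, and the base address is the one shown there; the two scans are flat byte searches, a triage heuristic rather than a disassembler:

```python
# Added example (not the poster's code): dissect the decrypted char-delete
# dump with the struct from the post, round-trip it, and locate the opcode
# pushes and call targets in the builder function's bytes.
import struct

OPCODE_CHAR_DELETE = 0x0518

# Decrypted packet from the post (constructed from its hex dump).
DUMP = bytes.fromhex("12 00 18 05 02 00 00 00 06 33 34 35 33 34 35 00 2E 1A")

# The builder function's bytes, copied from the hex column of the listing,
# and its load address from the same listing.
FUNC_BASE = 0x00818E10
FUNC_CODE = bytes.fromhex(
    "55 8BEC 51 894DFC 68 18050000 8B4DFC E8DC86C0FF 8B4508 50 8B4DFC"
    " E8507DC0FF 8B4D0C 51 8B4DFC E81488C0FF 68 18050000 8B4DFC E89786C0FF"
    " 8B4DFC E80F81C0FF 8BE5 5D C20800"
)


def parse_char_delete(pkt):
    """Walk the packet with the struct the post gives: WORD size, WORD
    function, DWORD slot, BYTE name length, name bytes, BYTE pad, WORD
    security word. Every byte must be accounted for or the layout is wrong."""
    size, func = struct.unpack_from("<HH", pkt, 0)
    if size != len(pkt):
        raise ValueError("size field %d != packet length %d" % (size, len(pkt)))
    if func != OPCODE_CHAR_DELETE:
        raise ValueError("unexpected opcode %#06x" % func)
    (slot,) = struct.unpack_from("<I", pkt, 4)
    nsize = pkt[8]
    if 12 + nsize != len(pkt):
        raise ValueError("layout leaves %d unexplained bytes" % (len(pkt) - 12 - nsize))
    name = pkt[9:9 + nsize]
    pad = pkt[9 + nsize]
    (security,) = struct.unpack_from("<H", pkt, 10 + nsize)
    return {"size": size, "opcode": func, "slot": slot,
            "name": name.decode("ascii"), "pad": pad, "security": security}


def build_char_delete(slot, name, security):
    """Inverse of parse_char_delete; the size word is filled in last, once the
    variable-length name is known."""
    raw = name.encode("ascii")
    body = (struct.pack("<HIB", OPCODE_CHAR_DELETE, slot, len(raw)) + raw
            + b"\x00" + struct.pack("<H", security))
    return struct.pack("<H", 2 + len(body)) + body


def find_push_imm32(code, base, value):
    """Addresses of 'PUSH imm32' (opcode 0x68) whose immediate equals value.
    A flat byte scan can also match a 0x68 inside another instruction's
    operand, so confirm hits in the disassembler before trusting them."""
    needle = b"\x68" + struct.pack("<I", value)
    hits, pos = [], code.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = code.find(needle, pos + 1)
    return hits


def call_targets(code, base):
    """Resolve every near 'CALL rel32' (opcode 0xE8) in the blob as
    (call site, target): target = address after the 5-byte call + signed
    displacement. Same flat-scan caveat as above."""
    targets, pos = [], code.find(b"\xe8")
    while pos != -1 and pos + 5 <= len(code):
        (rel,) = struct.unpack_from("<i", code, pos + 1)
        targets.append((base + pos, (base + pos + 5 + rel) & 0xFFFFFFFF))
        pos = code.find(b"\xe8", pos + 5)
    return targets


if __name__ == "__main__":
    print(parse_char_delete(DUMP))
    for addr in find_push_imm32(FUNC_CODE, FUNC_BASE, OPCODE_CHAR_DELETE):
        print("PUSH %#x at %08X" % (OPCODE_CHAR_DELETE, addr))
    for site, target in call_targets(FUNC_CODE, FUNC_BASE):
        print("CALL at %08X -> %08X" % (site, target))
```

Run against the listing's bytes this reports the two PUSH 518 sites (00818E17 and 00818E3C) and the five call targets the disassembler printed (00421500, 00420B80, 00421650, 004214E0, 00420F60), which is the point of the exercise: once a dump gives you an opcode, a search for its immediate is usually the fastest way into the function that builds or handles it, and the calls around the push are where the fields get appended.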
 
Initiate Mage (joined Aug 14, 2015; 79 messages; reaction score 18)
Thanks for the great answer. From what I understand there's no way around having to collect packet samples from an online server unless you're a beast at assembly, which I am not. And considering my issue is having problems accessing certain packets, I guess I'm in a pickle here.

As for a system to dump packets, I built a sniffer a couple of months back which does what I need it to do. Thanks for the suggestion though.
 
Initiate Mage (joined Jul 17, 2013; 90 messages; reaction score 18)

No problem, I figured I would pass along the offer.
 