Reverse Engineering Packet Structures Through The Client?

  1. #1
    AcarX (Member, joined Aug 2015, 79 posts)

    Reverse Engineering Packet Structures Through The Client?
    Hello people. I've been working on an emulator and using an existing server to gather/analyze the packet structures. However, there's a fair amount of end-game packets that I am not able to get. If there's anyone who's worked on an emulator by gathering packet structures from the client, I would love to hear how they did it.


  2. #2
    FullmetalPride ("Ask me about Daoism"; Alpha Male, joined Nov 2010, 2,172 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    Depends on the client, broski.

    For something like Flash, decompiling may be the key. Shockwave, on the other hand, leaves you with very little to do because it's a closed format. Games that can be decompiled, namely those that have to be installed, can typically be reverse-engineered. But it all depends on the file format.

    I feel your pain, though. Spineworld is a defunct Shockwave game and I have to rely on someone's help to get server -> client packets since they refuse to release their server.
    I speak Norwegian

  3. #3
    AcarX (Member, joined Aug 2015, 79 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    The client is an .exe (not a .NET app), so I guess that eliminates the complete-decompiling option. I was able to figure out the encryption stuff through disassembly but can't seem to find the routine where it decides the type of packet it receives and calls the handler for that packet.

  4. #4
    jonnybravo (True Member, joined Sep 2006, 764 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    Post the EXE, might be able to help.

    Is it packed?
    Is the encryption lib base?

    need pics to walk u thru it?

  5. #5
    AcarX (Member, joined Aug 2015, 79 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    Exe with DLLs

    It's not packed.
    It's using a weird blowfish encryption so I believe regular blowfish library doesn't work.
    Can provide some opcodes if needed.
    A text-based explanation should be fine I think. An example that I can look up in IDA would also be appreciated if possible.

  6. #6
    lastfun ("only asm, only hardcore!"; Developer, Russia, joined Apr 2012, 422 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    need a link for the full client ^^

  7. #7
    AcarX (Member, joined Aug 2015, 79 posts)

    Re: Reverse Engineering Packet Structures Through The Client?


  8. #8
    lastfun ("only asm, only hardcore!"; Developer, Russia, joined Apr 2012, 422 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    1. thx for client)
    2. exe with GG killed for ^^ client
    [STRIKE]3. and, most importantly) someone knows exe startup param? (command line)[/STRIKE]
    ===upd===
    ...i understand everything)
    need edit archlord.ini
    Last edited by lastfun; 14-04-16 at 10:40 AM.

  9. #9
    AcarX (Member, joined Aug 2015, 79 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    Nicely done sir. That's exactly how it works. If you require the encryption/decryption methods please let me know and I'll send them your way.

    And as for startup parameters:
    "alefclient.exe 1:462634161 2:username|user_id|user_token|ewq"

  10. #10
    lastfun ("only asm, only hardcore!"; Developer, Russia, joined Apr 2012, 422 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    @AcarX
    do you have a traffic exchange (sniff log) between the client and the official server?
    I need packets 3-4 (in order), i.e.:
    1. client->server
    2. server->client
    3. client->server
    ..
    ..
    ----------------
    I want to restore the exchange; I'm not sure whether the first packet (C->S) is encrypted
    Last edited by lastfun; 14-04-16 at 07:23 PM.

  11. #11
    AcarX (Member, joined Aug 2015, 79 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    The first couple of packets aren't encrypted, since 2 of them carry the blowfish key (the server sends its key first, the client encrypts its own key with the server key and sends the encrypted client key, then the server decrypts that key and uses it for client packets for the rest of the conversation).

    The official server shut down a couple of years back and the only English online server is justac. That's why I'd like to figure out how to analyze packets through the client if possible. I have a functional sniffer for justac, so please let me know if you need it.

    Edit:
    Here are the first 2 packets the server sends. The second one has the server key, which is 32 bytes. Once you send those 2, the client should send an encrypted client key, which is also 32 bytes.

    Code:
    /* server -> client, frame 1: 26 bytes (size field 0x1a 0x00, little-endian) */
    static const unsigned char firstPacket[26]  = { 0xd6, 0x1a, 0x00, 0x48, 0xfe, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xfe, 0x35, 0x00, 0x03, 0x06, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6b };
    /* server -> client, frame 2: 50 bytes; the 32-byte server key follows 0x20, 0x00 */
    static const unsigned char secondPacket[50] = { 0xd6, 0x32, 0x00, 0x48, 0x06, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x09, 0x03, 0x01, 0x20, 0x00, 0x14, 0x07, 0x0e, 0x29, 0xf4, 0x97, 0x1a, 0x9a, 0xdb, 0xc0, 0x30, 0x27, 0xb5, 0xff, 0xc9, 0xa7, 0xfd, 0x60, 0x20, 0x8e, 0xac, 0xf0, 0x01, 0xbf, 0xcc, 0x71, 0x0a, 0xae, 0x4c, 0xe3, 0x95, 0x49, 0x6b };
    Last edited by AcarX; 14-04-16 at 11:14 PM.

  12. #12
    FullmetalPride ("Ask me about Daoism"; Alpha Male, joined Nov 2010, 2,172 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    Ok, I had no idea you were this capable. I wouldn't have dumbed-down my response to you, but this is absolutely the way to go man.
    I speak Norwegian

  13. #13
    lastfun ("only asm, only hardcore!"; Developer, Russia, joined Apr 2012, 422 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    Quote Originally Posted by AcarX:
    I have a functional sniffer for justac so please let me know if you need it.
    does it correctly decode the packets from justac?
    which language was it written in (Java, C#, etc.)?
    send it to me (in PM)
    ===upd===
    yes... after two packets sent (from the server), the client responds with something (key?)

    ===upd===
    @AcarX
    [STRIKE]key (if that key) - does not take full packet body )[/STRIKE] (key, key)) )
    hmm..
    D6 - flag login server? (or flag install crypto)
    next (2 bytes?) - size (100%)
    6b - marker end?
    ... little information (need more packets for analysis)
    ===upd===
    aha, 32 bytes key len in packet №3/4 (server/client) (dynamic values):
    Last edited by lastfun; 15-04-16 at 01:06 PM.

  14. #14
    AcarX (Member, joined Aug 2015, 79 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    Alright so here's all I know about packet structures so far:

    - All decrypted packets begin with 0xD6 and end with 0x6B.
    - All encrypted server packets begin with 0xA1 and end with 0xAF.
    - All encrypted client packets begin with 0xB1 and end with 0xBF.
    - Second and third bytes are for size.

    For decrypted packets:
    - 3rd byte is first opcode.
    - 4-13 (9 bytes) has no significance from what I can tell. maybe struct padding.
    - 14th and 15th bytes are rest of opcodes.
    - Keys begin after [0x20, 0x00] (= 32 bytes)
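A frame parser for the layout AcarX lays out in posts #11 and #14, added here as an example (it is not code from the thread or from any emulator project). The two server frames are the ones posted in #11; the field names, and reading 0x20 0x00 as a 32-byte little-endian length prefix, are my assumptions.

```python
import struct

# Framing from posts #11/#14: plaintext 0xD6..0x6B, encrypted S->C 0xA1..0xAF,
# encrypted C->S 0xB1..0xBF; bytes 1-2 = frame length (little-endian);
# a 32-byte key follows 0x20 0x00 (which is itself 32 as a little-endian u16).
FRAME_MARKERS = {0xD6: ("plain", 0x6B), 0xA1: ("enc_s2c", 0xAF), 0xB1: ("enc_c2s", 0xBF)}
KEY_LEN = 32

def parse_frame(buf: bytes) -> dict:
    """Validate marker, length and trailer, then pull out the post #14 fields (my labels)."""
    if len(buf) < 4:
        raise ValueError("frame too short")
    kind, trailer = FRAME_MARKERS.get(buf[0], (None, None))
    if kind is None:
        raise ValueError(f"unknown start marker 0x{buf[0]:02x}")
    (size,) = struct.unpack_from("<H", buf, 1)
    if size != len(buf) or buf[-1] != trailer:
        raise ValueError(f"bad length/trailer: size={size} len={len(buf)} last=0x{buf[-1]:02x}")
    frame = {"kind": kind, "size": size, "body": buf[3:-1]}
    if kind == "plain":
        frame["opcode"] = buf[3]            # the byte right after the size field
        frame["opcode_rest"] = buf[13:15]   # "14th and 15th bytes" in post #14
        idx = buf.find(b"\x20\x00", 3)      # assumed key length prefix, if present
        if idx != -1 and idx + 2 + KEY_LEN <= len(buf) - 1:
            frame["key"] = buf[idx + 2: idx + 2 + KEY_LEN]
    return frame

def split_stream(data: bytes) -> list:
    """Cut a byte stream into frames by the length field (frames coalesced in one recv())."""
    frames, off = [], 0
    while off < len(data):
        size = struct.unpack_from("<H", data, off + 1)[0] if len(data) - off >= 3 else 0
        if size < 4 or off + size > len(data):
            raise ValueError(f"truncated frame at offset {off}")
        frames.append(parse_frame(data[off:off + size]))
        off += size
    return frames

# The two server frames posted in #11, copied verbatim.
FIRST_PACKET = bytes.fromhex(
    "d6 1a 00 48 fe 00 00 00 00 fe fe 35 00 03 06 08 "
    "00 00 00 00 00 00 00 00 00 6b")
SECOND_PACKET = bytes.fromhex(
    "d6 32 00 48 06 00 00 00 00 2a 00 00 09 03 01 20 "
    "00 14 07 0e 29 f4 97 1a 9a db c0 30 27 b5 ff c9 "
    "a7 fd 60 20 8e ac f0 01 bf cc 71 0a ae 4c e3 95 "
    "49 6b")
```

Feeding a sniffer's raw stream through split_stream and logging every ValueError is a cheap way to spot where the assumed layout stops holding.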

  15. #15
    dTantra (Member, joined Jul 2013, 94 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    Quote Originally Posted by AcarX:
    Alright so here's all I know about packet structures so far:

    - All decrypted packets begin with 0xD6 and end with 0x6B.
    - All encrypted server packets begin with 0xA1 and end with 0xAF.
    - All encrypted client packets begin with 0xB1 and end with 0xBF.
    - Second and third bytes are for size.

    For decrypted packets:
    - 3rd byte is first opcode.
    - 4-13 (9 bytes) has no significance from what I can tell. maybe struct padding.
    - 14th and 15th bytes are rest of opcodes.
    - Keys begin after [0x20, 0x00] (= 32 bytes)
    Let me finish my work for the day and I'll take a look for you.


