IDB loginpacket

Hi, im searching for the loginpacket in a IDB. The op is 0x00 (0). (v118)

So far I found CLogin_OnPacket

Spoiler:

PHP Code:

---

int __thiscall CLogin::OnPacket(void *this, int a1, int a2)
{
  int result; // eax@1

  result = a1;
  switch ( a1 )
  {
    case 0:
      result = CLogin::OnCheckPasswordResult(a2);
      break;
    case 1:
      result = sub_6B7AB0((int)((char *)this - 8), a2);
      break;
    case 2:
      result = sub_6B7F40(a2);
      break;
    case 3:
      result = sub_6AC770(a2);
      break;
    case 4:
      result = sub_6AA930(a2);
      break;
    case 5:
      result = sub_6AE970(a2);
      break;
    case 6:
      result = sub_6ACF50(a2);
      break;
    case 7:
      result = sub_6B4D70(a2);
      break;
    case 8:
      result = sub_6AAA50(a2);
      break;
    case 9:
      result = sub_6B44C0(a2);
      break;
    case 10:
      result = sub_6B8440(a2);
      break;
    case 12:
      result = sub_6AE880(a2);
      break;
    case 14:
      result = sub_6B33E0(a2);
      break;
    case 13:
      result = sub_6B48E0(a2);
      break;
    case 11:
      result = sub_6B8AC0(a2);
      break;
    case 25:
      result = sub_6AA970(a2);
      break;
    case 34:
      result = sub_6AAA20(a2);
      break;
    case 28:
      result = sub_6AA8E0(a2);
      break;
    case 29:
      result = sub_6AE790(a2);
      break;
    case 30:
      result = sub_6B9080(a2);
      break;
    case 31:
      result = sub_6AA320(a2);
      break;
    case 32:
      result = sub_6AB180(a2);
      break;
    case 33:
      result = sub_6AB1D0(a2);
      break;
    default:
      if ( (unsigned int)(a1 - 211) <= 2 )
        JUMPOUT(loc_86B770);
      if ( (unsigned int)(a1 - 214) <= 2 )
        JUMPOUT(loc_701090);
      return result;
  }
  return result;
} 


---

But I'm not sure where to find the packet structure after this.

CLogin::OnCheckPasswordResult also didn't seen to be it.

Spoiler:

PHP Code:

---

int __thiscall sub_6B7AB0(int this, int a2)
{
  int v2; // edi@1
  int v3; // ecx@1
  int v4; // esi@1
  int v5; // ebp@1
  int result; // eax@3
  int v7; // eax@13
  int v8; // eax@16
  int v9; // edi@31
  int v10; // ebp@31
  int v11; // ebx@31
  bool v12; // zf@35
  int v13; // eax@38
  int v14; // [sp-3Ch] [bp-A8h]@31
  int v15; // [sp-38h] [bp-A4h]@31
  int v16; // [sp-34h] [bp-A0h]@31
  int v17; // [sp-30h] [bp-9Ch]@31
  int v18; // [sp-2Ch] [bp-98h]@31
  int v19; // [sp-28h] [bp-94h]@31
  int v20; // [sp-24h] [bp-90h]@31
  int v21; // [sp-20h] [bp-8Ch]@31
  int v22; // [sp-1Ch] [bp-88h]@31
  int v23; // [sp-18h] [bp-84h]@31
  int v24; // [sp-14h] [bp-80h]@31
  int v25; // [sp-10h] [bp-7Ch]@31
  int v26; // [sp-Ch] [bp-78h]@31
  signed int v27; // [sp-8h] [bp-74h]@4
  int v28; // [sp-4h] [bp-70h]@4
  int v29; // [sp+14h] [bp-58h]@31
  int v30; // [sp+18h] [bp-54h]@31
  int v31; // [sp+1Ch] [bp-50h]@16
  int v32; // [sp+20h] [bp-4Ch]@31
  int v33; // [sp+24h] [bp-48h]@31
  int v34; // [sp+28h] [bp-44h]@1
  int v35; // [sp+2Ch] [bp-40h]@31
  char v36; // [sp+30h] [bp-3Ch]@31
  char v37; // [sp+38h] [bp-34h]@31
  int v38; // [sp+40h] [bp-2Ch]@31
  int v39; // [sp+44h] [bp-28h]@31
  int v40; // [sp+48h] [bp-24h]@31
  int v41; // [sp+4Ch] [bp-20h]@31
  int v42; // [sp+50h] [bp-1Ch]@31
  int v43; // [sp+54h] [bp-18h]@31
  int v44; // [sp+58h] [bp-14h]@31
  int v45; // [sp+5Ch] [bp-10h]@31
  int v46; // [sp+68h] [bp-4h]@13

  v2 = this;
  v34 = this;
  v3 = *(_DWORD *)(this + 396);
  *(_DWORD *)(v34 + 472) = 0;
  (*(void (__stdcall **)(signed int))(*(_DWORD *)v3 + 64))(3);
  v4 = a2;
  v5 = (unsigned __int8)CInPacket::Decode1(a2);
  *(_BYTE *)(v2 + 580) = CInPacket::Decode1(v4);
  if ( dword_116E0CC )
    sub_6D5990(1);
  result = v5 + 1;
  switch ( v5 + 1 )
  {
    case 0:
    case 7:
    case 9:
    case 10:
      v28 = 0;
      v27 = 15;
      goto LABEL_24;
    case 3:
    case 4:
      v28 = 0;
      v27 = 16;
      goto LABEL_24;
    case 14:
      v28 = 0;
      v27 = 21;
      goto LABEL_24;
    case 6:
      v28 = 0;
      v27 = 20;
      goto LABEL_24;
    case 5:
      v28 = 0;
      v27 = 3;
      goto LABEL_24;
    case 8:
      sub_6B4B30(0, 0);
      v28 = 0;
      v27 = 17;
      goto LABEL_24;
    case 11:
      v28 = 0;
      v27 = 19;
      goto LABEL_24;
    case 12:
      v28 = 0;
      v27 = 14;
      goto LABEL_24;
    case 15:
      result = sub_6C1600(27);
      if ( result )
      {
        StringPool::GetInstance();
        v7 = *(_DWORD *)StringPool::GetString(&a2, 3201);
        sub_C76810(v7, 0);
        result = a2;
        v46 = -1;
        if ( a2 )
          result = ZXString_char____Release((volatile LONG *)(a2 - 12));
      }
      break;
    case 16:
      result = sub_6C1600(26);
      if ( result )
      {
        StringPool::GetInstance();
        v8 = *(_DWORD *)StringPool::GetString(&v31, 3201);
        v46 = 1;
        sub_C76810(v8, 0);
        result = v31;
        v46 = -1;
        if ( v31 )
          result = ZXString_char____Release((volatile LONG *)(v31 - 12));
      }
      break;
    case 17:
    case 22:
      v28 = 0;
      v27 = 33;
      goto LABEL_24;
    case 44:
      v28 = 0;
      v27 = 72;
      goto LABEL_24;
    case 45:
      v28 = 0;
      v27 = 78;
      goto LABEL_24;
    case 18:
      v28 = 0;
      v27 = 27;
      goto LABEL_24;
    case 26:
      v28 = 0;
      v27 = 40;
      goto LABEL_24;
    case 39:
      v28 = 0;
      v27 = 901;
LABEL_24:
      result = sub_6C1890(v27, v28);
      break;
    default:
      break;
  }
  if ( !v5 || v5 == 12 || v5 == 23 )
  {
    switch ( *(_BYTE *)(v2 + 580) )
    {
      case 0:
      case 1:
        if ( dword_116E0CC )
          sub_6D5990(0);
        v9 = CInPacket::Decode4(v4);
        v10 = (unsigned __int8)CInPacket::Decode1(v4);
        LOBYTE(v33) = CInPacket::Decode1(v4);
        LOBYTE(v32) = CInPacket::Decode1(v4);
        CInPacket::Decode1(v4);
        CInPacket::DecodeStr(&v30);
        v46 = 3;
        LOBYTE(v31) = CInPacket::Decode1(v4);
        LOBYTE(a2) = CInPacket::Decode1(v4);
        CInPacket::DecodeBuffer(&v36, 8);
        dword_1173128(&v36, &v42);
        CInPacket::DecodeBuffer(&v37, 8);
        dword_1173128(&v37, &v38);
        v11 = CInPacket::Decode4(v4);
        CInPacket::DecodeStr(&v29);
        v35 = (int)&v28;
        LOBYTE(v46) = 4;
        v28 = 0;
        sub_431510(&v29);
        v27 = v11;
        v23 = v38;
        v24 = v39;
        v22 = 0;
        v25 = v40;
        v21 = 0;
        v26 = v41;
        LOBYTE(v46) = 5;
        v17 = v42;
        v18 = v43;
        v19 = v44;
        v20 = v45;
        v16 = a2;
        v15 = v31;
        a2 = (int)&v14;
        v14 = 0;
        sub_431510(&v30);
        LOBYTE(v46) = 4;
        sub_6ADB90(v9, v10, v33, v32, v14, v15, v16, v17, v18, v19, v20, v21, v22, v23, v24, v25, v26, v27, v28);
        a2 = ZAllocEx_ZAllocAnonSelector___Alloc(196);
        LOBYTE(v46) = 6;
        if ( a2 )
          sub_6D87A0(v34);
        LOBYTE(v46) = 3;
        if ( v29 )
          ZXString_char____Release((volatile LONG *)(v29 - 12));
        result = v30;
        v12 = v30 == 0;
        goto LABEL_39;
      case 2:
      case 3:
        result = sub_6C1480(31, 0);
        if ( result && !*(_DWORD *)(v2 + 464) )
        {
          StringPool::GetInstance();
          v13 = *(_DWORD *)StringPool::GetString(&v35, 5);
          v46 = 2;
          sub_C76810(v13, 0);
          result = v35;
          v12 = v35 == 0;
LABEL_39:
          v46 = -1;
          if ( !v12 )
            result = ZXString_char____Release((volatile LONG *)(result - 12));
        }
        break;
      default:
        result = sub_6C1890(15, 0);
        break;
    }
  }
  return result;
} 


---

sub_6B7AB0 couldn't render in pseudo code, but that probably has nothing to do with finding the login packet.

Please don't flame :blushing: Im new to all this. I'm just trying to learn. And I've allready learnt a lot from moogra's update guide and Heidi's IDB guide. I just don't fully understand it yet.

Thanks in advance for thinking with me! :thumbup:

- - - Updated - - -

This is the error im having, big chunk of packet problems:

Spoiler:

Code:

---

Received data :
00 D2 71 96 C3 48 86 27 E3 15 E8 3D 90 9D C6 05 53 C9 09 3B 3E FE 17 53 6D 2C 48
 F1 49 94 08 94 59 66 D8 B6 EB 2A E6 82 8C F9 5C 5C EF E1 0E BC 18 EF 1B 0F 46 4
B 9B C0 DA 7B 64 69 C6 E2 62 D3 93 3D 4B E5 18 3B CE 5E 92 06 23 6C 40 66 74 6B
64 B2 2E 17 BC B2 9B 0C AE 08 14 9E 94 CB CC 04 8B 45 EF 22 C7 93 57 EB E7 C1 30
 1F 1B 61 61 02 57 4E 4B A0 B1 EF 3A 5A D7 42 BE 8C A9 7D
.Êq?├H?'Ò.Þ=??ã.S╔.;>■.Sm,H±I?.?YfÏÂÙ*µ??¨\\´ß.╝.´..FK?└┌{diãÔbË?=KÕ.;╬^?.#l@ftk
d▓..╝▓?.«..??╦╠.?E´"Ã?WÙþ┴0..aa.WNKá▒´:ZÎB¥?®}
Received data : (Unhandled)
00 D2 71 96 C3 48 86 27 E3 15 E8 3D 90 9D C6 05 53 C9 09 3B 3E FE 17 53 6D 2C 48
 F1 49 94 08 94 59 66 D8 B6 EB 2A E6 82 8C F9 5C 5C EF E1 0E BC 18 EF 1B 0F 46 4
B 9B C0 DA 7B 64 69 C6 E2 62 D3 93 3D 4B E5 18 3B CE 5E 92 06 23 6C 40 66 74 6B
64 B2 2E 17 BC B2 9B 0C AE 08 14 9E 94 CB CC 04 8B 45 EF 22 C7 93 57 EB E7 C1 30
 1F 1B 61 61 02 57 4E 4B A0 B1 EF 3A 5A D7 42 BE 8C A9 7D
.Êq?├H?'Ò.Þ=??ã.S╔.;>■.Sm,H±I?.?YfÏÂÙ*µ??¨\\´ß.╝.´..FK?└┌{diãÔbË?=KÕ.;╬^?.#l@ftk
d▓..╝▓?.«..??╦╠.?E´"Ã?WÙþ┴0..aa.WNKá▒´:ZÎB¥?®}

---

CLogin::OnCheckPasswordResult is 0x00.

Pretty much how you would decode it is reference your v117's getAuthSuccessRequest or whatever it's named in Lithium, and then look in it at IDA.

Notes:
Decode1 = byte = 00 = mplew.write(0);
Decode2 = short = 00 00 = mplew.writeShort(0);
Decode4 = int = 00 00 00 00 = mplew.writeInt(0);
DecodeStr = string = 01 00 61 = mplew.writeMapleAsciiString("a");
DecodeBuffer depends. Decode buffer is usually like CInPacket::DecodeBuffer(v12, 0x8u); The 0x8u part is the length of the buffer. When 0x8u is set, it means it's a long (00 00 00 00 00 00 00 00, mplew.writeLong(0), but when it's sometihng like 0xDu it means it's 13. Normally this is a mplew.writeMapleAsciiString("a", 13); which means you have a max amount of characters at 13.

With all of this, looking in that IDB you will find Decode calls. These are what you'll be writing in your packet. Some are booleans which is like if (CInPacket::Decode1(v4)) {, and etc. But like I said, just reference your v117's. I doubt much if anything has changed on that packet.

Thanks! Will see if I can manage. I've also enabled logging (like you also recommended) and I'm slowly becoming a lot wiser. Starting to get things slowly. It's giving me clear error's so that's nice.

Also, thank you soo much. You've been the most helpfull person so far :D. Can't thank you enough!!

Quote:

---

Originally Posted by pow3rran9er

Thanks! Will see if I can manage. I've also enabled logging (like you also recommended) and I'm slowly becoming a lot wiser. Starting to get things slowly. It's giving me clear error's so that's nice.

Also, thank you soo much. You've been the most helpfull person so far :D. Can't thank you enough!!

---

No problem. Once you've fixed your first handler and your first packet, it gets easier and easier.

Also, a really off-topic question I couldn't resist, but that "xDMS" server back in 2009.. Are you referring to xDreamerMS v62 with 500x 150x and 10x rates?

Quote:

---

Originally Posted by chunkarama

No problem. Once you've fixed your first handler and your first packet, it gets easier and easier.

Also, a really off-topic question I couldn't resist, but that "xDMS" server back in 2009.. Are you referring to xDreamerMS v62 with 500x 150x and 10x rates?

---

Haha, I get that a lot. Actually I believe xDreamerMS got on about a week after mine. Mine had more focus on wz-edits and custom Party-Quests. So no. It wasn't dreamer. Was allways a bit jeaulous about Dreamer since they had an awesome system that made entire channels PvP. Whilst I only had 1 pvp map. I was simply too stupid to comprehend that it would be quite easy to make it over an entire channel.

I was quite active around the time servers like D.ChaosMS-EX were running actually. I remember going onto their chatbox and trolling on the fact they were still even using hamachi. (I was quite annoying back then en very proud I had portforwarded. Ah well, most 13 year old's are like that I suppose.)
Also had multiples disputes on whether my WZ editor was leeching their files. In review, he probably was. He was jamming togheter all maple versions and pvs customs.

Ah well... I'm drifting off. Back to work! (Tho loving the nostalgia this brings)