gunbound packet structure
I am trying to emulate the GunBound server 8360 but I am having some trouble. I identified that the client sends packet 0x1000 (4096) to the server, like a handshake, and then the server sends 0x1001:
Received by server:
06 00 B1 36 00 10 00 00 00
Code:
00413395 |. 6A 04 PUSH 4 ; /Arg4 = 00000004
00413397 |. 68 01100000 PUSH 1001 ; |Arg3 = 00001001
0041339C |. 56 PUSH ESI ; |Arg2
0041339D |. 8D96 68050000 LEA EDX,DWORD PTR DS:[ESI+568] ; |
004133A3 |. 68 605B4700 PUSH GunBound.00475B60 ; |Arg1 = 00475B60
004133A8 |. E8 B383FFFF CALL GunBound.0040B760 ; \GunBound.0040B760
The packet sent is like:
0A 00 E5 53 01 10 *2A 09 EC 62*
where 0A is the length, E5 53 is a math function of the length ( (length * 0x43FD) + 0xFFFFAC03 ), but the rest is not fixed. Every time a new client connects this is called:
Code:
00412B00 . 56 PUSH ESI
00412B01 . 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
00412B05 . 8B06 MOV EAX,DWORD PTR DS:[ESI]
00412B07 . 57 PUSH EDI
00412B08 . 50 PUSH EAX
00412B09 . 56 PUSH ESI
00412B0A . 68 F8224500 PUSH GunBound.004522F8 ; ASCII "CSvcThread::OnConnect(%08X/%08X)
"
00412B0F . 8BF9 MOV EDI,ECX
00412B11 . E8 FA680000 CALL GunBound.00419410
00412B16 . 33C0 XOR EAX,EAX
00412B18 . B9 FFFF0000 MOV ECX,0FFFF
00412B1D . 83C4 0C ADD ESP,0C
00412B20 . 8D97 2C020000 LEA EDX,DWORD PTR DS:[EDI+22C]
00412B26 . 66:8986 DA0200>MOV WORD PTR DS:[ESI+2DA],AX
00412B2D . 8986 DC020000 MOV DWORD PTR DS:[ESI+2DC],EAX
00412B33 . 8986 F8040000 MOV DWORD PTR DS:[ESI+4F8],EAX
00412B39 . 8886 E0020000 MOV BYTE PTR DS:[ESI+2E0],AL
00412B3F . 8986 E4020000 MOV DWORD PTR DS:[ESI+2E4],EAX
00412B45 . 8986 E8020000 MOV DWORD PTR DS:[ESI+2E8],EAX
00412B4B . 66:898E 1A0500>MOV WORD PTR DS:[ESI+51A],CX
00412B52 . 66:898E 1E0500>MOV WORD PTR DS:[ESI+51E],CX
00412B59 . 8986 30050000 MOV DWORD PTR DS:[ESI+530],EAX
00412B5F . E8 3C6C0000 CALL GunBound.004197A0 ----> HERE
00412B64 . 8986 68050000 MOV DWORD PTR DS:[ESI+568],EAX
00412B6A . 5F POP EDI ; 002B8CCC
00412B6B . B0 01 MOV AL,1
00412B6D . 5E POP ESI
00412B6E . C2 0800 RETN 8
You can see the call "---> HERE"; this is the call responsible for updating some kind of hash table that is used to construct the 0x1001 packet, but I can't understand how it is built in the first place. When I set a breakpoint there the table is already there, so I don't know how to generate it to make the checks to build the packet. Can anybody help me here? :(
Re: gunbound packet structure
0x1000/0x1001 are used by client/server to agree on an "Auth" dword value. This value is used later in encrypting/decrypting values in the login packet.
I'm happy to see someone else interested in reversing/emulating this game, but don't underestimate the amount of work required. You have a long way ahead of you ;-)
Re: gunbound packet structure
How do you build the 0x1001 packet to send back to the client? Can you help me? I know I'll have a lot of work, but if we help each other we can achieve better results :)
Thanks for the information, it confirmed my thoughts, but I still don't know how to exactly build that packet =/
Re: gunbound packet structure
It doesn't get much easier than that one:
public sealed class AuthDword : Packet
{
    // Opcode 0x1001, total packet length 10 (6-byte header + 4-byte payload)
    public AuthDword(uint Random)
        : base(0x1001, 10)
    {
        // The only payload is the random "Auth" dword
        m_Stream.Write(Random);
    }
}
The hard part is the one that comes after that !
Re: gunbound packet structure
You insert a random value? I tried and my game crashed right after.... I tried just sending an already constructed sniffed 0x1001 to the client, and it crashed.
Re: gunbound packet structure
Should work, the hard part is the login packet that follows... if you don't get that one right I'm not surprised the game crashes.
Re: gunbound packet structure
Now I am receiving 0x1010 packet... thanks =)
If I get into any trouble I'll post here. Do you have Skype or something...? It would be nice to exchange ideas instead of posting here, too much delay you know =) If you want, of course...
--edit--
Having some trouble now... it seems to be encrypted... can't translate the asm to C#... the function is too big. Any hints on how their encryption works?
Re: gunbound packet structure
Hehe nice work ;-)
You could come to IRC, i'm on irc.synirc.net on #gunbound
From europe though, so not online all the time :-)
As for the encryption, it's a modified SHA-1 variant for the password, and AES for the packets.
I went the route of ripping first too (which worked), but ended up recoding because our server runs on linux with mono.
Re: gunbound packet structure
Can you explain to me how the packet encryption works for this game? Are they encrypted all the time? I suppose that 0x1000 and 0x1001 aren't encrypted. I'm used to Priston Tale packets; since this is a different game I'm having some trouble figuring it out. PT used a simple XOR encryption/decryption so it was pretty easy to translate the encryption routine to C#.
Re: gunbound packet structure
Some packets are encrypted completely (0x2010 channelchat for instance), but login is a special case. That one starts with two blocks of 16 bytes that represent crypted username and a block of data that includes packet signature and the session key (which was established with 0x1000 earlier). These use a static key for decrypting, and their values are used to setup a dynamic key schedule for AES.
After those 32 bytes is another encrypted blob that holds password, clientversion, local/external IP, etc., encrypted using the dynamic key scheme.
Once you get past those two the rest will use the same stuff most of the time :-)
Re: gunbound packet structure
hmmm I see.
Can you show me the encryption routine code so I can try to do that? I have the source for that broker emulator in C#. I noticed it has some encryption routine as well, but can I use that or is it different?
Re: gunbound packet structure
Add the client you are using and the game unpack... the session key: SHA1(username + password + random)
Re: gunbound packet structure
I'm sorry, I can't understand what you mean... can you elaborate on your post?
Re: gunbound packet structure
You can add a link to the client you use...
Re: gunbound packet structure
I am using the Thor's Hammer client.
Re: gunbound packet structure
Sheen, I got the packets, but encrypted; I am really interested in decrypting them. Would you like to work with me? Add me on Skype: themarks2
Also, does someone know if the following code has something to do with the packet encryption?
SEE IMAGE:
http://prntscr.com/57rgzv
I'm from Brazil too.