[HELP] Analyzing sniffed packets

Nikolen · Jan 27, 2016

hi everybody. i want to develop server and create missed packets myself. can anybody explain me how i can analyze sniffed packet?

example this is sniffed mission buy packet. how i can analyze it? @CodeDragon, @PROGRAMMATOR please help me about that

Time:22:30:47:183
Source:201.77.235.150:39190 Destination:192.168.1.X
[SERVER]>Receive Data Size Leng:102
[SERVER]>Receive Real Size Leng:98
[SERVER]>OpCode:2606
00000000 62 00 2E 0A 00 00 00 00 D8 D6 00 00 01 01 00 00 bи.ииииипоииииии
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000060 00 00 01 05 00 00

Time:22:30:47:386
Source:201.77.235.150:39190 Destination:192.168.1.X
[SERVER]>Receive Data Size Leng:29
[SERVER]>Receive Real Size Leng:25
[SERVER]>OpCode:535
00000000 19 00 17 02 01 00 00 00 DA DE 6E 5F CD 86 0D 02 ииииииии┌яn_═?ии
00000010 00 00 00 00 00 00 00 00 01 00 00 00 00 иииииииииииии

anykia · Jan 27, 2016

I think it's something like that:

00000000 62 00 2E 0A 00 00 00 00 D8 D6 00 00 01 01 00 00 bи.ииииипоииииии
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000060 00 00 01 05 00 00

62 00 = 00 62 = 98 = Receive Real Size Length [2 bytes] (Little Endian Byte Order/Inverted)
2E 0A = 0A 2E = 2606 = OpCode:2606 [2 bytes] (Little Endian Byte Order/Inverted)

[Packet data] [98 bytes]
00 00 00 00 D8 D6 00 00 01 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 01 05 00 00
[\Packet data]

Total size: 102 bytes

About the content you should look with IDA PRO + Point Blank.exe > Strings > CUPOM > ReadPacket, etc...

Nikolen · Jan 27, 2016

anykia said:
I think it's something like that:

00000000 62 00 2E 0A 00 00 00 00 D8 D6 00 00 01 01 00 00 bи.ииииипоииииии
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000060 00 00 01 05 00 00

62 00 = 00 62 = 98 = Receive Real Size Length [2 bytes] (Little Endian Byte Order/Inverted)
2E 0A = 0A 2E = 2606 = OpCode:2606 [2 bytes] (Little Endian Byte Order/Inverted)

[Packet data] [98 bytes]
00 00 00 00 D8 D6 00 00 01 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 01 05 00 00
[\Packet data]

Total size: 102 bytes

About the content you should look with IDA PRO + Point Blank.exe > Strings > CUPOM > ReadPacket, etc...

thanks, i will try it. i have dumped point blank.exe and ida pro. but i don't know what i must look for in ida pro

zOne62 · Jan 29, 2016

anykia said:
I think it's something like that:

00000000 62 00 2E 0A 00 00 00 00 D8 D6 00 00 01 01 00 00 bи.ииииипоииииии
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000060 00 00 01 05 00 00

62 00 = 00 62 = 98 = Receive Real Size Length [2 bytes] (Little Endian Byte Order/Inverted)
2E 0A = 0A 2E = 2606 = OpCode:2606 [2 bytes] (Little Endian Byte Order/Inverted)

[Packet data] [98 bytes]
00 00 00 00 D8 D6 00 00 01 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 01 05 00 00
[\Packet data]

Total size: 102 bytes

About the content you should look with IDA PRO + Point Blank.exe > Strings > CUPOM > ReadPacket, etc...

this program does not work properly?? 41 bytes

REMOVED

Taiga · Jan 29, 2016

If you're going to use Piercing blow, then just use PointShark.

Aesir · Jan 29, 2016

Nikolen said:
hi everybody. i want to develop server and create missed packets myself. can anybody explain me how i can analyze sniffed packet?

example this is sniffed mission buy packet. how i can analyze it? @CodeDragon, @PROGRAMMATOR please help me about that

Time:22:30:47:183
Source:201.77.235.150:39190 Destination:192.168.1.X
[SERVER]>Receive Data Size Leng:102
[SERVER]>Receive Real Size Leng:98
[SERVER]>OpCode:2606
00000000 62 00 2E 0A 00 00 00 00 D8 D6 00 00 01 01 00 00 bи.ииииипоииииии
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ииииииииииииииии
00000060 00 00 01 05 00 00

Time:22:30:47:386
Source:201.77.235.150:39190 Destination:192.168.1.X
[SERVER]>Receive Data Size Leng:29
[SERVER]>Receive Real Size Leng:25
[SERVER]>OpCode:535
00000000 19 00 17 02 01 00 00 00 DA DE 6E 5F CD 86 0D 02 ииииииии┌яn_═?ии
00000010 00 00 00 00 00 00 00 00 01 00 00 00 00 иииииииииииии

You should read the packet as structure.
If you wanna follow this advice, you may need 2 structures: 1 for the packet header (packet length + opcode) and 1 for the packet body, which will change according to the opcode.
In C++ is quite easy because you can quickly transfer the memory (bytes) to the pointed structure, in c# is a bit more harder because you need to marshal the byte array to a struct.
Hope this will help you

[HELP] Analyzing sniffed packets

Nikolen

Junior Spellweaver

anykia

Newbie Spellweaver

Nikolen

Junior Spellweaver

zOne62

Newbie Spellweaver

Taiga

◝(⁰▿⁰)◜Smile◝ (⁰▿⁰)◜

Aesir

Experienced Elementalist

About Us

Online statistics

Forum statistics

RaGEZONE Sponsor