pt packet, how to decode/decrypt - 2 bytes header len ?

Initiate Mage
Joined
Jun 16, 2024
I was playing with Priston packets,
i.e.:
1400 0000 _ 0700 5A43 _ 7D96 F704 _ 0000 0000 0000 EE7E 435A which is the "regular" packet
[len____] [ crc + flag ] [ seed/key _][ data ]
--
but I'm also seeing something like this:

1400 4801 B048 1806 4739 2A79 2E6A A536 31C6 02D5
[len...][ dunno what else ....


which is weird because, in my limited experience,
the packet len should be 4 bytes long (32 bits),
so I'm confused....

... are there any other "encryption" protocols for those kinds of packets?

Any help appreciated.
Thanks!!
It's kind of hard to know what this is about.

PT has two kinds of packets, IIRC:
0x4847xxxx
0x5032xxxx

If you receive any other opcode that does not follow this pattern, it's probably custom. What are you trying to do? What server files? Are you sniffing from another server? Need more info.
Hiya, thanks for replying.

Well... it's encrypted/encoded, so I don't know if it's 0x4847 or 0x50....
The enc/dec code I found (sources everywhere) does not handle a 2-byte len,

and yes, I'm sniffing from some server, not sure if it was from PT-BR or PT-EU.

--
I also found some kind of "packet compress" on playitem, when it has more than 10 items,
and of course the source code from decodecompress doesn't work as expected on that "compressed playitem".
Yes, if I remember correctly, the item structure uses a compression algorithm, just like the warehouse. There is a function called EEaencode, or Eencode, something like that. Try to find it in the save warehouse packet.

To know if they are using custom encryption or not, you can get the very first packet you send (the login packet, of course) and, using the common decryption algorithm, try to decrypt the packet using the byte key in a loop, from 0 to 0xFF. Then, in every iteration, you check for opcode 0x48470085 at offset 0x4. If you find it, that's good: they are still using the standard PT encryption algorithm with just a different key (which you have now found out).

If not, then you are out of luck. It's probably a custom algorithm. I assume you could use the source in combination with OllyDbg to find in their game where is the new encryption function they are using and try to reverse it in a high level language like C++ or C#.
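The two checks discussed in this thread, as an added example that is not code from Priston Tale or from any of the posters: first, which length-field width (2 or 4 bytes, little-endian) is actually consistent with each hex dump from the first post; second, the key scan the last reply describes, trying every one-byte key and looking for opcode 0x48470085 at offset 4. The cipher used for the scan is an assumption (every byte after the length field XORed with the key), standing in for "the common decryption algorithm"; it is not PT's real cipher. The field labels in `split_regular` are the first poster's own annotation, and `build_login_sample` constructs a sample packet rather than using captured traffic.

```python
"""Added example for this thread; not code from Priston Tale or any poster.

1. Which length-field width (2 or 4 bytes, little-endian) is consistent
   with each hex dump from the first post.
2. The key scan from the last reply: decrypt with every one-byte key and
   look for opcode 0x48470085 at offset 4.

The cipher in (2) is an ASSUMPTION: every byte after the 4-byte length
field XORed with the key. It stands in for "the common decryption
algorithm" and is not PT's real cipher; the scan loop is the point.
"""
from __future__ import annotations
import struct

# Hex dumps copied from the first post (whitespace removed).
REGULAR_DUMP = bytes.fromhex("14000000 07005A43 7D96F704 000000000000EE7E435A")
ODD_DUMP = bytes.fromhex("14004801 B0481806 47392A79 2E6AA536 31C602D5")

LOGIN_OPCODE = 0x48470085   # opcode named in the last reply
OPCODE_OFFSET = 4           # "at offset 0x4"


def declared_length(pkt: bytes, width: int = 4) -> int:
    """Read the leading length field as little-endian, 2 or 4 bytes wide."""
    fmt = {2: "<H", 4: "<I"}[width]
    return struct.unpack_from(fmt, pkt, 0)[0]


def consistent_widths(pkt: bytes) -> list[int]:
    """Field widths whose declared length equals the dump's real byte count."""
    return [w for w in (2, 4) if declared_length(pkt, w) == len(pkt)]


def split_regular(pkt: bytes) -> dict[str, bytes]:
    """Slice per the layout the first poster annotated under the 'regular'
    dump: [len 4][crc+flag 4][seed/key 4][data ...]. The labels are the
    poster's guess, not something established here."""
    return {
        "len": pkt[0:4],
        "crc_flag": pkt[4:8],
        "seed_key": pkt[8:12],
        "data": pkt[12:],
    }


def xor_decrypt(pkt: bytes, key: int) -> bytes:
    """ASSUMED stand-in cipher: length field in the clear, rest XOR key.
    XOR is its own inverse, so the same call also encrypts."""
    return pkt[:4] + bytes(b ^ key for b in pkt[4:])


def opcode_at(pkt: bytes, offset: int = OPCODE_OFFSET) -> int:
    """Little-endian 32-bit opcode at the given offset (assumed byte order)."""
    return struct.unpack_from("<I", pkt, offset)[0]


def recover_key(pkt: bytes, expected: int = LOGIN_OPCODE) -> list[int]:
    """The loop from the reply: keys 0..0xFF that reveal `expected` at offset 4.
    An empty list is the 'custom algorithm' case. A single hit is the normal
    outcome for a one-byte key: with a known opcode as plaintext the whole
    key space is 256 tries, so such a key gives no real confidentiality."""
    return [k for k in range(0x100) if opcode_at(xor_decrypt(pkt, k)) == expected]


def build_login_sample(key: int) -> bytes:
    """Constructed login packet (not captured traffic): 0x14 bytes total,
    opcode at offset 4, then 12 bytes of made-up payload, under the assumed cipher."""
    plain = struct.pack("<II", 0x14, LOGIN_OPCODE) + bytes(range(12))
    return xor_decrypt(plain, key)


if __name__ == "__main__":
    for name, dump in (("regular", REGULAR_DUMP), ("odd", ODD_DUMP)):
        print(f"{name}: {len(dump)} bytes, consistent length widths: {consistent_widths(dump)}")
    print("regular split:", {k: v.hex() for k, v in split_regular(REGULAR_DUMP).items()})
    print("keys from constructed login packet:", recover_key(build_login_sample(0x5A)))
    print("keys from odd dump:", recover_key(ODD_DUMP))
```

Running it shows that the "regular" dump as pasted is 22 bytes while its length field says 20 under either width, so that dump cannot be trusted byte-for-byte, whereas the "odd" dump is only consistent with a 2-byte length field, which is exactly what the first post noticed. The scan finds key 0x5A from the constructed packet in one pass and returns no candidate for the odd dump under the assumed cipher, which is the "probably custom" outcome the reply describes.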