unsigned char firstPacket[] = { 0xd6, 0x1a, 0x00, 0x48, 0xfe, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xfe, 0x35, 0x00, 0x03, 0x06, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6b };
unsigned char secondPacket[] = { 0xd6, 0x32, 0x00, 0x48, 0x06, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x09, 0x03, 0x01, 0x20, 0x00, 0x14, 0x07, 0x0e, 0x29, 0xf4, 0x97, 0x1a, 0x9a, 0xdb, 0xc0, 0x30, 0x27, 0xb5, 0xff, 0xc9, 0xa7, 0xfd, 0x60, 0x20, 0x8e, 0xac, 0xf0, 0x01, 0xbf, 0xcc, 0x71, 0x0a, 0xae, 0x4c, 0xe3, 0x95, 0x49, 0x6b };
he correctly decode the packets from justac? I have a functional sniffer for justac, so please let me know if you need it.
Alright so here's all I know about packet structures so far:
- All decrypted packets begin with 0xD6 and end with 0x6B.
- All encrypted server packets begin with 0xA1 and end with 0xAF.
- All encrypted client packets begin with 0xB1 and end with 0xBF.
- Second and third bytes are for size.
For decrypted packets:
- 3rd byte is first opcode.
- 4-13 (9 bytes) have no significance from what I can tell. Maybe struct padding.
- 14th and 15th bytes are rest of opcodes.
- Keys begin after [0x20, 0x00] (= 32 bytes)
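The framing rules in this post, turned into a bounds-checked parser. This is an added example, not code from the thread: it reads the post's byte positions as zero-based (the reading under which 0x48 sits at offset 3 of both posted packets and [0x20, 0x00] at offsets 15-16 of the second), takes the size field as little-endian and counting the whole frame including the markers, and assumes that the two bytes at offset 15 are a little-endian length of the data that follows (0x0008 and 0x0020 in the two samples, which both fit exactly). The two packet arrays are the ones posted above; the encrypted and bad-size frames are constructed samples. For encrypted frames only the outer markers and the size field are checked, because the thread says nothing about their inner layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame markers exactly as listed in the post. */
#define START_DECRYPTED  0xD6
#define END_DECRYPTED    0x6B
#define START_SERVER_ENC 0xA1
#define END_SERVER_ENC   0xAF
#define START_CLIENT_ENC 0xB1
#define END_CLIENT_ENC   0xBF

/* Offsets inside a decrypted frame, taking the post's byte positions as zero-based. */
#define OFF_SIZE         1   /* 2 bytes LE, counts the whole frame including both markers */
#define OFF_OPCODE       3   /* "first opcode" (0x48 in both samples) */
#define OFF_PAD          4   /* 9 bytes with no known meaning */
#define OFF_SUBOPCODE   13   /* 2 bytes, "rest of opcodes" */
#define OFF_PAYLOAD_LEN 15   /* ASSUMPTION: 2 bytes LE, length of the data that follows */
#define OFF_PAYLOAD     17
#define MIN_DECRYPTED_LEN (OFF_PAYLOAD + 1)   /* fixed header plus the end marker */

enum frame_kind { FRAME_BAD = 0, FRAME_DECRYPTED, FRAME_SERVER_ENC, FRAME_CLIENT_ENC };

struct frame {
    enum frame_kind kind;
    uint16_t declared_size;
    uint8_t  opcode, sub_opcode0, sub_opcode1;
    uint16_t payload_len;
    const uint8_t *payload;   /* points into the caller's buffer; NULL unless a clean decrypted frame */
    const char *error;        /* NULL when the frame parsed cleanly */
};

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one captured frame. Every field is checked against len before it is read, so a
 * truncated or corrupted capture yields an error instead of an out-of-bounds read. */
struct frame parse_frame(const uint8_t *buf, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    if (len < 4) { f.error = "too short for markers and size field"; return f; }

    uint8_t first = buf[0], last = buf[len - 1];
    if (first == START_DECRYPTED && last == END_DECRYPTED)        f.kind = FRAME_DECRYPTED;
    else if (first == START_SERVER_ENC && last == END_SERVER_ENC) f.kind = FRAME_SERVER_ENC;
    else if (first == START_CLIENT_ENC && last == END_CLIENT_ENC) f.kind = FRAME_CLIENT_ENC;
    else { f.error = "start/end markers are not a known pair"; return f; }

    f.declared_size = rd_le16(buf + OFF_SIZE);
    if (f.declared_size != len) {
        f.kind = FRAME_BAD; f.error = "size field disagrees with buffer length"; return f;
    }
    if (f.kind != FRAME_DECRYPTED) return f;   /* inner layout of encrypted frames is unknown */

    if (len < MIN_DECRYPTED_LEN) {
        f.kind = FRAME_BAD; f.error = "decrypted frame shorter than its fixed header"; return f;
    }
    f.opcode      = buf[OFF_OPCODE];
    f.sub_opcode0 = buf[OFF_SUBOPCODE];
    f.sub_opcode1 = buf[OFF_SUBOPCODE + 1];
    f.payload_len = rd_le16(buf + OFF_PAYLOAD_LEN);
    if ((size_t)OFF_PAYLOAD + f.payload_len + 1 != len) {
        f.kind = FRAME_BAD; f.error = "payload length does not fill the frame"; return f;
    }
    f.payload = buf + OFF_PAYLOAD;
    return f;
}

/* The two packets posted in the thread, verbatim. */
static const uint8_t FIRST_PACKET[] = { 0xd6, 0x1a, 0x00, 0x48, 0xfe, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xfe, 0x35, 0x00, 0x03, 0x06, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6b };
static const uint8_t SECOND_PACKET[] = { 0xd6, 0x32, 0x00, 0x48, 0x06, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x09, 0x03, 0x01, 0x20, 0x00, 0x14, 0x07, 0x0e, 0x29, 0xf4, 0x97, 0x1a, 0x9a, 0xdb, 0xc0, 0x30, 0x27, 0xb5, 0xff, 0xc9, 0xa7, 0xfd, 0x60, 0x20, 0x8e, 0xac, 0xf0, 0x01, 0xbf, 0xcc, 0x71, 0x0a, 0xae, 0x4c, 0xe3, 0x95, 0x49, 0x6b };
/* Constructed samples (not from the thread): an encrypted server frame, and a decrypted
 * frame whose size field claims 9 bytes but which is only 5 bytes long. */
static const uint8_t ENC_SAMPLE[] = { 0xa1, 0x06, 0x00, 0x11, 0x22, 0xaf };
static const uint8_t BAD_SIZE_SAMPLE[] = { 0xd6, 0x09, 0x00, 0x48, 0x6b };

static void dump(const char *name, const uint8_t *buf, size_t len)
{
    struct frame f = parse_frame(buf, len);
    if (f.error) { printf("%s: rejected (%s)\n", name, f.error); return; }
    printf("%s: kind=%d size=%u", name, (int)f.kind, f.declared_size);
    if (f.kind == FRAME_DECRYPTED) {
        printf(" opcode=%02x sub=%02x %02x payload(%u):", f.opcode, f.sub_opcode0, f.sub_opcode1, f.payload_len);
        for (size_t i = 0; i < f.payload_len; i++) printf(" %02x", f.payload[i]);
    }
    printf("\n");
}

int main(void)
{
    dump("firstPacket", FIRST_PACKET, sizeof FIRST_PACKET);
    dump("secondPacket", SECOND_PACKET, sizeof SECOND_PACKET);
    dump("encSample", ENC_SAMPLE, sizeof ENC_SAMPLE);
    dump("badSize", BAD_SIZE_SAMPLE, sizeof BAD_SIZE_SAMPLE);
    dump("truncated", FIRST_PACKET, sizeof FIRST_PACKET - 1);
    return 0;
}
```

Run against the two posted packets it reports opcode 0x48 with sub-opcodes 03 06 / 03 01 and payloads of 8 and 32 bytes; the 32-byte payload of the second packet is the region the post calls the key. If the offset-15 length assumption is wrong for some other capture, the "payload length does not fill the frame" rejection is the signal, which is more useful in a sniffer than silently reading past the buffer.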
I appreciate all the help guys. I'd like to clarify my aim once again though. If possible I'd like to analyze packet structures through the client instead of being dependent on an online server. While I was messing around in IDA I found a bunch of strings such as "Agpm::Character OnReceive(1) ..", "Agpm::Item OnReceive(1)". I believe Agpm stands for "Archlord game packet manager". Although I wasn't able to make much sense of what was happening due to my lack of assembly knowledge.
12 00 18 05 02 00 00 00 06 33 34 35 33 34 35 00 ........ .345345.
2E 1A ..
CPU Disasm
Address Hex dump Command Comments
00818E10 /$ 55 PUSH EBP ; GDMO.00818E10(guessed Arg1,Arg2)
00818E11 |. 8BEC MOV EBP,ESP
00818E13 |. 51 PUSH ECX
00818E14 |. 894D FC MOV DWORD PTR SS:[LOCAL.1],ECX
00818E17 |. 68 18050000 PUSH 518 ; /Arg1 = 518
00818E1C |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1] ; |
00818E1F |. E8 DC86C0FF CALL 00421500 ; \GDMO.00421500
00818E24 |. 8B45 08 MOV EAX,DWORD PTR SS:[ARG.1]
00818E27 |. 50 PUSH EAX ; /Arg1 => [ARG.1]
00818E28 |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1] ; |
00818E2B |. E8 507DC0FF CALL 00420B80 ; \GDMO.00420B80
00818E30 |. 8B4D 0C MOV ECX,DWORD PTR SS:[ARG.2]
00818E33 |. 51 PUSH ECX ; /Arg1 => [ARG.2]
00818E34 |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1] ; |
00818E37 |. E8 1488C0FF CALL 00421650 ; \GDMO.00421650
00818E3C |. 68 18050000 PUSH 518 ; /Arg1 = 518
00818E41 |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1] ; |
00818E44 |. E8 9786C0FF CALL 004214E0 ; \GDMO.004214E0
00818E49 |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1]
00818E4C |. E8 0F81C0FF CALL 00420F60 ; [GDMO.00420F60
00818E51 |. 8BE5 MOV ESP,EBP
00818E53 |. 5D POP EBP
00818E54 \. C2 0800 RETN 8
int __thiscall sub_818E10(void *this, char Src, wchar_t *Str)
{
void *v3; // ST04_4@1
v3 = this;
sub_421500((int)this, 1304);
sub_420B80(Src);
sub_421650(Str);
sub_4214E0(v3, 1304);
return sub_420F60(v3);
}
#pragma pack(push, 1)
struct MSG_REQUEST_CHAR_DELETE
{
WORD pSize; //Packet Size
WORD pFunction; //Packet Function
DWORD cNumber; //Character slot to delete
BYTE nSize; //Size of character name
CHAR * cEmail; //Email address to verify delete
BYTE bPad; //0x00 for padding
WORD sWord; //Security bytes for packet.
};
#pragma pack(pop)
Thanks for the great answer. From what I understand there's no way around having to collect packet samples from an online server unless you're a beast at assembly, which I am not. And considering that my issue is having problems accessing certain packets, I guess I'm in a pickle here.
As for a system to dump packets, I built a sniffer a couple of months back which does what I need it to do. Thanks for the suggestion though.