Packet 1022, Magic attack
Discussion on Packet 1022, Magic attack within the CO2 Private Server forum part of the Conquer Online 2 category.
05/08/2012, 01:20
|
#1
|
elite*gold: 0
Join Date: Aug 2010
Posts: 991
Received Thanks: 1,107
|
Packet 1022, Magic attack
So when i use the Fatal Strike skill this packet is being sent to the server.
Quote:
C -> S, Length : 40, Type: 1022
28 00 FE 03 B2 CE D3 02 D7 F8 1B 00 77 25 E1 B3
76 C7 05 55 18 00 00 00 DD C9 21 65 00 00 00 00
00 00 00 00 00 00 00 00
|
Breaking it down:
UInt16: Length
UInt16: Type
int: Time stamp
int: Attacker ID
int: Target ID
UInt16: X
UInt16: Y
UInt16: Subtype
UInt16: Skill ID
UInt16: Unknown
Now I tried to recreate this packet in my proxy and then send it to the server to start the Fatal Strike skill.
Creating the packet goes just fine and I get the exact same values every time I create a new packet, except for the (21 65), because I have no idea what it is and it keeps changing every time I use the skill...
Whenever I send that packet to the server I get disconnected, and I'm fairly sure it's not the time stamp that's disconnecting me, because it works just fine with any other packet that contains a time stamp. So I was wondering: does anybody know what these numbers (21 65) are, or what those 2 bytes stand for?
|
|
|
05/08/2012, 01:23
|
#2
|
elite*gold: 0
Join Date: Jan 2008
Posts: 1,434
Received Thanks: 1,147
|
Not sure, but the skill level with some manipulation on it. I would need to look at my source.
|
|
|
05/08/2012, 01:28
|
#3
|
elite*gold: 21
Join Date: Jul 2005
Posts: 9,193
Received Thanks: 5,376
|
Yes I seem to remember X/Y/ID/Lvl being encrypted slightly. I'd have to have access to a source to double check though.
|
|
|
05/08/2012, 01:34
|
#4
|
elite*gold: 0
Join Date: Aug 2007
Posts: 1,525
Received Thanks: 230
|
I checked my source and found nothing related to offset 26.
If they're bytes, 0x21 = 33 and 0x65 = 101.
I checked the FatalStrike subtype in the attack packet but found nothing equal to 33 or even 101.
Same for the spell information in the database...
Anyway, GL
|
|
|
05/08/2012, 01:54
|
#5
|
elite*gold: 0
Join Date: Aug 2010
Posts: 991
Received Thanks: 1,107
|
Quote:
Originally Posted by pro4never
Yes I seem to remember X/Y/ID/Lvl being encrypted slightly. I'd have to have access to a source to double check though.
|
It's just that they are XOR'ing/shifting/OR'ing those values. I looked in the client and I reflected this to be able to create the packet.
PHP Code:
// Reflected from the client: obfuscates SkillID, TargetUID, X and Y for packet 1022.
// SkillID and TargetUID are uint locals holding the plain values; Client.UID/X/Y come from the bot.
uint AttackerUID = Client.UID;
// SkillID: subtract 0x14BE, 16-bit rotate right by 3, then XOR with AttackerUID and 0x915D
uint ECX = SkillID; ECX -= 0x14BE; ECX &= 0xFFFF;
SkillID = ECX >> 3; ECX <<= 13; SkillID |= ECX;
SkillID ^= AttackerUID; SkillID ^= 0x915D;
// TargetUID: add 0x746F4AE6 (i.e. subtract 0x8B90B51A), XOR with AttackerUID and 0x5F2D2463, 32-bit rotate right by 19
ECX = TargetUID; ECX += 0x746F4AE6; ECX ^= AttackerUID; ECX ^= 0x5F2D2463;
uint XX = ECX >> 19; ECX <<= 13; XX |= ECX; TargetUID = XX;
// X: add 0xFFFF22EE (i.e. subtract 0xDD12), keep 16 bits, rotate right by 1, XOR with AttackerUID and 0x2ED6
ECX = Client.X; ECX += 0xFFFF22EE; ECX &= 0xFFFF;
XX = ECX; ECX &= 1; XX >>= 1; XX &= 0xFFFF; ECX <<= 15; XX |= ECX;
XX ^= AttackerUID; XX ^= 0x2ED6;
// Y: add 0xFFFF8922 (i.e. subtract 0x76DE), keep 16 bits, rotate right by 5, XOR with AttackerUID and 0xB99B
ECX = Client.Y; ECX += 0xFFFF8922; ECX &= 0xFFFF;
uint YY = ECX; ECX &= 0x1F; YY >>= 5; YY &= 0xFFFF; ECX <<= 0xB; YY |= ECX;
YY ^= AttackerUID; YY ^= 0xB99B;
ushort X = (ushort)XX, Y = (ushort)YY; SkillID = (ushort)SkillID;
Console.WriteLine("{0} {1} {2} {3} {4}", X.ToString("X"), Y.ToString("X"), SkillID.ToString("X"), AttackerUID.ToString("X"), TargetUID.ToString("X"));
That shit works just fine, but I don't see anything related to that value, nor is it stored anywhere in memory to be used in that packet later on :|
I should have traced it all the way up to where it builds that packet, because by now I don't even remember where that shit was :P
|
|
|
05/08/2012, 02:21
|
#6
|
elite*gold: 0
Join Date: May 2008
Posts: 1,769
Received Thanks: 1,142
|
Well.. My p1022 is the following:
Code:
Timestamp = PacketParser.ReadInt(Buffer, 4);
Identity = PacketParser.ReadInt(Buffer, 8);
Target = PacketParser.ReadInt(Buffer, 12);
X = PacketParser.ReadShort(Buffer, 16);
Y = PacketParser.ReadShort(Buffer, 18);
Mode = PacketParser.ReadInt(Buffer, 20);
SkillID = PacketParser.ReadShort(Buffer, 24);
SkillLevel = PacketParser.ReadShort(Buffer, 26);
So the level is definitely at offset 26. If I remember correctly, something different was added to the ushort for the level of Fatal Strike after ninja bots came out. Don't quite remember what, though. If the level is 0, just try and run some type of test to see what values make 0 = 21 65.
|
|
|
05/08/2012, 02:39
|
#7
|
elite*gold: 0
Join Date: Jun 2005
Posts: 692
Received Thanks: 353
|
First off, that whole packet is encrypted, because the subtype is set to MagicAttack.
As for the encryption, why does no one look at the EO source? It's all right there.
|
|
|
05/08/2012, 02:41
|
#8
|
elite*gold: 0
Join Date: May 2008
Posts: 1,769
Received Thanks: 1,142
|
Quote:
Originally Posted by nTL3fTy
First off, that whole packet is encrypted, because the subtype is set to MagicAttack.
As for the encryption, why does no one look at the EO source? It's all right there.
|
Forgot I even had the EO source on a random flash drive... I think I'll go through it for old times sake. +k
|
|
|
05/08/2012, 02:55
|
#9
|
elite*gold: 0
Join Date: Aug 2010
Posts: 991
Received Thanks: 1,107
|
Quote:
Originally Posted by nTL3fTy
First off, that whole packet is encrypted, because the subtype is set to MagicAttack.
As for the encryption, why does no one look at the EO source? It's all right there.
|
Here is the EO stuff
PHP Code:
#define ENCODE_MAGICATTACK(idUser,usType,idTarget,usPosX,usPosY) { \
    usType = (::ExchangeShortBits((usType - 0x14BE),3) ^ (idUser) ^ 0x915D); \
    idTarget = ::ExchangeLongBits(((idTarget - 0x8B90B51A) ^ (idUser) ^ 0x5F2D2463),32-13); \
    usPosX = (::ExchangeShortBits((usPosX - 0xDD12),1) ^ (idUser) ^ 0x2ED6); \
    usPosY = (::ExchangeShortBits((usPosY - 0x76DE),5) ^ (idUser) ^ 0xB99B); }

#define DECODE_MAGICATTACK(idUser,usType,idTarget,usPosX,usPosY) { \
    usType = 0xFFFF&(::ExchangeShortBits(((usType) ^ (idUser) ^ 0x915D),16-3) + 0x14BE); \
    idTarget = (::ExchangeLongBits((idTarget),13) ^ (idUser) ^ 0x5F2D2463) + 0x8B90B51A; \
    usPosX = 0xFFFF&(::ExchangeShortBits(((usPosX) ^ (idUser) ^ 0x2ED6),16-1) + 0xDD12); \
    usPosY = 0xFFFF&(::ExchangeShortBits(((usPosY) ^ (idUser) ^ 0xB99B),16-5) + 0x76DE); }
Now do you see anything related to that value or offset 26+? Because I don't :P
|
|
|
05/08/2012, 03:09
|
#10
|
elite*gold: 0
Join Date: May 2008
Posts: 1,769
Received Thanks: 1,142
|
True. I only decode the SkillID, TargetUID, X, and Y from the packet. I then check if the user has that skill, and if so, get the skill level from their skills repo. I never really bothered with the skill level.. Intriguing.
|
|
|
05/08/2012, 03:36
|
#11
|
elite*gold: 0
Join Date: Jun 2005
Posts: 692
Received Thanks: 353
|
Quote:
Originally Posted by { Angelius }
Here is the EO stuff
Now do you see anything related to that value or offset 26+? because i don't :P
|
You need to look a little deeper (usData1 here is the magic level).
Encrypting:
Code:
m_pInfo->usData1 = (usData1+0x100*(m_pInfo->dwTimeStamp%0x100))^0x3721;
Decrypting:
Code:
USHORT usLev = (m_pInfo->usData1^0x3721)&0xff;
|
|
|
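A server-side decoder for the 1022 packet, combining the DECODE_MAGICATTACK macro from post #9 with the usData1 level decode from post #11 and run over the hex dump from the first post. This is an added example, not code from the thread or the EO source: it assumes ExchangeShortBits/ExchangeLongBits are 16- and 32-bit rotate-right helpers (the direction the C# reflection in post #5 uses), and forgery_hints, session_uid and known_ids are made-up names for the server's own bookkeeping.

```python
import struct

# Constructed from the hex dump in the first post (client -> server, type 1022, 40 bytes).
SAMPLE_HEX = ("28 00 FE 03 B2 CE D3 02 D7 F8 1B 00 77 25 E1 B3 "
              "76 C7 05 55 18 00 00 00 DD C9 21 65 00 00 00 00 "
              "00 00 00 00 00 00 00 00")

def ror16(v, n):
    """16-bit rotate right: assumed meaning of EO's ExchangeShortBits (post #5's C# does >>3 | <<13)."""
    v &= 0xFFFF
    return ((v >> n) | (v << (16 - n))) & 0xFFFF

def ror32(v, n):
    """32-bit rotate right: assumed meaning of EO's ExchangeLongBits."""
    v &= 0xFFFFFFFF
    return ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF

def decode_magic_attack(raw):
    """Parse a raw 1022 packet (layout from post #6) and undo the field obfuscation server-side."""
    if len(raw) < 28:
        raise ValueError("packet shorter than the 1022 header")
    (length, ptype, ts, uid, target, x, y,
     mode, skill, data1) = struct.unpack_from("<HHIIIHHIHH", raw, 0)
    if length != len(raw) or ptype != 1022:
        raise ValueError("length/type mismatch: length=%d type=%d" % (length, ptype))
    uid16 = uid & 0xFFFF  # the USHORT fields only ever see the low 16 bits of idUser
    # DECODE_MAGICATTACK from post #9
    skill = (ror16(skill ^ uid16 ^ 0x915D, 16 - 3) + 0x14BE) & 0xFFFF
    target = ((ror32(target, 13) ^ uid ^ 0x5F2D2463) + 0x8B90B51A) & 0xFFFFFFFF
    x = (ror16(x ^ uid16 ^ 0x2ED6, 16 - 1) + 0xDD12) & 0xFFFF
    y = (ror16(y ^ uid16 ^ 0xB99B, 16 - 5) + 0x76DE) & 0xFFFF
    # usData1 decode from post #11: the level is the low byte, the high byte is timestamp noise
    level = (data1 ^ 0x3721) & 0xFF
    return {"timestamp": ts, "attacker": uid, "target": target, "x": x, "y": y,
            "mode": mode, "skill_id": skill, "level": level}

def forgery_hints(fields, session_uid, known_ids):
    """Hypothetical server-side sanity checks; a non-empty list is the kind of mismatch that gets a client disconnected."""
    hints = []
    if fields["attacker"] != session_uid:
        hints.append("attacker id %#x does not match the session" % fields["attacker"])
    if fields["target"] not in known_ids:
        hints.append("target %#x is not a known entity" % fields["target"])
    return hints

if __name__ == "__main__":
    f = decode_magic_attack(bytes.fromhex(SAMPLE_HEX))
    print(f, forgery_hints(f, f["attacker"], {f["attacker"]}))
```

On the captured packet this yields skill id 6011, level 0, X = Y = 0 and a target equal to the attacker's own UID; flipping any byte of an obfuscated field decodes to a different entity id, which is exactly the mismatch a server would treat as forgery.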
05/08/2012, 04:18
|
#12
|
elite*gold: 0
Join Date: May 2008
Posts: 1,769
Received Thanks: 1,142
|
Question is, why are you reconstructing the packet in the first place? With a proxy all you should be doing is breaking down the packet, analyzing it, and forwarding it on to the original target. So, just make a copy of the packet before you break it down, and use that copy to send it back unharmed.
|
|
|
05/08/2012, 07:29
|
#13
|
elite*gold: 21
Join Date: Jul 2005
Posts: 9,193
Received Thanks: 5,376
|
Quote:
Originally Posted by Zeroxelli
Question is, why are you reconstructing the packet in the first place? With a proxy all you should be doing is breaking down the packet, analyzing it, and forwarding it on to the original target. So, just make a copy of the packet before you break it down, and use that copy to send it back unharmed.
|
Sounds like he may be trying to make a bot in which case he needs to construct his own packets.
The reason he gets dc'd is NOT because he's not filling in this value properly, it's because he's not encrypting the values he creates for X/Y/Target/SkillID/SkillLevel
|
|
|
05/08/2012, 07:36
|
#14
|
elite*gold: 0
Join Date: May 2008
Posts: 1,769
Received Thanks: 1,142
|
Quote:
Originally Posted by pro4never
Sounds like he may be trying to make a bot in which case he needs to construct his own packets.
The reason he gets dc'd is NOT because he's not filling in this value properly, it's because he's not encrypting the values he creates for X/Y/Target/SkillID/SkillLevel
|
That would do it. If a value is passed to the decrypt function of the server and it does not decrypt properly, the server would (on real CO, at least) disconnect him. It disconnects in a lot of cases where it suspects forgery. Problem is, the server reports his account every time it happens. So hopefully his noob hasn't come in contact with his main if he's on a real server.
|
|
|
05/08/2012, 12:45
|
#15
|
elite*gold: 0
Join Date: Aug 2010
Posts: 991
Received Thanks: 1,107
|
Quote:
Originally Posted by Zeroxelli
Question is, why are you reconstructing the packet in the first place? With a proxy all you should be doing is breaking down the packet, analyzing it, and forwarding it on to the original target. So, just make a copy of the packet before you break it down, and use that copy to send it back unharmed.
|
I'm reconstructing that packet because I don't want to hook the magic attack function anymore and I don't want to send key strokes anymore :P
It's a memory-based bot/proxy that I made a long time ago... I use it to packet sniff and auto hunt/loot, and I thought about upgrading it some more and then releasing it to the public because I'm not making any use of it.
Quote:
Originally Posted by pro4never
Sounds like he may be trying to make a bot in which case he needs to construct his own packets.
The reason he gets dc'd is NOT because he's not filling in this value properly, it's because he's not encrypting the values he creates for X/Y/Target/SkillID/SkillLevel
|
The bot is already up and running; there is a video for it in my signature.
And yes, not filling in that value was the reason I'm getting disconnected... Thanks to nTL3fTy
Quote:
Originally Posted by nTL3fTy
You need to look a little deeper (usData1 here is the magic level).
Encrypting:
Code:
m_pInfo->usData1 = (usData1+0x100*(m_pInfo->dwTimeStamp%0x100))^0x3721;
Decrypting:
Code:
USHORT usLev = (m_pInfo->usData1^0x3721)&0xff;
|
WriteUInt16((ushort)(1 + 0x100 * (Environment.TickCount % 0x100) ^ 0x3721), 26);
That did the trick and it works like a charm...
Thanks
|
|
|