[Howto] Create packet checksums

Old   #1

 
saweet's Avatar
 
elite*gold: 20
Join Date: Sep 2007
Posts: 1,406
Received Thanks: 2,092
[Howto] Create packet checksums

I noticed that many of you packet hackers around here are slightly modifying captured packets and resending them, which usually results in getting disconnected. The majority of the time it's due to not including the new checksum of the packet; the rest of the time it's because the packet wasn't encrypted.

To create a packet checksum, you must first be familiar with the structure of a basic 9Dragons packet. A sample packet looks like the following:
Code:
0C 00 62 02 1D 73 04 0A 01 00 F5 D3
The first byte of every packet is the size or length of the data. In this case it's 12 bytes long. Many people mistake this, thinking the first byte is the packet id. The second byte is an identifier which tells us if the packet is encrypted or not. Have you seen 0x10 here before? That means the data was encrypted. The rest of the packet is our data, except the last 2 bytes.

So what are the last 2 bytes? You've probably guessed it already, that's the checksum. How do you create a checksum? The first step is creating a byte array with a size big enough to hold the checksum. You would do it like the following using our packet from before:

In C#:
Code:
byte[] packet = new byte[] { 0x0C, 0, 0x62, 2, 0x1D, 0x73, 4, 0x0A, 1, 0, 0, 0 };
In VB:
Code:
Dim buffer As Byte() = New Byte() { &H0C, 0, &H62, 2, &H1D, &H73, 4, &H0A, 1, 0, 0, 0 }
To create the checksum, we need to iterate through the byte array and increment on each byte + the sum of the previous byte. Since there is no previous byte on the first run, you start with 0x0. Here is the function I use to create a checksum:

In C#:
Code:
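public static void CreateCheckSum(byte[] buffer)
{
    if (buffer != null)
    {
        // Running 8-bit sum of every byte before the checksum position.
        byte num = 0;
        unchecked
        {
            for (int i = 0; i < (buffer[0] - 2); i++)
            {
                num = (byte) (num + buffer[i]);   // wraps around at 256
            }
            // buffer[0] is the packet length; the checksum goes at length - 2.
            buffer[buffer[0] - 2] = (byte) (1 - num);
        }
    }
}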
In VB:
Code:
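Public Shared Sub CreateCheckSum(ByVal buffer As Byte())
    If (Not buffer Is Nothing) Then
        ' Integer accumulator masked to 8 bits: Byte arithmetic and CByte
        ' throw OverflowException past 255 with VB's default overflow checks.
        Dim num As Integer = 0
        Dim i As Integer
        For i = 0 To (buffer(0) - 2) - 1
            num = (num + buffer(i)) And &HFF
        Next i
        ' buffer(0) is the packet length; the checksum goes at length - 2.
        buffer((buffer(0) - 2)) = CByte((1 - num) And &HFF)
    End If
End Sub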
And I suppose you thought this was going to be difficult. As you can see, what we did here was just as stated above, and then at the end of the code we add the checksum to the end of the byte array. The checksum will take 2 bytes, so we insert it at buffer[0] - 2 (remember offset 0 = the size of the packet?). With a basic function to create valid checksums you'll have far greater success in sending modified packets that the server will try to do something with instead of booting you off the server!

I posted the function as simple as possible, for those of you who are using a different programming language it should be easy for you to translate it accordingly.
saweet is offline  
Thanks
1 User
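An added example, not code from the post or the game: a receiver-side check of the frame layout described above, written in Python and run against the unencrypted pick-up packet quoted later in this thread. It validates the length byte before indexing with it and compares the byte at offset length - 2 with what the posted `CreateCheckSum` would store; the sum is unkeyed, so it catches corruption and malformed lengths but says nothing about who built the frame. `Verdict`, `check_frame` and the handling of frames flagged `0x10` are assumptions made for the example.

```python
from enum import Enum

HEADER_LEN = 2        # length byte + encryption flag, as the post describes
TRAILER_LEN = 2       # the post reserves the last two bytes for the checksum
ENCRYPTED_FLAG = 0x10


class Verdict(Enum):
    OK = "checksum matches"
    BAD_LENGTH = "length byte disagrees with the bytes received"
    ENCRYPTED = "flagged encrypted, not checked here"
    BAD_CHECKSUM = "checksum byte does not match"


def expected_checksum(frame: bytes) -> int:
    """Value the posted CreateCheckSum stores at offset length - 2."""
    total = sum(frame[: frame[0] - TRAILER_LEN]) & 0xFF
    return (1 - total) & 0xFF


def check_frame(frame: bytes) -> Verdict:
    # Validate the length byte before using it as an index: the posted
    # function indexes with buffer[0] directly, which a receiver must not do.
    if len(frame) < HEADER_LEN + TRAILER_LEN or frame[0] != len(frame):
        return Verdict.BAD_LENGTH
    if frame[1] == ENCRYPTED_FLAG:
        # Assumption: the post does not say how the checksum relates to
        # encryption, so encrypted frames are reported, not judged.
        return Verdict.ENCRYPTED
    if frame[frame[0] - TRAILER_LEN] != expected_checksum(frame):
        return Verdict.BAD_CHECKSUM
    return Verdict.OK


# Unencrypted pick-up packet quoted later in this thread.
PICKUP = bytes.fromhex("1200734E8EA3C201D2CC431A18E701003F6B")


def demo() -> dict:
    corrupted = bytearray(PICKUP)
    corrupted[5] ^= 0x01                      # one bit flipped in transit
    return {
        "as captured": check_frame(PICKUP),
        "one bit flipped": check_frame(bytes(corrupted)),
        "truncated": check_frame(PICKUP[:10]),
        "length byte of 1": check_frame(b"\x01\x00\x00\x00"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:18} {verdict.name}: {verdict.value}")
```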
Old 09/03/2009, 15:21   #2
 
elite*gold: 0
Join Date: Sep 2009
Posts: 168
Received Thanks: 13
Lol lol, what was the point in that...

Edit: I didn't even read it xD
Nirf is offline  
Old 09/09/2009, 06:39   #3
 
dreamerdd's Avatar
 
elite*gold: 0
Join Date: Aug 2009
Posts: 283
Received Thanks: 71
oh k having prob with wpe o.O

basically doing the drop/pickup thing but when i search for hex/text i cant find anything but when searching with rev engine i can find exactly what im looking for. but i dont know how umm to modify the address i find with rev engine. so i try to put the address into wpe using the filter setting o.O. Also wondering (since im playing in english atm does that mess with the results of searches im getting). Idk im trying a lot of different things and reading up on some of these engines and packet makers (modifiers)


some of the programs i m using atm

WPE Pro
Rev engine 8.3
Tserch
cheat engine 5.5
Art Money pro
dreamerdd is offline  
Old 09/21/2009, 18:38   #4
 
mrkenneth's Avatar
 
elite*gold: 0
Join Date: Aug 2008
Posts: 352
Received Thanks: 34
Quote:
Originally Posted by dreamerdd View Post
oh k having prob with wpe o.O

basically doing the drop/pickup thing but when i search for hex/text i cant find anything but when searching with rev engine i can find exactly what im looking for. but i dont know how umm to modify the address i find with rev engine. so i try to put the address into wpe using the filter setting o.O. Also wondering (since im playing in english atm does that mess with the results of searches im getting). Idk im trying a lot of different things and reading up on some of these engines and packet makers (modifiers)


some of the programs i m using atm

WPE Pro
Rev engine 8.3
Tserch
cheat engine 5.5
Art Money pro
WPE Pro
Rev engine 8.3 You Lost?
Tserch
cheat engine 5.5 What the OMG!!! ?
Art Money pro i feel sorry for u dude...

What you gonna do with those?, Hack Flash games?, something is named Winhex, and is kinda better, or u have MHS..

Btw i havent read anything in this post, i just laughed when u showed those noob programs when Saweet talks about checksums.. HAHA.....


Btw u talk about finding hex... also offsets. why the F! do u use those noob things then? get Winhex.. -.-
mrkenneth is offline  
Old 09/21/2009, 20:38   #5

 
saweet's Avatar
 
elite*gold: 20
Join Date: Sep 2007
Posts: 1,406
Received Thanks: 2,092
Quote:
Originally Posted by dreamerdd View Post
oh k having prob with wpe o.O

basically doing the drop/pickup thing but when i search for hex/text i cant find anything but when searching with rev engine i can find exactly what im looking for. but i dont know how umm to modify the address i find with rev engine. so i try to put the address into wpe using the filter setting o.O. Also wondering (since im playing in english atm does that mess with the results of searches im getting). Idk im trying a lot of different things and reading up on some of these engines and packet makers (modifiers)
Well I haven't played much with either of these packets. However what I do know about those 2 packets is:

0x73 = pick-up item packet - Looks like:
Code:
12 00 73 4E 8E A3 C2 01 D2 CC 43 1A 18 E7 01 00 3F 6B
Offset 0x0 (byte) = length of packet
Offset 0x1 (byte) = encrypted packet flag (0x00 = no encryption)
Offset 0x2 (byte) = packet id
Offset 0x3 (float) = x coordinate
Offset 0x7 (float) = y coordinate
Offset 0x11 (uint) = item unique id
Offset 0x13 (uint) = ? don't know yet
Offset 0x15 (byte) = 0x00
Offset 0x16 (uint) = checksum

0x75 = drop item packet - Looks like:
Code:
0B 00 75 00 19 01 00 00 00 00 00
Offset 0x0 (byte) = length of packet
Offset 0x1 (byte) = encrypted packet flag (0x00 = no encryption)
Offset 0x2 (byte) = packet id
Offset 0x4 (byte) = slot id in all backpacks (ie: 19 = 1st backpack, slot 1)
Offset 0x5 (byte) = quantity of item
Offset 0x9 (uint) = checksum

I don't know how relevant the other offsets are. However, don't set the slot id below 19 or you'll start dropping your entire backpacks on the ground.

Remember, when dealing with coordinates like in the first example, you need to add (MapSize / 2). So if you have an X coordinate of 4E 8E A3 C2 like in the example, which is -81.88, then you add the MapSize / 2. Since I was in Liaodong and it is a 1024x1024 map, you would add 512 to get an X coordinate of 430.12.
saweet is offline  
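An added example, not code from the thread or the game: the field layout and MapSize / 2 shift listed above, decoded in Python and run through the range checks a receiving side would apply to these fields before acting on them. `FIRST_ITEM_SLOT` (reading the post's "19" as the `0x19` byte in its sample), the `held` inventory map, the player position and the reach limit are assumptions made for the example.

```python
import math
import struct

PICKUP_ID, DROP_ID = 0x73, 0x75
FIRST_ITEM_SLOT = 0x19   # assumption: the post's "19" is the 0x19 byte in its sample


def well_formed(frame: bytes, packet_id: int, min_len: int) -> bool:
    """Length byte must equal the bytes received and the id must match."""
    return len(frame) >= min_len and frame[0] == len(frame) and frame[2] == packet_id


def world_xy(frame: bytes, map_size: int) -> tuple:
    """Little-endian floats at offsets 3 and 7, shifted by MapSize / 2."""
    x, y = struct.unpack_from("<ff", frame, 3)
    return x + map_size / 2, y + map_size / 2


def validate_pickup(frame: bytes, map_size: int, player_xy: tuple, reach: float) -> str:
    if not well_formed(frame, PICKUP_ID, 11):
        return "malformed"
    x, y = world_xy(frame, map_size)
    # NaN and infinity fail this comparison, so they are rejected as well.
    if not (0 <= x <= map_size and 0 <= y <= map_size):
        return "outside map"
    if math.dist((x, y), player_xy) > reach:
        return "out of reach"
    return "ok"


def validate_drop(frame: bytes, held: dict) -> str:
    if not well_formed(frame, DROP_ID, 6):
        return "malformed"
    slot, quantity = frame[4], frame[5]
    if slot < FIRST_ITEM_SLOT:
        return "slot is not an item slot"
    if not 1 <= quantity <= held.get(slot, 0):
        return "quantity not held"
    return "ok"


# Sample packets as posted above; the player state below is constructed.
PICKUP = bytes.fromhex("1200734E8EA3C201D2CC431A18E701003F6B")
DROP = bytes.fromhex("0B00750019010000000000")

if __name__ == "__main__":
    print(world_xy(PICKUP, 1024))
    print(validate_pickup(PICKUP, 1024, (430.0, 921.0), 5.0))
    print(validate_drop(DROP, {0x19: 3}))
    print(validate_drop(DROP[:4] + b"\x01" + DROP[5:], {0x19: 3}))
```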
Old 09/21/2009, 23:07   #6
 
dreamerdd's Avatar
 
elite*gold: 0
Join Date: Aug 2009
Posts: 283
Received Thanks: 71
i dont see you producing **** mrkenneth so how can u laugh ??
dreamerdd is offline  
Old 09/22/2009, 00:21   #7
 
mrkenneth's Avatar
 
elite*gold: 0
Join Date: Aug 2008
Posts: 352
Received Thanks: 34
Quote:
Originally Posted by dreamerdd View Post
i dont see you producing **** mrkenneth so how can u laugh ??
Hmmm.. what do u produce? and i laughed at you xD CE.. Rev eng... lool
u gonna whine over that lil post? go to dekaron threads and read if im just a leecher :/
mrkenneth is offline  
Old 09/22/2009, 01:00   #8
 
dreamerdd's Avatar
 
elite*gold: 0
Join Date: Aug 2009
Posts: 283
Received Thanks: 71
well this is 9d not dekaron ................. and u seem posting like ur a mod or an elite hacker ?.? which both i don't really care about it any way o.O and found some of your old "any one got cheats for 9d" threads while i was searching in the old threads for viet stuff xD. any way not really a big deal to me any o.O. any way yawn imma go play my healer k =D

since we got some geniuses here figure out what that says
and decode that =0(



yawn .....
dreamerdd is offline  