Tool for a Tool

12/29/2011 09:43 AutoLib#1
I've noticed a few threads of .txt files with packets in them. Naturally, I decided to make a program to make these more convenient to use. Here's a shot of my current progress:


I have the basic idea of everything already planned. This shell will send a message to Alissa and tell it to send the packet this creates. Think of it as an easy way to remember and use packets without opening a bunch of text files.

However, I am having trouble understanding the workings of the packet data. From all my research I've gathered the following.
  1. The starting 8 characters indicate the function of the packet.
    • 00008EC3 for Shadow Missions
    • 0000A42B for Mana Tunnels
    • 0000526C for Chat
    • 00006982 for Skill Loading
  2. I know how to retrieve character IDs and how to use them.
  3. I know how to use skill IDs to load skills.

Note: I am not necessarily asking for complete hand-out packets, but just an overview of how they work. Also note that all my information is mostly gathered from one or two posts. I have searched for many hours and haven't come up with anything substantial.

My questions are:
  1. Are the first 8 digits the "opcode"? Sounds right to me.
  2. How do I get the data to populate the end of the message? I know the packet for loading defense is:
    00006982<Char ID>070200024E2106000100
    This is how I can decompile it so far:
    • 00006982 - Load Skill Opcode
    • <Char ID> - Self explanatory
    • 07020002 - No clue. Guessing it's a parameter?
    • 4E21 - 20001, the code for Defense.
    • 06000100 - Again, no clue.

    Can anyone explain those two parts?
  3. And just in general, are there any decent guides to packet codes? Every thread I've seen asking about them turns into a giant flame war and has little if any information. Would be ironic if this turns into the same thing.
12/29/2011 09:51 Heavenlyhero#2
1. yes, the first 8 digits are the "opcode"
2. Generally, most general packets end in two or four 0s.
3. Look for alissa source. You can study how the packet builder works in it.
12/29/2011 10:03 AutoLib#3
1. Thanks
2. That doesn't really cover how the parameters are formed or how to get them, or if you can.
3. I completely forgot Alissa came with source, but it's coded in Delphi and I don't have access to it. Notepad++ works, but then again I barely understand Delphi. Second, that doesn't answer my question. I know how packets work by themselves. I was trying to ask about how Mabinogi packets are formed as in opcodes and parameters (again). I guess 2 and 3 in my questions can be combined.

Edit: 3 is probably not clear. I don't mean formed as in put x here, I mean how do you get the opcode and parameters of a function and understand what they do. I'm assuming it's all in-game packet sniffing.
12/29/2011 12:03 VanHef#4
I wonder about some of those extra numbers too :D
IDK about all of them, but I can offer this:
1. Some of the numbers are essentially just dividers to separate params
02,03,04,05,06 etc
2. Some of the numbers are related to the number of digits in a string
in english = "4cat" "6horse" "5bear"
3. Alissa sometimes builds a packet differently than the game did and it
seems to work just the same.
Your example:
00006982<Char ID>070200024E2106000100
Alissa might build like this:
00006982<Char ID>060200024E2106000100
4. Might find info here: [Only registered and activated users can see links. Click Here To Register...]
12/29/2011 16:23 cloudkiller2006#5
Below here, in the spoilers, are several guides on packets I've released here earlier. These should cover most of it.

they are, in order:
-animation
-status effect
-duels
-whispers
-additional reading (has to do with strings)


These packets still work. Note that the received ones are NOT seen by others.

Hope you enjoy it, feel free to ask any questions.
12/29/2011 16:32 tylian1#6
Just to clarify some things.

Quote:
15 <--- packet number
That's the length of the packet in bytes, not counting the header in bytes iirc.
It does some weird funky math when it's over 0x80 iirc..

It's generally safe to ignore this and parse the parameters individually, Mabi even ignores it iirc.

Quote:
00 <--- start of the text
0C <--- amount of characters in the text (includes itself)
The length for the string in the packet information is a word, that is, it takes up two bytes instead of one.
So it's 000C (or 12 characters)

Quote:
546F75736869726F753232 <--- the name of the target in hex
00 <--- end of the text
The end of the text is actually part of the text. Mabi packets are C-Style null-terminated strings.
12/29/2011 16:33 cloudkiller2006#7
curse you tyl!
ah well, moar info for him ;;
12/29/2011 16:43 tylian1#8
Well he seemed to know what he was doing so, decided to give him the nitty-gritty! XD
12/29/2011 21:28 Blade3575#9
Alissa pretty much splits off the parameters for you:

00008FC4 - Change Title OP Code
00 T_WORD : 11003 [2AFB]
01 T_WORD : 0 [0000]

00 T_WORD : XXXXX - This is the title code, when building packets you don't need the things to the right from my experience.

A lot of things may have multiple character IDs, and these would be put in parameters as above and will be put under T_ID, as with item IDs.

The built packet for what I showed above would look like this:
00008FC4001000000004CABC060200022AFB020000
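Putting tylian1's string notes (#6) and Blade3575's split-up packet (#9) together, here is an added example written for this thread (it is not Alissa's code and was not posted by anyone above) that decodes and rebuilds the layout those two posts describe: 4-byte opcode, 8-byte character ID, then the 06/07 byte read as the body length and the 02 as the parameter count (which fits both sample packets), a 00 byte, and one-byte-tagged parameters (02 = word, 06 = length word plus a null-terminated string). Assumptions: the "funky math" past 0x80 is a 7-bit varint, tags 01/03/04 exist alongside the two shown on the page, and the character ID in the second sample is made up.

```python
import struct

TYPE_NAMES = {0x01: "byte", 0x02: "word", 0x03: "dword", 0x04: "qword", 0x06: "string"}
INT_SIZES = {0x01: 1, 0x02: 2, 0x03: 4, 0x04: 8}  # 02 (T_WORD) and 06 are on the page; 01/03/04 are assumed
TAG_OF = {name: tag for tag, name in TYPE_NAMES.items()}

def read_varint(buf, pos):  # 7-bit varint, assumed to be the "funky math" above 0x80
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value, shift, pos = value | (buf[pos] & 0x7F) << shift, shift + 7, pos + 1
    return value | (buf[pos] << shift), pos + 1

def write_varint(n):
    return bytes([n]) if n < 0x80 else bytes([(n & 0x7F) | 0x80]) + write_varint(n >> 7)

def parse_packet(hexstr):
    buf = bytes.fromhex(hexstr)
    op, char_id = struct.unpack_from(">IQ", buf, 0)  # 4-byte opcode, 8-byte character id
    declared_len, pos = read_varint(buf, 12)         # body length (Mabi ignores it, per tylian1)
    count, pos = read_varint(buf, pos)               # number of parameters
    if buf[pos] != 0x00:
        raise ValueError("expected 0x00 before the parameter list")
    pos = body_start = pos + 1
    params = []
    for _ in range(count):
        tag, pos = buf[pos], pos + 1
        if tag in INT_SIZES:
            value, pos = int.from_bytes(buf[pos:pos + INT_SIZES[tag]], "big"), pos + INT_SIZES[tag]
        elif tag == 0x06:                            # word length, then a C string incl. its null
            size = struct.unpack_from(">H", buf, pos)[0]
            raw, pos = buf[pos + 2:pos + 2 + size], pos + 2 + size
            if not raw.endswith(b"\x00"):
                raise ValueError("string parameter is not null-terminated")
            value = raw[:-1].decode("ascii")
        else:
            raise ValueError(f"unknown tag 0x{tag:02X} at offset {pos - 1}")
        params.append((TYPE_NAMES[tag], value))
    return {"op": op, "id": char_id, "params": params,
            "declared_len": declared_len, "actual_len": pos - body_start}

def build_packet(op, char_id, params):
    body = b""
    for kind, value in params:
        if kind == "string":
            raw = value.encode("ascii") + b"\x00"
            body += bytes([TAG_OF[kind]]) + struct.pack(">H", len(raw)) + raw
        else:
            body += bytes([TAG_OF[kind]]) + value.to_bytes(INT_SIZES[TAG_OF[kind]], "big")
    head = struct.pack(">IQ", op, char_id) + write_varint(len(body)) + write_varint(len(params))
    return (head + b"\x00" + body).hex().upper()
```

Comparing declared_len with actual_len is how you spot VanHef's 06-vs-07 case: the declared length is off by one but the parameters still parse.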
12/29/2011 21:55 AutoLib#10
I'm kind of surprised at the amount of help I got. Thanks Cloud for all the examples, Tylian for noting that they are C strings, and Blade for noting Alissa splits the parameters. I noticed Alissa did it last night but didn't quite understand it.

So I'm guessing if I want to find opcodes for specific things (i.e. 6982 for skills, A88A for duel/pvp, etc), I have to do them myself in-game and extract the packet? If so I have a lot of in-game packet sniffing to do. In the meantime I'm building a scanner for csend since it's easier than finding opcodes for packets with parameters.

Edit: New question, are ALL received packets visual only? From what I've gathered I'd say so. Just had a fun experience with trying to use a Recv to do something.

Being an amateur I thought I could just moon gate, grab the packet and have a free teleport to Ceo Island. I thought it worked since I tested it while on Ceo Island and it kept putting me back at the tunnel. Teleported to Dun and back to make sure it worked and got this:


Long story short, lesson learned. Can't just resend packet with same result.

I also found out that the client sends a sort of confirmation packet when it receives items. I tested this with the snowball and I get something like
  • RECV - Item Gain Screen (Shows the snowball with info, etc)
  • RECV - Item Gain Message (System Message that says "obtained x")
  • RECV - I didn't note the last one, but it was visual like the last two
  • SEND - 00006598<CharID>02010100(Something like that anyway. Not sure of exact opcode.)

This stuck out at me because I Recv the same type of packet when I do certain actions. I'm pretty sure that's what stops you from getting more than one.

Anyway I digress. Might be completely wrong.
12/29/2011 23:24 exec#11
Quote:
Originally Posted by AutoLib View Post
So I'm guessing if I want to find opcodes for specific things (i.e. 6982 for skills, A88A for duel/pvp, etc), I have to do them myself in-game and extract the packet? If so I have a lot of in-game packet sniffing to do. In the meantime I'm building a scanner for csend since it's easier than finding opcodes for packets with parameters.

Edit: New question, are ALL received packets visual only? From what I've gathered I'd say so. Just had a fun experience with trying to use a Recv to do something.
Naturally the server tells your client what to display. So every packet you receive is information that normally would come from the server. You can do funny stuff here, but it'll always be client sided. And even though Mabinogi has some security flaws, you can't change what the server knows about your character, no matter what packets you let your client receive. Only things you send will actually do something.

About a scanner for csend, aka packets without parameters, I'm pretty sure there already is one [Only registered and activated users can see links. Click Here To Register...], isn't there?

Edit: Wow... my first post, after being registered here for exactly 6 years xD
12/29/2011 23:39 AutoLib#12
Quote:
Originally Posted by exec View Post
Naturally the server tells your client what to display. So every packet you receive is information that normally would come from the server. You can do funny stuff here, but it'll always be client sided. And even though Mabinogi has some security flaws, you can't change what the server knows about your character, no matter what packets you let your client receive. Only things you send will actually do something.

About a scanner for csend, aka packets without parameters, I'm pretty sure there already is one [Only registered and activated users can see links. Click Here To Register...], isn't there?

Edit: Wow... my first post, after being registered here for exactly 6 years xD
First post in 6 years? How'd you manage that? Anyway, thanks for the input.

I thought so. I almost flipped the first time I "duplicated" AP. Had a message say AP +25, but it was just client sided sadly. As for that scanner, I don't think it works well. I see people in the thread saying it can make your character unusable. Second, I actually am running it now on an alternate account and I am not seeing it log anything. I get this:
Code:
...
[12/29/11 16:36:06] - Scanned 582
[12/29/11 16:36:06] - Scanned 583
[12/29/11 16:36:07] - Scanned 584
...
Tir teleport opcode takes no parameters that I know and is 582. So shouldn't it be marking it or something? I don't think it's working.
12/29/2011 23:45 exec#13
I've never tested it, but it's listing Codes, isn't it?^^ I'd believe these are parameter-less packets. No need to mark them or anything.
12/30/2011 00:07 AutoLib#14
Quote:
Originally Posted by exec View Post
I've never tested it, but it's listing Codes, isn't it?^^ I'd believe these are parameter-less packets. No need to mark them or anything.
The problem is it lists every single packet as a parameter-less packet. There is no skipping that I see. So this is basically counting from 0x01 to 0xFFFFFFFF and writing it to a file.
12/30/2011 04:01 Blade3575#15
If it's doing what I think it is, you basically just need to watch your screen for changes. It's probably just a plain scanner that could be made up using a simple macro and Alissa/Agnes telling it to send (StartOP-1)&CharID