Client-Server Protocol

07/04/2012 01:22 glandu2#1
Can someone confirm that rappelz uses rc4 encryption between client and server?
At least, the upload server uses the same XOR key to encrypt jpg files (I haven't tested whether the key changes when the client is restarted), but I don't know if the gameserver uses the same encryption.

The key used by the upload server isn't redundant; it seems to be rc4 (and there is a class named xrc4cipher or so in uploadserver.exe).

So if someone knows whether the gameserver uses rc4, or whether the upload server uses the same protocol encryption as the gameserver, their answer would be great :)
07/04/2012 01:38 Xijezu#2
Gameserver, Authserver, Uploadserver & SFrame: all of them use the same protocol and the same encryption.
07/05/2012 12:49 glandu2#3
rc4 confirmed, I can now decrypt the rappelz protocol. The key has been the same since the old 6.1 private server at least, so maybe they will never change it :)
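The point behind post #3 (one RC4 key that never changes) as an added example, not code from the thread or from the game: a minimal RC4 plus a check showing that with a fixed key the XOR of two ciphertexts equals the XOR of the two plaintexts, while a per-connection key derived from a nonce does not have that property. STATIC_KEY, P1, P2 and session_key are constructed for the demonstration.

```python
import hashlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a XOR stream cipher: the same call encrypts and decrypts."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def session_key(master: bytes, nonce: bytes) -> bytes:
    """Constructed mitigation (not the game's scheme): derive a per-connection
    key from the static master key and a fresh nonce, so two connections
    never share a keystream."""
    return hashlib.sha256(master + nonce).digest()[:16]

def ciphertext_xor(k1: bytes, p1: bytes, k2: bytes, p2: bytes) -> bytes:
    """XOR of two ciphertexts. When k1 == k2 (one static key, cipher restarted
    per connection) the keystream cancels out and the result is p1 ^ p2."""
    return xor_bytes(rc4(k1, p1), rc4(k2, p2))

STATIC_KEY = b"constructed-static-key"   # placeholder, not the real game key
P1 = b"LOGIN user=alice"                  # constructed sample packets
P2 = b"LOGIN user=bob  "

def static_key_leaks() -> bool:
    """True: with one fixed key, c1 ^ c2 reveals p1 ^ p2 without the key."""
    return ciphertext_xor(STATIC_KEY, P1, STATIC_KEY, P2) == xor_bytes(P1, P2)

def per_session_key_leaks() -> bool:
    """False: distinct per-connection keys give unrelated keystreams."""
    k1, k2 = session_key(STATIC_KEY, b"\x01"), session_key(STATIC_KEY, b"\x02")
    return ciphertext_xor(k1, P1, k2, P2) == xor_bytes(P1, P2)
```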
07/05/2012 14:26 ptifou78#4
First tip to have an emulator? If you have the project to do it, connect to skype, I have to speak with you ;)
07/05/2012 19:05 glandu2#5
There is debugging info with all servers. Everything is in the files: data structures, constants, source (in asm, but it doesn't matter :D), everything, database column names, procedures, parameters, [...]

For an emu, mmmmh, I think an emu of the upload server would be possible :D xD
Auth & upload shouldn't be complicated to do, but the gameserver has a LOT of things to do (10k lines of interesting structures & enums, that's a lot).

As the gameserver is really a big thing, I don't plan to do it. Maybe I will make an upload server to begin with, but I think I will explore all that information before; the disassembler is on captainserver.exe, it started ~1 hour ago ....... I don't know if it will finish analysing the file. Also, an emu (of the gameserver) wouldn't be a really interesting thing, as everyone already knows how the galanet server works, so I would make it only for fun.


Also, if someone knows this: why do the servers come with debug symbols? Don't tell me that the official servers are also running in debug mode? :x (or is the debug information only in .pdb files? There is a lot of information in the .exe; I don't use ms vc++, so I don't know how it manages debugging symbols)

I also have 2 other projects: foobar for linux and a sort of generic game engine (for the moment there is only collision detection & opengl rendering of 3d objects; a modular architecture and support for all possible hardware is a must).
07/05/2012 19:10 misterd#6
rappelz comes with some tricky parts, especially when you look at the packet parsers..
If you are intending to do it, I suggest you learn more about packet parsers ^^
07/05/2012 21:23 glandu2#7
I need nothing more to understand the rappelz protocol; I have all the needed tools/data (if not, I make the needed tool :p).

And the protocol used between servers is the same as between the client and server, but not encrypted.
07/05/2012 22:29 haxti#8
I would really appreciate any tips to get the source of the gs. The auth source is floating around somewhere, but it looks like it's rather incomplete.
07/05/2012 22:39 glandu2#9
The source that I have is assembler source; it's like having the source of a text file :x. Using a disassembler you can get the asm source of anything ^^ (except packed/encrypted programs like sframe, but that's not the case for the servers).

There are also decompilers that can decompile a program, but the output is far from the original sources.

It's the same as cracking other programs: the disassembler helps to understand how it works, and afterwards you can modify it to bypass something or else. There are also debugging symbols in pdb files, so the disassembler should be able to give more information about the program.
07/05/2012 22:42 haxti#10
Quote:
Originally Posted by glandu2
The source that I have is assembler source; it's like having the source of a text file :x. Using a disassembler you can get the asm source of anything ^^ (except packed/encrypted programs like sframe, but that's not the case for the servers).

There are also decompilers that can decompile a program, but the output is far from the original sources.
Yeah, I tried some, but those are rather for .Net programs.
07/05/2012 22:57 glandu2#11
Decompilers for .net give you almost compilable source, like java decompilers. But here you will have an ugly version of the source code, provided your decompiler can decompile your code (that was not always the case for me).

Otherwise you will have assembler code like this:
Code:
mov ax,81h                      ;load into ax the offset of the start of the command line
mov di,ax                       ;di=ax
mov ax,' '                      ;character to look for: a space
xor ch,ch                       ;cx=cl
mov cl,byte ptr ds:[80h]        ;cl=cx=length of the command line
add di,cx                       ;add cx to di to move to the end of the command line
mov bx,di                       ;save di in bx
std                             ;backward search mode, df=1
repne scasb                     ;look for a space, otherwise stop when cx = 0, i.e. when the whole command line has been scanned
inc di                          ;increment di to get back onto the space
push di                         ;save di for the comparison, to know whether the destination path is ok
mov ax,'\'                      ;look for a backslash, the folder-name separator
mov di,bx                       ;search in the destination file argument
mov cx,080h                     ;cx=128 -> the search never stops unless we go past the command line
repne scasb                     ;search
add di,2                        ;di=di+2 to move just after the '\'
                                ;
pop cx                          ;recall the location of the last argument (the di pushed above)
(part of an msdos program to copy files with a progress indicator, not optimized at all, for intel 80186 using TASM)

As you see, many comments are needed to understand the program, because plain assembler is not very easily understandable; that's why it took me more than one day to understand the rc4 algorithm of rappelz ...
07/05/2012 23:53 c1ph3r#12
Quote:
Originally Posted by haxti
Yeah, I tried some, but those are rather for .Net programs.
You can use IDA to disassemble the gameserver.

If you don't have a license you can write me a pm.