Hey everyone, I know how hard it is to code features when you don't have a packet sniffer and such. Not just that, it's very difficult when you're programming with a patch that's no longer current. This feature is even more so difficult because the feature is not in English, it's in Chinese. Here's some more information about it.
Packet Example:
You've probably seen something like what's below as a way to reject clients in the lower patches (below 5032ish). Take a look at offsets 8 and 12.
My Analysis:
So, to send a message, you first have to send the token for the rejection. The token you might see is "1" in offset 8. First, you should know that there are many tokens supported by the lower patches (more than you might think). Below is a list of tokens supported by the English client on the older patches (I'm using Conquer 1.0 in these tests).
I did find more (quite a lot more), but I couldn't get them to work with the English client on the patch I'm working on (4274). Using these tokens isn't too easy. For each token, you also need to send a message that the client recognizes. Unfortunately, these messages are in Chinese. I've been using ollydbg to get these messages, but I can't read assembly well enough to get them all yet (I'm an amateur at reverse engineering). Here are the messages I've found (using encoding GB2312):
帐号名或口令错 (Invalid account name or password):
0xd5, 0xca, 0xba, 0xc5, 0xc3, 0xfb, 0xbb, 0xf2, 0xbf, 0xda, 0xc1, 0xee, 0xb4, 0xed
该帐号被封号 (This account is banned)
0xb8, 0xc3, 0xd5, 0xca, 0xba, 0xc5, 0xb1, 0xbb, 0xb7, 0xe2, 0xba, 0xc5
请稍后重新登录 (Server Offline / Sign in later)
0xc7, 0xeb, 0xc9, 0xd4, 0xba, 0xf3, 0xd6, 0xd8, 0xd0, 0xc2, 0xb5, 0xc7, 0xc2, 0xbc
Hopefully this was informative enough for others more experienced than I am to reverse the client and understand what to look for (and what they're looking at). Here are more strings I found that didn't quite work with my patch:
6: 小时数已用尽 (Not Enough Credits)
7: 帐号已过期 (Not Enough Game Time) - Didn't bother testing actually.
10: 服务器未启动 (Unknown Server) - Didn't bother testing as well.
13: 该帐号不能登录 (Bar Password)
20: 服务器忙请稍候 (Server Busy)
21: 服务器人数已满 (Server Full)
999: 数据库错误 (Default Message) - Didn't bother testing.
Here's a small thing I programmed for making the hex arrays (I'm too lazy to type these out):
That's it. Cheers.
Packet Example:
You've probably seen something like what's below as a way to reject clients in the lower patches (below 5032ish). Take a look at offsets 8 and 12.
Code:
public static byte[] WrongPassword()
{
byte[] PacketData = new byte[0x20];
PacketData[0] = 0x20;
PacketData[1] = 0x00;
PacketData[2] = 0x1f;
PacketData[3] = 0x04;
PacketData[4] = 0x00;
PacketData[5] = 0x00;
PacketData[6] = 0x00;
PacketData[7] = 0x00;
PacketData[8] = 0x01;
PacketData[9] = 0x00;
PacketData[10] = 0x00;
PacketData[11] = 0x00;
PacketData[12] = 0xd5;
PacketData[13] = 0xca;
PacketData[14] = 0xba;
PacketData[15] = 0xc5;
PacketData[16] = 0xc3;
PacketData[17] = 0xfb;
PacketData[18] = 0xbb;
PacketData[19] = 0xf2;
PacketData[20] = 0xbf;
PacketData[21] = 0xda;
PacketData[22] = 0xc1;
PacketData[23] = 0xee;
PacketData[24] = 0xb4;
PacketData[25] = 0xed;
PacketData[26] = 0x00;
PacketData[27] = 0x00;
PacketData[28] = 0x00;
PacketData[29] = 0x00;
PacketData[30] = 0x00;
PacketData[31] = 0x00;
return PacketData;
}
So, to send a message, you first have to send the token for the rejection. The token you might see is "1" in offset 8. First, you should know that there are many tokens supported by the lower patches (more than you might think). Below is a list of tokens supported by the English client on the older patches (I'm using Conquer 1.0 in these tests).
- Invalid Password = 1
- Server Offline = 11
- Banned = 12
I did find more (quite a lot more), but I couldn't get them to work with the English client on the patch I'm working on (4274). Using these tokens isn't too easy. For each token, you also need to send a message that the client recognizes. Unfortunately, these messages are in Chinese. I've been using ollydbg to get these messages, but I can't read assembly well enough to get them all yet (I'm an amateur at reverse engineering). Here are the messages I've found (using encoding GB2312):
帐号名或口令错 (Invalid account name or password):
0xd5, 0xca, 0xba, 0xc5, 0xc3, 0xfb, 0xbb, 0xf2, 0xbf, 0xda, 0xc1, 0xee, 0xb4, 0xed
该帐号被封号 (This account is banned)
0xb8, 0xc3, 0xd5, 0xca, 0xba, 0xc5, 0xb1, 0xbb, 0xb7, 0xe2, 0xba, 0xc5
请稍后重新登录 (Server Offline / Sign in later)
0xc7, 0xeb, 0xc9, 0xd4, 0xba, 0xf3, 0xd6, 0xd8, 0xd0, 0xc2, 0xb5, 0xc7, 0xc2, 0xbc
Hopefully this was informative enough for others more experienced than I am to reverse the client and understand what to look for (and what they're looking at). Here are more strings I found that didn't quite work with my patch:
6: 小时数已用尽 (Not Enough Credits)
7: 帐号已过期 (Not Enough Game Time) - Didn't bother testing actually.
10: 服务器未启动 (Unknown Server) - Didn't bother testing as well.
13: 该帐号不能登录 (Bar Password)
20: 服务器忙请稍候 (Server Busy)
21: 服务器人数已满 (Server Full)
999: 数据库错误 (Default Message) - Didn't bother testing.
Here's a small thing I programmed for making the hex arrays (I'm too lazy to type these out):
Code:
byte[] test5 = Encoding.GetEncoding(936).GetBytes("服务器未启动");
string testString = "";
for (int index = 0; index < test5.Length; index++)
{
testString += "0x" + test5[index].ToString("X0") + ", ";
}
