Hi, I've been sniffing some Kal packets in order to try creating an open-source server emulator written in Node.js (which sounds more appropriate nowadays), but I need help understanding the basics and figuring out some patterns.
I altered config.pk to add my own localhost to the list for server selection, and when I click on server selection in the latest engine I always get a welcome packet like these:
<Buffer 19 00 3e d2 c9 9f 91 82 a8 a6 cd 73 14 20 d1 87 db 40 ff c9 ee 3c 50 91 8d>
<Buffer 19 00 3e 10 e7 15 91 82 a8 a6 cd 73 14 20 d1 87 db 40 ff c9 ee 3c 50 91 b9>
which I reply to with [0x1f, 0x00, 0x85, 0x2a, 0x92, 0xae, 0xd3, 0xdd, 0xc6, 0xff, 0xb7, 0xea, 0x86, 0x9f, 0xb7, 0xea, 0xc5, 0x8d, 0x24, 0x68, 0x91, 0xd9, 0x91, 0x91, 0x91, 0xee, 0x91, 0x91, 0xe1, 0x48, 0xe1]
and it works, allowing me to fill in my login info, but I still can't quite figure out how this first handshake allows me to manipulate the future packets.
Some things I noticed:
- it always starts with 19 00 3e
- the first hex byte of the buffer is the total number of bytes it contains
If I keep imitating the packets I sniffed, it allows me to go on to character selection and join the world itself, but only with "pre-recorded" packets; it doesn't let me edit those packets because they aren't decrypted.
So my questions are:
What's the logic behind that initial handshake? Does it affect the crypt itself?
Does anyone know how I can decrypt the future packets, for example the login info that the client sends once you hit "log in"? I noticed it always has a separator hex byte between login and password in the same buffer, but even the value of the hex byte used as the separator changes on each iteration, probably because the cryptography is decided before that, but how?
Thanks in advance, and take it easy on me, it's my first time posting here :D