OOG dev - How to capture non-interaction outgoing packets?

09/02/2017 21:17 jasty#1
So I'm dabbling in OOG stuff atm, hoping eventually to make a homestead bot to farm sigils, and there are a lot more packets you have to deal with than you do with normal botting.

I've found some online libraries that document a lot of them, like here:
[link]

and here:
[link]

A lot of it is outdated and I've been updating them as I go, but the list is far from comprehensive and I need to capture packets that are undocumented. I have no problems with incoming packets, since I can just monitor the incoming traffic for the data I need, but I can't figure out what to send.

Does anyone know where the other packet sending function is for like login packets and stuff? A lot of the data I need to read I'm pretty sure I have to send a request first and the request doesn't go through the normal sendpacket routine. Ideally I'd like a tool for viewing these other packets but I'll settle for a function to breakpoint.
09/06/2017 01:31 gnitargetnisid#2
Explore the last function call in the c22 sendpacket function (well, not the last one, but the last client function call before the free(...) call). I was usually able to find the packet information by examining the stack at the very beginning of that function; packet type and structure should be right there. If you can't figure it out for some packets and you know how to work with server binaries, you can get all the information you need about the non-gameworld packets from the gdelivery daemon: search for the Protocol::Protocol(uint) function in IDA after applying DWARF, list cross-references and enjoy digging... Although it seems you're looking for homestead features, for which the files haven't been released yet, so I guess that won't be of much help.

I'll look into the first method tomorrow, I'm sure I had found a way to dump all packets a few months ago, I just can't remember now.

OK, so I dug a bit further and hopefully found something. The best place to bp/detour a function for monitoring these packets seems to be the function that assembles the packet. To find this function:

- Set a breakpoint on WS2_32.send
- do something in game so the function gets called (it actually gets called twice; the second time is for the real (encrypted) packet, however we'll need the first call)
- go to the return address; it'll look something like this:

[screenshot]

- scroll up a bit until you see this function call:
[screenshot]

- follow that function and set a breakpoint at the very first instruction

Information should be stored as follows:

ecx (this):
[] = interface functions pointer
[+4] = packet type array beginning
[+8] = packet type array ending

esp + 08 (first argument):
[] = interface functions pointer
[+4] = packet array beginning
[+8] = packet array ending

For example, I'll try to find out the information about the AddFriend packet.

1. The breakpoint hits; we see the addresses here:

[screenshot]

2. I follow ecx in the stack:

[screenshot]

3. Here I see that the beginning of the packet type array is 0x16CE9138 and the ending is 0x16CE913A. So the packet type fits in two bytes, and we can find them at 16CE9138.
4. As seen here:

[screenshot]

the packet type array has 0x80 0xCA, which is 0xCA packed into cuint.
5. Now that we have the packet type, we need to get the packet structure.
6. I follow esp + 8 in the stack:

[screenshot]

7. Applying the same logic, I follow the packet array beginning address, 218ED6C8.
8. Here we have:

[screenshot]

9. We also know the ending address, so we can get the entire packet:

00 52 E3 E1 00 00 00 00 16 65 00 6C 00 69 00 74 00 65 00 70 00 76 00 70 00 65 00 72 00 73 00 05 53 B4 00

Now I know, from digging in server binaries before, that the structure is:

self UID (non-reversed) - 00 52 E3 E1
target UID (this is only if the client actually obtained the UID for this character name, in this case it did not, so it leaves it at 0) - 00 00 00 00
name of the character that we're trying to add as a friend - 16 65 00 6C 00 69 00 74 00 65 00 70 00 76 00 70 00 65 00 72 00 73 00
srclsid (source link server id, you can leave it at 0, it's not important) - 05 53 B4 00

Hopefully that helps; I guess you should know what to do from here. Also, this is a 1.5.3 client since I don't have a higher version downloaded right now, so unless it has undergone major changes in the past few versions, the functions should still be in place.
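The packet dump and field layout above, worked through in code. This is an added example, not code from the post or from any of the bots the thread mentions. It assumes: the compact-uint ("cuint") scheme is the usual prefix encoding (1 byte below 0x80, 2 bytes with a 10 prefix below 0x4000, 4 bytes with a 110 prefix below 0x20000000, otherwise a 0xE0 marker plus 4 bytes), of which the page confirms only the one- and two-byte forms (0x16 -> 0x16, 0xCA -> 80 CA); the UID and srclsid fields are big-endian, following the post's "non-reversed" remark; and the name is a cuint byte length followed by UTF-16LE text, which is what the dumped bytes show. The constants are the bytes exactly as dumped in the post.

```python
"""Decode/encode the AddFriend body from the post (added example; see lead-in).

Assumptions (not confirmed by the page beyond the cases it shows):
  - cuint: 1/2/4/5-byte prefix encoding; only the 1- and 2-byte forms are
    visible on the page (0x16 and 80 CA).
  - self UID, target UID and srclsid are 32-bit big-endian.
  - name = cuint byte length + UTF-16LE characters.
"""
import struct


def encode_cuint(value: int) -> bytes:
    """Pack an unsigned int in the compact form; 0xCA -> b'\\x80\\xca'."""
    if value < 0:
        raise ValueError("cuint is unsigned")
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return struct.pack(">H", 0x8000 | value)
    if value < 0x20000000:
        return struct.pack(">I", 0xC0000000 | value)
    if value <= 0xFFFFFFFF:
        return b"\xE0" + struct.pack(">I", value)
    raise ValueError("value does not fit in a cuint")


def decode_cuint(buf: bytes, off: int = 0) -> tuple:
    """Return (value, offset after the cuint); raises on a truncated buffer."""
    if off >= len(buf):
        raise ValueError("truncated cuint")
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    if first < 0xC0:
        need, fmt, mask, skip = 2, ">H", 0x3FFF, 0
    elif first < 0xE0:
        need, fmt, mask, skip = 4, ">I", 0x1FFFFFFF, 0
    else:
        need, fmt, mask, skip = 5, ">I", 0xFFFFFFFF, 1
    if off + need > len(buf):
        raise ValueError("truncated cuint")
    value = struct.unpack_from(fmt, buf, off + skip)[0] & mask
    return value, off + need


def parse_addfriend(payload: bytes) -> dict:
    """Split an AddFriend body into the four fields the post describes."""
    if len(payload) < 8 + 1 + 4:
        raise ValueError("payload too short for AddFriend")
    self_uid, target_uid = struct.unpack_from(">II", payload, 0)
    name_len, off = decode_cuint(payload, 8)
    # UTF-16 needs an even byte count, and the name must be followed by
    # exactly the 4-byte srclsid; anything else means the layout assumption
    # does not hold for this packet.
    if name_len % 2 or off + name_len + 4 != len(payload):
        raise ValueError("name length does not match packet size")
    name = payload[off:off + name_len].decode("utf-16-le")
    srclsid = struct.unpack_from(">I", payload, off + name_len)[0]
    return {"self_uid": self_uid, "target_uid": target_uid,
            "name": name, "srclsid": srclsid}


def build_addfriend(self_uid: int, target_uid: int, name: str,
                    srclsid: int = 0) -> bytes:
    """Inverse of parse_addfriend; target_uid/srclsid may be 0 per the post."""
    encoded = name.encode("utf-16-le")
    return (struct.pack(">II", self_uid, target_uid)
            + encode_cuint(len(encoded)) + encoded
            + struct.pack(">I", srclsid))


# Bytes exactly as dumped in the post: packet type array and packet array.
ADDFRIEND_TYPE_BYTES = bytes.fromhex("80 CA")
ADDFRIEND_DUMP = bytes.fromhex(
    "00 52 E3 E1 00 00 00 00 16 65 00 6C 00 69 00 74 00 65 00 70 00 76 00"
    "70 00 65 00 72 00 73 00 05 53 B4 00")

if __name__ == "__main__":
    ptype, _ = decode_cuint(ADDFRIEND_TYPE_BYTES)
    fields = parse_addfriend(ADDFRIEND_DUMP)
    print(f"packet type 0x{ptype:02X}: {fields}")
    assert build_addfriend(**fields) == ADDFRIEND_DUMP
```

The length check in parse_addfriend is what tells you when the layout guess is wrong for a given dump: if the cuint length plus the 4-byte trailer does not land exactly on the end of the packet array, the structure is not the one described and the fields need re-deriving rather than being trusted.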
09/08/2017 03:36 derleyvolt#3
What is a c22? Thx
09/11/2017 07:16 jasty#4
@gnitargetnisid Very nice, thanks for the info. That should help find packets pre-encryption.
@derleyvolt c22 is a type of packet that is the container for most of the packets used by bots: movement, casting skills, talking to NPCs, etc.

There are other types of packets though such as the login protocol, sending chat messages, requesting character appearance when someone walks into your view radius, requesting homestead data when entering a homestead. etc.

Here's a pretty big list of packets I found in some old thread:
09/11/2017 10:54 derleyvolt#5
thx jasty
08/13/2018 06:46 ariesta1503#6
I want to make an OOG cat shop. Is anyone willing to share an example or clues or something? Thanks
08/13/2018 17:36 jasty#7
I learned a lot about OOG stuff from existing projects like:
[link]
[link]
[link]

There is also this tool called Pandora here:
[link]

Which, when combined with a proxy, can capture and decode all packets so you can figure out what you need to send. Most of the packets involved with cat shops are already well documented.

Unfortunately right now Arc authentication is required, and the Russians who figured out how to get around it aren't sharing atm. I have a good understanding of how the normal authentication works, but figuring out how to authenticate with Arc and what to do with the login token is a bit beyond my ability.
08/14/2018 11:31 derleyvolt#8
Jasty, to you, what is most difficult in figuring out how Arc authentication works?
In what PW version was this implemented? Thx bro
08/17/2018 19:24 jasty#9
Well, first you need to log in to Arc with OAuth, probably.

Then while logging into the game you have to use that access token to generate the encryption key somehow instead of using the password.

The encryption key in the old protocol was RC4( MD5(login + password), Server Key ), something like that. I'm not sure what the expression would be for using an access token instead of a password.

If you figure it out let me know.
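The key expression in the post above, written out so it can be tested against a capture. This is an added example, not code from the thread, and it implements only the expression as jasty recalls it ("something like that"); nothing on this page confirms that the real client does this, or how an Arc access token would replace the password. Assumed details, none of them stated in the post: login and password are concatenated with no separator and UTF-8 encoded, the raw 16-byte MD5 digest is used as the RC4 key, and the result is the RC4 encryption of the server key. The server key and credentials in the block are constructed for the example. RC4 is implemented inline and checked against the public "Key"/"Plaintext" test vector so that a mismatch against a real capture points at the hypothesis, not at the cipher code.

```python
"""RC4(MD5(login + password), server_key) as the post states it (added example).

Assumptions (not from the page): UTF-8 concatenation with no separator, raw
MD5 digest as the RC4 key, plain RC4 over the server key with no byte skipped.
"""
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_session_key(login: str, password: str, server_key: bytes) -> bytes:
    """RC4( MD5(login + password), server_key ), exactly as the post writes it."""
    md5_key = hashlib.md5((login + password).encode("utf-8")).digest()
    return rc4(md5_key, server_key)


def recover_server_key(login: str, password: str, session_key: bytes) -> bytes:
    """RC4 is its own inverse, so the same call maps the key back."""
    return derive_session_key(login, password, session_key)


def matches_capture(login: str, password: str, server_key: bytes,
                    observed_key: bytes) -> bool:
    """Check the hypothesised expression against a key seen in a capture."""
    return derive_session_key(login, password, server_key) == observed_key


# Constructed inputs for the example; not values from any real server.
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
LOGIN, PASSWORD = "jasty", "hunter2"

if __name__ == "__main__":
    key = derive_session_key(LOGIN, PASSWORD, SERVER_KEY)
    print("session key:", key.hex())
    print("round trip ok:", recover_server_key(LOGIN, PASSWORD, key) == SERVER_KEY)
```

matches_capture is the useful part for the question in the thread: feed it the server key and the session key taken from a real login exchange and, if it returns False for the known login and password, the recalled expression is wrong in some detail (separator, encoding, hash, or which side is the key) and each assumption above is a candidate to vary.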
05/24/2019 07:30 200Char#10
Quote:
Originally Posted by jasty
Well, first you need to log in to Arc with OAuth, probably.

Then while logging into the game you have to use that access token to generate the encryption key somehow instead of using the password.

The encryption key in the old protocol was RC4( MD5(login + password), Server Key ), something like that. I'm not sure what the expression would be for using an access token instead of a password.

If you figure it out let me know.
Hi jasty, can you tell me how to send move at pwluaoog?
05/26/2019 23:11 jasty#11
You have to send raw move packets.

Move:
Code:
Packet p = new Packet();
p.AddUInt16(0x0000)                                  // header
 .AddFloat(pos.x)
 .AddFloat(pos.z)
 .AddFloat(pos.y)
 .AddFloat(pos.x)
 .AddFloat(pos.z)
 .AddFloat(pos.y)
 .AddUInt16(delta)                                   // delta millisecs = ~500
 .AddUInt16((ushort)((speed * 256) + .5), true)      // speed = walk speed = player + 0x540 = ~4.8f
 .AddByte(mode)                                      // walk = 0x21
 .AddUInt16(player.MoveCounter++, true);             // counter at player struct + 0xD18
sendPacket(p.Bytes);
05/27/2019 23:42 200Char#12
Quote:
Originally Posted by jasty
You have to send raw move packets.

Move:
Code:
Packet p = new Packet();
p.AddUInt16(0x0000)                                  // header
 .AddFloat(pos.x)
 .AddFloat(pos.z)
 .AddFloat(pos.y)
 .AddFloat(pos.x)
 .AddFloat(pos.z)
 .AddFloat(pos.y)
 .AddUInt16(delta)                                   // delta millisecs = ~500
 .AddUInt16((ushort)((speed * 256) + .5), true)      // speed = walk speed = player + 0x540 = ~4.8f
 .AddByte(mode)                                      // walk = 0x21
 .AddUInt16(player.MoveCounter++, true);             // counter at player struct + 0xD18
sendPacket(p.Bytes);
Thank you for the answer, but I'm new to C#. Where should I put this in pwluaogg, and how can I use/call the function from protocol.lua?
05/31/2019 18:33 jasty#13
Are you even able to use pwluaogg to get through Arc? I didn't think it worked.

You'd have to see how to send raw packets with that framework and adapt that packet format. All the fields are in reverse byte order. If you aren't comfortable with manipulating packet data you shouldn't bother with OOG stuff yet.
05/09/2020 01:02 bmurji#14
Did this work?