Decode the Rappelz IP stream

07/03/2010 13:21 Gertos#1
I have been using my own private Rappelz bot for many months now.
My current technique is a kernel driver for mouse/keyboard input and analysis logic that reads the different data from the screen.

This works well in most cases, but I want more :D

e.g. finding my own location without the /position command.
Finding the mobs faster.


So I have started to take a first look at the IP communication.

A first test with Wireshark shows that GG doesn't mind IP analysis tools.
But Wireshark is not the best way to analyze the data, because there is too much traffic.

So I wrote a small C# program that hooks into the IP stream.
The next step is to understand the IP data.

Here the problems start, because the traffic is encrypted in some way.

I think they use a key that modifies itself after each IP packet and XOR it with the real data.

A nice place to test is the Ursa Caverns dungeon.
The big hand has a dialog with an Update button, so each time you press the button the server sends the same information to your client.
And if you do this during the night, you can get several messages from the server in a row.

You can see that each packet has the same length, and there is no other pattern that I noticed. E.g. there is no header byte that tells the client what kind of data this is (e.g. global shout, mob is moving, ...).

I think the conclusion is that all data is encrypted, including the header byte.

The traffic is also completely TCP (and not UDP).
This adds extra traffic to the game, because some info (all-chat / mob random movement / ...) is not so important for the game and could be sent over UDP as well.

I think they decided to skip UDP because they want to encrypt everything, and the concept would not work with UDP.

The server has to communicate with 1000+ players at the same time, so I think they didn't add an encryption technique that needs a lot of CPU power or memory.

The GameGuard web page also says nothing about encrypting IP traffic, so this was maybe developed by nFlavor itself (so the code is inside the game code and not part of the GG DLLs).


There are now 2 questions to answer so that we are able to decode the IP stream:

· What is the start value of the key?
· How do they modify the key after each packet?


A true code breaker could maybe find the code if he just analyzed the data from the Ursa Caverns hand, but I can't.

The easier way is maybe to follow the IP data.
There must be an API call that gets the data from the OS into the game.
Even the header bytes are encrypted, so the decrypt logic can't be far from the API call.

Maybe somebody with more experience in this area can find the function.



P.S.
jasonxa has written some interesting posts about this.

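The post describes a scheme in which a key changes after every packet and is XORed over the whole packet, header byte included, and observes that repeated identical messages produce ciphertexts of identical length with no visible structure. The following is an added illustration written for this thread, not code from the post, from Rappelz or from nFlavor: a constructed toy model of such a rolling-XOR stream (the seed, the SHA-256 state update and the 1-byte-type / 2-byte-length packet layout are all assumptions) used to show what a passive observer on the wire can see (packet lengths) and cannot see (the header and contents), and why a per-packet key state only works over an ordered transport like TCP, which matches the post's guess about why UDP is not used.

```python
"""Toy per-packet rolling XOR stream. Constructed for illustration only; it is
NOT the real Rappelz/nFlavor scheme, whose key derivation is unknown here."""
import hashlib


class RollingXorStream:
    """Hypothetical cipher: the key state is hashed forward after every packet,
    so two packets never share keystream even when their plaintext is identical."""

    def __init__(self, seed: bytes) -> None:
        # 32-byte key state derived from a session seed (assumption for the model)
        self.state = hashlib.sha256(seed).digest()

    def _keystream(self, length: int) -> bytes:
        # Expand the current state into as many keystream bytes as the packet needs.
        out = bytearray()
        block = self.state
        while len(out) < length:
            block = hashlib.sha256(block).digest()
            out.extend(block)
        return bytes(out[:length])

    def process(self, data: bytes) -> bytes:
        """XOR is symmetric: sender and receiver both call this with synchronized state."""
        ks = self._keystream(len(data))
        result = bytes(a ^ b for a, b in zip(data, ks))
        # Advance the key state so the next packet uses fresh keystream.
        self.state = hashlib.sha256(self.state + b"next").digest()
        return result


def build_packet(msg_type: int, payload: bytes) -> bytes:
    """Plaintext layout assumed for the model: 1-byte type, 2-byte little-endian length, payload."""
    return bytes([msg_type]) + len(payload).to_bytes(2, "little") + payload


def observe_repeated_packets(count: int = 3) -> dict:
    """Encrypt the same 'update' packet `count` times and report what a passive
    observer on the wire sees versus what the synchronized receiver recovers."""
    sender = RollingXorStream(b"session-seed-demo")      # constructed seed
    receiver = RollingXorStream(b"session-seed-demo")
    plain = build_packet(0x42, b"hand-status:sleeping")  # constructed sample message
    wire = [sender.process(plain) for _ in range(count)]
    decrypted = [receiver.process(pkt) for pkt in wire]
    return {
        # Length is the one thing the cipher does not hide.
        "lengths": [len(p) for p in wire],
        "all_same_length": len({len(p) for p in wire}) == 1,
        # Same plaintext, different keystream per packet: bytes differ every time.
        "ciphertexts_distinct": len(set(wire)) == count,
        # The type byte is encrypted too, so no constant header is visible.
        "first_bytes": [p[0] for p in wire],
        "first_byte_constant": len({p[0] for p in wire}) == 1,
        "receiver_recovers": all(d == plain for d in decrypted),
    }


def desync_breaks_decryption() -> bool:
    """If the receiver misses one packet, its key state lags behind the sender's and
    every later packet decrypts to garbage: the scheme relies on in-order, lossless
    delivery, which TCP provides and UDP does not."""
    sender = RollingXorStream(b"session-seed-demo")
    receiver = RollingXorStream(b"session-seed-demo")
    plain = build_packet(0x42, b"hand-status:sleeping")
    _lost = sender.process(plain)   # this packet never reaches the receiver
    next_pkt = sender.process(plain)
    return receiver.process(next_pkt) != plain


if __name__ == "__main__":
    print(observe_repeated_packets())
    print("desync breaks decryption:", desync_breaks_decryption())
```

Running the model shows the same picture the post describes from the Ursa Caverns hand: every repeated packet has the same length, no byte stays constant across repetitions, and nothing looks like a type header, while the receiver that tracks the key state recovers the packet exactly. The desync case shows why such a design pairs naturally with TCP: a single lost or reordered datagram would leave the receiver unable to decrypt anything that follows.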