I. Introduction
II. Login server
1. Packet encryption
2. Packet structure
3. A RequestAuthLogin packet constructor in C
III. Game server
1. The authorization process on a server
2. Packet encryption
3. Protocol
4. xID and ObjectID
5. Packet examples:
a) buying/selling
b) private messages
c) OID and IID
d) talking to an NPC, using skill learning as an example
IV. Problems and how they can be used
1. No limit on the number of authorization attempts
2. Packet encryption
3. Remote detection of the Lineage 2 server version
4. Remote "hanging" of the login server
5. Cloning
6. Creating "mutants" and mixing skills
7. Immortality
8. "Remote DoS" and what it gives
9. Integer overflow in the l2j network cursor
10. SQL injection
11. Sharpening (or a fairy tale about 100% enchant)
12. Geodata (walking through walls)
13. A prank with SocialAction (0x1b)
14. A bug in Ride (0x6a)
15. Kicking characters out of the game
16. A bug with RequestRestartPoint (resurrection and escaping from jail)
17. Stripping someone else's character without knowing the login or the password - is that really possible?
18. Conclusion
V. Bugs of the new generation
VI. A few words about C4
VII. Epilogue
VIII. References
IX. Appendices to the article
I. Introduction.
What is Lineage? It is a representative of the modern game genre, an MMORPG (Massively Multiplayer Online Role-Playing Game).
I would even say one of the most successful and popular, if not the most =).
Of course, it is hard to talk about the popularity of this game, since counting exactly how many people are "hooked" on Lineage is probably impossible, but servers such as
[link] (with a peak of 10,000 registered users online) and the official
[link] (with its 100,000 users, all of whom paid) suggest that the figure must be impressive. The essence of the game is that (as in any other RPG) you have a character and a huge world in which you have to obtain money, clothes, weapons and experience, in order finally to fight players like yourself and flatter your vanity with victories.
For people whose real life is not going well, it offers self-realisation in a virtual world: becoming a famous warrior and even finding a bride (yes, girls play Lineage too, and in large numbers). Among all the other online (and not only online) games, Lineage wins you over with its graphics. Personally, at first it seemed improbable to me that anyone could create such wonderful three-dimensional beauty for a mere game. But the game has its dark sides too. First, it draws you in; and not simply draws you in, but causes a dependence that is extremely difficult to fight. Second, you understand that in an industry involving hundreds of thousands of gamers from practically every layer of society, things cannot happen without money (as with everything in our life). Some people, having a family and a job, simply have no time to spend months leveling a character to the required level. That stratum gave birth to people who began selling game levels and items for real money, thereby creating a new niche in the world of Lineage. At present, depending on the size of the server (and its rates), a well-equipped high-level character can cost anywhere from $300 (on the dying
[link]) to $5,000 on an official server. The funniest thing is buying items from the administration of one server or another. Think about it: the gamer pays N "killed raccoons" (Russian slang for dollars) for the administrator adding one record to the game database. That is how money is made out of thin air. Well, I seem to have got carried away describing the game) That is what a year spent on it does to you. Of course, in such an industry (where money and a cloud of naive and at times silly gamers circulate) things cannot happen without us, the inquisitive minds. Some buy characters, some create and level them themselves; we choose the third, untrodden path. The thing is that in the several years this game has existed, not one vulnerability (apart from purely game bugs) has been found in it, and not one program has been written that could open access to other people's accounts to attackers. And do you know why? It seems to me that the young, inexperienced researchers (whose posts fill bugtraq) were put off by the nasty encryption of packets in Lineage. And even in decrypted form, the packets look like a chaotic set of characters. Perhaps the old-timers remember my article about the client-server protocol and vulnerabilities of Half-Life (
[link]). The purpose of that article was to describe the game and to hand over on a plate almost everything I had achieved in studying it. In this article I will tell how to decrypt Lineage 2 traffic, say a little about the peculiarities of the protocol, and give some results (both mine and other people's); everything else I will not publish, since general use of it could lead to chaos in this fine, balanced and fully formed virtual world =)
ATTENTION.
1. I warn you at once: I will sometimes refer back to the Half-Life article, because the analogies will help you understand what is written more easily. And make it easier for me to write.
2. The article was written on the basis of analysing decrypted packets and studying the source code of l2j, a Lineage 2 server written in Java. Accordingly, the article is 100% valid for l2j, and for the official server as far as l2j is valid for it =)
3. All source code was written under Linux. For compilation you need the blowfish lib. The libs from the openssl package will do with a small update of the code.
4. By the way, about updating the code. The source code given in the article contains small logic mistakes, to exclude its thoughtless use. If you dig into the article, fixing them will not be a problem.
5. And the last thing. The full version of the article was available for a long time only to a limited circle of people, and with the release of the C4 version of Lineage 2 and the fixing of most of the bugs it became sharply obsolete. About C4 I will say a little at the end.
II. Login server. Introduction. Let us begin with the fact that the Lineage 2 developers separated the login server from the game server, to unload at least a little the already overloaded channel of the game server. Besides, the login server has a tendency to hang (this began with the C3 version of Lineage and continues to this day) and to stop letting users onto the server, while those who are already playing feel no discomfort at all =) And since no one has yet managed to find the bug and clearly explain to the developers where it crept in, it remains unfixed to this day. And so, despite all the charm of the idea of unloading the game channel, our domestic administrators persistently put the login server on the same machine as the game server.
1. Packet encryption.
For encrypting the packets that the login server exchanges with the client, Lineage uses Blowfish. Yes, the algorithm developed by Bruce Schneier in 1993. About Blowfish it is important to know that it is a symmetric block cipher. Symmetric means that the algorithm uses one secret key with which data is both encrypted and decrypted. Speaking specifically of Blowfish, 18 32-bit subkeys and 4 S-boxes of 256 32-bit words each are generated from this key, and the data is in turn encrypted and decrypted with them. Block cipher means that Blowfish processes data in blocks (of 8 bytes). It also means that if the integrity of the ciphertext is broken, we cannot restore the damaged part in any way. With regard to Lineage, it must be said that the key from which the subkeys are generated is a constant and is written explicitly in the l2j source code, so anyone who knows it can decrypt every login exchange (this is where 99% of Lineage researchers fell down, assuming the key had to be transmitted in one of the packets; see the references at the end). It is also important to note that the first 2 bytes of a packet's data are not encrypted. With encryption, I think, we are done. Let us move on.
2. Packet structure.
The first two bytes of a packet (the ones that are not encrypted) contain the packet length (as in Half-Life). The next byte carries the packet type. The login server processes the following packets:
0x00 - RequestAuthLogin (authorization request; contains the login and password)
0x02 - RequestServerLogin (request to connect to a server)
0x05 - RequestServerList (request for the list of servers)
It simply does not answer any others, only leaving a record in the logs. The client processes packets of the following types:
0x01 - authorization failed
0x03 - you are successfully authorized
0x04 - the answer to RequestServerLogin
0x06 - the answer to RequestServerList
and also a few additional packets about account bans, version checks, etc.; they are shown below. The next byte supplements the requests described above. For example, if the server answered our authorization request with a packet of type 0x01, the next byte will contain the reason why authorization failed (important for us: 0x03 - incorrect login or password, 0x07 - someone is already using the account, 0x11 - a temporary password is set). But in fact this byte is not entirely a service byte. For example, in RequestAuthLogin packets the login begins with this byte. Then come a number of bytes that are no longer control bytes and carry information defined by the packet type. For example, for RequestAuthLogin this field contains the login and password. The last 8 bytes of the packet have an important purpose. They contain a checksum of everything that precedes them, except, again, the first two bytes of the packet. How is this checksum calculated? The data is split sequentially into 32-bit words. The first is XORed with the second, the result of this operation is XORed with the next word, and so on. An example of the checksum calculation is shown below.
3. The packet constructor in C. With the packet structure understood, we can now implement in a program everything that was done by hand above.
/*
la2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor
Helps to understand lineage2 authentification.
darkgrey / m00.blackhat.ru
~broken
*/
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include "/usr/local/include/blowfish.h"
// key length
#define KEY_LEN 20
// The length of a RequestAuthLogin packet is constant and equal to AUTH_PKT_LEN + 2
#define AUTH_PKT_LEN 0x30
// Key from which the sub-keys are generated (a constant, taken from the l2j sources)
char key[] = "[;'.]94-31==-&%@!^+]";
// Structure which, after sub-key generation, holds the 18 P sub-keys and the 4 S matrices
BF_KEY bfkey;
// Calculates the checksum over `count` bytes of raw (XOR of little-endian 32-bit words)
// and stores it right after them
void add_checksum(unsigned char *raw, int count) {
    uint32_t chksum = 0, ecx;
    int i;
    for (i = 0; i < count; i += 4) {
        ecx  = (uint32_t)raw[i];
        ecx |= (uint32_t)raw[i + 1] << 8;
        ecx |= (uint32_t)raw[i + 2] << 16;
        ecx |= (uint32_t)raw[i + 3] << 24;
        chksum ^= ecx;
    }
    printf("checksum: 0x%x\n", chksum);
    // stored little-endian, the same byte order the words were read in
    raw[count]     = (unsigned char)(chksum);
    raw[count + 1] = (unsigned char)(chksum >> 8);
    raw[count + 2] = (unsigned char)(chksum >> 16);
    raw[count + 3] = (unsigned char)(chksum >> 24);
}
// Copies the login and password into the packet (separated from the main function for readability).
// The login field is 14 bytes and the password field 16; longer values are truncated to fit.
void add_lp(unsigned char *raw, const char *l, const char *p) {
    size_t ll = strlen(l), pl = strlen(p);
    memcpy(raw + 3, l, ll > 14 ? 14 : ll);
    memcpy(raw + 17, p, pl > 16 ? 16 : pl);
}
// Prints the packet in readable form (for debugging)
void print_packet(const unsigned char *raw, int len) {
    int i, c = 0;
    for (i = 0; i < 54; i++) printf("_");
    for (i = 0; i < len + 2; i++) {
        if ((c % 0x10) == 0) printf("\n0x%.2x | ", c);
        printf("%.2x ", raw[i]);
        c++;
    }
    printf("\n\n");
}
// The main function which builds the packet
void build_auth_packet(const char *login, const char *pwd) {
    int count = AUTH_PKT_LEN / 8;   // number of 8-byte Blowfish blocks
    int i;
    unsigned char packet_skeleton[] =
        // RequestAuthLogin packet skeleton
        "\x32\x00"                                                          // packet length, constant: 0x30 + 0x02
        "\x00"                                                              // packet type (0x00 - RequestAuthLogin)
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"          // login (14 bytes)
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  // password (16 bytes)
        "\x08"                                                              // marks the end of the login/password section
        "\x00\x00\x00\x00\x00\x00\x00\x00"                                  // not used in c3 (reserved?)
        "\x00\x00\x00\x00"                                                  // checksum
        "\x00\x00\x00\x00";                                                 // rest of the final 8-byte block
    // add login and password to the packet
    add_lp(packet_skeleton, login, pwd);
    // add the checksum: it covers everything after the 2 length bytes, up to the checksum itself
    add_checksum(packet_skeleton + 2, AUTH_PKT_LEN - 8);
    printf("Auth packet dump (non-crypted):\n");
    print_packet(packet_skeleton, AUTH_PKT_LEN);
    // Encrypt in 8-byte blocks, skipping the 2 unencrypted length bytes.
    // The blowfish lib used here takes a direction argument; OpenSSL's API is
    // BF_ecb_encrypt(in, out, &bfkey, BF_ENCRYPT), hence the "small update" mentioned above.
    for (i = 0; i < count; i++)
        BF_encrypt((BF_LONG *)(packet_skeleton + 2 + i * 8), &bfkey, BF_ENCRYPT);
    printf("Auth packet dump (encrypted):\n");
    print_packet(packet_skeleton, AUTH_PKT_LEN);
}
int main(void) {
    char login[] = "m00",   // test login
         pwd[]   = "ownzu"; // password
    printf("\nla2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor\n\n");
    // generate sub-keys
    BF_set_key(&bfkey, KEY_LEN, (unsigned char *)key);
    // build the packet
    build_auth_packet(login, pwd);
    return 0;
}
/* eof */
Here is what the program displayed on my box:
bash-2.05b$ ./a.out
la2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor
checksum: 0x224a0377
Auth packet dump (non-crypted):
______________________________________________________
0x00 | 32 00 00 6d 30 30 00 00 00 00 00 00 00 00 00 00
0x10 | 00 6f 77 6e 7a 75 00 00 00 00 00 00 00 00 00 00
0x20 | 00 08 00 00 00 00 00 00 00 00 77 03 4a 22 00 00
0x30 | 00 00
Auth packet dump (encrypted):
______________________________________________________
0x00 | 32 00 09 d9 97 e2 29 89 8c b5 1a a0 1a 83 74 43
0x10 | 39 fc 2f 03 c3 26 9c 65 b0 c4 20 28 11 c1 6a 95
0x20 | 3e 44 45 46 2a ae b9 18 91 2e 75 56 d0 dc 40 b5
0x30 | 77 2a
bash-2.05b$
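As an added example (not code from the original article or from l2j), here is the receiving side of what section 2 describes: a small parser for the plaintext RequestAuthLogin packet, run over the unencrypted dump above (the sample bytes are copied from that dump and are labelled as such in the code). It recomputes the XOR-of-32-bit-words checksum, which comes out to the 0x224a0377 the constructor printed, and shows that the checksum catches a corrupted login byte but not a change to the trailing pad bytes, since those lie outside the covered region. Names such as la2_parse_auth_login are my own; the field widths (14-byte login at offset 3, 16-byte password at offset 17) are taken from the constructor.

```c
/* Added example (not part of the original article): a parser for the plaintext
 * RequestAuthLogin packet of section 2, checked against the dump printed above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LA2_AUTH_PKT_LEN 0x30                       /* bytes following the 2-byte length field */
#define LA2_LOGIN_FIELD  14                         /* login field: offsets 3..16 */
#define LA2_PWD_FIELD    16                         /* password field: offsets 17..32 */
#define LA2_CKSUM_OFFSET (2 + LA2_AUTH_PKT_LEN - 8) /* 0x2a: the checksum sits in the last 8 bytes */

/* Constructed sample: the "non-crypted" dump printed by la2-example.c above
 * (login "m00", password "ownzu"), copied byte for byte, 0x32 = 50 bytes. */
static const uint8_t sample_auth_packet[LA2_AUTH_PKT_LEN + 2] = {
    0x32,0x00,0x00,0x6d,0x30,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x6f,0x77,0x6e,0x7a,0x75,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x77,0x03,0x4a,0x22,0x00,0x00,
    0x00,0x00
};

struct la2_auth_login {
    uint8_t  type;
    char     login[LA2_LOGIN_FIELD + 1];   /* fields are NUL padded; +1 guarantees a terminator */
    char     password[LA2_PWD_FIELD + 1];
    uint32_t checksum_stored;
    uint32_t checksum_computed;
};

/* Little-endian 32-bit load: the word order the checksum (and the dump) use. */
static uint32_t la2_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The checksum of section 2: XOR of consecutive 32-bit words; len is a multiple of 4. */
uint32_t la2_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 4 <= len; i += 4)
        sum ^= la2_le32(data + i);
    return sum;
}

/* Parse a plaintext RequestAuthLogin packet into *out.
 * Returns 0 on success, -1 wrong buffer size, -2 length header disagrees with the
 * buffer, -3 not a RequestAuthLogin (type 0x00), -4 checksum mismatch. */
int la2_parse_auth_login(const uint8_t *pkt, size_t pkt_len, struct la2_auth_login *out)
{
    memset(out, 0, sizeof *out);
    if (pkt_len != LA2_AUTH_PKT_LEN + 2)
        return -1;
    /* the length field counts the whole packet, itself included (0x32 here) */
    if ((size_t)(pkt[0] | (pkt[1] << 8)) != pkt_len)
        return -2;
    if (pkt[2] != 0x00)
        return -3;
    out->type = pkt[2];
    memcpy(out->login, pkt + 3, LA2_LOGIN_FIELD);
    memcpy(out->password, pkt + 3 + LA2_LOGIN_FIELD, LA2_PWD_FIELD);
    /* covered region: everything after the length field, up to the checksum itself */
    out->checksum_stored   = la2_le32(pkt + LA2_CKSUM_OFFSET);
    out->checksum_computed = la2_checksum(pkt + 2, LA2_CKSUM_OFFSET - 2);
    return out->checksum_stored == out->checksum_computed ? 0 : -4;
}

/* Parse a copy of the sample with one byte XORed by `mask`; returns the parse result.
 * Shows what the XOR checksum does and does not protect against. */
int la2_parse_modified_sample(size_t offset, uint8_t mask)
{
    uint8_t copy[sizeof sample_auth_packet];
    struct la2_auth_login tmp;
    memcpy(copy, sample_auth_packet, sizeof copy);
    copy[offset] ^= mask;
    return la2_parse_auth_login(copy, sizeof copy, &tmp);
}

int main(void)
{
    struct la2_auth_login a;
    int rc = la2_parse_auth_login(sample_auth_packet, sizeof sample_auth_packet, &a);
    printf("rc=%d type=0x%02x login=\"%s\" password=\"%s\"\n", rc, a.type, a.login, a.password);
    printf("checksum stored=0x%08x computed=0x%08x\n", a.checksum_stored, a.checksum_computed);
    /* a damaged login byte is caught ... */
    printf("login byte flipped: rc=%d\n", la2_parse_modified_sample(3, 0x01));
    /* ... but a change in the trailing pad bytes, outside the covered region, is not */
    printf("pad byte flipped:   rc=%d\n", la2_parse_modified_sample(LA2_AUTH_PKT_LEN + 1, 0xff));
    return 0;
}
```

The checksum is an integrity check against transmission damage, nothing more: it uses no secret, so any party that knows the word-XOR rule can rewrite a field and recompute it, and the four pad bytes after it are not covered at all. Whatever protection the login exchange has comes from the Blowfish layer on top, which, as section 1 notes, uses a constant key.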
To be continued...