[FAQ] Proxies, packets and bots ooh my!

Ok so there have been a ton of random questions that have boiled down to proxies (or memory based bots) recently so I figured I'd write up some of my knowledge on the subject in one random place for people who are trying to figure it out.

DISCLAIMER: I know very little on the subject. Anything I post here is simply research I've been doing for my own little projects and should NOT be viewed as a completed knowledge lol. If anyone has corrections for me, feel free to post and I'll give full credit obviously.


What are you trying to do:

So the first question that should be asked is what are you trying to do? Level bot, aimbot, speed hack, packet logger, etc... Most if not all of these things are easiest to accomplish by creating or editing packets. To do this you really only have two options.

Option One: Memory based bots/tools

I have virtually ZERO experience with this but the idea is you create a program and hook it into the conquer process. The goal is either to inject your own .dll into the client to hook the functions you care about. You could do something as simple as reading memory addresses to see location/hp/mana and then sending input back to the client (mouse clicks) or you could do something more complicated such as hooking the send/receive functions for the client. At that point you have the same functionality of a proxy without worrying about needing to reverse whatever encryption TQ is using (cause the client already handles it)

Warning: You will still need to reverse engineer some of the client protection to make sure its either disabled or simply ignores whatever method you use to interact with conquer.exe. If not you're gonna get banned fast.

Option Two: Proxy based bots/tools

The far more common option is creating a proxy in order to intercept, block, modify or create false packets that are being sent to or from the server.

The basic setup for communication is something like


Conquer Client <--> Proxy <--> Conquer servers

You simply modify your client to connect to the proxy ip (local if you are hosting it yourself). The proxy then listens both on auth and game ports. On receiving a connection from the client it then connects to the official tq auth server.

BASIC auth procedure as I remember it (probably flawed)

Client > TQ server (basic connection, no info sent)
TQServer > Client (confirmation of connection, sends basic info... I THINK password seed? I forget)
Client > TQServer: Login information (username, password, server, etc)

Tq server then verifies that information and returns a response

TQServer > Client: Response. If a valid login then it sends the GAME SERVER ip, port and server name.

When using a proxy you will want to modify this packet so that the client is now connecting to the proxy again instead of the tq game server. Once this is done there is a dhkey exchange done to setup the blowfish encryption and packets are sent for the final login procedure and normal game play.

Assuming encryption has been set up and connections are managed correctly. You now have access to ALL information flowing between the client and server in a non encrypted format. These packets can be forwarded on to their destination or they can be blocked or modified. You can even create your own packets and send them to their destinations. EG: Send server a jump packet and your character will jump (nothing sent from client so nothing is updated there). If you want the client to update you will then need to send the jump (or other movement packet type) to the client.


Note: Sending invalid packet sizes or types can be an easy way to get botjailed. When testing new packets use a noob.

<edit>
Added link for packet sniffing/analysis. [Only registered and activated users can see links. Click Here To Register...]

It explains most things but yah... once you have your packets in a decrypted state then you can begin to look into their structure. The best way I find to do this is look for things you know and go from there.

Common things to look for in packets:

Packet length (always first 2 bytes in conquer... this + 8 should be the number of bytes. The extra 8 is the seal)
Packet type (second 2 bytes for co packets)
Character UID: contained in almost all packets. It's 4 bytes so once you know your character uid it should be easy to find and help you structure your packets alot quicker by blanking out sections of unknown bytes
Seal: All packets are sealed with a text string. The last 8 bytes of any packet! It's either TQServer or TQClient. This is determined by which way the packet is traveling. If you are making your own packet MAKE SURE YOU SEAL IT WITH THE PROPER DIRECTION! (TQServer or TQClient)
Location info Map, X, Y. MANY packets contain this information (2 bytes) so it's best when logging packets to take note of what map and coords you are at so that it's easier to figure out what everything in the packet means. NOTE: some packets *cough* general data *cough* contain 2 sets of coords often... this is generally from/to coords. Make sure you are using them properly or you could run into problems!
Timer: Very useful if you plan to be creating your own packets to send vs just logging them. It's 4 bytes and changes with every packet. It's only contained (afaik) in the general data, walk and attack packets... I could be wrong on that though. NOTE: If you plan to let others use your proxy, make sure you are using THEIR computer time for any proxy generated packets... or simply replace all user timestamps with your own as I do.
Target UID: Mostly for attacking but it's a useful thing to look for. Note: Monsters are range 400,000-500,000. That's an easy way to find it if you are trying to build an attack packet or w/e. Super easy to find.

There are other things that these could be containing, I'd suggest conversion to string as well so that you can read any text information contained in the packet (name of spawned entity, the seal and all sorts of stuff!) It will help you alot when trying to sort out a bunch of jumbled bytes.



Once you have a working proxy you will need to setup your actual functionality/scripts. This could include auto hunting, looting, speed hacking, aimbotting, packet logging... ANYTHING.

The simplest way to do bot scripts is to add some new character variables. What I do is I simply have a bot thread that runs every 100 ms and checks for certain conditions.

Eg:

If(!Char.Botting)
return;
if(DateTime.Now < Char.LastBotTime.AddMilliseconds(Char.BotSpeed))
return;
//bot code

Something very simple like that can be used to control actions. Note: Make sure that if you do something like this you exit the function AS SOON AS POSSIBLE! If conditions are not met, STOP CHECKING FOR MORE! That's a very pointless thing to do and wastes LOTS of computing power. Check the most common conditions first (if the character isn't botting then why check if the time is correct?), then check less common conditions and make sure to write things using multiple functions. It makes tracking problems SO much easier. EG: Check if character is looting, Run a canloot/tryloot function, check if character is aimbotting, run a tryaimbot/canaimbot function, etc. By breaking things into functions you can correct, replace or completely remove sections of code without having to re-write your entire script.


Tips:
-Jumping faster than 700/750 ms will dc you unless you are using a proper speed hack or are in xp mode. DON'T DO IT!
-Sending packets sealed with the wrong thing will get you dc'd. DON'T DO IT!
-Sending packets with invalid size will get you dc'd and possibly bot jailed. DON'T DO IT!
-Sending packets with invalid values does NOT seem to get you in trouble... but still not the best plan. use a noob
J-umping to a target and attacking right away can cause dc's, Not recommended.
-Speeds are not checked when in superman or cyclone. Feel free to jump/attack faster! (note: too fast will still dc, test it out yourself. I haven't had problems with using like 100-200 ms though)
-Jumping and fsing within similar timeframes gets you dc'd. Don't do it! (Note: Fatal strike sends you to target xy... I'd be updating my coords if I were you! No need to jump)
-Updating the client too quickly can crash the client (eg: Sending it 50 jump/correct coord packets within 1 second or w/e... If you are doing a super fast xp mode... maybe only update it every 10 jumps? or use your own system)

Anyways, I have to get to work. I'll try to add in some diagrams and further info later but I just thought that with all the questions people have been asking that it might be wise to pull together some information on the subject.



Some VERY useful links.


Packet wiki (yay korv!)
[Only registered and activated users can see links. Click Here To Register...]

GREAT link on understanding packets
[Only registered and activated users can see links. Click Here To Register...]

Advice given to me when I was working on my proxy (long'ish read)
[Only registered and activated users can see links. Click Here To Register...]


DHKey Exchange!
http://en.wikipedia.org/wiki/Diffie%...n_key_exchange
http://en.wikipedia.org/wiki/Man-in-the-middle_attack

<summary>

Ok so those links are quite technical and contain far more than you need to know... all you really need to know is that for DHKey exchange... each party uses an algorithm to produce a fairly standard small number. They send that number to the other party which is then run through their lovely algorithm to setup encryption. SUPER basic desc but the actual math behind it doesn't really matter.

What your proxy will be doing is a "man in the middle attack". Seeing as this key is public, all you have to do is put something (your proxy) in the middle. Setup a connection to each party (server and client) and receive the keys that they want to use for encryption. This allows you to understand the encryption that each party is using and to use it to send information in that direction. The fact that the two are not using the same key is meaningless because you are doing all that on your proxy!

Lets use the example of a packet coming from the client.

Client tries to send a packet to the server.

Proxy decrypts this packet using the CLIENT'S encryption key + blowfish and all that good stuff.

Proxy reads/alters the packet

Proxy ENCRYPTS the packet using the SERVER'S encryption key + blowfish and all that good stuff.

Proxy sends the packet to the server.


And just like that, the proxy is able to understand, modify and create packets without issue and neither party knows that their encryption is wrong because the proxy simply is using two different keys. One for the client and one for the server.

If my desc is off... please correct me.. Encryption tends to confuse the hell out of me but this is my basic understanding of how it works.




<OTHER C# RESORCES>

C# for dummies E-book: Very good basic guide to programming
[Only registered and activated users can see links. Click Here To Register...]

C# Primer E-book
[Only registered and activated users can see links. Click Here To Register...]

C# Bible E-book
[Only registered and activated users can see links. Click Here To Register...]

Quote:

Originally Posted by pro4never Option One: Memory based bots/tools I have virtually ZERO experience with this but the idea is you create a program and hook it into the conquer process (generally through a dll). Once done you can read memory addresses such as hp/mana and from what I understand you can read/modify the memory addresses for incoming/outgoing packets. This will allow for all sorts of proxy like functionality. Warning: This is generally done with C++ for injection seeing as afaik it's far easier to do that way vs other languages... you could do something like a loader in C++ and the actual program in C# or w/e... but generally these types of things are done in C++ Some VERY useful links. Packet wiki (yay korv!) [Only registered and activated users can see links. Click Here To Register...] There was a really good intro to understanding packets posted on here already... I simply can't find the link atm. I'll post it later. Advice given to me when I was working on my proxy (long'ish read) [Only registered and activated users can see links. Click Here To Register...]

Well I can clear a few things up for ya on the memory side, you're proxy option post was pretty accurate.

Now a memory hook can be done a few ways, doesn't even require dll injection at all.

DLL Injection just gets you inside the processes address space then allows you to hook the send / recv packet functions inside of conquer's memory, you can do this outside of a dll just as easily.

Only advantage to using a dll I can think of is if you actually want to make a memory based bot that hooks lots of functions, but for just a packet hook it's not really necessary.

After you have the send/ recv packets hooked you can set up the actual bots exactly like a proxy.
There's no more need to use any memory modifications after that is done.

Not much of an advantage using C++ vs any other language either, once the hooks are finished everything else is the same.

Advantage to using a packet hook: You can do it pre-encryption / post-decryption so there is no need to use any of the encryption classes you'll find around.

#Sticky

You may also want to include these wikipedia pages:

Man-in-the-middle attack - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Diffie–...n_key_exchange

They illustrate how to trick the client/server into using your generated secret keys.

Quote:

Originally Posted by princeofpain You may also want to include these wikipedia pages: Man-in-the-middle attack - Wikipedia, the free encyclopedia Diffie?Hellman key exchange - Wikipedia, the free encyclopedia They illustrate how to trick the client/server into using your generated secret keys.

Yah thanks for the links.. was planning on adding some of that stuff+ diagrams tomorrow when i had the time. Wrote this like 20 min before i had training lol.

Nice guide.

Good job, many thanks to you.
Shouldn't this be in the programming section, though?

Also this should be removed
http://en.wikipedia.org/wiki/Diffie%...n_key_exchange

it almost exploded my brain with all that math.

Updated with the packet structure link, some of my advice on finding packet structures, tips and warnings about creating your own proxy, some more information on writing your own bot/proxy scripts and some other stuff.

Enjoy!
P4N

btw: Thanks for the sticky, I think this is officially my first (then gain it's not like things in pserver section really get stickied lol)

Quote:

Originally Posted by DeathByMoogles Good job, many thanks to you. Shouldn't this be in the programming section, though? Also this should be removed http://en.wikipedia.org/wiki/Diffie%...n_key_exchange it almost exploded my brain with all that math.

The math part of it isn't really what's important. The link contains 'everything you could ever want to know about dhkey exchanges'. I'd say it's good enough. I'll write a SUPER basic excerpt/description of how it works to accompany the link though.

*cough* if I get my desc on it wrong... please correct me... I'd much rather have my ego shot than be giving out incorrect information.

You can add the example 5228 proxy I released.

Nice guide p4n, hopefully the "how to make bot/proxy?" threads will vanish.

[code]
System.Net.Sockets.SocketException: Only one usage of each socket address (proto
col/network address/port) is normally permitted
at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress
socketAddress)
at System.Net.Sockets.Socket.Bind(EndPoint localEP)
at COProxy.Proxy.Start(String ServerIP, Int32 Port) in C:\Users\Alan\Download
s\Epvp Source\Epvp Source\Epvp Source\COProxy\COProxy\Program.cs:line 231
at COProxy.Program.Main(String[] args) in C:\Users\Alan\Downloads\Epvp Source
\Epvp Source\Epvp Source\COProxy\COProxy\Program.cs:line 35
AuthSniffer ->Connected to server successfully.
GameSniffer ->Connected to server successfully.
Game - Packet: Server -> Client, ID: 58458
System.NullReferenceException: Object reference not set to an instance of an obj
ect.
at COProxy.Program.GameClientData(StateObj StO, Byte[] data) in C:\Users\Alan
\Downloads\Epvp Source\Epvp Source\Epvp Source\COProxy\COProxy\Program.cs:line 1
63
[code/]

I am lost >.< I am assuming it is something that I will need to find using a packet reader?

Quote:

Originally Posted by WHITELIONX [code] System.Net.Sockets.SocketException: Only one usage of each socket address (proto col/network address/port) is normally permitted at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress) at System.Net.Sockets.Socket.Bind(EndPoint localEP) at COProxy.Proxy.Start(String ServerIP, Int32 Port) in C:\Users\Alan\Download s\Epvp Source\Epvp Source\Epvp Source\COProxy\COProxy\Program.cs:line 231 at COProxy.Program.Main(String[] args) in C:\Users\Alan\Downloads\Epvp Source \Epvp Source\Epvp Source\COProxy\COProxy\Program.cs:line 35 AuthSniffer ->Connected to server successfully. GameSniffer ->Connected to server successfully. Game - Packet: Server -> Client, ID: 58458 System.NullReferenceException: Object reference not set to an instance of an obj ect. at COProxy.Program.GameClientData(StateObj StO, Byte[] data) in C:\Users\Alan \Downloads\Epvp Source\Epvp Source\Epvp Source\COProxy\COProxy\Program.cs:line 1 63 [\code] I am lost >.< I am assuming it is something that I will need to find using a packet reader?

you cannot bind twice to the same port.. null exception is you trying to use the new bound port which never opened

thanks for this program I`em vary happy

More explanation of packets.

I posted the link to how to interpret packets already but I thought seeing as I just wrote up the exact same thing for someone else who was asking, I may as well throw it in this thread as well.

Quote:

Originally Posted by DeathByMoogles okay so 08 00 27 1A 56 AC B2 C1 Open calc put in A172 in hex mode switch to dec and i get 41330 that right? if it is, what can i do with that info?

naww

1A 27

Each byte is its own unique value. You reverse the bytes, not the internal values (it's like saying I have 100 and 12. You have 112 not 211)

here's an example packet.

*Note* Doing this from memory so I may have my values wrong.

Client>server General data

25 00 1A 27 3D 9A 1B 00 2D 01 B4 00 00 00 00 00
65 1B DB 0E 89 00 00 00 2E 01 C0 00 33 04 00 00
FF FF FF FF 00 54 51 43 6C 69 65 6E 74

00 25 (or just 25) is packet length in hex. (37 in dec) + 8 = number of bytes. The 8 bytes are for the seal (TQClient or TQServer)
1A 27 is packet type (10010 in dec cause 271A)
3D 9A 1B 00 Character ID (1808957)
2D 01 X Coord
B4 00 Y Coord

4 byte break

4 byte time stamp (easy to find, log lots of the same packet and see what value keeps changing)

2E 01 Other X
C0 00 Other Y (in jump there is a from and a to x/y... I forget which is which seeing as I'm doing this from memory)

89 00 00 00 = subtype (137 is jump) (calling it a DWord simply because it's simpler than shifting 3 bytes after reading it)

33 04 00 00 Map


After that there is some FF'd values which afaik are not used. It's different in the returned server>client packets though so basically just follow guidelines from the packets you log.


54 51 43 6C 69 65 6E 74 Server seal (convert to string to get what it says.) TQClient in this case meaning it's going Client>Server. The seal says where the packet is coming FROM. This is VERY important. Seal with what you need or else you get dc'd.

Note: the way to convert to string fyi is Encoding.ASCII.GetString(bytes) iirc


There's a very basic breakdown of a very common, current(ish) packet. using that + a packet reader/writer you should be able to create your own packets to send to either client or server to create the desired action (jump in this case. Also works for correct coords/flash step if sending to client)


<edit>

You asked what you do with the info once you have it. See what I did where I interpret the values I pull from the packet? I guess and test different uses for chunks of bytes and figure out what they are used for. Packets are always structured the same! (although it changes between some patches) so once you know what the X'th byte represents in one general data packet (type 10010) then you know what it represents in ALL general data packets. Once you know what all (or most) of the bytes represent then you can create them all on your own using custom values to create actions such as a bot that jumps around by sending packets to the server with custom x/y info... or reading incoming packets to determine what monsters are near you.



</copypaste>


Hope that helps some ppl. If I got some values wrong, feel free to correct me. I was just doing it based on memory and a single packet dump I had laying around my hdd. It's to be a simple example of how to interpret a conquer packet, not a full guide.



If you read the link I posted in the original post (far more useful imo) then you will know the difference between big/little endian and word/dword/etc...

All you really need to know though is that in packets things are grouped into chunks of bytes. byte being a single byte, word being 2 bytes, dword being 4, qword being as many bytes as you want (usually the length is listed directly preceding it... eg: Character/account names). You need to invert the order of these to make any sense of them.

For this mini explanation lets just use the first dword that basically any packets in the universe contain... the packet length (you obviously need to know the length before you do anything!)

Our imaginary packet has a total of 20 bytes in length.... so we need to create a hex dword that has a value of 18 (because the dword takes up 2 bytes)

so the first values in our packet will be 12... but wait! we need two bytes!

12 00

that's the packet length! If we had a larger value, say 256 it would be

00 01

Why does this happen?

Simple! the largest value a single byte can hold is 255 (FF). Convert 256 from dec to hex and you end up with 100 so the first byte is 01 and the second byte is 00.. you then reverse them and you end up with 00 01. The SMALLEST value goes first

When I say the smallest value goes first... thinking about it in terms of change might be easiest. If I say I have 12 pennies and 1 quarter... you know I have 37 cents... but the values are separate! So you have

12 01 (12 pennies, 1 quarter)

It's a flawed explanation but hopefully it will let you at least partially visualize why bytes are separate and how they work. You have a max value it can hold of 255... after that you have to continue on to the next largest unit (think of counting 255-256 as the same as counting 99-100... the next largest unit transfers over to the next byte and creates 00 01)


anyways, that's enough flawed analogies/metaphors for now. If anyone has questions or corrections for me, feel free to post.

Great guide. I would like to suggest adding OpenSSL to the list of resources. It is a great open-source library with a bunch of cryptographic algorithms (blowfish being one of them).