
[Guide] Basics of Packet Editing in BnS

Discussion on [Guide] Basics of Packet Editing in BnS within the Blade & Soul Hacks, Bots, Cheats & Exploits forum part of the Blade & Soul category.

 
Old 02/20/2016, 02:38   #16
 
 
elite*gold: 0
Join Date: Dec 2007
Posts: 81
Received Thanks: 2
I'm glad to see this thread hasn't gone south as I thought it was going to Kappa
DJSketch is offline  
Old 02/20/2016, 02:40   #17
 
elite*gold: 0
Join Date: Feb 2008
Posts: 34
Received Thanks: 4
Quote:
Originally Posted by Izeliae View Post
Butthurt much?
Lmao you even copied it from a completely different thread. I'm impressed with your stupidity. Go to school
I am pretty sure it was sarcasm.....

Here are some heads-up.

For those who understand

a0y3e7lbWzrrwKP7NUHrVNlSs5Ur6ew9 <- package


If you are premium you can abuse the Premium Shop as well as the currency exchange. (Got banned after 1 day doing that so it is not safe but feel free to try)

If you know IDEA you can use the above "package" and have fun.
ExerlosMyst is offline  
Thanks
1 User
Old 02/20/2016, 03:00   #18
 
 
elite*gold: 0
Join Date: Dec 2007
Posts: 81
Received Thanks: 2
Quote:
Originally Posted by ExerlosMyst View Post
I am pretty sure it was sarcasm.....

Here are some heads-up.

For those who understand

a0y3e7lbWzrrwKP7NUHrVNlSs5Ur6ew9 <- package


If you are premium you can abuse the Premium Shop as well as the currency exchange. (Got banned after 1 day doing that so it is not safe but feel free to try)

If you know IDEA you can use the above "package" and have fun.
Kinda a pointless post if you ask me without any type of explanation, other than the fact for those who know.
DJSketch is offline  
Old 02/20/2016, 03:13   #19
 
elite*gold: 0
Join Date: Jan 2006
Posts: 30
Received Thanks: 47
Quote:
Originally Posted by ExerlosMyst View Post
I am pretty sure it was sarcasm.....

Here are some heads-up.

For those who understand

a0y3e7lbWzrrwKP7NUHrVNlSs5Ur6ew9 <- package


If you are premium you can abuse the Premium Shop as well as the currency exchange. (Got banned after 1 day doing that so it is not safe but feel free to try)

If you know IDEA you can use the above "package" and have fun.
Nope. Don't understand
atsay714 is offline  
Old 02/20/2016, 03:29   #20
 
elite*gold: 0
Join Date: Feb 2008
Posts: 761
Received Thanks: 275
Yeah, that's not just vague, it's beyond vague. It looks like a key, but those change.
Izeliae is offline  
Old 02/20/2016, 03:39   #21
 
elite*gold: 0
Join Date: Mar 2014
Posts: 225
Received Thanks: 10
Quote:
Originally Posted by ExerlosMyst View Post
I am pretty sure it was sarcasm.....

Here are some heads-up.

For those who understand

a0y3e7lbWzrrwKP7NUHrVNlSs5Ur6ew9 <- package


If you are premium you can abuse the Premium Shop as well as the currency exchange. (Got banned after 1 day doing that so it is not safe but feel free to try)

If you know IDEA you can use the above "package" and have fun.
i know Izeliae anti ban successful
cabal3 is offline  
Old 02/20/2016, 12:53   #22
 
elite*gold: 0
Join Date: Oct 2015
Posts: 40
Received Thanks: 0
Link broken on CCProxy 7.2
I tried looking for it on the internet but I mostly find 8.0, would it not work?

Edit: Nvm found. (was a link from Brothersoft, just google it)
Brynjar94 is offline  
Old 02/21/2016, 01:49   #23
 
 
elite*gold: 100
Join Date: Mar 2006
Posts: 1,819
Received Thanks: 425
No one still answered me though. Are BnS packets not time-stamped?
killzone is offline  
Old 02/21/2016, 08:59   #24
 
elite*gold: 0
Join Date: Feb 2008
Posts: 761
Received Thanks: 275
Quote:
Originally Posted by killzone View Post
No one still answered me though. Are BnS packets not time-stamped?
No, they are not. I'm not sure I've seen timestamped packets before on any game though tbh. Most games use a rotating key which updates every time a packet is sent, which means you can't resend old packets, but timestamped? That's new.
You will get a new key when you restart the game though, so session to session your same packet probably won't work.
Izeliae is offline  
Old 02/22/2016, 18:27   #25
 
 
elite*gold: 0
Join Date: Sep 2014
Posts: 545
Received Thanks: 585
Quote:
Originally Posted by Izeliae View Post
No, they are not. I'm not sure I've seen timestamped packets before on any game though tbh. Most games use a rotating key which updates every time a packet is sent, which means you can't resend old packets, but timestamped? That's new.
You will get a new key when you restart the game though, so session to session your same packet probably won't work.
By any chance, since you already unencrypted the packets, what does the packet format look like?
For example, in the game I used to play, Mabinogi, the packet format looked like

[OPCODE][CharID][Parameter1][Parameter2]..etcetc

What does it look like in Blade and Soul?
This is just to give me an idea when I'm reverse engineering the game.
[P2933]Step29 is offline  
Old 02/22/2016, 18:51   #26
 
elite*gold: 0
Join Date: Feb 2008
Posts: 761
Received Thanks: 275
Quote:
Originally Posted by [P2933]Step29 View Post
By any chance, since you already unencrypted the packets, what does the packet format look like?
For example, in the game I used to play, Mabinogi, the packet format looked like

[OPCODE][CharID][Parameter1][Parameter2]..etcetc

What does it look like in Blade and Soul?
This is just to give me an idea when I'm reverse engineering the game.
Code:
class PacketBase
{
public:
     unsigned short length;
     unsigned short opcode;
};
then extend it
Code:
class MyPacket : public PacketBase
{
public:
     char data[1];
};
Izeliae is offline  
Old 02/23/2016, 11:25   #27
 
elite*gold: 0
Join Date: Jan 2006
Posts: 30
Received Thanks: 47
Quote:
Originally Posted by Izeliae View Post
Code:
class PacketBase
{
public:
     unsigned short length;
     unsigned short opcode;
};
then extend it
Code:
class MyPacket : public PacketBase
{
public:
     char data[1];
};
What am I looking at right now? How did hex packets turn into C++ classes?
atsay714 is offline  
Old 02/23/2016, 15:07   #28
 
elite*gold: 0
Join Date: Feb 2008
Posts: 761
Received Thanks: 275
Quote:
Originally Posted by atsay714 View Post
What am I looking at right now? How did hex packets turn into C++ classes?
What did you expect them to be?
Izeliae is offline  
Old 02/24/2016, 04:10   #29
 
elite*gold: 0
Join Date: Jan 2016
Posts: 5
Received Thanks: 0
Does anybody know how to get the reward of a dynamic quest in a dungeon again and again with WPE Pro..? It would be the best way to earn gold selling those items
ZeroPor7 is offline  
Old 02/24/2016, 05:06   #30
 
elite*gold: 0
Join Date: Oct 2015
Posts: 25
Received Thanks: 3
This is what I have so far, I don't consider myself an expert on reversing so hopefully someone can help.

Packets are sent from another thread and there is a loop repeatedly calling WSASend. I haven't been able to locate the place where it is grabbing the unencrypted packets yet.

struct NetworkObject {
+16 = socket
+32 = pUnknown1
+44 = pWSAObject
+56 = bytes sent?
}

struct WSAObject {
+4 = LPWSAOVERLAPPED
+20 = unk1
+24 = LPWSABUF
}

Code:
C26A90
char __thiscall SendPacket2(int this, int AnotherObject)
{
  int that; // esi@1
  int v3; // ebx@1
  void *v4; // esp@1
  int v5; // ecx@1
  int size3; // eax@1
  int size2; // ebx@1
  char result; // al@2
  int v9; // ecx@5
  void *v10; // esp@8
  int unknownFunc; // ecx@8
  int size1; // eax@10
  int v13; // eax@12
  DWORD BytesSent; // ecx@14
  int buffer; // [sp+0h] [bp-24h]@1
  int integer; // [sp+10h] [bp-14h]@9
  int pBuffer; // [sp+14h] [bp-10h]@8
  int integer2; // [sp+18h] [bp-Ch]@1
  int size4; // [sp+1Ch] [bp-8h]@1

  that = this;
  v3 = *(_DWORD *)(this + 88);
  v4 = alloca(*(_DWORD *)(this + 88));
  v5 = *(_DWORD *)(this + 4);
  LOBYTE(integer2) = 0;
  size3 = (*(int (__stdcall **)(int, int *, int))(*(_DWORD *)v5 + 72))(AnotherObject, &buffer, buffer_size_4096);// write unencrypted? LoadPacket c2b630
  size2 = size3;
  size4 = size3;
  if ( size3 <= 0 )
    return 0;
  *(_DWORD *)(that + 72) += size3;
  if ( *(_DWORD *)(that + 80) )
  {
    if ( *(_BYTE *)(that + 84) )
    {
      v9 = *(_DWORD *)(that + 4);
      if ( v9 )
      {
        (*(void (**)(void))(*(_DWORD *)v9 + 4))();// not called
        size2 = size4;
      }
    }
  }
  if ( *(_DWORD *)(that + 64) )
  {
    v10 = alloca(*(_DWORD *)(that + 88));
    unknownFunc = *(_DWORD *)(that + 68);
    pBuffer = (int)&buffer;
    if ( unknownFunc )
    {
      integer = 0;
      (**(void (__stdcall ***)(int *, int *, int *, int *))unknownFunc)(&integer, &integer2, &buffer, &size4);// not called
      size2 = size4;
    }
    size1 = (*(int (__stdcall **)(int *, int, int, _DWORD, int))(**(_DWORD **)(that + 64) + 24))(// c58a20, this calls AES
              &buffer,
              size2,
              pBuffer,
              *(_DWORD *)(that + 88),
              integer2);
    if ( size1 < 0 || !size1 )
      return 0;
    v13 = WritePacket(*(_DWORD *)(that + 44), pBuffer, size1);
  }
  else
  {
    v13 = WritePacket(*(_DWORD *)(that + 44), (int)&buffer, size2);
  }
  if ( v13 <= 0 )
  {
    result = 1;
  }
  else if ( (unsigned __int8)(*(int (**)(void))(*(_DWORD *)AnotherObject + 8))() )
  {
    result = 1;
    ++*(_DWORD *)(that + 56);
  }
  else
  {
    result = SendPacket(BytesSent, (unsigned int)&buffer, that); // calls wsasend
  }
  return result;
}

int __thiscall LoadPacket(void *this, int AnotherObject, int buffer, int maybelength)
{
  int that; // esi@1
  __int16 v5; // ax@4
  int result; // eax@4

  that = (int)this;
  if ( (signed __int16)(*(int (__thiscall **)(int))(*(_DWORD *)AnotherObject + 12))(AnotherObject) >= 0
    && (signed int)(signed __int16)(*(int (__thiscall **)(_DWORD))(*(_DWORD *)AnotherObject + 12))(AnotherObject) < *(_DWORD *)(that + 44)
    && *(_DWORD *)(that + 48) )
  {
    v5 = (*(int (__thiscall **)(int))(*(_DWORD *)AnotherObject + 12))(AnotherObject);
    result = TouchesPacket(maybelength, *(_DWORD *)(that + 48) + 20 * v5, AnotherObject, buffer, that);
  }
  else
  {
    result = sub_C2B720(buffer, AnotherObject, maybelength);// not called
  }
  return result;
}
Code:
struct OpenStoragePacket {
  unsigned short length = 0xC;    // length of entire struct
  unsigned short opcode = 0x036C;
  int id1;                        // NPC id or Area id
  int id2;                        // NPC id or Area id
};
temp32 is offline  
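
The length/opcode header and the 12-byte OpenStoragePacket posted above, seen from the receiving side: an added example (not code from any poster or from the game) that validates a frame before any field is used. Little-endian byte order and all function and type names are assumptions; the thread does not state them.

```cpp
#include <cstddef>
#include <cstdint>

// Header layout as posted in the thread: 16-bit length, then 16-bit opcode.
// Assumption: little-endian fields; the thread does not state the byte order.
struct FrameHeader {
    uint16_t length;  // length of the whole packet, header included
    uint16_t opcode;
};

struct OpenStorage {  // body of opcode 0x036C as posted: two 32-bit ids
    uint32_t id1;
    uint32_t id2;
};

static uint16_t rd16(const uint8_t* p) {
    return static_cast<uint16_t>(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 |
           uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Read fields byte by byte instead of casting the buffer to a struct, and
// reject a declared length below the header size or above what was received.
bool parse_header(const uint8_t* buf, size_t received, FrameHeader& out) {
    if (buf == nullptr || received < 4) return false;
    out.length = rd16(buf);
    out.opcode = rd16(buf + 2);
    return out.length >= 4 && out.length <= received;
}

// A fixed-size message must declare exactly its expected size (0xC here).
bool parse_open_storage(const uint8_t* buf, size_t received, OpenStorage& out) {
    FrameHeader h;
    if (!parse_header(buf, received, h)) return false;
    if (h.opcode != 0x036C || h.length != 0x0C) return false;
    out.id1 = rd32(buf + 4);
    out.id2 = rd32(buf + 8);
    return true;
}

// Constructed sample frame: length 0x000C, opcode 0x036C, id1 = 1, id2 = 2.
static const uint8_t kSample[12] = {0x0C, 0x00, 0x6C, 0x03, 1, 0, 0, 0, 2, 0, 0, 0};

int main() {
    OpenStorage m;
    return parse_open_storage(kSample, sizeof kSample, m) ? 0 : 1;
}
```

The two ids are only decoded here; whether the sender is allowed to reference them is a separate server-side check that the frame format cannot provide.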