Packet 1022, Magic attack

[{ Angelius }]

So when i use the Fatal Strike skill this packet is being sent to the server.

Quote:

C -> S, Length : 40, Type: 1022
28 00 FE 03 B2 CE D3 02 D7 F8 1B 00 77 25 E1 B3
76 C7 05 55 18 00 00 00 DD C9 21 65 00 00 00 00
00 00 00 00 00 00 00 00

breaking it down

UInt16: Length
UInt16: Type
int: Time stamp
int: Attacker ID
int: Target ID
UInt16: X
UInt16: Y
UInt16: Subtype
UInt16: Skill ID
UInt16: Unknown

Now i tried to recreate this packet in my proxy and then send it to the server to start the Fatal Strike skill.
Now creating the packet goes just fine and i am getting the exact same values every time i create a new packet except for the (21 65) because i have no idea what it is and it keeps changing everytime i use the skill...

when ever i send that packet to the server i get disconnected and i'm fairly sure that its not the time stamp that's disconnecting me because it works just fine with any other packet that contains a time stamp. So i was wondering. does anybody know what are these numbers (21 65) or maybe what those 2 bytes stand for?

[CptSky]

Not sure, but the skill level with some manipulation on it. I would need to look at my source.

[pro4never]

Yes I seem to remember X/Y/ID/Lvl being encrypted slightly. I'd have to have access to a source to double check though.

[shadowman123]

i Checked my Source and Found Nothing Related to offset 26

if they r bytes 0x21 = 33; , 0x65 = 101;

i Checked FatalStrike Subtype in Attack packet but found nothing = 33 or even 101

Same for spell Information at database ...

Anyways GL

[{ Angelius }]

Quote:

Originally Posted by pro4never

Yes I seem to remember X/Y/ID/Lvl being encrypted slightly. I'd have to have access to a source to double check though.

Its just that they are XOR'ing/shifting/OR'ing those values. I looked in the client and i reflected this to be able to create the packet.

 Spoiler

PHP Code:

       uint AttackerUID = Client.UID;

        uint ECX = SkillID;
        ECX -= 0x14BE;
        ECX &= 0xFFFF;

        //SkillID
        SkillID = ECX >> 3;
        ECX <<= 13;
        SkillID |= ECX;

        ECX = TargetUID;
        ECX += 0x746F4AE6;
        SkillID ^= AttackerUID;
        ECX ^= AttackerUID;
        SkillID ^= 0x915D;
        ECX ^= 0x5F2D2463;

        uint XX = ECX >> 19;
        ECX <<= 13;
        XX |= ECX;
        TargetUID = XX;

        ECX = Client.X;
        ECX += 0xFFFF22EE;
        ECX &= 0xFFFF;


        XX = ECX;
        ECX &= 1;
        XX >>= 1;
        XX &= 0xFFFF;
        ECX <<= 15;
        XX |= ECX;

        ECX = Client.Y;
        ECX += 0xFFFF8922;
        XX ^= AttackerUID;
        ECX &= 0xFFFF;
        XX ^= 0x2ED6;

        uint YY = ECX;
        ECX &= 0x1F;
        YY >>= 5;
        YY &= 0xFFFF;
        ECX <<= 0xB;
        YY |= ECX;
        YY ^= AttackerUID;
        YY ^= 0xB99B;
        ushort X = (ushort)(XX), Y = (ushort)(YY);
        SkillID = (ushort)(SkillID);

        Console.WriteLine("{0} {1} {2} {3} {4}", X.ToString("X"), Y.ToString("X"), SkillID.ToString("X"), AttackerUID.ToString("X"), TargetUID.ToString("X")); 


That shit works just fine but i don't see anything related to that value nor stored anywhere in the memory to be used in that packet later on :|

I should have traced it all the way up to where it builds that packet because by now i don't even remember where that shit was :P

[Zeroxelli]

Well.. My p1022 is the following:

Code:

                Timestamp = PacketParser.ReadInt(Buffer, 4);
                Identity = PacketParser.ReadInt(Buffer, 8);
                Target = PacketParser.ReadInt(Buffer, 12);
                X = PacketParser.ReadShort(Buffer, 16);
                Y = PacketParser.ReadShort(Buffer, 18);
                Mode = PacketParser.ReadInt(Buffer, 20);
                SkillID = PacketParser.ReadShort(Buffer, 24);
                SkillLevel = PacketParser.ReadShort(Buffer, 26);

So the level is definitely at the offset of 26. If I remember correctly, there was something different added to the ushort for the level of fatalstrike after ninja bots came out. Don't quite remember what though. If the level is 0, just try and run some type of test to see what values make 0 = 21 65

[nTL3fTy]

First off, that whole packet is encrypted, because the subtype is set to MagicAttack.

As for the encryption, why does no one look at the EO source? It's all right there.

[Zeroxelli]

Quote:

Originally Posted by nTL3fTy

First off, that whole packet is encrypted, because the subtype is set to MagicAttack.

As for the encryption, why does no one look at the EO source? It's all right there.

Forgot I even had the EO source on a random flash drive... I think I'll go through it for old times sake. +k

[{ Angelius }]

Quote:

Originally Posted by nTL3fTy

First off, that whole packet is encrypted, because the subtype is set to MagicAttack.

As for the encryption, why does no one look at the EO source? It's all right there.

Here is the EO stuff

PHP Code:

#define    ENCODE_MAGICATTACK(idUser,usType,idTarget,usPosX,usPosY) {    \
                usType        = (::ExchangeShortBits((usType - 0x14BE),3) ^ (idUser) ^ 0x915D);    \
                idTarget    = ::ExchangeLongBits(((idTarget - 0x8B90B51A) ^ (idUser) ^ 0x5F2D2463),32-13); \
                usPosX        = (::ExchangeShortBits((usPosX - 0xDD12),1) ^ (idUser) ^ 0x2ED6);    \
                usPosY        = (::ExchangeShortBits((usPosY - 0x76DE),5) ^ (idUser) ^ 0xB99B);    }
#define    DECODE_MAGICATTACK(idUser,usType,idTarget,usPosX,usPosY) {    \
                usType        = 0xFFFF&(::ExchangeShortBits(((usType) ^ (idUser) ^ 0x915D),16-3) + 0x14BE);    \
                idTarget    = (::ExchangeLongBits((idTarget),13) ^ (idUser) ^ 0x5F2D2463) + 0x8B90B51A; \
                usPosX        = 0xFFFF&(::ExchangeShortBits(((usPosX) ^ (idUser) ^ 0x2ED6),16-1) + 0xDD12);    \
                usPosY        = 0xFFFF&(::ExchangeShortBits(((usPosY) ^ (idUser) ^ 0xB99B),16-5) + 0x76DE);    } 


Now do you see anything related to that value or offset 26+? because i don't :P

[Zeroxelli]

True. I only decode the SkillID, TargetUID, X, and Y from the packet. I then check if the user has that skill, and if so, get the skill level from their skills repo. I never really bothered with the skill level.. Intriguing.

[nTL3fTy]

Quote:

Originally Posted by { Angelius }

Here is the EO stuff

Now do you see anything related to that value or offset 26+? because i don't :P

You need to look a little deeper (usData1 here is the magic level).
Encrypting:

Code:

m_pInfo->usData1 = (usData1+0x100*(m_pInfo->dwTimeStamp%0x100))^0x3721;

Decrypting:

Code:

USHORT usLev = (m_pInfo->usData1^0x3721)&0xff;

[Zeroxelli]

Question is, why are you reconstructing the packet in the first place? With a proxy all you should be doing is breaking down the packet, analyzing it, and forwarding it on to the original target. So, just make a copy of the packet before you break it down, and use that copy to send it back unharmed.

[pro4never]

Quote:

Originally Posted by Zeroxelli

Question is, why are you reconstructing the packet in the first place? With a proxy all you should be doing is breaking down the packet, analyzing it, and forwarding it on to the original target. So, just make a copy of the packet before you break it down, and use that copy to send it back unharmed.

Sounds like he may be trying to make a bot in which case he needs to construct his own packets.

The reason he gets dc'd is NOT because he's not filling in this value properly, it's because he's not encrypting the values he creates for X/Y/Target/SkillID/SkillLevel

[Zeroxelli]

Quote:

Originally Posted by pro4never

Sounds like he may be trying to make a bot in which case he needs to construct his own packets.

The reason he gets dc'd is NOT because he's not filling in this value properly, it's because he's not encrypting the values he creates for X/Y/Target/SkillID/SkillLevel

That would do it. If a value is passed to the decrypt function of the server, and it does not decrypt properly, the server would (on real co, at least,) disconnect him. It disconnects in a lot of cases where it suspects forgery. Problem is, the server reports his account every time it happens. So hopefully his noob hasn't come in contact with his main if he's on a real server.

[{ Angelius }]

Quote:

Originally Posted by Zeroxelli

Question is, why are you reconstructing the packet in the first place? With a proxy all you should be doing is breaking down the packet, analyzing it, and forwarding it on to the original target. So, just make a copy of the packet before you break it down, and use that copy to send it back unharmed.

I'm reconstructing that packet because i don't want to hook the magic attack function anymore and i don't want to send key strokes anymore :P

Its a memory based bot/proxy that i made long time ago... i use it to packet sniff and auto hunt/loot and i thought about upgrading it some more and then release it to the public cus i'm not making any use of it

Quote:

Originally Posted by pro4never

Sounds like he may be trying to make a bot in which case he needs to construct his own packets.

The reason he gets dc'd is NOT because he's not filling in this value properly, it's because he's not encrypting the values he creates for X/Y/Target/SkillID/SkillLevel

The bot is already up and running there is a video for it in my signature.
And yes not filling that value was the reason im getting disconnected... Thanks to nTL3fTy

Quote:

Originally Posted by nTL3fTy

You need to look a little deeper (usData1 here is the magic level).
Encrypting:

Code:

m_pInfo->usData1 = (usData1+0x100*(m_pInfo->dwTimeStamp%0x100))^0x3721;

Decrypting:

Code:

USHORT usLev = (m_pInfo->usData1^0x3721)&0xff;

WriteUInt16((ushort)(1 + 0x100 * (Environment.TickCount % 0x100) ^ 0x3721), 26);

That did the trick and It works like charm...

Thanks