What is the packet structure of the FIRST packet sent from the game server to the client? I'm referring to the packet that is sent before receiving the client's handshake and that includes a random key used by the client to decrypt future packets. Ultimately this information will be used to find out the structure of the individual packets that the server sends.
20 00 1F 04 20 E2 08 01 7E 79 D2 27 39 34 2E 32 33 36 2E 30 2E 31 34 35 00 00 00 00 B8 16 00
Example of the packet. I have no idea what its structure is though, sorry
I do, however, know that the first two bytes are the size, the 17th and 18th bytes are the packet type (0x36), and bytes 13 to 31 seem to be constant.
Thanks for responding.
So if you don't have it can I assume that it is truly as complicated as I've found to get?
And if so, how do other people have it?
Or, is there another method used to decrypt and understand the packets from TQ's server?
The easiest approach would be to hook/alter/breakpoint the SendPacket() and ReceivePacket() functions inside Conquer, before they get encrypted/decrypted and get the data from there.
I use a homemade debugger for it.
However, I believe Conquer uses Blowfish as encryption, I have no idea how that is encrypted/decrypted though, but there's probably plenty of guides around on the Internet.
You could just trace back from WS_32.Recv and WS_32.Send to find the function that decrypts/encrypts packets and then start tracing forward.
Good luck, whatever you decide to do.
Very much appreciated! I know of and have the Blowfish encryption algorithm so that is no problem. I have no experience with hooking into .exe files so I'll read up on that.
Realize, there are different flavors of Blowfish: ECB, CFB, CBC (perhaps more, but those are the ones I know off by heart). Secondly, there is a Diffie-Hellman exchange performed. And thirdly:
in response to the packet IAmHawtness posted,
Code:
    /// <summary>
    /// 0x41F (Server->Client)
    /// </summary>
    public unsafe struct AuthResponsePacket
    {
        public ushort Size;                    // total packet length; 0x0020 = 32 in the dump above
        public ushort Type;                    // packet id; bytes "1F 04" read little-endian as 0x041F
        public uint Key2;
        public uint Key1;
        private fixed sbyte szIPAddress[16];   // null-terminated ASCII game-server address
        public int Port;                       // game-server port, little-endian
    }
Is my C# structure for it.
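As an added example (not code from the thread or from any Conquer Online server project), here is a Python parser for the 0x41F layout above. It assumes the field order and little-endian byte order of the C# struct; the function and class names are mine. The point it adds is that the packet's own Size field is checked against the number of bytes actually received before anything is unpacked, which is the check a server or proxy author wants before indexing into the buffer. The dump posted earlier contains 31 bytes while its Size field says 32, so the parser rejects it as truncated; the 32-byte sample is constructed by appending a single trailing 00 byte and is not a byte from the thread.

```python
import struct
from dataclasses import dataclass

# Field layout of the C# AuthResponsePacket struct quoted above, little-endian:
# ushort Size, ushort Type, uint Key2, uint Key1, sbyte szIPAddress[16], int Port.
AUTH_RESPONSE_TYPE = 0x041F
AUTH_RESPONSE_FMT = "<HHII16si"
AUTH_RESPONSE_LEN = struct.calcsize(AUTH_RESPONSE_FMT)  # 32 bytes


@dataclass
class AuthResponse:
    size: int
    ptype: int
    key2: int
    key1: int
    ip: str
    port: int


def parse_auth_response(data: bytes) -> AuthResponse:
    """Decode one 0x41F packet; refuse anything whose Size field disagrees with reality."""
    if len(data) < 4:
        raise ValueError("need at least the 4-byte Size/Type header")
    size, ptype = struct.unpack_from("<HH", data, 0)
    if ptype != AUTH_RESPONSE_TYPE:
        raise ValueError(f"unexpected packet type 0x{ptype:04X}")
    # Never trust the length field on its own: compare it with the fixed layout
    # and with what was actually received before unpacking the rest.
    if size != AUTH_RESPONSE_LEN:
        raise ValueError(f"Size field {size} != expected {AUTH_RESPONSE_LEN}")
    if len(data) < size:
        raise ValueError(f"truncated: Size says {size}, got {len(data)} bytes")
    _, _, key2, key1, raw_ip, port = struct.unpack(AUTH_RESPONSE_FMT, data[:size])
    ip = raw_ip.split(b"\0", 1)[0].decode("ascii")  # szIPAddress is null-terminated
    return AuthResponse(size, ptype, key2, key1, ip, port)


# Dump exactly as posted in the thread: 31 bytes, although Size = 0x0020 = 32.
THREAD_DUMP = bytes.fromhex(
    "20 00 1F 04 20 E2 08 01 7E 79 D2 27 "
    "39 34 2E 32 33 36 2E 30 2E 31 34 35 00 00 00 00 B8 16 00"
)
# Constructed full-length sample: the same bytes plus one trailing 00 (an assumption,
# not a byte from the thread) so that Port occupies all four bytes.
SAMPLE_PACKET = THREAD_DUMP + b"\x00"


def is_truncated(data: bytes) -> bool:
    """True when the packet cannot be parsed because fewer bytes than Size arrived."""
    try:
        parse_auth_response(data)
        return False
    except ValueError as exc:
        return str(exc).startswith("truncated")


if __name__ == "__main__":
    print("thread dump truncated:", is_truncated(THREAD_DUMP))
    print(parse_auth_response(SAMPLE_PACKET))
```

On the constructed sample this yields Type 0x041F, the two key words in host order, the address string "94.236.0.145" and port 0x16B8; a proxy that forwards frames by their Size field should apply the same length check on every packet type, not only this one.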
Thank you for your response.
Regarding encryption:
I assume I can just use the Blowfish encryption from andy's source. I would simply copy-paste the class and use the DLL. I like to understand what I use but for something like encryption I don't yet need to care about how it does what it does.
Regarding the structure:
After seeing your post I believe I'm asking the wrong question because I can decipher what the programming-language-structure of the packet is from private server sources. I'm not sure what I'm asking so I will try to explain with an example.
Example:
I want to code my private server to respond when the client requests to view someone's gear. I can decrypt the packets sent from TQ's server through a proxy but I don't understand the values I would see. I've read (and IAmHawtness confirmed) that the first 2 bytes of any packet hold the size and I have a formula to get the ID but no idea about the others. Maybe bytes 20-50 hold the Potency value of the gear. How do I figure that out?
P.S. I would really like to talk to someone on MSN about this.
Basically, with every packet you need to make assumptions about what would be in it. So say my HP is 13452 and you believe this packet contains my HP: we convert that to hex, 13452 -> 0x34BC, and flip it to "BC 34". Now look for "BC 34" in the dump of your packet, and if you find it, that is most likely the offset for HP. Repeat this on another packet of the same type to confirm it.
I can, for the most part, understand the values of a packet now. Now I'd like some help with decrypting them. I tried making a proxy but ran into problems regarding encryption. IAmHawtness mentioned hooking into winsock functions and so I researched it, but nothing was clear to me. I'd appreciate anyone who can explain it to me here or on MSN.
It's fine. I was confused at first because many examples of C# hooking described "global" keyboard and mouse hooks, so I thought I would just have to apply that knowledge to the winsock functions. After refining my search several times I realized those examples were misleading and that it is not possible, so I'll have to learn C++ and asm sometime. I have always dreaded the time when I'd have to leave C# to perform low-level operations.
Again any tips/tutorials on the subject would be appreciated; though now, not expected.