[Question] Reading Game Server Packets
Discussion on [Question] Reading Game Server Packets within the CO2 Programming forum part of the Conquer Online 2 category.
07/30/2009, 02:15
#1
elite*gold: 0
Join Date: Dec 2007
Posts: 108
Received Thanks: 42

[Question] Reading Game Server Packets
What is the packet structure of the FIRST packet sent from the game server to the client? I'm referring to the packet that is sent before receiving the client's handshake and that includes a random key used by the client to decrypt future packets. Ultimately this information will be used to find out the structure of the individual packets that the server sends.
Any help is appreciated.
07/30/2009, 02:30
#2
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199

Code:
20 00 1F 04 20 E2 08 01 7E 79 D2 27 39 34 2E 32 33 36 2E 30 2E 31 34 35 00 00 00 00 B8 16 00
Example of the packet. I have no idea what its structure is though, sorry.
I do, however, know that the first two bytes are the size, the 17th and 18th bytes are the packet type (0x36), and bytes 13 to 31 seem to be constant.
07/30/2009, 03:17
#3
elite*gold: 0
Join Date: Dec 2007
Posts: 108
Received Thanks: 42

Quote:
Originally Posted by IAmHawtness
Code:
20 00 1F 04 20 E2 08 01 7E 79 D2 27 39 34 2E 32 33 36 2E 30 2E 31 34 35 00 00 00 00 B8 16 00
Example of the packet. I have no idea what its structure is though, sorry.
I do, however, know that the first two bytes are the size, the 17th and 18th bytes are the packet type (0x36), and bytes 13 to 31 seem to be constant.

Thanks for responding.
So if you don't have it, can I assume that it is truly as complicated to get as I've found?
And if so, how do other people have it?
Or, is there another method used to decrypt and understand the packets from TQ's server?
07/30/2009, 03:26
#4
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199

Quote:
Originally Posted by Belth
Thanks for responding.
So if you don't have it, can I assume that it is truly as complicated to get as I've found?
And if so, how do other people have it?
Or, is there another method used to decrypt and understand the packets from TQ's server?

The easiest approach would be to hook/alter/breakpoint the SendPacket() and ReceivePacket() functions inside Conquer, before they get encrypted/decrypted, and get the data from there.
I use a homemade debugger for it.
However, I believe Conquer uses Blowfish for encryption. I have no idea how that is encrypted/decrypted though, but there are probably plenty of guides around on the Internet.
You could just trace back from WS_32.Recv and WS_32.Send to find the function that decrypts/encrypts packets and then start tracing forward.
Good luck, whatever you decide to do.
07/30/2009, 03:50
#5
elite*gold: 0
Join Date: Dec 2007
Posts: 108
Received Thanks: 42

Quote:
Originally Posted by IAmHawtness
The easiest approach would be to hook/alter/breakpoint the SendPacket() and ReceivePacket() functions inside Conquer, before they get encrypted/decrypted, and get the data from there.
I use a homemade debugger for it.
However, I believe Conquer uses Blowfish for encryption. I have no idea how that is encrypted/decrypted though, but there are probably plenty of guides around on the Internet.
You could just trace back from WS_32.Recv and WS_32.Send to find the function that decrypts/encrypts packets and then start tracing forward.
Good luck, whatever you decide to do.

Very much appreciated! I know of and have the Blowfish encryption algorithm, so that is no problem. I have no experience with hooking into .exe files, so I'll read up on that.
07/30/2009, 23:49
#6
elite*gold: 20
Join Date: Jan 2008
Posts: 2,012
Received Thanks: 2,885

Realize, there are different flavors of Blowfish: ECB, CFB, CBC (perhaps more, but those are the ones I know off the top of my head). Secondly, there is a Diffie-Hellman exchange performed. And thirdly:
in response to the packet IAmHawtness posted,
Code:
/// <summary>
/// 0x41F (Server->Client)
/// </summary>
public unsafe struct AuthResponsePacket
{
    public ushort Size;                   // offset 0: total packet length in bytes
    public ushort Type;                   // offset 2: 0x041F
    public uint Key2;                     // offset 4
    public uint Key1;                     // offset 8
    private fixed sbyte szIPAddress[16];  // offset 12: NUL-padded ASCII dotted-quad IP
    public int Port;                      // offset 28
}
is my C# structure for it.
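As an added example (my code, not anything posted in this thread or taken from a Conquer source), here is a Python parser that applies the struct above to the dump IAmHawtness posted. The field order, widths and the 0x41F type value come straight from the C# struct; `PacketError`, the function names and the constructed packet are my own. The point a practitioner should take from it is that the declared Size is checked against the bytes actually received before any field is read: the posted dump is 31 bytes long while its Size field says 0x0020 = 32 (the Port field is one byte short), so the parser rejects it rather than guessing the missing byte. A constructed 32-byte packet (keys copied from the dump, a documentation IP and an arbitrary port) shows the full round trip.

```python
import socket
import struct

# Field layout taken from the AuthResponsePacket C# struct posted above:
#   ushort Size | ushort Type | uint Key2 | uint Key1 | char szIPAddress[16] | int Port
# All fields are little-endian; 2 + 2 + 4 + 4 + 16 + 4 = 32 bytes in total.
AUTH_RESPONSE_FMT = "<HHII16si"
AUTH_RESPONSE_LEN = struct.calcsize(AUTH_RESPONSE_FMT)  # 32
AUTH_RESPONSE_TYPE = 0x41F

# The dump IAmHawtness posted, copied as-is. It is 31 bytes long, although
# its Size field says 0x0020 = 32: the trailing Port field is one byte short.
POSTED_DUMP = (
    "20 00 1F 04 20 E2 08 01 7E 79 D2 27 39 34 2E 32 33 36 2E 30 2E 31 34 35 "
    "00 00 00 00 B8 16 00"
)


class PacketError(ValueError):
    """Raised when a buffer does not hold a well-formed 0x41F packet."""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump (forum style) into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def read_header(raw: bytes) -> tuple:
    """Return (Size, Type) from the first four bytes without trusting Size yet."""
    if len(raw) < 4:
        raise PacketError("buffer too short to hold Size and Type")
    size, ptype = struct.unpack_from("<HH", raw, 0)
    return size, ptype


def decode_ip_field(field: bytes) -> str:
    """Decode the NUL-padded 16-byte ASCII IP field and check it is a dotted quad."""
    text = field.split(b"\x00", 1)[0]
    try:
        ip = text.decode("ascii")
        socket.inet_aton(ip)  # raises OSError for anything that is not a dotted-quad address
    except (UnicodeDecodeError, OSError) as exc:
        raise PacketError(f"bad IP field {field!r}") from exc
    return ip


def parse_auth_response(raw: bytes) -> dict:
    """Parse a complete 0x41F packet, refusing truncated or mislabelled buffers."""
    size, ptype = read_header(raw)
    if size != len(raw):
        raise PacketError(f"Size field says {size} bytes but {len(raw)} were received")
    if size != AUTH_RESPONSE_LEN:
        raise PacketError(f"0x41F must be {AUTH_RESPONSE_LEN} bytes, got Size={size}")
    if ptype != AUTH_RESPONSE_TYPE:
        raise PacketError(f"expected Type 0x{AUTH_RESPONSE_TYPE:X}, got 0x{ptype:X}")
    _, _, key2, key1, ip_field, port = struct.unpack(AUTH_RESPONSE_FMT, raw)
    if not 1 <= port <= 65535:
        raise PacketError(f"port {port} out of range")
    return {
        "size": size,
        "type": ptype,
        "key1": key1,
        "key2": key2,
        "ip": decode_ip_field(ip_field),
        "port": port,
    }


def build_auth_response(key1: int, key2: int, ip: str, port: int) -> bytes:
    """Serialise a 0x41F packet with the same layout (e.g. for a private server or tests)."""
    ip_field = ip.encode("ascii")
    if len(ip_field) > 15:  # leave room for at least one terminating NUL
        raise PacketError("IP string does not fit in szIPAddress[16]")
    # struct pads the 16s field with NUL bytes, matching the fixed sbyte[16] field.
    return struct.pack(AUTH_RESPONSE_FMT, AUTH_RESPONSE_LEN, AUTH_RESPONSE_TYPE,
                       key2, key1, ip_field, port)


if __name__ == "__main__":
    posted = hexdump_to_bytes(POSTED_DUMP)
    print("header of posted dump:", read_header(posted), "actual length:", len(posted))
    try:
        parse_auth_response(posted)
    except PacketError as err:
        print("rejected posted dump:", err)
    # Constructed packet: keys from the posted dump, documentation IP, arbitrary port.
    pkt = build_auth_response(key1=0x27D2797E, key2=0x0108E220, ip="192.0.2.10", port=12345)
    print(parse_auth_response(pkt))
```

Reading the first twelve bytes of the posted dump through this layout gives Size 32, Type 0x041F, Key2 0x0108E220 and Key1 0x27D2797E, and bytes 12 to 27 decode to the IP string 94.236.0.145; only the Port field cannot be recovered from the dump as posted.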
07/31/2009, 00:52
#7
elite*gold: 0
Join Date: Dec 2007
Posts: 108
Received Thanks: 42

Quote:
Originally Posted by InfamousNoone
Realize, there are different flavors of Blowfish: ECB, CFB, CBC (perhaps more, but those are the ones I know off the top of my head). Secondly, there is a Diffie-Hellman exchange performed. And thirdly:
in response to the packet IAmHawtness posted,
Code:
/// <summary>
/// 0x41F (Server->Client)
/// </summary>
public unsafe struct AuthResponsePacket
{
    public ushort Size;                   // offset 0: total packet length in bytes
    public ushort Type;                   // offset 2: 0x041F
    public uint Key2;                     // offset 4
    public uint Key1;                     // offset 8
    private fixed sbyte szIPAddress[16];  // offset 12: NUL-padded ASCII dotted-quad IP
    public int Port;                      // offset 28
}
is my C# structure for it.

Thank you for your response.
Regarding encryption:
I assume I can just use the Blowfish encryption from andy's source. I would simply copy-paste the class and use the DLL. I like to understand what I use, but for something like encryption I don't yet need to care about how it does what it does.
Regarding the structure:
After seeing your post I believe I'm asking the wrong question, because I can decipher what the programming-language structure of the packet is from private server sources. I'm not sure what I'm asking, so I will try to explain with an example.
Example:
I want to code my private server to respond when the client requests to view someone's gear. I can decrypt the packets sent from TQ's server through a proxy, but I don't understand the values I would see. I've read (and IAmHawtness confirmed) that the first 2 bytes of any packet hold the size, and I have a formula to get the ID, but no idea about the others. Maybe bytes 20-50 hold the Potency value of the gear. How do I figure that out?
P.S. I would really like to talk to someone on MSN about this.
07/31/2009, 01:27
#8
elite*gold: 0
Join Date: Feb 2008
Posts: 277
Received Thanks: 52

Belth, PM me your MSN, I'll add you in the morning. Can't help you tonight because I'm about to go, but I'll show you tomorrow.
07/31/2009, 18:47
#9
elite*gold: 20
Join Date: Jan 2008
Posts: 2,012
Received Thanks: 2,885

Quote:
Originally Posted by Belth
Thank you for your response.
Regarding encryption:
I assume I can just use the Blowfish encryption from andy's source. I would simply copy-paste the class and use the DLL. I like to understand what I use, but for something like encryption I don't yet need to care about how it does what it does.
Regarding the structure:
After seeing your post I believe I'm asking the wrong question, because I can decipher what the programming-language structure of the packet is from private server sources. I'm not sure what I'm asking, so I will try to explain with an example.
Example:
I want to code my private server to respond when the client requests to view someone's gear. I can decrypt the packets sent from TQ's server through a proxy, but I don't understand the values I would see. I've read (and IAmHawtness confirmed) that the first 2 bytes of any packet hold the size, and I have a formula to get the ID, but no idea about the others. Maybe bytes 20-50 hold the Potency value of the gear. How do I figure that out?
P.S. I would really like to talk to someone on MSN about this.

Basically, with every packet you need to make assumptions about what would be in it. So say my HP is 13452 and you believe this packet contains my HP: we convert that to hex, 13452 -> 0x34BC, and flip it, "BC 34". Now look for "BC 34" in the dump of your packet, and if you find it, that is most likely the offset for HP. Repeat this on another packet of the same type to confirm it.
The thing to note is that some packets have sub-types.
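The offset-hunting method InfamousNoone describes, as an added Python example (mine, not code from the thread or from any Conquer source): encode the known value little-endian, search every dump of that packet type, and keep only the offsets that match in all of them. Note that the example computes the hex itself: 13452 is 0x348C, so the pattern searched for is "8C 34". The 16-byte packet layout, its type id 0x1234 and the HP values below are constructed purely for the demonstration and are not a real Conquer packet; the first sample is built so that the value occurs twice, which is exactly the ambiguity a second sample of the same type resolves.

```python
import struct

# Constructed toy packet used only for this demo (NOT a real Conquer layout):
#   u16 Size | u16 Type | u32 uid | u16 HP | u16 MaxHP | 4 bytes padding  = 16 bytes
TOY_FMT = "<HHIHH4x"
TOY_TYPE = 0x1234  # constructed packet type id


def make_sample(hp: int, max_hp: int, uid: int = 0x00C0FFEE) -> bytes:
    """Build one constructed sample packet with known HP/MaxHP values."""
    return struct.pack(TOY_FMT, struct.calcsize(TOY_FMT), TOY_TYPE, uid, hp, max_hp)


def candidate_encodings(value: int) -> dict:
    """Little-endian byte patterns a known value could be stored as (the 'flip' step)."""
    encodings = {}
    if 0 <= value <= 0xFF:
        encodings["u8"] = struct.pack("<B", value)
    if 0 <= value <= 0xFFFF:
        encodings["u16le"] = struct.pack("<H", value)
    if 0 <= value <= 0xFFFFFFFF:
        encodings["u32le"] = struct.pack("<I", value)
    return encodings


def as_dump_string(pattern: bytes) -> str:
    """Render bytes the way the thread writes dumps, e.g. b'\\x8c\\x34' -> '8C 34'."""
    return " ".join(f"{b:02X}" for b in pattern)


def find_offsets(packet: bytes, pattern: bytes) -> set:
    """Every offset at which pattern occurs in packet (overlapping matches included)."""
    offsets, start = set(), 0
    while (idx := packet.find(pattern, start)) != -1:
        offsets.add(idx)
        start = idx + 1
    return offsets


def locate_field(samples: list) -> dict:
    """Intersect candidate offsets across several packets of the same type.

    samples holds (packet, value known to be inside it) pairs. An offset survives
    only if the value's encoding sits there in every sample; one packet alone can
    match by coincidence, which is why the post says to repeat on another one.
    """
    result = {}
    for name in ("u8", "u16le", "u32le"):
        common = None
        for packet, value in samples:
            pattern = candidate_encodings(value).get(name)
            found = find_offsets(packet, pattern) if pattern else set()
            common = found if common is None else common & found
        result[name] = common or set()
    return result


if __name__ == "__main__":
    # Sample A: HP and MaxHP both 13452, so "8C 34" appears twice.
    sample_a = make_sample(hp=13452, max_hp=13452)
    # Sample B: same packet type, HP now 9001, MaxHP still 13452.
    sample_b = make_sample(hp=9001, max_hp=13452)
    print("search pattern:", as_dump_string(candidate_encodings(13452)["u16le"]))
    print("sample A alone:", sorted(find_offsets(sample_a, b"\x8c\x34")))
    print("confirmed with B:", locate_field([(sample_a, 13452), (sample_b, 9001)]))
```

With sample A alone the 2-byte pattern is found at offsets 8 and 10, and a 4-byte reading (8C 34 00 00) even fits at offset 10 thanks to the padding; adding sample B eliminates both false leads and leaves offset 8 as a 16-bit field, which is the check the post recommends.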
08/12/2009, 20:13
#10
elite*gold: 0
Join Date: Dec 2007
Posts: 108
Received Thanks: 42

Thanks to your help and Google, a few days later:
I can, for the most part, understand the values of a packet now. Now I'd like some help with decrypting them. I tried making a proxy but ran into problems regarding encryption. IAmHawtness mentioned hooking into winsock functions, so I researched that, but nothing was clear to me. I'd appreciate anyone who can explain it to me here or on MSN.
P.S. I use C#.
08/13/2009, 20:02
#11
elite*gold: 0
Join Date: Jun 2009
Posts: 787
Received Thanks: 314

If you're this ******* motivated, add me on MSN:
I'll give you whatever you really need.
08/16/2009, 17:57
#12
elite*gold: 0
Join Date: Aug 2007
Posts: 180
Received Thanks: 158

poor beth
tao ...
08/16/2009, 20:39
#13
elite*gold: 0
Join Date: Dec 2007
Posts: 108
Received Thanks: 42

It's fine. I was confused at first because many examples of C# hooking described "global" keyboard and mouse hooks, so I thought I would just have to apply that knowledge to the winsock functions. After refining my search several times I realized those examples were misleading and that it is not possible, so I'll have to learn C++ and asm sometime. I have always dreaded the time when I'd have to leave C# to perform low-level operations.
Again, any tips/tutorials on the subject would be appreciated; though now, not expected.