Understanding TCP Packets

[jayc89]

Good evening, I wondered if someone would be able to help with a few TCP packets I'm trying to decipher. In this case, as an example, it is swapping boots within a MMO;

When equipping boots #1 (three times);

Code:

04 00 A6 00 AA FE 44 67 
04 00 A6 00 C9 23 BF 82 
04 00 A6 00 0F B3 6F 56

When equipping boots #2 (three times);

Code:

04 00 1A 01 A5 D2 6D A9 
04 00 1A 01 96 B7 2B CC 
04 00 1A 01 F0 47 D5 9F

I believe the first value is the packet length (or similar) with values 2-4 being the "header"?;

Code:

04 00 1A 01 [B]A5 D2 6D A9[/B]

And the 3rd and 4th values related to the actual item being equipped;

Code:

04 00 [B]1A 01[/B] A5 D2 6D A9

However if I use WPE to modify the packet to equip boots #1 when boots #2 are clicked. e.g.

Code:

SEARCH:04 00 A6 00
MODIFY:04 00 1A 01

The packet is modified correctly, but the same boots are equipped so I think I am missing something within the last four values.

Could anyone offer some suggestions as to where I am going wrong, or what I need to do?

Thank you in advanced

From looking into the packets further it appears the first 4 values are "header" information. With the first value being the actual size of the "useful data". For instance, if a navigate my character with the left arrow key I get;

Code:

02 00 35 00 E5 42 
02 00 35 00 D5 99

The first four values are the same, and the latter two (the size of the "useful" information) are random, they appear to be some way encrypted, perhaps?

If I navigate right using the right arrow key;

Code:

02 00 31 00 D6 69 
02 00 31 00 EE C7

Any guidance would be awesome

As an update -

I'm told the packets are encrypt which leads me to believe the first four digits are indeed the header with the remaining the encrypted "important information". Could the 3rd digit be some kind of encryption key?

[Saedelaere*]

My guess:
Byte 1-2: length (without header)
Byte 3-4: opcode (command)

[jayc89]

Quote:

Originally Posted by Saedelaere*

My guess:
Byte 1-2: length (without header)
Byte 3-4: opcode (command)

Thanks Saedelaere, that would look about right to me.

The problem I'm having is the "interesting" part of the packet appears to be totally random (running the same command multiple time, produces different outputs) so it looks like it could be encrypted perhaps on timestamp?

A regular packet is transmitted back to the server which I thought was just a keep alive, but maybe the client regularly generates a new encryption key and this is sending it back to the server, or similar?

[qkuh]

Seems to be encrypted.