hlapex by hint

cl4n1nt3l · 09/25/2006, 02:29

This is a send of packets make by hint.

Link of Download:

Guide English:

in? just a short time, tutorials of assault to vault of the castles, wolves free for send.

JCT · 09/25/2006, 04:52

ahh what language is it on and what is this and what language you speak so close to english

JCT · 09/25/2006, 05:45

ok anyone know how to open the dll in this file

CAHEK · 09/25/2006, 11:06

Give me text,i translate.

Sabin · 09/25/2006, 12:08

Quote:

Originally posted by CAHEK@Sep 25 2006, 11:06
Give me text,i translate.

doom3mortar · 09/25/2006, 15:35

this programm seems to be **** g0dl!k3 oO
jsut testet it out ... well would be good if can get a translation of the manual.
thx for the programm again

CAHEK · 09/25/2006, 16:50

I. Entering

II. Login-server

1. Enciphering of packages
2. Structure of packages
3. The designer of RequestAuthLogin-packages on C

III. Game-server.

1. Process of authorization on a server
2. Enciphering of packages
3. Report
4. xID and ObjectID
5. Examples of packages:
a) buying up/sale
b) private messages
c) OID and IID
d) we speak with NPC on an example of learning skills

IV. Problems and as it is possible to use them

1. Absence of a limit on quantity in attempts of authorization
2. Enciphering of packages
3. The removed definition of the version lineage2 a server
4. Removed "suspension" of a login-server
5. Cloning
6. Creation of "mutants" and mixture skills
7. Immortality
8. ' remote DoS' also that gives it
9. integer overflow in a network cursor l2j
10. SQL-injection
11. Sharpening (or a fairy tale about 100 %-s' enchant)
12. Geodate (circulation through walls)
13. Ïðèêîë with SocialAction (0x1b)
14. A bug in Ride (0x6a) 15. We throw out from game chars
16. A bug with RequestRestartPoint (revival and runaway from prison)
17. To undress the another's character not knowing neither a login, nor the password - unless it it is real?
18. Result

V. Bugs of new generation

VI. Pair words about C4

VII. An epilogue

VIII. References

IX. Appendices to clause

I. Introduction.

What is lineage? This is the representative of a modern game - MMORPG (Massively Multiplayer Online Role-Playing Game).
I even would tell one of the most successful and popular, if not most =).
Certainly, it is difficult to speak about popularity of this game since to count exact quantity "involved" in lineage, probably, it is impossible, but such servers as

(with as much as possible registered online in 10 000 person) and official

(with all 100 000, that it paid) let know that the figure should be impressive. The essence of game consists that (as well as in any another RPG) you have a character and the huge world in whom need to be extracted money, clothes, the weapon, experience. Finally to fight with same as you players and to amuse the vanity victories. To some people at whom well it is not got on in any way real.
To some people at whom well the real life is not got on in any way, it allows realisation in the virtual world - to become the known soldier and even to find the bride (yes, girls in lineage plays too much). Among all others online (and not only online) games, lineage bribes the graphics. Personally firstly it seemed to me improbable, that someone could create such wonderful three-dimensional beauty for simple game. But is at game and the dark parties(sides). First, it has property to tighten(delay). And not easier(simply) to tighten(delay), and to cause dependence from which it is the extremely complex(difficult) to struggle. Secondly, understand, in the industry in which turn hundred thousand èãðîìàíîâ from practically all layers of a society, business without money will not manage (as well as all in our life). In fact some people having family, work, simply do not have time for that months to pump over the character up to the necessary level. Such the layers has given birth persons who have started to sell game levels and things for real money, having created that to a new niche in the world lineage. At present, depending on size of a server (and rates), cost of well dressed character of a high level can vary from 300 $ (on dying

) up to 5 000 $ on an official server. Most jokes-it is purchase of things at administration of this or that server. Ponder, the gamer pays N-th quantity(amount) of the killed raccoons for that the administrator has added 1 record in a database of game. Here is how make money of air. That, I something has taken a great interest in the description of game) Affect year, on it spent. Certainly, in the similar industry (where are twirled money and a cloud naive and, at times silly gamers) business without us - inquisitive minds- cannot manage. Someone buys characters, someone creates and pumps over itself, we choose the third, not blazed way. The matter is that for some years of existence of this game, in it has not been found not to one vulnerability (except for especially game bugs), for it has not been written not one program, which could open to malefactors access to another's accounts. And know why? It seems to Me, young, not skilled (which posts dazzles bugtraq) pushed away malicious enciphering packages in lineage. And, even in the deciphered kind, they represent a chaotic character set. Perhaps, old men remember my clause(article) about the report of client-server interaction and vulnerability Half-Life (

). The purpose of that clause was to describe game and to give on a saucer almost everything that I have reached(achieved) in its(her) studying. In same clause I shall tell as to decipher traffic lineage2, I shall tell a little about features of the report, well and I shall give some operating time (as and another's), all rest I shall not publish, as general use of this can lead to chaos in this fine, balanced and quite generated virtual world =)

ATTENTION.
1. At once I warn, I shall sometimes come back to article about half-life for analogies will help you to understand easier written. And to me to write easier.
2. Article was written on the basis of the analysis of the deciphered packages and studying of an initial code lineage2 a server l2j, written on java. Accordingly, article 100 of % is valid for l2j, and for official so, how much(as far as) l2j is valid for it =)
3. All source codes are written under linux. For compilation it is necessary lib blowfish. Libs from openssl package will approach at small updating a code.
4. By the way about updating a code. In the source codes given in article, there are small mistakes in logic to exclude their thoughtless use. If you will penetrate into article and fixing they will not be a problem.
5. And the last. The full version of article was accessible long time only to the limited number of people and with an exit ñ4 to the version lineage2 and fixs the majority of bugs sharply obsoletly. About Ñ4 I shall tell a little in the end.
II. A Login-server. Introduction. We shall begin that developers lineage2 have separated a login a server from game more less to unload and without that the hammered channel of a game server. Besides the login a server has property to hang (and, it has begun with ñ3 versions lineage and proceeds to this day) and to not start up users on a server. But those who already play, do not test absolutely any discomfort =) And owing to out all of the same gays which could find and distinctly explain to developers where all the bug has crept in, it remains till now not fixed. And so, not looking at all charm of idea with unloading the game channel, our domestic administrators persistently mould a login a server on one machine together with game.

1. Enciphering of packages.

For enciphering packages which the login-server exchanges with the client, lineage uses blowfish. Yes, that algorithm which has been developed by Bruce Shnejerom in 1993. About blowfish it is important to know, that it is the symmetric block code. Symmetric - means, that the algorithm uses 1 confidential key by which data encrypt/decrypt will be decoded. And if to speak particularly about blowfish on the basis of this key are generated 18 32-bit keys and 4 matrixes in the size of 256 32-bit words everyone. By which data, in turn, encrypt.will be decoded. The block code - means, that blowfish processes given by blocks (on 8 bytes). And still it means, that if integrity øèôðîòåêñòà has been broken, we in a any way can restore a part. With reference to lineage, it is necessary to tell, that a key on the basis of which are generated connect, is a constant and it is precisely registered in source codes l2j (here on what 99 % of researchers lineage which assumed were strewed, that the key should be transferred in one of packages - see references in the end). Still it is important to note that the first 2 áàéòà data of a package are not ciphered. With enciphering, I think, we have understood. We go further.

2. Structure of packages.

First two byte a package (what are not ciphered) contain length of data of a package (as well as in halflife). The following byte bears in itself the information on type of a package. The login-server processes packages: 0x00 - RequestAuthLogin (the inquiry about authorization - contains a login and the password) 0x02 - RequestServerLogin (inquiry about call about a server) 0x05 - RequestServerList (inquiry about the list of servers) On the others it simply does not answer, leaving only record in broad gullies. The client processes packages of following types: 0x01 - authorization has not passed 0x03 - you are successfully authorized 0x04 - the answer on RequestServerLogin 0x06 - the answer on RequestServerList And also a little bit additional packages about a bath of an account, check of the version and òä - they are presented below. The following byte is additional to the above described inquiries. For example, if the server has answered us inquiry of authorization with a package of type 0x01, the following byte will contain the reason, on which authorization has not passed (for us are important: 0x03 - an incorrect login or the password, 0x07 - someone already use the account, 0x11 - is established the temporary password). But actually this byte any more absolutely service. For example, in RequestAuthLogin packages from it byte the login begins. Further there is quantity of byte which any more are not managing directors, and bear the information defined by type of a package. Well, for example, for "RequestAuthLogin" it is a field contains a login and the password. The important applicability the last have of 8 bytes of a package. They contain checksum all that goes up to them, except for besides first two bytes of a package. What image calculates this most checksum? From data 32-bit words are serially separated. The first XOR with the second. Result of this operation XOR with a following word and so on. The example of calculation checksum will be shown below.

3. The designer of packages on Ñ. With structure of packages we have understood, now it is possible to realize in programm everything, that was manual above.

/*

la2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor

Helps to understand lineage2 authentification.

darkgrey / m00.blackhat.ru

~broken
*/

#include "/usr/local/include/blowfish.h"

// length key
#define KEY_LEN 20
// Length RequestAuthLogin of a package is constant and equal AUTH_PKT_LEN + 2
#define AUTH_PKT_LEN 0x30

// Key on the basis of which are generated sub-keys (connect)
char key[] = "[;'.]94-31==-&%@!^+]";

// Structure bfkey which after generation sub-keys will contain 18 P sub-keys and 4 S matrixes
BF_KEY bfkey;

// Function which calculates checksum and inserts it into a package
int add_ckecksum(char *raw, int count) {
long chksum = 0L;
int i = 0;
long ecx;
for(i = 0; i < count; i += 4) {
ecx = raw[i];
ecx |= raw[i + 1];
ecx |= raw[i + 2];
ecx |= raw[i + 3];
chksum ^= ecx;
}

printf("checksum: 0x%x\n",chksum);
memcpy(raw+count, (char *)&chksum, 4);
}

// Adds a login and the password in a package (it is separated from the basic function from reasons readable)
int add_lp(char *raw, char *l, char *p) {
l[15] = '\0';
p[17] = '\0';

memcpy(raw+3,l,strlen(l));
memcpy(raw+17,p,strlen(p));
}

// Displays a package in a readable kind (for debugging)
int print_packet(char *raw, int len) {
int i, c = 0;

for(i=0;i<54;i++) printf("_");

for(i=0;i<len+2;i++) {
if((c % 0x10)==0) printf("\n0x%.2x | ", c);
printf("%.2x ",raw[i] & 0xFF);
c++;

}
printf("\n\n");
}

// The main function which designs a package
int build_auth_packet(char *login, char *pwd) {
int count = AUTH_PKT_LEN / 8;
int i;
char packet_skeleton[] =
// packet skeleton RequestAuthLogin
"\x32\x00" // The length of a package is constant and equal 0x30 + 0x02
"\x00" // Type of a package (0x00 - RequestAuthLogin)
"\x00\x00\x00\x00\x00&#09 2;x00\x00\x00\x00\x00\x00 \x00\x00\x00" // login
"\x00\x00\x00\x00\x00&#09 2;x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00" // password
"\x08" // Means the end of section login/password
"\x00\x00\x00\x00\x00&#09 2;x00\x00\x00" // in c3 not used(çàðåçåðâèðîâàííî?)
"\x00\x00\x00\x00" // checksum
"\x00\x00\x00\x00";

// add login and pass to packet
add_lp(packet_skeleton, login, pwd);

// add checksum
add_ckecksum(packet_skeleton + 2, AUTH_PKT_LEN - 8);

printf("Auth packet dump (non-crypted):\n");
print_packet(packet_skeleton, AUTH_PKT_LEN);

// We cipher blocks on 8 bytes
for(i = 0; i < count; i++)
BF_encrypt((BF_LONG *)((short*)&packet_skeleton+1+i*4), &bfkey, BF_ENCRYPT);

printf("Auth packet dump (encrypted):\n");
print_packet(packet_skeleton,AUTH_PKT_LEN);
}

int main() {
char login[] = "m00", // test login
pwd[] = "ownzu"; // password
printf("\nla2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor\n\n");

// generate sub-keys
BF_set_key(&bfkey, KEY_LEN, key);

// We collect a package
build_auth_packet(login, pwd);
}
/* eof */

Here that on my boxing the program has displayed:

bash-2.05b$ ./a.out

la2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor

checksum: 0x224a0377
Auth packet dump (non-crypted):
__________________________________________________ ____
0x00 | 32 00 00 6d 30 30 00 00 00 00 00 00 00 00 00 00
0x10 | 00 6f 77 6e 7a 75 00 00 00 00 00 00 00 00 00 00
0x20 | 00 08 00 00 00 00 00 00 00 00 77 03 4a 22 00 00
0x30 | 00 00

Auth packet dump (encrypted):
__________________________________________________ ____
0x00 | 32 00 09 d9 97 e2 29 89 8c b5 1a a0 1a 83 74 43
0x10 | 39 fc 2f 03 c3 26 9c 65 b0 c4 20 28 11 c1 6a 95
0x20 | 3e 44 45 46 2a ae b9 18 91 2e 75 56 d0 dc 40 b5
0x30 | 77 2a

bash-2.05b$

To be continue...

wallymother · 09/25/2006, 21:16

Interested in seeing the rest of the translation. If it works in C4, I need this before my server changes to C5

Sabin · 09/26/2006, 00:17

intersting

JCT · 09/26/2006, 03:45

it wont work on my p server as mine runs the game as lineage2.exe instead of l2.exe so it wont target it
and in official i didnt dare to try to lvl my toon through it but it can decypher packets to client from server and visebersa so it means it can be used to make a 1 hit kill in c5 atleast

JCT · 09/26/2006, 03:48

thats why i need to open the inside.dll to edit it to work with lineage2.exe so if anyone can tell me what convertion it uses i might be able to do something

CAHEK · 09/26/2006, 09:17

III. A Game-server
1. Process of authorization on a login-server and call on a game-server. Authorization on a login a server occurs in some stages.
1) a login the server sends us a greeting in the form of a package in length of 11 bytes (in general it contains the information on the version).
2) we answer it RequestAuthLogin with inquiry
3) if the password true, sends us a package with 32 bit number of our account (it always constant) - we shall call SessionKey *1.
4) we send it RequestServerList, on what the server answers us the list of servers containing game, ports, number of playing users, the maximal number of users.
5) we send RequestServerLogin, on what the server checks ours AccessLevel (if it is equal-1, means we ¬Ù¬Ñ¬Ò¬Ñ¬ß¬Ö¬ß¬í) and depending on our login, the password, a level of access and a socket, generates unique 32-bit SessionKey *2 on which in a consequence we will be authorized with a game-server. If the game server in down, simulates this condition (administrators do it for work on a server) or is simply full, refuses to accept us.
6) if all is good, we climb on a game server. We send it a certain package (for everyone ©¡3 a server it the, but constant), on what it answers 12 byte with a package containing first 4 bytes of key which it is fastened to others 4 bytes (which are constant) and is received 64 a bit key. In the further we shall use it for decoding and coding game packages. It is important to note, that with everyone of races coded a package, its length increases to the first part of a key.
7) we send it a login and two identifiers (already in the ciphered kind) which we have received in a session with a login-server. In the answer we receive the list of characters. Here so, in 7 stages we shall be authorized on a server =) Difficultly, but it is safe. Probably, someone from you had a question: and whether probably to come on a game server directly? Without participation a login of a server. About it I shall write below.

2. Enciphering packets
As I already wrote enciphering of packages above, for enciphering game packages lineage uses a 64-bit key. The first it 4 byte undertake from the very first package of the game-server, the second. N-th symbol from a clear text, XOR's with N-th byte a key further undertakes. In parallel with it XOR's (N-1)-th symbol from a clear text on 0xFF. Above results of both calculations operation " digit-by-digit And " is spent. And on such algorithm each symbol since the first is ciphered. As you can see, as each subsequent symbol will be ciphered, depends from previous. And it means, that if at us the first part of a package is for whatever reasons damaged, or it simply is not present, decipher the second part we cannot. Well it so, to a word. Actually it for us is not important. Still it is important to note that the first part of a key variable. With each new deciphered package, to the first I 4 byte the length of these to data increases. That is, having an initial key (at the moment of connection with a login a server) and, having pulled out a package during the certain moment from a session with a game-server decipher it we cannot. For this purpose we need to restore all packages which were up to it. Basically, quantity of possible combinations of a key of equally ~423 million. In view of simplicity of algorithm, modern computers can make somewhere 10 000 iterations in a second (can even more) and to find a key a maximum for 12 hours. But for this purpose we need to know even about the maintenance of a package. For what authors have made a key to variables? I think, all it is clear, with a view of safety. Though, it is a question about TCP (instead of about UDP as in the same halflife) in which someone stranger "to put" in a session extremely inconveniently.
3. The report. As well as in packages of the login-server, first two byte are allocated towards the length. Further the byte means type of a package. Here on types of packages which the client lineage2 (should process C3 the some people I shall make comments):
// sends a login-server
0x01 loginfail2
0x02 accountKicked1
0x03 loginok
0x04 serverlist
0x05 serverfail
0x06 playfail
0x07 playok
0x08 accountKicked
0x09 blockedAccMsg // banned
0x20 protocol version different
0x00 VersionCheck

// Sends a game-server
0x01 MoveToLocation
0x02 NpcSay
0x03 CharInfo // Means surrounding characters
0x04 UserInfo
0x06 Attack
0x07 Attack
0x08 Attacked
0x09 Attacked
0x0a AttackCanceld
0x0b Die
0x0c Revive
0x0d AttackOutOfRange
0x0e AttackInCoolTime
0x0f AttackDeadTarget
0x10 LeaveWorld
0x11 AuthLoginSuccess
0x12 AuthLoginFail
0x13 CharList // The chars list
0x15 SpawnItem // On the some people C3 the answer to a choice char
0x16 DropItem // On the some ¬³3 transfers info about mob
0x17 GetItem
0x18 EquipItem
0x19 UnequipItem
0x1a StatusUpdate
0x1b NpcHtmlMessage // To the some people C3 transfers the list clothes with ItemID and them ObjectID 0x1c SellList
0x1d BuyList
0x1e DeleteObject
0x1f CharSelectInfo
0x20 LoginFail
0x21 CharSelected
0x22 NpcInfo
0x23 NewCharacterSuccessPacket
0x24 NewCharacterFailPacket
0x25 CharCreateOk
0x26 CharCreateFail
0x27 ItemList
0x28 SunRise
0x29 SunSet
0x2a EquipItemSuccess // Has become outdated
0x2b EquipItemFail // Has become outdated
0x2c UnEquipItemSuccess // Has become outdated
0x2d UnEquipItemFail // Has become outdated
0x2e TradeStart
0x2f TradeStartOk // Has become outdated
0x30 TradeOwnAdd
0x31 TradeOtherAdd
0x32 TradeDone
0x33 CharDeleteSuccess
0x34 CharDeleteFail
0x35 ActionFail
0x36 ServerClose
0x37 InventoryUpdate
0x38 TeleportToLocation
0x39 TargetSelected
0x3a TargetUnselected
0x3b AutoAttackStart
0x3c AutoAttackStop
0x3d SocialAction
0x3e ChangeMoveType
0x3f ChangeWaitType
0x40 NetworkFail // Has become outdated
0x43 CreatePledge
0x44 AskJoinPledge
0x45 JoinPledge
0x46 WithdrawalPledge
0x47 OustPledgeMember
0x48 SetOutPledgeMember
0x49 DismissPledge
0x4a SetDismissPledge
0x4b AskJoinParty
0x4c JoinParty
0x4d WithdrawalParty
0x4e OustPartyMember
0x4f SetOustPartyMember
0x50 DismissParty
0x51 SetDismissParty
0x52 MagicAndSkillList
0x53 WarehouseDepositList
0x54 WarehouseWithdrawalList
0x55 WarehouseDone
0x56 ShortCutRegister
0x57 ShortCutInit
0x58 ShortCutDelete
0x59 StopMove
0x5a MagicSkillUser
0x5b MagicSkillCanceld
0x5d CreatureSay
0x5e EquipUpdate
0x5f StopMoveWithLocation
0x60 DoorInfo
0x61 DoorStatusUpdate
0x63 PartySmallWindowAll
0x64 PartySmallWindowAdd
0x65 PartySmallWindowDeleteAll
0x66 PartySmallWindowDelete
0x67 PartySmallWindowUpdate
0x68 PledgeShowMemberListAll
0x69 PledgeShowMemberListUpdate
0x6a PledgeShowMemberListAdd
0x6b PledgeShowMemberListDelete
0x6c MagicList // Has become outdated
0x6d SkillList
0x6e VehicleInfo
0x6f VehicleDeparture
0x70 VehicleCheckLocation
0x71 GetOnVehicle
0x72 GetOffVehicle
0x73 TradeRequest
0x74 RestartResponse
0x75 MoveToPawn
0x76 SetTo
0x77 StartRotating
0x78 FinishRotating
0x79 MoveBackwardToLocation // Is available in view of skill or to_the_nearest_village after death
0x7a SystemMessage
0x7d StartPledgeWar
0x7e ReplyStartPledgeWar
0x7f StopPledgeWar
0x80 ReplyStopPledgeWar
0x81 SurrenderPledgeWar
0x82 ReplySurrenderPledgeWar
0x83 SetPledgeCrest // Has become outdated
0x84 PledgeCrest
0x85 SetupGauge
0x86 ShowBoard
0x87 ChooseInventoryItem
0x89 MoveToLocationInVehicle
0x8a StopMoveInVehicle
0x8b ValidateLocationInVehicle
0x8c TradeOtherAdd2
0x8d TradePressOwnOK // Has become outdated
0x8e MagicSkillLaunched
0x8f FriendAddRequestResult
0x90 FriendAdd // Has become outdated
0x91 FriendRemove // Has become outdated
0x92 FriendList // Has become outdated
0x93 FriendStatus // Has become outdated
0x94 TradePressOtherOk // Has become outdated
0x95 FriendAddRequestResult2
0x96 LeaveWorld2
0x97 AbnormalStatusUpdate
0x98 QuestList
0x99 EnchantResult
0x9a AuthServerList // Has become outdated
0x9b PledgeShowMemberListDeleteAll
0x9c PledgeInfo
0x9d PledgeExtendedInfo
0x9e SurrenderPersonally
0x9f Ride
0xa1 PledgeShowInfoUpdate
0xa2 ClientAction
0xa3 AquireSkillList
0xa4 AquireSkillInfo
0xa5 ServerObjectInfo
0xa6 HideGm
0xa7 AquireSkillDone
0xa8 GMViewCharacterInfo
0xa9 GMViewPledgeInfo
0xaa GMViewSkillInfo
0xab GMviewMagicInfo
0xac GMViewQuestInfo
0xad GMViewItemList
0xae GMViewWarehouseWithdrawList
0xaf PartyMatchList
0xb0 PartyMatchDetail
0xb1 PlaySound
0xb2 StaticObject
0xb3 PrivateSellList2
0xb4 PrivateBuyList2
0xb5 PrivateStoreMsg
0xb6 ShowMinimapPacket
0xb7 ReviveRequest // Has become outdated
0xb8 AbnormalVisualEffect
0xb9 TutorialShowHtml
0xba TutorialShowQuestionMark
0xbb TutorialEnableClientEvent
0xbc TutorialClose
0xbd ShowRadar
0xbe DeleteRadar
0xbf MyTargetSelected
0xc0 PartyMemberPosition
0xc1 AskJoinAlliance
0xc2 JoinAlliance
0xc3 WithdrawAlliance
0xc4 OustAllianceMemberPledge
0xc5 DismissAlliance
0xc6 SetAllianceCrest // Has become outdated
0xc7 ReceiveAllyCrest
0xc8 ServerCloseSocket // Has become outdated
0xc9 PetStatusShow
0xca PetInfo
0xcb PetItemList
0xcc PetInventoryUpdate
0xcd AllianceInfo // Has become outdated
0xce PetStatusUpdate
0xcf PetDelete
0xd0 PrivateSellList
0xd1 PrivateBuyList
0xd2 PrivateStoreMsg
0xd3 VehicleStart
0xd4 RequestTimeCheck
0xd5 StartAllianceWar
0xd6 ReplyStartAllianceWar // Has become outdated
0xd7 StopAllianceWar
0xd8 ReplyStopAllianceWar // Has become outdated
0xd9 SurrenderAllianceWar // Has become outdated
0xda SkillCoolTimePacket
0xdb PackageToListPacket
0xdc PackageSendableListPacket
0xdd EarthQuake
0xde FlyToLocation
0xdf BlockList // Has become outdated
0xe0 SpecialCamera
0xe1 NormalCamera
0xe2 CastleSiegeInfoPacket
0xe3 CastleSiegeAttackerList
0xe4 CastleSiegeDefenderList
0xe5 NickNameChanged
0xe6 PledgeStatusChanged
0xe7 RelationChanged
0xe8 OnEventTrigger
0xe9 MultiSellListPacket
0xea SetSummonRemainTime
0xeb OnSkillRemainSec
0xec NetPingPacket

From the client to a server:
0x01 MoveBackwardToLocation
0x02 Say
0x03 EnterWorld
0x04 Action
0x08 RequestAuthLogin
0x09 Logout
0x0a Attack
0x0b CharacterCreate
0x0c CharacterDelete
0x0d CharacterSelect
0x0e NewCharacter
0x0f ItemList
0x10 RequestEquipItem
0x11 RequestUnEquipItem
0x12 RequestDropItem
0x12 RequestDropItemFromPet
0x14 UseItem
0x15 TradeRequest
0x16 AddTradeItem
0x17 TradeDone
0x1a RequestTeleport
0x1b SocialAction
0x1c ChangeMoveType // Has become outdated. Now used 'RequestActionUse'
0x1d ChangeWaitType // Has become outdated. Now used 'RequestActionUse'
0x1e RequestSellItem
0x1f RequestBuyItem
0x20 RequestLinkHtml
0x21 RequestBypassToServer
0x22 RequestBBSwrite
0x23 RequestCreatePledge
0x24 RequestJoinPledge
0x25 RequestAnswerJoinPledge
0x26 RequestWithDrawalPledge
0x27 RequestOustPledgeMember
0x28 RequestDismissPledge
0x29 RequestJoinParty
0x2a RequestAnswerJoinParty
0x2b RequestWithDrawalParty
0x2c RequestOustPartyMember
0x2d RequestDismissParty
0x2e RequestMagicSkillList
0x2f RequestMagicSkillUse
0x30 Appearing
0x31 SendWareHouseDepositList
0x32 SendWareHouseWithDrawList
0x33 RequestShortCutReg
0x34 RequestShortCutUse
0x35 RequestShortCutDel
0x37 RequestTargetCancel
0x38 Say2 // private (on some servers - la2.ru - used 0x39)
0x3c RequestPledgeMemberList
0x3e RequestMagicList
0x3f RequestSkillList
0x41 MoveWithDelta
0x42 GetOnVehicle
0x43 GetOffVehicle
0x44 AnswerTradeRequest
0x45 RequestActionUse
0x46 RequestRestart
0x47 RequestSiegeInfo
0x48 ValidatePosition
0x49 RequestSEKCustom
0x4a StartRotating
0x4b FinishRotating
0x4d RequestStartPledgeWar
0x4e RequestReplyStartPledgeWar
0x4f RequestStopPledgeWar
0x50 RequestReplyStopPledgeWar
0x51 RequestSurrenderPledgeWar
0x52 RequestReplySurrenderPledgeWar
0x53 RequestSetPledgeCrest
0x55 RequestGiveNickName // In general used for installation title CL's. Can for what¡¦
0x57 RequestShowboard
0x58 RequestEnchantItem
0x59 RequestDestroyItem
0x5b SendBypassBuildCmd
0x5e RequestFriendInvite
0x5f RequestFriendAddReply
0x60 RequestFriendList
0x61 RequestFriendDel
0x62 CharacterRestore
0x63 RequestQuestList
0x64 RequestDestroyQuest
0x66 RequestPledgeInfo
0x67 RequestPledgeExtendedInfo
0x68 RequestPledgeCrest
0x69 RequestSurrenderPersonally
0x6a Ride
0x6b RequestAcquireSkillInfo
0x6c RequestAcquireSkill
0x6d RequestRestartPoint
0x6e RequestGMCommand
0x6f RequestPartyMatchConfig
0x70 RequestPartyMatchList
0x71 RequestPartyMatchDetail
0x72 RequestCrystallizeItem
0x73 RequestPrivateStoreManage
0x74 SetPrivateStoreList
0x75 RequestPrivateStoreManageCancel
0x76 RequestPrivateStoreQuit
0x77 SetPrivateStoreMsg
0x78 RequestPrivateStoreList
0x79 SendPrivateStoreBuyList
0x7a ReviveReply
0x7b RequestTutorialLinkHtml
0x7c RequestTutorialPassCmdToServer
0x7d RequestTutorialQuestionMark
0x7e RequestTutorialClientEvent
0x7f RequestPetition
0x80 RequestPetitionCancel
0x81 RequestGMList
0x82 RequestJoinAlly
0x83 RequestAnswerJoinAlly
0x84 RequestWithdrawAlly
0x85 RequestOustAlly
0x86 RequestDismissAlly
0x87 RequestSetAllyCrest
0x88 RequestAllyCrest
0x89 RequestChangePetName
0x8a RequestPetUseItem
0x8b RequestGiveItemToPet
0x8c RequestGetItemFromPet
0x8e RequestAllyInfo
0x8f RequestPetGetItem
0x90 RequestPrivateStoreBuyManage
0x91 SetPrivateBuyList
0x92 RequestPrivateStoreBuyManageCancel
0x93 RequestPrivateStoreBuyQuit
0x94 SetPrivateBuyMsg
0x95 RequestPrivateStoreBuyList
0x96 SendPrivateStoreBuyBuyList
0x97 SendTimeCheckPacket
0x98 RequestStartAllianceWar
0x99 ReplyStartAllianceWar
0x9a RequestStopAllianceWar
0x9b ReplyStopAllianceWar
0x9c RequestSurrenderAllianceWar
0x9d RequestSkillCoolTime
0x9e RequestPackageSendableItemList
0x9f RequestPackageSend
0xa0 RequestBlock
0xa1 RequestCastleSiegeInfo
0xa2 RequestCastleSiegeAttackerList
0xa3 RequestCastleSiegeInfo
0xa4 RequestJoinCastleSiege
0xa5 RequestConfirmCastleSiegeWaitingList
0xa6 RequestSetCastleSiegeTime
0xa7 RequestMultiSellChoose
0xa8 NetPing

As you can see, the majority of client packages begins with word Request that is translated as "inquiry". Yes, really, all process of game looks approximately so: the server constantly transfers us a condition of the world, position of
Mobs/players/npc and others. We when something should (be gone, attacked and other) transfer "inquiry". All is very simple. 4. XID and ObjectID each thing (the subject, NPC) in game has the 16/32 bit the identifier (trades - 8 bit). Its sense that, you see, it is more convenient to transfer on a network 2/4 byte number, than a phrase of N length like: " Crystal Scroll: Enchant Weapon (Grade B) " or nickname NPC like " Magister MacTePqpJlOMaCTeP ". As you understand, it serves for identification of this or that object. The list of these identifiers and NPC/subjects corresponding them to be stored and on a server and the client, and among themselves they is not synchronized in any way. That is, if to replace this table on a server it is necessary ¬á¬Ñ¬ä¬é¬Ú¬ä¬î and the client is one of the reasons, why at each server the patch.

Besides this identifier is still 32 bit Object ID. After call in the game world, a server appropriates to each of subjects which are at the Persian, unique OID. And OID each subsequent subject is OID current-1. That is OID it is generated at all random, and under the order. After assignment, OID it is reserved, so that anybody has not managed any more to receive similar. This information, by the way, is not confirmed by source codes, that is is my own conclusion. If it not so, on proprocession of a full circle (from 0xFFFFFFFF up to 0x00000000) it can it will turn out so, that already borrowed OID it will be appropriated to a new belonging, that will lead to unknown consequences (to an opportunity of cloning or simple falling of a server). But a problem that range OID enough big

And if to be more exact, it is necessary to appropriate OID to ~4.3 billion things to pass a full circle, what even on a server with mega-online will borrow N of days (and can also weeks). Still time I shall repeat, this all the assumption. But the matter is that I, for example, Did not see some la2 server (even off) with uptime more than week. The problem just in it can? And as a whole, OID it is necessary for struggle against cloning. To be exact with revealing of this. As to NPC, OID at them stands out under the same law, but at occurrence NPC in the world. With OID characters the same.

5. Examples of packages.
a) purchase of subjects to put on buying up a subject, we need to take advantage with 3 of packages. The first 0x94 (SetPrivateBuyMsg). Apparently from the name it establishes that message which will be is deduced above a head at the Persian during the moment of trade (what on a yellow background). Here an example:

// SetPrivateStoreBuyMsg a package

XX XX // the Size of data
94 // type of a package
41 00 41 00 41 00 42 00 42 00 42 00 // the text. Symbols should be divided among themselves null-byte
00 00 // the end of a package

Further we use a package of type 0x91 (SetPrivateBuyList). In it just we transfer quantity of subjects, Item ID and the price. For example:

// SetPrivateStoreList a package
XX XX // the Size of data
91 // type of a package
01 00 00 00 // quantity of things
// the beginning of the block
e1 02 00 00 // Item ID
00 00 01 00 00 00 // how many subjects of the given type to buy up
e8 03 00 00 // the price
// the end of the block

I shall a little explain this package. We have put them on buying up 1 thing with IID 0x2e1 (Scroll of Resurrection) for 1000 ¬Ñ¬Õ¬Ö¬ß. And last package of type 0x1d. It directly starts trade:
XX XX // the size of data
1d // type
01 00 00 00 // quantity
As to sale, there practically all same. Only instead of ' SetPrivateBuyMsg ' used ' SetPrivateStoreMsg ', and instead of ' SetPrivateBuyList ' - ' SetPrivateStoreList ' accordingly. And, nearly has not forgotten, instead of Item ID used Object ID because we sell any concrete subject.

b) private messages Here all is very simple.

XX XX // the size of data
38 // type of a package (Say2)
42 00 42 00 42 00 42 // the message (BBBB)
00 00 00 02 00 00 00 // breakspace=)
41 00 41 00 41 00 41 // nickname (¬¡¬¡¬¡¬¡)
00 00 00 // the end

c) an example of a package in which the server transfers us the list of all subjects which are on ¬é¬Ñ¬â¬Ö. And, this package assigns to everyone Item ID unique Object ID.

XX XX // length of a package
1b // type of a package (0x1b on antaras.ru)
00 00 05 00 // quantity of subjects
04 00 // type of a belonging
1e 26 14 40 // Object ID
d4 15 00 00 // Item ID (0x15d4 - Tutorial Guide)
01 00 00 00 // Quantity
05 00 00 00 00 00 00 00 00 00 00 00 00 00 // Sharpening, ¬Ü¬Ó¬Ö¬ã¬ä¬à¬Ó¬í¬Û ¬Ú¬ä¬Ö¬Þ, droped or not and still something
01 00 // type of a belonging
1d 26 14 40 // Object ID
7b 04 00 00 // Item ID (0x47b - Squire's pants)
01 00 00 00 // Quantity
01 00 00 00 00 00 00 08 00 00 00 00 00 00 01 00 // type of a belonging
1c 26 14 40 // Object ID
7a 04 00 00 // Item ID (0x47a - Squire's Shirt)
01 00 00 00 // Quantity
01 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 // type of a belonging
1b 26 14 40 // Object ID
0a 00 00 00 // Item ID (0x0a - dagger)
01 00 00 00 // Quantity 00 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 // type of a belonging
1a 26 14 40 // Object ID
42 09 00 00 // Item ID (0x942 - Guild Member's Club)
01 00 00 00 // Quantity
00 00 00 00 00 00 80 00 00 00 00 00 00 00

d) we speak with NPC on an example of learning skills For the beginning, we need to allocate NPC and to get with it dialogue:
04 // type of a package (Action)
51 14 10 48 // OID NPC
// further there are coordinates the character
c6 51 01 00 // X
52 45 02 00 // Y
b8 f2 ff ff // Z
00 // the end

And unitary ¬á¬à¬ã¬í¬Ý¬Ü¬Ñ this package - allocation NPC. To get with it dialogue, it is necessary to send this package still time. Further, when the window with a choice of dialogues opens and you choose item " Learn skills ", the client sends a server here such package:

21 // type of a package (RequestBypassToServer)
6c 00 65 00 61 00 72 00 6e 00 5f 00 73 00 6b 00 69 00 6c 00 6c 00 00 // learn_skill
00 // the end After a call of dialogue with skills, you can or look the information on any skill by means of:

6b // type of a package (RequestAcquireSkillInfo)
10 00 00 00 // number of skill
09 00 00 00 // the level to learn this skill, is sent precisely same package, but with type 0x63 (RequestAcquireSkill)

To be continue...

CAHEK · 09/26/2006, 16:37

Full translate

wallymother · 09/26/2006, 17:09

Is it possible to make items with this

JCT · 09/26/2006, 18:54

specify what you mean if you asking set up dwarf to make its a no if you mean like the item just drop off mob i see posibility