[Request] Help with decoding packets

Discussion on [Request] Help with decoding packets within the Mabinogi forum part of the MMORPGs category.

Old   #1
 
elite*gold: 0
Join Date: Jan 2010
Posts: 93
Received Thanks: 76
[Request] Help with decoding packets

I'm personally sick of looking at party and whisper packets and I'm not that great at reverse engineering, so I'm offering a cash reward to anyone who can show me the formula (must be usable in a calculator) used to decode party and whisper packets.

So if you're good at decoding, know how to use tools like Wireshark and maybe can even read assembly, feel free to help me find the decryption formula.

Simply put, the first person to show me a working formula wins.

Code:
Example packet code:

Normal chat packet of me saying 123:
0000   25 2b 00 00 00 03 00 00 52 6c 00 10 00 00 00 03  %+......Rl......
0010   67 35 16 03 00 01 00 06 00 0a 59 75 6b 69 74 73  g5........Yukits
0020   75 6b 69 00 06 00 04 31 32 33 00                 uki....123.

Party chat packet of me saying 123:
0000   70 25 00 00 00 00 a3 b4 8f 92 aa 13 34 a3 6c e0  p%..........4.l.
0010   a8 3c 42 aa 15 41 fe cc ba 98 76 57 55 25 09 1e  .<B..A....vWU%..
0020   29 0d 79 69 69                                   ).yii
Party packets use an ID system so you won't find your char name in one.

PS. I'll leave the amount to be decided between me and the person who finds the formula. Please note, I am a student, so no big $$$.
YukiTsuki is offline  
Old 01/10/2011, 14:45   #2
 
elite*gold: 0
Join Date: Mar 2010
Posts: 912
Received Thanks: 112
Telling us your findings on the normal chat packet (such as what bytes mean what) would help us decrypt the encrypted packet. The first thing I can think of is an XOR though, since it is the fastest encryption you can get.

PS. How did you work out that the party packets use an ID system if you never decrypted them?
kotarou3 is offline  
Old 01/10/2011, 17:44   #3
 
elite*gold: 0
Join Date: Sep 2009
Posts: 1,528
Received Thanks: 613
I doubt normal packets are even encrypted.
adam_j is offline  
Old 01/11/2011, 02:38   #4
 
elite*gold: 0
Join Date: Jan 2010
Posts: 93
Received Thanks: 76
Normal Chat Msg
Code:
0000   34 3a 00 00 00 03 00 00 52 6c 00 10 00 00 00 03  4:......Rl......
0010   67 35 25 03 00 01 00 06 00 0a 59 75 6b 69 74 73  g5%.......Yukits
0020   75 6b 69 00 06 00 13 54 68 69 73 20 69 73 20 61  uki....This is a
0030   20 63 68 61 74 20 6d 73 67 00                     chat msg.
Party Chat Msg
Code:
0000   60 34 00 00 00 00 bc 69 78 a8 85 05 ab 64 43 0e  `4.....ix....dC.
0010   70 a3 29 60 0d 4d 0f 67 e3 6d 40 06 af 6a 94 a0  p.)`.M.g.m@..j..
0020   20 56 d6 c3 51 fb 97 af 9a f9 56 37 5a 71 7b 3e   V..Q.....V7Zq{>
0030   40 4f 2c 5a                                      @O,Z
Whisper Chat Msg
Code:
0000   b0 38 00 00 00 00 a1 f8 73 39 39 bd d4 63 15 68  .8......s99..c.h
0010   dd ce ce a1 0d ab fd 0f b3 50 81 48 d8 d5 00 22  .........P.H..."
0020   85 6b 7f be 18 3d ea 83 bd 66 9d 9a a7 50 15 d6  .k...=...f...P..
0030   97 92 a9 d0 1f 3f 99 dc                          .....?..
If you look carefully you can see that the normal chat is not encrypted, and you can see my char name along with the msg "This is a chat msg".

Party and Whisper Chat are encrypted and seem to use an id system unlike the normal chat which clearly shows your char name.

I do know both party and whisper use XOR in that each byte is done in this kind of way "xor 15, xor 30, xor 45, etc". So with a party msg that has say aaa which looks like this:

Code:
0000   70 25 00 00 00 00 a6 bd 4a b3 39 eb 02 0e 57 ef  p%......J.9...W.
0010   a7 cc 09 63 6c 18 fe cc ba 98 76 57 55 25 09 1e  ...cl.....vWU%..
0020   29 5d 2a 3b 69                                   )]*;i
You'll find that, turning the values into decimal:
Code:
9 with an xor15 becomes 6
30 (1e) uses an xor30 to become 0
41 (29) uses an xor45 to become 4 (This is the length of the msg. It includes itself and the number of bytes of your msg)
93 (5d) uses an xor60 to become 97 (or "a")
42 (2a) uses an xor75 to become 97 (or "a")
59 (3b) uses an xor90 to become 97 (or "a")
105 (69) uses an xor105 to become 0
Unfortunately once you add a fourth byte to your msg (eg another "a") the whole msg changes like so:

Code:
0000   70 26 00 00 00 00 d8 36 60 7d a2 b3 8a 0e 2c 87  p&.....6`}....,.
0010   c1 65 16 c3 b6 22 7b d0 b8 95 20 4c b8 75 75 a2  .e..."{... L.uu.
0020   2d 38 89 13 4c 6c                                -8..Ll
Whisper Packets are a little different.
This is "aaa":
Code:
0000   c0 29 00 00 00 00 7c 73 ec a6 f2 4e 23 f5 9c 6b  .)....|s...N#..k
0010   31 77 1b 0d b6 7a 98 5e 74 5c 65 01 81 f7 fd 3d  1w...z.^t\e....=
0020   bd 58 86 9a 1c 86 9f bd ba                       .X.......
This is "aaaa":
Code:
0000   c0 2a 00 00 00 00 ca a0 60 64 0f a7 85 21 c9 a0  .*......`d...!..
0010   eb 96 b0 3e 54 fa ae cf 09 4f c3 b8 e6 00 18 8b  ...>T....O......
0020   59 1c be cd 04 a7 9f bd db 98                    Y.........
This is "aaaaa":
Code:
0000   c0 2b 00 00 00 00 3d 14 25 cd d6 bf 49 d7 e5 3a  .+....=.%...I..:
0010   ad 0f 07 f7 85 02 39 e7 68 e3 1a 69 98 11 eb 26  ......9.h..i...&
0020   63 aa a6 0e 47 3e 9f bd db f9 76                 c...G>....v
This is "aaaaaa":
Code:
0000   c0 2c 00 00 00 00 9c 1d ca bf ac aa 7e 68 55 64  .,..........~hUd
0010   37 c0 9c 44 d5 9b f7 15 7e a2 56 71 ac e3 b4 6e  7..D....~.Vq...n
0020   b0 fe f4 14 85 32 9f bd db f9 17 54              .....2.....T
Whisper doesn't seem to have the same change that Party msgs have but it probably uses the same system of xor.

Since "a" has a decimal value of 97:
Code:
32 to 50 then xor it by 97 to become 83
9f to 159 then xor it by 97 to become 254
bd to 189 then xor it by 97 to become 220
db to 219 then xor it by 97 to become 186
f9 to 249 then xor it by 97 to become 152
17 to 23  then xor it by 97 to become 118
The first byte changes depending on the length, but the rest seem to hold a pattern of -34.

On a side note the very last byte of any msg always equals zero.
YukiTsuki is offline  
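The hand arithmetic in the post above, redone with real XOR as an added example (it is not code from the thread). The point of doing it in code rather than a calculator is that a keystream guess can then be tested against every sample at once: the "xor 15, xor 30, xor 45, ..." reading decodes the last seven bytes of the "aaa" party packet exactly as the poster says, and the same positional keystream fails on the "aaaa" packet, which is the "whole msg changes" behaviour the post describes. The packet bytes are copied from the post; the plaintext shape (06 00, length counting the NUL, text, NUL) is the one the thread reports for normal chat; helper names and the choice to test the last n bytes are my assumptions.

```python
"""
Redo of YukiTsuki's hand arithmetic with real XOR (added example, not from the thread).
Party bytes and the six whisper bytes are copied from the post; helper names are mine.
"""

# Party packet for "aaa" (37 bytes, copied from the post).
PARTY_AAA = bytes.fromhex(
    "70 25 00 00 00 00 a6 bd 4a b3 39 eb 02 0e 57 ef "
    "a7 cc 09 63 6c 18 fe cc ba 98 76 57 55 25 09 1e "
    "29 5d 2a 3b 69"
)
# Party packet for "aaaa" (38 bytes, copied from the post).
PARTY_AAAA = bytes.fromhex(
    "70 26 00 00 00 00 d8 36 60 7d a2 b3 8a 0e 2c 87 "
    "c1 65 16 c3 b6 22 7b d0 b8 95 20 4c b8 75 75 a2 "
    "2d 38 89 13 4c 6c"
)
# The six bytes of the "aaaaaa" whisper packet that the poster XORs with 97.
WHISPER_AAAAAA_TAIL = bytes.fromhex("32 9f bd db f9 17")


def string_field(text):
    """How a string looks in the unencrypted packets: 06 00, len(text)+1, text, NUL."""
    return b"\x06\x00" + bytes([len(text) + 1]) + text + b"\x00"


def xor_tail(pkt, n, step=15):
    """The poster's hypothesis: the last n bytes are XORed with step, 2*step, ..., n*step."""
    return bytes(c ^ (((k + 1) * step) & 0xFF) for k, c in enumerate(pkt[-n:]))


def party_hypothesis_holds():
    """Return (holds for "aaa", holds for "aaaa") under the same positional keystream."""
    return (
        xor_tail(PARTY_AAA, 7) == string_field(b"aaa"),
        xor_tail(PARTY_AAAA, 8) == string_field(b"aaaa"),
    )


def keystream_if_plaintext(cipher, plain_byte):
    """Keystream recovered by assuming every byte encrypts plain_byte (the "xor it by 97" step)."""
    return [c ^ plain_byte for c in cipher]


def differences(values):
    """Step between neighbouring values; the poster reports -34 after the first byte."""
    return [b - a for a, b in zip(values, values[1:])]


if __name__ == "__main__":
    print("15*k keystream decodes 'aaa', 'aaaa':", party_hypothesis_holds())
    ks = keystream_if_plaintext(WHISPER_AAAAAA_TAIL, ord("a"))
    print("whisper keystream assuming 'a':", ks, "steps:", differences(ks))
```

`party_hypothesis_holds()` returns `(True, False)`: the guessed keystream is a fit for one sample only, so it is a description of that sample rather than of the cipher. The whisper helper reproduces the 83, 254, 220, 186, 152, 118 sequence and its constant -34 steps, which is the kind of regularity worth recording before guessing further.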
Old 01/11/2011, 05:44   #5
 
elite*gold: 0
Join Date: Jan 2009
Posts: 435
Received Thanks: 43
Are you somehow related to YukiXian who posted another post about Packets?
Also I am curious to know how exactly you come about sending and receiving these packets because most of the methods of packet "sniffing" are detected except for a few such as the use of a proxy.
razer951 is offline  
Old 01/11/2011, 06:18   #6
 
elite*gold: 0
Join Date: Jan 2010
Posts: 93
Received Thanks: 76
Wireshark works for me just fine. Has no problems with hackshield. You can use whatever program you like really. Packets are packets, they don't change unless what's in them changes.

Also I don't know who YukiXian is.
YukiTsuki is offline  
Old 01/11/2011, 08:01   #7
 
elite*gold: 0
Join Date: Mar 2010
Posts: 912
Received Thanks: 112
Wireshark was never detected and never will be

Code:
Normal chat packet of me saying 123:
0000   25 2b 00 00 00 03 00 00 52 6c 00 10 00 00 00 03  %+......Rl......
0010   67 35 16 03 00 01 00 06 00 0a 59 75 6b 69 74 73  g5........Yukits
0020   75 6b 69 00 06 00 04 31 32 33 00                 uki....123.
What I mean by "what each byte means" is this:

Code:
00 = ? (byte)
01 = Absolute address of end of packet (byte)
02 = ? (dword)
06 = ? (dword)
0A = Size of character name (word)
0C = Size of message (dword)
etc
kotarou3 is offline  
Old 01/11/2011, 10:31   #8
 
elite*gold: 0
Join Date: Jan 2010
Posts: 93
Received Thanks: 76
Quote:
Originally Posted by kotarou3
Wireshark was never detected and never will be

Code:
Normal chat packet of me saying 123:
0000   25 2b 00 00 00 03 00 00 52 6c 00 10 00 00 00 03  %+......Rl......
0010   67 35 16 03 00 01 00 06 00 0a 59 75 6b 69 74 73  g5........Yukits
0020   75 6b 69 00 06 00 04 31 32 33 00                 uki....123.
What I mean by "what each byte means" is this:

Code:
00 = ? (byte)
01 = Absolute address of end of packet (byte)
02 = ? (dword)
06 = ? (dword)
0A = Size of character name (word)
0C = Size of message (dword)
etc
25 2b 00 00 is the packet id
0a is, as you said, the byte length of the char's name that said something, plus it counts itself, so we typically use a -1 on that byte.
59 75 6b 69 74 73 75 6b 69 is the char name and in this case it's me "Yukitsuki"
04 is the next length byte and is the same as the char name one
31 32 33 was the msg "123"
and then it ends with a 00 byte
The rest we're ignoring at the moment as it's not really needed for our needs. I'm sure part of the packet says if you have a name change potion on, but we don't care about that (which might be the "67 35 16 03" bytes).
YukiTsuki is offline  
Old 01/11/2011, 14:15   #9
 
elite*gold: 0
Join Date: Mar 2010
Posts: 912
Received Thanks: 112
If you didn't know what the ending NULL byte was, it was for the terminating NULL in the c-string. Remember that.

So basically:
Code:
00 = Packet ID (byte)
01 = Size of packet (dword)
05 = ? (1A bytes)
19 = Size of character name (byte)
1A = Character name (&19 bytes)
1A+&19 = ? (word)
1A+&19+2 = Size of message (byte)
1A+&19+3 = Message (&(1A+&19+2) bytes)
In C (In progress):
Code:
#include <stdint.h>

/* Layout per the table above; the dword at offset 01 is little-endian on the wire.
   Overlaying this struct directly on the raw bytes would need it packed (no padding). */
struct chat_packet_header {
    uint8_t  id;            /* 00: packet ID (byte) */
    uint32_t sizeofpacket;  /* 01: size of packet (dword, LE) */
    /* ? ?;  remaining fields unknown; I'm guessing this would contain offsets and such to the strings */
};
EDIT: Forgot about LE!

Also, give me a few more examples of normal chat, with what you said included
kotarou3 is offline  
Old 01/12/2011, 02:47   #10
 
elite*gold: 0
Join Date: Jan 2010
Posts: 93
Received Thanks: 76
Normal chat isn't what we're trying to decode. We already have it in Mabimessage just fine. We're trying to decode party and whisper packets.
YukiTsuki is offline  
Old 01/12/2011, 06:34   #11
 
elite*gold: 0
Join Date: Jul 2010
Posts: 20
Received Thanks: 2
From what we know so far
byte 0 is a base packet id, a secondary id is also needed to determine what the packet is for.
byte 1,2,3,4 is a uint32 of the length of the packet

Strings in Mabinogi packets have a habit of starting with 6h, 0h and then the length, and always end in 0h.

The sample party packet thus most likely (but may not) ends in 6h 0h 4h 31h 32h 33h 0h,
but the xor for each person is different, thus some sort of algorithm is used to xor the bytes.
Project-Mayu is offline  
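A parser for the unencrypted normal-chat packet, written as an added example to the byte table in kotarou3's post (#9) and the string observation in Project-Mayu's post just above; it is not code from the thread. It follows the layout the two posts describe: a first byte the thread calls the packet id, a little-endian uint32 packet size, header bytes the thread has not decoded, then two strings each introduced by 06 00, a one-byte length that counts the terminating NUL, the text and the NUL. The thing a parser adds over reading the hexdump by hand is bounds checking: every length the packet claims is checked against the buffer that actually arrived, so a truncated packet or a length byte that lies raises an error instead of reading past the end. The two sample packets are copied from YukiTsuki's posts; `STRINGS_START`, the field names and the `PacketError` type are my assumptions.

```python
"""
Parser for the unencrypted normal-chat packet layout described in the thread
(added example, not the thread's own code). Samples copied from YukiTsuki's
posts; field names, offsets and helper names are my assumptions.
"""
import struct

# Sample 1: YukiTsuki saying "123" (43 bytes, copied from the thread).
NORMAL_CHAT_123 = bytes.fromhex(
    "25 2b 00 00 00 03 00 00 52 6c 00 10 00 00 00 03 "
    "67 35 16 03 00 01 00 06 00 0a 59 75 6b 69 74 73 "
    "75 6b 69 00 06 00 04 31 32 33 00"
)
# Sample 2: YukiTsuki saying "This is a chat msg" (58 bytes, copied from the thread).
NORMAL_CHAT_LONG = bytes.fromhex(
    "34 3a 00 00 00 03 00 00 52 6c 00 10 00 00 00 03 "
    "67 35 25 03 00 01 00 06 00 0a 59 75 6b 69 74 73 "
    "75 6b 69 00 06 00 13 54 68 69 73 20 69 73 20 61 "
    "20 63 68 61 74 20 6d 73 67 00"
)

STRING_MARKER = b"\x06\x00"   # the "6h, 0h" prefix Project-Mayu describes
STRINGS_START = 0x17          # offset of the first marker in both samples (assumption)


class PacketError(ValueError):
    """Raised for any truncated, overlong or malformed packet."""


def read_string(buf, pos):
    """Parse marker(2) + length(1) + text + NUL starting at pos.

    Returns (text, position after the NUL). Every access is bounds-checked
    against the real buffer, never against the lengths the packet claims.
    """
    if buf[pos:pos + 2] != STRING_MARKER:
        raise PacketError(f"expected 06 00 string marker at offset {pos:#x}")
    pos += 2
    if pos >= len(buf):
        raise PacketError("packet ends before the string length byte")
    n = buf[pos]          # counts the text plus its NUL, so a valid value is >= 1
    pos += 1
    if n == 0 or pos + n > len(buf):
        raise PacketError(f"string length {n} at offset {pos - 1:#x} runs past end of packet")
    raw = buf[pos:pos + n]
    if raw[-1] != 0:
        raise PacketError("string is not NUL-terminated")
    return raw[:-1].decode("ascii"), pos + n


def parse_normal_chat(pkt):
    """Return the decoded fields as a dict, or raise PacketError."""
    if len(pkt) < STRINGS_START:
        raise PacketError("packet shorter than the fixed header")
    (declared,) = struct.unpack_from("<I", pkt, 1)     # dword at offset 01, little-endian
    if declared != len(pkt):
        raise PacketError(f"declared length {declared} != actual {len(pkt)}")
    name, pos = read_string(pkt, STRINGS_START)
    message, pos = read_string(pkt, pos)
    if pos != len(pkt):
        raise PacketError(f"{len(pkt) - pos} trailing bytes after the message")
    return {
        "id": pkt[0],
        "length": declared,
        "header": pkt[5:STRINGS_START].hex(),   # bytes the thread has not decoded
        "name": name,
        "message": message,
    }


def parse_or_error(pkt):
    """Same as parse_normal_chat but returns the error text instead of raising."""
    try:
        return parse_normal_chat(pkt)
    except PacketError as e:
        return str(e)


def with_message_length(pkt, n):
    """Constructed bad input: overwrite the message length byte (offset 0x26 when the name is 'Yukitsuki')."""
    b = bytearray(pkt)
    b[0x26] = n
    return bytes(b)


if __name__ == "__main__":
    for sample in (NORMAL_CHAT_123, NORMAL_CHAT_LONG):
        print(parse_normal_chat(sample))
    print(parse_or_error(NORMAL_CHAT_123[:-1]))                        # truncated on the wire
    print(parse_or_error(with_message_length(NORMAL_CHAT_123, 0x40)))  # length byte lies
```

Both samples parse to the name "Yukitsuki" with the messages "123" and "This is a chat msg", and the size dword (0x2b and 0x3a read little-endian) matches the real byte count, which is a quick way to settle the endianness question raised later in the thread. The `id` byte differs between the two samples (0x25 and 0x34) even though both are normal chat, so the parser records it rather than checking it.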
Old 01/12/2011, 07:38   #12
 
elite*gold: 0
Join Date: Mar 2010
Posts: 912
Received Thanks: 112
Quote:
Originally Posted by YukiTsuki
Normal chat isn't what we're trying to decode. We already have it in Mabimessage just fine. We're trying to decode party and whisper packets.
I know. But having the struct for the normal chat would make it easier to decode the encrypted party chat because we know the correct values
kotarou3 is offline  
Old 01/14/2011, 05:14   #13
 
elite*gold: 0
Join Date: Jul 2010
Posts: 20
Received Thanks: 2
The encrypted packets are definitely different from normal packets.
Normal packets have the user's name in plain text.
Encrypted ones seem to have an ID.

apart from the info I posted, we don't really know much more about the packet format, most of what we know is pure guess work.

One thing I forgot to mention: apart from the packet length, Mabinogi's numbers count backwards, decimal 1 = 0h 0h 0h 1h.
Project-Mayu is offline  
Old 01/14/2011, 08:43   #14
 
elite*gold: 0
Join Date: Mar 2010
Posts: 912
Received Thanks: 112
That's not Mabinogi, that's just Little Endian.
kotarou3 is offline  
Old 01/16/2011, 00:34   #15
 
elite*gold: 0
Join Date: Jul 2010
Posts: 20
Received Thanks: 2
I checked with Dot Net (BitConverter.IsLittleEndian)
Little Endian is 1h 0h 0h 0h
Big Endian is 0h 0h 0h 1h

my note is to be aware that Mabinogi uses both, mainly Big
Project-Mayu is offline  