packet logger

[silkytail]

Here's a tiny pw packet dumper that gets the packet data out of the client (before it encrypted and after it decrypted) and dumps to the console and to text file.
It has some little limitations however, not all login traffic dumped I believe, also there's no 'control messages' ('zero' bytes between packets).
How to use: start program | start client; login and have fun.

If you're interested in future packed investigations. feel free to icq me (the answer to antispam is 0).
Hope this will do a big step in packet works

[silkytail]

attachment was there ... here it is

[Owyn]

so... it only logs and decryps packets?

[silkytail]

yep. and what it looks like?

[ericjohn]

your wrong! yep you wrote a program that listen to the client but it lack the packet algorithm, the encryption and decryption. i doubt you already figured out the algorithm written on the client it took 1 month for the other team to figure the login encryption & decrypt and even 2 months just figuring out the encrypt and decrypt of chat sent to the server.. before they coded a real emulator. look at the screenies.. they just dont share their work! Im currently studying packets now. i was wrong at posting a wrong code at my other thread.. you can study packets algorithm without the help of clients real assembly.. im focusing on studying reverse engineering now. even it take time. cause it help alot..

take a look at these screenshots of the other team's real emu:





i just have an idea.. write a proxy that directly listen to the servers like ip:202.57.118.135 and port:29000 before it cummunicate to the client. instead of listening to the client. just like others game emulator.. im not sure whether the client encrypts the recieve packet. as for the sent packet you realy must know the algorithm.

[ericjohn]

heres an example of proxy packet encrypt and decrypt source: its just for attack packets:
its a games my friend and i play before:

he wrote this when he is sitll on online game:

the Client2Server packet:

Code:

using System;
using System.Drawing;
using System.Collections;
using System.ComponentModel;
using System.Windows.Forms;
using System.Data;
using System.Threading;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.IO;

namespace Lipsum
{
	public class Packet_Client2Server
	{
		public static byte[] logpck1= new byte[68];
		public static int user1id=0;
		public static byte[] logpck2= new byte[68];
		public static int nblog=0;

		public static bool DoSendPacket(byte[] Buffer,int Length, int id)
		{
			bool SendPacket=true;

			#region Multi hit
			if((Buffer[2]==21 && Buffer[1]==7 && Form1.frm.ServerVersion<98) || (Buffer[2]==17 && Buffer[1]==7 && Form1.frm.ServerVersion>=98))
			{
				if(Form1.frm.trackBarHitInterval.Value>0)
				{
					SendAttack sdat=new SendAttack(Buffer,id);
					new Thread(new ThreadStart(sdat.DoSendAttack)).Start();
				}
				else
				{
					for(int i = 0;i<=(int)Form1.frm.nbhit.Value;i++)
					{
						Form1.frm.gSockDst2[id].SendData(Buffer,7);
					}
				}
			}
			#endregion

			#region WalkTeleport
			if(Buffer[1]>=7 && Buffer[2]==212)
			{
				int i1,i2,i3,i4,x1,y1;
				i1=Buffer[3];
				i2=Buffer[4];
				i3=Buffer[5];
				i4=Buffer[6];
				x1=i1^93;
				y1=i1^i2^188;
				CTeleport.TeleportMap(x1,y1);
			}
			if(Buffer[1]==7 && Buffer[2]==212)
			{
				int i1,i2,i3,i4,x1,y1,x2=0,y2=0,ti;
				int depxy=1;
				i1=Buffer[3];
				i2=Buffer[4];
				i3=Buffer[5];
				i4=Buffer[6];
				x1=i1^93;
				y1=i1^i2^188;
				ti=i2^i3;
				ti=ti&112;
				ti=ti|131;
				switch(ti)
				{
					case 131:
						x2=x1+depxy;
						y2=y1;
						break;
					case 243:
						x2=x1+depxy;
						y2=y1+depxy;
						break;
					case 227:
						x2=x1+0;
						y2=y1+depxy;
						break;
					case 195:
						x2=x1-depxy;
						y2=y1+0;
						break;
					case 179:
						x2=x1-depxy;
						y2=y1-depxy;
						break;
					case 163:
						x2=x1+0;
						y2=y1-depxy;
						break;
					case 147:
						x2=x1+depxy;
						y2=y1-depxy;
						break;
					case 211:
						x2=x1-depxy;
						y2=y1+depxy;
						break;
				}
				if(x2!=0 && y2!=0)
				{
					CTeleport.TeleportMap(x2,y2);
					if(Form1.frm.checkBoxWalkTeleport.Checked)
					{
						CTeleport.Teleport(x2,y2,id);
						CTeleport.Teleport2(x2,y2,id);
					}
				}
			}
			#endregion

			/*if(Buffer[0]==195 && Buffer[1]==68)
			{
				if(nblog==0)
				{
					logpck1=Buffer;
					user1id=id;
				}
				if(nblog==1)
				{
					Form1.frm.gSockDst2[user1id].SendData(logpck1,68);
					Form1.frm.gSockDst2[id].SendData(Buffer,68);
				}
				nblog++;
				Form1.frm.label28.Text=nblog.ToString();
				if(nblog==2)
					nblog=0;
				SendPacket=false;
			}
			else
			{
				nblog=0;
				Form1.frm.label28.Text=nblog.ToString();
			}*/

			return SendPacket;
		}


		public Packet_Client2Server()
		{
			//
			// TODO*: ajoutez ici la logique du constructeur
			//
		}
	}
}

SERVER 2 client:

Code:

using System;
using System.Drawing;
using System.Collections;
using System.ComponentModel;
using System.Windows.Forms;
using System.Data;
using System.Threading;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.IO;

namespace Lipsum
{
	/// <summary>
	/// Description résumée de Packet_Server2Client.
	/// </summary>
	public class Packet_Server2Client
	{

		public static bool DoReceivePacket(byte[] Buffer,int Length, int id)
		{
			byte i1,ii1;
			byte i2,ii2;
			int PosiMV,aPosiMV;
			bool SendPacket=true;
			bool pk=false;
			byte[] AttakPacket={193,7,17,0,0,0,0};

			int CurrentUser=1;
			for(int i =0;i<Form1.frm.NbUsers;i++)
			{
				if(Form1.frm.Users[i].IDSock3==id)
					CurrentUser=i;
			}

			if(Form1.frm.ServerVersion<98)
				AttakPacket[2]=21;

			#region Vault Hack
			if(Buffer[1]==4 && Buffer[2]==131 && Buffer[3]==1 && Form1.frm.chkVaultHack.Checked)
			{
				Buffer[3]=0;
				Cons.Print("Vault Hack applied",id);
			}
			#endregion

			#region Player ID
			if(Buffer[1]==12 && Buffer[2]==241)
			{
				Form1.frm.Users[CurrentUser].IDPlayer1=Buffer[5];
				Form1.frm.Users[CurrentUser].IDPlayer2=Buffer[6];
			}
			#endregion

			#region GM chars
			if(Buffer[1]==243)
			{
				/*	Buffer[19]=8;
					Buffer[45]=8;*/
			}
			#endregion

			#region Attack Packet Key
			int Code1=0,Code2=0,Code3=0,Code4=0;
			Code1=152;Code2=36;	Code3=242;Code4=104;
			if(Form1.frm.ServerVersion<98)
			{
				Code1=156;Code2=32;Code3=246;Code4=108;
			}
			#endregion
		
			#region AK V4 - kill mobs when they reappear
			if(Form1.frm.chkAKV4.Checked && (Buffer[2]==20))
			{
				for(int nbak4=0;nbak4<Buffer[3];nbak4++){
					i1=Buffer[4+nbak4*2];
					i2=Buffer[5+nbak4*2];
					if(!(i1==Form1.frm.Users[CurrentUser].IDPlayer1 && i2==Form1.frm.Users[CurrentUser].IDPlayer2))
					{
						AttakPacket[3]=(byte)(i1 ^ Code1);
						AttakPacket[4]=(byte)(i1 ^ i2 ^ Code2);
						AttakPacket[5]=(byte)(i1 ^ i2 ^ Code3);
						AttakPacket[6]=(byte)(i2 ^ (Code4));
						Cons.Print("AK v4 : "+i1.ToString() + " "+i2.ToString(),id);
						if(Form1.frm.trackBarHitInterval.Value>0)
						{
							SendAttack sdat=new SendAttack(AttakPacket,id);
							new Thread(new ThreadStart(sdat.DoSendAttack)).Start();
						}
						else
						{
							for(int i = 0;i<=(int)Form1.frm.nbhit.Value;i++)
							{
								Form1.frm.gSockDst2[id].SendData(AttakPacket,7);
							}
						}
					}
				}
			}
			#endregion

			#region AK V3 - movement detection
			if(Form1.frm.checkBox1.Checked && ((Buffer[1]==8 && Buffer[2]==16  && Form1.frm.ServerVersion<98) || (Buffer[1]==8 && Buffer[2]==212  && Form1.frm.ServerVersion>=98)))
			{
				PosiMV=0;
				i1=Buffer[PosiMV+3];
				i2=Buffer[PosiMV+4];
				PosiMV+=6;
				if(!(i1==Form1.frm.Users[CurrentUser].IDPlayer1 && i2==Form1.frm.Users[CurrentUser].IDPlayer2))
				{
					AttakPacket[3]=(byte)(i1 ^ Code1);
					AttakPacket[4]=(byte)(i1 ^ i2 ^ Code2);
					AttakPacket[5]=(byte)(i1 ^ i2 ^ Code3);
					AttakPacket[6]=(byte)(i2 ^ (Code4));
					Cons.Print("AK v3 : "+i1.ToString() + " "+i2.ToString(),id);
					if(Form1.frm.trackBarHitInterval.Value>0)
					{
						SendAttack sdat=new SendAttack(AttakPacket,id);
						new Thread(new ThreadStart(sdat.DoSendAttack)).Start();
					}
					else
					{
						for(int i = 0;i<=(int)Form1.frm.nbhit.Value;i++)
						{
							Form1.frm.gSockDst2[id].SendData(AttakPacket,7);
						}
					}
				}
			}
			#endregion

			#region ServerSide Movement - Corrects teleport bug
			if((Form1.frm.ServerVersion<98 && Buffer[1]==8 && Buffer[2]==16 && Buffer[3]==Form1.frm.Users[CurrentUser].IDPlayer1 && Buffer[4]==Form1.frm.Users[CurrentUser].IDPlayer2) ||
				(Form1.frm.ServerVersion>=98 && Buffer[1]==8 && Buffer[2]==212 && Buffer[3]==Form1.frm.Users[CurrentUser].IDPlayer1 && Buffer[4]==Form1.frm.Users[CurrentUser].IDPlayer2))
			{
				//CTeleport.TeleportMap(Buffer[5],Buffer[6]);
				SendPacket=false;
			}
			#endregion

			#region AK V1
			PosiMV=0;
			if(Form1.frm.ChkAK.Checked && Buffer[0]==194)
			{
				pk=Form1.frm.chkPK.Checked && Buffer[PosiMV+3]==18;
				if( Buffer[PosiMV+3]==19 || pk )
				{
					aPosiMV=PosiMV+5;
					for(int j=0;j<(int)Buffer[aPosiMV-1];j++)
					{
						if(pk)
							PosiMV=aPosiMV+j*21;
						else
							PosiMV=aPosiMV+j*12;
						if ((((int)Buffer[PosiMV+2])<150) || (pk))
						{
							i1=Buffer[PosiMV];
							i2=Buffer[PosiMV+1];
							ii1=Buffer[PosiMV+8];
							ii2=Buffer[PosiMV+9];
							AttakPacket[3]=(byte)(i1 ^ Code1);
							AttakPacket[4]=(byte)(i1 ^ i2 ^ Code2);
							AttakPacket[5]=(byte)(i1 ^ i2 ^ Code3);
							AttakPacket[6]=(byte)(i2 ^ (Code4));
							if(CTeleport.IsAreaFree(ii1,ii2) || !(Form1.frm.AK2.Checked))
							{
								Cons.Print("AK v1 : "+i1.ToString() + " "+i2.ToString(),id);
								if(Form1.frm.chktelmonster.Checked)
								{
									CTeleport.Teleport(ii1,ii2,id);
									CTeleport.Teleport2(ii1,ii2,id);
								}								
								if(Form1.frm.trackBarHitInterval.Value>0)
								{
									SendAttack sdat=new SendAttack(AttakPacket,id);
									new Thread(new ThreadStart(sdat.DoSendAttack)).Start();
								}
								else
								{
									for(int i = 0;i<=(int)Form1.frm.nbhit.Value;i++)
									{
										Form1.frm.gSockDst2[id].SendData(AttakPacket,7);
									}
								}
							}
						}
					}
				}
			}
			#endregion

			#region Ignored Packets
			if(Buffer[0]==194 && Buffer[PosiMV+3]==19 && Form1.frm.checkBoxIgnore3.Checked)
				SendPacket=false;
			if(Buffer[0]==194 && Buffer[PosiMV+3]==18 && Form1.frm.checkBoxIgnore3.Checked)
				SendPacket=false;
			if(Buffer[1]==8 && Buffer[2]==16  && Form1.frm.ServerVersion<98 && Form1.frm.checkBoxIgnore2.Checked)
				SendPacket=false;
			if(Buffer[1]==8 && Buffer[2]==212  && Form1.frm.ServerVersion>=98 && Form1.frm.checkBoxIgnore2.Checked)
				SendPacket=false;
			if(Buffer[1]==7 && Buffer[2]==24 && Form1.frm.checkBoxIgnore1.Checked)
				SendPacket=false;
			#endregion

			return SendPacket;
		}


		public Packet_Server2Client()
		{
			//
			// TODO*: ajoutez ici la logique du constructeur
			//
		}
	}
}

[silkytail]

Quote:

Originally Posted by ericjohn

your wrong! yep you wrote a program that listen to the client but it lack the packet algorithm, the encryption and decryption. i doubt you already figured out the algorithm written on the client

No sir! dumped packets has no encryption (at least as i see it.). And I'm sure they dont, because I made something more than just simple traffic listener Want chat? no problem, here's the example:

Code:

 80 85 64 01 00 00 14 D4 62 08 11 04 30 04 3A 04  Ђ…d....Фb...0.:.
 24 00 54 1F 04 20 04 1E 04 14 04 10 04 1C 04 20  $.T.............
 00 31 04 40 04 3E 04 3D 04 37 04 3E 04 32 04 4B  .1.@.>.=.7.>.2.K
 04 35 04 20 00 37 04 3D 04 30 04 3A 04 38 04 20  .5...7.=.0.:.8..
 00 34 04 40 04 30 04 3A 04 3E 04 3D 04 30 04 20  [email protected].:.>.=.0..
 00 3F 04 3E 04 20 00

[Owyn]

it is packed, cuz chat decrypted packet example was publishe already

[silkytail]

what packed specifically?

[ericjohn]

they are not dump. use WPE pro to analyze the packet from client and compare the packets you got in littlePaw22.24.rar its almost the same. if you saw you chat in game. you can easily understand a decrypted chat packet and you can easily edit it and encrypt it again before sending it to the server so the server wont dc you.. you can analyze my posted 1st screenies.. there are decypted chatpacket posted there.. second screenshot is login packets

you need a built in decryptor and encryptor inside your littlePaw22.24.rar to fully decrypt or encrypt packets. but i have some packets of GM sent to the server like invulnerability. you wont get dcied. but you need some GM privilage to make it work..

if you like to talk can i have your IM yahoo or icq

[silkytail]

examples please. It cannot be 'almost' the same. It is either the same or completely different.
Also your server might behave a bit different, only a suggestion.. At least packets I got with wpe has high enthropy while decrypted packets has clearly visible structure and data

icq 21398845

[silkytail]

if you mean decryptor in means of showing user data in human readable form then it's only a question of interpretation data we already got .. I'm not sure I'm going to implement it... Maybe a bridge to wp ppc to reuse its scripts..

[silkytail]

understanding the packet structure is a separate task. I know text dumps are not the best tool for it but we hasn't sniffing tools like this before isn't it? So it just a first step

[ericjohn]

yes decrypted = easy to read and easy to edit then encrypt to resend back to the server without error, and yeah its the best thing to start without packet algorithm. anyway ill analyze it again later using your proggy.. ill icq after my work.. to update my findings.. maybe these dump packets, some of them its a best start of studying the algorithm for a working emu. just like wp ppc.

[BuBucekTop]

Client found.... Failed to connect to client (5)