OOG dev - How to capture non-interaction outgoing packets?

Discussion on OOG dev - How to capture non-interaction outgoing packets? within the PW Hacks, Bots, Cheats, Exploits forum part of the Perfect World category.

Old   #1
 
elite*gold: 0
Join Date: Jul 2011
Posts: 144
Received Thanks: 94
Question OOG dev - How to capture non-interaction outgoing packets?

So I'm dabbling in OOG stuff atm hoping eventually to make a homestead bot to farm sigils and there are a lot more packets you have to deal with than you do with normal botting.

I've found some online libraries that document a lot of them like here:


and here:


A lot of it is outdated and I've been updating them as I go but the list is far from comprehensive and I need to capture packets that are undocumented. I have no problems with incoming packets since I can just monitor the incoming traffic for data I need but I can't figure out what to send.

Does anyone know where the other packet sending function is for like login packets and stuff? A lot of the data I need to read I'm pretty sure I have to send a request first and the request doesn't go through the normal sendpacket routine. Ideally I'd like a tool for viewing these other packets but I'll settle for a function to breakpoint.



jasty is offline  
Old 09/06/2017, 01:31   #2
 
elite*gold: 0
Join Date: Nov 2016
Posts: 5
Received Thanks: 3
explore the last function call in the c22 sendpacket function (well not the last one, but the last client function call, before the free(...) call). I was usually able to find the packet information from examining the stack at the very beginning of that function, packet type and structure should be right there. If you can't figure it out for some packets and you know how to work with server binaries, you can get all the information you need about the non-gameworld packets from the gdelivery daemon, search for Protocol::Protocol(uint) function in IDA after applying dwarf, list cross-references and enjoy digging... Although it seems you're looking for homestead features, for which the files haven't been released yet, so I guess that won't be of much help.

I'll look into the first method tomorrow, I'm sure I had found a way to dump all packets a few months ago, I just can't remember now.

ok, so I dug up a bit further and hopefully found something. The best place to bp/detour a function for monitoring these packets seems to be the function that assembles the packet together. To find this function:

-Set a breakpoint on WS2_32.send
-do something in game so the function gets called (it actually gets called twice, the second time is for the real (encrypted) packet, however we'll need the first call)
-go to return address, it'll look something like this:



-scroll up a bit until you see this function call:


-follow that function and set a breakpoint at the very first instruction

information should be stored as follows:

ecx (this):
[] = interface functions pointer
[+4] = packet type array beginning
[+8] = packet type array ending

esp + 08 (first argument):
[] = interface functions pointer
[+4] = packet array beginning
[+8] = packet array ending

for example, I'll try to find out the information about AddFriend packet.

1. the breakpoint hit, we see addresses here



2. I follow ecx in the stack



3. Here I see that the beginning of packet type array is 0x16CE9138 and the ending is 0x16CE913A. So, the packet type fits in two bytes and we can find them at 16CE9138.
4. As seen here



the packet type array has 0x80 0xCA, which is 0xCA packed into cuint.
5. Now we have the packet type, we need to get the packet structure.
6. I follow esp + 8 in the stack



7. Applying the same logic, I follow the packet array beginning address, 218ED6C8
8. Here we have



9. We also know the ending address, so we can get the entire packet:

00 52 E3 E1 00 00 00 00 16 65 00 6C 00 69 00 74 00 65 00 70 00 76 00 70 00 65 00 72 00 73 00 05 53 B4 00

Now I know, from digging up in server binaries before, that the structure is:

self UID (non-reversed) - 00 52 E3 E1
target UID (this is only if the client actually obtained the UID for this character name, in this case it did not, so it leaves it at 0) - 00 00 00 00
name of the character that we're trying to add as a friend - 16 65 00 6C 00 69 00 74 00 65 00 70 00 76 00 70 00 65 00 72 00 73 00
srclsid (source link server id, you can leave it at 0, it's not important) - 05 53 B4 00

hopefully that helps, I guess you should know what to do from here. Also, this is 1.5.3 client since I don't have a higher version one downloaded right now, so unless it has undergone major changes in the past few versions, the functions should still be in place.


gnitargetnisid is offline  
Thanks
2 Users
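The following decoder is an added example, not code from the thread or the game client: it splits the AddFriend body quoted above into the fields the post names (big-endian self UID, target UID, cuint-length-prefixed UTF-16LE name, 4-byte srclsid) and decodes the 0x80 0xCA packet type. The compact-uint width rule for forms wider than the two-byte case shown in the post is an assumption, and malformed or truncated bodies are rejected rather than silently parsed.

```python
"""Decoder for the AddFriend body captured above (added example, not from
the thread or the client). Layout per the post: big-endian self UID,
big-endian target UID, cuint-length-prefixed UTF-16LE name, 4-byte srclsid.
The cuint width rule beyond the two-byte case shown is an assumption."""
import struct

# Constructed from the bytes quoted in the post (packet type array 0x80 0xCA).
PACKET_TYPE_BYTES = bytes.fromhex("80 CA")
ADD_FRIEND_BYTES = bytes.fromhex(
    "00 52 E3 E1 00 00 00 00 16 65 00 6C 00 69 00 74 00 65 00 70 00 76 00"
    " 70 00 65 00 72 00 73 00 05 53 B4 00")


def decode_cuint(buf, off=0):
    """Return (value, next_offset) for the compact uint at buf[off].

    Assumed rule, consistent with 0x80 0xCA -> 0xCA: 0xxxxxxx = 1 byte,
    10xxxxxx = 2 bytes, 110xxxxx = 4 bytes, 111xxxxx = 5 (value in last 4).
    """
    if off >= len(buf):
        raise ValueError("cuint: unexpected end of data")
    b0 = buf[off]
    if b0 < 0x80:
        return b0, off + 1
    width, mask = (2, 0x3F) if b0 < 0xC0 else (4, 0x1F) if b0 < 0xE0 else (5, 0)
    if off + width > len(buf):
        raise ValueError("cuint: truncated at offset %d" % off)
    value = int.from_bytes(buf[off + 1:off + width], "big")
    if width != 5:
        value |= (b0 & mask) << (8 * (width - 1))
    return value, off + width


def parse_add_friend(body):
    """Split an AddFriend body into fields; reject malformed/truncated input."""
    if len(body) < 9:
        raise ValueError("body too short for the two UIDs and a length byte")
    self_uid, target_uid = struct.unpack(">II", body[:8])  # "non-reversed"
    name_len, off = decode_cuint(body, 8)
    name = body[off:off + name_len]
    if len(name) != name_len or name_len % 2:
        raise ValueError("name length %d does not fit the body" % name_len)
    off += name_len
    if len(body) - off != 4:
        raise ValueError("expected a 4-byte srclsid after the name")
    return {"self_uid": self_uid, "target_uid": target_uid,
            "name": name.decode("utf-16-le"), "srclsid": body[off:].hex()}
```

Run `parse_add_friend(ADD_FRIEND_BYTES)` to get the fields the post lists, with the name decoded to "elitepvpers"; srclsid is kept as raw hex because the post does not state its byte order.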
Old 09/08/2017, 03:36   #3
 
elite*gold: 0
Join Date: Jun 2016
Posts: 37
Received Thanks: 0
what is a c22? thx
derleyvolt is offline  
Old 09/11/2017, 07:16   #4
 
elite*gold: 0
Join Date: Jul 2011
Posts: 144
Received Thanks: 94
@ Very nice thanks for the info. That should help find packets pre-encryption.
@ c22 is a type of packet that is the container for most of the packets used by bots... movement, casting skills, talking to npcs, etc.

There are other types of packets though such as the login protocol, sending chat messages, requesting character appearance when someone walks into your view radius, requesting homestead data when entering a homestead. etc.

Here's a pretty big list of packets I found in some old thread:


jasty is offline  
Old 09/11/2017, 10:54   #5
 
elite*gold: 0
Join Date: Jun 2016
Posts: 37
Received Thanks: 0
thx jasty
derleyvolt is offline  
Old 08/13/2018, 06:46   #6
 
elite*gold: 0
Join Date: Sep 2016
Posts: 2
Received Thanks: 0
I want to make OOG cat shop, is anyone willing to share example or clues or something? thanks
ariesta1503 is offline  
Old 08/13/2018, 17:36   #7
 
elite*gold: 0
Join Date: Jul 2011
Posts: 144
Received Thanks: 94
I learned a lot about OOG stuff from existing projects like:




There is also this tool called Pandora here:


Which when combined with a proxy can capture and decode all packets so you can figure out what you need to send. Most of the packets involved with catshops are already well documented.


Unfortunately right now Arc authentication is required and the russians who figured out how to get around it aren't sharing atm. I have a good understanding about how the normal authentication works but figuring out how to authenticate with arc and what to do with the login token is a bit beyond my ability.
jasty is offline  
Thanks
1 User
Old 08/14/2018, 11:31   #8
 
elite*gold: 0
Join Date: Jun 2016
Posts: 37
Received Thanks: 0
Jasty, to you, what is most difficult in figuring out how Arc authentication works?
In what PW version was this implemented? thx bro
derleyvolt is offline  
Old 08/17/2018, 19:24   #9
 
elite*gold: 0
Join Date: Jul 2011
Posts: 144
Received Thanks: 94
Well first you need to login to Arc with OAuth probably.

Then while logging into the game you have to use that access token to generate the encryption key somehow instead of using the password.

The encryption key in the old protocol was RC4( MD5(login + password), Server Key), something like that. I'm not sure what the expression would be for using an access token instead of a password.

If you figure it out let me know.
jasty is offline  
Old 05/24/2019, 07:30   #10
 
elite*gold: 0
Join Date: Mar 2016
Posts: 3
Received Thanks: 0
Quote:
Originally Posted by jasty View Post
Well first you need to login to Arc with OAuth probably.

Then while logging into the game you have to use that access token to generate the encryption key somehow instead of using the password.

The encryption key in the old protocol was RC4( MD5(login + password), Server Key), something like that. I'm not sure what the expression would be for using an access token instead of a password.

If you figure it out let me know.
hi jasty, can you tell me how to send move at pwluaoog?
200Char is offline  
Old 05/26/2019, 23:11   #11
 
elite*gold: 0
Join Date: Jul 2011
Posts: 144
Received Thanks: 94
You have to send raw move packets.

Move:
Code:
            Packet p = new Packet();
            p.AddUInt16(0x0000) //header
                .AddFloat(pos.x)
                .AddFloat(pos.z)
                .AddFloat(pos.y)
                .AddFloat(pos.x)
                .AddFloat(pos.z)
                .AddFloat(pos.y)
                .AddUInt16(delta)  //delta millisecs = ~500
                .AddUInt16((ushort)((speed * 256) + .5), true) //speed = walk speed = player + 0x540 = ~4.8f
                .AddByte(mode) // walk = 0x21
                .AddUInt16(player.MoveCounter++, true); // Counter at player struct + 0xD18
            sendPacket(p.Bytes);
jasty is offline  
Thanks
1 User
Old 05/27/2019, 23:42   #12
 
elite*gold: 0
Join Date: Mar 2016
Posts: 3
Received Thanks: 0
Quote:
Originally Posted by jasty View Post
You have to send raw move packets.

Move:
Code:
            Packet p = new Packet();
            p.AddUInt16(0x0000) //header
                .AddFloat(pos.x)
                .AddFloat(pos.z)
                .AddFloat(pos.y)
                .AddFloat(pos.x)
                .AddFloat(pos.z)
                .AddFloat(pos.y)
                .AddUInt16(delta)  //delta millisecs = ~500
                .AddUInt16((ushort)((speed * 256) + .5), true) //speed = walk speed = player + 0x540 = ~4.8f
                .AddByte(mode) // walk = 0x21
                .AddUInt16(player.MoveCounter++, true); // Counter at player struct + 0xD18
            sendPacket(p.Bytes);
thank you for the answer, but I'm new to C#; where should I input this in pwluaogg and how can I use/call the function from protocol.lua?
200Char is offline  
Old 05/31/2019, 18:33   #13
 
elite*gold: 0
Join Date: Jul 2011
Posts: 144
Received Thanks: 94
Are you even able to use pwluaogg to get through Arc? I didn't think it worked.

You'd have to see how to send raw packets with that framework and adapt that packet format. All the fields are in reverse byte order. If you aren't comfortable with manipulating packet data you shouldn't bother with OOG stuff yet.


jasty is offline  