SwTor Server Packet logger 1.4 beta

[the1domo]

SwTor Server Packet Logger 1.4 beta by the1domo

This is a simple packet logger for logging the packets from the login server for reverse engineering
this is only my first version and I'm looking for decryption method to add to it

What a can do
#1 it logs the packets to a file and in a easy to read format
#2 dumps a packet with a key to a file the key is a RSA encrypted salsa keys for encryption and decryption. "As quoted by polimorfic"
#3 dumps all packet to bin files for easier decryption.
#4 dumps all packet .pcap files so you can read in wireshark.

1.1 Update log:
Packet header fix

1.3 Update log:
#1 Fixed some errors with the error handling.
#2 Added a dumper to dump to bin files for easier decryption.
#3 Added a dumper for creating pcap files so you can read in wireshark.

1.4 Update log:
#1 Added support for ssl logging
#2 Added support for gamepad.swtor.com logging
#3 Added support for game server logging

all the URL it log's
gamepad.swtor.com 159.153.92.47:443
he1012n01.swtor.com 159.153.95.81:8995
va1poold1n0136.swtor.com 159.153.95.178:20061
va1poold1n0047.swtor.com 159.153.95.62:21610
va1poold1n0021.swtor.com 159.153.95.31:20065
va1poold1n0136.swtor.com 159.153.95.178:20065
va1poold1n0136.swtor.com 159.153.95.178:20067
va1poold1n0107.swtor.com 159.153.95.137:21607
va1poold1n0047.swtor.com 159.153.95.62:21604
va1poold1n0047.swtor.com 159.153.95.62:21606
va1poold1n0107.swtor.com 159.153.95.137:21606

These are the beginning features in the beta more to come later

swtor Packet logger 1.3:
https://www.virustotal.com/file/faff...is/1327688528/

swtor Packet logger 1.4:
https://www.virustotal.com/file/b2ee...is/1327701812/

SharpPcap.dll
https://www.virustotal.com/file/c6ad...baca/analysis/

PacketDotNet.dll
https://www.virustotal.com/file/3e83...c3a8/analysis/

For all my projects please visit
SwTorGamers.Net Home

[Analhammer]

Crashes for me at login screen.
This is the Output:
(sorry some german words @exception)

Code:

SwTor login server Packet logger 1.0 beta by the1domo

The following devices are available on this machine:
----------------------------------------------------

0) rpcap://\Device\NPF_{0BB5DDFA-361D-4A9C-8EAA-BB12436BE782} Network adapter 'R
ealtek PCIe GBE Family Controller' on local host
1) rpcap://\Device\NPF_{8E94C6C0-EE17-4D97-8E73-DA6CA90101A3} Network adapter 'R
ealtek PCIe GBE Family Controller' on local host

-- Please choose a device to capture: 0

-- The following tcpdump filter will be applied: "ip and tcp"
-- Listening on Network adapter 'Realtek PCIe GBE Family Controller' on local ho
st, hit 'Ctrl-C' to exit...
swtor login server: 15:38:45,253 Len=66 10.0.0.97:2686 -> 159.153.74.241:8995
swtor login server: 15:38:45,310 Len=66 159.153.74.241:8995 -> 10.0.0.97:2686
swtor login server: 15:38:45,310 Len=54 10.0.0.97:2686 -> 159.153.74.241:8995
swtor login server: 15:38:45,367 Len=76 159.153.74.241:8995 -> 10.0.0.97:2686
swtor login server: 15:38:45,560 Len=54 10.0.0.97:2686 -> 159.153.74.241:8995
swtor login server: 15:38:45,797 Len=1088 10.0.0.97:2686 -> 159.153.74.241:8995
swtor login server: 15:38:45,870 Len=60 159.153.74.241:8995 -> 10.0.0.97:2686
swtor login server: 15:38:45,870 Len=103 10.0.0.97:2686 -> 159.153.74.241:8995
swtor login server: 15:38:45,926 Len=60 159.153.74.241:8995 -> 10.0.0.97:2686
swtor login server: 15:38:45,943 Len=131 159.153.74.241:8995 -> 10.0.0.97:2686
swtor login server: 15:38:45,962 Len=156 10.0.0.97:2686 -> 159.153.74.241:8995
swtor login server: 15:38:46,60 Len=60 159.153.74.241:8995 -> 10.0.0.97:2686
swtor login server: 15:38:47,142 Len=147 159.153.74.241:8995 -> 10.0.0.97:2686
swtor login server: 15:38:47,341 Len=54 10.0.0.97:2686 -> 159.153.74.241:8995
swtor login server: 15:38:47,515 Len=68 10.0.0.97:2686 -> 159.153.74.241:8995
swtor login server: 15:38:47,515 Len=54 10.0.0.97:2686 -> 159.153.74.241:8995
swtor login server: 15:38:47,571 Len=60 159.153.74.241:8995 -> 10.0.0.97:2686
swtor login server: 15:38:47,574 Len=60 159.153.74.241:8995 -> 10.0.0.97:2686
swtor login server: 15:38:47,574 Len=54 10.0.0.97:2686 -> 159.153.74.241:8995

Unbehandelte Ausnahme: System.InvalidOperationException: TotalLength 0 < HeaderM
inimumLength 20
   bei PacketDotNet.IPv4Packet..ctor(ByteArraySegment bas)
   bei PacketDotNet.EthernetPacket.ParseEncapsulatedBytes(ByteArraySegment Heade
r, EthernetPacketType Type)
   bei PacketDotNet.EthernetPacket..ctor(ByteArraySegment bas)
   bei PacketDotNet.Packet.ParsePacket(LinkLayers LinkLayer, Byte[] PacketData)
   bei ConsoleApplication3.Program.device_OnPacketArrival(Object sender, Capture
EventArgs e)
   bei SharpPcap.LibPcap.PcapDevice.SendPacketArrivalEvent(RawCapture p)
   bei SharpPcap.LibPcap.PcapDevice.PacketHandler(IntPtr param, IntPtr header, I
ntPtr data)
   bei SharpPcap.LibPcap.LibPcapSafeNativeMethods.pcap_dispatch(IntPtr adaptHand
le, Int32 count, pcap_handler callback, IntPtr ptr)
   bei SharpPcap.LibPcap.PcapDevice.CaptureThread()
   bei SharpPcap.LibPcap.PcapDevice.Capture()
   bei ConsoleApplication3.Program.Main(String[] args)

it creates the swtoe_login_server_encrypted.txt but not the swtoe_login_server_key.txt

[the1domo]

Hello may I see the output that you got in the swtoe_login_server_encrypted.txt specifically the #5 packet

Code:

--------------------------------------------------------------------------------
swtor login server: 15:1:14,880 Len=1088 5.6.8.9:9350 -> 159.153.95.81:8995
--------------------------------------------------------------------------------
Data:  ******* Raw Hex Output - length=1088 bytes
Data: Segment:                   Bytes:                              Ascii:
Data: --------------------------------------------------------------------------
Data: 0000  78 cd 8e cf 1e 8e 6c f0  49 7c 37 49 08 00 45 00   x.....l. I|7I..E.
Data: 0010  04 32 06 87 40 00 80 06  00 00 32 4c 62 1b 9f 99   .2..@... ..2Lb...
Data: 0020  5f 51 24 86 23 23 98 50  bc 1e 16 77 da 49 50 18   _Q$.##.P ...w.IP.
Data: 0030  40 23 97 76 00 00 04 0a  04 00 00 0a c2 01 00 00   @#.v.... ........
Data: 0040  37 32 44 39 30 42 41 44  32 43 33 43 43 45 44 43   72D90BAD 2C3CCEDC
Data: 0050  41 33 30 35 39 46 36 41  39 41 31 39 33 32 39 41   A3059F6A 9A19329A
Data: 0060  34 39 46 35 44 41 44 45  41 46 36 33 36 30 37 42   49F5DADE AF63607B
Data: 0070  45 44 44 36 33 31 43 37  43 46 46 38 39 38 33 41   EDD631C7 CFF8983A

[Analhammer]

There: Pastebin.com

[the1domo]

i fix the Packet header in v1.1 Please give this a try

[Analhammer]

Yeah it dumps the key now (still crashes at char selection with the above exception).

[the1domo]

OKay I can code some handlers. In the next revision.

[the1domo]

1.3 Update log:
#1 Fixed some errors with the error handling.
#2 Added a dumper to dump to bin files for easier decryption.
#3 Added a dumper for creating pcap files so you can read in wireshark.

[the1domo]

1.4 Update log:
#1 Added support for ssl logging
#2 Added support for gamepad.swtor.com logging
#3 Added support for game server logging

all the URL it log's
gamepad.swtor.com 159.153.92.47:443
he1012n01.swtor.com 159.153.95.81:8995
va1poold1n0136.swtor.com 159.153.95.178:20061
va1poold1n0047.swtor.com 159.153.95.62:21610
va1poold1n0021.swtor.com 159.153.95.31:20065
va1poold1n0136.swtor.com 159.153.95.178:20065
va1poold1n0136.swtor.com 159.153.95.178:20067
va1poold1n0107.swtor.com 159.153.95.137:21607
va1poold1n0047.swtor.com 159.153.95.62:21604
va1poold1n0047.swtor.com 159.153.95.62:21606
va1poold1n0107.swtor.com 159.153.95.137:21606

[K123]

Any chance on this going open-source?

[Analhammer]

Any chance on this going open-source?

It's .NET code, you can pretty much decompile it back to nice readable code without problems with the neccessary tools...
If you can't find them with simple google usage you shouldn't be viewing code anyway...

Other than that, its pretty easy to create something like this. Sadly the interesting encryption related informations are not (yet?) implemented.

[polimorfic]

for sniffer you can use wpcap library.

if domo and me add enc/decompression code to logger, than it will be in win32 native dll, not c#.

[K123]

Other than that, its pretty easy to create something like this. Sadly the interesting encryption related informations are not (yet?) implemented.

Perhaps, but why not just save everyone time and just add a .zip with the source?

[polimorfic]

Perhaps, but why not just save everyone time and just add a .zip with the source?

because everyone waiting while one lost its time... I search on web and did not find any team with real results.

[K123]

polimorfic says: "Go make one yourself."
Analhammer says: "Go decompile it yourself."

Whatever. Keep it closed source. My time is valuable and I'm not wasting it by reinventing your wheels and sharing my findings with you.