Basically I decided to make a kind of radar which posts all seen Doods to one Firebase and visualizes them on the web (aka archebox).
To do that I had 2 approaches: inject my code into the process and hook internal functions, or create a packet sniffer. I decided to go for the second option.
Client version is 6.x
So far I have managed to decrypt the packets (S2C type 5). Here is an example packet:
Code:
59 1b 2e 03 01 96 3d 02 15 cb 08 b7 27 23 3d 00
00 54 b8 01 00 00 00 00 7f bd 85 00 97 10 9a 00
14 55 03 00 00 00 00 3d 83 00 00 80 3f cf e9 07
00 00 00 00 00 00 00 00 00 00 00 00 00 15 09 b1
0a d9 53 34 5f 00 00 00 00 00 00 00 00 ff ff ff
ff fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00
Actually that packet looks like SCDoodadsCreatedPacket. What I mean:
0x59 - checksum
0x1b - sequence
2e 03 - OpCode (0x32E strange)
0x01 number of doods in list
96 3d 02 15 - probably object id
cb 08 - doodad_almighty_id in doodad_func_groups table
cb 08 - id in doodad_func_groups table
....
15 09 b1 0a is probably some kind of timestamp to the next phase
So basically I can identify the dood; unfortunately I have no idea how to get the position (X, Y, Z).
Edit:
Here is some additional information that I found today.
After the server maintenance my sniffer started to report different OpCodes. Here is an example:
Code:
00000000 53 07 b1 00 01 be fe 00 15 e9 08 bd 11 40 3d 00
00000010 00 00 00 00 00 00 00 00 e9 cf 85 00 60 07 9a 00
00000020 55 55 03 00 00 00 00 6f bd 00 00 80 3f cf e9 07
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 45 b4 00
00000040 14 06 85 33 5f 00 00 00 00 00 00 00 00 ff ff ff
00000050 ff fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060 00 00 00 00 00 00
OpCode: B1
CRC: 53
So my guess is that OpCodes are obfuscated (probably with XOR again) but the key is transmitted in some of the initial packets.
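As an added example (not code from the post or from any ArcheAge tool), here is a small Python script that parses the two captures quoted above using the field offsets the post proposes, lists which byte offsets changed between the capture before and after maintenance, and scans the packet for bytes that decode as a plausible little-endian float32. The field names, the assumption that the second id is the u16 immediately after the almighty id, and the float heuristic are my guesses for illustration, not confirmed structure; the two hex dumps are copied from the post.

```python
import math
import struct

# Constructed sample input: the two captures quoted in the post, copied verbatim.
# The first is bare hex, the second carries an 8-digit offset column.
CAPTURE_1 = """
59 1b 2e 03 01 96 3d 02 15 cb 08 b7 27 23 3d 00
00 54 b8 01 00 00 00 00 7f bd 85 00 97 10 9a 00
14 55 03 00 00 00 00 3d 83 00 00 80 3f cf e9 07
00 00 00 00 00 00 00 00 00 00 00 00 00 15 09 b1
0a d9 53 34 5f 00 00 00 00 00 00 00 00 ff ff ff
ff fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00
"""

CAPTURE_2 = """
00000000 53 07 b1 00 01 be fe 00 15 e9 08 bd 11 40 3d 00
00000010 00 00 00 00 00 00 00 00 e9 cf 85 00 60 07 9a 00
00000020 55 55 03 00 00 00 00 6f bd 00 00 80 3f cf e9 07
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 45 b4 00
00000040 14 06 85 33 5f 00 00 00 00 00 00 00 00 ff ff ff
00000050 ff fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060 00 00 00 00 00 00
"""


def parse_hexdump(text: str) -> bytes:
    """Turn a forum-style hex dump into bytes, dropping any leading offset column."""
    out = bytearray()
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and len(tokens[0]) == 8:  # "00000000"-style offset column
            tokens = tokens[1:]
        out += bytes.fromhex("".join(tokens))
    return bytes(out)


def parse_doodad_packet(pkt: bytes) -> dict:
    """Apply the field guesses from the post. Offsets are the post's (assumed), not confirmed."""
    if len(pkt) < 65:
        raise ValueError("packet shorter than the layout the post describes")
    return {
        "checksum": pkt[0],
        "sequence": pkt[1],
        "opcode": struct.unpack_from("<H", pkt, 2)[0],          # little-endian: 2e 03 -> 0x032E
        "count": pkt[4],
        "object_id": struct.unpack_from("<I", pkt, 5)[0],       # 96 3d 02 15 -> 0x15023D96
        "almighty_id": struct.unpack_from("<H", pkt, 9)[0],     # cb 08 -> 0x08CB
        "func_group_id": struct.unpack_from("<H", pkt, 11)[0],  # assumed: the u16 right after it
        "phase_timer_raw": pkt[61:65],                          # 15 09 b1 0a in the first capture
    }


def changed_offsets(a: bytes, b: bytes) -> list:
    """Offsets whose byte differs between two captures of the same packet type.
    Bytes that never change are constants or padding; bytes that do are candidate fields."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def float32_candidates(pkt: bytes, lo: float = 1e-3, hi: float = 1e5) -> list:
    """Every offset where 4 bytes decode as a finite little-endian float of
    'world-sized' magnitude. A heuristic only: it finds 00 00 80 3f (1.0f) at offset 41
    but also produces false positives, so compare the hits across captures."""
    hits = []
    for off in range(len(pkt) - 3):
        (v,) = struct.unpack_from("<f", pkt, off)
        if math.isfinite(v) and lo <= abs(v) <= hi:
            hits.append((off, v))
    return hits


if __name__ == "__main__":
    p1, p2 = parse_hexdump(CAPTURE_1), parse_hexdump(CAPTURE_2)
    for name, pkt in (("before maintenance", p1), ("after maintenance", p2)):
        f = parse_doodad_packet(pkt)
        print(f"{name}: opcode=0x{f['opcode']:04X} seq={f['sequence']} "
              f"object_id=0x{f['object_id']:08X} almighty_id={f['almighty_id']} "
              f"phase_timer={f['phase_timer_raw'].hex()}")
    print("changed offsets:", changed_offsets(p1, p2))
    print("float32 candidates (capture 1):", float32_candidates(p1))
```

Diffing the two captures byte by byte is the quickest way to separate constant bytes (padding, fixed flags) from the ones that vary per object; the count byte at offset 4 and the bytes around offset 41 are identical in both dumps, while the header, the ids and the bytes at 61-67 differ. The float scan is deliberately noisy, but 00 00 80 3f at offset 41 decodes to exactly 1.0f in both captures, which is the usual fingerprint of a float field; the post gives no meaning for it, so the script only reports it.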