PCAP and more

  1. #31
    Terah's Avatar Member
    I have Beta access this weekend so can give you some packet dumps.

    PM me if you need some.

  2. #32
    blar0's Avatar Active Member
    Depends... what tool did you use? Your own sniffer? Did you hook the AES Setkey to be able to decrypt the messages?

  3. #33
    Hfg's Avatar Member
    @Terah Everyone gets a beta invite for this weekend.

    @blar0 What's your current OP-Code progress? Did you make a nice documented list?

  4. #34
    blar0's Avatar Active Member
    Originally posted by Hfg: "@Terah Everyone gets a beta invite for this weekend"
    I don't

    Originally posted by Hfg: "@blar0 What's your current OP-Code progress? Did you make a nice documented list?"
    I finally understood how all the crypto works. I will post about it soon, maybe tomorrow.

  5. #35
    Hfg's Avatar Member
    Does anyone have an XML for invalid username/password?

    How can I read the data length from the client exactly? I tried your protocol description from the last posts, but I didn't find the real request length in the received bytes.
    Last edited by Hfg; 01-12-2014 at 08:03 AM.

  6. #36
    blar0's Avatar Active Member
    Originally posted by Hfg: "Does anyone have an XML for invalid username/password? How can I read the data length from the client exactly? I tried your protocol description in the last posts, but I didn't find the request length."

    Invalid username/password answer:

    Code:
    <?xml version="1.0"?>
    <zos_platform_response>
      <result_message>Access not allowed</result_message>
      <result_code>6009</result_code>
    </zos_platform_response>
    If the POST request succeeds, it will answer you:

    Code:
    <?xml version="1.0"?>
    <zos_platform_response>
      <response>
        <queue_eta_sec>20.931716923</queue_eta_sec>
        <uuid>XXXXXXXXX</uuid>
        <callback_interval_ms>2000</callback_interval_ms>
      </response>
      <result_code>2000</result_code>
      <result_message>Authentication Pending</result_message>
    </zos_platform_response>
    Then it will send a POST request to path "/login_queue/progress" and answer you:

    Code:
    <?xml version="1.0"?>
    <zos_platform_response>
      <response>
        <status>5</status>
        <state_data>
          <data>
            <reservation_result>
              <retry>False</retry>
              <uuid>XXXXXXXXX</uuid>
              <succeeded>True</succeeded>
              <realm_name>Live</realm_name>
              <connectPort>24503</connectPort>
              <connectAddress>198.20.200.24</connectAddress>
              <realm_id>4000</realm_id>
              <depot_id>False</depot_id>
            </reservation_result>
            <auth_result>
              <entitlements_mask>32</entitlements_mask>
              <realm_id>4000</realm_id>
              <user_id>XXXXXXXXX</user_id>
              <uuid>XXXXXXXXX</uuid>
              <access_flags>0</access_flags>
              <email>XXXXXXXXX</email>
              <language>en</language>
              <password/>
              <account_name>XXXXXXXXX</account_name>
            </auth_result>
          </data>
        </state_data>
      </response>
      <result_code>2000</result_code>
      <result_message>Reservation Successful</result_message>
    </zos_platform_response>
    The client will connect to IP 198.20.200.24 on port 24503 and send the following stuff:

    Code:
    [+] Send (198.20.200.24 : 24503) : 802 (0x00000322) bytes
    00000000  00 00 03 1E 00 01 00 01 00 00 03 16 2B 10 00 04  ............+...
    00000010  31 32 33 34 00 00 15 65 73 6F 2E 6C 69 76 65 2E  1234...eso.live.
    00000020  31 2E 30 2E 30 2E 37 30 39 37 31 37 00 00 00 00  1.0.0.709717....
    00000030  80 00 00 00 8B 78 9C 01 80 00 7F FF 94 16 27 7B  €...‹xœ.€..ÿ”.'{
    00000040  30 7D 21 E3 5E 9F 0D 9B D9 BE A0 6A 8E F0 3D E6  0}!ã^Ÿ.›Ù***jŽð=æ
    00000050  C5 F7 A3 DD 55 2F 72 F5 C6 26 49 DD 93 D2 50 DE  Å÷£ÝU/rõÆ&IÝ“ÒPÞ
    00000060  6E 2B 5F 7E 0E 9F 97 FA 78 FB 3F 6E 87 25 1C 0F  n+_~.Ÿ—úxû?n‡%..
    00000070  30 22 EB 7B B0 0E 28 B7 21 39 5D 39 C5 94 5C AA  0"ë{°.(·!9]9Å”\ª
    00000080  E8 37 02 76 65 E9 71 E7 4A 8B 05 9D 44 4A 80 18  è7.veéqçJ‹..DJ€.
    00000090  F3 0C 82 F4 2D D9 75 C7 8A 26 07 33 12 EB 58 88  ó.‚ô-ÙuÇŠ&.3.ëXˆ
    000000A0  91 EA 30 5E 14 5E 40 02 16 85 7B 0D 4E BC A2 3D  ‘ê0^.^@..…{.N¼¢=
    000000B0  2B A9 62 BF 80 20 F6 7E 5A 44 02 E4 7B 5E 3A AE  +©b¿€ ö~ZD.ä{^:®
    000000C0  00 00 00 80 00 00 00 8B 78 9C 01 80 00 7F FF 06  ...€...‹xœ.€..ÿ.
    000000D0  93 44 1A AE 83 0A 17 A8 71 3A DF 07 F5 0B 2E 4D  “D.®ƒ..¨q:ß.õ..M
    000000E0  53 65 00 55 80 22 3F 9B 2A 2D 22 29 AC 1E BC 8C  Se.U€"?›*-")¬.¼Œ
    000000F0  B6 F0 7B A6 6B 9C 39 61 3F 9D 61 48 A3 39 97 D6  ¶ð{¦kœ9a?.aH£9—Ö
    00000100  7C 9A 8D 8F C1 CE DF 1B AE 87 CD D6 56 00 1F 5C  |š..ÁÎß.®‡ÍÖV..\
    00000110  87 76 0D 7B 18 F7 2D DD DE EF C6 DA 89 C9 FE D5  ‡v.{.÷-ÝÞïÆÚ‰ÉþÕ
    00000120  44 80 B3 88 55 D4 BF AF 81 92 FD 8E 71 48 F5 60  D€³ˆUÔ¿¯.’ýŽqHõ`
    00000130  6C 05 59 45 31 AA F9 27 AE C1 1A 5F 2E 09 83 03  l.YE1ªù'®Á._..ƒ.
    00000140  F9 E9 29 DE 5F 16 7E 67 AF 77 DA 3B 0D 15 F0 78  ùé)Þ_.~g¯wÚ;..ðx
    00000150  5E 3C 86 00 00 00 80 00 00 00 8B 78 9C 01 80 00  ^<†...€...‹xœ.€.
    00000160  7F FF 7B DC 1E 64 28 24 9A 27 60 A1 60 E0 7D C5  .ÿ{Ü.d($š'`¡`à}Å
    00000170  65 A0 6E 4F 6A 14 A6 40 AF BA 6B 22 EE 04 56 C7  e*nOj.¦@¯ºk"î.VÇ
    00000180  45 AB 30 4F 64 36 00 7A 7C B9 E2 70 50 73 C7 5C  E«0Od6.z|¹âpPsÇ\
    00000190  56 3B 60 97 7A 14 B8 5A E1 62 E8 D7 54 A0 CF 6E  V;`—z.¸Zábè×T*Ïn
    000001A0  C4 E1 40 B9 D8 20 F3 28 5E 77 6A D7 7B 4A 7B 19  Äá@¹Ø ó(^wj×{J{.
    000001B0  FF F9 2F 68 30 30 AE 9C D1 2D A6 1B 5F 53 63 C2  ÿù/h00®œÑ-¦._ScÂ
    000001C0  22 0B 85 DA 81 DE E9 6C 31 E9 86 BC 7B FF 00 FE  ".…Ú.Þél1醼{ÿ.þ
    000001D0  C3 9E 64 FD F1 F4 64 63 C4 1D EF FD BD DA E4 E6  ÞdýñôdcÄ.ïý½Úäæ
    000001E0  A0 AA 6B D9 42 C9 01 A1 0E D8 00 00 00 80 00 00  *ªkÙBÉ.¡.Ø...€..
    000001F0  00 8B 78 9C 01 80 00 7F FF 3E 61 9A D9 F4 EB 45  .‹xœ.€..ÿ>ašÙôëE
    00000200  0A 03 64 9D 95 B5 D8 93 A3 74 BD 83 F3 9D 8C E6  ..d.•µØ“£t½ƒó.Œæ
    00000210  FB 8D 01 53 C1 D2 12 AA 56 CA F2 61 EF D1 40 0D  û..SÁÒ.ªVÊòaïÑ@.
    00000220  28 14 93 7E 39 74 1A FE C8 2C BA 1C 69 81 EA 36  (.“~9t.þÈ,º.i.ê6
    00000230  10 60 22 77 47 C1 9B 17 8A F9 36 58 81 27 13 5F  .`"wGÁ›.Šù6X.'._
    00000240  AB 55 36 0A 85 D2 46 44 7E 48 92 A0 06 D8 3D FA  «U6.…ÒFD~H’*.Ø=ú
    00000250  26 43 0A A5 7B F1 84 93 92 94 5F 3F 17 E8 E4 97  &C.¥{ñ„“’”_?.èä—
    00000260  CC CE 47 40 87 84 92 A7 5A BD B7 0B 0F 16 DE 2B  ÌÎG@‡„’§Z½·...Þ+
    00000270  DF EE 84 33 1F 4D 69 43 E6 0B AF 3D C7 0E 95 C7  ßî„3.MiCæ.¯=Ç.•Ç
    00000280  24 05 35 EA 23 00 00 00 00 00 00 00 80 00 00 00  $.5ê#.......€...
    00000290  8B 78 9C 01 80 00 7F FF 88 D3 72 8C 71 A3 6C 02  ‹xœ.€..ÿˆÓrŒq£l.
    000002A0  54 8D 63 16 5B 97 3A 55 00 CC 3F 07 D1 10 8B FE  T.c.[—:U.Ì?.Ñ.‹þ
    000002B0  C4 0B 9A 47 1C 3C 69 A3 47 7C 58 62 DF 77 9B C5  Ä.šG.<i£G|Xbßw›Å
    000002C0  F9 13 C2 BA E8 9A 17 3E D8 F3 C6 9D 2B 48 07 D4  ù.ºèš.>ØóÆ.+H.Ô
    000002D0  CE 6E AA 33 1C F2 0B 6F 48 55 A1 1C 4A FA F6 9E  Înª3.ò.oHU¡.Júöž
    000002E0  81 E2 83 D7 DE 32 47 70 64 AA D5 36 AD D9 62 F5  .âƒ×Þ2GpdªÕ6.Ùbõ
    000002F0  30 E5 72 C1 6A 67 10 4F FB 24 A5 C8 7F B1 55 97  0årÁjg.Oû$¥È.±U—
    00000300  57 3E 3A 3D 7B BF 99 CC 2A 89 BA 94 0E 63 E9 9B  W>:={¿™Ì*‰º”.cé›
    00000310  28 C5 47 94 D1 0D BD 71 7B B9 3F 37 04 00 02 65  (ÅG”Ñ.½q{¹?7...e
    00000320  6E 00                                            n.
    Last edited by blar0; 01-12-2014 at 08:54 AM.

  7. #37
    Hfg's Avatar Member
    If I respond with:

    <?xml version="1.0"?>
    <zos_platform_response>
      <result_message>Access not allowed</result_message>
      <result_code>6009</result_code>
    </zos_platform_response>

    on /login_queue/, I get the error 201. But I want the error message like "Your password or username are invalid!". I know that there is a message like this, but I don't know what I have to send to the client to display this message. Which HTTP header did you use to send the "Access not allowed" message? Is it HTTP/1.1 202 Accepted, too?

    And now to the content length:
    Which byte contains the content length? I thought it had to be: 03 1E. But this gives me the dec. value 330. But I need the value 802, because of the 802 bytes. Where is the context?
    Last edited by Hfg; 01-12-2014 at 08:44 AM.

  8. #38
    blar0's Avatar Active Member
    Yep, 202. I don't know the error code for this message.
    With HTTP headers:

    Content-type = "application/xml"
    User-Agent = "User-Agent: eso/1.0.0"

    You are working with a big-endian value:

    Code:
    >>> 0x31E
    798
    I don't see the problem: this value is the full size of the packet minus the DWORD for the size.

    In my example:

    Code:
    >>> 802 - 4
    798
    >>> hex(798)
    '0x31e'
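
The framing rule from this reply (a 4-byte big-endian length that does not count itself), written out as a stream splitter. This is an added example, not code from the thread: `split_frames`, `build_frame`, `FrameError` and the 1 MiB `MAX_FRAME` cap are assumptions, and the 802-byte packet is stood in for by a constructed zero-filled body behind its real `00 00 03 1E` prefix. The 14-byte initialisation packet is the one quoted later in this thread, which follows the same rule (0x0A = 14 - 4).

```python
import struct

MAX_FRAME = 1 << 20  # assumed sanity cap; the thread does not state a protocol limit


class FrameError(ValueError):
    """Raised when a declared length is implausible (desync or hostile peer)."""


def build_frame(body):
    # The prefix counts only the body, not its own 4 bytes.
    return struct.pack(">I", len(body)) + body


def split_frames(buf, max_frame=MAX_FRAME):
    """Split received TCP bytes into complete frame bodies.

    Returns (bodies, leftover). leftover is an incomplete trailing frame that
    must be prepended to the data from the next recv().
    """
    bodies = []
    offset = 0
    while len(buf) - offset >= 4:
        (length,) = struct.unpack_from(">I", buf, offset)
        if length > max_frame:
            # Never allocate or wait for a size just because the peer claimed it.
            raise FrameError("length %d at offset %d exceeds cap" % (length, offset))
        end = offset + 4 + length
        if end > len(buf):
            break  # body not fully received yet
        bodies.append(buf[offset + 4:end])
        offset = end
    return bodies, buf[offset:]


# Initialisation packet as posted in this thread (14 bytes on the wire).
INIT_PACKET = bytes([0x00, 0x00, 0x00, 0x0a, 0x01, 0x03, 0x00, 0x0a,
                     0x00, 0x01, 0x00, 0x01, 0x00, 0x00])

# Constructed sample: 798 zero bytes in place of the captured payload, so the
# frame is 802 bytes and carries the same 00 00 03 1E prefix as the dump.
LOGIN_SIZED = build_frame(bytes(798))


def demo():
    # Two complete frames followed by a frame cut off mid-body.
    stream = INIT_PACKET + LOGIN_SIZED + INIT_PACKET[:9]
    bodies, leftover = split_frames(stream)
    return [len(b) for b in bodies], len(LOGIN_SIZED), leftover


if __name__ == "__main__":
    print(demo())
```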

  9. #39
    Hfg's Avatar Member
    Thanks a lot. I was brain ****ed xD. I hope that maybe someone else got this login message for invalid username or password.

  10. #40
    blar0's Avatar Active Member
    Enjoy

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <zos_platform_response>
      <response>
        <status>3</status>
        <state_data>
          <data>
            <error>
              <http_code>406</http_code>
              <result_code>8000</result_code>
              <result_message>Invalid email/passwd</result_message>
            </error>
          </data>
        </state_data>
      </response>
      <result_code>2000</result_code>
      <result_message>Authentication Failed</result_message>
    </zos_platform_response>

  11. #41
    Hfg's Avatar Member
    Thanks

    But does this work for you? I tried it with HTTP code 202 and 406, but neither works. I got error 401...

  12. #42
    blar0's Avatar Active Member
    This one is "HTTP/1.1 200 OK" apparently.
    I didn't try it.

  13. #43
    Hfg's Avatar Member
    :/ It doesn't work. But this shouldn't be our main target.

  14. #44
    Hfg's Avatar Member
    A little information, by the way:

    If you send the initialisation code:
    char[] { 0x00, 0x00, 0x00, 0x0a, 0x01, 0x03, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00 };
    two times, you will be thrown back to the login screen...

  15. #45
    blar0's Avatar Active Member
    I think you didn't understand how the XML stuff works.
    It works well here:

    [Attached screenshot: login_failed_xml.png]

    Fake webserver listening on port 8000, Python script:

    Code:
    # Python 3 port: SimpleHTTPServer/SocketServer became http.server/socketserver.
    import http.server
    import socketserver

    PORT = 8000
    UUID = "1234"

    class ServerHandler(http.server.SimpleHTTPRequestHandler):
        def send_xml(self, status, content_type, body):
            # Encode once so Content-length counts the bytes actually written.
            data = body.encode("utf-8")
            self.send_response(status)
            self.send_header("Content-type", content_type)
            self.send_header("Content-length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_GET(self):
            # Any GET returns the banner document.
            BANNER_RESPONSE = '''<?xml version="1.0" encoding="utf-8"?>
                                 <zos_platform_response>
                                     <response>
                                         <message>Hello owned-core.com !!!</message>
                                     </response>
                                     <result_code>2000</result_code>
                                     <result_message>success</result_message>
                                 </zos_platform_response>'''
            self.send_xml(200, "application/x-www-form-urlencoded", BANNER_RESPONSE)

        def do_POST(self):
            # Match on the request path itself. translate_path() prepends the
            # server's working directory, which may itself contain "auth" or "progress".
            path = self.path
            if "auth" in path:
                # First step: the login is accepted into the queue (HTTP 202).
                AUTH_RESPONSE = '''<?xml version='1.0' encoding='utf-8'?>
                                   <zos_platform_response>
                                       <response>
                                           <queue_eta_sec>20.912726923</queue_eta_sec>
                                           <uuid>''' + UUID + '''</uuid>
                                           <callback_interval_ms>2000</callback_interval_ms>
                                       </response>
                                       <result_code>2000</result_code>
                                       <result_message>Authentication Pending</result_message>
                                   </zos_platform_response>'''
                self.send_xml(202, "application/xml", AUTH_RESPONSE)
            elif "progress" in path:
                # Second step: the queue poll reports the failed login (HTTP 200).
                PROGRESS_RESPONSE = '''<?xml version="1.0" encoding="utf-8"?>
                                       <zos_platform_response>
                                           <response>
                                               <status>3</status>
                                               <state_data>
                                                   <data>
                                                       <error>
                                                           <http_code>406</http_code>
                                                           <result_code>8000</result_code>
                                                           <result_message>Invalid email/passwd</result_message>
                                                       </error>
                                                   </data>
                                               </state_data>
                                           </response>
                                           <result_code>2000</result_code>
                                           <result_message>Authentication Failed</result_message>
                                       </zos_platform_response>'''
                self.send_xml(200, "application/xml", PROGRESS_RESPONSE)
            else:
                # Unknown POST path: answer explicitly instead of sending nothing.
                self.send_error(404)

    Handler = ServerHandler
    # An empty host string listens on all interfaces.
    httpd = socketserver.TCPServer(("", PORT), Handler)
    httpd.serve_forever()
