Let's assume we have made a connection to IP address 127.0.0.1 : 4242 and all the key exchange is done; we continue the adventure in the packet analysis.
Some definitions to understand:
Code:
// DWORD and WORD are the Win32 typedefs (32-bit / 16-bit unsigned).
typedef struct
{
    DWORD full_size;
    WORD  version_NS;   // _NS suffix: presumably network (big-endian) byte order
    WORD  streamID_NS;
    DWORD data_size;    // size of the data that follows the header
} HEADER_CLIENT;
and <SIZE_PAQUET> is the first big-endian DWORD received by the client.
Don't forget that the first byte in the encrypted data is useless!
Code:
Client send (127.0.0.1 : 4242, encrypted = FALSE):
<HEADER_CLIENT>
opcode : 0x2B0A
data :
BYTE : start crypt ?
This packet asks the server to start encrypted communication on the socket related to 127.0.0.1 : 4242.
Client receive (127.0.0.1 : 4242, encrypted = TRUE):
<SIZE_PAQUET>
opcode : 0x2B07
data :
INTEGER : unk
INTEGER : unk
INTEGER : unk
INTEGER : unk
INTEGER : unk
INTEGER : unk
INTEGER : unk
INTEGER : unk
INTEGER : unk
INTEGER : unk
Client receive (127.0.0.1 : 4242, encrypted = TRUE):
<SIZE_PAQUET>
opcode : 0x02B12
data :
TESO_Buffer : IP_Address
QWORD : unknown
QWORD : unknown
WORD : IP_Port
Client will connect to IP_Address:IP_Port (in the example let's assume: 127.0.0.1:6667).
Client send (127.0.0.1 : 6667, encrypted = FALSE):
<HEADER_CLIENT>
opcode : 0x0110
data :
WORD : opcode = 0x0110
TESO_BUFFER : UserID
TESO_BUFFER : Language
DWORD : Lobby Protocol ?
ZLIB_BUFFER : PUBLIC KEY
BYTE : unk
DWORD : unk
DWORD : unk
ZLIB_BUFFER : PUBLIC KEY
ZLIB_BUFFER : PUBLIC KEY
ZLIB_BUFFER : PUBLIC KEY
ZLIB_BUFFER : PUBLIC KEY
DWORD : Region Protocol ?
TESO_BUFFER : Version
TESO_BUFFER : UUID
Because we made a new connection, they redo the same handshake as explained in the other thread, so two new AES keys are set up.
Code:
Client receive (127.0.0.1 : 6667, encrypted = FALSE):
<SIZE_PAQUET>
opcode : 0x0113
data:
DWORD : unk
Client receive (127.0.0.1 : 6667, encrypted = FALSE):
<SIZE_PAQUET>
opcode : 0x010B
data:
BYTE : unk
ZLIB_BUFFER : Key1_public_server
ZLIB_BUFFER : Key3_public_server
ZLIB_BUFFER : IV; // length of IV must be equal to 0x10
ZLIB_BUFFER : Key4_public_server
ZLIB_BUFFER : Key2_public_server
Client send (127.0.0.1 : 6667, encrypted = FALSE):
<HEADER_CLIENT>
opcode : 0x010A
data:
BYTE : start crypt ?
Client receive (127.0.0.1 : 6667, encrypted = TRUE):
<SIZE_PAQUET>
opcode : 0x0103
data:
QWORD : unk
Client send (127.0.0.1 : 6667, encrypted = TRUE):
<HEADER_CLIENT>
opcode : 0x011A
data :
<none>
Client receive (127.0.0.1 : 6667, encrypted = TRUE):
<SIZE_PAQUET>
opcode : 0x0115
data :
QWORD : unk
BYTE : unk
QWORD : unk
BYTE : unk
BYTE : nb something
For the moment most of these values are unknown, but that is just a start.
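To make the framing above concrete, here is an added example (my own code, not from the original post or the game client) of a defensive parser for the two frame shapes described: client frames carrying HEADER_CLIENT, and server frames prefixed by the big-endian SIZE_PAQUET DWORD. It works on plaintext, i.e. after any AES decryption has already been done, and drops the useless first byte of encrypted payloads. Assumptions not in the post are labelled in the code: the HEADER_CLIENT fields and the opcode WORD are read big-endian (the _NS suffix is taken to mean network order), INTEGER is a 4-byte signed value, and the MAX_FRAME limit and the build_* helpers are constructed for the example. The point for a defender is the checks: every declared size is validated against the bytes actually present before anything is sliced, and a partial frame is carried over instead of being treated as an error.

```python
"""Defensive framing parser for the packet layouts described in the post (added example)."""
import struct

# Constructed sanity limit: reject frames claiming absurd sizes before touching them.
MAX_FRAME = 1 << 20

# HEADER_CLIENT as in the post's typedef: DWORD full_size, WORD version_NS,
# WORD streamID_NS, DWORD data_size. Big-endian is an assumption (the _NS suffix).
HEADER_FMT = ">IHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


class FrameError(ValueError):
    """Raised for any frame that does not fit the layout described in the post."""


def parse_header_client(buf: bytes) -> dict:
    """Parse one client->server frame: HEADER_CLIENT followed by data_size bytes."""
    if len(buf) < HEADER_LEN:
        raise FrameError("truncated HEADER_CLIENT")
    full_size, version, stream_id, data_size = struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    if full_size > MAX_FRAME or data_size > MAX_FRAME:
        raise FrameError("declared size exceeds sanity limit")
    # Never trust data_size on its own: check it against what was actually received.
    if data_size > len(buf) - HEADER_LEN:
        raise FrameError("data_size larger than bytes actually received")
    return {"full_size": full_size, "version": version, "stream_id": stream_id,
            "data": buf[HEADER_LEN:HEADER_LEN + data_size]}


def split_server_frames(stream: bytes):
    """Split server->client bytes on the leading big-endian DWORD (SIZE_PAQUET).
    Returns (frames, leftover); an incomplete trailing frame is kept for the next read."""
    frames = []
    pos = 0
    while len(stream) - pos >= 4:
        size = struct.unpack(">I", stream[pos:pos + 4])[0]
        if size > MAX_FRAME:
            raise FrameError("SIZE_PAQUET exceeds sanity limit")
        if len(stream) - pos - 4 < size:
            break                       # partial frame: wait for more bytes
        frames.append(stream[pos + 4:pos + 4 + size])
        pos += 4 + size
    return frames, stream[pos:]


def decode_payload(payload: bytes, encrypted: bool) -> tuple:
    """Return (opcode, data) from a decrypted payload. For encrypted frames the
    first byte is discarded, as the post notes. Opcode assumed big-endian WORD."""
    if encrypted:
        if not payload:
            raise FrameError("encrypted frame without the leading byte")
        payload = payload[1:]
    if len(payload) < 2:
        raise FrameError("no room for opcode")
    opcode = struct.unpack(">H", payload[:2])[0]
    return opcode, payload[2:]


def decode_0x2B07(data: bytes) -> list:
    """Opcode 0x2B07 carries ten INTEGERs (assumed 4-byte big-endian signed)."""
    if len(data) != 40:
        raise FrameError("0x2B07 expects exactly ten INTEGERs")
    return list(struct.unpack(">10i", data))


# Constructed helpers so the parser can be exercised offline; not part of the protocol.
def build_server_frame(opcode: int, data: bytes, encrypted: bool) -> bytes:
    body = (b"\x00" if encrypted else b"") + struct.pack(">H", opcode) + data
    return struct.pack(">I", len(body)) + body


def build_header_client(version: int, stream_id: int, data: bytes) -> bytes:
    return struct.pack(HEADER_FMT, HEADER_LEN + len(data), version, stream_id, len(data)) + data


if __name__ == "__main__":
    sample = build_server_frame(0x2B07, b"".join(i.to_bytes(4, "big") for i in range(10)), True)
    frames, rest = split_server_frames(sample + b"\x00\x00\x00\x05\x01")
    op, data = decode_payload(frames[0], True)
    print(hex(op), decode_0x2B07(data), "leftover bytes:", len(rest))
```

The same skeleton extends naturally to the other opcodes in the post once the TESO_Buffer and ZLIB_BUFFER encodings are pinned down; each decoder should, like decode_0x2B07, refuse a payload whose length does not match the documented layout rather than silently reading past it.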