PCAP and more

Results 46 to 51 of 51
  1. #46 Hfg (Member)
    Thanks, now it works.

    On my first try I put the code into the auth. Now I have it in progress and it works.

    I don't get why you can send a UUID... I thought the UUID is a unique user ID. But okay, it still works...

  2. #47 blar0 (Active Member)
    When you send a POST request to "/login_queue/auth",
    on the server side it will generate (I guess) a UUID, derived from your email address / UserID, timestamp, and maybe other stuff; it's like a session_id on a classic website.
    The length without "-" is 32 bytes, maybe the MD5 of what I said before. I don't know.

  3. #48 races (Corporal)
    Originally Posted by blar0
    Haha! <3 the announcements message

  4. #49 Hfg (Member)
    @races This is the easiest step :P

    @blar0 Ok, this makes sense.

    Now we need these opcodes and parameters.^^
    Is there another way than decompiling the client? I tried with Wireshark, but I have no idea about the parameters.

  5. #50 blar0 (Active Member)
    Originally Posted by Hfg
    @races This is the easiest step :P

    @blar0 Ok, this makes sense.

    Now we need these opcodes and parameters.^^
    Is there another way than decompiling the client? I tried with Wireshark, but I have no idea about the parameters.
    You should start by reading this post: http://www.ownedcore.com/forums/mmo/...ypt-stuff.html. The only way I know is using IDA, finding the vtable for each opcode, or using my IDA Python script from page 1 or 2 of this thread, analysing each opcode method to "serialize" / "deserialize" the request, and playing with them.
    Wireshark is totally useless, because after the handshake and the setkey, without knowing the AES key and IV, you won't be able to decrypt the stuff.
    Hook the binary! That's the only solution.

  6. #51 blar0 (Active Member)
    Let's assume we have made a connection to IP address 127.0.0.1:4242 and all the key exchange is done; we continue the adventure in the packet analysis.
    Some definitions to understand:

    Code:
    typedef struct
    {
      DWORD		full_size;
      WORD     	version_NS;
      WORD		streamID_NS;
      DWORD		data_size;
    } HEADER_CLIENT;
    and <SIZE_PAQUET> is the first Big-Endian dword received by the client.
    Don't forget that the first byte in the encrypted data is useless!

    Code:
    Client send (127.0.0.1 : 4242, encrypted = FALSE):
    
    <HEADER_CLIENT>
    opcode 	: 0x2B0A
    data 	: 
    	BYTE	:	start crypt ?
    
    This packet asks the server to start encrypted communication on the socket related to 127.0.0.1 : 4242.
    
    Client receive (127.0.0.1 : 4242, encrypted = TRUE):
    
    <SIZE_PAQUET>
    opcode 	: 0x2B07
    data   	: 
    	INTEGER	:	unk
    	INTEGER	:	unk
    	INTEGER	:	unk
    	INTEGER	:	unk
    	INTEGER	:	unk
    	INTEGER	:	unk
    	INTEGER	:	unk
    	INTEGER	:	unk
    	INTEGER	:	unk
    	INTEGER	:	unk
    
    Client receive (127.0.0.1 : 4242, encrypted = TRUE):
    
    <SIZE_PAQUET>
    opcode 	: 0x02B12
    data	: 
    	TESO_Buffer 	: IP_Address
    	QWORD			: unknown
    	QWORD			: unknown
    	WORD			: IP_Port
    			
    Client will connect to IP_Address:IP_Port (in the example let's assume: 127.0.0.1:6667).
    
    Client send (127.0.0.1 : 6667, encrypted = FALSE):
    
    <HEADER_CLIENT>
    opcode	: 0x0110
    data	:
    	WORD		:	opcode = 0x0110
    	TESO_BUFFER :	UserID
    	TESO_BUFFER	:	Language
    	DWORD		:	Lobby Protocol ?
    	ZLIB_BUFFER	:	PUBLIC KEY
    	BYTE		:	unk
    	DWORD		:	unk
    	DWORD		:	unk
    	ZLIB_BUFFER	:	PUBLIC KEY
    	ZLIB_BUFFER	:	PUBLIC KEY
    	ZLIB_BUFFER	:	PUBLIC KEY
    	ZLIB_BUFFER	:	PUBLIC KEY
    	DWORD		:	Region Protocol ?
    	TESO_BUFFER	:	Version
    	TESO_BUFFER	:	UUID
    Because we made a new connection, they redo the same handshake as explained in the other thread, so two new AES keys are set up.

    Code:
    Client receive (127.0.0.1 : 6667, encrypted = FALSE):
    
    <SIZE_PAQUET>
    opcode	:	0x0113
    data:
    	DWORD	:	unk
    	
    Client receive (127.0.0.1 : 6667, encrypted = FALSE):
    
    <SIZE_PAQUET>
    opcode	:	0x010B
    data:
        BYTE		:	unk
        ZLIB_BUFFER	: 	Key1_public_server
        ZLIB_BUFFER	: 	Key3_public_server
        ZLIB_BUFFER : 	IV;				  // length of IV must be equal to 0x10
        ZLIB_BUFFER : 	Key4_public_server
        ZLIB_BUFFER : 	Key2_public_server
    	
    Client send (127.0.0.1 : 6667, encrypted = FALSE):
    
    <HEADER_CLIENT>
    opcode	:	0x010A
    data:
    	BYTE	:	start crypt ?
    	
    Client receive (127.0.0.1 : 6667, encrypted = TRUE):
    
    <SIZE_PAQUET>
    opcode :	0x0103
    data:
    	QWORD		: unk
    
    Client send (127.0.0.1 : 6667, encrypted = TRUE):
    
    <HEADER_CLIENT>
    opcode	:	0x011A
    data	:	
    	<none>
    
    Client receive (127.0.0.1 : 6667, encrypted = TRUE):
    
    <SIZE_PAQUET>
    opcode	:	0x0115
    data	:
    	QWORD	:	unk
    	BYTE	:	unk
    	QWORD	:	unk
    	BYTE	:	unk
    	BYTE	:	nb something
    For the moment most of those values are unknown, but that is just a start.
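As an added example (editor's code, not part of blar0's post and not taken from any client or server), here is a small Python parser for the two framings described above: the 12-byte HEADER_CLIENT on client-to-server frames and the <SIZE_PAQUET> big-endian DWORD prefix on server-to-client frames. It assumes big-endian for every header field (the post only states that <SIZE_PAQUET> is big-endian; the "_NS" suffix on the two WORDs suggests network order), that full_size counts the whole frame including the header, and that the opcode is the first WORD of the data. The function names and sample bytes are constructed for the example. The point worth taking from it is the cross-check between full_size and data_size and the handling of a truncated read: a frame parser that trusts one length field and never verifies it against the bytes actually present is exactly the kind of code that desynchronises or over-allocates on a single malformed packet.

```python
import struct
from dataclasses import dataclass

# HEADER_CLIENT from the post: DWORD full_size, WORD version_NS, WORD streamID_NS, DWORD data_size.
# Byte order is an assumption: the post only says <SIZE_PAQUET> is big-endian; the "_NS"
# suffix suggests network order for the shorts, so the whole header is read big-endian here.
HEADER_CLIENT_FMT = ">IHHI"
HEADER_CLIENT_LEN = struct.calcsize(HEADER_CLIENT_FMT)  # 12 bytes


class FramingError(ValueError):
    """Raised when a frame's length fields disagree with the bytes actually present."""


@dataclass(frozen=True)
class ClientHeader:
    full_size: int
    version: int
    stream_id: int
    data_size: int


def parse_client_header(buf: bytes) -> ClientHeader:
    """Decode HEADER_CLIENT and cross-check its two length fields.

    Assumption: full_size counts the whole frame (header + data). Rejecting
    inconsistent lengths here keeps a malformed frame from desynchronising the stream.
    """
    if len(buf) < HEADER_CLIENT_LEN:
        raise FramingError(f"need {HEADER_CLIENT_LEN} header bytes, got {len(buf)}")
    full_size, version, stream_id, data_size = struct.unpack_from(HEADER_CLIENT_FMT, buf, 0)
    if full_size != HEADER_CLIENT_LEN + data_size:
        raise FramingError(f"full_size {full_size} != header + data_size {HEADER_CLIENT_LEN + data_size}")
    return ClientHeader(full_size, version, stream_id, data_size)


def split_client_frame(buf: bytes):
    """Return (header, data, leftover) for the first complete client frame in buf."""
    hdr = parse_client_header(buf)
    if len(buf) < hdr.full_size:
        raise FramingError(f"frame truncated: have {len(buf)} of {hdr.full_size} bytes")
    return hdr, buf[HEADER_CLIENT_LEN:hdr.full_size], buf[hdr.full_size:]


def build_client_frame(version: int, stream_id: int, data: bytes) -> bytes:
    """Inverse of split_client_frame; used here only to construct sample frames."""
    return struct.pack(HEADER_CLIENT_FMT, HEADER_CLIENT_LEN + len(data), version, stream_id, len(data)) + data


def parse_opcode(data: bytes):
    """Split frame data into (opcode, body). Assumption: the opcode is a big-endian WORD at offset 0."""
    if len(data) < 2:
        raise FramingError("data too short for an opcode")
    (opcode,) = struct.unpack_from(">H", data, 0)
    return opcode, data[2:]


def split_server_frames(stream: bytes):
    """Cut server-to-client bytes into payloads using the <SIZE_PAQUET> big-endian DWORD prefix.

    Returns (payloads, leftover). An incomplete trailing frame is left in leftover so the
    caller can append the next socket read and call again.
    """
    payloads, pos = [], 0
    while len(stream) - pos >= 4:
        (size,) = struct.unpack_from(">I", stream, pos)
        if len(stream) - pos - 4 < size:
            break
        payloads.append(stream[pos + 4:pos + 4 + size])
        pos += 4 + size
    return payloads, stream[pos:]


def decrypted_payload(plaintext: bytes) -> bytes:
    """Per the post, the first byte of decrypted data is meaningless; drop it."""
    return plaintext[1:]


if __name__ == "__main__":
    # Constructed sample: the 0x2B0A "start crypt?" request (opcode WORD + one BYTE), version 1, stream 7.
    frame = build_client_frame(1, 7, b"\x2b\x0a\x01")
    hdr, data, rest = split_client_frame(frame)
    opcode, body = parse_opcode(data)
    print(hdr, hex(opcode), body, rest)
    # Constructed server stream: one complete 2-byte frame followed by an incomplete 3-byte one.
    print(split_server_frames(b"\x00\x00\x00\x02ab\x00\x00\x00\x03cd"))
```

split_server_frames is written to be called repeatedly on a growing buffer, returning whatever is complete and handing the tail back; that is the shape you want for a TCP stream where a recv() can stop in the middle of a frame.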
