Hi,
I'm looking for some saved pcap from the game!
And if you have more info about the login process: I can't figure out how to craft the XML answer.
After solving my problem with the XML answer, I can start to remove their obfuscation from the binary to understand the REAL communication between a client and a server.
I have cut the first packet sent to a server:
Code:
SIZE_DATA_WITH_HEADER [DWORD]
OPCODE                [WORD]
UNK_WORD_01           [WORD]
SIZE_DATA             [DWORD]
UNK_WORD_02           [WORD]
Login                 [Word (SizeBuffer) : Buffer]
GameVersion           [Word (SizeBuffer) : Buffer]
DATA_01               [DWORD (SizeBuffer) : DWORD (TYPE) : Buffer]
DATA_02               [DWORD (SizeBuffer) : DWORD (TYPE) : Buffer]
DATA_03               [DWORD (SizeBuffer) : DWORD (TYPE) : Buffer]
INT_01                [DWORD]
DATA_04               [DWORD (SizeBuffer) : DWORD (TYPE) : Buffer]
INT_02                [DWORD]
INT_03                [DWORD]
INT_04                [DWORD]
DATA_05               [DWORD (SizeBuffer) : DWORD (TYPE) : Buffer]
BYTE_01               [BYTE]
LANGUAGE_BUFFER       [Word (SizeBuffer) : Buffer ('en', 'fr', 'de', more?)]
In some of the DATA_XX there is a Diffie-Hellman key exchange. Is anyone else working on this stuff in here?
Oh, and by the way, if some people are interested, here is a link to the unpacked binary from the 1.0.0.707462 build.
Last edited by blar0; 01-04-2014 at 01:49 PM.
For the XML stuff, if you want to try to write your own server or try to reverse the binary:
Edit the file "Platforms.xml" and change login_service_url and realm_service_url to the desired IP.
When you receive a POST request on /login_queue/auth, answer with the following response:
Code:
<zos_platform_response>
  <response>
    <uuid>1234</uuid>
    <callback_interval_ms>100</callback_interval_ms>
    <queue_eta_sec>5</queue_eta_sec>
  </response>
</zos_platform_response>
Then you will receive a POST request on /login_queue/progress; answer with the following response:
Code:
<zos_platform_response>
  <response>
    <status>5</status>
    <uuid>1234</uuid>
    <callback_interval_ms>100</callback_interval_ms>
    <queue_eta_sec>5</queue_eta_sec>
    <state_data>
      <data>
        <auth_result>
          <email>[email protected]</email>
          <account_name>T</account_name>
          <user_id>1234</user_id>
          <uuid>1234</uuid>
          <access_flags>1</access_flags>
          <entitlements_mask>1</entitlements_mask>
        </auth_result>
        <reservation_result>
          <connectAddress>192.168.1.42</connectAddress>
          <connectPort>4242</connectPort>
          <realm_name>blar0 realm</realm_name>
          <realm_id>4</realm_id>
          <depot_id>4000</depot_id>
        </reservation_result>
      </data>
    </state_data>
  </response>
</zos_platform_response>
It will then try to connect on IP 192.168.1.42, port 4242, and send a packet like the one described in the post before.
File-Upload.net - Webserver.zip
(The small download button.) Source code only (C#); the XML responses are hardcoded, no logic. You'll get to the point where the first TCP packet has been sent. I can't take it further, because I have no packet log.
Have fun!
pw: ownedcore.com
You'll have to change the address inside Platforms.xml to http://localhost:8080
Last edited by Esoserv; 01-04-2014 at 12:56 PM.
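The login-queue exchange from the post above, as an added Python stub (this is not Esoserv's C# server and not the game's code). The two XML bodies are the ones posted; the function names (route, progress_xml, reservation, queue_ticket), the 405/404 handling for anything else, the text/xml content type and the placeholder e-mail are assumptions of this example. Run it, point Platforms.xml at http://localhost:8080 as described, and the client should proceed to the TCP connect on the address in reservation_result.

```python
# Added example: minimal login-queue stub. Assumed: route()/progress_xml()/reservation()/
# queue_ticket() names, 405/404 for other requests, the placeholder e-mail, text/xml.
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.etree import ElementTree as ET

# Reply for POST /login_queue/auth, as posted: a queue ticket, no realm yet.
AUTH_XML = (
    "<zos_platform_response><response>"
    "<uuid>1234</uuid><callback_interval_ms>100</callback_interval_ms>"
    "<queue_eta_sec>5</queue_eta_sec>"
    "</response></zos_platform_response>"
)


def progress_xml(connect_address, connect_port, *, uuid="1234", status=5,
                 realm_name="blar0 realm", realm_id=4, depot_id=4000,
                 email="test@example.com", account_name="T", user_id=1234):
    """Reply for POST /login_queue/progress. status 5 plus a reservation_result is what
    sends the client to the TCP server. Built with ElementTree so values are escaped."""
    root = ET.Element("zos_platform_response")
    resp = ET.SubElement(root, "response")
    for tag, val in [("status", status), ("uuid", uuid),
                     ("callback_interval_ms", 100), ("queue_eta_sec", 5)]:
        ET.SubElement(resp, tag).text = str(val)
    data = ET.SubElement(ET.SubElement(resp, "state_data"), "data")
    auth = ET.SubElement(data, "auth_result")
    for tag, val in [("email", email), ("account_name", account_name), ("user_id", user_id),
                     ("uuid", uuid), ("access_flags", 1), ("entitlements_mask", 1)]:
        ET.SubElement(auth, tag).text = str(val)
    res = ET.SubElement(data, "reservation_result")
    for tag, val in [("connectAddress", connect_address), ("connectPort", connect_port),
                     ("realm_name", realm_name), ("realm_id", realm_id), ("depot_id", depot_id)]:
        ET.SubElement(res, tag).text = str(val)
    return ET.tostring(root, encoding="unicode")


def route(method, path, connect_address="192.168.1.42", connect_port=4242):
    """(status, body) for one request; only the two login-queue endpoints exist (assumed)."""
    if method != "POST":
        return 405, ""
    if path == "/login_queue/auth":
        return 200, AUTH_XML
    if path == "/login_queue/progress":
        return 200, progress_xml(connect_address, connect_port)
    return 404, ""


def queue_ticket(xml_text):
    """What the client reads from the auth reply: (uuid, callback_interval_ms, queue_eta_sec)."""
    r = ET.fromstring(xml_text).find("response")
    return (r.findtext("uuid"), int(r.findtext("callback_interval_ms")),
            int(r.findtext("queue_eta_sec")))


def reservation(xml_text):
    """What the client reads from the progress reply: (connectAddress, connectPort), or None."""
    res = ET.fromstring(xml_text).find("./response/state_data/data/reservation_result")
    if res is None:
        return None
    return res.findtext("connectAddress"), int(res.findtext("connectPort"))


class LoginQueueHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain the form body
        status, body = route("POST", self.path)
        payload = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080  # the localhost:8080 Platforms.xml edit
    print(f"login-queue stub listening on http://localhost:{port}")
    HTTPServer(("127.0.0.1", port), LoginQueueHandler).serve_forever()
```

The reservation address in route() is the 192.168.1.42:4242 from the post; change it to wherever your TCP listener sits.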
By the way, which unpacker is needed for the exe?
Python script: Private Paste - Pastie
I don't know which packer is used; just use the trick with a HBP on ESP to get around the call to security_init_cookie and the jmp mainCRTStartup, then dump the exe without fixing the raw size and offset.
UNK_BUFFER [Word (SizeBuffer) : Buffer]
I think this is the language: en, fr, de?
True! I will edit the post.
I was wrong about the client send/receive packet; it looks like this:
First, send the size of the packet in big-endian.
Then send all the data.
Example with the first packet sent by the client:
The first packet size equals 4, and the second packet's data size equals 0x31E (798).
Code:
[+] len(buf) = 4 (4)
0000  00 00 03 1e                                      ....
Second packet:
Code:
[+] len(buf) = 798 (0000031E)
0000  00 01 00 01 00 00 03 16 2b 10 00 04 31 32 33 34  ........+...1234
0010  00 00 15 65 73 6f 2e 6c 69 76 65 2e 31 2e 30 2e  ...eso.live.1.0.
...
...
0300  42 a6 c2 3d 13 e3 3d e2 78 d6 cd b1 53 c5 34 47  B..=..=.x...S.4G
0310  f8 a1 98 2f f8 a0 40 f4 04 00 02 65 6e 00        .../..@....en.
This should be the exact header:
Code:
+0x00 : WORD  (Opcode)
+0x02 : WORD  (Unknown)
+0x04 : DWORD (Size DATA - 8)
Last edited by blar0; 01-04-2014 at 01:47 PM.
Thanks for sharing, Esoserv & blar0!
If, after the first packet, you respond with:
Code:
-- packet 1
SIZE_DATA_WITH_HEADER [DWORD : 0x0A (10)]
-- packet 2
OPCODE                [WORD  : 0x103 (259)]
UNK_QWORD             [QWORD : whatever]
you will be able to init the connection and see this screen: https://i.imgur.com/TUWOelx.png
It's a bit useless... but where did you find the function that handles the opcode?
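Putting the thread's pieces together as an added Python example (not code from the thread or from the game): the 4-byte big-endian size prefix, the 8-byte header (WORD opcode, WORD unknown, DWORD size = total - 8), the field layout blar0 listed for the first client packet, and the 0x103 reply that gets the client past it. Only the framing, the header and the opcode/UNK_WORD values 0x0001/0x0001/0x2B10 are taken from the posted hex dump; the byte order of the DWORDs inside DATA_XX, the field contents in SAMPLE and every function name here are assumptions of this example.

```python
# Added example: build/parse the framed first client packet and the server's
# 0x103 reply. Assumed: big-endian DWORDs inside DATA_XX, all SAMPLE contents,
# the function names. Header, framing and opcodes come from the thread's dumps.
import struct

OPCODE_LOGIN = 0x0001  # first WORD of the 798-byte packet in the dump
OPCODE_ACK = 0x0103    # reply opcode from the thread (0x103 = 259)


def frame(payload: bytes) -> bytes:
    """Wire framing from the thread: 4-byte big-endian size, then the data."""
    return struct.pack(">I", len(payload)) + payload


def unframe(stream: bytes) -> tuple[bytes, bytes]:
    """Split one framed message off a stream; returns (payload, remaining bytes)."""
    if len(stream) < 4:
        raise ValueError("need a 4-byte size prefix")
    (size,) = struct.unpack(">I", stream[:4])
    if len(stream) - 4 < size:
        raise ValueError(f"truncated: size says {size}, have {len(stream) - 4}")
    return stream[4:4 + size], stream[4 + size:]


def word_buf(b: bytes) -> bytes:
    """[Word (SizeBuffer) : Buffer] - Login, GameVersion, LANGUAGE_BUFFER."""
    return struct.pack(">H", len(b)) + b


def data_buf(type_id: int, b: bytes) -> bytes:
    """[DWORD (SizeBuffer) : DWORD (TYPE) : Buffer] - DATA_XX (big-endian DWORDs assumed)."""
    return struct.pack(">II", len(b), type_id) + b


class Reader:
    """Cursor over a payload; every read is bounds-checked so a bad size can't over-read."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError(f"need {n} bytes at offset {self.pos}, {len(self.buf) - self.pos} left")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def word_buf(self): return self.take(self.u16())
    def data_buf(self):
        size, type_id = self.u32(), self.u32()
        return type_id, self.take(size)


def build_login(f: dict) -> bytes:
    """Body in the order blar0 listed, then the header in front of it."""
    d, i = f["data"], f["ints"]  # five (type, bytes) pairs DATA_01..05, INT_01..04
    body = struct.pack(">H", f["unk_word_02"]) + word_buf(f["login"]) + word_buf(f["version"])
    body += data_buf(*d[0]) + data_buf(*d[1]) + data_buf(*d[2]) + struct.pack(">I", i[0])
    body += data_buf(*d[3]) + struct.pack(">III", i[1], i[2], i[3]) + data_buf(*d[4])
    body += struct.pack(">B", f["byte_01"]) + word_buf(f["language"])
    # header: WORD opcode, WORD unknown, DWORD = size of everything after the header (total - 8)
    return struct.pack(">HHI", OPCODE_LOGIN, f["unk_word_01"], len(body)) + body


def parse_login(payload: bytes) -> dict:
    r = Reader(payload)
    opcode, unk_word_01, size = r.u16(), r.u16(), r.u32()
    if size != len(payload) - 8:
        raise ValueError(f"size field {size} != len - 8 ({len(payload) - 8})")
    f = {"opcode": opcode, "unk_word_01": unk_word_01, "unk_word_02": r.u16()}
    f["login"], f["version"] = r.word_buf(), r.word_buf()
    data = [r.data_buf(), r.data_buf(), r.data_buf()]
    ints = [r.u32()]
    data.append(r.data_buf())
    ints += [r.u32(), r.u32(), r.u32()]
    data.append(r.data_buf())
    f["byte_01"], f["language"] = r.u8(), r.word_buf()
    if r.pos != len(payload):
        raise ValueError(f"{len(payload) - r.pos} trailing bytes")
    f["data"], f["ints"] = data, ints
    return f


def build_ack(unk_qword: int = 0) -> bytes:
    """Server reply from the thread: WORD 0x103 + a QWORD, framed (size 0x0A)."""
    return frame(struct.pack(">HQ", OPCODE_ACK, unk_qword))


# Constructed sample; the real DATA_XX carry Diffie-Hellman material, these are filler bytes.
SAMPLE = {
    "unk_word_01": 0x0001, "unk_word_02": 0x2B10,          # from the dump's first bytes
    "login": b"1234", "version": b"eso.live.1.0.0.707462",  # constructed
    "data": [(1, b"\x01" * 16), (2, b"\x02" * 32), (3, b"\x03" * 8), (4, b"\x04" * 64), (5, b"\x05" * 4)],
    "ints": [10, 20, 30, 40], "byte_01": 1, "language": b"en",
}


def roundtrip(fields=SAMPLE):
    """Frame a built packet, unframe it, parse it back: (wire bytes, parsed fields, leftover)."""
    wire = frame(build_login(fields))
    payload, rest = unframe(wire)
    return wire, parse_login(payload), rest


if __name__ == "__main__":
    wire, parsed, _ = roundtrip()
    print(wire[:12].hex(), parsed["login"], parsed["version"], parsed["language"])
    print(build_ack().hex())
```

Feed the parser the bytes you get off the socket after unframe(); if the order of the DATA_XX and INT_XX fields in the real client differs from blar0's list, the bounds checks in Reader and the trailing-bytes check will fail loudly instead of silently misreading the key-exchange material.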