PCAP and more
  1. #1
    blar0's Avatar Active Member
    Reputation
    17
    Join Date
    Apr 2012
    Posts
    81
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    PCAP and more

    Hi,

    I'm looking for some saved pcaps from the game!
    And if you have more info about the login process: I can't figure out how to craft the XML answer.

  2. #2
    blar0 (Active Member)
    After solving my problem with the XML answer, I can start to remove their obfuscation from the binary to understand the REAL communication between a client and a server.
    I have cut up the first packet sent to a server:

    Code:
    SIZE_DATA_WITH_HEADER [DWORD]
    OPCODE                [WORD]
    UNK_WORD_01           [WORD]
    SIZE_DATA             [DWORD]
    UNK_WORD_02           [WORD]
    Login                 [Word (SizeBuffer) : Buffer]
    GameVersion           [Word (SizeBuffer) : Buffer]
    DATA_01               [DWORD (SizeBuffer) : DWORD (TYPE) : Buffer]
    DATA_02               [DWORD (SizeBuffer) : DWORD (TYPE) : Buffer]
    DATA_03               [DWORD (SizeBuffer) : DWORD (TYPE) : Buffer]
    INT_01                [DWORD]
    DATA_04               [DWORD (SizeBuffer) : DWORD (TYPE) : Buffer]
    INT_02                [DWORD]
    INT_03                [DWORD]
    INT_04                [DWORD]
    DATA_05               [DWORD (SizeBuffer) : DWORD (TYPE) : Buffer]
    BYTE_01               [BYTE]
    LANGUAGE_BUFFER       [Word (SizeBuffer) : Buffer ('en', 'fr', 'de', more?)]
    In some of the DATA_XX there is a Diffie-Hellman key exchange. Is anyone else working on this stuff in here?

    Oh, and btw, if some people are interested, here is a link to the unpacked binary from build 1.0.0.707462.
    Last edited by blar0; 01-04-2014 at 01:49 PM.

  3. #3
    blar0 (Active Member)
    For the XML stuff,

    if you want to try to write your own server or to reverse the binary:

    Edit the file "Platforms.xml" and change login_service_url and realm_service_url to the desired IP.

    When you receive a POST request on /login_queue/auth, answer with the following response:

    Code:
    <zos_platform_response>
    <response>
    <uuid>1234</uuid>
    <callback_interval_ms>100</callback_interval_ms>
    <queue_eta_sec>5</queue_eta_sec>
    </response>
    </zos_platform_response>
    Then you will receive a POST request on /login_queue/progress; answer with the following response:

    Code:
    <zos_platform_response>
    <response>
    <status>5</status>
    <uuid>1234</uuid>
    <callback_interval_ms>100</callback_interval_ms>
    <queue_eta_sec>5</queue_eta_sec>
    <state_data>
    <data> 
    <auth_result>
    <email>[email protected]</email>
    <account_name>T</account_name>
    <user_id>1234</user_id>
    <uuid>1234</uuid>
    <access_flags>1</access_flags>
    <entitlements_mask>1</entitlements_mask>
    </auth_result>
    <reservation_result>
    <connectAddress>192.168.1.42</connectAddress>
    <connectPort>4242</connectPort>
    <realm_name>blar0 realm</realm_name>
    <realm_id>4</realm_id>
    <depot_id>4000</depot_id>
    </reservation_result>
    </data>
    </state_data>
    </response>
    </zos_platform_response>
    It will try to connect to IP 192.168.1.42, port 4242, and send a packet like the one described in the post before.
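A minimal stand-in for the two login_queue endpoints described in this post, as an added example: it is not blar0's Python script nor Esoserv's C# server. It assumes the client issues HTTP POSTs to /login_queue/auth and /login_queue/progress and accepts XML of the shape shown above; the uuid, account and realm values are placeholders the client is assumed not to validate. Point login_service_url and realm_service_url in Platforms.xml at the host and port it listens on.

```python
"""Stand-in for the login_queue web service (added example, not the
original poster's code). Placeholder values are marked as such."""
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.sax.saxutils import escape

SESSION_UUID = "1234"                                       # placeholder
ACCOUNT = {"email": "[email protected]",                       # placeholder
           "name": "T", "user_id": 1234}
REALM = {"address": "192.168.1.42", "port": 4242,           # where the client
         "name": "blar0 realm", "id": 4, "depot_id": 4000}  # opens TCP next


def auth_response(uuid: str = SESSION_UUID) -> str:
    """Reply to POST /login_queue/auth: enqueue the client and tell it how
    often to poll /login_queue/progress."""
    return (
        "<zos_platform_response><response>"
        f"<uuid>{escape(uuid)}</uuid>"
        "<callback_interval_ms>100</callback_interval_ms>"
        "<queue_eta_sec>5</queue_eta_sec>"
        "</response></zos_platform_response>"
    )


def progress_response(uuid: str = SESSION_UUID, account: dict = ACCOUNT,
                      realm: dict = REALM) -> str:
    """Reply to POST /login_queue/progress: status 5 plus the auth_result
    and reservation_result that send the client to the realm address."""
    return (
        "<zos_platform_response><response>"
        "<status>5</status>"
        f"<uuid>{escape(uuid)}</uuid>"
        "<callback_interval_ms>100</callback_interval_ms>"
        "<queue_eta_sec>5</queue_eta_sec>"
        "<state_data><data>"
        "<auth_result>"
        f"<email>{escape(account['email'])}</email>"
        f"<account_name>{escape(account['name'])}</account_name>"
        f"<user_id>{int(account['user_id'])}</user_id>"
        f"<uuid>{escape(uuid)}</uuid>"
        "<access_flags>1</access_flags>"
        "<entitlements_mask>1</entitlements_mask>"
        "</auth_result>"
        "<reservation_result>"
        f"<connectAddress>{escape(realm['address'])}</connectAddress>"
        f"<connectPort>{int(realm['port'])}</connectPort>"
        f"<realm_name>{escape(realm['name'])}</realm_name>"
        f"<realm_id>{int(realm['id'])}</realm_id>"
        f"<depot_id>{int(realm['depot_id'])}</depot_id>"
        "</reservation_result>"
        "</data></state_data>"
        "</response></zos_platform_response>"
    )


def response_fields(xml_text: str) -> dict:
    """Flatten a zos_platform_response into {leaf tag: text} for checks."""
    root = ET.fromstring(xml_text)
    return {el.tag: (el.text or "") for el in root.iter() if len(el) == 0}


ROUTES = {
    "/login_queue/auth": auth_response,
    "/login_queue/progress": progress_response,
}


class LoginQueueHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Drain and log the body: it is the only place the client shows us
        # what it sends, which is exactly what we are trying to learn.
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length)
        self.log_message("POST %s body=%r", self.path, body[:200])
        handler = ROUTES.get(self.path.split("?", 1)[0])
        if handler is None:
            self.send_error(404)
            return
        payload = handler().encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def serve(host: str = "127.0.0.1", port: int = 8080) -> None:
    """Loopback by default: this fake service performs no authentication."""
    HTTPServer((host, port), LoginQueueHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Values are passed through `escape()` so a realm name or address containing `<` or `&` cannot break the XML the client parses; the `response_fields()` helper is only there to check the generated bodies parse back to what you intended.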

  4. #4
    Esoserv (Private)
    File-Upload.net - Webserver.zip

    (The small download button) Source code only (C#); the XML responses are hardcoded, no logic. You'll get to the point where the first TCP packet has been sent. I can't go further, because I have no packet log.

    Have fun!

  5. #5
    blar0 (Active Member)
    Originally Posted by Esoserv
    File-Upload.net - Webserver.zip

    (The small download button) Source code only (C#); the XML responses are hardcoded, no logic. You'll get to the point where the first TCP packet has been sent. I can't go further, because I have no packet log.

    Have fun!
    I already have stuff like that in Python, but thanks anyway.
    I really need a packet dump!!!

  6. #6
    races (Corporal)
    Originally Posted by Esoserv
    File-Upload.net - Webserver.zip

    (The small download button) Source code only (C#); the XML responses are hardcoded, no logic. You'll get to the point where the first TCP packet has been sent. I can't go further, because I have no packet log.

    Have fun!
    What's the password for the archive?

    Or blar0, can you share your Python script?

  7. #7
    Esoserv (Private)
    pw: ownedcore.com

    You'll have to change the address inside Platforms.xml to http://localhost:8080
    Last edited by Esoserv; 01-04-2014 at 12:56 PM.

  8. #8
    Esoserv (Private)
    Btw, which unpacker is needed for the exe?

  9. #9
    blar0 (Active Member)
    Python script: Private Paste - Pastie

    I don't know which packer is used; just use the trick with a HBP on ESP to get around the call to security_init_cookie and the jmp mainCRTStartup, and dump the exe without fixing raw size and offset.

  10. #10
    Esoserv (Private)
    UNK_BUFFER [Word (SizeBuffer) : Buffer]

    I think this is the language: en, fr, de?

  11. #11
    blar0 (Active Member)
    True! I will edit the post.

  12. #12
    blar0 (Active Member)
    I was wrong about the client send/receive packet; it looks like this:

    First send the size of the packet in big-endian.
    Then send all the data.

    Example with the first packet sent by the client:

    Code:
    [+] len(buf) = 4 (4)

    0000  00 00 03 1e                                       ....
    The first packet's size equals 4, and the second packet's data size equals 0x31E (798).

    Code:
    [+] len(buf) = 798 (0000031E)
    0000  00 01 00 01 00 00 03 16 2b 10 00 04 31 32 33 34   ........+...1234
    0010  00 00 15 65 73 6f 2e 6c 69 76 65 2e 31 2e 30 2e   ...eso.live.1.0.
    ...
    ...
    0300  42 a6 c2 3d 13 e3 3d e2 78 d6 cd b1 53 c5 34 47   B..=..=.x...S.4G
    0310  f8 a1 98 2f f8 a0 40 f4 04 00 02 65 6e 00         .../..@....en.
    Second packet:

    Code:
    +0x00 : WORD  (Opcode)
    +0x02 : WORD  (Unknown)
    +0x04 : DWORD (Size DATA - 8)
    This should be the exact header.
    Last edited by blar0; 01-04-2014 at 01:47 PM.

  13. #13
    races (Corporal)
    Thanks for sharing, Esoserv & blar0!

  14. #14
    blar0 (Active Member)
    If, after the first packet, you respond:

    Code:
    -- packet 1
    SIZE_DATA_WITH_HEADER [DWORD : 0x0A (10) ]
    -- packet 2
    OPCODE    [WORD : 0x103 (259) ]
    UNK_QWORD [QWORD : whatever]
    you will be able to init the connection and see this screen: https://i.imgur.com/TUWOelx.png
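The framing from post #12 (4-byte big-endian length, then the data), the field layout from post #2 and the 10-byte reply from post #14, as one added example that is not blar0's script. It assumes big-endian integers throughout, as the hex dumps show, and that the server's opcode is sent in the same byte order (the post does not say). The sample hello is constructed from the posted layout, not taken from the capture: the dump in post #12 shows one extra 0x00 between the Login string and the GameVersion length that the layout in post #2 does not account for, so treat the layout as a working hypothesis and compare against your own pcap.

```python
"""Framing and parsing for the first TCP exchange in this thread.
Added example, not the original poster's code; byte order and the
server-side opcode encoding are assumptions, sample data is constructed."""
import io
import struct

OPCODE_CLIENT_HELLO = 0x0001   # first client packet in the dump
OPCODE_SERVER_ACK = 0x0103     # reply that gets past the init screen (post #14)
MAX_FRAME = 1 << 20            # refuse absurd length prefixes from a peer


def frame(payload: bytes) -> bytes:
    """Prefix payload with its length as a big-endian DWORD (post #12)."""
    return struct.pack(">I", len(payload)) + payload


def read_exact(stream, n: int) -> bytes:
    """Read exactly n bytes; a short read means the peer went away."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError(f"stream closed after {len(buf)} of {n} bytes")
        buf.extend(chunk)
    return bytes(buf)


def read_frame(stream) -> bytes:
    """Read one length-prefixed frame. Length and data arrive as separate
    sends in the dump, so never trust recv() boundaries: read by declared
    length, and cap it so a peer cannot make you allocate at will."""
    (length,) = struct.unpack(">I", read_exact(stream, 4))
    if length > MAX_FRAME:
        raise ValueError(f"frame length {length} exceeds {MAX_FRAME}")
    return read_exact(stream, length)


def parse_header(payload: bytes) -> dict:
    """8-byte header: WORD opcode, WORD unknown, DWORD (len(payload) - 8)."""
    if len(payload) < 8:
        raise ValueError("payload shorter than header")
    opcode, unk, size = struct.unpack_from(">HHI", payload, 0)
    if size != len(payload) - 8:
        raise ValueError(f"header size {size} != {len(payload) - 8}")
    return {"opcode": opcode, "unk": unk, "size": size}


def parse_word_string(buf: bytes, off: int):
    """[WORD length][bytes] field -> (value, next offset), bounds-checked."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("string runs past end of frame")
    return buf[off:off + n], off + n


def parse_client_hello(payload: bytes) -> dict:
    """Header, UNK_WORD_02, Login and GameVersion per post #2; the DATA_xx
    blobs that follow (where the DH exchange lives) are returned raw."""
    hdr = parse_header(payload)
    if len(payload) < 10:
        raise ValueError("no room for UNK_WORD_02")
    (unk2,) = struct.unpack_from(">H", payload, 8)
    login, off = parse_word_string(payload, 10)
    version, off = parse_word_string(payload, off)
    return {**hdr, "unk2": unk2, "login": login.decode("ascii"),
            "version": version.decode("ascii"), "rest": payload[off:]}


def build_client_hello(login: str, version: str, rest: bytes = b"",
                       unk: int = 0x0001, unk2: int = 0x2B10) -> bytes:
    """Client side: build the body first, then the header whose size field
    is len(body), then the length prefix over header + body."""
    body = struct.pack(">H", unk2)
    body += struct.pack(">H", len(login)) + login.encode("ascii")
    body += struct.pack(">H", len(version)) + version.encode("ascii")
    body += rest
    return frame(struct.pack(">HHI", OPCODE_CLIENT_HELLO, unk, len(body)) + body)


def build_server_ack(qword: int = 0) -> bytes:
    """Server side, post #14: length 0x0A, then WORD 0x103 and a QWORD."""
    return frame(struct.pack(">HQ", OPCODE_SERVER_ACK, qword))


def serve_handshake(rfile, wfile) -> dict:
    """Server half of the exchange over any file-like pair, e.g.
    conn.makefile('rb') / conn.makefile('wb') on an accepted socket."""
    hello = parse_client_hello(read_frame(rfile))
    wfile.write(build_server_ack())
    wfile.flush()
    return hello


def roundtrip(login: str, version: str, rest: bytes = b""):
    """Client builds a hello, server parses it and answers, all in memory.
    Returns (parsed hello, raw ack bytes)."""
    wire = build_client_hello(login, version, rest)
    out = io.BytesIO()
    return serve_handshake(io.BytesIO(wire), out), out.getvalue()


if __name__ == "__main__":
    # Constructed sample: login/version strings from the dump, with the
    # dump's tail bytes standing in for DATA_01..DATA_05 and the language.
    hello, ack = roundtrip("1234", "eso.live.1.0.0.707462", b"\x04\x00\x02en\x00")
    print(hello)
    print(ack.hex())
```

Every length that comes off the wire is checked against the bytes actually present before it is used as an offset, which is the habit to keep once you start decoding the DATA_xx blobs: a DWORD SizeBuffer from an untrusted peer is an allocation request, not a fact.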

  15. #15
    races (Corporal)
    It's a bit useless... but where did you find the function that handles the opcode?
