Jumping and packets!
#1 ashleyww (Banned)

    Jumping and packets!

    Okay, I've just used a packet sniffer and jumped 9 times.
    These are the packets that got sniffed:
    Code:
    FD E2 4B 14 0A 32 00 00 00 00 00 00 B5 58 7A 00 5B 13 22 46 B7 C2 5B 44 4E 9F A5 44 67 FA EF 3E 39 03 00 00
    D4 76 0B 97 3B 35 00 00 00 00 00 00 6E BB 7A 00 5B 13 22 46 B7 C2 5B 44 4E 9F A5 44 67 FA EF 3E 39 03 00 00 
    34 55 59 F8 DB B5 00 00 00 00 00 00 8C 1F 7B 00 5B 13 22 46 B7 C2 5B 44 50 9F A5 44 67 FA EF 3E 39 03 00 00
    53 53 F8 06 A2 E9 00 00 00 00 00 00 2B AA 7B 00 5B 13 22 46 B7 C2 5B 44 4F 9F A5 44 67 FA EF 3E 39 03 00 00 
    01 BE E3 4E 14 7E 00 00 00 00 00 00 6E F1 7B 00 5B 13 22 46 B7 C2 5B 44 53 9F A5 44 67 FA EF 3E 39 03 00 00
    0F AE 57 75 38 2A 00 00 00 00 00 00 BC 61 7C 00 5B 13 22 46 B7 C2 5B 44 4D 9F A5 44 67 FA EF 3E 39 03 00 00
    F3 71 A4 C0 D8 D7 00 00 00 00 00 00 1F B1 7C 00 5B 13 22 46 B7 C2 5B 44 4F 9F A5 44 67 FA EF 3E 39 03 00 00 
    E6 F6 B2 C8 A6 FB 00 00 00 00 00 00 31 19 7D 00 5B 13 22 46 B7 C2 5B 44 4D 9F A5 44 67 FA EF 3E 39 03 00 00
    43 EB 99 8B 48 97 00 00 00 00 00 00 18 99 7D 00 5B 13 22 46 B7 C2 5B 44 4D 9F A5 44 67 FA EF 3E 39 03 00 00
    How would I resend this?
#2 lanman92 (Active Member)
    Look at the MangOS source code, in MovementHandler.cpp. You'll see that you're dumping a timestamp, guid, location/orientation and a movement field. The first 6 bytes are encrypted using the key in the WoWConnection class (kynox's stuff...).
    Last edited by lanman92; 06-05-2009 at 05:37 PM.

#3 ashleyww (Banned)
    Sorry what?

#4 lanman92 (Active Member)
    I have a question for Kynox/cypher/boogey..... Why is the header for each packet different even though the length and opcode stay the same? Does the algorithm change the key with each packet?

#5 wraithZX (Active Member)
    From memory, the algorithm for "encrypting" the opcode header was a cyclic 40 byte key.
    Jump a few more times and it'll repeat.
    That said, didn't they switch to rc4 now? Haven't looked at the network side of things in ages...

#6 lanman92 (Active Member)
    It is RC4, and I have the 20-bit key used for encryption. I don't really follow what you're saying there.

#7 ashleyww (Banned)
    If anyone wants to teach me a thing or two about these... I'd be willing to say that you helped me a lot when I release my project!


#8 kynox (Member)
    The key changes, like wraith said, because it's cyclic. Meaning, once it reaches the end, it starts over again from the start.

    @ OP: What you need to do is recreate a packet (without the header) and send it into NetGame::SendPacket which will handle all the dirty work.

    As for the structure of the packet, check the mangos src. It's a rather simple packet.

#9 lanman92 (Active Member)
    But, shouldn't the key restart at the beginning fairly soon then, since 6 bytes is pretty close to 20-bits, isn't it? Or is it always different because of the new place that it starts in the key (not lining up with the previous set of opcodes)?

    EDIT: Here's some help with the packet structure.

    The packet is 6 bytes of header (containing opcode + size + garbage), then a uint movementflags and then movementinfo.

    struct movementInfo {
        uint unk1;
        float X;
        float Y;
        float Z;
        float o;
    };

    AddpacketHandler is at 0x5F9310, ClearPacketHandlers is at 0x5F9330. I still don't know where the 'CNet::Sendpacket' is at though =/
    Last edited by lanman92; 06-05-2009 at 08:49 PM.

#10 BoogieManTM (Active Member)
    Originally Posted by lanman92:
    But, shouldn't the key restart at the beginning fairly soon then, since 6 bytes is pretty close to 20-bits, isn't it? Or is it always different because of the new place that it starts in the key (not lining up with the previous set of opcodes)?

    EDIT: Here's some help with the packet structure.

    The packet is 6 bytes of header (containing opcode + size + garbage), then a uint movementflags and then movementinfo.

    struct movementInfo {
        uint unk1;
        float X;
        float Y;
        float Z;
        float o;
    };

    AddpacketHandler is at 0x5F9310, ClearPacketHandlers is at 0x5F9330. I still don't know where the 'CNet::Sendpacket' is at though =/

    The structure for movement packets is:

    opcode
    uint MovementFlags
    short unk (I'm always sending 0)
    uint timestamp (system time in milliseconds)
    float x
    float y
    float z
    float orientation
    uint unk (usually 0, it's another set of flags apparently)
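To check that the layout in post #10 actually fits the nine packets from post #1, here is a decoder, as an added example that is not code from the thread or from any of the posters. It unpacks each 36-byte capture with that layout (6-byte header, uint flags, short, uint timestamp, four floats, trailing uint, all little-endian) and then runs a few cross-packet sanity checks: headers all distinct, timestamps monotone, x/y/orientation constant. The class and field names are my own; the 6-byte header is carried through as opaque bytes, since the thread says it is encrypted client-side, and nothing here decrypts or transmits anything.

```python
"""Decode the nine captured movement packets (post #1) with the field
layout from post #10. Added example; names are mine, not the thread's."""
import struct
from dataclasses import dataclass
from typing import Dict, List

# Post #10 layout, little-endian, packed: 6 + 4 + 2 + 4 + 4*4 + 4 = 36 bytes.
MOVEMENT_LAYOUT = "<6sIHIffffI"
MOVEMENT_SIZE = struct.calcsize(MOVEMENT_LAYOUT)  # 36

# The nine packets exactly as quoted in the first post.
CAPTURED_HEX = [
    "FD E2 4B 14 0A 32 00 00 00 00 00 00 B5 58 7A 00 5B 13 22 46 B7 C2 5B 44 4E 9F A5 44 67 FA EF 3E 39 03 00 00",
    "D4 76 0B 97 3B 35 00 00 00 00 00 00 6E BB 7A 00 5B 13 22 46 B7 C2 5B 44 4E 9F A5 44 67 FA EF 3E 39 03 00 00",
    "34 55 59 F8 DB B5 00 00 00 00 00 00 8C 1F 7B 00 5B 13 22 46 B7 C2 5B 44 50 9F A5 44 67 FA EF 3E 39 03 00 00",
    "53 53 F8 06 A2 E9 00 00 00 00 00 00 2B AA 7B 00 5B 13 22 46 B7 C2 5B 44 4F 9F A5 44 67 FA EF 3E 39 03 00 00",
    "01 BE E3 4E 14 7E 00 00 00 00 00 00 6E F1 7B 00 5B 13 22 46 B7 C2 5B 44 53 9F A5 44 67 FA EF 3E 39 03 00 00",
    "0F AE 57 75 38 2A 00 00 00 00 00 00 BC 61 7C 00 5B 13 22 46 B7 C2 5B 44 4D 9F A5 44 67 FA EF 3E 39 03 00 00",
    "F3 71 A4 C0 D8 D7 00 00 00 00 00 00 1F B1 7C 00 5B 13 22 46 B7 C2 5B 44 4F 9F A5 44 67 FA EF 3E 39 03 00 00",
    "E6 F6 B2 C8 A6 FB 00 00 00 00 00 00 31 19 7D 00 5B 13 22 46 B7 C2 5B 44 4D 9F A5 44 67 FA EF 3E 39 03 00 00",
    "43 EB 99 8B 48 97 00 00 00 00 00 00 18 99 7D 00 5B 13 22 46 B7 C2 5B 44 4D 9F A5 44 67 FA EF 3E 39 03 00 00",
]


@dataclass
class MovementPacket:
    header: bytes        # 6 encrypted bytes (opcode + size + garbage), left opaque
    flags: int           # uint MovementFlags
    unk16: int           # short unk
    timestamp_ms: int    # uint timestamp (client system time in ms, per post #10)
    x: float
    y: float
    z: float
    orientation: float
    unk32: int           # trailing uint ("another set of flags", per post #10)


def parse_movement_packet(raw: bytes) -> MovementPacket:
    """Unpack one 36-byte movement packet; reject anything of the wrong size."""
    if len(raw) != MOVEMENT_SIZE:
        raise ValueError(f"expected {MOVEMENT_SIZE} bytes, got {len(raw)}")
    return MovementPacket(*struct.unpack(MOVEMENT_LAYOUT, raw))


def parse_captured() -> List[MovementPacket]:
    """Decode the nine packets quoted in post #1."""
    return [parse_movement_packet(bytes.fromhex(h)) for h in CAPTURED_HEX]


def summarize(packets: List[MovementPacket]) -> Dict[str, object]:
    """Cross-packet checks that tell you whether the claimed layout fits the capture."""
    deltas = [b.timestamp_ms - a.timestamp_ms for a, b in zip(packets, packets[1:])]
    return {
        # lanman92's observation in post #4: every header differs although opcode and size do not
        "headers_distinct": len({p.header for p in packets}) == len(packets),
        # a monotone ms-scale clock is what you expect if offset 12 really is a timestamp
        "timestamps_increasing": all(d > 0 for d in deltas),
        "timestamp_deltas_ms": deltas,
        # x, y and orientation never move in this capture; only z wobbles in its last byte
        "xy_constant": len({(p.x, p.y, p.orientation) for p in packets}) == 1,
        "z_values": [p.z for p in packets],
    }


if __name__ == "__main__":
    pkts = parse_captured()
    for i, p in enumerate(pkts, 1):
        print(f"#{i} hdr={p.header.hex()} t={p.timestamp_ms} "
              f"pos=({p.x:.2f}, {p.y:.2f}, {p.z:.4f}) o={p.orientation:.3f} unk={p.unk32}")
    print(summarize(pkts))
```

Running it shows the layout fits exactly: flags and the short are zero in every packet, the timestamps climb by roughly 25 to 35 seconds between captures, x/y/orientation are byte-for-byte identical across all nine, and only the 6 header bytes differ from packet to packet, which is the behaviour the later posts attribute to the cyclic header key.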

#11 lanman92 (Active Member)
    What happens if you send the wrong timestamp? Wouldn't speedhacks send bad timestamps...? Any help with reversing the right function? I've been hovering around 0x5F92F0 and its sub-calls for hours.

    EDIT: whenever I look at the buffer coming into that address, it's always ** 98 00. Not sure why, but it is.
    Last edited by lanman92; 06-05-2009 at 09:50 PM.

#12 BoogieManTM (Active Member)
    Originally Posted by lanman92:
    What happens if you send the wrong timestamp? Wouldn't speedhacks send bad timestamps...? Any help with reversing the right function? I've been hovering around 0x5F92F0 and it's sub-calls for hours.

    EDIT: whenever I look at the buffer coming into that address, it's always ** 98 00. Not sure why, but it is.
    Wrong timestamp == instant disconnect. Not sure about the send packet functions. I wrote those myself in my client :P Can't help ya there

#13 lanman92 (Active Member)
    Haha, that's so cool, yet so unbelievable. I'm guessing you're pretty much a GM. lol.

    EDIT: How do you recommend decrypting the packets? I thought about brute-forcing it, wouldn't be very hard I think. I can see the key, I just don't know much about HMAC/RC4. =/
