Reversing a new game protocol

Started by Dale, April 26, 2008, 07:52 PM


Dale

Well, I started trying to reverse Silkroad Online's game protocol (http://www.silkroadonline.net/), and I started off by packet logging and testing sending the packets from a program I created..

From the server to the client, I receive 43 Bytes
Server -> Client

0000   25 00 00 50 00 00 0e d4 67 c7 e2 10 b4 7c 17 02  %..P....g....|..
0010   00 00 00 14 00 00 00 8f 9d da 6a fc c6 10 a4 61  ..........j....a
0020   d2 ce 68 4d 25 9f 71 bd 3a 5b 51                 ..hM%.q.:[Q


Then, the game client sends 18 bytes
Client -> Server

0000   0c 00 00 50 51 af 19 63 1d 36 06 41 e9 78 5e c6  ...PQ..c.6.A.x^.
0010   3c 0e                                            <.


Well, I then tested connecting my program to the server and got...
Server->Client (43 bytes)

0000   25 00 00 50 00 00 0e ea 3d 10 b1 55 21 68 e2 8b  %..P....=..U!h..
0010   00 00 00 d7 00 00 00 b8 a0 e5 58 13 ba fd 45 41  ..........X...EA
0020   08 98 56 cb 08 73 71 e4 c5 1c 0a                 ..V..sq....


and then I send my 18 bytes..
Client->Server

0000   0c 00 00 50 b3 c4 26 7f 5c 58 fb f5 6a 6e c2 0f  ...P..&.\X..jn..
0010   1b a0                                            ..


Right after I send that, my connection dropped, so I checked and, as you can see, my 18 bytes don't match what the client has... (I didn't mess up, it changes.) So my question is... how would I figure out what the correct 18 bytes are? And why would the 18 bytes change? This is even before I actually get to the game; this is to receive the news and updates, so it's not my username/password, and there's no CD key.

I don't expect the actual, exact answer, since I figure no one here has probably reversed, let alone looked at this game, I was just curious to hear opinions.

Oh, and here are the other 3 packet logs from the client to the server (each 18 bytes):

(Packet Log 1) Client->Server: 0c 00 00 50 64 bb 2d 41 2f 2a de 4d 1d cb b7 e3 f7 84
(Packet Log 2) Client->Server: 0c 00 00 50 8c e8 4c 33 59 48 b8 2b c5 78 8b 11 29 c0
(Packet Log 3) Client->Server: 0c 00 00 50 51 af 19 63 1d 36 06 41 e9 78 5e c6 3c 0e


Any help would be greatly appreciated! Thanks!
- Dale

EDIT: Actually, staring at my packet logs on here, it occurred to me that the 43 bytes I receive above from the server to the actual client are different than the 43 bytes that I receive through my client. Could the 18 bytes be modified according to that?

UserLoser

it's called disassembly and debugger

Ringo

hm, at a glance, looks like it's something like:

(WORD) Length of packet (excluding header)
(DWORD) Something maybe containing the packet id (0x50 maybe?) and maybe a checksum for outgoing data
(VOID) data

It might be that the data is compressed or encrypted, but without seeing a dump of the whole logon, it's just a stab in the dark.
Is all the data like that, or are parts of it plain text?

Dale

At this part, it's all like that, but as I get later into other packets I get data in plain text


0000   10 00 01 20 00 00 0d 00 47 61 74 65 77 61 79 53  ... ....GatewayS
0010   65 72 76 65 72 00                                erver.


and even later


0000   24 07 0d 60 00 00 00 04 34 00 5b 45 78 74 72 61  $..`....4.[Extra
0010   20 49 6e 73 70 65 63 74 69 6f 6e 5d 20 45 78 74   Inspection] Ext
0020   72 61 20 53 65 72 76 65 72 20 49 6e 73 70 65 63  ra Server Inspec
0030   74 69 6f 6e 20 43 6f 6d 70 6c 65 74 65 64 ff 00  tion Completed..
0040   3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 79  <b><font color=y
0050   65 6c 6c 6f 77 3e 45 78 74 72 61 20 53 65 72 76  ellow>Extra Serv
0060   65 72 20 49 6e 73 70 65 63 74 69 6f 6e 20 43 6f  er Inspection Co
0070   6d 70 6c 65 74 65 64 3c 2f 66 6f 6e 74 3e 3c 2f  mpleted</font></
0080   62 3e 0d 0a 0d 0a 45 78 74 72 61 20 73 65 72 76  b>....Extra serv
0090   65 72 20 69 6e 73 70 65 63 74 69 6f 6e 20 6f 66  er inspection of
00a0   20 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d   <b><font color=
00b0   79 65 6c 6c 6f 77 3e 50 65 72 73 69 61 3c 2f 66  yellow>Persia</f
00c0   6f 6e 74 3e 3c 2f 62 3e 20 68 61 73 20 62 65 65  ont></b> has bee
00d0   6e 20 63 6f 6d 70 6c 65 74 65 64 2e 0d 0a 0d 0a  n completed.....
00e0   3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 79  <b><font color=y
00f0   65 6c 6c 6f 77 3e 54 69 6d 65 20 6f 66 20 43 6f  ellow>Time of Co
0100   6d 70 6c 65 74 69 6f 6e 3c 2f 66 6f 6e 74 3e 20  mpletion</font>
0110   3a 20 41 70 72 20 32 32 2c 20 32 30 30 38 20 31  : Apr 22, 2008 1
0120   36 3a 35 30 20 53 69 6c 6b 72 6f 61 64 20 53 74  6:50 Silkroad St
0130   61 6e 64 61 72 64 20 54 69 6d 65 3c 2f 62 3e d8  andard Time</b>.
0140   07 04 00 16 00 10 00 38 00 08 00 40 98 1e 09 1b  .......8...@....
0150   00 50 61 79 70 61 6c 20 49 6e 73 70 65 63 74 69  .Paypal Inspecti
0160   6f 6e 20 43 6f 6d 70 6c 65 74 65 64 ef 01 3c 62  on Completed..<b
0170   3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 79 65 6c  ><font color=yel
0180   6c 6f 77 3e 50 61 79 70 61 6c 20 49 6e 73 70 65  low>Paypal Inspe
0190   63 74 69 6f 6e 20 43 6f 6d 70 6c 65 74 65 64 3c  ction Completed<
01a0   2f 66 6f 6e 74 3e 3c 2f 62 3e 0d 0a 0d 0a 50 61  /font></b>....Pa
01b0   79 70 61 6c 20 69 73 20 6e 6f 77 20 77 6f 72 6b  ypal is now work
01c0   69 6e 67 20 6e 6f 72 6d 61 6c 6c 79 20 61 6e 64  ing normally and
01d0   20 74 72 61 6e 73 61 63 74 69 6f 6e 73 20 63 61   transactions ca
01e0   6e 20 70 72 6f 63 65 65 64 20 6e 6f 72 6d 61 6c  n proceed normal
01f0   6c 79 2e 0d 0a 0d 0a 3c 66 6f 6e 74 20 63 6f 6c  ly.....<font col
0200   6f 72 3d 79 65 6c 6c 6f 77 3e 48 6f 77 65 76 65  or=yellow>Howeve
0210   72 2c 20 73 6f 6d 65 20 6f 66 20 6f 75 72 20 75  r, some of our u
0220   73 65 72 73 20 63 6f 75 6c 64 20 62 65 20 72 65  sers could be re
0230   63 65 69 76 65 64 20 73 69 6c 6b 20 61 20 6c 69  ceived silk a li
0240   74 74 6c 65 20 62 69 74 20 6c 61 74 65 20 62 65  ttle bit late be
0250   63 61 75 73 65 20 6f 66 20 74 68 65 20 73 79 73  cause of the sys
0260   74 65 6d 20 64 65 6c 61 79 2e 3c 2f 66 6f 6e 74  tem delay.</font
0270   3e 0d 0a 0d 0a 57 65 20 77 69 6c 6c 20 72 65 73  >....We will res
0280   74 6f 72 65 20 53 69 6c 6b 20 74 6f 20 61 6c 6c  tore Silk to all
0290   20 75 73 65 72 73 20 74 68 61 74 20 68 61 76 65   users that have
02a0   20 6d 61 64 65 20 63 6f 6d 70 6c 65 74 65 64 20   made completed
02b0   70 61 79 6d 65 6e 74 73 20 62 75 74 20 64 69 64  payments but did
02c0   20 6e 6f 74 20 72 65 63 65 69 76 65 20 53 69 6c   not receive Sil
02d0   6b 20 64 75 72 69 6e 67 20 74 68 65 20 74 69 6d  k during the tim
02e0   65 20 6f 66 20 69 6e 73 70 65 63 74 69 6f 6e 2e  e of inspection.
02f0   20 54 68 69 73 20 73 69 6c 6b 20 77 69 6c 6c 20   This silk will
0300   62 65 20 72 65 73 74 69 74 75 74 65 64 20 77 69  be restituted wi
0310   74 68 69 6e 20 61 20 63 6f 75 70 6c 65 20 6f 66  thin a couple of
0320   20 64 61 79 73 2e 0d 0a 0d 0a 57 65 20 61 70 6f   days.....We apo
0330   6c 6f 67 69 7a 65 20 66 6f 72 20 74 68 65 20 70  logize for the p
0340   72 6f 62 6c 65 6d 73 20 74 68 69 73 20 6d 61 79  roblems this may
0350   20 68 61 76 65 20 63 61 75 73 65 64 2e d8 07 04   have caused....
0360   00 16 00 10 00 35 00 22 00 40 fd eb 26 36 00 5b  .....5.".@..&6.[
0370   57 65 65 6b 6c 79 20 49 6e 73 70 65 63 74 69 6f  Weekly Inspectio
0380   6e 5d 20 57 65 65 6b 6c 79 20 53 65 72 76 65 72  n] Weekly Server
0390   20 49 6e 73 70 65 63 74 69 6f 6e 20 43 6f 6d 70   Inspection Comp
03a0   6c 65 74 65 64 6b 01 3c 62 3e 3c 66 6f 6e 74 20  letedk.<b><font
03b0   63 6f 6c 6f 72 3d 79 65 6c 6c 6f 77 3e 57 65 65  color=yellow>Wee
03c0   6b 6c 79 20 53 65 72 76 65 72 20 49 6e 73 70 65  kly Server Inspe
03d0   63 74 69 6f 6e 20 43 6f 6d 70 6c 65 74 65 64 3c  ction Completed<
03e0   2f 66 6f 6e 74 3e 3c 2f 62 3e 0d 0a 0d 0a 49 6e  /font></b>....In
03f0   20 6f 72 64 65 72 20 74 6f 20 6d 61 69 6e 74 61   order to mainta
0400   69 6e 20 61 20 70 6c 65 61 73 61 6e 74 20 67 61  in a pleasant ga
0410   6d 69 6e 67 20 61 6e 64 20 73 6d 6f 6f 74 68 20  ming and smooth
0420   70 61 74 63 68 69 6e 67 20 65 78 70 65 72 69 65  patching experie
0430   6e 63 65 2c 20 77 65 65 6b 6c 79 20 73 65 72 76  nce, weekly serv
0440   65 72 20 69 6e 73 70 65 63 74 69 6f 6e 20 6f 66  er inspection of
0450   20 61 6c 6c 20 73 65 72 76 65 72 73 20 68 61 73   all servers has
0460   20 62 65 65 6e 20 63 6f 6d 70 6c 65 74 65 64 2e   been completed.
0470   0d 0a 0d 0a 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c  ....<b><font col
0480   6f 72 3d 79 65 6c 6c 6f 77 3e 54 69 6d 65 20 6f  or=yellow>Time o
0490   66 20 43 6f 6d 70 6c 65 74 69 6f 6e 3c 2f 66 6f  f Completion</fo
04a0   6e 74 3e 20 3a 20 41 70 72 20 32 32 2c 20 32 30  nt> : Apr 22, 20
04b0   30 38 20 31 36 3a 30 35 20 53 69 6c 6b 72 6f 61  08 16:05 Silkroa
04c0   64 20 53 74 61 6e 64 61 72 64 20 54 69 6d 65 3c  d Standard Time<
04d0   2f 62 3e 0d 0a 0d 0a 3c 62 3e 3c 66 6f 6e 74 20  /b>....<b><font
04e0   63 6f 6c 6f 72 3d 79 65 6c 6c 6f 77 3e 5b 50 61  color=yellow>[Pa
04f0   74 63 68 5d 3c 2f 66 6f 6e 74 3e 3c 2f 62 3e 0d  tch]</font></b>.
0500   0a 2d 20 44 61 74 61 62 61 73 65 20 62 61 63 6b  .- Database back
0510   75 70 d8 07 04 00 16 00 10 00 0a 00 38 00 40 dc  up..........8.@.
0520   b3 11 0d 00 50 61 79 70 61 6c 20 4e 6f 74 69 63  ....Paypal Notic
0530   65 e7 01 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f  e..<b><font colo
0540   72 3d 79 65 6c 6c 6f 77 3e 50 61 79 70 61 6c 20  r=yellow>Paypal
0550   4e 6f 74 69 63 65 3c 2f 66 6f 6e 74 3e 3c 2f 62  Notice</font></b
0560   3e 0d 0a 0d 0a 50 61 79 70 61 6c 20 69 73 20 6e  >....Paypal is n
0570   6f 77 20 77 6f 72 6b 69 6e 67 20 6e 6f 72 6d 61  ow working norma
0580   6c 6c 79 20 61 6e 64 20 74 72 61 6e 73 61 63 74  lly and transact
0590   69 6f 6e 73 20 63 61 6e 20 70 72 6f 63 65 65 64  ions can proceed
05a0   20 6e 6f 72 6d 61 6c 6c 79 2e 0d 0a 0d 0a 3c 66   normally.....<f
05b0   6f 6e 74 20                                      ont
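As an added example (not code from the thread, from Dale, or from Silkroad itself), this Python script applies Ringo's header guess to the frames posted above: it checks the WORD length against the frame size, lists which byte offsets stay constant across the captures (the part worth decoding first), and scores each body for printable ASCII and Shannon entropy to separate cleartext like the GatewayServer packet from the opaque 43/18-byte exchange. The little-endian reading of the length field and the printable/entropy heuristics are my assumptions, not something the thread establishes.

```python
import math
import struct

# Frames copied from the hex dumps posted in the thread.
SERVER_REAL = bytes.fromhex(          # 43 bytes, server -> real client
    "250000500000" "0ed467c7e210b47c1702" "000000140000008f9dda6afcc610a461"
    "d2ce684d259f71bd3a5b51")
SERVER_MINE = bytes.fromhex(          # 43 bytes, server -> Dale's program
    "250000500000" "0eea3d10b1552168e28b" "000000d7000000b8a0e55813bafd4541"
    "089856cb087371e4c51c0a")
CLIENT_SAMPLES = [bytes.fromhex(h) for h in (
    "0c000050b3c4267f5c58fbf56a6ec20f1ba0",   # Dale's program (connection dropped)
    "0c00005064bb2d412f2ade4d1dcbb7e3f784",   # packet log 1
    "0c0000508ce84c335948b82bc5788b1129c0",   # packet log 2
    "0c00005051af19631d360641e9785ec63c0e",   # packet log 3
)]
GATEWAY = bytes.fromhex("100001200000" "0d00" "4761746577617953657276657200")

HEADER_LEN = 6  # WORD length + the 4 header bytes Ringo calls a DWORD


def parse_frame(pkt: bytes) -> dict:
    """Split a frame per Ringo's guess: WORD length (excluding header), 4 header bytes, body.
    Assumed little-endian: 0x0025 == 37 == 43 - 6 and 0x000c == 12 == 18 - 6."""
    (length,) = struct.unpack_from("<H", pkt, 0)
    body = pkt[HEADER_LEN:]
    return {"length": length, "header": pkt[2:HEADER_LEN], "body": body,
            "length_ok": length == len(body)}


def constant_offsets(samples) -> list:
    """Byte offsets holding the same value in every capture; everything else varies per session."""
    n = min(len(s) for s in samples)
    return [i for i in range(n) if len({s[i] for s in samples}) == 1]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range; high values suggest cleartext strings."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; values close to 8 are typical of ciphertext or compressed data."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())
```

Running constant_offsets over the four client samples leaves only the first four bytes (0c 00 00 50), which is why a replayed 18-byte frame cannot match: the body is regenerated per session, and the server's two 43-byte frames likewise agree only at the header and a few zero-filled offsets.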

warz

You really don't need to guess at this kind of stuff. Like UserLoser mentioned - check this out in a debugger, disassemble files you think are related, etc. SRSLY.

Dale

Yeah, I've looked at it in IDA and OllyDbg, but I'm just trying to get as much out of a packet log as possible.. since I'm not really that experienced in disassembly.. But I probably should be, since my purpose in this is to learn..

UserLoser


Ringo

Quote from: Dale on April 26, 2008, 09:18 PM
At this part, it's all like that, but as I get later into other packets I get data in plain text
Oh, they are probably hashes or encrypted blocks (or maybe compressed data if the lengths are not constant) of passwords and whatever else gets authed.
So as UL mentioned, debugging is probably the best way through that, if they are not common algorithms.

Dale

Quote from: Ringo on April 27, 2008, 03:09 AM
Quote from: Dale on April 26, 2008, 09:18 PM
At this part, it's all like that, but as I get later into other packets I get data in plain text
Oh, they are probably hashes or encrypted blocks (or maybe compressed data if the lengths are not constant) of passwords and whatever else gets authed.
So as UL mentioned, debugging is probably the best way through that, if they are not common algorithms.

Well, while I was researching I read that Silkroad uses the Blowfish algorithm, but I just haven't found out if it's encrypting these packets as well as the game packets, or just game packets.