World-list packet description.
06-17-2009, 09:53 AM,
(This post was last modified: 07-30-2009, 07:02 AM by Morpheus.)
World-list packet description.
Architect gives some classes about how world-list works on a real client.
NEWEST EXPLANATION

This explanation is more exact and updated (from yesterday) and could be more comprehensive, as it is almost simple "machine readable" code.

For a world-list packet generation, we need:

26 hex bytes: packet length & crypto things
unsigned int 2 bytes: length of the char data
unsigned int 3 bytes: length of the char data - 4

Quote: Length of the data is calculated as sum of:

unsigned int 2 bytes: "02 00"
unsigned int 2 bytes: <sum of chars on all servers>

##for each char## 14 bytes hex block:
- unsigned int 3 bytes: number of bytes to the right, till charname starts (pointer to charname length position)
- unsigned int 4 bytes: id of character
- unsigned int 4 bytes: "00 00 00 00"
- unsigned int 1 byte: char status flag
  Quote: 00 -> character normal
- unsigned int 2 bytes: server ID where char is in

##for each char (part 2)## 2 + N bytes hex block:
- unsigned int 2 bytes: length of charname+1
- N bytes hex block: 00 + charname

unsigned int 2 bytes: <number of worlds available>
unsigned int 1 byte: "00"

##for each world## 32 bytes MAX hex block:
- unsigned int 2 bytes: serverID
- unsigned int 1 byte: "00"
- hex block N bytes: world name
- hex block 20-N zero bytes: padding/zeros till world name+zeros = 20 bytes
- unsigned int 1 byte: world status flag
  Quote: 00 -> World down
- unsigned int 1 byte: server style flag
  Quote: 01 --> PVE World
- unsigned int 6 bytes: "F1 1D 07 00 01 00" unknown but static, maybe world server id
- unsigned int 1 byte: World Population flag
  Quote: 31 --> Low

The rest of the packet is crypto things, and that's Rajko's world xD.

OLD EXPLANATION

Old explanation, just for history record.

This is part of the group of packets sent in the process of login through the login server, just before contacting the margin server.
Note: real charnames are replaced by "--" and the username by "uu" for security reasons.

Code:
    0000 82 63 0B 00 00 00 00 00 00 00 00 00 00 BB 00 F3 .c..............

At first sight it could look complex, but it can be put into pieces very easily. Let's go from the top: the first part is useless at first, because it is not really known how to treat it, referring to:

Code:
    0010 01 1F 00 00 00 21 00 C0 D0 00 00 59 00 00 00 55

It must be a signature of some kind, including some ciphered info, apart from a timestamp, for example.

Following with the interesting things:

User characters codes

Code:
    <><> <> <> 00 02 00 00 1C 00 0A 6F 1F 00 00 00 00 00 .........o......

This part looks tricky but it's easy to see, you will. Decoding it by parts: "00 02" at the start means that there are 2 chars for this user (02) on the margin server, counting all the worlds that are there. What's going on with the other parts? They correspond to the info about the players we mentioned first. It's what is called an "array" (or a struct) of info from player data. It should match this pattern:

    Player: {globalid, localid, name, status, IDServerIn}

So if we take a close look we can see the matches and separate one of the chars... it makes these magic numbers (14 bytes):

    00 00 1C 00 0A 6F 1F 00 00 00 00 00 00 15

<00 00 1C 00 0A 06 1F> stands for global + local id
<00 00 00 00> are unused bytes (or unknown yet)
<00> stands for status flag
  Architect Wrote: flag can be set as 2 numbers. They must be in this list:
<15> stands for server id, which must match with a server id (see below)

We can repeat this with the other char, and we will see different ids, but the rest of the packet is the same.

Ok, what's up with the rest of the part I posted? Look carefully, I didn't talk about the names of the chars! See what we have:

    00 0A 00 -- -- -- -- -- -- -- -- -- 00 0C 00 -- -- -- -- -- -- -- -- -- -- -- 00

Again, it's simple. We got 2 items as names, so we take a division and analyze:
Note: Why did I take this division? Because 00 xxxx 00 means a unicode string with text "xxxx" and the 0's are the delimiters as start/end.

    00 0A 00 -- -- -- -- -- -- -- -- -- 00

<00> Separator from above
<0A> Characters to follow. That means '10' in hexadecimal, so chars must be 9 plus a \0 char (end-of-string in C)
<-- -- -- -- -- -- -- -- --> chars on the name
<00> end-of-string

Great, we got all the fields identified on a world-list data.

Worlds available codes

Code:
    <><> <> <> <> <> <> <> <> <> <> <> 00 03 00 00 15 00 uuuuuuuuu......

The first part delimits the number of worlds available (which won't be more than 3 in the real world list) with the "00 03" bytes and another "00" to delimit space between this and each world item. As with user codes, world codes follow a pattern which can be near to this one:

    World: {id, name, style, status, populationLevel}

So we take one item from the list, the first one (32 bytes):

    00 15 00 52 65 63 75 72 73 69 6F 6E 00 00 00 00 00 00 00 00 00 00 00 01 01 F1 1D 07 00 01 00 31

<00 15> stands for server ID. This one is what the chars will be associated with.
<00> delimiter (text)
<52 65 63 75 72 73 69 6F 6E 00> name (Recursion) + end-of-string
<00 00 00 00 00 00 00 00 00 00> unknown yet, or possible space for more chars for the world name
<01> server status flag
  Architect Wrote: Must be set to:
<01> server style flag
  Architect Wrote: Must be set to:
<F1 1D 07 00 01 00> unknown data (may be world internal id)
<31> server population load flag
  Architect Wrote: Must be set to:

Rest of the packet

At the moment, the rest of the packet is almost unknown, apart from the username, but it's a work-in-progress.
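As an added example (not code from this thread or from the Reality project), a Python builder and parser for the non-crypto part of the world-list packet as laid out in the NEWEST EXPLANATION above. It assumes big-endian multi-byte fields (the old dump shows "00 02" for two chars) and that the 3-byte pointer counts from the start of its own 14-byte block; neither is stated outright in the post, and the leading 26 crypto bytes are left out.

```python
import struct

WORLD_TAIL = bytes.fromhex("F11D07000100")   # static 6-byte block per world, from the post

def build_body(chars, worlds):
    """chars: [(char_id, status, server_id, name)]; worlds: [(server_id, name, status, style, population)]."""
    # part 2 entries: 2-byte (len+1), then 00 + name; big-endian is assumed from the old dump's "00 02"
    names = [(1 + len(n)).to_bytes(2, "big") + b"\x00" + n.encode("ascii") for *_, n in chars]
    data = b"\x02\x00" + len(chars).to_bytes(2, "big")
    for i, (cid, status, sid, _) in enumerate(chars):
        # 3-byte pointer: assumed to count from the start of this 14-byte block to the name-length field
        ptr = 14 * (len(chars) - i) + sum(len(x) for x in names[:i])
        data += ptr.to_bytes(3, "big") + struct.pack(">I", cid) + b"\x00" * 4 + bytes([status]) + sid.to_bytes(2, "big")
    data += b"".join(names) + len(worlds).to_bytes(2, "big") + b"\x00"
    for sid, name, status, style, pop in worlds:
        n = name.encode("ascii")
        if len(n) > 20:
            raise ValueError("world name + padding must fit in 20 bytes")
        data += sid.to_bytes(2, "big") + b"\x00" + n.ljust(20, b"\x00") + bytes([status, style]) + WORLD_TAIL + bytes([pop])
    # header from the post: 2-byte data length, then 3-byte (length - 4); the 26 crypto bytes are not modelled
    return len(data).to_bytes(2, "big") + (len(data) - 4).to_bytes(3, "big") + data

def parse_body(buf):
    """Inverse of build_body; raises ValueError on inconsistent header fields."""
    length = int.from_bytes(buf[:2], "big")
    if int.from_bytes(buf[2:5], "big") != length - 4 or buf[5:7] != b"\x02\x00":
        raise ValueError("bad header")
    data = buf[5:5 + length]
    count = int.from_bytes(data[2:4], "big")
    pos, chars = 4, []
    for _ in range(count):
        ptr = int.from_bytes(data[pos:pos + 3], "big")
        cid = struct.unpack(">I", data[pos + 3:pos + 7])[0]
        status, sid = data[pos + 11], int.from_bytes(data[pos + 12:pos + 14], "big")
        p = pos + ptr                                     # follow the pointer to the name entry
        nlen = int.from_bytes(data[p:p + 2], "big")
        chars.append((cid, status, sid, data[p + 3:p + 2 + nlen].decode("ascii")))
        pos += 14
    pos += sum(3 + len(n) for *_, n in chars)             # skip the name entries
    nworlds = int.from_bytes(data[pos:pos + 2], "big")
    pos, worlds = pos + 3, []
    for _ in range(nworlds):
        w = data[pos:pos + 32]
        worlds.append((int.from_bytes(w[:2], "big"), w[3:23].rstrip(b"\x00").decode("ascii"), w[23], w[24], w[31]))
        pos += 32
    return chars, worlds
```

With two constructed characters the first pointer comes out as 0x1C, the same value the old dump shows, which is what the block-relative reading of the pointer rests on.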
06-17-2009, 01:53 PM,
(This post was last modified: 06-17-2009, 04:02 PM by Neo.)
RE: World-list packet description.
Woah, this is awesome. Cool... ok, the rest part is the part that changes every time... the first part, I think maybe it could be the same Twofish decryption style like the world packets, maybe.

Aaah, I found something out too for this world packet: somewhere in the code there is the following:

Code:
    01514E7900757365726E616D65000000000000000000000000000000000000000000000000000001000000003575384A00000000000000000000000000000000000000000000000000000000000000000017

The 3575384A is a timestamp, but it must be read backwards... means: 4A387535, so we can generate the timestamp for this packet. I didn't try if this works, and if this is a part of the decryption, but I will test it. So the first packet reply is a timestamp too, in the backwards order.

After I tested to add only the timestamp, I got the "Server incompatible" message... that means that the timestamp is only a part of the decryption of the two parts, maybe. Somewhere in these parts there must be a margin and client checksum, I think.
06-29-2009, 04:53 AM,
RE: World-list packet description.
Are you trying to do Launchpad? You should ask the EverQuest 2 guys about that, they got a Launchpad going...
06-29-2009, 02:46 PM,
(This post was last modified: 06-29-2009, 02:48 PM by Neo.)
RE: World-list packet description.
https://www.assembla.com/wiki/show/swgemu/Packets - is very helpful to understand the SOE Protocol (for Launchpad only at MxO).

The problem we have is that MxO uses Launchpad for auth, but there is an additional MxO auth server too.
07-01-2009, 01:00 AM,
RE: World-list packet description.
Rajko, I think that the packet I described above matches in some ways a struct in C++, like:

    {integer,..., arrayofchars, arrayofServers,...}

Or even some object like "Character {data, name}" in that structure. Could you have a peek on it to confirm in C++? Maybe we could "decrypt" the parts that are unknown now and create a "real" auth server answer, following a pattern. I'm thinking that it looks like some "struct.pack" structure in Python, but not so sure about where to cut/paste to send to "struct.unpack".
07-01-2009, 01:57 AM,
RE: World-list packet description.
You would have to reverse engineer it to get the entire procedure...
And I can't even find the fucking thing, let alone do anything with it.
07-26-2009, 01:33 PM,
RE: World-list packet description.
After that gobbledygook Morpheus posted, there's 0x36 0x01 and then an 80-byte signature using pubkey.dat as verifier.

This signature is of the MD5 of the (5 bytes before first username) all the way up to 0x60 00. 0x60 00 means there are 96 bytes of encrypted data after, and it's encrypted with Twofish using AUTH_KEY as key and challenge as IV. Inside is completely random data (but doesn't change unless I change username). I have no idea what it is, but if I change even one byte of it, things go boom, and it just hangs at loading character. After the encrypted data is just your username again etc.
07-27-2009, 03:42 PM,
RE: World-list packet description.
WORLDLIST (AS_AuthReply) ANALYZING COMPLETE.

AUTH FULLY FUNCTIONAL, CHECK OUT REALITY SVN. MOVING ON TO MARGIN (already know how key exchange is done, about to implement).
07-28-2009, 02:01 PM,
RE: World-list packet description.
Yes, I saw it on the SVN yesterday and tried it out.

VERY VERY VERY VERY VERY GREAT WORK DUDES!!!!!!!!! I didn't believe that this was possible lol... but you both are awesome.
07-28-2009, 09:00 PM,
RE: World-list packet description.
World list structure (non crypto parts) updated.

Yay, more info discovered. Little, but fewer "unknown parts" now.