Author | Message | Time |
---|---|---|
dlStevens | Well, I started at trying to reverse Silkroad Online's game protocol (http://www.silkroadonline.net/) and I started off by packet logging, and testing sending the packets, from a program I created.. From the server to the client, I receive 43 bytes Server -> Client [code] 0000 25 00 00 50 00 00 0e d4 67 c7 e2 10 b4 7c 17 02 %..P....g....|.. 0010 00 00 00 14 00 00 00 8f 9d da 6a fc c6 10 a4 61 ..........j....a 0020 d2 ce 68 4d 25 9f 71 bd 3a 5b 51 ..hM%.q.:[Q [/code] Then, the game client sends 18 bytes Client -> Server [code] 0000 0c 00 00 50 51 af 19 63 1d 36 06 41 e9 78 5e c6 ...PQ..c.6.A.x^. 0010 3c 0e <. [/code] Well, I then tested connecting my program to the server and got... Server->Client (43 bytes) [code] 0000 25 00 00 50 00 00 0e ea 3d 10 b1 55 21 68 e2 8b %..P....=..U!h.. 0010 00 00 00 d7 00 00 00 b8 a0 e5 58 13 ba fd 45 41 ..........X...EA 0020 08 98 56 cb 08 73 71 e4 c5 1c 0a ..V..sq.... [/code] and then I send my 18 bytes.. Client->Server [code] 0000 0c 00 00 50 b3 c4 26 7f 5c 58 fb f5 6a 6e c2 0f ...P..&.\X..jn.. 0010 1b a0 .. [/code] Right after I send that, my connection dropped, so I checked and as you can see, my 18 bytes don't match what the client has... (I didn't mess up, it changes) So my question is... How would I figure out what the correct 18 bytes are? And why would the 18 bytes change? This is even before I actually get to the game; this is to receive the news and updates, so it's not my username/password (and there's no cdkey). I don't expect the actual, exact answer, since I figure no one here has probably reversed, let alone looked at this game, I was just curious to hear opinions. Oh and, here are the other 3 packet logs from the client to the server (each 18 bytes) [code] (Packet Log 1) Client->Server: 0c 00 00 50 64 bb 2d 41 2f 2a de 4d 1d cb b7 e3 f7 84 (Packet Log 2) Client->Server: 0c 00 00 50 8c e8 4c 33 59 48 b8 2b c5 78 8b 11 29 c0 (Packet Log 3) Client->Server: 0c 00 00 50 51 af 19 63 1d 36 06 41 e9 78 5e c6 3c 0e [/code] Any help would be greatly appreciated! Thanks! - Dale EDIT: Actually, staring at my packet logs on here, it occurred to me, the 43 bytes I receive above from the server to the actual client are different than the 43 bytes that I receive through my client; could the 18 bytes be modified according to that? | April 27, 2008, 12:52 AM |
UserLoser | it's called disassembly and debugger | April 27, 2008, 1:16 AM |
Ringo | Hm, at a glance, looks like it's something like: [code] (WORD) Length of packet (excluding header) (DWORD) Something maybe containing the packet id (0x50 maybe?) and maybe a checksum for outgoing data (VOID) data [/code] It might be that the data is compressed or encrypted, but without seeing a dump of the whole logon, it's just a stab in the dark. Is all the data like that, or are parts of it plain text? | April 27, 2008, 2:08 AM |
dlStevens | At this part, it's all like that, but as I get later into other packets I get data in plain text [code] 0000 10 00 01 20 00 00 0d 00 47 61 74 65 77 61 79 53 ... ....GatewayS 0010 65 72 76 65 72 00 erver. [/code] and even later [code] 0000 24 07 0d 60 00 00 00 04 34 00 5b 45 78 74 72 61 $..`....4.[Extra 0010 20 49 6e 73 70 65 63 74 69 6f 6e 5d 20 45 78 74 Inspection] Ext 0020 72 61 20 53 65 72 76 65 72 20 49 6e 73 70 65 63 ra Server Inspec 0030 74 69 6f 6e 20 43 6f 6d 70 6c 65 74 65 64 ff 00 tion Completed.. 0040 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 79 <b><font color=y 0050 65 6c 6c 6f 77 3e 45 78 74 72 61 20 53 65 72 76 ellow>Extra Serv 0060 65 72 20 49 6e 73 70 65 63 74 69 6f 6e 20 43 6f er Inspection Co 0070 6d 70 6c 65 74 65 64 3c 2f 66 6f 6e 74 3e 3c 2f mpleted</font></ 0080 62 3e 0d 0a 0d 0a 45 78 74 72 61 20 73 65 72 76 b>....Extra serv 0090 65 72 20 69 6e 73 70 65 63 74 69 6f 6e 20 6f 66 er inspection of 00a0 20 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d <b><font color= 00b0 79 65 6c 6c 6f 77 3e 50 65 72 73 69 61 3c 2f 66 yellow>Persia</f 00c0 6f 6e 74 3e 3c 2f 62 3e 20 68 61 73 20 62 65 65 ont></b> has bee 00d0 6e 20 63 6f 6d 70 6c 65 74 65 64 2e 0d 0a 0d 0a n completed..... 00e0 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 79 <b><font color=y 00f0 65 6c 6c 6f 77 3e 54 69 6d 65 20 6f 66 20 43 6f ellow>Time of Co 0100 6d 70 6c 65 74 69 6f 6e 3c 2f 66 6f 6e 74 3e 20 mpletion</font> 0110 3a 20 41 70 72 20 32 32 2c 20 32 30 30 38 20 31 : Apr 22, 2008 1 0120 36 3a 35 30 20 53 69 6c 6b 72 6f 61 64 20 53 74 6:50 Silkroad St 0130 61 6e 64 61 72 64 20 54 69 6d 65 3c 2f 62 3e d8 andard Time</b>. 0140 07 04 00 16 00 10 00 38 00 08 00 40 98 1e 09 1b .......8...@.... 0150 00 50 61 79 70 61 6c 20 49 6e 73 70 65 63 74 69 .Paypal Inspecti 0160 6f 6e 20 43 6f 6d 70 6c 65 74 65 64 ef 01 3c 62 on Completed..<b 0170 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 79 65 6c ><font color=yel 0180 6c 6f 77 3e 50 61 79 70 61 6c 20 49 6e 73 70 65 low>Paypal Inspe 0190 63 74 69 6f 6e 20 43 6f 6d 70 6c 65 74 65 64 3c ction Completed< 01a0 2f 66 6f 6e 74 3e 3c 2f 62 3e 0d 0a 0d 0a 50 61 /font></b>....Pa 01b0 79 70 61 6c 20 69 73 20 6e 6f 77 20 77 6f 72 6b ypal is now work 01c0 69 6e 67 20 6e 6f 72 6d 61 6c 6c 79 20 61 6e 64 ing normally and 01d0 20 74 72 61 6e 73 61 63 74 69 6f 6e 73 20 63 61 transactions ca 01e0 6e 20 70 72 6f 63 65 65 64 20 6e 6f 72 6d 61 6c n proceed normal 01f0 6c 79 2e 0d 0a 0d 0a 3c 66 6f 6e 74 20 63 6f 6c ly.....<font col 0200 6f 72 3d 79 65 6c 6c 6f 77 3e 48 6f 77 65 76 65 or=yellow>Howeve 0210 72 2c 20 73 6f 6d 65 20 6f 66 20 6f 75 72 20 75 r, some of our u 0220 73 65 72 73 20 63 6f 75 6c 64 20 62 65 20 72 65 sers could be re 0230 63 65 69 76 65 64 20 73 69 6c 6b 20 61 20 6c 69 ceived silk a li 0240 74 74 6c 65 20 62 69 74 20 6c 61 74 65 20 62 65 ttle bit late be 0250 63 61 75 73 65 20 6f 66 20 74 68 65 20 73 79 73 cause of the sys 0260 74 65 6d 20 64 65 6c 61 79 2e 3c 2f 66 6f 6e 74 tem delay.</font 0270 3e 0d 0a 0d 0a 57 65 20 77 69 6c 6c 20 72 65 73 >....We will res 0280 74 6f 72 65 20 53 69 6c 6b 20 74 6f 20 61 6c 6c tore Silk to all 0290 20 75 73 65 72 73 20 74 68 61 74 20 68 61 76 65 users that have 02a0 20 6d 61 64 65 20 63 6f 6d 70 6c 65 74 65 64 20 made completed 02b0 70 61 79 6d 65 6e 74 73 20 62 75 74 20 64 69 64 payments but did 02c0 20 6e 6f 74 20 72 65 63 65 69 76 65 20 53 69 6c not receive Sil 02d0 6b 20 64 75 72 69 6e 67 20 74 68 65 20 74 69 6d k during the tim 02e0 65 20 6f 66 20 69 6e 73 70 65 63 74 69 6f 6e 2e e of inspection. 02f0 20 54 68 69 73 20 73 69 6c 6b 20 77 69 6c 6c 20 This silk will 0300 62 65 20 72 65 73 74 69 74 75 74 65 64 20 77 69 be restituted wi 0310 74 68 69 6e 20 61 20 63 6f 75 70 6c 65 20 6f 66 thin a couple of 0320 20 64 61 79 73 2e 0d 0a 0d 0a 57 65 20 61 70 6f days.....We apo 0330 6c 6f 67 69 7a 65 20 66 6f 72 20 74 68 65 20 70 logize for the p 0340 72 6f 62 6c 65 6d 73 20 74 68 69 73 20 6d 61 79 roblems this may 0350 20 68 61 76 65 20 63 61 75 73 65 64 2e d8 07 04 have caused.... 0360 00 16 00 10 00 35 00 22 00 40 fd eb 26 36 00 5b .....5.".@..&6.[ 0370 57 65 65 6b 6c 79 20 49 6e 73 70 65 63 74 69 6f Weekly Inspectio 0380 6e 5d 20 57 65 65 6b 6c 79 20 53 65 72 76 65 72 n] Weekly Server 0390 20 49 6e 73 70 65 63 74 69 6f 6e 20 43 6f 6d 70 Inspection Comp 03a0 6c 65 74 65 64 6b 01 3c 62 3e 3c 66 6f 6e 74 20 letedk.<b><font 03b0 63 6f 6c 6f 72 3d 79 65 6c 6c 6f 77 3e 57 65 65 color=yellow>Wee 03c0 6b 6c 79 20 53 65 72 76 65 72 20 49 6e 73 70 65 kly Server Inspe 03d0 63 74 69 6f 6e 20 43 6f 6d 70 6c 65 74 65 64 3c ction Completed< 03e0 2f 66 6f 6e 74 3e 3c 2f 62 3e 0d 0a 0d 0a 49 6e /font></b>....In 03f0 20 6f 72 64 65 72 20 74 6f 20 6d 61 69 6e 74 61 order to mainta 0400 69 6e 20 61 20 70 6c 65 61 73 61 6e 74 20 67 61 in a pleasant ga 0410 6d 69 6e 67 20 61 6e 64 20 73 6d 6f 6f 74 68 20 ming and smooth 0420 70 61 74 63 68 69 6e 67 20 65 78 70 65 72 69 65 patching experie 0430 6e 63 65 2c 20 77 65 65 6b 6c 79 20 73 65 72 76 nce, weekly serv 0440 65 72 20 69 6e 73 70 65 63 74 69 6f 6e 20 6f 66 er inspection of 0450 20 61 6c 6c 20 73 65 72 76 65 72 73 20 68 61 73 all servers has 0460 20 62 65 65 6e 20 63 6f 6d 70 6c 65 74 65 64 2e been completed. 0470 0d 0a 0d 0a 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c ....<b><font col 0480 6f 72 3d 79 65 6c 6c 6f 77 3e 54 69 6d 65 20 6f or=yellow>Time o 0490 66 20 43 6f 6d 70 6c 65 74 69 6f 6e 3c 2f 66 6f f Completion</fo 04a0 6e 74 3e 20 3a 20 41 70 72 20 32 32 2c 20 32 30 nt> : Apr 22, 20 04b0 30 38 20 31 36 3a 30 35 20 53 69 6c 6b 72 6f 61 08 16:05 Silkroa 04c0 64 20 53 74 61 6e 64 61 72 64 20 54 69 6d 65 3c d Standard Time< 04d0 2f 62 3e 0d 0a 0d 0a 3c 62 3e 3c 66 6f 6e 74 20 /b>....<b><font 04e0 63 6f 6c 6f 72 3d 79 65 6c 6c 6f 77 3e 5b 50 61 color=yellow>[Pa 04f0 74 63 68 5d 3c 2f 66 6f 6e 74 3e 3c 2f 62 3e 0d tch]</font></b>. 0500 0a 2d 20 44 61 74 61 62 61 73 65 20 62 61 63 6b .- Database back 0510 75 70 d8 07 04 00 16 00 10 00 0a 00 38 00 40 dc up..........8.@. 0520 b3 11 0d 00 50 61 79 70 61 6c 20 4e 6f 74 69 63 ....Paypal Notic 0530 65 e7 01 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f e..<b><font colo 0540 72 3d 79 65 6c 6c 6f 77 3e 50 61 79 70 61 6c 20 r=yellow>Paypal 0550 4e 6f 74 69 63 65 3c 2f 66 6f 6e 74 3e 3c 2f 62 Notice</font></b 0560 3e 0d 0a 0d 0a 50 61 79 70 61 6c 20 69 73 20 6e >....Paypal is n 0570 6f 77 20 77 6f 72 6b 69 6e 67 20 6e 6f 72 6d 61 ow working norma 0580 6c 6c 79 20 61 6e 64 20 74 72 61 6e 73 61 63 74 lly and transact 0590 69 6f 6e 73 20 63 61 6e 20 70 72 6f 63 65 65 64 ions can proceed 05a0 20 6e 6f 72 6d 61 6c 6c 79 2e 0d 0a 0d 0a 3c 66 normally.....<f 05b0 6f 6e 74 20 ont [/code] | April 27, 2008, 2:18 AM |
warz | You really don't need to guess at this kind of stuff. Like UserLoser mentioned - check this out in a debugger, disassemble files you think are related, etc. SRSLY. | April 27, 2008, 4:43 AM |
dlStevens | Yeah, I've looked at it in IDA and OllyDbg but, I'm just trying to get as much out of a packet log as possible.. since I'm not really that experienced in disassembly.. But I probably should, since my purpose in this is to learn.. | April 27, 2008, 5:08 AM |
UserLoser | wrong forum too | April 27, 2008, 6:36 AM |
Ringo | [quote author=Dale link=topic=17470.msg177935#msg177935 date=1209262706] At this part, it's all like that, but as I get later into other packets I get data in plain text [/quote] Oh, they are probably hashes or encrypted blocks (or maybe compressed data if the lengths are not constant) of passwords and whatever else gets authed. So as ul mentioned, debugging is probably the best way through that, if they are not common algorithms. | April 27, 2008, 8:09 AM |
dlStevens | [quote author=Ringo link=topic=17470.msg177947#msg177947 date=1209283763] [quote author=Dale link=topic=17470.msg177935#msg177935 date=1209262706] At this part, it's all like that, but as I get later into other packets I get data in plain text [/quote] Oh, they are probably hashes or encrypted blocks (or maybe compressed data if the lengths are not constant) of passwords and whatever else gets authed. So as ul mentioned, debugging is probably the best way through that, if they are not common algorithms. [/quote] Well, while I was researching I read that Silkroad uses the Blowfish algorithm, but I just haven't found out if it's encrypting these packets as well as the game packets, or just the game packets. | April 27, 2008, 4:56 PM |
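Ringo's proposed layout (a WORD length excluding the header, a DWORD tag, then data) can be checked directly against the bytes dlStevens posted, which is the sanity check to do before guessing at what the payload is. The script below is an added example, not code from the thread or from the game. It assumes a 6-byte header (2-byte little-endian length plus a 4-byte tag, my reading of Ringo's WORD + DWORD), and it assumes the u16-length-prefixed string shape read off the 22-byte plaintext "GatewayServer" packet; the byte strings are transcribed from the thread's hex dumps with the offset and ASCII columns removed, and the labels are mine.

```python
"""Framing check over the packet captures quoted in this thread.

Added example (not the thread's or the game's code). Layout assumed, following
Ringo's guess: u16 little-endian body length, 4-byte tag, then the body.
"""
import struct

HEADER_LEN = 6  # u16 length + 4-byte tag (assumed layout)

# Byte strings transcribed from the dumps in the thread (offset/ASCII columns dropped).
SERVER_43_TO_REAL_CLIENT = bytes.fromhex(
    "25 00 00 50 00 00 0e d4 67 c7 e2 10 b4 7c 17 02 "
    "00 00 00 14 00 00 00 8f 9d da 6a fc c6 10 a4 61 "
    "d2 ce 68 4d 25 9f 71 bd 3a 5b 51")
SERVER_43_TO_OWN_PROGRAM = bytes.fromhex(
    "25 00 00 50 00 00 0e ea 3d 10 b1 55 21 68 e2 8b "
    "00 00 00 d7 00 00 00 b8 a0 e5 58 13 ba fd 45 41 "
    "08 98 56 cb 08 73 71 e4 c5 1c 0a")
CLIENT_18_LOGS = [  # the three 18-byte client replies from the first post
    bytes.fromhex("0c 00 00 50 64 bb 2d 41 2f 2a de 4d 1d cb b7 e3 f7 84"),
    bytes.fromhex("0c 00 00 50 8c e8 4c 33 59 48 b8 2b c5 78 8b 11 29 c0"),
    bytes.fromhex("0c 00 00 50 51 af 19 63 1d 36 06 41 e9 78 5e c6 3c 0e"),
]
GATEWAY_22 = bytes.fromhex(  # the 22-byte plaintext packet
    "10 00 01 20 00 00 0d 00 47 61 74 65 77 61 79 53 65 72 76 65 72 00")


def parse_frame(raw):
    """Split one packet into length / tag / body and verify the length field.

    Raises ValueError when the declared body length disagrees with what was
    received; if that ever fires on a real capture, the framing guess is wrong.
    """
    if len(raw) < HEADER_LEN:
        raise ValueError("short packet: %d bytes" % len(raw))
    (body_len,) = struct.unpack_from("<H", raw, 0)
    tag = raw[2:HEADER_LEN]
    body = raw[HEADER_LEN:]
    if body_len != len(body):
        raise ValueError("length field says %d, body has %d" % (body_len, len(body)))
    return {"length": body_len, "tag": tag, "body": body}


def read_string(body, offset=0):
    """Read a u16-length-prefixed ASCII string ('0d 00' + 'GatewayServer' in the
    22-byte packet). Returns (text, offset just past the text)."""
    (n,) = struct.unpack_from("<H", body, offset)
    start = offset + 2
    return body[start:start + n].decode("ascii"), start + n


def constant_positions(samples):
    """Byte offsets at which every capture in `samples` carries the same value."""
    width = min(len(s) for s in samples)
    return [i for i in range(width) if len({s[i] for s in samples}) == 1]


def summarize(label, raw):
    f = parse_frame(raw)
    print("%-20s len=%2d tag=%s body=%s" % (label, f["length"], f["tag"].hex(), f["body"].hex()))


if __name__ == "__main__":
    summarize("server->real client", SERVER_43_TO_REAL_CLIENT)
    summarize("server->own program", SERVER_43_TO_OWN_PROGRAM)
    for i, pkt in enumerate(CLIENT_18_LOGS, 1):
        summarize("client log %d" % i, pkt)
    summarize("gateway packet", GATEWAY_22)
    name, _ = read_string(parse_frame(GATEWAY_22)["body"])
    print("string in 22-byte packet:", name)
    print("offsets constant across the 3 client replies:", constant_positions(CLIENT_18_LOGS))
    print("offsets constant across the 2 server packets:",
          constant_positions([SERVER_43_TO_REAL_CLIENT, SERVER_43_TO_OWN_PROGRAM]))
```

Under that layout every capture is self-consistent: the length fields read 37, 12 and 16 and match the 43-, 18- and 22-byte packets exactly, and the tag is 00 50 00 00 on the handshake packets and 01 20 00 00 on the plaintext one, which fits Ringo's "packet id" reading. Across the three client replies only the four header bytes are stable, and the two server packets differ everywhere except the header, a few zero bytes and one coincidental match, so nothing in the 18 bytes is reusable from one connection to the next. That is consistent with dlStevens's edit (the reply being derived from the per-connection 43 bytes), but a packet log can only show that much; which function derives it is the debugger question UserLoser and warz pointed at.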