Valhalla Legends Forums Archive | General Discussion | Reversing a new game protocol

dlStevens
Well, I started trying to reverse Silkroad Online's game protocol (http://www.silkroadonline.net/). I started off by packet logging, and by testing sending the packets from a program I created.

From the server to the client, I receive 43 Bytes
Server -> Client
[code]
0000  25 00 00 50 00 00 0e d4 67 c7 e2 10 b4 7c 17 02  %..P....g....|..
0010  00 00 00 14 00 00 00 8f 9d da 6a fc c6 10 a4 61  ..........j....a
0020  d2 ce 68 4d 25 9f 71 bd 3a 5b 51                ..hM%.q.:[Q
[/code]

Then, the game client sends 18 bytes
Client -> Server
[code]
0000  0c 00 00 50 51 af 19 63 1d 36 06 41 e9 78 5e c6  ...PQ..c.6.A.x^.
0010  3c 0e                                            <.
[/code]

Well, I then tested connecting my program to the server and got...
Server->Client (43 bytes)
[code]
0000  25 00 00 50 00 00 0e ea 3d 10 b1 55 21 68 e2 8b  %..P....=..U!h..
0010  00 00 00 d7 00 00 00 b8 a0 e5 58 13 ba fd 45 41  ..........X...EA
0020  08 98 56 cb 08 73 71 e4 c5 1c 0a                ..V..sq....
[/code]

and then I send my 18 bytes..
Client->Server
[code]
0000  0c 00 00 50 b3 c4 26 7f 5c 58 fb f5 6a 6e c2 0f  ...P..&.\X..jn..
0010  1b a0                                            ..
[/code]

Right after I send that, my connection dropped, so I checked and, as you can see, my 18 bytes don't match what the client has... (I didn't mess up, it changes.) So my question is... How would I figure out what the correct 18 bytes are? And why would the 18 bytes change? This is even before I actually get to the game; this is to receive the news and updates, so it's not my username/password, and there's no CD key.

I don't expect the actual, exact answer, since I figure no one here has probably reversed, let alone looked at, this game; I was just curious to hear opinions.

Oh, and here are the other 3 packet logs from the client to the server (each 18 bytes):
[code]
(Packet Log 1) Client->Server: 0c 00 00 50 64 bb 2d 41 2f 2a de 4d 1d cb b7 e3 f7 84
(Packet Log 2) Client->Server: 0c 00 00 50 8c e8 4c 33 59 48 b8 2b c5 78 8b 11 29 c0
(Packet Log 3) Client->Server: 0c 00 00 50 51 af 19 63 1d 36 06 41 e9 78 5e c6 3c 0e
[/code]

Any help would be greatly appreciated! Thanks!
- Dale

EDIT: Actually, staring at my packet logs on here, it occurred to me that the 43 bytes I receive above from the server to the actual client are different from the 43 bytes that I receive through my client. Could the 18 bytes be modified according to that?
April 27, 2008, 12:52 AM
UserLoser
It's called disassembly and a debugger.
April 27, 2008, 1:16 AM
Ringo
Hm, at a glance, it looks like it's something like:
[code]
(WORD) Length of packet (excluding header)
(DWORD) Something maybe containing the packet id (0x50 maybe?) and maybe a checksum for outgoing data
(VOID) data
[/code]
It might be that the data is compressed or encrypted, but without seeing a dump of the whole logon, it's just a stab in the dark.
Is all the data like that, or are parts of it plain text?
April 27, 2008, 2:08 AM
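To make Ringo's guessed layout (WORD length, then a 4-byte field, then data) checkable against the dumps in this thread, here is a small frame parser. It is an added example written for this archive, not Dale's program, Ringo's code, or anything from the game; the 6-byte header split and the name "opcode_field" for the 4 bytes after the length are assumptions taken from Ringo's guess. The byte strings are copied from the hex dumps posted above (the 1828-byte news packet is only its first 32 bytes, so it also exercises the "capture shorter than the length field" case).

```python
"""Frame checker for the packet dumps posted in this thread.

Assumed layout (Ringo's guess, not confirmed by the page):
  WORD  length of the data following the 6-byte header, little-endian
  DWORD opaque field (maybe packet id / checksum); kept as raw bytes here
  data
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

HEADER_LEN = 6  # 2-byte length + 4-byte opaque field (assumption)


@dataclass
class Frame:
    body_len: int        # value of the length field
    opcode_field: bytes  # the 4 bytes after the length, left uninterpreted
    body: bytes          # data actually present in the capture
    missing: int         # bytes promised by the length field but not captured


def parse_frame(buf: bytes) -> Frame:
    """Parse one frame from the start of buf; tolerates a truncated capture."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than the 6-byte header")
    (body_len,) = struct.unpack_from("<H", buf, 0)
    body = buf[HEADER_LEN:HEADER_LEN + body_len]
    return Frame(body_len, buf[2:HEADER_LEN], body, body_len - len(body))


def split_stream(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Split a TCP byte stream into complete frames; return (frames, leftover).

    Frames can be concatenated or cut at a segment boundary, so anything
    that is not yet a whole frame is handed back for the next read.
    """
    frames, pos = [], 0
    while len(buf) - pos >= HEADER_LEN:
        (body_len,) = struct.unpack_from("<H", buf, pos)
        end = pos + HEADER_LEN + body_len
        if end > len(buf):
            break
        frames.append(parse_frame(buf[pos:end]))
        pos = end
    return frames, buf[pos:]


def printable_count(data: bytes) -> int:
    """Number of bytes in the printable ASCII range 0x20..0x7e.

    A high share suggests plain text; a low share suggests the body is
    encrypted, compressed, or binary, which is what Ringo asked about.
    """
    return sum(1 for b in data if 0x20 <= b <= 0x7e)


def common_prefix_len(packets: List[bytes]) -> int:
    """Length of the byte prefix shared by all packets (constant part)."""
    n = 0
    for i, b in enumerate(packets[0]):
        if all(len(p) > i and p[i] == b for p in packets[1:]):
            n += 1
        else:
            break
    return n


# --- dumps copied from the thread -------------------------------------------
SERVER_HELLO = bytes.fromhex(
    "25 00 00 50 00 00 0e d4 67 c7 e2 10 b4 7c 17 02"
    "00 00 00 14 00 00 00 8f 9d da 6a fc c6 10 a4 61"
    "d2 ce 68 4d 25 9f 71 bd 3a 5b 51"
)
CLIENT_REPLIES = [bytes.fromhex(h) for h in (
    "0c 00 00 50 51 af 19 63 1d 36 06 41 e9 78 5e c6 3c 0e",
    "0c 00 00 50 64 bb 2d 41 2f 2a de 4d 1d cb b7 e3 f7 84",
    "0c 00 00 50 8c e8 4c 33 59 48 b8 2b c5 78 8b 11 29 c0",
)]
GATEWAY = bytes.fromhex(
    "10 00 01 20 00 00 0d 00 47 61 74 65 77 61 79 53 65 72 76 65 72 00"
)
# First 32 bytes of the 1460-byte news capture (length field says 0x0724).
NEWS_PREFIX = bytes.fromhex(
    "24 07 0d 60 00 00 00 04 34 00 5b 45 78 74 72 61"
    "20 49 6e 73 70 65 63 74 69 6f 6e 5d 20 45 78 74"
)


if __name__ == "__main__":
    for name, pkt in [("server hello", SERVER_HELLO), ("gateway", GATEWAY),
                      ("news prefix", NEWS_PREFIX)] + \
                     [(f"client reply {i}", p) for i, p in enumerate(CLIENT_REPLIES)]:
        f = parse_frame(pkt)
        print(f"{name:15} len={f.body_len:5} field={f.opcode_field.hex()} "
              f"printable={printable_count(f.body)}/{len(f.body)} missing={f.missing}")
    print("bytes constant across client replies:", common_prefix_len(CLIENT_REPLIES))
```

Run as-is, the length field accounts for every captured packet once 6 header bytes are subtracted, the news packet shows up as cut short (1802 bytes still to come, so it spans more than one TCP segment), and the three 18-byte client packets share only their first 4 bytes, which is consistent with Dale's suspicion that the 12-byte body is derived per session from the server's 43 bytes.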
dlStevens
At this part, it's all like that, but as I get later into other packets I get plain-text data:

[code]
0000  10 00 01 20 00 00 0d 00 47 61 74 65 77 61 79 53  ... ....GatewayS
0010  65 72 76 65 72 00                                erver.
[/code]

and even later

[code]
0000  24 07 0d 60 00 00 00 04 34 00 5b 45 78 74 72 61  $..`....4.[Extra
0010  20 49 6e 73 70 65 63 74 69 6f 6e 5d 20 45 78 74  Inspection] Ext
0020  72 61 20 53 65 72 76 65 72 20 49 6e 73 70 65 63  ra Server Inspec
0030  74 69 6f 6e 20 43 6f 6d 70 6c 65 74 65 64 ff 00  tion Completed..
0040  3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 79  <b><font color=y
0050  65 6c 6c 6f 77 3e 45 78 74 72 61 20 53 65 72 76  ellow>Extra Serv
0060  65 72 20 49 6e 73 70 65 63 74 69 6f 6e 20 43 6f  er Inspection Co
0070  6d 70 6c 65 74 65 64 3c 2f 66 6f 6e 74 3e 3c 2f  mpleted</font></
0080  62 3e 0d 0a 0d 0a 45 78 74 72 61 20 73 65 72 76  b>....Extra serv
0090  65 72 20 69 6e 73 70 65 63 74 69 6f 6e 20 6f 66  er inspection of
00a0  20 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d  <b><font color=
00b0  79 65 6c 6c 6f 77 3e 50 65 72 73 69 61 3c 2f 66  yellow>Persia</f
00c0  6f 6e 74 3e 3c 2f 62 3e 20 68 61 73 20 62 65 65  ont></b> has bee
00d0  6e 20 63 6f 6d 70 6c 65 74 65 64 2e 0d 0a 0d 0a  n completed.....
00e0  3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 79  <b><font color=y
00f0  65 6c 6c 6f 77 3e 54 69 6d 65 20 6f 66 20 43 6f  ellow>Time of Co
0100  6d 70 6c 65 74 69 6f 6e 3c 2f 66 6f 6e 74 3e 20  mpletion</font>
0110  3a 20 41 70 72 20 32 32 2c 20 32 30 30 38 20 31  : Apr 22, 2008 1
0120  36 3a 35 30 20 53 69 6c 6b 72 6f 61 64 20 53 74  6:50 Silkroad St
0130  61 6e 64 61 72 64 20 54 69 6d 65 3c 2f 62 3e d8  andard Time</b>.
0140  07 04 00 16 00 10 00 38 00 08 00 40 98 1e 09 1b  .......8...@....
0150  00 50 61 79 70 61 6c 20 49 6e 73 70 65 63 74 69  .Paypal Inspecti
0160  6f 6e 20 43 6f 6d 70 6c 65 74 65 64 ef 01 3c 62  on Completed..<b
0170  3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 79 65 6c  ><font color=yel
0180  6c 6f 77 3e 50 61 79 70 61 6c 20 49 6e 73 70 65  low>Paypal Inspe
0190  63 74 69 6f 6e 20 43 6f 6d 70 6c 65 74 65 64 3c  ction Completed<
01a0  2f 66 6f 6e 74 3e 3c 2f 62 3e 0d 0a 0d 0a 50 61  /font></b>....Pa
01b0  79 70 61 6c 20 69 73 20 6e 6f 77 20 77 6f 72 6b  ypal is now work
01c0  69 6e 67 20 6e 6f 72 6d 61 6c 6c 79 20 61 6e 64  ing normally and
01d0  20 74 72 61 6e 73 61 63 74 69 6f 6e 73 20 63 61  transactions ca
01e0  6e 20 70 72 6f 63 65 65 64 20 6e 6f 72 6d 61 6c  n proceed normal
01f0  6c 79 2e 0d 0a 0d 0a 3c 66 6f 6e 74 20 63 6f 6c  ly.....<font col
0200  6f 72 3d 79 65 6c 6c 6f 77 3e 48 6f 77 65 76 65  or=yellow>Howeve
0210  72 2c 20 73 6f 6d 65 20 6f 66 20 6f 75 72 20 75  r, some of our u
0220  73 65 72 73 20 63 6f 75 6c 64 20 62 65 20 72 65  sers could be re
0230  63 65 69 76 65 64 20 73 69 6c 6b 20 61 20 6c 69  ceived silk a li
0240  74 74 6c 65 20 62 69 74 20 6c 61 74 65 20 62 65  ttle bit late be
0250  63 61 75 73 65 20 6f 66 20 74 68 65 20 73 79 73  cause of the sys
0260  74 65 6d 20 64 65 6c 61 79 2e 3c 2f 66 6f 6e 74  tem delay.</font
0270  3e 0d 0a 0d 0a 57 65 20 77 69 6c 6c 20 72 65 73  >....We will res
0280  74 6f 72 65 20 53 69 6c 6b 20 74 6f 20 61 6c 6c  tore Silk to all
0290  20 75 73 65 72 73 20 74 68 61 74 20 68 61 76 65  users that have
02a0  20 6d 61 64 65 20 63 6f 6d 70 6c 65 74 65 64 20  made completed
02b0  70 61 79 6d 65 6e 74 73 20 62 75 74 20 64 69 64  payments but did
02c0  20 6e 6f 74 20 72 65 63 65 69 76 65 20 53 69 6c  not receive Sil
02d0  6b 20 64 75 72 69 6e 67 20 74 68 65 20 74 69 6d  k during the tim
02e0  65 20 6f 66 20 69 6e 73 70 65 63 74 69 6f 6e 2e  e of inspection.
02f0  20 54 68 69 73 20 73 69 6c 6b 20 77 69 6c 6c 20  This silk will
0300  62 65 20 72 65 73 74 69 74 75 74 65 64 20 77 69  be restituted wi
0310  74 68 69 6e 20 61 20 63 6f 75 70 6c 65 20 6f 66  thin a couple of
0320  20 64 61 79 73 2e 0d 0a 0d 0a 57 65 20 61 70 6f  days.....We apo
0330  6c 6f 67 69 7a 65 20 66 6f 72 20 74 68 65 20 70  logize for the p
0340  72 6f 62 6c 65 6d 73 20 74 68 69 73 20 6d 61 79  roblems this may
0350  20 68 61 76 65 20 63 61 75 73 65 64 2e d8 07 04  have caused....
0360  00 16 00 10 00 35 00 22 00 40 fd eb 26 36 00 5b  .....5.".@..&6.[
0370  57 65 65 6b 6c 79 20 49 6e 73 70 65 63 74 69 6f  Weekly Inspectio
0380  6e 5d 20 57 65 65 6b 6c 79 20 53 65 72 76 65 72  n] Weekly Server
0390  20 49 6e 73 70 65 63 74 69 6f 6e 20 43 6f 6d 70  Inspection Comp
03a0  6c 65 74 65 64 6b 01 3c 62 3e 3c 66 6f 6e 74 20  letedk.<b><font
03b0  63 6f 6c 6f 72 3d 79 65 6c 6c 6f 77 3e 57 65 65  color=yellow>Wee
03c0  6b 6c 79 20 53 65 72 76 65 72 20 49 6e 73 70 65  kly Server Inspe
03d0  63 74 69 6f 6e 20 43 6f 6d 70 6c 65 74 65 64 3c  ction Completed<
03e0  2f 66 6f 6e 74 3e 3c 2f 62 3e 0d 0a 0d 0a 49 6e  /font></b>....In
03f0  20 6f 72 64 65 72 20 74 6f 20 6d 61 69 6e 74 61  order to mainta
0400  69 6e 20 61 20 70 6c 65 61 73 61 6e 74 20 67 61  in a pleasant ga
0410  6d 69 6e 67 20 61 6e 64 20 73 6d 6f 6f 74 68 20  ming and smooth
0420  70 61 74 63 68 69 6e 67 20 65 78 70 65 72 69 65  patching experie
0430  6e 63 65 2c 20 77 65 65 6b 6c 79 20 73 65 72 76  nce, weekly serv
0440  65 72 20 69 6e 73 70 65 63 74 69 6f 6e 20 6f 66  er inspection of
0450  20 61 6c 6c 20 73 65 72 76 65 72 73 20 68 61 73  all servers has
0460  20 62 65 65 6e 20 63 6f 6d 70 6c 65 74 65 64 2e  been completed.
0470  0d 0a 0d 0a 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c  ....<b><font col
0480  6f 72 3d 79 65 6c 6c 6f 77 3e 54 69 6d 65 20 6f  or=yellow>Time o
0490  66 20 43 6f 6d 70 6c 65 74 69 6f 6e 3c 2f 66 6f  f Completion</fo
04a0  6e 74 3e 20 3a 20 41 70 72 20 32 32 2c 20 32 30  nt> : Apr 22, 20
04b0  30 38 20 31 36 3a 30 35 20 53 69 6c 6b 72 6f 61  08 16:05 Silkroa
04c0  64 20 53 74 61 6e 64 61 72 64 20 54 69 6d 65 3c  d Standard Time<
04d0  2f 62 3e 0d 0a 0d 0a 3c 62 3e 3c 66 6f 6e 74 20  /b>....<b><font
04e0  63 6f 6c 6f 72 3d 79 65 6c 6c 6f 77 3e 5b 50 61  color=yellow>[Pa
04f0  74 63 68 5d 3c 2f 66 6f 6e 74 3e 3c 2f 62 3e 0d  tch]</font></b>.
0500  0a 2d 20 44 61 74 61 62 61 73 65 20 62 61 63 6b  .- Database back
0510  75 70 d8 07 04 00 16 00 10 00 0a 00 38 00 40 dc  up..........8.@.
0520  b3 11 0d 00 50 61 79 70 61 6c 20 4e 6f 74 69 63  ....Paypal Notic
0530  65 e7 01 3c 62 3e 3c 66 6f 6e 74 20 63 6f 6c 6f  e..<b><font colo
0540  72 3d 79 65 6c 6c 6f 77 3e 50 61 79 70 61 6c 20  r=yellow>Paypal
0550  4e 6f 74 69 63 65 3c 2f 66 6f 6e 74 3e 3c 2f 62  Notice</font></b
0560  3e 0d 0a 0d 0a 50 61 79 70 61 6c 20 69 73 20 6e  >....Paypal is n
0570  6f 77 20 77 6f 72 6b 69 6e 67 20 6e 6f 72 6d 61  ow working norma
0580  6c 6c 79 20 61 6e 64 20 74 72 61 6e 73 61 63 74  lly and transact
0590  69 6f 6e 73 20 63 61 6e 20 70 72 6f 63 65 65 64  ions can proceed
05a0  20 6e 6f 72 6d 61 6c 6c 79 2e 0d 0a 0d 0a 3c 66  normally.....<f
05b0  6f 6e 74 20                                      ont
[/code]
April 27, 2008, 2:18 AM
warz
You really don't need to guess at this kind of stuff. Like UserLoser mentioned - check this out in a debugger, disassemble files you think are related, etc. SRSLY.
April 27, 2008, 4:43 AM
dlStevens
Yeah, I've looked at it in IDA and OllyDbg, but I'm just trying to get as much out of a packet log as possible, since I'm not really that experienced in disassembly. But I probably should be, since my purpose in this is to learn.
April 27, 2008, 5:08 AM
UserLoser
Wrong forum, too.
April 27, 2008, 6:36 AM
Ringo
[quote author=Dale link=topic=17470.msg177935#msg177935 date=1209262706]
At this part, it's all like that, but as I get later into other packets I get plain-text data.
[/quote]
Oh, they are probably hashes or encrypted blocks (or maybe compressed data, if the lengths are not constant) of passwords and whatever else gets authed.
So, as UL mentioned, debugging is probably the best way through that, if they are not common algorithms.
April 27, 2008, 8:09 AM
dlStevens
[quote author=Ringo link=topic=17470.msg177947#msg177947 date=1209283763]
[quote author=Dale link=topic=17470.msg177935#msg177935 date=1209262706]
At this part, it's all like that, but as I get later into other packets I get plain-text data.
[/quote]
Oh, they are probably hashes or encrypted blocks (or maybe compressed data, if the lengths are not constant) of passwords and whatever else gets authed.
So, as UL mentioned, debugging is probably the best way through that, if they are not common algorithms.
[/quote]

Well, while I was researching, I read that Silkroad uses the Blowfish algorithm, but I just haven't found out whether it's encrypting these packets as well as the game packets, or just the game packets.
April 27, 2008, 4:56 PM