Determining Version Without Wireshark or GRFTools

VashTheStampede
Plain Yogurt
Posts: 68
Joined: 11 Jun 2011, 01:47
Noob?: No

Determining Version Without Wireshark or GRFTools

#1 Post by VashTheStampede »

I've come across a few servers that won't work with Wireshark, and trying GRFTools on clientinfo.xml as a backup won't work either.
By guessing common versions and master versions, I've had some of them work (though they always need recvpackets updated).
But it's annoying trying 40+ combinations blindly and never *really* knowing if you've exhausted your possibilities (obviously there are well over a thousand possible combos).
I've had the best luck with guessing version 16 and 24 with master 2, 8 or 14. I think that works about 1/3 of the time.

I figure there's some third way, probably involving a hex editor. Which I'm comfortable with. I just have no idea what and where to look.

I'm not talking about custom packet encryption, either. Though the version and master version aren't in their normal locations in the login packets, everything works once I blindly discover the version numbers. I figure the answer is buried somewhere in the way JVC can make sense of the packet differences. I just have no idea how this correlates.
They also seem to have the GRFs compressed with something custom (certainly nothing PEiD can identify). It's just a few servers, but it's irritating me because I know it's just outside the range of what I can figure out on my own <,<

EternalHarvest
Developers
Posts: 1798
Joined: 05 Dec 2008, 05:42
Noob?: Yes

Re: Determining Version Without Wireshark or GRFTools

#2 Post by EternalHarvest »

VashTheStampede wrote:I'm not talking about custom packet encryption, either. Though the version and master version aren't in their normal locations in the login packets, everything works once I blindly discover the version numbers.
Provide an example of these login packets (using random username and password)?

VashTheStampede
Plain Yogurt
Posts: 68
Joined: 11 Jun 2011, 01:47
Noob?: No

Re: Determining Version Without Wireshark or GRFTools

#3 Post by VashTheStampede »

This looks like it leaves the master version, but the version is missing o_O
Bo-RO
Username: Hammer
Password: Time


00000000  04 02 c7 0a 94 c2 7a cc  38 9a 47 f5 54 39 7c a4 ......z. 8.G.T9|.
00000010  d0 39 64 00 4b 00 00 00  48 61 6d 6d 65 72 00 00 .9d.K... Hammer..
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000030  54 69 6d 65 00 00 00 00  00 00 00 00 00 00 00 00 Time.... ........
00000040  00 00 00 00 00 00 00 00  0d
This one even has 64 00, but 4b is 75.. so not possible.
Last edited by VashTheStampede on 28 Aug 2011, 15:13, edited 1 time in total.

VashTheStampede
Plain Yogurt
Posts: 68
Joined: 11 Jun 2011, 01:47
Noob?: No

Re: Determining Version Without Wireshark or GRFTools

#4 Post by VashTheStampede »

Here's another example. It's from HeavenRo.
Username:Heaven
Pass: HeavenPass


00000000  04 02 82 d1 2c 91 4f 5a  d4 8f d9 6f cf 7e f4 cc ....,.OZ ...o.~..
00000010  49 2d b0 02 14 00 00 00  48 65 61 76 65 6e 00 00 I-...... Heaven..
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000030  48 65 61 76 65 6e 50 61  73 73 00 00 00 00 00 00 HeavenPa ss......
00000040  00 00 00 00 00 00 00 00  02 31 39 32 2e 31 36 38 ........ .192.168
00000050  2e 30 2e 31 30 30 00 f6  14 34 30 36 31 38 36 66 .0.100.. .406186f
00000060  61 62 63 35 36 0a 00                             abc56..
I'm used to searching for 64 00 -> version,
but it ain't here.

EternalHarvest
Developers
Posts: 1798
Joined: 05 Dec 2008, 05:42
Noob?: Yes

Re: Determining Version Without Wireshark or GRFTools

#5 Post by EternalHarvest »

VashTheStampede wrote:Here's another example. It's from HeavenRo.
possible login packets may start with 64 00 or 02 B0

kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: Determining Version Without Wireshark or GRFTools

#6 Post by kLabMouse »

Looks like the packet 0x2b0
Struct:


// packet: 0x2b0
// len: 85
struct PACKET_CA_LOGIN_HAN {
  /* this+0x0 */ short PacketType
  /* this+0x2 */ unsigned long Version
  /* this+0x6 */ unsigned char ID[24]
  /* this+0x1e */ unsigned char Passwd[24]
  /* this+0x36 */ unsigned char clienttype
  /* this+0x37 */ char m_szIP[16]
  /* this+0x47 */ unsigned char m_szMacAddr[13]
  /* this+0x54 */ unsigned char isHanGameUser
} 
So...
Version -> 20
ClientType -> 2
isHanGameUser -> 0

JeffShadow90
Noob
Posts: 3
Joined: 27 Aug 2010, 08:44
Noob?: No

Re: Determining Version Without Wireshark or GRFTools

#7 Post by JeffShadow90 »

hi.
I would like to know in these cases how to figure out the master version, because I can find the version after 64 00 but the master version seems to be 00 °_° not possible..

the code:


00000000  04 02 c7 0a 94 c2 7a cc  38 9a 47 f5 54 39 7c a4 ......z. 8.G.T9|.
00000010  d0 39 64 00 18 00 00 00  4a 65 66 66 53 68 61 64 .9d..... myusern
00000020  6f 77 39 30 00 1b 00 00  ca 1b 00 00 ca 1b 00 00 ame1.... ........
00000030  6d 65 74 61 6c 39 30 00  c2 1b 00 00 c2 1b 00 00 passwo. ........
00000040  c2 1b 00 00 c3 1b 00 00  0d                      ........ .

Technology
Super Moderators
Posts: 801
Joined: 06 May 2008, 12:47
Noob?: No

Re: Determining Version Without Wireshark or GRFTools

#8 Post by Technology »

JeffShadow90 wrote:hi.
I would like to know in these cases how to figure out the master version, because I can find the version after 64 00 but the master version seems to be 00 °_° not possible..

the code:


00000000  04 02 c7 0a 94 c2 7a cc  38 9a 47 f5 54 39 7c a4 ......z. 8.G.T9|.
00000010  d0 39 64 00 18 00 00 00  4a 65 66 66 53 68 61 64 .9d..... myusern
00000020  6f 77 39 30 00 1b 00 00  ca 1b 00 00 ca 1b 00 00 ame1.... ........
00000030  6d 65 74 61 6c 39 30 00  c2 1b 00 00 c2 1b 00 00 passwo. ........
00000040  c2 1b 00 00 c3 1b 00 00  0d                      ........ .
Just like OP's problem, the chunk you posted contains 2 packets:
0x204:


04 02 c7 0a 94 c2 7a cc 38 9a 47 f5 54 39 7c a4 d0 39
0x64:


64 00 18 00 00 00  4a 65 66 66 53 68 61 64 6f 77 39 30 00 1b 00 00  ca 1b 00 00 ca 1b 00 00 6d 65 74 61 6c 39 30 00  c2 1b 00 00 c2 1b 00 00 c2 1b 00 00 c3 1b 00 00  0d
One ST0 to rule them all? One PE viewer to find them!
One ST_kRO to bring them all and in the darkness bind them...

Mount Doom awaits us, fellowship of OpenKore!

VashTheStampede
Plain Yogurt
Posts: 68
Joined: 11 Jun 2011, 01:47
Noob?: No

Re: Determining Version Without Wireshark or GRFTools

#9 Post by VashTheStampede »

b0 02, I just forgot I suppose. I hadn't encountered b0 02 before recently. I admit that I didn't re-check the guide, as I thought I had memorized it and it doesn't look much different than it did years ago.

Riddle me this one then
00000000 b0 02 85 90 32 01 46 75 7a 7a 79 00 f1 bb e9 eb ....2.Fu zzy.....
00000010 b3 a6 db 3c 87 0c 3e 99 24 5e 0d 1c 06 b7 47 65 ...<..>. $^....Ge
00000020 74 42 65 6e 74 00 8b a6 1f 03 5a 7d 09 38 25 1f tBent... ..Z}.8%.
00000030 5d d4 cb fc 96 f5 01 6f 95 26 6e ce 2b 93 01 61 ]......o .&n.+..a
00000040 d7 c9 76 ee 40 78 36 fd 12 49 32 f6 9e 7d 49 dc ..v.@x6. .I2..}I.
00000050 ad 4f 14 f2 44
Now by looking at the grf, I can get it's on version 20, but I don't see hex 14 until the third byte from the end, which strikes me as a coincidental value.
The username and pass (Fuzzy:GetBent) can be read unencrypted, so I don't think it's encrypted.
I can't even wager a guess on what part the master version is either.

Looking at it for even possible ranges, master could be 20 or 22 I guess, as those are the only values low enough at the end of the packet. The problem is you don't see hex 14 until the very end, which makes me wonder what's going on here o_O

EternalHarvest
Developers
Posts: 1798
Joined: 05 Dec 2008, 05:42
Noob?: Yes

Re: Determining Version Without Wireshark or GRFTools

#10 Post by EternalHarvest »

Network::Send::ServerType0 wrote: '02B0' => ['master_login', 'V Z24 a24 C H32 H26 C', [qw(version username password_rijndael master_version ip mac isGravityID)]],
http://perldoc.perl.org/functions/pack.html


b0 02
85 90 32 01 # version
46 75 7a 7a 79 00 f1 bb e9 eb b3 a6 db 3c 87 0c 3e 99 24 5e 0d 1c 06 b7 # username
47 65 74 42 65 6e 74 00 8b a6 1f 03 5a 7d 09 38 25 1f 5d d4 cb fc 96 f5 # password_rijndael
01 # master_version
6f 95 26 6e ce 2b 93 01 61 d7 c9 76 ee 40 78 36 # ip
fd 12 49 32 f6 9e 7d 49 dc ad 4f 14 f2 # mac
44 # isGravityID
password_rijndael isn't encrypted for some reason, so should be changed to "password" in openkore's template for that server.
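The field walk that kLabMouse and EternalHarvest do by hand above (find the 0x0204 prefix, split it off, identify 0x0064 or 0x02B0, read version and master_version from the fixed offsets) can be scripted. The following Python is an added example, not code from the thread or from OpenKore. The 0x02B0 layout is kLabMouse's PACKET_CA_LOGIN_HAN struct / the ServerType0 pack template quoted above; the 0x0064 layout (u32 version, 24-byte username, 24-byte password, 1-byte master version) is assumed from how the thread reads those packets; that the 18-byte 0x0204 prefix carries no version field is also an assumption. The sample dumps are the three captures posted in the thread, pasted as-is.

```python
"""Split a captured RO login stream into packets and read version / master_version.

Added example, not OpenKore code.  Perl pack -> Python struct mapping used here:
  V -> <I,  Z24 / a24 -> 24s,  C -> B,  H32 -> 16s,  H26 -> 13s
"""
import re
import struct

# Packet ID -> (total length incl. 2-byte ID, struct format, field names).
LOGIN_LAYOUTS = {
    0x0064: (55, "<I24s24sB",                      # assumed layout, see lead-in
             ("version", "username", "password", "master_version")),
    0x02B0: (85, "<I24s24sB16s13sB",               # PACKET_CA_LOGIN_HAN
             ("version", "username", "password", "master_version",
              "ip", "mac", "isGravityID")),
}
# Packets we only step over; 0x0204 is the 18-byte hash prefix (assumed: no version field).
SKIP_LENGTHS = {0x0204: 18}

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def hexdump_to_bytes(dump):
    """Rebuild bytes from a Wireshark-style dump: offset, up to 16 hex bytes, ascii column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        n = 0
        for tok in line.split()[1:]:               # [0] is the offset column
            if n == 16 or not HEX_BYTE.match(tok): # 16 bytes per line, then ascii
                break
            out.append(int(tok, 16))
            n += 1
    return bytes(out)


def split_packets(data):
    """Walk the stream by known packet lengths; return [(packet_id, raw_bytes), ...]."""
    packets, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError(f"dangling byte at offset {off:#x}")
        pid = struct.unpack_from("<H", data, off)[0]
        length = SKIP_LENGTHS.get(pid) or LOGIN_LAYOUTS.get(pid, (None,))[0]
        if length is None:
            raise ValueError(f"unknown packet {pid:#06x} at offset {off:#x}")
        if off + length > len(data):
            raise ValueError(f"packet {pid:#06x} truncated at offset {off:#x}")
        packets.append((pid, data[off:off + length]))
        off += length
    return packets


def cstr(b):
    """Decode a NUL-padded field up to the first NUL (Perl 'Z' semantics)."""
    return b.split(b"\0", 1)[0].decode("latin-1")


def parse_login(pkt):
    """Return the named fields of a 0x0064 / 0x02B0 master_login packet."""
    pid = struct.unpack_from("<H", pkt)[0]
    length, fmt, names = LOGIN_LAYOUTS[pid]
    if len(pkt) != length:
        raise ValueError(f"expected {length} bytes for {pid:#06x}, got {len(pkt)}")
    fields = dict(zip(names, struct.unpack(fmt, pkt[2:])))
    fields["packet_id"] = pid
    fields["username"] = cstr(fields["username"])
    fields["password"] = cstr(fields["password"])  # plain text in these captures; rijndael servers give garbage here
    if "ip" in fields:
        fields["ip"] = cstr(fields["ip"])
    return fields


def login_versions(dump):
    """All master_login packets in a dump, with version / master_version decoded."""
    return [parse_login(raw) for pid, raw in split_packets(hexdump_to_bytes(dump))
            if pid in LOGIN_LAYOUTS]


# Captures from the thread (Bo-RO, HeavenRO, and the 0x02B0 sample), verbatim.
HAMMER_DUMP = """
00000000  04 02 c7 0a 94 c2 7a cc  38 9a 47 f5 54 39 7c a4 ......z. 8.G.T9|.
00000010  d0 39 64 00 4b 00 00 00  48 61 6d 6d 65 72 00 00 .9d.K... Hammer..
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000030  54 69 6d 65 00 00 00 00  00 00 00 00 00 00 00 00 Time.... ........
00000040  00 00 00 00 00 00 00 00  0d
"""
HEAVEN_DUMP = """
00000000  04 02 82 d1 2c 91 4f 5a  d4 8f d9 6f cf 7e f4 cc ....,.OZ ...o.~..
00000010  49 2d b0 02 14 00 00 00  48 65 61 76 65 6e 00 00 I-...... Heaven..
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000030  48 65 61 76 65 6e 50 61  73 73 00 00 00 00 00 00 HeavenPa ss......
00000040  00 00 00 00 00 00 00 00  02 31 39 32 2e 31 36 38 ........ .192.168
00000050  2e 30 2e 31 30 30 00 f6  14 34 30 36 31 38 36 66 .0.100.. .406186f
00000060  61 62 63 35 36 0a 00                             abc56..
"""
FUZZY_DUMP = """
00000000 b0 02 85 90 32 01 46 75 7a 7a 79 00 f1 bb e9 eb ....2.Fu zzy.....
00000010 b3 a6 db 3c 87 0c 3e 99 24 5e 0d 1c 06 b7 47 65 ...<..>. $^....Ge
00000020 74 42 65 6e 74 00 8b a6 1f 03 5a 7d 09 38 25 1f tBent... ..Z}.8%.
00000030 5d d4 cb fc 96 f5 01 6f 95 26 6e ce 2b 93 01 61 ]......o .&n.+..a
00000040 d7 c9 76 ee 40 78 36 fd 12 49 32 f6 9e 7d 49 dc ..v.@x6. .I2..}I.
00000050 ad 4f 14 f2 44
"""

if __name__ == "__main__":
    for name, dump in (("Bo-RO", HAMMER_DUMP), ("HeavenRO", HEAVEN_DUMP), ("Fuzzy", FUZZY_DUMP)):
        for f in login_versions(dump):
            print(f"{name}: packet {f['packet_id']:#06x} version={f['version']} "
                  f"master_version={f['master_version']} user={f['username']!r}")
```

Running it reproduces the thread's readings: Bo-RO is 0x0064 with version 75 and master_version 13, HeavenRO is 0x02B0 with version 20 and master_version (the struct's clienttype byte) 2, and the Fuzzy capture is 0x02B0 with version 0x01329085 and master_version 1. An unknown packet ID raises instead of silently misaligning the rest of the stream, which is the failure mode behind "hex 14 only shows up near the end": once the first packet is mis-sized, every later offset is wrong.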
