Determining Version Without Wireshark or GRFTools
-
- Plain Yogurt
- Posts: 68
- Joined: 11 Jun 2011, 01:47
- Noob?: No
Determining Version Without Wireshark or GRFTools
I've come across a few servers that won't work with Wireshark and trying Grftools clientinfo.xml as a backup won't work either.
By guessing common versions, and master versions, I've had some of them work(though they always need recvpackets updated).
But it's annoying trying 40+ combinations blindly and never *really* knowing if you've exhausted your possibilities(obviously there are well over a thousand possible combos).
I've had the best luck with guessing version 16 and 24 with master 2,8 or 14. I think that works about 1/3 of the time.
I figure there's some third way, probably involving a hex editor. Which I'm comfortable with. I just have no idea what and where to look.
I'm not talking about custom packet encryption, either. Though the version and master version aren't in their normal locations in the login packets, everything works once I blindly discover the version numbers. I figure the answer is buried somewhere in the way JVC can make sense of the packet differences. I just have no idea how this correlates.
They also seem to have the grfs compressed with something custom(certainly nothing PEID can identify). It's just a few servers but it's irritating me because I know it's just outside the range of what I can figure out on my own <,<
-
- Developers
- Posts: 1798
- Joined: 05 Dec 2008, 05:42
- Noob?: Yes
Re: Determining Version Without Wireshark or GRFTools
VashTheStampede wrote:
I'm not talking about custom packet encryption, either. Though the version and master version aren't in their normal locations in the login packets, everything works once I blindly discover the version numbers.
Provide an example of these login packets (using random username and password)?
-
- Plain Yogurt
- Posts: 68
- Joined: 11 Jun 2011, 01:47
- Noob?: No
Re: Determining Version Without Wireshark or GRFTools
This looks like it leaves the master version, but the version is missing o_O
Bo-RO
Username: Hammer
Password: Time
This one even has 64 00, but 4b is 75.. so not possible.
Code:
00000000 04 02 c7 0a 94 c2 7a cc 38 9a 47 f5 54 39 7c a4 ......z. 8.G.T9|.
00000010 d0 39 64 00 4b 00 00 00 48 61 6d 6d 65 72 00 00 .9d.K... Hammer..
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000030 54 69 6d 65 00 00 00 00 00 00 00 00 00 00 00 00 Time.... ........
00000040 00 00 00 00 00 00 00 00 0d
Last edited by VashTheStampede on 28 Aug 2011, 15:13, edited 1 time in total.
-
- Plain Yogurt
- Posts: 68
- Joined: 11 Jun 2011, 01:47
- Noob?: No
Re: Determining Version Without Wireshark or GRFTools
Here's another example. It's from HeavenRo.
Username:Heaven
Pass: HeavenPass
I'm used to searching for 64 00 ->version
But it ain't here.
Code:
00000000 04 02 82 d1 2c 91 4f 5a d4 8f d9 6f cf 7e f4 cc ....,.OZ ...o.~..
00000010 49 2d b0 02 14 00 00 00 48 65 61 76 65 6e 00 00 I-...... Heaven..
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000030 48 65 61 76 65 6e 50 61 73 73 00 00 00 00 00 00 HeavenPa ss......
00000040 00 00 00 00 00 00 00 00 02 31 39 32 2e 31 36 38 ........ .192.168
00000050 2e 30 2e 31 30 30 00 f6 14 34 30 36 31 38 36 66 .0.100.. .406186f
00000060 61 62 63 35 36 0a 00 abc56..
-
- Developers
- Posts: 1798
- Joined: 05 Dec 2008, 05:42
- Noob?: Yes
Re: Determining Version Without Wireshark or GRFTools
VashTheStampede wrote:
Here's another example. It's from HeavenRo.
Possible login packets may start with 64 00 or 02 B0.
Re: Determining Version Without Wireshark or GRFTools
Looks like the packet 0x2b0
Struct:
Code:
// packet: 0x2b0
// len: 85
// offsets are for the 32-bit Windows client, where unsigned long is 4 bytes
struct PACKET_CA_LOGIN_HAN {
/* this+0x0 */ short PacketType;
/* this+0x2 */ unsigned long Version;
/* this+0x6 */ unsigned char ID[24];
/* this+0x1e */ unsigned char Passwd[24];
/* this+0x36 */ unsigned char clienttype;
/* this+0x37 */ char m_szIP[16];
/* this+0x47 */ unsigned char m_szMacAddr[13];
/* this+0x54 */ unsigned char isHanGameUser;
};
Version -> 20
ClientType -> 2
isHanGameUser -> 0
-
- Noob
- Posts: 3
- Joined: 27 Aug 2010, 08:44
- Noob?: No
Re: Determining Version Without Wireshark or GRFTools
hi.
I would like to know in these cases how to figure out the master version, because I can find the version after 64 00 but the master version seems to be 00 °_° not possible..
the code:
Code:
00000000 04 02 c7 0a 94 c2 7a cc 38 9a 47 f5 54 39 7c a4 ......z. 8.G.T9|.
00000010 d0 39 64 00 18 00 00 00 4a 65 66 66 53 68 61 64 .9d..... myusern
00000020 6f 77 39 30 00 1b 00 00 ca 1b 00 00 ca 1b 00 00 ame1.... ........
00000030 6d 65 74 61 6c 39 30 00 c2 1b 00 00 c2 1b 00 00 passwo. ........
00000040 c2 1b 00 00 c3 1b 00 00 0d ........ .
-
- Super Moderators
- Posts: 801
- Joined: 06 May 2008, 12:47
- Noob?: No
Re: Determining Version Without Wireshark or GRFTools
JeffShadow90 wrote:
hi.
I would like to know in this cases how to figure out the master version because I can find out the version after 64 00 but the master version seems to be 00 °_° not possible..
the code:
Code:
00000000 04 02 c7 0a 94 c2 7a cc 38 9a 47 f5 54 39 7c a4 ......z. 8.G.T9|.
00000010 d0 39 64 00 18 00 00 00 4a 65 66 66 53 68 61 64 .9d..... myusern
00000020 6f 77 39 30 00 1b 00 00 ca 1b 00 00 ca 1b 00 00 ame1.... ........
00000030 6d 65 74 61 6c 39 30 00 c2 1b 00 00 c2 1b 00 00 passwo. ........
00000040 c2 1b 00 00 c3 1b 00 00 0d ........ .
Just like OP's problem, the chunk you posted contains 2 packets:
0x204:
Code:
04 02 c7 0a 94 c2 7a cc 38 9a 47 f5 54 39 7c a4 d0 39
Code:
64 00 18 00 00 00 4a 65 66 66 53 68 61 64 6f 77 39 30 00 1b 00 00 ca 1b 00 00 ca 1b 00 00 6d 65 74 61 6c 39 30 00 c2 1b 00 00 c2 1b 00 00 c2 1b 00 00 c3 1b 00 00 0d
One ST0 to rule them all? One PE viewer to find them!
One ST_kRO to bring them all and in the darkness bind them...
Mount Doom awaits us, fellowship of OpenKore!
-
- Plain Yogurt
- Posts: 68
- Joined: 11 Jun 2011, 01:47
- Noob?: No
Re: Determining Version Without Wireshark or GRFTools
b0 02 I just forgot I suppose. I hadn't encountered b0 02 before recently. I admit that I didn't re-check the guide as I thought I had memorized it and it doesn't look much different than it did years ago.
Riddle me this one then
Now by looking at the grf, I can get it's on version 20, but I don't see hex 14 until the third byte from the end, which strikes me as a coincidental value.
Code:
00000000 b0 02 85 90 32 01 46 75 7a 7a 79 00 f1 bb e9 eb ....2.Fu zzy.....
00000010 b3 a6 db 3c 87 0c 3e 99 24 5e 0d 1c 06 b7 47 65 ...<..>. $^....Ge
00000020 74 42 65 6e 74 00 8b a6 1f 03 5a 7d 09 38 25 1f tBent... ..Z}.8%.
00000030 5d d4 cb fc 96 f5 01 6f 95 26 6e ce 2b 93 01 61 ]......o .&n.+..a
00000040 d7 c9 76 ee 40 78 36 fd 12 49 32 f6 9e 7d 49 dc ..v.@x6. .I2..}I.
00000050 ad 4f 14 f2 44
The username and pass(Fuzzy:Getbent) can be read unencrypted, so I don't think it's encrypted.
I can't even wager a guess on what part the master version is either.
Looking at it for even possible ranges, master could be 20 or 22 I guess, as those are the only values low enough at the end of the packet. The problem is you don't see hex 14 until the very end, which makes me wonder what's going on here o_O
-
- Developers
- Posts: 1798
- Joined: 05 Dec 2008, 05:42
- Noob?: Yes
Re: Determining Version Without Wireshark or GRFTools
Network::Send::ServerType0 wrote:
'02B0' => ['master_login', 'V Z24 a24 C H32 H26 C', [qw(version username password_rijndael master_version ip mac isGravityID)]],
http://perldoc.perl.org/functions/pack.html
Code:
b0 02
85 90 32 01 # version
46 75 7a 7a 79 00 f1 bb e9 eb b3 a6 db 3c 87 0c 3e 99 24 5e 0d 1c 06 b7 # username
47 65 74 42 65 6e 74 00 8b a6 1f 03 5a 7d 09 38 25 1f 5d d4 cb fc 96 f5 # password_rijndael
01 # master_version
6f 95 26 6e ce 2b 93 01 61 d7 c9 76 ee 40 78 36 # ip
fd 12 49 32 f6 9e 7d 49 dc ad 4f 14 f2 # mac
44 # isGravityID