
uPantcho wrote:
I used ROX recvpackets and looked into the packet sizes... Since all the "random" packets were at the beginning, it wasn't hard to manually update the send/bro. Then I just had to log into the game and get one "sync ex" packet, captured the answer and estimated the others... (On the original recvpackets we had 2 lists of 84 packets; now it's just one big list of 168 packets.)

ever_boy_ wrote (quoting uPantcho: "captured the answer"):
Could you please tell exactly how to identify and capture send/receive packets? Using Wireshark? How do you know what the packet's ID is?

uPantcho wrote (quoting ever_boy_):
I logged in, waited 10 minutes until the first sync ex was received, XORed the last regular sync with the sync packet, then I got the "current key" using this script:

Code:
use strict;
use warnings;
use Math::BigInt;

# Starting key (seed) for the generator
my $enc_val1 = Math::BigInt->new('0x169973C5');
# M (multiplier)
my $enc_val3 = Math::BigInt->new('0x64650F65');
# A (increment)
my $enc_val2 = Math::BigInt->new('0x37657765');

# Step the generator 1001 times: key = (key * M + A) mod 2^32
for my $rs (1 .. 1001) {
    $enc_val1 = $enc_val1->bmul($enc_val3)->badd($enc_val2) & 0xFFFFFFFF;
    # Value XORed with the message ID: bits 16..30 of the key
    my $zas = ($enc_val1 >> 16) & 0x7FFF;
    printf("%x\n", $zas);
}

Then I compared the next key with the sync ex answer (it's easy to identify sync ex because it has only 2 bytes and happens exactly 10 minutes after login).

ever_boy_ wrote:
I added a filter to show only packets which were sent from me to the map server, logged in, and got these packets:
(screenshot not reproduced)
In this case, could you point out exactly where the packet's ID is?

KeplerBR wrote (quoting ever_boy_; posted in Portuguese with the author's own English version, translated here):
Did you make this filter following a tutorial? If so, which one?
If not, how did you create this filter?

ParanoidBR wrote (quoting KeplerBR):
I suppose it's ip.addr == ip address

Unattributed reply (quoting ParanoidBR):
ip.addr = "map server IP" will show both sent and received packets.

Unattributed reply (quoting uPantcho's post with the script above):
Did you use this script to make the Send or Receive file?

uPantcho wrote:
I think the trouble you're having is because you don't know when the packets really start. Just use "frame.len > 54" as the filter and look first at bytes 55 and 56 (you should reverse their order to get the packet).

ever_boy_ wrote (quoting uPantcho: "I logged in, waited 10 minutes until the first sync ex was received, XORed the last regular sync with the sync packet, then I got the 'current key' using this script"):
I understood how you found the right key using the script. But what's the best way to decrypt a given packet?

ever_boy_ wrote (quoting uPantcho: "I think the trouble you're having is because you don't know when the packets really start."):
That's exactly right. But now I'm able to find the packet's ID, thanks to you.

uPantcho wrote (quoting ever_boy_: "I understood how you found the right key using the script. But what's the best way to decrypt a given packet?"):
When you do the action that generates the target packet, just wait for the next sync (assuming that by that point you already have the sync packet) and compare.

ever_boy_ wrote:
I can do the decryption by trial and error, but it takes too long...
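The procedure uPantcho describes across the thread (read the 2-byte ID at frame bytes 55 and 56 with the byte order reversed, XOR a sync packet whose real ID you know with the value you captured to get the current mask, locate that mask in the generator's output, then confirm against the next sync and decrypt the packets that follow) as an added Python example. This is not code from the thread or from the game client. The M, A and seed constants are the ones in the Perl script above; everything else is an assumption made for the example: that the key advances one step per packet sent, that the encrypted ID is plain ID XOR mask, the placeholder sync ID 0x007E, and the frames, which are constructed inline. It also handles the case the thread only hints at: the mask is only 15 bits, so within a thousand keys the same mask can appear at more than one position, and a single sync may leave several candidates; the next sync is used to pick the right one.

```python
# Added example, not code from the thread or the client it discusses.
# Model (assumed from the thread): 32-bit LCG key stepped once per packet,
# bits 16..30 of the key XORed into the 2-byte packet ID that follows the
# 54-byte Ethernet/IPv4/TCP headers.  Constants are from the Perl script.
import struct

MASK32 = 0xFFFFFFFF
INITIAL_KEY = 0x169973C5   # seed used by the Perl script
MULT = 0x64650F65          # "M" in the script
INCR = 0x37657765          # "A" in the script
HEADER_LEN = 54            # Ethernet 14 + IPv4 20 + TCP 20, no options


def next_key(key):
    """One step of the generator: key = (key * M + A) mod 2^32."""
    return (key * MULT + INCR) & MASK32


def mask_from_key(key):
    """The 15-bit value XORed with the packet ID (bits 16..30 of the key)."""
    return (key >> 16) & 0x7FFF


def keystream(start=INITIAL_KEY, steps=1001):
    """Masks for the next `steps` keys after `start`, in generator order
    (the same list the Perl script prints)."""
    out, key = [], start
    for _ in range(steps):
        key = next_key(key)
        out.append(mask_from_key(key))
    return out


def packet_id_from_frame(frame):
    """Packet ID from a raw Ethernet frame: the two bytes at offset 54
    (Wireshark bytes 55 and 56) read little-endian, i.e. order reversed."""
    if len(frame) < HEADER_LEN + 2:
        raise ValueError("frame has no payload after the 54-byte headers")
    return struct.unpack_from("<H", frame, HEADER_LEN)[0]


def encrypt_id(packet_id, mask):
    return packet_id ^ mask


def decrypt_id(observed_id, mask):
    return observed_id ^ mask


def candidate_positions(known_id, observed_id, masks):
    """Every keystream position whose mask matches the one recovered from a
    known-plaintext packet (a sync whose real ID you know).  Only 15 bits
    are recovered, so over ~1000 positions a mask can repeat; return all."""
    mask = known_id ^ observed_id
    return [i for i, m in enumerate(masks) if m == mask]


def recover_position(first, second, gap, masks):
    """Confirm with the next sync, as the thread suggests.  `first` and
    `second` are (known_id, observed_id) pairs; `gap` is the position
    difference, i.e. how many packets later the second one was sent.
    Keep only positions consistent with both observations."""
    second_mask = second[0] ^ second[1]
    return [i for i in candidate_positions(first[0], first[1], masks)
            if i + gap < len(masks) and masks[i + gap] == second_mask]


def decrypt_following(observed_ids, masks, position):
    """Decrypt the IDs of the packets sent one after another right after
    the packet at `position`."""
    return [decrypt_id(o, masks[position + 1 + i])
            for i, o in enumerate(observed_ids)]


if __name__ == "__main__":
    masks = keystream()
    SYNC_ID = 0x007E   # constructed placeholder, not a real client ID
    pos = 20           # constructed: the sync was the 21st packet sent
    obs_sync = encrypt_id(SYNC_ID, masks[pos])
    obs_next = encrypt_id(SYNC_ID, masks[pos + 5])
    print("candidates from one sync:",
          candidate_positions(SYNC_ID, obs_sync, masks))
    print("confirmed with next sync:",
          recover_position((SYNC_ID, obs_sync), (SYNC_ID, obs_next), 5, masks))
    # Constructed frame: 54 zero header bytes, then the ID little-endian.
    frame = bytes(HEADER_LEN) + struct.pack("<H", obs_sync)
    print("ID read from frame: %#06x" % packet_id_from_frame(frame))
```

The trial-and-error step ever_boy_ mentions is what `candidate_positions` replaces: one known sync gives the mask directly, the generator is stepped once, and the second sync removes any accidental 15-bit collision instead of trying keys by hand.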