Game packet sniffing tutorial

With Scapy it is also possible to inject packets and hijack the communication. In this demo we aren't actually going to play the game; we just use its infrastructure as a way to test these tools and techniques.

Ball Drop Server: this program listens for TCP socket connections and uses the data from the incoming connections in a networked multiplayer ball drop game. Ball Drop Client: starts a network client that connects to a server on port , and sends any keystrokes pressed.

The 2 bytes after the IP address seem to be our port. Let's convert it. Remember: that's a normal (reversed) value again, so we have to reverse it:

original : D0 07
reversed : 07 D0
dec : 2000

So the port of the first world server seems to be 2000. I guess you can do the rest of the packet on your own; that's the last packet I'll discuss here. Now, after you've chosen a server, the client connects to the IP and port we found above and we get the character list.

But let's see what really happens after the client has successfully connected to the world server. The client seems to send a packet to the world server containing a 4-byte value. That's the value we got from the login server after we successfully logged in, remember? And now the client sends it again, this time to the world server.

Well yeah, that's basically the authentication method most MMORPGs use. The world server now checks whether this information is right or not. In our example that value is called the session ID; most websites with a login interface use the same kind of authentication, though of course the details can vary.

So after the client has chosen a world server, it connects to it and sends its session ID. Since the login server and the world server are separated from each other (basically two different applications), the world server needs this value to check whether someone really logged in before and received this session ID. The login server stored the session ID in a database (or wherever), and the world server just checks whether that session ID exists there.
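The login-server / world-server split described above, as an added Python model (not code from the tutorial or from any game): the login server hands out a 4-byte session ID, the world server only checks that the ID exists in the shared store, and the ID is dropped on disconnect. It also shows the point made at the top of the page about hijacking: because the 4 bytes travel in the clear, a sniffed ID is accepted by the world server exactly like the real one until it is deleted. The account table, the session store and the flag values other than 1 are assumptions of this model.

```python
# Added example (not part of the original tutorial): a small model of the
# login-server / world-server split, to show why the world server accepts a
# sniffed session ID. The account table, the session store and the flag
# values other than 1 are assumptions of this model, not the game's code.
import os
from typing import Dict, Optional, Tuple

ACCOUNTS = {"myusername": "mypassword"}   # constructed test account
# Session ID -> account name. "A database or wherever" in the tutorial; here a
# dict shared by both servers.
SESSION_STORE: Dict[bytes, str] = {}

FLAG_OK = 0                 # the tutorial's guess for a successful login
FLAG_NO_ACCOUNT = 1         # "account name not available" (seen on the page)
FLAG_WRONG_PASSWORD = 2     # assumption for the second failure code


class LoginServer:
    def login(self, username: str, password: str) -> Tuple[int, Optional[bytes]]:
        """Return (flag, session_id). On success a fresh 4-byte session ID is
        stored so the world server can look it up later."""
        if username not in ACCOUNTS:
            return FLAG_NO_ACCOUNT, None
        if ACCOUNTS[username] != password:
            return FLAG_WRONG_PASSWORD, None
        session_id = os.urandom(4)            # 4 bytes, as in the tutorial
        SESSION_STORE[session_id] = username
        return FLAG_OK, session_id


class WorldServer:
    def connect(self, session_id: bytes) -> Optional[str]:
        """The world server never sees the password: it only checks that the
        session ID exists and returns the account it belongs to."""
        return SESSION_STORE.get(session_id)

    def disconnect(self, session_id: bytes) -> None:
        """Session IDs are deleted when the client disconnects."""
        SESSION_STORE.pop(session_id, None)


def full_flow(username: str, password: str) -> dict:
    """Run login -> world connect, then replay the ID the way a sniffer would."""
    login, world = LoginServer(), WorldServer()
    flag, session_id = login.login(username, password)
    result = {"flag": flag, "world_user": None,
              "hijack_user": None, "replay_after_disconnect": None}
    if flag != FLAG_OK:
        return result
    result["world_user"] = world.connect(session_id)
    # The 4 bytes travel in the clear, so a sniffer holds exactly the same
    # value and the world server cannot tell it apart from the real client.
    sniffed = bytes(session_id)
    result["hijack_user"] = world.connect(sniffed)
    world.disconnect(session_id)
    # After the client disconnects the ID is gone, so the replay fails (None).
    result["replay_after_disconnect"] = world.connect(sniffed)
    return result


if __name__ == "__main__":
    print(full_flow("myusername", "mypassword"))
    print(full_flow("nobody", "x"))
```

The model deliberately keeps the world server ignorant of passwords: that is the property the tutorial describes, and it is also why a 4-byte ID sent without any encryption or binding to the client's address is enough for a hijack while the session is alive.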

Normally the session ID is deleted when the client disconnects from the game or the server. I won't update the encryption chapter, since it's basically the same for everything: if you know how to decrypt one packet, you basically know how to decrypt every packet of that game.

Analyzing Packets: The Encryption

Well, I won't write too much here, since you can't always tell just from looking at the packets what kind of encryption it is.

Of course you sometimes can, but not in all cases, so I'll just write down some hints. Let's assume we capture a login packet of an MMORPG. First do some basic checks, like the one where the first 2 bytes are the length. Next, redo the sniff at the login process (of course using the same username and password as before) and see whether the bytes change.

With that method you can tell whether the encryption is static or not (the same input always producing the same bytes). Next, sniff more login packets using fictive usernames and passwords that vary in length, and see which values change.

Now you can do some basic analysis. Let's assume we have a login packet which looks like this (we used the same username and password as before, "myusername" and "mypassword"):

22 00 66 77 1A 0E 02 04 12 05 19 16 1A 12 77 77 77 77 77 77 1A 0E 07 16 04 04 00 18 05 13 77 77 77 77 77 77

Now we look at the first two bytes and do the length check.

OK, it works: 22 00 reversed is 00 22, which is 34 in decimal, and exactly 34 bytes follow the length field, so it is the packet length. Now do the check with the other usernames and passwords. You will notice that the first four bytes do not change. That means the data starting from the 5th byte is what we have to look at.

I hope you know how to use a hex editor for the next steps (that's what I use; you can also use Notepad). Let's write down the packet beginning at the 5th byte. Seems strange, huh? Now write our username and password under the exact positions of both values. The 77s seem to be placeholders, since they're the same everywhere, right? In my hex editor it looks like this: wow, what's that? Our username and password fit exactly into the encrypted packet data (10 characters plus 6 placeholder bytes = 16 bytes per field).

How to test it? Start your calculator (the Windows one ;D) and make sure "Hex" is checked. Now type in the first byte of the value which could be your username; in our case that's 1A. XOR it with the hex value of the first character of the username, "m", which is 6D. Our result is 77. Strange, isn't it? Now let's do the check: take the next byte of our encrypted data.

In our case it's 0E. XOR it with 77 and you should get 79, which is the hex value for "y". So it seems we have a static XOR encryption using the key 77 here, and you'll be able to decrypt all the packet data of our game with the XOR method and that key. An implementation in a programming language could look like this:
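The calculator steps above, as an added Python example (not the tutorial's own code, which is missing from the page): it recovers the XOR key by XORing the ciphertext with the known plaintext, checks that every position agrees on the same key (otherwise it is not a static single-byte XOR), then decrypts and parses the login packet quoted above. The 16-byte field size and the field order (header, username, password) are assumptions taken from the layout worked out in the text.

```python
# Added example (not part of the original tutorial): recover a static XOR key
# from a sniffed login packet with known plaintext, then decrypt and parse it.
# Assumed layout (from the tutorial's analysis): 2-byte little-endian length
# of the bytes that follow, 2-byte header, then two 16-byte zero-padded
# fields (username, password); everything after the length field is XORed
# with a single key byte.
import struct

# The login packet captured in the tutorial (username "myusername",
# password "mypassword").
LOGIN_PACKET = bytes.fromhex(
    "22 00 66 77 1A 0E 02 04 12 05 19 16 1A 12 77 77 77 77 77 77"
    "1A 0E 07 16 04 04 00 18 05 13 77 77 77 77 77 77"
)

FIELD_LEN = 16  # assumption: fixed 16-byte username/password buffers


def check_length(packet: bytes) -> bool:
    """The first two bytes (little-endian) should equal the number of bytes
    that follow them."""
    (length,) = struct.unpack_from("<H", packet, 0)
    return length == len(packet) - 2


def recover_xor_key(cipher: bytes, known_plain: bytes, offset: int) -> int:
    """Known-plaintext attack on a single-byte XOR: key = c ^ p.
    Every position must yield the same key; if not, the scheme is not a
    static single-byte XOR and this method does not apply."""
    keys = {cipher[offset + i] ^ known_plain[i] for i in range(len(known_plain))}
    if len(keys) != 1:
        raise ValueError(f"not a static single-byte XOR, candidate keys: {sorted(keys)}")
    return keys.pop()


def xor_decrypt(data: bytes, key: int) -> bytes:
    """XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def parse_login(packet: bytes, key: int) -> dict:
    """Decrypt everything after the length field and split it into
    header, username and password (padding bytes stripped)."""
    if not check_length(packet):
        raise ValueError("length field does not match packet size")
    body = xor_decrypt(packet[2:], key)     # the length field itself is not encrypted
    (header,) = struct.unpack_from("<H", body, 0)
    user = body[2:2 + FIELD_LEN].rstrip(b"\x00")
    pw = body[2 + FIELD_LEN:2 + 2 * FIELD_LEN].rstrip(b"\x00")
    return {"header": header, "username": user.decode(), "password": pw.decode()}


if __name__ == "__main__":
    # The calculator step from the tutorial: 0x1A XOR ord("m") == 0x77.
    key = recover_xor_key(LOGIN_PACKET, b"myusername", offset=4)
    print(f"key = {key:#04x}")
    print(parse_login(LOGIN_PACKET, key))
```

Note that the header decrypts to 11 00, the login header found earlier in the tutorial, which is a good sanity check that the key and the field offsets are right.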

Oh dude, thanks for that! It's the best tutorial so far. This is what everyone is begging for, thank you! Sorry for my question, but what's the password for the rapidshare file?

Oh, sorry for that. What did you like? What not? Did I mess up something? What should I have mentioned more? Any ideas for other tutorials I could write?

A really excellent tutorial. I think this tut will help a lot of ppl. Keep it up!

I hope it's not too complicated and that I didn't mix up too many things. I hope you enjoyed it. PS: Please don't ask me to help you crack the encryption of game XY; just try it yourself. Thanks to x]vIrus[x for his great wScreenshot tool, which I used to take the screen captures for this tutorial.

Please excuse mistakes either in grammar or in the tutorial itself; all errors are mine!

What do I need? Sniffing (intercepting) packets. 4. Now start the Windows calculator.

Sniffing (intercepting) packets

Let's sniff a few packets now, so start the sniffer. Click the "Target Program" button. After the page has completely loaded, the graph looks like this for me; it doesn't have to look exactly the same for you, it can vary.

You now see the captured packets there. Just try it yourself. Let's try to log in with the username "myusername" and the password "mypassword"; we only use those to test the packets. Now we stop the sniffing and look at the first packets that were sent from the client (the game) to the server. I hope you know what hexadecimal is. If you have a decimal value of 1, its hex value written as a 2-byte word is 00 01. That is the normal byte order.

In reversed order everything looks the other way round: 01 00. The first 2 bytes look like such a value. So the first 2 bytes give the remaining number of bytes in the packet, but in other games it can also be at other positions. But what about the rest? Now sniff more login packets, entering a different username and password (it doesn't matter which).

How to test this? Just sniff another login packet in our game and change the username and password you enter to something else, no matter what. The value should not change. OK, now we know 11 00 is our command or "header". You don't have to convert these 2 bytes to decimal; it's just a hexadecimal header used by the packet protocol the developers created for the game. Like 11 00 is the login packet, 13 00 the server-list request, and so on, you get what I mean? Wow, we already discovered so much; now let's continue.

There are so many 00s following our username in hex mode. Why's that? Well, most games have a limit for the username and password the user can enter.

In most cases it's either 12, 16, 24, 28 or 32 characters. So for a simpler packet protocol they make the buffers (or variables) for the username and password a fixed size and pad the unused bytes with 00. The thing is, you will have to deal with a lot of values like this. For example you log in and the server responds with some 4-byte values, and you have to discover their function.

Like the server responds with a 4-byte session ID which the client next sends to the character server to authenticate itself, and so on.

Analyzing Packets: Extended Structure Analysis

OK, since some people told me such a login procedure is kind of easy, I'd like to add an extended structure analysis chapter here. In the following example I will show (or simulate) a login procedure with server responses and finally the "world list selection".

Since most MMORPGs use more than one server or "world", I will try to show you here how most of this stuff is basically done. We start right after the login procedure we analyzed in the chapter above. Now let's assume we sent our login packet.

So now we're waiting for the server to respond. What do we know? If our login is wrong, the server has to tell the client so that it can give us an error message; otherwise it will give us an OK and let us through.

Now let's again assume we sent our login packet and received a packet from the server. Wow, what's with the client? It says wrong password; did we type something wrong? I already colored the stuff we learned in the tutorial above (length and header). But what are the last 2 bytes for? Well, that's probably a flag telling the client whether the login was successful or not.

Just do some checks and log in with a fictive username which does not exist in the game; the packet could look like this:

04 00 12 00 01 00

Now the client tells you "This account name is not available, please register first." You can again reverse the flag and convert it from hex to dec using your calculator. Basically you don't have to, since you can already see what value it will be, but if you're still not that good with hexadecimal, use the calculator.

So these are the flags we know for now:

original : 01 00    reversed : 00 01    dec : 1
original : 02 00    reversed : 00 02    dec : 2

So that's basically a server variable transmitted as a WORD (2 bytes). When we have a successful login the flag may be 00 00 and would tell the client "hey, the login was successful, go on". But since we still don't know what the flag looks like on a successful login, we go on and test it.

The first two bytes indicate the length. I already colored the stuff we know once again. OK, what could this new value be? We still don't know. Let's reverse it and convert it to decimal using our calculator.

Well, we don't know it yet. Just write down the original 4 bytes and look for them in the next packets; that way we can analyze the function of these 4 bytes. Get in-game and redo, or continue, the sniffing.

OK, now we have the world-server selection screen in our game. Let's check the new packets we captured. Hmm, the client seems to send something to the server after our packet 12 above. Well, that could be a request for the world-server list. The packet looks like this:

02 00 13 00

Nothing special in here, just the length and the header. That's the way the server list is requested by the client.

Next we see a packet we received from the server. WPE shows our total size, and the first two bytes tell us the length. Well, let's see what we know.

We see the length and the header, but what comes next? There are three names in plaintext: those are our server names.

So we have 3 servers. Now it seems that the 5th byte is the number of servers: we have 3 here, and the hex for 3 is 03.
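Decoding the server-side packets discussed in this chapter, as an added Python example (not code from the tutorial): it validates the length field, splits off the header, decodes the login-result WORD, and walks a server-list packet entry by entry, refusing lists whose count byte does not match the bytes actually present. The page only shows the length, the header, the count byte, plaintext names and the port bytes D0 07; the exact entry layout (16-byte name, 4-byte IPv4, then the port), the server names and the list-response header value 14 00 are assumptions used to build a constructed sample.

```python
# Added example (not part of the original tutorial): decode the server
# responses described in the extended structure analysis. Layout per the
# tutorial: 2-byte little-endian length of the rest of the packet, 2-byte
# header, then the payload; the login-result flag is a little-endian WORD.
# The server-list entry layout and header value below are ASSUMPTIONS.
import struct

HDR_LOGIN_RESULT = 0x0012     # 12 00 on the wire (from the tutorial)
HDR_SERVERLIST_REQ = 0x0013   # 13 00 on the wire (from the tutorial)
HDR_SERVERLIST_RESP = 0x0014  # ASSUMPTION: the page does not show this header
NAME_LEN = 16                 # ASSUMPTION: fixed-size name field like the login fields

# Packets quoted in the tutorial
ACCOUNT_UNKNOWN_RESPONSE = bytes.fromhex("04 00 12 00 01 00")
SERVERLIST_REQUEST = bytes.fromhex("02 00 13 00")

FLAG_MEANINGS = {
    0: "login ok (the tutorial's guess, not confirmed on the page)",
    1: "account name not available (seen in the tutorial)",
}


def split_packet(packet: bytes):
    """Validate the little-endian length field and return (header, payload)."""
    if len(packet) < 4:
        raise ValueError("packet too short for length + header")
    (length,) = struct.unpack_from("<H", packet, 0)
    if length != len(packet) - 2:
        raise ValueError(f"length field says {length}, but {len(packet) - 2} bytes follow")
    (header,) = struct.unpack_from("<H", packet, 2)
    return header, packet[4:]


def parse_login_result(packet: bytes) -> int:
    """The 2 bytes after the header are a little-endian WORD flag."""
    header, payload = split_packet(packet)
    if header != HDR_LOGIN_RESULT or len(payload) != 2:
        raise ValueError("not a login result packet")
    (flag,) = struct.unpack("<H", payload)
    return flag


def build_serverlist(servers):
    """Build a list response: count byte, then per entry name, IPv4, port."""
    body = bytes([len(servers)])
    for name, ip, port in servers:
        body += name.encode().ljust(NAME_LEN, b"\x00")
        body += bytes(int(octet) for octet in ip.split("."))
        body += struct.pack("<H", port)     # 2000 -> D0 07 on the wire
    payload = struct.pack("<H", HDR_SERVERLIST_RESP) + body
    return struct.pack("<H", len(payload)) + payload


def parse_serverlist(packet: bytes):
    """Walk the entries; the count byte is the 5th byte of the packet."""
    header, payload = split_packet(packet)
    if header != HDR_SERVERLIST_RESP:
        raise ValueError("not a server list packet")
    count, offset = payload[0], 1
    entry_len = NAME_LEN + 4 + 2
    servers = []
    for _ in range(count):
        entry = payload[offset:offset + entry_len]
        if len(entry) != entry_len:
            raise ValueError("server list truncated; count byte does not match data")
        name = entry[:NAME_LEN].rstrip(b"\x00").decode()
        ip = ".".join(str(b) for b in entry[NAME_LEN:NAME_LEN + 4])
        (port,) = struct.unpack_from("<H", entry, NAME_LEN + 4)
        servers.append((name, ip, port))
        offset += entry_len
    if offset != len(payload):
        raise ValueError("trailing bytes after the last server entry")
    return servers


# Constructed sample: three worlds, the first one on port 2000 (07 D0 reversed)
SAMPLE_SERVERLIST = build_serverlist([
    ("World1", "10.0.0.1", 2000),
    ("World2", "10.0.0.2", 2001),
    ("World3", "10.0.0.3", 2002),
])

if __name__ == "__main__":
    flag = parse_login_result(ACCOUNT_UNKNOWN_RESPONSE)
    print(flag, FLAG_MEANINGS.get(flag, "unknown flag"))
    print(split_packet(SERVERLIST_REQUEST))
    print(parse_serverlist(SAMPLE_SERVERLIST))
```

When you write a parser like this for a real game, treat the count byte and the length field as untrusted input exactly as done here: a server (or an injected packet) that lies about either should produce an error, not an out-of-bounds read or an endless loop.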
