Initial Packet : Client->margin
07-08-2009, 09:44 PM, (This post was last modified: 07-08-2009, 10:10 PM by Neo.)
#1
Initial Packet : Client->margin
World List Packet
Code:
82 43 0B 00 00 00 00 00 00 00 00 00 00 9F 00 D7
01 1F 00 00 00 21 00 1D D1 00 00 3D 00 00 00 39
02 00 00 01 00 00 0E 00 DE 13 1C 00 00 00 00 00
00 17 00 0A 00 41 72 63 68 69 74 65 6B 74 00 03
00 00 15 00 52 65 63 75 72 73 69 6F 6E 00 00 00
00 00 00 00 00 00 00 00 01 01 F1 1D 07 00 01 00
21 00 16 00 53 79 6E 74 61 78 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 01 F1 1D 07 00 01 00
31 00 17 00 56 65 63 74 6F 72 2D 48 6F 73 74 69
6C 65 00 00 00 00 00 00 01 01 F1 1D 07 00 01 00
31
// Here starts the "copy" of the packet for sending to margin
36
// encrypted blob 1
01 47 E2 4D 62 C0 78 14 B7 B2 EB 8D D7 F6
DC 0A 90 D4 95 19 1F AD D6 CA D6 BA ED B1 EF D2
D7 38 53 B8 79 4D F8 E1 BF 15 C5 7C 3B F1 98 80
A2 35 1E 35 16 CA E5 C1 A0 69 8C 05 22 02 10 9D
44 76 6C 3C 13 7A 76 6A FA 19 F0 AF 18 7D BF 81
28 CB E0 59 7E FE 25 E4 5E ED D3 FE 3A 0E 85 35
7E 72 36 59 10 38 51 A4 88 BF 9E 78 16 B2 F6 B9
44 55 68 A8 89 26 3F 25 03 6E 10 35 77 7F 47 4C
43 29 4F 01 90 1D 9B 00

// Username ("norajob" is the username here).
6E 6F 72 61 6A 6F 62

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 01 00 00 00 00

// Timestamp, little-endian format
2F 8B 54 4A

00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 11 EC 42 1C 49 A5 51 6C 0C F8 31 72
D2 40 78 94 FA 24 57 94 42 F0 F0 75 3C 33 41 44
5F C8 16 61 5D 08 86 BB EF 83 61 49 FD A8 69 FA
1B E0 AC B2 90 4E 2F 93 64 44 A6 E1 23 3B 69 5D
B1 18 7A 9D F5 C7 F0 F4 03 33 97 1F 8A B0 8C 7F
C3 E3 13 4E 89 56 CA F0 B8 BB 00 95 68 30 67 44
EE 62 A7 C2 CB B5 33 FF 26
// End copy of packet

// somewhere here there is a second encrypted blob
60 00 8E B3 96 6E F8
A0 35 D1 2C E5 8F 9F BD 79 F5 5B EA 96 30 F5 92
0D 83 E3 64 08 9F CD EE E1 16 57 10 43 4A 9C 39
A0 51 6D 18 35 21 CE 97 28 EA F2 34 03 9B 05 48
49 38 5A B2 35 77 5E 7A 24 CF 02 39 82 57 E0 30
02 F5 BF 0B 56 B8 F3 06 97 65 EF 78 D2 91 EF B7
D5 65 F5 88 ED 64 43 AC 08 60 49 08 00 6E 6F 72
61 6A 6F 62 00

// Packet to Margin Server 1
Code:
81 3b 01 03 00
// the part that is copied starts here
36
// encrypted blob 1
01 9b a0 4f 1f 1a a5 d0 2f c4 1e 81 ef 08 67 44 8d 0a e9 7e 9d 1b e5 9d 56 58
02 3b 76 40 fa 60 c2 68 71 c5 ae c6 cf af 8b ca 85 6f 86 1a 21 4c 93 05 a5 8e 54 3f 4a 34 7e 04
85 aa f0 1e 13 54 2f 4b 16 c7 88 3c d4 f9 41 04 51 4b 13 81 68 dd cf 23 b0 4b dc 11 b4 b4 1f 6d
da a5 a8 5a 57 ef 6c db f8 73 83 d4 37 fb df fc d4 db f5 bb b3 e7 9a 2a cc 8d 94 42 07 f4 a5 e7
// Username
8e e6 01 8e 8d 23 fa 01 51 4e 79 00
55 73 65 72 4E 61 6D 65
00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00
// timestamp
ef f6 51 4a
00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17 ab 1c 76 11 3f 67 0e
21 61 0c 22 04 2c af 5d e8 ce bd 77 a0 26 41 03 eb f8 14 22 f7 55 3e 47 46 6e c6 42 1e 7b e9 b3
f3 3b fe f1 7b 18 b0 ae 84 3f c8 ea da 52 fd d0 2e c4 30 73 5f 44 c4 6f 79 d2 2e 95 4c 3d 4c 1d
28 0f 4a a6 4a c8 01 af be 67 f1 b1 d7 7a 20 25 9a 51 93 b2 46 2c 76 04 07 cb 10 19 26

This is the initial packet sent from the client to the margin server.
We didn't have it decrypted yet, but one thing jumps out immediately when you compare this packet with a part of the world list packet.

After the 4th byte (starting with 0x36), the complete packet is just a copy of a part of the world list packet.

The only things that are 100% clear are the username there (paste it into a hex editor to see what I mean) and the timestamp.

The timestamp is the highlighted bytes ef f6 51 4a (little-endian format: you have to read them backwards, 4a 51 f6 ef, and convert them to decimal to get the timestamp).
07-08-2009, 09:46 PM,
#2
RE: Initial Packet : Client->margin
The world list packet has 2 encrypted blobs, so if you don't post it along with this packet (of the same session), then what's the point in comparing... Also, you should remove the packet length header, as it only confuses things.
07-08-2009, 09:48 PM,
#3
RE: Initial Packet : Client->margin
Yes, you are right, I will post the other packet too.
07-08-2009, 09:52 PM,
#4
RE: Initial Packet : Client->margin
And don't say "TURN IT BACKWARDS", just say it's in little-endian format (Hex Workshop has buttons to set little endian or big endian, and then in the pane on the right you can see the correct time or uint32 or whatever).
07-08-2009, 10:12 PM,
#5
RE: Initial Packet : Client->margin
Yes, it's little endian, and Hex Workshop can set it... but this should also describe the packet for users that don't use Hex Workshop or want to understand the raw mechanics of how that works... so in this case this is right, I only want to say how you can alternatively convert these values into a valid timestamp. ;)
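An added example (not code from the thread or from any of the posters) in Python that does the conversions discussed in posts #1, #4 and #5 without a hex editor: it decodes the little-endian timestamp bytes quoted above into UTC dates, pulls the printable ASCII runs (the server names and the username) out of the posted dumps, and scans the margin-server packet for every 4-byte window that decodes to a plausible July 2009 time, which is how you would locate the timestamp field in a capture where nothing is highlighted. The byte values are copied from the dumps in this thread (the first ten lines of the world list packet and the complete margin-server packet); the July 2009 scan window and the `strings`-style minimum run length of 4 are assumptions of this example.

```python
"""Decode the fields identified in the thread from the posted hex dumps.

Added example, not part of the original thread. Python 3.7+ (bytes.fromhex
skips newlines).
"""
import re
import struct
from datetime import datetime, timezone

# Bytes quoted verbatim from the thread.
USERNAME_FIELD = bytes.fromhex("6E 6F 72 61 6A 6F 62")      # "norajob"
TIMESTAMP_WORLDLIST = bytes.fromhex("2F 8B 54 4A")          # first packet
TIMESTAMP_MARGIN = bytes.fromhex("ef f6 51 4a")             # margin-server packet

# First ten lines of the world list packet as posted (server name section).
WORLD_LIST_HEAD = bytes.fromhex("""
82 43 0B 00 00 00 00 00 00 00 00 00 00 9F 00 D7
01 1F 00 00 00 21 00 1D D1 00 00 3D 00 00 00 39
02 00 00 01 00 00 0E 00 DE 13 1C 00 00 00 00 00
00 17 00 0A 00 41 72 63 68 69 74 65 6B 74 00 03
00 00 15 00 52 65 63 75 72 73 69 6F 6E 00 00 00
00 00 00 00 00 00 00 00 01 01 F1 1D 07 00 01 00
21 00 16 00 53 79 6E 74 61 78 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 01 F1 1D 07 00 01 00
31 00 17 00 56 65 63 74 6F 72 2D 48 6F 73 74 69
6C 65 00 00 00 00 00 00 01 01 F1 1D 07 00 01 00
""")

# "Packet to Margin Server 1" as posted, including the header bytes.
MARGIN_PACKET = bytes.fromhex("""
81 3b 01 03 00 36
01 9b a0 4f 1f 1a a5 d0 2f c4 1e 81 ef 08 67 44 8d 0a e9 7e 9d 1b e5 9d 56 58
02 3b 76 40 fa 60 c2 68 71 c5 ae c6 cf af 8b ca 85 6f 86 1a 21 4c 93 05 a5 8e 54 3f 4a 34 7e 04
85 aa f0 1e 13 54 2f 4b 16 c7 88 3c d4 f9 41 04 51 4b 13 81 68 dd cf 23 b0 4b dc 11 b4 b4 1f 6d
da a5 a8 5a 57 ef 6c db f8 73 83 d4 37 fb df fc d4 db f5 bb b3 e7 9a 2a cc 8d 94 42 07 f4 a5 e7
8e e6 01 8e 8d 23 fa 01 51 4e 79 00
55 73 65 72 4E 61 6D 65
00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00
ef f6 51 4a
00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17 ab 1c 76 11 3f 67 0e
21 61 0c 22 04 2c af 5d e8 ce bd 77 a0 26 41 03 eb f8 14 22 f7 55 3e 47 46 6e c6 42 1e 7b e9 b3
f3 3b fe f1 7b 18 b0 ae 84 3f c8 ea da 52 fd d0 2e c4 30 73 5f 44 c4 6f 79 d2 2e 95 4c 3d 4c 1d
28 0f 4a a6 4a c8 01 af be 67 f1 b1 d7 7a 20 25 9a 51 93 b2 46 2c 76 04 07 cb 10 19 26
""")

# Assumed plausibility window for the scan: the month the thread was posted.
JULY_2009_START = int(datetime(2009, 7, 1, tzinfo=timezone.utc).timestamp())
JULY_2009_END = int(datetime(2009, 8, 1, tzinfo=timezone.utc).timestamp())


def le_uint32(b: bytes) -> int:
    """Interpret exactly four bytes as a little-endian unsigned 32-bit integer
    (the "read them backwards" step from post #1, done by struct instead)."""
    if len(b) != 4:
        raise ValueError(f"expected 4 bytes, got {len(b)}")
    return struct.unpack("<I", b)[0]


def le_timestamp(b: bytes) -> str:
    """Decode four little-endian bytes as a Unix timestamp and format it in UTC."""
    return datetime.fromtimestamp(le_uint32(b), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of at least min_len printable ASCII bytes, like the
    `strings` tool; server names and the username show up this way."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan_le_timestamps(data: bytes, lo: int, hi: int) -> list:
    """Slide a 4-byte window over data and report (offset, decoded time) for each
    window whose little-endian uint32 falls in [lo, hi]. Encrypted bytes will
    produce a few false candidates, so the analyst confirms each hit by context."""
    hits = []
    for off in range(len(data) - 3):
        value = le_uint32(data[off:off + 4])
        if lo <= value <= hi:
            hits.append((off, le_timestamp(data[off:off + 4])))
    return hits


if __name__ == "__main__":
    print("username field:", USERNAME_FIELD.decode("ascii"))
    print("world list timestamp:", le_timestamp(TIMESTAMP_WORLDLIST))
    print("margin timestamp:    ", le_timestamp(TIMESTAMP_MARGIN))
    print("world list strings:", printable_strings(WORLD_LIST_HEAD))
    print("margin packet strings:", printable_strings(MARGIN_PACKET))
    for off, when in scan_le_timestamps(MARGIN_PACKET, JULY_2009_START, JULY_2009_END):
        print(f"candidate timestamp at offset {off}: {when}")
```

The two quoted timestamps decode to 2009-07-08 12:03:59 UTC and 2009-07-06 13:06:55 UTC, consistent with the dates on the posts. The window scan is the general form of the trick: rather than knowing where the field is, you look for any 4-byte value that lands near the capture date and then check whether its neighbours (here the zero padding around it) make sense.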