World-list packet description.
06-17-2009, 09:53 AM, (This post was last modified: 07-30-2009, 07:02 AM by Morpheus.)
#1
World-list packet description.
Architect gives some classes about how world-list works on a real client.

NEWEST EXPLANATION

This explanation is more exact and updated (as of yesterday), and could be more comprehensible, as it is almost simple machine-readable code.

For a World list packet generation, we need:

26 hex bytes: packet length & crypto things

unsigned int 2 bytes: length of the char data
unsigned int 3 bytes: length of the char data - 4

Quote: Length of the data is calculated as the sum of:
14 bytes of userdata
1 byte 00
1 byte length of charname
1 byte 00
N bytes charname

unsigned int 2 bytes: "02 00"

unsigned int 2 bytes: <sum of chars on all servers>

##for each char##

14 bytes hex block:
- unsigned int 3 bytes: number of bytes to the right, until the charname starts (pointer to charname length position)
- unsigned int 4 bytes: id of character
- unsigned int 4 bytes: "00 00 00 00"
- unsigned int 1 byte: char status flag
Quote: 00 -> character normal
01 -> character in transit
02 -> character banned
03 -> character incomplete


- unsigned int 2 bytes: server ID where char is in

##for each char (part 2)##

2 + N bytes hex block:
- unsigned int 2 bytes: length of charname + 1
- N bytes hex block: 00 + charname


unsigned int 2 bytes: <number of worlds available>
unsigned int 1 byte: "00"

##for each world##

32 bytes MAX hex block:

- unsigned int 2 bytes: serverID
- unsigned int 1 byte: "00"
- hex block N bytes: world name
- hex block 20-N zero bytes: padding/zeros until world name + zeros = 20 bytes
- unsigned int 1 byte: world status flag
Quote: 00 -> World down
01 -> World open
02 -> World Admin only
03 -> World Closed
04 -> World down
05 -> World full

- unsigned int 1 byte: server style flag
Quote: 01 --> PVE World
02 --> PVP World

- unsigned int 6 bytes: "F1 1D 07 00 01 00" unknown but static, maybe world server id
- unsigned int 1 byte: World Population flag
Quote: 31 --> Low
32 --> Med
33 --> High

The rest of the packet is crypto things, and that's Rajko's world xD.

OLD EXPLANATION
Old explanation, just for the historical record.

This is part of the group of packets sent in the process of login through login server, just before contacting margin server.

Note: real charnames are replaced by "--" and the username by "uu" for security reasons.

Code:
0000  82 63 0B 00 00 00 00 00 00 00 00 00 00 BB 00 F3    .c..............
0010  01 1F 00 00 00 21 00 C0 D0 00 00 59 00 00 00 55    .....!.....Y...U
0020  02 00 00 02 00 00 1C 00 0A 6F 1F 00 00 00 00 00    .........o......
0030  00 15 00 00 1A 00 35 37 1F 00 00 00 00 00 00 15    ......57........
0040  00 0A 00 -- -- -- -- -- -- -- -- -- 00 0C 00 --    ...---------...-
0050  -- -- -- -- -- -- -- -- -- -- 00 03 00 00 15 00    ----------......
0060  52 65 63 75 72 73 69 6F 6E 00 00 00 00 00 00 00    Recursion.......
0070  00 00 00 00 01 01 F1 1D 07 00 01 00 31 00 16 00    ............1...
0080  53 79 6E 74 61 78 00 00 00 00 00 00 00 00 00 00    Syntax..........
0090  00 00 00 00 01 01 F1 1D 07 00 01 00 31 00 17 00    ............1...
00A0  56 65 63 74 6F 72 2D 48 6F 73 74 69 6C 65 00 00    Vector-Hostile..
00B0  00 00 00 00 01 01 F1 1D 07 00 01 00 31 36 01 61    ............16.a
00C0  FE F7 69 8E 47 6A 3F 58 57 66 85 99 90 44 F4 AD    ..i.Gj?XWf...D..
00D0  C1 2F CE 0D 19 92 1C 07 16 27 D9 76 1B 46 61 53    ./.......'.v.FaS
00E0  C8 0A 73 88 8D E1 19 34 F5 4D 8D AE BD 8D 08 6E    ..s....4.M.....n
00F0  8C CF D7 8B 9A 11 3B 3C 95 C4 88 0F 60 B0 76 91    ......;<....`.v.
0100  46 8F F2 F4 B3 80 DB 97 9D FB 1A B0 BA D6 2A E5    F.............*.
0110  B4 8C 3A F8 8E B1 DB AD EE 27 DD 9F B5 F2 3F 42    ..:......'....?B
0120  C3 18 EA 20 24 75 AC 26 AB E6 F3 14 D7 1B 15 AA    ... $u.&........
0130  EA 0E 1C 4A 64 4C 2D 66 6B 29 65 FE C7 F0 4F 01    ...JdL-fk)e...O.
0140  85 D5 9B 00 uu uu uu uu uu uu uu uu uu uu uu 00    ....uuuuuuuuuuu.
0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0160  00 00 00 00 00 00 01 00 00 00 00 85 DB 37 4A 00    .............7J.
0170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0190  11 B3 FC 9C B8 FF C0 B1 3D F8 4C FA DF 1E 6F E1    ........=.L...o.
01A0  3E 47 0A AA 99 3D DA 3C 47 F2 21 07 A8 20 69 88    >G...=.<G.!.. i.
01B0  DD 52 A5 9C 68 4A 05 C1 6D C0 07 DA 10 C8 A2 7C    .R..hJ..m......|
01C0  28 AA 9E 56 DF 16 D1 E8 E0 15 3E 21 29 A9 AA 82    (..V......>!)...
01D0  27 90 CA 30 5A D5 EC 40 82 5F 49 F8 CB 0B D4 CC    '..0Z..@._I.....
01E0  4D E6 DF 87 02 16 28 C1 AC D8 72 E9 6E 7B 70 B3    M.....(...r.n{p.
01F0  39 29 C9 2B 27 60 00 41 52 83 E4 2F 24 18 40 93    9).+'`.AR../$.@.
0200  D1 81 B2 2F 38 5E 55 A3 D9 1D 1B 53 00 A3 90 13    .../8^U....S....
0210  81 6C 74 E7 41 8F 9A 29 B1 74 07 51 B1 72 39 EB    .lt.A..).t.Q.r9.
0220  0B 73 42 18 55 52 C8 68 7F 47 FF 3D 24 C7 D2 D8    .sB.UR.h.G.=$...
0230  6C DC AA 68 6D 5F 64 BE E2 44 8A C8 B0 1F A7 4B    l..hm_d..D.....K
0240  01 E9 57 02 F1 31 C7 6C 45 08 81 19 FB 15 D2 F1    ..W..1.lE.......
0250  8B 8B E3 85 CD 35 FD 0C 00 uu uu uu uu uu uu uu    .....5...uuuuuuu
0260  uu uu uu uu 00                                     uuuu.

At first sight it could look complex, but it can be broken into pieces very easily.

Let's go to top:

The first part is useless at first, because it is not really known how to treat them, referring to:

Code:
0010  01 1F 00 00 00 21 00 C0 D0 00 00 59 00 00 00 55
0020  02 00

It must be a signature of some kind, including some ciphered info, apart from timestamp, for example.

Following with interesting things:

User characters codes

Code:
<><>  <> <> 00 02 00 00 1C 00 0A 6F 1F 00 00 00 00 00    .........o......
0030  00 15 00 00 1A 00 35 37 1F 00 00 00 00 00 00 15    ......57........
0040  00 0A 00 -- -- -- -- -- -- -- -- -- 00 0C 00 --    ...---------...-
0050  -- -- -- -- -- -- -- -- -- -- 00 <> <> <> <> <>    ----------......

This part looks tricky, but it's easy to see, you will.

Decoding it by parts:

"00 02" at start means that there are 2 chars for this user (02) on the margin server, counting all the worlds that are there.

What's going with the other parts?

They correspond to the info about the players we mentioned first.
It's what is called an "array" (or a struct) of info from player data.
It should match this pattern:

Player: {globalid, localid, name,status, IDServerIn}

So if we take a close look we can see the matches and separate one of the chars... it makes these magic numbers (14 bytes):

00 00 1C 00 0A 6F 1F 00 00 00 00 00 00 15
<00 00 1C 00 0A 06 1F> stands for global + local id
<00 00 00 00> are unused bytes (or unknown yet)
<00> stands for status flag
Architect Wrote: flag can be set as 2 numbers. They must be in this list:
00 -> Character normal
01 -> Character in transit
02 -> Character banned
03 -> Character incomplete
<15> stands for the server id, which must match a server id (see below)

We can repeat this with the other char, and we will see different IDs, but the rest of the packet is the same.

OK, what's up with the rest of the part I posted? Look carefully, I didn't talk about the names of the chars!
See what we have:

00 0A 00 -- -- -- -- -- -- -- -- -- 00 0C 00 -- -- -- -- -- -- -- -- -- -- -- 00

Again, it's simple. We got 2 items as names, so we take a division and analyze:

Note: Why did I take this division? Because 00 xxxx 00 means a Unicode string with text "xxxx", and the 0's are the delimiters for start/end.

00 0A 00 -- -- -- -- -- -- -- -- -- 00
<00> Separator from above
<0A> Characters to follow. That means '10' in hexadecimal, so chars must be 9 plus a \0 char (end-of-string in C)
<-- -- -- -- -- -- -- -- --> chars of the name
<00> end-of-string

Great, we got all the fields identified in the world-list data.

Worlds available codes

Code:
<><>  <> <> <> <> <> <> <> <> <> <> 00 03 00 00 15 00    uuuuuuuuu......
0060  52 65 63 75 72 73 69 6F 6E 00 00 00 00 00 00 00    Recursion.......
0070  00 00 00 00 01 01 F1 1D 07 00 01 00 31 00 16 00    ............1...
0080  53 79 6E 74 61 78 00 00 00 00 00 00 00 00 00 00    Syntax..........
0090  00 00 00 00 01 01 F1 1D 07 00 01 00 31 00 17 00    ............1...
00A0  56 65 63 74 6F 72 2D 48 6F 73 74 69 6C 65 00 00    Vector-Hostile..
00B0  00 00 00 00 01 01 F1 1D 07 00 01 00 31

The first part delimits the number of worlds available (which won't be more than 3 in the real world list) with the "00 03" bytes, and another "00" to delimit the space between this and each world item.

As with user codes, world codes have a pattern which is close to this one:

World: {id, name, style, status, populationLevel}

So we take one item from the list, the first one (32 bytes):

00 15 00 52 65 63 75 72 73 69 6F 6E 00 00 00 00 00 00 00 00 00 00 00 01 01 F1 1D 07 00 01 00 31
<00 15> stands for server ID. This one is what the chars will be associated with.
<00> delimiter (text)
<52 65 63 75 72 73 69 6F 6E 00> name (Recursion) + end-of-string
<00 00 00 00 00 00 00 00 00 00> unknown yet, or possibly space for more chars of the world name
<01> server status flag
Architect Wrote: Must be set to:
00 -> Server down
01 -> Server open
02 -> Admin only
03 -> Server closed
04 -> Server down(2)
05 -> Server full
<01> server style flag
Architect Wrote: Must be set to:
01 -> PvE server
02 -> PvP server
<F1 1D 07 00 01 00> unknown data (may be world internalid)
<31> server population load flag
Architect Wrote: Must be set to:
31 -> Low
32 -> Medium
33 -> High

Rest of the packet

At the moment, the rest of the packet is almost unknown, apart from the username, but it's a work-in-progress.
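The following is an added example, not code from the thread or from the Reality project: a Python builder and parser for the non-crypto section described in post #1 (from the "02 00" marker through the last 32-byte world record). Two things it relies on are assumptions inferred from the dump offsets rather than stated in the post: multi-byte integers are big-endian, and each character's 3-byte pointer counts from the start of its own 14-byte record to its name-length field (0x24 + 0x1C = 0x40 and 0x32 + 0x1A = 0x4C in the dump). The sample bytes reproduce 0x20..0xBC of the posted dump with the redacted "--" character names replaced by constructed placeholder names of the same lengths (9 and 11 characters); the "end" offset the parser returns is where the dump's 0x36 0x01 bytes follow.

```python
"""Build/parse the non-crypto part of the MxO world-list reply (layout from post #1).
Assumed here, not stated in the thread: multi-byte ints are big-endian, and each
character's 3-byte pointer counts from the start of its own 14-byte record to its
name-length field (inferred from the dump: 0x24+0x1C=0x40, 0x32+0x1A=0x4C)."""
import struct

# flag tables as listed by Architect in the thread
CHAR_STATUS = {0: "normal", 1: "in transit", 2: "banned", 3: "incomplete"}
WORLD_STATUS = {0: "down", 1: "open", 2: "admin only", 3: "closed", 4: "down(2)", 5: "full"}
WORLD_STYLE = {1: "PvE", 2: "PvP"}
WORLD_POPULATION = {0x31: "low", 0x32: "medium", 0x33: "high"}
CHAR_RECORD_LEN, WORLD_RECORD_LEN, WORLD_NAME_LEN = 14, 32, 20
WORLD_STATIC = bytes.fromhex("F11D07000100")  # "unknown but static" 6 bytes from the dump


def _flag(table, value):
    return table.get(value, "unknown(0x%02X)" % value)


def build_world_list(chars, worlds):
    """chars: [(char_id, status, server_id, name)]; worlds: [(server_id, name, status, style, population)]."""
    # name block = 2-byte (len+1), one 0x00, then the name; no trailing terminator
    name_blocks = [struct.pack(">H", len(n) + 1) + b"\x00" + n
                   for n in (c[3].encode("ascii") for c in chars)]
    out = bytearray(b"\x02\x00") + struct.pack(">H", len(chars))
    for i, (char_id, status, server_id, _) in enumerate(chars):
        # distance to this char's name block: the remaining records plus earlier name blocks
        ptr = CHAR_RECORD_LEN * (len(chars) - i) + sum(len(b) for b in name_blocks[:i])
        out += ptr.to_bytes(3, "big") + struct.pack(">I", char_id) + b"\x00" * 4
        out += bytes([status]) + struct.pack(">H", server_id)
    out += b"".join(name_blocks)
    out += struct.pack(">H", len(worlds)) + b"\x00"
    for server_id, name, status, style, population in worlds:
        n = name.encode("ascii")
        if len(n) > WORLD_NAME_LEN:
            raise ValueError("world name longer than %d bytes" % WORLD_NAME_LEN)
        out += struct.pack(">H", server_id) + b"\x00" + n.ljust(WORLD_NAME_LEN, b"\x00")
        out += bytes([status, style]) + WORLD_STATIC + bytes([population])
    return bytes(out)


def parse_world_list(data):
    """Parse from the "02 00" marker. Lengths and pointers are bounds-checked, so a
    truncated or malformed reply raises instead of silently reading garbage."""
    if data[:2] != b"\x02\x00":
        raise ValueError("missing 02 00 marker")
    (n_chars,) = struct.unpack_from(">H", data, 2)
    pos, chars = 4, []
    for _ in range(n_chars):
        if pos + CHAR_RECORD_LEN > len(data):
            raise ValueError("truncated character record")
        ptr = int.from_bytes(data[pos:pos + 3], "big")
        (char_id,) = struct.unpack_from(">I", data, pos + 3)
        status, (server_id,) = data[pos + 11], struct.unpack_from(">H", data, pos + 12)
        name_pos = pos + ptr                      # follow the pointer to the name block
        if name_pos + 3 > len(data):
            raise ValueError("name pointer outside packet")
        (name_len,) = struct.unpack_from(">H", data, name_pos)   # = len(name) + 1
        name = data[name_pos + 3:name_pos + 2 + name_len]
        if len(name) != name_len - 1:
            raise ValueError("truncated character name")
        chars.append({"id": char_id, "status": _flag(CHAR_STATUS, status),
                      "server_id": server_id, "name": name.decode("ascii")})
        pos += CHAR_RECORD_LEN
    for _ in range(n_chars):                      # skip the name blocks sequentially
        (name_len,) = struct.unpack_from(">H", data, pos)
        pos += 2 + name_len
    (n_worlds,) = struct.unpack_from(">H", data, pos)
    pos += 3                                      # count plus its single 0x00 separator
    worlds = []
    for _ in range(n_worlds):
        rec = data[pos:pos + WORLD_RECORD_LEN]
        if len(rec) != WORLD_RECORD_LEN:
            raise ValueError("truncated world record")
        worlds.append({"server_id": struct.unpack_from(">H", rec, 0)[0],
                       "name": rec[3:3 + WORLD_NAME_LEN].rstrip(b"\x00").decode("ascii"),
                       "status": _flag(WORLD_STATUS, rec[23]), "style": _flag(WORLD_STYLE, rec[24]),
                       "static": rec[25:31], "population": _flag(WORLD_POPULATION, rec[31])})
        pos += WORLD_RECORD_LEN
    return {"chars": chars, "worlds": worlds, "end": pos}   # "end": where the crypto tail starts


# Constructed sample: bytes 0x20..0xBC of the posted dump, with the redacted "--" names
# replaced by placeholder names of the same lengths (9 and 11 characters).
CHARS = [(0x000A6F1F, 0x00, 0x15, "character"), (0x0035371F, 0x00, 0x15, "placeholder")]
WORLDS = [(0x15, "Recursion", 1, 1, 0x31), (0x16, "Syntax", 1, 1, 0x31),
          (0x17, "Vector-Hostile", 1, 1, 0x31)]


def _hexname(s, width=0):
    return s.encode("ascii").ljust(width, b"\x00").hex()


SAMPLE = bytes.fromhex(
    "0200" "0002"
    "00001C" "000A6F1F" "00000000" "00" "0015"
    "00001A" "0035371F" "00000000" "00" "0015"
    + "000A00" + _hexname("character") + "000C00" + _hexname("placeholder")
    + "000300"
    + "001500" + _hexname("Recursion", 20) + "0101" + "F11D07000100" + "31"
    + "001600" + _hexname("Syntax", 20) + "0101" + "F11D07000100" + "31"
    + "001700" + _hexname("Vector-Hostile", 20) + "0101" + "F11D07000100" + "31")

if __name__ == "__main__":
    parsed = parse_world_list(SAMPLE)
    for c in parsed["chars"]:
        print("char 0x%08X on server 0x%02X: %s (%s)" % (c["id"], c["server_id"], c["name"], c["status"]))
    for w in parsed["worlds"]:
        print("world 0x%02X %-14s %s/%s/%s" % (w["server_id"], w["name"], w["status"], w["style"], w["population"]))
    print("crypto tail starts at dump offset 0x%X" % (0x20 + parsed["end"]))
```

Running the file parses the sample and prints the two character records and three world records; `build_world_list(CHARS, WORLDS)` reproduces the sample byte for byte, which is the check that the pointer and length rules above actually match the posted dump. The bounds checks matter for a server implementation that has to accept replies it did not generate itself: a pointer or length pointing past the buffer raises instead of reading neighbouring data.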
06-17-2009, 01:53 PM, (This post was last modified: 06-17-2009, 04:02 PM by Neo.)
#2
RE: World-list packet description.
Woah, this is awesome. Cool.. OK, the rest part is the part that changes every time... the first part, I think maybe it could be the same Twofish decryption style as the world packets, maybe.

Aaah, I found something out too for this world packet:

Somewhere in the code there is the following:
Code:
01514E7900757365726E616D65000000000000000000000000000000000000000000000000000001000000003575384A00000000000000000000000000000000000000000000000000000000000000000017

The 3575384A is a timestamp, but it must be read backwards... means:

4A387535, so we can generate the timestamp for this packet

I didn't try whether this works, and if this is a part of the decryption, but I will test it.

So the first packet reply is a timestamp too, in backwards order.

After I tested adding only the timestamp, I got the "Server incopatible" message.. that means that the timestamp is only a part of the decryption of the two parts, maybe.

Somewhere in these parts there must be a margin and client checksum, I think.
06-29-2009, 04:53 AM,
#3
RE: World-list packet description.
Are you trying to do launchpad? You should ask the EverQuest 2 guys about that, they've got a launchpad going...
06-29-2009, 02:46 PM, (This post was last modified: 06-29-2009, 02:48 PM by Neo.)
#4
RE: World-list packet description.
https://www.assembla.com/wiki/show/swgemu/Packets - is very helpful to understand the SOE Protocol (for launchpad only at MxO).

The problem we have is that MxO uses Launchpad for auth, but there is an additional MxO auth server too.
07-01-2009, 01:00 AM,
#5
RE: World-list packet description.
Rajko, I think that the packet I described above matches in some ways a struct in C++, like:

{integer,..., arrayofchars,arrayofServers,...}

Or even some object like "Character {data, name}" in that structure.

Could you have a peek at it to confirm in C++? Maybe we could "decrypt" the parts that are unknown now and create a "real" auth server answer, following a pattern.

I'm thinking that it looks like some "struct.pack" structure in Python, but I'm not so sure about where to cut/paste to send to "struct.unpack".
07-01-2009, 01:57 AM,
#6
RE: World-list packet description.
You would have to reverse engineer it to get the entire procedure...
and I can't even find the fucking thing, let alone do anything with it
07-26-2009, 01:33 PM,
#7
RE: World-list packet description.
After that gobbledygook Morpheus posted, there's 0x36 0x01 and then an 80-byte signature using pubkey.dat as verifier.
This signature is of the MD5 of the (5 bytes before the first username) all the way up to 0x60 00.
0x60 00 means there are 96 bytes of encrypted data after,
and it's encrypted with Twofish using AUTH_KEY as the key and the challenge as the IV.
Inside is completely random data (but it doesn't change unless I change the username). I have no idea what it is, but if I change even one byte of it, things go boom, and it just hangs at loading character.
After the encrypted data is just your username again etc.
07-27-2009, 03:42 PM,
#8
RE: World-list packet description.
WORLDLIST (AS_AuthReply) ANALYZING COMPLETE.
AUTH FULLY FUNCTIONAL, CHECK OUT REALITY SVN
MOVING ON TO MARGIN (already know how key exchange is done, about to implement)
07-28-2009, 02:01 PM,
#9
RE: World-list packet description.
Yes, I saw it on the SVN yesterday and tried it out.
VERY VERY VERY VERY VERY GREAT WORK DUDES!!!!!!!!!

I didn't believe that this was possible lol... but you both are awesome.
07-28-2009, 09:00 PM,
#10
RE: World-list packet description.
World list structure (non-crypto parts) updated.

Yay, more info discovered. Little, but fewer "unknown parts" now.