ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com

All times are UTC




PostPosted: Sun Jun 26, 2016 9:58 pm 

Joined: Sun Jun 26, 2016 9:53 pm
Posts: 5
Hi!

I'd like to make a private server of a certain MMORPG. I think this is possible, because I have the game files, up to the patch I wish to use, and the wonderful community of the Zenhax forum.
Of course, nothing is free, so I am willing to pay. The fee we can discuss in private, and I am fairly flexible.

Please, reply or pm me if you think you're capable of doing this for me.

Regards,
Jack


PostPosted: Mon Jun 27, 2016 12:56 am 

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 90
Having just the game files does not mean that you can create a private server. It also requires packet information from the server which requires access to the live game at the time. Unless the game is coded in a shitty language that allows you to see how packets are directly handled in the client, you won't be able to figure out the other half without live data.

_________________
My personal site: http://atom0s.com
Donations can be made via Paypal: Click Here


PostPosted: Mon Jun 27, 2016 11:56 am 

Joined: Sun Jun 26, 2016 9:53 pm
Posts: 5
I see, well as the game has a patch client, and I could actually log onto the game, I may be able to extract said packet information.
Do you by any chance know a way to do such a thing? Because honestly, I have no idea what packet information is.


PostPosted: Tue Jun 28, 2016 8:47 pm 

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 90
Packet information is the data transmitted between the server and your client. There are incoming packets (sent from the server to your client) and outgoing packets (sent from your client to the server). In terms of getting good data, you would want to make timed captures while doing certain things, such as buying an item from a vendor, selling an item to a vendor, chatting in the various chat channels, attacking something, using abilities / spells etc. You want to gather as much information as possible and have it organized to make things easier to go through later.

As for how to do it, it depends on the game. Some games have no encryption on packets so you can easily see all the traffic flow. While other games have it protected so it involves more work. The recommendation I give to anyone about hooking packet stuff is to hook the functions that the game uses to handle the packets instead of hooking Winsock directly. This way you can bypass the encryption layer altogether if there is one.



PostPosted: Wed Jun 29, 2016 3:11 pm 

Joined: Sun Jun 26, 2016 9:53 pm
Posts: 5
Thanks for clearing up what packet information is, even giving me examples on what to capture, but could you elaborate on "to hook the functions that the game uses to handle the packets instead of hooking Winsock directly"? I still don't understand how to get or record the packet data. For you to get a better idea on what I'm trying to accomplish, I'll pm you the name of the game I am trying to clone.


PostPosted: Wed Jun 29, 2016 6:39 pm 

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 90
You need to inject code into the game client to intercept the packet information.

Generally packets will be handled in a manner such as:

(Client To Server)
- Client receives input from the user to do something, such as talk to an npc.
- Client generates a packet that will be sent to the server informing it the client wants to talk to the given npc.
- Packet is encoded/encrypted/compressed. (Optional for the client to do these steps.)
- Packet is sent to the server.

(Server To Client)
- Server receives the packet from the client.
- Server decodes/decrypts/decompresses the packet. (Optional if the game uses these.)
- Server processes the packet as needed.
- Server generates a response packet to react to the client's packet. (Either accepting or declining their request to talk to an npc.)
- Packet is encoded/encrypted/compressed. (Optional for the client to do these steps.)
- Packet is sent to the client.

At this point the client would then receive the incoming packet and:
- Packet is received from the server.
- Packet is decoded/decrypted/decompressed. (Optional if the game uses these.)
- Packet is analyzed by the client to understand how to process it, usually an id near the start of the packet data.
- Packet is processed by the client.

And a cycle is formed of this happening constantly. Things can be different depending on the game and how its coded and so on but this is a generalization of what happens.

In terms of hooking, instead of applying hooks on the Winsock functions for actual networking, you would hook the game functions that handle the packets.

For example, in my examples above, I would look to place hooks at certain points of the packet flow.
For Client To Server, I would place a hook on the function that begins to prepare the finished packet for sending before it is encoded/encrypted/compressed. With that, I would have access to the packet before it is sent to the server allowing me to alter the packet, drop it entirely, etc.
For Server To Client, I would place a hook right after the decoded/decrypted/decompressed handling. At this point, I would have access to the incoming packets from the server before the game processes them. This would allow me to again, alter the packet data, drop it entirely, etc.



PostPosted: Wed Jun 29, 2016 8:49 pm 

Joined: Sun Jun 26, 2016 9:53 pm
Posts: 5
Thank you for the amazing detailed explanation of how packets are handled, and for providing me more insight on how things work in general. I didn't get it before, but now it seems so clear.

I think at the moment the only question I have left is how do I actually hook up the game functions and read the packet information?

I do understand things happen with every interaction I make in the game, such as trading, walking, using spells etc, but I never really see the ones and zeros on my game's screen. Where is this packet information hidden, and how do I find it/record it?

It seems like I have a lot to learn, and if you're willing to continue to support me that would be very much appreciated. I'll pm you my skype, so we can continue this conversation more freely.


PostPosted: Thu Jun 30, 2016 3:52 am 

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 90
The data transferred between the client and server is never visibly shown to an end-user. The idea is to keep things private/protected to help ensure the security of the game. Most online games use some form of encryption on their data to help keep things from getting into the wrong hands. That is to say, it is more of a deterrent than anything else.

I'll give you an example of an online game's packet setup; keep in mind this is not used in every game and it will vary.

For this example, I will reference Final Fantasy XI.

--------------------------------------------------------------------------------------------------------

Final Fantasy XI has a specific packet setup that is used in every single packet:

Code:
struct PacketHeader
{
    unsigned char   PacketId;
    unsigned char   PacketSize;
    unsigned short  PacketSync;
    unsigned char   Payload[];   // Variable length; the real packet length comes from the PacketSize calculation below.
};


First and foremost, PacketId and PacketSize are 'packed' data. Meaning that the packet id can overflow into the packet size variable. This was their way of handling packets that go over 255 id. So for FFXI in order to get the proper id/size you would have to do:
Code:
packetId = (*(unsigned short*)packet) & 0x01FF;
packetSize = (*(unsigned char*)(packet + 1) & 0x0FE) * 2;

FFXI enables themselves to be able to store a packet size over 255 in a single byte by using a multiplication method of 2.
So if a packet states it has a size of 4, it really is 8 bytes long instead.

FFXI handles packets in a specific manner that makes things pretty nice and easy to deal with debugging wise. They store a list of function pointers in an array per-packet id for handling both incoming and outgoing packets. So something like this:
Code:
// One handler function pointer per packet id.
typedef void (*PacketHandler)(unsigned char* packet);

PacketHandler IncomingHandlers[0x190];
PacketHandler OutgoingHandlers[0x190];

// Store a packet handler for incoming packets with an id of 0x17..
IncomingHandlers[0x17] = &SomeFunctionToHandleIncoming0x17Packet;


In terms of the packet flow, FFXI has a flow of this:
Code:
// Monitor for incoming packets..
while (true)
{
    auto size = recv(...);
    if (size <= 0)
        continue;

    // Packet validation..
    //
    // Here FFXI will do some minor checks on the packet, such as the MD5 that is appended to the data to ensure
    // the packet was properly hashed. They will also check if the PacketSync number is correct and in sync properly.
    // They use the sync counter for packet fragmentation to a degree as well since FFXI uses UDP packets for most things.
    ValidatePacket(...);
   
    // Decompress the data.. (custom zlib implementation)
    // Decrypt the data.. (blowfish)
    DecompressAndDecrypt(...);
   
    // Now the packet is handled based on the id..
    auto packetId = (*(unsigned short*)packet) & 0x01FF;
    if (IncomingHandlers[packetId] != nullptr)
        IncomingHandlers[packetId](packet);
       
    // Other actions / cleanup etc..
}


In my project for this game, I hook the function where the packet is being decrypted/decompressed. This allows me to skip over the layer of encryption and compression, letting the game handle that hassle and enables me direct access to the real packet data after it's cleaned and ready to be processed. I can drop the packet entirely by removing it from the buffer, I can alter the packet, or add more things to it.

Hooking the actual game function requires reversing it and understanding how it is called. You need to ensure that you are handling the data properly, handling the stack properly, etc. so that you do not corrupt the data. If you fuck things up, you risk getting banned.

So for a packet example in this game, when you receive a chat packet from the server, it is structured like this:
Code:
struct ChatPacket
{
    unsigned char     PacketId;
    unsigned char     PacketSize;
    unsigned short    PacketSync;
   
    unsigned char     MessageType; // (Say, Shout, Linkshell, etc.)
    unsigned char     IsGmMessage; // True/False if the message is from a Game Master.
    unsigned short    ZoneId;      // The zone id the person is in when the chat message occurred.
   
    char              Name[16];    // The name of the person that sent the message.
    char              Message[];   // The message (variable length, see below).
};


Here the Message is a 'dynamic' size that is 4 byte aligned up to a max of 236 characters long. On screen you will never know that this is how the data is sent from the server to the client. The most you will see is the message from the packet.

In order to do any of this you are going to have to understand how to reverse engineer things pretty well.

You are going to need to understand a handful of data transmission things too, such as bit packing and such for more in depth packets. Getting a hook into a game to dump their traffic is not that difficult, but analyzing the data and determining what it means is where the effort is.



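An added example (not code from the post and not from atom0s's own project) that turns the receive flow and hook placement described in the two posts above into runnable C: it unpacks the packed id/size header exactly as the post's two expressions do, checks the claimed size against the bytes actually received and the 9-bit id against the 0x190-entry table before indexing (neither check appears in the post's sketch), dispatches to a handler, and parses the chat layout out of a packet constructed in the code. It stands in at the point right after decrypt/decompress, where the post hooks, and assumes 0x17 as the chat packet id (the post uses that number only as a handler-table example); the builder, the sample name, zone and message are invented for the demo, and nothing here talks to a game or server.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; constants from the post, sample data constructed here. */
#define HANDLER_COUNT    0x190   /* handler table size from the post */
#define CHAT_FIXED_LEN   24      /* 4 header + 1 type + 1 gm + 2 zone + 16 name */
#define CHAT_MAX_MESSAGE 236     /* max message length from the post */

typedef int (*PacketHandler)(const uint8_t *pkt, size_t len);

/* Unpack id/size byte-wise, so the result does not depend on host endianness. */
uint16_t packet_id(const uint8_t *p)   { return (uint16_t)(p[0] | ((p[1] & 0x01) << 8)); }
size_t   packet_size(const uint8_t *p) { return (size_t)(p[1] & 0xFE) * 2; }
uint16_t packet_sync(const uint8_t *p) { return (uint16_t)(p[2] | (p[3] << 8)); }

struct ChatMessage {
    uint8_t  type, is_gm;
    uint16_t zone;
    char     name[17];                    /* 16 bytes on the wire plus a terminator */
    char     message[CHAT_MAX_MESSAGE + 1];
};

static PacketHandler      incoming_handlers[HANDLER_COUNT];
static struct ChatMessage last_chat;      /* filled by the chat handler */
static uint8_t            demo_buf[512];  /* holds the constructed sample packet */

/* Parse the chat layout. len was already bounded by the dispatcher, so every
 * copy stays inside the received bytes and the strings are always terminated. */
int parse_chat(const uint8_t *p, size_t len, struct ChatMessage *out)
{
    size_t msglen;
    if (len < CHAT_FIXED_LEN) return -1;
    out->type  = p[4];
    out->is_gm = p[5];
    out->zone  = (uint16_t)(p[6] | (p[7] << 8));
    memcpy(out->name, p + 8, 16);
    out->name[16] = '\0';
    msglen = len - CHAT_FIXED_LEN;
    if (msglen > CHAT_MAX_MESSAGE) msglen = CHAT_MAX_MESSAGE;
    memcpy(out->message, p + CHAT_FIXED_LEN, msglen);
    out->message[msglen] = '\0';          /* covers a message with no NUL in its padding */
    return 0;
}

static int handle_chat(const uint8_t *p, size_t len) { return parse_chat(p, len, &last_chat); }

/* Assumption for the demo: 0x17 is the chat id (the post's handler-table example index). */
void register_demo_handlers(void) { incoming_handlers[0x17] = handle_chat; }

/* The dispatch step of the post's loop, after decrypt/decompress.
 * Returns the handler's result, -1 for a malformed header, -2 for no handler. */
int dispatch_incoming(const uint8_t *buf, size_t received)
{
    size_t   size;
    uint16_t id;
    if (received < 4) return -1;
    size = packet_size(buf);
    if (size < 4 || size > received) return -1;   /* header claims more bytes than arrived */
    id = packet_id(buf);
    /* a 9-bit id reaches 0x1FF but the table has 0x190 entries: check before indexing */
    if (id >= HANDLER_COUNT || incoming_handlers[id] == NULL) return -2;
    return incoming_handlers[id](buf, size);
}

/* Build a chat packet as the post describes the wire format: packed header,
 * fixed fields, 16-byte name, message padded to a 4-byte boundary. */
size_t build_chat_packet(uint8_t *out, uint16_t id, uint16_t sync, uint8_t type,
                         uint8_t is_gm, uint16_t zone, const char *name, const char *msg)
{
    size_t msglen = strlen(msg) + 1;                /* include the terminator */
    size_t padded = (msglen + 3) & ~(size_t)3;
    size_t total  = CHAT_FIXED_LEN + padded;
    if (strlen(msg) > CHAT_MAX_MESSAGE) return 0;
    memset(out, 0, total);
    out[0] = (uint8_t)(id & 0xFF);
    out[1] = (uint8_t)(((total / 2) & 0xFE) | ((id >> 8) & 0x01)); /* size/2 in bits 1-7, id bit 8 in bit 0 */
    out[2] = (uint8_t)(sync & 0xFF);
    out[3] = (uint8_t)(sync >> 8);
    out[4] = type;
    out[5] = is_gm;
    out[6] = (uint8_t)(zone & 0xFF);
    out[7] = (uint8_t)(zone >> 8);
    strncpy((char *)out + 8, name, 16);             /* unterminated at 16 chars, like the wire */
    memcpy(out + CHAT_FIXED_LEN, msg, msglen);
    return total;
}

/* Constructed sample: a chat message from "Atomos" in zone 0xF4, with a chosen id. */
size_t demo_build(uint16_t id)
{
    return build_chat_packet(demo_buf, id, 1, 1, 0, 0xF4, "Atomos", "hello world");
}

int main(void)
{
    size_t n;
    int rc;
    register_demo_handlers();
    n  = demo_build(0x17);
    rc = dispatch_incoming(demo_buf, n);
    printf("rc=%d id=0x%03x size=%zu %s: %s\n", rc, packet_id(demo_buf), packet_size(demo_buf),
           last_chat.name, last_chat.message);
    n  = demo_build(0x117);                         /* same bytes with id bit 8 set: no handler */
    printf("rc=%d id=0x%03x\n", dispatch_incoming(demo_buf, n), packet_id(demo_buf));
    return 0;
}
```

Running it prints the parsed name and message for id 0x17 and rc=-2 for id 0x117, which shows the packed bit doing its job. The two checks in dispatch_incoming are the ones worth carrying into a real hook: a length that the game supplied in the header is attacker-controlled from your code's point of view, and an id that indexes a fixed table must be bounded by that table, not by the width of the field.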
PostPosted: Thu Jun 30, 2016 1:18 pm 

Joined: Sun Jun 26, 2016 9:53 pm
Posts: 5
I guess I'll start by reading up on reverse engineering, and learn to analyze data. The forums here should provide me with enough information, although it seems like a real challenge going through it all.

