Online Game plug-ins (2)

Source: Internet
Author: User
   3. How to analyze the intercepted packets?

First, save the packets intercepted by WPE as a text file and open it. You will see data like the following (the example here is the data the client sends when attacking (PK) the shop clerk NPC in Jin Yong Qun Xia Zhuan):

First file:

send-> 0000 E6 56 0d 22 7E 6B E4 17 13 13 12 12 12 13 67 1b
send-> 0010 17 12 dd 34 12 12 12 12 12 12 17 12 0e 12 12 12 12 9b
send-> 0000 E6 56 1E F1 29 06 17 12 3B 0e 17 1a
send-> 0000 E6 56 1B C0 68 12 12 12 5a
send-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12
send-> 0000 E6 56 17 C9 12

Second file:

send-> 0000 83 33 68 47 1B 0e 81 72 76 76 77 76 77 76 02 7e
send-> 0010 72 77 07 1C 77 77 77 77 72 77 77 77 6d
send-> 0000 83 33 7b 94 4C 63 72 77 5E 6B 72 f3
send-> 0000 83 33 7E A5 21 77 77 77 3f
send-> 0000 83 33 67 AD 76 CF 1B 0e 81 72 75 50 42 76 77 77
send-> 0000 83 33 72 AC 77

We find that the two captures of attacking the shop clerk have the same format but different contents. We attacked the same NPC both times, so why are they different? It turns out that the packets of Jin Yong Qun Xia Zhuan are encrypted before they are sent over the network. The problem we face is how to turn the ciphertext back into plaintext so that we can analyze it.

Because packet encryption is usually an exclusive-or (XOR) operation, let's first talk about what XOR is. In short, XOR means "same gives 0, different gives 1", applied to binary values bit by bit. For example, to XOR 0001 with 0010, we compare the values bit by bit and get 0011. The calculation goes like this: the 4th bit of 0001 is 0 and the 4th bit of 0010 is 0; they are the same, so by the rule "same is 0, different is 1" the 4th bit of the result is 0. The 3rd bits are 0 and 0, so the 3rd bit of the result is 0. The 2nd bits are 0 and 1, so the 2nd bit of the result is 1. The 1st bits are 1 and 0, so the 1st bit of the result is 1. Put together, the result is 0011. XOR will come up many times in what follows, so get familiar with the operation before going on with the analysis.

Next, let's continue with the two files above. By common sense, not every byte in a packet carries a value: during game development some bytes are reserved for future expansion, so a packet will contain some "00" bytes. Looking at the files, we find many "12" bytes in file 1 and many "77" bytes in file 2. Could these be the "00" bytes? Let's start from this reasoning!

We XOR file 1 with "12" and file 2 with "77". Doing this by hand is of course very tedious, so we use the "M2M 1.0 plus sealing package analysis tool" to compute it. The result is:

First file:

1 send-> 0000 F4 44 1f 30 6C 79 F6 05 01 01 01 00 01 75 09
  send-> 0010 05 00 CF 26 00 00 00 00 05 00 1C 00 00 89
2 send-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 08
3 send-> 0000 F4 44 09 D2 7A 00 00 00 48
4 send-> 0000 F4 44 10 da 01 dB 6C 79 f6 05 02 27 35 01 00 00
5 send-> 0000 F4 44 05 dB 00

Second file:

1 send-> 0000 F4 44 1f 30 6C 79 F6 05 01 01 01 00 01 75 09
  send-> 0010 05 00 70 6B 00 00 00 00 05 00 00 00 00 1A
2 send-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 84
3 send-> 0000 F4 44 09 D2 56 00 00 00 48
4 send-> 0000 F4 44 10 da 01 B8 6C 79 f6 05 02 27 35 01 00 00
5 send-> 0000 F4 44 05 dB 00

Haha, now most of the two files are the same, which shows that our reasoning was correct. This is the plaintext we need!
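As an added illustration (not code from the article), the reasoning just used, written out: when every byte is XORed with one fixed key, the key shows up as the most frequent ciphertext byte wherever the plaintext has reserved 00 bytes, so this kind of "encryption" hides nothing from anyone who can capture traffic. The sample packets are the first request from each of the two dumps above, re-typed; the header field names follow the article.

```python
from collections import Counter

# Constructed sample input: the first request packet from each capture above,
# re-typed from the article's hex dumps (treat as illustrative data).
CAPTURE_1 = bytes.fromhex(
    "E6 56 0d 22 7E 6B E4 17 13 13 12 12 12 13 67 1b "
    "17 12 dd 34 12 12 12 12 12 12 17 12 0e 12 12 12 12 9b"
)
CAPTURE_2 = bytes.fromhex(
    "83 33 68 47 1B 0e 81 72 76 76 77 76 77 76 02 7e "
    "72 77 07 1C 77 77 77 77 72 77 77 77 6d"
)


def recover_xor_key(ciphertext: bytes) -> int:
    """Guess a single-byte XOR key.

    Assumes the plaintext's most frequent byte is 0x00 (reserved bytes),
    so the most frequent ciphertext byte is 0x00 XOR key, i.e. the key.
    """
    (key, _count), = Counter(ciphertext).most_common(1)
    return key


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def parse_header(plaintext: bytes) -> dict:
    """Split out the fields the article identifies: 2-byte marker,
    length byte, command byte."""
    if len(plaintext) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    return {"marker": plaintext[:2], "length": plaintext[2], "command": plaintext[3]}


if __name__ == "__main__":
    for label, capture in (("capture 1", CAPTURE_1), ("capture 2", CAPTURE_2)):
        key = recover_xor_key(capture)
        plain = xor_bytes(capture, key)
        print(label, f"key=0x{key:02x}", plain.hex(" "), parse_header(plain))
```

Running it shows both captures decrypt to the same "F4 44 1f 30 ..." header, and re-encrypting capture 1's plaintext with capture 2's key reproduces capture 2's opening bytes: the two dumps differ only in the per-session key.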

The next step is to work out the meaning of the key bytes, which requires intercepting a large amount of data for analysis.

First, we notice that every packet starts with "F4 44", and that the 3rd byte changes, but in a regular way. Look at the length of each packet. What do we find? The 3rd byte is the packet length! By intercepting a large number of packets we can determine that the 4th byte is the command, that is, the client telling the server which operation to perform. For example, the command requesting combat from the server is "30", and the combat movement command is "D4". Next we analyze the first packet above, "F4 44 1f 30 6C 79 F6 05 01 01 01 01 00 01 75 09 05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 89". What information does it contain? It should tell the server which NPC you are attacking, so let's look for the code of this shop clerk. We have another combat packet, for Mr. Luo (the one outside the Dali inn):

send-> 0000 F4 44 1f 30 D4 75 F6 05 01 01 00 01 00 01 75 09
send-> 0010 05 00 8A 19 00 00 00 00 11 00 02 00 00 00 C0

By common sense, although the number of NPCs in the game will never exceed 65535 (FFFF), the developers would not limit themselves to a word (2-byte) range, since that would hinder expansion of the game, so we look at it as a double word (4 bytes). Comparing the "store" packet with the "xiaoyunluo" packet, we set our sights on "6C 79 F6 05" and "CF 26 00 00". (Comparing is easy, but you must not be careless, huh.) Then look at the later packets; the NPC code should appear there too, for example in the movement packet: when a game allows spectating, the server must know the NPC's coordinates and broadcast them to the other players. In the 4th packet, "send-> 0000 F4 44 10 da 01 dB 6C 79 F6 05 02 27 35 01 00 00", we see "6C 79 F6 05" again, so we preliminarily conclude that this is the store's code! (This analysis involves a lot of work; you can use WPE to capture data and analyze it yourself.)

That is as far as we take the analysis of the first packet (we do not need to fully understand all the information it contains).

Now look at the 4th packet, "send-> 0000 F4 44 10 da 01 dB 6C 79 F6 05 02 27 35 01 00 00", and then intercept the packet for attacking yellow dogs (two dogs come out) and check its format:

send-> 0000 F4 44 1A da 02 0b 4B 7d F6 05 02 27 35 01 00 00
send-> 0010 EB 03 F8 05 02 27 36 01 00 00

By the above analysis, the yellow dog code is "4B 7d F6 05" (100040011). But how does the server tell the two yellow dogs apart? Look at "Eb 03 F8 05" (100140011): it is the previous code plus 100000. Haha, so that is how the server distinguishes the two yellow dogs. We confirmed this with packets intercepted while fighting enemies in the wild.

The packet format should now be clear: the 3rd byte is the packet length, "da" is the command, the 5th byte is the number of NPCs, and the 10 bytes starting at the 7th byte describe one NPC. Each additional NPC adds another 10 bytes.

If you have played Net Gold, you know that random enemy reinforcements sometimes show up. We will use the game's reinforcement mechanism to make reinforcements appear in every battle.

By intercepting packets during a battle, we find that the server sends a packet like this: f4 44 12 E9 EB 03 F8 05 02 00 00 00 00 00 00 00 00. The 5th to 8th bytes are the code of the reinforcing NPC (here we simply use the yellow dog code as the example). Then we use the stand-alone proxy technique to spoof the client and the server at the same time!

With that, summoning NPCs is half done. Next, let's continue with how to modify and send packets.
 4. How do I impersonate a "client" and send the packets we need to the "server"?

Here we need a tool that sits between the client and the server. Its job is to receive and forward packets. Such a tool is called a proxy. If the proxy simply received and forwarded packets it would be pointless, but note that every packet has to pass through it, and that is what makes it significant: we can analyze each received packet and forward it unchanged, forward it after modification, suppress it so that it is not forwarded at all, or even forge the packets we need and send them ourselves.

Next we continue with how to spoof the server and the client at the same time, that is, how to modify and forge packets. From the analysis in the previous section we already know the packet format for multiple NPCs, so let's get started!

First, we need to find, among the packets the client sends, the combat feature, that is, the 1st packet requesting a battle. We find the signature "F4 44 1f 30", which does not change (of course you have to decrypt before searching for it). Once this packet is found, the client is requesting a battle from the server; we leave that packet alone and forward it. Continue looking further down. The pattern to search for is not very distinctive: we first look for "da", the command with which the client sends NPC information, but other packets may also contain "da". That does not matter; just check whether the first bytes are "F4 44". Once it is found, our work begins!

We decide how many NPCs to fight. This number cannot be very large, because the packet length in Net Gold is expressed in one byte, so a packet can hold at most 255 bytes. We found above that each additional NPC adds 10 bytes, so we know that around 20 NPCs is appropriate.

Then we need to work out the original NPC code from the client, because each added NPC code should be the previous one plus 100000. Compute the added NPC codes and combine them into a new packet. Note that the byte representing the packet length must be modified before forwarding to the server. When writing the program for this step, pay attention to the algorithm so as not to introduce large latency.

Once the above is done, cheating the client is easy.

After the preceding packet has been sent, we construct a packet for each newly added NPC code and send it to the client immediately. The format is "F4 44 12 E9 NPC code 02 00 00 03 00 00 00 00 00 00 00"; build such a packet for each newly added NPC and send them to the client in sequence. Then the client is cheated too. Easy.
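As an added example (not code from the article or the game), here is a parser for the NPC-info packet layout described in the format summary above, written from the server's side: it refuses a length byte or NPC count that does not match the actual packet, and reports NPC codes the server never placed in the battle, which is exactly what the forged multi-NPC packet described above relies on being accepted. The sample bytes are the two-yellow-dog packet quoted above; the expected-code set and the NPC cap are assumed server policy for the demonstration.

```python
import struct

MARKER = b"\xf4\x44"        # every packet starts with F4 44
CMD_NPC_INFO = 0xDA         # "da": client reports the NPCs in the battle
HEADER_LEN = 6              # marker(2) length(1) command(1) npc_count(1) 6th byte(1)
NPC_ENTRY_LEN = 10          # 10 bytes per NPC, starting at the 7th byte

# Constructed sample: the two-yellow-dog packet quoted in the article, re-typed.
SAMPLE = bytes.fromhex(
    "F4 44 1A da 02 0b 4B 7d F6 05 02 27 35 01 00 00 "
    "EB 03 F8 05 02 27 36 01 00 00"
)


def parse_npc_packet(pkt: bytes) -> dict:
    """Decode the layout from the article, refusing anything inconsistent."""
    if len(pkt) < HEADER_LEN or pkt[:2] != MARKER:
        raise ValueError("bad marker or truncated header")
    length, command, count = pkt[2], pkt[3], pkt[4]
    if command != CMD_NPC_INFO:
        raise ValueError(f"unexpected command 0x{command:02x}")
    if length != len(pkt):
        raise ValueError(f"declared length {length} != actual {len(pkt)}")
    if HEADER_LEN + count * NPC_ENTRY_LEN != length:
        raise ValueError("NPC count does not match packet length")
    entries = []
    for i in range(count):
        off = HEADER_LEN + i * NPC_ENTRY_LEN
        # The article reads the 4-byte NPC code as a little-endian dword.
        code = struct.unpack_from("<I", pkt, off)[0]
        entries.append({"code": code, "rest": pkt[off + 4:off + NPC_ENTRY_LEN]})
    return {"command": command, "entries": entries}


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_npc_packet(pkt)
        return True
    except ValueError:
        return False


def server_side_check(pkt: bytes, expected_codes: set, max_npcs: int) -> list:
    """Assumed server policy: accept only NPCs the server itself placed in
    this battle, and never more than max_npcs. Returns a list of problems."""
    entries = parse_npc_packet(pkt)["entries"]
    problems = []
    if len(entries) > max_npcs:
        problems.append("too many NPCs")
    problems += [f"unknown NPC code {e['code']}" for e in entries if e["code"] not in expected_codes]
    return problems


if __name__ == "__main__":
    print(parse_npc_packet(SAMPLE))
    print(server_side_check(SAMPLE, {100040011, 100140011}, max_npcs=2))
```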

From here on we don't care about anything else in the battle. Let's start fighting.
