Reverse Thinking: World of Warcraft Packet Analysis (2)


Author: sodimethyl. Source: http://blog.csdn.net/sodme. Statement: This article may be reproduced and redistributed without the author's consent, but any reference to it must credit the author, the source, and this statement. Thank you!

The method of packet analysis is simple to state: comparison! We must constantly compare and analyse packets from different perspectives, using our imagination to keep capturing the packets needed for comparison. We should compare not only horizontally (packets of the same kind) but also vertically (packets of different kinds), and study the same packet over and over again.

A beginner in packet analysis generally does not know where to start. Based on experience, this article shows which types of packets are worth analysing and how to carry out a preliminary analysis of them. It should be pointed out that packet analysis is very interesting but also a test of patience. After half a day of staring at network data such as "B0 EF 58 02 10 72 ....", you will usually be left with a headache and dizziness, so if you are not mentally prepared for that, please do not try it lightly. Haha.

The basic prerequisite for packet analysis is that you understand and are familiar with the TCP protocol, and know what packet "sticking" is (several logical packets arriving stuck together in one TCP read, or one split across reads). Of course, only a small proportion of the packets we normally capture are "stuck" together, but if you do not understand the phenomenon it may mislead and confuse your analysis. For more on "sticky packets", see my other article, "How to handle the exception (including code)" (http://blog.csdn.net/sodme/archive/2005/07/10/419233.aspx).

In the previous article on World of Warcraft packet analysis (http://blog.csdn.net/sodme/archive/2005/06/18/397371.aspx), I analysed the architecture and login logic of Warcraft by following the client's connection and disconnection events and some of the packets exchanged during login. In this article, I will use the analysis of chat packets to explain the general structure of World of Warcraft packets.

First, let us state our goal: the general structure of a packet. What does the general structure of a packet include? In general it covers at least two aspects: 1. How does a packet indicate its length, i.e. which field carries the packet length? (Or equivalently: how are the start and end of a packet marked?) 2. Which field indicates the packet type?

Do all game packets have a "length" field? No. Some games do not use this method and instead set special start-of-packet and end-of-packet markers. From the application's perspective, however, we recommend the "length" approach: whether judged by processing efficiency at the network layer or by convenience for the upper-layer application, a "length" field is the better way to delimit a complete logical packet. Once the general structure is determined, we can analyse the detailed structure of specific packet types (such as chat and walking).

For black-box packet analysis, the packet chosen must have this property: before the client encrypts and sends it, we already know some of its content. Such a packet can serve as the breakthrough point of the analysis. It is therefore not hard to see why the "chat packet" is the first object of analysis: we know what we said and what we typed, even though after processing by the client, what we said may have been encrypted or had a checksum added before it reaches the network. From the black-box perspective, what we can do is continually compare, judge, and summarize the various "chat packets".

OK. Open your CommView. Let's start with chat packets.

The prerequisite for analysing chat packets is that we can reliably tell which packets are chat packets, and not mistake walking or other packets for chat. To reduce the difficulty, we recommend analysing packets when there are few or no other players around in the game: first, nobody will disturb you, and second, your network traffic will be much smaller, making the packets easier to identify.

Step 1: Determine the port the client uses to communicate with the server, then set that server port under CommView's Rules -> Ports so that all packets exchanged with it are captured. To find the server port: do not run any other network tools, open CommView, enter the game, capture packets, and observe the communication port. During packet analysis, and especially at the beginning, your network communication should be as simple as possible, i.e. run no other communication software besides the game. Once you have confirmed the server's IP address and port, you can use other network software as usual.

Step 2: As described above, find a place in the game where there are few or no people and start "talking to yourself". We recommend using letters and numbers instead of Chinese. Chinese characters are double-byte while letters and numbers are single-byte; packet capture software displays single-byte text directly, whereas with double-byte Chinese characters a line wrap or similar may cause some characters to display as garbage, making the Chinese content hard to read directly. If you insist on speaking Chinese, nobody will stop you; in that case I recommend a tool, String Demander (http://www.cnxhacker.com/Download/show/395.html), with which you can look up the encoding of Chinese characters.

Step 3: Set the CommView rules, make them take effect, and start capturing packets.

Observing the packets captured by the above procedure, we find that World of Warcraft's chat packets are in plain text! There is no need to make a fuss about this: chat packets themselves do no damage to the key logic of the game, so it is not surprising that they are sent in plaintext. Still not trusting our own eyes, we captured several more packets and found that the message content in the packet is indeed plaintext, while the other fields in the packet are "ciphertext" that we cannot understand for the moment.

It seems the next thing to study is the "ciphertext" in these packets. Normally the encryption method behind this "ciphertext" cannot be worked out through packet analysis alone; however, through packet analysis we can still infer some things about the algorithm that generates it. We can carry out the following comparative analysis: 1. Type "A" three times in a row, observing and saving the packet data each time; 2. Type "AA" three times in a row, observing and saving the packet data each time; 3. Type "AAA" three times in a row, observing and saving the packet data each time.

For the input we chose the letter "A", whose ASCII code is 61. The input rule is: in each case enter the text three consecutive times, then increase the number of A letters by one. We then found an interesting set of phenomena: 1. The message content of the packet is plaintext; 2. Even for identical speech content, the packets sent by the client differ each time; 3. When the number of letters in the message increases by 1, the total packet length increases by 1; 4. Apart from the first 6 bytes of each packet and the message bytes, the rest of the packet content is the same every time; 5. The last byte of every chat packet is 0.
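The comparison step above is mechanical enough to script. The following is an added example, not code from the original article: it takes several captures of the same typed line, reports which byte offsets changed between captures and which stayed constant, where the typed text sits in plaintext, whether the packet ends with 0, and how the packet length grows per extra letter. The packets in it are constructed to mirror the five phenomena listed (a varying 6-byte header, a few constant bytes, the plaintext message, a trailing 0); they are not real captures, and the constant 4-byte field is a made-up placeholder.

```python
"""Compare repeated captures of the same chat line to find what varies.

Added example, not code from the original article. The SAMPLE packets are
CONSTRUCTED to mirror the phenomena the article lists; they are not real
World of Warcraft captures.
"""
from typing import Dict, List, Set


def varying_positions(captures: List[bytes]) -> Set[int]:
    """Byte offsets whose value differs in at least one capture.

    Only captures of equal length are comparable offset by offset.
    """
    lengths = {len(c) for c in captures}
    if len(lengths) != 1:
        raise ValueError(f"captures differ in length: {sorted(lengths)}")
    n = lengths.pop()
    return {i for i in range(n) if len({c[i] for c in captures}) > 1}


def analyse(groups: Dict[str, List[bytes]]) -> Dict[str, dict]:
    """groups maps the typed text to the list of captures of that same line."""
    report: Dict[str, dict] = {}
    for text, caps in groups.items():
        vary = varying_positions(caps)
        size = len(caps[0])
        report[text] = {
            "length": size,
            "varying": sorted(vary),                       # offsets that change per capture
            "constant": sorted(set(range(size)) - vary),   # offsets identical every time
            "plaintext_at": caps[0].find(text.encode()),   # -1 would mean not in plaintext
            "ends_with_zero": caps[0][-1] == 0,
            "all_distinct": len(set(caps)) == len(caps),   # no two captures identical
        }
    return report


def length_growth(report: Dict[str, dict]) -> List[int]:
    """Packet-length deltas as the typed text grows by one letter per step."""
    lens = [report[t]["length"] for t in sorted(report, key=len)]
    return [b - a for a, b in zip(lens, lens[1:])]


def _pkt(header: bytes, text: bytes) -> bytes:
    # Constructed layout: 6 varying header bytes, 4 constant bytes, text, 0.
    return header + b"\x01\x00\x00\x00" + text + b"\x00"


# Constructed sample captures: three per typed line, header bytes all differ.
SAMPLE: Dict[str, List[bytes]] = {
    "A": [_pkt(bytes.fromhex("3c1fa0075510"), b"A"),
          _pkt(bytes.fromhex("81620c9e2ad3"), b"A"),
          _pkt(bytes.fromhex("17f47b22e948"), b"A")],
    "AA": [_pkt(bytes.fromhex("9a03c7e41b66"), b"AA"),
           _pkt(bytes.fromhex("2e5811092cf0"), b"AA"),
           _pkt(bytes.fromhex("d0b9f3a07e1c"), b"AA")],
    "AAA": [_pkt(bytes.fromhex("4f2ab8c6d307"), b"AAA"),
            _pkt(bytes.fromhex("b61e0f52a9c4"), b"AAA"),
            _pkt(bytes.fromhex("0397e2be1d88"), b"AAA")],
}


if __name__ == "__main__":
    r = analyse(SAMPLE)
    for text, info in r.items():
        print(f"{text!r}: len={info['length']} varying={info['varying']} "
              f"text@{info['plaintext_at']} ends0={info['ends_with_zero']}")
    print("length growth per extra letter:", length_growth(r))
```

Replace SAMPLE with the hex dumps from your own captures (one list per typed line) and the report tells you directly which offsets deserve attention: the varying ones are candidates for per-packet key or sequence data, the constant ones for fixed header fields.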

From this we can try to draw the following conclusions: 1. The packet is not compressed, and the encryption algorithm used works on individual bytes, since the packet length is not changed to make packets look uniform in length; 2. The packet ends with 0 (although we do not yet know how it begins); 3. The key used by the packet encryption algorithm is variable, i.e. the ciphertext generated for the same packet content varies with the encryption key. After the client's data reaches the server, the server must decrypt it, so the client's encryption algorithm and the server's decryption algorithm should share something in those first six bytes, used as the key for decryption. If the six bytes do not contain the synchronization data needed for encryption and decryption, then the client and server must synchronize it some other way. I lean toward the former, i.e. these 6 bytes should contain the key information needed for encryption and decryption.

Looking back at the interesting phenomena observed above, consider point 2. This should be a minimum requirement: even when the client performs the same action, the content of the packets it sends differs. That way a cheat program ("plug-in") cannot achieve its goal simply by resending the same packet.

The analysis so far has still not determined the general structure of the Warcraft packet. Actually, I feel the purpose of this article has already been achieved, which is to show you the perspective and way of thinking of packet analysis; the specific results are really not important. What is certain is that the packet structure of Warcraft has been worked out, and here I will publish only my analysis results: 1. The packet length field is the first two bytes of each packet; the packet length is the value of those two bytes + 2, the 2 being added because the length field itself occupies two bytes. 2. The packet type is inferred to be the third and fourth bytes, and the type ID of ordinary chat is "95 00".
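The two results above, together with the "sticky packet" caveat from the start of the article, are enough to write a splitter that turns a captured TCP byte stream back into logical packets. The following is an added example, not the article's code and not any World of Warcraft project's code: it applies the rule "packet length = value of the first two bytes + 2" and reads bytes 3 and 4 as the type ID, treating "95 00" as chat. The byte order of the length field is not stated in the article and is an assumption here (parameter byteorder, default big-endian); the sample segments are constructed, including the deliberate split of one packet across two segments and two packets merged into one.

```python
"""Split a captured TCP byte stream into logical game packets.

Added example, not code from the original article. Assumptions:
- length field = first two bytes, total packet length = field + 2 (article)
- type ID = bytes 3-4, chat = "95 00" (article)
- byte order of the length field = big-endian (NOT stated in the article)
- SAMPLE_SEGMENTS are constructed, not captured data
"""
from dataclasses import dataclass
from typing import List, Tuple

HEADER_LEN = 2           # size of the length field itself
CHAT_TYPE = b"\x95\x00"  # type ID the article reports for ordinary chat


@dataclass
class Packet:
    type_id: bytes  # raw bytes 3-4 as they appear on the wire
    body: bytes     # everything after the type field

    @property
    def is_chat(self) -> bool:
        return self.type_id == CHAT_TYPE


class StreamSplitter:
    """Reassembles logical packets from TCP segments.

    TCP is a byte stream, so one segment may carry several logical packets
    ("sticky packets") or only part of one. Feed each segment to feed(); it
    returns only complete packets and keeps any remainder buffered until
    the next segment arrives.
    """

    def __init__(self, byteorder: str = "big") -> None:
        self._buf = bytearray()
        self._byteorder = byteorder

    def feed(self, segment: bytes) -> List[Packet]:
        self._buf += segment
        out: List[Packet] = []
        while len(self._buf) >= HEADER_LEN:
            field = int.from_bytes(self._buf[:HEADER_LEN], self._byteorder)
            total = field + HEADER_LEN  # article: packet length = field + 2
            if total < HEADER_LEN + 2:
                raise ValueError(f"length field {field} leaves no room for a type ID")
            if len(self._buf) < total:
                break  # wait for the rest of this packet
            pkt = bytes(self._buf[:total])
            del self._buf[:total]
            out.append(Packet(type_id=pkt[2:4], body=pkt[4:]))
        return out

    @property
    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete packet."""
        return len(self._buf)


def build_packet(type_id: bytes, body: bytes, byteorder: str = "big") -> bytes:
    """Inverse of the split: the length field counts type + body (total - 2)."""
    field = len(type_id) + len(body)
    return field.to_bytes(HEADER_LEN, byteorder) + type_id + body


# Constructed sample: two chat packets and one non-chat packet, delivered in
# segments that split one packet and merge two, as TCP may do.
_p1 = build_packet(CHAT_TYPE, b"\x01\x02\x03\x04AAA\x00")
_p2 = build_packet(b"\x12\x00", b"\xaa\xbb")
_p3 = build_packet(CHAT_TYPE, b"\x05\x06\x07\x08AA\x00")
SAMPLE_SEGMENTS = [(_p1 + _p2)[:5], (_p1 + _p2)[5:] + _p3[:1], _p3[1:]]


def split_sample() -> List[Tuple[bytes, bool, bytes]]:
    """Run the splitter over the constructed segments; returns (type, is_chat, body)."""
    s = StreamSplitter()
    found = []
    for seg in SAMPLE_SEGMENTS:
        for p in s.feed(seg):
            found.append((p.type_id, p.is_chat, p.body))
    assert s.pending == 0  # every byte of the sample was consumed
    return found


if __name__ == "__main__":
    for t, chat, body in split_sample():
        print(t.hex(" "), "chat" if chat else "other", body)
```

If the length field turns out to be little-endian, construct StreamSplitter("little") instead; a wrong guess shows up quickly because the computed total stops lining up with segment boundaries and the "type" bytes stop reading "95 00" on chat lines.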

Please do not write to me asking about anything related to cracking Warcraft packets; what I can say I have already said in this article. I did not write this series to crack Warcraft. Rather, I want to use such an excellent game as a case study to show what it offers us to learn and discuss in terms of packet design, and at the same time to spread the common sense, tools, and ways of thinking of packet analysis to more friends.

PS: Because each packet analysis involves a great deal of material, once a conclusion is reached it must be recorded and summarized promptly and compared with earlier summaries, and the relevant records and documents updated in time.
