Now that we have a server working for logins it's time to start analyzing the packets. Since we currently only reach the character creation screen, I took the time to analyze the packet sent by the client to the server when creating a character. This packet already shows a wide range of variety, so I started by looking at the creation of a male, human burglar from Bree.
You can take a look at this analysis at the following page:
http://bwgypyth.appspot.com/packet.jsp?packet=305
I was already able to identify some parts of the packet, e.g. hairtype, headtype, mouthtype, etc. There are some interesting things to be seen in the different packets. First of all, the packet differs even on the same input data. Take a look at:
http://bwgypyth.appspot.com/packet.jsp?packet=9001
This is exactly the same action as performed in the other packet (creating a male, human burglar from Bree) but it is padded with additional unknown data. So first of all we needed to identify the magic number in the packet that tells the server to create a character. Since we are assuming that we are facing an opcode-based network protocol, I was looking for a repeating sequence, the opcode.
For now we assume that opcodes are either 4 bytes long (or 2 bytes prefixed by the number of opcodes in the packet). 0x01 0x00 0x01 0x04 was the first data packet (after the 20 bytes of header code) in the shortest captures. This opcode also appeared in all captures, so I assume this is the opcode that starts a character creation.
This opcode (which appears to be the last opcode in the packet) is followed by 147 bytes of data for a male humanoid burglar character. Take a look at the data I gathered and please verify my assumptions. The best way to do this is by comparing the data (e.g. by using Meld which is an awesome diff viewer).
Another interesting catch is that female humanoid characters are created using shorter packets (only 128 bytes). One of the reasons seems to be that the GUI lacks a method to add facial hair, which also seems to be missing from the packet (dwarf ladies might be different, I haven't checked that yet).
Have fun browsing the packets. I'm planning on investigating this packet further and keep you updated.
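To make the method above concrete, here is a small Python script (added as an example; it is not code from the original post and the packet bytes in it are constructed, not real captures). It strips the assumed 20-byte header, collects the 4-byte sequences that occur in every capture (the "repeating sequence" heuristic used to find the opcode), locates the assumed creation opcode 0x01 0x00 0x01 0x04 even when unknown padding precedes it, and reports the byte offsets at which two payloads differ, which is the byte-level equivalent of comparing captures in Meld. The field layout of the 147 bytes after the opcode is unknown, so the sample payload only marks the first four bytes as hypothetical hair/head/mouth fields.

```python
"""Opcode hunting and payload diffing for captured game packets.

Added example, not part of the original post. Header length and opcode
value follow the assumptions stated in the post; every packet below is
constructed for illustration and is NOT a real capture.
"""
from typing import List, Optional, Tuple

HEADER_LEN = 20                                   # assumed fixed header size
CREATE_OPCODE = bytes([0x01, 0x00, 0x01, 0x04])   # assumed "create character" opcode
OPCODE_WIDTH = 4                                  # assumed opcode width


def strip_header(packet: bytes, header_len: int = HEADER_LEN) -> bytes:
    """Return the packet body after the fixed-size header."""
    if len(packet) < header_len:
        raise ValueError(f"packet of {len(packet)} bytes is shorter than header")
    return packet[header_len:]


def candidate_opcodes(captures: List[bytes], width: int = OPCODE_WIDTH,
                      header_len: int = HEADER_LEN,
                      skip_runs: bool = True) -> List[bytes]:
    """Sliding-window sequences of `width` bytes that occur in EVERY capture.

    Windows are taken at every offset, since padding shifts the opcode
    position between captures. With skip_runs, windows made of one repeated
    byte (typical zero filler) are dropped; that filter is my heuristic.
    """
    common = None
    for packet in captures:
        body = strip_header(packet, header_len)
        windows = {body[i:i + width] for i in range(len(body) - width + 1)}
        common = windows if common is None else common & windows
    common = common or set()
    if skip_runs:
        common = {w for w in common if len(set(w)) > 1}
    return sorted(common)


def locate_opcode(packet: bytes, opcode: bytes = CREATE_OPCODE,
                  header_len: int = HEADER_LEN) -> Optional[Tuple[int, bytes]]:
    """Find `opcode` in the body; return (offset in body, data after opcode)."""
    body = strip_header(packet, header_len)
    idx = body.find(opcode)
    if idx < 0:
        return None
    return idx, body[idx + len(opcode):]


def diff_bytes(a: bytes, b: bytes) -> Tuple[List[int], int]:
    """Offsets where a and b differ, plus the length difference len(a)-len(b)."""
    differing = [i for i in range(min(len(a), len(b))) if a[i] != b[i]]
    return differing, len(a) - len(b)


# --- constructed sample captures (placeholders, not real traffic) ---
HEADER = bytes(range(HEADER_LEN))                          # placeholder header
# hypothetical field bytes (hair, head, mouth, ...) followed by filler: 147 bytes total
MALE_FIELDS = bytes([0x02, 0x05, 0x01, 0x03]) + bytes(143)
PADDING = bytes([0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22])  # unknown extra data

SHORT_CAPTURE = HEADER + CREATE_OPCODE + MALE_FIELDS
PADDED_CAPTURE = HEADER + PADDING + CREATE_OPCODE + MALE_FIELDS
VARIANT_CAPTURE = HEADER + CREATE_OPCODE + bytes([0x07]) + MALE_FIELDS[1:]


def analyse(captures: List[bytes]) -> dict:
    """Run the whole workflow on a set of captures and summarise the result."""
    found = {i: locate_opcode(p) for i, p in enumerate(captures)}
    offsets = {i: r[0] for i, r in found.items() if r is not None}
    payload_lens = {i: len(r[1]) for i, r in found.items() if r is not None}
    return {
        "candidates": candidate_opcodes(captures),
        "opcode_offsets": offsets,
        "payload_lengths": payload_lens,
    }


if __name__ == "__main__":
    summary = analyse([SHORT_CAPTURE, PADDED_CAPTURE, VARIANT_CAPTURE])
    print("common 4-byte sequences:", [c.hex() for c in summary["candidates"]])
    print("opcode offsets per capture:", summary["opcode_offsets"])
    print("payload lengths:", summary["payload_lengths"])
    _, base = locate_opcode(SHORT_CAPTURE)
    _, variant = locate_opcode(VARIANT_CAPTURE)
    print("differing offsets short vs variant:", diff_bytes(base, variant))
```

Feeding real captures in place of the constructed ones is a matter of reading the hex dumps into `bytes` objects; the padded capture shows why the search must slide over every offset rather than assume the opcode sits right after the header.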
dwarf ladies don't exist :D!
Hey, this padding is explained quickly... you can ignore it. Look at the header 08 00 00 06. This 0x18 0x00 0x00 0x00 0xED 0xFF keeps saying that: ACKNo. ED FF from client has a length (including header bytes) of 18 bytes. The parser can over-read it; it's necessary when the server has to check for correct packet length and reorder packets, if something wasn't transferred correctly.
-T-