Sunday, 30 October 2016

HowTo: Understanding a packet header

Let's take a look at some of the packets we already know and understand. First, a few basics as a reminder:
  1. each and every packet has a header and a body
  2. the header is fixed size, the body is variable in size
  3. the header is fixed in content, the body varies
For now let's focus on what we know about the header.
Bytes       Description                                                              Length
0x00-0x01   The session ID. The server and the client each have a session ID.        2
0x02-0x03   The length of the packet's body in bytes                                 2
0x04-0x07   The command (aka action aka OP code) this packet will perform            4
0x08-0x0B   The sequence number of the packet (necessary for ordering UDP packets)   4
0x0C-0x0F   The checksum of the packet's body                                        4
0x10-0x11   Packet group number (e.g. 0xffeb, confirmed in the 08004002 packet)      4
0x12-0x13   Unclear, gets increased by the server                                    4
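As an added example (not code from the LOTRO-Tools project), the header layout above as a small Python parser that splits a captured packet into header and body and rejects packets whose declared body length does not match what was actually received. Assumptions: little-endian byte order (the post does not state it), and the last two fields are read as 2 bytes each, following their byte ranges 0x10-0x11 and 0x12-0x13.

```python
import struct
from dataclasses import dataclass

# Header layout from the table above: 20 bytes in total.
# Byte order is an assumption; the post does not state it, so little-endian is used.
HEADER_FORMAT = "<HHIIIHH"
HEADER_SIZE = struct.calcsize(HEADER_FORMAT)  # 20


@dataclass
class PacketHeader:
    session_id: int   # 0x00-0x01
    body_length: int  # 0x02-0x03
    command: int      # 0x04-0x07, the action / OP code
    sequence: int     # 0x08-0x0B, for ordering UDP packets
    checksum: int     # 0x0C-0x0F, checksum of the body (algorithm not covered here)
    group: int        # 0x10-0x11, packet group number
    unknown: int      # 0x12-0x13, increased by the server


def parse_packet(data: bytes) -> tuple[PacketHeader, bytes]:
    """Split a raw packet into its fixed-size header and variable-size body.

    A truncated or malformed capture is reported via ValueError instead of
    being silently misread: the packet must hold a full header, and the
    declared body length must equal the number of bytes actually present.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError(f"packet too short for header: {len(data)} < {HEADER_SIZE}")
    header = PacketHeader(*struct.unpack(HEADER_FORMAT, data[:HEADER_SIZE]))
    body = data[HEADER_SIZE:]
    if len(body) != header.body_length:
        raise ValueError(f"declared body length {header.body_length} != actual {len(body)}")
    return header, body


def build_packet(header: PacketHeader, body: bytes) -> bytes:
    """Inverse of parse_packet; body_length is always taken from the body itself."""
    return struct.pack(HEADER_FORMAT, header.session_id, len(body), header.command,
                       header.sequence, header.checksum, header.group, header.unknown) + body


# Constructed sample packet (not a real capture): session 0x1234, command 0x00010000,
# sequence 1, placeholder checksum, group 0xffeb, and a 3-byte body.
SAMPLE = build_packet(PacketHeader(0x1234, 0, 0x00010000, 1, 0xDEADBEEF, 0xFFEB, 0),
                      b"\x01\x02\x03")

if __name__ == "__main__":
    hdr, body = parse_packet(SAMPLE)
    print(f"command={hdr.command:08x} seq={hdr.sequence} body={body.hex()}")
```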

Friday, 28 October 2016

HowTo: Capture decrypted packets

To get decrypted packets for further analysis, you can easily capture and decrypt them using the LOTRO-Tools.

First of all clone the git repository from https://gitlab.com/lotro/server.

Open the Solution "LOTRO-Tools.sln" in Monodevelop or Visual Studio.

Build the project LOTROPacketCaptureAndAutoDecryption and launch it from bin/Debug/LOTROPacketCaptureAndAutoDecryption.exe

Look into the subfolder decrypted_packets for available files. The files contain a single packet each. The filename is like the following:

  • 4 digits represent the sequential number of captured packets
  • the text "client" says it was a packet sent by the client, the text "server" indicates it was a packet from the server
  • the last 8 digits describe the action to be performed by the packet
Examples:
0000_client-00010000 is the first packet captured (the sequence starts at 0000); it was sent by the client and contains the action 00010000

0001_server-00040000 is the second packet captured; it was sent by the server and contains the action 00040000

HowTo: Use LOTRO-Tools on Linux

LOTRO-Tools was developed on Windows using winpcap. It fails on Linux because SharpPcap is erroneously looking for "libwpcap.so" (as it would look for wpcap.dll on Windows), while it should look for "libpcap.so" instead. You can work around that using

sudo ln -s /usr/lib/libpcap.so /usr/lib/libwpcap.so

HowTo: Capture the appropriate packets between the client and the server

To only capture the packets necessary for analysis of the game protocol (i.e. not the chat protocol), you can use the following pcap (e.g. Wireshark) filter:

!broadcast and !multicast and udp and !port 53 and !port 59511 and !port 161 and !port 2900 and !port 5355

HowTo: Disabling checksum checks in the LOTRO client

To test a local server that does not support checksumming, you can patch your lotroclient.exe

Go to position: 3B 4C 24 1C 75 6A 8B

Replace "75 6A" with "90 90"