Researching the MU Online protocol just for fun
Introduction
For some time I played the MMORPG MU Online, but it quickly bored me. My girlfriend is still hooked on it, so I decided to get my fun from this game another way. The exchange protocol between the game client and the server is a good area for satisfying one's research inclinations .) So, having stuffed my pockets with tools like tcpdump and ethereal, I started searching.
This page was created for educational purposes!
I do not use and do not intend to use the information obtained to hack MU Online or to interfere with gameplay.
Contacts
You can freely contact me via dikiy@scn.ru or on the RusNet IRC network (find me with the command '/nickserv info dikiy'). I speak Russian and English.
Links
The story
27 march 2006
A guy named MiKiOnE (mikione at o2.pl) found the algorithm for client-to-server communication encoding. Good work!
Hi.. I'm back :P I found the crypt algorithm:
//code
unsigned char key[] = {
    0xe7,0x6D,0x3a,0x89, 0xbc,0xb2,0x9f,0x73,
    0x23,0xa8,0xfe,0xb6, 0x49,0x5d,0x39,0x5d,
    0x8a,0xcb,0x63,0x8d, 0xea,0x7d,0x2b,0x5f,
    0xc3,0xb1,0xe9,0x83, 0x29,0x51,0xe8,0x56 };

/* crypt: encrypted message, package: decoded output, size: length of the message in bytes */
void decrypt(const unsigned char *crypt, unsigned char *package, int size)
{
    unsigned char T1;   // temp
    int a = 4;          // key index; starts at 4 and wraps at 32
    int b, i;
    for (b = 0; b <= 2; b++) package[b] = crypt[b];   // copy first 3 bytes unchanged
    for (i = 0; i + 3 < size; i++, a++) {             // bounded by the message length, so the last byte read is crypt[size-1]
        if (a == 32) a = 0;
        T1 = crypt[i + 2] ^ key[a];
        package[i + 3] = crypt[i + 3] ^ T1;
    }
}
//end code
It's very simple :P [I used SoftICE to find it]. With greetings, MiKiOnE
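The scheme MiKiOnE describes is a byte-wise XOR chain: each decoded byte is the ciphertext byte XORed with the previous ciphertext byte and with one byte of a fixed 32-byte table, cycling from index 4. The Python below is an added example (not MiKiOnE's snippet and not the page's own code) that re-implements that decode, and goes one step further than the post by deriving the matching encode so the two can be checked against each other. The key table is the one printed in the post; the sample packet is constructed, not captured. Note that the decode loop is bounded by the buffer length (the post's `i<=size` reads one byte past the end).

```python
"""XOR-chain decode/encode as described in MiKiOnE's post (added example)."""

# 32-byte key table, copied from the post.
KEY = bytes([
    0xe7, 0x6D, 0x3a, 0x89, 0xbc, 0xb2, 0x9f, 0x73,
    0x23, 0xa8, 0xfe, 0xb6, 0x49, 0x5d, 0x39, 0x5d,
    0x8a, 0xcb, 0x63, 0x8d, 0xea, 0x7d, 0x2b, 0x5f,
    0xc3, 0xb1, 0xe9, 0x83, 0x29, 0x51, 0xe8, 0x56,
])
HEADER_LEN = 3   # the first three bytes are copied through unchanged
KEY_START = 4    # the post starts its key index at 4, not 0


def decode(crypt: bytes) -> bytes:
    """plain[i] = crypt[i] ^ crypt[i-1] ^ KEY[k] for i >= 3, k cycling from KEY_START."""
    out = bytearray(crypt[:HEADER_LEN])
    k = KEY_START
    for i in range(HEADER_LEN, len(crypt)):          # bounded by the buffer, never past the end
        out.append(crypt[i] ^ crypt[i - 1] ^ KEY[k])
        k = (k + 1) % len(KEY)
    return bytes(out)


def encode(plain: bytes) -> bytes:
    """Inverse of decode, derived here: crypt[i] = plain[i] ^ crypt[i-1] ^ KEY[k].
    Each produced ciphertext byte feeds the next step, so we chain on `out`, not `plain`."""
    out = bytearray(plain[:HEADER_LEN])
    k = KEY_START
    for i in range(HEADER_LEN, len(plain)):
        out.append(plain[i] ^ out[i - 1] ^ KEY[k])
        k = (k + 1) % len(KEY)
    return bytes(out)


def round_trip_ok(plain: bytes) -> bool:
    """Decode(encode(x)) must give x back for any message at least 3 bytes long."""
    return decode(encode(plain)) == plain


# Constructed sample (not a real capture): a c1 message of length 5.
SAMPLE_PLAIN = bytes.fromhex("c105f30001")

if __name__ == "__main__":
    print("encoded:", encode(SAMPLE_PLAIN).hex())
    print("round trip ok:", round_trip_ok(SAMPLE_PLAIN))
```

Because the table is a constant shipped inside every client and the chaining only mixes in the previous ciphertext byte, this is obfuscation rather than encryption: anyone with the client binary can decode and re-encode traffic, and nothing in the scheme detects modification. From a defender's point of view that means the server must validate every decoded field itself and cannot treat "it decoded cleanly" as evidence the message came from an unmodified client.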
21 october 2004
New messages from RealKeeper. He found a new message type, c4: the next 2 bytes are the message length (like c2).
- c137 - Trader info
- c460 - Trade cancelation
18 october 2004
New messages from RealKeeper, plus some others corrected.
14 october 2004
A guy named RealKeeper (realkeep.com) sent me 2 new packets:
Thanks!
24 may 2004
Possibly, this is the last update. I'll show you the way I did this work.
I wrote a Perl program to present tcpdump -Xqt output (yes, you need Unix or Linux, or you should find Windows ports) in human-readable format. Known messages are decoded, unknown ones are shown in hex form. So we can look at the MU window and at the program output and make a decision about the meaning of unknown messages.
For example, you can run to coordinates 100,100 and cast some spell, then run to 105,105 and cast some other spell .) As far as I remember, it is the 'c11b' message; I haven't checked this.
You can get the program here: MU-dumper. Typical usage:
$ tcpdump -s 10000 -w ./mu.dump
^C
$ tcpdump -Xqt -r ./mu.dump | ./MU-dumper | less
Typical output:
serv > me
Move ID:152d @ 96,bf
We meet 1 characters
char pinoy_nga Dark Knight ID:1405 stand @ 8b,c3->88,c4 [0]
Weared: Armor:scale Helm:scale Pants:scale Gloves:scale Boots:scale LeftHand: 0b RightHand:NONE Pet:NONE Wind:no
[cpLLRRHAPGBf0080400000000800--C-H-A-R--N-A-M-E--XXYY6300]
We meet 2 monsters:
MOB Yeti ID:0517 @ 9b,c5->9b,c5 [000000|60]
MOB Yeti ID:0534 @ 9a,c7->9a,c7 [000000|70]
Guilds (01) :
guild MaRiKiNa ID:[18e7] 33133333 33133333 33133111 33333333 33333333 11133133 33333133 33333133
Char ID:[1405] binded to guild ID:[18e7]
Move ID:152d @ 96,bf
44:020a19
44:020a19
Move ID:0531 @ 94,c5
Move ID:11cd @ 96,be
me > serv ACK
serv > me
Move ID:133a @ a5,cb
2a:01f600
Damage: ID:04ec CRIT! hited on 92HP [04ec005c03]
me > serv ACK
serv > me
Move ID:133a @ a5,cb
2a:01f000
Damage: ID:04ec hited on 68HP [04ec004400]
me > serv ACK
serv > me
2a:01ef00
Death: 04ec killed by 133a
Skip C3 msg [2a653a29cf1d10ffc1e5d0]
me > serv ACK
Good luck!
23 may 2004
Since my girlfriend's account was robbed and she stopped playing, I don't care about this page any more. You can enter without a password.
18 may 2004
Sque, please contact me via e-mail or IRC, need to talk.
11 may 2004
30 apr 2004 - I wrote some PHP code for generating "message tables"
Some new messages:
26 apr 2004 - I received by e-mail some info about MU server download and setup:
-------------------------------------------
Vendor has sent you this email from http://forum.zolik.net/index.php.
here: www.rzpatches.com/Mu97Server.exe
you can read about it here: http://forum.ragezone.com/forumdisplay.php?f=82
Installation instructions here: http://members.lycos.co.uk/metasha/
Search Microsoft's site for Mysql for it: sql2ksp3.exe - 55 Mb, SQLEVAL.exe - 267 Mb
-------------------------------------------
20 apr 2004 Some interesting results; I'm not ready to describe them yet. Some notes about the message format: each message begins with c1, c2 or c3.
If a message begins with c1, the next byte is the whole message length; if it begins with c2, the next 2 bytes are the message length.
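A framer that follows these rules, together with RealKeeper's later note that c4 carries a two-byte length like c2, is the first thing a dumper needs, because several messages usually arrive in one TCP segment and a message can be cut across two. The Python below is an added example, not the page's MU-dumper. It assumes the length field counts the whole message including the header (stated for c1, taken to hold for c2/c4 too), that the two-byte length is big-endian (the page does not say), and that c3 carries a one-byte length like c1 (the page only says c3 exists; the dumper output above skips such messages). The sample stream is constructed, not captured.

```python
"""Split a MU Online byte stream into messages by header type (added example)."""
import struct
from typing import List, Tuple

ONE_BYTE_LEN = {0xC1, 0xC3}   # c3 length format is an assumption, not stated on the page
TWO_BYTE_LEN = {0xC2, 0xC4}   # c4 "like c2" per RealKeeper's note


def split_messages(stream: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Return (messages, leftover).  Each message is (type_byte, full_bytes).
    `leftover` is an incomplete trailing message to prepend to the next read."""
    msgs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(stream):
        t = stream[pos]
        if t in ONE_BYTE_LEN:
            hdr = 2
            if pos + hdr > len(stream):
                break                                  # header itself not complete yet
            length = stream[pos + 1]
        elif t in TWO_BYTE_LEN:
            hdr = 3
            if pos + hdr > len(stream):
                break
            length = struct.unpack(">H", stream[pos + 1:pos + 3])[0]   # big-endian assumed
        else:
            raise ValueError(f"unknown message type 0x{t:02x} at offset {pos}")
        if length < hdr:
            # A length smaller than its own header would make a naive parser loop
            # forever or walk backwards; treat it as a malformed stream.
            raise ValueError(f"bad length {length} for type 0x{t:02x} at offset {pos}")
        if pos + length > len(stream):
            break                                      # partial message, wait for more data
        msgs.append((t, bytes(stream[pos:pos + length])))
        pos += length
    return msgs, bytes(stream[pos:])


# Constructed sample stream: a c1, a c2 and a c4 message followed by the first
# three bytes of the next c1 message (cut by the segment boundary).
SAMPLE_STREAM = bytes.fromhex("c105d40102" "c2000637aabb" "c4000460" "c108d4")

if __name__ == "__main__":
    found, rest = split_messages(SAMPLE_STREAM)
    for kind, body in found:
        print(f"type {kind:02x} len {len(body):3d}  {body.hex()}")
    print("leftover:", rest.hex())
```

The two `ValueError`s are deliberate: a dumper that silently resynchronises on a bad length will quietly misattribute every following byte, which is exactly how a hand-written parser ends up reporting nonsense messages. Failing loudly at the offending offset is what you want during research and what a server-side parser should do too.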
13 apr 2004 - first look through the dumps; first results.
Server message with the character list on the account (for the character select menu):
value | length | description
---|---|---
List header | |
c1 xx f3 00 | 4 | "charlist" message id
char_num_total | 1 | number of characters
List item (repeated number-of-characters times) | |
num | 1 | number of character in list
name | 11 | name (padded with \x00)
level | 1 | level
00 00 00 ff ff ff ff ff 00 00 00 f8 00 | 13 | ??? weared items, research needed (value = items of new DW)
"Object stand (stop moving)" server message. I walked around and wrote down the coordinates; later I searched the dump and found the "stand here" message. After that I asked a friend of mine to walk around me and tell me his coordinates.
value | length | description
---|---|---
c108d4 | 3 | "stand here" message id
who_id | 1 | id of character (or monster?)
?? | 1 | stand type? =) '7f' - for traced session character
X | 1 | first coordinate
Y | 1 | second coordinate
arg | 1 | rotation angle? something else?
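Both tables above are fixed-layout records, so they can be turned directly into parsers. The Python below is an added example (not the page's dumper) that decodes a single already-framed charlist message and a single "stand here" message exactly as the two tables lay them out: one-byte fields, an 11-byte NUL-padded name, a 13-byte item blob kept opaque because the page has not decoded it. The sample messages are constructed for the example; the 13 item bytes are the ones quoted in the table.

```python
"""Parsers for the charlist and 'stand here' messages as tabulated above (added example)."""
from dataclasses import dataclass
from typing import List

ENTRY_LEN = 1 + 11 + 1 + 13        # num, name, level, items


@dataclass
class CharEntry:
    num: int
    name: str
    level: int
    items: bytes                   # 13 bytes, meaning not yet decoded on the page


@dataclass
class Stand:
    who_id: int
    stand_type: int
    x: int
    y: int
    arg: int


def parse_charlist(msg: bytes) -> List[CharEntry]:
    """Header c1 <len> f3 00, then char_num_total, then 26-byte entries."""
    if len(msg) < 5 or msg[0] != 0xC1 or msg[2:4] != b"\xf3\x00":
        raise ValueError("not a charlist message")
    if msg[1] != len(msg):
        raise ValueError("length field does not match message size")
    count = msg[4]
    # The count is server-supplied; check it against the real size rather than
    # trusting it, otherwise a short message yields entries built from garbage.
    if 5 + count * ENTRY_LEN != len(msg):
        raise ValueError("char_num_total does not match message size")
    entries = []
    for n in range(count):
        item = msg[5 + n * ENTRY_LEN:5 + (n + 1) * ENTRY_LEN]
        name = item[1:12].split(b"\x00", 1)[0].decode("ascii", "replace")
        entries.append(CharEntry(num=item[0], name=name, level=item[12], items=bytes(item[13:26])))
    return entries


def parse_stand(msg: bytes) -> Stand:
    """c1 08 d4 who_id ?? X Y arg: eight bytes, all single-byte fields."""
    if msg[:3] != b"\xc1\x08\xd4" or len(msg) != 8:
        raise ValueError("not a 'stand here' message")
    return Stand(who_id=msg[3], stand_type=msg[4], x=msg[5], y=msg[6], arg=msg[7])


# Constructed samples (not captures).  One character, "Tester", level 12.
ITEMS_FROM_TABLE = bytes.fromhex("000000ffffffffff000000f800")
SAMPLE_CHARLIST = (bytes.fromhex("c11ff30001")            # header, total length 0x1f = 31
                   + b"\x00" + b"Tester".ljust(11, b"\x00") + b"\x0c" + ITEMS_FROM_TABLE)
SAMPLE_STAND = bytes.fromhex("c108d4057f96bf00")         # who 5, '7f', X 0x96, Y 0xbf

if __name__ == "__main__":
    for e in parse_charlist(SAMPLE_CHARLIST):
        print(f"#{e.num} {e.name!r} level {e.level} items {e.items.hex()}")
    s = parse_stand(SAMPLE_STAND)
    print(f"id {s.who_id:02x} stands at {s.x:02x},{s.y:02x} type {s.stand_type:02x}")
```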
12 apr 2004 - Work is going on. I took some initial network flow dumps. Specially crafted dumps were generated in a few simple steps:
- run MU.EXE; wait 30 seconds
- click on connect; wait 30 seconds
- click on server cluster name; wait 30 seconds
- click on server; wait 30 seconds
- send account name & password; wait 30 seconds
- click on character and 'ok' button; wait 30 seconds
- leave the game