Making Online Game Plug-ins (2)

zhaozj 2021-02-16

Three: How do we analyze the intercepted packets? First save the packets WPE intercepted as text files and open them. You will see data like the following (the example here is the data the client sends when we PK the waiter, Xiao Er, in Jin Yong Qun Xia Zhuan Online; the same NPC was fought twice and each session was saved to its own file):

First file:
Send-> 0000 E6 56 0D 22 7E 6B E4 17 13 13 12 13 12 13 67 1B
Send-> 0010 17 12 DD 34 12 12 12 12 17 12 0E 12 12 12 9B
Send-> 0000 E6 56 1E F1 29 06 17 12 3B 0E 17 1A
Send-> 0000 E6 56 1B C0 68 12 12 12 5A
Send-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12
Send-> 0000 E6 56 17 C9 12

Second file:
Send-> 0000 83 33 68 47 1B 0E 81 72 76 76 77 76 77 76 02 7E
Send-> 0010 72 77 07 1C 77 77 77 77 72 77 72 77 77 77 6D
Send-> 0000 83 33 7B 94 4C 63 72 77 5E 6B 72 F3
Send-> 0000 83 33 7E A5 21 77 77 77 3F
Send-> 0000 83 33 67 AD 76 CF 1B 0E 81 72 75 50 42 76 77 77
Send-> 0000 83 33 72 AC 77

Both files record a PK against Xiao Er, and the packets have the same shape (same number of sends, same lengths), yet the bytes are completely different. We fought the same NPC, so why do they differ? Because the packets of Jin Yong Qun Xia Zhuan are encrypted before they go out on the network. So the problem we face is turning this ciphertext back into plaintext. The simple packet encryption most games use is an XOR (exclusive or), so let's first explain what XOR is. Put simply, for each pair of bits, "same gives 0, different gives 1". Example: 0001 XOR 0010 = 0011, worked bit by bit from the highest bit: bit 4 is 0 in 0001 and 0 in 0010, the same, so bit 4 of the result is 0; bit 3 is 0 and 0, result 0; bit 2 is 0 in 0001 and 1 in 0010, different, so the result is 1; bit 1 is 1 in 0001 and 0 in 0010, different, result 1; put together, 0011.
XOR will come up constantly from here on, so get comfortable with it before going further. One property we rely on: XORing with the same value twice gives the original back, so the byte that encrypted a packet is also the byte that decrypts it.

Now back to the two files. Common sense says a packet is not all meaningful data: game developers reserve some byte space for future expansion, so a packet will contain a number of "00" bytes. Look at the files again: the first is full of "12" bytes and the second is full of "77". Could those be our "00"s? Let's try it. XOR every byte of the first file with "12" and every byte of the second file with "77". Doing this by hand is tedious, so we use the "M2M 1.0 Encrypted Packet Analysis Tool", which is more convenient. The results:

First file:
1 Send-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09
  Send-> 0010 05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 89
2 Send-> 0000 F4 44 0C E3 3B 14 05 00 29 1C 05 08
3 Send-> 0000 F4 44 09 D2 7A 00 00 00 48
4 Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00
5 Send-> 0000 F4 44 05 DB 00

Second file:
1 Send-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09
  Send-> 0010 05 00 70 6B 00 00 00 00 05 00 05 00 00 00 1A
2 Send-> 0000 F4 44 0C E3 3B 14 05 00 29 1C 05 84
3 Send-> 0000 F4 44 09 D2 56 00 00 00 48
4 Send-> 0000 F4 44 10 DA 01 B8 6C 79 F6 05 02 27 35 01 00 00
5 Send-> 0000 F4 44 05 DB 00

The two files now agree at the start of every packet, which tells us our reasoning was right: this is the plaintext we need! (Note that the same action needed two different keys, "12" and "77", so the key changes from session to session and has to be recovered from each capture rather than hard-coded.) Next we need to work out what the key bytes mean, and that takes a large amount of captured data. First, every packet begins with "F4 44", and the third byte changes, but very regularly. Compare it with the length of each packet. Did you spot it? Yes, the third byte is the length of the packet! By capturing a large number of packets we determined that the fourth byte is the command, that is, what operation the client is telling the server to perform.
For example, the command that asks the server to start a battle is "30", and the command for movement during a battle is "DA". Next we analyze the first packet above, "F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09 05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 89". What information does it contain? It must at least tell the server which NPC you are attacking, so let's find the code of the waiter in it.
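The key recovery and decryption just described, as an added example in Python (this is not code from the article, and it is not the M2M tool the article mentions). It ranks ciphertext bytes by frequency, exactly the "lots of 12 / lots of 77" observation, and then accepts a candidate key only if every decrypted send satisfies the framing rule found above (third byte equals the send's length), which a wrong key cannot satisfy. The two captures are the article's dumps re-entered as byte strings, one entry per Send-> record; the assumption that WPE's per-send records are the packet boundaries is taken from the article.

```python
from collections import Counter

# Ciphertext of the two WPE captures of the same action (PK the waiter Xiao Er),
# one Send-> record per entry, copied from the dumps in this article.
CAPTURE_1 = [bytes.fromhex(h) for h in (
    "E6 56 0D 22 7E 6B E4 17 13 13 12 13 12 13 67 1B "
    "17 12 DD 34 12 12 12 12 17 12 0E 12 12 12 9B",
    "E6 56 1E F1 29 06 17 12 3B 0E 17 1A",
    "E6 56 1B C0 68 12 12 12 5A",
    "E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12",
    "E6 56 17 C9 12",
)]
CAPTURE_2 = [bytes.fromhex(h) for h in (
    "83 33 68 47 1B 0E 81 72 76 76 77 76 77 76 02 7E "
    "72 77 07 1C 77 77 77 77 72 77 72 77 77 77 6D",
    "83 33 7B 94 4C 63 72 77 5E 6B 72 F3",
    "83 33 7E A5 21 77 77 77 3F",
    "83 33 67 AD 76 CF 1B 0E 81 72 75 50 42 76 77 77",
    "83 33 72 AC 77",
)]


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse: the same key encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def length_field_ok(capture, key: int) -> bool:
    """Framing check from the article: after decryption the third byte of every
    send must equal that send's length. A wrong key breaks this somewhere."""
    return all(len(pkt) >= 3 and xor_decrypt(pkt, key)[2] == len(pkt)
               for pkt in capture)


def recover_key(capture, top: int = 4) -> int:
    """Rank ciphertext bytes by frequency (the key maps the plaintext's 00
    padding onto itself, so the key is usually the most common byte), then
    return the first candidate that also passes the framing check."""
    counts = Counter(b for pkt in capture for b in pkt)
    for key, _ in counts.most_common(top):
        if length_field_ok(capture, key):
            return key
    raise ValueError("no single-byte XOR key passes the framing check")


def decrypt_capture(capture):
    """Recover the key for this session and decrypt every send with it."""
    key = recover_key(capture)
    return [xor_decrypt(pkt, key) for pkt in capture]


def same_session_structure(plain_a, plain_b) -> bool:
    """Two captures of the same action should agree on header, length and
    command of every send, even though their ciphertexts looked unrelated."""
    return len(plain_a) == len(plain_b) and all(
        a[:4] == b[:4] for a, b in zip(plain_a, plain_b))


if __name__ == "__main__":
    for name, cap in (("first file", CAPTURE_1), ("second file", CAPTURE_2)):
        print(f"{name}: key {recover_key(cap):02X}")
        for pkt in decrypt_capture(cap):
            print("  ", pkt.hex(" ").upper())
```

The frequency guess alone is not proof: a key could collide with some other common byte, or a short capture may have too little padding to dominate the histogram. That is why the candidate is confirmed against a structural property of the plaintext (here the length field); once more of the format is known, the fixed "F4 44" header is a second, independent check.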

We PK a different NPC, a little minion (Xiao Lou Luo, the one outside the Dali inn), and capture:

Send-> 0000 F4 44 1F 30 D4 75 F6 05 01 01 00 01 00 01 75 09
Send-> 0010 05 00 8A 19 00 00 00 00 11 00 02 00 00 00 C0

Reasoning from common sense: although the kinds of NPC in a game will never exceed 65535 (FFFF), developers do not restrict the field to a single word, because that would hinder later expansion, so we look for a double word. Comparing the waiter's packet with the minion's, the candidates are "6C 79 F6 05" and "CF 26 00 00", the double words that differ between the two. (Comparing is easy, but don't be hasty about which one to pick.) Look at the later packets: a later packet should also carry the NPC's code, for example a move packet, because while a battle is running the server must know the NPC's coordinates in order to broadcast the movement to the other players watching the fight. In the fourth packet, "Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00", we see "6C 79 F6 05" again, so that is the waiter's code! (This kind of analysis is a lot of work; capture data with WPE and compare patiently.) We stop analyzing the first packet here (it holds more information, but we don't need to understand all of it). Now take the fourth packet, "Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00", and capture the same packet while fighting the yellow dog (two dogs come out), then look at the format:

Send-> 0000 F4 44 1A DA 02 0B 4B 7D F6 05 02 27 35 01 00 00
Send-> 0010 EB 03 F8 05 02 27 36 01 00 00

By the analysis above, the yellow dog's code is "4B 7D F6 05" (100040011, reading the double word little-endian). But how does the server tell the two dogs apart? Look at "EB 03 F8 05" (100140011): it is the previous code plus 100,000, which is how the server distinguishes two yellow dogs. We then checked this against packets captured while fighting monsters out in the wild, and it held up.
So the format of this packet is now fairly clear: the third byte is the packet length, "DA" is the command, the fifth byte is the number of NPCs, and starting from the seventh byte each NPC is described by 10 bytes; more NPCs, another 10 bytes each. If you play Wang Jin (网金, the short name players use for the game) you know that reinforcements sometimes arrive at random during a battle; this is how the game adds NPCs to a fight in progress. Capturing during a battle with a reinforcement, we find the server sends a packet like this: F4 44 12 E9 EB 03 F8 05 02 00 00 00 00 00 00 00, where bytes 5 to 8 are the NPC's code (shown here with the yellow dog's code for simplicity).
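A parser for the plaintext framing worked out above, as an added example (not code from the article). The layout it implements is the article's: "F4 44" header, length in byte 3, command in byte 4, the target NPC code right after the command in a "30" packet, and for a "DA" packet an NPC count in byte 5 followed (from byte 7) by one 10-byte record per NPC whose first four bytes are the NPC code as a little-endian double word. The function names are mine, byte 6 of the move packet is carried along as unknown because the article does not interpret it, and the sample packets are the article's plaintext dumps re-entered as byte strings.

```python
import struct
from typing import List, Tuple

HEADER = b"\xF4\x44"       # every client packet starts with these two bytes
OP_REQUEST_BATTLE = 0x30   # command: ask the server to start a fight
OP_MOVE = 0xDA             # command: movement during a battle
NPC_RECORD_LEN = 10        # 4-byte NPC code + 6 further bytes per NPC

# Plaintext packets from the article (waiter, minion, and the two yellow dogs).
XIAOER_REQUEST = bytes.fromhex(
    "F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09 "
    "05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 89")
LUOLUO_REQUEST = bytes.fromhex(
    "F4 44 1F 30 D4 75 F6 05 01 01 00 01 00 01 75 09 "
    "05 00 8A 19 00 00 00 00 11 00 02 00 00 00 C0")
XIAOER_MOVE = bytes.fromhex("F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00")
TWO_DOGS_MOVE = bytes.fromhex(
    "F4 44 1A DA 02 0B 4B 7D F6 05 02 27 35 01 00 00 "
    "EB 03 F8 05 02 27 36 01 00 00")


def npc_id(code: bytes) -> int:
    """NPC codes are 32-bit little-endian integers: 4B 7D F6 05 -> 100040011."""
    if len(code) != 4:
        raise ValueError("NPC code must be 4 bytes")
    return struct.unpack("<I", code)[0]


def parse_frame(plain: bytes) -> Tuple[int, bytes]:
    """Validate header and length field; return (command, body after command)."""
    if len(plain) < 4 or plain[:2] != HEADER:
        raise ValueError("missing F4 44 header")
    if plain[2] != len(plain):
        raise ValueError(f"length field {plain[2]} != actual length {len(plain)}")
    return plain[3], plain[4:]


def battle_target(plain: bytes) -> int:
    """Request-battle packet: the target NPC's code follows the command byte."""
    opcode, body = parse_frame(plain)
    if opcode != OP_REQUEST_BATTLE:
        raise ValueError(f"not a request-battle packet: {opcode:02X}")
    return npc_id(body[:4])


def parse_move(plain: bytes) -> List[Tuple[int, bytes]]:
    """Move packet: byte 5 = NPC count, byte 6 = unknown (not interpreted by the
    article), then count x 10-byte records. Returns [(npc_code, extra 6 bytes)]
    and rejects a packet whose record list does not match the count."""
    opcode, body = parse_frame(plain)
    if opcode != OP_MOVE:
        raise ValueError(f"not a move packet: {opcode:02X}")
    count, _unknown, records = body[0], body[1], body[2:]
    if len(records) != count * NPC_RECORD_LEN:
        raise ValueError(f"expected {count} NPC records, got {len(records)} bytes")
    return [(npc_id(records[i:i + 4]), records[i + 4:i + NPC_RECORD_LEN])
            for i in range(0, len(records), NPC_RECORD_LEN)]


if __name__ == "__main__":
    print("waiter code:", battle_target(XIAOER_REQUEST))
    print("minion code:", battle_target(LUOLUO_REQUEST))
    for code, extra in parse_move(TWO_DOGS_MOVE):
        print(f"yellow dog {code}  extra bytes {extra.hex(' ').upper()}")
```

Validating the length field and the record count before trusting a packet is the difference between a parser that survives an unexpected server packet and one that silently reads garbage; when you later write the plug-in that builds its own packets, the same checks applied to your output catch malformed frames before they reach the server.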

Please credit the original when reposting: https://www.9cbs.com/read-13665.html
