TransWikia.com

Understanding packet byte structures with OllyDbg

Reverse Engineering Asked by majidarif on December 8, 2020

I have written a small DLL that detours the function that decrypts and encrypts game packets, allowing me to see the packets being sent and received.

Packets like login are easy to structure because they usually only contain a username and password. Character selection is also somewhat easy, and some in-game packets like movement are easy to understand because they just contain some x, y data.

But the problem is that there are a few other packets that are more than 1000 bytes long, and there is really no way of knowing what each byte means, like, let us say, the packet received as soon as you enter the world. A few parts of the packet show characterId, name, some stats and inventory data, but there are some parts that are just 00 00 00 00 and I don't know what to make of them, or even how many bytes they actually are.

So when hooking the client with Olly, I try to step through when receiving packets to find where it actually structures the bytes, but to no avail.

Question: Is there a better way to find how many bytes are structured in the packet?

Example:

Login Packet
char 16
char 16

It doesn't really matter what it is for, as long as I know how many bytes it should be.

Cheers,

Edit:

Saw this tutorial, but in IDA… will try it later and give feedback here.

2 Answers

You may try setting a memory breakpoint on access (read/write) on this data and see how the program parses these bytes. (Set the breakpoint in the dump window, press F9, wait until the program stops, then analyze the program behavior -> F8 F8 F8 F8 F8 ...) I recommend using OllyDbg 2.01 - this version has color highlighting for breaks in the dump window. Sorry for my bad English.

Answered by DOD on December 8, 2020

Keep in mind that the buffer after the recv call might contain several packets (or just part of one packet). PS: most games have a similar packet structure, like: [packet id][len][crc][..data..] So, after receiving the first packet, you are able to split all raw data in the future into separate packets.

To my mind your 1000+ byte packet might be a list of mobs/items on the map, their movement, etc.

Answered by helloworld on December 8, 2020
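The framing point from the answer above, carried into code as an added example (not code from the post, the game, or either answerer): a re-framer for the [packet id][len][crc][..data..] layout that handles several packets in one recv() buffer and a packet cut across two buffers, plus a helper that locates the runs of 00 bytes the asker mentions so their width can be measured. The header widths (u16 id, u16 length, u32 CRC-32, little-endian) and the sample packets are assumptions, since the post does not give them.

```python
import struct
import zlib

# Assumed header layout (the answer names the fields, not their widths): u16 id, u16 data length, u32 CRC-32 of data, little-endian.
HEADER = struct.Struct("<HHI")

def build_packet(pkt_id, data):
    """Construct one frame in the assumed layout; used here only to make test input."""
    return HEADER.pack(pkt_id, len(data), zlib.crc32(data)) + data

class FrameSplitter:
    """Re-frames a raw recv() byte stream into whole packets (several per buffer, or one cut across buffers)."""
    def __init__(self):
        self.buf = b""  # carry-over for a packet whose tail has not arrived yet

    def feed(self, chunk):
        """Append one recv() result and return [(packet_id, data, crc_ok), ...] for every frame now complete."""
        self.buf += chunk
        frames = []
        while len(self.buf) >= HEADER.size:
            pkt_id, length, crc = HEADER.unpack_from(self.buf)
            end = HEADER.size + length
            if len(self.buf) < end:
                break  # only part of this packet has arrived; wait for the next recv()
            data = self.buf[HEADER.size:end]
            frames.append((pkt_id, data, zlib.crc32(data) == crc))
            self.buf = self.buf[end:]
        return frames

def zero_runs(data, min_len=4):
    """Locate the '00 00 00 00' regions as (offset, length): candidate fixed-width fields to measure."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x01"):  # sentinel closes a trailing run
        if b == 0 and start is None:
            start = i
        elif b != 0 and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs

# Constructed sample stream: three packets, with the second one cut across two recv() chunks.
PKT_A = build_packet(0x0101, b"\x2a\x00\x00\x00" + b"Hero\x00" + b"\x00" * 6)
PKT_B = build_packet(0x0202, b"\x10\x00\x20\x00")
PKT_C = build_packet(0x0303, b"\x00" * 8 + b"\x05")
STREAM = PKT_A + PKT_B + PKT_C
RECV_CHUNKS = [STREAM[:len(PKT_A) + 3], STREAM[len(PKT_A) + 3:]]

def reassemble(chunks):
    splitter = FrameSplitter()
    return [frame for chunk in chunks for frame in splitter.feed(chunk)]
```

Pointing zero_runs at the data of each reassembled frame gives the offset and width of every zeroed region, which is the measurement the question asks for.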
