
Posted

VersionPacket with a parameter of -3, if I remember right, will send a response containing all of that information. Though it can be easily blocked/tampered with in the case of private servers running an extender :)

Posted
On 11/6/2018 at 12:51 AM, pada said:

VersionPacket with a parameter of -3, if I remember right, will send a response containing all of that information. Though it can be easily blocked/tampered with in the case of private servers running an extender :)

Could you elaborate further?
Are you talking about "0E SendProtocolVersion"?

Posted

Yes, 0x0E with a version of -3 will respond with a packet containing a bunch of info: logged-in users, shops, server binary build dates, uptime, petition info, etc. There's also a version you can send to crash the server with a special key if it's enabled in l2server.ini :D

Posted (edited)
2 hours ago, pada said:

Yes, 0x0E with a version of -3 will respond with a packet containing a bunch of info: logged-in users, shops, server binary build dates, uptime, petition info, etc. There's also a version you can send to crash the server with a special key if it's enabled in l2server.ini :D

Very interesting. Do you have to be previously logged in and use the Blowfish key and all that stuff?
Or can you just send it publicly as-is?

 

Do you send it to the auth server at 2606 or to the game server at 7777?


I did some research and this is what I understand:

 

After being authenticated with the login server and getting a successful "PlayOk" connection packet from a "RequestServerLogin", the first thing the client does is to send the "ProtocolVersion" packet to the game server.

 

So... Is there a way to do it without authenticating to be able to craft this packet with the "-3" protocol version value?

 

After a second round of research... I can see the "ProtocolVersion" packet doesn't have any auth at all; it's just the very first packet before actually attempting to authenticate with the game server with the info obtained from the login server.

 

How would you exactly send this crafted packet with the custom protocol version?

I have tried with someone else without luck.

Edited by Rayduxz
Posted

You can just send a raw TCP packet to the L2Server with that opcode/-3, that's all. Some private servers block the packet, but any retail NCSoft server will respond.

Posted
3 hours ago, pada said:

You can just send a raw TCP packet to the L2Server with that opcode/-3, that's all. Some private servers block the packet, but any retail NCSoft server will respond.

Tried with "0E FF FF FF FD" to "64.25.37.140" (Chronos) at port "7777".
I get an answer with nothing.

Posted

It should be something like 07 00 0E FF FF FF FD for the raw bytes sent, as you have to send the packet size as well, before the opcode.

Posted (edited)
3 hours ago, pada said:

It should be something like 07 00 0E FF FF FF FD for the raw bytes sent, as you have to send the packet size as well, before the opcode.

 

What I send.
 

2091	6.246859	10.0.1.115	64.25.37.140	TCP	61	61705 → 7777 [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=7

0000   a0 3d 6f 10 4f b4 60 45 cb a4 f3 08 08 00 45 00
0010   00 2f 71 c2 40 00 80 06 00 00 0a 00 01 73 40 19
0020   25 8c f1 09 1e 61 f0 7d 78 6a 3e cc b0 9b 50 18
0030   fa f0 71 39 00 00 07 00 0e ff ff ff fd


What I get.

 

2100	6.430947	64.25.37.140	10.0.1.115	TCP	60	7777 → 61705 [RST, ACK] Seq=1 Ack=8 Win=0 Len=0

0000   60 45 cb a4 f3 08 a0 3d 6f 10 4f b4 08 00 45 00
0010   00 28 11 5d 40 00 73 06 85 5b 40 19 25 8c 0a 00
0020   01 73 1e 61 f1 09 3e cc b0 9b f0 7d 78 71 50 14
0030   00 00 d6 f6 00 00 00 00 00 00 00 00

 

So... Yeah. Not sure what I'm doing wrong.

 

So I apparently forgot this is a RAW socket, hold on.

Edited by Rayduxz
Posted (edited)

So... Someone else tried with a RAW socket in PHP and...

 

Message sent:

 

07 00 0E FD FF FF FF


Answer received:
 

90 00 2e 01 00 00 00 4f 08 00 00 4f 08 00 00 42 08 00 00 08 01 00 00 30 00 2c 00 38 00 31 00 39 00 31 00 2c 00 32 00 35 00 34 00 37 00 37 00 38 00 2c 00 31 00 36 00 37 00 33 00 00 00 ed d5 00 00 08 e5 00 00 eb e8 00 00 00 00 00 00 02 00 00 00 4f 00 63 00 74 00 20 00 32 00 32 00 20 00 32 00 30 00 31 00 38 00 00 00 31 00 35 00 3a 00 31 00 39 00 3a 00 35 00 32 00 00 00 98 00 00 00 a6 23 f4 fe 00 00 00 00 00 00 00 00 00 00 00 00 00


HEX to ASCII:
 

.OOB0,8191,254778,1673íÕåëèOct 22 201815:19:52¦#ôþ

 

So far we have:
 

  • Bytes 7~9 are max players
  • Bytes 15~17 are current players
  • Bytes 19~21 are player shops

 

Does anyone in here have the packet structure to decode this response?

Edited by Rayduxz
Posted (edited)

cdddddSdddddSSddddd is the response format; it should be opcode, unk, maxplayers, currentplayers, playing, privatestores, iobuffersize+uptime, currentnpccount, currentworldobjectcount, lastworldobjectcount, unk, unk, builddate, buildtime, protocolversion, inspectorcrc, unk, unk, unk

Edited by pada
  • Thanks 1
Posted
8 minutes ago, pada said:

cdddddSdddddSSddddd is the response format


Thank you a lot! But even with this we don't know what all this data is about, only a few of the fields, as stated above.

 

Do you also happen to know them all?
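Added example, not from any poster in this thread: a Python decoder for the response bytes Rayduxz posted, using the cdddddSdddddSSddddd layout pada gave (c = one-byte opcode, d = little-endian int32, S = null-terminated UTF-16LE string; those encodings are assumptions inferred from the hex dump, which they match). It also shows the encoding of the request so the two byte orders that appear in the thread (FF FF FF FD versus FD FF FF FF) can be compared: -3 as a little-endian int32 is FD FF FF FF, which is the order the successful PHP attempt used. The field names are pada's; the meaning of the unk fields and of the comma-separated "iobuffersize+uptime" string is not known from the thread, so the code carries them through undecoded. The response hex below is copied from the post above; the one leftover byte after the last field is reported rather than silently dropped. For a server operator the value of such a decoder is seeing exactly which counters and build details the unauthenticated pre-login packet exposes.

```python
import struct

# Response hex copied from Rayduxz's post above (144 bytes, length prefix 0x0090).
RESPONSE_HEX = """
90 00 2e 01 00 00 00 4f 08 00 00 4f 08 00 00 42 08 00 00 08 01 00 00
30 00 2c 00 38 00 31 00 39 00 31 00 2c 00 32 00 35 00 34 00 37 00 37 00
38 00 2c 00 31 00 36 00 37 00 33 00 00 00 ed d5 00 00 08 e5 00 00 eb e8
00 00 00 00 00 00 02 00 00 00 4f 00 63 00 74 00 20 00 32 00 32 00 20 00
32 00 30 00 31 00 38 00 00 00 31 00 35 00 3a 00 31 00 39 00 3a 00 35 00
32 00 00 00 98 00 00 00 a6 23 f4 fe 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Layout and names from pada's post. Assumed encodings:
#   c = 1-byte opcode, d = int32 little-endian, S = null-terminated UTF-16LE.
FORMAT = "cdddddSdddddSSddddd"
FIELD_NAMES = [
    "opcode", "unk1", "maxplayers", "currentplayers", "playing", "privatestores",
    "iobuffersize_uptime", "currentnpccount", "currentworldobjectcount",
    "lastworldobjectcount", "unk2", "unk3", "builddate", "buildtime",
    "protocolversion", "inspectorcrc", "unk4", "unk5", "unk6",
]


def build_version_request(version: int) -> bytes:
    """Encode a ProtocolVersion (0x0E) packet: <u16 length><u8 opcode><i32 version>.

    The length prefix counts itself, so the packet is always 7 bytes. Assumed
    from the thread's "07 00 0E ..." examples; the version is little-endian.
    """
    return struct.pack("<HBi", 7, 0x0E, version)


def read_utf16_string(buf: bytes, offset: int) -> tuple[str, int]:
    """Read a null-terminated UTF-16LE string; return (text, offset after the terminator)."""
    end = offset
    while end + 1 < len(buf):
        if buf[end] == 0 and buf[end + 1] == 0:
            return buf[offset:end].decode("utf-16-le"), end + 2
        end += 2
    raise ValueError("unterminated UTF-16 string at offset %d" % offset)


def parse_status_response(raw: bytes) -> dict:
    """Decode one complete response packet (including its 2-byte length prefix)."""
    if len(raw) < 2:
        raise ValueError("packet too short for a length prefix")
    (length,) = struct.unpack_from("<H", raw, 0)
    if length != len(raw):
        raise ValueError("length prefix %d does not match %d bytes" % (length, len(raw)))
    body = raw[2:]
    fields = {}
    pos = 0
    for code, name in zip(FORMAT, FIELD_NAMES):
        if code == "c":
            fields[name] = body[pos]
            pos += 1
        elif code == "d":
            if pos + 4 > len(body):
                raise ValueError("truncated int32 field %s" % name)
            (fields[name],) = struct.unpack_from("<i", body, pos)
            pos += 4
        elif code == "S":
            fields[name], pos = read_utf16_string(body, pos)
    # Whatever the format string does not account for is kept visible.
    fields["_trailing_bytes"] = body[pos:].hex()
    return fields


def decode_posted_response() -> dict:
    """Decode the response captured in the thread."""
    return parse_status_response(bytes.fromhex("".join(RESPONSE_HEX.split())))


if __name__ == "__main__":
    print("request for version -3:", build_version_request(-3).hex(" "))
    for name, value in decode_posted_response().items():
        print("%-26s %r" % (name, value))
```

Running it shows maxplayers and currentplayers both at 2127, playing at 2114, privatestores at 264 (the 0x108 Rayduxz identified as player shops), build date "Oct 22 2018" at "15:19:52", protocol version 152, and a single unexplained trailing zero byte.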
