Sukinae Posted November 5, 2018
As the title says: how do you externally, without privileges, get the player count of an L2OFF private server and also of the official servers? Example at this website: http://l2.laby.fr/status/
pada Posted November 6, 2018
VersionPacket with a parameter of -3, if I remember right, will send a response containing all of that information. Though it can be easily blocked/tampered with in the case of private servers running an extender :)
Sukinae (Author) Posted November 7, 2018
On 11/6/2018 at 12:51 AM, pada said:
VersionPacket with a parameter of -3, if I remember right, will send a response containing all of that information. Though it can be easily blocked/tampered with in the case of private servers running an extender :)
Could you elaborate further? Are you talking about "0E SendProtocolVersion"?
pada Posted November 7, 2018
Yes, 0x0E, with a version of -3 will respond with a packet of a bunch of info: logged-in users, shops, server binary build dates, uptime, petition info, etc. There's also a version you can send to crash the server with a special key if it's enabled in l2server.ini :D
Sukinae (Author) Posted November 7, 2018
2 hours ago, pada said:
Yes, 0x0E, with a version of -3 will respond with a packet of a bunch of info: logged-in users, shops, server binary build dates, uptime, petition info, etc. There's also a version you can send to crash the server with a special key if it's enabled in l2server.ini :D
Very interesting. Do you have to be previously logged in and use the Blowfish key and all that stuff? Or can you just send it publicly as is? Do you send it to the auth server at 2606 or to the game server at 7777?
I did some research and this is what I understand: after being authenticated with the login server and getting a successful "PlayOk" connection packet from a "RequestServerLogin", the first thing the client does is send the "ProtocolVersion" packet to the game server. So... is there a way to do it without authenticating, to be able to craft this packet with the "-3" protocol version value?
After a second round of research... I can see the "ProtocolVersion" packet doesn't have any auth at all; it's just the very first packet before actually attempting to authenticate with the game server using the info obtained from the login server. How exactly would you send this crafted packet with the custom protocol version? I have tried with someone else without luck.
Edited November 7, 2018 by Rayduxz
pada Posted November 8, 2018
You can just send a raw TCP packet to the L2Server with that opcode/-3, that's all. Some private servers block the packet, but any retail NCSoft server will respond.
Sukinae (Author) Posted November 8, 2018
3 hours ago, pada said:
You can just send a raw TCP packet to the L2Server with that opcode/-3, that's all. Some private servers block the packet, but any retail NCSoft server will respond.
Tried with "0E FF FF FF FD" to "64.25.37.140" (Chronos) at port "7777". I get an answer with nothing.
pada Posted November 8, 2018
It should be something like 07 00 0E FF FF FF FD for the raw bytes sent, as you have to send the packet size as well, before the opcode.
Sukinae (Author) Posted November 8, 2018
3 hours ago, pada said:
It should be something like 07 00 0E FF FF FF FD for the raw bytes sent, as you have to send the packet size as well, before the opcode.
What I send:
2091 6.246859 10.0.1.115 64.25.37.140 TCP 61 61705 → 7777 [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=7
0000 a0 3d 6f 10 4f b4 60 45 cb a4 f3 08 08 00 45 00
0010 00 2f 71 c2 40 00 80 06 00 00 0a 00 01 73 40 19
0020 25 8c f1 09 1e 61 f0 7d 78 6a 3e cc b0 9b 50 18
0030 fa f0 71 39 00 00 07 00 0e ff ff ff fd
What I get:
2100 6.430947 64.25.37.140 10.0.1.115 TCP 60 7777 → 61705 [RST, ACK] Seq=1 Ack=8 Win=0 Len=0
0000 60 45 cb a4 f3 08 a0 3d 6f 10 4f b4 08 00 45 00
0010 00 28 11 5d 40 00 73 06 85 5b 40 19 25 8c 0a 00
0020 01 73 1e 61 f1 09 3e cc b0 9b f0 7d 78 71 50 14
0030 00 00 d6 f6 00 00 00 00 00 00 00 00
So... yeah. Not sure what I'm doing wrong.
So I apparently forgot this is a RAW socket, hold on.
Edited November 8, 2018 by Rayduxz
Sukinae (Author) Posted November 8, 2018
So... someone else tried with a RAW socket in PHP and...
Message sent:
07 00 0E FD FF FF FF
Answer received:
90 00 2e 01 00 00 00 4f 08 00 00 4f 08 00 00 42 08 00 00 08 01 00 00
30 00 2c 00 38 00 31 00 39 00 31 00 2c 00 32 00 35 00 34 00 37 00 37 00 38 00 2c 00 31 00 36 00 37 00 33 00 00 00
ed d5 00 00 08 e5 00 00 eb e8 00 00 00 00 00 00 02 00 00 00
4f 00 63 00 74 00 20 00 32 00 32 00 20 00 32 00 30 00 31 00 38 00 00 00
31 00 35 00 3a 00 31 00 39 00 3a 00 35 00 32 00 00 00
98 00 00 00 a6 23 f4 fe 00 00 00 00 00 00 00 00 00 00 00 00 00
HEX to ASCII: .OOB0,8191,254778,1673íÕåëèOct 22 201815:19:52¦#ôþ
So far we have:
Bytes 7~9 are max players
Bytes 15~17 are current players
Bytes 19~21 are player shops
Does anyone in here have the packet structure to decode this response?
Edited November 8, 2018 by Rayduxz
pada Posted November 8, 2018
cdddddSdddddSSddddd is the response format. It should be: opcode, unk, maxplayers, currentplayers, playing, privatestores, iobuffersize+uptime, currentnpccount, currentworldobjectcount, lastworldobjectcount, unk, unk, builddate, buildtime, protocolversion, inspectorcrc, unk, unk, unk
Edited November 8, 2018 by pada
pada Posted November 8, 2018
In the KR Fafurion client, the S related to uptime is changed to d.
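The request bytes and the response layout from the posts above, as an added example (not code from the thread or from any L2 project): it packs the 0x0E/-3 query the way the working attempt did (2-byte little-endian length header, then opcode, then the version as a little-endian int32, so -3 becomes FD FF FF FF) and decodes the captured response field by field using pada's cdddddSdddddSSddddd layout (c = byte, d = int32 LE, S = null-terminated UTF-16LE string). Field names are pada's; `trailing_bytes` is my own addition, and for the KR Fafurion variant you would pass a fmt with the uptime S changed to d.

```python
import struct

# Field layout and names quoted from pada's post above: c = 1-byte opcode,
# d = int32 little-endian, S = null-terminated UTF-16LE string.
FORMAT = "cdddddSdddddSSddddd"
FIELDS = [
    "opcode", "unk1", "maxplayers", "currentplayers", "playing", "privatestores",
    "iobuffersize_uptime", "currentnpccount", "currentworldobjectcount",
    "lastworldobjectcount", "unk2", "unk3", "builddate", "buildtime",
    "protocolversion", "inspectorcrc", "unk4", "unk5", "unk6",
]

# The response posted in the thread (hex copied from Sukinae's post).
SAMPLE_RESPONSE = bytes.fromhex(
    "90002e01000000 4f080000 4f080000 42080000 08010000"
    "3000 2c00 3800 3100 3900 3100 2c00 3200 3500 3400 3700 3700 3800 2c00"
    "3100 3600 3700 3300 0000"
    "edd50000 08e50000 ebe80000 00000000 02000000"
    "4f00 6300 7400 2000 3200 3200 2000 3200 3000 3100 3800 0000"
    "3100 3500 3a00 3100 3900 3a00 3500 3200 0000"
    "98000000 a623f4fe 00000000 00000000 00000000 00"
)


def build_protocol_version_request(version: int = -3) -> bytes:
    """Length-prefixed ProtocolVersion (0x0E) packet; -3 packs as FD FF FF FF."""
    body = struct.pack("<Bi", 0x0E, version)
    return struct.pack("<H", len(body) + 2) + body


def parse_status_response(data: bytes, fmt: str = FORMAT) -> dict:
    """Decode one packet (length header included) according to fmt."""
    (declared,) = struct.unpack_from("<H", data, 0)
    if declared != len(data):
        raise ValueError(f"length header says {declared}, got {len(data)} bytes")
    out, pos = {}, 2
    for name, kind in zip(FIELDS, fmt):
        if kind == "c":
            out[name], pos = data[pos], pos + 1
        elif kind == "d":
            out[name], pos = struct.unpack_from("<i", data, pos)[0], pos + 4
        elif kind == "S":
            end = pos  # scan in 2-byte units so a 00 high byte is not taken as the terminator
            while data[end:end + 2] != b"\x00\x00":
                end += 2
                if end + 2 > len(data):
                    raise ValueError(f"unterminated string in field {name}")
            out[name] = data[pos:end].decode("utf-16-le")
            pos = end + 2
    out["trailing_bytes"] = len(data) - pos  # the posted sample carries one extra 00 byte
    return out
```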
Sukinae (Author) Posted November 8, 2018
8 minutes ago, pada said:
cdddddSdddddSSddddd is the response format
Thank you a lot! But even with this we don't know what all this data is about, only a few fields as stated above. Do you also happen to know them all?
Sukinae (Author) Posted November 8, 2018
4 minutes ago, pada said:
see the edit, all I have reversed so far
Very much appreciated, my friend.