Sukinae, posted November 5, 2018:
As the title says, how do you externally, without privileges, get the player count of a L2OFF private server and also the official servers? Example at this website: http://l2.laby.fr/status/
pada, posted November 6, 2018:
VersionPacket with a parameter of -3, if I remember right, will send a response containing all of that information. Though it can be easily blocked/tampered with in the case of private servers running an extender :)
Sukinae (author), posted November 7, 2018:
On 11/6/2018 at 12:51 AM, pada said: "VersionPacket with a parameter of -3, if I remember right, will send a response containing all of that information. Though it can be easily blocked/tampered with in the case of private servers running an extender :)"
Could you elaborate further? Are you talking about "0E SendProtocolVersion"?
pada, posted November 7, 2018:
Yes, 0x0E, with a version of -3 will respond with a packet of a bunch of info: logged-in users, shops, server binary build dates, uptime, petition info, etc. There's also a version you can send to crash the server with a special key if it's enabled in l2server.ini :D
Sukinae (author), posted November 7, 2018 (edited):
2 hours ago, pada said: "Yes, 0x0E, with a version of -3 will respond with a packet of a bunch of info: logged-in users, shops, server binary build dates, uptime, petition info, etc. There's also a version you can send to crash the server with a special key if it's enabled in l2server.ini :D"
Very interesting. Do you have to be previously logged in and use the Blowfish key and all that stuff? Or can you just send it publicly? Do you send it to the auth server at 2606 or to the game server at 7777?
I did some research and this is what I understand: after being authenticated with the login server and getting a successful "PlayOk" connection packet from a "RequestServerLogin", the first thing the client does is to send the "ProtocolVersion" packet to the game server. So... is there a way to do it without authenticating, to be able to craft this packet with the "-3" protocol version value?
After a second round of research... I can see the "ProtocolVersion" packet doesn't have any auth at all; it's just the very first packet before actually attempting to authenticate with the game server with the info obtained from the login server. How exactly would you send this crafted packet with the custom protocol version? I have tried with someone else without luck.
Edited November 7, 2018 by Rayduxz
pada, posted November 8, 2018:
You can just send a raw TCP packet to the L2Server with that opcode/-3, that's all. Some private servers block the packet, but any retail NCsoft server will respond.
Sukinae (author), posted November 8, 2018:
3 hours ago, pada said: "You can just send a raw TCP packet to the L2Server with that opcode/-3, that's all. Some private servers block the packet, but any retail NCsoft server will respond."
Tried with "0E FF FF FF FD" to "64.25.37.140" (Chronos) at port "7777". I get an answer with nothing.
pada, posted November 8, 2018:
It should be something like 07 00 0E FF FF FF FD for the raw bytes sent, as you have to send the packet size as well, before the opcode.
Sukinae (author), posted November 8, 2018 (edited):
3 hours ago, pada said: "It should be something like 07 00 0E FF FF FF FD for the raw bytes sent, as you have to send the packet size as well, before the opcode."
What I send:
2091 6.246859 10.0.1.115 64.25.37.140 TCP 61 61705 → 7777 [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=7
0000 a0 3d 6f 10 4f b4 60 45 cb a4 f3 08 08 00 45 00
0010 00 2f 71 c2 40 00 80 06 00 00 0a 00 01 73 40 19
0020 25 8c f1 09 1e 61 f0 7d 78 6a 3e cc b0 9b 50 18
0030 fa f0 71 39 00 00 07 00 0e ff ff ff fd
What I get:
2100 6.430947 64.25.37.140 10.0.1.115 TCP 60 7777 → 61705 [RST, ACK] Seq=1 Ack=8 Win=0 Len=0
0000 60 45 cb a4 f3 08 a0 3d 6f 10 4f b4 08 00 45 00
0010 00 28 11 5d 40 00 73 06 85 5b 40 19 25 8c 0a 00
0020 01 73 1e 61 f1 09 3e cc b0 9b f0 7d 78 71 50 14
0030 00 00 d6 f6 00 00 00 00 00 00 00 00
So... yeah. Not sure what I'm doing wrong. So I apparently forgot this is a RAW socket, hold on.
Edited November 8, 2018 by Rayduxz
Sukinae (author), posted November 8, 2018 (edited):
So... someone else tried with a RAW socket in PHP and...
Message sent: 07 00 0E FD FF FF FF
Answer received: 90 00 2e 01 00 00 00 4f 08 00 00 4f 08 00 00 42 08 00 00 08 01 00 00 30 00 2c 00 38 00 31 00 39 00 31 00 2c 00 32 00 35 00 34 00 37 00 37 00 38 00 2c 00 31 00 36 00 37 00 33 00 00 00 ed d5 00 00 08 e5 00 00 eb e8 00 00 00 00 00 00 02 00 00 00 4f 00 63 00 74 00 20 00 32 00 32 00 20 00 32 00 30 00 31 00 38 00 00 00 31 00 35 00 3a 00 31 00 39 00 3a 00 35 00 32 00 00 00 98 00 00 00 a6 23 f4 fe 00 00 00 00 00 00 00 00 00 00 00 00 00
HEX to ASCII: .OOB0,8191,254778,1673íÕåëèOct 22 201815:19:52¦#ôþ
So far we have:
Bytes 7~9 is max players
Bytes 15~17 is current players
Bytes 19~21 is player shops
Does anyone here have the packet structure to decode this response?
Edited November 8, 2018 by Rayduxz
pada Posted November 8, 2018 Share Posted November 8, 2018 (edited) cdddddSdddddSSddddd is the response format, it should be opcode, unk, maxplayers, currentplayers, playing, privatestores, iobuffersize+uptime, currentnpccount, currentworldobjectcount, lastworldobjectcount, unk, unk ,builddate, buildtime, protocolversion, inspectorcrc, unk, unk, unk Edited November 8, 2018 by pada 1 Link to comment Share on other sites More sharing options...
pada Posted November 8, 2018 Share Posted November 8, 2018 in the KR fafurion client, the S related to uptime is changed to d Link to comment Share on other sites More sharing options...
Sukinae (author), posted November 8, 2018:
8 minutes ago, pada said: "cdddddSdddddSSddddd is the response format"
Thank you a lot! But even with this we don't know what all this data is about, only a few fields as stated above. Do you also happen to know them all?
pada Posted November 8, 2018 Share Posted November 8, 2018 see the edit, all i have reversed so far Link to comment Share on other sites More sharing options...
Sukinae (author), posted November 8, 2018:
4 minutes ago, pada said: "See the edit, all I have reversed so far."
Very much appreciated my friend.