Reversing Spellborn
Started by Saltiel



249 posts in this topic
Polymo
Someone who thinks he can code
328 posts 39 threads Joined: Sep 2014
15-09-2014, 12:55 PM -
#41
I was able to reproduce what you found out about the packets, I'm excited :-)

For the --world cmdArg, I saw that it makes the client send the C2L_UNIVERSE_SELECTED immediately with the id you append to the cmdArg instead of the C2L_QUERY_UNIVERSE first.

Can you share what you send in S2C_WORLD_LOGIN? Or better, a little insight into how you trace a packet through IDA and Olly (it would help immensely)?

I'm having a very hard time finding things through IDA (sometimes I think I found something, but I don't really know how to relate everything to each other).

This post was last modified: 15-09-2014, 07:49 PM by Polymo.
Getty_
Junior Member
21 posts 1 threads Joined: Sep 2014
15-09-2014, 06:26 PM -
#42
Pretty awesome that more people are getting into this. Hope we will soon see some kind of files, even if they won't get us too far into the game.

Good luck and keep having fun with the cracking.

Looking forward to the updates :)

This post was last modified: 15-09-2014, 10:16 PM by Getty_.

Polymo
Someone who thinks he can code
328 posts 39 threads Joined: Sep 2014
16-09-2014, 11:02 AM -
#43
As I don't seem to be able to get any further than what you documented (the world_login packet looks sooo huge), I took the time to note down some more IDs:

C2S_WORLD_LOGIN_ACK = 4,
C2S_WORLD_LOGOUT = 5,
S2C_WORLD_LOGOUT_ACK = 6,
C2S_TRAVEL_WORLD = 7,
S2C_TRAVEL_WORLD_ACK = 8,
S2C_FORCED_LOGOUT = 9,
S2C_USER_ON_LOGIN = 10,
S2C_USER_ON_LOGOUT = 11,
S2C_USER_LEVELUP = 12,
S2C_USER_SET_CLASS = 13,
//nothing 14-16
S2C_PLAYER_ADD = 17,
S2C_NPC_ADD = 18,
S2C_PET_ADD = 19,
//nothing 20
S2C_LEVELOBJECT_REMOVE = 21,
S2C_GAME_ACTOR_ADD = 22,
S2C_INTERACTIVELEVELELEMENT_ADD = 23,
S2C_GAME_ACTOR_MOVE = 24,
S2C_GAME_INFO_ADD = 25,
S2C_GAME_INFO_REMOVE = 26,
S2C_CS_LOGIN = 27,
C2S_CS_CREATE_CHARACTER = 28,
S2C_CS_CREATE_CHARACTER_ACK = 29,
C2S_CS_DELETE_CHARACTER = 30,
S2C_CS_DELETE_CHARACTER_ACK = 31,
C2S_CS_SELECT_CHARACTER = 32,
S2C_CS_SELECT_CHARACTER_ACK = 33,
S2C_BASE_PAWN_REMOVE = 34,
S2R_PLAYERPAWN_MOVE = 35,
S2R_GAME_PLAYERPAWN_UPDATEROTATION = 36
This post was last modified: 16-09-2014, 11:43 AM by Polymo.
Saltiel
Retired dev
122 posts 3 threads Joined: Sep 2014
16-09-2014, 11:42 AM -
#44
Great! Sorry not to give a full answer, but I don't have a lot of time currently. I have finished decrypting the C2S_CS_CREATE_CHARACTER packet and have to update the doc, which will try to answer your questions. I have to find the time to do this ^^

Polymo
Someone who thinks he can code
328 posts 39 threads Joined: Sep 2014
16-09-2014, 02:02 PM -
#45
Whatever I send after the C2S_WORLD_PRE_LOGIN_ACK, the game just waits (maybe for another connected packet). Only after I send another random packet does it complain that the first message is faulty (sometimes overflow, sometimes underflow).

Am I on the right track?

Saltiel
Retired dev
122 posts 3 threads Joined: Sep 2014
17-09-2014, 08:41 AM -
#46
Quick answer again, sorry; I will try to explain as much as possible before updating the doc:

So after the prelogin, the client wants an S2C_CS_LOGIN packet; if you send two dwords with 0 you will get the character creation screen.

About the packet tracing:

With IDA I do static analysis: open SBPacket.dll in IDA, go to Exports, ALT+T and search for PACKET_NAME (S2C_CS_LOGIN for instance). You will find all the methods related to it (CTRL+T => next find). Look for the ReadMessage method and explore it. What does it read? It will tell you the layout of the packet (but not the meaning of each field).

For simple packets, reading the ReadMessage method can be enough, but for bigger ones it can be hard to understand what the data means without context.

In Sb_client.exe, SBGame.dll and SBBase.dll there are a lot of "callbacks" like onLogin etc. attached to character classes etc. In "Imports" this time, search for your packet name, then go to the .rdata section where it is imported (declared). Check the XREFs (cross references) to see where it is called in the code: voilà, this is your context.

In general, d_mmos.dll includes Sb_client.exe functions. So basically in Sb_client.exe you have plenty of functions actually calling the callback after a message has been received. In the doc I will try to make a picture of all this stuff.

Then to perform dynamic analysis, I use OllyDbg. Breaking on the ReadMessage function is a good start because by looking at the call stack you can see who called this method (context!). Then I comment the assembly when I see something interesting, to understand how the data is handled. If you do not find the ReadMessage function you want (because OllyDbg does not display all the exported names for one function, and as said in the doc, sometimes the same code is used for reading different packets): use CFF Explorer. Load SBPacket.dll, find the function you want in the export table, and look at the RVA field. Then in OllyDbg, CTRL+F, check the RVA radio button, select the SBPacket DLL, and copy/paste the RVA found in CFF Explorer: voilà!

I recommend using a modified version of OllyDbg, like the one available on Legend of R4ndom (but I don't know why syntax highlighting does not work for me...).

I recommend using this process for simple packets at first, because beginning directly with the character stuff can be scary! As you gain understanding of the global process, you will find what you need more quickly. It's really "learn by doing", and it's very exciting! So to begin I would recommend not reading my documentation, because what is cool with TCoS is that the learning curve for reversing it is linear-like (it's easy at the beginning, and then the character stuff is a bit harder).

I just want to remind you that I am not a professional reverser; it's my first time doing it, so there is a big chance that there are other, more powerful techniques than what I do!

Sorry for this short answer; I hope it can help. I have a lot of work these days, so in my "Spellborn time" I focus more on reversing than on publishing docs/communicating, as the reversing is the critical part. ;) I should have time before the end of the week to update the doc, I hope.

P.S.: thanks for the world trick, it saves me a lot of clicking time!

This post was last modified: 17-09-2014, 08:51 AM by Saltiel.
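The export-table step Saltiel does by hand in CFF Explorer (find the ReadMessage export for a packet name, read its RVA, jump to that RVA in OllyDbg) can be scripted, and scripting it also surfaces the aliasing he mentions: when several exported names resolve to the same RVA, the debugger shows only one of them. What follows is an added example written for this thread, not code from the posts or from Spellborn. It is a pure-Python parser for the PE export directory that lists every exported name containing a packet name with its RVA, then groups names that share one RVA. Because SBPacket.dll itself is not on this page, the script also builds a tiny constructed PE32 image for the offline demo; the export names in it (MSVC-mangled style) and their RVAs are made up and are not the real DLL's exports. Run it on a real binary as `python find_exports.py SBPacket.dll S2C_CS_LOGIN`.

```python
import struct
import sys


def _sections(data, e_lfanew):
    """Return (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    tbl = e_lfanew + 24 + opt_size                      # section table follows the optional header
    out = []
    for i in range(nsec):
        vsize, va, raw_size, raw_off = struct.unpack_from("<IIII", data, tbl + 40 * i + 8)
        out.append((va, vsize, raw_off, raw_size))
    return out


def _rva_to_off(sections, rva):
    """Translate an RVA into a file offset using the section table."""
    for va, vsize, raw_off, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_off
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def parse_exports(data):
    """Map each exported name to its RVA. Forwarded exports are skipped (no code behind them)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)          # data directories: PE32 vs PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)   # entry 0 = export directory
    if exp_rva == 0:
        return {}
    secs = _sections(data, e_lfanew)
    off = _rva_to_off(secs, exp_rva)
    (_chars, _ts, _maj, _min, _name, _base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, off)
    funcs_off = _rva_to_off(secs, funcs_rva)
    names_off = _rva_to_off(secs, names_rva)
    ords_off = _rva_to_off(secs, ords_rva)
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, ords_off + 2 * i)[0]
        if ordinal >= n_funcs:
            continue                                    # corrupt entry, ignore it
        func_rva = struct.unpack_from("<I", data, funcs_off + 4 * ordinal)[0]
        if exp_rva <= func_rva < exp_rva + exp_size:
            continue                                    # points into the export dir: forwarder string
        name_off = _rva_to_off(secs, name_rva)
        name = data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace")
        exports[name] = func_rva
    return exports


def find_packet_exports(data, packet_name):
    """Exports whose (possibly mangled) name contains packet_name, e.g. S2C_CS_LOGIN."""
    return {n: rva for n, rva in parse_exports(data).items() if packet_name in n}


def aliases_by_rva(exports):
    """RVAs carrying more than one exported name: one function reading several packets."""
    by_rva = {}
    for name, rva in exports.items():
        by_rva.setdefault(rva, []).append(name)
    return {rva: sorted(ns) for rva, ns in by_rva.items() if len(ns) > 1}


# Constructed sample for the offline demo: names and RVAs are made up, not SBPacket.dll's.
SAMPLE_EXPORTS = {
    "?ReadMessage@S2C_CS_LOGIN@@QAEXXZ": 0x2010,
    "?WriteMessage@S2C_CS_LOGIN@@QAEXXZ": 0x2080,
    "?ReadMessage@C2S_WORLD_LOGIN_ACK@@QAEXXZ": 0x2010,   # same code as the S2C_CS_LOGIN reader
    "?ReadMessage@S2C_USER_ON_LOGIN@@QAEXXZ": 0x2140,
}


def build_sample_dll(exports):
    """Build a minimal PE32 image with one section that holds only an export directory."""
    sec_va, sec_off = 0x1000, 0x200
    names = sorted(exports)                              # the name table must be sorted
    n = len(names)
    func_tbl, name_tbl = 40, 40 + 4 * n
    ord_tbl, str_off = name_tbl + 4 * n, name_tbl + 6 * n
    strings = bytearray(b"sample.dll\0")
    name_rvas = []
    for nm in names:
        name_rvas.append(sec_va + str_off + len(strings))
        strings += nm.encode() + b"\0"
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_va + str_off, 1, n, n,
                                 sec_va + func_tbl, sec_va + name_tbl, sec_va + ord_tbl))
    body += b"".join(struct.pack("<I", exports[nm]) for nm in names)   # AddressOfFunctions
    body += b"".join(struct.pack("<I", r) for r in name_rvas)          # AddressOfNames
    body += b"".join(struct.pack("<H", i) for i in range(n))           # AddressOfNameOrdinals
    body += strings
    exp_size = len(body)
    body += b"\0" * (-len(body) % 0x200)
    hdr = bytearray(sec_off)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # COFF: i386, 1 section, DLL
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)              # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)  # section / file alignment
    struct.pack_into("<I", hdr, opt + 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96, sec_va, exp_size)  # export data directory
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".edata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), sec_va, len(body), sec_off)
    struct.pack_into("<I", hdr, sec + 36, 0x40000040)    # initialized data, readable
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        blob, packet = open(sys.argv[1], "rb").read(), sys.argv[2]
    else:
        blob, packet = build_sample_dll(SAMPLE_EXPORTS), "S2C_CS_LOGIN"
    for name, rva in sorted(find_packet_exports(blob, packet).items()):
        print("RVA 0x%08x  %s" % (rva, name))
    for rva, names in sorted(aliases_by_rva(parse_exports(blob)).items()):
        print("RVA 0x%08x is shared by: %s" % (rva, ", ".join(names)))
```

The RVA printed is the value to paste into OllyDbg's CTRL+F dialog with the RVA radio button checked and the SBPacket module selected; the "shared by" lines tell you which other packet names will hit the same breakpoint, which matters when deciding whose call stack you are looking at.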
Polymo
Someone who thinks he can code
328 posts 39 threads Joined: Sep 2014
17-09-2014, 11:54 AM -
#47
Thank you so much for that explanation, and I can now see the character creation myself too, for the first time ever. So beautiful..

[Image: sbcs.jpg, character creation screenshot]

This post was last modified: 17-09-2014, 04:43 PM by Polymo.
Getty_
Junior Member
21 posts 1 threads Joined: Sep 2014
17-09-2014, 12:42 PM -
#48
Quote:
    Thank you so much for that explanation, and I can now see the character creation myself for the first time ever. So beautiful..
    [Image: sbcs.jpg]

Daaamn. How awesome is that!

So what's next? I remember some kind of tutorial level. Is the data from it, like the quests, stored in the map, and all you have to do is just load it, or do you need to emulate it?

Keep up the good work!

This post was last modified: 17-09-2014, 12:43 PM by Getty_.

Polymo
Someone who thinks he can code
328 posts 39 threads Joined: Sep 2014
17-09-2014, 02:37 PM -
#49
Thanks to Saltiel's work. I just used his information.

And because of his last post, I think I have an idea where to search next.

This post was last modified: 17-09-2014, 02:37 PM by Polymo.
Slink
TCOS Rebirth Dev
24 posts 0 threads Joined: May 2013
18-09-2014, 12:30 AM -
#50
I think the maps will be stored on the client, the NPCs presumably placed with S2C_NPC_ADD etc.

Seeing character select for the first time in years was a sight for sore eyes :) The C2S_CS_CREATE_CHARACTER packet looks pretty straightforward; I'll try and document all the possible values once I get a free evening!


