Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/539 Thanks!

[00:00:09] OK, welcome, everybody. Um, the next talk will be How Hackers Grind an MMORPG by Taking It Apart, an introduction to reverse engineering network protocols. So, and now I would like you to give a very warm and welcoming applause to our very nice speaker, I think.

[00:00:39] Oh, thank you. I'm here to talk about how to grind an MMORPG. If you don't know what an RPG is, I will get into that shortly. But just for reference, who does not know what an RPG is? Never heard of it. Wow, amazing. OK, well, then I'll get this show on the road. I'm Rink Springer, I'm a software engineer, and if you want to know something else, I have a web page, fisheye in, which I encourage you to visit. So what am I going to talk about? I will first give a short introduction about the game.
[00:01:15] I decided to look into Runes of Magic. Who has heard of this game, huh? Oh, that's a lot more people than I expected, to be honest. I heard it's quite popular in Germany, but now you never know. So I'm going to briefly touch it, and mainly to tell you why it's interesting to look at a game like this. I will also tell you my motivation, and then we will get right into the technical stuff. And I'm going to show, to tell you how I captured traffic. And I started poking at it, looking at it, analyzing it. I've written tools to help me. And I've also talked to a lawyer because, well, it's a strange world these days. So I wanted to be sure I was safe. And after that, there's time for some Q&A. So, but first, I want to thank some people. The first person is someone who has a blog about Runes of Magic research. As far as I know, he never released something, but when I was really like, I'm stuck.
[00:02:16] I asked him. He had a really good, helpful reply. So I was like, oh, thank you. To everybody expects, it's very nice to me, and I will cover it, so don't worry. But I'm happy it exists. The reason I'm giving this talk is because in the previous year there was a talk about cyber necromancy, about reverse engineering dead protocols, and I was like, wow, that's interesting. If people are interested in that sort of stuff, maybe, maybe I should contribute to this as well, because it is about protocols. And in this case, the server is still alive. But on the other hand, this game is really not trivial. So, well, as I said, I talked to a lawyer, a Dutch lawyer who's a really friendly guy, and I can highly recommend his blog. In fact, he will be writing something about my questions and about his view on the matter on his blog. So if you can read Dutch, Google his name and you will find it. And of course, nothing is complete without IDA and OllyDbg.
[00:03:17] If you haven't heard of these tools, I'm not sure what you're doing here, because they're really good and you should check them out. So, but first, what is an MMORPG? Oh, it's an abbreviation and you can read it, but it basically means it's an online game, and the online game means you have a character, and it's usually something of a fantasy theme, an elf, a wizard, or what not. And the idea of these games is they are subscription based or free to play. So in the first case you pay every month a certain amount, and in the other, in free to play, you can play it for free, but there are micro transactions to, yeah, to ensure that developers can eat. The goal of the game is to create a virtual character like Fits Alfredsson or whatever, and you improve it, and you improve it by gaining levels, by finding items, if you will, by completing quests, because a quest gives you a level, typically.
[00:04:15] And then the main reason to play this game is because you want to get stronger. You want to do more content, you want, yeah, you want to do stuff. You want to show the world your virtual person is interesting, and the game is socially involved, a team player involved; you can't generally do stuff by yourself. You need others, you need friends. And the level of friendship you need is an entirely different matter, but you can't do it alone. And secondly, these games are designed to suck up time. They are designed to get you coming back. They really want you to get in the world. They want you to keep playing, and you can do it by playing, but you can also do it with different means, which I will show you now. So what does the game look like? The game I'm covering looks like this, if you've never played it before. It's old by now, but who knows, it's free to play.
[00:05:13] So you can just go download it, install it. You can do whatever you want with it. Wow. That's what I did anyway. It has a Taiwanese developer and a German publisher, and you really see it back in the way the game is created, because the term grinding means you repeat some activity over and over again. And that's exactly what they do. I've heard Taiwanese developers, Asians, really, really love this stuff, and this game does it quite well. So what does this game consist of? Really, really quick now, in one line, if you will. You are fully human after all. You have a lot of classes. The interesting part about this game is you can play a wizard warrior. And that unique combination gives you several skills. And I find it interesting, and it is one of the things that drew me to this game. You can do
[00:06:08] crafting. An instance is like a team level, if you will, that you can join up together and destroy monsters and whatnot to get the items you need to possess. And you can do really interesting things with the items here. You can customize them in any way you want. Well, there's a pet system. You can have a pet. You have, you have, you have, and you can do all sort of things. And all this stuff is encoded in a protocol. And I was wondering, how the hell does it work? So to give you an idea of what this is, it's not important. The idea is the item to the left is what you find, and the item to the right is what you can create of it. So what this means is the left one, you're lucky if you find it, let's put it first, but you can't use it. It does nothing. It's useless, and the item to the right, you can enhance it and you can... And it is useful to identify what you would use if you play this game like I have, a year and a half ago or something.
[00:07:04] So what I did, I intended to do this. I was curious. I mean, this was the first time I ever touched, spoiler alert, it's going to be the last, because these things really took up time. But I was wondering, how does it work? What does make it tick? And I was like, it's my PC. You give me an executable and fifteen gigs of data. What does it do on my PC? What does it send out? What I wanted to know, does it send something of my configuration? I was like, this is interesting to figure out. And of course the time is now, because while the game is active now, you can capture whatever traffic you want. You can, yeah, you can basically, you can just do whatever you want. And if they decide to, yeah, to take the service offline, it's much, much harder. So I was like, I'm going to do it now. And to be honest, also, I got bored of playing the game. So I was like, what the hell, let's just, let's just take it apart.
[00:08:00] So the first step you need to do is you need to capture packets. I was like, how am I going to do this without the game knowing that I'm doing it? I know some games essentially contain things like, who gets to scan your memory first? Can you deal Alpha? Do whatever. They want to figure out that you're playing the game as intended. And I was like, I don't know how good those developers are. I don't know what they're sending. So I was like, you know what? I'm just going to take another computer, and I'm just going to capture on it. So you have tcpdump. I'm sure everyone knows it. And there's also a nice tool called tcpflow. And what it does is you can just insert your dump file into tcpflow and you get a text file with the TCP data. That's really useful, because I don't like reading TCP packets myself. So what you do is, it looks like this.
[00:08:56] You can just tell it to dump everything from a certain network into a file. And it's really useful to filter on a network, because you don't want these DNS requests and similar from your own systems to be blocked. You just want to dump everything that goes to the network of the publisher. And the nice part is you can use whois to find out what the range is. So you really know quite fast what's interesting and what is not. And then you run tcpflow on what you captured. You just say, OK, let's look at the file, and you have something like the stuff below. So what it does is it has a source IP, destination, and two ports, and it just shows, OK, this is the data, offset, and what I found. It's really simple. Well, if we look at the one where I'm logging into the game, you get something like this. And if you look at it, you're like, that's a lot of data. But the important thing you start to note, I started to notice, is there's a lot of zeros in there.
[00:09:54] I mean, it's odd. And I logged in with four A's as username, four B's as password. And what I noticed was that there are still zeros in there. I'm pretty sure they have crafted a really interesting, super high tech encryption algorithm, and I'm going to find it out. Right, because that's what we do. And the other part of it, I noticed this, the first four bytes of every packet are the length of that piece, because if you just look at it, the first, it's 16 for 16 bytes. And by the one on the bottom, there are 14, and the data is 14 bytes. And it also gives another clue, because it's little endian. And then you can immediately tell, because everyone recognizes little endian. Right. So if we continue with this, and we just strip out this side because we don't care anymore about what you see, this is what I get when I log in with four A's and four B's. Now, it doesn't look very interesting. So I decided I'm going to look for the four B's.
[00:11:01] Now, what you see is the underlined numbers are the numbers that have changed, when, as you can see, the packet lengths, which I assume to be the first four bytes, but just by making educated guesses, because that's what you do in stuff like this, and what you see is they don't change. So I guess it's pretty likely. OK, well, all the other packets' numbers are sort of changing, and yeah, I'm not sure, but I can make an educated guess, because the data of the... you can see that it's four times or five a, and if you look at the previous slides at the second packet, the ten first, first four times twenty one. So that's likely the username. Well, and I tested this fairly, because I was like, OK, now I'm going to do six A's, and indeed you see six, and it's actually padded with zeros, because they love me. They want me to do this stuff. So if you continue with this, you see this can't be hard.
[00:12:02] But instead of looking at the actual encryption, data mangling, however you want to call it, what I did was I was just making a guess. The password is always at offsets 50 and 60, and a password, you see, it is not random at all, because if you just look at the difference between each, both of them, I was like, hmm, it only skips one or two, or seven. It's not random at all. So I'm making a guess here. I was like, I know, MD5 is sixteen bytes, but if I write MD5 as hex digits, I know it's 32, but, right, so let's try. So I tried it, and if you calculate the MD5 hash of it, you will get 74 blah blah blah. And if you try this to the password, the 7 and the 4, the difference between them is 3, and F7, 4, the difference between them is 3. Hmm. That can't be a coincidence. Right.
[00:13:01] Well, if you continue this guessing game, you will do the fourth, the fourth digit is a 7. After that there's a 3, and if you look you will see that the password repeats F7 4 over there, and you will see that then contains 3 7. So the next two parts are indeed F 7. So I was like, I'm pretty sure they use MD5, because, well, the difference, we don't know how it's encoded, but what we do know is we understand that the difference between the bytes, if you will, is the same, it's exactly the same, which usually means they use super high level cryptography. So of course, who doesn't? And what I decided was, I was first, I was just writing down, right, because you just assume that F7 Afri goes to fast, and the MD5 stuff is just, yeah, we've just basically guessed that it's used. But the next part was, how do you get from F7 to 4 3 7?
[00:14:10] And if you just write down bits, because that's what I do when I'm, but I'm in and I don't know from what, what I started noticing is that only the top bits were different. And then I was like, I don't have the crypto skills to deal with this, but I remembered for the zero to zero lines. And how do you do it? So simple. You just plus a letter, you plus a number, you sort of get no more, and you end up with zero, because and so and it's zero. And if you just apply this knowledge, because the first packet I got, I assumed as a key, I didn't know anything about it, but it changed, and I just assumed the very first part as a key. And I plug it in as a 20. You see at the top, if I insert a 20, I take F7 plus 20, or 20, I end up exactly with what I expected. So this packet improves.
[00:15:00] It might go a bit quicker, but the slides are in the system, so you can look it up if you want the detail, and I want to get this boring stuff out of the way. But the interesting part of this is you can do this by hand, just by thinking about the data. What do you see? You see a lot of data that is not random at all. So I was like, hmm, that's interesting. So then you continue. You have an idea how the cryptography works. You have an idea how the rest of the game continues. So what you do is you start dumping a lot of stuff and you start looking at it. Right. And the things I saw was, if you look at the last four numbers here, you see it just continues. So you get zero, one, two, all the time, two. It just goes on and on, so it's a sequence number, because you need to anticipate something important, and the number before it, it just goes from zero all the way to nine, F, and then it sets again to zero, one, et cetera. And I was like, hmm, maybe that's the key, if you think, because I know the key is Denverites.
[00:16:03] And indeed, it turned out the number just says first, the key you need to use is if it's, if you obtain the key yourself. And that's basically all to it. But there are two numbers. I was like, what? What do I do? They looked random to me. Real numbers, if they don't differ by one every packet, because it isn't random. And what I noticed was I didn't know anything at all. So I fired it up and I set a few breakpoints, and after a bit of coffee and a bit of patience, they're checksums, and they have separate header and data checksums in this game. Hmm, that's interesting. I finally, this value after a number, which you will see it's always two, is just a flag. If it's two, it means that it's encrypted, if it's three, it's a key, simple as that. But then I noticed some packets I could not understand, and they never have any payload. What I show you, what you see, so I was like, hmm, that's boring.
497 00:17:06,359 --> 00:17:08,759 If I get them, the client tries to answer 498 00:17:08,760 --> 00:17:11,098 them, and the flag 499 00:17:11,099 --> 00:17:12,389 on them was different. 500 00:17:12,390 --> 00:17:14,729 And then I know this 501 00:17:14,730 --> 00:17:16,318 is likely a keep-alive. 502 00:17:16,319 --> 00:17:18,598 So thinking about what I saw: 503 00:17:18,599 --> 00:17:20,879 you see sequence numbers, you see keep- 504 00:17:20,880 --> 00:17:23,009 alive packets. It 505 00:17:23,010 --> 00:17:25,348 is likely they decided that UDP 506 00:17:25,349 --> 00:17:27,269 is the protocol of the future, and then 507 00:17:27,270 --> 00:17:29,759 they decided that UDP is actually 508 00:17:29,760 --> 00:17:31,889 pretty hard to use correctly, 509 00:17:31,890 --> 00:17:34,409 because things like reassembly 510 00:17:34,410 --> 00:17:36,209 of lost data are really useful. 511 00:17:36,210 --> 00:17:38,339 So my guess is they tried 512 00:17:38,340 --> 00:17:40,680 to invent their own TCP/IP layer 513 00:17:41,870 --> 00:17:43,769 and they got the same problems as we got 514 00:17:43,770 --> 00:17:46,139 in the 1980s. So they decided 515 00:17:46,140 --> 00:17:48,329 just to push it over TCP 516 00:17:48,330 --> 00:17:50,579 MediaMath, but then again, 517 00:17:50,580 --> 00:17:51,580 I will never know. 518 00:17:52,710 --> 00:17:54,899 So, from 519 00:17:54,900 --> 00:17:56,939 now on, I'm going to ignore that Boeing 520 00:17:56,940 --> 00:17:59,039 had a we had to langtang the 521 00:17:59,040 --> 00:18:01,259 keys and flag. I'm also going 522 00:18:01,260 --> 00:18:03,929 to ignore the complete encryption stuff 523 00:18:03,930 --> 00:18:06,149 because I don't 524 00:18:06,150 --> 00:18:07,589 care anymore. I figured it out. 525 00:18:07,590 --> 00:18:08,489 It works. 526 00:18:08,490 --> 00:18:10,449 And I'm going to continue to unpack the 527 00:18:10,450 --> 00:18:11,369 data itself.
528 00:18:11,370 --> 00:18:13,529 Now, what I noticed: if I walk 529 00:18:13,530 --> 00:18:15,599 in this game, what you notice is 530 00:18:15,600 --> 00:18:17,219 that I get a lot of packets from the 531 00:18:17,220 --> 00:18:19,409 client to the server, which must mean the 532 00:18:19,410 --> 00:18:20,999 client is trying to tell the server we 533 00:18:21,000 --> 00:18:23,189 are moving in a direction, blah, we 534 00:18:23,190 --> 00:18:25,679 are at this coordinate, or something 535 00:18:25,680 --> 00:18:27,509 along those lines. I don't know what it 536 00:18:27,510 --> 00:18:28,949 does, but I'm guessing, I'm making 537 00:18:28,950 --> 00:18:30,479 educated guesses. Right. 538 00:18:30,480 --> 00:18:32,789 And it's served quite well up to now. 539 00:18:32,790 --> 00:18:34,889 So I'm just going to continue. 540 00:18:34,890 --> 00:18:37,049 What I noticed was, if you do this, 541 00:18:37,050 --> 00:18:39,419 then those numbers didn't make any sense 542 00:18:39,420 --> 00:18:40,859 at all. And I know the game is little 543 00:18:40,860 --> 00:18:42,569 endian because the lengths are little 544 00:18:42,570 --> 00:18:44,639 endian. So what I did was I 545 00:18:44,640 --> 00:18:46,799 just tried, I plugged them in as a floating 546 00:18:46,800 --> 00:18:48,539 point number and suddenly they made 547 00:18:48,540 --> 00:18:50,849 sense. They are not 548 00:18:50,850 --> 00:18:53,039 random floating point numbers, because the 549 00:18:53,040 --> 00:18:54,719 beauty of floating point numbers is if 550 00:18:54,720 --> 00:18:57,359 you take complete, complete 551 00:18:57,360 --> 00:18:59,579 nonsense and you try to make it a float, 552 00:18:59,580 --> 00:19:01,919 it will become a complete nonsense float. 553 00:19:01,920 --> 00:19:04,019 It will be a very huge number, a 554 00:19:04,020 --> 00:19:06,029 very small number, or it just says, I 555 00:19:06,030 --> 00:19:07,259 don't know, it's zero.
556 00:19:07,260 --> 00:19:09,359 And, you know, maybe it's not a float. 557 00:19:09,360 --> 00:19:11,519 So if you don't recognize it, it's 558 00:19:11,520 --> 00:19:12,520 likely a float. 559 00:19:15,380 --> 00:19:17,749 So I did a lot of staring 560 00:19:17,750 --> 00:19:20,149 and drank a lot of coffee, of course, 561 00:19:20,150 --> 00:19:22,189 and what I saw is, I understand the packet 562 00:19:22,190 --> 00:19:24,349 headers. Yeah, as you see, this 563 00:19:24,350 --> 00:19:25,459 isn't rocket science. 564 00:19:25,460 --> 00:19:27,969 All I did was I just created 565 00:19:27,970 --> 00:19:30,109 megabytes of logs and I tried 566 00:19:30,110 --> 00:19:32,209 to figure out the login process and 567 00:19:32,210 --> 00:19:33,289 went on from there. 568 00:19:33,290 --> 00:19:34,819 You see it, you understand the packet 569 00:19:34,820 --> 00:19:37,309 header, you will understand other 570 00:19:37,310 --> 00:19:39,289 types of packets and you will 571 00:19:39,290 --> 00:19:41,969 understand that some packets have some, 572 00:19:41,970 --> 00:19:43,099 yes, 573 00:19:43,100 --> 00:19:45,349 you have to have a type and a subtype. 574 00:19:45,350 --> 00:19:47,149 And I think it has to do with the way 575 00:19:47,150 --> 00:19:49,249 packets are routed inside the game. 576 00:19:49,250 --> 00:19:50,989 But I don't know. 577 00:19:50,990 --> 00:19:53,119 Then I got fed up, because I don't 578 00:19:53,120 --> 00:19:55,009 know if you ever spent more than a day 579 00:19:55,010 --> 00:19:57,559 on hex dumps, but 580 00:19:57,560 --> 00:19:59,899 yeah, that's a good point. 581 00:19:59,900 --> 00:20:02,329 So I was like, let's create a tool. 582 00:20:02,330 --> 00:20:03,769 Let's create a tool to do this boring 583 00:20:03,770 --> 00:20:05,489 stuff for us. 584 00:20:05,490 --> 00:20:06,419 That's what I did.
585 00:20:06,420 --> 00:20:08,339 I created a tool called Home Dump, and 586 00:20:08,340 --> 00:20:10,409 the name is inspired by 587 00:20:10,410 --> 00:20:13,369 tcpdump because it can dump protocols. 588 00:20:13,370 --> 00:20:15,449 Now, what I did was, 589 00:20:15,450 --> 00:20:17,729 the first input I get is a text file 590 00:20:17,730 --> 00:20:19,019 from the TCP flow. 591 00:20:19,020 --> 00:20:21,239 So what it does is it just takes 592 00:20:21,240 --> 00:20:23,529 the headers away from it and reassembles 593 00:20:23,530 --> 00:20:25,169 the stream of stuff and it puts it in a 594 00:20:25,170 --> 00:20:27,329 file. And the second part is an XML 595 00:20:27,330 --> 00:20:29,639 file which contains the definitions 596 00:20:29,640 --> 00:20:31,709 of the packets. As you will know, what it 597 00:20:31,710 --> 00:20:33,269 does is, because we know the lengths, 598 00:20:33,270 --> 00:20:35,939 because TCP has this annoying tendency 599 00:20:35,940 --> 00:20:38,309 to buffer stuff, really annoying. 600 00:20:38,310 --> 00:20:40,589 So sometimes you will just 601 00:20:40,590 --> 00:20:42,929 get a packet that is incomplete, or 602 00:20:42,930 --> 00:20:45,029 the complete TCP packet you get contains 603 00:20:45,030 --> 00:20:46,619 three and a half packets and you have to 604 00:20:46,620 --> 00:20:48,749 remember, oh, I still need 605 00:20:48,750 --> 00:20:49,769 another 12 bytes. 606 00:20:49,770 --> 00:20:52,079 It's fairly annoying. 607 00:20:52,080 --> 00:20:54,449 So I want this tool to help me with this. 608 00:20:54,450 --> 00:20:56,099 And what it does is it just assembles 609 00:20:56,100 --> 00:20:58,499 the packets, does the decryption stuff 610 00:20:58,500 --> 00:21:00,989 and such, and it looks at the XML file 611 00:21:00,990 --> 00:21:02,879 and it'll continue. 612 00:21:02,880 --> 00:21:05,069 So what I show, this is what 613 00:21:05,070 --> 00:21:06,069 it looks like.
614 00:21:06,070 --> 00:21:08,219 I will first do 615 00:21:08,220 --> 00:21:10,319 the packet at the bottom of the 616 00:21:10,320 --> 00:21:12,449 screen, the login packet. First, 617 00:21:12,450 --> 00:21:14,099 names are just what I came up with 618 00:21:14,100 --> 00:21:16,199 because I thought it would help. 619 00:21:16,200 --> 00:21:17,759 And if you look at the top right, you 620 00:21:17,760 --> 00:21:19,439 can just say packet name is login. 621 00:21:19,440 --> 00:21:21,509 The first field 622 00:21:21,510 --> 00:21:23,069 is a u32. 623 00:21:23,070 --> 00:21:24,959 The name is type and it has a fixed value 624 00:21:24,960 --> 00:21:27,299 of four. And the second is some 625 00:21:27,300 --> 00:21:29,069 value which I call r. 626 00:21:29,070 --> 00:21:31,619 And if you look at it right at 627 00:21:31,620 --> 00:21:33,929 the bottom right, you will see 628 00:21:33,930 --> 00:21:36,389 that we get zero four 629 00:21:36,390 --> 00:21:37,409 there. 630 00:21:37,410 --> 00:21:39,599 So that's four, because little 631 00:21:39,600 --> 00:21:41,729 endian, and we will get sixty- 632 00:21:41,730 --> 00:21:43,949 five. So what it does is, 633 00:21:43,950 --> 00:21:46,199 the dump says: this packet is login, field 634 00:21:46,200 --> 00:21:48,419 type is four, r is 65. 635 00:21:48,420 --> 00:21:50,669 So that's much more fun than having 636 00:21:50,670 --> 00:21:52,799 to try to first get 637 00:21:52,800 --> 00:21:54,419 rid of that annoying encryption, 638 00:21:54,420 --> 00:21:55,949 obfuscation, encoding, whatever you want to 639 00:21:55,950 --> 00:21:58,769 call it.
And the second part is, suppose 640 00:21:58,770 --> 00:22:00,869 sometimes I add 641 00:22:00,870 --> 00:22:03,209 a field because I now know that 642 00:22:03,210 --> 00:22:05,369 it's not an r code, but 643 00:22:05,370 --> 00:22:07,079 it is a bitfield or something, then I can 644 00:22:07,080 --> 00:22:09,509 just apply this knowledge to my XML 645 00:22:09,510 --> 00:22:11,939 file. I can just say, OK, 646 00:22:11,940 --> 00:22:14,369 OK, now please process 200 647 00:22:14,370 --> 00:22:15,959 megabytes of packet dumps for me. 648 00:22:15,960 --> 00:22:18,119 And I will immediately start to 649 00:22:18,120 --> 00:22:20,249 see things, because now I have 650 00:22:20,250 --> 00:22:21,839 a tool which helps me with it. 651 00:22:21,840 --> 00:22:23,999 And if I ever manage to figure out that an 652 00:22:24,000 --> 00:22:26,559 unknown field is the account name, 653 00:22:26,560 --> 00:22:28,739 I can just plug it in in one or two minutes and I 654 00:22:28,740 --> 00:22:30,839 will see things. So that's really 655 00:22:30,840 --> 00:22:32,999 useful. I really recommend, if you 656 00:22:33,000 --> 00:22:35,369 do this sort of stuff, think about making 657 00:22:35,370 --> 00:22:37,529 such tools. I know very well there are 658 00:22:37,530 --> 00:22:39,629 tools for this stuff, but 659 00:22:39,630 --> 00:22:41,309 we will get on making custom stuff. 660 00:22:41,310 --> 00:22:42,869 It's always more fun. 661 00:22:42,870 --> 00:22:45,149 So as I said, some packets 662 00:22:45,150 --> 00:22:47,459 can be nested. So if you have a packet 663 00:22:47,460 --> 00:22:49,139 which I called client request, the 664 00:22:49,140 --> 00:22:50,759 idea of a client request is, yes, 665 00:22:50,760 --> 00:22:52,619 it's always sent from the client to the 666 00:22:52,620 --> 00:22:54,809 server. It always has that fixed type.
667 00:22:54,810 --> 00:22:56,969 And contained in this packet 668 00:22:56,970 --> 00:22:59,429 is a packet which says, I want to move, 669 00:22:59,430 --> 00:23:01,199 I want to quit the game, 670 00:23:01,200 --> 00:23:03,149 I want to say something to the game, what 671 00:23:03,150 --> 00:23:04,709 I want to do, whatever. 672 00:23:04,710 --> 00:23:06,839 So I was like, 673 00:23:06,840 --> 00:23:08,189 yeah, 674 00:23:08,190 --> 00:23:09,789 I can nest things in my parser. 675 00:23:09,790 --> 00:23:12,029 Right. Because everyone likes creating 676 00:23:12,030 --> 00:23:14,219 parsers. So if you look at the data 677 00:23:14,220 --> 00:23:16,589 at the bottom right, it's exactly 678 00:23:16,590 --> 00:23:18,839 the same packet as I illustrated 679 00:23:18,840 --> 00:23:21,869 with a bit of floating point stuff, 680 00:23:21,870 --> 00:23:24,089 and well, that doesn't make any sense. 681 00:23:24,090 --> 00:23:26,579 But if you just could 682 00:23:26,580 --> 00:23:28,619 create a definition and you just say, 683 00:23:28,620 --> 00:23:31,409 let's try float here, and you will see 684 00:23:31,410 --> 00:23:33,749 values that make sense, you will very 685 00:23:33,750 --> 00:23:35,909 quickly get the basic idea of the 686 00:23:35,910 --> 00:23:38,429 protocol. Because if you understand 687 00:23:38,430 --> 00:23:40,529 the how does any idea what to make 688 00:23:40,530 --> 00:23:42,929 us have, you will know overcoached 689 00:23:42,930 --> 00:23:45,149 is right, but at least I hope 690 00:23:45,150 --> 00:23:47,399 so. I really hope that you don't blow 691 00:23:47,400 --> 00:23:48,899 trucks over and that's a shortcut. 692 00:23:48,900 --> 00:23:49,829 But who knows? 693 00:23:49,830 --> 00:23:52,079 But there must be some patterns 694 00:23:52,080 --> 00:23:53,080 you can exploit there.
695 00:23:54,580 --> 00:23:56,769 So when I was doing this, 696 00:23:56,770 --> 00:23:59,029 too, I made a grave mistake: I wrote it 697 00:23:59,030 --> 00:24:01,089 in C++. That was dumb, 698 00:24:01,090 --> 00:24:02,559 you really shouldn't do it. 699 00:24:02,560 --> 00:24:04,639 And after this, I learned 700 00:24:04,640 --> 00:24:06,609 Python, and Python is much more fun to 701 00:24:06,610 --> 00:24:09,489 do this stuff in. And the reason 702 00:24:09,490 --> 00:24:11,739 I'm stressing this point is, 703 00:24:11,740 --> 00:24:13,809 when you create tools like this, 704 00:24:13,810 --> 00:24:16,089 you want to add features, because 705 00:24:16,090 --> 00:24:18,309 first you can deconstruct 706 00:24:18,310 --> 00:24:19,899 stuff and that's really cool. 707 00:24:19,900 --> 00:24:21,969 But eventually you will 708 00:24:21,970 --> 00:24:24,249 learn that, for example, an account 709 00:24:24,250 --> 00:24:26,499 name is always, say, 64 710 00:24:26,500 --> 00:24:28,869 bytes or so, so the moment 711 00:24:28,870 --> 00:24:30,929 you start seeing one of them, you know, 712 00:24:30,930 --> 00:24:33,069 this is like those 64 bytes, 713 00:24:33,070 --> 00:24:35,169 because they're always 64 bytes, there's 714 00:24:35,170 --> 00:24:36,549 no reason to assume they're not. 715 00:24:36,550 --> 00:24:39,099 So you want to have constants. 716 00:24:39,100 --> 00:24:40,849 You also want enumerations, because 717 00:24:40,850 --> 00:24:42,909 enumerations are cool and everyone uses them. 718 00:24:42,910 --> 00:24:44,679 So what you want to do is you want to 719 00:24:44,680 --> 00:24:46,959 add, oh, look, in 720 00:24:46,960 --> 00:24:49,479 our login code, one is 721 00:24:49,480 --> 00:24:51,849 password, login two is account, 722 00:24:51,850 --> 00:24:53,529 and login three is, whatever. 723 00:24:53,530 --> 00:24:55,149 And you just want to see them.
724 00:24:55,150 --> 00:24:56,979 You do not want to have to 725 00:24:56,980 --> 00:24:58,689 look them up every time. 726 00:24:58,690 --> 00:25:01,179 And also you will need structure types, 727 00:25:01,180 --> 00:25:02,199 at least I did. 728 00:25:02,200 --> 00:25:04,519 And the reason is that 729 00:25:04,520 --> 00:25:06,579 the item structure of this game is 730 00:25:06,580 --> 00:25:07,749 really complex. Right. 731 00:25:07,750 --> 00:25:09,539 We have seen lots, lots of stuff on 732 00:25:09,540 --> 00:25:11,619 the screen. It has to go to your client 733 00:25:11,620 --> 00:25:13,689 in some way. So what I did was I wanted 734 00:25:13,690 --> 00:25:16,029 to add structure to this, because 735 00:25:16,030 --> 00:25:18,519 all items will likely have exactly 736 00:25:18,520 --> 00:25:20,319 the same format, because first, 737 00:25:20,320 --> 00:25:22,539 programmers are lazy, and they 738 00:25:22,540 --> 00:25:24,339 should be. What you want to do is you 739 00:25:24,340 --> 00:25:25,839 want to figure it out one time and then 740 00:25:25,840 --> 00:25:27,789 you want to use this everywhere. 741 00:25:27,790 --> 00:25:29,139 So you need structure types. 742 00:25:29,140 --> 00:25:31,269 You need arrays, 743 00:25:31,270 --> 00:25:33,549 because everyone loves 744 00:25:33,550 --> 00:25:35,849 them. You will see 745 00:25:35,850 --> 00:25:37,629 the data if it belongs 746 00:25:37,630 --> 00:25:39,039 together. 747 00:25:39,040 --> 00:25:41,289 But the other interesting part is, 748 00:25:41,290 --> 00:25:43,459 I have transformation support, and what 749 00:25:43,460 --> 00:25:45,669 that does is, sometimes 750 00:25:45,670 --> 00:25:47,979 you will find a packet type 751 00:25:47,980 --> 00:25:51,429 or something and it's compressed, because 752 00:25:51,430 --> 00:25:53,289 it's a network, it makes sense to compress 753 00:25:53,290 --> 00:25:55,539 stuff.
So once you figure it out, 754 00:25:55,540 --> 00:25:57,609 I will get into that shortly, how you 755 00:25:57,610 --> 00:25:59,709 can do this. But you want to be 756 00:25:59,710 --> 00:26:02,319 able to tell your dump tool: 757 00:26:02,320 --> 00:26:04,029 hi, the data that's coming is 758 00:26:04,030 --> 00:26:06,249 compressed with algorithm X, Y, 759 00:26:06,250 --> 00:26:08,739 Z, and, you know, transform 760 00:26:08,740 --> 00:26:10,869 it for me. And if you implement it 761 00:26:10,870 --> 00:26:12,969 right, and do not 762 00:26:12,970 --> 00:26:15,159 write this tool in C, it's really easy 763 00:26:15,160 --> 00:26:17,649 to do, because, well, 764 00:26:17,650 --> 00:26:19,719 it took me a few clever hacks to 765 00:26:19,720 --> 00:26:21,009 put it in. 766 00:26:21,010 --> 00:26:23,079 And also, you want annotations. 767 00:26:23,080 --> 00:26:25,179 And what I mean by that is, if 768 00:26:25,180 --> 00:26:27,699 you log in to this game, it'll 769 00:26:27,700 --> 00:26:29,829 say, hi, you have completed 770 00:26:29,830 --> 00:26:32,169 quests one, two, three, four. 771 00:26:32,170 --> 00:26:34,269 And I was like, I have no idea what 772 00:26:34,270 --> 00:26:35,559 one, two, three, four is. 773 00:26:35,560 --> 00:26:37,719 So I was like, how can I 774 00:26:37,720 --> 00:26:38,829 learn this? 775 00:26:38,830 --> 00:26:40,839 I will get to it in the next slide, 776 00:26:40,840 --> 00:26:43,119 there are really clever 777 00:26:43,120 --> 00:26:45,339 ways to look it up, but you want 778 00:26:45,340 --> 00:26:47,229 to know it; if you first 779 00:26:47,230 --> 00:26:49,209 have to look it up in a table, no, 780 00:26:49,210 --> 00:26:50,400 I want to see the 781 00:26:52,000 --> 00:26:53,889 human readable form, because computers 782 00:26:53,890 --> 00:26:55,239 like one, two, three, four.
783 00:26:55,240 --> 00:26:57,039 And I want to know what is really in 784 00:26:57,040 --> 00:26:58,929 there. And you also want dynamic 785 00:26:58,930 --> 00:27:01,119 annotations, and this game 786 00:27:01,120 --> 00:27:03,519 works, I'm actually 787 00:27:03,520 --> 00:27:04,509 just running ahead now, 788 00:27:04,510 --> 00:27:06,669 but the game works with objects: 789 00:27:06,670 --> 00:27:08,769 the server says, hi, there's an object 790 00:27:08,770 --> 00:27:10,719 over there, everything that is not static 791 00:27:10,720 --> 00:27:12,579 is an object. And the IDs of the 792 00:27:12,580 --> 00:27:14,409 objects are random. 793 00:27:14,410 --> 00:27:15,789 You know, it's actually sequential. 794 00:27:15,790 --> 00:27:16,779 So that's not really random. 795 00:27:16,780 --> 00:27:18,819 But you can't predict them. 796 00:27:18,820 --> 00:27:20,619 At least I can't. 797 00:27:20,620 --> 00:27:22,749 So what it does is it will 798 00:27:22,750 --> 00:27:23,769 just say, hi, 799 00:27:23,770 --> 00:27:26,259 I want you to show object 800 00:27:26,260 --> 00:27:27,909 one, two, three, object type one, two, 801 00:27:27,910 --> 00:27:30,579 three, four, at some position. 802 00:27:30,580 --> 00:27:32,439 And I'm going to call it object two. 803 00:27:32,440 --> 00:27:34,569 And what a dynamic annotation 804 00:27:34,570 --> 00:27:36,429 in the tool does is, everywhere 805 00:27:36,430 --> 00:27:38,679 it sees this object two, it says, aha, 806 00:27:38,680 --> 00:27:40,929 that's that door, because it knows 807 00:27:40,930 --> 00:27:43,029 it was a door, so you can show 808 00:27:43,030 --> 00:27:44,229 that it's a door. 809 00:27:44,230 --> 00:27:46,030 I will give examples of this. 810 00:27:47,200 --> 00:27:49,539 But first, custom 811 00:27:49,540 --> 00:27:51,009 item IDs. I touched on them 812 00:27:51,010 --> 00:27:52,089 previously.
813 00:27:52,090 --> 00:27:54,309 And one of the things you need to 814 00:27:54,310 --> 00:27:56,589 realize is, games are typically, 815 00:27:56,590 --> 00:27:58,749 and everything that we do, it's 816 00:27:58,750 --> 00:27:59,949 just numbers. Right. 817 00:27:59,950 --> 00:28:01,479 And there's a database and it has this 818 00:28:01,480 --> 00:28:03,789 number. So I was like, it's really useful 819 00:28:03,790 --> 00:28:06,219 when you start figuring out inventory 820 00:28:06,220 --> 00:28:08,499 management and you just click on 821 00:28:08,500 --> 00:28:10,479 items in your backpack and see what they 822 00:28:10,480 --> 00:28:13,149 do. You want to see this: 823 00:28:13,150 --> 00:28:15,789 I have this potion and I think 824 00:28:15,790 --> 00:28:16,869 the game must have it in 825 00:28:16,870 --> 00:28:17,889 its data files. 826 00:28:17,890 --> 00:28:19,809 So what's the ID of the potion? 827 00:28:19,810 --> 00:28:21,429 It must have an identifier. 828 00:28:21,430 --> 00:28:23,319 And it turns out that if you just Google 829 00:28:23,320 --> 00:28:25,779 around a lot, the game has ways 830 00:28:25,780 --> 00:28:27,489 of just linking an object to another 831 00:28:27,490 --> 00:28:29,439 player, so you can show someone, hi, I 832 00:28:29,440 --> 00:28:31,629 have this awesome sword, and they will see it 833 00:28:31,630 --> 00:28:33,309 in chat. And if they click it, they 834 00:28:33,310 --> 00:28:35,649 will see a 3D model of it. 835 00:28:35,650 --> 00:28:37,719 And it turns out that 836 00:28:37,720 --> 00:28:39,879 those links typically use exactly the same 837 00:28:39,880 --> 00:28:42,069 IDs, and several websites, 838 00:28:42,070 --> 00:28:44,289 item databases, if you will, 839 00:28:44,290 --> 00:28:45,939 they also use the same ID, 840 00:28:45,940 --> 00:28:47,199 because why not? 841 00:28:47,200 --> 00:28:49,209 Why should we invent something else?
842 00:28:49,210 --> 00:28:51,819 So what I decided to do was, 843 00:28:51,820 --> 00:28:53,819 first I used to make Benta. 844 00:28:53,820 --> 00:28:55,849 And what it does is you feed it the data 845 00:28:55,850 --> 00:28:58,379 files and it dumps out the internal 846 00:28:58,380 --> 00:29:00,539 tables of the game, and it has some tools 847 00:29:00,540 --> 00:29:02,729 to do the 848 00:29:02,730 --> 00:29:04,349 interesting stuff with it. 849 00:29:04,350 --> 00:29:06,929 I also wrote my own, because 850 00:29:06,930 --> 00:29:08,249 why not? 851 00:29:08,250 --> 00:29:10,049 And I was bored of looking at hex dumps for 852 00:29:10,050 --> 00:29:11,219 a while, so I wanted to do something 853 00:29:11,220 --> 00:29:13,349 different. But it really helps if you 854 00:29:13,350 --> 00:29:15,359 know that an item you are 855 00:29:15,360 --> 00:29:16,859 interested in, because you pick it up or 856 00:29:16,860 --> 00:29:19,019 whatever, it helps if you know it has 857 00:29:19,020 --> 00:29:20,489 an ID. 858 00:29:20,490 --> 00:29:22,589 And the other interesting part 859 00:29:22,590 --> 00:29:24,809 of it is, if you have hex dump support, 860 00:29:24,810 --> 00:29:26,669 then you can just dump all packets as hex, 861 00:29:26,670 --> 00:29:28,619 you can just search for it, because if 862 00:29:28,620 --> 00:29:30,719 you search in the data for the ID, you 863 00:29:30,720 --> 00:29:32,939 will immediately identify a packet or 864 00:29:32,940 --> 00:29:34,949 packets that do stuff with items. 865 00:29:34,950 --> 00:29:37,229 And it's so much easier than 866 00:29:37,230 --> 00:29:38,940 just looking at them one by one. 867 00:29:41,170 --> 00:29:43,239 So I was continuing 868 00:29:43,240 --> 00:29:45,429 and it was really, really nice, and I got 869 00:29:45,430 --> 00:29:47,889 a packet that had no patterns 870 00:29:47,890 --> 00:29:49,629 at all, but I like to do it.
871 00:29:49,630 --> 00:29:51,699 I print stuff and I just grab 872 00:29:51,700 --> 00:29:54,239 a pencil and a lot of coffee 873 00:29:54,240 --> 00:29:56,989 and an evening, and I start 874 00:29:56,990 --> 00:29:59,059 just drawing lines and annotating things 875 00:29:59,060 --> 00:30:01,069 the way I think they work. 876 00:30:01,070 --> 00:30:02,079 That's what I used to do. 877 00:30:02,080 --> 00:30:04,269 And that's why I like this stuff so 878 00:30:04,270 --> 00:30:06,729 much. But one of the things I noticed 879 00:30:06,730 --> 00:30:09,009 was that the data 880 00:30:09,010 --> 00:30:10,029 looks random. 881 00:30:10,030 --> 00:30:11,859 Yeah, I couldn't make heads or 882 00:30:11,860 --> 00:30:13,809 tails of it. I had a lot of characters, a 883 00:30:13,810 --> 00:30:16,069 lot of different sorts of settings, and 884 00:30:16,070 --> 00:30:18,159 just pieces 885 00:30:18,160 --> 00:30:20,439 of the name, whatever, pieces of the 886 00:30:20,440 --> 00:30:22,419 inventory, item ID, 887 00:30:22,420 --> 00:30:24,999 whatever, but not everything. Something like 888 00:30:25,000 --> 00:30:27,189 this looks like something compressed. 889 00:30:27,190 --> 00:30:29,349 And what I did was, I was 890 00:30:29,350 --> 00:30:31,029 like, I'm going to use my big friends 891 00:30:31,030 --> 00:30:33,189 OllyDbg and IDA and I'm going to learn 892 00:30:33,190 --> 00:30:34,929 what the protocol does. 893 00:30:34,930 --> 00:30:37,119 And I think I'm reasonably 894 00:30:37,120 --> 00:30:39,279 certain they didn't invent this 895 00:30:39,280 --> 00:30:40,449 protocol themselves. 896 00:30:40,450 --> 00:30:42,609 And it really takes a lot of time to take 897 00:30:42,610 --> 00:30:44,499 a lot of assembly and try to learn 898 00:30:44,500 --> 00:30:46,679 an unknown 899 00:30:46,680 --> 00:30:48,459 compression algorithm, but it's really 900 00:30:48,460 --> 00:30:49,569 fun to do.
901 00:30:49,570 --> 00:30:51,160 I think you should do it. 902 00:30:52,300 --> 00:30:54,549 But the problem is, when I got this, 903 00:30:54,550 --> 00:30:56,829 I got hundreds of kilobytes of data, 904 00:30:56,830 --> 00:30:58,869 and other fields I could identify, 905 00:30:58,870 --> 00:31:00,939 I had the inventory, for example. 906 00:31:00,940 --> 00:31:03,139 But much of that is a lot. 907 00:31:03,140 --> 00:31:04,329 It's really a lot. 908 00:31:04,330 --> 00:31:06,399 My first computer didn't even have that 909 00:31:06,400 --> 00:31:07,599 much memory. 910 00:31:07,600 --> 00:31:09,789 So I was like, hmm, I need 911 00:31:09,790 --> 00:31:12,229 some way to figure out how I can, 912 00:31:12,230 --> 00:31:13,569 how do I continue? 913 00:31:13,570 --> 00:31:15,549 I don't know enough about this data. 914 00:31:17,240 --> 00:31:19,369 But first, I was actually quite fed 915 00:31:19,370 --> 00:31:21,409 up with my capturing setup. 916 00:31:21,410 --> 00:31:23,539 And the reason is, pcaps 917 00:31:23,540 --> 00:31:25,579 are good. But this game, it's a 918 00:31:25,580 --> 00:31:26,929 distributed game, right? 919 00:31:26,930 --> 00:31:29,119 As in, it runs from multiple servers, a lot 920 00:31:29,120 --> 00:31:31,339 of back ends. And if you log 921 00:31:31,340 --> 00:31:33,199 in to the game, you get redirected to 922 00:31:33,200 --> 00:31:35,479 another server, and the 923 00:31:35,480 --> 00:31:37,309 server can decide, no, no, you're going 924 00:31:37,310 --> 00:31:39,409 to this server and you need to log in 925 00:31:39,410 --> 00:31:40,789 again, and you have a lot of 926 00:31:40,790 --> 00:31:42,709 connections and you need to look at a lot 927 00:31:42,710 --> 00:31:44,809 of states. So what I decided to do 928 00:31:44,810 --> 00:31:47,269 was, I was like, I'm not interested 929 00:31:47,270 --> 00:31:49,549 in that, I want to capture this 930 00:31:49,550 --> 00:31:51,109 in a bit better fashion.
931 00:31:51,110 --> 00:31:53,449 So I decided, I know how the basic 932 00:31:53,450 --> 00:31:54,769 protocol works, I'm going to write a 933 00:31:54,770 --> 00:31:55,869 proxy. 934 00:31:55,870 --> 00:31:57,529 This is what I did. 935 00:31:57,530 --> 00:31:59,479 And what I did was, it's a tool. 936 00:31:59,480 --> 00:32:01,789 It just listens on TCP and it 937 00:32:01,790 --> 00:32:03,919 connects to the real server and it 938 00:32:03,920 --> 00:32:05,849 just forwards your data to the server. 939 00:32:05,850 --> 00:32:07,129 What comes back, it forwards back to the 940 00:32:07,130 --> 00:32:09,259 client. And it logs everything in a really 941 00:32:09,260 --> 00:32:11,059 nice logging file format. 942 00:32:11,060 --> 00:32:13,129 And I know they want me to do this, 943 00:32:13,130 --> 00:32:15,439 because you can just set, in a server 944 00:32:15,440 --> 00:32:17,809 INI file, you can say, no, no, this is the 945 00:32:17,810 --> 00:32:19,279 IP you should be contacting. 946 00:32:20,930 --> 00:32:23,119 So I'm now able to 947 00:32:23,120 --> 00:32:25,579 log stuff, and first, keep-alives, 948 00:32:25,580 --> 00:32:27,199 it does it. And if it sees a server 949 00:32:27,200 --> 00:32:29,209 redirect, it's like, no, no, you want to 950 00:32:29,210 --> 00:32:31,469 talk to me, and rewrites it 951 00:32:31,470 --> 00:32:33,889 nicely to its own IP address. 952 00:32:33,890 --> 00:32:36,169 And I thought, I don't know what else. 953 00:32:36,170 --> 00:32:38,029 I don't care. It just looks, oh, this 954 00:32:38,030 --> 00:32:40,519 looks like an IP address, even for 955 00:32:40,520 --> 00:32:42,649 even the private IP space, 956 00:32:42,650 --> 00:32:44,179 I'm just going to connect to it. 957 00:32:44,180 --> 00:32:46,639 So what? And this turned out to be only 958 00:32:46,640 --> 00:32:48,919 Hatemi. And it's undetectable 959 00:32:48,920 --> 00:32:50,719 as far as I know, because I didn't want 960 00:32:50,720 --> 00:32:52,759 this on my own or my gaming PC.
961 00:32:52,760 --> 00:32:54,919 I just want it on some Linux 962 00:32:54,920 --> 00:32:56,449 box in my network. 963 00:32:56,450 --> 00:32:58,669 And the nice part is you can do 964 00:32:58,670 --> 00:33:00,739 really cool stuff, I'm not 965 00:33:00,740 --> 00:33:01,699 getting into details. 966 00:33:01,700 --> 00:33:03,829 But I think 967 00:33:03,830 --> 00:33:05,329 you get the idea now, because you can just 968 00:33:05,330 --> 00:33:07,399 rewrite packets and you can 969 00:33:07,400 --> 00:33:09,599 just lie about them and you can say, 970 00:33:09,600 --> 00:33:10,939 I didn't see that packet. 971 00:33:10,940 --> 00:33:11,940 Goodbye. 972 00:33:12,680 --> 00:33:14,269 Of course I haven't tried this, 973 00:33:18,080 --> 00:33:20,149 so I have 974 00:33:20,150 --> 00:33:22,219 a tool. I can make nice logs, 975 00:33:22,220 --> 00:33:24,559 but entering the game involves 400 976 00:33:24,560 --> 00:33:26,719 kilobytes of data, and that excludes 977 00:33:26,720 --> 00:33:28,999 the data that it decompresses. 978 00:33:29,000 --> 00:33:31,759 So the data you get, 400 kilobytes, 979 00:33:31,760 --> 00:33:34,009 is a whole lot, really 980 00:33:34,010 --> 00:33:36,109 a lot. I was like, I'm pretty 981 00:33:36,110 --> 00:33:38,209 sure most of it is not relevant, but 982 00:33:39,230 --> 00:33:40,939 no idea what I could do. 983 00:33:40,940 --> 00:33:43,249 So what I did was, I wanted 984 00:33:43,250 --> 00:33:45,289 to, I need to influence the data, right? 985 00:33:45,290 --> 00:33:47,089 If it's a 400 kilobyte structure, I need to 986 00:33:47,090 --> 00:33:49,039 change things. And I need to 987 00:33:49,040 --> 00:33:51,139 learn how the game 988 00:33:51,140 --> 00:33:52,129 reacts to it. 989 00:33:52,130 --> 00:33:53,959 So I was like, let's write the server.
990 00:33:56,200 --> 00:33:58,449 So what I did was I just 991 00:33:58,450 --> 00:34:00,279 I just put something together, it's 992 00:34:00,280 --> 00:34:02,169 really terrible, but it works good 993 00:34:02,170 --> 00:34:04,239 enough. And I had this idea, if I 994 00:34:04,240 --> 00:34:07,089 do know what, I'm going to plug a Python 995 00:34:07,090 --> 00:34:09,249 script language in it because Python 996 00:34:09,250 --> 00:34:10,599 is good. 997 00:34:10,600 --> 00:34:12,819 But I was like, if I just 998 00:34:12,820 --> 00:34:15,039 I broadcasted on some way of 999 00:34:15,040 --> 00:34:16,029 bites. 1000 00:34:16,030 --> 00:34:18,099 Well, well, well, we are well back to the 1001 00:34:18,100 --> 00:34:19,959 pachyderms we wanted to avoid. 1002 00:34:19,960 --> 00:34:22,178 So I was like, let's not do it because 1003 00:34:22,179 --> 00:34:24,369 we have this nice metaphor and 1004 00:34:24,370 --> 00:34:26,499 if we can use it to dump, we can 1005 00:34:26,500 --> 00:34:29,109 only use it to create packets 1006 00:34:29,110 --> 00:34:31,388 and we can go further 1007 00:34:31,389 --> 00:34:33,669 as ohmy projects like to do. 1008 00:34:33,670 --> 00:34:35,799 What I did was I created a tool called 1009 00:34:35,800 --> 00:34:38,079 MKR Def, also superstitious, but also 1010 00:34:38,080 --> 00:34:40,149 a very stupid idea because 1011 00:34:40,150 --> 00:34:42,039 who passes Ximo? 1012 00:34:42,040 --> 00:34:44,079 But then again what it does is it just 1013 00:34:44,080 --> 00:34:46,399 takes this fall and it creates 1014 00:34:46,400 --> 00:34:47,499 shortcode false. 1015 00:34:47,500 --> 00:34:50,229 One of the packets data itself 1016 00:34:50,230 --> 00:34:52,448 and packet false are just, they just 1017 00:34:52,449 --> 00:34:55,419 create classes and you can just 1018 00:34:55,420 --> 00:34:56,468 put in there. 
1019 00:34:56,469 --> 00:34:59,349 Oh I want to, I want to chanta 1020 00:34:59,350 --> 00:35:01,749 and create object fish data 1021 00:35:01,750 --> 00:35:03,499 and I want to send it now in all of its 1022 00:35:03,500 --> 00:35:05,199 backing and encrypting and stuff. 1023 00:35:05,200 --> 00:35:07,269 It's all handled by this code and it 1024 00:35:07,270 --> 00:35:09,129 also creates python bindings. 1025 00:35:09,130 --> 00:35:11,469 So I can just hook them apart and 1026 00:35:11,470 --> 00:35:14,109 it's because I can say hi, I want you to 1027 00:35:14,110 --> 00:35:16,239 create object to fish and fish arguments 1028 00:35:16,240 --> 00:35:18,339 and it's boathouses to all the clients it 1029 00:35:18,340 --> 00:35:20,169 has. That's really awesome. 1030 00:35:20,170 --> 00:35:21,309 And you will see it soon. 1031 00:35:23,010 --> 00:35:25,089 So this is looks like. 1032 00:35:25,090 --> 00:35:27,189 No, I have Fischbeck a display yellow 1033 00:35:27,190 --> 00:35:29,079 text you. I'm sure you have no idea what 1034 00:35:29,080 --> 00:35:31,599 it does and what it and 1035 00:35:31,600 --> 00:35:33,379 what you can do is you can just telnet to 1036 00:35:33,380 --> 00:35:35,679 the stuff on Sombath, you can just copy 1037 00:35:35,680 --> 00:35:36,999 paste your text in there. 1038 00:35:37,000 --> 00:35:39,219 And what happens is the 1039 00:35:39,220 --> 00:35:41,349 what happens is you will see yellow text 1040 00:35:41,350 --> 00:35:43,389 on the client screen, but you can also 1041 00:35:43,390 --> 00:35:45,459 mess with the parameters because I'm 1042 00:35:45,460 --> 00:35:47,319 I'm not sure what's known for that. 1043 00:35:47,320 --> 00:35:49,059 So I'm going to type something else and 1044 00:35:49,060 --> 00:35:51,249 I'm going to look at what what what does 1045 00:35:51,250 --> 00:35:52,179 the client show? 
1046 00:35:52,180 --> 00:35:54,339 And this is really fun to do because 1047 00:35:54,340 --> 00:35:56,499 you can just change things and 1048 00:35:56,500 --> 00:35:58,599 you can just observe what happens and you 1049 00:35:58,600 --> 00:36:00,789 really learn quickly about it. 1050 00:36:00,790 --> 00:36:02,889 And you are not you are not 1051 00:36:02,890 --> 00:36:04,059 harming anyone. Right. 1052 00:36:04,060 --> 00:36:06,549 Because the game servers, 1053 00:36:06,550 --> 00:36:08,229 whatever, they are just coming along, 1054 00:36:08,230 --> 00:36:09,399 they don't know what to do. It's because 1055 00:36:09,400 --> 00:36:10,400 it's your own self. 1056 00:36:12,670 --> 00:36:14,859 But there a snitch, I 1057 00:36:14,860 --> 00:36:16,929 was like, you know what, I'm just going 1058 00:36:16,930 --> 00:36:19,179 to to put this phone kilobytes 1059 00:36:19,180 --> 00:36:21,339 of data to the to the clients and 1060 00:36:21,340 --> 00:36:22,459 it crashes. 1061 00:36:22,460 --> 00:36:23,979 Yeah, yeah. 1062 00:36:23,980 --> 00:36:26,109 The client is if you've played this 1063 00:36:26,110 --> 00:36:27,289 game, you understand 1064 00:36:28,300 --> 00:36:30,299 maybe it wasn't. 1065 00:36:30,300 --> 00:36:31,479 Yes. 1066 00:36:31,480 --> 00:36:34,059 It could have used a bit more more 1067 00:36:34,060 --> 00:36:34,959 Q&A. 1068 00:36:34,960 --> 00:36:36,159 Maybe, but 1069 00:36:37,900 --> 00:36:40,059 but so what I did was I was like, 1070 00:36:40,060 --> 00:36:41,829 if I just put sleeps in there. 1071 00:36:41,830 --> 00:36:43,959 Well I took a lot of time, 1072 00:36:43,960 --> 00:36:46,149 but I managed to log in and just started 1073 00:36:46,150 --> 00:36:48,459 to remove stuff I hoped 1074 00:36:48,460 --> 00:36:50,109 was not important. 
1075 00:36:50,110 --> 00:36:52,599 And step by step, I got to somewhere 1076 00:36:52,600 --> 00:36:54,819 I could log into the game world and I 1077 00:36:54,820 --> 00:36:57,489 could do my packets and 1078 00:36:57,490 --> 00:36:58,629 analysis. 1079 00:36:58,630 --> 00:37:00,729 So I'm not going to show you a small 1080 00:37:00,730 --> 00:37:02,889 demo. So please play with me the 1081 00:37:02,890 --> 00:37:05,319 starting line that doesn't crash, because 1082 00:37:05,320 --> 00:37:06,879 I won't say it has happened before 1083 00:37:06,880 --> 00:37:07,880 because it has. 1084 00:37:09,160 --> 00:37:11,259 But the package I'm going to show 1085 00:37:11,260 --> 00:37:13,099 is if you the game version of your 1086 00:37:13,100 --> 00:37:15,339 exercise and if you create an object 1087 00:37:15,340 --> 00:37:18,639 and you are and you are like a 1088 00:37:18,640 --> 00:37:20,499 player character, you can customize your 1089 00:37:20,500 --> 00:37:22,929 character a bit and the game uses 1090 00:37:22,930 --> 00:37:25,449 some packets and it tells you, OK, 1091 00:37:25,450 --> 00:37:27,519 it has to 1092 00:37:27,520 --> 00:37:29,889 have looks like this and that 1093 00:37:29,890 --> 00:37:32,199 of the debate style 1094 00:37:32,200 --> 00:37:34,689 is fat and what sort of stuff. 1095 00:37:34,690 --> 00:37:36,789 So eventually 1096 00:37:36,790 --> 00:37:38,799 I knew Fishbeck it does it but I don't 1097 00:37:38,800 --> 00:37:40,679 know what do for the 32 two. 1098 00:37:40,680 --> 00:37:41,680 Do what it does. 1099 00:37:42,930 --> 00:37:43,930 So. 1100 00:37:44,870 --> 00:37:46,159 Oh, my God, it's still up. 1101 00:37:47,170 --> 00:37:48,819 What I'm going to do is I'm going to 1102 00:37:48,820 --> 00:37:50,019 start my phone. 1103 00:37:50,020 --> 00:37:51,819 It's just a night in the open room 1104 00:37:51,820 --> 00:37:53,229 because I really suck at names. 
1105 00:37:56,150 --> 00:37:58,309 And yet how open projects are popular 1106 00:37:58,310 --> 00:38:01,069 items like maybe for adaptiveness 1107 00:38:01,070 --> 00:38:02,779 one, so I'm going to give my friend 1108 00:38:02,780 --> 00:38:04,209 username password. 1109 00:38:04,210 --> 00:38:05,349 I hope it's feasible, 1110 00:38:06,350 --> 00:38:08,539 but as you can see, the shuffle starts 1111 00:38:08,540 --> 00:38:09,859 seeing stuff. 1112 00:38:09,860 --> 00:38:12,169 And we are yeah, we have our own server 1113 00:38:12,170 --> 00:38:14,539 with have nice name Solitude, because 1114 00:38:14,540 --> 00:38:16,379 it's not really an online game anymore, 1115 00:38:16,380 --> 00:38:17,380 is it? 1116 00:38:28,240 --> 00:38:30,519 So now I'm going to look in with 1117 00:38:30,520 --> 00:38:32,169 a reverse engineer, because that's what 1118 00:38:32,170 --> 00:38:34,269 we do, and in the meanwhile, you will 1119 00:38:34,270 --> 00:38:35,799 see the look on the back. 1120 00:38:35,800 --> 00:38:37,119 If that's why you need logging, you want 1121 00:38:37,120 --> 00:38:38,769 to show you want to know that stuff is 1122 00:38:38,770 --> 00:38:40,959 going on. I'm not going to talk about 1123 00:38:40,960 --> 00:38:42,279 what the packets are actually like. 1124 00:38:42,280 --> 00:38:44,409 I will be presenting a short one or one 1125 00:38:44,410 --> 00:38:46,479 the overview of the protocol and you 1126 00:38:46,480 --> 00:38:48,279 can get the rest of my GitHub. 1127 00:38:48,280 --> 00:38:49,809 But yeah. 1128 00:38:49,810 --> 00:38:52,059 Did I mention the game is how it is 1129 00:38:52,060 --> 00:38:53,799 now? As you can see, we're an engineer at 1130 00:38:53,800 --> 00:38:55,899 32. She freaks because 1131 00:38:55,900 --> 00:38:57,759 I can send whatever I want so I can send 1132 00:38:57,760 --> 00:38:58,760 guild names. 1133 00:38:59,690 --> 00:39:02,419 Charity fund groups. 
1134 00:39:02,420 --> 00:39:04,169 And this is how the game is supposed to 1135 00:39:04,170 --> 00:39:05,170 look like, 1136 00:39:06,400 --> 00:39:08,579 and now I'm I'm I'm going to 1137 00:39:08,580 --> 00:39:09,959 zoom in on my face. 1138 00:39:11,180 --> 00:39:13,759 And yeah, I really haven't. 1139 00:39:13,760 --> 00:39:15,859 So now I'm just going to tell that to 1140 00:39:15,860 --> 00:39:17,659 the stuff and we're going to enter Python 1141 00:39:17,660 --> 00:39:18,779 stuff right now. 1142 00:39:18,780 --> 00:39:20,359 First, I'm going to set a variable 1143 00:39:20,360 --> 00:39:21,739 because it was a nice. 1144 00:39:22,870 --> 00:39:25,089 Then I'm going to set a lot of data 1145 00:39:25,090 --> 00:39:27,159 and this is the data I just sniffed from 1146 00:39:27,160 --> 00:39:29,349 somewhere, and I'm going to and 1147 00:39:29,350 --> 00:39:31,599 I'm going to modify it, but first 1148 00:39:31,600 --> 00:39:33,429 I'm just going to send it. 1149 00:39:33,430 --> 00:39:35,110 So what you see here? 1150 00:39:37,900 --> 00:39:40,149 If nothing happens, oh, 1151 00:39:40,150 --> 00:39:41,949 that's boring, but that's good, because 1152 00:39:41,950 --> 00:39:44,119 it's exactly the same data as I sent. 1153 00:39:44,120 --> 00:39:45,759 I created this character. 1154 00:39:45,760 --> 00:39:47,859 So now I'm just going to say I'm 1155 00:39:47,860 --> 00:39:49,719 a nine five. I have no idea what it does, 1156 00:39:49,720 --> 00:39:51,879 but I'm going to send it to two five 1157 00:39:51,880 --> 00:39:53,559 five because two five five is a nice 1158 00:39:53,560 --> 00:39:54,699 fellow or oh, 1159 00:39:56,490 --> 00:39:58,659 and usually just testing 1160 00:39:58,660 --> 00:39:59,769 extreme values. 1161 00:39:59,770 --> 00:40:01,719 If it's ten, make it to Hudnut. 
1162 00:40:01,720 --> 00:40:04,089 If it's too not make it true free, it's 1163 00:40:04,090 --> 00:40:05,590 really helps to figure out 1164 00:40:07,510 --> 00:40:09,099 what kind of value with this. 1165 00:40:09,100 --> 00:40:11,109 So now I'm going to send it to two, five, 1166 00:40:11,110 --> 00:40:13,349 five and I'm going to send to object 1167 00:40:13,350 --> 00:40:14,859 to parents, pack it again. 1168 00:40:14,860 --> 00:40:17,079 And as you can see, my character has lost 1169 00:40:17,080 --> 00:40:18,080 all his hair. 1170 00:40:27,310 --> 00:40:29,139 No, I can't continue with this. 1171 00:40:29,140 --> 00:40:31,299 I can also send a known and 1172 00:40:31,300 --> 00:40:33,699 unknown character and now my beard 1173 00:40:33,700 --> 00:40:34,809 is another color. 1174 00:40:34,810 --> 00:40:36,939 So I know now that the beard is somehow 1175 00:40:36,940 --> 00:40:38,889 linked to a lone wolf and the character 1176 00:40:38,890 --> 00:40:40,819 is linked to a number five. 1177 00:40:40,820 --> 00:40:42,189 But you can also do this. 1178 00:40:42,190 --> 00:40:44,679 You can also create arbitrary characters. 1179 00:40:46,160 --> 00:40:47,869 And I'm now going to quickly do that, 1180 00:40:47,870 --> 00:40:50,329 because sometimes, you know, that that 1181 00:40:50,330 --> 00:40:52,489 commands interactive stuff 1182 00:40:52,490 --> 00:40:53,419 over things. 1183 00:40:53,420 --> 00:40:55,939 So now I want to create a monster 1184 00:40:55,940 --> 00:40:57,709 and I'm going to do it. 1185 00:40:57,710 --> 00:40:59,759 And of course, I messed up. 1186 00:40:59,760 --> 00:41:01,039 You see, and we have friends 1187 00:41:03,460 --> 00:41:04,460 in your eyes. 1188 00:41:05,660 --> 00:41:07,039 But the good part is. 1189 00:41:08,900 --> 00:41:11,029 I figured that the object would come on 1190 00:41:11,030 --> 00:41:13,099 by by you 1191 00:41:13,100 --> 00:41:14,100 could just kill it. 
1192 00:41:23,800 --> 00:41:26,529 And then I had this unknown nine to E 1193 00:41:26,530 --> 00:41:28,089 thing, and I didn't know what it was. 1194 00:41:28,090 --> 00:41:29,979 So I'm just going to send it and it 1195 00:41:29,980 --> 00:41:31,929 sparkles. Sparkling is good. 1196 00:41:33,410 --> 00:41:35,239 And sparkling in the game means you can 1197 00:41:35,240 --> 00:41:36,719 look at it, so now if I look at it 1198 00:41:36,720 --> 00:41:38,929 myself, I guess I can 1199 00:41:38,930 --> 00:41:40,129 show Fishersville. 1200 00:41:40,130 --> 00:41:42,199 I if I ask you, you will see 1201 00:41:42,200 --> 00:41:45,079 for, I guess, an unknown one fact. 1202 00:41:45,080 --> 00:41:46,699 So I know. Aha. 1203 00:41:46,700 --> 00:41:49,099 On one f must mean you want to loot. 1204 00:41:49,100 --> 00:41:50,869 And now I'm supposed to send the 1205 00:41:50,870 --> 00:41:53,119 client which kinds of cool items it has. 1206 00:41:54,530 --> 00:41:56,509 But that's about it for the demo. 1207 00:41:56,510 --> 00:41:58,579 Let's hope it doesn't die, so 1208 00:41:58,580 --> 00:42:00,139 now I'm quickly going to cover the 1209 00:42:00,140 --> 00:42:02,149 protocol because we're running out of 1210 00:42:02,150 --> 00:42:04,459 time. So how the game works 1211 00:42:04,460 --> 00:42:06,919 is there are three layers of servers. 1212 00:42:06,920 --> 00:42:09,019 You have the login server and 1213 00:42:09,020 --> 00:42:10,819 it just says, hi, who are you? 1214 00:42:10,820 --> 00:42:11,989 Account name, password. 1215 00:42:11,990 --> 00:42:13,909 And if it doesn't match, go away. 1216 00:42:13,910 --> 00:42:15,499 If you make it through it, you get to a 1217 00:42:15,500 --> 00:42:17,719 portal server, and a portal server just 1218 00:42:17,720 --> 00:42:19,909 lists all the game servers you can 1219 00:42:19,910 --> 00:42:22,039 connect to.
And if you connect to 1220 00:42:22,040 --> 00:42:23,689 a server, you end up with a specific 1221 00:42:23,690 --> 00:42:25,849 game. So you always have three 1222 00:42:25,850 --> 00:42:27,859 hops. And that's why I wrote the proxy 1223 00:42:27,860 --> 00:42:29,989 tool, because, well, it's 1224 00:42:29,990 --> 00:42:32,119 it's a much nicer if if 1225 00:42:32,120 --> 00:42:34,309 something solves this problem for you. 1226 00:42:34,310 --> 00:42:36,199 Now, the other thing to note is, is this 1227 00:42:36,200 --> 00:42:38,479 game has a lot of commands and 1228 00:42:38,480 --> 00:42:41,029 really a lot of everything is a command. 1229 00:42:41,030 --> 00:42:43,519 If you join a team, first 1230 00:42:43,520 --> 00:42:45,679 there's a command to tell you, to tell 1231 00:42:45,680 --> 00:42:48,109 you hi, the join went perfectly. 1232 00:42:48,110 --> 00:42:50,269 Then a command to tell you, OK, you 1233 00:42:50,270 --> 00:42:51,709 need to add this to your message log. 1234 00:42:51,710 --> 00:42:53,719 Then there's a command to tell your, oh, 1235 00:42:53,720 --> 00:42:55,219 your your player character, 1236 00:42:55,220 --> 00:42:57,409 you need to add this guild name. There's 1237 00:42:57,410 --> 00:42:58,819 a command to tell you, oh, the user 1238 00:42:58,820 --> 00:43:00,829 interface needs you at this guild name. 1239 00:43:00,830 --> 00:43:02,509 There's a package that gets sent. 1240 00:43:02,510 --> 00:43:04,789 It says, oh, this guild, by 1241 00:43:04,790 --> 00:43:06,829 the way, has these and these members, and it 1242 00:43:06,830 --> 00:43:08,089 goes on and on. 1243 00:43:08,090 --> 00:43:09,859 And that's the nice thing about having a 1244 00:43:09,860 --> 00:43:11,929 server.
You can just do it step by 1245 00:43:11,930 --> 00:43:13,819 step and see what happens when you send 1246 00:43:13,820 --> 00:43:16,009 it, because I don't know about you, 1247 00:43:16,010 --> 00:43:18,199 but if I get like forty, 1248 00:43:18,200 --> 00:43:20,359 forty packets, maybe 20 of 1249 00:43:20,360 --> 00:43:22,159 which are relevant, I don't know. 1250 00:43:22,160 --> 00:43:24,439 And if I can just send them myself using 1251 00:43:24,440 --> 00:43:26,689 the scripting stuff, it's much easier 1252 00:43:26,690 --> 00:43:28,819 to figure out, because there are over 1253 00:43:28,820 --> 00:43:29,899 200 packets. 1254 00:43:29,900 --> 00:43:32,149 I know about one out of 50 1255 00:43:32,150 --> 00:43:34,309 of them. As I said, this is object based: 1256 00:43:34,310 --> 00:43:35,809 everything that's not static is an 1257 00:43:35,810 --> 00:43:37,909 object. So things like doors that can 1258 00:43:37,910 --> 00:43:40,009 be removed, that object, things you can 1259 00:43:40,010 --> 00:43:42,619 go to, objects and pieces, 1260 00:43:42,620 --> 00:43:45,319 bullshits, that sort of stuff, objects, 1261 00:43:45,320 --> 00:43:47,689 player characters have appearances. 1262 00:43:47,690 --> 00:43:49,339 And that's just a physical appearance. 1263 00:43:49,340 --> 00:43:51,919 And you you have separate commands 1264 00:43:51,920 --> 00:43:54,529 over how the character looks and positioning, 1265 00:43:54,530 --> 00:43:56,959 fighting. Everything has a command. 1266 00:43:56,960 --> 00:43:59,089 If you just look at the monster and 1267 00:43:59,090 --> 00:44:01,499 it looks back, it has a command. 1268 00:44:01,500 --> 00:44:03,769 If it changes stance, I'm a hostile, 1269 00:44:03,770 --> 00:44:04,819 I'm going to kick you, 1270 00:44:04,820 --> 00:44:05,989 it has a command. 1271 00:44:05,990 --> 00:44:08,089 It's if 1272 00:44:08,090 --> 00:44:10,159 it's going to hit you, it has a 1273 00:44:10,160 --> 00:44:12,319 command.
If the hit misses, it has 1274 00:44:12,320 --> 00:44:13,209 a command. 1275 00:44:13,210 --> 00:44:14,389 It's really a lot. 1276 00:44:15,410 --> 00:44:17,989 So what I learned was this 400 1277 00:44:17,990 --> 00:44:20,179 kilobyte character info packet 1278 00:44:20,180 --> 00:44:21,619 influences the UI. 1279 00:44:21,620 --> 00:44:23,329 And that's really cool because what you 1280 00:44:23,330 --> 00:44:25,549 can do is you can just put 1281 00:44:25,550 --> 00:44:27,979 in that, OK, we have we 1282 00:44:27,980 --> 00:44:30,109 have a bunch of data, right. 1283 00:44:30,110 --> 00:44:31,369 But then it's on the market about the 1284 00:44:31,370 --> 00:44:33,199 data. The game relates to objects to 1285 00:44:33,200 --> 00:44:35,389 play. You can move has nothing to do with 1286 00:44:35,390 --> 00:44:36,379 it. 1287 00:44:36,380 --> 00:44:38,479 And the question is how the client 1288 00:44:38,480 --> 00:44:40,009 knows which quests are pending. 1289 00:44:40,010 --> 00:44:42,139 So if you look in four hundred kilobytes, 1290 00:44:42,140 --> 00:44:44,159 it just has a lot of bits, because 1291 00:44:44,160 --> 00:44:46,309 every one of the bits, what it does 1292 00:44:46,310 --> 00:44:48,779 is it will just tell the client, OK, 1293 00:44:48,780 --> 00:44:51,229 this quest, you can, it's not 1294 00:44:51,230 --> 00:44:53,389 it's not done yet, and this quest is done. 1295 00:44:53,390 --> 00:44:55,279 Done. And the client figures out what 1296 00:44:55,280 --> 00:44:57,869 it needs to show. So, really interesting: 1297 00:44:57,870 --> 00:44:59,899 security really sucks in this game. 1298 00:44:59,900 --> 00:45:01,979 If you make a mistake and send 1299 00:45:01,980 --> 00:45:04,519 them a byte too much, it crashes. 1300 00:45:04,520 --> 00:45:05,959 That's bad, right?
1301 00:45:05,960 --> 00:45:08,119 If you if you mess up this character 1302 00:45:08,120 --> 00:45:10,549 info packets is you get 1303 00:45:10,550 --> 00:45:13,519 an exception on the stack. 1304 00:45:13,520 --> 00:45:15,749 Now, it's really cool because 1305 00:45:15,750 --> 00:45:17,689 we can we can execute code for this if we 1306 00:45:17,690 --> 00:45:19,189 can influence the server. 1307 00:45:19,190 --> 00:45:21,469 And I expect a server 1308 00:45:21,470 --> 00:45:22,789 isn't really much better. 1309 00:45:22,790 --> 00:45:24,949 But I didn't try it 1310 00:45:24,950 --> 00:45:27,049 because well, there's 1311 00:45:27,050 --> 00:45:28,999 also some information regarding it that 1312 00:45:29,000 --> 00:45:30,349 it tells you you'll make it worse. 1313 00:45:30,350 --> 00:45:32,509 It tells you your operating system, 1314 00:45:32,510 --> 00:45:33,859 stuff like that. 1315 00:45:33,860 --> 00:45:36,049 I don't know. I've maybe if he wanted to 1316 00:45:36,050 --> 00:45:38,149 have an idea of the of 1317 00:45:38,150 --> 00:45:40,129 what you or what your clients are, but I 1318 00:45:40,130 --> 00:45:41,130 can spoof them as. 1319 00:45:43,180 --> 00:45:45,489 So I was like, not a lot, 1320 00:45:45,490 --> 00:45:47,349 because I want to release this stuff, but 1321 00:45:47,350 --> 00:45:48,549 I sought legal help. 1322 00:45:48,550 --> 00:45:50,379 And the reason I did this is because I 1323 00:45:50,380 --> 00:45:52,809 don't like getting sued for 1324 00:45:52,810 --> 00:45:54,969 some guy who was who had a talk 1325 00:45:54,970 --> 00:45:57,249 or some sign on his suit for two billion 1326 00:45:57,250 --> 00:45:59,799 dollars. I don't want to give a talk 1327 00:45:59,800 --> 00:46:02,049 about being sued for two million years. 1328 00:46:02,050 --> 00:46:03,399 So I was like, I'm going to talk to a 1329 00:46:03,400 --> 00:46:05,949 lawyer. Most of them say, don't go to 1330 00:46:05,950 --> 00:46:07,149 my stupid. 
1331 00:46:07,150 --> 00:46:08,349 That's boring. 1332 00:46:08,350 --> 00:46:10,419 So I met on a lot of hits and he was 1333 00:46:10,420 --> 00:46:12,549 really helpful because what he told 1334 00:46:12,550 --> 00:46:14,919 me was after a few months, 1335 00:46:14,920 --> 00:46:16,989 because he's one of the few person I know 1336 00:46:16,990 --> 00:46:18,999 who is also an engineer, sort of engineer 1337 00:46:19,000 --> 00:46:20,649 and he's also a lawyer. 1338 00:46:20,650 --> 00:46:21,729 Crazy combination. 1339 00:46:21,730 --> 00:46:24,069 But hey, all the benefits. 1340 00:46:24,070 --> 00:46:26,169 And he says, well, first you met 1341 00:46:26,170 --> 00:46:28,269 a really interesting as long 1342 00:46:28,270 --> 00:46:29,019 as you can. 1343 00:46:29,020 --> 00:46:31,359 Your goal should not be cheating 1344 00:46:31,360 --> 00:46:33,009 if you're going to cheating you. 1345 00:46:33,010 --> 00:46:34,479 Yeah. You you're acting illegally. 1346 00:46:34,480 --> 00:46:37,059 Right, because that's that's not good. 1347 00:46:37,060 --> 00:46:39,159 And if you do this in private, you 1348 00:46:39,160 --> 00:46:40,479 don't release anything. You can do 1349 00:46:40,480 --> 00:46:42,639 whatever you want, but your goal can 1350 00:46:42,640 --> 00:46:43,659 never be cheating. 1351 00:46:43,660 --> 00:46:45,189 So I want to express my goal. 1352 00:46:45,190 --> 00:46:46,190 Never was cheating. 1353 00:46:55,520 --> 00:46:58,039 So as he continued, he said, OK, 1354 00:46:58,040 --> 00:47:00,149 well, you shouldn't do 1355 00:47:00,150 --> 00:47:02,149 the shelf record, the other tools are OK 1356 00:47:02,150 --> 00:47:04,389 for nice fair points 1357 00:47:04,390 --> 00:47:06,889 if interesting, but to serve 1358 00:47:06,890 --> 00:47:08,989 well vacancy see this competition, 1359 00:47:08,990 --> 00:47:10,099 you know, and I was like, why? 1360 00:47:10,100 --> 00:47:11,900 It doesn't crush as often but. 
1361 00:47:14,400 --> 00:47:16,289 Just the suggestion was, don't do it, 1362 00:47:16,290 --> 00:47:17,759 really, do not release it. 1363 00:47:17,760 --> 00:47:19,949 And I was like, I'm a bit ashamed of 1364 00:47:19,950 --> 00:47:22,019 what the code looks like and I do not 1365 00:47:22,020 --> 00:47:23,009 intend to release it. 1366 00:47:23,010 --> 00:47:24,899 And it's not because I don't love open 1367 00:47:24,900 --> 00:47:26,729 source and stuff, but I don't want to get 1368 00:47:26,730 --> 00:47:29,109 sued. And if anyone here has contacts 1369 00:47:29,110 --> 00:47:31,209 with 50 drifty, developer 1370 00:47:31,210 --> 00:47:33,329 or publisher of his game and say, OK, you 1371 00:47:33,330 --> 00:47:34,539 can do it, I will. 1372 00:47:34,540 --> 00:47:36,449 I will. And if they ever take the 1373 00:47:36,450 --> 00:47:38,519 official servers offline so 1374 00:47:38,520 --> 00:47:40,079 you can't play the game over immediately, 1375 00:47:40,080 --> 00:47:41,670 dump everything I have from GitHub. 1376 00:47:51,400 --> 00:47:53,589 So I wanted to thank you all the stuff 1377 00:47:53,590 --> 00:47:55,929 I've been talking about on my account, 1378 00:47:55,930 --> 00:47:57,669 and there's also a lot more stuff on 1379 00:47:57,670 --> 00:47:59,679 there because the items stuff is in a lot 1380 00:47:59,680 --> 00:48:01,029 of different repository. 1381 00:48:01,030 --> 00:48:02,739 But who knows? 1382 00:48:02,740 --> 00:48:04,629 But if you have any questions, now's the 1383 00:48:04,630 --> 00:48:06,699 time. And I also have email and stuff, 1384 00:48:06,700 --> 00:48:07,700 so. 1385 00:48:23,810 --> 00:48:25,909 Thank you for this very insightful talk. 1386 00:48:25,910 --> 00:48:28,199 We now have about 10 minutes for 1387 00:48:28,200 --> 00:48:29,599 a question and answer. 1388 00:48:29,600 --> 00:48:32,089 So if you want to ask a question, 1389 00:48:32,090 --> 00:48:33,979 proceed to this in our microphones. 
1390 00:48:33,980 --> 00:48:36,139 And yeah, we start right now. 1391 00:48:38,200 --> 00:48:40,489 Yeah, that microphone there. 1392 00:48:40,490 --> 00:48:42,529 Hi, thanks for the talk. 1393 00:48:42,530 --> 00:48:44,479 Did you ever accidentally send packets to 1394 00:48:44,480 --> 00:48:46,369 the server and see you react in strange 1395 00:48:46,370 --> 00:48:49,099 ways? Uh, yes, I did. 1396 00:48:49,100 --> 00:48:50,939 And that sorry. 1397 00:48:50,940 --> 00:48:53,239 Sorry. Uh, everybody who is now 1398 00:48:53,240 --> 00:48:55,279 leaving just be a little bit more quiet 1399 00:48:55,280 --> 00:48:56,959 so everybody can get the question and 1400 00:48:56,960 --> 00:48:57,960 answer. Thank you. 1401 00:48:59,390 --> 00:49:00,709 But yes, I did. 1402 00:49:00,710 --> 00:49:03,049 And one of the things I wanted to know 1403 00:49:03,050 --> 00:49:05,209 is if if it really matters, 1404 00:49:05,210 --> 00:49:07,279 if the client sends all the data, 1405 00:49:07,280 --> 00:49:09,349 it does and it turns out it 1406 00:49:09,350 --> 00:49:11,299 doesn't. The code I'm definitely not 1407 00:49:11,300 --> 00:49:13,429 going to release because you know what 1408 00:49:13,430 --> 00:49:14,510 you can do with it, right? 1409 00:49:17,940 --> 00:49:19,349 OK, is there a question on that 1410 00:49:19,350 --> 00:49:22,169 microphone or no question. 1411 00:49:22,170 --> 00:49:24,030 OK, then another one there. 1412 00:49:25,440 --> 00:49:26,669 I wanted to know how long you been 1413 00:49:26,670 --> 00:49:27,569 working on this, like. 1414 00:49:27,570 --> 00:49:28,679 Was it last week? 1415 00:49:28,680 --> 00:49:30,159 And a caffeine fueled nightmare. 
1416 00:49:30,160 --> 00:49:31,289 If you've been working on this for 1417 00:49:31,290 --> 00:49:33,389 several months now, this 1418 00:49:33,390 --> 00:49:35,549 project took two years, 1419 00:49:35,550 --> 00:49:37,899 but it was on and off because I 1420 00:49:37,900 --> 00:49:40,349 well, I did suffer from from 1421 00:49:40,350 --> 00:49:42,509 other interests like life and 1422 00:49:42,510 --> 00:49:43,349 stuff. 1423 00:49:43,350 --> 00:49:45,589 So it's it 1424 00:49:45,590 --> 00:49:47,070 was really ups and downs. 1425 00:49:48,330 --> 00:49:50,579 But all I can 1426 00:49:50,580 --> 00:49:52,859 say is that overall, I think if I could 1427 00:49:52,860 --> 00:49:54,600 do this full time, it was about 1428 00:49:55,620 --> 00:49:57,989 four to six months, I guess, because 1429 00:49:57,990 --> 00:50:00,329 if you once you get well, you 1430 00:50:00,330 --> 00:50:02,099 get into it, it really goes fast. 1431 00:50:03,950 --> 00:50:05,779 OK, there is a question from the 1432 00:50:05,780 --> 00:50:06,709 Internet. 1433 00:50:06,710 --> 00:50:08,539 Yeah, actually, there are two questions 1434 00:50:08,540 --> 00:50:09,619 right now. 1435 00:50:09,620 --> 00:50:11,809 The first one is if there 1436 00:50:11,810 --> 00:50:14,419 is any kind of end to end encryption 1437 00:50:14,420 --> 00:50:16,519 or authentication between the client 1438 00:50:16,520 --> 00:50:18,049 and the server. 1439 00:50:18,050 --> 00:50:18,949 Yes, sure. 1440 00:50:18,950 --> 00:50:20,479 And plus. 1441 00:50:20,480 --> 00:50:21,480 Yeah, OK. 1442 00:50:22,340 --> 00:50:25,009 And the second question is, if you could, 1443 00:50:25,010 --> 00:50:27,319 in theory, spawn items 1444 00:50:27,320 --> 00:50:29,489 on a real server, I knew that 1445 00:50:29,490 --> 00:50:30,490 the question was going, 1446 00:50:32,390 --> 00:50:34,459 yeah, well, what I want to say 1447 00:50:34,460 --> 00:50:35,899 about this is the following. 
1448 00:50:35,900 --> 00:50:38,239 I, I know about players 1449 00:50:38,240 --> 00:50:39,949 within the game who have managed to 1450 00:50:39,950 --> 00:50:41,689 duplicate items and stuff. 1451 00:50:41,690 --> 00:50:42,949 You can do that of. 1452 00:50:42,950 --> 00:50:44,599 You could I don't know if you still can 1453 00:50:44,600 --> 00:50:46,159 because I don't play the game anymore. 1454 00:50:46,160 --> 00:50:48,079 And I have this idea if I don't want to 1455 00:50:48,080 --> 00:50:49,519 let me play the game anymore. 1456 00:50:49,520 --> 00:50:51,829 But you most of it 1457 00:50:51,830 --> 00:50:53,629 seem to be books on the server side, 1458 00:50:53,630 --> 00:50:55,999 because if the class is convinced he has 1459 00:50:56,000 --> 00:50:58,309 some item and surprise, 1460 00:50:58,310 --> 00:51:00,469 surprise, you can lie about that, then 1461 00:51:00,470 --> 00:51:02,569 I'm pretty I'm pretty sure it's not rock 1462 00:51:02,570 --> 00:51:03,829 solid. 1463 00:51:03,830 --> 00:51:05,689 I think you can do it. 1464 00:51:05,690 --> 00:51:07,759 But you just most people 1465 00:51:07,760 --> 00:51:09,889 find it out by just clicking an item 1466 00:51:09,890 --> 00:51:12,049 seven million times and you can scripting 1467 00:51:12,050 --> 00:51:13,369 the game in Lua. 1468 00:51:13,370 --> 00:51:15,229 And some people just make scripts to do 1469 00:51:15,230 --> 00:51:17,659 something 20 times in a row and a server 1470 00:51:17,660 --> 00:51:19,699 just gave up and said, OK, whatever. 1471 00:51:19,700 --> 00:51:20,700 So. 1472 00:51:21,980 --> 00:51:22,969 It has happened. 1473 00:51:22,970 --> 00:51:24,919 I don't know if it's fixed, but it has 1474 00:51:24,920 --> 00:51:25,920 happened. 1475 00:51:27,680 --> 00:51:29,329 And there more questions. 1476 00:51:29,330 --> 00:51:30,330 Yes, there, 1477 00:51:31,500 --> 00:51:32,500 hello. 
1478 00:51:33,230 --> 00:51:35,679 Did you try those things on other 1479 00:51:35,680 --> 00:51:37,759 animals or is this 1480 00:51:37,760 --> 00:51:40,279 a unique case to this broken piece 1481 00:51:40,280 --> 00:51:41,629 of software? 1482 00:51:41,630 --> 00:51:43,519 No, what you can do is you can do is 1483 00:51:43,520 --> 00:51:45,139 basically on any game you want. 1484 00:51:45,140 --> 00:51:47,209 You can also, for example, if you have 1485 00:51:47,210 --> 00:51:49,339 an observer, you could use 1486 00:51:49,340 --> 00:51:51,799 some like these techniques because it 1487 00:51:51,800 --> 00:51:53,809 basically boils down to understanding the 1488 00:51:53,810 --> 00:51:56,319 data. And that's why I try to 1489 00:51:56,320 --> 00:51:58,519 to talk more about the approach 1490 00:51:58,520 --> 00:52:00,109 I took than the actual game, because the 1491 00:52:00,110 --> 00:52:02,239 game is less interesting 1492 00:52:02,240 --> 00:52:04,189 than the approach. So but if you're 1493 00:52:04,190 --> 00:52:06,139 volunteering, I would really like to know 1494 00:52:06,140 --> 00:52:07,940 how the Old Republic works. 1495 00:52:12,300 --> 00:52:13,710 OK, any more questions? 1496 00:52:14,980 --> 00:52:16,819 Yeah, on that microphone. 1497 00:52:16,820 --> 00:52:18,639 OK, interesting talk. 1498 00:52:18,640 --> 00:52:19,549 Thanks. 1499 00:52:19,550 --> 00:52:21,669 Uh, actually, I'm a game 1500 00:52:21,670 --> 00:52:23,739 developer and at the moment 1501 00:52:23,740 --> 00:52:24,740 I'm. 1502 00:52:25,980 --> 00:52:28,199 Yes, I'm trying to I'm 1503 00:52:28,200 --> 00:52:30,269 not a massive multiplayer game, but 1504 00:52:30,270 --> 00:52:32,669 an online game, so you have any advice 1505 00:52:32,670 --> 00:52:34,799 for me to make you your 1506 00:52:34,800 --> 00:52:35,800 work harder? 
1507 00:52:39,090 --> 00:52:41,309 Yeah, well, one of the things I
1508 00:52:41,310 --> 00:52:43,529 think you should really consider is
1509 00:52:43,530 --> 00:52:45,959 people can and will do this given
1510 00:52:45,960 --> 00:52:47,709 first officially bored of the game, I
1511 00:52:47,710 --> 00:52:49,899 suppose. And one of the
1512 00:52:49,900 --> 00:52:51,959 and I think that what you should
1513 00:52:51,960 --> 00:52:52,949 do is you.
1514 00:52:52,950 --> 00:52:55,109 Yeah, if it were up to me, I would
1515 00:52:55,110 --> 00:52:56,999 just release the product and say, ha ha,
1516 00:52:57,000 --> 00:52:59,209 have fun. But do we do
1517 00:52:59,210 --> 00:53:01,259 it? And eventually you will figure it
1518 00:53:01,260 --> 00:53:03,089 out. Eventually you can learn how it
1519 00:53:03,090 --> 00:53:04,979 works and you should design with that in
1520 00:53:04,980 --> 00:53:07,439 mind. You should design one.
1521 00:53:07,440 --> 00:53:09,839 If some crazy person sends
1522 00:53:09,840 --> 00:53:12,209 complete 20 times,
1523 00:53:12,210 --> 00:53:13,769 maybe I should check for it.
1524 00:53:13,770 --> 00:53:15,719 You should you should never trust data
1525 00:53:15,720 --> 00:53:17,459 from the client, since you should always you
1526 00:53:17,460 --> 00:53:18,929 should always consider it as well.
1527 00:53:18,930 --> 00:53:20,579 Which can be influenced.
1528 00:53:20,580 --> 00:53:22,769 You should always you should also think
1529 00:53:22,770 --> 00:53:24,659 about the fact that maybe someone did
1530 00:53:24,660 --> 00:53:26,519 something evil and the client never got
1531 00:53:26,520 --> 00:53:28,739 all data you sent you on
1532 00:53:28,740 --> 00:53:31,199 instantly kick it off your network.
1533 00:53:31,200 --> 00:53:32,760 I think you should design for that.
1534 00:53:35,340 --> 00:53:36,929 There is another question from the
1535 00:53:36,930 --> 00:53:37,529 Internet.
1536 00:53:37,530 --> 00:53:39,719 Yes, the question is, if
1537 00:53:39,720 --> 00:53:41,639 you have ever had contact with the
1538 00:53:41,640 --> 00:53:43,709 developer I'm sorry,
1539 00:53:43,710 --> 00:53:45,719 could you repeat if you've had contact
1540 00:53:45,720 --> 00:53:47,309 with the developer of the game?
1541 00:53:47,310 --> 00:53:49,289 No. Know, I know you didn't I didn't ask.
1542 00:53:49,290 --> 00:53:51,419 I tried to contact some
1543 00:53:51,420 --> 00:53:53,909 guys of the virtual communities.
1544 00:53:53,910 --> 00:53:56,369 Right. And everything I said and
1545 00:53:56,370 --> 00:53:58,769 I had this idea were connected somehow
1546 00:53:58,770 --> 00:54:01,319 because both being in German and stuff.
1547 00:54:01,320 --> 00:54:03,419 But the problem was I never could
1548 00:54:03,420 --> 00:54:05,519 find anything. And I do not know how
1549 00:54:05,520 --> 00:54:07,739 to contact the publisher because
1550 00:54:07,740 --> 00:54:09,689 it's really a large company based in
1551 00:54:09,690 --> 00:54:11,879 Berlin, really happy to Congress, isn't
1552 00:54:11,880 --> 00:54:14,249 there? And the
1553 00:54:14,250 --> 00:54:16,409 and well, I don't know where
1554 00:54:16,410 --> 00:54:18,659 to begin. So I was hoping maybe
1555 00:54:18,660 --> 00:54:20,789 someone here knows how I can get
1556 00:54:20,790 --> 00:54:21,839 in.
1557 00:54:21,840 --> 00:54:23,579 I don't have any experience with this
1558 00:54:23,580 --> 00:54:24,580 stuff.
1559 00:54:25,700 --> 00:54:27,010 Any more questions?
1560 00:54:28,980 --> 00:54:29,980 Last chance,
1561 00:54:31,530 --> 00:54:33,779 OK, then, yeah, thank you again
1562 00:54:33,780 --> 00:54:35,729 for sharing your awesome work with
1563 00:54:35,730 --> 00:54:37,199 us. Really nice.
