Moopler
ZoroL0ver2

Question: Structured Sniffing Logger

I was wondering exactly how you would get structured packet logs when you sniff. I've read you need to hook the client decode/encode functions to return the accurate data type so you know when types are 64, 32, 16, 8 or a string. Would you need the address for the encode/decode 1, 2, 4, 8, etc.? I'm trying to update MapleShark to return accurate packet structures.

Ex.

[1234] 00 0100 0200 00000 "lolxd" 00

From what I've found, Dami's Packet Editor and Terminal's PE are able to achieve this. If someone could shine some light on how exactly I would go about doing this, or share any useful information, that would be awesome.

Thanks.

10 answers to this question


I don't know the exact technical details, but I might be able to shed some light on this.

Packet Editors such as DPI, Terminal's PE and XPI intercept the data (packets) from within the process (MapleStory). This is usually done by intercepting function calls that handle packets and showing the packets in the UI of the packet editor. I am unsure how the Encode/Decode functions are being traced once a packet has been received, but it is possible to determine what function (Encode1, Encode2, EncodeBuffer, etc.) has been called or will be called next and format accordingly in the packet editor.

MapleShark does nothing with the MapleStory process, but instead intercepts traffic on the operating system level. This data is encrypted, but luckily for us MapleStory's encryption is incredibly weak and has been public for quite some time now. Seeing as MapleShark does not interfere with the MapleStory process, it cannot determine which data types are being used on the fly. However, you can use scripts to format packets, but you would have to know their structure in advance.


Structured logging isn't guaranteed to capture a full packet anymore if you rely on Encode* hooks, since Maple has started writing raw data directly to the packet buffer/object without using one of their Encode* functions (inlined, I guess?), and it has been like this for quite a while now.

If you're okay with that fact, or want to add a little check to your packet queue/hooks for packet size to make sure everything is correct, you can go right ahead and simply hook every Encode* function and log the packet like that. But I would suggest just grabbing the header when the packet is created (the easiest way to get the real header) and then the data once it is being sent, to get the full data.

This post is assuming more things haven't changed in the 6 months to a year I've been away from the maple scene.

Edited by Erotica


I've got a structured PE that works for the current version. Here are the hooks I use:

COutPacket_COutPacket
CClientSocket_SendPacket

CInPacket_Decode1
CInPacket_Decode2
CInPacket_Decode4
CInPacket_Decode8
CInPacket_DecodeStr
CInPacket_DecodeBuffer
CInPacket_Decode_double

COutPacket_Encode1
COutPacket_Encode2
COutPacket_Encode4
COutPacket_Encode8
COutPacket_EncodeStr
COutPacket_EncodeBuffer
COutPacket_Encode_double
And as @Erotica said, you'll still be missing data.

What I do is check the current offset in the packet when one of the encode/decode functions gets hit; if there's a gap in the data, I fill it with raw data as a buffer.

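To make the offset-tracking and gap-filling approach described above concrete, here is an added example (not code from this thread, MapleShark, or any of the packet editors named here). It takes the raw bytes of one packet plus the (offset, type) pairs that Decode*/Encode* hooks would report, rebuilds the structured log line, and turns any bytes no hook claimed into a raw buffer field; overlapping hook reports are flagged as an error. It assumes a 2-byte little-endian opcode header and a 2-byte length prefix on strings, and the packet bytes and hook events are constructed.

```python
import struct

FMTS = {"1": "<B", "2": "<H", "4": "<I", "8": "<Q", "double": "<d"}  # Decode1/2/4/8/_double

def decode_at(data, offset, kind, length=None):
    """Decode one field at offset; returns ((offset, kind, raw_bytes, value), next_offset)."""
    if kind in FMTS:
        end = offset + struct.calcsize(FMTS[kind])
    elif kind == "str":                        # assumed: 2-byte length prefix, then the bytes
        end = offset + 2 + struct.unpack_from("<H", data, offset)[0]
    elif kind == "buf":                        # length is what the *Buffer hook was called with
        end = offset + length
    else:
        raise ValueError(f"unknown field kind {kind!r}")
    if end > len(data):
        raise ValueError(f"{kind} at {offset} runs past the end of the {len(data)}-byte packet")
    raw = data[offset:end]
    value = (struct.unpack(FMTS[kind], raw)[0] if kind in FMTS
             else raw[2:].decode("latin-1") if kind == "str" else raw)
    return (offset, kind, raw, value), end

def structure(data, events, header_len=2):
    """events: (offset, kind[, length]) tuples reported by the hooks, in any order.
    Bytes that no hook claimed (written inline by the client) become 'raw' fields."""
    fields = [(0, "hdr", data[:header_len], data[:header_len].hex())]
    cursor = header_len
    for ev in sorted(events, key=lambda e: e[0]):
        off, kind = ev[0], ev[1]
        if off < cursor:                       # two hooks claimed the same bytes: hooks are wrong
            raise ValueError(f"hook at offset {off} overlaps field ending at {cursor}")
        if off > cursor:                       # gap: no Encode*/Decode* call covered these bytes
            fields.append((cursor, "raw", data[cursor:off], data[cursor:off]))
        field, cursor = decode_at(data, off, kind, ev[2] if len(ev) > 2 else None)
        fields.append(field)
    if cursor < len(data):                     # trailing inline data after the last hook
        fields.append((cursor, "raw", data[cursor:], data[cursor:]))
    return fields

def format_log(fields):
    """[opcode] followed by one hex group, or a quoted string, per field."""
    return " ".join(f"[{struct.unpack('<H', raw)[0]:04X}]" if kind == "hdr"
                    else f'"{value}"' if kind == "str" else raw.hex()
                    for _, kind, raw, value in fields)

# Constructed sample: opcode 1234, then 00 | 01 00 | 02 00 | 4 inline bytes | "lolxd" | 00.
SAMPLE = (struct.pack("<H", 1234) + b"\x00" + struct.pack("<H", 1) + struct.pack("<H", 2)
          + bytes(4) + struct.pack("<H", 5) + b"lolxd" + b"\x00")
# Offsets a Decode1/Decode2/DecodeStr hook would report; nothing fires for bytes 7..10.
SAMPLE_EVENTS = [(2, "1"), (3, "2"), (5, "2"), (11, "str"), (18, "1")]
LOG_LINE = format_log(structure(SAMPLE, SAMPLE_EVENTS))  # [04D2] 00 0100 0200 00000000 "lolxd" 00
```

The size check the post above mentions falls out of the same bookkeeping: once every hook has fired, the cursor must land exactly on the packet length, and anything left over is logged as raw rather than silently dropped.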

I made a packet editor in Qt and sold a few copies of the source to some people on another forum. Perhaps the source is now posted publicly and you could try looking for it. Or I could look on my HDD if I still have it.

18 hours ago, Crypt707 said:

Can you link me to the source please? :)

Or if it is still for sale, let me know the price too.

Aasdf is once again trying to steal credit for my stuff, but I haven't released the source for QtPacket yet.


Would anyone happen to still have Dami's PE source code? It was released, but the links are unfortunately broken.
Edited by ZoroL0ver2

On 28/03/2019 at 01:47, ZoroL0ver2 said:

Would anyone happen to still have Dami's PE source code? It was released, but the links are unfortunately broken.

Idk what you're on about, because AFAIK the source was never available.

Edited by souna
