# Cerberus Exploration

iRO Login: `128.241.92.36:6800`
Local: `192.168.1.70`

## Packet Reference

The following packet patterns have been observed while starting to fool around with the client against a server.

Every packet starts with a little-endian u16 packet ID; all multi-byte integers below are little-endian and every offset is counted from the start of that ID. Fixed-length packets have no length field; variable-length ones carry their total length (ID included) as a u16 at offset 2. The one exception to "starts with an ID" is the bare account ID the character server sends after 0x0065, documented below.

Notation for the flow of some of these packets, which may look like `U->L` to denote "User to Login server", uses the following symbols:

- `U` - User, the player's client
- `L` - Login server
- `C` - Character server
- `M` - Map server

TODO: Implement a visual structure like http://blockdiag.com/en/nwdiag/packetdiag-examples.html

### Login Server Flow

- 0x0064 - U->L - Client sends username and password
- 0x0a4d - L->U - Login accepted: session values plus the character server list
- 0x0ae0 - L->U - Login refused (bad credentials)
- 0x0081 - L->U - Disconnect notice (e.g. a session is already open)

### Character Server Flow

- SUPPORTED - 0x0065 - U->C - Client says hello with the session values from the login server
- SUPPORTED - (no packet ID) - C->U - Character server responds with a bare 4-byte account ID
- 0x082d - C->U - Character server reports character slot counts
- 0x09a1 - U->C - Client asks for a page of the character list; the packet is just the 2-byte ID
- 0x0b72 - C->U - Character server sends the details of up to 3 characters per page
- 0x09a1 - U->C - Client sends 11 more 0x09a1 requests back to back (11 separate 2-byte packets coalesced in one TCP read), one per remaining page
- SUPPORTED - 0x0187 - U->C - Ping with account ID
- SUPPORTED - 0x0187 - C->U - Ping response with account ID (same content as received)
- 0x0066 - U->C - Login with the selected character
- 0x0071 - C->U - Forward to map server

### 0x0064 - U->L - Login, Authenticate

This is the first packet sent from the client once launched, providing the username/password credentials. In the capture below both travel in clear text (`gn0me123` / `asdfasdf`); nothing in this packet is hashed.

TODO: Determine what the MD5 and other hashing schemes look like. The eAthena packet table lists separate login IDs for hashed passwords (0x01dd carries a 16-byte MD5 hash in place of the 24-byte password), so they are different packets rather than variants of 0x0064.

|Offset|Type|Notes|
|-|-|-|
|0|u16|Packet type, 0x0064|
|2|u32|UNKNOWN, example value `18` (0x12); probably a client or protocol version, since it is the first value provided in this entire conversation|
|6|[char; 24]|Username, null-terminated|
|30|[char; 24]|Password, null-terminated, clear text|
|54|u8|UNKNOWN, example value of `1`|

Total length: 55 bytes.

Note the bytes after the null terminators in the example (`17 01 00 00 0b 01 00 00 16 01 ...` after the username, `23 00 00 1c 01 ...` after the password): the client does not appear to zero its fixed-width fields, so whatever was in that memory goes on the wire. A server must stop at the first null and must not assume the rest of the field is clean.

Example Data:

```
0000 64 00 12 00 00 00 67 6e 30 6d 65 31 32 33 00 00 d.....gn0me123..
0010 00 00 17 01 00 00 0b 01 00 00 16 01 00 00 61 73 ..............as
0020 64 66 61 73 64 66 00 23 00 00 1c 01 00 00 1a 01 dfasdf.#........
0030 00 00 1a 01 00 00 01 .......
```

### 0x0081 - L->U - Disconnect notice

Sent when you log in while the server still has a session open for the account.

|Offset|Type|Notes|
|-|-|-|
|0|u16|0x0081|
|2|u8|Reason for disconnect, [check values here](https://github.com/gvanderest/cerberus/commit/a1543b6480c0690b661c9924498d08d5e3699a5e#diff-42cb6807ad74b3e201c5a7ca98b911c5fa08380e942be6e4ac5807f8377f87fcR96) until the project structure stabilizes|

Example Data:

```
0000 81 00 08 ...
```

### 0x0ae0 - L->U - Credentials Error

If you send an invalid username or password, the login server returns the following 30-byte packet.

|Offset|Type|Notes|
|-|-|-|
|0|u16|Packet type, 0x0ae0|
|2|[u8; 28]|UNKNOWN. Tentative reading of the capture: a u32 `54 14 00 00` at 2, a u32 `2b 00 00 00` at 6, then 20 bytes at 10 in which the ASCII `-`, `-`, space and `:` sit exactly where they would in a zeroed `YYYY-MM-DD HH:MM` string, which looks like an (empty) block-until date. Unverified|

Hex:

```
0000 e0 0a 54 14 00 00 2b 00 00 00 00 00 00 00 2d 00 ..T...+.......-.
0010 00 2d 00 00 20 00 00 3a 00 00 00 00 00 00 .-.. ..:......
```

### 0x0a4d - L->U - Successful login

Login succeeded. The packet carries the session values (account ID, Login ID1/ID2 and a 16-character token) followed by the list of character servers. Login ID1/ID2 are sent in clear text and are copied verbatim into 0x0065 when the client connects to a character server, so on the wire they act as bearer values.

TODO: At this point, the user has authenticated, and they should probably have their session logged somewhere to be allowed to use the character servers.
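The decoder and encoder below are an added example (not code from this page or from the Cerberus project) for the 0x0064 layout above. `parse_login` splits each 24-byte field at its first null and reports whether the bytes after the terminator are zero, which is how the stale padding in the capture shows up; `build_login` produces a clean packet because `struct`'s `24s` pads with nulls. The captured bytes are the ones from the dump above; the field names are this example's own.

```python
"""Parse and build the 0x0064 login packet; flag stale bytes after the terminators."""
import struct

LOGIN_ID = 0x0064
LOGIN_FMT = "<HI24s24sB"                 # id, version?, username, password, trailing byte
LOGIN_LEN = struct.calcsize(LOGIN_FMT)   # 55

# The 55-byte 0x0064 from the capture on this page (gn0me123 / asdfasdf).
CAPTURED_LOGIN = bytes.fromhex(
    "640012000000676e306d653132330000"
    "0000170100000b010000160100006173"
    "646661736466002300001c0100001a01"
    "00001a01000001"
)


def split_cstring(field: bytes) -> tuple[str, bytes]:
    """Return (text before the first NUL, everything after that NUL).

    The second part should be all zeros if the sender zeroed its buffer."""
    end = field.find(b"\x00")
    if end < 0:
        raise ValueError("fixed-width string is not null-terminated")
    return field[:end].decode("latin-1"), field[end + 1:]


def parse_login(packet: bytes) -> dict:
    """Decode a 0x0064; anything that is not exactly 55 bytes is rejected."""
    if len(packet) != LOGIN_LEN:
        raise ValueError(f"expected {LOGIN_LEN} bytes, got {len(packet)}")
    pid, version, user_field, pass_field, trailer = struct.unpack(LOGIN_FMT, packet)
    if pid != LOGIN_ID:
        raise ValueError(f"not a 0x0064 packet: 0x{pid:04x}")
    username, user_tail = split_cstring(user_field)
    password, pass_tail = split_cstring(pass_field)
    stale = user_tail + pass_tail
    return {
        "version": version,
        "username": username,
        "password": password,
        "trailer": trailer,
        # Bytes after the terminators: anything non-zero here is memory the client leaked.
        "stale_bytes": stale,
        "padding_is_zero": not any(stale),
    }


def build_login(username: str, password: str, version: int = 18, trailer: int = 1) -> bytes:
    """Build a 0x0064 with zero-filled fields ("24s" pads with NULs)."""
    user, pwd = username.encode("latin-1"), password.encode("latin-1")
    if len(user) > 23 or len(pwd) > 23:
        raise ValueError("username and password must fit in 23 bytes plus NUL")
    return struct.pack(LOGIN_FMT, LOGIN_ID, version, user, pwd, trailer)


if __name__ == "__main__":
    info = parse_login(CAPTURED_LOGIN)
    print(info["username"], info["password"], info["version"], info["padding_is_zero"])
    print(build_login("gn0me123", "asdfasdf").hex())
```

Running it on the captured packet prints the clear-text credentials and `False` for `padding_is_zero`; the rebuilt packet is byte-identical in the first 16 bytes and all-zero after each terminator.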
|Offset|Type|Notes|
|-|-|-|
|0|u16|Packet type, 0x0a4d|
|2|u16|Packet length: 64-byte header plus 32 bytes per character server; `0xa0` = 160 here, i.e. three servers|
|4|u32|Login ID1, example: `ca ae 97 fa`|
|8|u32|Account ID, example: `1d bb 5d 00`|
|12|u32|Login ID2, example: `00 00 00 00`|
|16|[u8; 4]|Last login IP, unused, all zeroes|
|20|[u8; 26]|Last login time, unused, all zeroes|
|46|u8|Gender, 0 = male, 1 = female (but see the note on the 0x0b72 gender byte)|
|47|[u8; 16]|Some kind of session identifier or encryption key, example: `TPZMgc02COiARyrU`|
|63|u8|Null terminator of the previous field (the token field is 17 bytes)|
|64|...|Server list, one 32-byte entry per server (see next section)|

```
0000 4d 0a a0 00 ca ae 97 fa 1d bb 5d 00 00 00 00 00 M.........].....
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 ...............T
0030 50 5a 4d 67 63 30 32 43 4f 69 41 52 79 72 55 00 PZMgc02COiARyrU.
```

#### Character server list packets

Once authenticated, the server returns the list of character servers available for connecting to, packed into the same 0x0a4d packet after the 64-byte header. Each entry is 32 bytes, so the number of servers is `(packet length - 64) / 32`: the length field is authoritative and no "peeking" is needed. A remainder that is not zero means the packet is malformed and should be rejected rather than partially parsed.

The IP is sent as four raw octets (`80 f1 5c 2b` = 128.241.92.43) and the port as a little-endian u16. In this capture all three servers sit in the same /24 as the login server (128.241.92.43, .50 and .67), but that is a deployment choice, not a limitation of the format: the field carries a complete IPv4 address, so a character server can be hosted anywhere routable.

|Offset|Type|Notes|
|-|-|-|
|0|[u8; 4]|IP of character server, one byte per octet|
|4|u16|Port of character server, example: `0x1194` (`4500` in decimal)|
|6|[char; 20]|Server name, null-terminated, like `Cerberus\0...`|
|26|u16|Population, example: `0x0615` (`1557` in decimal)|
|28|u32|UNKNOWN, all zeroes, could be status of realm being up/down or open/closed and other flags|

```
0000 80 f1 5c 2b 94 11 43 68 61 6f 73 00 00 00 00 00 ..\+..Chaos.....
0010 00 00 00 00 00 00 00 00 00 00 15 06 00 00 00 00 ................
0020 80 f1 5c 32 94 11 54 68 6f 72 00 00 00 00 00 00 ..\2..Thor......
0030 00 00 00 00 00 00 00 00 00 00 9b 00 00 00 00 00 ................
0040 80 f1 5c 43 94 11 46 72 65 79 61 00 00 00 00 00 ..\C..Freya.....
0050 00 00 00 00 00 00 00 00 00 00 2a 00 00 00 00 00 ..........*.....
```

### 0x0065 - U->C - Authentication to Character Server

After choosing a character server, this is the first packet the client sends on the new connection. Account ID, Login ID1 and Login ID2 are copied verbatim from 0x0a4d, so anyone who can read the login exchange can replay them here.

|Offset|Type|Notes|
|-|-|-|
|0|u16|Packet type, 0x0065|
|2|u32|Account ID|
|6|u32|Login ID1|
|10|u32|Login ID2|
|14|u16|UNKNOWN, all zeroes (rAthena's `CH_ENTER` calls this field the client type)|
|16|u8|Gender, 0 = male, 1 = female|

Total length: 17 bytes.

```
0000 65 00 1d bb 5d 00 ca ae 97 fa 00 00 00 00 00 00 e...]...........
0010 00 .
```

### 0xACCOUNT_ID - C->U - Response to Authentication to Character Server

After the server receives the 0x0065 packet, it replies with the bare 4-byte account ID and nothing else.

NOTE: This does not follow the structure of every other packet seen so far: there is no packet ID. A stream parser has to know it is at the start of a character-server connection and consume these 4 bytes before going back to ID-prefixed framing; otherwise the low 16 bits of the account ID (`1d bb` here) are read as a packet ID.

|Offset|Type|Notes|
|-|-|-|
|0|u32|account_id|

```
0000 1d bb 5d 00 ..].
```

### 0x082d - C->U - Character slot counts

|Offset|Type|Notes|
|-|-|-|
|0|u16|Packet type, 0x082d|
|2|u16|Packet length, `0x1d` = 29|
|4|[u8; 5]|Slot counts, `09 09 00 09 09`. If this follows rAthena's layout for 0x082d these are the normal, premium, billing, producible and valid slot counts|
|9|[u8; 20]|All zeroes|

The capture below holds 35 bytes, but the length field says 29. The trailing `a0 09 0c 00 00 00` is a separate 6-byte packet, 0x09a0, carrying the u32 value 12. That matches the 1 + 11 = 12 0x09a1 requests the client sends afterwards, so 0x09a0 most likely tells the client how many character-list pages to request.

```
0000 2d 08 1d 00 09 09 00 09 09 00 00 00 00 00 00 00 -...............
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 09 0c ................
0020 00 00 00 ...
```

### 0x09a1 - U->C - Request a page of the character list

The packet is just the 2-byte ID. The client sent one immediately, and the server answered with a 0x0b72 page.

```
0000 a1 09 ..
```

### 0x0b72 - C->U - Character list page

Up to three characters per packet. Fields seen or suspected:

- zeny?
- equipment?
- job_id?
- deletion status.. maybe?
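As an added example (not code from this page or from the Cerberus project), the following decodes the 0x0a4d packet and its server list using the layout above, then builds the 0x0065 that the client sends to the chosen character server and checks the bare account-ID reply. The captured bytes are the 64-byte header and the three server entries from the dumps above; `client_type` for the unknown u16 at offset 14 of 0x0065 and the dataclass names are this example's own choices.

```python
"""Parse 0x0a4d (login accepted + character server list) and build the 0x0065 hello."""
import struct
from dataclasses import dataclass

ACCEPT_ID = 0x0a4d
ACCEPT_HDR_FMT = "<HHIII4s26sB17s"      # id, len, login_id1, account_id, login_id2, last ip, last login, sex, token
ACCEPT_HDR_LEN = struct.calcsize(ACCEPT_HDR_FMT)   # 64
SERVER_FMT = "<4sH20sHI"                # ip octets, port, name, population, unknown flags
SERVER_LEN = struct.calcsize(SERVER_FMT)           # 32
CH_ENTER_ID = 0x0065
CH_ENTER_FMT = "<HIIIHB"                # id, account_id, login_id1, login_id2, client type?, sex

# The 160-byte 0x0a4d from this page: 64-byte header, then three 32-byte server entries.
CAPTURED_ACCEPT = bytes.fromhex(
    "4d0aa000caae97fa1dbb5d0000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000000054"
    "505a4d67633032434f69415279725500"
    "80f15c2b94114368616f730000000000"
    "00000000000000000000150600000000"
    "80f15c32941154686f72000000000000"
    "000000000000000000009b0000000000"
    "80f15c43941146726579610000000000"
    "000000000000000000002a0000000000"
)


@dataclass
class CharServer:
    ip: str
    port: int
    name: str
    population: int
    flags: int


@dataclass
class LoginAccepted:
    login_id1: int
    account_id: int
    login_id2: int
    sex: int
    token: bytes
    servers: list


def parse_accept_login(packet: bytes) -> LoginAccepted:
    if len(packet) < ACCEPT_HDR_LEN:
        raise ValueError("0x0a4d shorter than its 64-byte header")
    pid, plen, id1, aid, id2, _last_ip, _last_login, sex, token = struct.unpack_from(ACCEPT_HDR_FMT, packet)
    if pid != ACCEPT_ID:
        raise ValueError(f"not a 0x0a4d packet: 0x{pid:04x}")
    # The length field must match what we hold and leave a whole number of 32-byte entries.
    if plen != len(packet) or (plen - ACCEPT_HDR_LEN) % SERVER_LEN:
        raise ValueError(f"bad length field {plen} for {len(packet)} bytes")
    servers = []
    for off in range(ACCEPT_HDR_LEN, plen, SERVER_LEN):
        ip, port, name, population, flags = struct.unpack_from(SERVER_FMT, packet, off)
        servers.append(CharServer(
            ip=".".join(str(octet) for octet in ip),      # four raw octets in wire order
            port=port,
            name=name.split(b"\x00", 1)[0].decode("latin-1"),
            population=population,
            flags=flags,
        ))
    return LoginAccepted(id1, aid, id2, sex, token.split(b"\x00", 1)[0], servers)


def build_char_enter(acc: LoginAccepted, client_type: int = 0) -> bytes:
    """0x0065: the client forwards the session values from 0x0a4d unchanged."""
    return struct.pack(CH_ENTER_FMT, CH_ENTER_ID, acc.account_id,
                       acc.login_id1, acc.login_id2, client_type, acc.sex)


def check_account_echo(reply: bytes, acc: LoginAccepted) -> bool:
    """The character server answers 0x0065 with the bare 4-byte account ID (no packet ID)."""
    return len(reply) >= 4 and struct.unpack_from("<I", reply)[0] == acc.account_id


if __name__ == "__main__":
    acc = parse_accept_login(CAPTURED_ACCEPT)
    for s in acc.servers:
        print(f"{s.name:8} {s.ip}:{s.port} population={s.population}")
    print(build_char_enter(acc).hex())
```

With the captured packet this lists Chaos, Thor and Freya at 128.241.92.43/.50/.67 port 4500, and the 0x0065 it builds is byte-for-byte the one in the 0x0065 dump below.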
- From OpenKore: https://github.com/OpenKore/openkore/blob/master/src/Poseidon/RagnarokServer.pm
  - cID, exp, zeny, jobExp, jobLevel, opt1, opt2, option, stance, manner, statpt, hp, maxHp, sp, maxSp, walkspeed, jobId, hairstyle, weapon, level, skillpt, headLow, shield, headTop, headMid, hairPallete, hairColor, clothesColor, name, str, agi, vit, int, dex, luk, slot, rename, robe, slotAddon, renameAddon

Each character entry is 175 bytes, so a page is `4 + 175 * n` bytes: `0x0211` = 529 for the three-character list below, `0x0162` = 354 for two, `0xb3` = 179 for one. A parser should reject any packet whose length does not satisfy that. Offsets below are from the start of the packet (subtract 4 for the offset within an entry). Field names follow the OpenKore order above; experience, HP and SP are 64-bit here, which is what pushes the later fields past the OpenKore positions, and a `body` u16 sits between hair style and weapon as in rAthena's character server.

|Offset|Type|Notes|
|-|-|-|
|0|u16|`0x0b72`|
|2|u16|Packet length|
|4|...|.. Start of character info ..|
|4|u32|character_id|
|8|u64|Base experience, `0xc4` = 196 for wr4ck|
|16|u32|Zeny, zero for every captured character|
|20|u64|Job experience, `0x1b` for wr4ck, `0x88` for gh0st, `0x00` for gn1me|
|28|u32|Job level, `0x04` for wr4ck, `0x06` for gh0st, `0x01` for gn1me|
|32|u32|opt1, UNKNOWN, zero|
|36|u32|opt2, UNKNOWN, zero|
|40|u32|option, UNKNOWN, zero|
|44|u32|stance, UNKNOWN, zero|
|48|u32|manner, UNKNOWN, zero|
|52|u16|Stat points, `0x02` for wr4ck, `0x04` for gh0st123, `0x30` for gn1me123, `0x01` for Evilynn|
|54|u64|Current HP (the u32 at 58 is the high half)|
|62|u64|Max HP|
|70|u64|Current SP|
|78|u64|Max SP|
|86|u16|Walk speed, `0x96` = 150 for every character|
|88|u16|Job ID, 0 for every captured character (Novice)|
|90|u16|Hair style, `0x11` for wr4ck and gh0st123, `0x16` for gn1me123|
|92|u16|Body style (rAthena's `body`), zero|
|94|u16|Weapon view, zero|
|96|u16|Base level|
|98|u16|Skill points|
|100|u16|Head low view|
|102|u16|Shield view|
|104|u16|Head top view|
|106|u16|Head mid view, `0x02` for gh0st123, `0x01` for wr4ck, `0x01` for gn1me123 (the earlier guess of "base level" is ruled out by the level field at 96)|
|108|u16|Hair color palette, see below|
|110|u16|Clothes color|
|112|[char;24]|Character name, null-terminated, ex: `gn0me123\0`|
|136|[u8;6]|Stats: STR/AGI/VIT/INT/DEX/LUK|
|142|u16|Slot number, 0-based: 0 for gn0me123, 1 for gn0me555, 5 for wr4ck, 8 for Evilynn1234, which matches the 5-per-row grid in the client|
|144|u16|Rename flag/count|
|146|[char;16]|Map filename, null-terminated, ex: `iz_int.gat\0`|
|162|u32|Deletion date, 0 when the character is not marked for deletion|
|166|u32|Robe view (`robe` in the OpenKore order)|
|170|u32|Slot change count (`slotAddon`)|
|174|u32|Rename count (`renameAddon`)|
|178|u8|Gender, 0x00 = female, 0x01 = male? This is the opposite of the 0 = male reading used for 0x0a4d and 0x0065 above; one of the two is wrong, and the captures (0x00 in 0x0a4d, 0x01 in 0x0a39 and in every 0x0b72 entry for the same account) do not settle it|
|179|..|.. Next character, up to 3 total per packet ..|

Hair color palettes:

- 0x00 None
- 0x01 Blonde/Yellow
- 0x02 Purple
- 0x03 Light Brown
- 0x04 Green
- 0x05 Blue
- 0x06 White
- 0x07 Dark Brown
- 0x08 Red

Current List (three characters, length `0x0211` = 529):

```
0000 72 0b 11 02 4a e1 57 02 00 00 00 00 00 00 00 00 r...J.W.........
0010 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 30 00 28 00 00 00 00 00 00 00 28 00 ....0.(.......(.
0040 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 0b 00 ................
0050 00 00 00 00 00 00 96 00 00 00 11 00 00 00 00 00 ................
0060 01 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 ................
0070 67 6e 30 6d 65 31 32 33 00 00 00 00 00 00 00 00 gn0me123........
0080 00 00 00 00 00 00 00 00 01 01 01 01 01 01 00 00 ................
0090 00 00 69 7a 5f 69 6e 74 2e 67 61 74 00 00 00 00 ..iz_int.gat....
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 01 9f e4 57 02 00 00 00 00 00 00 00 00 00 .....W..........
00c0 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 30 00 28 00 00 00 00 00 00 00 28 00 00 ...0.(.......(..
00f0 00 00 00 00 00 0a 00 00 00 00 00 00 00 0a 00 00 ................
0100 00 00 00 00 00 96 00 00 00 11 00 00 00 00 00 01 ................
0110 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 67 ...............g
0120 6e 30 6d 65 35 35 35 00 00 00 00 00 00 00 00 00 n0me555.........
0130 00 00 00 00 00 00 00 01 01 01 01 01 01 01 00 00 ................
0140 00 69 7a 5f 69 6e 74 2e 67 61 74 00 00 00 00 00 .iz_int.gat.....
0150 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 01 6c e8 57 02 00 00 00 00 00 00 00 00 00 00 ..l.W...........
0170 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 30 00 28 00 00 00 00 00 00 00 28 00 00 00 ..0.(.......(...
01a0 00 00 00 00 0a 00 00 00 00 00 00 00 0a 00 00 00 ................
01b0 00 00 00 00 96 00 00 00 14 00 00 00 00 00 01 00 ................
01c0 00 00 00 00 00 00 00 00 00 00 07 00 00 00 45 76 ..............Ev
01d0 69 6c 79 6e 6e 31 32 33 34 00 00 00 00 00 00 00 ilynn1234.......
01e0 00 00 00 00 00 00 01 01 01 01 01 01 08 00 00 00 ................
01f0 69 7a 5f 69 6e 74 2e 67 61 74 00 00 00 00 00 00 iz_int.gat......
0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0210 00 .
```

After one of the follow-up 0x09a1 requests the server returned this single-character page for wr4ck (length `0xb3` = 179 = 4 + 175). Pages hold three characters each; that is unrelated to the 5-per-row layout of the client's slot grid.

- wr4ck has ..
  - 196 exp.. 0xc4
  - job level 4
  - str 1
  - agi 3
  - vit 7
  - int 2
  - dex 11
  - luk 5

```
0000 72 0b b3 00 6d e8 57 02 c4 00 00 00 00 00 00 00 r...m.W.........
0010 00 00 00 00 1b 00 00 00 00 00 00 00 04 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 02 00 2a 00 00 00 00 00 00 00 2a 00 ......*.......*.
0040 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 0b 00 ................
0050 00 00 00 00 00 00 96 00 00 00 11 00 00 00 00 00 ................
0060 01 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 ................
0070 77 72 34 63 6b 00 00 00 00 00 00 00 00 00 00 00 wr4ck...........
0080 00 00 00 00 00 00 00 00 01 03 07 02 0b 05 05 00 ................
0090 00 00 70 72 74 5f 66 69 6c 64 30 38 61 2e 67 61 ..prt_fild08a.ga
00a0 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t...............
00b0 00 00 01 ...
```

Previous List (two characters, length `0x0162` = 354):

```
0000 72 0b 62 01 4a e1 57 02 00 00 00 00 00 00 00 00 r.b.J.W.........
0010 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 30 00 28 00 00 00 00 00 00 00 28 00 ....0.(.......(.
0040 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 0b 00 ................
0050 00 00 00 00 00 00 96 00 00 00 11 00 00 00 00 00 ................
0060 01 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 ................
0070 67 6e 30 6d 65 31 32 33 00 00 00 00 00 00 00 00 gn0me123........
0080 00 00 00 00 00 00 00 00 01 01 01 01 01 01 00 00 ................
0090 00 00 69 7a 5f 69 6e 74 2e 67 61 74 00 00 00 00 ..iz_int.gat....
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 01 9f e4 57 02 00 00 00 00 00 00 00 00 00 .....W..........
00c0 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 30 00 28 00 00 00 00 00 00 00 28 00 00 ...0.(.......(..
00f0 00 00 00 00 00 0a 00 00 00 00 00 00 00 0a 00 00 ................
0100 00 00 00 00 00 96 00 00 00 11 00 00 00 00 00 01 ................
0110 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 67 ...............g
0120 6e 30 6d 65 35 35 35 00 00 00 00 00 00 00 00 00 n0me555.........
0130 00 00 00 00 00 00 00 01 01 01 01 01 01 01 00 00 ................
0140 00 69 7a 5f 69 6e 74 2e 67 61 74 00 00 00 00 00 .iz_int.gat.....
0150 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 01 ..
```

### 0x09a1 (repeated) - U->C - Request the remaining pages

The bytes `a1 09` are the little-endian ID 0x09a1, the same request as above; eleven of them arrive back to back in one TCP read (22 bytes, no payload), so they must be framed as eleven separate 2-byte packets. With the first request that makes 12, matching the u32 value 12 in the 6-byte `a0 09 0c 00 00 00` (0x09a0) that trails the 0x082d capture, so the list is paginated and 0x09a0 is the page count. At three characters per page that is room for 36 slots; the client shows a 30-slot grid with the characters in these positions (matching the 0-based slot numbers 0, 1, 5 and 8 in 0x0b72):

|1|2|3|4|5|
|-|-|-|-|-|
|gn0me123|gn0me555||||
|wr4ck|||Evilynn1234|LOCK|
|Rest are locked..|||||

```
0000 a1 09 a1 09 a1 09 a1 09 a1 09 a1 09 a1 09 a1 09 ................
0010 a1 09 a1 09 a1 09 ......
```

### 0x0071 - C->U - Handoff to Map Server

This packet forwards the user to the map server with the character ID, the map to load and the map server's IP and port.
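The parser below is an added example (not code from this page or from the Cerberus project) for one 0x0b72 page, using the 175-byte entry layout in the table above. The length field is checked against the bytes actually received and against a whole number of entries before anything is unpacked. Field names follow the OpenKore order quoted above with `body`, `map` and `delete_date` filled in from rAthena's layout; the captured packet is the single-character wr4ck page from the dump above, and the test values are the ones the page lists for wr4ck (196 base exp, job level 4, stats 1/3/7/2/11/5).

```python
"""Parse a 0x0b72 character-list page (up to three 175-byte entries per packet)."""
import struct

CHARLIST_ID = 0x0b72
CHAR_FIELDS = (
    "char_id", "base_exp", "zeny", "job_exp", "job_level",
    "opt1", "opt2", "option", "stance", "manner", "stat_points",
    "hp", "max_hp", "sp", "max_sp",
    "walk_speed", "job_id", "hair_style", "body", "weapon", "base_level", "skill_points",
    "head_low", "shield", "head_top", "head_mid", "hair_color", "clothes_color",
    "name", "str", "agi", "vit", "int", "dex", "luk", "slot", "rename",
    "map", "delete_date", "robe", "slot_change", "rename_addon", "sex",
)
# One entry: u32 id, u64 exp, u32 zeny, u64 job exp, u32 job level, 5 x u32 status words,
# u16 stat points, 4 x u64 hp/sp, 13 x u16 view/level fields, 24-byte name, 6 stats,
# u16 slot, u16 rename, 16-byte map, 4 x u32 (delete date, robe, slot/rename counters), u8 sex.
CHAR_FMT = "<IQIQI" "IIIII" "H" "QQQQ" "HHHHHHH" "HHHHHH" "24s" "6B" "HH" "16s" "IIII" "B"
CHAR_LEN = struct.calcsize(CHAR_FMT)   # 175
assert CHAR_LEN == 175 and len(CHAR_FIELDS) == 43

# The 179-byte single-character page for wr4ck, copied from the dump on this page.
CAPTURED_WR4CK_PAGE = bytes.fromhex(
    "720bb3006de85702c400000000000000"
    "000000001b0000000000000004000000"
    "00000000000000000000000000000000"
    "0000000002002a000000000000002a00"
    "0000000000000b000000000000000b00"
    "00000000000096000000110000000000"
    "01000000000000000000000007000000"
    "777234636b0000000000000000000000"
    "0000000000000000010307020b050500"
    "00007072745f66696c643038612e6761"
    "74000000000000000000000000000000"
    "000001"
)


def cstring(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def parse_charlist_page(packet: bytes) -> list:
    """Return one dict per character; reject any packet whose length is not 4 + 175 * n."""
    if len(packet) < 4:
        raise ValueError("0x0b72 shorter than its header")
    pid, plen = struct.unpack_from("<HH", packet)
    if pid != CHARLIST_ID:
        raise ValueError(f"not a 0x0b72 packet: 0x{pid:04x}")
    if plen != len(packet) or (plen - 4) % CHAR_LEN:
        raise ValueError(f"bad length field {plen} for {len(packet)} bytes")
    chars = []
    for off in range(4, plen, CHAR_LEN):
        entry = dict(zip(CHAR_FIELDS, struct.unpack_from(CHAR_FMT, packet, off)))
        entry["name"] = cstring(entry["name"])
        entry["map"] = cstring(entry["map"])
        chars.append(entry)
    return chars


if __name__ == "__main__":
    for c in parse_charlist_page(CAPTURED_WR4CK_PAGE):
        print(f"slot {c['slot']}: {c['name']} lv {c['base_level']}/{c['job_level']} "
              f"hp {c['hp']}/{c['max_hp']} on {c['map']} "
              f"str/agi/vit/int/dex/luk {c['str']}/{c['agi']}/{c['vit']}/{c['int']}/{c['dex']}/{c['luk']}")
```

Because the struct format is little-endian with no alignment padding, the offsets it produces are exactly the packet offsets in the table; `struct.calcsize` being 175 is the cheapest check that the table and the format agree.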
|Offset|Type|Notes|
|-|-|-|
|0|u16|`0x0071`|
|2|u32|character_id|
|6|[char;16]|Mapfile name, example: `iz_int.gat\0`|
|22|[u8;4]|Map server IP, four raw octets; `80 f1 5c 2a` = 128.241.92.42|
|26|u16|Map server port; `95 11` = 0x1195 = 4501|

Total length: 28 bytes.

```
0000 71 00 4a e1 57 02 69 7a 5f 69 6e 74 2e 67 61 74 q.J.W.iz_int.gat
0010 00 00 00 00 00 00 80 f1 5c 2a 95 11 ........\*..
```

### 0x0187 - U->C or C->U - Ping

I'm not sure what triggers sending these, but once the server received them it would immediately reply with the same content, so they behave as a keepalive.

|Offset|Type|Notes|
|-|-|-|
|0|u16|`0x0187`|
|2|u32|account_id|

Total length: 6 bytes.

```
0000 87 01 1d bb 5d 00 ....].
```

### 0x0a39 - U->C - Create a new character

Tentative layout reconstructed from the single capture (36 bytes) and cross-checked against the 0x0b72 entry for gn0me555 and rAthena's `CH_MAKE_CHAR`:

|Offset|Type|Notes|
|-|-|-|
|0|u16|`0x0a39`|
|2|[char;24]|Character name, `gn0me555`|
|26|u8|Slot, `0x01` (gn0me555 is in slot 1 in 0x0b72)|
|27|u16|Hair color, `0x07` (matches gn0me555's hair color in 0x0b72)|
|29|u16|Hair style, `0x11` (matches)|
|31|u16|Starting job, `0`|
|33|u16|UNKNOWN, zero|
|35|u8|Gender, `0x01`|

```
0000 39 0a 67 6e 30 6d 65 35 35 35 00 00 00 00 00 00 9.gn0me555......
0010 00 00 00 00 00 00 00 00 00 00 01 07 00 11 00 00 ................
0020 00 00 00 01 ....
```

### 0x0827 - U->C - Request to delete a character?

The u32 after the ID is `9f e4 57 02`, the character_id of gn0me555 in the lists above. 6 bytes.

```
0000 27 08 9f e4 57 02 '...W.
```

### 0x0828 - C->U - Response to 0x0827

Something like "Successfully queued for deletion": the character_id is echoed, followed by a u32 `1` and a u32 `5`. In the eAthena/rAthena layout for 0x0828 (`<char id>.L <result>.L <delete date>.L`) the last value would be the deletion date or delay; unverified here. 14 bytes.

```
0000 28 08 9f e4 57 02 01 00 00 00 05 00 00 00 (...W.........
```

### 0x001c - U->M? - Using "say"

This looks encrypted and may involve coordinates. No ASCII from the spoken text survives in the payload, so the message is not in the clear; whether the payload is encrypted or this is only an obfuscated packet ID is undetermined.

```
0000 1c 00 6d 1e d1 13 4d 20 7b 27 c6 08 14 38 43 59 ..m...M {'...8CY
0010 4e 3b 60 99 d2 df b8 14 aa e2 01 00 N;`.........
```

### 0x008e - M->U - Someone said something near me!

|Offset|Type|Notes|
|-|-|-|
|0|u16|`0x008e`|
|2|u16|Packet size as a whole, including the ID, this field and the message|
|4|[u8; size - 4]|Message being said, format: `$name : $message`|

In the capture the size is `0x14` = 20, which is exactly `gn0me123 : Nice.` with no null terminator, so rely on the size field rather than on a terminator, and check that size against the bytes actually received (a size below 4 or beyond the buffer must be rejected). Split the name from the message at the first ` : `, since the message itself may contain that sequence.

```
0000 8e 00 14 00 67 6e 30 6d 65 31 32 33 20 3a 20 4e ....gn0me123 : N
0010 69 63 65 2e ice.
```

### Other packets

From the eAthena packet reference; not observed in these captures.

#### 0x0066 - U->C - Select character

`<character number>.B` - Request to login with the selected character.

- Character Number: the selected character's slot index.

#### 0x0067 - U->C - Create a character (older layout; the capture above used 0x0a39)

`<character name>.24B <param etc>.11B`

- Character Name: character name.
- Parameters: needs to be checked.

#### 0x0068 - U->C - Delete a character (older layout; the capture above used 0x0827)

`<character ID>.l <mail address>.40B`

- Character ID: the unique identifier for a character.
- Mail Address: the e-mail address used for verification.

#### 0x0072 - U->M - Request connection to map server

`<account ID>.l <character ID>.l <login ID1>.l <login ID2>.l <sex>.b`

- Account ID: unique account identifier.
- Character ID: unique character identifier.
- Login ID1 / Login ID2: session data, the same values handed out in 0x0a4d.
- Sex: account gender.

#### 0x007d - U->M - Finished loading map

#### 0x007e - U->M - Client tick

`<client tick>.l`

- Client Tick: length of time online in milliseconds?

## References

### Game In General

- https://ragnarokresearchlab.github.io/

### Client

- https://github.com/vthibault/roBrowser/
- https://github.com/gvanderest/rustarok

### Packet Structure

- https://github.com/Fimbulwinter/Fimbulwinter/blob/master/src/Common/packets.hpp
- http://ropd.wikidot.com/eathena-packets
- https://openkore.com/wiki/packets
- https://patch-diff.githubusercontent.com/raw/secretdataz/rathena/pull/6.diff
- https://github.com/rathena/rathena/blob/master/src/char/packets.hpp
- https://github.com/rathena/rathena/blob/master/src/common/packets.hpp

### File Formats

- https://github.com/gvanderest/RagnarokFileFormats
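The page's captures show the three framing problems a client or proxy for this protocol has to handle: packets glued together in one TCP read (0x082d immediately followed by 0x09a0, eleven 0x09a1 in one segment), packets split across reads, and the headerless 4-byte account ID at the start of a character-server connection. The framer below is an added example (not code from this page or from the Cerberus project) that uses the fixed sizes documented above plus the u16 length field of the variable-length packets, stops on an unknown ID instead of resyncing blindly, and rejects a length field below 4 (which would otherwise loop forever or walk backwards). It also decodes 0x008e with the length checks from that section. The 6-byte size and `u16 id, u32 count` layout for 0x09a0 are an assumption inferred from the bytes trailing the 0x082d capture; the sample streams are the page's own captured bytes plus a deliberately truncated ping.

```python
"""Frame a raw character-server byte stream into whole packets; decode 0x008e chat lines."""
import struct

# Total sizes (ID included) of the fixed-length packets documented on this page.
FIXED_LEN = {
    0x0064: 55, 0x0065: 17, 0x0066: 3, 0x0071: 28, 0x0081: 3, 0x0187: 6,
    0x09a1: 2, 0x0827: 6, 0x0828: 14, 0x0a39: 36,
    0x09a0: 6,   # assumption: inferred from the 6 bytes trailing the 0x082d capture
}
# Packets that carry their total length as a u16 at offset 2.
VARIABLE_LEN = {0x008e, 0x082d, 0x0a4d, 0x0b72}

# 0x082d (29 bytes) immediately followed by 0x09a0 (6 bytes), as captured on this page.
CAPTURED_SLOTS_AND_PAGECOUNT = bytes.fromhex(
    "2d081d00090900090900000000000000"
    "00000000000000000000000000a0090c"
    "000000"
)


class FramingError(Exception):
    """The stream does not match the documented layouts; stop rather than guess."""


def frame_packets(buf: bytes, leading_account_echo: bool = False):
    """Return (packets, leftover); packets is a list of (packet_id, raw_bytes).

    leading_account_echo is True for the first read on a character-server
    connection, whose first 4 bytes are the bare account ID with no packet ID;
    that chunk is returned with packet_id None. Incomplete trailing data comes
    back as leftover for the caller to prepend to the next read."""
    packets, pos = [], 0
    if leading_account_echo:
        if len(buf) < 4:
            return packets, buf
        packets.append((None, buf[:4]))
        pos = 4
    while len(buf) - pos >= 2:
        pid = struct.unpack_from("<H", buf, pos)[0]
        if pid in FIXED_LEN:
            plen = FIXED_LEN[pid]
        elif pid in VARIABLE_LEN:
            if len(buf) - pos < 4:
                break                      # need the length field before deciding
            plen = struct.unpack_from("<H", buf, pos + 2)[0]
            if plen < 4:
                raise FramingError(f"0x{pid:04x} declares impossible length {plen}")
        else:
            raise FramingError(f"unknown packet id 0x{pid:04x} at offset {pos}")
        if len(buf) - pos < plen:
            break                          # wait for the rest of this packet
        packets.append((pid, buf[pos:pos + plen]))
        pos += plen
    return packets, buf[pos:]


def page_count(packet: bytes) -> int:
    """0x09a0 (assumed layout: u16 id, u32 count): number of 0x09a1 page requests to send."""
    if len(packet) != 6:
        raise FramingError("0x09a0 is 6 bytes")
    pid, count = struct.unpack("<HI", packet)
    if pid != 0x09a0:
        raise FramingError(f"not a 0x09a0 packet: 0x{pid:04x}")
    return count


def parse_player_chat(packet: bytes) -> tuple:
    """0x008e: u16 id, u16 total length, then "name : message" (no terminator in the capture)."""
    if len(packet) < 4:
        raise FramingError("0x008e shorter than its header")
    pid, plen = struct.unpack_from("<HH", packet)
    if pid != 0x008e or plen != len(packet):
        raise FramingError(f"bad 0x008e header: id=0x{pid:04x} len={plen} have={len(packet)}")
    text = packet[4:plen].split(b"\x00", 1)[0].decode("latin-1")
    name, sep, message = text.partition(" : ")   # first separator: the message may contain " : "
    if not sep:
        raise FramingError("chat line without ' : ' separator")
    return name, message


if __name__ == "__main__":
    packets, rest = frame_packets(CAPTURED_SLOTS_AND_PAGECOUNT)
    print([hex(pid) for pid, _ in packets], "leftover:", rest)
    print("pages to request:", page_count(packets[1][1]))
    print(parse_player_chat(bytes.fromhex("8e001400") + b"gn0me123 : Nice."))
```

On the 0x082d capture this yields two packets and an empty leftover, with `page_count` returning 12, the same number of 0x09a1 requests the client actually sent.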