Any action? Can I help?



jaws
02-07-2006, 01:52 PM
Hi there,

I messed around a bit with ShowEQ back in the day and downloaded the EQ2 packet sniffer code a few days ago. I've been messing with it, but it seems like it doesn't properly recognize the message types from the server like I'd expect.

Has there been a change in the message ids since the last post of source here?

I'm a software developer (C++), and I'd be interested in helping out on a SEQ2 project as well if this project is still underway?

Thanks.

Cryonic
02-07-2006, 08:07 PM
If there have been any patches since there was last an update here (quite some time ago) then odds are SOE has changed both the network code and the memory map code and so the sniffer can't recognize it.

jaws
02-08-2006, 08:36 AM
Yeah, it's weird. It sort of works - but it's like the packet opcodes have changed. I spent a little time trying to figure them out, but was looking for an easy way out with a source update :-).

Back to the drawing board, it looks like!!

Acid1789
02-08-2006, 03:20 PM
Right now the packets change pretty much every day. SoE has their heads up their asses and released yet another live update with 328492734923755234 bugs. This is only likely to get worse in the coming weeks with the release of KoS.


I have a working version of Everdump, I can try to post it later (if I remember).

zeppelin
04-18-2006, 05:00 AM
> Right now the packets change pretty much every day. SoE has their heads up their asses and released yet another live update with 328492734923755234 bugs. This is only likely to get worse in the coming weeks with the release of KoS.
>
> I have a working version of Everdump, I can try to post it later (if I remember).

Hi, is anyone out there? I have unsuccessfully tried to email Acid, and no one seems to be active here. I even tried to use the donate button he set up, but the email is dead. Is this a dead project? Did SOE finally do something that made it impractical to move ahead?

Thanks,
zep

jcsmith562
06-13-2006, 10:15 AM
I'd definitely be interested in checking out a working copy if you have one, as well.

zeppelin
06-13-2006, 01:44 PM
Don't hold your breath.... I tried everything I could think of to contact the developer, he disappeared with no response. Too bad too, but it looked like he was doing some cool stuff.

-z

petersy
11-24-2006, 02:53 PM
is it okay if I put up an animated avatar on my profile?

jbich
12-06-2006, 02:35 PM
I would be very interested in getting my hands on the source to the EQ2 sniffer or EverDump. Would anyone be willing to email me a copy? The FTP site seems to be denying access to download the files :(

I don't care if it's a "working" version or not...

Much appreciated!

j

Skandragon
12-07-2006, 11:41 PM
I too would like the source, especially a way to extract the RSA / RC4 key from the eq2 client, and the packet decoders which are known.

Carpathian
12-25-2006, 10:43 PM
Here is the sourcecode for EverDump.

Skandragon
01-10-2007, 01:38 PM
I've worked on everdump for eq2 recently. everdump expects a pointer to a static structure which contains a pointer to the key. However, it seems Sony got a little smarter and no longer stores this in memory, but destroys it as soon as the rc4 encryption substitution tables are initialized.

Oh well, it was fun thinking there might be a way to get the key still.

Additionally, everdump's code is... well, let's just say I think he learned how to program while writing the code. Sony also hired him, which is why he removed the source.

Carpathian
01-11-2007, 05:49 PM
If you dig around enough, it might be possible to just hook the function which generates the hash table to get the key, using the detours library.

Skandragon
01-14-2007, 01:15 AM
Getting the key is not really the problem. I'm past that, working on understanding the protocol now. It's strange how everdump processes it -- either it really is that strange, with lots of layer crossovers, or that's just how the author processed things.

I also took the code posted here and merged it into my working source. It was a bit more advanced than I had, and (for instance) doesn't core dump or massively corrupt the stack.

It does, however, lose sync at some point, and it still doesn't use the last two bytes of every packet, which I am assuming to be some sort of check value.

purple
01-14-2007, 06:52 AM
Last two bytes of some packets (depending on the network opcode) are just a CRC check.

The underlying protocol layer is very similar between EQ and EQ2 I believe. The seq source might be some help in that. Hopefully it's not that ugly. If it is, at least I'm still around to be beat upon!

Actually processing the data though is game specific.

Carpathian
01-14-2007, 11:07 PM
I've done quite a bit of work as well, in regards to the EverQuest 1 protocol stream. Both of them, like purple said, share the same underlying base, which is what the file SonyProtocol.cpp handles. Depending on the protocol opcode it will either send it back to the ProtocolPacketHandler, if it's a wrapped protocol packet, or it will pass the game-specific packets to one of the EQ2Channels, typically the first one; the last three seem to never be used.

If you have any questions you can feel free to ask me as well.

EQ2Chris
05-12-2007, 08:29 PM
Could you tell me how you are getting the key? I am interested in fixing EverDump (or rewriting it) but I am not sure how to go about getting the key after all the changes in the last year. If you don't want to post it here, could you email me through my profile?

Thanks!

> Getting the key is not really the problem. I'm past that, working on understanding the protocol now. It's strange how everdump processes it -- either it really is that strange, with lots of layer crossovers, or that's just how the author processed things.
>
> I also took the code posted here and merged it into my working source. It was a bit more advanced than I had, and (for instance) doesn't core dump or massively corrupt the stack.
>
> It does, however, lose sync at some point, and it still doesn't use the last two bytes of every packet, which I am assuming to be some sort of check value.