needing help on packets plz reply


jonnybravo
September 29th, 2005, 06:52 AM
0000 00 40 2b 6d d2 bf 00 13 2f 67 97 54 08 00 45 00
0010 00 4b d7 f2 40 00 6f 06 79 8f d3 14 b0 41 0c b6
0020 2a 1f 71 48 08 11 de 8b e5 a4 5b 36 6e 62 50 18
0030 44 07 72 93 00 00 9f 25 81 6d a9 30 e0 58 a0 9f
0040 51 84 f8 fe ef e7 2e 53 33 0f d9 d9 79 15 ab 84
0050 7b 55 a4 cd 19 1f 36 80 e3

need to analyze this data from the server to the client......

HERE IS THE DATA ABOUT THE PROTOCOL......


packet.ip.version = 4; /* version of IP used */
packet.ip.ihl = 5; /* Internet Header Length (IHL), in 32-bit words: 5 words = 20 bytes */
packet.ip.tos = 0; /* Type Of Service (TOS) */
packet.ip.tot_len = htons(75); /* total length of the IP datagram */
packet.ip.id = htons(0xd7f2); /* identification */
packet.ip.frag_off = htons(0x4000); /* flags and fragment offset: DF set, offset 0 (bytes 40 00 in the dump) */
packet.ip.ttl = 111; /* Time To Live (TTL) */
packet.ip.protocol = 6; /* protocol used (TCP in this case) */
packet.ip.check = htons(0x798f); /* IP checksum */
packet.ip.saddr = inet_addr("mine"); /* source address */
packet.ip.daddr = inet_addr("server"); /* destination address */

packet.tcp.source = htons(2065); /* source port */
packet.tcp.dest = htons(29000); /* destination port */
packet.tcp.seq = 1; /* sequence number */
packet.tcp.ack_seq = 1; /* acknowledgement number */
packet.tcp.fin = 0; /* FIN flag */
packet.tcp.syn = 0; /* SYN flag */
packet.tcp.rst = 0; /* RST flag */
packet.tcp.psh = 1; /* PSH flag */
packet.tcp.ack = 1; /* ACK flag */
packet.tcp.urg = 0; /* URG flag */
packet.tcp.window = htons(17415); /* window */
packet.tcp.check = htons(0x7293); /* TCP checksum */


35 bytes need to be analyzed..................

9f 25 81 6d a9 30 e0 58 a0 9f
51 84 f8 fe ef e7 2e 53 33 0f d9 d9 79 15 ab 84
7b 55 a4 cd 19 1f 36 80 e3

need to know how to do this so i can analyze all data being sent from and to the server.

Keatsjuh
September 29th, 2005, 07:09 AM
You cannot just "analyze" bytes being sent over a TCP connection without additional info, unless it's really obvious what that data is (e.g. text). You have to identify what server you are connecting to, and start from there. I'm guessing you know what server you are connecting to, so start by sharing that information. If you don't know what you're connecting to, 29000 is a port anything or anyone can use, it's most often used in gameservers (I think StarSiege uses it as a default).

Then you can either look for the server's network data format if it's public info, or download an SDK or source code and start from there to reverse engineer it. Or you can host your own server and run some tests, try to generate network variables that might be transferred, etc.

But just "analyzing" random binary data without more info, doesn't produce useful information, maybe some statistic data at best.

Mathew Joy
September 29th, 2005, 07:45 AM
When you get an IP packet, the 'clue' to what resides in its payload (data portion) is the number which identifies the protocol. Can be TCP/UDP/ICMP or something custom designed, provided there is a protocol handler for it. Since TCP is a standardized protocol, we know the contents of it.

Now again coming to the TCP packet, the clue to what is in the payload is the port number. If it is a standard one such as HTTP (80) then again we know what the packet contains. And so on. In your case it is 2006 which from google is dlsrpn or Data Link Switch Read Port Number. Rest you need to know what the packet exactly is, what it is about etc (some sort of RFC explanation).

This is what has been said in your other thread. But I wonder what your real intentions are with an unknown packet.

Keatsjuh
September 29th, 2005, 07:51 AM
2006 is the source (client) port, and hence typically random and thus meaningless. 29000 is the server port. I suspect less noble intentions as well, and since 29000 is typically used for gameservers I could think of a thing or two he might be trying ;). Care to enlighten us on your intentions jonny?

Mathew Joy
September 29th, 2005, 07:56 AM
need to analyze this data from the server to the client......

packet.tcp.source = htons(2065); /* source port */
packet.tcp.dest = htons(29000); /* destination port */

Well??

Keatsjuh
September 29th, 2005, 08:06 AM
packet.ip.saddr = inet_addr("mine"); /* source address */
packet.ip.daddr = inet_addr("server"); /* destination address */

packet.tcp.source = htons(2065); /* source port */
packet.tcp.dest = htons(29000); /* destination port */

I trust the bytes more than him :) Also, in his previous example the lower port differed, but 29000 was the constant one.
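
The "trust the bytes" point can be checked mechanically. The following is an added example, not code from any poster in this thread: a small C parser run over the exact frame from the first post, which reads the ports, flags and payload length straight from the bytes and verifies the IPv4 and TCP checksums. The names struct seg, parse_frame, be16, csum_add and csum_ok are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* The 89-byte frame exactly as posted at the top of the thread. */
static const uint8_t frame[] = {
  0x00,0x40,0x2b,0x6d,0xd2,0xbf,0x00,0x13,0x2f,0x67,0x97,0x54,0x08,0x00,0x45,0x00,
  0x00,0x4b,0xd7,0xf2,0x40,0x00,0x6f,0x06,0x79,0x8f,0xd3,0x14,0xb0,0x41,0x0c,0xb6,
  0x2a,0x1f,0x71,0x48,0x08,0x11,0xde,0x8b,0xe5,0xa4,0x5b,0x36,0x6e,0x62,0x50,0x18,
  0x44,0x07,0x72,0x93,0x00,0x00,0x9f,0x25,0x81,0x6d,0xa9,0x30,0xe0,0x58,0xa0,0x9f,
  0x51,0x84,0xf8,0xfe,0xef,0xe7,0x2e,0x53,0x33,0x0f,0xd9,0xd9,0x79,0x15,0xab,0x84,
  0x7b,0x55,0xa4,0xcd,0x19,0x1f,0x36,0x80,0xe3 };
struct seg { uint16_t sport, dport, tot_len, ip_hl, tcp_hl, payload_len;
             uint8_t proto, flags; int ip_ok, tcp_ok; };
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
/* RFC 1071 one's-complement sum of n bytes (odd tail zero-padded), added to acc. */
static uint32_t csum_add(uint32_t acc, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) acc += be16(p);
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static int csum_ok(uint32_t acc) {   /* intact data folds to 0xffff */
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return acc == 0xffff;
}
/* Parse Ethernet II + IPv4 + TCP. Returns 0, or -1 if not IPv4/TCP or truncated. */
int parse_frame(const uint8_t *f, size_t len, struct seg *s) {
    if (len < 14 + 20 || be16(f + 12) != 0x0800) return -1;
    const uint8_t *ip = f + 14;
    s->ip_hl = (ip[0] & 0x0f) * 4;  s->tot_len = be16(ip + 2);  s->proto = ip[9];
    if ((ip[0] >> 4) != 4 || s->proto != 6 || s->ip_hl < 20 ||
        s->tot_len < s->ip_hl + 20 || len < 14u + s->tot_len) return -1;
    const uint8_t *tcp = ip + s->ip_hl;
    uint16_t tcp_len = (uint16_t)(s->tot_len - s->ip_hl);
    s->sport = be16(tcp);  s->dport = be16(tcp + 2);
    s->tcp_hl = (tcp[12] >> 4) * 4;  s->flags = tcp[13];
    if (s->tcp_hl < 20 || s->tcp_hl > tcp_len) return -1;
    s->payload_len = tcp_len - s->tcp_hl;
    s->ip_ok = csum_ok(csum_add(0, ip, s->ip_hl));
    /* The TCP checksum also covers a pseudo-header: both addresses, protocol, TCP length. */
    s->tcp_ok = csum_ok(csum_add(csum_add(0, ip + 12, 8) + 6 + tcp_len, tcp, tcp_len));
    return 0;
}
int main(void) {
    struct seg s;
    if (parse_frame(frame, sizeof frame, &s)) return 1;
    printf("%u -> %u flags=0x%02x payload=%u ip_ok=%d tcp_ok=%d\n",
           s.sport, s.dport, s.flags, s.payload_len, s.ip_ok, s.tcp_ok);
    return 0;
}
```

On the posted frame this reports source port 29000 and destination port 2065 with PSH and ACK set, 35 payload bytes, and both checksums valid, so the dump is a complete server-to-client segment. The headers say nothing about what the 35 payload bytes mean, which is the point made earlier in the thread.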

monotonous_coward
September 29th, 2005, 12:11 PM
I can shed a little light on this....

"jonny" is a moderately talented linguistically impaired script kiddie who has been hacking an online golf game called shot-online based in Korea for some months.

Initially, the system was very open and "jonnybravo" used and made available to legions of skiddies some scripts to hack the game client. They implemented a fix called "Hackshield", which has moved jonny to (in his own mangled words) "see what fun expolits are going on now".

I suppose I could be wronging the poster here. I suspect not, however.

Hi jonny. I may not be able to use m4d sploits, but I can use google.

Keatsjuh
September 29th, 2005, 12:31 PM
No surprises there, except that 29000 is indeed used for a gameserver, I wonder why that heuristic almost always flies. Thanks for the heads up. Judging by his posts though he's either *very* linguistically impaired, or you give him too much credit by calling him moderately talented.

Hi jonny, and good luck to you. As a gamedev myself, I hope one of these days you get what is coming to you.

jonnybravo
September 30th, 2005, 03:18 AM
no, it's not for hacking purposes. for personal use. a project I'm working on.

as the server sends the data back to the client I'm trying to read what the server is accessing in the client from reverse engineering the client. now I understand the entire protocol and what's being sent, I'm just trying to reconstruct the packet in a server loop (client loop). it also produces text as well but where the encryption takes place can change the hex because of each IP and port number. (its own protocol)

here is my question that needs to be answered....

you sniff a packet, you read all that needs to be read, how do you know what data is being sent back and forth through the hex that it uses? here is what I'm trying to find....

code the packet, and add the header and handle the buffer.

header not hard, buffer is, and handle would be something I would create through what I see doing in the server...