Reverse Engineering Packets?

[StickyTape]

Hi guys and gals,

I have a little project I’m working on, but I’m a little stuck. I don’t even think it’s possible to do what I want to do, but if anyone can help it’ll be you guys :P

Basically, I’ve got an old console game that used to have online play, but they took the servers down years ago, and I was hoping on getting it online again.

Then game itself is peer-to-peer I think, but it tries to connect to a main server with a lobby first. It’s this initial connection I’m looking at emulating/replicating.

I’ve found what address and what port it’s looking for, so I put an entry into my host file to route that data to another box. That box was running Wireshark and NetCat, and managed to capture 3 packets.

Now my questions are:

- Is it possible from seeing what packets go out, to work out what packets it’s wanting to receive?

- What software is best for ‘listening’, because although NetCat opens a port, I don’t really get any feedback from it as to what the game is trying to do or send it.

- I think I can decompile the executable, but is there any way of converting that code back to C so it’s useable?

Sorry for my n00biness. I am in a bit over my head, and I’m not expecting to ever get this thing working, but it’s kind of fun to try and I’m sure I’ll learn plenty along the way :P

P.S The original game ran on Sega SNAP (SEGA Network Application Package) server, which was later sold to Nokia and became Mobile SNAP that Nokia used (uses?) for its N-Gage Area. If any of you guys are l337 enough to get a copy of either server package, I’m sure it’d make the job a hell of a lot easier :D

P.S. I have Windows XP/7 or Backtrack 4

[Sparda]

Wireshark

What you are intending to do is entirely possible. However, as the original servers are down this ramps the difficulty up to eleven as there is no way of knowing what type of response the game expects to a given request. If the type of response required for a given request is not obvious you may have to resort to dissembling the game to figure out what sort of response it's looking for.

[digip]

Does the game offer the ability to do lan parties with a central PC as the HOST or Game Server (sans the main internet server)? Most games do. If so, port forward the ports it needs on your routerto act as the server, and tell people to add your ISP IP Address as the game server or if needed add the original game servers address to their hosts file to point to yoru IP Address in place of the main websites address that the game tries to connect to.

[StickyTape]

Weird. I came back to look at this topic the other day, and I couldn't find it. I assumed it'd been deleted. Come back today, and it's back. How strange! :P

Wireshark

What you are intending to do is entirely possible. However, as the original servers are down this ramps the difficulty up to eleven as there is no way of knowing what type of response the game expects to a given request. If the type of response required for a given request is not obvious you may have to resort to dissembling the game to figure out what sort of response it's looking for.

That's the thing, I don't if the request is obvious or not :P Here are the 3 packets:

No.     Time        Source                Destination           Protocol Info
      8 7.109084    192.168.0.32          192.168.0.27          TCP      funkproxy > cslistener [SYN] Seq=0 Win=4096 Len=0 MSS=1460

Frame 8 (60 bytes on wire, 60 bytes captured)
Internet Protocol, Src: 192.168.0.32 (192.168.0.32), Dst: 192.168.0.27 (192.168.0.27)
Transmission Control Protocol, Src Port: funkproxy (1505), Dst Port: cslistener (9000), Seq: 0, Len: 0

0000  00 c0 ca 38 ef 9b 00 08 74 9f dd 1b 08 00 45 00   ...8....t.....E.
0010  00 2c 00 03 00 00 1d 06 1c 3e c0 a8 00 20 c0 a8   .,.......>... ..
0020  00 1b 05 e1 23 28 00 38 a4 20 00 00 00 00 60 02   ....#(.8. ....`.
0030  10 00 39 39 00 00 02 04 05 b4 00 00               ..99........

No.     Time        Source                Destination           Protocol Info
      9 7.109146    192.168.0.27          192.168.0.32          TCP      cslistener > funkproxy [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460

Frame 9 (58 bytes on wire, 58 bytes captured)
Internet Protocol, Src: 192.168.0.27 (192.168.0.27), Dst: 192.168.0.32 (192.168.0.32)
Transmission Control Protocol, Src Port: cslistener (9000), Dst Port: funkproxy (1505), Seq: 0, Ack: 1, Len: 0

0000  00 08 74 9f dd 1b 00 c0 ca 38 ef 9b 08 00 45 00   ..t......8....E.
0010  00 2c 75 3f 40 00 80 06 04 01 c0 a8 00 1b c0 a8   .,u?@...........
0020  00 20 23 28 05 e1 c8 c8 de 95 00 38 a4 21 60 12   . #(.......8.!`.
0030  44 70 5d 59 00 00 02 04 05 b4                     Dp]Y......

No.     Time        Source                Destination           Protocol Info
     10 7.246104    192.168.0.32          192.168.0.27          TCP      funkproxy > cslistener [ACK] Seq=1 Ack=1 Win=4096 Len=0

Frame 10 (60 bytes on wire, 60 bytes captured)
Internet Protocol, Src: 192.168.0.32 (192.168.0.32), Dst: 192.168.0.27 (192.168.0.27)
Transmission Control Protocol, Src Port: funkproxy (1505), Dst Port: cslistener (9000), Seq: 1, Ack: 1, Len: 0

0000  00 c0 ca 38 ef 9b 00 08 74 9f dd 1b 08 00 45 00   ...8....t.....E.
0010  00 28 00 04 00 00 1d 06 1c 41 c0 a8 00 20 c0 a8   .(.......A... ..
0020  00 1b 05 e1 23 28 00 38 a4 21 c8 c8 de 96 50 10   ....#(.8.!....P.
0030  10 00 a9 86 00 00 00 00 00 00 00 00               ............

Don't know if that means anything to you?

I've managed to decompile the code to assembly, but I don't know what any of it means! :P Is there a way of getting assembly back to C?

Does the game offer the ability to do lan parties with a central PC as the HOST or Game Server (sans the main internet server)? Most games do. If so, port forward the ports it needs on your routerto act as the server, and tell people to add your ISP IP Address as the game server or if needed add the original game servers address to their hosts file to point to yoru IP Address in place of the main websites address that the game tries to connect to.

Unfortunately, it doesn't. The game was designed for dial-up only :(

Edited April 20, 2010 by StickyTape