PlayStation 2

From HashNet Wiki
Revision as of 23:06, 7 September 2020 by Hashsploit (talk | contribs) (Medius Universe Information Server (MUIS))
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

The PlayStation 2 is a video game console created by Sony.

DNAS

"DNAS" (Dynamic Network Authentication System) is a proprietary authentication system created by Sony Computer Entertainment Inc. ("SCEI").

DNAS retrieves information about a user’s hardware and software for authentication,
copy protection, account blocking, system, rules, or game management and other purposes.

The information collected does not identify the user personally. A publisher can combine
this information with personally identifying information from the publisher’s records if
the user provides the personally identifying information. Before providing any personal
information to a publisher please be sure to review the publisher’s privacy policy and
terms and conditions of use. Do not provide personally identifying information to a
publisher unless you accept the conditions of use and terms of their privacy policy.

SCEI, Sony Computer Entertainment America ("SCEA") and their affiliates cannot guarantee
the continuous operation of the "DNAS" servers. SCEA shall not be liable for any delay or
failure of the "DNAS" servers to perform.

On April 4, 2016; SCEI discontinued the official DNAS servers, thus forcefully taking down hundreds of multiplayer game titles with it.

Official DNAS server domains:

  • gate1.us.dnas.playstation.org
  • gate1.jp.dnas.playstation.org
  • gate1.eu.dnas.playstation.org

Status Codes

DNAS status code definitions:

  • -101 to -108: Authentication
  • -201 to -204: Downloading
  • -401 to -404: Hardware
  • -601 to -625: Network
  • -701 to -703: Unique ID
  • -800 to -1099: Unexpected

Possible resolutions for errors -402 or -403:

  • Most likely mod chip related. Try disabling the mod chip.

Possible resolutions for errors -611 or -612:

  • Related to a firewall issue or network with closed ports.
  • Try opening the suggested ports.
Code Name Description
-101 sceDNAS2_SS_SERVER_BUSY DNAS server is busy. "DNAS Error (-101) The network authentication server is busy. Please try again later."
-102 sceDNAS2_SS_BEFORE_SERVICE DNAS authentication service period has not started for this title. "DNAS Error (-102) This software title is not in service."
-103 sceDNAS2_SS_OUT_OF_SERVICE DNAS authentication service period has ended for this title. "DNAS Error (-103) This software title is not in service."
-104 sceDNAS2_SS_END_OF_SERVICE All DNAS services have stopped. "DNAS Error (-104) The network authentication server is not in service."
-105 sceDNAS2_SS_SESSION_TIME_OUT Session timeout. "DNAS Error (-105) Connection to the network authentication server has timed out. Please try again later."
-106 sceDNAS2_SS_INVALID_SERVER DNAS library (PS2) received an invalid server response. "DNAS Error (-106) A network authentication system error has occurred."
-107 sceDNAS2_SS_INTERNAL_ERROR DNAS library (PS2) internal error while authentication DNAS server. "DNAS Error (-107) A network authentication system error has occurred."
-108 sceDNAS2_SS_EXTERNAL_ERROR DNAS server received corrupted data. "DNAS Error (-108) A network authentication system error has occurred."
-201 sceDNAS2_SS_DL_NODATA This title does not have a data download service. "DNAS Error (-201) A download error has occurred."
-202 sceDNAS2_SS_DL_BEFORE_SERVICE Data download service has not started for this title. "DNAS Error (-202) A download error has occurred."
-203 sceDNAS2_SS_DL_OUT_OF_SERVICE Data download service has ended for this title. "DNAS Error (-203) A download error has occurred."
-204 sceDNAS2_SS_DL_NOT_UPDATED No new download data. "DNAS Error (-204) A download error has occurred."
-401 sceDNAS2_SS_INVALID_PS2 Invalid PS2 hardware. "DNAS Error (-401) A PS2 hardware information error has occurred."
-402 sceDNAS2_SS_INVALID_MEDIA Invalid disc. "DNAS Error (-402) A PS2 disc information error has occurred."
-403 sceDNAS2_SS_INVALID_AUTHDATA Invalid or corrupted disc authentication data. "DNAS Error (-403) A PS2 disc information error has occurred."
-404 sceDNAS2_SS_INVALID_HDD_BINDING Current PS2 and HDD combination is different than registered combination. "DNAS Error (-404) A PS2 hardware information error has occurred."
-601 GLUE_ABORT An network connection was aborted. "DNAS Error (-601) A network error has occurred." Please double-check your network connection and/or network configuration.
-602 NET_PROXY Proxy server error. "DNAS Error (-602) A network error has occurred." Please double-check your network connection and/or network configuration.
-603 NET_TIMEOUT Connection timed out. "DNAS Error (-603) Connection timed out." Please try connection again at a later time.
-610 NET_SSL An SSL session error occured. "DNAS Error (-610) A network error has occurred." Please double-check your network connection and/or network configuration.
-611 NET_DNS_HOST_NOT_FOUND The DNS resolver did not recognize the DNAS server host name. "DNAS Error (-611) A network error has occurred." Please double-check your network connection and/or network configuration.
-612 NET_DNS_TRY_AGAIN The DNS resolver cannot be found. "DNAS Error (-612) A network error has occurred." Please double-check your network connection and/or network configuration.
-613 NET_DNS_NO_RECOVERY The DNS resolver response is invalid. "DNAS Error (-613) A network error has occurred." Please double-check your network connection and/or network configuration.
-614 NET_DNS_NO_DATA The DNS resolver found no IP address for the DNAS server host name. "DNAS Error (-614) A network error has occurred." Please double-check your network connection and/or network configuration.
-615 NET_DNS_OTHERS Other DNS resolver-related errors. "DNAS Error (-615) A network error has occurred." Please double-check your network connection and/or network configuration.
-616 NET_EISCONN A server connection already exists from this client IP address. "DNAS Error (-616) A network error has occurred." Please double-check your network connection and/or network configuration.
-617 NET_ETIMEOUT A network timeout occurred. "DNAS Error (-617) A network error has occurred." Please double-check your network connection and/or network configuration.
-618 NET_ECONNREFUSED The connection was refused (the server is not running). "DNAS Error (-618) A network error has occurred." Please double-check your network connection and/or network configuration.
-619 NET_ENETUNREACH The network destination is unreachable. "DNAS Error (-619) A network error has occurred." Please double-check your network connection and/or network configuration.
-620 NET_ENOTCONN The network connection is down. "DNAS Error (-620) A network error has occurred." Please double-check your network connection and/or network configuration.
-621 NET_ENOBUFS An out-of-memory error occured. "DNAS Error (-621) A network error has occurred." Please double-check your network connection and/or network configuration.
-622 NET_EMFILE Unable to create any more network connections. "DNAS Error (-622) A network error has occurred." Please double-check your network connection and/or network configuration.
-623 NET_EBADF The title requested a network connection using an invalid value. "DNAS Error (-623) A network error has occurred." Please double-check your network connection and/or network configuration.
-624 NET_EINVAL The title requested a network function using invalid options. "DNAS Error (-624) A network error has occurred." Please double-check your network connection and/or network configuration.
-625 NET_OTHERS Other network-related errors. "DNAS Error (-625) A network error has occurred." Please double-check your network connection and/or network configuration.
-626 "Connection to the DNAS server failed." The server and port the client attempted connecting to is closed.
-701 sceDNAS2_SS_ID_NOUSE The title does not use the unique *category* ID feature. "DNAS Error (-701) A software category error has occurred."
-702 sceDNAS2_SS_ID_CAT_NOT_EXIST The specified unique *category* ID category does not exist. "DNAS Error (-702) A software category error has occurred."
-703 sceDNAS2_SS_ID_NOT_JOIN_TO_CAT The title does not belong to the specified unique *category* ID category. "DNAS Error (-703) A software category error has occurred."
832 Unregistered title ID. Incorrect title ID in SYSTEM.CNF. Using the wrong regional DNAS library, thus talking to the wrong DNAS server. Using the production server (debug=0) without DNS redirection.
-848 Unregistered title ID. Incorrect title ID in SYSTEM.CNF. Using the wrong regional DNAS library, thus talking to the wrong DNAS server. Using the production server (debug=0) without DNS redirection.
-848 Wrong authentication data or passphrase.
-833 Region Error.
-840 Server is down, try again later.
-864 Invalid media, Invalid DNAS Disc ID, Media Error e.g. using CD-R and DVD-R discs against the production server, or using manufactured discs against the development server.
-880 PS2 hardware incompatibility.
-881 PS2 hardware incompatibility.

Service Revival

The shutdown of DNAS has caused hundreds of multiplayer titles go offline with it. The community has went above and beyond to try to revive many game servers.

Since SCEI discontinued DNAS, there have been a few replacement services out there, such as:

Name Primary DNS Secondary DNS Website
Cristian 45.7.228.197 0.0.0.0 https://ps2online.com
Bobz 66.66.23.98 0.0.0.0 http://bobzent.info
Outbreak 173.198.207.99 0.0.0.0 http://obsrv.org
MGO 192.3.217.61 192.3.217.162 https://snake.savemgo.com
TM:BO 173.198.252.240 0.0.0.0 http://173.198.252.240
SWBFSpy 66.85.14.80 0.0.0.0 http://www.swbfgamers.com

These public services are running a DNAS replacement server, however it is far more convenient to run a Docker containerized version instead.

More information regarding game servers here: https://docs.google.com/spreadsheets/d/1bbxOGm4dPxZ4Vbzyu3XxBnZmuPx3Ue-cPqBeTxtnvkQ


Medius

Medius (SCE-RT) was a networking engine solution that most top-title games would have implemented for their multiplayer games as the underlying protocol. There is very little documentation regarding it therefore it's not fully understood and the only parts that we know of have to be reverse-engineered.

Medius uses Textbook RSA (512-bit) in conjunction with a custom RC4 or RCQ algorithm for encryption.

Here are some PDF's and documentation that explain parts of Medius for the PlayStation 2:

Medius Components

Medius servers are split into 6 major components:

Medius Universe Manager (MUM)

Keeps track of lobby rooms, game information, and players. This server generally runs on port 10076.

Medius Authentication Server (MAS)

Allows users to login, authenticate and obtain a session token to login to the Medius Lobby Server. This server generally runs on port 10075.

Medius Lobby Server (MLS)

Handles license agreement, announcements, global chat room, clans, create games, and join games. This server generally runs on port 10077 or sometimes 10078.

Medius Proxy Server (MPS)

Global chat room, clans, create games, and join games. This server generally runs on port 10078.

DME Game Server (Distributed Memory Engine)

The DME Game Server is a "Reliable UDP" server that handles connections between clients on a game's current status.

Medius Network Address Translation (NAT)

A UDP server used to give the client their IP Address.

Medius Universe Information Server (MUIS)

Server for providing the client with multiple other Medius stacks (MAS/MLS/MPS/DME). This server generally runs on port 10071.

Medius Protocol

All encrypted Medius packets are structured as follows:

(This is an example MAS login packet from a PlayStation 2 client)

Packet ID (1) Length (2) Checksum (4) Data (64)
92 40 00 f8 7a f7 34 25 c8 9a 6d a9 dd eb ab a8 3c a6 e6 b4 72 6d ef 51 23 00 de ea 43 d5 8f 22 50 3f af 9c 52 96 10 7c a4 be a9 57 8a ae 49 68 06 20 73 c6 24 a8 07 ad 44 d2 54 29 8d 58 b6 3c da 3b e4 33 8c 57

The first byte (e.g. 0x92) is the encrypted Packet ID, which has 0x80 added to the original (unencrypted) Packet ID value to indicate it's encrypted. The following two bytes (e.g. 0x40 0x00) (in little-endian) refer to the length of packet's payload data. After that, there are four bytes (e.g. 0xf8 0x7a 0xf7 0x34) which is the checksum of the payload data of the packet. Finally after that is the payload data.

"The first packet (92) holds a public 512-bit RSA key the game created on the fly. But the packet is encrypted with Sony‘s public Medius RSA key. You need to crack that key or find a way to deactivate encryption in the game (patch). The second packet holds the session key for a RC like algorithm, it’s encrypted with the public key the server got from game. It’s a slightly modified variant of RC4 that is used for decryption from now on." -Fog23

So far what we know is the MAS Packet ID conversation goes like this:

  1. Client Connects
  2. Client: 0x12 [len 64] The contents is an RSA key generated by the PS2, which is encrypted using public-key of the server (512-bit Textbook RSA). The server's public-key is burned in the game client's iso.
  3. Server: 0x13 [len 64] The contents is a custom RC4 or RCQ "session key" used to encrypt/decrypt messages going forward, this message is encrypted via the public RSA key sent by the client.
  4. Client: 0x00 [len 73] Unknown. Encrypted RC4/RCQ key?
  5. Server: 0x14 [len 64] Unknown. Static key?
  6. Server: 0x07 [len 23] Server sends the client their own IP address. Starts with 0x01 0x08 0x00 0x00 0x01 0x00, followed by the client's IP address.
  7. Server: 0x1a [len 2] Continuation of 0x07 packet, just 0x01 0x00.
  8. Client: 0x0b [len 30] Set world id. Starts with 0x01 0x03 0x31 and at byte 27 0x01 (world id).
  9. Server: 0x0a [len 50] Set player id. Starts with 0x01 0x04, at byte 3 0x31 (world id) and at byte 31 0x32 (player id). The player id increments each time a player connects.
  10. Client: 0x0b [len 50] Unknown. Appears to be static. Starts with 0x01 0xa3 and at byte 43 0x02, at byte 47 0x01.
  11. Server: 0x0a [len 30] Unknown. Appears to be static. Starts with 0x01 0xa4.
  12. Client: 0x0b [len 82] Unknown. Starts with 0x04 0x0a at byte 3 0x31 (world id?), at byte 24 0x32 (player id), at byte 47 0x20 0x28 0x75 0x0F 0xCE 0x19 0x65 0x56 0x61 0x65 0x14 0x0B 0xF6 0xB4 0xC4 0x13 0x63 0xD3 0xD0 0x20 0x02 0x0F 0xE4 0x09 0xF4 0x4D 0xF5 0x36 0x76 0xB8 0xEF 0x50 0x93 0x00 0x00 0x00 (static key?).
  13. Client: 0x0b [len 104] Login details. Starts with 0x01 0x07, at byte 3 0x31 (world id), at byte 24 0x32 (player id), at byte 41 (username), at byte 73 (password).
  14. Server: 0x0a [len 198] Successful authentication, give client MLS address and access token. At byte 51 (MLS IP Address) followed by the port as a short (2 bytes), at byte 75 (NAT IP Address) followed by the port as a short (2 bytes).
  15. Client: 0x01 [len 0] Client sends disconnect packet.
  16. Client Disconnects


Custom RC4 Crypto

PlayStation 2 titles that use Medius are noticed to use a custom RC4 implementation, or RCQ for the encryption scheme after the RSA handshake completes.

Below are a couple of utilities that can be used to encrypt/decrypt Medius packets (custom RC4 works, RCQ works only partially).

You can also use the Medius Crypto Test Tool to verify if your own library implementation works.

Encryption example:

private void encrypt(byte[] input, int inOff, int length, byte[] output, int outOff) {
    for (int i = 0; i < length; ++i) {
        x = (x + 5) & 0xff;
        y = (y + engineState[x]) & 0xff;

        // Swap
        byte temp = engineState[x];
        engineState[x] = engineState[y];
        engineState[y] = temp;

        // Xor
        output[i + outOff] = (byte) (input[i + inOff] ^ engineState[(engineState[x] + engineState[y]) & 0xff]);
        y = (engineState[input[i + inOff]] + y) & 0xff;
    }
}

Decryption example:

private void decrypt(byte[] input, int inOff, int length, byte[] output, int outOff) {
    for (int i = 0; i < length; ++i) {
        y = (y + 5) & 0xFF;

        int v0 = engineState[y];
        byte a2 = (byte) (v0 & 0xFF);
        v0 += x;
        x = (byte) (v0 & 0xFF);

        v0 = engineState[x];
        engineState[y] = (byte) (v0 & 0xFF);
        engineState[x] = a2;

        byte a0 = input[i];

        v0 += a2;
        v0 &= 0xFF;
        int v1 = engineState[v0];

        a0 ^= (byte) v1;
        output[i] = a0;

        v1 = engineState[a0] + x;
        x = v1 & 0xFF;
    }
}


Packet IDs

The Packet ID type is the first byte in each packet that define what type of packet this is. If it's encrypted it will have 0x80 added to the original Packet ID.

ID Name Description
0x00 RT_MSG_CLIENT_CONNECT_TCP Normal client connect request, contains Medius version and Game ID.
0x01 RT_MSG_CLIENT_DISCONNECT Normal client disconnect.
0x02 RT_MSG_CLIENT_APP_BROADCAST
0x03 RT_MSG_CLIENT_APP_SINGLE
0x04 RT_MSG_CLIENT_APP_LIST
0x05 RT_MSG_CLIENT_ECHO
0x06 RT_MSG_SERVER_CONNECT_REJECT
0x07 RT_MSG_SERVER_CONNECT_ACCEPT_TCP Login Client IP Address: The server sends the client their ip address. This might be used for NAT hole-punching down the line.
0x08 RT_MSG_SERVER_CONNECT_NOTIFY
0x09 RT_MSG_SERVER_DISCONNECT_NOTIFY
0x0a RT_MSG_SERVER_APP Generic data message to client from server.
0x0b RT_MSG_CLIENT_APP_TOSERVER Generic data message to server from client.
0x0c RT_MSG_UDP_APP
0x0d RT_MSG_CLIENT_SET_RECV_FLAG
0x0e RT_MSG_CLIENT_SET_AGG_TIME
0x0f RT_MSG_CLIENT_FLUSH_ALL
0x10 RT_MSG_CLIENT_FLUSH_SINGLE
0x11 RT_MSG_SERVER_FORCED_DISCONNECT
0x12 RT_MSG_CLIENT_CRYPTKEY_PUBLIC The client is requesting to start encryption. The contents is an RSA key generated by the PS2, which is encrypted using public-key of the server (512-bit Textbook RSA). The public-key is burned in the games iso.
0x13 RT_MSG_SERVER_CRYPTKEY_PEER The server is accepting encryption. The contents is a custom RC4 or RCQ "session key" used to encrypt/decrypt messages going forward, this message is encrypted via the RSA key in the client.
0x14 RT_MSG_SERVER_CRYPTKEY_GAME Game encryption key.
0x15 RT_MSG_CLIENT_CONNECT_TCP_AUX_UDP
0x16 RT_MSG_CLIENT_CONNECT_AUX_UDP
0x17 RT_MSG_CLIENT_CONNECT_READY_AUX_UDP
0x18 RT_MSG_SERVER_INFO_AUX_UDP
0x19 RT_MSG_SERVER_CONNECT_ACCEPT_AUX_UDP
0x1a RT_MSG_SERVER_CONNECT_COMPLETE Connection successful.
0x1b RT_MSG_CLIENT_CRYPTKEY_PEER
0x1c RT_MSG_SERVER_SYSTEM_MESSAGE
0x1d RT_MSG_SERVER_CHEAT_QUERY
0x1e RT_MSG_SERVER_MEMORY_POKE
0x1f RT_MSG_SERVER_ECHO
0x20 RT_MSG_CLIENT_DISCONNECT_WITH_REASON
0x21 RT_MSG_CLIENT_CONNECT_READY_TCP
0x22 RT_MSG_SERVER_CONNECT_REQUIRE
0x23 RT_MSG_CLIENT_CONNECT_READY_REQUIRE
0x24 RT_MSG_CLIENT_HELLO
0x25 RT_MSG_SERVER_HELLO
0x26 RT_MSG_SERVER_STARTUP_INFO_NOTIFY
0x27 RT_MSG_CLIENT_PEER_QUERY
0x28 RT_MSG_SERVER_PEER_QUERY_NOTIFY
0x29 RT_MSG_CLIENT_PEER_QUERY_LIST
0x2a RT_MSG_SERVER_PEER_QUERY_LIST_NOTIFY
0x2b RT_MSG_CLIENT_WALLCLOCK_QUERY
0x2c RT_MSG_CLIENT_WALLCLOCK_QUERY_NOTIFY
0x2d RT_MSG_CLIENT_TIMEBASE_QUERY
0x2e RT_MSG_SERVER_TIMEBASE_QUERY_NOTIFY
0x2f RT_MSG_CLIENT_TOKEN_MESSAGE
0x30 RT_MSG_SERVER_TOKEN_MESSAGE
0x31 RT_MSG_CLIENT_SYSTEM_MESSAGE
0x32 RT_MSG_CLIENT_APP_BROADCAST_QOS
0x33 RT_MSG_CLIENT_APP_SINGLE_QOS
0x34 RT_MSG_CLIENT_APP_LIST_QOS
0x35 RT_MSG_CLIENT_MAX_MSGLEN
0x36 RT_MSG_SERVER_MAX_MSGLEN
Graceful Disconnect (0x01)

The Graceful Disconnect packet is sent by the client to notify the server of a graceful disconnect.

  • Bind Type: client
  • Packet ID: 0x01
  • Encrypted Packet ID: 0x01

Encrypted packet: [ID: 0x01, LENGTH: 0x03 [3], DATA LENGTH: 0x00 [0]]

00000000  01 00 00                                          |...|

Decrypted packet data: (without packet id, length, or checksum): [ID: 0x1c, LENGTH: 0x00 [0]]

00000000
Login RSA Request (0x12)

The Login RSA Request packet is sent by the client to initiate a connection to MAS, it uses the MAS's public key embedded in the ISO to encrypt a custom RC4 or RCQ key.

  • Bind Type: server
  • Packet ID: 0x12
  • Encrypted Packet ID: 0x92

It is the first packet sent by the client. This packet contains data encrypted using the MAS's RSA 512-bit public key, which we believe is stored in the game's ISO ELF file.

Raw Structure:

RSA Data (64)
6B 8F 99 EC 1B AF 06 D2 67 42 84 B5 30 5E E6 E3 8B 1D E7 33 1F 2F BF 31 DE 49 72 28 B7 C5 21 62 F1 8D AE 89 13 C4 0C 43 C0 E8 90 D1 4E EE 16 AD 07 C6 4F D9 28 1D 8B 97 2D 78 BE 78 D1 B2 90 CE

Encrypted packet: [ID: 0x9c, LENGTH: 0x46 [71], DATA LENGTH: 0x40 [64]]

00000000  92 40 00 f4 f8 7a f7 34  25 c8 9a 6d a9 dd eb ab  |[email protected]%..m....|
00000010  a8 3c a6 e6 b4 72 6d ef  51 23 00 de ea 43 d5 8f  |.<...rm.Q#...C..|
00000020  22 50 3f af 9c 52 96 10  7c a4 be a9 57 8a ae 49  |"P?..R..|...W..I|
00000030  68 06 20 73 c6 24 a8 07  ad 44 d2 54 29 8d 58 b6  |h. s.$...D.T).X.|
00000040  3c da 3b e4 33 8c 57                              |<.;.3.W|

Decrypted packet data: (without packet id, length, or checksum): [ID: 0x12, LENGTH: 0x40 [64]]

00000000  6b 8f 99 ec 1b af 06 d2  67 42 84 b5 30 5e e6 e3  |k.......gB..0^..|
00000010  8b 1d e7 33 1f 2f bf 31  de 49 72 28 b7 c5 21 62  |...3./.1.Ir(..!b|
00000020  f1 8d ae 89 13 c4 0c 43  c0 e8 90 d1 4e ee 16 ad  |.......C....N...|
00000030  07 c6 4f d9 28 1d 8b 97  2d 78 be 78 d1 b2 90 ce  |..O.(...-x.x....|


Login RSA Response (0x13)

The Login RSA Response packet is sent by the server to establish encrypted communication with the client. The response is a custom RC4 or RCQ key used later that is encrypted with the client's public RSA key that is sent in the Login RSA Request 0x12 packet.

  • Bind Type: server
  • Packet ID: 0x13
  • Encrypted Packet ID: 0x93

It is the first packet sent by the server.

Raw Structure:

RSA Data (64)
E7 47 74 38 E0 23 4B B8 19 6D 57 4F 09 33 7B E7 A7 29 71 62 8C 55 1C 33 73 A6 8B E7 F1 F1 08 18 1E AA C2 41 9A FA 75 83 21 5E 79 77 5E 9D 6D BC 8D 44 25 45 EF 39 6F 29 C6 29 4C 69 FC 97 E1 77

Encrypted packet: [ID: 0x93, LENGTH: 0x46 [71], DATA LENGTH: 0x40 [64]]

00000000  93 40 00 73 a1 bb f9 45  93 0a 9e 59 40 35 b2 63  |[email protected]@5.c|
00000010  90 46 cd 56 f5 cc e6 59  98 bd dd 16 e9 2e c0 fd  |.F.V...Y........|
00000020  75 63 95 1c 74 88 da 4e  23 41 67 5e 3f 69 26 45  |uc..t..N#Ag^?i&E|
00000030  ad 8b 06 4a 0b 5d 3d 52  01 7f e1 b4 fc c1 b7 cd  |...J.]=R........|
00000040  48 43 cd db a3 b8 c1                              |HC.....|

Decrypted packet data: (without packet id, length, or checksum): [ID: 0x13, LENGTH: 0x40 [64]]

00000000  e7 47 74 38 e0 23 4b b8  19 6d 57 4f 09 33 7b e7  |.Gt8.#K..mWO.3{.|
00000010  a7 29 71 62 8c 55 1c 33  73 a6 8b e7 f1 f1 08 18  |.)qb.U.3s.......|
00000020  1e aa c2 41 9a fa 75 83  21 5e 79 77 5e 9d 6d bc  |...A..u.!^yw^.m.|
00000030  8d 44 25 45 ef 39 6f 29  c6 29 c6 29 4c 69 fc 97  |.D%E.9o).).)Li..|
00000040  e1 77                                             |.w|



Server Message (0x1c)

The Server Message packet is sent by the server to the client to show a message notification on screen.

  • Bind Type: server
  • Packet ID: 0x1c
  • Encrypted Packet ID: 0x9c

This packet is structured with the first byte referencing the message severity 0x9f (159). The message severity appears to be a value ranging from 0 to 255, followed by 3 unknown bytes that appear to be constants 0x02 0x01 0x01, followed by the message contents and finally terminated by two null bytes 0x00 0x00.

Raw Structure:

Severity (1) Unknown (3) Message (97*) Terminator (2)
0x9f 0x02 0x01 0x01 Notification test: Broadcasting message...Time=1594431135 (Fri Jul 10 18:32:15 2020) Severity=159 0x00 0x00

Encrypted packet: [ID: 0x9c, LENGTH: 0x6e [110], DATA LENGTH: 0x67 [103]]

00000000  9c 67 00 b8 61 0e 24 b6  e9 12 a1 61 b7 30 26 e4  |.g..a.$....a.0&.|
00000010  4e 6f b4 3d 81 7f 09 9b  35 7d 88 05 cc 1c 45 f0  |No.=....5}....E.|
00000020  88 94 75 7d 19 51 71 b7  81 49 26 8d 59 b1 ba 62  |..u}.Qq..I&.Y..b|
00000030  77 51 eb f7 af 75 ae ab  24 69 4f d6 12 25 18 c3  |wQ...u..$iO..%..|
00000040  14 05 40 f4 33 44 d7 81  ef 01 43 b3 50 70 93 a8  |[email protected]|
00000050  a4 97 5c 25 db bc 6c 89  4c 2d d6 b1 9a 76 37 6d  |..\%..l.L-...v7m|
00000060  a6 d5 56 4c 52 ea 48 46  fc cc 69 4d 03 b6        |..VLR.HF..iM..|

Decrypted packet data: (without packet id, length, or checksum): [ID: 0x1c, LENGTH: 0x67 [103]]

00000000  9f 02 01 01 4e 6f 74 69  66 69 63 61 74 69 6f 6e  |....Notification|
00000010  20 74 65 73 74 3a 20 42  72 6f 61 64 63 61 73 74  | test: Broadcast|
00000020  69 6e 67 20 6d 65 73 73  61 67 65 2e 2e 2e 54 69  |ing message...Ti|
00000030  6d 65 3d 31 35 39 34 34  33 31 31 33 35 20 28 46  |me=1594431135 (F|
00000040  72 69 20 4a 75 6c 20 31  30 20 31 38 3a 33 32 3a  |ri Jul 10 18:32:|
00000050  31 35 20 32 30 32 30 29  20 53 65 76 65 72 69 74  |15 2020) Severit|
00000060  79 3d 31 35 39 00 00                              |y=159..|

MAS Documentation

MLS Documentation

The beginning login process of MLS is very similar to MAS.