PROGRAMMERS: Analyzing yahoo packets...

[zappa_engine]

NOTE: This post is for programmers, tinkerers.

So I noticed a post on the Chessy forum about the Yahoo Packet Analyzer and had a solution based on something else already included within YtoICS code.

About YPA though, I was testing the YPA program and logged into the chess game rooms and noticed it would capture some packets but not all. What I saw and was familiar with was the Create Room code, 2 other misc codes, and I tried to find more familiar packet codes by joining a game in progress. Unfortunately, it didn't really capture any more packets like game_in_progress (0x30) or moves or game_status packets so some functionally is missing. I'm guessing those are table opcodes it doesn't capture but it'll display the room op codes. Actually when I think about it more, it doesn't capture all room updates either because seat updates happen often and I didn't see any of those. So its packet capturing abilities are not fully realized... Maybe I don't know how to use the program though.

Now, within STUCI, there is a subroutine called op_debug. There is also a table listing opcodes and the functions that are called by them. If an opcode is received without a function to point to, it will give you a warning within the ICS interface. In these warnings it gives you an opcode number too. You can add this opcode and point it to the subroutine op_debug in the code. Next time, the warning won't be displayed but instead you'll get the parameters that were passed by the opcode so you can analyze it. The op_debug subroutine output is hard to read though. I suggest adding one line to the debug code so it'll display unprintable data in a format you can read now.
Where the code in op_debug says:
$d->Purity(1);
Add a line that also says:
$d->Useqq(1);

It'll output unreadable characters with \ and their code or normal perl code \n \t \r etcetc.

There, now if you want to analyze some of the unimplemented opcodes, just change the routine they point to from op_unimplemented to op_debug.

Ummm, I think that's it. So have fun with it...

[matematiko]

Thanks a lot zappa....I'll give it a try.

[zappa_engine]

Did I miss any opcodes? These are how Yahoo describes thier own opcodes.

[matematiko]

The Yahoo Chess Protocol was well documented by Chris Howie. I do not even remember how I got this file but it seems it was not included in YtoICS distributions. In case you don't have it I am uploding it here. I have discovered few more opcodes and I have talked about them in this forum.

I hope this file is helpful to you and YtoICS Reborn team.

[zappa_engine]

The info I posted is direct source code from Yahoo's flash player as well. But notice it has some missing opcodes not mentioned in JAVA implementation. Also noting that there are two protocols and things might be a little different.

[matematiko]

The info I posted is direct source code from Yahoo's flash player as well. But notice it has some missing opcodes not mentioned in JAVA implementation. Also noting that there are two protocols and things might be a little different.

They are the same...just different description and different numeric system....Chris used an hexadecimal representation while the one showed are in decimal.....Yahoo Game Owner programmer used the corresponding ascii symbol and so on.

What do you mean by "Yahoo's Flash PLayer" ?

[zappa_engine]

What do you mean by "Yahoo's Flash PLayer" ?

Link to Yahoo's flash player: http://games.yahoo.com/launchGame/ch&pr ... playgame=1

[spadehelp2010]

Hi All,

I was interesting in creating a card counter for yahoo spades. I reviewed this post (and part 2) and found them very helpful. I tried to download the zip file so I can get some ideas on how things work but it's invalid. So if someone can provide the zip or point me in the right direction as to how to decipher the packets that would be helpful. I know how to use a decompiler (Mocha), IDA PRO (for exe files), wireshark, and can understand most programming languages, (java, javascript, perl, c,c++, etc). So any help that would make my life much easier would be appreciated.

THanks,

[unemployed]

http://uploading.com/files/9a25m18a/Wireshark%2B%
since i can not upload my 700 mb file the above one should suffice ..
i hope u will master it with different protocols and filters .
for me this topic is locked

[matematiko]

The author of YtoICS, made a nice document explaining how the java clients connect with Yahoo game servers, it also explains the handshake process, the encryption and decryption and also it explains most of the Room opcodes and Table opcodes. This document was made for Chess but most of the opcodes are valid for other games, of course there are other opcodes used in other games but not in chess.

Since I could not find the document in sourceforget.net, I uploaded to mediafire, I do not claim any credit. All in that document is the work of Chris Howie.


Click here to Download The Yahoo! Chess Protocol


Regards,

[spadehelp2010]

Thank you so much guys for the info. Thanks for going through the trouble of uploading it via other sources. The wireshark pdf will come in handy when I am really trying to dissect the packets. Matematikos obviously the document you provided will save me a lot of frustration and give me momentum to keep trying (I know you didn't write it but you provided it). I have started to write some java code to encrypt and decrypt the messages. and I have a few questions: let me know if I should move it to a pm.


I know this is a lot, so whenever you get around to looking at it. I will appreciate it. Thank you.

1. Big Endian. So basically the MSB (byte) is read first. If my (symmetric) key is 64:a6:42:b4:65:ff:05:48 and the MSB is 48 and my LSB is 64 then 65:ff:05:48 (1711211848) will be used for client to server and 64:a6:42:b4 (1688617652) for server to client communication?

2. Multiply the key by 83. Is there any logic to this number or may it be different in my case. Should I loop through my function from 1 to 100 and see which values make sent?

3. XOR the current character with the key value. just doesn't make logical sense when I look at the numbers. I am XORing a very big number with a small number.

I get strange results. So if this is the ciphertext "fc:48:58:df:2e:c8:dd:35:9a:31:59:8c". I get the following results:

Number of tokens: 12

ciphertext[0] =fc
decimal = 252
xor = 296662692
plaintext[0] =11aeb6a4

ciphertext[1] =48
decimal = 72
xor = -1146806592
plaintext[1] =bba51ec0

ciphertext[2] =58
decimal = 88
xor = -695671232
plaintext[2] =d688e640

ciphertext[3] =df
decimal = 223
xor = -1906140905
plaintext[3] =8e629917

ciphertext[4] =2e
decimal = 46
xor = 704109558
plaintext[4] =29f7dbf6

ciphertext[5] =c8
decimal = 200
xor = -1688451136
plaintext[5] =9b5c47c0

ciphertext[6] =dd
decimal = 221
xor = 1592461125
plaintext[6] =5eeb0745

ciphertext[7] =35
decimal = 53
xor = -969705859
plaintext[7] =c633767d

ciphertext[8] =9a
decimal = 154
xor = 1118788034
plaintext[8] =42af59c2

ciphertext[9] =31
decimal = 49
xor = -1629882439
plaintext[9] =9ed9f7b9

ciphertext[10] =59
decimal = 89
xor = -2136260287
plaintext[10] =80ab4141

ciphertext[11] =8c
decimal = 140
xor = -1215948220
plaintext[11] =b7861a44

[matematiko]

Hello,

It will make more sense if you were looking at the code.
Please download YtoICS latest version and try to correlate what you read in the protocol document and what you see in the code...it will make things lots easier. Of course this version does not work any more because does not implement a way ti display the CAPTCHA letters and because few other things Yahoo has change since.

YtoICS 0.0.4 was the latest version and it can be found here:
http://sourceforge.net/projects/ytoics/ ... p/download

Regards ,