Teeworlds - bridge

yo latenight hax0rs who wants to explain tw protocol to a 5yo?

a normal question would be better

i struggle making a screenshot xd

21:53

i just wonder where i can see what kind of packet it is. I was using tcpdump -X and searched for numbers defined in the protocol.h enum that was generated

21:53

that did not work out too well

21:54

NETMSGTYPE_CL_SAY seems to 24 and i have a chat message dump but i cant find number 24

21:54

well or 18 in hex encoding

21:55

or is it a 4 byte int and then not displayed as 18?

21:55

ah well that makes no sense idk

22:26

yay got screenshot working

22:27

so this is my yeee chat message any idea how to see that it is a chat message?

ChillerDragon: you can use the packet_decode from libtw2 tools

im not better at reading rust than c

23:11

or does it help me reading the packet when run?

it outputs the packet

23:12

in human readable form

how do i input it tho

the input is a bit excentric though

stdin?

need to prefix |

hex?

and suffix | after the hex

raw?

yes

23:12

hex

ok

23:12

sounds good

oh wait, coming from you it might be a 0.7 packet

23:13

don't have support for that

meh

23:14

i mean cool and all but a bit of a weird tool isnt it?

wdym?

what about a wireshark dissector instead

I tried doing that afterwards, but my motivation got lost midway

meh

23:15

i really miss a proper dissector for tw

I think @Learath2 started a packet dissector

ye ik

23:15

but he also does not seem to continue it

have you tried it? maybe it's at a stage where it's useful to you

i messed with fstds c dissector and nheirs lua implementation

23:16

was not too successful

23:16

oh wait

23:17

you are talking about using not implementing?

23:17

i havent seen learaths dissector

but it doesn't look like it's able to dissect at a level where you need it

it even has a huffman.c that looks promising

23:19

but heinrich do u know maybe how i can read the packets without a dissector?

23:19

like at least find out the type

give the bytes in a usable format please

23:20

maybe base64

wot

23:21

why is hex not useful?

or hex

23:21

but not an image

xd

23:21

fair

and preferably only the UDP payload

https://paste.zillyhuhn.com/LP

23:21

oop

23:22

thats all

23:22

also including my ip :D

23:22

idk how to only get udp payload with tcpdump

you already did that in the original screenshot

ikr

open it in wireshark, I guess

23:22

you can get the udp payload there

well

23:22

ye ik

23:24

working w gui applications is so annoying no clue how to copy stuff

try rightclick

that copies it all

ok, rightclick "Data" below "User Datagram Protocol" and select "Copy" → "as a Hex Stream"

23:27

does that work?

https://paste.zillyhuhn.com/Rk that should be a manual slice only with the udp data

23:27

idk

23:27

003d0200000031402318300140454545454545454545454545454545454545454545454545454545454545450000172996fedfda029bfedfda02280014000000000000000023

23:27

thats the result

23:27

could be it

23:27

yes

23:28

when compared to my manual slice it looks good

23:28

i realized that chat messages are usually prefixed with 300140 but idk where that comes from

now we can look into src/engine/shared/network.h

23:30

it says 7 bytes header

ye bcs chat is probably not connless

23:31

what is connless btw is it only in the beginning before there is a token?

flags is 0, ack is some uninteresting number, numchunks is 2

23:31

so we're expecting two chunks

23:31

no compression, so that's also good

23:32

connless: server info, masterserver communication

23:32

uhm

23:32

your token very much looks like it's just one byte

sounds secure

you might want to check the code that generates it, it's likely to be vulnerable to IP spoofing

23:33

anyway

not that i changed that xd

which server did you connect to?

do we have a security issue again?

23:34

uhm

23:34

ddnet7 i think

next byte is 40

23:35

that should be the message ID

yes ddnet7 confirmed

ah no, it's not

23:35

the chunk header

wait u lost me at the 1 byte token

we now see the chunk header 40 23 18

23:36

we check src/engine/shared/network.h again

23:38

flags is VITAL, size is 8, we also have a sequence number

23:38

so now the next byte should be the msgid

23:39

0x30 == 0b0011_0000

23:39

that should just be 0x30 = 48, lowest bit is system flag, since it's an even number it's apparently a game message

23:39

number 24

oh

we check build/src/generated/protocol.h

ye i was searching that 24

23:40

but i did not expect it to be a 30

it says CL_SAY

ye

23:40

i was looking for that

23:40

the systemflag got me

23:42

wait but how did u see 0b0011_0000 is 24?

23:42

isnt lowest bit 0 here?

23:42

ah

23:43

ye but its not counted

23:43

so its 0b0011_000

23:43

aah

0x30 = 48, and then I halfed that

but it is not a fixed offset is it? So i can not use tcpdump to check for 0x30 at this index

halved*

ye

23:44

got that part now i hope

it'll work in practice

23:44

is that enough?

yea sounds good

23:44

think i learned a lot thanks mate

you're welcome