Winsock Packet Editor (WPE)
A tutorial on basic packet forging with WPE.
This is the basic idea behind packet forging/editing/whatever. I'm pretty sure I've left something out and made errors. Any mistakes/suggestions/comments/queries can be sent to me via one of my contacts. Please contact me with your questions. It's the only way I can make this tutorial better. Also, after testing the first half (sending) to make sure it worked, I noticed that the lines run together anyway, but the theory remains the same. There is nothing wrong with the filter section.

Welp, this is because everyone at WOGH wanted a tut... And I'm not much for introductions, so let's just dive right in.
Things you'll need:
Winsock Packet Editor (A non-XP version) (http://fly.to/mtc)
TetriNET 1.13 (http://downloads.com/)
TetriNET is a free little Tetris-like game that's easy to learn packet editing on. I don't like v2 much, so I stick with 1.13. :) You'll need a friend or two computers to follow along with this tutorial (What did ya expect? We're editing packets here). You can figure out how to set it up on your own; this ain't a tut on TetriNET.
Packets are how a multiplayer game communicates with whatever it's talking to (server, another game). Whenever you do something in the game, the game might send a packet out to the server saying what you did. Packets are how the server knows where you are and where you are moving to. It's how other people know as well. Without packets, you could move around in your game, but no one else would see you moving. When you browse the internet, your browser sends packets out asking for a website. The website it receives is also in packets. Messages you send over the internet are in packets. Everything you do on the internet uses packets of some sort.
What can you do with packets? That really depends on the game. With some games, you can have full control over everything.
With others, packets can do next to nothing. How can you know what you can do? Experimentation is the only way. Once you figure
out how to send the correct packets, you can try and see if the game reacts how you wanted. In Helbreath, if you send a packet
saying you drop 10,000 gold but you only have 5 gold, you will drop your gold and the game will crash. It's somewhat what
you wanted (dropped the gold), but not exactly.
That brings me to my next point. Will packets always work? No. It depends on how the game was programmed. By this, I mean the way the game/server handles packets. You can only find out what works and doesn't work by trying. Some things will appear to work, but actually won't work at all. In Helbreath, you can set a filter on incoming packets to always make whatever gold you pick up turn into 65,500 gold (or whatever). It appears like this works, but if you turn the filter off and drop your gold, when you pick it up again it will be normal. You didn't actually trick the server into thinking you had that much gold. In most multiplayer games, everything of importance will be checked against information the server has. You have to use packets in order to attempt to trick the server.
Okay, so launch up TetriNET and Winsock Packet Editor. Have your friend or other computer run TetriNET also. Decide who is going to be client/server and connect. In WPE, double-click the select game button. You
now have a list of running processes on your computer. From this list, select TETRINET.EXE...since we're wanting to mess with TetriNET. Go ahead and double-click the trace button.
A small form pops up with VCR-like controls.
The play button is for recording packets. Once you click this, any packets sent/received by TetriNET will be recorded inside
WPE up to your maximum amount (defined in your WPE options). After clicking it, it turns into a pause button. You click this
button to pause packet recording. Not too hard to figure out, eh? Next to this button is a red button that looks like it should
be the record button (But it's not). This is the quit button. After you're done recording your packets, you click this button
to view them.
Notice how the dialog now has three buttons: a floppy disk, a trash bin, and some binoculars with a question mark. These are your save, erase, and search buttons. You can save the packets (in the seen layout) for future reference, erase them and start over, or search within them. This is simple stuff, no?
Packets are shown in this format:
Line number    Hex representation    ASCII representation
It's your standard hex view. If you don't know what hex is, I strongly suggest you read a tutorial you stupid moron. You may also notice an S or R by each line. The S means this line was sent out from TetriNET and the R means the line was received by TetriNET. Not hard... The different numbers on the left are just line numbers. 0000 is the first line, while 0020 is the second line, 0030 is the third line, and so on.
I suggest, so you can follow with the tutorial, that you record some packets of you and your friend talking back and forth...But
feel free to do what you like.
So we have some packets. What now? Let's take a look at what we've got.
You can obviously tell where the text you sent is. On slightly closer inspection you can see that each line starts with a pline and then a number. Hm, so our TetriNET sends and gets this every time someone speaks:
pline X Message (Where X is the mysterious number and Message is the person's message)
If you think a little about how they get the numbers, you'll soon realize that the 1 represents the first person to connect and the 2 represents the second player to connect. If you have more players connect, they'll be assigned 3, 4, 5, etc. The game doesn't actually send your name, it sends your player number. :) Now we know what we need to send to the game in order to forge a packet. How do we do this?
I don't know, plz eMaIl me wit hax0rz fir thi$ l337 gamx0r
Heh, threw that in for RustdBolt.. :)
Now we need to send a packet. There are two ways to do this. One way requires a little more work, but you'll have to use
that when making a trainer that messes with packets. I'll cover both. The first way is to double-click on one of the Ss or
Rs in your packet window. This pops up a message box with the function used and the socket ID. You can close this box now.
Go ahead and double-click the Send Packet button.
You should now be looking at something like this. Yours will be a little different if you double-clicked an S or an R (Open socket ID will be filled in). We know what we want to send, and we need to create a new packet, so double-click one of the Packet nº X entries in the list box. This opens the packet edit dialog.
In here, all you have to do is type your packet. If you need to adjust the size, click the size button. This will erase anything you have typed in before, so I suggest doing this before you start. You can also change the name of the packet from Packet nº X. Each character is 1 byte, so increase/decrease as needed. We know that the say command is pline, so let's try and forge what our friend says. Increase the bytes to 34 and type "pline 2 I'm dancin like a monkey!" (assuming 2 is your friend and not you) into the text area of the editor. The hex will show up automatically. Click quit and that'll save your packet. If you wish, you can click the floppy disk to save your packet list.
See the big arrow between the packet list and the packet order area? Select your packet and click that arrow. It adds your
packet to the list of packets we're going to send. You can use the red X on this area to remove a single packet or the trash
can to remove all packets. The same works in the packet list area.
Now we should have one packet in the packet order area. Our green meter should be at 1%. Here's where we have two options for sending. Option one uses the stuff I said you could do earlier (Open socket ID). If you did the open socket ID part, select the "Open socket" checkbox. Your open socket ID should not be 0. If you're doing it the other way, here is what you need to do. You need to select the "New socket" checkbox. This will enable the IP address textbox and the port textbox, and disable the open socket textbox. Type in the IP address of the server and the port the game receives information on.
When you're done picking how you want to send the data, just click the play button. The status message will tell you how everything is going. After the packet is sent, the packet number and packet error labels will update, giving you the final result.
Ask your friend if he saw anything. I'm betting money he didn't see anything until you typed another message... and the messages ran together. Why? Quit out of the send packet area and take a closer look at the packets you received.
By just looking at the ASCII closely, you'll notice that all lines have a . (period) after them, whether or not you/your friend put them there. Before you rush off and change your packet to add a period, let's take a look at the hex representation of your code. Hm, all lines end with FF. Eureka! (Translation: I've found it!) The programmer is using FF to tell when a packet has ended. Edit your packet to include FF (edit on the hex part). It's the reason I said do 34 bytes instead of the 33 needed. The packet should now work correctly.
Congratulations, you've just forged your first correct packet (probably).
Further breakdown of the packets can yield all of the game's functions, from logging in to the special blocks used in play.
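Two things this tutorial has established so far are worth seeing from the receiving side: the FF terminator that frames each message (and why a packet without it runs together with the next one), and the kind of check a server can apply so that a pline naming another player's number is not taken at face value. The following is an added Python example, not code from WPE or TetriNET; the message layout (b"pline <slot> <text>" ended by 0xFF) and the sample stream are assumptions built from the tutorial's description.

```python
# Added example (not WPE or TetriNET code): frame 0xFF-terminated messages
# and validate the player number in a 'pline' against the slot the server
# itself assigned to the sending connection.
# Assumption: messages are ASCII, b"pline <slot> <text>", each ended by 0xFF.

TERMINATOR = 0xFF


def split_frames(stream: bytes):
    """Cut a raw byte stream into complete 0xFF-terminated frames.

    Returns (frames, leftover). Anything after the last 0xFF is still
    incomplete, which is why a forged packet sent without its trailing FF
    silently merges with the next message the client types.
    """
    frames, buf = [], bytearray()
    for b in stream:
        if b == TERMINATOR:
            frames.append(bytes(buf))
            buf.clear()
        else:
            buf.append(b)
    return frames, bytes(buf)


def validate_pline(frame: bytes, sender_slot: int):
    """Server-side check for every 'pline' received: the slot named in the
    message must be the one the server assigned to the connection it
    arrived on. Returns (accepted, reason)."""
    parts = frame.split(b" ", 2)
    if len(parts) < 3 or parts[0] != b"pline":
        return False, "not a pline message"
    if not parts[1].isdigit():
        return False, "player number is not numeric"
    claimed = int(parts[1])
    if claimed != sender_slot:
        return False, f"claims slot {claimed} but arrived on slot {sender_slot}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed stream: a real message from player 1, then the tutorial's
    # forged message sent WITHOUT its FF, then player 1's next real message.
    stream = (b"pline 1 hi\xff"
              b"pline 2 I'm dancin like a monkey!"
              b"pline 1 hello\xff")
    frames, leftover = split_frames(stream)
    for f in frames:
        print(f, validate_pline(f, sender_slot=1))
```

Run as a script, the second frame comes out as the forged text glued to "pline 1 hello", and the validator rejects it because it claims slot 2 on player 1's connection.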
Anyways, on to filters..
Filtering in WPE is basically (in English), this:
WPE: Hey, I have this stuff.
Filter: Yeah, well, change this part here to this.
WPE: *Changes and sends it to the game*
Simple concept. Let's go ahead and open up the filter dialog by double-clicking the filter button.
This dialog is pretty much just like the packet list area from the send packet dialog. It just has a few more buttons, only one of which you don't know already and really need to learn. The button with the circle on it and the hard-to-read text (on my screen, anyway) is your on/off button. This turns filters on and off, obviously. Let's create a filter. Double-click a Filter X line. This opens the edit filter dialog.
This is a bit different from the edit packet dialog. Leave all the options the same (you can change the name if you like). We're only going to work with the manila area. The top line (search) is the packet received by the program. The bottom line (modify) is the hex you want to change it to. The hardest part about filters is just filling in the search information (and that's not even hard). Let's say we wanted to change our incoming messages to always be from player 2. All we would have to do is type the pline part into the search area, and in the modify area we type in 2. The only catch is, this information must be in hex. How do we get this in hex? Two ways: convert it manually or just look at your captured packets.
Notice I only used five areas in the search line. This is because "pline" is only five characters long. WPE ignores all other parts of the packet (since we didn't specify any other parts in the search line) and just searches for those first five characters. Also, in the modify area I changed just one block (block 7). This is because the player number is the only part of the packet we want to change. You must specify the ASCII code for 2 and not the number 2 itself. You can get this by looking at your packets. What this filter does is change any message received/sent into a message from player 2. Not exactly helpful, but you get the idea. When you're done messing with the filter, click quit. This saves your filter. Now click the checkbox next to your filter and click the off/on button. This just enabled the filter. You cannot use some other WPE features while a filter is on. Test it out. This is actually a better way to fake messages, as you can just turn the filter on and type what you wanna say. It doesn't require you to create a new packet for every message.