After spending many hours on reverse engineering Black Desert Online I noticed that this would be a nice weblog topic.

So, have fun reading :)

Introduction

What is BDO?

Black Desert Online (BDO) is a fairly recent MMORPG. It was first released in 2015 in South Korea; the EU/US release followed in 2016.

Black Desert Online

It's like most other MMORPGs but with some different aspects. I won't go into details; it should be easy to find out more about BDO by yourself.

I just want to mention one thing: There is only one central market, so there is no P2P item trading nor selling.

Why BDO?

  • I play it.

What do I want?

  • Clean up some speculation:
    • How does the RNG work?
    • How the heck is the (market) bidding working?!
  • Increase available tools for players:
    • Statistics for marketplace sales
    • Notifications for marketplace items

Basic Research

Before we start looking into reverse engineering BDO, it's helpful to see what other people did so far.

So, what can we look into?
There are basically two sources for obtaining data:

  • the server
  • the client

Some data may be exclusively available on the server. One big candidate for that is the RNG.

(My) rule of thumb is to start with the easiest option available (easiest for me) and switch to the next when you're stuck. In our case that is the client, as we can simply download the complete client.

The information in the client can be split further into some categories:

  • Static data (files)
    • Executable code
    • Assets / resources
  • Dynamic data
    • Process memory
    • Network data
    • Saved data (in our case most likely only on the server)

With that in mind we look through tools for BDO and try to guess where they got their data from.

  • Map www.somethinglovely.net/bdo

  • BDO Database bddatabase.net
    Database with Items, Quests and everything else

  • Alchemy / Cooking Calculator and Node Manager www.bdodae.com
    Recipes for alchemy / cooking and margin calculation (requires current marketplace prices of items).

  • BDO Planner (Gear) bdoplanner.com

  • Fail Stack Optimizer www.blackd.de/failstacks

Available Data

The existing tools suggest that it must be possible to extract, at least to some degree, static asset data from BDO (or they have plenty of time to retype all the data). But none of them seems to have live data. So it's unlikely BDO offers a (possibly undocumented) API for their data.

So I started looking around in the game folder to find the data some of the tools are using. The search revealed that everything except binaries, cache and logs resides in .PAZ files.

Discover PAZ File Format

So first of all it's a good idea to find out if this is a common file format.

Detecting a file's format:

  • Use the file command on Linux or BSD / OS X.
    -> Not available on Windows :(

  • Try uncompressing the file: Open it with e.g. 7-zip.
    -> Not a valid archive or unknown to 7-zip.

  • Search the net for the '.PAZ' file extension.
    -> Looks like a BDO specific file format. (Keep in mind that BDO uses its own game engine.)
    After scrolling further through the search results I found some tools for unpacking those files:

    • Unpacker:
      https://github.com/kukdh1/PAZ-Unpacker

    • BDO (PAZ) Modding Tools:
      https://www.undertow.club/threads/black-desert-online-modding-tools.9197/

So now we could unpack the static game assets. As I'm currently not interested in the static stuff I'll just put it on my list of things I found out about BDO and keep digging around. This could be handy later, who knows.

Cheating tools tend to work with the process memory and could tell us how easy it is to bypass the Anti-cheat software. And maybe they already have access to some of the information I'm interested in.

Searching around revealed no available cheats except some bots. Besides, I don't like cheaters, and I definitely won't support people selling Cheats / Bots, so I won't link them here.

But there are some people who claim that most of the game logic is executed on the client, such as:

  • position (movement speed / height)
  • skill cooldown

That would be horrible, and as I know of too many companies / developers failing with such stuff it's not that unlikely. So I'll put that on my list of things I want to prove.

Before considering the Process Memory as your starting point you should definitely have a look at the Anti-cheat software, which in the case of BDO is XIGNCODE3:

BDO XIGNCODE3

Looking at their list of features it seems like they are undefeatable, but that's what every Anti-cheat vendor wants you to think (they want to sell it). Searching on cheat forums gives a more realistic list of features (Source):

They can detect:

  • API hooks
  • Filenames
  • Files on your drive via USN Journal & Prefetch
  • API call return addresses
  • Signatures of known cheats
  • Window titles
  • Strings
  • DNS cache entries
  • Icon hashes
  • Linked modules
  • Code injection at runtime

For pure process memory analysis that should be no big problem, but besides the detections they claim to protect the game against manipulation:

  • Reject game process memory access
  • Reject game process handle access
  • Reject game process message transmission
  • Reject game process keyboard/mouse input transmission
  • Reject game window GDI access
  • Reject debug interrupt handler modification
  • Reject calling kernel functions directly
  • Reject stealth processes/modules/drivers
  • Reject kernel/user mode debugging

Those, on the other hand, look like a show stopper. I may write an article on Anti-cheat software and go into some details on how they basically work and how they can be bypassed.

But for the current project I'm going to move memory analysis to the end of my list of things to try.

Network Protocol

Next thing on my list are the network protocols.

The easiest way to get a basic idea of what BDO is doing is looking at the network traffic itself. So I fired up Wireshark and scrolled through the packets. To minimize unrelated traffic I ran BDO inside a VM, in my case VirtualBox.

BDO Launcher

My first target was the BDO Launcher:

BDO Launcher

Wireshark BDO Launcher

You may wonder what I was looking for in the traffic. My first step is to scan everything and try to spot interesting stuff that may already give me some clues about what BDO does.

What caught my eye was the following:

  • DNS
  • HTTP
  • TCP without HTTP
  • TLSv1.2 (most likely HTTPS)

Except for the TCP-only packets it looks MUCH like a web browser. This could be useful, not for the information I'm looking for but maybe for understanding how the BDO infrastructure works.

I'll put the analysis of the network traffic data in a separate article, "Black Desert Online - Network Protocol Basics", so I don't go beyond the scope of an overview.

BDO Game

But there is more, the actual game I'm interested in:
(Note: I had to bypass an Anti-VM check; that will be covered in Executable Code.)

BDO Game

Now only one TCP connection is left that caught my attention:
(Note: There were still some HTTP and HTTPS requests, but they belong to XIGNCODE3 so I'll skip them here.)

Wireshark BDO TCP Traffic

Wireshark has some great functions for analysing traffic; for TCP there is "Follow -> TCP Stream":

Wireshark Analyse TCP Stream

That looks like rubbish; even when I scanned the whole stream I couldn't find any plain text.

That can have multiple reasons:

  • The stream is compressed.
  • The stream is encrypted.
  • The protocol uses a very strange text encoding.

An easy way to guess whether they are using any kind of encryption is to gather multiple TCP streams and compare them. If they are using (good) encryption the payload looks like pure randomness.

When I connected to the server multiple times it sent random looking data except for the first 5 bytes, which could be the length of the packet and / or the packet type. So this looks much like encryption to me; it could be a key exchange or something similar.
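As an added example (not code from the original post), a small Python script that applies this comparison to several saved stream payloads: it counts how many leading bytes are identical in every stream (a likely header) and measures the Shannon entropy of what follows, which is close to 8 bits per byte for encrypted or compressed data and much lower for plain text. The file arguments (raw dumps as saved from Wireshark's "Follow TCP Stream"), the 5-byte header value and the entropy threshold are assumptions; the fallback samples are constructed.

```python
import math
import random
import sys
from collections import Counter

# Constructed stand-in for the 5 fixed leading bytes seen in every capture.
HEADER = b"\x40\x00\x00\x01\x00"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 .. 8.0); 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def common_prefix_len(streams) -> int:
    """Number of leading byte positions that are identical in every stream."""
    shortest = min(len(s) for s in streams)
    for i in range(shortest):
        if any(s[i] != streams[0][i] for s in streams[1:]):
            return i
    return shortest

def analyse(streams, threshold: float = 7.0):
    """Split each stream into shared prefix and body; high body entropy in all
    streams points to encryption (or compression), low entropy to plaintext."""
    prefix = common_prefix_len(streams)
    entropies = [shannon_entropy(s[prefix:]) for s in streams]
    if all(e >= threshold for e in entropies):
        verdict = "high-entropy payload: encrypted or compressed"
    else:
        verdict = "low-entropy payload: plaintext or structured data"
    return prefix, entropies, verdict

def constructed_encrypted_stream(seed: int, n: int = 2048) -> bytes:
    """Constructed sample: fixed header followed by seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return HEADER + bytes(rng.getrandbits(8) for _ in range(n))

def constructed_plaintext_stream(seed: int) -> bytes:
    """Constructed sample: same header followed by repeated readable text."""
    line = f"user{seed}: hello, this is an unencrypted chat line\r\n".encode()
    return HEADER + line * 40

if __name__ == "__main__":
    # Pass raw stream dumps as arguments; with none, analyse the constructed samples.
    if len(sys.argv) > 1:
        streams = [open(p, "rb").read() for p in sys.argv[1:]]
    else:
        streams = [constructed_encrypted_stream(s) for s in (1, 2, 3)]
    prefix, entropies, verdict = analyse(streams)
    print(f"shared prefix: {prefix} bytes ({streams[0][:prefix].hex()})")
    print("body entropy:", ", ".join(f"{e:.2f}" for e in entropies))
    print(verdict)
```

Compression also yields high entropy, so a high reading alone does not distinguish it from encryption; a fixed header that never changes across connections is the part worth decoding first.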

Maybe someone else already figured that out for me; turns out someone did:

  • BlackDesert-Network-Tools

But that code is from around the time of the public EU/US release, so it's possibly outdated. On the other hand they managed to decrypt the packets with Rijndael (AES).

That supports my theory of encryption.

Comparing the current packets with the structure in PacketParser.cs it's pretty clear that the packets I captured do not match that structure in any way.

Also the developer(s) state in their open source BDO server project DesertProject:

Packet cryptography was patched on May 4th (2016), awaiting people willing to update this project.

That was the point where I moved the Protocol Analysis down on my list of things to try.

Executable Code

Maybe analysing the executable could give some hints on the encryption and key used.

As I already came across the Anti-cheat software and an Anti-VM check it's possible they protected their executable against analysis. The Anti-VM check error directly shows that it is part of Themida:

Themida Anti-VM check

You may be interested in how I bypassed the Anti-VM check of Themida:

  • open regedit and
  • delete any key (folder) containing VBOX in HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\,
  • empty the values of HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion and HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion.

It's always a good idea to throw a protection analyser at the executable. ProtectionID and exeinfo usually do a great job:

ProtectionID BDO

exeinfo BDO

Both also detect Themida, which makes your life hard when reverse engineering machine code. Packers tend not only to obfuscate the executable but also to protect it against debugging and sometimes even more. So that was the point where I also moved the executable down on my list.

Next step(s)

Now I'm out of things to try on the "easy" level of my list.

I decided to continue analysing the executable as I had some ideas in mind on how to go on. Also, I tried analysing packed executable code before and never succeeded, so that's one of my long term goals I could now achieve.

If you missed it, the next article will be about the basic network analysis I already did at this point:

  • Black Desert Online - Network Protocol Basics