Nexon handles all of them in mainly 2 methods:
CWvsContext::OnPacket for most opcodes < 140 (decimal).
Getting used to the names Nexon uses might take some time.
2) Looking for that method in the client you're analyzing.
Finding send-packets (which the client will receive) is not that hard.
This is much faster than text-search.
1) Locating the packet you need in the KMST client.
I: Search for an integer value in assembly.
This works in almost all sub-windows of IDA (method list, assembly, pseudocode.)
B: Search for a sequence of bytes (you may know it as AoB, but unlike CE this doesn't support variable bytes, sth.
X: Find all references to the method you have marked with your cursor in asm/pseudocode.
Of course there are more tabs like Hex View, Imports, Exports and later Pseudo Code.
F5: Decompile the current method into pseudo C code.
On the left, you'll see a list of all methods (usually ordered by address), in the middle there is an assembly view of the current function (the tab is called IDA View).
Run IDA again and do the same for the v90 IDB.
If the quick-start comes up, select Go and then open the KMST IDB.
To start IDA, best use idaq.exe - That's the new QT version and it just looks much better than the old version.
It has some common functions like CInPacket/COutPacket methods already named.
If you are going to analyze v90, you can download a pre-made IDA database here.
Trial and Error is a very important concept for this.
#Use ida pro how to
Like I've promised, I've created a little tutorial on how to get packets/opcodes out of an unpacked client using IDA.