DaniElectra
commented
6 days ago About the payload size, that represents the size of the data after decrypting it and before decompressing it. The value is extracted from the zlib total_out value from the stream. The payload size is still 2 bytes smaller, so I'm guessing the total_out value represents the size without the zlib magic?
This is an example from Minecraft Wii U (The raw payload size removes the AES-GCM tag from the end):
We've been looking at the data sent by the Wii U in
SendReport, and it seems like some parts of the wiki are incorrect with how this data is encoded?Here are all the
SendReportpayloads we've been working with:MK8
In this sample you can see it's using version 7, data type 0. So the
Monitoring data headerdecodes to:However the payload size seems to be wrong? Following the header there is actually 176 bytes, not 160. Though including them in the payload doesn't seem to actually change anything with the crypto/decompression, so it's not clear what those bytes are? Version 7 is PIA 3.10 so it shouldn't have the authentication tag like 5.7+ does, since it's using ECB and not GCM?
Splatoon
In this sample you can see it's using version 11, data type 0. So the
Monitoring data headerdecodes to:However the payload size seems to be wrong? Following the header there is actually 272 bytes, not 269. If these 3 bytes are not included in the payload, then the decryption fails, making the payload size in the header rather useless?
Minecraft
In this sample you can see it's using version 18, data type 0. So the
Monitoring data headerdecodes to:However the payload size seems to be wrong? The payload is actually 176 bytes, not 164. The GCM authentication tag is always 16 bytes at the end of the data, but using 164 bytes leaves 28 bytes as the authentication tag. This doesn't work. Using 176 bytes as the payload and the final 16 bytes as the authentication tag does work, so the payload size is again wrong
All
Additionally there seems to be some issues with the way the internal payload is documented as well. For example take this Minecraft payload:
According to the wiki following the header there should be the PIA version stored as a uint32, but this isn't the case. The PIA version is stored as 3 (4?) separate bytes, each representing a different part of the version. In this case it's
0x050900FFwhich would translate to5.9.0(ignoreFF?), but if this was treated as a uint32 the value would be84476159or8447.61.59The same is true for the NEX version, it is also stored as 3 (4?) individual bytes for each section. In this case that would be
0x030A00FFwhich would translate to3.10.0(ignoreFF?), but if this was treated as a uint32 the value would be50987263or5098.72.63The SDK version is stored as a uint32 though. It's stored as
0x00005335, or21301which translates correctly to2.13.1. So it seems like only some values are actually supposed to be treated as uint32's?EDIT: I've just looked at the encoding functions for the data content in Minecraft, I do see now that it serializes these fields as uint32s despite their structure. I see where that comes from now. However it may be beneficial to change the wiki anyway to document how the data is actually stored in the uint32?