RCE and stuff

Discussion on RCE and stuff within the Kal Online forum part of the MMORPGs category.

Old   #1
RCE and stuff

Hello KalComy,

I hope you people can help me,
I am currently checking out and learning RCE.

I'm debugging the KalEngine a bit atm
and found out where the Recv/Send function is

Code:
    push ebp
    mov ebp, esp
    sub esp, 18
and I checked the old INT source, so I saw the SearchPattern func didn't change at all, same as the asm part...

but what I ask myself is... how did you guys come up with these values?...

Code:
DWORD SendPacketMain_ = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",0x00400000,0x007FFFFF);
DWORD SendPacketMain  = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",SendPacketMain_+1,0x007FFFFF);
DWORD SendPacketBack  = SendPacketMain + 0x06;
I marked the offsets I mean in red,
hope you can help me to understand it (and to learn more about RCE).
Thanks

.biocloc.
biocloc is offline  
Old 02/16/2010, 16:57   #2
SearchPattern is used to find a byte array (or better, a sequence of asm opcodes). It scans memory for the given pattern and returns the address where the pattern was found (if it was).

0x00400000,0x007FFFFF
It will scan the memory address space between 0x00400000 and 0x007FFFFF.

If the address is found, then intercept or any other hooking/detouring function can be used.

Intercept replaces the original bytes with a non-conditional jump to your hook function.

SendPacketBack = SendPacketMain + 0x06
It's used to jump back to the original function when the hook function has finished all its tasks.
Thiesius is offline  
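As an added illustration of what Thiesius describes (this is not code from the thread or from the INT source), here is a small C signature scanner: it parses the pattern string from post #1, treats the `x` slots as wildcards, and scans a constructed byte buffer the way SearchPattern(pattern, start, end) scans the 0x00400000..0x007FFFFF range; the same wildcard-mask matching is what YARA-style detection signatures use to recognise code whose operands differ between builds. The buffer contents, the `pat_byte` type and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint8_t value; int wildcard; } pat_byte;   /* one pattern slot */
/* Parse "55 8B EC x x 00 ..." (x or ? = any byte) into out[]; count, or -1 on error. */
static int parse_pattern(const char *text, pat_byte *out, int max) {
    int n = 0;
    for (const char *p = text; *p; n++) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (n >= max) return -1;
        char *end; long v = strtol(p, &end, 16);
        if (end == p) {                              /* "x" or "?": wildcard slot */
            out[n].wildcard = 1; out[n].value = 0; while (*p && *p != ' ') p++;
        } else if (v < 0 || v > 0xFF) return -1;     /* token is not a single byte */
        else { out[n].wildcard = 0; out[n].value = (uint8_t)v; p = end; }
    }
    return n;
}
/* Like SearchPattern(pattern, start, end): offset of first match at/after start, else -1. */
static long search_pattern(const uint8_t *buf, size_t len, size_t start,
                           const pat_byte *pat, int n) {
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t i = start; i + (size_t)n <= len; i++) {
        int j = 0;
        while (j < n && (pat[j].wildcard || buf[i + j] == pat[j].value)) j++;
        if (j == n) return (long)i;                  /* every slot matched */
    }
    return -1;
}
#define SEND_SIG "55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08"
/* Constructed sample "code": the prologue at offsets 16 and 64, differing only in the
   wildcard slots (cmp / jmp operands), which an exact byte search would miss. */
static uint8_t g_code[96];
static void build_sample(void) {
    static const uint8_t proto[25] = {0x55,0x8B,0xEC,0x83,0xEC,0x18,0x83,0x3D,0,0,0,0,
        0x00,0x74,0x07,0x33,0xC0,0xE9,0,0,0,0,0x8A,0x45,0x08};
    memset(g_code, 0xCC, sizeof g_code);             /* int3 filler */
    memcpy(g_code + 16, proto, 25); memcpy(g_code + 64, proto, 25);
    memcpy(g_code + 16 + 8, "\x10\x20\x30\x40", 4);  /* cmp operand differs in copy 1 */
}
/* Replays post #1: first hit scanning from 0, then the next hit scanning from first + 1. */
static long find_send_main(int want_second) {
    pat_byte pat[64]; int n = parse_pattern(SEND_SIG, pat, 64);
    build_sample();
    long first = search_pattern(g_code, sizeof g_code, 0, pat, n);            /* 16 */
    if (!want_second || first < 0) return first;
    return search_pattern(g_code, sizeof g_code, (size_t)first + 1, pat, n);  /* 64 */
}
```

The first three instructions in the signature (push ebp; mov ebp, esp; sub esp, 18h) are 1, 2 and 3 bytes long, which is where the +0x06 in post #1 comes from: the continuation address has to land on an instruction boundary past the bytes the 5-byte jump overwrites.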
Old 02/16/2010, 18:54   #3
Got the send func working / sniffing too, but either something is seriously off or the packets just got changed, for example 2nd password login == 0x75??? I remember it was 0x88... I think something is wrong.

However, now I need to check how I can bypass the HackShield manipulation, because every 2-3 minutes I get this manipulation error // or does someone know how to fix it? Would be great for hints.
biocloc is offline  
Old 02/16/2010, 20:23   #4
Yeah, they changed some packet types. But I don't know how many of them were actually changed...

To get some info about the Memory Manipulation error, you can view my topic.

There is some info. Well, I'm still signed up for that thing, but I haven't been working on it in the last few days. I have some things to do.
If you want to reverse HShield, then be my guest.
Thiesius is offline  
Old 02/16/2010, 21:14   #5
Quote:
Originally Posted by biocloc View Post
Got the send func working / sniffing too, but either something is seriously off or the packets just got changed, for example 2nd password login == 0x75??? I remember it was 0x88... I think something is wrong.

However, now I need to check how I can bypass the HackShield manipulation, because every 2-3 minutes I get this manipulation error // or does someone know how to fix it? Would be great for hints.
A tip: you don't need send for a bot^^
meak1 is offline  
Old 02/16/2010, 22:10   #6
@meak I am not only talking about KAL, I am talking about the complete RCE scene :>
but how do you mean I don't need SendToServer??

@Thiesius yeah, I can communicate with you about HShield, but if I'm correct HackShield has a 3-minute connect status which allows me 3 minutes to debug hShield()
but I don't know if it still works. But I don't think it will help ;/

// oh, by the way, I think something is wrong @SendFunc... they would never change packet headers, it would take too much time
biocloc is offline  
Old 02/16/2010, 22:32   #7
But they changed e.g. 2nd pw from 0x88 to 0x75
katze123 is offline  
Old 02/16/2010, 22:40   #8
@SendFunc is alright... you can trace a packet forging function in Olly... you will see.
Read the above-mentioned topic for some HShield and engine info (that might give you some clues how it currently works), or PM me...
Thiesius is offline  
Old 02/16/2010, 22:41   #9
And move, move+stop to 0x11 // 0x12, wasn't say() 0x11?

I just think there is a mistake @source... because I can't believe it, I think I will use FingerPrints, I like it more...

@Thiesius, I checked your thread.

Well, going to sleep now, see ya guys
biocloc is offline  
Old 02/16/2010, 23:27   #10
They really changed the headers
MoepMeep is offline  
Old 02/17/2010, 17:43   #11
I mean you don't need to hook send, just use it ;O
meak1 is offline  