packet logger

Page 2 of 2 1 2
06/12/2009 15:28 plixbugmenot#16
I am pretty sure the easiest way is to log packets is to find the code in the client that encrypts the packets and hook it. can't be that hard to find... start at the sockets and work your way up! Same for decryption, hook the client! why do the hard work when you can use the excisting code in the client. lazyness ftw :p

EDIT: Oh great, that is exactly what you did... nevermind :D
06/15/2009 10:48 BuBucekTop#17
plixbugmenot, you can participate in finding crypto-algorythm if it seams so easy to you.
06/16/2009 01:28 plixbugmenot#18
I'm talking about intercepting the data BEFORE encryption... somewhere the objects/values that are sent to the server must get serialized and encrypted through a function call... for example SendAndEncrypt(Object* myObject). If you find that function and hook it, then you don't have to find the decryption algorithm. And if you want to make a standalone client you can probably extract the encryption algo in asm and use it in your own program. Don't make things harder then they need to be!

(hard part is finding the function(s) that serialize/encrypt)

You know, you just made me want to figure this thing out, let's fire up my disassembler.
06/17/2009 11:01 BuBucekTop#19
Ha. It's the most interesting part - to find encryption algo. Is far as I've discovered - client uses GNET::Octets for storing the encrypted data, but I'm stuck in findning where plain data being encrypted...
06/17/2009 22:06 silkytail#20
since someone still wondering - here's [Only registered and activated users can see links. Click Here To Register...]
06/18/2009 00:24 plixbugmenot#21
I took a little peek under the hood, and I found this

.data:0093A110 class GNET::CompressARCFourSecurity

.data:0093A110 class GNET::CompressARCFourSecurity

these are both RTTI type descriptors :)

I saw those called pretty close to some ws_32.send calls. Coincidence? I don't think so.

But who cares about those, when you have the objects that get used for sending data. You don't even have to reverse engineer the packet data, nor decrypt it.

I'm talking about these:

GNET::ChatMessage
GNET::WorldChat
GNET::RoleStatusAnnounce

and maybe more interesting for trade hacks:

GNET::TradeAddGoods_Re
GNET::TradeStart_Re
GNET::TradeRemoveGoods_Re

and there are lots more, for walking, fighting, etc

Just find the constructor of these objects, add breakpoints, and you can figure the other stuff out yourself I think :)

ohyeah, receiving data, I don't know exactly how that works, but I am pretty sure it will clear itself up when you dig into these GNET objects. I'm guessing there is actually a callback to these objects when receiving data.

Just throwing in some ideas ;)


EDIT:

I went a little deeper, I chose 1 object, GNET::ChatRoomCreate, and did some debugging, this is what I found.

Code:
005C86C0 [COLOR="Green"]CONSTRUCTOR of chatRoomCreate, gets normal string of the name of the chatroom[/COLOR]

v

sub_5B3B30, [COLOR="Green"]ENCRYPTION starts here, all data that gets send passes through here, this means walking, battling, skills etc
this is a function of a baseclass, either GNET::MARSHALL or GNET::PROTOCOL I know this because ecx gets passed [/COLOR]

v

sub_5B3B70, [COLOR="Green"]this is a function of an object at offset 0AC, this could be the encryption object?[/COLOR]

calls CALL DWORD PTR DS:[EDX] [COLOR="Green"]///these are just here[/COLOR]

v

somefunc  [COLOR="Green"]///to show how the data gets at the socket[/COLOR]

v

00431490
{

	00431507  |.  FFD5          CALL EBP [COLOR="Green"]//copy data into socket to send[/COLOR]
}
BUT I am not sure if there is really encryption going on, no breakpoints hit on the RCFOUR code while I was testing. They might be just serializing the data in some compressed binary format, which would make more sense anyway
06/18/2009 11:36 BuBucekTop#22
Quote:
sub_5B3B30, ENCRYPTION starts here
plz, post fragments of dizasm, because we have different versions of client exe.

This is the sending routine
Code:
.text:0059F960                 push    ebx
.text:0059F961                 push    esi
.text:0059F962                 mov     esi, ecx        ; eci = ecx = streamIO
.text:0059F964                 push    edi
.text:0059F965                 push    0               ; flags
.text:0059F967                 mov     eax, [esi+10h]  ; data
.text:0059F96A                 mov     ecx, [eax+4]    ; data buffer
.text:0059F96D                 mov     edx, [eax+8]    ; data length
.text:0059F970                 mov     eax, [esi+4]    ; socket
.text:0059F973                 mov     ebx, ecx
.text:0059F975                 sub     edx, ebx
.text:0059F977                 push    edx             ; len
.text:0059F978                 push    ecx             ; buf
.text:0059F979                 push    eax             ; s
.text:0059F97A                 call    ds:__imp_send
.text:0059F980                 mov     ebx, eax
.text:0059F982                 test    ebx, ebx
.text:0059F984                 jle     short loc_59F9B1 ; jump if send error
.text:0059F986                 mov     edi, [esi+10h]
.text:0059F989                 mov     esi, [edi+4]
.text:0059F98C                 add     ebx, esi
.text:0059F98E                 cmp     esi, ebx
.text:0059F990                 jz      short loc_59F9EC
.text:0059F992                 mov     ecx, [edi+8]
.text:0059F995                 sub     ecx, ebx
.text:0059F997                 push    ecx             ; Size
.text:0059F998                 push    ebx             ; Src
.text:0059F999                 push    esi             ; Dst
.text:0059F99A                 call    ds:memmove
.text:0059F9A0                 mov     eax, [edi+8]
.text:0059F9A3                 sub     esi, ebx
.text:0059F9A5                 add     esp, 0Ch
.text:0059F9A8                 add     eax, esi
.text:0059F9AA                 mov     [edi+8], eax
.text:0059F9AD                 pop     edi
.text:0059F9AE                 pop     esi
.text:0059F9AF                 pop     ebx
.text:0059F9B0                 retn
.text:0059F9B1 ; ---------------------------------------------------------------------------
.text:0059F9B1
.text:0059F9B1 loc_59F9B1:                             
.text:0059F9B1                 call    ds:WSAGetLastError
.text:0059F9B7                 cmp     ebx, 0FFFFFFFFh
.text:0059F9BA                 jnz     short loc_59F9C3
.text:0059F9BC                 cmp     eax, 2733h
.text:0059F9C1                 jz      short loc_59F9EC
.text:0059F9C3
.text:0059F9C3 loc_59F9C3:                             ;
.text:0059F9C3                 mov     ecx, [esi+10h]
.text:0059F9C6                 push    eax
.text:0059F9C7                 push    offset aPolloutErrnoD ; "Pollout: errno=%d \n"
.text:0059F9CC                 push    80h             ; Count
.text:0059F9D1                 mov     edx, [ecx+4]
.text:0059F9D4                 push    offset byte_97F5B4 ; Dest
.text:0059F9D9                 mov     [ecx+8], edx
.text:0059F9DC                 call    ds:__imp__snprintf
.text:0059F9E2                 mov     eax, [esi+8]
.text:0059F9E5                 add     esp, 10h
.text:0059F9E8                 mov     byte ptr [eax+4], 1
.text:0059F9EC
.text:0059F9EC loc_59F9EC:                             
.text:0059F9EC                 pop     edi
.text:0059F9ED                 pop     esi
.text:0059F9EE                 pop     ebx
.text:0059F9EF                 retn
as you can see in mov eax, [esi+10h] ; data we have to find where this data being created and encrypted.
06/18/2009 11:37 BuBucekTop#23
Quote:
sub_5B3B30, ENCRYPTION starts here
plz, post fragments of dizasm, because we have different versions of client exe.

This is the sending routine
Code:
.text:0059F960                 push    ebx
.text:0059F961                 push    esi
.text:0059F962                 mov     esi, ecx        ; eci = ecx = streamIO
.text:0059F964                 push    edi
.text:0059F965                 push    0               ; flags
.text:0059F967                 mov     eax, [esi+10h]  ; data
.text:0059F96A                 mov     ecx, [eax+4]    ; data buffer
.text:0059F96D                 mov     edx, [eax+8]    ; data length
.text:0059F970                 mov     eax, [esi+4]    ; socket
.text:0059F973                 mov     ebx, ecx
.text:0059F975                 sub     edx, ebx
.text:0059F977                 push    edx             ; len
.text:0059F978                 push    ecx             ; buf
.text:0059F979                 push    eax             ; s
.text:0059F97A                 call    ds:__imp_send
.text:0059F980                 mov     ebx, eax
.text:0059F982                 test    ebx, ebx
.text:0059F984                 jle     short loc_59F9B1 ; jump if send error
.text:0059F986                 mov     edi, [esi+10h]
.text:0059F989                 mov     esi, [edi+4]
.text:0059F98C                 add     ebx, esi
.text:0059F98E                 cmp     esi, ebx
.text:0059F990                 jz      short loc_59F9EC
.text:0059F992                 mov     ecx, [edi+8]
.text:0059F995                 sub     ecx, ebx
.text:0059F997                 push    ecx             ; Size
.text:0059F998                 push    ebx             ; Src
.text:0059F999                 push    esi             ; Dst
.text:0059F99A                 call    ds:memmove
.text:0059F9A0                 mov     eax, [edi+8]
.text:0059F9A3                 sub     esi, ebx
.text:0059F9A5                 add     esp, 0Ch
.text:0059F9A8                 add     eax, esi
.text:0059F9AA                 mov     [edi+8], eax
.text:0059F9AD                 pop     edi
.text:0059F9AE                 pop     esi
.text:0059F9AF                 pop     ebx
.text:0059F9B0                 retn
.text:0059F9B1 ; ---------------------------------------------------------------------------
.text:0059F9B1
.text:0059F9B1 loc_59F9B1:                             
.text:0059F9B1                 call    ds:WSAGetLastError
.text:0059F9B7                 cmp     ebx, 0FFFFFFFFh
.text:0059F9BA                 jnz     short loc_59F9C3
.text:0059F9BC                 cmp     eax, 2733h
.text:0059F9C1                 jz      short loc_59F9EC
.text:0059F9C3
.text:0059F9C3 loc_59F9C3:                             ;
.text:0059F9C3                 mov     ecx, [esi+10h]
.text:0059F9C6                 push    eax
.text:0059F9C7                 push    offset aPolloutErrnoD ; "Pollout: errno=%d \n"
.text:0059F9CC                 push    80h             ; Count
.text:0059F9D1                 mov     edx, [ecx+4]
.text:0059F9D4                 push    offset byte_97F5B4 ; Dest
.text:0059F9D9                 mov     [ecx+8], edx
.text:0059F9DC                 call    ds:__imp__snprintf
.text:0059F9E2                 mov     eax, [esi+8]
.text:0059F9E5                 add     esp, 10h
.text:0059F9E8                 mov     byte ptr [eax+4], 1
.text:0059F9EC
.text:0059F9EC loc_59F9EC:                             
.text:0059F9EC                 pop     edi
.text:0059F9ED                 pop     esi
.text:0059F9EE                 pop     ebx
.text:0059F9EF                 retn
as you can see in mov eax, [esi+10h] ; data we have to find where this data being created and encrypted.
06/18/2009 14:31 plixbugmenot#24
that's easy, I found that already :)

Code:
.text:00431490 ; int __stdcall sub_431490(int, void *Src, size_t Size)
.text:00431490 sub_431490      proc near               ; CODE XREF: sub_431210+2Bp
.text:00431490                                         ; sub_431210+42p ...
.text:00431490
.text:00431490 arg_0           = dword ptr  4
.text:00431490 Src             = dword ptr  8
.text:00431490 Size            = dword ptr  0Ch
.text:00431490
.text:00431490                 push    ebx
.text:00431491                 mov     ebx, [esp+4+Size]
.text:00431495                 push    ebp
.text:00431496                 push    esi
.text:00431497                 mov     esi, ecx
.text:00431499                 push    edi
.text:0043149A                 mov     edi, [esp+10h+arg_0]
.text:0043149E                 mov     eax, [esi+4]
.text:004314A1                 mov     ebp, [esi+8]
.text:004314A4                 mov     edx, [esi+0Ch]
.text:004314A7                 sub     ebp, eax
.text:004314A9                 sub     edi, eax
.text:004314AB                 lea     ecx, [ebx+ebp]
.text:004314AE                 cmp     ecx, edx
.text:004314B0                 jbe     short loc_4314E0
.text:004314B2                 dec     ecx
.text:004314B3                 mov     dword ptr [esi+0Ch], 2
.text:004314BA                 shr     ecx, 1
.text:004314BC                 jz      short loc_4314CA
.text:004314BE
.text:004314BE loc_4314BE:                             ; CODE XREF: sub_431490+38j
.text:004314BE                 mov     edx, [esi+0Ch]
.text:004314C1                 shl     edx, 1
.text:004314C3                 shr     ecx, 1
.text:004314C5                 mov     [esi+0Ch], edx
.text:004314C8                 jnz     short loc_4314BE
.text:004314CA
.text:004314CA loc_4314CA:                             ; CODE XREF: sub_431490+2Cj
.text:004314CA                 mov     ecx, [esi+0Ch]
.text:004314CD                 push    ecx             ; NewSize
.text:004314CE                 push    eax             ; Memory
.text:004314CF                 call    ds:__imp_realloc
.text:004314D5                 add     esp, 8
.text:004314D8                 mov     [esi+4], eax
.text:004314DB                 add     eax, ebp
.text:004314DD                 mov     [esi+8], eax
.text:004314E0
.text:004314E0 loc_4314E0:                             ; CODE XREF: sub_431490+20j
.text:004314E0                 mov     eax, [esp+10h+arg_0]
.text:004314E4                 test    eax, eax
.text:004314E6                 jz      short loc_43151D
.text:004314E8                 mov     eax, [esi+4]
.text:004314EB                 mov     edx, [esi+8]
.text:004314EE                 mov     ebp, ds:memmove
.text:004314F4                 add     edi, eax
.text:004314F6                 sub     edx, edi
.text:004314F8                 push    edx             ; Size
.text:004314F9                 lea     eax, [edi+ebx]
.text:004314FC                 push    edi             ; Src
.text:004314FD                 push    eax             ; Dst
.text:004314FE                 call    ebp ; memmove
.text:00431500                 mov     ecx, [esp+1Ch+Src]
.text:00431504                 push    ebx             ; Size
.text:00431505                 push    ecx             ; Src
.text:00431506                 push    edi             ; Dst
[COLOR="Red"].text:00431507                 call    ebp ; memmove[/COLOR]
.text:00431509                 mov     eax, [esi+8]
.text:0043150C                 add     esp, 18h
.text:0043150F                 add     eax, ebx
.text:00431511                 mov     [esi+8], eax
.text:00431514                 mov     eax, esi
.text:00431516                 pop     edi
.text:00431517                 pop     esi
.text:00431518                 pop     ebp
.text:00431519                 pop     ebx
.text:0043151A                 retn    0Ch
.text:0043151D ; ---------------------------------------------------------------------------
.text:0043151D
.text:0043151D loc_43151D:                             ; CODE XREF: sub_431490+56j
.text:0043151D                 mov     edx, [esp+10h+Src]
.text:00431521                 mov     eax, [esi+4]
.text:00431524                 push    ebx             ; Size
.text:00431525                 push    edx             ; Src
.text:00431526                 push    eax             ; Dst
.text:00431527                 call    ds:memmove
.text:0043152D                 mov     eax, [esi+4]
.text:00431530                 add     esp, 0Ch
.text:00431533                 add     ebx, eax
.text:00431535                 mov     eax, esi
.text:00431537                 mov     [esi+8], ebx
.text:0043153A                 pop     edi
.text:0043153B                 pop     esi
.text:0043153C                 pop     ebp
.text:0043153D                 pop     ebx
.text:0043153E                 retn    0Ch
.text:0043153E sub_431490      endp
pretty easy to find with ollydbg... break on the send call, follow ECX in dump(pointer to the data), set breakpoint on that memory location and find out what writes to that. The line in red does that :)

here is my elementclient and IDA database

Code:
http://rapidshare.com/files/245897680/ElementClientFiles.rar
and mov eax, [esi+10h] is NOT the data

Code:
mov     esi, ecx //ESI = THIS ptr

mov     eax, [esi+10h] //go to offset 10 in this instance of the class, dereference pointer
mov     ecx, [eax+4] //go to offset 4 from the eax pointer, dereference it, here is the pointer to the data in ecx

push    edx             ; len
push    ecx             ; buf //give pointer to data to ws32_send(socket* s,char* buf,uint len);
push    eax             ; s
call    ds:__imp_send
06/27/2009 15:17 Vort#25
here is simple client
which logs shout chat
_http://slil.ru/27794994
enjoy ;)
07/01/2009 04:56 dedesayang#26
wew.. how to descrpt... ?
Page 2 of 2 1 2