Encrypt/Decrypt Function

09/26/2009 20:44 Belth#1
I think I've found the wrapper for send() at 00536FDB but I cannot find any calls just before the actual winsock send that would encrypt data. Am I looking in the wrong place?
09/26/2009 21:50 IAmHawtness#2
You're looking at the right place. You just need to trace further back. The encrypt functions are a couple of calls before the WS2_32.send call.
09/27/2009 01:50 Belth#3
It doesn't seem to be a simple CALL XXX. I traced back until I found a case switch for packet IDs so I'm assuming that's way too far. I'm just gonna outright ask if anyone can give me the address. My guess is 00534F78.
09/29/2009 16:34 tanelipe#4
Find a packet with type 0x43E (Login request, first packet client > server), trace it back until you get out of the building of the packet; a couple of lines below there is a call to location XXX, it'll call a function that calls the encrypting + sending.
09/30/2009 04:28 Belth#5
Quote:
Originally Posted by tanelipe
Find a packet with type 0x43E (Login request, first packet client > server), trace it back until you get out of the building of the packet; a couple of lines below there is a call to location XXX, it'll call a function that calls the encrypting + sending.
Okay, I'll try to do that but something puzzles me: if I found what looks to me like Conquer.Send(), i.e. the wrapper for ws2_32.Send(), then why isn't encrypt() inside? And if it's not inside then I would think I could simply trace back to where Conquer.Send() is called and a CALL encrypt() would be right there. Am I wrong for thinking it should be this simple?
09/30/2009 07:07 *M*#6
I did a lot of tracing for this when I was making a dll proxy for injection/interception, are you trying something similar?
09/30/2009 07:23 Belth#7
Quote:
Originally Posted by *M*
I did a lot of tracing for this when I was making a dll proxy for injection/interception, are you trying something similar?
Yes, I'm doing this ultimately to make a proxy. I had tried doing this strictly with C# but then I found I couldn't decrypt server packets. I asked here and was led to hooking, which after reading around I found could not be done in C#. So then I looked up what I would need to do this in C++, got the basic idea, then tried to find the winsock functions in Conquer.exe. Found them now and (as the title hints) I'm looking for the encrypt() functions.

I had no experience with disassembling/reversing until a few days ago, so I'm still learning the basics.
09/30/2009 10:20 IAmHawtness#8
Why not just hook/intercept/whatever the functions that handle the outgoing/incoming packets before they're encrypted (outgoing) / after they're decrypted (incoming)? Those functions can be used for sending packets or receiving packets too.
09/30/2009 12:14 unknownone#9
In latest client
Code:
Conquer.[.text+0x001361BB] = void CEncryptClient::Encrypt(uint8_t* bufMsg, int nLen, bool bMove=true);

Conquer.[.text+0x00135B41] | Call to void Conquer.CEncryptClient::Encrypt(uint8_t* bufMsg, int nLen, bool bMove=true);

Conquer.[.text+0x00136006] | Call to int WS2_32.send(int sockfd, const void* msg, int len, int flags);
10/01/2009 04:39 Belth#10
Quote:
Originally Posted by IAmHawtness
Why not just hook/intercept/whatever the functions that handle the outgoing/incoming packets before they're encrypted (outgoing) / after they're decrypted (incoming)? Those functions can be used for sending packets or receiving packets too.
Ah, because I'm not sure how to find them. I figured the send function would be easiest because I could just trace back from any ws2_32.send call.

Quote:
Originally Posted by unknownone
In latest client
Code:
Conquer.[.text+0x001361BB] = void CEncryptClient::Encrypt(uint8_t* bufMsg, int nLen, bool bMove=true);

Conquer.[.text+0x00135B41] | Call to void Conquer.CEncryptClient::Encrypt(uint8_t* bufMsg, int nLen, bool bMove=true);

Conquer.[.text+0x00136006] | Call to int WS2_32.send(int sockfd, const void* msg, int len, int flags);
I don't know what address ".text" is at...
10/01/2009 06:17 IAmHawtness#11
Quote:
Originally Posted by Belth
Ah, because I'm not sure how to find them. I figured the send function would be easiest because I could just trace back from any ws2_32.send call.
I don't know what address ".text" is at...
".text" is just the entry point of the Conquer.exe, 0x401000 I think it is. As for the send packet function, check your PM inbox. You can try tracing forward from the sendpacket function to WS2_32.send, then you'll also know how to trace it back from WS2_32.send :)
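The ".text+0x..." notation in unknownone's post is an offset from the start of the .text section, so turning it into an absolute address means reading that section's VirtualAddress from the PE section table and adding the ImageBase from the optional header (0x400000 + 0x1000 = 0x401000 for a typical 32-bit executable, which is why that figure comes up). The following is an added example written for this thread, not code from the thread or from the Conquer client: a minimal PE header parser that resolves "section+offset" strings to absolute addresses and back. The PE bytes it parses are constructed for illustration (ImageBase 0x400000, .text at RVA 0x1000), so the resolved values only match a real binary with that same layout; check the real section table rather than assuming it.

```python
import struct

SECTION_ENTRY_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes


def build_sample_pe():
    """Constructed PE32 header for illustration only (no code, not a real binary):
    ImageBase 0x400000, .text at RVA 0x1000, .data at RVA 0x140000."""
    e_lfanew = 0x40
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    sections = [(b".text", 0x1000, 0x13E000), (b".data", 0x140000, 0x20000)]
    opt = bytearray(96)                                  # PE32 optional header, no data dirs
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase (offset 28 in PE32)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack(SECTION_ENTRY_FMT, name, size, va, size, 0x400, 0, 0, 0, 0, 0x60000020)
        for name, va, size in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return (image_base, {section_name: (virtual_address, virtual_size)})
    from a PE32 or PE32+ image header, validating the signatures on the way."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + 20
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt_off + 28)
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt_off + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_off = opt_off + opt_size                         # section table follows the optional header
    sections = {}
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, sec_off + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii")] = (va, vsize)
    return image_base, sections


def resolve(data, expr):
    """Resolve 'section+0xOFFSET' (e.g. '.text+0x001361BB') to an absolute
    virtual address, refusing offsets that fall outside the named section."""
    sec_name, _, off_str = expr.partition("+")
    image_base, sections = parse_sections(data)
    if sec_name not in sections:
        raise KeyError("no section named %r" % sec_name)
    va, vsize = sections[sec_name]
    off = int(off_str, 16)
    if off >= vsize:
        raise ValueError("offset 0x%x is beyond the end of %s" % (off, sec_name))
    return image_base + va + off


def to_section_relative(data, addr):
    """Inverse of resolve(): map an absolute address back to ('section', offset),
    which is the stable form to record since ImageBase can change under ASLR."""
    image_base, sections = parse_sections(data)
    for name, (va, vsize) in sections.items():
        start = image_base + va
        if start <= addr < start + vsize:
            return name, addr - start
    raise ValueError("address 0x%x is not inside any section" % addr)


if __name__ == "__main__":
    image = build_sample_pe()
    base, secs = parse_sections(image)
    print("ImageBase 0x%x, sections: %s" % (base, {k: hex(v[0]) for k, v in secs.items()}))
    for expr in (".text+0x001361BB", ".text+0x00135B41", ".text+0x00136006"):
        print("%s -> 0x%08X" % (expr, resolve(image, expr)))
    print("0x00536FDB -> %s+0x%06X" % to_section_relative(image, 0x00536FDB))
```

Under the constructed layout, ".text+0x001361BB" resolves to 0x005371BB and the 0x00536FDB address from the first post maps back to ".text+0x135FDB"; on the real binary, run parse_sections() over the first few kilobytes of the file to get the actual ImageBase and section RVAs before comparing addresses.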
10/02/2009 05:56 Belth#12
Thank you very much for the spoon-feeding.
10/03/2009 04:37 _tao4229_#13
Search for "catch error in send msg." and "catch error in process msg" in memory.