C++/CLI Packet sniffer

Page 1 of 2

10/04/2014 23:50 donn#1

I've started working on this:

[Only registered and activated users can see links. Click Here To Register...]

As I said, it's made in C++/CLI, it will first be just a packet sniffer, it can turn into anything else later on. It's undetected, since it involves no hooking to Conquer process at all.

For the beginning, I need a few ideas on how to organize the packets output, so it would be easier to read and analyze.

Any further questions or suggestions are welcomed. The only thing that I'm keeping secret for now is the method used for intercepting the packets.

10/05/2014 13:26 Best Coder 2014#2

[Only registered and activated users can see links. Click Here To Register...]

Am I getting warmer or colder?

10/05/2014 17:55 donn#3

Cooler. You know you can't decrypt CO2 packets without injecting your own DH key exchange. So just a sniffer is not enough, you also need to re-write those packets.

10/05/2014 18:33 Best Coder 2014#4

Quote:

Originally Posted by donn

Cooler. You know you can't decrypt CO2 packets without injecting your own DH key exchange. So just a sniffer is not enough, you also need to re-write those packets.

If the client can decrypt the packets, so can a third party program. But okay, is [Only registered and activated users can see links. Click Here To Register...] colder or warmer then? :o

10/05/2014 18:35 donn#5

Warmer. It's WFP indeed.

Quote:

Originally Posted by Best Coder 2014

If the client can decrypt the packets, so can a third party program.

Still, I need to own the private key if I want to send my own packets.

10/05/2014 19:39 Best Coder 2014#6

Quote:

Originally Posted by donn

Warmer. It's WFP indeed.

Still, I need to own the private key if I want to send my own packets.

[Only registered and activated users can see links. Click Here To Register...]

10/05/2014 21:43 donn#7

And since it's a packet sniffer, does anyone knows what packet is that:

Spoiler

Code:

Type : 2711 | Length : 815 |

	27 03 97 0A 1C 03 00 00 B7 F1 93 4F 2E 90 8B 42 E1 19 FB E1 	|	'..........O...B....
	BF 84 64 8D 1F 5A E3 31 DE 53 0A B1 DB 40 5F 19 E3 90 EE 6C 	|	..d..Z.1.S...@_....l
	20 20 C4 7B 67 9E A0 FF 57 B5 79 7F 26 2E 25 A1 04 A9 41 C1 	|	  .{g...W.y.&.%...A.
	49 18 D0 28 03 07 3D 7B 4D B1 B8 61 4A FE 93 CF 7E 80 F6 CD 	|	I..(..={M..aJ...~...
	A1 F9 22 01 96 68 17 4E D9 08 46 1C 48 8C D7 B3 62 76 BF 4E 	|	.."..h.N..F.H...bv.N
	A3 FA 06 87 7E 25 CC 68 4C 23 50 AB B8 CC 23 11 46 DD 92 45 	|	....~%.hL#P...#.F..E
	54 31 EC 2C EF 5E 79 2B 5A 13 77 76 22 E2 30 C0 D1 E4 29 EE 	|	T1.,.^y+Z.wv".0...).
	8B 7F 36 58 9D 87 5F EA B1 E9 A5 56 3E 0B CB 0D 60 7C A6 B0 	|	..6X.._....V>...`|..
	79 58 7A 82 6F BF 00 E4 EA 0B 8C DE B9 10 FA 0A D8 C7 BE 66 	|	yXz.o..............f
	62 51 FF 5E 81 83 6F 33 03 95 AA 0E 42 EE 8A 08 00 0E 06 31 	|	bQ.^..o3....B......1
	2A C1 4F C3 94 7F EF 84 1B 40 4A FF F0 71 CA 40 D6 04 EF 98 	|	*.O......@J..q.@....
	54 41 CC 81 ED 82 6C 93 17 2B DD 53 DD 5F 18 8E 7E DB 4C F1 	|	TA....l..+.S._..~.L.
	E5 96 6E 30 4E 24 CE 20 6E 5E D5 E9 D5 08 56 33 63 DA 14 F7 	|	..n0N$. n^....V3c...
	ED DB 6F 4C FE 70 4E 75 8C 33 AC CC 64 94 65 75 95 D1 E2 D9 	|	..oL.pNu.3..d.eu....
	D5 EC CA 75 E3 F0 B9 F7 22 74 2F 5A 41 2A 31 F9 46 F2 83 AD 	|	...u...."t/ZA*1.F...
	DA 82 0F A4 FB 2C F1 E8 DE 01 6F E3 CF 0B 14 FA 9B C1 35 46 	|	.....,....o.......5F
	32 AC 40 E0 55 69 51 B5 20 65 B3 16 5C E4 7D 7C 3C 85 5B 17 	|	2.@.UiQ. e..\.}|<.[.
	CD CD 52 55 48 AB F1 3B 7A CD D4 83 79 AF 4E 6D 3B 24 A5 5C 	|	..RUH..;z...y.Nm;$.\
	C3 8D 0C 27 34 14 C8 58 D6 D6 92 C0 4E 83 76 B5 1E 8A 2F A4 	|	...'4..X....N.v.../.
	96 17 95 22 7F EB 0A 44 74 E3 87 CA 91 83 72 C6 F3 B6 C6 6C 	|	..."...Dt.....r....l
	C3 93 25 09 CF 49 6B 2A EA 08 48 2E C2 E1 2C 5E 20 11 51 09 	|	..%..Ik*..H...,^ .Q.
	69 02 26 0D 02 05 ED B8 A8 E7 77 CE F1 FD 5F 0B 09 23 C1 56 	|	i.&.......w..._..#.V
	43 0B D4 8B D1 5B 5B 88 40 FE 84 35 06 42 64 36 E4 2E 4A 32 	|	C....[[.@..5.Bd6..J2
	95 F7 61 2F 9F 14 E0 09 33 BD E4 CA 73 C2 60 F4 43 85 E3 E7 	|	..a/....3...s.`.C...
	47 19 7C 1A D0 EF AC 8E 7E B4 78 27 1D BD 31 68 4C EC 64 26 	|	G.|.....~.x'..1hL.d&
	A1 AC 6A 68 8E 0C 4D F1 01 5E 4F BC F0 57 9B 1B EC DE F7 1E 	|	..jh..M..^O..W......
	AA 6F AC 8A 22 4C 42 FA 9B F4 C0 9A 8B 73 0F 70 1D B9 06 32 	|	.o.."LB......s.p...2
	DE F4 AF D9 19 3A 47 67 30 DC 2C 92 33 C4 5D 92 18 2D 03 68 	|	.....:Gg0.,.3.]..-.h
	BA DB 13 2A 35 9F 03 59 B0 B5 CE F7 57 DE B1 80 FF DA 83 80 	|	...*5..Y....W.......
	CC 64 45 A2 B7 29 F6 7A 5A 2C C8 A6 F3 1B 49 41 18 5E 5D C7 	|	.dE..).zZ,....IA.^].
	22 63 99 1A 34 AB 5B DF 17 10 DC FA 8F CD 6B 8F 81 02 EB 0C 	|	"c..4.[.......k.....
	AE 2F E0 13 51 EE F6 00 A1 E6 17 4A E6 B8 57 20 87 C3 EB AD 	|	./..Q......J..W ....
	6F 52 A6 9A EF 78 21 9F EB 10 06 92 9B 7C 5D 7B 60 D8 8B A7 	|	oR...x!......|]{`...
	5D 96 C2 7C B8 FA DE C8 6E BE 76 4D 92 38 03 5C 26 8C 5C 38 	|	]..|....n.vM.8.\&.\8
	12 7B F3 3F 22 0B 68 D0 9E 21 AD BB DE 24 EC 43 01 9C C3 E7 	|	.{.?".h..!...$.C....
	07 B6 84 31 FB 2E 54 EE A6 5E F3 0F 34 EF B5 9E 47 0B 88 9E 	|	...1..T..^..4...G...
	A5 26 69 9E 24 2B 70 13 5B 5C 47 FD 7C CD 7D E8 BF 31 93 2D 	|	.&i.$+p.[\G.|.}..1.-
	80 36 66 0F A9 FF C9 FF 1F 69 F6 28 54 78 35 1F 31 26 36 1E 	|	.6f......i.(Tx5.1&6.
	2B C2 74 2C 6E 2B F6 BF 3D DC 35 A0 7C 3E EA 03 0E BA C3 56 	|	+.t,n+..=.5.|>.....V
	35 3E F4 8F 03 A5 0A 0C 12 EC D9 E2 E8 DF 67 38 F2 36 4B 74 	|	5>............g8.6Kt
	C0 D4 C5 A3 00 00 00 54 51 43 6C 69 65 6E 74                	|	.......TQClient

10/06/2014 07:49 schacka2#8

did u decrypth the packets?

10/06/2014 11:31 KraHen#9

This seems really similar to what Fang was working on. Good job nonetheless!

10/06/2014 19:38 donn#10

Well, I had no idea about what Fang was working on.
Thanks for appreciating it.

10/08/2014 14:46 donn#11

Question: is there some public private server source available, working on the last patch, so I can extract some packets info from it? I'm loosing a lot of time trying to find the new offsets for them, maybe there are already out there.

I searched, but failed to find one.

Nevermind, I'm slowly structuring them all.

10/15/2014 08:53 donn#12

If anyone is curios, I reached this point in development:

[Only registered and activated users can see links. Click Here To Register...]

and I decided to dump C++/CLI and go fully native C++ (thanks to CptSky support) so I'm re-coding it entirely.

GUI will be made in Qt (also using signals/slots for events processing).

10/15/2014 11:32 KraHen#13

Great success. :D TBH in your place I`d go with a service-based app for the routing, which would communicate through WebSockets with a web-based GUI application. :D

10/15/2014 12:00 donn#14

There's a slight problem going this way. Since I'm intercepting (in the real sense of the word), the packets sent from client to server or from server to client are actually stopped at the filter level.

At that point I'm decrypting/reading/interpreting/encrypting them and pass them forward.

If those steps are not done in a timely fashion, the packet TTL is exceeded, which in turn would cause the sender (either client or the server) to re-send those packets (it's how TCP works). If I go to a service app based implementation and web-based GUI, I'm afraid doing all those steps in a timely fashion will be close to impossible (or I might not be seeing the things correctly and I might be wrong).

10/15/2014 12:43 KraHen#15

Quote:

Originally Posted by donn

There's a slight problem going this way. Since I'm intercepting (in the real sense of the word), the packets sent from client to server or from server to client are actually stopped at the filter level.

At that point I'm decrypting/reading/interpreting/encrypting them and pass them forward.

If those steps are not done in a timely fashion, the packet TTL is exceeded, which in turn would cause the sender (either client or the server) to re-send those packets (it's how TCP works). If I go to a service app based implementation and web-based GUI, I'm afraid doing all those steps in a timely fashion will be close to impossible (or I might not be seeing the things correctly and I might be wrong).

Maybe remotely, locally with a ping of ~0 there should me minimal to no overhead, maybe 70ms max, although that could be a problem in these circumstances, I haven `t looked into it.

Page 1 of 2