[Release] Spoofed download server (reverse engineering)

Page 1 of 2

03/27/2017 16:37 Gooby.#1

Hi,

So, you have a filter and DDoS protection but forgot to spoof download server and do not want to edit or mess with your executable files or CERT, this is the perfect option for you if you want to spoof your download server and hide your real server IP from all your players.

Working on

Spoiler

vSRO 188

vSRO 274

How it works

Spoiler

Prevent download packet to be sent to client

Read necessary information like (Files to patch)

Re-writing the packet and the information and replaces the IP&PORT

Sending the new packet to client, containing protected IP:PORT.

Client receives the packet and see the protected IP:PORT.

Whats needed

Spoiler

A SSA Filter.

A TCP proxy for download server, examples below

HaProxy, or C# proxy.

S->C (Reverse engineering)

Spoiler

PHP Code:

#region 0xA100_DOWNLOAD_SPOOF if(_pck.Opcode == 0xA100) { byte result = _pck.ReadUInt8(); if (result == 0x02) { byte ErrorCode = _pck.ReadUInt8(); if (ErrorCode == 0x02) { string ip = _pck.ReadAscii(); // ServerIP ushort port = _pck.ReadUInt16(); // ServerPort UInt32 version = _pck.ReadUInt32(); // Version byte flag = _pck.ReadUInt8(); // Flag Packet spoof = new Packet(0xA100, false, true); spoof.WriteUInt8(result); spoof.WriteUInt8(ErrorCode); spoof.WriteAscii("127.0.0.1"); // Spoofing part spoof.WriteUInt16("15881"); // Spoofing part spoof.WriteUInt32(version); // Version spoof.WriteUInt8(flag); while (flag == 0x01) { UInt32 FileID = _pck.ReadUInt32(); string FileName = _pck.ReadAscii(); string FilePath = _pck.ReadAscii(); UInt32 FileLen = _pck.ReadUInt32(); byte unk = _pck.ReadUInt8(); // Packed, no idea. flag = _pck.ReadUInt8(); spoof.WriteUInt32(FileID); spoof.WriteAscii(FileName); spoof.WriteAscii(FilePath); spoof.WriteUInt32(FileLen); spoof.WriteUInt8(unk); spoof.WriteUInt8(flag); } m_LocalSecurity.Send(spoof); Send(false); continue; } } } #endregion

Credit goes to

Spoiler

Ace
and...
[Only registered and activated users can see links. Click Here To Register...]

There is no backdoor in this code, Kappa :rolleyes:

03/27/2017 17:11 denise456#2

Thanks

03/27/2017 17:23 nemo08#3

nice

03/27/2017 17:34 hieulovehoa#4

Please <Debug> into .exe software

03/27/2017 18:11 Dracula Untold#5

Gooby = Goofie ? :)))

03/27/2017 18:11 kanift#6

idk why do u want to read whole packet till flag is zero instead of skip them :confused:

03/27/2017 18:16 Judgelemental#7

Quote:

Originally Posted by Gooby.

There is no backdoor in this code, Kappa :rolleyes:

In this one no :^)
In literally everything you release, yes. :^)

03/27/2017 18:22 hieulovehoa#8

Upgrade SUPERMIKE to version 3.1

03/27/2017 18:38 Gooby.#9

Quote:

Originally Posted by kanift

idk why do u want to read whole packet till flag is zero instead of skip them :confused:

Reading if flag is byte 1, reading all the files that needs to be patched in client @ Media.pk2 and so on. You must read all the files that must be patched or the response aka reverse engineering will not work.

Quote:

Originally Posted by Dracula Untold

Gooby = Goofie ? :)))

Yes? It's not a secret.

Quote:

Originally Posted by hieulovehoa

Upgrade SUPERMIKE to version 3.1

Contact me on Skype and I will send KRYLFILTER v10.

Quote:

Originally Posted by Judgelemental

In this one no :^)
In literally everything you release, yes. :^)

Only was detected for that backdoor, if you have more proof please share them.

03/27/2017 19:08 kanift#10

Quote:

Originally Posted by Gooby.

Reading if flag is byte 1, reading all the files that needs to be patched in client @ Media.pk2 and so on. You must read all the files that must be patched or the response aka reverse engineering will not work.

actually u dont have to read whole packet to manage it to work, it will create lag (because of loop) if there are huge amount of files, u can shorten the logic without loop try to handle patch response w/o loop :^)

03/27/2017 20:41 Gooby.#11

Quote:

Originally Posted by kanift

actually u dont have to read whole packet to manage it to work, it will create lag (because of loop) if there are huge amount of files, u can shorten the logic without loop try to handle patch response w/o loop :^)

It will not cause any lag.

03/27/2017 21:19 kanift#12

Quote:

Originally Posted by Gooby.

It will not cause any lag.

this answer is the result of why ur filter is sh*** if it runs its ok for u and no matter what will be happen afterwards, anyway imo thats an unnecessary show so good luck with other bad filter projects ^^.

03/28/2017 06:58 B1Q#13

Reverse engineering ? funny

and the loop is not necessary

03/29/2017 06:00 cardoso125874#14

"while (flag == 0x01)
{"

why this loop? unnecessary

04/08/2017 15:39 ramy_11_1#15

analyze the full packet is not necessary, you can use packet.GetBytes()
to write all remaining bytes into the new packet.

i using this code
it working well for me:

Code:

#region Download Packet
if (packet.Opcode == 0xA100 && Main.FDownloadPort > 0)
{
	try
	{
		Packet DownServ = new Packet(packet.Opcode, packet.Encrypted, packet.Massive);
		bool bo = true;
		int length = 0;

		byte num1 = packet.ReadUInt8(); // 0x02
		length++;

		if (num1 == 2)
		{
			byte num2 = packet.ReadUInt8(); // 0x02
			length++;

			if (num2 == 2)
			{
				string str1 = packet.ReadAscii(); // IP
				length += 2; // Ascii length
				length += str1.Length; // Ascii bytes length

				short num3 = packet.ReadInt16(); // Port
				length += 2; // port bytes length

				DownServ.WriteUInt8(num1);
				DownServ.WriteUInt8(num2);
				DownServ.WriteAscii(Main.FakeIP);
				DownServ.WriteUInt16(Main.FDownloadPort);

				int loop = bytes.Length - length;

				for (int i = 0; i < loop; i++)
				{
					DownServ.WriteUInt8(bytes[length]);
					length++;
				}

				this.gw_local_security.Send(DownServ);
				continue;
			}
		}
	}
	catch
	{
		this.Disconnect();
		continue;
	}
}
#endregion

Page 1 of 2