[Question] Packet Encryption

01/27/2010 23:56 Thiesius#1
Hello guys,

I have question about encryption
Apparently decrypt/encrypt doesn't work (with this key?), so I was thinking that you might help me out. I used the encryption from SyronX's source (BakaBug's).

Image shows: Hook, Nothing, Decrypted, Encrypted again


Code:
//...
//Declarations:
//DWORD SendPacketMain = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08", SendPacketMain_+1, 0x007FFFFF);
//BYTE *TKey = (BYTE*)*((DWORD*)(SendPacketMain+0xCA));   // pointer to the client's table-key counter
//BYTE TableKey;
//BYTE Header;
//BYTE tmp;

//....
//INSIDE FUNCTION
TableKey = ((*TKey)-1) & 0x3F;                 // key index: counter minus one, masked to 6 bits (0..63)
Header = buf[2];                               // copy of the still-encrypted header byte
DecryptTable(TableKey, (unsigned char *)&Header, 1);
DecryptTable(TableKey, (unsigned char *)buf+2, nSentBytes-2);   // table layer off
DecryptPacketAES((char *)buf);                                   // AES layer off
//.....
EncryptPacketAES((char *)buf);                                   // layers back on, in reverse order
EncryptTable(TableKey, (unsigned char *)buf+2, nSentBytes-2);
//....
//....
By the way, wouldn't it be easier to hook the HackShield functions? The one which is called to check that functions aren't hooked, and the second one, which is called when the server asks for a CRC (or some hash, I don't know) of specified engine functions.... Of course clientless wouldn't work....
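Added example, not code from SyronX's/BakaBug's source or from the game client: a small C model of the two-layer scheme the snippet above applies in a hook. The "table" layer is modelled as an XOR keystream selected by the 6-bit key index, the AES layer is replaced by a trivial reversible byte transform, and the wire layout (2-byte length, header at offset 2, only bytes from offset 2 encrypted) is assumed to match the `buf+2` offsets in the post. All function names, the keystream and the sample packet are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not SyronX/BakaBug/game code. Assumptions:
 *  - "table" layer: XOR keystream chosen by a 6-bit key index (0..63)
 *  - "AES" layer: a trivial reversible byte transform standing in for
 *    EncryptPacketAES/DecryptPacketAES
 *  - wire format: bytes 0..1 length, byte 2 header/opcode, rest payload;
 *    only bytes from offset 2 onward are encrypted (matches buf+2 above). */

/* Key index derived the same way as in the post: (*TKey - 1) & 0x3F. */
static uint8_t table_key_from_counter(uint8_t counter) {
    return (uint8_t)((counter - 1) & 0x3F);
}

/* Constructed keystream, deterministic per (key, position); stands in for
 * the game's real key table. */
static uint8_t keystream_byte(uint8_t key, size_t pos) {
    uint32_t x = (uint32_t)key * 0x9E3779B1u + (uint32_t)pos * 0x85EBCA6Bu + 0x1234567u;
    x ^= x >> 13; x *= 0x5BD1E995u; x ^= x >> 15;
    return (uint8_t)x;
}

static void decrypt_table(uint8_t key, uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= keystream_byte(key, i);
}
/* XOR is its own inverse; kept as a separate name to mirror the post's API. */
static void encrypt_table(uint8_t key, uint8_t *buf, size_t len) {
    decrypt_table(key, buf, len);
}

/* Stand-in for the AES layer: XOR 0x5A then rotate left by 3, and its inverse. */
static void inner_encrypt(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        uint8_t b = (uint8_t)(buf[i] ^ 0x5A);
        buf[i] = (uint8_t)((b << 3) | (b >> 5));
    }
}
static void inner_decrypt(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        uint8_t b = (uint8_t)((buf[i] >> 3) | (buf[i] << 5));
        buf[i] = (uint8_t)(b ^ 0x5A);
    }
}

/* What the client does before send: inner layer first, table layer last.
 * Returns 0, or -1 if the buffer is too short to hold a header. */
static int wire_encrypt(uint8_t counter, uint8_t *buf, size_t total) {
    if (total < 3) return -1;
    uint8_t key = table_key_from_counter(counter);
    inner_encrypt(buf + 2, total - 2);
    encrypt_table(key, buf + 2, total - 2);
    return 0;
}

/* What a send/recv hook does: peel the layers in reverse order, read the
 * header, hand the plaintext to the sniffer, then put the layers back in the
 * original order so the wire bytes are unchanged. Returns the decrypted
 * header byte, or -1 on a short buffer. */
static int hook_peek_and_reencrypt(uint8_t counter, uint8_t *buf, size_t total,
                                   uint8_t *out_plain, size_t plain_cap) {
    if (total < 3) return -1;
    uint8_t key = table_key_from_counter(counter);  /* read per packet, as *TKey is in the post */
    decrypt_table(key, buf + 2, total - 2);   /* outer (table) layer off */
    inner_decrypt(buf + 2, total - 2);        /* inner ("AES") layer off */
    int header = buf[2];
    if (out_plain && plain_cap >= total) memcpy(out_plain, buf, total);
    inner_encrypt(buf + 2, total - 2);        /* back on: inner first ... */
    encrypt_table(key, buf + 2, total - 2);   /* ... then the table layer */
    return header;
}

/* Self-check on a constructed packet: the hook must see the plaintext header
 * and payload, and must leave the ciphertext exactly as it found it. */
static int selftest(void) {
    uint8_t pkt[] = {0x00, 0x07, 0x05, 0xDE, 0xAD, 0xBE, 0xEF}; /* constructed */
    uint8_t orig[sizeof pkt], wire[sizeof pkt], plain[sizeof pkt];
    memcpy(orig, pkt, sizeof pkt);
    if (wire_encrypt(0x41, pkt, sizeof pkt) != 0) return 0;
    memcpy(wire, pkt, sizeof pkt);
    if (hook_peek_and_reencrypt(0x41, pkt, sizeof pkt, plain, sizeof plain) != 0x05) return 0;
    if (memcmp(plain, orig, sizeof pkt) != 0) return 0;  /* sniffer got plaintext */
    if (memcmp(pkt, wire, sizeof pkt) != 0) return 0;    /* ciphertext restored */
    return 1;
}

int main(void) {
    printf("table key for counter 0x41: 0x%02X\n", table_key_from_counter(0x41));
    printf("selftest: %s\n", selftest() ? "ok" : "FAILED");
    return selftest() ? 0 : 1;
}
```

The point the model makes explicit is ordering: the table layer is applied last on the way out, so it has to come off first on the way in, and the re-encryption must mirror that (inner layer first, table layer second), which is the order the post's snippet uses. The key index is recomputed from the counter on every call, because the post reads `*TKey` inside the hook rather than caching it; a hook that caches the index would desynchronise as soon as the counter moves.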
01/28/2010 19:59 meak1#2
You don't need the send function, only recv ;D
if you want to write a bot ;/
01/28/2010 20:53 BorSti#3
Correct, but I am trying as well to sniff send again xD
01/28/2010 20:57 meak1#4
A friend said that you only need to swap the decrypt and encrypt table, encrypt to decrypt and decrypt to encrypt^^ but I can ask him next time how he got it ;p
01/29/2010 17:12 Thiesius#5
I know that I don't basically need to hook the send function, but what if I don't know the packet structures? How can I know (yeah, I know a few packet structures) which format I should use when I want to respond with send after recv? Tracing the packet-forging functions in the engine? That can take ages :D.

I don't want only a bot.... I want both functions - send and recv - hooked so I can sniff.

I had 2 methods of bypassing:
First one works for 2-10 minutes... Then the server CRC check pwns me.
Second one: I made it today... I disabled the HShield driver (not with the registry key security - that is pretty nooby and doesn't always work) so I can load the engine into Olly. I patched the HackShield memory-checking functions... So now I'm logged in and waiting for an expel. I think there is one more function, which generates a CRC.

Now it's 35 minutes since my login.
EDIT:
Hmmm 2 hours 30 mins and no C/L yet.
01/30/2010 11:27 BorSti#6
Quote:
Originally Posted by Thiesius
I know that I don't basically need to hook the send function, but what if I don't know the packet structures? How can I know (yeah, I know a few packet structures) which format I should use when I want to respond with send after recv? Tracing the packet-forging functions in the engine? That can take ages :D.

I don't want only a bot.... I want both functions - send and recv - hooked so I can sniff.

I had 2 methods of bypassing:
First one works for 2-10 minutes... Then the server CRC check pwns me.
Second one: I made it today... I disabled the HShield driver (not with the registry key security - that is pretty nooby and doesn't always work) so I can load the engine into Olly. I patched the HackShield memory-checking functions... So now I'm logged in and waiting for an expel. I think there is one more function, which generates a CRC.

Now it's 35 minutes since my login.
EDIT:
Hmmm 2 hours 30 mins and no C/L yet.
Nice report!
01/30/2010 11:36 katze123#7
Yep... but what can you do if you bypassed it? Normally hook the functions as before? ;D
01/30/2010 12:48 Thiesius#8
3 hours without an expel. Then I got a C/L because I didn't realize that I can't do a router cache cleanup while I'm connected :].

It should be possible to hook anything now, I guess. At least send and recv work....
01/30/2010 13:25 katze123#9
Very nice ;D but uhm... with Intercept you get expelled after 30-300 minutes :(
Maybe not with this bypass? Tell me :D
01/30/2010 14:55 Thiesius#10
Yup, I also thought so... It's possible that there is another, different function which checks the functions again and sends a CRC/hash to the server. In the evening I will start Kal and let it run over the night.... We'll see.... If there is another function, then I should patch it too :).

Basically the HackShield "Memory Manipulation" check runs every 2-3 mins (maybe it's the one which was kicking us after 30-300 mins, but now it's more frequent and loads an error message from the config too...) and the HShield "Check if all HackShield functions are OK" every 3-5 mins.
01/30/2010 15:06 katze123#11
Hmm... yes, while we hooked the functions with Intercept we got expelled, but maybe now you don't get an expel because you bypassed something which was checking this... really nice work ;)
01/30/2010 15:37 bloodx#12
There are some ways to bypass the "Intercept" block.

But you don't really need Intercept o.O
01/30/2010 16:55 Thiesius#13
Intercept only replaces the original instructions with a jump to your modified function.

So I set up time logging on every 0x05 packet sent. We'll see how long it stays without an expel (if there is any). I hope no one will play with the router or internet connection settings again (the probability is high for some reasons....)
01/30/2010 17:11 katze123#14
Yes, I know that there is a way without Intercept ;)

good luck thiesius
01/30/2010 17:20 Thiesius#15
Thanks. I hope I won't have to patch any more functions.... Because if there is that "3rd one", it would probably take some time to trace it and fix it.