Encrypted packets and sniffing

04/25/2018 11:54 ZSavich#1
Hello! I'm trying to replace encrypted packages with OllyDbg and change them. The exe file is compiled in C++ and not encrypted, so I was able to see all the functions through the IDE.

I started the game and OllyDbg, started catching the "send" event, and noticed that all packets are encrypted except messages in the chat. I began to look for the function that encrypts data packets, but so far without success.

How to find this function? Should I go up the functions or is there another way?

P.S. Encryption of packets occurs using Microsoft Base Cryptographic Provider v1.0.
Encryption methods:

Sorry for my English:o
04/25/2018 22:26 cookie69#2
Quote: Originally Posted by ZSavich
Hello! I'm trying to replace encrypted packages with OllyDbg and change them. The exe file is compiled in C++ and not encrypted, so I was able to see all the functions through the IDE.

I started the game and OllyDbg, started catching the "send" event, and noticed that all packets are encrypted except messages in the chat. I began to look for the function that encrypts data packets, but so far without success.

How to find this function? Should I go up the functions or is there another way?

P.S. Encryption of packets occurs using Microsoft Base Cryptographic Provider v1.0.
Encryption methods:

Sorry for my English:o
You can use this tut to get inspired.

How do you know the packets are encrypted? Maybe you are just thinking they are.
In any case, try to watch the sent packets and guess how they are built by hooking the send function (could be WSASend(), send(), ...).
04/25/2018 22:42 ZSavich#3
Quote: Originally Posted by cookie69
You can use this tut to get inspired.

How do you know the packets are encrypted? Maybe you are just thinking they are.
In any case, try to watch the sent packets and guess how they are built by hooking the send function (could be WSASend(), send(), ...).
I tried to sniff traffic in WPE and saw that packets are different.
Only packets with a message in chat don't differ.
I will show you screenshots:
I sent two identical messages and received identical packages with my message.

I dropped 22 gold and got different packages without 22.

What can it be, and how can I sniff the packets without disconnecting from the server?
P.S. Thank you very much for the Tutorial
04/26/2018 02:10 algernong#4
First row, second byte from the right is 16 hex = 22 dec. The messages hardly differ; if they were properly encrypted, they should look nothing alike. Thus I think that they aren't encrypted, they probably just include some more parameters that you don't know of yet.
04/26/2018 02:52 ZSavich#5
Quote: Originally Posted by algernong
First row, second byte from the right is 16 hex = 22 dec. The messages hardly differ; if they were properly encrypted, they should look nothing alike. Thus I think that they aren't encrypted, they probably just include some more parameters that you don't know of yet.
Wow. You are right. Thank you!

Quote: Originally Posted by algernong
First row, second byte from the right is 16 hex = 22 dec. The messages hardly differ; if they were properly encrypted, they should look nothing alike. Thus I think that they aren't encrypted, they probably just include some more parameters that you don't know of yet.
But when I get money, packets are already sent with different values.
I raise 12 gold.
I raise 22 gold.
04/26/2018 11:07 SCORNI#6
Try around a little bit and try to understand the parameters of the packets and restore the protocol.
It looks very likely to me that the packets are absolutely unencrypted. You have to find out what the changing values are. It could be a timestamp, a checksum or something like a nonce ;)
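The byte-diffing that posts #4 and #6 describe (mark which offsets vary between sends of the same action, check whether the amount 22 literally appears as 0x16, and tell a sequence counter from a checksum or nonce), as an added example that is not code from the thread. The packet bytes and the field layout [opcode][len][amount][seq u32 LE][checksum u16 LE] are constructed for illustration and are not the game's real format:

```python
from typing import Dict, List, Set

# Constructed captures of one action (hypothetical layout, see lead-in).
# The trailing two bytes are arbitrary stand-ins for a checksum/nonce.
CAPTURES: List[bytes] = [
    bytes.fromhex("3a09" "16" "11000000" "a17c"),  # drop 22 gold, 1st send
    bytes.fromhex("3a09" "16" "12000000" "b34e"),  # drop 22 gold, 2nd send
    bytes.fromhex("3a09" "0c" "13000000" "0f21"),  # drop 12 gold
]


def variable_offsets(packets: List[bytes]) -> Set[int]:
    """Byte positions whose value is not identical across all packets."""
    if len({len(p) for p in packets}) != 1:
        raise ValueError("compare packets of the same length/opcode only")
    return {i for i in range(len(packets[0]))
            if len({p[i] for p in packets}) > 1}


def find_value(packet: bytes, value: int) -> Dict[str, List[int]]:
    """Offsets where `value` appears encoded as u8, u16 LE or u32 LE."""
    hits: Dict[str, List[int]] = {}
    for name, width in (("u8", 1), ("u16le", 2), ("u32le", 4)):
        if value >= 256 ** width:          # cannot fit in this width
            hits[name] = []
            continue
        enc = value.to_bytes(width, "little")
        hits[name] = [i for i in range(len(packet) - width + 1)
                      if packet[i:i + width] == enc]
    return hits


def looks_like_counter(packets: List[bytes], off: int, width: int) -> bool:
    """True if the LE field at `off` grows by exactly 1 per packet in capture
    order: a sequence number, not a checksum or random nonce."""
    vals = [int.from_bytes(p[off:off + width], "little") for p in packets]
    return len(vals) > 1 and all(b - a == 1 for a, b in zip(vals, vals[1:]))


def analyze(packets: List[bytes], known_value: int) -> Dict[str, object]:
    """Run the three checks; first two captures are the same action repeated."""
    return {
        "varies_between_identical_actions": sorted(variable_offsets(packets[:2])),
        "varies_with_amount_too": sorted(variable_offsets(packets)),
        "known_value_at": find_value(packets[0], known_value),
        "seq_counter_at_3": looks_like_counter(packets, 3, 4),
        "seq_counter_at_7": looks_like_counter(packets, 7, 2),
    }


if __name__ == "__main__":
    for key, val in analyze(CAPTURES, 22).items():
        print(f"{key}: {val}")
```

Offsets that change even when the action is identical (here 3 and 7-8) are the timestamp/counter/checksum candidates; an offset that only changes with the amount (here 2) is a plain parameter.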