RCE and stuff

02/16/2010 12:24 biocloc#1
Hello KalComy,

I hope you people can help me,
I am currently checking and learning RCE

I am debugging the KalEngine a bit atm
and found out where the Recv/Sending function is

Code:
    push ebp
    mov ebp, esp
    sub esp, 18h
and I checked the old INT source, so I saw the SearchPattern func didn't change at all, same as the asm part...

but what I'm asking is ... how did you guys come up with these values?...

Code:
DWORD SendPacketMain_ = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",0x00400000,0x007FFFFF);
DWORD SendPacketMain  = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",SendPacketMain_+1,0x007FFFFF);
DWORD SendPacketBack  = SendPacketMain + 0x06;
I marked the offsets I mean in red,
hope you can help me to understand it (and to learn more about RCE)
thanks

.biocloc.
02/16/2010 16:57 Thiesius#2
SearchPattern is used to find a byte array (or better, a sequence of asm opcodes). It scans memory for the given pattern and returns the address where the pattern was found (if it was).

0x00400000,0x007FFFFF
It will scan the memory address space between 0x00400000 and 0x007FFFFF.

If the address is found, then intercept or any other hooking/detouring function can be used.

Intercept replaces the original bytes with an unconditional jump to your hook function.

SendPacketBack = SendPacketMain + 0x06
It's used to jump back to the original function when the hook function has finished all given tasks.
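As an added example (not code from the thread, the KalEngine or the INT source), here is a C model of what SearchPattern does: parse a wildcard signature like the one quoted above, scan a byte buffer for it, and repeat the search from first hit + 1 as the quoted lines do. The 96-byte "image", the wildcard bytes and the function names are constructed for this illustration; the +0x06 in the quoted code is the length of the three prologue instructions (push ebp; mov ebp, esp; sub esp, 18h = 1 + 2 + 3 bytes), so the jump-back address is the first instruction after them.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse "55 8B EC x x 00" into bytes[]/mask[] (mask 1 = must match, 0 = wildcard 'x').
   Returns the pattern length, or -1 on a malformed token or if max is exceeded. */
static int parse_pattern(const char *pat, uint8_t *bytes, uint8_t *mask, size_t max) {
    size_t n = 0;
    for (const char *p = pat; *p; n++) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (n >= max) return -1;
        if (*p == 'x' || *p == 'X') { bytes[n] = 0; mask[n] = 0; p++; }
        else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            char hex[3] = { p[0], p[1], 0 };
            bytes[n] = (uint8_t)strtoul(hex, NULL, 16); mask[n] = 1; p += 2;
        } else return -1;
        if (*p && *p != ' ') return -1;
    }
    return (int)n;
}

/* Scan buf[start..len) for the pattern (SearchPattern's job, over a plain byte buffer); returns first hit or -1. */
long search_pattern(const uint8_t *buf, size_t len, size_t start, const char *pat) {
    uint8_t bytes[64], mask[64];
    int n = parse_pattern(pat, bytes, mask, sizeof bytes);
    if (n <= 0 || len < (size_t)n) return -1;
    for (size_t off = start; off + (size_t)n <= len; off++) {
        size_t i = 0;
        while (i < (size_t)n && (!mask[i] || buf[off + i] == bytes[i])) i++;
        if (i == (size_t)n) return (long)off;
    }
    return -1;
}

/* Constructed 96-byte sample "image": NOP filler and two copies of the prologue quoted in the thread.
   Repeats the thread's two-step lookup (second search from first hit + 1); hits land in out[2]. */
long demo_two_step_lookup(long out[2]) {
    static const uint8_t proto[25] = { 0x55,0x8B,0xEC,0x83,0xEC,0x18,0x83,0x3D,0x11,0x22,0x33,0x44,
        0x00,0x74,0x07,0x33,0xC0,0xE9,0xAA,0xBB,0xCC,0xDD,0x8A,0x45,0x08 };
    const char *pat = "55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08";
    uint8_t img[96]; long tmp[2]; if (!out) out = tmp;
    memset(img, 0x90, sizeof img);
    memcpy(img + 16, proto, sizeof proto); memcpy(img + 56, proto, sizeof proto);
    img[56 + 8] = 0x99;  /* differs only at a wildcard position: must still match */
    out[0] = search_pattern(img, sizeof img, 0, pat);
    out[1] = out[0] < 0 ? -1 : search_pattern(img, sizeof img, (size_t)out[0] + 1, pat);
    return out[1];
}
```

With this sample the first hit is at offset 16 and the second at 56, so the equivalent of SendPacketBack is 56 + 0x06 = 62, the byte right after `sub esp, 18h`.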
02/16/2010 18:54 biocloc#3
Got the send func working / sniff too, but something is seriously wrong or the packets just got changed, for example 2nd Password login == 0x75 ??? I remember it was 0x88 ... I think something is wrong

however now I need to check how I can bypass the Hackshield manipulation, because every 2-3 minutes I get this manipulation error // or does someone know how to fix it? Hints would be great.
02/16/2010 20:23 Thiesius#4
Yea they changed some packet types. But I don't know how many of them were actually changed...

To get some info about the Memory Manipulation error, you can view my topic.

There is some info. Well I'm still signed for that thing, but I haven't been working on it in last days. I have some things to do.
If you want to reverse HShield, then be my guest :D
02/16/2010 21:14 meak1#5
Quote:
Originally Posted by biocloc View Post
Got the send func working / sniff too, but something is seriously wrong or the packets just got changed, for example 2nd Password login == 0x75 ??? I remember it was 0x88 ... I think something is wrong

however now I need to check how I can bypass the Hackshield manipulation, because every 2-3 minutes I get this manipulation error // or does someone know how to fix it? Hints would be great.
a tip: u don't need send for bot^^
02/16/2010 22:10 biocloc#6
@meak I am not only talking about KAL, I am talking about the complete RCE scene :>
but what do you mean, I don't need SendToServer ??

@Thiesius yeah I can communicate with you about HShield, but if I am correct the hackshield has a 3-minute connect status which allows me 3 minutes to debug hShield()
but I don't know if it still works. But I don't think it will help ;/

// oh by the way, I think something is wrong @SendFunc... they would never change packet headers, it would take too much time
02/16/2010 22:32 katze123#7
but they changed e.g. 2nd pw from 0x88 to 0x75 :)
02/16/2010 22:40 Thiesius#8
@SendFunc is alright... you can trace a packet forging function in olly... you will see.
Read the above-mentioned topic for some HShield and engine info (that might give you some clues as to how it currently works), or PM me...
02/16/2010 22:41 biocloc#9
and move, move+stop to 0x11 // 0x12, wasn't say() 0x11?

I just think there is a mistake @source... because I can't believe it, I think I will use FingerPrints, I like it more...

@Thiesius, I checked your thread.

well, going to sleep now, see ya guys
02/16/2010 23:27 MoepMeep#10
They really changed the headers ;)
02/17/2010 17:43 meak1#11
I mean u didn't need to hook send, only use ;O