Permission for Progression

TheComputerist · 08/31/2013, 03:07

I'll spare you the horrible story on my troubles with RE and understanding Conquer from IDA and Ollydbg.

I've looked into the play.exe of Conquer and the AutoPatch. I'm under the impression that the play.exe is just a debug check of a persons computer and compatibility issue. I've already managed to bypass the (what I hope is the only) level of Update checking, hint: " blacknull".

Is there anything I should know from the play.exe or AutoPatch that might be critical to the performance of the Conquer client before I try to hit it next by finding WSA calls and send + recvs to actually (attempt to) get a Logging system going ?

Lateralus · 08/31/2013, 04:28

There's really no reason why you can't hook those calls now from what I know. The only check is the blacknull string passed from the autopatch file as a parameter check, which you've mentioned you've bypassed.

TheComputerist · 08/31/2013, 04:57

Thanks I see you're point when you mentioned hooking those calls. I've already located them(As in the single function's that utilizes them for sending and receiving traffic).
I just needed some reassurance that if I was to hook them that I wouldn't spend a couple of hours searching within the conglomerate **** ton of calls that those functions get through reference (as in the hierarchy of code that lead to a call to rather it be send, sendto, and recvfrom) for some error that might had been caused by the AutoPatch not passing extra information to Conquer.exe (which I doubted since it made little sense to me seeing that it was a process within itself and not a child window that might have had memory access to the AutoPatch).

Since I do not want to spam the forum with individual questions, I guess I'll ask here. I ended up reading an article about the Encryption Conquer uses. Which specified 2 keys for login/ Auth and then the 2 new keys for actual in-game play(At least that's what I think I read it to be). Does that still stands to this date? (I'll take a guess and say yes since I've noticed that all network related logic end up going down into one of 4 functions before being sent to server. I'm not sure about recvfrom for now.).

{ Angelius } · 08/31/2013, 06:42

Quote:

Originally Posted by TheComputerist

I've already managed to bypass the (what I hope is the only) level of Update checking, hint: " blacknull".

Correct. but by blacknull'ing Conquer.exe you discarded 1 important step of the process of connecting to the server which will result in your account getting banned.

When AutoPatch.exe is launched it sends the current client version in plain text to the server and then the server verifies it and replays back with the string "READY" if the version matches, Otherwise the replay is "UPDATE".

Conquer.exe does pretty much the same thing.

TheComputerist · 08/31/2013, 07:03

I see, well that could had ended tragically for me. Not that I was going to use this for a bot luckily, I'm just trying to make a private server for experience, but regardless. Time to hop on wireshark. So it must be the server that keeps track via IP(going to check the packets to see)? And on a side note, What can you tell me encryption wise. I know you won't give me the keys(obviously) but is it just a big system that uses switching encrypted headers to check for what to do with the packet?

Does this seem right?

.?.a..p...t...E.
.,[email protected]......
s..`%C........P.
...]..5777

p...t..? .a....E.
.-.\@.o. [.&R.W...
.%8...n ~..!C.P
...... ..REA DY

I think that might be the packet you where telling me about.
I believe I found the function that does this whole thing. But sadly I found it in the AutoPatch not the Conquer.exe so I don't know of how much use it might be to me (_410C80)

{ Angelius } · 09/02/2013, 05:28

Quote:

Originally Posted by TheComputerist

Does this seem right?

.?.a..p...t...E.
.,[email protected]......
s..`%C........P.
...]..5777

p...t..? .a....E.
.-.\@.o. [.&R.W...
.%8...n ~..!C.P
...... ..REA DY

I think that might be the packet you where telling me about.
I believe I found the function that does this whole thing. But sadly I found it in the AutoPatch not the Conquer.exe so I don't know of how much use it might be to me (_410C80)

Yes that's it... The one in conquer.exe doesn't really matter unless you are planing on going client-less.
If the purpose of this whole thing is to make a private server then the AutoPatch.exe doesn't matter and blacknull'ing conquer.exe is OK as long as you block any outgoing connections from it (Except for ports 5816/9959).

About the Encryption you should search the forum a bit and i am sure you will find all the information you need.

phize · 09/02/2013, 13:00

Quote:

Originally Posted by { Angelius }

Correct. but by blacknull'ing Conquer.exe you discarded 1 important step of the process of connecting to the server which will result in your account getting banned.

When AutoPatch.exe is launched it sends the current client version in plain text to the server and then the server verifies it and replays back with the string "READY" if the version matches, Otherwise the replay is "UPDATE".

Conquer.exe does pretty much the same thing.

I've been running the client with blacknull argument forever now without any issues.

CptSky · 09/02/2013, 16:17

Quote:

Originally Posted by { Angelius }

Correct. but by blacknull'ing Conquer.exe you discarded 1 important step of the process of connecting to the server which will result in your account getting banned.

When AutoPatch.exe is launched it sends the current client version in plain text to the server and then the server verifies it and replays back with the string "READY" if the version matches, Otherwise the replay is "UPDATE".

Conquer.exe does pretty much the same thing.

The AutoPatch server will deal with that. I don't think it communicates to the AccServer / MsgServer to say that the client is valid or not... It might have been added recently if it does.

TheComputerist · 09/03/2013, 03:37

I recently(today) blacknull'ed my 5777 client and the client asked me to update my CO2 client(to 5778). So I guess this is a verification that yes the client does check again after AutoPatch checks the client version.
I blacknull'ed my client again and logged in with the recently updated client and I didn't get instantly banned. But guess what! After about 10 minutes the account I used to log in get's a 1 day ban for suspicion of using a bot. I'm not too sure what to make of this.

(Hope someone out there trying to make a bot finds this useful. As for me, I can't find the **** encryption function of the client.)

{ Angelius } · 09/03/2013, 09:55

Quote:

Originally Posted by phize

I've been running the client with blacknull argument forever now without any issues.

On realco, on the latest patch, by just blacknulling the exe? i don't think so.

Quote:

Originally Posted by CptSky

The AutoPatch server will deal with that. I don't think it communicates to the AccServer / MsgServer to say that the client is valid or not... It might have been added recently if it does.

Trust me It does. Now i am not sure when that shit was added but its there and you can load the AutoPatch.exe/Conquer.exe into olly and search/breakpoint on one of these strings UPDATE/READY.

Quote:

Originally Posted by TheComputerist

I recently(today) blacknull'ed my 5777 client and the client asked me to update my CO2 client(to 5778). So I guess this is a verification that yes the client does check again after AutoPatch checks the client version.
I blacknull'ed my client again and logged in with the recently updated client and I didn't get instantly banned. But guess what! After about 10 minutes the account I used to log in get's a 1 day ban for suspicion of using a bot. I'm not too sure what to make of this.

The 10 minutes could extend to 30 minutes before the account is restricted and you don't have to be online for it to ban you.

Quote:

Originally Posted by TheComputerist

As for me, I can't find the damn encryption function of the client.

There you have it Cast_Encrypt:

Spoiler

PHP Code:



CPU Disasm
Address   Hex dump          Command                                  Comments
007C4230  /$  B8 08000000   MOV EAX,8                                ; conquer.007C4230(guessed Arg1,Arg2,Arg3,Arg4,Arg5,Arg6,Arg7)
007C4235  |.  E8 36400700   CALL 00838270                            ; Allocates 8. bytes on stack
007C423A  |.  837C24 24 00  CMP DWORD PTR SS:[ARG.7],0
007C423F  |.  8B4424 20     MOV EAX,DWORD PTR SS:[ARG.6]
007C4243  |.  53            PUSH EBX
007C4244  |.  55            PUSH EBP
007C4245  |.  8B6C24 1C     MOV EBP,DWORD PTR SS:[ARG.3]
007C4249  |.  56            PUSH ESI
007C424A  |.  8B30          MOV ESI,DWORD PTR DS:[EAX]
007C424C  |.  57            PUSH EDI
007C424D  |.  0F84 EA000000 JE 007C433D
007C4253  |.  85ED          TEST EBP,EBP
007C4255  |.  0F84 CA010000 JZ 007C4425
007C425B  |.  8B7C24 2C     MOV EDI,DWORD PTR SS:[ARG.5]
007C425F  |.  90            NOP
007C4260  |>  4D            /DEC EBP
007C4261  |.  85F6          |TEST ESI,ESI
007C4263  |.  0F85 9E000000 |JNZ 007C4307
007C4269  |.  0FB60F        |MOVZX ECX,BYTE PTR DS:[EDI]
007C426C  |.  8D5F 01       |LEA EBX,[EDI+1]
007C426F  |.  C1E1 18       |SHL ECX,18
007C4272  |.  8BC3          |MOV EAX,EBX
007C4274  |.  0FB610        |MOVZX EDX,BYTE PTR DS:[EAX]
007C4277  |.  C1E2 10       |SHL EDX,10
007C427A  |.  0BCA          |OR ECX,EDX
007C427C  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
007C4280  |.  40            |INC EAX
007C4281  |.  C1E2 08       |SHL EDX,8
007C4284  |.  0BCA          |OR ECX,EDX
007C4286  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
007C428A  |.  0BCA          |OR ECX,EDX
007C428C  |.  40            |INC EAX
007C428D  |.  40            |INC EAX
007C428E  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
007C4292  |.  894C24 10     |MOV DWORD PTR SS:[LOCAL.1],ECX
007C4296  |.  0FB608        |MOVZX ECX,BYTE PTR DS:[EAX]
007C4299  |.  40            |INC EAX
007C429A  |.  C1E2 10       |SHL EDX,10
007C429D  |.  C1E1 18       |SHL ECX,18
007C42A0  |.  0BCA          |OR ECX,EDX
007C42A2  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
007C42A6  |.  40            |INC EAX
007C42A7  |.  0FB640 01     |MOVZX EAX,BYTE PTR DS:[EAX+1]
007C42AB  |.  C1E2 08       |SHL EDX,8
007C42AE  |.  0BD0          |OR EDX,EAX
007C42B0  |.  0BD1          |OR EDX,ECX
007C42B2  |.  8B4C24 28     |MOV ECX,DWORD PTR SS:[ARG.4]
007C42B6  |.  895424 14     |MOV DWORD PTR SS:[LOCAL.0],EDX
007C42BA  |.  51            |PUSH ECX
007C42BB  |.  8D5424 14     |LEA EDX,[LOCAL.1]
007C42BF  |.  52            |PUSH EDX
007C42C0  |.  E8 FBE00700   |CALL 008423C0
007C42C5  |.  8B4C24 18     |MOV ECX,DWORD PTR SS:[LOCAL.1]
007C42C9  |.  8BC1          |MOV EAX,ECX
007C42CB  |.  C1E8 18       |SHR EAX,18
007C42CE  |.  8807          |MOV BYTE PTR DS:[EDI],AL
007C42D0  |.  8BD1          |MOV EDX,ECX
007C42D2  |.  C1EA 10       |SHR EDX,10
007C42D5  |.  8BC3          |MOV EAX,EBX
007C42D7  |.  8810          |MOV BYTE PTR DS:[EAX],DL
007C42D9  |.  40            |INC EAX
007C42DA  |.  8BD1          |MOV EDX,ECX
007C42DC  |.  C1EA 08       |SHR EDX,8
007C42DF  |.  8810          |MOV BYTE PTR DS:[EAX],DL
007C42E1  |.  8848 01       |MOV BYTE PTR DS:[EAX+1],CL
007C42E4  |.  8B4C24 1C     |MOV ECX,DWORD PTR SS:[LOCAL.0]
007C42E8  |.  40            |INC EAX
007C42E9  |.  40            |INC EAX
007C42EA  |.  8BD1          |MOV EDX,ECX
007C42EC  |.  C1EA 18       |SHR EDX,18
007C42EF  |.  8810          |MOV BYTE PTR DS:[EAX],DL
007C42F1  |.  40            |INC EAX
007C42F2  |.  8BD1          |MOV EDX,ECX
007C42F4  |.  C1EA 10       |SHR EDX,10
007C42F7  |.  8810          |MOV BYTE PTR DS:[EAX],DL
007C42F9  |.  40            |INC EAX
007C42FA  |.  8BD1          |MOV EDX,ECX
007C42FC  |.  83C4 08       |ADD ESP,8
007C42FF  |.  C1EA 08       |SHR EDX,8
007C4302  |.  8810          |MOV BYTE PTR DS:[EAX],DL
007C4304  |.  8848 01       |MOV BYTE PTR DS:[EAX+1],CL
007C4307  |>  8B4C24 1C     |MOV ECX,DWORD PTR SS:[ARG.1]
007C430B  |.  8A01          |MOV AL,BYTE PTR DS:[ECX]
007C430D  |.  32043E        |XOR AL,BYTE PTR DS:[EDI+ESI]
007C4310  |.  41            |INC ECX
007C4311  |.  894C24 1C     |MOV DWORD PTR SS:[ARG.1],ECX
007C4315  |.  8B4C24 20     |MOV ECX,DWORD PTR SS:[ARG.2]
007C4319  |.  8801          |MOV BYTE PTR DS:[ECX],AL
007C431B  |.  88043E        |MOV BYTE PTR DS:[EDI+ESI],AL
007C431E  |.  46            |INC ESI
007C431F  |.  41            |INC ECX
007C4320  |.  83E6 07       |AND ESI,00000007
007C4323  |.  894C24 20     |MOV DWORD PTR SS:[ARG.2],ECX
007C4327  |.  85ED          |TEST EBP,EBP
007C4329  |.^ 0F85 31FFFFFF \JNZ 007C4260
007C432F  |.  8B4424 30     MOV EAX,DWORD PTR SS:[ARG.6]
007C4333  |.  5F            POP EDI
007C4334  |.  8930          MOV DWORD PTR DS:[EAX],ESI
007C4336  |.  5E            POP ESI
007C4337  |.  5D            POP EBP
007C4338  |.  5B            POP EBX
007C4339  |.  83C4 08       ADD ESP,8
007C433C  |.  C3            RETN
007C433D  |>  85ED          TEST EBP,EBP
007C433F  |.  0F84 E0000000 JZ 007C4425
007C4345  |.  8B7C24 2C     MOV EDI,DWORD PTR SS:[ARG.5]
007C4349  |.  8DA424 000000 LEA ESP,[LOCAL.5]
007C4350  |>  4D            /DEC EBP
007C4351  |.  85F6          |TEST ESI,ESI
007C4353  |.  0F85 9E000000 |JNZ 007C43F7
007C4359  |.  0FB60F        |MOVZX ECX,BYTE PTR DS:[EDI]
007C435C  |.  8D5F 01       |LEA EBX,[EDI+1]
007C435F  |.  C1E1 18       |SHL ECX,18
007C4362  |.  8BC3          |MOV EAX,EBX
007C4364  |.  0FB610        |MOVZX EDX,BYTE PTR DS:[EAX]
007C4367  |.  C1E2 10       |SHL EDX,10
007C436A  |.  0BCA          |OR ECX,EDX
007C436C  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
007C4370  |.  40            |INC EAX
007C4371  |.  C1E2 08       |SHL EDX,8
007C4374  |.  0BCA          |OR ECX,EDX
007C4376  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
007C437A  |.  0BCA          |OR ECX,EDX
007C437C  |.  40            |INC EAX
007C437D  |.  40            |INC EAX
007C437E  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
007C4382  |.  894C24 10     |MOV DWORD PTR SS:[LOCAL.1],ECX
007C4386  |.  0FB608        |MOVZX ECX,BYTE PTR DS:[EAX]
007C4389  |.  40            |INC EAX
007C438A  |.  C1E2 10       |SHL EDX,10
007C438D  |.  C1E1 18       |SHL ECX,18
007C4390  |.  0BCA          |OR ECX,EDX
007C4392  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
007C4396  |.  40            |INC EAX
007C4397  |.  0FB640 01     |MOVZX EAX,BYTE PTR DS:[EAX+1]
007C439B  |.  C1E2 08       |SHL EDX,8
007C439E  |.  0BD0          |OR EDX,EAX
007C43A0  |.  0BD1          |OR EDX,ECX
007C43A2  |.  8B4C24 28     |MOV ECX,DWORD PTR SS:[ARG.4]
007C43A6  |.  895424 14     |MOV DWORD PTR SS:[LOCAL.0],EDX
007C43AA  |.  51            |PUSH ECX
007C43AB  |.  8D5424 14     |LEA EDX,[LOCAL.1]
007C43AF  |.  52            |PUSH EDX
007C43B0  |.  E8 0BE00700   |CALL 008423C0
007C43B5  |.  8B4C24 18     |MOV ECX,DWORD PTR SS:[LOCAL.1]
007C43B9  |.  8BC1          |MOV EAX,ECX
007C43BB  |.  C1E8 18       |SHR EAX,18
007C43BE  |.  8807          |MOV BYTE PTR DS:[EDI],AL
007C43C0  |.  8BD1          |MOV EDX,ECX
007C43C2  |.  C1EA 10       |SHR EDX,10
007C43C5  |.  8BC3          |MOV EAX,EBX
007C43C7  |.  8810          |MOV BYTE PTR DS:[EAX],DL
007C43C9  |.  40            |INC EAX
007C43CA  |.  8BD1          |MOV EDX,ECX
007C43CC  |.  C1EA 08       |SHR EDX,8
007C43CF  |.  8810          |MOV BYTE PTR DS:[EAX],DL
007C43D1  |.  8848 01       |MOV BYTE PTR DS:[EAX+1],CL
007C43D4  |.  8B4C24 1C     |MOV ECX,DWORD PTR SS:[LOCAL.0]
007C43D8  |.  40            |INC EAX
007C43D9  |.  40            |INC EAX
007C43DA  |.  8BD1          |MOV EDX,ECX
007C43DC  |.  C1EA 18       |SHR EDX,18
007C43DF  |.  8810          |MOV BYTE PTR DS:[EAX],DL
007C43E1  |.  40            |INC EAX
007C43E2  |.  8BD1          |MOV EDX,ECX
007C43E4  |.  C1EA 10       |SHR EDX,10
007C43E7  |.  8810          |MOV BYTE PTR DS:[EAX],DL
007C43E9  |.  40            |INC EAX
007C43EA  |.  8BD1          |MOV EDX,ECX
007C43EC  |.  83C4 08       |ADD ESP,8
007C43EF  |.  C1EA 08       |SHR EDX,8
007C43F2  |.  8810          |MOV BYTE PTR DS:[EAX],DL
007C43F4  |.  8848 01       |MOV BYTE PTR DS:[EAX+1],CL
007C43F7  |>  8B4C24 1C     |MOV ECX,DWORD PTR SS:[ARG.1]
007C43FB  |.  8A01          |MOV AL,BYTE PTR DS:[ECX]
007C43FD  |.  41            |INC ECX
007C43FE  |.  894C24 1C     |MOV DWORD PTR SS:[ARG.1],ECX
007C4402  |.  8A0C3E        |MOV CL,BYTE PTR DS:[EDI+ESI]
007C4405  |.  88043E        |MOV BYTE PTR DS:[EDI+ESI],AL
007C4408  |.  32C1          |XOR AL,CL
007C440A  |.  8B4C24 20     |MOV ECX,DWORD PTR SS:[ARG.2]
007C440E  |.  46            |INC ESI
007C440F  |.  8801          |MOV BYTE PTR DS:[ECX],AL
007C4411  |.  41            |INC ECX
007C4412  |.  83E6 07       |AND ESI,00000007
007C4415  |.  894C24 20     |MOV DWORD PTR SS:[ARG.2],ECX
007C4419  |.  85ED          |TEST EBP,EBP
007C441B  |.^ 0F85 2FFFFFFF \JNZ 007C4350
007C4421  |.  8B4424 30     MOV EAX,DWORD PTR SS:[ARG.6]
007C4425  |>  5F            POP EDI
007C4426  |.  8930          MOV DWORD PTR DS:[EAX],ESI
007C4428  |.  5E            POP ESI
007C4429  |.  5D            POP EBP
007C442A  |.  5B            POP EBX
007C442B  |.  83C4 08       ADD ESP,8
007C442E  \.  C3            RETN

Conquer.exe|ASM

Spoiler

PHP Code:



0079A040  /$  55            PUSH EBP                                
0079A041  |.  8DAC24 60FDFF LEA EBP,[LOCAL.168]
0079A048  |.  81EC 34030000 SUB ESP,334
0079A04E  |.  A1 543A9D00   MOV EAX,DWORD PTR DS:[9D3A54]

....

0079A13A  |.  FF15 7CBA8A00 CALL DWORD PTR DS:[<&WS2_32.#4>]         ; \WS2_32.connect
0079A140  |.  8D4D 74       LEA ECX,[LOCAL.139]
0079A143  |.  51            PUSH ECX                                 ; /Arg5 => OFFSET LOCAL.139
0079A144  |.  53            PUSH EBX                                 ; |Arg4
0079A145  |.  8D8D 6CFFFFFF LEA ECX,[LOCAL.205]                      ; |
0079A14B  |.  51            PUSH ECX                                 ; |Arg3 => OFFSET LOCAL.205
0079A14C  |.  8D46 01       LEA EAX,[ESI+1]                          ; |
0079A14F  |.  53            PUSH EBX                                 ; |Arg2
0079A150  |.  50            PUSH EAX                                 ; |Arg1
0079A151  |.  FF15 A4BA8A00 CALL DWORD PTR DS:[<&WS2_32.#18>]        ; \WS2_32.select
0079A157  |.  85C0          TEST EAX,EAX
0079A159  |.  0F8E 92000000 JLE 0079A1F1
0079A15F  |.  8D45 7C       LEA EAX,[LOCAL.137]
0079A162  |.  50            PUSH EAX                                 ; /parg => OFFSET LOCAL.137
0079A163  |.  68 7E660480   PUSH 8004667E                            ; |cmd = FIONBIO
0079A168  |.  56            PUSH ESI                                 ; |socket
0079A169  |.  895D 7C       MOV DWORD PTR SS:[LOCAL.137],EBX         ; |
0079A16C  |.  FF15 74BA8A00 CALL DWORD PTR DS:[<&WS2_32.#10>]        ; \WS2_32.ioctlsocket
0079A172  |.  8D85 98010000 LEA EAX,[LOCAL.66]
0079A178  |.  53            PUSH EBX
0079A179  |.  50            PUSH EAX
0079A17A  |.  E8 E3DF0900   CALL <JMP.&MSVCR90.strlen>               ; Jump to MSVCR90.strlen
0079A17F  |.  59            POP ECX
0079A180  |.  50            PUSH EAX                                 ; |Arg3
0079A181  |.  8D85 98010000 LEA EAX,[LOCAL.66]                       ; |
0079A187  |.  50            PUSH EAX                                 ; |Arg2 => OFFSET LOCAL.66
0079A188  |.  56            PUSH ESI                                 ; |Arg1
0079A189  |.  FF15 6CBA8A00 CALL DWORD PTR DS:[<&WS2_32.#19>]        ; \WS2_32.send
0079A18F  |.  8D45 74       LEA EAX,[LOCAL.139]
0079A192  |.  50            PUSH EAX                                 ; /Arg5 => OFFSET LOCAL.139
0079A193  |.  53            PUSH EBX                                 ; |Arg4
0079A194  |.  53            PUSH EBX                                 ; |Arg3
0079A195  |.  8D85 6CFFFFFF LEA EAX,[LOCAL.205]                      ; |
0079A19B  |.  50            PUSH EAX                                 ; |Arg2 => OFFSET LOCAL.205
0079A19C  |.  8D46 01       LEA EAX,[ESI+1]                          ; |
0079A19F  |.  50            PUSH EAX                                 ; |Arg1
0079A1A0  |.  89B5 70FFFFFF MOV DWORD PTR SS:[LOCAL.204],ESI         ; |
0079A1A6  |.  89BD 6CFFFFFF MOV DWORD PTR SS:[LOCAL.205],EDI         ; |
0079A1AC  |.  C745 74 03000 MOV DWORD PTR SS:[LOCAL.139],3           ; |
0079A1B3  |.  895D 78       MOV DWORD PTR SS:[LOCAL.138],EBX         ; |
0079A1B6  |.  FF15 A4BA8A00 CALL DWORD PTR DS:[<&WS2_32.#18>]        ; \WS2_32.select
0079A1BC  |.  85C0          TEST EAX,EAX
0079A1BE  |.  7E 31         JLE SHORT 0079A1F1
0079A1C0  |.  53            PUSH EBX                                 ; /Arg4
0079A1C1  |.  68 FF000000   PUSH 0FF                                 ; |Arg3 = 0FF
0079A1C6  |.  8D85 94000000 LEA EAX,[LOCAL.131]                      ; |
0079A1CC  |.  50            PUSH EAX                                 ; |Arg2 => OFFSET LOCAL.131
0079A1CD  |.  56            PUSH ESI                                 ; |Arg1
0079A1CE  |.  FF15 88BA8A00 CALL DWORD PTR DS:[<&WS2_32.#16>]        ; \WS2_32.recv
0079A1D4  |.  8D85 94000000 LEA EAX,[LOCAL.131]
//Received string against UPDATE
0079A1DA  |.  68 D86E9100   PUSH 00916ED8                            ; /Arg2 = ASCII "UPDATE"
0079A1DF  |.  50            PUSH EAX                                 ; |Arg1 => OFFSET LOCAL.131
0079A1E0  |.  FF15 70B68A00 CALL DWORD PTR DS:[<&MSVCR90.strstr>]    ; \MSVCR90.strstr
0079A1E6  |.  59            POP ECX
0079A1E7  |.  85C0          TEST EAX,EAX
0079A1E9  |.  59            POP ECX
0079A1EA  |.  0F9585 830000 SETNZ BYTE PTR SS:[LOCAL.136+3]
0079A1F1  |>  3BF3          CMP ESI,EBX
0079A1F3  |.  74 07         JE SHORT 0079A1FC
0079A1F5  |.  56            PUSH ESI                                 ; /Arg1
0079A1F6  |.  FF15 94BA8A00 CALL DWORD PTR DS:[<&WS2_32.#3>]         ; \WS2_32.closesocket
0079A1FC  |>  8A85 83000000 MOV AL,BYTE PTR SS:[LOCAL.136+3]
0079A202  |.  5F            POP EDI
0079A203  |.  5E            POP ESI
0079A204  |.  EB 02         JMP SHORT 0079A208
0079A206  |>  32C0          XOR AL,AL
0079A208  |>  8B8D 9C020000 MOV ECX,DWORD PTR SS:[LOCAL.1]
0079A20E  |.  33CD          XOR ECX,EBP
0079A210  |.  5B            POP EBX
0079A211  |.  E8 14DE0900   CALL 0083802A
0079A216  |.  81C5 A0020000 ADD EBP,2A0
0079A21C  |.  C9            LEAVE
0079A21D  \.  C3            RETN

TheComputerist · 09/03/2013, 13:19

Quote:

Originally Posted by { Angelius }

There you have it Cast_Encrypt:

Spoiler

PHP Code:

CPU Disasm Address Hex dump Command Comments 007C4230 /$ B8 08000000 MOV EAX,8 ; conquer.007C4230(guessed Arg1,Arg2,Arg3,Arg4,Arg5,Arg6,Arg7) 007C4235 |. E8 36400700 CALL 00838270 ; Allocates 8. bytes on stack 007C423A |. 837C24 24 00 CMP DWORD PTR SS:[ARG.7],0 007C423F |. 8B4424 20 MOV EAX,DWORD PTR SS:[ARG.6] 007C4243 |. 53 PUSH EBX 007C4244 |. 55 PUSH EBP 007C4245 |. 8B6C24 1C MOV EBP,DWORD PTR SS:[ARG.3] 007C4249 |. 56 PUSH ESI 007C424A |. 8B30 MOV ESI,DWORD PTR DS:[EAX] 007C424C |. 57 PUSH EDI 007C424D |. 0F84 EA000000 JE 007C433D 007C4253 |. 85ED TEST EBP,EBP 007C4255 |. 0F84 CA010000 JZ 007C4425 007C425B |. 8B7C24 2C MOV EDI,DWORD PTR SS:[ARG.5] 007C425F |. 90 NOP 007C4260 |> 4D /DEC EBP 007C4261 |. 85F6 |TEST ESI,ESI 007C4263 |. 0F85 9E000000 |JNZ 007C4307 007C4269 |. 0FB60F |MOVZX ECX,BYTE PTR DS:[EDI] 007C426C |. 8D5F 01 |LEA EBX,[EDI+1] 007C426F |. C1E1 18 |SHL ECX,18 007C4272 |. 8BC3 |MOV EAX,EBX 007C4274 |. 0FB610 |MOVZX EDX,BYTE PTR DS:[EAX] 007C4277 |. C1E2 10 |SHL EDX,10 007C427A |. 0BCA |OR ECX,EDX 007C427C |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] 007C4280 |. 40 |INC EAX 007C4281 |. C1E2 08 |SHL EDX,8 007C4284 |. 0BCA |OR ECX,EDX 007C4286 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] 007C428A |. 0BCA |OR ECX,EDX 007C428C |. 40 |INC EAX 007C428D |. 40 |INC EAX 007C428E |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] 007C4292 |. 894C24 10 |MOV DWORD PTR SS:[LOCAL.1],ECX 007C4296 |. 0FB608 |MOVZX ECX,BYTE PTR DS:[EAX] 007C4299 |. 40 |INC EAX 007C429A |. C1E2 10 |SHL EDX,10 007C429D |. C1E1 18 |SHL ECX,18 007C42A0 |. 0BCA |OR ECX,EDX 007C42A2 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] 007C42A6 |. 40 |INC EAX 007C42A7 |. 0FB640 01 |MOVZX EAX,BYTE PTR DS:[EAX+1] 007C42AB |. C1E2 08 |SHL EDX,8 007C42AE |. 0BD0 |OR EDX,EAX 007C42B0 |. 0BD1 |OR EDX,ECX 007C42B2 |. 8B4C24 28 |MOV ECX,DWORD PTR SS:[ARG.4] 007C42B6 |. 895424 14 |MOV DWORD PTR SS:[LOCAL.0],EDX 007C42BA |. 51 |PUSH ECX 007C42BB |. 8D5424 14 |LEA EDX,[LOCAL.1] 007C42BF |. 52 |PUSH EDX 007C42C0 |. E8 FBE00700 |CALL 008423C0 007C42C5 |. 8B4C24 18 |MOV ECX,DWORD PTR SS:[LOCAL.1] 007C42C9 |. 8BC1 |MOV EAX,ECX 007C42CB |. C1E8 18 |SHR EAX,18 007C42CE |. 8807 |MOV BYTE PTR DS:[EDI],AL 007C42D0 |. 8BD1 |MOV EDX,ECX 007C42D2 |. C1EA 10 |SHR EDX,10 007C42D5 |. 8BC3 |MOV EAX,EBX 007C42D7 |. 8810 |MOV BYTE PTR DS:[EAX],DL 007C42D9 |. 40 |INC EAX 007C42DA |. 8BD1 |MOV EDX,ECX 007C42DC |. C1EA 08 |SHR EDX,8 007C42DF |. 8810 |MOV BYTE PTR DS:[EAX],DL 007C42E1 |. 8848 01 |MOV BYTE PTR DS:[EAX+1],CL 007C42E4 |. 8B4C24 1C |MOV ECX,DWORD PTR SS:[LOCAL.0] 007C42E8 |. 40 |INC EAX 007C42E9 |. 40 |INC EAX 007C42EA |. 8BD1 |MOV EDX,ECX 007C42EC |. C1EA 18 |SHR EDX,18 007C42EF |. 8810 |MOV BYTE PTR DS:[EAX],DL 007C42F1 |. 40 |INC EAX 007C42F2 |. 8BD1 |MOV EDX,ECX 007C42F4 |. C1EA 10 |SHR EDX,10 007C42F7 |. 8810 |MOV BYTE PTR DS:[EAX],DL 007C42F9 |. 40 |INC EAX 007C42FA |. 8BD1 |MOV EDX,ECX 007C42FC |. 83C4 08 |ADD ESP,8 007C42FF |. C1EA 08 |SHR EDX,8 007C4302 |. 8810 |MOV BYTE PTR DS:[EAX],DL 007C4304 |. 8848 01 |MOV BYTE PTR DS:[EAX+1],CL 007C4307 |> 8B4C24 1C |MOV ECX,DWORD PTR SS:[ARG.1] 007C430B |. 8A01 |MOV AL,BYTE PTR DS:[ECX] 007C430D |. 32043E |XOR AL,BYTE PTR DS:[EDI+ESI] 007C4310 |. 41 |INC ECX 007C4311 |. 894C24 1C |MOV DWORD PTR SS:[ARG.1],ECX 007C4315 |. 8B4C24 20 |MOV ECX,DWORD PTR SS:[ARG.2] 007C4319 |. 8801 |MOV BYTE PTR DS:[ECX],AL 007C431B |. 88043E |MOV BYTE PTR DS:[EDI+ESI],AL 007C431E |. 46 |INC ESI 007C431F |. 41 |INC ECX 007C4320 |. 83E6 07 |AND ESI,00000007 007C4323 |. 894C24 20 |MOV DWORD PTR SS:[ARG.2],ECX 007C4327 |. 85ED |TEST EBP,EBP 007C4329 |.^ 0F85 31FFFFFF \JNZ 007C4260 007C432F |. 8B4424 30 MOV EAX,DWORD PTR SS:[ARG.6] 007C4333 |. 5F POP EDI 007C4334 |. 8930 MOV DWORD PTR DS:[EAX],ESI 007C4336 |. 5E POP ESI 007C4337 |. 5D POP EBP 007C4338 |. 5B POP EBX 007C4339 |. 83C4 08 ADD ESP,8 007C433C |. C3 RETN 007C433D |> 85ED TEST EBP,EBP 007C433F |. 0F84 E0000000 JZ 007C4425 007C4345 |. 8B7C24 2C MOV EDI,DWORD PTR SS:[ARG.5] 007C4349 |. 8DA424 000000 LEA ESP,[LOCAL.5] 007C4350 |> 4D /DEC EBP 007C4351 |. 85F6 |TEST ESI,ESI 007C4353 |. 0F85 9E000000 |JNZ 007C43F7 007C4359 |. 0FB60F |MOVZX ECX,BYTE PTR DS:[EDI] 007C435C |. 8D5F 01 |LEA EBX,[EDI+1] 007C435F |. C1E1 18 |SHL ECX,18 007C4362 |. 8BC3 |MOV EAX,EBX 007C4364 |. 0FB610 |MOVZX EDX,BYTE PTR DS:[EAX] 007C4367 |. C1E2 10 |SHL EDX,10 007C436A |. 0BCA |OR ECX,EDX 007C436C |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] 007C4370 |. 40 |INC EAX 007C4371 |. C1E2 08 |SHL EDX,8 007C4374 |. 0BCA |OR ECX,EDX 007C4376 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] 007C437A |. 0BCA |OR ECX,EDX 007C437C |. 40 |INC EAX 007C437D |. 40 |INC EAX 007C437E |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] 007C4382 |. 894C24 10 |MOV DWORD PTR SS:[LOCAL.1],ECX 007C4386 |. 0FB608 |MOVZX ECX,BYTE PTR DS:[EAX] 007C4389 |. 40 |INC EAX 007C438A |. C1E2 10 |SHL EDX,10 007C438D |. C1E1 18 |SHL ECX,18 007C4390 |. 0BCA |OR ECX,EDX 007C4392 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] 007C4396 |. 40 |INC EAX 007C4397 |. 0FB640 01 |MOVZX EAX,BYTE PTR DS:[EAX+1] 007C439B |. C1E2 08 |SHL EDX,8 007C439E |. 0BD0 |OR EDX,EAX 007C43A0 |. 0BD1 |OR EDX,ECX 007C43A2 |. 8B4C24 28 |MOV ECX,DWORD PTR SS:[ARG.4] 007C43A6 |. 895424 14 |MOV DWORD PTR SS:[LOCAL.0],EDX 007C43AA |. 51 |PUSH ECX 007C43AB |. 8D5424 14 |LEA EDX,[LOCAL.1] 007C43AF |. 52 |PUSH EDX 007C43B0 |. E8 0BE00700 |CALL 008423C0 007C43B5 |. 8B4C24 18 |MOV ECX,DWORD PTR SS:[LOCAL.1] 007C43B9 |. 8BC1 |MOV EAX,ECX 007C43BB |. C1E8 18 |SHR EAX,18 007C43BE |. 8807 |MOV BYTE PTR DS:[EDI],AL 007C43C0 |. 8BD1 |MOV EDX,ECX 007C43C2 |. C1EA 10 |SHR EDX,10 007C43C5 |. 8BC3 |MOV EAX,EBX 007C43C7 |. 8810 |MOV BYTE PTR DS:[EAX],DL 007C43C9 |. 40 |INC EAX 007C43CA |. 8BD1 |MOV EDX,ECX 007C43CC |. C1EA 08 |SHR EDX,8 007C43CF |. 8810 |MOV BYTE PTR DS:[EAX],DL 007C43D1 |. 8848 01 |MOV BYTE PTR DS:[EAX+1],CL 007C43D4 |. 8B4C24 1C |MOV ECX,DWORD PTR SS:[LOCAL.0] 007C43D8 |. 40 |INC EAX 007C43D9 |. 40 |INC EAX 007C43DA |. 8BD1 |MOV EDX,ECX 007C43DC |. C1EA 18 |SHR EDX,18 007C43DF |. 8810 |MOV BYTE PTR DS:[EAX],DL 007C43E1 |. 40 |INC EAX 007C43E2 |. 8BD1 |MOV EDX,ECX 007C43E4 |. C1EA 10 |SHR EDX,10 007C43E7 |. 8810 |MOV BYTE PTR DS:[EAX],DL 007C43E9 |. 40 |INC EAX 007C43EA |. 8BD1 |MOV EDX,ECX 007C43EC |. 83C4 08 |ADD ESP,8 007C43EF |. C1EA 08 |SHR EDX,8 007C43F2 |. 8810 |MOV BYTE PTR DS:[EAX],DL 007C43F4 |. 8848 01 |MOV BYTE PTR DS:[EAX+1],CL 007C43F7 |> 8B4C24 1C |MOV ECX,DWORD PTR SS:[ARG.1] 007C43FB |. 8A01 |MOV AL,BYTE PTR DS:[ECX] 007C43FD |. 41 |INC ECX 007C43FE |. 894C24 1C |MOV DWORD PTR SS:[ARG.1],ECX 007C4402 |. 8A0C3E |MOV CL,BYTE PTR DS:[EDI+ESI] 007C4405 |. 88043E |MOV BYTE PTR DS:[EDI+ESI],AL 007C4408 |. 32C1 |XOR AL,CL 007C440A |. 8B4C24 20 |MOV ECX,DWORD PTR SS:[ARG.2] 007C440E |. 46 |INC ESI 007C440F |. 8801 |MOV BYTE PTR DS:[ECX],AL 007C4411 |. 41 |INC ECX 007C4412 |. 83E6 07 |AND ESI,00000007 007C4415 |. 894C24 20 |MOV DWORD PTR SS:[ARG.2],ECX 007C4419 |. 85ED |TEST EBP,EBP 007C441B |.^ 0F85 2FFFFFFF \JNZ 007C4350 007C4421 |. 8B4424 30 MOV EAX,DWORD PTR SS:[ARG.6] 007C4425 |> 5F POP EDI 007C4426 |. 8930 MOV DWORD PTR DS:[EAX],ESI 007C4428 |. 5E POP ESI 007C4429 |. 5D POP EBP 007C442A |. 5B POP EBX 007C442B |. 83C4 08 ADD ESP,8 007C442E \. C3 RETN

Conquer.exe|ASM

Spoiler

PHP Code:

0079A040 /$ 55 PUSH EBP 0079A041 |. 8DAC24 60FDFF LEA EBP,[LOCAL.168] 0079A048 |. 81EC 34030000 SUB ESP,334 0079A04E |. A1 543A9D00 MOV EAX,DWORD PTR DS:[9D3A54] .... 0079A13A |. FF15 7CBA8A00 CALL DWORD PTR DS:[<&WS2_32.#4>] ; \WS2_32.connect 0079A140 |. 8D4D 74 LEA ECX,[LOCAL.139] 0079A143 |. 51 PUSH ECX ; /Arg5 => OFFSET LOCAL.139 0079A144 |. 53 PUSH EBX ; |Arg4 0079A145 |. 8D8D 6CFFFFFF LEA ECX,[LOCAL.205] ; | 0079A14B |. 51 PUSH ECX ; |Arg3 => OFFSET LOCAL.205 0079A14C |. 8D46 01 LEA EAX,[ESI+1] ; | 0079A14F |. 53 PUSH EBX ; |Arg2 0079A150 |. 50 PUSH EAX ; |Arg1 0079A151 |. FF15 A4BA8A00 CALL DWORD PTR DS:[<&WS2_32.#18>] ; \WS2_32.select 0079A157 |. 85C0 TEST EAX,EAX 0079A159 |. 0F8E 92000000 JLE 0079A1F1 0079A15F |. 8D45 7C LEA EAX,[LOCAL.137] 0079A162 |. 50 PUSH EAX ; /parg => OFFSET LOCAL.137 0079A163 |. 68 7E660480 PUSH 8004667E ; |cmd = FIONBIO 0079A168 |. 56 PUSH ESI ; |socket 0079A169 |. 895D 7C MOV DWORD PTR SS:[LOCAL.137],EBX ; | 0079A16C |. FF15 74BA8A00 CALL DWORD PTR DS:[<&WS2_32.#10>] ; \WS2_32.ioctlsocket 0079A172 |. 8D85 98010000 LEA EAX,[LOCAL.66] 0079A178 |. 53 PUSH EBX 0079A179 |. 50 PUSH EAX 0079A17A |. E8 E3DF0900 CALL <JMP.&MSVCR90.strlen> ; Jump to MSVCR90.strlen 0079A17F |. 59 POP ECX 0079A180 |. 50 PUSH EAX ; |Arg3 0079A181 |. 8D85 98010000 LEA EAX,[LOCAL.66] ; | 0079A187 |. 50 PUSH EAX ; |Arg2 => OFFSET LOCAL.66 0079A188 |. 56 PUSH ESI ; |Arg1 0079A189 |. FF15 6CBA8A00 CALL DWORD PTR DS:[<&WS2_32.#19>] ; \WS2_32.send 0079A18F |. 8D45 74 LEA EAX,[LOCAL.139] 0079A192 |. 50 PUSH EAX ; /Arg5 => OFFSET LOCAL.139 0079A193 |. 53 PUSH EBX ; |Arg4 0079A194 |. 53 PUSH EBX ; |Arg3 0079A195 |. 8D85 6CFFFFFF LEA EAX,[LOCAL.205] ; | 0079A19B |. 50 PUSH EAX ; |Arg2 => OFFSET LOCAL.205 0079A19C |. 8D46 01 LEA EAX,[ESI+1] ; | 0079A19F |. 50 PUSH EAX ; |Arg1 0079A1A0 |. 89B5 70FFFFFF MOV DWORD PTR SS:[LOCAL.204],ESI ; | 0079A1A6 |. 89BD 6CFFFFFF MOV DWORD PTR SS:[LOCAL.205],EDI ; | 0079A1AC |. C745 74 03000 MOV DWORD PTR SS:[LOCAL.139],3 ; | 0079A1B3 |. 895D 78 MOV DWORD PTR SS:[LOCAL.138],EBX ; | 0079A1B6 |. FF15 A4BA8A00 CALL DWORD PTR DS:[<&WS2_32.#18>] ; \WS2_32.select 0079A1BC |. 85C0 TEST EAX,EAX 0079A1BE |. 7E 31 JLE SHORT 0079A1F1 0079A1C0 |. 53 PUSH EBX ; /Arg4 0079A1C1 |. 68 FF000000 PUSH 0FF ; |Arg3 = 0FF 0079A1C6 |. 8D85 94000000 LEA EAX,[LOCAL.131] ; | 0079A1CC |. 50 PUSH EAX ; |Arg2 => OFFSET LOCAL.131 0079A1CD |. 56 PUSH ESI ; |Arg1 0079A1CE |. FF15 88BA8A00 CALL DWORD PTR DS:[<&WS2_32.#16>] ; \WS2_32.recv 0079A1D4 |. 8D85 94000000 LEA EAX,[LOCAL.131] //Received string against UPDATE 0079A1DA |. 68 D86E9100 PUSH 00916ED8 ; /Arg2 = ASCII "UPDATE" 0079A1DF |. 50 PUSH EAX ; |Arg1 => OFFSET LOCAL.131 0079A1E0 |. FF15 70B68A00 CALL DWORD PTR DS:[<&MSVCR90.strstr>] ; \MSVCR90.strstr 0079A1E6 |. 59 POP ECX 0079A1E7 |. 85C0 TEST EAX,EAX 0079A1E9 |. 59 POP ECX 0079A1EA |. 0F9585 830000 SETNZ BYTE PTR SS:[LOCAL.136+3] 0079A1F1 |> 3BF3 CMP ESI,EBX 0079A1F3 |. 74 07 JE SHORT 0079A1FC 0079A1F5 |. 56 PUSH ESI ; /Arg1 0079A1F6 |. FF15 94BA8A00 CALL DWORD PTR DS:[<&WS2_32.#3>] ; \WS2_32.closesocket 0079A1FC |> 8A85 83000000 MOV AL,BYTE PTR SS:[LOCAL.136+3] 0079A202 |. 5F POP EDI 0079A203 |. 5E POP ESI 0079A204 |. EB 02 JMP SHORT 0079A208 0079A206 |> 32C0 XOR AL,AL 0079A208 |> 8B8D 9C020000 MOV ECX,DWORD PTR SS:[LOCAL.1] 0079A20E |. 33CD XOR ECX,EBP 0079A210 |. 5B POP EBX 0079A211 |. E8 14DE0900 CALL 0083802A 0079A216 |. 81C5 A0020000 ADD EBP,2A0 0079A21C |. C9 LEAVE 0079A21D \. C3 RETN

Wow thanks. Now I know where the Update checking goes on. But since I'm insanely newbish in RE, I still don't know where to find that Cast_Encrypt you're talking about within the Conquer.exe. But it's alright. For now I'm just going to read the logic behind that Cast_Encrypt and keep looking for it since I'll have an idea of what to look for.

phize · 09/03/2013, 17:16

Quote:

Originally Posted by { Angelius }

On realco, on the latest patch, by just blacknulling the exe? i don't think so.

If by "blacknulling the exe" you mean starting the client with the " blacknull blacknull" argument, then yeah I'm not getting banned.