[HELP] Server.dat bypass (Conquer.exe)
Discussion on [HELP] Server.dat bypass (Conquer.exe) within the CO2 Programming forum part of the Conquer Online 2 category.
04/14/2012, 16:59
#1
Hello,
as you know, Server.dat got encrypted after a certain patch (I believe 5072) and you cannot simply NOP the inet_addr in order to connect to private servers/proxies etc. For these higher patches, the "NOP the inet_addr" method is working, but once I replace the Server.dat content (an encrypted one) with the normal one, there are no servers to choose. I mean, the message "Server.dat failed" doesn't pop up, but obviously there is something wrong with the file, since if I replace the custom Server.dat with an original, untouched one, it works; but then I can't edit its content.
Now I'm asking you people: what should I search for in OllyDbg, or what's the method to make Conquer.exe bypass this encryption and read the unencrypted content directly?
Any help will be greatly appreciated!
04/15/2012, 17:41
#2
The server.dat is encrypted by RSA as of patch 5180-5187 (5817 I think..) and I believe only one person so far has cracked that?
Anyhow, I would assume the server.dat structure has changed dramatically since they implemented the RSA encryption.
I have accomplished the task of overriding the connect() function in both C++ and C#.
I have never attempted to mess with the inet_addr function on its own as such, as I think it gets overridden when hooking connect() (a function conquer.exe uses from ws2_32.dll to connect).
As for C++, I just use Detours: I detour the connect function (from memory the exact name of the function is "connect" and the parameters are "socket s, inet_addr Handle, int length"; that's right or at least very similar, double check!) and replace the IP with my own, and the ports.
As for C#, I do the exact same thing, but with EasyHooks. Someone posted C#+C++ code for doing this task without using Detours or EasyHooks, purely by changing the memory using kernel32.
But as I said:
Override the connect function, replace the IP and port, and return it.
Hope I was of some help.
04/17/2012, 01:41
#3
Sorry for the bump...
Did you get the information you sought to successfully bypass the server.dat?
04/17/2012, 02:44
#4
Yup, thank you, this is valuable info. However, the thing I need to do is more of an ASM thing, but nevertheless your stuff is cool and it will help me with my future projects.
NOP-ing the inet_addr just lets you connect to localhost (127.0.0.1) and that's all; it doesn't help in decrypting/bypassing the server.dat.
04/17/2012, 06:16
#5
I'm not sure what the goal of bypassing the server.dat is, but...
If you set a breakpoint on this address and step into it, you can see where it's processing the IP/port and maybe the server name, I don't remember.
004ADE7E . E8 F6C6FFFF CALL Conquer.004AA579
And so you don't get confused, because there are too many calls to that address:
Code:
0073D95C /$ 55          PUSH EBP
0073D95D |. 8BEC        MOV EBP,ESP
0073D95F |. 83EC 10     SUB ESP,10
0073D962 |. 56          PUSH ESI
0073D963 |. 8B75 08     MOV ESI,DWORD PTR SS:[EBP+8]
0073D966 |. 8D45 0C     LEA EAX,DWORD PTR SS:[EBP+C]
0073D969 |. 50          PUSH EAX                        ; /Arg2
0073D96A |. 8D45 F8     LEA EAX,DWORD PTR SS:[EBP-8]    ; |
0073D96D |. 50          PUSH EAX                        ; |Arg1
0073D96E |. 8BCE        MOV ECX,ESI                     ; |
0073D970 |. E8 BC1FEDFF CALL Conquer.0060F931           ; \Conquer.0060F931
0073D975 |. 56          PUSH ESI
0073D976 |. FF76 18     PUSH DWORD PTR DS:[ESI+18]
0073D979 |. 8D4D F0     LEA ECX,DWORD PTR SS:[EBP-10]
0073D97C |. E8 A55FDBFF CALL Conquer.004F3926
0073D981 |. 8D45 F0     LEA EAX,DWORD PTR SS:[EBP-10]
0073D984 |. 50          PUSH EAX
0073D985 |. 8D4D F8     LEA ECX,DWORD PTR SS:[EBP-8]
0073D988 |. E8 3ADECCFF CALL Conquer.0040B7C7
0073D98D |. 5E          POP ESI
0073D98E |. 84C0        TEST AL,AL
0073D990 |. 75 5B       JNZ SHORT Conquer.0073D9ED
0073D992 |. FF75 10     PUSH DWORD PTR SS:[EBP+10]
0073D995 |. 8D45 F0     LEA EAX,DWORD PTR SS:[EBP-10]
0073D998 |. 50          PUSH EAX
0073D999 |. 8D4D F8     LEA ECX,DWORD PTR SS:[EBP-8]
0073D99C |. E8 EC8DF5FF CALL Conquer.0069678D
0073D9A1 |. 8BC8        MOV ECX,EAX                     ; |
0073D9A3 |. 83C1 04     ADD ECX,4                       ; |
0073D9A6 |. E8 25FFFFFF CALL Conquer.0073D8D0           ; \Conquer.0073D8D0
0073D9AB |. 8D4D F8     LEA ECX,DWORD PTR SS:[EBP-8]
0073D9AE |. E8 DA8DF5FF CALL Conquer.0069678D
0073D9B3 |. 83C0 04     ADD EAX,4
0073D9B6 |. 50          PUSH EAX
0073D9B7 |. FF70 18     PUSH DWORD PTR DS:[EAX+18]
0073D9BA |. 8D4D F8     LEA ECX,DWORD PTR SS:[EBP-8]
0073D9BD |. E8 645FDBFF CALL Conquer.004F3926
0073D9C2 |. 8D45 F8     LEA EAX,DWORD PTR SS:[EBP-8]
0073D9C5 |. 50          PUSH EAX
0073D9C6 |. 8D4D F0     LEA ECX,DWORD PTR SS:[EBP-10]
0073D9C9 |. E8 F9DDCCFF CALL Conquer.0040B7C7
0073D9CE |. 84C0        TEST AL,AL
0073D9D0 |. 75 1B       JNZ SHORT Conquer.0073D9ED
0073D9D2 |. 8D4D F0     LEA ECX,DWORD PTR SS:[EBP-10]
0073D9D5 |. E8 B38DF5FF CALL Conquer.0069678D
0073D9DA |. 83C0 1C     ADD EAX,1C
0073D9DD |. 8378 18 10  CMP DWORD PTR DS:[EAX+18],10
0073D9E1 |. 72 05       JB SHORT Conquer.0073D9E8
0073D9E3 |. 8B40 04     MOV EAX,DWORD PTR DS:[EAX+4]
0073D9E6 |. EB 07       JMP SHORT Conquer.0073D9EF
0073D9E8 |> 83C0 04     ADD EAX,4
0073D9EB |. EB 02       JMP SHORT Conquer.0073D9EF
0073D9ED |> 33C0        XOR EAX,EAX
0073D9EF |> C9          LEAVE
0073D9F0 \. C2 0C00     RETN 0C
I used to patch some addresses around that call to change the IP/port upon login,
and I believe that if you spend some time debugging the exe you will find where the server.dat is being decrypted.
Good luck.