Code:
/************************************************
*
* PACKET SECURITY
*
************************************************/
/// <summary>
/// Decodes the body of a "_16" packet, starting at offset 16, and returns the
/// result of <c>frmMain.ToHex</c> over the output buffer.
/// </summary>
/// <remarks>
/// Every output byte is <c>packet[i] ^ FindByteOutOfArray(i) ^ 0x0F</c>, so the
/// transform depends only on the byte's offset and a fixed constant. The rolling
/// value seeded with 0x8CCA191D is advanced per byte with a CRC-style table step
/// but is never read back into the output or compared against anything here.
/// Each decoded byte is also stored in <c>frmMain.uPacket</c> at its source offset.
/// The buffer is <c>frmMain.PacketLen</c> bytes long and is filled from index 0,
/// so positions the loop never reaches keep their default value of zero.
/// NOTE(review): the length comes from <c>frmMain.PacketLen</c>, not from
/// <paramref name="packet"/>. Nothing here checks that <c>packet</c>,
/// <c>frmMain.uPacket</c> or the table behind <c>FindByteOutOfArray</c> are that
/// long, so a mismatch surfaces as an index exception. Validate at the caller.
/// </remarks>
/// <param name="packet">Received packet bytes; read from offset 16 onward.</param>
/// <returns>Hex string produced by <c>frmMain.ToHex</c> for the output buffer.</returns>
public static string RestOfPacketDecryption_16(byte[] packet)
{
    // Seed taken from a trace; the original author had not yet worked out where it comes from.
    long rollingState = 0x8CCA191D;
    int total = frmMain.PacketLen;
    byte[] decoded = new byte[total];
    int src = 16;
    int dst = 0;

    do
    {
        // When the length equals the current offset, step back to the last valid offset.
        if (src == total)
        {
            src -= 1;
        }

        long cipher = Convert.ToInt32(packet[src]);
        int keyByte = FindByteOutOfArray(src);

        // Table step of the form (state >> 8) ^ table[(byte ^ state) & 0xFF].
        // The result is carried to the next byte but does not influence the output.
        rollingState = (rollingState >> 8) ^ Table.MoonsTable[(cipher ^ rollingState) & 0x0FF];

        long plain = (cipher ^ keyByte) ^ 0x0F;
        decoded[dst] = Convert.ToByte(plain);
        frmMain.uPacket[src] = decoded[dst];

        src += 1;
        dst += 1;
    } while (src < total); // bound would be the number of bytes actually received

    return frmMain.ToHex(decoded);
}
/// <summary>
/// Returns the first four bytes of <paramref name="packet"/> in reversed order,
/// formatted by <c>frmMain.ToHex</c>.
/// </summary>
/// <remarks>
/// No table or constant is involved; this is only a byte-order swap of bytes 0-3.
/// NOTE(review): the input must hold at least four bytes. A shorter array throws
/// an index exception on the first read (offset 3).
/// </remarks>
/// <param name="packet">Received packet bytes; only offsets 0-3 are read.</param>
/// <returns>Hex string of the four bytes in the order 3, 2, 1, 0.</returns>
public static string First4BytesDecryption(byte[] packet)
{
    byte[] swapped = new byte[4];
    for (int i = 0; i < swapped.Length; i++)
    {
        swapped[i] = packet[3 - i];
    }

    // NOTE(review): this local copy is never read or stored anywhere. Presumably
    // frmMain.uPacket was meant to receive these bytes; confirm against the caller.
    byte[] uPacket = (byte[])swapped.Clone();

    return frmMain.ToHex(swapped);
}
/// <summary>
/// Decodes the 12-byte block that follows the 4-byte header of a "_16" packet
/// and returns it as a hex string via <c>frmMain.ToHex</c>.
/// </summary>
/// <remarks>
/// Output byte <c>i</c> is <c>packet[i] ^ FindByteOutOfArray(i + 4) ^ 0x0F</c> and is
/// also stored in <c>frmMain.uPacket[i + 4]</c>. The table value computed from
/// <c>Table.MoonsTable</c> in each pass is not used for the output.
/// NOTE(review): the output buffer is fixed at 12 bytes while the loop runs to
/// <c>packet.Length</c>, so the caller has to pass exactly the 12-byte slice.
/// A longer array throws on the 13th write, and an empty one throws on the first read.
/// </remarks>
/// <param name="packet">The 12 encoded bytes (offsets 4-15 of the full packet).</param>
/// <returns>Hex string of the 12 decoded bytes.</returns>
public static string Second12BytesDecryption_16(byte[] packet)
{
    byte[] decoded = new byte[12];
    int pos = 0;
    int tableIndex = 4; // table position runs four ahead of the slice position

    do
    {
        long cipher = Convert.ToInt32(packet[pos]);

        // Computed as in the traced routine, but nothing below reads it.
        long unusedState = (0xFFFFFFFF >> 8) ^ Table.MoonsTable[tableIndex & 0x0FF];

        long keyByte = FindByteOutOfArray(tableIndex);
        long plain = (keyByte ^ Convert.ToInt32(packet[pos])) ^ 0x0F;

        decoded[pos] = Convert.ToByte(plain);
        frmMain.uPacket[tableIndex] = decoded[pos];

        tableIndex += 1;
        pos += 1;
    } while (pos < packet.Length);

    return frmMain.ToHex(decoded);
}
/// <summary>
/// Looks up entry <paramref name="CounterVal"/> in <c>Table.FindByteArrayTable</c>,
/// takes characters 6-7 of that string and converts them with <c>frmMain.ToDec</c>.
/// </summary>
/// <remarks>
/// Presumably each entry is an 8-digit hex string, which would make the result the
/// low byte of the table word. Verify against the table definition.
/// NOTE(review): the index is used exactly as given. Second12BytesDecryption_0E
/// masks it with 0xFF before calling; the other callers pass a raw packet offset,
/// so an offset past the end of the table throws here.
/// </remarks>
/// <param name="CounterVal">Index into <c>Table.FindByteArrayTable</c>.</param>
/// <returns>The converted value of the two-character substring.</returns>
public static int FindByteOutOfArray(int CounterVal)
{
    string entry = Table.FindByteArrayTable[CounterVal];
    string lastTwo = entry.Substring(6, 2);
    return Convert.ToInt32(frmMain.ToDec(lastTwo));
}
/// <summary>
/// Decodes the body of a "_0E" packet, starting at offset 16, and returns the
/// result of <c>frmMain.ToHex</c> over the output buffer.
/// </summary>
/// <remarks>
/// Every output byte is <c>packet[i] ^ FindByteOutOfArray(i) ^ 0x17</c>. The table
/// state derived from <c>Table.MoonsTable</c> is recomputed on each pass and never
/// reaches the output. Unlike the "_16" variant, nothing is written to
/// <c>frmMain.uPacket</c>.
/// NOTE(review): 0x17 was found by trial; its real source is still unresolved.
/// NOTE(review): the loop runs <c>frmMain.PacketLen</c> times from offset 16, and
/// the byte is read before the end-of-packet clamp. Once the offset reaches
/// PacketLen, each remaining pass reads <c>packet[PacketLen]</c> and then reuses
/// offset PacketLen - 1 for the key lookup. That only works if the array is longer
/// than PacketLen; otherwise it throws an index exception. Confirm the intended
/// bound before reusing this on untrusted input.
/// </remarks>
/// <param name="packet">Received packet bytes; read from offset 16 onward.</param>
/// <returns>Hex string produced by <c>frmMain.ToHex</c> for the output buffer.</returns>
public static string RestOfPacketDecryption_0E(byte[] packet)
{
    int total = frmMain.PacketLen;
    byte[] decoded = new byte[total];
    int tableCursor = 10;
    int src = 16;
    int written = 0;

    do
    {
        long cipher = Convert.ToInt32(packet[src]);

        // Clamp happens after the read above, exactly as in the original.
        if (src == total)
        {
            src -= 1;
        }

        // First body byte: index built from 0x400 + byte; afterwards from the running cursor.
        long seedIndex = (src == 16) ? (1024 + cipher) : tableCursor;
        long state = Table.MoonsTable[(seedIndex ^ 0xFFFFFFFF) & 0x0FF];

        int keyByte = FindByteOutOfArray(src);

        // Table step of the form (state >> 8) ^ table[(byte ^ state) & 0xFF]; result unused.
        state = (state >> 8) ^ Table.MoonsTable[(cipher ^ state) & 0x0FF];

        long plain = (cipher ^ keyByte) ^ 0x17;
        decoded[written] = Convert.ToByte(plain);

        tableCursor += 1;
        src += 1;
        written += 1;
    } while (written < total);

    return frmMain.ToHex(decoded);
}
/// <summary>
/// Decodes the 12-byte block that follows the 4-byte header of a "_0E" packet
/// and returns it as a hex string via <c>frmMain.ToHex</c>.
/// </summary>
/// <remarks>
/// Output byte <c>i</c> is <c>packet[i] ^ FindByteOutOfArray((i + 4) &amp; 0xFF) ^ 0x17</c>.
/// The value read from <c>Table.MoonsTable</c> in each pass is not used for the output,
/// and nothing is written to <c>frmMain.uPacket</c>.
/// NOTE(review): 0x17 was found by trial; what the byte is really XORed with is
/// still an open question in the original notes.
/// NOTE(review): the output buffer is fixed at 12 bytes while the loop runs to
/// <c>packet.Length</c>, so the caller has to pass exactly the 12-byte slice.
/// </remarks>
/// <param name="packet">The 12 encoded bytes (offsets 4-15 of the full packet).</param>
/// <returns>Hex string of the 12 decoded bytes.</returns>
public static string Second12BytesDecryption_0E(byte[] packet)
{
    byte[] decoded = new byte[12];
    int pos = 0;
    int tableIndex = 4; // table position runs four ahead of the slice position

    do
    {
        int cipher = Convert.ToInt32(packet[pos]);

        // First byte: index built from 0x400 + byte; afterwards from the running index.
        long seedIndex = (pos == 0) ? (1024 + cipher) : tableIndex;
        long unusedState = (0xFFFFFFFF >> 8) ^ Table.MoonsTable[(seedIndex ^ 0xFFFFFFFF) & 0x0FF];

        long keyByte = FindByteOutOfArray(tableIndex & 0x0FF);
        long plain = (keyByte ^ cipher) ^ 0x17;

        decoded[pos] = Convert.ToByte(plain);

        tableIndex += 1;
        pos += 1;
    } while (pos < packet.Length);

    return frmMain.ToHex(decoded);
}
Code:
2Moons Table
// Lookup table read by the packet decode routines on this page.
// The first 256 entries are the standard reflected CRC-32 table (polynomial
// 0xEDB88320, which appears as entry 128). Every lookup in the decode routines
// masks its index with 0xFF, so only entries 0-255 are reachable from that code.
public static long[] MoonsTable = {
0x00000000,
0x77073096,
0xEE0E612C,
0x990951BA,
0x076DC419,
0x706AF48F,
0xE963A535,
0x9E6495A3,
0x0EDB8832,
0x79DCB8A4,
0xE0D5E91E,
0x97D2D988,
0x09B64C2B,
0x7EB17CBD,
0xE7B82D07,
0x90BF1D91,
0x1DB71064,
0x6AB020F2,
0xF3B97148,
0x84BE41DE,
0x1ADAD47D,
0x6DDDE4EB,
0xF4D4B551,
0x83D385C7,
0x136C9856,
0x646BA8C0,
0xFD62F97A,
0x8A65C9EC,
0x14015C4F,
0x63066CD9,
0xFA0F3D63,
0x8D080DF5,
0x3B6E20C8,
0x4C69105E,
0xD56041E4,
0xA2677172,
0x3C03E4D1,
0x4B04D447,
0xD20D85FD,
0xA50AB56B,
0x35B5A8FA,
0x42B2986C,
0xDBBBC9D6,
0xACBCF940,
0x32D86CE3,
0x45DF5C75,
0xDCD60DCF,
0xABD13D59,
0x26D930AC,
0x51DE003A,
0xC8D75180,
0xBFD06116,
0x21B4F4B5,
0x56B3C423,
0xCFBA9599,
0xB8BDA50F,
0x2802B89E,
0x5F058808,
0xC60CD9B2,
0xB10BE924,
0x2F6F7C87,
0x58684C11,
0xC1611DAB,
0xB6662D3D,
0x76DC4190,
0x01DB7106,
0x98D220BC,
0xEFD5102A,
0x71B18589,
0x06B6B51F,
0x9FBFE4A5,
0xE8B8D433,
0x7807C9A2,
0x0F00F934,
0x9609A88E,
0xE10E9818,
0x7F6A0DBB,
0x086D3D2D,
0x91646C97,
0xE6635C01,
0x6B6B51F4,
0x1C6C6162,
0x856530D8,
0xF262004E,
0x6C0695ED,
0x1B01A57B,
0x8208F4C1,
0xF50FC457,
0x65B0D9C6,
0x12B7E950,
0x8BBEB8EA,
0xFCB9887C,
0x62DD1DDF,
0x15DA2D49,
0x8CD37CF3,
0xFBD44C65,
0x4DB26158,
0x3AB551CE,
0xA3BC0074,
0xD4BB30E2,
0x4ADFA541,
0x3DD895D7,
0xA4D1C46D,
0xD3D6F4FB,
0x4369E96A,
0x346ED9FC,
0xAD678846,
0xDA60B8D0,
0x44042D73,
0x33031DE5,
0xAA0A4C5F,
0xDD0D7CC9,
0x5005713C,
0x270241AA,
0xBE0B1010,
0xC90C2086,
0x5768B525,
0x206F85B3,
0xB966D409,
0xCE61E49F,
0x5EDEF90E,
0x29D9C998,
0xB0D09822,
0xC7D7A8B4,
0x59B33D17,
0x2EB40D81,
0xB7BD5C3B,
0xC0BA6CAD,
0xEDB88320,
0x9ABFB3B6,
0x03B6E20C,
0x74B1D29A,
0xEAD54739,
0x9DD277AF,
0x04DB2615,
0x73DC1683,
0xE3630B12,
0x94643B84,
0x0D6D6A3E,
0x7A6A5AA8,
0xE40ECF0B,
0x9309FF9D,
0x0A00AE27,
0x7D079EB1,
0xF00F9344,
0x8708A3D2,
0x1E01F268,
0x6906C2FE,
0xF762575D,
0x806567CB,
0x196C3671,
0x6E6B06E7,
0xFED41B76,
0x89D32BE0,
0x10DA7A5A,
0x67DD4ACC,
0xF9B9DF6F,
0x8EBEEFF9,
0x17B7BE43,
0x60B08ED5,
0xD6D6A3E8,
0xA1D1937E,
0x38D8C2C4,
0x4FDFF252,
0xD1BB67F1 ,
0xA6BC5767,
0x3FB506DD,
0x48B2364B,
0xD80D2BDA,
0xAF0A1B4C,
0x36034AF6,
0x41047A60,
0xDF60EFC3,
0xA867DF55,
0x316E8EEF,
0x4669BE79,
0xCB61B38C,
0xBC66831A,
0x256FD2A0,
0x5268E236,
0xCC0C7795,
0xBB0B4703,
0x220216B9,
0x5505262F,
0xC5BA3BBE,
0xB2BD0B28,
0x2BB45A92,
0x5CB36A04,
0xC2D7FFA7,
0xB5D0CF31,
0x2CD99E8B,
0x5BDEAE1D,
0x9B64C2B0,
0xEC63F226,
0x756AA39C,
0x026D930A,
0x9C0906A9,
0xEB0E363F,
0x72076785,
0x05005713,
0x95BF4A82,
0xE2B87A14,
0x7BB12BAE,
0x0CB61B38,
0x92D28E9B,
0xE5D5BE0D,
0x7CDCEFB7,
0x0BDBDF21,
0x86D3D2D4,
0xF1D4E242,
0x68DDB3F8,
0x1FDA836E,
0x81BE16CD,
0xF6B9265B,
0x6FB077E1,
0x18B74777,
0x88085AE6,
0xFF0F6A70,
0x66063BCA,
0x11010B5C,
0x8F659EFF,
0xF862AE69,
0x616BFFD3,
0x166CCF45,
0xA00AE278,
0xD70DD2EE,
0x4E048354,
0x3903B3C2,
0xA7672661 ,
0xD06016F7,
0x4969474D,
0x3E6E77DB,
0xAED16A4A,
0xD9D65ADC,
0x40DF0B66,
0x37D83BF0,
0xA9BCAE53,
0xDEBB9EC5,
0x47B2CF7F,
0x30B5FFE9,
0xBDBDF21C,
0xCABAC28A,
0x53B39330,
0x24B4A3A6,
0xBAD03605,
0xCDD70693,
0x54DE5729,
0x23D967BF,
0xB3667A2E,
0xC4614AB8,
0x5D681B02,
0x2A6F2B94,
0xB40BBE37,
0xC30C8EA1,
0x5A05DF1B,
0x2D02EF8D,
// NOTE(review): the six values below lie past entry 255. They match the bytes
// that follow the table in the memory dump (00 00 00 00 / 25 73 00 00 /
// DC 50 A5 00 / E0 B4 44 00 / 24 51 A5 00 / 90 B8 44 00), so they look like
// neighbouring data copied along with the table rather than table entries.
// Confirm before relying on them.
0x00000000,
0x00007325,
0x00A550DC,
0x0044B4E0,
0x00A55124 ,
0x0044B890
};
Code:
Packet Security Breakdown
189A514 <- Offset in dump for recved packet(5th byte and so on)
goes through 12 bytes in a loop then jmps at 0044A8AE
starting at 0044B430 it starts to mess with the starting byte
starts looping at 0044A8E0 to get the rest of the bytes
----------------------------------------------------------------------------------------
12 Bytes breakdown
Packet: 0B4157CE16803AEC3DAB118724B0081F620F369972E710B43AC7C710142FADF8C751EB7DDE48F264F563D94FEC7AC056A3358F19BA2C96009107BD2B881EA432
Decrypted: CE57410B00004000000000008100020009F2714800034E7C6308B2F354F9C10200000000000000000000000000000000000000000000000000000000000000000000000000
Packet: 9774CD4E16803AEC3DAB118724B0081F6238B5CD72F86A3F4292F5104C98FCF8C751EB7DDE48F264F563D94FEC7AC056A3358F19BA2C96009107BD2B881EA432
19 8F 35 A3 <- uses these for the first 4 times (in order, one at a time)
32 A4 1E 88 2B BD 07 91 <- from the 5th time on it uses these (in order, one at a time)
0044A873 8A1431 MOV DL,BYTE PTR DS:[ECX+ESI] <- DL = 16, which is the 5th byte in the packet
0044A876 8B45 1C MOV EAX,DWORD PTR SS:[EBP+1C] <- 0xFFFFFFFF gets moved to EAX
0044A879 8ADA MOV BL,DL <- 16 gets moved into BL
0044A87B 33D8 XOR EBX,EAX <- 16 gets XOR'ed by 0xFFFFFFFF(16 = 0xFFFFFFE9 now)
0044A87D C1E8 08 SHR EAX,8 <- 0xFFFFFFFF gets shifted to the right by 8(now equals 0x00FFFFFF)
0044A880 81E3 FF000000 AND EBX,0FF <- 0xFFFFFFE9 gets AND by 0x0FF(now equals E9)
0044A886 33049D 400D9A00 XOR EAX,DWORD PTR DS:[EBX*4+9A0D40] <- XOR's 0x00FFFFFF by DS:[009A10E4]=D9D65ADC (EAX now equals D929A523) ***(EBX is the array pos val so int table[EBX];)
0044A88D 8945 1C MOV DWORD PTR SS:[EBP+1C],EAX <- Places EAX into DWORD PTR SS:[EBP+1C] (EBP =0B69B578)
0044A890 8BC1 MOV EAX,ECX <- 4 gets moved into EAX( EAX = 4), ECX is the counter and equals 4
0044A892 25 FF000000 AND EAX,0FF <- AND's 4 by 0x0FF (EAX equals 4 still)
0044A897 8A0485 400D9A00 MOV AL,BYTE PTR DS:[EAX*4+9A0D40] <- AL = 4 and DS: [009A0D50] = 19 (EAX now equals 19)
0044A89E 32C2 XOR AL,DL <- XOR's 19 by 16 (EAX now equals 0x00000F)
0044A8A0 324424 13 XOR AL,BYTE PTR SS:[ESP+13] <- SS: [0012FC33] = 0F, XOR's 0F by 0F (EAX now equals 00000000)
0044A8A4 880431 MOV BYTE PTR DS:[ECX+ESI],AL <- DS:[ECX+ESI]= 16, EAX gets moved into their which creates the new value for that spot in the packet
0044A8A7 8345 18 01 ADD DWORD PTR SS:[EBP+18],1 <- Adds 1 to the counter( counter = counter + 1) counter = 5
0044A8AB 397D 18 CMP DWORD PTR SS:[EBP+18],EDI <- CMP's to see if the counter is = 10
0044A8AE ^ 72 C0 JB SHORT dekaron.0044A870 <- Jumps if below 10
0044A873 8A1431 MOV DL,BYTE PTR DS:[ECX+ESI] <- DL equals 80 which is next byte in packet
0044A876 8B45 1C MOV EAX,DWORD PTR SS:[EBP+1C] <- EAX now equals D929A523
0044A879 8ADA MOV BL,DL <- 80 is moved into BL and replaces the old value E9 (EBX now equals 80)
0044A87B 33D8 XOR EBX,EAX <- 80 is XOR'ed by D929A523 (EBX now equals D929A5A3)
0044A87D C1E8 08 SHR EAX,8 <- EAX gets shifted to the right by 8 (EAX now equals 00D929A5)
0044A880 81E3 FF000000 AND EBX,0FF <- D929A5A3 is AND by 0x0FF (EBX now equals A3)
0044A886 33049D 400D9A00 XOR EAX,DWORD PTR DS:[EBX*4+9A0D40] <- DS:[009A0FFC]=4FDFF252, EAX now equals 4F06DBF7
0044A88D 8945 1C MOV DWORD PTR SS:[EBP+1C],EAX <- SS:[0B69B594] now equals EAX
0044A890 8BC1 MOV EAX,ECX <- ECX which is the counter and equals 5 gets moved into EAX( EAX now equals 5)
0044A892 25 FF000000 AND EAX,0FF <- EAX which is 5 gets AND by 0x0FF (EAX now equals 5)
0044A897 8A0485 400D9A00 MOV AL,BYTE PTR DS:[EAX*4+9A0D40] <- DS:[009A0D54]=8F, AL = 5 (EAX now equals 8F)
0044A89E 32C2 XOR AL,DL <- EAX is XOR'ed by 80 the old packet value at this spot ( EAX now equals 0F)
0044A8A0 324424 13 XOR AL,BYTE PTR SS:[ESP+13] <- SS:[0012FC33]=0F, EAX is XOR'ed by 0F (EAX now equals 00000000)
0044A8A4 880431 MOV BYTE PTR DS:[ECX+ESI],AL <- EAX replaces the old byte which was 80 with the new one which is 00
0044A8A7 8345 18 01 ADD DWORD PTR SS:[EBP+18],1 <- Add 1 to the counter, counter now equals 6
0044A8AB 397D 18 CMP DWORD PTR SS:[EBP+18],EDI <- CMP 6 to 10
0044A8AE ^ 72 C0 JB SHORT dekaron.0044A870 <- JMP if counter is less than 10
-------------------------------------------------------------------------------------------------------
First 4 bytes break down
0044B430 33D2 XOR EDX,EDX ; dekaron.009A0C1F <- EDX = 009A0C1F (EDX now equals 00000000)
0044B432 56 PUSH ESI
0044B433 8BF1 MOV ESI,ECX <- ESI equals ECX (ECX = 0DC76008)
0044B435 8B0E MOV ECX,DWORD PTR DS:[ESI] <- DS:[0DC76008] = 01676F2 [Points to the First 4 Bytes] (ECX = First 4 Bytes)
0044B437 8AF1 MOV DH,CL <- Grabs the First Byte and moves to DH
0044B439 8BC1 MOV EAX,ECX <- EAX now equals 016762F2 [first 4 bytes]
0044B43B C1E8 10 SHR EAX,10 < - Shifts EAX to the right by 10 (EAX now equals 167)
0044B43E 8AD5 MOV DL,CH <- DL = 62 now which is the Second Byte
0044B440 33C9 XOR ECX,ECX <- ECX = 016762F2 (ECX now equals 00000000)
0044B442 8AE8 MOV CH,AL <- CH = 67 which is the Third Byte
0044B444 0FB6C4 MOVZX EAX,AH <- AH = 1 and EAX = 167 (EAX = 1 now)
0044B447 C1E2 10 SHL EDX,10 <- EDX = 0000F262, Shift EDX to the lft by 10(EDX now equals F2620000)
0044B44A 0FB7C9 MOVZX ECX,CX <- CX = 6700 and ECX = 00006700 (ECX now equals 6700)
0044B44D 0BD1 OR EDX,ECX <- EDX = F2620000, ECX = 00006700 (EDX = F2626700 now)
0044B44F 0BD0 OR EDX,EAX <- EAX = 1 (EDX = F2626701 now)
0044B451 66:8B46 04 MOV AX,WORD PTR DS:[ESI+4] <- AX = 0001, DS:[0DC7600C] = 0000 (AX = 00)
0044B455 66:0FB6CC MOVZX CX,AH <- CX = 6700, AH = 00 (CX = 0000)
0044B459 8AE8 MOV CH,AL <- Both equal 0
0044B45B 66:8B46 06 MOV AX,WORD PTR DS:[ESI+6] <- AX = 0000, DS:[0DC7600E]=4000 (AX = 4000 now)
0044B45F 8916 MOV DWORD PTR DS:[ESI],EDX ; dekaron.009A0C1F <- DS:[0DC76008]=016762F2, EDX = F2626701 (DS = EDX now)
0044B461 66:0FB6D4 MOVZX DX,AH <- DX = 6701, AH = 40 (DX now equals 0040)
0044B465 8AF0 MOV DH,AL <- Both 0
0044B467 66:894E 04 MOV WORD PTR DS:[ESI+4],CX <- Both 0
0044B46B 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+8] <- Both 0
0044B46E 8BC1 MOV EAX,ECX <- EAX = 00004000 (EAX now equals 00000000)
0044B470 C1E8 10 SHR EAX,10 <- Shifts EAX to the right by 10 (EAX now equals 00000000)
0044B473 66:8956 06 MOV WORD PTR DS:[ESI+6],DX <- DS:[0DC7600E]=4000, DX=0040 (DS now equals 0040)
0044B477 33D2 XOR EDX,EDX ; dekaron.009A0C1F <- EDX = F2620040 (EDX now equals 00000000)
0044B479 8AF1 MOV DH,CL <- Both 0
0044B47B 8AD5 MOV DL,CH <- Both 0
0044B47D 33C9 XOR ECX,ECX <- ECX = 00000000 (ECX stays the same)
0044B47F 8AE8 MOV CH,AL <- Both 0
0044B481 0FB6C4 MOVZX EAX,AH <- Both 0
0044B484 C1E2 10 SHL EDX,10 <- EDX = 00000000 (Stays the same)
0044B487 0FB7C9 MOVZX ECX,CX <- Both 0
0044B48A 0BD1 OR EDX,ECX <- Both 0
0044B48C 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+C] <- DS:[0DC76014]=81000200 [last 4 decrypted packets in the 12 byte decryption] , ECX = 00000000 (ECX now equals 81000200)
0044B48F 0BD0 OR EDX,EAX <- Both 0
0044B491 8956 08 MOV DWORD PTR DS:[ESI+8],EDX ; dekaron.009A0C1F <- Both 0
0044B494 33D2 XOR EDX,EDX ; dekaron.009A0C1F <- EDX = 00000000 (EDX stays the same)
0044B496 8AF1 MOV DH,CL <- Both 0
0044B498 8BC1 MOV EAX,ECX <- ECX = 81000200 , EAX = 00000000 (EAX now equals 81000200)
0044B49A C1E8 10 SHR EAX,10 <- Shifts EAX to the right by 10 (EAX now equals 00008100)
0044B49D 8AD5 MOV DL,CH <- CH = 02, DL = 00 (DL now equals 02)
0044B49F 33C9 XOR ECX,ECX <- ECX = 81000200 (ECX now equals 00000000)
0044B4A1 8AE8 MOV CH,AL <- Both 0
0044B4A3 0FB6C4 MOVZX EAX,AH <- AH = 81, EAX = 00008100 ( EAX now equals 81)
0044B4A6 C1E2 10 SHL EDX,10 <- EDX = 00000002, Shifts EDX to the left by 10 (EDX now equals 00020000)
0044B4A9 0FB7C9 MOVZX ECX,CX <- Both 0
0044B4AC 0BD1 OR EDX,ECX <- EDX = 00020000, ECX = 00000000 (EDX stays the same)
0044B4AE 0BD0 OR EDX,EAX <- EAX = 00000081 (EDX now equals 00020081)
0044B4B0 8956 0C MOV DWORD PTR DS:[ESI+C],EDX ; dekaron.009A0C1F <- DS:[0DC76014] = 81000200, EDX = 00020081 (DS = EDX now). Basically flips the 81 and the 02, so it now reads 81 00 02 00 in the packet
0044B4B3 5E POP ESI ; dekaron.0044A8B8
0044B4B4 C3 RETN
----------------------------------------------------------------------------------------------------------------------------
Rest of packets breakdown
0044A90E uses:
17th, 4th, 19th, 20th, 21st, 22nd, 23rd, 24th, 25th, 26th, 27th, 28th, 29th, 30th, 31st, 32nd, 33rd, 34th, 35th and so on...
0044A8E3 8A1431 MOV DL,BYTE PTR DS:[ECX+ESI] <- DS:[0DC76018]=64 (DL = 64) next byte in unencrypted packet
0044A8E6 8B45 1C MOV EAX,DWORD PTR SS:[EBP+1C] <- SS:[0CBD1464]=8CCA191D (EAX = SS)
0044A8E9 8ADA MOV BL,DL <- DL = 64 (BL = 64 now)
0044A8EB 33D8 XOR EBX,EAX <- EBX = 64, EAX = 8CCA191D (EBX = 8CCA1979 now)
0044A8ED C1E8 08 SHR EAX,8 <- Shifts 8CCA191D to the right by 8 (EAX now equals 008CCA19)
0044A8F0 81E3 FF000000 AND EBX,0FF <- EBX = 8CCA1979, AND EBX by 0x0FF (EBX now equals 79)
0044A8F6 33049D 400D9A00 XOR EAX,DWORD PTR DS:[EBX*4+9A0D40] <- DS:[009A0F24]= 29D9C998 , EAX = 008CCA19 (EAX now equals 29550381)
0044A8FD 8945 1C MOV DWORD PTR SS:[EBP+1C],EAX <- DS:[0CBD1464] = EAX now
0044A900 8BC1 MOV EAX,ECX <- ECX = 10 (EAX now equals 10)
0044A902 25 FF000000 AND EAX,0FF <- AND EAX by 0x0FF (EAX equals the same)
0044A907 8A0485 400D9A00 MOV AL,BYTE PTR DS:[EAX*4+9A0D40] <- DS:[009A0D80]=64 (AL = 64 now)
0044A90E 32C2 XOR AL,DL <- AL = 64, DL = 64 (AL now equals 00)
0044A910 324424 13 XOR AL,BYTE PTR SS:[ESP+13] <- SS:[0012FC22]=0F, AL = 00 (AL now equals 0F)
0044A914 880431 MOV BYTE PTR DS:[ECX+ESI],AL <- AL = 0F (Replaces the old byte with this one the decrypted byte)
0044A917 8345 18 01 ADD DWORD PTR SS:[EBP+18],1 <- counter = 10, add 1 to the counter
0044A91B 397D 18 CMP DWORD PTR SS:[EBP+18],EDI <- if(counter < 40) { jmp }
0044A91E ^ 72 C0 JB SHORT dekaron.0044A8E0
-----------------------------------------------------------------
5th packet recved
Packet -> 194580AD0E9922AC25B3099F38AA108473E55FC96BFD475F
194580AD -> AD804519
0E9922AC25B3099F38AA1084 -> 0100180000000004000002
194580AD0E9922AC25B3099F38AA108473E55FC96BFD475F -> AD 80 45 19 01 00 18 00 00 00 00 00 02 00 00 04 00 00 00 00 01 01 01 8F
0044A879 8ADA MOV BL,DL < BL = 0E (which is 5th byte in packet)
0044A87B 33D8 XOR EBX,EAX <- EAX = FFFFFFFF , EBX = 0000040E (04 = counter)
0044A87D C1E8 08 SHR EAX,8
0044A880 81E3 FF000000 AND EBX,0FF < EBX now equals F1
0044A886 33049D 400D9A00 XOR EAX,DWORD PTR DS:[EBX*4+9A0D40] <- Ptr = CABAC28A
0044A88D 8945 1C MOV DWORD PTR SS:[EBP+1C],EAX <- Ptr = FFFFFFFF
0044A890 8BC1 MOV EAX,ECX
0044A892 25 FF000000 AND EAX,0FF <- AND 04(counter) by 0FF
0044A897 8A0485 400D9A00 MOV AL,BYTE PTR DS:[EAX*4+9A0D40] <- Ptr = 19
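0044A89E 32C2 XOR AL,DL <- XOR new byte(19) by old byte(0E)
0044A8A0 324424 13 XOR AL,BYTE PTR SS:[ESP+13] <- Ptr = 13 (19 XOR 0E = 17 and AL ends up 00 on the next line, so the byte read here is presumably 17, the same as on the second pass) <- Figure out this array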
0044A8A4 880431 MOV BYTE PTR DS:[ECX+ESI],AL <- AL = 00 (final byte)
0044A8A7 8345 18 01 ADD DWORD PTR SS:[EBP+18],1 <- counter now equals 5(counter was 4)
0044A8AB 397D 18 CMP DWORD PTR SS:[EBP+18],EDI <- cmp to hex val 10(16)
0044A870 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18] <- counter = 5
0044A873 8A1431 MOV DL,BYTE PTR DS:[ECX+ESI] <- DL = 99(which is next byte in packet)
0044A876 8B45 1C MOV EAX,DWORD PTR SS:[EBP+1C] <- Ptr = CA453D75 <- Figure out this array(Ptr from first go around?!?)
0044A879 8ADA MOV BL,DL
0044A87B 33D8 XOR EBX,EAX <- XOR 99 by CA453D75
0044A87D C1E8 08 SHR EAX,8
0044A880 81E3 FF000000 AND EBX,0FF <- EBX now equals EC
0044A886 33049D 400D9A00 XOR EAX,DWORD PTR DS:[EBX*4+9A0D40] <- Ptr = A9BCAE53
0044A88D 8945 1C MOV DWORD PTR SS:[EBP+1C],EAX <- Ptr = EAX(CA453D75)
0044A890 8BC1 MOV EAX,ECX <- EAX equals counter which is 5
0044A892 25 FF000000 AND EAX,0FF <- EAX still = 5
0044A897 8A0485 400D9A00 MOV AL,BYTE PTR DS:[EAX*4+9A0D40] <- Ptr = 8F
0044A89E 32C2 XOR AL,DL <- XOR new byte(8F) by old byte(99)
0044A8A0 324424 13 XOR AL,BYTE PTR SS:[ESP+13] <- Ptr = 17
0044A8A4 880431 MOV BYTE PTR DS:[ECX+ESI],AL <- AL = 01 now from the XOR above
0044A8A7 8345 18 01 ADD DWORD PTR SS:[EBP+18],1 <- counter = 6 now(counter was 5)
0044A8AB 397D 18 CMP DWORD PTR SS:[EBP+18],EDI <- CMP counter to hex val 10(16)
-Decrypts rest of the stuff the same...
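NOTES: The first time it starts decrypting a byte in a packet, it adds 04 onto the byte, so the byte would be 0473 instead of just 73. It also does this every time it starts a new packet, so the byte is 040E instead of just 0E. Every other byte is just a stand-alone regular byte with no 04 attached. (In the trace above EBX = 0000040E with 04 = counter, and the AND EBX,0FF that follows drops it, so the 04 looks like the counter value still sitting in the upper part of EBX rather than part of the packet byte.)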
2MOONS TABLE ARRAY VALUES: 4 BYTES EACH
009A0D44 96 30 07 77 2C 61 0E EE 0 w,a
009A0D4C BA 51 09 99 19 C4 6D 07 Q.m
009A0D54 8F F4 6A 70 35 A5 63 E9 jp5c
009A0D5C A3 95 64 9E 32 88 DB 0E d2
009A0D64 A4 B8 DC 79 1E E9 D5 E0 y
009A0D6C 88 D9 D2 97 2B 4C B6 09 җ+L.
009A0D74 BD 7C B1 7E 07 2D B8 E7 |~ -
009A0D7C 91 1D BF 90 64 10 B7 1D d
009A0D84 F2 20 B0 6A 48 71 B9 F3 jHq
009A0D8C DE 41 BE 84 7D D4 DA 1A A}
009A0D94 EB E4 DD 6D 51 B5 D4 F4 mQ
009A0D9C C7 85 D3 83 56 98 6C 13 DžӃVl
009A0DA4 C0 A8 6B 64 7A F9 62 FD kdzb
009A0DAC EC C9 65 8A 4F 5C 01 14 eO\
009A0DB4 D9 6C 06 63 63 3D 0F FA lcc=
009A0DBC F5 0D 08 8D C8 20 6E 3B . n;
009A0DC4 5E 10 69 4C E4 41 60 D5 ^iLA`
009A0DCC 72 71 67 A2 D1 E4 03 3C rqg<
009A0DD4 47 D4 04 4B FD 85 0D D2 GK.
009A0DDC 6B B5 0A A5 FA A8 B5 35 k.5
009A0DE4 6C 98 B2 42 D6 C9 BB DB lBɻ
009A0DEC 40 F9 BC AC E3 6C D8 32 @l2
009A0DF4 75 5C DF 45 CF 0D D6 DC u\E.
009A0DFC 59 3D D1 AB AC 30 D9 26 Y=ѫ0&
009A0E04 3A 00 DE 51 80 51 D7 C8 :.QQ
009A0E0C 16 61 D0 BF B5 F4 B4 21 aп!
009A0E14 23 C4 B3 56 99 95 BA CF #ijV
009A0E1C 0F A5 BD B8 9E B8 02 28 (
009A0E24 08 88 05 5F B2 D9 0C C6 _.
009A0E2C 24 E9 0B B1 87 7C 6F 2F $
|o/
009A0E34 11 4C 68 58 AB 1D 61 C1 LhXa
009A0E3C 3D 2D 66 B6 90 41 DC 76 =-fAv
009A0E44 06 71 DB 01 BC 20 D2 98 q Ҙ
009A0E4C 2A 10 D5 EF 89 85 B1 71 *q
009A0E54 1F B5 B6 06 A5 E4 BF 9F 俟
009A0E5C 33 D4 B8 E8 A2 C9 07 78 3Ը x
009A0E64 34 F9 00 0F 8E A8 09 96 4..
009A0E6C 18 98 0E E1 BB 0D 6A 7F .j
009A0E74 2D 3D 6D 08 97 6C 64 91 -=mld
009A0E7C 01 5C 63 E6 F4 51 6B 6B \cQkk
009A0E84 62 61 6C 1C D8 30 65 85 bal0e
009A0E8C 4E 00 62 F2 ED 95 06 6C N.bl
009A0E94 7B A5 01 1B C1 F4 08 82 {
009A0E9C 57 C4 0F F5 C6 D9 B0 65 Wٰe
009A0EA4 50 E9 B7 12 EA B8 BE 8B P긾
009A0EAC 7C 88 B9 FC DF 1D DD 62 |b
009A0EB4 49 2D DA 15 F3 7C D3 8C I-|ӌ
009A0EBC 65 4C D4 FB 58 61 B2 4D eLXaM
009A0EC4 CE 51 B5 3A 74 00 BC A3 Q:t.
009A0ECC E2 30 BB D4 41 A5 DF 4A 0AJ
009A0ED4 D7 95 D8 3D 6D C4 D1 A4 ו=mѤ
009A0EDC FB F4 D6 D3 6A E9 69 43 jiC
009A0EE4 FC D9 6E 34 46 88 67 AD n4Fg*
009A0EEC D0 B8 60 DA 73 2D 04 44 и`s-D
009A0EF4 E5 1D 03 33 5F 4C 0A AA 3_L.
009A0EFC C9 7C 0D DD 3C 71 05 50 |.<qP
009A0F04 AA 41 02 27 10 10 0B BE A'
009A0F0C 86 20 0C C9 25 B5 68 57 .%hW
009A0F14 B3 85 6F 20 09 D4 66 B9 o .f
009A0F1C 9F E4 61 CE 0E F9 DE 5E a^
009A0F24 98 C9 D9 29 22 98 D0 B0 )"а
009A0F2C B4 A8 D7 C7 17 3D B3 59 =Y
009A0F34 81 0D B4 2E 3B 5C BD B7 ..;\
009A0F3C AD 6C BA C0 20 83 B8 ED *l
009A0F44 B6 B3 BF 9A 0C E2 B6 03 .
009A0F4C 9A D2 B1 74 39 47 D5 EA ұt9G
009A0F54 AF 77 D2 9D 15 26 DB 04 wҝ&
009A0F5C 83 16 DC 73 12 0B 63 E3 s
c
009A0F64 84 3B 64 94 3E 6A 6D 0D ;d>jm.
009A0F6C A8 5A 6A 7A 0B CF 0E E4 Zjz
009A0F74 9D FF 09 93 27 AE 00 0A .'..
009A0F7C B1 9E 07 7D 44 93 0F F0 }D
009A0F84 D2 A3 08 87 68 F2 01 1E ңh
009A0F8C FE C2 06 69 5D 57 62 F7 i]Wb
009A0F94 CB 67 65 80 71 36 6C 19 geq6l
009A0F9C E7 06 6B 6E 76 1B D4 FE knv
009A0FA4 E0 2B D3 89 5A 7A DA 10 +ӉZz
009A0FAC CC 4A DD 67 6F DF B9 F9 Jgo߹
009A0FB4 F9 EF BE 8E 43 BE B7 17 ホC
009A0FBC D5 8E B0 60 E8 A3 D6 D6 Վ`
009A0FC4 7E 93 D1 A1 C4 C2 D8 38 ~ѡ8
009A0FCC 52 F2 DF 4F F1 67 BB D1 ROg
009A0FD4 67 57 BC A6 DD 06 B5 3F gW?
009A0FDC 4B 36 B2 48 DA 2B 0D D8 K6H+.
009A0FE4 4C 1B 0A AF F6 4A 03 36 L.J6
009A0FEC 60 7A 04 41 C3 EF 60 DF `zA`
009A0FF4 55 DF 67 A8 EF 8E 6E 31 Ugn1
009A0FFC 79 BE 69 46 8C B3 61 CB yiFa
009A1004 1A 83 66 BC A0 D2 6F 25 f o%
009A100C 36 E2 68 52 95 77 0C CC 6hRw.
009A1014 03 47 0B BB B9 16 02 22 G
"
009A101C 2F 26 05 55 BE 3B BA C5 /&U;
009A1024 28 0B BD B2 92 5A B4 2B (
Z+
009A102C 04 6A B3 5C A7 FF D7 C2 j\
009A1034 31 CF D0 B5 8B 9E D9 2C 1е,
009A103C 1D AE DE 5B B0 C2 64 9B [d
009A1044 26 F2 63 EC 9C A3 6A 75 &c윣ju
009A104C 0A 93 6D 02 A9 06 09 9C .m.
009A1054 3F 36 0E EB 85 67 07 72 ?6g r
009A105C 13 57 00 05 82 4A BF 95 W.J
009A1064 14 7A B8 E2 AE 2B B1 7B z+{
009A106C 38 1B B6 0C 9B 8E D2 92 8.Ғ
009A1074 0D BE D5 E5 B7 EF DC 7C .|
009A107C 21 DF DB 0B D4 D2 D3 86 !
ӆ
009A1084 42 E2 D4 F1 F8 B3 DD 68 Bh
009A108C 6E 83 DA 1F CD 16 BE 81 n
009A1094 5B 26 B9 F6 E1 77 B0 6F [&wo
009A109C 77 47 B7 18 E6 5A 08 88 wGZ
009A10A4 70 6A 0F FF CA 3B 06 66 pj;f
009A10AC 5C 0B 01 11 FF 9E 65 8F \
e
009A10B4 69 AE 62 F8 D3 FF 6B 61 ibka
009A10BC 45 CF 6C 16 78 E2 0A A0 Elx.
009A10C4 EE D2 0D D7 54 83 04 4E .TN
009A10CC C2 B3 03 39 61 26 67 A7 ³9a&g
009A10D4 F7 16 60 D0 4D 47 69 49 `MGiI
009A10DC DB 77 6E 3E 4A 6A D1 AE wn>JjѮ
009A10E4 DC 5A D6 D9 66 0B DF 40 Zf
@
009A10EC F0 3B D8 37 53 AE BC A9 ;7S
009A10F4 C5 9E BB DE 7F CF B2 47 ŞϲG
009A10FC E9 FF B5 30 1C F2 BD BD 0
009A1104 8A C2 BA CA 30 93 B3 53 º0S
009A110C A6 A3 B4 24 05 36 D0 BA $6к
009A1114 93 06 D7 CD 29 57 DE 54 )WT
009A111C BF 67 D9 23 2E 7A 66 B3 g#.zf
009A1124 B8 4A 61 C4 02 1B 68 5D Jah]
009A112C 94 2B 6F 2A 37 BE 0B B4 +o*7
009A1134 A1 8E 0C C3 1B DF 05 5A .Z
009A113C 8D EF 02 2D 00 00 00 00 -....
009A1144 25 73 00 00 DC 50 A5 00 %s..P.
009A114C E0 B4 44 00 24 51 A5 00 D.$Q.
009A1154 90 B8 44 00 D.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Example: Take each group of 4 bytes from the dump and write it as one value in the form 0x00000000, reading the bytes backwards (the dump shows them lowest byte first), so 96 30 07 77 would be written as 0x77073096
- 0x00000000
- 0x77073096
00 00 00 00
96 30 07 77
2C 61 0E EE
BA 51 09 99
19 C4 6D 07
8F F4 6A 70
35 A5 63 E9
A3 95 64 9E
32 88 DB 0E
A4 B8 DC 79
1E E9 D5 E0
88 D9 D2 97
2B 4C B6 09
BD 7C B1 7E
07 2D B8 E7
91 1D BF 90
64 10 B7 1D
F2 20 B0 6A
48 71 B9 F3
DE 41 BE 84
7D D4 DA 1A
EB E4 DD 6D
51 B5 D4 F4
C7 85 D3 83
56 98 6C 13
C0 A8 6B 64
7A F9 62 FD
EC C9 65 8A
4F 5C 01 14
D9 6C 06 63
63 3D 0F FA
F5 0D 08 8D
C8 20 6E 3B
5E 10 69 4C
E4 41 60 D5
72 71 67 A2
D1 E4 03 3C
47 D4 04 4B FD 85 0D D2 6B B5 0A A5 FA A8 B5 35
6C 98 B2 42 D6 C9 BB DB 40 F9 BC AC E3 6C D8 32
75 5C DF 45 CF 0D D6 DC 59 3D D1 AB AC 30 D9 26
3A 00 DE 51 80 51 D7 C8 16 61 D0 BF B5 F4 B4 21
23 C4 B3 56 99 95 BA CF 0F A5 BD B8 9E B8 02 28
08 88 05 5F B2 D9 0C C6 24 E9 0B B1 87 7C 6F 2F
11 4C 68 58 AB 1D 61 C1 3D 2D 66 B6 90 41 DC 76
06 71 DB 01 BC 20 D2 98 2A 10 D5 EF 89 85 B1 71
1F B5 B6 06 A5 E4 BF 9F 33 D4 B8 E8 A2 C9 07 78
34 F9 00 0F 8E A8 09 96 18 98 0E E1 BB 0D 6A 7F
2D 3D 6D 08 97 6C 64 91 01 5C 63 E6 F4 51 6B 6B
62 61 6C 1C D8 30 65 85 4E 00 62 F2 ED 95 06 6C
7B A5 01 1B C1 F4 08 82 57 C4 0F F5 C6 D9 B0 65
50 E9 B7 12 EA B8 BE 8B 7C 88 B9 FC DF 1D DD 62
49 2D DA 15 F3 7C D3 8C 65 4C D4 FB 58 61 B2 4D
CE 51 B5 3A 74 00 BC A3 E2 30 BB D4 41 A5 DF 4A
D7 95 D8 3D 6D C4 D1 A4 FB F4 D6 D3 6A E9 69 43
FC D9 6E 34 46 88 67 AD D0 B8 60 DA 73 2D 04 44
E5 1D 03 33 5F 4C 0A AA C9 7C 0D DD 3C 71 05 50
AA 41 02 27 10 10 0B BE 86 20 0C C9 25 B5 68 57
B3 85 6F 20 09 D4 66 B9 9F E4 61 CE 0E F9 DE 5E
98 C9 D9 29 22 98 D0 B0 B4 A8 D7 C7 17 3D B3 59
81 0D B4 2E 3B 5C BD B7 AD 6C BA C0 20 83 B8 ED
B6 B3 BF 9A 0C E2 B6 03 9A D2 B1 74 39 47 D5 EA
AF 77 D2 9D 15 26 DB 04 83 16 DC 73 12 0B 63 E3
84 3B 64 94 3E 6A 6D 0D A8 5A 6A 7A 0B CF 0E E4
9D FF 09 93 27 AE 00 0A B1 9E 07 7D 44 93 0F F0
D2 A3 08 87 68 F2 01 1E FE C2 06 69 5D 57 62 F7
CB 67 65 80 71 36 6C 19 E7 06 6B 6E 76 1B D4 FE
E0 2B D3 89 5A 7A DA 10 CC 4A DD 67 6F DF B9 F9
F9 EF BE 8E 43 BE B7 17 D5 8E B0 60 E8 A3 D6 D6
7E 93 D1 A1 C4 C2 D8 38 52 F2 DF 4F F1 67 BB D1
67 57 BC A6 DD 06 B5 3F 4B 36 B2 48 DA 2B 0D D8
4C 1B 0A AF F6 4A 03 36 60 7A 04 41 C3 EF 60 DF
55 DF 67 A8 EF 8E 6E 31 79 BE 69 46 8C B3 61 CB
1A 83 66 BC A0 D2 6F 25 36 E2 68 52 95 77 0C CC
03 47 0B BB B9 16 02 22 2F 26 05 55 BE 3B BA C5
28 0B BD B2 92 5A B4 2B 04 6A B3 5C A7 FF D7 C2
31 CF D0 B5 8B 9E D9 2C 1D AE DE 5B B0 C2 64 9B
26 F2 63 EC 9C A3 6A 75 0A 93 6D 02 A9 06 09 9C
3F 36 0E EB 85 67 07 72 13 57 00 05 82 4A BF 95
14 7A B8 E2 AE 2B B1 7B 38 1B B6 0C 9B 8E D2 92
0D BE D5 E5 B7 EF DC 7C 21 DF DB 0B D4 D2 D3 86
42 E2 D4 F1 F8 B3 DD 68 6E 83 DA 1F CD 16 BE 81
5B 26 B9 F6 E1 77 B0 6F 77 47 B7 18 E6 5A 08 88
70 6A 0F FF CA 3B 06 66 5C 0B 01 11 FF 9E 65 8F
69 AE 62 F8 D3 FF 6B 61 45 CF 6C 16 78 E2 0A A0
EE D2 0D D7 54 83 04 4E C2 B3 03 39 61 26 67 A7
F7 16 60 D0 4D 47 69 49 DB 77 6E 3E 4A 6A D1 AE
DC 5A D6 D9 66 0B DF 40 F0 3B D8 37 53 AE BC A9
C5 9E BB DE 7F CF B2 47 E9 FF B5 30 1C F2 BD BD
8A C2 BA CA 30 93 B3 53 A6 A3 B4 24 05 36 D0 BA
93 06 D7 CD 29 57 DE 54 BF 67 D9 23 2E 7A 66 B3
B8 4A 61 C4 02 1B 68 5D 94 2B 6F 2A 37 BE 0B B4
A1 8E 0C C3 1B DF 05 5A 8D EF 02 2D 00 00 00 00
25 73 00 00 DC 50 A5 00 E0 B4 44 00 24 51 A5 00
90 B8 44 00






