Packet Decryption

Discussion on Packet Decryption within the General Coding forum part of the Coders Den category.

#1 - majidemo
elite*gold: 0 | Join Date: Apr 2008 | Posts: 347 | Received Thanks: 1,286
Packet Decryption

I need help with understanding packet decryption.
Can anyone point me to the right tutorial?

Maybe tutorials for reverse engineering, or tutorials for using OllyDbg?
The game I'm trying to hack is Khan Online.
It has no GameGuard. Packets used to be unencrypted but are encrypted now.

One of the few hacks that work in game is duping and speed hack.

Now we need to broaden our knowledge of hacking with packets.

How does it work?

Let me see...

Also I need to know how to hook ws2_32.dll of khanclient.exe.
Thanks for all the help.

game can be found here
khan.in.th

game client is
ftp://ftp.khan.in.th


Thanks in advance.

About the game's ws2_32:

Quote:
0069C48C .rdata Import &WS2_32.#3 WS2_32.closesocket
0096C490 #52 WS2_32.gethostbyname
0096C494 #116 WS2_32.WSACleanup
0096C498 #11 WS2_32.inet_addr
0096C49C #16 WS2_32.recv
0096C4A0 #101 WS2_32.WSAAsyncSelect
0096C4A4 #10 WS2_32.ioctlsocket
0096C4A8 #4 WS2_32.connect
0096C4AC #115 WS2_32.WSAStartup
0096C4B0 #19 WS2_32.send
0096C4B4 #111 ntdll.RtlGetLastWin32Error
0096C4B8 #23 WS2_32.socket
0096C4BC #8 WS2_32.ntohl
0096C4C0 #2 WS2_32.bind
0096C4C4 #21 WS2_32.setsockopt
0096C4C8 #9 WS2_32.ntohs
I used PEiD and it gave me these results:
Quote:
ADLER32 :: 001B02BC :: 005B02BC
CCITT-CRC16 (rev) [word] :: 002B6940 :: 006B6940
CRC32 :: 002B26F8 :: 006B26F8
CRC32 :: 002B6B40 :: 006B6B40
ZLIB deflate [long] :: 002B2FB0 :: 006B2FB0
and this:
Quote:
Entropy: 6.29(Not Packed)
EP Check: Not Packed
Fast Check: Not Packed.

#2 - MoepMeep, 12/14/2009, 22:02
elite*gold: 42 | Join Date: Jun 2008 | Posts: 5,426 | Received Thanks: 1,888
GameDeception.

#3 - majidemo, 12/17/2009, 12:27
elite*gold: 0 | Join Date: Apr 2008 | Posts: 347 | Received Thanks: 1,286
Some things I got from reading guides on how to understand packets:

Quote:
1B000A 91 5C BE 9C 14 5E C5 5E 0C 65 C1 22 6B E4 D2 E2 3E 2D C9 2C 44 58 65 8B
1B000A CA 5D BD D8 5C D6 0D 36 B4 1D 39 6A 93 2C AA 3A 76 C5 91 64 5A F2 44 5A
1B000A 8F 5A BC F7 26 0C F7 AC 7E 17 6F 0C 9D 72 04 70 AC C3 BB 9A A4 C4 18 7E
1B000A 90 5B BB 37 E5 51 2A 6F 3D D8 B0 4B DC B3 C3 B1 E9 7C 78 DD 4F 2E DB 52
1B000A 65 18 4A D5 42 B0 E3 D0 52 03 93 08 89 4E 08 9C 10 A7 AF 86 A1 EB F2 04
1B000A 5E 19 59 39 0A 68 CB 48 9A 7B CB 30 71 16 E0 D4 48 1F F7 3E 1D 5F 64 24

1B - 27 / Packet Size
00 - 00 / Server
0A - 10 / Map Code
The rest is encrypted.

Anatomy of Khan Attack Packets
Anyway, does this help with anything?
Quote:
00540BDC |. E8 AF2E0C00 CALL KhanClie.00603A90 ; \KhanClie.00603A90
00540BE1 |. 68 E0F04500 PUSH KhanClie.0045F0E0 ; /Arg2 = 0045F0E0
00540BE6 |. 68 24696A00 PUSH KhanClie.006A6924 ; |Arg1 = 006A6924 ASCII "Send_Packet"
00540BEB |. 8B0D A0E38501 MOV ECX,DWORD PTR DS:[185E3A0] ; |
00540BF1 |. E8 9A2E0C00 CALL KhanClie.00603A90 ; \KhanClie.00603A90
00540BF6 |. 68 00F24500 PUSH KhanClie.0045F200 ; /Arg2 = 0045F200
00540BFB |. 68 30696A00 PUSH KhanClie.006A6930 ; |Arg1 = 006A6930 ASCII "Set_Receive_Function"
Quote:
Found intermodular calls, item 1539
Address=004DF0B2
Disassembly=CALL DWORD PTR DS:[<&WS2_32.#19>]
Destination=WS2_32.send

Found intermodular calls, item 1540
Address=004DF16E
Disassembly=CALL DWORD PTR DS:[<&WS2_32.#19>]
Destination=WS2_32.send

Found intermodular calls, item 1541
Address=004DF20B
Disassembly=CALL DWORD PTR DS:[<&WS2_32.#19>]
Destination=WS2_32.send
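As an added example (not code from this thread, from the game, or from PEiD), the script below does two of the checks discussed in posts #1 and #3 in an analyst's way: it splits the six dumped packets using the header layout given in post #3 (size / server / map code, remainder encrypted) and verifies the declared size against the bytes present, measures Shannon entropy of the encrypted remainder the same way PEiD's "Entropy: 6.29 (Not Packed)" line measures a whole file, and scans a byte buffer for the CRC-32 and Adler-32 constants that produce PEiD's "CRC32" and "ADLER32" hits. The 7.0 bits/byte "packed" threshold and the short signature byte strings are my simplifications, not PEiD's exact heuristics; the sample executable image is constructed inline.

```python
import math
import struct
from collections import Counter

# The six packet lines quoted in post #3. Header layout from the same post:
# byte 0 = packet size, byte 1 = server, byte 2 = map code, remainder encrypted.
KHAN_PACKET_LINES = [
    "1B000A 91 5C BE 9C 14 5E C5 5E 0C 65 C1 22 6B E4 D2 E2 3E 2D C9 2C 44 58 65 8B",
    "1B000A CA 5D BD D8 5C D6 0D 36 B4 1D 39 6A 93 2C AA 3A 76 C5 91 64 5A F2 44 5A",
    "1B000A 8F 5A BC F7 26 0C F7 AC 7E 17 6F 0C 9D 72 04 70 AC C3 BB 9A A4 C4 18 7E",
    "1B000A 90 5B BB 37 E5 51 2A 6F 3D D8 B0 4B DC B3 C3 B1 E9 7C 78 DD 4F 2E DB 52",
    "1B000A 65 18 4A D5 42 B0 E3 D0 52 03 93 08 89 4E 08 9C 10 A7 AF 86 A1 EB F2 04",
    "1B000A 5E 19 59 39 0A 68 CB 48 9A 7B CB 30 71 16 E0 D4 48 1F F7 3E 1D 5F 64 24",
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_verdict(data: bytes, packed_threshold: float = 7.0) -> str:
    """Rule-of-thumb classification; the threshold is an assumption, not PEiD's exact heuristic."""
    return "likely packed/encrypted" if shannon_entropy(data) >= packed_threshold else "not packed"


def parse_khan_packet(hex_line: str) -> dict:
    """Split one dumped packet into the header fields from post #3 and check the length field."""
    raw = bytes.fromhex(hex_line.replace(" ", ""))
    if len(raw) < 3:
        raise ValueError("packet shorter than the 3-byte header")
    return {
        "size": raw[0],
        "server": raw[1],
        "map_code": raw[2],
        "body": raw[3:],
        "size_matches": raw[0] == len(raw),  # 0x1B = 27 = 3 header bytes + 24 body bytes
    }


def analyse_dump(lines) -> dict:
    """Parse every line and measure the entropy of the concatenated encrypted bodies."""
    packets = [parse_khan_packet(line) for line in lines]
    bodies = b"".join(p["body"] for p in packets)
    return {
        "count": len(packets),
        "all_sizes_match": all(p["size_matches"] for p in packets),
        "map_codes": sorted({p["map_code"] for p in packets}),
        "body_entropy": shannon_entropy(bodies),
    }


def crc32_table() -> list:
    """Standard reflected CRC-32 lookup table (polynomial 0xEDB88320), as used by zlib."""
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
        table.append(crc)
    return table


# Simplified PEiD/KANAL-style signatures: constants a compiler emits into the data section.
# The table prefix is the first four entries packed little-endian (assumption: x86 layout).
CRYPTO_SIGNATURES = {
    "CRC32 table": struct.pack("<4I", *crc32_table()[:4]),
    "CRC32 polynomial (reflected)": struct.pack("<I", 0xEDB88320),
    "ADLER32 modulus": struct.pack("<I", 65521),
}


def find_crypto_constants(image: bytes) -> dict:
    """Return {signature name: first offset} for each signature present in the buffer."""
    hits = {}
    for name, sig in CRYPTO_SIGNATURES.items():
        off = image.find(sig)
        if off != -1:
            hits[name] = off
    return hits


if __name__ == "__main__":
    print(analyse_dump(KHAN_PACKET_LINES))
    # Constructed stand-in for an executable image: filler, Adler-32 modulus, then a CRC-32 table.
    fake_image = b"\x90" * 64 + struct.pack("<I", 65521) + struct.pack("<256I", *crc32_table())
    print(find_crypto_constants(fake_image))
    print(entropy_verdict(fake_image))
```

Note that 144 body bytes are far too few for a reliable entropy estimate (the maximum possible for a 144-byte buffer is log2(144), about 7.17 bits/byte), so a per-packet or per-dump figure only says whether the data is obviously structured, not whether the cipher is sound; the constant scan likewise only tells you which primitives are linked into the binary, not where the packet encryption lives.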
#4 - Adroxxx, 12/18/2009, 13:21
elite*gold: 15 | Join Date: Nov 2005 | Posts: 13,021 | Received Thanks: 5,323