My packet analyzer
Discussion on My packet analyzer within the Kal Online forum part of the MMORPGs category.
05/06/2011, 03:32
|
#1
|
elite*gold: 0
Join Date: Jan 2007
Posts: 76
Received Thanks: 124
|
My packet analyzer
Hey guys. So I made my own little proxy DLL for KalOnline that outputs the data sent to the send() and recv() functions to a console window. When I was done with it, I tested it out but it's only putting out data from send(). My guess would be that it's using a different function to receive data (WSARecv, recvfrom), but when I checked those functions they were never called. Anybody know something I don't?
Also, in the screenshot below, I put in a bogus username and password and expected to see them in the console's send() output, but I just get a bunch of garbage. Is the data encoded or encrypted or something?
|
|
|
05/06/2011, 11:53
|
#2
|
elite*gold: 0
Join Date: Dec 2010
Posts: 1,196
Received Thanks: 682
|
Of course the packets are encrypted.
|
|
|
05/06/2011, 11:58
|
#3
|
elite*gold: 220
Join Date: Jun 2007
Posts: 3,768
Received Thanks: 1,126
|
Yeah, encrypted, use bakabug's source. For int it's the same, you only need to copy the new encrypt/decrypt table out of the engine =P
|
|
|
05/06/2011, 11:59
|
#4
|
elite*gold: 0
Join Date: Jul 2008
Posts: 78
Received Thanks: 10
|
I don't know, there might be a problem with your script because it works fine for me. I send & recv packets quite well. The only problem for me is that the packets are encrypted, so I can't use them for anything.
What language did you use?
|
|
|
05/06/2011, 12:06
|
#5
|
elite*gold: 0
Join Date: Jun 2006
Posts: 1,203
Received Thanks: 366
|
C++
|
|
|
05/06/2011, 15:15
|
#6
|
elite*gold: 0
Join Date: Jan 2007
Posts: 76
Received Thanks: 124
|
I made it in C++. Here's the code snippet:
Code:
/* This is the "original" call to recv in my proxy dll.
extern "C" __declspec(naked) void __stdcall __E__109__()
{
    __asm
    {
        jmp p[109*4];
    }
}
*/
extern "C" int __stdcall __E__109__(SOCKET socket, char* buff, int len, int flags)
{
    unsigned char* buffer = (unsigned char*) buff;
    char s[512];
    WriteToConsole("recv: "); // Just writes output to console window
    if(len > 512)
        len = 512;
    for(int i = 0; i < len; i++)
    {
        sprintf(s, "%.2X", buffer[i]);
        WriteToConsole(s);
    }
    WriteToConsole("\n");
    for(int i = 0; i < len; i++)
    {
        if(buffer[i] < 0x20 && buffer[i] != '\r' && buffer[i] != '\n' && buffer[i] != '\t')
            sprintf(s, ".");
        else
            sprintf(s, "%c", buffer[i]);
        WriteToConsole(s);
    }
    WriteToConsole("\n\n");
    // call original recv
    typedef int (__stdcall *pS)(SOCKET,char*,int,int);
    pS pps = (pS)p[109];
    int rv = pps(socket, buff, len, flags);
    return rv;
}
|
|
|
05/06/2011, 15:44
|
#7
|
elite*gold: 0
Join Date: Jun 2006
Posts: 1,203
Received Thanks: 366
|
This has to be at the start of your function.
int rv = pps(socket, buff, len, flags);
e.g.
Code:
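extern "C" int __stdcall __E__109__(SOCKET socket, char* buff, int len, int flags)
{
    // call the original recv first, so the buffer holds the received data
    typedef int (__stdcall *pS)(SOCKET,char*,int,int);
    pS pps = (pS)p[109];
    int rv = pps(socket, buff, len, flags);
    unsigned char* buffer = (unsigned char*) buff;
    // ... logging of buffer as in the previous post ...
    return rv;
}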
|
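The ordering point from the reply above, as an added example that is not part of the original thread: the wrapper calls the real function first and dumps only the rv bytes it returned, capping the log rather than the read. The names recv_fn, dump_bytes, logged_recv and fake_recv are hypothetical, and int stands in for SOCKET so the sketch builds without Winsock.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Same shape as Winsock recv(); int stands in for SOCKET (assumption).
typedef int (*recv_fn)(int sock, char* buf, int len, int flags);

// Hex line plus printable-ASCII line for exactly n bytes, capped at max_dump.
// Bytes outside 0x20..0x7E are shown as '.' (stricter than the thread's code).
std::string dump_bytes(const unsigned char* data, int n, int max_dump = 512) {
    std::string hex, ascii;
    char tmp[4];
    if (n > max_dump) n = max_dump;            // cap the log, not the read
    for (int i = 0; i < n; i++) {
        std::snprintf(tmp, sizeof tmp, "%02X", data[i]);
        hex += tmp;
        ascii += (data[i] >= 0x20 && data[i] < 0x7F) ? (char)data[i] : '.';
    }
    return hex + "\n" + ascii;
}

// Call the real function first, then log only the rv bytes it wrote.
int logged_recv(recv_fn real, int sock, char* buf, int len, int flags,
                std::string& log) {
    int rv = real(sock, buf, len, flags);      // the buffer is filled here
    if (rv > 0)
        log = "recv: " + dump_bytes((const unsigned char*)buf, rv);
    else if (rv == 0)
        log = "recv: connection closed";
    else
        log = "recv: error, buffer contents undefined";
    return rv;                                 // result passed through unchanged
}

// Constructed stand-in for the original recv: writes a 5-byte sample.
int fake_recv(int, char* buf, int len, int) {
    static const unsigned char pkt[] = {0x05, 0x00, 0x41, 0x42, 0xFF};
    int n = len < (int)sizeof pkt ? len : (int)sizeof pkt;
    std::memcpy(buf, pkt, n);
    return n;
}

int main() {
    char buf[1024] = {0};
    std::string log;
    logged_recv(fake_recv, 0, buf, (int)sizeof buf, 0, log);
    std::puts(log.c_str());
}
```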
|
|
05/08/2011, 02:52
|
#8
|
elite*gold: 0
Join Date: Jan 2007
Posts: 76
Received Thanks: 124
|
Quote:
Originally Posted by strik3r2k5
This has to be at the start of your function.
int rv = pps(socket, buff, len, flags);
e.g.
...
|
Thanks for your input, but I don't think moving the real function call to the beginning of my function would change anything.
I ran the engine in OllyDbg with my DLL loaded and set a breakpoint on every type of recv function there is for Winsock2; turns out the game uses WSARecv.
Still, thanks to everyone who replied, I much appreciate it ^_^
Edit:
It works beautifully ^_^
Now to decrypt those packets...
|
|
|
05/08/2011, 19:40
|
#9
|
elite*gold: 0
Join Date: Dec 2010
Posts: 1,196
Received Thanks: 682
|
Why don't you use the MS Detours lib?
It makes it much easier to detour functions.
If you want to decrypt the packets, it is much easier to hook the recv function after the engine has decrypted the packets.
If you want to decrypt it by hand, there is a function by bakabug, who did this a while ago.
But why would you go the hard way?
|
|
|
05/08/2011, 20:41
|
#10
|
elite*gold: 55
Join Date: Mar 2006
Posts: 4,582
Received Thanks: 1,539
|
Quote:
Originally Posted by RunzelEier
Why don't you use the MS Detours lib?
It makes it much easier to detour functions.
If you want to decrypt the packets, it is much easier to hook the recv function after the engine has decrypted the packets.
If you want to decrypt it by hand, there is a function by bakabug, who did this a while ago.
But why would you go the hard way?
|
Why would you go the **** way without de/encrypt?
|
|
|
05/09/2011, 08:49
|
#11
|
elite*gold: 0
Join Date: Jan 2007
Posts: 76
Received Thanks: 124
|
Well, I'm still looking for the function that encrypts/decrypts packets. Not only do I need it to analyze packets, I'll need the ability to encrypt and decrypt packets so that I can make a packet bot.
What I've done so far is follow the buffer passed to WSARecv and set a memory breakpoint on the first byte of the buffer upon access. So far, it seems that the buffer is copied into a second buffer and the decryption is done there.
Edit:
By the way, I can't seem to find this en/decryptor that people keep mentioning.
|
|
|
05/09/2011, 11:44
|
#12
|
elite*gold: 220
Join Date: Jun 2007
Posts: 3,768
Received Thanks: 1,126
|
Hm, you just need to follow the send func or the recv where it's decrypted. If you jump some addresses backwards from send with breakpoints, you should get there.
The beginning looks like
PUSH EBP
SUP BLAH
MOV ESB,0x14
or so
And in the call from decrypt/encrypt is the table.
But as I said, you don't need to decrypt it by yourself, Bakabug released source for decrypt & encrypt.
|
|
|
05/10/2011, 08:15
|
#13
|
elite*gold: 0
Join Date: Jan 2007
Posts: 76
Received Thanks: 124
|
Thanks for the tip. I've searched for bakabug's source both on epvp and Google, but all the links I have found 404 on me.
|
|
|
05/10/2011, 17:14
|
#14
|
elite*gold: 55
Join Date: Mar 2006
Posts: 4,582
Received Thanks: 1,539
|
|
|
|
05/10/2011, 17:48
|
#15
|
elite*gold: 0
Join Date: Dec 2010
Posts: 1,196
Received Thanks: 682
|
bloodx, and that is now a better method than letting Kal decrypt the packets?
|
|
|
 |
|