[Question] Packet Encryption
Discussion on [Question] Packet Encryption within the Kal Online forum part of the MMORPGs category.

02/02/2010, 20:52  #16
elite*gold: 0
Join Date: Dec 2009
Posts: 81
Received Thanks: 31
any update?

02/02/2010, 23:18  #17
elite*gold: 0
Join Date: Feb 2009
Posts: 256
Received Thanks: 474
Yup,
Some news:
The client is still expelling after some time. So I thought I would find where I got pwned, but I cannot connect with Olly attached. A few minutes ago I was thinking and I made something. Basically I was able to connect with Olly, but I still need to fix something (that won't be a problem, I hope, because I already did it for send and recv). When I manage to connect with Olly, I might be able to get some info about the expels. But I don't have time for reversing it (I'm really a newbie to reversing) in the middle of the week, so I'm not sure when it will be done.
It's possible that I won't be able to fix the expels anyway, because HackShield is really complex **** (from a newbie's perspective) and I'm not directly hooking HShield functions (it would be great if I 100% knew how those functions work).
Now I'm going to sleep....

02/03/2010, 21:35  #18
elite*gold: 0
Join Date: Feb 2009
Posts: 256
Received Thanks: 474
Some news for today:
1st - the bad news: I haven't solved the expel yet (it's probably just a memory checksum sent to the server - not a big deal => read the good news).
2nd - the good news: HShield officially pwned itself. Long story short: I was searching for something and I found something else that was fkn more interesting. What does it mean? No more HackShield error messages for me. I can even use a plain Cheat Engine now without client-close messages (like memory manipulation, problem in function of antihacking, debugger found within your system, hacking tool detected, etc.)
So the only thing I have to do now is patch the memory checksum functions. Then I can use every tool and hack I want.

02/04/2010, 07:02  #19
elite*gold: 20
Join Date: Feb 2008
Posts: 993
Received Thanks: 173
Quote:
Originally Posted by Thiesius
Some news for today:
1st - the bad news: I haven't solved the expel yet (it's probably just a memory checksum sent to the server - not a big deal => read the good news).
2nd - the good news: HShield officially pwned itself. Long story short: I was searching for something and I found something else that was fkn more interesting. What does it mean? No more HackShield error messages for me. I can even use a plain Cheat Engine now without client-close messages (like memory manipulation, problem in function of antihacking, debugger found within your system, hacking tool detected, etc.)
So the only thing I have to do now is patch the memory checksum functions. Then I can use every tool and hack I want.

well done bad boy xD

02/04/2010, 21:18  #20
elite*gold: 0
Join Date: Feb 2009
Posts: 256
Received Thanks: 474
I guess it will be more complicated after the update. If I bypass driver loading and the engine check, EhSvc ends up in some ****** loop - memory manipulation and such **** stops working. And I got expelled at the login attempt. It seems there is something that checks HackShield initialization. After the ping packet another packet is sent, from HackShield (because it isn't listed in the packets sent from the engine's pre-encryption send) - then I'm expelled.
***, I hate this game so much.
Now I'm kinda lost. I haven't been analyzing HShield initialization in depth, but from a first look I don't see anything which could help me understand how to bypass this s***.
I guess it's time for somebody more experienced to do it.

02/04/2010, 22:10  #21
elite*gold: 0
Join Date: Dec 2009
Posts: 81
Received Thanks: 31
I already thought they updated HShield. Can't even start Kal on Win7 without running as Admin.

02/04/2010, 22:37  #22
elite*gold: 0
Join Date: Feb 2009
Posts: 256
Received Thanks: 474
I will keep trying to bypass it tomorrow. For today I have had enough. I cannot continue working on the old packet hack until I am able to bypass the driver check. But as I said, maybe somebody more experienced could help. What about Bloodx?

02/04/2010, 23:12  #23
elite*gold: 55
Join Date: Mar 2006
Posts: 4,582
Received Thanks: 1,539
hmm, why are you trying to bypass the full HackShield o.O When you want to hook you only need to change 1 (2?) things.
Or write an emulator for HackShield :P

02/04/2010, 23:42  #24
elite*gold: 0
Join Date: Feb 2009
Posts: 256
Received Thanks: 474
Yeah, when you want to hook, you only need 2 things (with my recent find it should need only one thing). But the server asks for a CRC after some time (you're expelled) and I want to patch it. And I have to patch it from the game. So I need to connect with a debugger. That means disabling the driver.
Emulating HackShield would mean emulating AES - I have no experience with integrity checks and encryption. It would be easier to use Send and Recv from Winsock to sniff.

02/05/2010, 16:57  #25
elite*gold: 46
Join Date: Mar 2006
Posts: 2,589
Received Thanks: 1,198
@bloodx,
stop writing the same **** all the time..
@Thiesius,
really nice work, you're one of the people that got my full respect. Do not use intercepts, rather detour the functions. You can detour the recv very easily, it's not encrypted anyway. On send you gotta encrypt the packets and code an unhook for when HackShield checks your send function. With unhook I mean: when you get the packet 0x05 -> Unhook(), wait for the end of the check and Hook() again. If you're already able to use OllyDbg (some people can't :P) then just follow the packet 0x05 and you will see the function that's checking, and you will also see some variables of HackShield that change when you have Cheat Engine open, for example. I found out that I can modify just a var of HackShield to make my state undetected.
Ok, good luck on your project .. you're one of the people that use their own brain and do not write **** all the time ..
btw I never saw you in this section, but welcome.

02/05/2010, 18:09  #26
elite*gold: 0
Join Date: Feb 2009
Posts: 256
Received Thanks: 474
Quote:
Originally Posted by syntex
@bloodx,
stop writing the same shit all the time..
@Thiesius,
really nice work, you're one of the people that got my full respect. Do not use intercepts, rather detour the functions. You can detour the recv very easily, it's not encrypted anyway. On send you gotta encrypt the packets and code an unhook for when HackShield checks your send function. With unhook I mean: when you get the packet 0x05 -> Unhook(), wait for the end of the check and Hook() again. If you're already able to use OllyDbg (some people can't :P) then just follow the packet 0x05 and you will see the function that's checking, and you will also see some variables of HackShield that change when you have Cheat Engine open, for example. I found out that I can modify just a var of HackShield to make my state undetected.
Ok, good luck on your project .. you're one of the people that use their own brain and do not write shit all the time ..
btw I never saw you in this section, but welcome.

Thank you, that kinda cheered me up. I was already thinking about Unhook/Hook, but I thought that it is kinda nooby to do it this way and you will lose some sniffed data. And yes, I noticed that there is another packet sent after 0x05 (ping packet I guess), but it doesn't go through the engine's send. Just before the update I found a HShield callback... I modified it and was laughing when I saw those messages "Change in memory sector at: XXXXXX" or "Undefined hacking tool detected" and HShield was unable to do anything. I saved the pattern, but it seems that it was changed after the update.
So you are saying that there is a variable that stores the HackShield initialization status (driver not loaded)? But if I don't let the driver initialize, other HackShield functions will stop working (like the integrity check). Thank you again.

02/07/2010, 17:56  #27
elite*gold: 46
Join Date: Mar 2006
Posts: 2,589
Received Thanks: 1,198
just a hint:
check the recv 0x03 packet (it's the HackShield check).
Unloading drivers isn't the simplest thing in the world :P rather try to find the functions that check for manipulated functions, because it's much easier and wastes less time.
btw, unhook and hook on 0x03 is a good start but will end in losing some packet information.
Keep reversing and try to understand what's going wrong with your hack. You can simply start a new project and figure out what hook or mem edit will expel ya .. for example if you only use a recv detour/hook you won't get expelled; when you add send you will, that means the send hook/detour is checked by HackShield..
good luck and keep the community running, there may be some people that can help you with your problems and bring you forward.
syntex : - )

02/07/2010, 20:05  #28
elite*gold: 0
Join Date: Feb 2009
Posts: 256
Received Thanks: 474
Quote:
Originally Posted by syntex
just a hint:
check the recv 0x03 packet (it's the HackShield check).
Unloading drivers isn't the simplest thing in the world :P rather try to find the functions that check for manipulated functions, because it's much easier and wastes less time.
btw, unhook and hook on 0x03 is a good start but will end in losing some packet information.
Keep reversing and try to understand what's going wrong with your hack. You can simply start a new project and figure out what hook or mem edit will expel ya .. for example if you only use a recv detour/hook you won't get expelled; when you add send you will, that means the send hook/detour is checked by HackShield..
syntex : - )

0x03 is the "m" packet as far as I remember. Yeah, I know it's HackShield's check. I could try to use hook/unhook on 0x03, but now I would like to finish my previous project. As you see I'm trying to learn as much as I can, so I can't just give up the way I chose.
I found the callback function again btw.
Everything was kinda good before the update. But how am I supposed to reverse now? When EagleNT is loaded -> I can't attach a usermode debugger to a kernelmode process. And unloading EagleNT forcefully will end up in a BSOD. Bypassing EagleNT loading (as I did before) -> all HackShield functions will stop operating, so I can't connect or trace the mem-manipulation detecting functions (but HackShield won't close the game as well).
Today I had one goal -> let's figure out those session keys. I did it.... Was kinda surprised how easy it was. Now I can simply "run and play".
Now I don't know: shall I release it or not? I think I know what Inix would do after the release, but maybe I would be able to reverse it again...
Quote:
good luck and keep the community running, there may be some people that can help you with your problems and bring you forward.

Well, maybe you

02/07/2010, 23:18  #29
elite*gold: 20
Join Date: Jul 2007
Posts: 1,979
Received Thanks: 270
Thiesius, I really like what you're doing here and I read every post. If I were you, I wouldn't release this.
You're giving enough information here, and if you release it Inix will destroy it and destroy your work, but as it is here, Inix won't be able to do anything; I hope.
Really nice work, but I don't even know how to decrypt 'm' packets, never spent time to find out =]

02/07/2010, 23:41  #30
elite*gold: 0
Join Date: Feb 2009
Posts: 256
Received Thanks: 474
To be honest, I don't know much about 'm' packets either. I just recognize that most of them belong to the anti-hack, because I obviously got kicked many times on those packets. I guess it contains CRCs or hacking tool warnings anyway - so I should focus on recv. It might work like this: RECV: type:MAKECRC data:FUNCTION54,FUNCTION12,FUNCTION41. The request is processed and then in some "m" packet the info is sent. And the server checks: if any CRC != REALCRC then "I'm gonna expel ya buddy". I don't know a lot of things yet, the things above are just speculation. I should focus on the packet flow to understand it a little bit better, but now I have to beat that fkn HShield initialization protection (maybe if I unpack it? But I'm sure Themida would beat my *** again).
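The server-driven CRC check speculated about in the post above, modelled from the anti-cheat designer's side as an added example (this is not code from the thread, from HackShield or from the game): the MAKECRC request format, the FUNCTIONxx region names and the client image are all constructed, and the server's view is the reference CRCs of the pristine build.

```python
# Added example (not from the thread): a toy model of the server-driven memory
# integrity check described above. The server names code regions to checksum,
# the client returns CRC32s over its own image, and the server compares them
# with known-good values; a byte-patched region fails the check.
import zlib
from typing import Dict, List, Tuple

# Constructed 128-byte "code image" of a client. Region names mirror the
# post's FUNCTION54/FUNCTION12/FUNCTION41 placeholders (assumed layout).
CLIENT_IMAGE = bytearray(b"\x55\x8b\xec\x83\xec\x10" * 16 + b"\xc3" * 32)
REGIONS: Dict[str, Tuple[int, int]] = {      # name -> (offset, length)
    "FUNCTION54": (0, 24),
    "FUNCTION12": (24, 48),
    "FUNCTION41": (96, 32),
}

def make_crc_request(names: List[str]) -> bytes:
    """Server -> client: 'MAKECRC' followed by the regions to hash (assumed format)."""
    return b"MAKECRC:" + b",".join(n.encode() for n in names)

def answer_crc_request(request: bytes, image: bytes) -> Dict[str, int]:
    """Client side: CRC32 each named region of its own image."""
    kind, _, payload = request.partition(b":")
    if kind != b"MAKECRC":
        raise ValueError("unexpected request type")
    result = {}
    for raw in payload.split(b","):
        name = raw.decode()
        off, length = REGIONS[name]
        result[name] = zlib.crc32(image[off:off + length]) & 0xFFFFFFFF
    return result

def reference_crcs(pristine: bytes) -> Dict[str, int]:
    """Server side: CRCs computed once over the unmodified client build."""
    return {n: zlib.crc32(pristine[o:o + l]) & 0xFFFFFFFF for n, (o, l) in REGIONS.items()}

def verify(reported: Dict[str, int], expected: Dict[str, int]) -> List[str]:
    """Names of regions whose CRC is missing or disagrees with the reference.
    Empty list = client passes; anything else is the post's 'CRC != REALCRC'."""
    return sorted(n for n, crc in expected.items() if reported.get(n) != crc)

if __name__ == "__main__":
    expected = reference_crcs(bytes(CLIENT_IMAGE))
    req = make_crc_request(list(REGIONS))
    print("untouched client:", verify(answer_crc_request(req, bytes(CLIENT_IMAGE)), expected))
    patched = bytearray(CLIENT_IMAGE)
    patched[30] ^= 0xFF   # simulate a single patched byte inside FUNCTION12
    print("patched client:  ", verify(answer_crc_request(req, bytes(patched)), expected))
```

A region that the client silently omits from its reply is flagged the same way as a mismatching one.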