[Question] Packet Encryption

katze123 · 02/08/2010, 10:10

m packets used in selling to npc, trade and the hshield function u mentioned.
and f/l but that one is released somewhere here

SendDetour(0x5c,"bbssdwbdd",[...])
this is from kalhackzz v0.4 from hello123456
very hard to find sth like this i think

Thiesius · 02/08/2010, 17:33

Well, all packets are listed in packet forging function (atleast it looks like there are all).

Mahatma · 02/08/2010, 17:45

Quote:

Originally Posted by katze123

and f/l but that one is released somewhere here
SendDetour(0x5c,"bbssdwbdd",[...])

wrong...sending an fl is no 'm' packet....
but well...doesn't matter cause it doesn't belong to hs :P

Thiesius · 02/08/2010, 21:06

I found some time to continue working on the engine.
Quick facts:
If HShield driver wasn't loaded during initialization, then none of hackshield services will work (Such as checking for memory manipulation).
If HShield driver is killed then there is one more packet sent. If it's sent, you will be expelled.
Packet order if driver isn't loaded:
1. Packet with session keys
2. 0x09 packet (Version?)
3. 0x05 aka ping packet
4. Packet of format Ud. Doesn't went through pre-encryption packetsend (or better for you - "SendPacketMain") and will disconnect you. I don't remember type. I guess it was 0x5B
5. Here should be "m" packet... but dunno...

Packet order if everything is allright:
1. Packet with session keys
2. 0x09 packet (Version?)
3. 0x05 aka ping packet
4. "m" packet

I tried to follow that 0x5B packet, but I endup in KalOnline callback WindowProc. I bookmarked it, and I will continue later. I hope I have atleast good lead...

I must admit, that after reversing session keys, the debugging is lot less time consuming.

I hope those informations will be helpful to someone (or somebody will help me o.O).

meak1 · 02/08/2010, 21:21

yust hook the send where is encryptet and make new decrypt algorithmus or look whats changed^^
its not so hard how emulate hackshield

Mahatma · 02/08/2010, 23:11

Quote:

Originally Posted by meak1

its not so hard how emulate hackshield

i don't think that u are able to do it... :P

Thiesius · 02/08/2010, 23:16

What would you do, if the ws2_32 exports were also scanned by integrity check? Sure, engine has very badass method to check if it isn't hooked. Called one time at initialization

#EDIT:
@Mahatma
I think the sentance he had written was actually meant as "Decrypting is easier than emulating hackshield"
"its not so hard how emulate hackshield " -> "...it's not so hard, unlike emulating HShield"
imho

meak1 · 02/08/2010, 23:19

ich meint halt das es nich so schwer ist(send da decrypt) wie hackshield zu emulieren(glaube ich) ;/ aber mein english is **** oder du hast es falsch verstanden^^

Mahatma · 02/08/2010, 23:34

Quote:

Originally Posted by Thiesius

@Mahatma
I think the sentance he had written was actually meant as "Decrypting is easier than emulating hackshield"
"its not so hard how emulate hackshield " -> "...it's not so hard, unlike emulating HShield"
imho

oh, yap...i misunderstood him :P

well, b2t: really good work!
i would help u but i'm totally noob in debugging and also pretty nooby with ida :/

Quote:

Originally Posted by meak1

ich meint halt das es nich so schwer ist(send da decrypt) wie hackshield zu emulieren(glaube ich) ;/ aber mein english is **** oder du hast es falsch verstanden^^

***, sry...hatte dich falsch verstanden^^

meak1 · 02/08/2010, 23:51

what u want to make if u have send working?

Thiesius · 02/09/2010, 00:27

Quote:

Originally Posted by Mahatma

well, b2t: really good work!
i would help u but i'm totally noob in debugging and also pretty nooby with ida :/

Well, thank you. I don't know much about IDA either (but I should

), so that's why I mainly focus on olly (IDA wouldn't help in this case anyways).

Quote:

Originally Posted by meak1

what u want to make if u have send working?

Well I could focus on encryption too, but come on: HShield could be really powerfull tool one day ( I don't think it isn't powerful enough, but I have in my mind a lot of improvements

) and one day you might not be able to use any hooks when the hackshield is active.
And I'm learning a lot when I'm reversing, so it's atleast some kind of experience.

meak1 · 02/09/2010, 00:36

only experience or for what u need the send ;o?

Thiesius · 02/09/2010, 00:47

I know I can PUSH params directly to the stack (by asm or detour) and then call the "SendPacketMain". But I might use it to sniff packet format directly. Like "dddwwwsddwwwwwwwww".
Btw I have found today most epic packet format in packet forging function. When I saw that I was like "OMFG monkey ballz!". It was really like "dawwbbbwddwbmbdw"

meak1 · 02/09/2010, 00:49

i want to know what u want to do if u have send working ^^ its so hard question ;p?

Thiesius · 02/09/2010, 01:02

I will stand up and yell: "OMG, I DID IT!!!"

... Guess I will create bot, and I have concept of two other useful things (first will work for sure, not sure about second).

#EDIT: Go sleep already :P