[Question] Packet Encryption

[Thiesius]

Hello guys,

I have question about encryption
Aparently decrypt/encrypt doesn't work (with this key?), so I was thinking, that you might help me out . I used encryption from SyronX's source (BakaBug's).

Image describes: Hook, Nothing, Decrypted, Encrypted again

Code:

//...
//Declarations: 
//DWORD SendPacketMain = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",SendPacketMain_+1,0x007FFFFF);
//BYTE *TKey = (BYTE*)*((DWORD*)(PacketSendMain+0xCA));
//BYTE TableKey;
//BYTE Header;
//BYTE tmp;

//....
//INSIDE FUNCTION
TableKey = ((*TKey)-1) & 0x3F;
Header = buf[2];
		DecryptTable(TableKey,(unsigned char *)&Header,1);
		DecryptTable(TableKey,(unsigned char*)buf+2,nSentBytes-2);
		DecryptPacketAES((char*)buf);
//.....
		EncryptPacketAES((char*)buf);
		EncryptTable(TableKey,(unsigned char*)buf+2,nSentBytes-2);
//....

By the way, wouldn't be easier to hook HackShield functions? The one which is called to check if functions aren't hooked and the second one, which is called when server asks for CRC(or some hash I dunno) of specified engine functions.... Of course clientless wouldn't work....

[meak1]

u didnt need send function only recv ;D
if u want write a bot ;/

[BorSti]

correct but iam trying aswell to sniff send again xD

[meak1]

a friend mean that only changing the decrypt and encrypt table , encrypt to decrypt and decrypt to encrypt^^ but i can ask him next time how he got it ;p

[Thiesius]

I know that I don't basicly need hooking the send function, but what if I don't know packet structures? How can I know (yea I know few packet structures) which format I should use when I want to response with send after recv? Tracing the packet forging functions in engine? That can take ages .

I don't want only bot.... I want both - send and recv - functions hooked so I can sniff.

I had 2 Methods of bypassing:
First one works for 2-10 minuts... Then server CRC check pwns me.
Second one: I made it today... I disabled HShield driver (Not with Registry key security - that is pretty nooby and doesn't always work) so I can load engine into olly. I patched hackshield memory checking functions... So now I'm logged in and waiting for expell. I think there is one more function, which generate CRC.

Now it's 35 minuts from my login. I haven't been disconnected yet.
EDIT:
Hmmm 2 hours 30 mins and no C/L yet.

[BorSti]

Quote:

Originally Posted by Thiesius

I know that I don't basicly need hooking the send function, but what if I don't know packet structures? How can I know (yea I know few packet structures) which format I should use when I want to response with send after recv? Tracing the packet forging functions in engine? That can take ages .

I don't want only bot.... I want both - send and recv - functions hooked so I can sniff.

I had 2 Methods of bypassing:
First one works for 2-10 minuts... Then server CRC check pwns me.
Second one: I made it today... I disabled HShield driver (Not with Registry key security - that is pretty nooby and doesn't always work) so I can load engine into olly. I patched hackshield memory checking functions... So now I'm logged in and waiting for expell. I think there is one more function, which generate CRC.

Now it's 35 minuts from my login. I haven't been disconnected yet.
EDIT:
Hmmm 2 hours 30 mins and no C/L yet.

nice report !

[katze123]

yep... but what can you do if you bypassed it? normally hook the functions as before? ;D

[Thiesius]

3 hours without Expell. Then I got C/L because I didn't realize that I can't do router cache cleanup when I'm connected :].

It should be possible to hook anything now, I guess. Atleast Send and Recv works....

[katze123]

very nice ;D but uhm... with intercept you get expelled after 30-300 minutes
maybe with this bypass not? tell me

[Thiesius]

Yup, I also thought so... It's possible, that there is another different function which checks the functions again and send a CRC/hash to server. At evening I will start Kal and let it run over the night.... Will see.... If there is another function, then I should patch it too .

Basicly Hackshield "Memory Manipulation" check is every 2-3 mins (Maybe it's that one which was kicking us after 30-300 mins, but now it's more frequented and loads a error message from config too...) and HShield "Check if all hackshield functions are OK" every 3-5 mins.

[katze123]

hmm... yes while we hooked the functions with intercept we got expelled, but maybe now you don't get an expell because you bypassed something which was checking this... really nice work

[bloodx]

There are some way's to bypass the "Intercept" block.

But u dont really need Intercept o.O

[Thiesius]

Intercept only replace original instructions with jump to your modified function.

So I setup Time logging on every 0x05 packet sent. Will see how long it will stay without expell (if there will be any). I hope noone will play with router or internet connection settings again (Probabilty is high for some reasons....)

[katze123]

yes i know that there is a way without intercept

good luck thiesius

[Thiesius]

Thanks. I hope I won't have to patch any more functions.... Because if there is that "3rd one", it would probably take some time to trace it and fix it.