packet logger
Discussion on packet logger within the Perfect World forum part of the MMORPGs category.
06/12/2009, 15:28
#16
Join Date: Dec 2008
Posts: 89
Received Thanks: 56
I am pretty sure the easiest way to log packets is to find the code in the client that encrypts the packets and hook it. Can't be that hard to find... start at the sockets and work your way up! Same for decryption, hook the client! Why do the hard work when you can use the existing code in the client. Laziness ftw
EDIT: Oh great, that is exactly what you did... nevermind
06/15/2009, 10:48
#17
Join Date: Nov 2007
Posts: 160
Received Thanks: 28
plixbugmenot, you can participate in finding the crypto algorithm if it seems so easy to you.
06/16/2009, 01:28
#18
Join Date: Dec 2008
Posts: 89
Received Thanks: 56
I'm talking about intercepting the data BEFORE encryption... somewhere the objects/values that are sent to the server must get serialized and encrypted through a function call... for example SendAndEncrypt(Object* myObject). If you find that function and hook it, then you don't have to find the decryption algorithm. And if you want to make a standalone client you can probably extract the encryption algo in asm and use it in your own program. Don't make things harder than they need to be!
(hard part is finding the function(s) that serialize/encrypt)
You know, you just made me want to figure this thing out, let's fire up my disassembler.
06/17/2009, 11:01
#19
Join Date: Nov 2007
Posts: 160
Received Thanks: 28
Ha. It's the most interesting part - to find the encryption algo. As far as I've discovered, the client uses GNET::Octets for storing the encrypted data, but I'm stuck in finding where the plain data is being encrypted...
06/17/2009, 22:06
#20
Join Date: Jun 2008
Posts: 142
Received Thanks: 13
Since someone is still wondering - here's
06/18/2009, 00:24
#21
Join Date: Dec 2008
Posts: 89
Received Thanks: 56
I took a little peek under the hood, and I found this
.data:0093A110 class GNET::CompressARCFourSecurity
.data:0093A110 class GNET::CompressARCFourSecurity
these are both RTTI type descriptors
I saw those called pretty close to some ws_32.send calls. Coincidence? I don't think so.
But who cares about those, when you have the objects that get used for sending data. You don't even have to reverse engineer the packet data, nor decrypt it.
I'm talking about these:
GNET::ChatMessage
GNET::WorldChat
GNET::RoleStatusAnnounce
and maybe more interesting for trade hacks:
GNET::TradeAddGoods_Re
GNET::TradeStart_Re
GNET::TradeRemoveGoods_Re
and there are lots more, for walking, fighting, etc
Just find the constructor of these objects, add breakpoints, and you can figure the other stuff out yourself I think
Oh yeah, receiving data, I don't know exactly how that works, but I am pretty sure it will clear itself up when you dig into these GNET objects. I'm guessing there is actually a callback to these objects when receiving data.
Just throwing in some ideas
EDIT:
I went a little deeper, I chose 1 object, GNET::ChatRoomCreate, and did some debugging, this is what I found.
Code:
005C86C0     ; CONSTRUCTOR of chatRoomCreate, gets normal string of the name of the chatroom
v
sub_5B3B30   ; ENCRYPTION starts here, all data that gets sent passes through here, this means walking, battling, skills etc
             ; this is a function of a baseclass, either GNET::MARSHALL or GNET::PROTOCOL, I know this because ecx gets passed
v
sub_5B3B70   ; this is a function of an object at offset 0AC, this could be the encryption object?
calls CALL DWORD PTR DS:[EDX]   ; these are just here
v
somefunc                        ; to show how the data gets at the socket
v
00431490
{
00431507 |. FFD5 CALL EBP       ; copy data into socket to send
}
BUT I am not sure if there is really encryption going on, no breakpoints hit on the RCFOUR code while I was testing. They might be just serializing the data in some compressed binary format, which would make more sense anyway
06/18/2009, 11:36
#22
Join Date: Nov 2007
Posts: 160
Received Thanks: 28
Quote:
sub_5B3B30, ENCRYPTION starts here
Please post fragments of the disasm, because we have different versions of the client exe.
This is the sending routine:
Code:
.text:0059F960 push ebx
.text:0059F961 push esi
.text:0059F962 mov esi, ecx ; esi = ecx = streamIO (this)
.text:0059F964 push edi
.text:0059F965 push 0 ; flags
.text:0059F967 mov eax, [esi+10h] ; data
.text:0059F96A mov ecx, [eax+4] ; data buffer
.text:0059F96D mov edx, [eax+8] ; data length
.text:0059F970 mov eax, [esi+4] ; socket
.text:0059F973 mov ebx, ecx
.text:0059F975 sub edx, ebx
.text:0059F977 push edx ; len
.text:0059F978 push ecx ; buf
.text:0059F979 push eax ; s
.text:0059F97A call ds:__imp_send
.text:0059F980 mov ebx, eax
.text:0059F982 test ebx, ebx
.text:0059F984 jle short loc_59F9B1 ; jump if send error
.text:0059F986 mov edi, [esi+10h]
.text:0059F989 mov esi, [edi+4]
.text:0059F98C add ebx, esi
.text:0059F98E cmp esi, ebx
.text:0059F990 jz short loc_59F9EC
.text:0059F992 mov ecx, [edi+8]
.text:0059F995 sub ecx, ebx
.text:0059F997 push ecx ; Size
.text:0059F998 push ebx ; Src
.text:0059F999 push esi ; Dst
.text:0059F99A call ds:memmove
.text:0059F9A0 mov eax, [edi+8]
.text:0059F9A3 sub esi, ebx
.text:0059F9A5 add esp, 0Ch
.text:0059F9A8 add eax, esi
.text:0059F9AA mov [edi+8], eax
.text:0059F9AD pop edi
.text:0059F9AE pop esi
.text:0059F9AF pop ebx
.text:0059F9B0 retn
.text:0059F9B1 ; ---------------------------------------------------------------------------
.text:0059F9B1
.text:0059F9B1 loc_59F9B1:
.text:0059F9B1 call ds:WSAGetLastError
.text:0059F9B7 cmp ebx, 0FFFFFFFFh
.text:0059F9BA jnz short loc_59F9C3
.text:0059F9BC cmp eax, 2733h
.text:0059F9C1 jz short loc_59F9EC
.text:0059F9C3
.text:0059F9C3 loc_59F9C3: ;
.text:0059F9C3 mov ecx, [esi+10h]
.text:0059F9C6 push eax
.text:0059F9C7 push offset aPolloutErrnoD ; "Pollout: errno=%d \n"
.text:0059F9CC push 80h ; Count
.text:0059F9D1 mov edx, [ecx+4]
.text:0059F9D4 push offset byte_97F5B4 ; Dest
.text:0059F9D9 mov [ecx+8], edx
.text:0059F9DC call ds:__imp__snprintf
.text:0059F9E2 mov eax, [esi+8]
.text:0059F9E5 add esp, 10h
.text:0059F9E8 mov byte ptr [eax+4], 1
.text:0059F9EC
.text:0059F9EC loc_59F9EC:
.text:0059F9EC pop edi
.text:0059F9ED pop esi
.text:0059F9EE pop ebx
.text:0059F9EF retn
As you can see at mov eax, [esi+10h] ; data, we have to find where this data is being created and encrypted.
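A C reconstruction of the sending routine listed above, added here as an example; it is not code from the post or from the client. The struct layouts and field names (stream_io with the socket at +4, a state object at +8 and the outgoing buffer at +10h; octets with begin at +4 and end at +8) are assumptions read off the listing, and send/WSAGetLastError are replaced by constructed mock callbacks so the example runs without Winsock. It makes the control flow explicit: a partial send shifts the unsent tail down with memmove and shrinks end, a result of -1 with error 2733h (10035, WSAEWOULDBLOCK) on a non-blocking socket is not treated as an error, and any other failure drops the buffered bytes, formats the "Pollout: errno=%d" message and sets a flag byte on the object at +8.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value compared at 0059F9BC: 2733h = 10035 = WSAEWOULDBLOCK. */
#define WSAEWOULDBLOCK_VALUE 0x2733

/* Layouts implied by the listing; field names are assumptions. */
struct octets {
    void *reserved;        /* +0   not touched by this routine */
    char *begin;           /* +4   first unsent byte */
    char *end;             /* +8   one past the last unsent byte */
};

struct stream_io {
    void *reserved;        /* +0 */
    int   sock;            /* +4   socket handle */
    unsigned char *state;  /* +8   object whose byte at +4 is set to 1 on error */
    void *unused;          /* +0C */
    struct octets *data;   /* +10  outgoing buffer */
};

/* Hypothetical callbacks standing in for send() and WSAGetLastError(). */
typedef int (*send_fn)(int sock, const char *buf, int len, int flags);
typedef int (*last_error_fn)(void);

char pollout_msg[0x80];   /* stands in for byte_97F5B4, the snprintf destination */

/* Returns 0 when data was sent or the socket would block, 1 on a hard error. */
int stream_pollout(struct stream_io *s, send_fn do_send, last_error_fn last_error)
{
    struct octets *d = s->data;                          /* mov eax, [esi+10h] */
    int len = (int)(d->end - d->begin);                  /* sub edx, ebx */
    int sent = do_send(s->sock, d->begin, len, 0);       /* call ds:__imp_send */
    if (sent > 0) {                                      /* jle -> error path */
        char *rest = d->begin + sent;
        if (rest != d->begin) {                          /* cmp esi, ebx / jz */
            memmove(d->begin, rest, (size_t)(d->end - rest));
            d->end -= sent;                              /* [edi+8] -= sent */
        }
        return 0;
    }
    int err = last_error();                              /* call ds:WSAGetLastError */
    if (sent == -1 && err == WSAEWOULDBLOCK_VALUE)       /* not ready yet: keep data */
        return 0;
    d->end = d->begin;                                   /* drop the unsent bytes */
    snprintf(pollout_msg, sizeof pollout_msg, "Pollout: errno=%d \n", err);
    s->state[4] = 1;                                     /* flag the stream as broken */
    return 1;
}

/* Constructed mock: send at most mock_limit bytes, or fail with mock_errno. */
static int mock_limit, mock_errno;
static int mock_send(int sock, const char *buf, int len, int flags)
{
    (void)sock; (void)buf; (void)flags;
    if (mock_errno) return -1;
    return len < mock_limit ? len : mock_limit;
}
static int mock_last_error(void) { return mock_errno; }

/* Drives one pollout over a constructed 10-byte buffer "0123456789".
   Returns the number of bytes still queued; the bytes go to pollout_out,
   the routine's result to pollout_result and the flag byte to pollout_broken. */
char pollout_out[32];
int  pollout_broken, pollout_result;
int run_pollout(int limit, int errno_value)
{
    static char storage[32];
    static unsigned char state[8];
    struct octets d = { NULL, storage, storage + 10 };
    struct stream_io s = { NULL, 7, state, NULL, &d };
    memcpy(storage, "0123456789", 10);
    memset(state, 0, sizeof state);
    mock_limit = limit; mock_errno = errno_value;
    pollout_result = stream_pollout(&s, mock_send, mock_last_error);
    pollout_broken = state[4];
    int n = (int)(d.end - d.begin);
    memcpy(pollout_out, d.begin, (size_t)n);
    pollout_out[n] = '\0';
    return n;
}

int main(void)
{
    int n = run_pollout(3, 0);
    printf("partial send: %d bytes left: \"%s\"\n", n, pollout_out);
    run_pollout(0, 10054);
    printf("hard error: broken=%d msg=%s", pollout_broken, pollout_msg);
    return 0;
}
```

The partial-send branch is the part worth reading twice when building a logger: the buffer handed to send() is only the not-yet-sent remainder, so a hook on the send import sees each protocol message once at most and sometimes split across calls.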
06/18/2009, 14:31
#24
Join Date: Dec 2008
Posts: 89
Received Thanks: 56
that's easy, I found that already
Code:
.text:00431490 ; int __stdcall sub_431490(int, void *Src, size_t Size)
.text:00431490 sub_431490 proc near ; CODE XREF: sub_431210+2Bp
.text:00431490 ; sub_431210+42p ...
.text:00431490
.text:00431490 arg_0 = dword ptr 4
.text:00431490 Src = dword ptr 8
.text:00431490 Size = dword ptr 0Ch
.text:00431490
.text:00431490 push ebx
.text:00431491 mov ebx, [esp+4+Size]
.text:00431495 push ebp
.text:00431496 push esi
.text:00431497 mov esi, ecx
.text:00431499 push edi
.text:0043149A mov edi, [esp+10h+arg_0]
.text:0043149E mov eax, [esi+4]
.text:004314A1 mov ebp, [esi+8]
.text:004314A4 mov edx, [esi+0Ch]
.text:004314A7 sub ebp, eax
.text:004314A9 sub edi, eax
.text:004314AB lea ecx, [ebx+ebp]
.text:004314AE cmp ecx, edx
.text:004314B0 jbe short loc_4314E0
.text:004314B2 dec ecx
.text:004314B3 mov dword ptr [esi+0Ch], 2
.text:004314BA shr ecx, 1
.text:004314BC jz short loc_4314CA
.text:004314BE
.text:004314BE loc_4314BE: ; CODE XREF: sub_431490+38j
.text:004314BE mov edx, [esi+0Ch]
.text:004314C1 shl edx, 1
.text:004314C3 shr ecx, 1
.text:004314C5 mov [esi+0Ch], edx
.text:004314C8 jnz short loc_4314BE
.text:004314CA
.text:004314CA loc_4314CA: ; CODE XREF: sub_431490+2Cj
.text:004314CA mov ecx, [esi+0Ch]
.text:004314CD push ecx ; NewSize
.text:004314CE push eax ; Memory
.text:004314CF call ds:__imp_realloc
.text:004314D5 add esp, 8
.text:004314D8 mov [esi+4], eax
.text:004314DB add eax, ebp
.text:004314DD mov [esi+8], eax
.text:004314E0
.text:004314E0 loc_4314E0: ; CODE XREF: sub_431490+20j
.text:004314E0 mov eax, [esp+10h+arg_0]
.text:004314E4 test eax, eax
.text:004314E6 jz short loc_43151D
.text:004314E8 mov eax, [esi+4]
.text:004314EB mov edx, [esi+8]
.text:004314EE mov ebp, ds:memmove
.text:004314F4 add edi, eax
.text:004314F6 sub edx, edi
.text:004314F8 push edx ; Size
.text:004314F9 lea eax, [edi+ebx]
.text:004314FC push edi ; Src
.text:004314FD push eax ; Dst
.text:004314FE call ebp ; memmove
.text:00431500 mov ecx, [esp+1Ch+Src]
.text:00431504 push ebx ; Size
.text:00431505 push ecx ; Src
.text:00431506 push edi ; Dst
.text:00431507 call ebp ; memmove   <-- the line shown in red in the original post
.text:00431509 mov eax, [esi+8]
.text:0043150C add esp, 18h
.text:0043150F add eax, ebx
.text:00431511 mov [esi+8], eax
.text:00431514 mov eax, esi
.text:00431516 pop edi
.text:00431517 pop esi
.text:00431518 pop ebp
.text:00431519 pop ebx
.text:0043151A retn 0Ch
.text:0043151D ; ---------------------------------------------------------------------------
.text:0043151D
.text:0043151D loc_43151D: ; CODE XREF: sub_431490+56j
.text:0043151D mov edx, [esp+10h+Src]
.text:00431521 mov eax, [esi+4]
.text:00431524 push ebx ; Size
.text:00431525 push edx ; Src
.text:00431526 push eax ; Dst
.text:00431527 call ds:memmove
.text:0043152D mov eax, [esi+4]
.text:00431530 add esp, 0Ch
.text:00431533 add ebx, eax
.text:00431535 mov eax, esi
.text:00431537 mov [esi+8], ebx
.text:0043153A pop edi
.text:0043153B pop esi
.text:0043153C pop ebp
.text:0043153D pop ebx
.text:0043153E retn 0Ch
.text:0043153E sub_431490 endp
pretty easy to find with ollydbg... break on the send call, follow ECX in dump (pointer to the data), set a breakpoint on that memory location and find out what writes to that. The line in red does that
here is my elementclient and IDA database
Code:
http://rapidshare.com/files/245897680/ElementClientFiles.rar
and mov eax, [esi+10h] is NOT the data
Code:
mov esi, ecx //ESI = THIS ptr
mov eax, [esi+10h] //go to offset 10 in this instance of the class, dereference pointer
mov ecx, [eax+4] //go to offset 4 from the eax pointer, dereference it, here is the pointer to the data in ecx
push edx ; len
push ecx ; buf //give pointer to data to ws32_send(socket* s,char* buf,uint len);
push eax ; s
call ds:__imp_send
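The routine at 00431490 listed above reads as the insert method of a growable byte buffer (the GNET::Octets class mentioned earlier in the thread is a plausible owner, but that is an assumption). The following C reconstruction is added here as an example and is not the client's code: the fields at +4/+8/+0Ch become begin/end/cap, the shift loop at 004314B2..004314C8 becomes octets_grow_to, the first memmove makes room and the second (the call the post marks in red) copies the new bytes in, and the test-eax/jz branch to loc_43151D is the pos == NULL path that overwrites from the start. The demo function, its strings and the NULL check after realloc are constructed additions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer layout implied by sub_431490; offsets +4/+8/+0Ch, names are assumptions. */
struct octets {
    void  *reserved;   /* +0 */
    char  *begin;      /* +4   start of the data */
    char  *end;        /* +8   one past the last byte */
    size_t cap;        /* +0C  bytes allocated at begin */
};

/* The shift loop at 004314B2..004314C8: cap starts at 2 and doubles once per
   remaining bit of (needed-1)>>1, which yields the smallest power of two
   that is >= needed (never below 2). */
size_t octets_grow_to(size_t needed)
{
    size_t cap = 2;
    size_t bits = (needed - 1) >> 1;
    while (bits) { cap <<= 1; bits >>= 1; }
    return cap;
}

/* sub_431490 in C. pos points inside the buffer; the bytes from pos onwards are
   shifted up by size and src is copied in. With pos == NULL the loc_43151D path
   runs: src overwrites the buffer from the start and end becomes begin + size.
   Returns the buffer, like `mov eax, esi` before retn 0Ch. */
struct octets *octets_insert(struct octets *o, char *pos, const void *src, size_t size)
{
    size_t used = o->begin ? (size_t)(o->end - o->begin) : 0;
    size_t offset = pos ? (size_t)(pos - o->begin) : 0;   /* survives the realloc */
    if (used + size > o->cap) {                            /* cmp ecx, edx / jbe */
        o->cap = octets_grow_to(used + size);
        char *p = realloc(o->begin, o->cap);               /* call ds:__imp_realloc */
        if (!p) abort();                                   /* not in the listing; added */
        o->begin = p;
        o->end = p + used;
    }
    if (pos == NULL) {                                     /* test eax, eax / jz loc_43151D */
        memmove(o->begin, src, size);
        o->end = o->begin + size;
        return o;
    }
    pos = o->begin + offset;                               /* add edi, eax */
    memmove(pos + size, pos, (size_t)(o->end - pos));      /* open a gap of size bytes */
    memmove(pos, src, size);                               /* the memmove marked in red */
    o->end += size;
    return o;
}

/* Constructed demo: "hello" -> "hello world" -> "hello, world". Returns the
   final length; bytes go to octets_demo_out, the final capacity to octets_demo_cap. */
char   octets_demo_out[32];
size_t octets_demo_cap;
size_t octets_demo(void)
{
    struct octets o = { NULL, NULL, NULL, 0 };
    octets_insert(&o, NULL, "hello", 5);            /* cap 0 -> 8 */
    octets_insert(&o, o.end, " world", 6);          /* append, cap 8 -> 16 */
    octets_insert(&o, o.begin + 5, ",", 1);         /* insert in the middle */
    size_t n = (size_t)(o.end - o.begin);
    memcpy(octets_demo_out, o.begin, n);
    octets_demo_out[n] = '\0';
    octets_demo_cap = o.cap;
    free(o.begin);
    return n;
}

int main(void)
{
    size_t n = octets_demo();
    printf("%zu bytes, cap %zu: \"%s\"\n", n, octets_demo_cap, octets_demo_out);
    return 0;
}
```

Seen this way, the memory breakpoint the post describes fires inside a generic buffer append, not in any serialization or cipher code, which is consistent with the earlier observation that no breakpoints on the ARCFOUR code were hit: the interesting callers are the ones that invoke this routine, not the routine itself.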
06/27/2009, 15:17
#25
Join Date: Jun 2009
Posts: 1
Received Thanks: 3
here is simple client
which logs shout chat
_http://slil.ru/27794994
enjoy
07/01/2009, 04:56
#26
Join Date: Dec 2008
Posts: 120
Received Thanks: 8
wew.. how to decrypt... ?