[Question] Sending data
I have 2 questions.
I know that the packets are encrypted. I found the address of send in the engine, not the ws2 send but the engineSend function that takes the data before it's encrypted. I am able to use it, but I can't hook it because of memory manipulation detection. A mid-function hook doesn't work either, so I guess there has to be some kind of checksum over that part of memory. I hooked the IAT send function, but the sniffed sent data is encrypted. I know that I am sending packets to the server because when I use engineSend I see sniffed packets client->server, but they are always different, so they have to be encrypted. Code:
typedef int (__stdcall *Send_org)(DWORD type,LPCSTR szFormat,...);
When I, for example, write Code:
KalTools::SendEngine(0x3d,"db",pid,14); |
You need to decrypt the packets also.
Upload the unpacked engine for me and I'll give you the encrypt + decrypt call + table. The key you get from the 0x2A packet too, position 7 or something. And Send is not __stdcall, it's __cdecl. You also don't pass the last "..." parameter to the send function, so what should it do? |
The whole engine.exe is checked by HS
Decrypt the packets or just use the Send function, you don't need any hook there... Just use the function for sending them ;d |
I changed the calling convention to cdecl already. I noticed it after posting ;p.
@meak I am using their send function. I just got the address, and sendEngine is executing it, as you can see. I can't hook it because of HS. I only hooked the send function at the IAT, but that's the send from ws2_32, so the packets intercepted there are already encrypted. What about the last parameter? I think I am blind because I don't see any error ;p I attached my dumped engine.exe. Tell me if it's OK ;) |
AS I SAID, DON'T HOOK IT, ONLY USE IT.
GET THE RECV PACKET, ANSWER WITH A CALL TO SEND, DON'T HOOK IT... -.-# Edit: or what do you want to hook Send for? |
I can hook the IAT send. How can I answer with that if it needs socket, buf, len, flags?
It's easier to use engineSend than the ws2 send. I'd have to encrypt the packet first in order to use the IAT-hooked send. I didn't hook send in the engine. I just have the address and I'm trying to use it. Btw, if I try to call Code:
((Send_org)sendAdd)(Header,szFormat,...); |
I didn't say any other method; it's public how to send over the engine function.
PHP Code:
|
Yes, I know this example. But in order for this to work you need to place a JMP over the first 5 bytes of this function to your function, right? And if I try that, HS detects memory corruption.
Edit. @blood I've changed it so it's passing va_list args, but it is still not working ;) Code:
void KalTools::SendEngine(DWORD Header,LPCSTR szFormat,...) |
YOU DON'T UNDERSTAND?
DON'T HOOK IT, JUST USE IT. THIS IS YOUR FUNCTION AND IT JUMPS BACK TO THE ENGINE; THE ENGINE DOESN'T NEED TO JUMP TO YOUR FUNCTION -.- Said it now 5 times; if you don't get it, it's your problem. You just call the function, the engine doesn't need to jmp to your function... |
Oh... I get it now. This kind of programming is new for me, so don't be angry if I sometimes don't understand how some things work.
|
np, I like to rage ;D
You use the function from the engine: you call your function with your parameters and then your function jumps to the engine Send; the engine Send encrypts your packet and sends it. |
Yeah, so pretty much my engineSend did the same thing, but it was calling their function directly and passing parameters. Anyway, is this sit packet OK? I want to check if it works
send(0x1F,"b",1); |
static int (__cdecl* SendPacket)(DWORD,LPCSTR,...) = (int (__cdecl*)(DWORD,LPCSTR,...))0x005A0100;
You can do this too, and then just use SendPacket(......); if you want to sniff packets, hook send from ws2 and decrypt the packets there. At 005A01F3 there should be the Encrypt call and at 0073AEE0 should be the Encrypt Table |
Quote: "so you can reconstruct those 6 Bytes and jump to SendPacketBack."
This is one big NOP :D Why don't you call SendPacketMain directly? |
Thanks blood ;)
I changed my send to Code:
void KalTools::SendEngine(DWORD Header,LPCSTR szFormat,...)
Yeah, I found this encrypt function, and the IDA pseudocode looks like bakabug's one, so I guess it is it ;p The encrypt table is pretty big oO. Well, I guess I can use a pointer to it and use the one from the engine directly. And about that packet sending: I am hooked already to the IAT send, so I can sniff sent data. Now I have to decrypt them in order to learn more. Are some packets changed now? Because this sit packet 0x1f,"b",1 is not working. I can see that it was sent, because the sniffed functions show it, but nothing happens. |
Code:
//Account |
Thanks. I love you xDD I'd try to check it myself after decrypting the sent packets, but it's a huge help for me ;) I guess the encrypt table can also be used to decrypt packets. I know it's a stupid question, but it's better to ask if I'm not sure xD heh I just started cryptography this semester, so I will know more when it ends ^^
|
DecryptTable != EncryptTable :P
In some games / applications, sure, but here 2 different ones are used. |
Hmm, so I have to find the decrypt table and the decrypt function in order to decrypt packets, right? Or just use the encrypt function in reverse order?
|
You can also use the engine crypt function like I did with SendPacket ;) hehe
Or you just use BakaBug's released stuff hehe. I think his Decrypt and Encrypt Table are still the same as now. |
But this function you gave is encrypt. I haven't tried to reverse it yet. I guess it takes a buffer and some other stuff to do it. I guess it would be easier to find their decrypt function and just use it. Hmm, but when is it used ;p Somewhere before receiving? Or in send also?
|
You can see the Decrypt function @ recv :P
|
I'm guessing that
00484E80 is the Decrypt function and at 007412E0 is the DecryptTable, right? ;) Now I have to guess what parameters they take ^^ |
Same as bakabug's function, I think :p
|
Use bakabug's source, update the crypt/decrypt table (changed once, a long time ago), use a pointer for the AES key or dump it.
|
There is a lot to reverse ;p I guess it's not a job for today. It seems like a lot of work for me since I am new at reversing ^^ and baka's sources are complicated for me. Especially since I've never had to deal with cryptography ;) I don't even really know what this DecryptTable function is for xD I'm guessing it decrypts the header and size separately and the rest of the packet is decrypted by AESPacketDecrypt, but who knows xD
|
You don't need to know, just copy it ;d
I thought so too earlier, that bakabug is a boss at coding, but later I found it all in IDA; he just copied it all out of IDA ;\ Edit: Go go, if you're fast enough we can handle the HS d; I just look into it sometimes, got the first HS packet I guess |
heh, most of his stuff is generated by IDA as I see ;) Now I'm tracing the call of the decrypt function so I can find this stupid AES key xD I already have the decrypttable. Has the xor key also changed? Oh, and HS is too difficult for me xDD Maybe someday. For now it is not a problem since I'm able to work even with HS on.
|
Yes, you have time E;
Xor not changed. |
I'm trying to reverse this shit and it's so annoying ;p I can't find any trace of the AES key anywhere in the nearby calls. I thought that recv packets were not encrypted, and as it turns out they are ;p
There are some functions I was able to find. Any hints where to look next? Encrypt is used both by send and recvEngine, but there is this function that is using it and I have no idea what it is for. 5A0000 |
But bakabug's source only decrypts the first 16 bytes (?)
|
@Runzel because the first 16 bytes are not used for the AES crypt.
Bakabug added the AESkey pointer wrong or idk; if you add it manually it works well. Just use the AESkey pointer from bakabug and make a dump every week. PHP Code:
0x01 is Encrypt, 0x02 is Decrypt, at the end. It's the AESKey expanded into 2 parts, 0x01 and 0x02, at the end. |
I have to get some info straight because it's chaos in my head right now xDD
This is the captured packet 0x2a Code:
57 0 2A 73 2B DD 9 3E 32 6D 25 51 36 8A 25 51 61 F6 F7 27 0 4 0 0 0
(the bytes 73 2B DD 9 3E are underlined and highlighted in the original post)
Now what is his DecryptTable function for, because it says it takes index, buf and len. OK, buf and len I get, but you are passing RecvKey as index. WTF xD Is it just for decrypting the type of packet / first 3 bytes? And when you do it you just use decryptPacketAES? I don't get this cryptography stuff right now, so a bit of explanation would be great ;) PS. And this pointer you gave, SendEngine + 0xA5, is pointing to some table (unknown) full of 0 bytes. Actually the start of this table is at SendEngine + 0xA4 according to my dump and IDA ;) Well, not the start, but the push ;p Code:
.text:005A01A4 push offset unk_8B6300 |
If 0x2A comes in, you can dump at the address SendEngine + 0xA5. The AESkey is created at runtime, expanded into 2 parts, 0x01 and 0x02.
I got RecvKey because clientless you need to decrypt Recv... In Engine.exe the Recv is called twice: first for encrypt and second is the real Recv, but it goes over the same function; it's too hard to explain. If you hook recv at the engine you get the real recv data. Index is the Tablekey I guess. KalOnline routine -> under 16 bytes you don't need the 2 AESKeys; it only gets encrypted by the Tablekey (Xoring with the Tablekey) and the XorKey at the end. What do you need the Decrypt part for now? I would say it's too difficult to explain. You see at the SendFunc how it's decrypted: there are 2 calls, one for the Tablekey Xoring and one for the AES crypt. And bakabug just copied those functions with IDA. EDIT: Does someone know about VEH hooking? It's hooking over exceptions; it's still an undetected hook in all games, because it can't get detected I guess. It's something new |
Well, I want to have a look at the encrypted send packets so I can learn more about them.
So the AES key is this 540-byte-long unknown table in baka's code? Basically I have to dump this table and swap it with the original. Swap the decrypt/encrypt tables. And every time at the start when 0x2a comes I have to save the sendKey so I can later use it to decrypt the header + data of send packets? (Edit. Scratch that ;p As this table is static, I can save the key and dump the table at first use, then at the start of the app just compare the first key, and if it differs then make a new dump and replace the old one.) So I did this Code:
sendKey = (BYTE*)*((DWORD*)(sendAdd+0xA5));
So can I now do this? Code:
if(KalTools::getSendKey() != 0) |
AESkey != Tablekey....
The aeskey is for the AES encryption (UNKNOWN), and the TableKey is just an Xor encryption, and bakabug has a pointer to the Tablekey... you can just use it. Tablekey is 0x1-0x3F - Tablekey + a hex 0x25, then it uses the Tablekey from the encrypttable to encrypt it with Xor.. idk how to explain <,< |
You mean that there are 2 separate pointers for the AES key and the table key?
The one you gave is to the table with AES data, and BYTE *TKey = (BYTE*)*((DWORD*)(PacketSendMain+0xCA)); this is for the table key? Then I should do this: TableKey = ((*TKey)-1) & 0x3F; and then I can use it? |
Yes
|
OK, then what's this for in your code? Because I'm now a little confused xD
Code:
if(buf[2] == 0x2A){ |
It isn't a pointer; you don't have a client on clientless, you can't do a pointer on memory, because the game isn't opened. 0x2A is the welcome packet, and buf[7] is the first sendkey.
So with the client you just use the pointer from the tablekey, *Tkey. Best way to learn is by doing. Now watching a movie and going to sleep after ;E |
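The three things the thread keeps circling back to, shown together in one added C example that is not code from the thread, from bakabug's release or from the game: calling the engine's send through a typed function pointer instead of hooking it (blood's point, and the `SendPacket` typedef above), the `...` forwarding problem with the `KalTools::SendEngine` wrapper, and reading the first send key out of the 0x2A welcome packet at buf[7]. Everything game-specific is an assumption and is stubbed: the wire layout (a 2-byte little-endian length covering the whole packet, then the type byte, consistent with the captured `57 0 2A` header), the meaning of the format characters `'b'` (one byte) and `'d'` (4-byte little-endian DWORD), and the engine send itself, which is replaced by a local stub that writes into a buffer instead of a socket. The XOR table step and the AES step are not implemented, because the thread never gives them.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed wire layout (matches the captured header "57 0 2A" in the thread):
 *   [len:2 little-endian, covers the whole packet][type:1][payload...]
 * Format characters are an assumption too: 'b' = one byte, 'd' = 4-byte
 * little-endian DWORD. Nothing here is the game's encryption. */
#define PKT_MAX 256

static uint8_t g_last_pkt[PKT_MAX];   /* stand-in for the socket */
static size_t  g_last_len;

/* va_list variant. A C wrapper can only forward "..." by turning it into a
 * va_list and calling a callee that accepts one; `callee(a, b, ...)` is not
 * valid C, which is why a plain C wrapper around the engine send cannot work. */
static size_t vbuild_packet(uint8_t *out, size_t cap, uint8_t type,
                            const char *fmt, va_list ap)
{
    size_t n = 3;                      /* length word + type byte */
    if (cap < n)
        return 0;
    out[2] = type;
    for (const char *p = fmt; *p; p++) {
        switch (*p) {
        case 'b':                      /* byte; promoted to int through "..." */
            if (n + 1 > cap)
                return 0;
            out[n++] = (uint8_t)va_arg(ap, int);
            break;
        case 'd': {                    /* DWORD, little-endian */
            uint32_t v = va_arg(ap, uint32_t);
            if (n + 4 > cap)
                return 0;
            out[n++] = (uint8_t)(v);
            out[n++] = (uint8_t)(v >> 8);
            out[n++] = (uint8_t)(v >> 16);
            out[n++] = (uint8_t)(v >> 24);
            break;
        }
        default:                       /* unknown format character */
            return 0;
        }
    }
    out[0] = (uint8_t)(n);
    out[1] = (uint8_t)(n >> 8);
    return n;
}

static size_t build_packet(uint8_t *out, size_t cap, uint8_t type,
                           const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    size_t n = vbuild_packet(out, cap, type, fmt, ap);
    va_end(ap);
    return n;
}

/* Same shape as the thread's SendPacket typedef (__cdecl is the x86 default
 * for a variadic function). In the game this pointer would hold the engine's
 * own send address; here it points at a stub that only fills g_last_pkt. */
typedef int (*engine_send_fn)(uint32_t type, const char *fmt, ...);

static int engine_send_stub(uint32_t type, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    g_last_len = vbuild_packet(g_last_pkt, sizeof g_last_pkt,
                               (uint8_t)type, fmt, ap);
    va_end(ap);
    return g_last_len ? (int)g_last_len : -1;
}

static engine_send_fn SendPacket = engine_send_stub;

/* Welcome packet: type 0x2A at buf[2], first send key at buf[7], as the thread
 * states. Returns the key, or -1 for anything that is not a complete welcome
 * packet (including a capture shorter than its declared length). */
static int welcome_first_key(const uint8_t *buf, size_t len)
{
    if (len < 8)
        return -1;
    size_t declared = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (declared > len || buf[2] != 0x2A)
        return -1;
    return buf[7];
}

int main(void)
{
    /* The two packets from the thread, sent through the typed pointer. */
    SendPacket(0x1F, "b", 1);                     /* 04 00 1F 01 */
    SendPacket(0x3D, "db", 0x11223344u, 14);      /* 08 00 3D 44 33 22 11 0E */
    for (size_t i = 0; i < g_last_len; i++)
        printf("%02X ", g_last_pkt[i]);
    putchar('\n');

    /* Constructed welcome packet: same leading bytes as the thread's capture,
     * with a length field that matches its (truncated) 24-byte size. */
    const uint8_t welcome[] = { 0x18, 0x00, 0x2A, 0x73, 0x2B, 0xDD, 0x09, 0x3E,
                                0x32, 0x6D, 0x25, 0x51, 0x36, 0x8A, 0x25, 0x51,
                                0x61, 0xF6, 0xF7, 0x27, 0x00, 0x04, 0x00, 0x00 };
    printf("first send key: 0x%02X\n", welcome_first_key(welcome, sizeof welcome));
    return 0;
}
```

The stub exists only so the example runs offline; against the real engine the pointer would be set to the engine's send address and called exactly the same way, with no JMP written into engine code, which is what keeps it clear of the memory checks the thread mentions. If the engine routine is variadic and exposes no va_list entry point, a C wrapper cannot re-forward its arguments at all; that is why the working version described in the thread is a small stub that jumps into the engine send with the caller's stack still intact rather than a C call with `...` in the argument list.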