[Release] Spoofed download server (reverse engineering)

~~Gooby.~~ · 03/27/2017, 16:37

Hi,

So, you have a filter and DDoS protection but forgot to spoof download server and do not want to edit or mess with your executable files or CERT, this is the perfect option for you if you want to spoof your download server and hide your real server IP from all your players.

Working on

Spoiler

vSRO 188

vSRO 274

How it works

Spoiler

Prevent download packet to be sent to client

Read necessary information like (Files to patch)

Re-writing the packet and the information and replaces the IP&PORT

Sending the new packet to client, containing protected IP:PORT.

Client receives the packet and see the protected IP:PORT.

Whats needed

Spoiler

A SSA Filter.

A TCP proxy for download server, examples below

HaProxy, or C# proxy.

S->C (Reverse engineering)

Spoiler

PHP Code:

#region 0xA100_DOWNLOAD_SPOOF if(_pck.Opcode == 0xA100) { byte result = _pck.ReadUInt8(); if (result == 0x02) { byte ErrorCode = _pck.ReadUInt8(); if (ErrorCode == 0x02) { string ip = _pck.ReadAscii(); // ServerIP ushort port = _pck.ReadUInt16(); // ServerPort UInt32 version = _pck.ReadUInt32(); // Version byte flag = _pck.ReadUInt8(); // Flag Packet spoof = new Packet(0xA100, false, true); spoof.WriteUInt8(result); spoof.WriteUInt8(ErrorCode); spoof.WriteAscii("127.0.0.1"); // Spoofing part spoof.WriteUInt16("15881"); // Spoofing part spoof.WriteUInt32(version); // Version spoof.WriteUInt8(flag); while (flag == 0x01) { UInt32 FileID = _pck.ReadUInt32(); string FileName = _pck.ReadAscii(); string FilePath = _pck.ReadAscii(); UInt32 FileLen = _pck.ReadUInt32(); byte unk = _pck.ReadUInt8(); // Packed, no idea. flag = _pck.ReadUInt8(); spoof.WriteUInt32(FileID); spoof.WriteAscii(FileName); spoof.WriteAscii(FilePath); spoof.WriteUInt32(FileLen); spoof.WriteUInt8(unk); spoof.WriteUInt8(flag); } m_LocalSecurity.Send(spoof); Send(false); continue; } } } #endregion

Credit goes to

Spoiler

Ace
and...

There is no backdoor in this code, Kappa

denise456 · 03/27/2017, 17:11

Thanks

nemo08 · 03/27/2017, 17:23

nice

hieulovehoa · 03/27/2017, 17:34

Please <Debug> into .exe software

Dracula Untold · 03/27/2017, 18:11

Gooby = Goofie ? ))

kanift · 03/27/2017, 18:11

idk why do u want to read whole packet till flag is zero instead of skip them

Judgelemental · 03/27/2017, 18:16

Quote:

Originally Posted by Gooby.

There is no backdoor in this code, Kappa

In this one no :^)
In literally everything you release, yes. :^)

hieulovehoa · 03/27/2017, 18:22

Upgrade SUPERMIKE to version 3.1

~~Gooby.~~ · 03/27/2017, 18:38

Quote:

Originally Posted by kanift

idk why do u want to read whole packet till flag is zero instead of skip them

Reading if flag is byte 1, reading all the files that needs to be patched in client @ Media.pk2 and so on. You must read all the files that must be patched or the response aka reverse engineering will not work.

Quote:

Originally Posted by Dracula Untold

Gooby = Goofie ? ))

Yes? It's not a secret.

Quote:

Originally Posted by hieulovehoa

Upgrade SUPERMIKE to version 3.1

Contact me on Skype and I will send KRYLFILTER v10.

Quote:

Originally Posted by Judgelemental

In this one no :^)
In literally everything you release, yes. :^)

Only was detected for that backdoor, if you have more proof please share them.

kanift · 03/27/2017, 19:08

Quote:

Originally Posted by Gooby.

Reading if flag is byte 1, reading all the files that needs to be patched in client @ Media.pk2 and so on. You must read all the files that must be patched or the response aka reverse engineering will not work.

actually u dont have to read whole packet to manage it to work, it will create lag (because of loop) if there are huge amount of files, u can shorten the logic without loop try to handle patch response w/o loop :^)

~~Gooby.~~ · 03/27/2017, 20:41

Quote:

Originally Posted by kanift

actually u dont have to read whole packet to manage it to work, it will create lag (because of loop) if there are huge amount of files, u can shorten the logic without loop try to handle patch response w/o loop :^)

It will not cause any lag.

kanift · 03/27/2017, 21:19

Quote:

Originally Posted by Gooby.

It will not cause any lag.

this answer is the result of why ur filter is sh*** if it runs its ok for u and no matter what will be happen afterwards, anyway imo thats an unnecessary show so good luck with other bad filter projects ^^.

B1Q · 03/28/2017, 06:58

Reverse engineering ? funny

and the loop is not necessary

cardoso125874 · 03/29/2017, 06:00

"while (flag == 0x01)
{"

why this loop? unnecessary

ramy_11_1 · 04/08/2017, 15:39

analyze the full packet is not necessary, you can use packet.GetBytes()
to write all remaining bytes into the new packet.

i using this code
it working well for me:

Code:

#region Download Packet
if (packet.Opcode == 0xA100 && Main.FDownloadPort > 0)
{
	try
	{
		Packet DownServ = new Packet(packet.Opcode, packet.Encrypted, packet.Massive);
		bool bo = true;
		int length = 0;

		byte num1 = packet.ReadUInt8(); // 0x02
		length++;

		if (num1 == 2)
		{
			byte num2 = packet.ReadUInt8(); // 0x02
			length++;

			if (num2 == 2)
			{
				string str1 = packet.ReadAscii(); // IP
				length += 2; // Ascii length
				length += str1.Length; // Ascii bytes length

				short num3 = packet.ReadInt16(); // Port
				length += 2; // port bytes length

				DownServ.WriteUInt8(num1);
				DownServ.WriteUInt8(num2);
				DownServ.WriteAscii(Main.FakeIP);
				DownServ.WriteUInt16(Main.FDownloadPort);

				int loop = bytes.Length - length;

				for (int i = 0; i < loop; i++)
				{
					DownServ.WriteUInt8(bytes[length]);
					length++;
				}

				this.gw_local_security.Send(DownServ);
				continue;
			}
		}
	}
	catch
	{
		this.Disconnect();
		continue;
	}
}
#endregion