Cheat Engine The Official Site of Cheat Engine
kot1990 Expert Cheater
Reputation: 1
Joined: 06 Sep 2009 Posts: 131 Location: Greece
Posted: Thu Feb 18, 2010 7:27 pm Post subject: Help decrypting packets
In the client I tried to chat with the message "hello". I did it 3 times. All 3 times the client sends different data. That means that the packet is encrypted I think. Look at this:
The first time I chat hello the packet data is this:
Code:
0E 00 25 70 71 95 01 0F 05 00 68 00 65 00 6C 00 6C 00 6F 00
..%pq•....h.e.l.l.o.
After every chat it sends 2 packets with no data, just TCP/IP packets.
The next time I chat hello it sends this:
Code:
0E 00 25 70 B1 E3 01 10 05 00 68 00 65 00 6C 00 6C 00 6F 00
..%p±ă....h.e.l.l.o.
And the last time
Code:
0E 00 25 70 26 40 01 11 05 00 68 00 65 00 6C 00 6C 00 6F 00
..%p&@....h.e.l.l.o.
0E 00 25 70 <-- this one should be the action CHAT
xx xx <-- this one always changes,, WHAT I NEED!
01 <-- don't know.
xx <-- should be counting how many chats I made.
05 00<-- number of characters.
68 00 65 00 6C 00 6C 00 6F 00 <-- the string "hello" its UNICODE
How can I get the correct xx xx every time I need to send a packet?
The client is using WSASend to send a packet. If I send an incorrect packet the server will kick me off. But the client has to know which is the correct packet to send; that's what I'm looking for.
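The three dumps above are a classic differential capture: same user action, same text, three packets. The field-by-field split the poster proposes can be checked mechanically rather than by eye, and the varying bytes can be sorted into two kinds that matter to anyone assessing a protocol: a byte that steps by exactly one per message (a sequence counter, the usual replay-protection field) versus bytes with no visible pattern (typically a checksum, MAC or keyed value). The following is an added example written for this thread, not code from the original post or from Cheat Engine; it embeds the three captured packets as constructed sample input, and the field layout it parses is the poster's hypothesis from the post, not a documented format.

```python
"""Differential analysis of the three captured chat packets quoted in the post."""
import struct

# Constructed input: the three hex dumps from the post, one "hello" chat each.
CAPTURES = [
    bytes.fromhex("0E 00 25 70 71 95 01 0F 05 00 68 00 65 00 6C 00 6C 00 6F 00"),
    bytes.fromhex("0E 00 25 70 B1 E3 01 10 05 00 68 00 65 00 6C 00 6C 00 6F 00"),
    bytes.fromhex("0E 00 25 70 26 40 01 11 05 00 68 00 65 00 6C 00 6C 00 6F 00"),
]


def varying_offsets(captures):
    """Return the sorted byte offsets at which the captures do not all agree."""
    length = len(captures[0])
    if any(len(c) != length for c in captures):
        raise ValueError("captures differ in length; align them first")
    return [i for i in range(length) if len({c[i] for c in captures}) > 1]


def classify_varying(captures):
    """Label each varying offset.

    'sequential'   : the byte grows by exactly 1 from one capture to the next
                     (consistent with a per-message counter).
    'unpredictable': no such pattern (consistent with a checksum/MAC-like field).
    """
    labels = {}
    for off in varying_offsets(captures):
        steps = [captures[i + 1][off] - captures[i][off]
                 for i in range(len(captures) - 1)]
        labels[off] = "sequential" if all(s == 1 for s in steps) else "unpredictable"
    return labels


def parse_chat_packet(pkt):
    """Split one packet along the field boundaries the post proposes (hypothesis).

    offset 0..3  : 4-byte action id (the post assumes 0E 00 25 70 == CHAT)
    offset 4..5  : the two bytes that change every packet
    offset 6     : unknown, always 01 in the captures
    offset 7     : per-chat counter
    offset 8..9  : character count, little-endian u16
    offset 10..  : UTF-16LE text, 2 bytes per character
    """
    if len(pkt) < 10:
        raise ValueError("packet shorter than the proposed 10-byte header")
    nchars = struct.unpack_from("<H", pkt, 8)[0]
    text_bytes = pkt[10:10 + 2 * nchars]
    if len(text_bytes) != 2 * nchars:
        raise ValueError("character count does not match the remaining payload")
    return {
        "action": pkt[0:4],
        "varying": pkt[4:6],
        "unknown": pkt[6],
        "counter": pkt[7],
        "nchars": nchars,
        "text": text_bytes.decode("utf-16-le"),
    }


if __name__ == "__main__":
    print("varying offsets:", varying_offsets(CAPTURES))
    print("classification :", classify_varying(CAPTURES))
    for p in CAPTURES:
        print(parse_chat_packet(p))
```

Run on the three captures, the only offsets that change are 4, 5 and 7; offset 7 steps 0x0F, 0x10, 0x11 and is labelled sequential, while offsets 4 and 5 are labelled unpredictable. That matches the poster's reading of the layout and is the same distinction a reviewer makes when judging whether a protocol's anti-replay and integrity fields are doing their job: a bare counter alone is trivially forgeable, which is why the two unpredictable bytes are the part that needs the deeper trace the rest of the thread describes.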
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Thu Feb 18, 2010 8:50 pm Post subject:
It's impossible for us to tell you what that value stands for. It could be a WORD or it could be two separate BYTES. You will have to trace backwards from WSASend and analyze the packet construction sequence for the chat packet. The function that contains WSASend probably has a whole bunch of callees. All you have to do is find the correct one which constructs the chat packet and then analyze the construction of the packet.
kot1990 Expert Cheater
Reputation: 1
Joined: 06 Sep 2009 Posts: 131 Location: Greece
Posted: Thu Feb 18, 2010 10:12 pm Post subject:
I traced backwards from WSASend, found the buffer, and in Cheat Engine found what writes to the xx xx. The code I got from the client is this:
Code:
00A69324 - mov [edi+ecx*4-18],eax
00A69328 - mov eax,[esi+ecx*4-14]
00A6932C - mov [edi+ecx*4-14],eax
00A69330 - mov eax,[esi+ecx*4-10]
00A69334 - mov [edi+ecx*4-10],eax
00A69338 - mov eax,[esi+ecx*4-0c]
00A6933C - mov [edi+ecx*4-0c],eax
00A69340 - mov eax,[esi+ecx*4-08]
00A69344 - mov [edi+ecx*4-08],eax <-- this one writes to the 2 bytes
00A69348 - mov eax,[esi+ecx*4-04]
00A6934C - mov [edi+ecx*4-04],eax
I know eax is 4 bytes, but only the 2 bytes change; the other 2 bytes of eax are constant, so the packet is too. Now I'm confused: I put a breakpoint and this code is called more than 10 times per sec, but only 1 of those calls affects the buffer, because edi and ecx are different, and there is only 1 time they point to the buffer. So what may this code be doing? ecx there always has a small value like 3. 3*4=C.
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Thu Feb 18, 2010 10:29 pm Post subject:
ECX is the index to an array of DWORDS. ESI contains the base of the array. -08 is just some constant meaning 2 elements backwards in the array. Figure out what is writing to the array element.
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Fri Feb 19, 2010 4:16 am Post subject:
You said:
Quote: 0E 00 25 70 <-- this one should be the action CHAT
To be sure, try other packets (not chat packets) and check what they start with. Maybe the 0x0E is for every packet and the 0x25 and 0x70 is for chats.
And one of the bytes might also be the complete packet size. Or the size of the packet minus the size of the header.
kot1990 Expert Cheater
Reputation: 1
Joined: 06 Sep 2009 Posts: 131 Location: Greece
Posted: Fri Feb 19, 2010 7:58 am Post subject:
Quote:
To be sure, try other packets (not chat packets) and check what they start with. Maybe the 0x0E is for every packet and the 0x25 and 0x70 is for chats.
And one of the bytes might also be the complete packet size. Or the size of the packet minus the size of the header.
I've already checked that. All 4 bytes are the action, and for the other actions too it's happening the same as in CHAT. After the 4 bytes of the action, the other 2 bytes always change for the same action.
EDIT: I tried to find the location from where the xx xx is taken. It is this instruction:
Code:
00A69340 - mov eax,[esi+ecx*4-08] <-- esi should be the pointer.
00A69344 - mov [edi+ecx*4-08],eax <-- this one writes to the 2 bytes
I moved to the location pointed to by esi, but the next time I chat the location is different. I think it allocates/deallocates the location every time I chat, so it is at a different location.
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Fri Feb 19, 2010 3:27 pm Post subject:
Look higher up in the function and find where ESI is set. After you do that, you have to trace even further back to the point where the writing of that DWORD in the ESI array is executed.
kot1990 Expert Cheater
Reputation: 1
Joined: 06 Sep 2009 Posts: 131 Location: Greece
Posted: Fri Feb 19, 2010 4:36 pm Post subject:
I think I got it. I found the static memory location where it keeps the address that esi is pointing to. I found what writes to that static memory location and landed here:
Code:
//Referenced by call at addresses
//0048599D, 00485C2F, 00486AA4, 00486BDD
0048B460 - push ebp <-- ebp has the address; it pushes it to the static location I found. It is the address that esi is pointing to and the source of the writing to the buffer. But that location is not actually the buffer. It contains everything that is going to be copied to the buffer. Now I have to find what causes ebp to take that value. I need to find which of the addresses called that code.
0048B461 - mov ebp,[esp+08]
0048B465 - push esi
0048B466 - mov esi,eax
0048B468 - test esi,esi
0048B46A - jne 0048b473
0048B46C - pop esi
0048B46D - xor al,al
0048B46F - pop ebp
0048B470 - ret 0004
The static address is this: 0013D9F0. It is working the same even if I close and reopen the game. The moment the push ebp is executed, esp has this address: 0013D9F0.
EDIT: but when assigning the memory to the prebuffer, the prebuffer already has the packet in it. That means that I have to go backwards to find who is writing the packet there.
EDIT: Fuhh, after a lot of searching I found it.
Code:
0048592D - mov eax,[edi]
0048592F - mov edx,[eax+00001054]
00485935 - mov dx,[edx]
00485938 - and dx,7fff
0048593D - push ebx
0048593E - add dx,06
00485942 - xor ebx,ebx
00485944 - test byte ptr [esi+0000016f],04
0048594B - push ebp
0048594C - mov ebp,[eax+00001034]
00485952 - movzx edx,dx
00485955 - je 004859c0
00485957 - cmp [esi+08],ecx
0048595A - jne 004859ae
0048595C - mov al,[esi+0000016c]
00485962 - not al
00485964 - add al,[esi+0000016d]
0048596A - imul byte ptr [esi+0000016e]
00485970 - mov cl,al
00485972 - shr cl,04
00485975 - xor cl,al
00485977 - mov [esi+0000016c],cl
0048597D - mov eax,[edi]
0048597F - mov eax,[eax+00001058]
00485985 - mov [eax],cl <-- the first byte xx
00485987 - mov ecx,[edi]
00485989 - mov eax,[ecx+0000105c]
0048598F - movzx ecx,dx
00485992 - mov [eax],bl
00485994 - push ecx
00485995 - lea ecx,[esi+00000164]
0048599B - mov eax,ebp
0048599D - call 0048b460
004859A2 - mov edx,[edi]
004859A4 - mov ecx,[edx+0000105c]
004859AA - mov [ecx],al <-- the second byte xx
004859AC - jmp 004859c0
Now I have to find out how this is done...
EDIT::: YEAH!! I've just sent a packet successfully without being kicked!! Thank you everyone who helped!!! yoohooo!