Tilosag Cheater
Reputation: 0
Joined: 21 Dec 2006 Posts: 25
Posted: Sat Apr 17, 2010 9:28 am Post subject: How to find previous procedure and retrieve RAW packet data |
Hi,
First, I should say that I'm debugging C++ in Java.
I have a problem with finding the place in memory where the RAW packet data is being stored.
As you can see in the picture below, I stopped because I couldn't find the place where the data array of WSASend changes (encrypted password, packed packet data).
I can't find the previous call or procedure this procedure was called from.
i30*photobucket*com/albums/c316/Tilosag/debug_PP3*jpg
Moreover, the data in OllyDbg doesn't match the data captured with Wireshark. There are some things added at the beginning. I don't understand why.
Code: | 0000 00 17 9a db f4 20 00 18 f3 5f cf ee 08 00 45 00 ..... ..._....E.
0010 01 9f 1a f3 40 00 80 06 04 52 c0 a8 01 0e 45 50 [email protected]
0020 d3 0d c1 4a 0f a7 92 2c 7c 78 f8 51 9e ca 50 18 ...J...,|x.Q..P.
0030 41 3a 22 94 00 00 00 00 01 77 ff ff 00 27 63 6f A:"......w...'co
0040 6d 2e 74 68 72 65 65 72 69 6e 67 73 2e 70 72 65 m.threerings.pre
0050 73 65 6e 74 73 2e 6e 65 74 2e 41 75 74 68 52 65 sents.net.AuthRe
0060 71 75 65 73 74 01 0f ff fe 00 27 63 6f 6d 2e 74 quest.....'com.t
0070 68 72 65 65 72 69 6e 67 73 2e 70 69 72 61 63 79 hreerings.piracy
0080 2e 6e 65 74 2e 59 6f 43 72 65 64 65 6e 74 69 61 .net.YoCredentia
0090 6c 73 ff fd 00 26 63 6f 6d 2e 74 68 72 65 65 72 ls...&com.threer
00a0 69 6e 67 73 2e 70 69 72 61 63 79 2e 75 74 69 6c ings.piracy.util
00b0 2e 41 63 63 6f 75 6e 74 4e 61 6d 65 01 00 0b 74 .AccountName...t
00c0 69 6c 6f 73 61 67 36 36 36 36 01 00 20 30 66 66 ilosag6666.. 0ff
00d0 35 32 34 37 63 61 38 61 30 64 64 32 34 37 62 33 5247ca8a0dd247b3
00e0 65 64 37 34 32 38 39 32 32 62 37 65 66 01 00 21 ed7428922b7ef..!
00f0 43 71 44 78 44 32 57 4e 5a 38 32 32 47 77 39 6d CqDxD2WNZ822Gw9m
0100 70 46 6c 57 2f 35 72 39 6b 76 68 79 31 54 76 39 pFlW/5r9kvhy1Tv9
0110 2f 01 00 0d 74 69 59 64 78 56 6b 34 4f 5a 6c 31 /...tiYdxVk4OZl1
0120 73 00 00 00 01 00 0e 32 30 31 30 30 34 30 36 31 s......201004061
0130 33 32 38 30 31 01 00 0f 45 75 72 6f 70 65 2f 42 32801...Europe/B
0140 65 6c 67 72 61 64 65 ff fc 00 13 5b 4c 6a 61 76 elgrade....[Ljav
0150 61 2e 6c 61 6e 67 2e 53 74 72 69 6e 67 3b 00 00 a.lang.String;..
0160 00 07 00 01 7f 00 0c 79 6f 68 6f 68 6f 2e 61 64 .......yohoho.ad
0170 6d 69 6e 00 06 70 61 72 6c 6f 72 00 07 77 68 69 min..parlor..whi
0180 72 6c 65 64 00 06 79 6f 68 6f 68 6f 00 0e 70 72 rled..yohoho..pr
0190 65 73 65 6e 74 73 2e 61 64 6d 69 6e 00 05 63 72 esents.admin..cr
01a0 6f 77 64 00 08 70 72 65 73 65 6e 74 73 owd..presents
|
Can you give me some clues on how to get to the RAW packet data?
Regards
Tilo
PS
PEiD has noticed that this program uses zlib deflate and Adler-32. I think that it is used to pack the data stream somehow.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sat Apr 17, 2010 9:40 am Post subject: |
Raw packet data can be found by hooking/breakpointing at send APIs, let's say send(). You can go Ctrl-G 'send' and then breakpoint there, or write a jmp to an inline asm hook procedure.
It is probably appending header information to the packets before they are sent. Go to the instruction where it is the CALL to WSASend and press Enter. Then press F2 on the location reached; that is WSASend. Then when the program hits there, it should break. Then read off from the stack as I described yesterday. It should be the same at that point.
What you're looking at now appears to be the wrapper to the sending functions. Probably somewhere between the start of that proc and when WSASend is actually called, the buffers are being changed slightly. If you are gonna read it off, read it at the start of the called function or directly before the call itself is done.
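A worked version of the "read it off the stack" step and of the jmp-to-hook alternative mentioned in this reply, as an added example that is not from the thread. It decodes WSASend's stdcall arguments and its WSABUF array from a constructed 32-bit memory snapshot (the layout a breakpoint on WSASend's first instruction would show), and assembles the 5-byte JMP an inline hook writes over WSASend together with the jump back. The addresses, socket handle, buffer bytes and the `mov edi,edi / push ebp / mov ebp,esp` prologue are all assumptions made for the example; the real prologue must be read in OllyDbg before anything is patched.

```python
import struct

# Everything below is a constructed snapshot, not a real process: addresses,
# the socket handle and the buffer bytes are made up for the example.
WSASEND_ADDR = 0x71AB4C27      # assumed address of ws2_32!WSASend
CAVE_ADDR = 0x00401F00         # assumed code cave inside the target image
ESP_AT_ENTRY = 0x0012FF40      # assumed ESP when the breakpoint on WSASend hits
WSABUF_ARRAY = 0x0012FF80      # assumed address of the caller's WSABUF[] array
DATA_ADDR = 0x00F5A000         # assumed heap address of the outgoing bytes

# Constructed payload in the shape seen in the capture: a 4-byte big-endian
# length that counts itself, then 0xFFFF and a length-prefixed class name.
BODY = b"\xff\xff\x00\x27" + b"com.threerings.presents.net.AuthRequest"
SENT_PAYLOAD = struct.pack(">I", 4 + len(BODY)) + BODY

WSASEND_PARAMS = ("s", "lpBuffers", "dwBufferCount", "lpNumberOfBytesSent",
                  "dwFlags", "lpOverlapped", "lpCompletionRoutine")


class Memory:
    """Flat memory model over a few {base: bytes} regions, little-endian reads."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at {addr:#010x}")

    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def build_snapshot():
    """The caller split the send into two WSABUFs: the length prefix and the body."""
    stack = struct.pack("<8I", 0x00A10C30,            # return address into the caller
                        0x3F4, WSABUF_ARRAY, 2,        # s, lpBuffers, dwBufferCount
                        0x0012FFA0, 0, 0, 0)           # lpNumberOfBytesSent, dwFlags, lpOverlapped, lpCompletionRoutine
    wsabufs = struct.pack("<IIII", 4, DATA_ADDR, len(BODY), DATA_ADDR + 4)   # {len, buf} x 2
    mem = Memory({ESP_AT_ENTRY: stack, WSABUF_ARRAY: wsabufs, DATA_ADDR: SENT_PAYLOAD})
    return mem, ESP_AT_ENTRY


def decode_wsasend_at_entry(mem, esp):
    """On the first instruction of WSASend (32-bit stdcall) [esp] is the return
    address and the arguments sit at [esp+4], [esp+8], ...  Each WSABUF is
    { ULONG len; CHAR *buf; }, 8 bytes, so dwBufferCount of them are read."""
    args = {"return_address": mem.u32(esp)}
    for i, name in enumerate(WSASEND_PARAMS):
        args[name] = mem.u32(esp + 4 * (i + 1))
    buffers = []
    for i in range(args["dwBufferCount"]):
        entry = args["lpBuffers"] + 8 * i
        buffers.append(mem.read(mem.u32(entry + 4), mem.u32(entry)))
    return args, buffers


def jmp_rel32(src, dst):
    """E9 rel32: the displacement is taken from the END of the 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def jmp_target(src, insn):
    """Inverse of jmp_rel32, used to check a patch before writing it."""
    assert insn[0] == 0xE9 and len(insn) == 5
    return (src + 5 + struct.unpack("<i", insn[1:])[0]) & 0xFFFFFFFF


def build_inline_hook(hook_addr, cave_addr, overwritten, cave_body):
    """Returns (5 bytes to write at hook_addr, bytes to write at cave_addr).
    The cave runs cave_body, replays the 5 overwritten bytes, then jumps to
    hook_addr+5.  Since the cave is entered by a jmp, not a call, ESP is
    unchanged there and [esp+8] is still lpBuffers.  Only valid if those 5
    bytes are whole instructions with no EIP-relative operands; confirm that
    in the debugger before patching."""
    if len(overwritten) != 5:
        raise ValueError("exactly 5 bytes are overwritten by the jmp")
    cave = cave_body + overwritten
    cave += jmp_rel32(cave_addr + len(cave), hook_addr + 5)
    return jmp_rel32(hook_addr, cave_addr), cave


if __name__ == "__main__":
    mem, esp = build_snapshot()
    args, bufs = decode_wsasend_at_entry(mem, esp)
    print({k: hex(v) for k, v in args.items()}, b"".join(bufs))
    # 8B FF 55 8B EC = mov edi,edi / push ebp / mov ebp,esp, a common
    # hot-patchable prologue; assumed here, verify it in the debugger.
    # 60 61 = pushad / popad, standing in for the code that logs the buffers.
    patch, cave = build_inline_hook(WSASEND_ADDR, CAVE_ADDR, b"\x8b\xff\x55\x8b\xec", b"\x60\x61")
    print(patch.hex(), cave.hex())
```

The two-buffer case matters: WSASend is a gather send, so a single packet on the wire may arrive as several WSABUFs, and reading only `lpBuffers[0]` would show just the length prefix.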
Tilosag Cheater
Reputation: 0
Joined: 21 Dec 2006 Posts: 25
Posted: Sun Apr 18, 2010 9:49 am Post subject: |
Code: | you can go ctrl-g 'send' and then breakpoint there |
It doesn't break at the send function; only WSASend works.
What is an "inline asm hook procedure"? Did you mean to find a code cave and write some stuff in there?
I did as you said and, unfortunately, the data remains the same (without the "things" at the beginning).
Situation after breaking at the beginning of the procedure which calls WSASend:
([ebp+14] is in dump)
i30*photobucket*com/albums/c316/Tilosag/PPH1-1*png
As you can see it was called from 1ab9f45.
After "show call" (I've already put breakpoints):
i30*photobucket*com/albums/c316/Tilosag/PPH2*png
and after pressing F9 twice (WSASend -> following pic) we land here:
i30*photobucket*com/albums/c316/Tilosag/PPH3*png
That's EXTREMELY weird! Why doesn't Olly show that there was a jump from somewhere? What is more, the program uses this section of code very often, so I can't keep a BP here all the time. Moreover, it sometimes crashes (even with a hardware BP).
It seems as if it was data, not code(?).
BTW, I noticed that the program, before sending the packet, initializes a socket. Wireshark detects some packets sent before the packet with data (login auth). "Socket connect" sends 1 packet, then waits for the response, receives it and again sends a packet.
There is another surprise. This data (sent with "socket connect") is very similar to the "things" appended to the packets with data (login auth).
What do you think about this?
Regards
Tilo
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sun Apr 18, 2010 10:27 am Post subject: |
Oh, I didn't realise you were comparing your results to Wireshark. Try to use something which employs usermode hooks, such as WPE Pro, and I think you'll find the results match.
And yes, I meant WSASend. When I say inline asm hook procedure, I mean to write a jmp at the start of WSASend to a codecave. Inside that codecave, you will record or display the parameters by reading them off the stack. Then you will execute the bytes you overwrote (should be 5), then return to the instruction after the jmp you wrote.
Anyway, try a usermode packet sniffer first, and see if the results match.
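To make the Wireshark-versus-usermode-hook point concrete, an added example (not from the thread) that takes the hex dump posted at the top of this topic, peels the Ethernet II, IPv4 and TCP headers off it and returns what a hook on WSASend would have seen for that frame. The 54 bytes "added at the beginning" are those three headers: 14 + 20 + 20 bytes that the capture driver records but that the application never hands to WSASend. The dump is copied from the first post with its ASCII column dropped; the header walk is standard for these three protocols and honours IHL and the TCP data offset, so it also works on frames with options.

```python
import struct

# The frame from the first post, as Wireshark's hex dump with the ASCII column
# dropped.  429 bytes: Ethernet II + IPv4 + TCP headers, then 375 bytes of data.
WIRESHARK_DUMP = """
0000 00 17 9a db f4 20 00 18 f3 5f cf ee 08 00 45 00
0010 01 9f 1a f3 40 00 80 06 04 52 c0 a8 01 0e 45 50
0020 d3 0d c1 4a 0f a7 92 2c 7c 78 f8 51 9e ca 50 18
0030 41 3a 22 94 00 00 00 00 01 77 ff ff 00 27 63 6f
0040 6d 2e 74 68 72 65 65 72 69 6e 67 73 2e 70 72 65
0050 73 65 6e 74 73 2e 6e 65 74 2e 41 75 74 68 52 65
0060 71 75 65 73 74 01 0f ff fe 00 27 63 6f 6d 2e 74
0070 68 72 65 65 72 69 6e 67 73 2e 70 69 72 61 63 79
0080 2e 6e 65 74 2e 59 6f 43 72 65 64 65 6e 74 69 61
0090 6c 73 ff fd 00 26 63 6f 6d 2e 74 68 72 65 65 72
00a0 69 6e 67 73 2e 70 69 72 61 63 79 2e 75 74 69 6c
00b0 2e 41 63 63 6f 75 6e 74 4e 61 6d 65 01 00 0b 74
00c0 69 6c 6f 73 61 67 36 36 36 36 01 00 20 30 66 66
00d0 35 32 34 37 63 61 38 61 30 64 64 32 34 37 62 33
00e0 65 64 37 34 32 38 39 32 32 62 37 65 66 01 00 21
00f0 43 71 44 78 44 32 57 4e 5a 38 32 32 47 77 39 6d
0100 70 46 6c 57 2f 35 72 39 6b 76 68 79 31 54 76 39
0110 2f 01 00 0d 74 69 59 64 78 56 6b 34 4f 5a 6c 31
0120 73 00 00 00 01 00 0e 32 30 31 30 30 34 30 36 31
0130 33 32 38 30 31 01 00 0f 45 75 72 6f 70 65 2f 42
0140 65 6c 67 72 61 64 65 ff fc 00 13 5b 4c 6a 61 76
0150 61 2e 6c 61 6e 67 2e 53 74 72 69 6e 67 3b 00 00
0160 00 07 00 01 7f 00 0c 79 6f 68 6f 68 6f 2e 61 64
0170 6d 69 6e 00 06 70 61 72 6c 6f 72 00 07 77 68 69
0180 72 6c 65 64 00 06 79 6f 68 6f 68 6f 00 0e 70 72
0190 65 73 65 6e 74 73 2e 61 64 6d 69 6e 00 05 63 72
01a0 6f 77 64 00 08 70 72 65 73 65 6e 74 73
"""

HEXDIGITS = set("0123456789abcdefABCDEF")


def parse_hex_dump(text):
    """Offset column first, then up to 16 two-digit hex bytes per row."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        for tok in fields[1:17]:
            if len(tok) == 2 and set(tok) <= HEXDIGITS:
                out.append(int(tok, 16))
    return bytes(out)


def tcp_payload(frame):
    """Peel Ethernet II -> IPv4 -> TCP and return (flow, payload).  IHL and the
    TCP data offset handle options; the IP total length bounds the segment so
    Ethernet trailer padding is never mistaken for application data."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not IPv4 over Ethernet II")
    ip = 14
    if frame[ip] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[ip] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, ip + 2)
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in frame[ip + 12:ip + 16])
    dst_ip = ".".join(str(b) for b in frame[ip + 16:ip + 20])
    tcp = ip + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    flow = {"src": f"{src_ip}:{sport}", "dst": f"{dst_ip}:{dport}",
            "flags": frame[tcp + 13], "header_bytes": tcp + data_off}
    return flow, frame[tcp + data_off:ip + total_len]


def frame_length_prefix(payload):
    """First four bytes of the data, read big-endian.  In this capture they
    equal the whole payload length, i.e. the application frames each message
    with a self-inclusive 4-byte length.  That is an observation from this one
    dump, not a statement about the protocol."""
    return struct.unpack_from("!I", payload, 0)[0]


def recover_wsasend_buffer(dump=WIRESHARK_DUMP):
    """What a user-mode hook on WSASend would have seen for this frame."""
    return tcp_payload(parse_hex_dump(dump))


if __name__ == "__main__":
    flow, payload = recover_wsasend_buffer()
    print(flow)
    print(len(payload), frame_length_prefix(payload), payload[:16].hex())
```

Running it prints the flow 192.168.1.14:49482 -> 69.80.211.13:4007 with PSH|ACK set, 54 header bytes, and a 375-byte payload that starts `00 00 01 77 ff ff 00 27 ...`, which is the data that should appear in the WSABUF at a breakpoint on WSASend.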
Tilosag Cheater
Reputation: 0
Joined: 21 Dec 2006 Posts: 25
Posted: Sun Apr 18, 2010 12:27 pm Post subject: |
WPE Pro does not work! I don't know why; maybe because I try to hook the java process whereas the code responsible for sending packets is somewhere else.
I've also tried attaching WPE Pro to every process listed, but no results!
Honestly, I don't know any user-mode packet sniffers apart from WPE Pro, but I downloaded the source code of Packet Monitor in C# and compiled it. The results are the same as in Wireshark:
i30*photobucket*com/albums/c316/Tilosag/PPH4*png
Anyway, do you know how to explain this extraordinary jump without a jump?
i30*photobucket*com/albums/c316/Tilosag/PPH3*png
Regards
Tilo
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sun Apr 18, 2010 1:04 pm Post subject: |
Do you know how this 'Packet Monitor' works?
If possible, you should try breakpointing on WSASend and read off the buffers when the code breaks. I would be very, very confused if the buffers did not match at that point. If they do (they should), then you can slowly start tracing back and see where the extra bytes are being appended.
The thing is, you've said you've been breaking on WSASend, but from your screenshots you appear to be in java.nio as opposed to Ws2_32.dll. I am suspecting java.nio's send functions to be wrappers to the Windows APIs which do the sending. See if you are able to break on the real WSASend.
And I'm not sure what you mean about your 'jump without a jump' thing :/
How big is the executable? Perhaps I can dl it and take a look myself.
Tilosag Cheater
Reputation: 0
Joined: 21 Dec 2006 Posts: 25
Posted: Mon Apr 19, 2010 9:22 am Post subject: |
I don't know how 'Packet Monitor' works; however, I achieved my goal. I found that the data added at the beginning is connected with some kind of socket information. So your method of finding RAW packet data works perfectly! Thank you for that.
By 'jump without a jump' I meant that (on the 3rd screen) Olly did not show how it got to that point. It just immediately jumped there, seemingly without a reason. However, I don't want to dig that far.
I don't know how big the executable is, because the program is executed by a shortcut on the desktop with some parameters:
Code: | C:\Windows\System32\javaw.exe -jar getdown-dop.jar . |
Now I am on the track of the function which encrypts the password.
Thanks again for your effort.
Regards
Tilosag
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Mon Apr 19, 2010 10:01 pm Post subject: |
Do you realize you can decompile .jar files?
nwongfeiying Grandmaster Cheater
Reputation: 2
Joined: 25 Jun 2007 Posts: 695
Posted: Mon Apr 19, 2010 11:44 pm Post subject: |
sponge wrote: | Do you realize you can decompile .jar files? |
Proof? Pics or it didn't happen.
NINTENDO Grandmaster Cheater Supreme
Reputation: 0
Joined: 02 Nov 2007 Posts: 1371
Posted: Tue Apr 20, 2010 2:25 am Post subject: |
nwongfeiying wrote: | sponge wrote: | Do you realize you can decompile .jar files? |
Proof? Pics or it didn't happen. |
http://java.decompiler.free.fr/
Tilosag Cheater
Reputation: 0
Joined: 21 Dec 2006 Posts: 25
Posted: Tue Apr 20, 2010 5:43 am Post subject: |
sponge wrote: | Do you realize you can decompile .jar files? |
Hmm.. It is possible, but let some other expert comment on this.
Anyway, the game is written in Java and the performance-oriented part is written in C++. You should pay attention to the fact that the game is invoked like this:
Code: | C:\Windows\System32\javaw.exe -jar getdown-dop.jar . |
I opened this file and look:
i30*photobucket*com/albums/c316/Tilosag/PPH5*png
For me, it seems interesting but not useful.
Regards
Tilo
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Tue Apr 20, 2010 8:02 pm Post subject: |
Tilosag wrote: | sponge wrote: | Do you realize you can decompile .jar files? |
Hmm.. It is possible, but let some other expert comment on this.
Anyway, the game is written in Java and the performance-oriented part is written in C++. You should pay attention to the fact that the game is invoked like this:
Code: | C:\Windows\System32\javaw.exe -jar getdown-dop.jar . |
I opened this file and look:
i30*photobucket*com/albums/c316/Tilosag/PPH5*png
For me, it seems interesting but not useful.
Regards
Tilo |
Unfortunately for you, you know nothing about how Java works. The "performance oriented part" is actually what is called the Java Virtual Machine. It is not the game; the Java Virtual Machine is the interpreter for Java byte-code (think of it as assembly). Everything you need is in the .jar file, which can be decompiled. This is why Java can be run on different platforms, and even different processor architectures. The only thing that needs to be ported to each platform/processor is the Java VM.
So instead of reversing the VM, focus your efforts on the .jar file. It will make your life so much easier.
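Following on from the advice to work on the .jar rather than the VM, an added example (not from the thread, and not the game's code) of the first thing to do with it: find which classes in the jar reference a class name that appeared on the wire, such as com.threerings.presents.net.AuthRequest from the capture at the top of this topic. It walks each class file's constant pool, where class references are stored as CONSTANT_Class entries in the JVM's slash-separated internal form, so the dotted name from the packet has to be converted before matching. The jar, its two class files and their names (LoginHelper, ChatPanel) are hand-built in memory so the example runs offline; the constant-pool layout is the real one from the class-file format, so the same functions work on an extracted jar.

```python
import io
import struct
import zipfile

# Bytes that follow the tag for each fixed-size constant-pool entry (JVM spec).
# Utf8 (tag 1) is variable-length and handled separately.
CP_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
           15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool(class_bytes):
    """Return {index: (tag, value)}.  Utf8 entries are decoded, Class/String
    entries keep their u2 index into the pool, everything else stays raw."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            length, = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            # Class files use "modified UTF-8"; identical to UTF-8 for ASCII names.
            pool[idx] = (tag, class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in CP_SIZE:
            body = class_bytes[pos:pos + CP_SIZE[tag]]
            pos += CP_SIZE[tag]
            pool[idx] = (tag, struct.unpack(">H", body)[0] if tag in (7, 8) else body)
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1               # Long and Double occupy two slots
    return pool


def referenced_classes(class_bytes):
    """Internal names ('a/b/C') of every CONSTANT_Class entry."""
    pool = constant_pool(class_bytes)
    return {pool[ref][1] for tag, ref in pool.values() if tag == 7}


def string_literals(class_bytes):
    """CONSTANT_String entries: literals like time-zone or host names."""
    pool = constant_pool(class_bytes)
    return {pool[ref][1] for tag, ref in pool.values() if tag == 8}


def classes_referencing(jar_bytes, dotted_name):
    """Entries of the jar whose constant pool references dotted_name."""
    internal = dotted_name.replace(".", "/")
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(name for name in jar.namelist()
                      if name.endswith(".class")
                      and internal in referenced_classes(jar.read(name)))


def make_class(this_name, refs=(), strings=()):
    """Hand-assemble a class file with only a constant pool (enough for the
    scan; it has no methods, so the JVM would reject it).  Constructed data."""
    pool = []                                          # encoded entries, index = position + 1

    def utf8(s):
        pool.append(b"\x01" + struct.pack(">H", len(s)) + s.encode())
        return len(pool)

    def klass(s):
        pool.append(b"\x07" + struct.pack(">H", utf8(s)))
        return len(pool)

    this_idx, super_idx = klass(this_name), klass("java/lang/Object")
    for r in refs:
        klass(r)
    for s in strings:
        pool.append(b"\x08" + struct.pack(">H", utf8(s)))
    pool.append(b"\x05" + struct.pack(">q", 20100406132801))   # a Long, to exercise the two-slot rule
    pool.append(b"")                                            # its unusable second slot
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(pool) + 1)
    tail = struct.pack(">HHHHHHH", 0x0021, this_idx, super_idx, 0, 0, 0, 0)
    return header + b"".join(pool) + tail


def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed jar: the class names below are invented for the example.
SAMPLE_JAR = make_jar({
    "com/threerings/piracy/client/LoginHelper.class": make_class(
        "com/threerings/piracy/client/LoginHelper",
        refs=["com/threerings/presents/net/AuthRequest",
              "com/threerings/piracy/net/YoCredentials"],
        strings=["Europe/Belgrade"]),
    "com/threerings/piracy/client/ChatPanel.class": make_class(
        "com/threerings/piracy/client/ChatPanel", strings=["parlor"]),
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})

if __name__ == "__main__":
    print(classes_referencing(SAMPLE_JAR, "com.threerings.presents.net.AuthRequest"))
```

`javap -v` on an extracted class prints the same constant pool, and a decompiler such as the one linked above shows the method bodies; the scan above only narrows a large jar down to the handful of classes worth opening.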