hitmetwice Advanced Cheater
Reputation: 0
Joined: 20 Nov 2012 Posts: 63
Posted: Mon May 05, 2014 9:17 am Post subject: Analyze network packets?

Is it possible to analyze received network packets in a similar way to how we can analyze memory with Cheat Engine? Or do you know a nice tool that I could use to do that? (I'm not looking for something like Wireshark.)

zm0d Master Cheater
Reputation: 7
Joined: 06 Nov 2013 Posts: 423
Posted: Mon May 05, 2014 9:51 am Post subject:

http://wpepro.net/index.php?categoryid=1
Should be the tool of your dreams. But whatever you want to do with editing network packets can get you into big "law" problems. Just keep that in mind.

hitmetwice Advanced Cheater
Reputation: 0
Joined: 20 Nov 2012 Posts: 63
Posted: Tue May 06, 2014 5:59 am Post subject:

The program seems to be as basic as it could be.
I'm looking for a program that has some decrypting/decoding/decompressing algorithms on board, like Base64, gzip, Diffie-Hellman, Blowfish etc.
And I'd also like to have some analyzing tools.
I haven't really worked with non-HTTP packets so far, but there has to be a good tool for that.

atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8585 Location: 127.0.0.1
Posted: Tue May 06, 2014 11:28 am Post subject:

Check out Wireshark:
http://www.wireshark.org/
You could also code your own hook to dump the packets.

hitmetwice Advanced Cheater
Reputation: 0
Joined: 20 Nov 2012 Posts: 63
Posted: Tue May 06, 2014 12:10 pm Post subject:

I already mentioned that in the first post. I'm not looking for Wireshark.
Wireshark is a really poor program in my eyes.
I can't capture traffic by process, very confusing/unclear UI, it's not possible to copy the raw contents of packets, it can't show the packets as pure ASCII/Unicode, ..., no support for Blowfish decryption.
It's just lacking so many extremely important features that it becomes absolutely useless to me.
And coding something on my own is out of the question because I have no idea about encryption at all. http://mcaf.ee/3nbkd
Block size, 16-round Feistel cipher, S-boxes, CAST-128... I barely understand a word on that site.

Hatschi Master Cheater
Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Tue May 06, 2014 12:46 pm Post subject:

If you have no idea about encryption, why are you looking for Blowfish decryption? Blowfish is a two-level encryption and requires more than basic knowledge when you're really looking to decrypt it. Which isn't even possible if you haven't got both keys.
WPE and Wireshark are the most well-known packet capture tools. Apart from that I don't really know what you're looking for. You said you're looking for something like CE for packet analyzing, but these are two separate things.
And the network traffic doesn't have memory. It contains raw bytes only, which you can analyze by capturing it with the tools named above. But as soon as it uses encryption like SSL you have nearly no chance to get what you're searching for. There is a reason why things like SSL are used everywhere: it's secure. And like you said, you have no idea about this topic.
//edit: List of packet analyzers
https://en.wikipedia.org/wiki/Packet_analyzer

hitmetwice Advanced Cheater
Reputation: 0
Joined: 20 Nov 2012 Posts: 63
Posted: Tue May 06, 2014 3:29 pm Post subject:

I already managed to get the key. I'm confused about the two-level encryption. On this site, for example, you can decrypt it with only one key: http://blowfish.online-domain-tools.com/
I'm basically looking for a program that can capture packets and decrypt them in real time.
And it would also be nice to have a bunch of useful analyzing tools.
Since I don't really have experience with packets, I don't really know what kind of tools I'm actually talking about.
It would be great to have tools which make comparing packets easier, viewing data in different encodings (ASCII/hex/binary), filters etc.

Rydian Grandmaster Cheater Supreme
Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Tue May 06, 2014 4:59 pm Post subject:

Then you want Wireshark, and you want to actually learn how to use it.

atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8585 Location: 127.0.0.1
Posted: Tue May 06, 2014 10:38 pm Post subject:

hitmetwice wrote:
> I already mentioned that in the first post. I'm not looking for Wireshark.
> Wireshark is a really poor program in my eyes.
> I can't capture traffic by process, very confusing/unclear UI, it's not possible to copy the raw contents of packets, it can't show the packets as pure ASCII/Unicode, ..., no support for Blowfish decryption.
> It's just lacking so many extremely important features that it becomes absolutely useless to me.
> And coding something on my own is out of the question because I have no idea about encryption at all. http://mcaf.ee/3nbkd
> Block size, 16-round Feistel cipher, S-boxes, CAST-128... I barely understand a word on that site.

Take the time to actually learn how to use Wireshark and you will find that it can do everything you need.

hitmetwice Advanced Cheater
Reputation: 0
Joined: 20 Nov 2012 Posts: 63
Posted: Wed May 07, 2014 4:11 am Post subject:

I don't see how all these things would be possible in Wireshark. I already googled for these issues.
And it is not possible to capture traffic by process in Wireshark, because it reads the packets at a point where it is unclear which process they belong to.
The UI is confusing; I couldn't find an option to make it more readable or to temporarily hide unnecessary features.
Copying the raw contents actually is possible, but not with a simple Ctrl+C, and I can also only copy the whole contents; I can't simply mark text and copy it.
I also couldn't find a way to show a packet's contents as raw ASCII with line feeds etc.
And Blowfish decryption simply doesn't seem to be supported either.

Chris12 Expert Cheater
Reputation: 1
Joined: 27 Apr 2012 Posts: 103
Posted: Wed May 07, 2014 10:07 am Post subject:

First of all, you seem to think that programs actually use a text-based format to communicate with a server or each other. That's wrong.
Almost all programs that make good use of the available network bandwidth will use a binary protocol. HTTP, for example, is a text protocol; it contains text in its packets.
For games: I'm not aware of any game that actually uses HTTP(S) for its communication.
And also non-games: for example Skype, Steam, etc.; they all use a binary protocol. That means even the decrypted packets won't contain text.
If you can't even make your own hook to grab the packets before they are encrypted, then I think you're lost.
As far as I know, WPE and Wireshark can only display calls to send/recv and similar functions. If the data is encrypted then you have to grab the calls yourself.
Maybe, if you're lucky, it's possible to tell Wireshark to hook another point in the program to grab the packets, but the chances are very slim.
(How would Wireshark even know the calling convention from only an address??)
I don't want to be mean, but if you really want to do this then learn programming, hacking and how networking in a program works;
unless someone else here has a magical program that can reason about arbitrary data like a human, that's the only way...
Network hacking just isn't as easy as memory hacking when there's encryption.

hitmetwice Advanced Cheater
Reputation: 0
Joined: 20 Nov 2012 Posts: 63
Posted: Wed May 07, 2014 12:05 pm Post subject:

Chris12 wrote:
> First of all, you seem to think that programs actually use a text-based format to communicate with a server or each other. That's wrong.
> Almost all programs that make good use of the available network bandwidth will use a binary protocol. HTTP, for example, is a text protocol; it contains text in its packets.
> For games: I'm not aware of any game that actually uses HTTP(S) for its communication.
> And also non-games: for example Skype, Steam, etc.; they all use a binary protocol. That means even the decrypted packets won't contain text.

I know that not all protocols use plaintext for communication, but I'm pretty sure that if the program sends any kind of text (messages), it will encode them in ASCII, and I don't really see why you should invent a new encoding for that.

Chris12 wrote:
> If you can't even make your own hook to grab the packets before they are encrypted, then I think you're lost.

When it comes to memory stuff like hooking a function, then I'm indeed pretty clueless. But since I already got the encryption key, I don't see why I should hook into the program. I think I'd be better off with a proxy/driver kind of solution.

Chris12 wrote:
> As far as I know, WPE and Wireshark can only display calls to send/recv and similar functions. If the data is encrypted then you have to grab the calls yourself.

I'm not sure what you mean by send/recv. From what I know, Wireshark uses WinPcap. I also had no problems sniffing the traffic of the program.

Chris12 wrote:
> Maybe, if you're lucky, it's possible to tell Wireshark to hook another point in the program to grab the packets, but the chances are very slim.
> (How would Wireshark even know the calling convention from only an address??)

I really don't think that Wireshark simply hooks all applications on your computer. I think it uses WinPcap, which uses a driver-based solution to get the traffic.

Chris12 wrote:
> I don't want to be mean, but if you really want to do this then learn programming, hacking and how networking in a program works;

I've already done lots of programming projects. I've just never done anything related to bitwise operations, which is why I don't understand the Blowfish algorithm. 'Hacking' is a pretty general expression; I've definitely written some hacks, but it wouldn't be right to say that I "learned hacking".

Chris12 wrote:
> unless someone else here has a magical program that can reason about arbitrary data like a human, that's the only way...

The packet analyzer that I'm looking for simply needs a listview to show all packets, a textbox to show the currently selected packet's contents, a nice filter and a "decode as Blowfish" option. No need for an AI reasoning about arbitrary data.

Chris12 wrote:
> Network hacking just isn't as easy as memory hacking when there's encryption.

I think that really depends on how deep you go into memory hacking.

Chris12 Expert Cheater
Reputation: 1
Joined: 27 Apr 2012 Posts: 103
Posted: Wed May 07, 2014 1:37 pm Post subject:

Ok, that makes things clearer.
send/recv are the basic send and receive functions that sockets use. WPEPro hooks them to get the packets.
Yes, you are right, Wireshark uses a driver to hook so it can show traffic in an implementation-independent way.
As with (I think) every cryptostream, you need to start capturing packets from the beginning.
If the final step in the encryption is an XOR then I think it's also possible to jump to a specific point of the key stream and then start XORing from there.
It's not really common for a program to use a static encryption key, but it's not completely unheard of either.
So what you ask for is possible, but I think other than Wireshark there's no program that can do it for you.
If you don't want to use Wireshark and you have some programming background then I'd suggest making it yourself. It should be good training.
There are two ways when making it yourself:
Hook the send and receive functions, then start decrypting the packets in blocks (Blowfish is a block encryption, not a stream encryption, and I'm not sure if you can modify it to be a stream encryption).
The other method, where you don't even need the encryption or key, is to reverse the program and look where send(...) and recv(...) are used.
Then you can look for what looks like an encryption routine and hook there.
Both ways shouldn't be too hard.
There are lots of hooking tutorials; you can also use EasyHook if you don't want to delve too deep into the matter.
For reversing, it's basically the same thing as reversing a game...
If you have questions, just ask.
It would be good to know the name of your target executable, by the way.
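
Added worked example (editor's addition; this is not code from this thread, nor from WPE, Wireshark or Cheat Engine): the "I have the static key, now decrypt the captured packets in real time" part of what hitmetwice asks for above, together with the "decrypt in blocks / start capturing from the beginning" point in the reply just above, in pure Python with no third-party library. The P-array and S-box constants are generated from the fractional hex digits of pi, which is how the Blowfish specification defines them, so the block is self-contained; the all-zero input is the spec's published test vector and is printed at the bottom as a check. Everything about the target is an assumption made for the demonstration: the key `example-static-key`, the two 8-byte "packets", the big-endian 8-byte block layout, and whether the game chains blocks (ECB vs CBC); a real program's mode, byte order, IV and framing have to be read out of the program itself.

```python
import functools

MASK32 = 0xFFFFFFFF

def _arctan_inv(x, one):
    """Fixed-point arctan(1/x) scaled by `one`, summed as an alternating series."""
    x2, term, total, n, negative = x * x, one // x, one // x, 1, True
    while term:
        term //= x2
        n += 2
        total += -(term // n) if negative else term // n
        negative = not negative
    return total

@functools.lru_cache(maxsize=None)
def pi_fraction_words(count):
    """First `count` 32-bit words of pi's fractional hex digits: the spec's initial P and S."""
    guard = 64                       # spare low bits absorb the series truncation error
    one = 1 << (32 * count + guard)
    pi_fixed = 16 * _arctan_inv(5, one) - 4 * _arctan_inv(239, one)   # Machin's formula
    raw = ((pi_fixed - 3 * one) >> guard).to_bytes(4 * count, "big")  # drop the leading 3
    return tuple(int.from_bytes(raw[i:i + 4], "big") for i in range(0, len(raw), 4))

class Blowfish:
    """Textbook Blowfish: 16-round Feistel network, 8-byte blocks, 32..448-bit key."""
    def __init__(self, key):
        if not 4 <= len(key) <= 56:
            raise ValueError("Blowfish key must be 4..56 bytes")
        words = list(pi_fraction_words(18 + 4 * 256))
        self.P = words[:18]
        self.S = [words[18 + 256 * i:18 + 256 * (i + 1)] for i in range(4)]
        j = 0                        # key schedule: XOR the cycled key bytes into P ...
        for i in range(18):
            data = 0
            for _ in range(4):
                data, j = (data << 8) | key[j], (j + 1) % len(key)
            self.P[i] ^= data
        l = r = 0                    # ... then refill P and S from chained encryptions of zero
        for i in range(0, 18, 2):
            l, r = self._encrypt_words(l, r)
            self.P[i], self.P[i + 1] = l, r
        for box in self.S:
            for i in range(0, 256, 2):
                l, r = self._encrypt_words(l, r)
                box[i], box[i + 1] = l, r
    def _f(self, x):
        s = self.S
        h = (s[0][x >> 24] + s[1][(x >> 16) & 0xFF]) & MASK32
        return ((h ^ s[2][(x >> 8) & 0xFF]) + s[3][x & 0xFF]) & MASK32
    def _encrypt_words(self, l, r):
        for i in range(16):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        return r ^ self.P[17], l ^ self.P[16]     # undo the last swap, whiten with P17/P18
    def _decrypt_words(self, l, r):               # the same network with P walked backwards
        for i in range(17, 1, -1):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        return r ^ self.P[0], l ^ self.P[1]
    def _block(self, block, rounds):              # big-endian halves, as in the spec's test vectors
        l, r = rounds(int.from_bytes(block[:4], "big"), int.from_bytes(block[4:8], "big"))
        return l.to_bytes(4, "big") + r.to_bytes(4, "big")
    def encrypt_block(self, block):
        return self._block(block, self._encrypt_words)
    def decrypt_block(self, block):
        return self._block(block, self._decrypt_words)

class StreamDecryptor:
    """Takes recv()-sized chunks and emits the plaintext of every complete 8-byte block.
    ECB blocks decrypt independently, so a capture started mid-stream loses only a partial
    block; in CBC each block also needs the previous ciphertext block (or the IV)."""
    def __init__(self, cipher, mode="ecb", iv=bytes(8)):
        self.cipher, self.mode, self.prev, self.pending = cipher, mode, iv, b""
    def feed(self, chunk):
        self.pending += chunk
        out = b""
        while len(self.pending) >= 8:
            block, self.pending = self.pending[:8], self.pending[8:]
            plain = self.cipher.decrypt_block(block)
            if self.mode == "cbc":
                plain, self.prev = bytes(a ^ b for a, b in zip(plain, self.prev)), block
            out += plain
        return out

def encrypt_stream(cipher, data, mode="ecb", iv=bytes(8)):
    """Sender side for the demo (data already 8-byte aligned): ECB, or CBC chaining."""
    out, prev = b"", iv
    for i in range(0, len(data), 8):
        block = data[i:i + 8] if mode == "ecb" else bytes(a ^ b for a, b in zip(data[i:i + 8], prev))
        prev = cipher.encrypt_block(block)
        out += prev
    return out

if __name__ == "__main__":
    print(Blowfish(bytes(8)).encrypt_block(bytes(8)).hex())   # 4ef997456198dd78, the spec's all-zero test vector
```

Usage: build the sender side with `encrypt_stream(Blowfish(key), packets, "cbc")` (constructed packets such as `b"LOGIN\x00\x00\x01" + b"PING\x00\x00\x00\x02"`), then hand the ciphertext to `StreamDecryptor(Blowfish(key), "cbc").feed(...)` in 5-byte slices to mimic `recv()` returning whatever the socket has; the decryptor buffers and only emits whole 8-byte blocks, which is the "decrypt in blocks" step described above. Feed only the second half of the capture and the difference between modes shows: in ECB the second packet still decrypts, in CBC it comes out as garbage because the previous ciphertext block is missing, which is the "start capturing from the beginning" caveat. Pure Python is fast enough for a logged capture; for a live feed at game rates you would want a native Blowfish.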
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8585 Location: 127.0.0.1
Posted: Wed May 07, 2014 3:57 pm Post subject:

The easier method of doing anything with this would be to hook into the game yourself. You can avoid the encryption layer altogether if you hook the proper functions in the game.
Most of the time, games will work in a similar fashion to this:
Sending: Generate Packet -> Encrypt/Encode Packet -> Send Packet
Receiving: Receive Packet -> Decrypt/Decode Packet -> Handle Packet
The method here would be to hook the encryption/decryption functions that the game uses. This way you can get the packets before they are actually encrypted, removing the need to decrypt them by hand.
Blowfish uses a key as well, so unless you know the key off-hand, you are going to have an annoying time decrypting logged packets constantly.
Wireshark will let you filter the packets entirely based on the traffic parameters such as the port, the IP (source and destination) etc. You just need to learn how to use the filtering system and not assume that everything is a simple one-click solution.
And yes, it uses WinPcap, which is a driver-based middleman. It will not automatically decrypt packets for you because it cannot just assume or know what encryption is used. You can set up Wireshark's ESP preferences to handle the encryption if you know the key:
http://wiki.wireshark.org/ESP_Preferences
This is all stuff you could have found and done yourself with simple Google searches. Wireshark is a great tool. It takes more than downloading it and opening it to learn about it.

Chris12 Expert Cheater
Reputation: 1
Joined: 27 Apr 2012 Posts: 103
Posted: Wed May 07, 2014 4:59 pm Post subject:

atom0s wrote:
> The easier method of doing anything with this would be to hook into the game yourself. You can avoid the encryption layer altogether if you hook the proper functions in the game.
> Most of the time, games will work in a similar fashion to this:
> Sending: Generate Packet -> Encrypt/Encode Packet -> Send Packet
> Receiving: Receive Packet -> Decrypt/Decode Packet -> Handle Packet
> The method here would be to hook the encryption/decryption functions that the game uses. This way you can get the packets before they are actually encrypted, removing the need to decrypt them by hand.

That's what I meant as my second method.
I'd say that's the way to go!
You can do this step with Cheat Engine and its Lua engine.
Personally I prefer .NET for programming stuff like that, but CE doesn't "officially" support it.
I made a plugin that exposes all of CE's functionality to .NET, but it was buggy sometimes and crashed CE.
Maybe I will continue developing it when I have more time.