[Help] Reversing Client Packets Structure

  1. #1 vergil250493

    Question [Help] Find Opcodes Client decompiled

    Hello, I don't have enough knowledge in ASM to do this, so I am here to ask if someone with that knowledge would help me do it! I have the client decompiled, but each function looks like this:
    Code:
    //----- (005629A0) --------------------------------------------------------
    signed __int64 __cdecl sub_5629A0(int a1)
    {
      unsigned __int8 v1; // al@1
      int v2; // edi@5
      signed __int64 result; // rax@5
    
      sub_562AF0(a1);
      v1 = sub_5624F0(a1);
      if ( (signed int)v1 > 80 )
        sub_55E990(*(_DWORD *)a1, "%s too new: read version %d.%d; expected at most %d.%d", *(_DWORD *)(a1 + 16));
      if ( (signed int)v1 < 80 )
        sub_55E990(*(_DWORD *)a1, "%s too old: read version %d.%d; expected at least %d.%d", *(_DWORD *)(a1 + 16));
      v2 = (unsigned __int8)sub_5624F0(a1);
      *(_DWORD *)(a1 + 12) = sub_562B80() != v2;
      sub_562B40(a1, 4);
      sub_562B40(a1, 4);
      sub_562B40(a1, 4);
      sub_562B40(a1, 6);
      sub_562B40(a1, 8);
      sub_562B40(a1, 9);
      sub_562B40(a1, 9);
      sub_562B40(a1, 8);
      result = (signed __int64)sub_562980(a1);
      if ( (_DWORD)result != 31415926 )
        sub_55E990(*(_DWORD *)a1, "unknown number format in %s", *(_DWORD *)(a1 + 16));
      return result;
    }
    So how will I find, for example, Opcode 0x03, etc.?
    Last edited by vergil250493; 09-02-17 at 03:49 PM.


  2. #2 vergil250493

    Re: [Help] Reversing Client Packets Structure

    Can anyone help with it?

  3. #3 Ci3l0phi

    Re: [Help] Reversing Client Packets Structure

    You need to first understand that most clients do not rely on their own code to implement server communication. Clients will use some external library. You need to be able to view the import table and look at what libraries are being imported. Look at what functions are being referenced. There are more than likely library functions for sending and receiving data, like the Winsock library.

    Try using a debugger and set breakpoints on all references to these library calls. This should be able to show you data as soon as it is available in the buffer to be sent/received. You will need to understand how to trace in the debugger from that point and go backwards to the point where data is not manipulated. Eventually, you should be able to find the point where data is normal :)

    Then, you should be able to trace back to the function that zips/encrypts/manipulates data. You can take a look at the data before that encryption, and then use something to dump that data, which should represent the packet. If the protocol is unknown, then you will need to figure out the protocol, and somewhere in there should be the opcode. Perhaps the opcode is within the first few bytes or towards the end (unlikely).

    good luck~
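Once buffers have been dumped at the point before compression/encryption, as the reply above describes, the first pass at "figuring out the protocol" can be automated. The Python below is an added example, not code from this thread or from any client: it takes a set of constructed plaintext dumps and infers which header offsets behave like a length field and which like an opcode. The sample layout (u16 little-endian length, u8 opcode) and the heuristics are assumptions for the demonstration.

```python
import struct

# Constructed sample dumps (not from any real client): buffers as a breakpoint on
# send() might capture them once they are in plaintext. Built with a u16 LE total
# length, a u8 opcode and a payload; the analysis must recover that from bytes alone.
SAMPLE_PACKETS = [
    bytes.fromhex("0700") + b"\x03" + b"ABCD",
    bytes.fromhex("0500") + b"\x03" + b"EF",
    bytes.fromhex("0b00") + b"\x10" + b"\x01\x00\x00\x00\x02\x00\x00\x00",
    bytes.fromhex("0b00") + b"\x10" + b"\x03\x00\x00\x00\x04\x00\x00\x00",
    bytes.fromhex("0400") + b"\x21" + b"\x00",
    bytes.fromhex("0700") + b"\x03" + b"WXYZ",
    bytes.fromhex("0401") + b"\x10" + bytes(257),  # 260 bytes: rules out a u8 length
]
FORMATS = {"u8": "<B", "u16le": "<H", "u16be": ">H"}

def length_field_candidates(packets):
    """(offset, encoding, meaning) where the decoded integer equals the total
    length, or the bytes remaining after the field, in every packet."""
    hits = []
    for off in range(min(len(p) for p in packets)):
        for name, fmt in FORMATS.items():
            size = struct.calcsize(fmt)
            for skip, meaning in ((0, "total"), (off + size, "after-field")):
                if all(len(p) >= off + size
                       and struct.unpack_from(fmt, p, off)[0] == len(p) - skip
                       for p in packets):
                    hits.append((off, name, meaning))
    return hits

def opcode_candidates(packets, max_offset=8):
    """Header offsets, best first, whose byte is neither constant nor unique per
    packet (each value seen at least twice on average) and not part of a length field."""
    covered = {off + i for off, name, _ in length_field_candidates(packets)
               for i in range(struct.calcsize(FORMATS[name]))}
    ranked = []
    for off in range(min(max_offset, min(len(p) for p in packets))):
        distinct = len({p[off] for p in packets})
        if off not in covered and 1 < distinct and 2 * distinct <= len(packets):
            ranked.append((distinct, off))
    return [off for _, off in sorted(ranked)]

def lengths_by_opcode(packets, off):
    """Group packets by the byte at `off`: one opcode should map to one message
    family, so its lengths should be few or follow a pattern."""
    groups = {}
    for p in packets:
        groups.setdefault(p[off], set()).add(len(p))
    return {op: sorted(ls) for op, ls in groups.items()}
```

Run on the sample, the length field resolves to offset 0 as u16 little-endian (the 260-byte packet eliminates the u8 reading), offset 2 is the only opcode candidate, and grouping by that byte yields three message families.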
