
Network packets

Initiate Mage
Joined
Feb 20, 2019
Messages
24
Reaction score
0
So I started sniffing some packets from a game but some of them are encrypted. What I know about the encryption being used is that they are using RSA and RC4. Is it possible to decrypt them by only looking at TCP packets? I don't know how I should continue. If anyone wants to link me some books/guides or w.e feel free to.
 
Last edited:
Joined
Sep 27, 2006
Messages
557
Reaction score
88
Would need more info about the game.

Most tools that I use are:

1. IDA Pro
2. Ghidra
3. Search WinSock (recv for decrypting) (send for encrypting)
4. Decompile the code, find the functions and addresses
5. Using a debugger to trace and walk through the code to match what it's doing
6. Write it in the programming language you use (proxy)

To answer your question: you can't look at the packets to decrypt them (maybe XOR). But you're gonna need to learn asm and whatever programming language you know.
 
Initiate Mage
Joined
Feb 20, 2019
Messages
24
Reaction score
0
Would need more info about the game.

Most tools that I use are:

1. IDA Pro
2. Ghidra
3. Search WinSock (recv for decrypting) (send for encrypting)
4. Decompile the code, find the functions and addresses
5. Using a debugger to trace and walk through the code to match what it's doing
6. Write it in the programming language you use (proxy)

To answer your question: you can't look at the packets to decrypt them (maybe XOR). But you're gonna need to learn asm and whatever programming language you know.
Mhm I used Ghidra for a month before. I tried hooking to win recv and send. I researched on some of the dlls they are using but not much luck. I tried decompiling the code but there was not much to see like ghidra failed to decompile it or something (the .exe could be packed or w.e I'm not sure). Tried using x64dbg but no luck because of the anti-debug (XIGNCODE with Themida). I know a handful of programming languages so that's not an issue as I already have a base.

The game has an x86 architecture and has XIGNCODE as an anticheat. Sometimes Themida pops up when I try to attach a debugger :/.
Eh ye I'm working on learning asm but I feel like I'm wasting my time because of the anticheat and stuff that I don't know.

Also, jonny bravo xD I used to love that show. CN was at its best back then.
 
Joined
Jun 14, 2012
Messages
31
Reaction score
2
Hooking send/recv is honestly a pain. I had tons of issues when I tried this myself.
Try writing a TCP forwarder. That way you act as a proxy between the real server and you can dump/handle any incoming/outgoing data.
It's a much cleaner approach and it works beautifully.

For encryption, it really depends on how it's done. Sometimes clients derive their key from a public key that servers send at some point.
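The point made above (and in the first reply) is the answer to the original question: with RSA plus RC4 the RC4 session key is chosen on the client and travels over the wire wrapped with the server's public key, so a passive capture never contains it. The following added example, which is not code from this thread or from any game, walks through that exchange with toy parameters so you can see what a sniffer gets to see and what it does not. Everything here is an assumption for illustration: the two Mersenne primes are far too small for a real key, the RSA is unpadded textbook RSA, the message format ("PUBKEY", "KEY") is constructed, and each direction is shown with a fresh RC4 state, whereas real clients usually keep one running keystream per direction.

```python
import secrets

# Toy RSA parameters (constructed for this example; NOT a usable key size).
# 2^31-1 and 2^61-1 are Mersenne primes, so n is about 92 bits and fits in 12 bytes.
P = (1 << 31) - 1
Q = (1 << 61) - 1
E = 65537
N_BYTES = 12          # big enough to hold n and any ciphertext c < n
KEY_BYTES = 8         # RC4 session key length; 64 bits < n, so textbook RSA can wrap it


def rsa_keygen():
    """Return ((n, e), (n, d)) for the fixed toy primes above."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)          # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def rsa_encrypt(pub, m_bytes):
    """Textbook RSA: c = m^e mod n on the integer value of m_bytes."""
    n, e = pub
    m = int.from_bytes(m_bytes, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c, length):
    """Recover length bytes from c with the private exponent."""
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")


def rc4(key, data):
    """RC4 keystream XOR (KSA + PRGA); encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def run_exchange(message=b"LOGIN user=alice"):
    """Simulate server, client and a passive sniffer; return what each ends up with."""
    pub, priv = rsa_keygen()                   # server holds priv, publishes pub
    wire = []                                  # every byte a sniffer on the path sees

    # 1. server -> client: public key (constructed framing)
    wire.append(("S->C", b"PUBKEY " + pub[0].to_bytes(N_BYTES, "big")))

    # 2. client picks a random RC4 session key and wraps it with the public key
    session_key = secrets.token_bytes(KEY_BYTES)
    c = rsa_encrypt(pub, session_key)
    wire.append(("C->S", b"KEY " + c.to_bytes(N_BYTES, "big")))

    # 3. client -> server: first RC4-encrypted message
    wire.append(("C->S", rc4(session_key, message)))

    # Server side: unwrap the key with d, then decrypt the stream.
    recovered = rsa_decrypt(priv, c, KEY_BYTES)
    plaintext = rc4(recovered, wire[2][1])

    return {
        "session_key": session_key,            # exists only in client memory
        "recovered_key": recovered,            # exists only in server memory
        "plaintext": plaintext,
        "wire": wire,                          # contains c, never session_key
    }


if __name__ == "__main__":
    r = run_exchange()
    for direction, payload in r["wire"]:
        print(direction, payload.hex())
    print("server decrypted:", r["plaintext"])
```

The sniffer's capture holds the modulus, the RSA-wrapped key and RC4 ciphertext. Without d (server only) or the session key (client only) none of that yields plaintext, which is why the thread points you at the client: the key has to be read out of the process that generated it, not out of the packets.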
 
Joined
Sep 27, 2006
Messages
557
Reaction score
88
What game? I can unpack Themida but it is a pain in the butt. No pro at it. XIGNCODE you can just turn it off and debug the login etc.. Gonna at some point need a proxy to log packets so there's no other way of doing it.

Can pretty much dump the exe from memory and rebuild the IAT etc.. to get around the packed exe.
 
Software Engineer
Member
Joined
Feb 19, 2008
Messages
1,055
Reaction score
492
To clarify what others are saying and why they're mentioning using Assembly / Ghidra and so on: if you need to decrypt the game, you need to find the encryption keys from the client. Depending on what the game client is coded in you would use different utilities to achieve this. If the client is a normal x86 executable (coded in C / C++ or similar languages) then yeah, you will need either IDA or Ghidra. If it's Java, Flash, C# / .NET or similar, you might be able to decompile the client; it might partially be obfuscated, but with enough willpower you should be able to hunt down the keys. Also, if others have done the work before, maybe reach out to them to throw you a bone.

As someone else said: without more context, we can't help you.
 
Joined
Jun 10, 2009
Messages
658
Reaction score
140
Hooking send/recv is honestly a pain. I had tons of issues when I tried this myself.
Try writing a TCP forwarder. That way you act as a proxy between the real server and you can dump/handle any incoming/outgoing data.
It's a much cleaner approach and it works beautifully.

For encryption, it really depends on how it's done. Sometimes clients derive their key from a public key that servers send at some point.

Take a look at my project . This might help!
 
Joined
Jun 14, 2012
Messages
31
Reaction score
2
Take a look at my project . This might help!

Yep that sorta looks like what I was using, except some issues there:
WSASend, WSARecv, sendto and recvfrom all had to be hooked as well in my case, and everything has to be handled since I was also working with nonblocking sockets. I had tons of duplicate packet spam while others were just missing (might be custom network code somewhere), so I just wrote a TCP forwarder instead.
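The TCP forwarder that two posters recommend over send/recv hooking is small enough to show in full. This is an added example, not the project linked above or anyone's code from the thread: a Python asyncio proxy that listens on loopback, opens one upstream connection per client, copies bytes in both directions and hands every chunk to a sink as a hex/ASCII dump. The listen address, the hex-dump layout and the direction tags "C->S" / "S->C" are my choices. You point the client at the listen port (hosts file or client config) and the proxy at the real server; nothing is hooked inside the client, so nonblocking sockets and WSASend/WSARecv variants are a non-issue because the bytes are read off the socket after the client has already sent them.

```python
import asyncio
import sys


def format_frame(direction: str, data: bytes, width: int = 16) -> str:
    """Render one chunk of a stream as a labelled hex/ASCII dump.

    RC4-wrapped payloads show up as high-entropy bytes with no readable
    ASCII column, which makes it easy to see which messages are still
    encrypted and where a plaintext handshake (e.g. a public key blob) ends.
    """
    lines = [f"{direction} {len(data)} bytes"]
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"  {off:04x}  {hex_part:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


async def pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter,
               direction: str, sink) -> int:
    """Copy src -> dst until EOF, passing each chunk to sink first.

    Returns the number of bytes forwarded. Chunks are whatever the kernel
    hands us, not protocol messages; reassembly is the sink's job.
    """
    total = 0
    try:
        while True:
            data = await src.read(65536)
            if not data:                      # peer closed its side
                break
            total += len(data)
            sink(format_frame(direction, data))
            dst.write(data)
            await dst.drain()
    except (ConnectionResetError, BrokenPipeError):
        pass                                  # one side vanished; shut the other
    finally:
        dst.close()
    return total


async def start_forwarder(listen_host: str, listen_port: int,
                          target_host: str, target_port: int, sink=print):
    """Listen on listen_host:listen_port and relay each connection to the target."""

    async def handle(client_reader, client_writer):
        try:
            server_reader, server_writer = await asyncio.open_connection(
                target_host, target_port)
        except OSError as exc:
            sink(f"upstream connect to {target_host}:{target_port} failed: {exc}")
            client_writer.close()
            return
        # Two independent pumps so a slow direction never blocks the other.
        await asyncio.gather(
            pump(client_reader, server_writer, "C->S", sink),
            pump(server_reader, client_writer, "S->C", sink),
        )

    return await asyncio.start_server(handle, listen_host, listen_port)


async def main(argv):
    # usage: forwarder.py <listen_port> <target_host> <target_port>
    listen_port, target_host, target_port = int(argv[1]), argv[2], int(argv[3])
    server = await start_forwarder("127.0.0.1", listen_port, target_host, target_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main(sys.argv))
```

Replace the print sink with something that appends to a file and tags each chunk with a timestamp once you want to correlate dumps with what the client was doing; the hex view alone is enough to separate the unencrypted handshake from the RC4 stream.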
 