Network packets

  1. #1 skf01 (joined Feb 2019, 14 posts)

    Network packets
    So I started sniffing some packets from a game, but some of them are encrypted. What I know about the encryption being used is that they are using RSA and RC4. Is it possible to decrypt them by only looking at TCP packets? I don't know how I should continue. If anyone wants to link me some books/guides or whatever, feel free to.
    Last edited by skf01; 16-08-19 at 07:16 PM.


  2. #2 jonnybravo (joined Sep 2006, 764 posts)

    Re: Network packets

    Would need more info about the game.

    Most tools that I use are:

    1. IDA Pro
    2. Ghidra
    3. Search WinSock (recv for decrypting, send for encrypting)
    4. Decompile the code, find the functions and addresses
    5. Use a debugger to trace and walk through the code to match what it's doing
    6. Write it in the programming language you use (proxy)

    To answer your question: you can't look at the packets to decrypt them (maybe XOR). But you're gonna need to learn asm and whatever programming language you know.

  3. #3 skf01 (joined Feb 2019, 14 posts)

    Re: Network packets

    Quote Originally Posted by jonnybravo:
    Would need more info about the game.

    Most tools that I use are:

    1. IDA Pro
    2. Ghidra
    3. Search WinSock (recv for decrypting, send for encrypting)
    4. Decompile the code, find the functions and addresses
    5. Use a debugger to trace and walk through the code to match what it's doing
    6. Write it in the programming language you use (proxy)

    To answer your question: you can't look at the packets to decrypt them (maybe XOR). But you're gonna need to learn asm and whatever programming language you know.

    Mhm, I used Ghidra for a month before. I tried hooking the Windows recv and send. I researched some of the DLLs they are using, but not much luck. I tried decompiling the code, but there was not much to see; Ghidra failed to decompile it or something (the .exe could be packed or whatever, I'm not sure). Tried using x64dbg, but no luck because of the anti-debug (XIGNCODE with Themida). I know a handful of programming languages, so that's not an issue as I already have a base.

    The game has an x86 architecture and has XIGNCODE as an anticheat. Sometimes Themida pops up when I try to attach a debugger :/
    Eh, yeah, I'm working on learning asm, but I feel like I'm wasting my time because of the anticheat and stuff that I don't know.

    Also, Johnny Bravo xD, I used to love that show. CN was at its best back then.

  4. #4 DarkKaine (joined Jun 2012, 30 posts)

    Re: Network packets

    Hooking send/recv is honestly a pain. I had tons of issues when I tried this myself.
    Try writing a TCP forwarder. That way you act as a proxy between you and the real server, and you can dump/handle any incoming/outgoing data.
    It's a much cleaner approach and it works beautifully.

    For encryption, it really depends on how it's done. Sometimes clients derive their key from a public key that servers send at some point.

  5. #5 jonnybravo (joined Sep 2006, 764 posts)

    Re: Network packets

    What game? I can unpack Themida, but it is a pain in the ass. No pro at it. XIGNCODE you can just turn off and debug the login etc. You're gonna need a proxy at some point to log packets, so there's no other way of doing it.

    You can pretty much dump the exe from memory and rebuild the IAT etc. to get around the packed exe.

  6. #6 Moogly (joined Feb 2008, 2,321 posts)

    Re: Network packets

    To clarify what others are saying and why they're mentioning using assembly / Ghidra and so on: if you need to decrypt the game traffic, you need to find the encryption keys in the client. Depending on what the game client is coded in, you would use different utilities to achieve this. If the client is a normal x86 executable (coded in C / C++ or similar languages), then yeah, you will need either IDA or Ghidra. If it's Java, Flash, C# / .NET or similar, you might be able to decompile the client; it might partially be obfuscated, but with enough willpower you should be able to hunt down the keys. Also, if others have done the work before, maybe reach out to them to throw you a bone.

    As someone else said: without more context, we can't help you.

  7. #7 cyberinferno (joined Jun 2009, 687 posts)

    Re: Network packets

    Quote Originally Posted by DarkKaine:
    Hooking send/recv is honestly a pain. I had tons of issues when I tried this myself.
    Try writing a TCP forwarder. That way you act as a proxy between you and the real server, and you can dump/handle any incoming/outgoing data.
    It's a much cleaner approach and it works beautifully.

    For encryption, it really depends on how it's done. Sometimes clients derive their key from a public key that servers send at some point.

    Take a look at my project https://github.com/cyberinferno/PacketDumper. This might help!

  8. #8 DarkKaine (joined Jun 2012, 30 posts)

    Re: Network packets

    Quote Originally Posted by cyberinferno:
    Take a look at my project https://github.com/cyberinferno/PacketDumper. This might help!

    Yep, that sorta looks like what I was using, except for some issues there:
    WSASend, WSARecv, sendto and recvfrom all had to be hooked as well in my case, and everything has to be handled, since I was also working with nonblocking sockets. I had tons of duplicate packet spam while others were just missing (might be custom network code somewhere), so I just wrote a TCP forwarder instead.
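    A minimal TCP forwarder of the kind DarkKaine describes in #4 and #8, added here as an example; it is not cyberinferno's PacketDumper or any code from this thread. It listens on a local port, opens one upstream connection per accepted client, and records a hex dump line for every chunk in both directions. The echo server and the loopback addresses are constructed stand-ins for the real game server and its endpoint.

```python
import contextlib
import socket
import threading

def spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(5)
    return srv

def pump(src, dst, direction, log):
    """Copy src -> dst until EOF, writing a hex dump line for every chunk first."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            log.append(f"{direction} {len(chunk)} bytes: {chunk.hex()}")
            dst.sendall(chunk)
    with contextlib.suppress(OSError):  # relay the close so the peer sees EOF too
        dst.shutdown(socket.SHUT_WR)

def start_forwarder(target, log):
    """Listen locally; relay each accepted connection to target. Returns the port."""
    srv = listener()
    def accept_loop():
        while True:
            client, _ = srv.accept()
            server = socket.create_connection(target)  # one upstream socket per client
            spawn(pump, client, server, "C->S", log)
            spawn(pump, server, client, "S->C", log)
    spawn(accept_loop)
    return srv.getsockname()[1]

def start_echo_server():
    """Constructed stand-in for the real game server: echoes whatever it receives."""
    srv = listener()
    def serve():
        while True:
            conn, _ = srv.accept()
            spawn(pump, conn, conn, "echo", [])
    spawn(serve)
    return srv.getsockname()[1]

def send_via(port, payload):
    """Connect through the forwarder, send payload, read back an equally long reply."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        reply = b""
        while len(reply) < len(payload) and (chunk := c.recv(4096)):
            reply += chunk
    return reply
```

    Because the forwarder owns both sockets, it does not suffer the duplicate or missing chunks that hooking a client's nonblocking WSARecv calls produced in #8. It decrypts nothing: RC4-protected traffic still shows up in the dump as ciphertext, which is Droppy's point below.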

  9. #9 Droppy (joined Feb 2012, 2,085 posts)

    Re: Network packets

    Quote Originally Posted by skf01:
    What I know about the encryption being used is that they are using RSA and RC4. Is it possible to decrypt them by only looking at TCP packets?

    If you could do that, then the encryption wouldn't be doing its job.
