Most visitors online was 12720 , on 2 May 2024
-
Unfortunately, we have experienced significant hard drive damage that requires urgent maintenance and rebuilding. The forum will be a state of read only until we install our new drives and rebuild all the configurations needed. Please follow our Facebook page for updates, we will be back up shortly! (The forum could go offline at any given time due to the nature of the failed drives whilst awaiting the upgrades.) When you see an Incapsula error, you know we are in the process of migration.
Reverse Engineering Packet Structures Through The Client?
- Thread starter AcarX
- Start date
Elite Diviner
- Joined
- Apr 28, 2012
- Messages
- 420
- Reaction score
- 439
encrypt function can be found here:
result:
function looks "terrible")))
You must be registered to see links
result:
You must be registered to see links
function looks "terrible")))
Code:
int __stdcall sub_500B70(int a1, int *a2, unsigned int *a3)
{
int result; // eax@1
unsigned int v4; // edx@1
unsigned int v5; // ecx@1
unsigned int v6; // edx@1
unsigned int v7; // ecx@1
unsigned int v8; // edx@1
unsigned int v9; // ecx@1
unsigned int v10; // edx@1
unsigned int v11; // ecx@1
unsigned int v12; // edx@1
unsigned int v13; // ecx@1
unsigned int v14; // edx@1
unsigned int v15; // ecx@1
unsigned int v16; // edx@1
unsigned int v17; // ecx@1
unsigned int v18; // edx@1
unsigned int v19; // ecx@1
int v20; // ebx@1
unsigned __int8 v21; // bp@1
int v22; // ecx@1
result = a1;
v4 = *a2 ^ *(a1 + 8);
v5 = *a3 ^ *(a1 + 12) ^ (*(a1 + 4 * (*a2 ^ *(a1 + 8)) + 3152)
+ (*(a1 + 4 * BYTE1(v4) + 2128) ^ (*(a1 + 4 * (v4 >> 24) + 80)
+ *(a1 + 4 * ((v4 >> 16) & 0xFF) + 1104))));
v6 = *(a1 + 16) ^ (*(a1
+ 4
* (*a3 ^ *(a1 + 12) ^ (*(a1 + 4 * (*a2 ^ *(a1 + 8)) + 3152)
+ (*(a1 + 4 * BYTE1(v4) + 2128) ^ (*(a1 + 4 * (v4 >> 24) + 80)
+ *(a1 + 4 * ((v4 >> 16) & 0xFF) + 1104)))))
+ 3152)
+ (*(a1 + 4 * BYTE1(v5) + 2128) ^ (*(a1 + 4 * (v5 >> 24) + 80)
+ *(a1 + 4 * ((v5 >> 16) & 0xFF) + 1104)))) ^ v4;
v7 = *(a1 + 20) ^ (*(a1 + 4 * v6 + 3152)
+ (*(a1 + 4 * BYTE1(v6) + 2128) ^ (*(a1 + 4 * (v6 >> 24) + 80)
+ *(a1 + 4 * ((v6 >> 16) & 0xFF) + 1104)))) ^ v5;
v8 = *(a1 + 24) ^ (*(a1 + 4 * v7 + 3152)
+ (*(a1 + 4 * BYTE1(v7) + 2128) ^ (*(a1 + 4 * (v7 >> 24) + 80)
+ *(a1 + 4 * ((v7 >> 16) & 0xFF) + 1104)))) ^ v6;
v9 = *(a1 + 28) ^ (*(a1 + 4 * v8 + 3152)
+ (*(a1 + 4 * BYTE1(v8) + 2128) ^ (*(a1 + 4 * (v8 >> 24) + 80)
+ *(a1 + 4 * ((v8 >> 16) & 0xFF) + 1104)))) ^ v7;
v10 = *(a1 + 32) ^ (*(a1 + 4 * v9 + 3152)
+ (*(a1 + 4 * BYTE1(v9) + 2128) ^ (*(a1 + 4 * (v9 >> 24) + 80)
+ *(a1 + 4 * ((v9 >> 16) & 0xFF) + 1104)))) ^ v8;
v11 = *(a1 + 36) ^ (*(a1 + 4 * v10 + 3152)
+ (*(a1 + 4 * BYTE1(v10) + 2128) ^ (*(a1 + 4 * (v10 >> 24) + 80)
+ *(a1 + 4 * ((v10 >> 16) & 0xFF) + 1104)))) ^ v9;
v12 = *(a1 + 40) ^ (*(a1 + 4 * v11 + 3152)
+ (*(a1 + 4 * BYTE1(v11) + 2128) ^ (*(a1 + 4 * (v11 >> 24) + 80)
+ *(a1 + 4 * ((v11 >> 16) & 0xFF) + 1104)))) ^ v10;
v13 = *(a1 + 44) ^ (*(a1 + 4 * v12 + 3152)
+ (*(a1 + 4 * BYTE1(v12) + 2128) ^ (*(a1 + 4 * (v12 >> 24) + 80)
+ *(a1 + 4 * ((v12 >> 16) & 0xFF) + 1104)))) ^ v11;
v14 = *(a1 + 48) ^ (*(a1 + 4 * v13 + 3152)
+ (*(a1 + 4 * BYTE1(v13) + 2128) ^ (*(a1 + 4 * (v13 >> 24) + 80)
+ *(a1 + 4 * ((v13 >> 16) & 0xFF) + 1104)))) ^ v12;
v15 = *(a1 + 52) ^ (*(a1 + 4 * v14 + 3152)
+ (*(a1 + 4 * BYTE1(v14) + 2128) ^ (*(a1 + 4 * (v14 >> 24) + 80)
+ *(a1 + 4 * ((v14 >> 16) & 0xFF) + 1104)))) ^ v13;
v16 = *(a1 + 56) ^ (*(a1 + 4 * v15 + 3152)
+ (*(a1 + 4 * BYTE1(v15) + 2128) ^ (*(a1 + 4 * (v15 >> 24) + 80)
+ *(a1 + 4 * ((v15 >> 16) & 0xFF) + 1104)))) ^ v14;
v17 = *(a1 + 60) ^ (*(a1 + 4 * v16 + 3152)
+ (*(a1 + 4 * BYTE1(v16) + 2128) ^ (*(a1 + 4 * (v16 >> 24) + 80)
+ *(a1 + 4 * ((v16 >> 16) & 0xFF) + 1104)))) ^ v15;
v18 = *(a1 + 64) ^ (*(a1 + 4 * v17 + 3152)
+ (*(a1 + 4 * BYTE1(v17) + 2128) ^ (*(a1 + 4 * (v17 >> 24) + 80)
+ *(a1 + 4 * ((v17 >> 16) & 0xFF) + 1104)))) ^ v16;
v19 = *(a1 + 68) ^ (*(a1 + 4 * v18 + 3152)
+ (*(a1 + 4 * BYTE1(v18) + 2128) ^ (*(a1 + 4 * (v18 >> 24) + 80)
+ *(a1 + 4 * ((v18 >> 16) & 0xFF) + 1104)))) ^ v17;
v20 = *(a1 + 4 * BYTE1(v19) + 2128) ^ (*(a1 + 4 * (v19 >> 24) + 80) + *(a1 + 4 * ((v19 >> 16) & 0xFF) + 1104));
v21 = v19;
v22 = *(a1 + 76) ^ v19;
*a3 = *(a1 + 72) ^ (*(a1 + 4 * v21 + 3152) + v20) ^ v18;
*a2 = v22;
return result;
}
- Joined
- Sep 27, 2006
- Messages
- 557
- Reaction score
- 88
Yep that be it got the same thing its just a simple XOR over XOR.
Was cracked back in 2007 i believe.
Was cracked back in 2007 i believe.
YEy i has custom title^_^
- Joined
- Sep 29, 2006
- Messages
- 452
- Reaction score
- 67
One way to analyze packets from client only is to hook the functions that write the bytes and makes the packet. This way you can basically just sniff the packet while being created and get the structure same time, however this wont tell you what all the bytes represent but it would speed up analyzing them as you dont have to figure the structure out yourself.
zarut said:
Could you elaborate on that please? How would I accomplish this? From what I could gather in assembly most functions don't use a separate writing function. It's mostly like:
Code:
lea edx, [buffer_addr + offset]
mov [edx], 5
Incase my assembly isn't correct, here's what I mean in C:
buffer[offset] = 5;YEy i has custom title^_^
- Joined
- Sep 29, 2006
- Messages
- 452
- Reaction score
- 67
Here is a tutorial how its accomplished in silkroad:
You must be registered to see links
RaGEZONE Sponsor
