Node.js+frida sniffer

  1. #1
    Proficient Member Turmalin is offline
    MemberRank
    Jul 2014 Join Date
    168Posts

    Hi, guys.
    This is an example for the https://forum.ragezone.com/f884/rune...tocol-1068040/ theme.
    The code is based on node-frida (https://github.com/frida/frida-node).

    There are 3 files you would really need: app.js (frida connection), views/js/frida/rom.js (interaction logic) and views/js/frida/romlib.js (list of some or all, not sure, packet enums).

    Interceptor.attach(ptr("0x6694E0") is used for incoming packets and Interceptor.attach(ptr("0x60CCC0") for outgoing. The client version for those addresses is 6.0.8 - https://mega.nz/#!wd4GmRLI!M5wTxpaW5...LtvOBlPoNa-3H8

    Node lib (without modules, use npm-install + build node-frida) - https://mega.nz/#!sFwBzSjL!7lca4SsME...W17QwETn2hXIF4

    There are 2 versions of packet data deserializing:

    // readint/readshort/readstring are helpers from the injected script (rom.js)
    if (packetname == 'EM_PG_Talk_Channel' || val == 156) {
        var data = {
            command: packetname,
            channelid: readint(dataptr, 4),
            msgtype: readint(dataptr, 8),
            job: readint(dataptr, 12),
            // fixed 64-byte field, padding NULs stripped
            name: readstring(dataptr, 20, 64).replace(new RegExp('\0', 'g'), ''),
            sender: {
                vocation: readshort(dataptr, 84),
                level: readshort(dataptr, 88)
            },
            contentsize: readint(dataptr, 90),
            content: readstring(dataptr, 96, 512)
        };
    }

    used directly from injected js script.

    More readable version used in app.js(frida connection) script -

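    // ref, ref-struct and ref-array npm modules
    var ref = require('ref');
    var StructType = require('ref-struct');
    var ArrayType = require('ref-array');

    var PG_Talk_CtoL_GMCommand = StructType({
        command: ref.types.int,
        gitemid: ref.types.int,
        contentsize: ref.types.int,
        content: ArrayType('char', 512)
    });

    // b: Buffer with the raw packet bytes passed from the injected script
    var result = new PG_Talk_CtoL_GMCommand(b);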


    but this version would need passing a byte array between inject-hosting.

    BTW, this code is an example of how you can read (and write in the 1st case, not completed in the 2nd case) packets from rom. For packet structs you can look into the client or server code.
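
An added example, not part of the original post or the poster's project: host-side decoding of the EM_PG_Talk_Channel layout from post #1 out of a plain Node.js Buffer, with the length and `contentsize` checks the snippet above leaves out. The little-endian field order, the command id at offset 0, the latin1 text encoding and the names `parseTalkChannel`, `readCString` and `buildSample` are assumptions.

```javascript
// Offsets are the ones in post #1. Assumed: little-endian, readint = int32,
// readshort = int16, command id at offset 0, latin1 text.
const TALK_CHANNEL_SIZE = 96 + 512; // last field: content at offset 96, 512 bytes

// Read a fixed-size char field and cut it at the first NUL byte.
function readCString(buf, offset, size) {
  const field = buf.subarray(offset, offset + size);
  const nul = field.indexOf(0);
  return field.toString('latin1', 0, nul === -1 ? field.length : nul);
}

function parseTalkChannel(buf) {
  // Reject short input instead of reading past the end of the packet.
  if (!Buffer.isBuffer(buf) || buf.length < TALK_CHANNEL_SIZE) {
    throw new RangeError('packet shorter than ' + TALK_CHANNEL_SIZE + ' bytes');
  }
  // The declared size comes from the wire, so it is validated before use.
  const contentsize = buf.readInt32LE(90);
  if (contentsize < 0 || contentsize > 512) {
    throw new RangeError('contentsize out of range: ' + contentsize);
  }
  return {
    command: buf.readInt32LE(0),
    channelid: buf.readInt32LE(4),
    msgtype: buf.readInt32LE(8),
    job: buf.readInt32LE(12),
    name: readCString(buf, 20, 64),
    sender: { vocation: buf.readInt16LE(84), level: buf.readInt16LE(88) },
    contentsize: contentsize,
    // Honour the declared size so stale bytes after the message are ignored.
    content: readCString(buf, 96, contentsize)
  };
}

// Constructed sample packet (not captured traffic).
function buildSample() {
  const b = Buffer.alloc(TALK_CHANNEL_SIZE);
  b.writeInt32LE(156, 0);
  b.writeInt32LE(2, 4);
  b.write('Tester', 20, 'latin1');
  b.writeInt16LE(3, 84);
  b.writeInt16LE(50, 88);
  b.writeInt32LE(5, 90);
  b.write('hello-stale-bytes', 96, 'latin1');
  return b;
}

console.log(parseTalkChannel(buildSample()));
```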


  2. #2
    Novice Undead Code is offline
    MemberRank
    Oct 2015 Join Date
    2Posts

    Re: Node.js+frida sniffer

    Thanks! Looks interesting. I used to use WinDbg + Python plugin when I was working on encryption of RoM client-server protocol. Back then I did not have access to RoM source code.

    Personally I like proxy approach more. Even better is to use own client, since memory footprint is much lower, it is easy to have 50 alts running around ;-)

  3. #3
    Proficient Member Turmalin is offline
    MemberRank
    Jul 2014 Join Date
    168Posts

    Re: Node.js+frida sniffer

    Ofc, just lazy to write it.
    Btw, you can use a node native addon to copy encryption/decryption code without rewriting it to js. Also, using js for things like this is interesting, but not sure if it would be useful anywhere. Also, it would be interesting to write a proxy on node.js, because js syntax is kind of sweet candy after C++ or even C# (ok, C# is cool, sry...and if exclude those js async callback-in-callback trash hardcore).

  4. #4
    Novice QAune1992 is offline
    MemberRank
    Oct 2014 Join Date
    3Posts

    Re: Node.js+frida sniffer

    Hi Turmalin, I think u do rly good job but not sure if we can use this :)
    I'm stuck probably on start.

    I installed node.js node-v5.1.0-x64 (is this version which i should use?).
    I downloaded client 6.0.8 and connected to my server from this client.
    I downloaded node_frida.zip and uncompressed.
    I navigated to directory node_frida from cmd and used 'nmp install' command.
    I noticed in package.json u have predefined
    "frida": "D:\\ProjectSVN\\NodeJS\\node_frida\\frida_binding-v0.0.0-node-v46-win32-x64.tar.gz"
    Sadly can't find this file in google, so didn't even try with 'npm install'.

    I decided to download https://github.com/frida/frida-node and used 'nmp install' command.
    It started with error
    npm ERR! addLocal Could not install C:\Users\root\Desktop\node\node_frida\sumo-frida-src-0.9.4.tar.gz
    npm ERR! Windows_NT 6.1.7601
    Here is debug: https://gist.github.com/anonymous/bd33fa3dd52c28046aa6

    Maybe you can attach/upload frida_binding-v0.0.0-node-v46-win32-x64.tar.gz?
    This project looks really interesting, so I want to go for it.

  5. #5
    Proficient Member Turmalin is offline
    MemberRank
    Jul 2014 Join Date
    168Posts

    Re: Node.js+frida sniffer

    Hi!
    Sry, it's my bad, project.json is full of different trash, because I just usually copy it between diff projects.

    https://mega.nz/#!sIQzQIYR!2IqCceQFN8dEsCdRmGkxTTRaPKQkNWQGgcM3F1incqs

    Here you can get the latest version with all included modules, if it doesn't work, write me at skype (demogor3).


