Aion Sea, IP(103.246.18.234), d3d8thk(02 09 4E 4C 05 0A 0B 33 1B 4C 0C 0B 0A 00)
Conquest Aion, IP(176.31.235.31), d3d8thk(0F 39 3F 07 4C 10 3F 0E 0A 0D 4C 0D 08 05)
Eternal Aion, IP(88.190.212.4), d3d8thk(01 0A 4C 0B 02 17 09 07 1B 33 4C 04 08 00)
Evolution Fr, IP(5.135.141.17), d3d8thk(4F 4C 33 3F 0B 02 09 0A 08 0D 33 4C 15 09)
Gamez Aion, IP(69.167.179.118), d3d8thk(05 3F 33 0B 10 3F 07 0D 0C 4C 39 0D 33 00)
Just Aion, IP(188.138.11.122), d3d8thk(0A 4C 00 1B 09 0A 3F 07 0D 0C 4C 0C 0B 0A)
Unforgotten, IP(178.254.20.148), d3d8thk(08 14 4F 4F 4A 4E 4C 4F 38 02 1B 4C 3A 0B)
Actually, if you try to diff some 120k DLLs you will see there are often only 14 bytes changing, and you can see in IDA that those are used in a part that takes those bytes and a static number, which must be the length of that data.
I don't know much about what's happening from here, but it seems that function is trying to decrypt the data, and that data is then passed to getaddrinfo.
What are you trying to find, ip or length?
Put "16" instead of "14" in the box on the top of the window it'll be easier...
Aion Sea: ls0.gtemu.net
02 09 4E 4C 05 0A 0B 33 1B 4C 0C 0B 0A 00
l s 0 . g t e m u . n e t
Conquest Aion: qcai.zapto.org
0F 39 3F 07 4C 10 3F 0E 0A 0D 4C 0D 08 05
q c a i . z a p t o . o r g
Eternal Aion: kt.elysium.fr
01 0A 4C 0B 02 17 09 07 1B 33 4C 04 08 00
k t . e l y s i u m . f r
Gamez Aion: gamezaion.com
05 3F 33 0B 10 3F 07 0D 0C 4C 39 0D 33 00
g a m e z a i o n . c o m
Just Aion: t.justaion.net
0A 4C 00 1B 09 0A 3F 07 0D 0C 4C 0C 0B 0A
t . j u s t a i o n . n e t
Unforgotten: rv1140.1blu.de
08 14 4F 4F 4A 4E 4C 4F 38 02 1B 4C 3A 0B
r v 1 1 4 0 . 1 b l u . d e
I got it. The 13 or 14 byte string in the DLL corresponds to the URL for the server. You can see below how the characters in each URL match between themselves (i.e. 'a' = 3F, '.' = 4C, etc.)
Knowing this, I took the gamezaion version, put it in bin32 and then edited my hosts file to map 127.0.0.1 to gamezaion.com. That works fine. However, if I used my local machine IP (192.168.1.x) it failed.
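The byte-to-character matching worked out in this thread can be checked mechanically. The following is an added example, not code from any poster: it learns the substitution from the six byte/hostname pairs above, fails if any pair contradicts a fixed one-to-one mapping, and decodes a byte string while flagging bytes it has never seen. The names `build_table` and `decode` are hypothetical, and it assumes the mapping does not depend on position and that the string length comes from the separate static length value mentioned earlier.

```python
# Known pairs copied from the thread: (bytes from the DLL, decoded hostname).
KNOWN = [
    ("02 09 4E 4C 05 0A 0B 33 1B 4C 0C 0B 0A 00", "ls0.gtemu.net"),
    ("0F 39 3F 07 4C 10 3F 0E 0A 0D 4C 0D 08 05", "qcai.zapto.org"),
    ("01 0A 4C 0B 02 17 09 07 1B 33 4C 04 08 00", "kt.elysium.fr"),
    ("05 3F 33 0B 10 3F 07 0D 0C 4C 39 0D 33 00", "gamezaion.com"),
    ("0A 4C 00 1B 09 0A 3F 07 0D 0C 4C 0C 0B 0A", "t.justaion.net"),
    ("08 14 4F 4F 4A 4E 4C 4F 38 02 1B 4C 3A 0B", "rv1140.1blu.de"),
]
# Bytes listed in the first post for which the thread gives no hostname.
EVOLUTION_FR = "4F 4C 33 3F 0B 02 09 0A 08 0D 33 4C 15 09"


def build_table(pairs):
    """Learn byte -> char; raise if the pairs are not a consistent 1:1 mapping."""
    table, reverse = {}, {}
    for hex_bytes, host in pairs:
        # zip() stops at the end of the hostname, so a trailing pad byte
        # (the 00 after the 13-character names) is never learned.
        for b, ch in zip(bytes.fromhex(hex_bytes), host):
            if table.setdefault(b, ch) != ch or reverse.setdefault(ch, b) != b:
                raise ValueError(f"conflict at byte {b:02X} / char {ch!r}")
    return table


def decode(hex_bytes, table, length=None, unknown="?"):
    """Decode the first `length` bytes; bytes missing from the table become `unknown`."""
    data = bytes.fromhex(hex_bytes)[:length]
    return "".join(table.get(b, unknown) for b in data)


if __name__ == "__main__":
    table = build_table(KNOWN)
    for hex_bytes, host in KNOWN:
        print(f"{decode(hex_bytes, table, len(host)):<16} expected {host}")
    # One byte (15) never occurs in the known pairs, so it stays marked.
    print(decode(EVOLUTION_FR, table))
```

Without the length, a trailing 00 is indistinguishable from the byte that stands for 'j' in t.justaion.net, which is why `decode` takes it as a parameter.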