PCAP and more
  1. #16
    Esoserv
    So I tried to send it as one TCP packet:

    Code:
    if (sendOnce)
    {
         // 4-byte big-endian length prefix (0x0000000a = 10) followed by the 10 payload bytes
         byte[] resBuff = new byte[] { 0x00, 0x00, 0x00, 0x0a, 0x01, 0x03, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00 };
         clientStream.Write(resBuff, 0, resBuff.Length);
         clientStream.Flush();
         sendOnce = false;   // only send it once per connection
    }
    Client hangs, no escape possible. When I send the packet a second time, the client posts a "logout", goes back to the login screen and after a while it crashes. Inside the crash log the player name is the local player. Thanks a lot blar0.

  2. #17
    blar0
    Originally Posted by races
    It's a bit useless ... but where did you find the function that handles the opcode?
    An IDA Python script generates them for me: Private Paste - Pastie
    It's really difficult without a packet dump to understand everything, to know what should be the first, second, etc. packet, but it's fun

    Here is the output of the script (from the binary I uploaded on mega)

    Code:
    [+] Group 1 : RVA = 0001FD60 ; VA = 0088FD60
    0x40FF;0x4100;0x4101;0x4102;0x4103;0x4104;0x4105;0x4106;0x4107;0x4108;0x4109;0x410A;0x410B;0x410C;0x410D;0x410E;0x410F;0x4110;0x4111;0x4112;0x4113;0x4114;0x4115;0x4116;0x4117;0x4118;0x4119;0x411A;0x411B;0x411C;0x411D;0x411E;0x411F;0x4120;0x4121;0x4122;0x4123;0x4124;0x4125;0x4126;0x4127;0x4128;0x4129;0x412A;0x412B;0x412C;0x412D;0x412E;0x412F;0x4130;0x4131;0x4132;0x4133;0x4134;0x4135;0x4136;0x4137;0x4138;0x4139;0x413A;0x413B;0x413C;0x413D;0x413E;0x413F;0x4140;0x4141;0x4142;0x4143;0x4144;0x4145;0x4146;0x4147;0x4148;0x4149;0x414A;0x414B;0x414C;0x414D;0x414E;0x414F;0x4150;0x4151;0x4152;0x4153;0x4154;0x4155;0x4156;0x4157;0x4158;0x4159;0x415A;0x415B;0x415C;0x415D;0x415E;0x415F;0x4160;0x4161;0x4162;0x4163;0x4164;0x4165;0x4166;0x4167;0x4168;0x4169;0x416A;0x416B;0x416C;0x416D;0x416E;0x416F;0x4170;0x4171;0x4172;0x4173;0x4174;0x4175;0x4176;0x4177;0x4178;0x4179
    [+] Group 2 : RVA = 00024BD0 ; VA = 00894BD0
    0x4F01;0x4F02;0x4F03;0x4F04;0x4F05;0x4F06;0x4F07;0x4F08;0x4F09;0x4F0A;0x4F0B;0x4F0C;0x4F0D;0x4F0E;0x4F0F;0x4F10;0x4F11;0x4F12;0x4F13;0x4F14;0x4F15;0x4F16;0x4F17;0x4F18;0x4F19;0x4F1A;0x4F1B;0x4F1C;0x4F1D;0x4F1E;0x4F1F;0x4F20;0x4F21;0x4F22;0x4F23;0x4F24;0x4F25;0x4F26;0x4F27;0x4F28;0x4F29;0x4F2A;0x4F2B;0x4F2C;0x4F2D;0x4F2E;0x4F2F;0x4F30;0x4F31;0x4F32;0x4F33;0x4F34;0x4F35;0x4F36;0x4F37;0x4F38;0x4F39;0x4F3A;0x4F3B;0x4F3C;0x4F3D;0x4F3E;0x4F3F;0x4F40;0x4F41;0x4F42;0x4F43;0x4F44;0x4F45;0x4F46;0x4F47;0x4F48;0x4F49;0x4F4A;0x4F4B;0x4F4C;0x4F4D;0x4F4E;0x4F4F;0x4F50;0x4F51;0x4F52;0x4F53;0x4F54;0x4F55;0x4F56;0x4F57;0x4F58;0x4F59;0x4F5A;0x4F5B;0x4F5C;0x4F5D;0x4F5E;0x4F5F;0x4F60;0x4F61;0x4F62;0x4F63;0x4F64;0x4F65;0x4F66;0x4F67;0x4F68;0x4F69;0x4F6A;0x4F6B;0x4F6C;0x4F6D;0x4F6E;0x4F6F;0x4F70;0x4F71;0x4F72;0x4F73;0x4F74;0x4F75;0x4F76;0x4F77;0x4F78;0x4F79;0x4F7A;0x4F7B;0x4F7C
    [+] Group 3 : RVA = 0002AF00 ; VA = 0089AF00
    0x0100;0x0101;0x0102;0x0103;0x0104;0x0105;0x0106;0x0107;0x0108;0x0109;0x010A;0x010B;0x010C;0x010D;0x010E;0x010F;0x0110;0x0111;0x0112;0x0113;0x0114;0x0115;0x0116;0x0117;0x0118;0x0119;0x011A;0x011B;0x011C;0x011D
    [+] Group 4 : RVA = 00031650 ; VA = 008A1650
    0x01FF;0x0200;0x0201;0x0202;0x0203;0x0204;0x0205;0x0206;0x0207;0x0208;0x0209;0x020A;0x020B;0x020C;0x020D;0x020E;0x020F;0x0210;0x0211;0x0212;0x0213;0x0214;0x0215;0x0216;0x0217;0x0218;0x0219;0x021A;0x021B;0x021C;0x021D;0x021E;0x021F;0x0220;0x0221;0x0222;0x0223;0x0224;0x0225;0x0226;0x0227;0x0228;0x0229;0x022A;0x022B;0x022C;0x022D;0x022E;0x022F;0x0230;0x0231;0x0232;0x0233;0x0234;0x0235;0x0236;0x0237;0x0238;0x0239;0x023A;0x023B;0x023C;0x023D;0x023E;0x023F;0x0240;0x0241;0x0242;0x0243;0x0244;0x0245;0x0246;0x0247;0x0248;0x0249;0x024A;0x024B;0x024C;0x024D;0x024E;0x024F;0x0250;0x0251;0x0252;0x0253;0x0254;0x0255;0x0256;0x0257;0x0258;0x0259;0x025A;0x025B;0x025C;0x025D;0x025E;0x025F;0x0260;0x0261;0x0262;0x0263;0x0264;0x0265;0x0266;0x0267;0x0268;0x0269;0x026A;0x026B;0x026C;0x026D;0x026E;0x026F;0x0270;0x0271;0x0272;0x0273;0x0274;0x0275;0x0276;0x0277;0x0278;0x0279;0x027A;0x027B;0x027C;0x027D;0x027E;0x027F;0x0280;0x0281;0x0282;0x0283;0x0284;0x0285;0x0286;0x0287;0x0288;0x0289;0x028A;0x028B;0x028C;0x028D;0x028E;0x028F;0x0290;0x0291;0x0292;0x0293;0x0294;0x0295;0x0296;0x0297;0x0298;0x0299;0x029A;0x029B;0x029C;0x029D;0x029E;0x029F;0x02A0;0x02A1;0x02A2;0x02A3;0x02A4;0x02A5;0x02A6;0x02A7;0x02A8;0x02A9;0x02AA;0x02AB;0x02AC;0x02AD;0x02AE;0x02AF;0x02B0;0x02B1;0x02B2;0x02B3;0x02B4;0x02B5;0x02B6;0x02B7;0x02B8;0x02B9;0x02BA;0x02BB;0x02BC;0x02BD;0x02BE;0x02BF;0x02C0;0x02C1;0x02C2;0x02C3;0x02C4;0x02C5;0x02C6;0x02C7;0x02C8;0x02C9;0x02CA;0x02CB;0x02CC;0x02CD;0x02CE;0x02CF;0x02D0;0x02D1;0x02D2;0x02D3;0x02D4;0x02D5;0x02D6;0x02D7;0x02D8;0x02D9;0x02DA;0x02DB;0x02DC;0x02DD;0x02DE;0x02DF;0x02E0;0x02E1;0x02E2;0x02E3;0x02E4;0x02E5;0x02E6;0x02E7;0x02E8;0x02E9;0x02EA;0x02EB;0x02EC;0x02ED;0x02EE;0x02EF;0x02F0;0x02F1;0x02F2;0x02F3;0x02F4;0x02F5;0x02F6;0x02F7;0x02F8;0x02F9;0x02FA;0x02FB;0x02FC;0x02FD;0x02FE;0x02FF;0x0300;0x0301;0x0302;0x0303;0x0304;0x0305;0x0306;0x0307;0x0308;0x0309;0x030A;0x030B;0x030C;0x030D;0x030E;0x030F;0x0310;0x0311;0x0312;0x0313;0x0314;0x0315;0x0316;0x0317;0x0318;0x0319;0x031A;0x031B;0
x031C;0x031D;0x031E;0x031F;0x0320;0x0321;0x0322;0x0323;0x0324;0x0325;0x0326;0x0327;0x0328;0x0329;0x032A;0x032B;0x032C;0x032D;0x032E;0x032F;0x0330;0x0331;0x0332;0x0333;0x0334;0x0335;0x0336;0x0337;0x0338;0x0339;0x033A;0x033B;0x033C;0x033D;0x033E;0x033F;0x0340;0x0341;0x0342;0x0343;0x0344;0x0345;0x0346;0x0347;0x0348;0x0349;0x034A;0x034B;0x034C;0x034D;0x034E;0x034F;0x0350;0x0351;0x0352;0x0353;0x0354;0x0355;0x0356;0x0357;0x0358;0x0359;0x035A;0x035B;0x035C;0x035D;0x035E;0x035F;0x0360;0x0361;0x0362;0x0363;0x0364;0x0365;0x0366;0x0367;0x0368;0x0369;0x036A;0x036B;0x036C;0x036D;0x036E;0x036F;0x0370;0x0371;0x0372;0x0373;0x0374;0x0375;0x0376;0x0377;0x0378;0x0379;0x037A;0x037B;0x037C;0x037D;0x037E;0x037F;0x0380;0x0381;0x0382;0x0383;0x0384;0x0385;0x0386;0x0387;0x0388;0x0389;0x038A;0x038B;0x038C;0x038D;0x038E;0x038F;0x0390;0x0391;0x0392;0x0393;0x0394;0x0395;0x0396;0x0397;0x0398;0x0399;0x039A;0x039B;0x039C;0x039D;0x039E;0x039F;0x03A0;0x03A1;0x03A2;0x03A3;0x03A4;0x03A5;0x03A6;0x03A7;0x03A8;0x03A9;0x03AA;0x03AB;0x03AC;0x03AD;0x03AE;0x03AF;0x03B0;0x03B1;0x03B2;0x03B3;0x03B4;0x03B5;0x03B6;0x03B7;0x03B8;0x03B9;0x03BA;0x03BB;0x03BC;0x03BD;0x03BE;0x03BF;0x03C0;0x03C1;0x03C2;0x03C3;0x03C4;0x03C5;0x03C6;0x03C7;0x03C8;0x03C9;0x03CA;0x03CB;0x03CC;0x03CD;0x03CE;0x03CF;0x03D0;0x03D1;0x03D2;0x03D3;0x03D4;0x03D5;0x03D6;0x03D7;0x03D8;0x03D9;0x03DA;0x03DB;0x03DC;0x03DD;0x03DE;0x03DF;0x03E0;0x03E1;0x03E2;0x03E3;0x03E4;0x03E5;0x03E6;0x03E7;0x03E8;0x03E9;0x03EA;0x03EB;0x03EC;0x03ED;0x03EE;0x03EF;0x03F0;0x03F1;0x03F2;0x03F3;0x03F4;0x03F5;0x03F6;0x03F7;0x03F8;0x03F9;0x03FA;0x03FB;0x03FC;0x03FD;0x03FE;0x03FF;0x0400;0x0401;0x0402;0x0403;0x0404;0x0405;0x0406;0x0407;0x0408;0x0409;0x040A;0x040B;0x040C;0x040D;0x040E;0x040F;0x0410;0x0411;0x0412;0x0413;0x0414;0x0415;0x0416;0x0417;0x0418;0x0419;0x041A;0x041B;0x041C;0x041D;0x041E;0x041F;0x0420;0x0421;0x0422;0x0423;0x0424;0x0425;0x0426;0x0427;0x0428;0x0429;0x042A;0x042B;0x042C;0x042D;0x042E;0x042F;0x0430;0x0431;0x0432;0x0433;0x0434;0x0435;0x0436;0x0437;0x0438;0x0439
;0x043A;0x043B;0x043C;0x043D;0x043E;0x043F;0x0440;0x0441;0x0442;0x0443;0x0444;0x0445;0x0446;0x0447;0x0448;0x0449;0x044A;0x044B;0x044C;0x044D;0x044E;0x044F;0x0450;0x0451;0x0452;0x0453;0x0454;0x0455;0x0456;0x0457;0x0458;0x0459;0x045A;0x045B;0x045C;0x045D;0x045E;0x045F;0x0460;0x0461;0x0462;0x0463;0x0464;0x0465;0x0466;0x0467;0x0468;0x0469;0x046A;0x046B;0x046C;0x046D;0x046E;0x046F;0x0470;0x0471;0x0472;0x0473;0x0474;0x0475;0x0476;0x0477;0x0478;0x0479;0x047A;0x047B;0x047C;0x047D;0x047E;0x047F;0x0480;0x0481;0x0482;0x0483;0x0484;0x0485;0x0486;0x0487;0x0488;0x0489;0x048A;0x048B;0x048C;0x048D;0x048E;0x048F;0x0490;0x0491;0x0492;0x0493;0x0494;0x0495;0x0496;0x0497;0x0498;0x0499;0x049A;0x049B;0x049C;0x049D;0x049E;0x049F;0x04A0;0x04A1;0x04A2;0x04A3;0x04A4;0x04A5;0x04A6;0x04A7;0x04A8;0x04A9;0x04AA;0x04AB;0x04AC;0x04AD;0x04AE;0x04AF;0x04B0;0x04B1;0x04B2;0x04B3;0x04B4;0x04B5;0x04B6;0x04B7;0x04B8;0x04B9;0x04BA;0x04BB
    [+] Group 5 : RVA = 01210FA7 ; VA = 01A80FA7
    0x2B06;0x2B07;0x2B08;0x2B09;0x2B0A;0x2B0B;0x2B0C;0x2B0D;0x2B0E;0x2B0F;0x2B10;0x2B11
    Originally Posted by Esoserv
    So I tried to send it as one TCP packet:
    Client hangs, no escape possible. When I send the packet a second time, the client posts a "logout", goes back to the login screen and after a while it crashes. Inside the crash log the player name is the local player. Thanks a lot blar0.
    I have sent the same packet:

    Code:
    0000  00 00 00 0a                                       ....
    
    0000  01 03 00 0a 00 01 00 01 00 00                     ..........
    I only get a hang if the program is under a debugger ... weird.
    Last edited by blar0; 01-05-2014 at 10:05 AM.

  3. #18
    blar0
    A few notes about some opcodes:

    Read_Byte : the packet must contain a byte
    Read_Word : the packet must contain a word
    Read_Integer : the packet must contain an integer
    Read_Qword : the packet must contain a 64-bit integer
    Read_Buffer : the packet must contain a word for the size of the buffer, then the buffer + "\x00"

    Code:
    - 0x113:
    
    	Read_Byte			// NULL : DEBUG ; not NULL : NO DEBUG
    	Read_Buffer			// Client version ([WORD : 0x11 ; BUFFER : "live.1.0.0.707462"])
    	if DEBUG:
    		error_msg("This version of the client is not compatible with the server you are connecting to.\n\nError: %s\n", BUFFER);
    		// ^ to verify put HBP on this string
    
    - 0x11F: // Position in QUEUE
    
    	Read_Word			
    	error_msg("You are in the login queue at place %u.")
    	// ^ to verify put HBP on this string
    
    - 0x101 	// Related with player population ?
    
    	nb = Read_Integer
    	if nb > 0xFDE8
    		goto error
    	else
    		for (i = 0; i < nb; i++)
    			Read_Byte
    		Read_Word
    
    - 0x102: // Send Configuration ?!
    
    	// Buffer_1 == Name_Config (Ex : "MouseRawInput" ; "CachedRLREnabled" ; "HardwareCheckEnabled.2" ; "etc ... ")
    	// Buffer_2 == VALUE
    
    	nb = Read_Byte
    	if nb > 0x32
    		goto error
    	else
    		for (i = 0; i < nb; i++)
    			Read_Buffer
    			Read_Buffer
    
    - 0x104: // Send disconnection !
    
    	Read_Integer
    	Read_Integer
    	Read_Integer
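Added example, not code from the thread: a Python reader for the payload layouts listed above, applying the same count limits (0xFDE8 for 0x101, 0x32 for 0x102) that the notes say the client enforces, and rejecting truncated buffers and trailing bytes. Byte order is an assumption (big-endian, like the 00 00 00 0a length prefix seen earlier); the sample payloads are constructed, not captured.

```python
import struct

class Reader:
    # Byte order is an assumption: big-endian, like the 00 00 00 0a length prefix above.
    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, fmt):
        size = struct.calcsize(fmt)
        if self.pos + size > len(self.data):
            raise ValueError(f"need {size} bytes at offset {self.pos}")
        self.pos += size
        return struct.unpack_from(fmt, self.data, self.pos - size)[0]

    def read_byte(self): return self._take(">B")
    def read_word(self): return self._take(">H")
    def read_integer(self): return self._take(">I")

    def read_buffer(self):   # WORD length, the bytes, then a terminating "\x00"
        n = self.read_word()
        raw = self.data[self.pos:self.pos + n + 1]
        if len(raw) != n + 1 or raw[-1] != 0:
            raise ValueError("buffer truncated or not NUL-terminated")
        self.pos += n + 1
        return raw[:-1]

def parse_0x113(r):
    debug = r.read_byte() == 0                      # NULL byte means DEBUG
    return {"debug": debug, "version": r.read_buffer().decode()}

def parse_0x101(r):
    nb = r.read_integer()
    if nb > 0xFDE8:                                 # the bound the client itself enforces
        raise ValueError(f"0x101: count {nb:#x} exceeds 0xFDE8")
    return {"entries": [r.read_byte() for _ in range(nb)], "trailer": r.read_word()}

def parse_0x102(r):
    nb = r.read_byte()
    if nb > 0x32:
        raise ValueError(f"0x102: count {nb:#x} exceeds 0x32")
    cfg = {}
    for _ in range(nb):                             # Buffer_1 = name, Buffer_2 = value
        name = r.read_buffer().decode()
        cfg[name] = r.read_buffer().decode()
    return cfg

HANDLERS = {0x113: parse_0x113, 0x101: parse_0x101, 0x102: parse_0x102,
            0x11F: lambda r: {"queue_position": r.read_word()},
            0x104: lambda r: {"values": [r.read_integer() for _ in range(3)]}}

def parse_payload(opcode, payload):
    """Dispatch one payload to its handler and refuse trailing bytes."""
    r = Reader(payload)
    result = HANDLERS[opcode](r)
    if r.pos != len(payload):
        raise ValueError(f"{len(payload) - r.pos} trailing byte(s)")
    return result

# Constructed sample payloads (not captured traffic): flag byte / count, then buffers
SAMPLE_0x113 = b"\x01" + b"\x00\x11" + b"live.1.0.0.707462\x00"
SAMPLE_0x102 = (b"\x02" + b"\x00\x0dMouseRawInput\x00" + b"\x00\x01" + b"1\x00"
                + b"\x00\x10CachedRLREnabled\x00" + b"\x00\x01" + b"0\x00")
```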

  4. #19
    blar0
    For those who want to help work on it or whatever, here is a Python script I use to test all the stuff that I reverse: Private Paste - Pastie

    Btw, I really need packet dumps!!! I don't care if they are from an older version.

  5. #20
    blar0
    A few updates on the first packet sent by the client to the server after connecting.
    010 Editor template:
    Code:
    typedef struct
    {
      WORD      size;
      BYTE      data[size + 1];
    } TESO_Buffer;
    
    typedef struct
    {
      DWORD     uncomp_size;
      DWORD     comp_size;
      BYTE      data[comp_size];
    } zlib_buffer;
    
    typedef struct 
    {
        WORD        NS_version;
        WORD        NS_streamID;
        DWORD       size;
        WORD        opcode;
        TESO_Buffer login;
        TESO_Buffer version;
        zlib_buffer unk_zlib_00;
        zlib_buffer unk_zlib_01;
        zlib_buffer unk_zlib_02;
        DWORD       unk_dword_00;  // (Region protocol ? )
        zlib_buffer unk_zlib_03;
        DWORD       unk_dword_01;
        DWORD       unk_dword_02;  // (Lobby protocol ?)
        DWORD       unk_dword_03;
        zlib_buffer unk_zlib_04;
        BYTE        unk_byte_03;
        TESO_Buffer langage;
    } TESO_FIRST;
    BigEndian();
    DWORD size_packet;
    TESO_FIRST f;
    Last edited by blar0; 01-09-2014 at 02:44 AM.
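Added example, not the thread's own code: a Python parser for the `DWORD size_packet` + TESO_FIRST layout in the template above, walking the TESO_Buffer and zlib_buffer fields in the same order. The decompressed length declared in `uncomp_size` is treated as a bound to verify rather than trusted, so a mismatched or oversized declaration is rejected instead of inflating blindly. The header values and blob contents in `build_sample` are made up (the thread does not say what they mean) and the packet is constructed, not captured.

```python
import struct, zlib

def read_buffer(data, pos):
    """TESO_Buffer: WORD size, then size + 1 bytes (payload plus trailing NUL)."""
    (n,) = struct.unpack_from(">H", data, pos)
    raw = data[pos + 2:pos + 3 + n]
    if len(raw) != n + 1 or raw[-1] != 0:
        raise ValueError("malformed TESO_Buffer")
    return raw[:-1], pos + 3 + n

def read_zlib(data, pos, max_out=1 << 20):
    """zlib_buffer: DWORD uncomp_size, DWORD comp_size, data[comp_size]. The declared
    uncomp_size comes off the wire, so it is a bound to verify, not a value to trust."""
    uncomp, comp = struct.unpack_from(">II", data, pos)
    if uncomp > max_out or len(data) < pos + 8 + comp:
        raise ValueError("zlib_buffer: declared size too large or data truncated")
    d = zlib.decompressobj()
    out = d.decompress(data[pos + 8:pos + 8 + comp], uncomp + 1)  # never inflate past the bound
    if len(out) != uncomp or not d.eof:
        raise ValueError("zlib_buffer: decompressed size mismatch")
    return out, pos + 8 + comp

# TESO_FIRST field order from the 010 template above; struct formats are big-endian
FIRST_LAYOUT = [("NS_version", ">H"), ("NS_streamID", ">H"), ("size", ">I"), ("opcode", ">H"),
                ("login", "buf"), ("version", "buf"), ("unk_zlib_00", "zlib"), ("unk_zlib_01", "zlib"),
                ("unk_zlib_02", "zlib"), ("unk_dword_00", ">I"), ("unk_zlib_03", "zlib"),
                ("unk_dword_01", ">I"), ("unk_dword_02", ">I"), ("unk_dword_03", ">I"),
                ("unk_zlib_04", "zlib"), ("unk_byte_03", ">B"), ("langage", "buf")]

def parse_first(packet):
    (size_packet,) = struct.unpack_from(">I", packet, 0)
    if size_packet != len(packet) - 4:
        raise ValueError("size_packet does not match the frame length")
    pos, fields = 4, {}
    for name, kind in FIRST_LAYOUT:
        if kind == "buf":
            fields[name], pos = read_buffer(packet, pos)
        elif kind == "zlib":
            fields[name], pos = read_zlib(packet, pos)
        else:
            (fields[name],) = struct.unpack_from(kind, packet, pos)
            pos += struct.calcsize(kind)
    if pos != len(packet):
        raise ValueError(f"{len(packet) - pos} trailing byte(s)")
    return fields

def pack_buf(s):
    return struct.pack(">H", len(s)) + s + b"\x00"

def pack_zlib(s):
    c = zlib.compress(s)
    return struct.pack(">II", len(s), len(c)) + c

def build_sample():
    """Constructed packet with made-up values (not a capture); header values are arbitrary."""
    body = (struct.pack(">HHIH", 1, 1, 0, 0)
            + pack_buf(b"player@example.invalid") + pack_buf(b"live.1.0.0.707462")
            + pack_zlib(b"blob0") + pack_zlib(b"blob1") + pack_zlib(b"blob2")
            + struct.pack(">I", 1) + pack_zlib(b"blob3")
            + struct.pack(">III", 2, 3, 4) + pack_zlib(b"blob4")
            + b"\x00" + pack_buf(b"en"))
    return struct.pack(">I", len(body)) + body
```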

  6. #21
    races
    Do you have the unpacked binary for build 'eso.live.1.0.0.707462'?

  7. #22
    blar0
    Here you go: link

  8. #23
    races
    thx!
    I will try to continue to reverse some stuff, but I'm such a noob with IDA.

  9. #24
    blar0
    Be careful when you use IDA: don't forget to manually load the binary, to be able to have the .reloc section loaded, because there is some (a lot of) (obfuscated) code in it.
    ^ talking about the unpacked version.

  10. #25
    blar0
    More information about the handshake: answer with opcode 0x2B08 and do the Diffie-Hellman to check that:

    Code:
    # Agree 1
    CryptoPP::DH2::Agree(AgreedValue = OUT, StaticSecretKey = CKey_1->Private_buf, ephemeralSecretKey = CKey_2->Private_buf,  staticOtherPublicKey = StaticOtherPublicKey, ephemeralOtherPublicKey = zlib_2)
    # Agree 2
    CryptoPP::DH2::Agree(AgreedValue = OUT, StaticSecretKey = CKey_1->Private_buf, ephemeralSecretKey = CKey_3->Private_buf,  staticOtherPublicKey = StaticOtherPublicKey, ephemeralOtherPublicKey = zlib_0)
    # Agree 3
    CryptoPP::DH2::Agree(AgreedValue = OUT, StaticSecretKey = CKey_1->Private_buf, ephemeralSecretKey = CKey_4->Private_buf,  staticOtherPublicKey = StaticOtherPublicKey, ephemeralOtherPublicKey = zlib_4)
    # Agree 4
    CryptoPP::DH2::Agree(AgreedValue = OUT, StaticSecretKey = CKey_1->Private_buf, ephemeralSecretKey = CKey_5->Private_buf,  staticOtherPublicKey = StaticOtherPublicKey, ephemeralOtherPublicKey = zlib_1)
    PUB KEY:
    Code:
    .data:012F9FC0 StaticOtherPublicKey db 67h,0ADh,27h,36h,92h,45h,0AAh,0A7h,2Eh,0E3h,43h,4Fh
    .data:012F9FC0                 db 0A3h,0C2h,52h,0Ch,33h,4Ch,3Eh,99h,0Fh,0FAh,9Dh,42h
    .data:012F9FC0                 db 73h,6,6Ch,0DFh,49h,13h,61h,0F4h,99h,5Ch,34h,31h,0FFh
    .data:012F9FC0                 db 0F2h,1Dh,2Eh,99h,0E4h,0A5h,38h,24h,1,6Bh,46h,0C8h,0B5h
    .data:012F9FC0                 db 21h,0D7h,4,49h,0D0h,2,0CEh,0C6h,3Dh,4Fh,0EBh,63h,0A7h
    .data:012F9FC0                 db 9Eh,8Eh,6Ch,9Bh,67h,0F4h,82h,0E4h,77h,38h,7Fh,0BDh
    .data:012F9FC0                 db 0C2h,0A0h,0C7h,25h,22h,3Dh,3Bh,23h,78h,38h,93h,0AEh
    .data:012F9FC0                 db 0A4h,6Eh,0DFh,51h,0E2h,6Eh,0E0h,0D0h,3Bh,57h,6,76h
    .data:012F9FC0                 db 0F9h,7Bh,76h,23h,0E9h,0EDh,6Ah,9Fh,60h,0DFh,2Eh,28h
    .data:012F9FC0                 db 5Fh,99h,0B1h,9Eh,7Fh,0DEh,77h,6Ch,0C0h,0E2h,6Dh,20h
    .data:012F9FC0                 db 37h,97h,0A8h,0D1h,44h
    Internal KeyPair:
    Code:
    .data:0136B0C8 CKey_1 CKey <?>
    .data:0136B0C8
    .data:0136B0D8 CKey_2 CKey <?>
    .data:0136B0D8
    .data:0136B0E8 CKey_3 CKey <?>
    .data:0136B0E8
    .data:0136B0F8 CKey_4 CKey <?>
    .data:0136B0F8
    .data:0136B108 CKey_5 CKey <?>
    CKEY:
    Code:
    00000000 CKey            struc ; (sizeof=0x10)
    00000000 Buffer_pubic    dd ?
    00000004 Size_public     dd ?
    00000008 Buffer_priv     dd ?
    0000000C Size_priv       dd ?
    00000010 CKey            ends
    Last edited by blar0; 01-09-2014 at 05:55 PM.
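Added example, not the thread's code: a Python model of the four `CryptoPP::DH2::Agree` calls above, run from both ends so the agreed values can be compared. Crypto++'s DH2 produces the static/static shared secret followed by the ephemeral/ephemeral one; here each side holds one static pair (playing CKey_1 and StaticOtherPublicKey) and a fresh ephemeral pair per Agree (CKey_2..5 against zlib_0..4). The group parameters are an assumption (RFC 2409 group 2, chosen because the public key blob above is 128 bytes); the thread does not give the client's actual group.

```python
import secrets

# Assumed group: the 1024-bit MODP prime from RFC 2409 (group 2) with g = 2. The
# thread shows a 128-byte static public key but not the group the client uses.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_LEN = 128                      # bytes per group element, same as the 128-byte blob above

def keygen():
    """(private, public) with public = G^private mod P, serialized big-endian."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P).to_bytes(KEY_LEN, "big")

def dh_agree(priv, other_pub):
    """Plain DH agreement; degenerate peer values (0, 1, P-1) would force a
    predictable secret, so they are rejected the way Crypto++ validation does."""
    y = int.from_bytes(other_pub, "big")
    if not 1 < y < P - 1:
        raise ValueError("invalid public key")
    return pow(y, priv, P).to_bytes(KEY_LEN, "big")

def dh2_agree(static_priv, eph_priv, static_other_pub, eph_other_pub):
    """Model of CryptoPP::DH2::Agree: agreed value = static/static secret
    followed by ephemeral/ephemeral secret (2 * KEY_LEN bytes)."""
    return dh_agree(static_priv, static_other_pub) + dh_agree(eph_priv, eph_other_pub)

def handshake(n_agree=4):
    """Replay the post's four Agree calls from both ends. Each side keeps one
    static pair (CKey_1 / StaticOtherPublicKey) and makes a fresh ephemeral
    pair per Agree. Returns [(client_value, server_value), ...]."""
    c_static, s_static = keygen(), keygen()
    results = []
    for _ in range(n_agree):
        c_eph, s_eph = keygen(), keygen()
        client = dh2_agree(c_static[0], c_eph[0], s_static[1], s_eph[1])
        server = dh2_agree(s_static[0], s_eph[0], c_static[1], c_eph[1])
        results.append((client, server))
    return results

def all_agree(results):
    """True when both ends derived identical 256-byte values for every Agree."""
    return all(c == s and len(c) == 2 * KEY_LEN for c, s in results)
```

Because the static keys are fixed (the server's is hardcoded in the client), the first half of every agreed value is the same across all four calls; only the ephemeral half changes per Agree.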

  11. #26
    races
    So the answer packet should contain multiple ephemeralOtherPublicKeys? Can you describe the format of the packet?
    Do you still use Python to deal with the crypto too?

  12. #27
    blar0
    Yes, the answer is all the ephemeralOtherPublicKeys.

    I will post more info about the layout of the answer later.

    Yes, I still use Python to deal with the crypto stuff, but because of the hardcoded public key of the server inside the client, it's difficult to do the handshake properly without setting up a hook on the Diffie-Hellman agree method inside the client binary.

  13. #28
    nippel
    Has one of you guys found the correct OEP yet, or a hint for how to? Dumping the exe works somewhat, but it is not the same; I'd like to have a properly working exe in IDA. (Yes, finding the OEP and fixing the IAT is new territory for me.)

  14. #29
    blar0
    Did you check the link on mega?
    I uploaded two versions of the unpacked binary.
    You don't need to fix the IAT ...
    Just put a HBP on ESP, trace until reaching "call security_init_cookie and jmp mainCRTStartup", dump the exe without fixing raw size and offset.
    OEP RVA: 0x5be76

  15. #30
    races
    If you have the time, you should make a tutorial about that; it would be much appreciated by the community, imho.
