Crypto ; packet decrypt stuff
  1. #46 Esoserv2 (Sergeant):
    This is how LordPE looks here:

    (image: lordpe2.jpg)

    And these are my .text segment settings:

    (image: lordpe.jpg)

    I reproduced it again: launched Olly 1.0.10.0 32-bit, set a hardware breakpoint, pressed Shift-F9 until the call and jump instruction came up, inserted the OEP, and made a dump without fixing the raw size. Then I opened this file with LordPE, changed it to writable, saved, and done. The dump executes without failure.
  2. #47 Anakin5 (Member):
    Originally Posted by blar0:
        - Patch the public key (StaticOtherPublicKey) hardcoded in the binary.
        - Hook the method SetKeyWithIV from the CTR_Mode<AES> class, and get the key (aka sha256 of the SharedSecret).
    Is there anything already existing to auto-patch the client binary? I am thinking about having an alternate tool that hooks SetKeyWithIV and sends the key to the server through another channel, so that the client binary remains intact.

  3. #48 races (Corporal):
    Originally Posted by Anakin5:
        Is there anything already existing to auto-patch the client binary? I am thinking about having an alternate tool that hooks SetKeyWithIV and sends the key to the server through another channel, so that the client binary remains intact.
    Look at this thread: http://www.ownedcore.com/forums/mmo/...ml#post2962191
    In the release.rar you can find an injector and a DLL to replace the public key, definitely easier than hooking SetKeyWithIV and creating a "new" protocol just to send a key.
    And the main problem was that you don't know the private key of the official server, so you have to patch the public one in all cases.

  4. #49 blar0 (Active Member):
    It's not necessary to patch the public key. If you can hook SetKeyWithIV, it's the same thing. But yeah, maybe it's more complicated to do that.

  5. #50 Anakin5 (Member):
    I guess patching on the fly is also an acceptable solution, of course, as long as the client binary is not touched. Thanks for pointing me to that thread; I missed this one.

  6. #51 Anakin5 (Member):
    There is something a little confusing about the key exchange part in your Python module:

    Keys are received in this order: 3, 5, 2, 1, 4, and that's also the order in which to give them to the DiffieHellman class.
    But when decoding opcode 2b10, they are read as 00, 01, 02, 03, 04 (aka 3, 5, 2, 1, 4) and passed to the DiffieHellman class as 03, 02, 00, 04, 01 (aka 1, 2, 3, 4, 5).

    Is that just names being mixed up, or is there a trick in the order of the keys?

  7. #52 blar0 (Active Member):
    There is a special order for the lobby, character and region servers; maybe look at the last release of the debug server, I think I fixed this naming order.

  8. #53 Xasher (Private):
    Hi,

    I'm looking for a packet dumper with the encryption inside. Otherwise I would program this tool myself.

    Sorry for my English.. :/

    PS. Thanks blar0 for your guide.
    In the near future I will release the C# emu for TESO.

    Xasher

  9. #54 Raknar4 (Private):
    Hi all,

    How different is reversing from WoW?
