I'm working on it again, got a bit caught up in life. Need to readjust everything to the new offsets or find a way to make them adjust :/ then I'm back to trying to find out how to follow memory locations lol
I'm working on it again, got a bit caught up in life. Need to readjust everything to the new offsets or find a way to make them adjust :/ then I'm back to trying to find out how to follow memory locations lol
These ads disappear when you log in.
Anyone knows where the send and receive functions are?
Last edited by arteros; 05-13-2014 at 08:51 AM.
it looks like there are a few different sends and receives being used (I haven't been digging into it for a few weeks - been busy) If I remember correctly, you can pretty easily find the calls for send and recv... but hooking in either of those will get you encrypted data.
The encryption itself looks like RC4, and both send and receive go through the same function to encrypt and decrypt, so hooking right at the start or end of the RC4 block will get you some plaintext and some ciphertext, depending on whether the data going through encryption is on the way in or out.
I have not yet had a chance to find a common point on the inbound or outbound traffic path that I can hook in order to capture plaintext; that's next on my list, but I just haven't had the free time. There have been a number of patches since I last looked at the code, so I'll need to do some extra work to find the RC4 function again as well... but when I do, I can post the offset here.
The last patch was a MAJOR change - it looks like they switched compilers (though I haven't confirmed yet). Most of the code is the same, but the registers have been switched around, and enough code has changed that most offsets have moved as well. It wasn't terribly hard to find the new functions and offsets, but it *was* annoying.
arteros (or anyone) - are you still pursuing this? I've gone through and located the RC4 block again if you're interested. Unfortunately, I still have not had the time (or maybe it's taking so much time because I lack the ability) to trace between the RC4 block and the actual send/receive functions... so I still don't have easy way to determine what's plaintext and what is ciphertext.
The RC4 algorithm is this:
while (true)
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
Swap (S[i], S[j]);
t = (S[i] + S[j]) mod 256;
k = S[t];
Here's the block, with my comments, that I *think* is RC4. If anyone sees error, please don't hold back - I'm still VERY new at this.
I'd really like to try to reverse the protocol - I've never done protocol reversing, and it seems like an interesting challenge... however, without unencrypted traffic, I'm afraid I'm dead in the water.Code:.text:00BCF700 ; =============== S U B R O U T I N E ======================================= .text:00BCF700 .text:00BCF700 ; Attributes: bp-based frame .text:00BCF700 .text:00BCF700 run_rc4_sub_BCF700 proc near ; CODE XREF: MsgConn_cpp_sub_BCBE80+66p .text:00BCF700 ; MsgConn_cpp_sub_BCC290+167p .text:00BCF700 .text:00BCF700 esi_temp_storage_var_8= dword ptr -8 .text:00BCF700 s_box_var_4 = dword ptr -4 .text:00BCF700 loop_counter_arg_0= dword ptr 8 .text:00BCF700 plaintext_arg_4 = dword ptr 0Ch .text:00BCF700 some_array_maybe_sbox_arg_8= dword ptr 10h .text:00BCF700 .text:00BCF700 push ebp .text:00BCF701 mov ebp, esp ; standard function header .text:00BCF703 sub esp, 8 .text:00BCF706 cmp [ebp+loop_counter_arg_0], 0 ; check if length is 0 .text:00BCF70A push esi ; save esi .text:00BCF70B mov esi, ecx .text:00BCF70D push edi .text:00BCF70E mov eax, [esi] ; eax = esi = i .text:00BCF710 mov edi, [esi+4] ; edi = esi + 4 = j .text:00BCF713 lea edx, [esi+8] ; edx = esi+8 = S[] .text:00BCF716 mov [ebp+esi_temp_storage_var_8], esi .text:00BCF719 mov [ebp+s_box_var_4], edx .text:00BCF71C jbe short loc_BCF772 ; clean up stack for return .text:00BCF71E mov esi, [ebp+some_array_maybe_sbox_arg_8] .text:00BCF721 sub [ebp+plaintext_arg_4], esi .text:00BCF724 push ebx .text:00BCF725 .text:00BCF725 loc_BCF725: ; CODE XREF: run_rc4_sub_BCF700+6Cj .text:00BCF725 inc eax ; while(true) .text:00BCF725 ; i=i+1 % 256 .text:00BCF726 and eax, 0FFh ; | .text:00BCF72B lea esi, [esi+1] ; j = (j+S[i]) % 256 .text:00BCF72E mov bl, [edx+eax] ; | .text:00BCF731 movzx ecx, bl ; | .text:00BCF734 add edi, ecx ; | .text:00BCF736 and edi, 0FFh ; | .text:00BCF73C movzx ecx, byte ptr [edx+edi] ; | .text:00BCF740 mov [edx+eax], cl ; swap(s[i], s[j]) .text:00BCF743 mov [edx+edi], bl ; | .text:00BCF746 movzx edx, byte ptr [edx+eax] ; | .text:00BCF74A movzx ecx, bl ; | .text:00BCF74D add edx, ecx ; t=(S[i]+S[j]) % 256 .text:00BCF74F mov ecx, [ebp+s_box_var_4] ; | (set ecx=plaintext) .text:00BCF752 and edx, 0FFh ; | .text:00BCF758 movzx ecx, byte ptr [edx+ecx] ; k = S[t] .text:00BCF75C mov edx, [ebp+plaintext_arg_4] .text:00BCF75F xor cl, [edx+esi-1] ; perform encryption. cl - plaintext .text:00BCF763 dec [ebp+loop_counter_arg_0] .text:00BCF766 mov edx, [ebp+s_box_var_4] .text:00BCF769 mov [esi-1], cl ; save ciphertext in esi-i (esi has already been inc'd) .text:00BCF76C jnz short loc_BCF725 ; while(true) .text:00BCF76C ; i=i+1 % 256 .text:00BCF76E mov esi, [ebp+esi_temp_storage_var_8] ; restore ESI .text:00BCF771 pop ebx ; restore ebx .text:00BCF772 .text:00BCF772 loc_BCF772: ; CODE XREF: run_rc4_sub_BCF700+1Cj .text:00BCF772 mov [esi+4], edi ; clean up stack for return .text:00BCF775 pop edi .text:00BCF776 mov [esi], eax .text:00BCF778 pop esi .text:00BCF779 mov esp, ebp .text:00BCF77B pop ebp .text:00BCF77C retn 0Ch .text:00BCF77C run_rc4_sub_BCF700 endp![]()
Last edited by m1m; 06-06-2014 at 07:33 PM. Reason: Decided to just add code
Anyone know anything about the red circles on the ground? like where they are stored etc?