swtor winsock2 Hook

[the1domo]

hello I was curious if anyone has found out where in memory the packets are being encrypted and decrypted because I am working on a simple winsock2 Hook and here is my code it's rather crude I'm just using simple Detours

Code:

//==========================================================================
// by The1domo swtor winsock2 hooking :)
//==========================================================================
#include <winsock2.h>
#include <windows.h>
#include <iostream>
#include <vector>
#include <string>
#include <fstream>
#include <io.h>
#include <fcntl.h>
#include <fcntl.h>
#include "detours.h"
//==========================================================================
// to create a Console for write to
//==========================================================================
void createConsole( )
{
    AllocConsole();
    int hConHandle;
    long lStdHandle;
    FILE *fp;
    lStdHandle = (long)GetStdHandle(STD_OUTPUT_HANDLE);
    hConHandle = _open_osfhandle(lStdHandle, _O_TEXT);
    fp = _fdopen( hConHandle, "w" );
    *stdout = *fp;
    setvbuf( stdout, NULL, _IONBF, 0 );
}
//==========================================================================
// the original connect Function call
//==========================================================================
int (WINAPI* connect_t)(SOCKET,const struct sockaddr*,int,int);
//==========================================================================
// the original WSARecv Function call
//==========================================================================
DWORD (WINAPI* WSARecv_t)(SOCKET,LPWSABUF,DWORD,DWORD,int);
//==========================================================================
// write to the Console windows
//==========================================================================
void msg2(char* str)
{
	std::cout << " " << std::endl;
	std::cout << "msg: " << str << std::endl;
	std::cout << " " << std::endl;
}
//==========================================================================
// the hooked Function to Detour
//==========================================================================
// a hook_connect Function call
//==========================================================================
int WINAPI hook_connect(SOCKET s, const struct sockaddr *name, int namelen, int a4)
{
	_asm pushad;
		msg2("ATTEMPTED CONNECT !!!!!!!!!!!!!!!!");
	_asm popad;

	return connect_t(s, name, namelen, a4);
}
//==========================================================================
// a hook_WSARecv Function call
//==========================================================================
DWORD WINAPI hook_WSARecv(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount, DWORD a4, int a5)
{
	_asm pushad;

	if( lpBuffers && lpBuffers->buf && lpBuffers->len > 0 )
	{
		char szShit[24] = { 0 };
		sprintf( szShit, "0x%X", (DWORD)lpBuffers->buf );
		msg2(szShit);
	}

	_asm popad;

	return WSARecv_t(s, lpBuffers, dwBufferCount, a4, a5);
}
//==========================================================================
// Hooking Thread
//==========================================================================
DWORD WINAPI Thread(LPVOID)
{
		// exe base address
		DWORD swtor = (DWORD)GetModuleHandle("swtor.exe");

		// Detour for a hooked Function call
		connect_t = (int(WINAPI*)(SOCKET,const struct sockaddr*,int,int))DetourFunction((PBYTE)swtor+0x603590, (PBYTE)hook_connect);
		WSARecv_t = (DWORD(WINAPI*)(SOCKET,LPWSABUF,DWORD,DWORD,int))DetourFunction((PBYTE)swtor+0x62C7C0, (PBYTE)hook_WSARecv);

		// create a Console for write to
		createConsole( );

		// test write to Console
		std::cout << "Attached to Process" << std::endl;

		return 0;
}
//==========================================================================
// DllMain
//==========================================================================
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
{
	if(dwReason == DLL_PROCESS_ATTACH)
	{
		// Create a Thread to use by the hook
		CreateThread(NULL,NULL,Thread,NULL,NULL,NULL);
	}

	return TRUE;
}
//==========================================================================

now if anyone sees anything wrong with this or would like to help on my project to parse the packets and give them decrypted I be much appreciated if you can post in this thread all criticism is accepted thank you

[the1domo]

A working hook to log all packets it is a DLL that you inject you need the Microsoft DetourFunction library to compile if anyone has figured out the method for decrypted packets please reply or add to this code

Code:

//==========================================================================
// by The1domo swtor winsock2 hooking :)
//==========================================================================
#include <winsock2.h>
#include <windows.h>
#include <iostream>
#include <vector>
#include <string>
#include <fstream>
#include <io.h>
#include <fcntl.h>
#include <fcntl.h>
#include "detours.h"
//==========================================================================
// to create a Console for write to
//==========================================================================
void createConsole( )
{
    AllocConsole();
    int hConHandle;
    long lStdHandle;
    FILE *fp;
    lStdHandle = (long)GetStdHandle(STD_OUTPUT_HANDLE);
    hConHandle = _open_osfhandle(lStdHandle, _O_TEXT);
    fp = _fdopen( hConHandle, "w" );
    *stdout = *fp;
    setvbuf( stdout, NULL, _IONBF, 0 );
}
//==========================================================================
// write to the Console windows
//==========================================================================
void msg2(char* str)
{
	std::cout << " " << std::endl;
	std::cout << "msg: " << str << std::endl;
	std::cout << " " << std::endl;
}
//==========================================================================
// a hook_WSARecv Function call
//==========================================================================
void (WINAPI* WSARecv_t)(DWORD,LPWSABUF,DWORD,DWORD,DWORD,struct _OVERLAPPED*);

void WINAPI hook_WSARecv(DWORD Flags, LPWSABUF lpBuffers, DWORD dwBufferCount, DWORD a5, DWORD NumberOfBytesRecvd, struct _OVERLAPPED *lpOverlapped)
{
	_asm pushad;

	static int Counter = 0;
	char name[MAX_PATH];
	sprintf(name, "C:\\packets\\packet_%d.bin", Counter++);

	FILE *f = fopen(name, "wb");

	if (f )
	{
		if( lpBuffers && lpBuffers->buf && lpBuffers->len > 0 )
			fwrite(lpBuffers->buf, 1, lpBuffers->len, f);

		fflush(f);
		fclose(f);
	}

	_asm popad;

	return WSARecv_t(Flags, lpBuffers, dwBufferCount, a5, NumberOfBytesRecvd, lpOverlapped);
}
//==========================================================================
// Hooking Thread
//==========================================================================
DWORD WINAPI Thread(LPVOID)
{
		// exe base address
		DWORD swtor = (DWORD)GetModuleHandle("swtor.exe");

		// Detour for a hooked Function call
		WSARecv_t = (void(WINAPI*)(DWORD,LPWSABUF,DWORD,DWORD,DWORD,struct _OVERLAPPED*))DetourFunction((PBYTE)swtor+0x6049E0, (PBYTE)hook_WSARecv);

		// create a Console for write to
		createConsole( );

		// test write to Console
		std::cout << "Attached to Process" << std::endl;

		return 0;
}
//==========================================================================
// DllMain
//==========================================================================
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
{
	if(dwReason == DLL_PROCESS_ATTACH)
	{
		// Create a Thread to use by the hook
		CreateThread(NULL,NULL,Thread,NULL,NULL,NULL);
	}

	return TRUE;
}
//==========================================================================

[polimorfic]

Don't forget about hook detection system and packet 0x2195CC8A(MODULES_LIST)

[the1domo]

What module is that located in ?

[polimorfic]

in swtor.exe

[the1domo]

can i get the base address for the address

[polimorfic]

I can't understand you, what address do you need? For what?

I work not with exe hooking, I get sniffer dumps and decrypt/decompress them with my tools(not swor). So I have no any base addresses...


4 all: if anyone want get decrypted packets like these:

0x00 0x5FE920D4
D4 20 E9 5F 00 00 2C 02 0D 00 00 00 62 69 6F 6D | Ф й_..<.....biom
6F 6E 73 65 72 76 65 72 00 07 00 00 00 62 69 6F | onserver.....bio
6D 6F 6E 00 01 00 00 00 00 01 00 00 00 00 1C 00 | mon.............
00 00 6F 6D 65 67 61 6D 65 74 72 69 63 73 70 75 | ..omegametricspu
62 6C 69 73 68 65 72 6F 62 6A 65 63 74 00 01 00 | blisherobject...
00 00 00 09 00 00 00 33 61 33 30 33 61 66 35 00 | .......3a303af5.


PACKET 8:
Decrypt packet 159.153.64.193:21606 => 192.168.0.100:56197
0x00 0xA609E6A7
A7 E6 09 A6 FF FF FF FF 1A 00 00 00 41 70 70 6C | ж.│яяяя....Appl
69 63 61 74 69 6F 6E 5F 54 69 6D 65 52 65 71 75 | ication_TimeRequ
65 73 74 65 72 00 21 A2 02 00 00 00 00 00 00 00 | ester.__........
00 00 | ..

...

PACKET 33:
Decrypt packet 192.168.0.100:56197 => 159.153.64.193:21606
0x00 0x2195CC8A (client modules list)
8A CC 95 21 05 12 55 14 48 16 00 00 22 26 20 20 | _М!..f.H...D...
37 3E 31 40 41 40 00 00 42 4D 50 50 50 50 6B 63 | WNб0....b}.*...c
3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 77 6F 77 | :\windows\syswow
36 34 5C 6C 72 63 2E 64 6C 6C 8F 90 83 92 00 00 | 64\pkl.dll.`3...

0x00 0xD4BA5CFB
FB 5C BA D4 3C 01 00 00 00 00 00 00 BD 0F 00 00 | √\║╘<.......╜...
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 | <?xml version="1
2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 | .0" encoding="UT
...

PM to me. I upload to you key dumper, you run sniffer(wireshark for example, or any with .pcap format support), run keydumper and swtor.exe. After that you send .pcap file + keys file to me and i send decrypted logs to you.

[the1domo]

ok i pm you