We need help with recvpackets extraction @bRO
Re: We need help with recvpackets extraction @bRO
We finally managed to get the packets!
Well, at least the plain ones.
As kLabMouse figured out before, there are some packets which are "hidden".
I believe the hidden packets start at address 0058D823
And the plain ones at 0058EBBD
for example:
.text:0058EBBD push 0
.text:0058EBBF push 4
.text:0058EBC1 push 4
.text:0058EBC3 push 17Ah
.text:0058EBC8 mov ecx, esi
.text:0058EBCA call sub_58B510
that means the packet is 017A 4 4 0
is that right?
Re: We need help with recvpackets extraction @bRO
yes, did you find any reference to convert a normal integer to asm, so it can speed up the process?
Re: We need help with recvpackets extraction @bRO
daggerblade wrote:
yes, did you find any reference to convert a normal integer to asm, so it can speed up the process?

integer to asm? no need for that.
.text:0058EBBD push 0 ---> convert from hexa to decimal
.text:0058EBBF push 4 ---> convert from hexa to decimal
.text:0058EBC1 push 4 ---> convert from hexa to decimal
.text:0058EBC3 push 17Ah ---> stays the same
now we need to know how to uncover the hidden packets:
.text:0058EB8A call sub_58B360
.text:0058EB8F mov eax, 4
.text:0058EB94 mov ecx, eax
.text:0058EB96 xor edx, edx
.text:0058EB98 mov [esp+18h], ecx
.text:0058EB9C lea ecx, [esp+10h]
.text:0058EBA0 mov [esp+1Ch], edx
.text:0058EBA4 push ecx
.text:0058EBA5 lea edx, [esp+0Ch]
.text:0058EBA9 push edx
.text:0058EBAA mov ecx, esi
.text:0058EBAC mov dword ptr [esp+18h], 178h
.text:0058EBB4 mov [esp+1Ch], eax
.text:0058EBB8 call sub_58B360
I can see the packet's id (0178), but I can't figure out how to get the packet's length and replay factor... need someone who understands assembly. I'm working on it right now, though.
Re: We need help with recvpackets extraction @bRO
ever_boy_ wrote:
.text:0058EB8A call sub_58B360
.text:0058EB8F mov eax, 4
.text:0058EB94 mov ecx, eax
.text:0058EB96 xor edx, edx
.text:0058EB98 mov [esp+18h], ecx
.text:0058EB9C lea ecx, [esp+10h]
.text:0058EBA0 mov [esp+1Ch], edx
.text:0058EBA4 push ecx
.text:0058EBA5 lea edx, [esp+0Ch]
.text:0058EBA9 push edx
.text:0058EBAA mov ecx, esi
.text:0058EBAC mov dword ptr [esp+18h], 178h
.text:0058EBB4 mov [esp+1Ch], eax
.text:0058EBB8 call sub_58B360

I've changed it a bit so it shows the structure in the stack:
seg000:0058EB8F mov eax, 4 -> eax = 4
seg000:0058EB94 mov ecx, eax -> ecx = eax
seg000:0058EB96 xor edx, edx -> edx = 0
seg000:0058EB98 mov [esp+20h+packet.MinLength], ecx -> packet.MinLength = 4
seg000:0058EB9C lea ecx, [esp+20h+packet] -> ecx = &packet
seg000:0058EBA0 mov [esp+20h+packet.ReplayFactor], edx -> packet.ReplayFactor = 0
seg000:0058EBA4 push ecx
seg000:0058EBA5 lea edx, [esp+24h+var_18] -> edx = &var_18
seg000:0058EBA9 push edx
seg000:0058EBAA mov ecx, esi -> ecx = esi
seg000:0058EBAC mov [esp+28h+packet.PacketID], 178h -> packet.PacketID = 0x178
seg000:0058EBB4 mov [esp+28h+packet.Length], eax -> packet.Length = 4
seg000:0058EBB8 call sub_58B360 -> ecx->sub_58B360(edx, ecx)
eax = 4
ecx = eax
edx = 0
packet.MinLength = 4
ecx = &packet
packet.ReplayFactor = 0
push ecx
edx = &var_18
push edx
ecx = esi
packet.PacketID = 0x178;
packet.Length = 4;
ecx->sub_58B360(edx, ecx);
packet.MinLength = 4;
packet.ReplayFactor = 0;
packet.PacketID = 0x178;
packet.Length = 4;
esi->sub_58B360(&var_18, &packet);
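Worked example, added here and not code from this thread or from OpenKore itself: a Python script that turns an IDA listing into recvpackets lines by recognising both shapes discussed above, the plain four-push call to sub_58B510 from the first post and the stack-struct call to sub_58B360 that ever_boy_ posted and kLabMouse decoded. For the struct form it does the same esp bookkeeping by hand: every push lowers esp by 4, so a store to [esp+N] made after k pushes lands at frame offset N-4k, and the lea'd block whose four dwords all got stored is the packet. Assumptions, none of them from the page: the field layout +0 PacketID, +4 Length, +8 MinLength, +0Ch ReplayFactor taken from the reconstruction above; the output column order ID Length MinLength ReplayFactor; all function and constant names are my own; and SAMPLE_LISTING is constructed input, just the two snippets posted in the thread pasted together in address order.

```python
"""Added example: recover recvpackets entries from an IDA listing of the client.
Handles the plain form (four immediate pushes, then call sub_58B510) and the struct
form (four dwords stored into a stack struct, its address pushed, then call sub_58B360)."""
import re
from collections import namedtuple

PLAIN_CALLEE, STRUCT_CALLEE = "sub_58B510", "sub_58B360"   # the two register helpers
LINE_RE = re.compile(r"^\s*(?:\.text|seg000):([0-9A-Fa-f]+)\s+(.*?)\s*$")
IMM_RE = re.compile(r"^(?:0x[0-9A-Fa-f]+|[0-9A-Fa-f]+h|\d+)$")   # 0x17A, 17Ah, 4
ESP_SLOT_RE = re.compile(r"\[esp\+([0-9A-Fa-f]+)h?\]")
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi"}
# Assumed struct layout (kLabMouse's reconstruction): +0 ID, +4 Length, +8 MinLength, +0Ch Replay
Packet = namedtuple("Packet", "address packet_id length min_length replay form")

def recvpackets_line(p):          # assumed recvpackets.txt column order: ID Length MinLength Replay
    return f"{p.packet_id:04X} {p.length} {p.min_length} {p.replay}"

def parse_imm(tok):
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 0)

def parse_listing(text):
    """[(address, mnemonic, [operands])] for every instruction line; IDA comments dropped."""
    instrs = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        body = m.group(2).split(";")[0].strip() if m else ""
        if body:
            mnem, _, rest = body.partition(" ")
            instrs.append((int(m.group(1), 16), mnem.lower(), [o.strip() for o in rest.split(",")] if rest else []))
    return instrs

def extract_plain(instrs, i):
    """instrs[i] is `call sub_58B510`: walk back over `mov ecx, esi` and four immediate
    pushes. The last push is the first argument, so backwards gives id, len, minlen, replay."""
    j, imms = i - 1, []
    if j >= 0 and instrs[j][1] == "mov" and instrs[j][2] == ["ecx", "esi"]:
        j -= 1
    while j >= 0 and len(imms) < 4 and instrs[j][1] == "push" and IMM_RE.match(instrs[j][2][0]):
        imms.append(parse_imm(instrs[j][2][0]))
        j -= 1
    return Packet(instrs[i][0], *imms, form="plain") if len(imms) == 4 else None

def extract_struct(instrs, i):
    """instrs[i] is `call sub_58B360`: replay the code since the previous call with a tiny model of
    registers and [esp+N] stores (frame offset = N - 4*pushes); the packet is the lea'd 16-byte block."""
    start = i
    while start > 0 and instrs[start - 1][1] != "call":
        start -= 1
    regs, slots, bases, pushes = {}, {}, [], 0
    for _addr, mnem, ops in instrs[start:i]:
        if mnem == "push":
            pushes += 1
        elif mnem == "xor" and len(ops) == 2 and ops[0] == ops[1]:
            regs[ops[0]] = 0
        elif mnem == "lea" and len(ops) == 2 and ESP_SLOT_RE.search(ops[1]):
            bases.append(int(ESP_SLOT_RE.search(ops[1]).group(1), 16) - 4 * pushes)
        elif mnem == "mov" and len(ops) == 2:
            dst, src = ops
            val = regs.get(src) if src in REGS else (parse_imm(src) if IMM_RE.match(src) else None)
            slot = ESP_SLOT_RE.search(dst)
            if slot and val is not None:
                slots[int(slot.group(1), 16) - 4 * pushes] = val
            elif dst in REGS:
                regs[dst] = val            # None marks an unknown value, e.g. after `mov ecx, esi`
    for base in bases:
        if all(base + 4 * k in slots for k in range(4)):
            return Packet(instrs[i][0], *(slots[base + 4 * k] for k in range(4)), form="struct")
    return None

def extract_packets(listing):     # listing order; duplicate IDs are kept so both sites are visible
    instrs, found = parse_listing(listing), []
    handlers = {PLAIN_CALLEE: extract_plain, STRUCT_CALLEE: extract_struct}
    for i, (_addr, mnem, ops) in enumerate(instrs):
        if mnem == "call" and ops and ops[0] in handlers:
            pkt = handlers[ops[0]](instrs, i)
            if pkt is not None:
                found.append(pkt)
    return found

# Constructed sample input: the two snippets posted in this thread, in address order.
SAMPLE_LISTING = """\
.text:0058EB8A call sub_58B360
.text:0058EB8F mov eax, 4
.text:0058EB94 mov ecx, eax
.text:0058EB96 xor edx, edx
.text:0058EB98 mov [esp+18h], ecx
.text:0058EB9C lea ecx, [esp+10h]
.text:0058EBA0 mov [esp+1Ch], edx
.text:0058EBA4 push ecx
.text:0058EBA5 lea edx, [esp+0Ch]
.text:0058EBA9 push edx
.text:0058EBAA mov ecx, esi
.text:0058EBAC mov dword ptr [esp+18h], 178h
.text:0058EBB4 mov [esp+1Ch], eax
.text:0058EBB8 call sub_58B360
.text:0058EBBD push 0
.text:0058EBBF push 4
.text:0058EBC1 push 4
.text:0058EBC3 push 17Ah
.text:0058EBC8 mov ecx, esi
.text:0058EBCA call sub_58B510
"""

if __name__ == "__main__":
    print(*map(recvpackets_line, extract_packets(SAMPLE_LISTING)), sep="\n")
```

Run as a script it prints one recvpackets line per registering call, here "0178 4 4 0" for the struct form and "017A 4 4 0" for the plain form. The replay of the struct form stops at the previous `call`, so the pushes belonging to an earlier registration do not skew the offsets, and a register that becomes unknown (after `mov ecx, esi`) simply never produces a store, which is what you want rather than a wrong value. Duplicate IDs are deliberately left in with their addresses so the question raised later in the thread, which site to keep, can be decided by looking at the calling function.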
Re: We need help with recvpackets extraction @bRO
Thank you, you're awesome! Now I can see it clearer.
Just one thing:
how did you figure this out?
[esp+18h] = [esp+20h+packet.MinLength]
[esp+10h] = [esp+20h+packet]
[esp+1Ch] = [esp+20h+packet.ReplayFactor]
[esp+18h] = [esp+28h+packet.PacketID]
[esp+1Ch] = [esp+28h+packet.Length]
Re: We need help with recvpackets extraction @bRO
ever_boy_ wrote:
Thank you, you're awesome! Now I can see it clearer.
Just one thing:
how did you figure this out?
[esp+18h] = [esp+20h+packet.MinLength]
[esp+10h] = [esp+20h+packet]
[esp+1Ch] = [esp+20h+packet.ReplayFactor]
[esp+18h] = [esp+28h+packet.PacketID]
[esp+1Ch] = [esp+28h+packet.Length]

You use RAW addresses here. The "esp" changes upon "push" or "pop", and sometimes after "call".
That's why I use relative addressing there,
and defined a structure in the stack vars to make everything easy and clean.
I dunno why to reinvent the wheel if you already have the pseudo C code.
Re: We need help with recvpackets extraction @bRO
there are some packet IDs which appear more than once. What should I do in this case? Take the first one and ignore the others?
Re: We need help with recvpackets extraction @bRO
ever_boy_ wrote:
there are some packet IDs which appear more than once. What should I do in this case? Take the first one and ignore the others?

and what's the difference between them?
Re: We need help with recvpackets extraction @bRO
none, except that this would change the order in recvpackets. eg, if I pick the first one, the recvpackets order is different than if I pick the second one.
Re: We need help with recvpackets extraction @bRO
ever_boy_ wrote:
none, except that this would change the order in recvpackets. eg, if I pick the first one, the recvpackets order is different than if I pick the second one.

No no. The first one should be the "ClientSecure" function.
The second one is the one that calls "ClientSecure".
So it should look like this: first, packets from the "Secure" function, then from the usual one.