We need help with recvpackets extraction @bRO

ever_boy_
Developers
Posts: 308
Joined: 06 Jul 2012, 13:44
Noob?: No

Re: We need help with recvpackets extraction @bRO

#21 Post by ever_boy_ »

Here is what I mean: different address, same packet ID, same called sub...

.text:0058EF86 push 0
.text:0058EF88 push 1Eh
.text:0058EF8A push 1Eh
.text:0058EF8C push 165h

.text:0058EF91 mov ecx, esi
.text:0058EF93 call sub_58B510
.text:0058EF98 push 1
.text:0058EF9A push 3
.text:0058EF9C push 3
.text:0058EF9E push 167h
.text:0058EFA3 mov ecx, esi
.text:0058EFA5 call sub_58B510
.text:0058EFAA push 0
.text:0058EFAC push 0Eh
.text:0058EFAE push 0Eh
.text:0058EFB0 push 168h
.text:0058EFB5 mov ecx, esi
.text:0058EFB7 call sub_58B510
.text:0058EFBC push 1
.text:0058EFBE push 3
.text:0058EFC0 push 3
.text:0058EFC2 push 169h
.text:0058EFC7 mov ecx, esi
.text:0058EFC9 call sub_58B510
.text:0058EFCE push 1
.text:0058EFD0 push 1Eh
.text:0058EFD2 push 1Eh
.text:0058EFD4 push 16Ah
.text:0058EFD9 mov ecx, esi
.text:0058EFDB call sub_58B510
.text:0058EFE0 push 0
.text:0058EFE2 push 0Ah
.text:0058EFE4 push 0Ah
.text:0058EFE6 push 16Bh
.text:0058EFEB mov ecx, esi
.text:0058EFED call sub_58B510
.text:0058EFF2 push 0
.text:0058EFF4 push 9
.text:0058EFF6 push 9
.text:0058EFF8 push 149h
.text:0058EFFD mov ecx, esi
.text:0058EFFF call sub_58B510
.text:0058F004 push 1
.text:0058F006 push 6
.text:0058F008 push 6
.text:0058F00A push 14Ah
.text:0058F00F mov ecx, esi
.text:0058F011 call sub_58B510
.text:0058F016 push 1
.text:0058F018 push 1Bh
.text:0058F01A push 1Bh
.text:0058F01C push 14Bh
.text:0058F021 mov ecx, esi
.text:0058F023 call sub_58B510
.text:0058F028 push 0
.text:0058F02A push 0BAh
.text:0058F02F push 0BAh
.text:0058F034 push 16Eh
.text:0058F039 mov ecx, esi
.text:0058F03B call sub_58B510
.text:0058F040 push 1
.text:0058F042 push 0B6h
.text:0058F047 push 0B6h
.text:0058F04C push 16Fh
.text:0058F051 mov ecx, esi
.text:0058F053 call sub_58B510
.text:0058F058 push 0
.text:0058F05A push 4
.text:0058F05C push 0FFFFFFFFh
.text:0058F05E push 17Eh
.text:0058F063 mov ecx, esi
.text:0058F065 call sub_58B510
.text:0058F06A push 1
.text:0058F06C push 4
.text:0058F06E push 0FFFFFFFFh
.text:0058F070 push 17Fh
.text:0058F075 mov ecx, esi
.text:0058F077 call sub_58B510
.text:0058F07C push 0
.text:0058F07E push 1Eh
.text:0058F080 push 1Eh
.text:0058F082 push 165h
.text:0058F087 mov ecx, esi
.text:0058F089 call sub_58B510

kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: We need help with recvpackets extraction @bRO

#22 Post by kLabMouse »

ever_boy_ wrote:Here is what I mean: different address, same packet ID, same called sub...
Oh. I see. Well, it's not a problem.
You should see the difference when you compare the old and new recvpackets.txt.
If the duplication is not right, then you could remove it from there once you feel it's needed.
But again, I like to work with RAW data. It's cleaner to see the changes.

ever_boy_
Developers
Posts: 308
Joined: 06 Jul 2012, 13:44
Noob?: No

Re: We need help with recvpackets extraction @bRO

#23 Post by ever_boy_ »

Ok, so now I think we're able to build the recvpackets.
Just one thing: how do we know what the right order is to build the recvpackets in?

The matter now is, how do we build a new bRO.pm? I mean, how do we build an algorithm so that it can put the packets in the right order inside bRO.pm?

daggerblade
Plain Yogurt
Posts: 59
Joined: 06 Jun 2010, 22:08
Noob?: No

Re: We need help with recvpackets extraction @bRO

#24 Post by daggerblade »

Damn. Now I see the light also.

I have one question: when creating the recvpackets, do we need the packet min length and replay factor for it to work? Because your last one only had the packet length size and worked for some stuff. If not, I believe I can create a small program that can pick the packets and lengths by itself just by analyzing a txt of the disassembled code.

Another: do these packets always occupy the same address in memory? Meaning, not the same packet, but for example let's suppose the login packet would occupy this address, 0058EBAC; if they change this packet, let's say it was 0190 one week but another week it was 08EE, will this address area (0058EBAC) still contain the packet with the same function (which would be the login packet in my example)?

Thanks klab, you da bomb : D . We really appreciate your patience in this matter.
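The "small program" idea, applied to the listing ever_boy_ posted in #21, as an added Python example that is not from the thread or from OpenKore. The four pushes before each `call sub_58B510` are its arguments in reverse order, so the packet ID is the push right before the call; reading the other three as length, min length and replay flag, and the `ID length minlength flag` output layout, are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample: two registration sequences copied verbatim from the listing in #21.
LISTING = """\
.text:0058EF86 push 0
.text:0058EF88 push 1Eh
.text:0058EF8A push 1Eh
.text:0058EF8C push 165h
.text:0058EF91 mov ecx, esi
.text:0058EF93 call sub_58B510
.text:0058F07C push 0
.text:0058F07E push 1Eh
.text:0058F080 push 1Eh
.text:0058F082 push 165h
.text:0058F087 mov ecx, esi
.text:0058F089 call sub_58B510
"""
LINE = re.compile(r"^\.text:([0-9A-F]{8})\s+(push|mov|call)\s+(.*)$")
def imm(tok):
    """IDA immediate (1Eh, 0FFFFFFFFh or 3) as a signed 32-bit int; -1 marks variable length."""
    v = int(tok[:-1], 16) if tok.endswith("h") else int(tok, 10)
    return v - 0x100000000 if v >= 0x80000000 else v
def extract(listing, register_sub="sub_58B510"):
    """One (call_addr, packet_id, length, min_length, flag) per registration call.
    Args are pushed right to left; the field order past the ID is an assumption."""
    pushes, out = [], []
    for line in listing.splitlines():
        m = LINE.match(line)
        if not m: continue
        addr, op, arg = m.groups()
        if op == "push":
            pushes.append(imm(arg))
        elif op == "call":
            if arg == register_sub and len(pushes) >= 4:
                out.append((addr, pushes[-1], pushes[-2], pushes[-3], pushes[-4]))
            pushes = []  # any call ends the current argument sequence
    return out
def recvpackets_lines(entries):
    """Render as 'ID length minlength flag' lines (recvpackets.txt style, assumed)."""
    return ["%04X %d %d %d" % e[1:] for e in entries]
def duplicate_ids(entries):
    """Packet IDs registered at more than one address, the case ever_boy_ noticed for 165h."""
    seen = defaultdict(list)
    for addr, pid, *_ in entries:
        seen[pid].append(addr)
    return {pid: addrs for pid, addrs in seen.items() if len(addrs) > 1}
```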

ever_boy_
Developers
Posts: 308
Joined: 06 Jul 2012, 13:44
Noob?: No

Re: We need help with recvpackets extraction @bRO

#25 Post by ever_boy_ »

right now I'm trying to understand how the encryption key works:

$MID = ($MID ^ (($enc_val1 >> 8 >> 8) & 0x7FFF)) & 0xFFFF;

But I don't know what the ">>" and "^" stand for.

5e13ct
Plain Yogurt
Posts: 51
Joined: 02 Sep 2012, 11:09
Noob?: No
Location: Brazil - PR

Re: We need help with recvpackets extraction @bRO

#26 Post by 5e13ct »

ever_boy_ wrote:right now I'm trying to understand how the encryption key works:

$MID = ($MID ^ (($enc_val1 >> 8 >> 8) & 0x7FFF)) & 0xFFFF;

But I don't know what the ">>" and "^" stand for.
^ (Exclusive OR)

Sets the bit to 1 if only one of the corresponding bits in the operands is 1, and to 0 in the other cases. Example: if the variable var has the value 12 (00001100) and we do the operation with 6 (00000110), the result, var ^ 6, is 10 (00001010).

>> (Right shift)

Shifts the bits of the left operand to the right by the value given by the right operand. Equivalent to division by the power of 2 given by the latter. Example: if the variable var has the value 12 (00001100), after var >> 2 it will have 3 (00000011).


[PT-BR, translated]
^ (Exclusive OR)

Sets the bit to 1 if only one of the corresponding bits in the operands is 1, and to 0 in the other cases. Example: if the variable var has the value 12 (00001100) and we do the operation with 6 (00000110), the result, var ^ 6, will be 10 (00001010).

>> (right shift)

Shifts the bits of the left operand to the right by the value given by the right operand. Equivalent to division by the power of 2 given by the latter. Example: if the variable var has the value 12 (00001100), after var >> 2 it will have 3 (00000011).

ever_boy_, see PM please.

ever_boy_
Developers
Posts: 308
Joined: 06 Jul 2012, 13:44
Noob?: No

Re: We need help with recvpackets extraction @bRO

#27 Post by ever_boy_ »

Thanks. Already figured it out.


Now I need to know what the best tool is to get a desired packet. I tried Wireshark, but I just couldn't read/identify its packets.

Being more specific: even though I got the packet via Wireshark, I can't find where the packet ID is in the packet's bytes:

0000  1c af f7 59 41 be 00 24  8c 53 1e 51 08 00 45 00   ...YA..$ .S.Q..E.
0010  00 34 34 81 40 00 80 06  0a 07 c0 a8 00 83 c8 e5   .44.@... ........
0020  32 2b cf 50 13 88 85 ae  94 b1 00 00 00 00 80 02   2+.P.... ........
0030  20 00 95 a1 00 00 02 04  05 b4 01 03 03 02 01 01    ....... ........
0040  04 02                                              ..
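The dump above is a TCP SYN (14-byte Ethernet header, 20-byte IPv4 header with total length 0x34, 32-byte TCP header with options) carrying no application data, which is why no packet ID can be found in it. This added Python example, not from the thread or from OpenKore, walks those headers on the same bytes and returns the payload, so the check can be repeated on any Wireshark hex dump; the game's 2-byte little-endian packet ID only shows up in frames that carry data after the handshake.

```python
import re
import struct
from itertools import takewhile
# Constructed input: the Wireshark hex dump posted above, copied line by line.
DUMP = """\
0000  1c af f7 59 41 be 00 24  8c 53 1e 51 08 00 45 00   ...YA..$ .S.Q..E.
0010  00 34 34 81 40 00 80 06  0a 07 c0 a8 00 83 c8 e5   .44.@... ........
0020  32 2b cf 50 13 88 85 ae  94 b1 00 00 00 00 80 02   2+.P.... ........
0030  20 00 95 a1 00 00 02 04  05 b4 01 03 03 02 01 01    ....... ........
0040  04 02                                              ..
"""
HEXBYTE = re.compile(r"[0-9a-f]{2}")
def parse_hexdump(text):
    """Bytes from a Wireshark hex dump: drop the offset column, stop at the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        toks = line.split()[1:]  # first token is the offset
        out += bytes(int(t, 16) for t in takewhile(HEXBYTE.fullmatch, toks))
    return bytes(out)
def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP and return addresses, ports, flags and the payload."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # header length in bytes
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]                     # TCP header + payload, padding excluded
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4                   # TCP header length, options included
    flags = tcp[13]
    return {
        "src": "%d.%d.%d.%d" % tuple(ip[12:16]),
        "dst": "%d.%d.%d.%d" % tuple(ip[16:20]),
        "sport": sport, "dport": dport,
        "syn": bool(flags & 0x02), "ack": bool(flags & 0x10), "psh": bool(flags & 0x08),
        "payload": tcp[doff:],
    }
def packet_id(payload):
    """The game's packet ID is the first two payload bytes, little-endian; None if no data."""
    if len(payload) < 2:
        return None
    return struct.unpack_from("<H", payload, 0)[0]
```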

5e13ct
Plain Yogurt
Posts: 51
Joined: 02 Sep 2012, 11:09
Noob?: No
Location: Brazil - PR

Re: We need help with recvpackets extraction @bRO

#28 Post by 5e13ct »

ever_boy_?

Did you see the message I sent you by PM?

kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

Re: We need help with recvpackets extraction @bRO

#29 Post by kLabMouse »

The procedure is simple.
OpenKore uses only PacketID and Len.
There are also MinLen and ReplayFactor.
Those are good for determining the difference more accurately, but OpenKore does not require them.

Once you've got the old (working) recvpacket.txt and the new (current) recvpacket.txt, you just need to compare them and change the packet IDs according to that comparison.

The next step is to change the encryption keys.
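kLabMouse's comparison step, as an added Python example that is not from the thread or from OpenKore: it pairs the old and new tables row by row and reports which IDs changed, setting aside rows whose length fields differ for a manual look. It assumes the client registers packets in the same order after an update and an `ID length minlength flag` column layout; the sample tables are constructed, with 0190 and 08EE borrowed from daggerblade's example.

```python
# Constructed sample tables: an old (working) recvpackets.txt and one from the updated client.
OLD = """\
0165 30 30 0
0167 3 3 1
017E -1 4 0
"""
NEW = """\
0190 30 30 0
0167 3 3 1
08EE -1 6 0
"""
def load_recvpackets(text):
    """Rows of (packet_id, (length, min_length, flag)) in file order.
    The 'ID length minlength flag' layout is assumed, not taken from the thread."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            rows.append((int(parts[0], 16), tuple(int(p) for p in parts[1:4])))
    return rows
def id_changes(old, new):
    """Pair the tables position by position (same registration order assumed).
    Same length fields but a different ID: record old_id -> new_id.
    Different length fields: the packet layout itself changed, return for review."""
    if len(old) != len(new):
        raise ValueError("tables differ in size (%d vs %d); align them first" % (len(old), len(new)))
    changes, review = {}, []
    for (oid, osig), (nid, nsig) in zip(old, new):
        if osig != nsig:
            review.append((oid, nid))
        elif oid != nid:
            changes[oid] = nid
    return changes, review
```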

daggerblade
Plain Yogurt
Posts: 59
Joined: 06 Jun 2010, 22:08
Noob?: No

Re: We need help with recvpackets extraction @bRO

#30 Post by daggerblade »

kLabMouse wrote:The procedure is simple.
OpenKore uses only PacketID and Len.
There are also MinLen and ReplayFactor.
Those are good for determining the difference more accurately, but OpenKore does not require them.

Once you've got the old (working) recvpacket.txt and the new (current) recvpacket.txt, you just need to compare them and change the packet IDs according to that comparison.

The next step is to change the encryption keys.
We already got the keys; recvpackets, I believe, is no problem either now that we understand the procedure, but now we need to know which packet goes where in bro.pm. Thanks
