Posted
Hello, dear forum users.
 
I decided to disassemble Lineage 2 "in pieces."
To be more precise, I'm interested in the network side of the client: I want to understand how packets are formed for sending / receiving and how they are sent to the server.
For these tasks I downloaded IDA Pro and disassembled some client files with it... By a simple search I found functions with names like "SendPacket, ReciewePacket"... But what is going on inside them, I have no idea... More precisely, I understand the assembly language instructions, but I do not understand the meaning of all this.
 
A little background: at the very beginning I just wanted to understand the principle of packet encryption and used Wireshark for this, but I did not understand the encryption algorithm (I do not mean the standard XOR algorithm) and therefore decided to dig deeper.
 
In this post I will include the disassembled code of the PostSend function (I note that there are also similarly named functions, PreSend and PostSendMap).
 
I should also add that while digging around in Wireshark I already learned how to catch the packet I needed, for example sending a message to the chat, and also found this function in the disassembled code (by the way, I disassembled the file engine.dll).
 
That was a long introduction; now the actual question: how do I figure out (or, to be honest, poke my nose into) where the packet is sent to the specified IP address, and where (and how) the packet is formed, encrypted, and everything else related to this?
 
I will be glad to any answers in essence. Sorry for my english, I'm a russian man :)
 
.text:10763000 ; =============== S U B R O U T I N E =======================================
.text:10763000
.text:10763000 ; Attributes: bp-based frame
.text:10763000
.text:10763000 ; void __thiscall UNetConnection::PostSend(UNetConnection *__hidden this)
.text:10763000 ?PostSend@UNetConnection@@QAEXXZ_0 proc near
.text:10763000                                         ; CODE XREF: UNetConnection::PostSend(void)j
.text:10763000
.text:10763000 var_10          = dword ptr -10h
.text:10763000 var_C           = dword ptr -0Ch
.text:10763000 var_4           = dword ptr -4
.text:10763000
.text:10763000                 push    ebp
.text:10763001                 mov     ebp, esp
.text:10763003                 push    0FFFFFFFFh
.text:10763005                 push    offset ?PostSend@UNetConnection@@QAEXXZ_0_SEH
.text:1076300A                 mov     eax, large fs:0
.text:10763010                 push    eax
.text:10763011                 mov     large fs:0, esp
.text:10763018                 sub     esp, 0Ch
.text:1076301B                 push    ebx
.text:1076301C                 push    esi
.text:1076301D                 push    edi
.text:1076301E                 mov     [ebp+var_10], esp
.text:10763021                 mov     esi, ecx
.text:10763023                 mov     [ebp+var_4], 0
.text:1076302A                 lea     edi, [esi+254h]
.text:10763030                 mov     ecx, edi
.text:10763032                 mov     ebx, ds:?GetNumBits@FBitWriter@@QAEHXZ ; FBitWriter::GetNumBits(void)
.text:10763038                 call    ebx ; FBitWriter::GetNumBits(void) ; FBitWriter::GetNumBits(void)
.text:1076303A                 mov     ecx, [esi+0C8h]
.text:10763040                 add     ecx, ecx
.text:10763042                 add     ecx, ecx
.text:10763044                 add     ecx, ecx
.text:10763046                 cmp     eax, ecx
.text:10763048                 jle     short loc_10763062
.text:1076304A                 push    26Eh
.text:1076304F                 push    offset a_Unconn_cpp ; ".\\UnConn.cpp"
.text:10763054                 push    offset aOut_getnumbi_0 ; "Out.GetNumBits()<=MaxPacket*8"
.text:10763059                 call    ds:?appFailAssert@@YAXPBD0H@Z ; appFailAssert(char const *,char const *,int)
.text:1076305F                 add     esp, 0Ch
.text:10763062
.text:10763062 loc_10763062:                           ; CODE XREF: UNetConnection::PostSend(void)+48j
.text:10763062                 mov     ecx, edi
.text:10763064                 call    ebx ; FBitWriter::GetNumBits(void) ; FBitWriter::GetNumBits(void)
.text:10763066                 mov     edx, [esi+0C8h]
.text:1076306C                 add     edx, edx
.text:1076306E                 add     edx, edx
.text:10763070                 add     edx, edx
.text:10763072                 cmp     eax, edx
.text:10763074                 jnz     short loc_10763082
.text:10763076                 mov     eax, [esi]
.text:10763078                 mov     ecx, esi
.text:1076307A                 mov     edx, [eax+84h]
.text:10763080                 call    edx
.text:10763082
.text:10763082 loc_10763082:                           ; CODE XREF: UNetConnection::PostSend(void)+74j
.text:10763082                 mov     [ebp+var_4], 0FFFFFFFFh
.text:10763089                 mov     ecx, [ebp+var_C]
.text:1076308C                 mov     large fs:0, ecx
.text:10763093                 pop     edi
.text:10763094                 pop     esi
.text:10763095                 pop     ebx
.text:10763096                 mov     esp, ebp
.text:10763098                 pop     ebp
.text:10763099                 retn
.text:10763099 ?PostSend@UNetConnection@@QAEXXZ_0 endp

P.S. Just in case, I'll also post the pseudocode generated by IDA

void __thiscall UNetConnection::PostSend(UNetConnection *this)
{
  UNetConnection *v1; // esi@1
  FBitWriter *v2; // edi@1
  int v3; // [sp+0h] [bp-24h]@1
  int *v4; // [sp+14h] [bp-10h]@1
  int v5; // [sp+20h] [bp-4h]@1
 
  v4 = &v3;
  v1 = this;
  v5 = 0;
  v2 = (FBitWriter *)((char *)this + 596);                      // this+0x254: the FBitWriter "Out"
  if ( FBitWriter::GetNumBits(v2) > 8 * *((_DWORD *)this + 50) ) // this+0xC8: MaxPacket
    appFailAssert("Out.GetNumBits()<=MaxPacket*8", ".\\UnConn.cpp", 622);
  if ( FBitWriter::GetNumBits(v2) == 8 * *((_DWORD *)v1 + 50) )
    (*(void (__thiscall **)(UNetConnection *))(*(_DWORD *)v1 + 132))(v1); // virtual call through vtable slot at +0x84
}

P.P.S. Just in case, I'm attaching a link to the source and disassembled files.

http://rgho.st/92QyYRsvK
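To make the listing above readable, here is a plain-C reconstruction of what PostSend does, written as an added example rather than code from the post or from the game. The struct shapes, field names, the return codes and the flush counter are assumptions; only the offsets (Out at this+0x254, MaxPacket at this+0xC8, the virtual at vtable+0x84) and the assert text come from the listing. Note that nothing in this function encrypts or transmits anything: it only bounds-checks the outgoing bit buffer and, when the buffer is exactly full, calls a virtual method (in released Unreal Engine sources that method is FlushNet(), assumed here).

```c
#include <stddef.h>

/* Minimal stand-ins for the classes in the listing (assumed shapes). */
typedef struct { int num_bits; } FBitWriter;   /* what FBitWriter::GetNumBits() returns */

typedef struct UNetConnection UNetConnection;
typedef struct {
    void (*flush_net)(UNetConnection *self);    /* the virtual at vtable+0x84 in the listing */
} UNetConnectionVTable;

struct UNetConnection {
    const UNetConnectionVTable *vtable;  /* [esi]        */
    int max_packet;                      /* [esi+0C8h]   MaxPacket, in bytes */
    FBitWriter out;                      /* [esi+254h]   Out */
    int flushes;                         /* constructed: counts flush_net calls for the test */
};

static int get_num_bits(const FBitWriter *w) { return w->num_bits; }

/* Return codes so the failed check can be observed instead of calling appFailAssert(). */
enum { POSTSEND_OK = 0, POSTSEND_FLUSHED = 1, POSTSEND_ASSERT = -1 };

int post_send(UNetConnection *c)
{
    int bits  = get_num_bits(&c->out);
    int limit = c->max_packet * 8;      /* the three "add ecx, ecx" in the listing */
    if (bits > limit)                   /* "Out.GetNumBits()<=MaxPacket*8" */
        return POSTSEND_ASSERT;
    if (bits == limit) {                /* buffer exactly full: call the virtual */
        c->vtable->flush_net(c);
        return POSTSEND_FLUSHED;
    }
    return POSTSEND_OK;
}

static void count_flush(UNetConnection *c) { c->flushes++; }
static const UNetConnectionVTable kVTable = { count_flush };
static int last_flushes;

/* Helper: run post_send on a constructed connection with the given buffer fill. */
int run_post_send(int max_packet, int bits_written)
{
    UNetConnection c = { &kVTable, max_packet, { bits_written }, 0 };
    int rc = post_send(&c);
    last_flushes = c.flushes;
    return rc;
}

int last_flush_count(void) { return last_flushes; }
```

The actual socket write and any cipher step therefore live behind the virtual call, which is why this function alone shows nothing about the encryption.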

Posted

What about investigating decryption of packets in any open source server? If you just want to find out how they are encrypted, checking the Java code of the decryption might be very useful.

Posted

What about investigating decryption of packets in any open source server? If you just want to find out how they are encrypted, checking the Java code of the decryption might be very useful.

How can I view the Java code? The source code is compiled, and moreover SmartGuard is installed on top of it.

Posted

How can I view the Java code? The source code is compiled, and moreover SmartGuard is installed on top of it.

I am talking about server side, not client. There are plenty of open source projects.

Posted (edited)

How can I view the Java code? The source code is compiled, and moreover SmartGuard is installed on top of it.

 

Finding the decrypting/encrypting function (its address in the client) is easy. Just put a breakpoint on send/recv in ws2_32.dll; it's the same mechanism in every L2 version. It will be extremely hard to find the exact enc/dec procedure (the XORs, counters and other operations) of a protected client, because the code added by guards is obfuscated.

Edited by Szakalaka
