Is it possible to track how a program encrypts packets?

Postby wahoyaho » Mon Nov 26, 2007 1:37 pm

So what I'm looking at right now is just a game that sends encrypted packets. So I sent a message, found out which assembly code accesses it, and using step-into found all the code that is executed between pressing Enter to send the message and when the packet is sent.

So I'm just wondering if it's possible to find what I'm looking for by reading through that whole chunk of code? Because it goes through about 10 different calls to different locations before ending in a sysenter instruction which sends out the packet.

Postby mezzo » Mon Nov 26, 2007 1:56 pm

Unless they wrote the encryption routines themselves, they are most likely located in a DLL (most SSL, RSA, and standard encryption routines are).

Browse through the DLLs in the disassembler helper window and find what the program is importing, and then which one could be the 'encrypting' one. BP it and work from there. The data that is sent will probably be referenced by a pointer; this pointer will be 'fed' to the DLL's encryption routine as a parameter.

That's what I would do... perhaps somebody has other ideas.

Postby Shynd » Mon Nov 26, 2007 11:19 pm

I'd breakpoint on the WSOCK32:send() function, then work backwards. Find where send was called from, work up until you find what called THAT subroutine, etc. As you work backwards, constantly check the pointer (on the stack) to the packet data in memory until it appears in memory as plain text. For instance, if you sent the chat packet 'asdf,' keep working backwards until you see 'asdf' in the packet data somewhere. Now you know where it's getting encrypted and you can either 1) breakpoint there and catch the data before it's sent or 2) reverse-engineer the decryption routine so you can simply read packets and decrypt them yourself.

Postby wahoyaho » Tue Nov 27, 2007 5:23 am

How do I know which pointer points to the packet data? I tried doing a hex search for the same hex that was sent with the packet but nothing.
Last edited by wahoyaho on Tue Nov 27, 2007 5:25 am, edited 1 time in total.

Postby mezzo » Tue Nov 27, 2007 5:25 am
