Thoughts on reversing anti-hack algorithms

Started by tA-Kane, May 09, 2005, 03:13 AM


Kp

Quote from: tA-Kane on May 19, 2005, 12:27 PM
Hmm, I was screwing around and found a reference to WS2_32.send, so I breakpointed the beginning of the function. It looks like I've accidentally found the function that sends data to the server-side part of the anti-hack process BEFORE the data gets encrypted, which is one important step towards writing a third party client.

I'm 90% confident I could trace the program backwards from here... but I'm not so sure about locating where the receiving end of the socket is at... though I'm sure I'll find it with time (after all, if it's a non-overlapped socket, it's gotta be somewhere upper and back down in the calling path... and if it's overlapped, the receiving function needs to be set somewhere...). Hmmm...

This may seem a bit obvious, but have you considered just setting a breakpoint on recv itself?  bp ws2_32!recv should do it.  That'll break to windbg when recv gets called, which should let you get a backtrack into non-encrypted code.  Other functions to consider breaking on: kernel32!ReadFile, kernel32!ReadFileEx, ws2_32!recvfrom, ws2_32!recvmsg.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!