 

Playing with Battle.snp in IDA

Started by UserLoser., December 15, 2003, 08:55 PM


UserLoser.

I'm a newb, to this stuff at least.  I'm trying to teach myself, like I teach myself many other things, along with some minor help & explanations Arta gave me the other day.  Anyways, so far I've established that usually when you see "mov cl, SomeNumericValueh", it's setting the packet id for a BNCS packet (as you can see in the picture below, my genius findings)



From going to the locations of those, I've been able to see how some packets are built, example:

.text:19016D74 loc_19016D74:                           ; CODE XREF: sub_19016810+415j
.text:19016D74                 push    offset aGetLatestBattl ; "Get latest battle.net icons"
.text:19016D79                 call    sub_190023C0
.text:19016D7E                 add     esp, 4
.text:19016D81                 xor     edx, edx
.text:19016D83                 mov     cl, 2Dh
.text:19016D85                 push    ebx
.text:19016D86                 call    sub_19015A60
.text:19016D8B                 test    eax, eax
.text:19016D8D                 jz      loc_19016EB8
.text:19016D93                 mov     ebp, [ebp+0Ch]
.text:19016D96                 cmp     ebp, 53544152h
.text:19016D9C                 jz      short loc_19016DA6
.text:19016D9E                 cmp     ebp, 53455850h
.text:19016DA4                 jnz     short loc_19016DCE


(Thanks to Blizzard for the comments.)

I know I should be learning what push, test, mov, jz, jnz, etc. all mean first before asking questions, but maybe by posting and asking here, I can get a quicker explanation from the more advanced users. I believe "add esp, 4" sets the packet length, "mov cl, 2Dh" sets the packet ID, and maybe "call sub_19015A60" is the sub to send the packet, but in that sub I don't really see it being sent.

Was going to post more, but have to go now, so I'll end this here...

My goal someday, no matter how long it takes (even a few years) is to reverse joining games, or War3 logon. :P

Any comments, hints, or help appreciated :)

Etheran


.text:19016D74 loc_19016D74:                          ; CODE XREF: sub_19016810+415j
.text:19016D74                push    offset aGetLatestBattl ; "Get latest battle.net icons"
.text:19016D79                call    sub_190023C0
.text:19016D7E                add    esp, 4

I think the add esp, 4 is to recover the stack.

dev invisible

I have a great 100+ page PDF on reverse engineering.  It's basically a course in computer architecture and assembly language.

message me on aim:  dev INVISIBLE
make sure you mention where you're from or I'll ignore you.

iago

Quote from: Etheran on December 15, 2003, 09:10 PM

.text:19016D74 loc_19016D74:                          ; CODE XREF: sub_19016810+415j
.text:19016D74                push    offset aGetLatestBattl ; "Get latest battle.net icons"
.text:19016D79                call    sub_190023C0
.text:19016D7E                add    esp, 4

I think the add esp, 4 is to recover the stack.

In a _cdecl function, the stack pointer from the arguments being pushed isn't restored within the function, and must be done after the function is called, by adding to the stack pointer.  In a __stdcall function, that would be done inside.

This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Skywing

Quote from: iago on December 15, 2003, 11:28 PM
Quote from: Etheran on December 15, 2003, 09:10 PM

.text:19016D74 loc_19016D74:                          ; CODE XREF: sub_19016810+415j
.text:19016D74                push    offset aGetLatestBattl ; "Get latest battle.net icons"
.text:19016D79                call    sub_190023C0
.text:19016D7E                add    esp, 4

I think the add esp, 4 is to recover the stack.

In a _cdecl function, the stack pointer from the arguments being pushed isn't restored within the function, and must be done after the function is called, by adding to the stack pointer.  In a __stdcall function, that would be done inside.
Note that this need not be done with the add instruction; sometimes, the compiler will optimize it into something like pop ecx.

Adron

IIRC, cl holds the packet ID, edx holds the offset of the packet data, and the first dword on the stack holds the length of the packet data.

iago

You (and Adron) are right about that sub:
.text:19015A60        ; ecx = char PacketCode
.text:19015A60        ; edx = char *Packet
.text:19015A60        
.text:19015A60        ; void __stdcall SendOutTCPPacket(DWORD dwLength)


I know it's not actually __stdcall, it's __fastcall, but IDA doesn't like __fastcall.

The packet is actually sent here:
.text:19015AEC 06C 8B+        mov     edx, ds:TCPSocket
.text:19015AF2 06C 6A+        push    0                       ; flags
.text:19015AF4 070 57         push    edi                     ; len
.text:19015AF5 074 56         push    esi                     ; buf
.text:19015AF6 078 52         push    edx                     ; s
.text:19015AF7 07C FF+        call    ds:send


Kp

Quote from: iago on December 16, 2003, 04:30 AM
I know it's not actually __stdcall, it's __fastcall, but IDA doesn't like __fastcall.

As I recall (no pun intended), _fastcall implies _stdcall for the arguments after the first two.  At least for MSVC code, I doubt you'll ever see a function which takes two arguments in registers, then treats its stack arguments as _cdecl.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

UserLoser.

So does

.text:19016D8B                test    eax, eax
.text:19016D8D                jz      loc_19016EB8
.text:19016D93                mov    ebp, [ebp+0Ch]
.text:19016D96                cmp    ebp, 53544152h
.text:19016D9C                jz      short loc_19016DA6
.text:19016D9E                cmp    ebp, 53455850h
.text:19016DA4                jnz    short loc_19016DCE


have anything to do with sending the packet?

iago

.text:19016D8B 230 85+        test    eax, eax                ; test the return value
.text:19016D8D 230 0F+        jz      LoginFailure            ; Jump if the send failed



Not sure about the rest, and I'm busy right now.


Arta

At a totally unresearched guess, I'd say it's putting the dword at offset 0x0C in an incoming packet into EBP and comparing that to 2 Product IDs.

iago

hmm:

.text:19016D86 234 E8+        call    SendOutTCPPacket        ; ecx = char PacketCode
.text:19016D86 234 D5+                                        ; edx = char *Packet
.text:19016D8B 230 85+        test    eax, eax                ; test the return value
.text:19016D8D 230 0F+        jz      LoginFailure            ; Jump if the send failed
.text:19016D93 230 8B+        mov     ebp, [ebp+0Ch]
.text:19016D96 230 81+        cmp     ebp, 'STAR'
.text:19016D9C 230 74+        jz      short loc_19016DA6
.text:19016D9E 230 81+        cmp     ebp, 'SEXP'
.text:19016DA4 230 75+        jnz     short loc_19016DCE


UserLoser.

Bleh, never thought of converting the hex to a string!

Adron

Quote from: UserLoser. on December 17, 2003, 10:31 AM
Bleh, never thought of converting the hex to a string!

Poor inexperienced reverse engineer....

With experience, those values are obvious candidates for turning into strings. You'll learn many such things with practise.
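One way to do what Adron describes, as an added example that is not code from the thread: scan the listing lines quoted above for 32-bit immediates that decode to printable four-character tags, and show both the 'STAR' form IDA prints and the byte order the same value has in memory on a little-endian x86. The listing text, regex and function names are my own; the immediates are the ones quoted in the thread.

```python
import re
from typing import List, Optional, Tuple

# Listing lines copied from the IDA dump quoted in this thread.
LISTING = """\
.text:19016D93                 mov     ebp, [ebp+0Ch]
.text:19016D96                 cmp     ebp, 53544152h
.text:19016D9C                 jz      short loc_19016DA6
.text:19016D9E                 cmp     ebp, 53455850h
.text:19016DA4                 jnz     short loc_19016DCE
"""

# IDA-style 32-bit hexadecimal immediate, e.g. 53544152h (IDA prefixes a 0
# when the value starts with A-F, e.g. 0FFFFFFFFh, so allow an optional one).
IMM_RE = re.compile(r"\b0?([0-9A-Fa-f]{8})h\b")
ADDR_RE = re.compile(r"\.text:([0-9A-F]{8})")


def dword_to_tag(value: int) -> Optional[str]:
    """Read a dword the way IDA prints a C multi-char constant ('STAR'):
    most significant byte first. Returns None unless all four bytes are
    printable ASCII, so ordinary addresses and counters are skipped."""
    chars = value.to_bytes(4, "big")
    if all(0x20 <= c < 0x7F for c in chars):
        return chars.decode("ascii")
    return None


def wire_order(tag: str) -> bytes:
    """The same dword as it sits in memory (and on the wire) on little-endian x86."""
    return int.from_bytes(tag.encode("ascii"), "big").to_bytes(4, "little")


def find_tag_candidates(listing: str) -> List[Tuple[str, int, str]]:
    """Return (address, immediate, tag) for every immediate that decodes to a tag."""
    found = []
    for line in listing.splitlines():
        addr = ADDR_RE.match(line)
        for m in IMM_RE.finditer(line):
            value = int(m.group(1), 16)
            tag = dword_to_tag(value)
            if tag is not None:
                found.append((addr.group(1) if addr else "?", value, tag))
    return found


if __name__ == "__main__":
    for addr, value, tag in find_tag_candidates(LISTING):
        print(f"{addr}: {value:08X}h = '{tag}'  bytes in memory: {wire_order(tag)!r}")
```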

UserLoser.

Quote from: Adron on December 17, 2003, 12:49 PM
Poor inexperienced reverse engineer....

With experience, those values are obvious candidates for turning into strings. You'll learn many such things with practise.

Not poor, but yes inexperienced :P