User(s) browsing this thread: 1 Guest(s)
Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Auth Packets -> stopping randomizing!
07-03-2009, 09:44 PM
Post: #11
RE: Auth Packets -> stopping randomizing!
hmm..if i think about it, the best way would be to find out the InitClientDLL Arguments, maybe than we could use our own launcher /login client if we know which data the initclient.dll expects or something...Crap is this a shit.

Btw. rajko i saw your posts on Rarebit forums, i have tried the same before Wink

For other contact possibilities : http://www.redpillalliance.com/support.html .
I try now to contact WBIE again, cause SOE said "we cant do nothign and give out nothig cause the rights have WBIE".

And i have maybe another interesting infos..over 100 developers had worked on MxO ...one of them must have the code and be frustrated enough (and there is a list on the internet with all names of the Devs).

I bet there has not been many changed at all at the structure at the last years .
Find all posts by this user
Quote this message in a reply
07-03-2009, 11:10 PM
Post: #12
RE: Auth Packets -> stopping randomizing!
Okay maybe this is helpful too:

It is "reversed" by Rec Studio (RecStudio trys to make readable Code with your .exe).

However it is helpful cause we know now where it is located.

/* Procedure: 0x00468D60 - 0x00468DBA
* Argument size: 8
* Local size: 0
* Save regs size: 0
* Called by:
* L00468DC0()
*/

L00468D60(A8)
/* unknown */ void A8;
{



if(!(1 & M004f85cc)) {
(save)-268435456;
(save)1;
(save)0;
(save)0;
(save)5211592;
M004f85cc = M004f85cc | 1;
CryptAcquireContextA();
(save)0x4a7dc0;
L0048BC66();
esp = esp + M00000004;
}
ecx = *(ebp + M0000000c);
return CryptGenRandom(M004f85c8, ecx, A8);
}
Find all posts by this user
Quote this message in a reply
07-03-2009, 11:11 PM
Post: #13
RE: Auth Packets -> stopping randomizing!
lol fucking REC, use ida pro and hexrays DERP
Quote this message in a reply
07-03-2009, 11:13 PM (This post was last modified: 07-03-2009 11:14 PM by Neo.)
Post: #14
RE: Auth Packets -> stopping randomizing!
i use IDA Pro , rec, ollydbg, hex editor MX, sometimes moonlight engine ....shall i continue ?Tongue
Find all posts by this user
Quote this message in a reply
07-03-2009, 11:32 PM
Post: #15
RE: Auth Packets -> stopping randomizing!
hexrays > REC
also, i need to find the EXACT version of cryptopp that mxo uses, that way i can compile it and compare binary to get function addresses
i remember its something old like 4.x
Quote this message in a reply
07-03-2009, 11:50 PM
Post: #16
RE: Auth Packets -> stopping randomizing!
hmm...okay this could be not so easy to find out, but we could try it (must be something like a version from 2003/2004 or older).
Find all posts by this user
Quote this message in a reply
07-04-2009, 12:38 AM
Post: #17
RE: Auth Packets -> stopping randomizing!
if you look carefully on params you have in matrix.exe code, you could see some that match:

RSA.cpp on cryptopp database

http://cryptopp.sourceforge.net/docs/ref...ource.html

which stands for 5.2.1 and in the footer, you could see generated on july 2004

Some linux packets changelog, mark it as:

"cryptopp-devel-5.2.1-2.0.rh9.rf.i386.rpm Fri 26 Nov 2004 2313 kb"
"cryptopp-devel-5.2.1-2.1.el3.rf.i386.rpm Fri 26 Nov 2004 2313 kB"

5.2.1-2.2 was launched on february 2005.

So it could be 5.2.1 or earlier, but too much coincidence of params, and dates may be similar too....

Thanks to open software for its listings.

You could try to see some changelog from crypto pp between 200x-2004 to see if rsa.cpp was added/changed.

see ya!

[Image: morphsig1.png]
[Image: ubd8457.png]
http://twitter.com/johnkussack [twitter]
Find all posts by this user
Quote this message in a reply
07-04-2009, 12:57 AM
Post: #18
RE: Auth Packets -> stopping randomizing!
the interface of crypto++ doesnt change much...
i think its 4.9.x or something, i forgot, the newer versions do not cipher name as a string into the classes
Quote this message in a reply
07-04-2009, 01:05 AM
Post: #19
RE: Auth Packets -> stopping randomizing!
another problem that seems to have appeared and has something to do with crypto++ is that the proxy logger logs packets including the twofish padding now....it didnt do this before, the older logs i have didnt have this padding at the end of packets, but now almost every packet has 00 cd cd cd or 00 fd fd fd at the end of it, i know its twofish padding, because if you remove it, then pass that same thing through twofish, it will add it, but why doesnt cryptopp remove it now ? it did before (i have logs to prove)
Quote this message in a reply
07-04-2009, 10:00 PM
Post: #20
RE: Auth Packets -> stopping randomizing!
about the tcp packet length prefix
if packet size is <= 7f, the length prefix is 1 byte and nothing is done with it, its taken as is
if its bigger, the size is made with 2 bytes, but with the first bit set to 1 (aka +0x80 00)
to read the size from this, just set the first bit to 0 and interpret as unsigned short big endian
Quote this message in a reply
Post Reply 


Forum Jump: