VB Game Plug-ins (Cheats) From Scratch (Part 9)

Source: Internet
Author: User
Tags: decrypt, error handling
Packet comparison! Network games achieve competitive play by exchanging data, so analysing packets is one step in building a plug-in.

--------------------------------------------------------------------------------------------------------------------

Network game packets come in 2 kinds: 1. plaintext packets 2. encrypted packets

Most network games use encrypted packets so that the information cannot simply be modified by the player. Plaintext packets exist too; "CS" is one of those.

--------------------------------------------------------------------------------------------------------------------

All right, let's get to the point. Packets are really hard. But once you get started, it's not that hard!

Plaintext is easy to deal with, but encryption is a bit .... Still, there are ways to handle it.

That is: "capture more, analyse more, decrypt more!"

--------------------------------------------------------------------------------------------------------------------

Capture section: What do you capture packets with? WPE, of course, or software you write yourself, as was done last time (hehe, i.e. yesterday)!

0056df38 4E 3E 4 a 6C (+)-4D-6A-6E-N>TSVUJLWDCBMFJN
0056df48 4 B 3F-A-7A 4C 3D 5F akb?qxvyegzflp=_
0056df58 5A 5C 6D 5D to 6F-3B-er@z\am]chgowd; Q
0056df68 5B 3C (6B) 5E-ux[<tkpr^-4F-Iihoys
0056df78 2E 1E 0B 2D 0D (3C 3B) 3 "(-.<;
0056df88 1C 0C 3D 1D 2F 23 2C (3E). =/!,1>#
0056df98 1F 0A ' 1 b 2A 3 a 0E 2$ ' 89%. *):
0056dfa8 0F 2B 5&+67?40 (3F) 1 (a)

This is a packet from a network game! Of course it is encrypted.

00878BE0 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E UANNNNNNNNNBNNPN
00878bf0 4E 3E 3E 4E 4 b Aevn>a>xynke

00878BE0 a 0B 00 00 36 00 ..... .......... 6.
00878BF0 10 20 04 00 01 10 01 31 17 00 11 18.1.

0087CC04 0B 0D 80 42 01 00 05 ...???????. B.
0087cc14 5C q\x

What does that mean? Well, we have to analyse it!

--------------------------------------------------------------------------------------------------------------------

Analysis section: analysis mainly means analysing the contents of RAM. You can go to the 看雪 (Kanxue) forum to learn some simple assembler instructions.

004F3B9C  /$ 53              PUSH EBX
004F3B9D  |. 83C4 F8         ADD ESP,-8                          ; 4-byte scratch buffer on the stack
004F3BA0  |. 8BDA            MOV EBX,EDX                         ; EBX = destination for the decoded data
004F3BA2  |. 8BD4            MOV EDX,ESP                         ; copy destination = stack buffer
004F3BA4  |. B9 04000000     MOV ECX,4                           ; copy count = 4
004F3BA9  |. E8 12EEF8FF     CALL client.004829C0                ; copy the 4 values to be decoded onto the stack
004F3BAE  |. 8A0424          MOV AL,BYTE PTR SS:[ESP]            ; 1st value
004F3BB1  |. C1E0 02         SHL EAX,2
004F3BB4  |. 33D2            XOR EDX,EDX
004F3BB6  |. 8A5424 01       MOV DL,BYTE PTR SS:[ESP+1]          ; 2nd value
004F3BBA  |. C1EA 04         SHR EDX,4
004F3BBD  |. 0AC2            OR AL,DL                            ; 1st<<2 OR 2nd>>4
004F3BBF  |. 8803            MOV BYTE PTR DS:[EBX],AL            ; output byte 1
004F3BC1  |. 43              INC EBX                             ; pointer +1, now at output byte 2
004F3BC2  |. 8A4424 01       MOV AL,BYTE PTR SS:[ESP+1]          ; 2nd value
004F3BC6  |. C1E0 04         SHL EAX,4
004F3BC9  |. 33D2            XOR EDX,EDX
004F3BCB  |. 8A5424 02       MOV DL,BYTE PTR SS:[ESP+2]          ; 3rd value
004F3BCF  |. C1EA 02         SHR EDX,2
004F3BD2  |. 0AC2            OR AL,DL                            ; 2nd<<4 OR 3rd>>2
004F3BD4  |. 8803            MOV BYTE PTR DS:[EBX],AL            ; output byte 2
004F3BD6  |. 43              INC EBX                             ; pointer +1, now at output byte 3
004F3BD7  |. 8A4424 02       MOV AL,BYTE PTR SS:[ESP+2]          ; 3rd value
004F3BDB  |. C1E0 06         SHL EAX,6
004F3BDE  |. 8A5424 03       MOV DL,BYTE PTR SS:[ESP+3]          ; 4th value
004F3BE2  |. 0AC2            OR AL,DL                            ; 3rd<<6 OR 4th
004F3BE4  |. 8803            MOV BYTE PTR DS:[EBX],AL            ; output byte 3
004F3BE6  |. 59              POP ECX                             ; release the scratch buffer
004F3BE7  |. 5A              POP EDX
004F3BE8  |. 5B              POP EBX
004F3BE9  \. C3              RETN
004F3BEA     8BC0            MOV EAX,EAX                         ; alignment padding
004F3BEC  /$ 53              PUSH EBX
004F3BED  |. 56              PUSH ESI
004F3BEE  |. 57              PUSH EDI
004F3BEF  |. 55              PUSH EBP
004F3BF0  |. 50              PUSH EAX                            ; EAX = the packet (input pointer)
004F3BF1  |. B8 02000000     MOV EAX,2
004F3BF6  |> 81C4 04F0FFFF   /ADD ESP,-0FFC                      ; reserve 0x2000 bytes of locals (stack-probe loop)
004F3BFC  |. 50              |PUSH EAX
004F3BFD  |. 48              |DEC EAX
004F3BFE  |.^75 F6           \JNZ SHORT client.004F3BF6
004F3C00  |. 8B8424 00200000 MOV EAX,DWORD PTR SS:[ESP+2000]     ; EAX = packet pointer again
004F3C07  |. 8BD9            MOV EBX,ECX                         ; EBX = packet length
004F3C09  |. 8BFA            MOV EDI,EDX                         ; EDI = output buffer
004F3C0B  |. 8BD3            MOV EDX,EBX
004F3C0D  |. 81E2 03000080   AND EDX,80000003                    ; EDX = length mod 4 (signed idiom)
004F3C13  |. 79 05           JNS SHORT client.004F3C1A
004F3C15  |. 4A              DEC EDX
004F3C16  |. 83CA FC         OR EDX,FFFFFFFC
004F3C19  |. 42              INC EDX
004F3C1A  |> 85D2            TEST EDX,EDX
004F3C1C  |. 74 05           JE SHORT client.004F3C23
004F3C1E  |. 83C8 FF         OR EAX,FFFFFFFF                     ; length not a multiple of 4: return -1
004F3C21  |. EB 7B           JMP SHORT client.004F3C9E
004F3C23  |> 8BD3            MOV EDX,EBX
004F3C25  |. 85D2            TEST EDX,EDX
004F3C27  |. 79 03           JNS SHORT client.004F3C2C
004F3C29  |. 83C2 03         ADD EDX,3
004F3C2C  |> C1FA 02         SAR EDX,2                           ; EDX = length / 4 = number of groups
004F3C2F  |. 891424          MOV DWORD PTR SS:[ESP],EDX          ; save the group count
004F3C32  |. 8D5424 04       LEA EDX,DWORD PTR SS:[ESP+4]        ; local buffer
004F3C36  |. 8BCB            MOV ECX,EBX
004F3C38  |. E8 83EDF8FF     CALL client.004829C0                ; copy the packet into the buffer to be decoded
004F3C3D  |. C6441C 04 00    MOV BYTE PTR SS:[ESP+EBX+4],0       ; terminate it
004F3C42  |. 8B1C24          MOV EBX,DWORD PTR SS:[ESP]
004F3C45  |. C1E3 02         SHL EBX,2                           ; groups*4 = number of characters
004F3C48  |. 4B              DEC EBX
004F3C49  |. 85DB            TEST EBX,EBX
004F3C4B  |. 7C 28           JL SHORT client.004F3C75
004F3C4D  |. 43              INC EBX
004F3C4E  |. 8D4424 04       LEA EAX,DWORD PTR SS:[ESP+4]        ; the packet copy
004F3C52  |> 8A10            /MOV DL,BYTE PTR DS:[EAX]           ; Nth character
004F3C54  |. 80FA 3B         |CMP DL,3B
004F3C57  |. 72 05           |JB SHORT client.004F3C5E           ; below ';' -> error
004F3C59  |. 80FA 7A         |CMP DL,7A
004F3C5C  |. 76 05           |JBE SHORT client.004F3C63          ; within ';'..'z' -> OK
004F3C5E  |> 83C8 FF         |OR EAX,FFFFFFFF                    ; error handling: return -1
004F3C61  |. EB 3B           |JMP SHORT client.004F3C9E
004F3C63  |> 81E2 FF000000   |AND EDX,0FF
004F3C69  |. 8A92 3DEF5A00   |MOV DL,BYTE PTR DS:[EDX+5AEF3D]    ; 5AEF3D is the character lookup table
004F3C6F  |. 8810            |MOV BYTE PTR DS:[EAX],DL           ; converted value, written back in place
004F3C71  |. 40              |INC EAX                            ; next packet character
004F3C72  |. 4B              |DEC EBX                            ; counter -1
004F3C73  |.^75 DD           \JNZ SHORT client.004F3C52
004F3C75  |> 8B1C24          MOV EBX,DWORD PTR SS:[ESP]          ; group count
004F3C78  |. 4B              DEC EBX
004F3C79  |. 85DB            TEST EBX,EBX
004F3C7B  |. 7C 1B           JL SHORT client.004F3C98
004F3C7D  |. 43              INC EBX
004F3C7E  |. 33ED            XOR EBP,EBP                         ; group index
004F3C80  |. 8D7424 04       LEA ESI,DWORD PTR SS:[ESP+4]        ; source: the converted values from above
004F3C84  |> 8D546D 00       /LEA EDX,DWORD PTR SS:[EBP+EBP*2]   ; EDX = index*3
004F3C88  |. 03D7            |ADD EDX,EDI                        ; destination advances 3 per group
004F3C8A  |. 8BC6            |MOV EAX,ESI                        ; source advances 4 per group
004F3C8C  |. E8 0BFFFFFF     |CALL client.004F3B9C               ; decode one group (4 in, 3 out)
004F3C91  |. 45              |INC EBP
004F3C92  |. 83C6 04         |ADD ESI,4
004F3C95  |. 4B              |DEC EBX
004F3C96  |.^75 EC           \JNZ SHORT client.004F3C84
004F3C98  |> 8B0424          MOV EAX,DWORD PTR SS:[ESP]
004F3C9B  |. 8D0440          LEA EAX,DWORD PTR DS:[EAX+EAX*2]    ; return groups*3 = decoded length
004F3C9E  |> 81C4 04200000   ADD ESP,2004
004F3CA4  |. 5D              POP EBP
004F3CA5  |. 5F              POP EDI
004F3CA6  |. 5E              POP ESI
004F3CA7  |. 5B              POP EBX
004F3CA8  \. C3              RETN

What does this mean? Once the packet is decoded, you can build the plug-in! Reading the two routines together: 004F3BEC returns -1 if the packet length is not a multiple of 4 or if any byte lies outside ';'..'z' (0x3B..0x7A), otherwise it maps every byte through the table at 5AEF3D and calls 004F3B9C once per group of 4 to pack four 6-bit values into 3 output bytes, returning the decoded length (groups*3). The accepted range 0x3B..0x7A holds exactly 64 symbols, so this is a base64-style encoding with a custom alphabet and no key: once the table has been dumped from the client, every packet can be decoded, and the plug-in can encode its own.
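The decoder recovered above, re-implemented in Python as an added example (this is not the article's VB code and not the game client's code). It mirrors both routines: the length check, the ';'..'z' range check, the table lookup and the 4-to-3 packing, and returns None where the client returns -1. The real lookup table at 5AEF3D is not legible on this page, so ALPHABET below is an assumed stand-in that lists the 64 accepted characters in plain ascending order; replace it with the 64 symbols dumped from the client and build_table produces the 256-entry table the client indexes. The encoder is the inverse, included so a plug-in can produce packets the client will accept.

```python
"""Re-implementation of the packet decoder at client.004F3BEC / 004F3B9C.

Added example, not code from the article or the game client. ALPHABET is an
ASSUMED stand-in for the real table at 5AEF3D (identity order, ';'..'z').
"""

LOW, HIGH = 0x3B, 0x7A                    # CMP DL,3B / CMP DL,7A in the client
ALPHABET = bytes(range(LOW, HIGH + 1))    # assumed: the 64 accepted symbols, in order


def build_table(alphabet: bytes) -> list:
    """Build the 256-entry decode table the client keeps at 5AEF3D: input byte -> 6-bit value."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must hold 64 distinct symbols")
    if any(c < LOW or c > HIGH for c in alphabet):
        raise ValueError("alphabet symbol outside the range the client accepts")
    table = [0] * 256
    for value, ch in enumerate(alphabet):
        table[ch] = value
    return table


TABLE = build_table(ALPHABET)


def unpack4(a: int, b: int, c: int, d: int) -> bytes:
    """Mirror of 004F3B9C: four 6-bit values -> three bytes (the SHL/SHR/OR sequence)."""
    return bytes((
        ((a << 2) | (b >> 4)) & 0xFF,     # SHL EAX,2 ; SHR EDX,4 ; OR AL,DL
        ((b << 4) | (c >> 2)) & 0xFF,     # SHL EAX,4 ; SHR EDX,2 ; OR AL,DL
        ((c << 6) | d) & 0xFF,            # SHL EAX,6 ; OR AL,DL
    ))


def decode(packet: bytes, table=None):
    """Mirror of 004F3BEC. Returns the decoded bytes, or None where the client returns -1."""
    table = TABLE if table is None else table
    if len(packet) % 4:                   # AND EDX,80000003 ... TEST EDX,EDX -> OR EAX,-1
        return None
    values = []
    for ch in packet:
        if ch < LOW or ch > HIGH:         # JB / JBE around the lookup -> OR EAX,-1
            return None
        values.append(table[ch])          # MOV DL,BYTE PTR DS:[EDX+5AEF3D]
    out = bytearray()
    for i in range(0, len(values), 4):    # LEA EDX,[EBP+EBP*2]: output advances 3 per group
        out += unpack4(*values[i:i + 4])
    return bytes(out)


def encode(data: bytes, alphabet: bytes = ALPHABET) -> bytes:
    """Inverse of decode, for building packets the client accepts.

    The decoder has no padding, so the plaintext must be a multiple of 3 bytes.
    """
    if len(data) % 3:
        raise ValueError("plaintext length must be a multiple of 3")
    out = bytearray()
    for i in range(0, len(data), 3):
        x, y, z = data[i:i + 3]
        for v in (x >> 2, ((x & 3) << 4) | (y >> 4), ((y & 0xF) << 2) | (z >> 6), z & 0x3F):
            out.append(alphabet[v])
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 8 alphabet symbols -> 6 plaintext bytes.
    sample = bytes(range(LOW, LOW + 8))
    print(decode(sample).hex())           # 001083105187 with the assumed alphabet
    print(decode(b"abc"))                 # None: length not a multiple of 4
    print(decode(b"ab\x01c"))             # None: byte outside ';'..'z'
    print(decode(encode(b"Hello!")))      # b'Hello!'
```

Because the routine writes the looked-up values back over the packet copy before packing, the real table can be recovered without disassembling anything further: set a breakpoint at 004F3C6F, feed the client one packet that contains each of the 64 symbols, and read the value written for each. The same character set and the same 4-to-3 packing are what make the scheme an encoding rather than encryption.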

--------------------------------------------------------------------------------------------------------------------
Building the plug-in itself is not covered here, since it involves VB assembly and pointer problems; the use of pointers in VB will be explained to everyone next time!


