The night before last I spent the whole night playing with packets (my first time working with packets). Let me tell you what I found.
I was blocked from intercepting with WPE straight away, because the Jinshan (Kingsoft) game itself has protection against packet interception (as MM said); WPE alone could not intercept anything, so later I used OllyDbg to debug and got the interception that way.
After the preparatory work, once the plaintext packet has been built and is ready, it gets encrypted: the encryption takes a 4-byte number and XORs it over the packet, and after the operation the result is sent straight out. I compared this against the packet data I intercepted with WPE and the results of the operation matched exactly, which means the plaintext packet can be recovered by XORing the packet again with that 4-byte number.
In fact the 4-byte number is the encryption key for every packet, i.e. it is server-approved. I did not trace how this 4-byte value arrives; for now I have only found that as long as you do not change scene, the 4-byte key does not change.
In the same way, the data returned by the server is processed with a 4-byte XOR, and the client decrypts it with the server-side 4-byte key to get the plaintext packet.
In general, the encryption and decryption process in Seal of God goes like this:
Send:
1, build the plaintext packet
2, take the 4-byte send key
3, XOR the packet with the 4-byte key (leaving the first 2 bytes untouched); a trailing remainder shorter than 4 bytes is XORed byte by byte.
4, send it.
RECV:
1, receive the packet
2, take the 4-byte recv key
3, XOR the packet with the 4-byte key (leaving the first 2 bytes untouched); a trailing remainder shorter than 4 bytes is XORed byte by byte.
4, parse the plaintext packet
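To make the send/recv steps concrete, here is an added example (my own code, not from the original post or from the game's client) that implements the XOR described above in Python. It assumes the 4-byte key is applied as a little-endian DWORD, that "the first 2" means the first 2 bytes (e.g. a length field) and that a trailing remainder is XORed with the corresponding low-order key bytes; the sample packet and key are constructed. Because the key stream is only 4 bytes long and the header travels in the clear, it also shows something the post does not: one known plaintext packet gives the key back directly, so you do not need to trace where the client gets it.

```python
import struct

KEY_BYTES = 4       # the post's "4-byte key"
HEADER_BYTES = 2    # the "first 2" left untouched (assumed to be bytes, e.g. a length field)


def xor_codec(packet: bytes, key: int) -> bytes:
    """XOR a packet with the 4-byte key as the post describes.

    The first HEADER_BYTES are copied through unchanged; the rest is XORed
    one DWORD at a time, and a trailing remainder shorter than a DWORD is
    XORed byte by byte (assumption: against the corresponding key bytes, i.e.
    the same key stream the DWORD step would have used). XOR is its own
    inverse, so the same call both encrypts and decrypts.
    """
    if len(packet) < HEADER_BYTES:
        raise ValueError("packet shorter than its header")
    key &= 0xFFFFFFFF
    key_bytes = struct.pack("<I", key)  # assumption: little-endian, as the DWORD is stored on x86
    head, body = packet[:HEADER_BYTES], bytearray(packet[HEADER_BYTES:])
    full = len(body) - len(body) % KEY_BYTES
    for off in range(0, full, KEY_BYTES):          # whole DWORDs
        (word,) = struct.unpack_from("<I", body, off)
        struct.pack_into("<I", body, off, word ^ key)
    for off in range(full, len(body)):             # remainder, byte by byte
        body[off] ^= key_bytes[off - full]
    return head + bytes(body)


def recover_key(plaintext: bytes, ciphertext: bytes) -> int:
    """Recover the 4-byte key from one known plaintext/ciphertext pair.

    ciphertext XOR plaintext over the first DWORD of the body is exactly the
    key stream, which for a 4-byte repeating key is the key itself.
    """
    need = HEADER_BYTES + KEY_BYTES
    if len(plaintext) != len(ciphertext) or len(plaintext) < need:
        raise ValueError("need a matching pair with at least one full DWORD of body")
    p = plaintext[HEADER_BYTES:need]
    c = ciphertext[HEADER_BYTES:need]
    return struct.unpack("<I", bytes(a ^ b for a, b in zip(p, c)))[0]


# Constructed sample: a 2-byte little-endian length header followed by a made-up 11-byte body
SAMPLE_PLAIN = struct.pack("<H", 13) + b"MOVE\x10\x00\x20\x00\x01\x02\x03"
SAMPLE_KEY = 0x1A2B3C4D   # constructed key, stands in for whatever the server hands out


def demo() -> bytes:
    """Encrypt, decrypt, and recover the key; returns the ciphertext."""
    cipher = xor_codec(SAMPLE_PLAIN, SAMPLE_KEY)
    assert cipher[:HEADER_BYTES] == SAMPLE_PLAIN[:HEADER_BYTES]   # header untouched
    assert xor_codec(cipher, SAMPLE_KEY) == SAMPLE_PLAIN          # round trip
    assert recover_key(SAMPLE_PLAIN, cipher) == SAMPLE_KEY        # key from known plaintext
    return cipher


if __name__ == "__main__":
    print(demo().hex(" "))
```

The practical point of recover_key is that the "I did not trace how the key arrives" gap does not matter for decoding a capture: any packet whose plaintext you already know (a login or heartbeat you built yourself, for instance) yields the current key, and the post says it stays constant until you change scene.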
The method above is pretty tiring! Now let's talk about patching the client locally (for those who are familiar with FPE and similar tools)
to make a helper plug-in (auto-heal HP, auto-restore MP, no weight limit, etc.).
HP's address is not fixed, so I first use Jinshan Ranger to find the current address,
then set a breakpoint on that address in SoftICE; SoftICE should break immediately,
and you will see mov DWORD PTR ds:[eax+ecx*8+eb4],edi.
In the client this instruction sits at 0x4b2c74.
You can change the game's code flow:
replace mov DWORD PTR ds:[eax+ecx*8+eb4],edi
with E9 xx xx xx xx 90 90,
a JMP to a free address in the process between .rsrc and .data.
At the address (xx xx xx xx) + 0x4b2c74 + 5 write MOV [Y], EDI (store EDI to a fixed address Y of your choosing),
followed by the original MOV DWORD PTR ds:[eax+ecx*8+eb4],edi,
followed by another E9 ZZ ZZ ZZ ZZ,
with ZZ ZZ ZZ ZZ set so that it jumps back to the instruction after the original MOV DWORD PTR DS:[EAX+ECX*8+EB4],EDI,
which is at 0x4b2c7b.
That way HP's address is fixed: just read Y to know the HP.
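As an added example (mine, not the original post's), here is the patch arithmetic above worked out in Python: it builds the 7 bytes written at 0x4b2c74, the code cave (mov [Y], edi, then the displaced original instruction, then the jmp back to 0x4b2c7b) and checks that each E9 lands where intended. The encoding of the original instruction, 89 BC C8 B4 0E 00 00 (7 bytes, which is why the post's return point is 0x4b2c74 + 7 = 0x4b2c7b), assumes eb4 is the displacement 0xEB4; the cave address and the save slot Y are hypothetical placeholders.

```python
import struct

HOOK_ADDR = 0x4B2C74                    # from the post: where the mov sits in the client
# mov dword ptr [eax+ecx*8+0xEB4], edi  = 89 /r, ModRM BC, SIB C8, disp32 -> 7 bytes,
# so the instruction after it is at HOOK_ADDR + 7 = 0x4B2C7B (assumes eb4 means 0xEB4)
ORIG_INSN = b"\x89\xBC\xC8\xB4\x0E\x00\x00"
CAVE_ADDR = 0x4C9F00                    # hypothetical free space between .rsrc and .data
SLOT_ADDR = 0x4CA000                    # hypothetical fixed address "Y" that will hold HP
JMP_LEN = 5                             # E9 rel32 is 1 opcode byte + 4 displacement bytes


def rel32(src: int, dst: int) -> bytes:
    """Displacement for a jmp rel32 at src: target minus the address of the next instruction."""
    return struct.pack("<i", dst - (src + JMP_LEN))


def build_patch(hook=HOOK_ADDR, orig=ORIG_INSN, cave=CAVE_ADDR, slot=SLOT_ADDR):
    """Return {address: bytes} for the two writes the post describes."""
    pad = len(orig) - JMP_LEN
    if pad < 0:
        raise ValueError("the instruction being replaced must be at least 5 bytes long")
    # 1. at the hook: E9 xx xx xx xx, padded with NOPs to cover the whole original instruction
    hook_bytes = b"\xE9" + rel32(hook, cave) + b"\x90" * pad
    # 2. in the cave: mov [slot], edi  (89 3D imm32) ...
    cave_bytes = b"\x89\x3D" + struct.pack("<I", slot)
    # ... then the displaced original instruction ...
    cave_bytes += orig
    # ... then E9 ZZ ZZ ZZ ZZ back to the instruction right after the original one
    cave_bytes += b"\xE9" + rel32(cave + len(cave_bytes), hook + len(orig))
    return {hook: hook_bytes, cave: cave_bytes}


def jmp_target(addr: int, code: bytes) -> int:
    """Decode an E9 rel32 at addr and return where it lands (sanity check on the patch)."""
    if code[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    return addr + JMP_LEN + struct.unpack_from("<i", code, 1)[0]


def verify_patch(patch=None) -> bool:
    """True if the hook jumps into the cave and the cave jumps back to 0x4B2C7B."""
    patch = patch or build_patch()
    hook, cave = patch[HOOK_ADDR], patch[CAVE_ADDR]
    back = len(cave) - JMP_LEN            # offset of the return jmp inside the cave
    return (jmp_target(HOOK_ADDR, hook) == CAVE_ADDR
            and jmp_target(CAVE_ADDR + back, cave[back:]) == HOOK_ADDR + len(ORIG_INSN))


if __name__ == "__main__":
    for addr, data in build_patch().items():
        print(f"{addr:08X}: {data.hex(' ')}")
    print("ok" if verify_patch() else "BAD")
```

Two caveats when you actually apply this: the cave must be inside a region that is mapped and executable at run time (section slack between .rsrc and .data is only usable if that page is executable), and if you write the patch into the file on disk rather than into the running process, convert the virtual addresses to file offsets first, since the displacements are computed from the addresses the code will have once loaded.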