VB plug-ins from scratch (10)

Source: Internet
Author: User
I spent the whole night before playing with the packets, so this is the first time I am talking about my findings (and also my first time working with the packets).
I did not capture the packets directly with WPE, because the Kingsoft game itself has protective measures against packet capture (as MM said); I could not get the packets directly with WPE, and later captured them while debugging in OllyDbg.
Once the plaintext packet has been assembled, the client is ready to encrypt it. The encryption method takes a 4-byte number and XORs it over the packet; when the computation is done, the result is sent out directly. I compared the data captured with WPE against the computed result and they were exactly the same, which shows that XORing the packets with that 4-byte number is enough to recover the plaintext packets.
To put it bluntly, that 4-byte number is the encryption key used each time, the one the server recognizes. As for how to obtain these 4 bytes: the 4-byte key does not change.
Likewise, the data returned by the server is processed with a 4-byte XOR. When the client decrypts a packet, it takes the server's 4-byte key and recovers the plaintext packet.
Now for the encryption and decryption process of the packets.
Send:
1. Build the plaintext packet
2. Take the 4-byte Send key
3. XOR the packet with the 4-byte key (leaving the first two bytes untouched), then XOR any remaining tail of fewer than 4 bytes byte by byte
4. Send
Recv:
1. Receive the packet
2. Take the 4-byte Recv key
3. XOR the packet with the 4-byte key (leaving the first two bytes untouched), then XOR any remaining tail of fewer than 4 bytes byte by byte
4. Parse the plaintext packet
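As an added example (not code from the original post), here is the packet transform described in the two lists above in Python. It assumes the 4-byte key is little-endian, that "the first two" means the first two bytes of the packet, and that a tail shorter than 4 bytes is XORed with the leading bytes of the key; it also shows why a fixed XOR key is obfuscation rather than encryption.

```python
import struct

HEADER_LEN = 2  # bytes left in the clear ("retain the first two"), assumed to be a header


def xor_packet(packet: bytes, key: int) -> bytes:
    """Apply the fixed 4-byte XOR over a packet body.

    XOR is its own inverse, so the same call performs both the Send
    encryption and the Recv decryption described in the write-up.
    """
    key_bytes = struct.pack("<I", key & 0xFFFFFFFF)  # little-endian key (assumption)
    header, body = packet[:HEADER_LEN], packet[HEADER_LEN:]
    out = bytearray(header)
    # Whole dwords are XORed with all 4 key bytes; zip() truncates for a
    # 1-3 byte tail, giving the byte-by-byte step with the leading key bytes.
    for i in range(0, len(body), 4):
        chunk = body[i:i + 4]
        out += bytes(b ^ k for b, k in zip(chunk, key_bytes))
    return bytes(out)


def recover_key(ciphertext: bytes, plaintext: bytes) -> int:
    """One known plaintext packet reveals a fixed XOR key outright.

    ciphertext XOR plaintext == key for every dword, which is why this
    scheme hides nothing from anyone who knows one packet's contents.
    """
    c = ciphertext[HEADER_LEN:HEADER_LEN + 4]
    p = plaintext[HEADER_LEN:HEADER_LEN + 4]
    return struct.unpack("<I", bytes(a ^ b for a, b in zip(c, p)))[0]


if __name__ == "__main__":
    # Constructed sample: 2-byte header followed by an 11-byte body (3-byte tail).
    sample = b"\x00\x0b" + b"hello world"
    sample_key = 0xDEADBEEF
    wire = xor_packet(sample, sample_key)
    print(wire.hex())
    print(xor_packet(wire, sample_key) == sample, hex(recover_key(wire, sample)))
```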
The above method is quite tiring! Let's talk about making local plug-ins instead (using FPE and other software everyone is familiar with).
Auxiliary plug-ins (automatic HP, automatic MP, no load, etc.)
The HP address is not fixed. I use Kingsoft Ranger to find the current address first, then set a breakpoint on that address in SoftICE. SoftICE should break immediately, and you will see mov dword ptr ds:[EAX+ECX*8+EB4], EDI; in the client this instruction is at 0x4B2C74. You can then modify the game process,
