packet encryption

[jamsb123]

how i can find the recv decrypted packets?

i tried to follow them but not helped.

 

 

 

[atom0s]

You can try doing this:

1. Set a breakpoint on recv / recvfrom (depending on how they obtain the packets if they are using winsock).
   
2. When the breakpoint is hit, allow the function to obtain the packet.
   
3. Before recv returns, set a breakpoint at the start of the received buffer (hardware on access) or something on that line.
   
4. Let the code continue running until something else attempts to access the buffer. 
   

Doing so may land up finding the function that handles the decryption of the packet buffer. 

[jamsb123]

i found it but the packet is like in ebp i pressed f8 to follow then the packet is gone.

[atom0s]

The pointer to the buffer is passed as a parameter, so depending on how the application handles the buffer, it may deleted it immediately after using it. So you may have to do some on the fly debugging to ensure you can find what hits it.

Step by step of something I would try:

1. Set a breakpoint on recv / recvfrom.
   
2. Follow the proper argument for the buffer in the memory view of OllyDbg to see the allocated buffer for the packet being received.
   
3. When hit, step instruction by instruction until the function is about to return.
   
4. Just before you allow the function to return, in the memory view, set a hardware breakpoint on access to the first byte of the packet buffer.
   
5. Then let the program run.
   

Keep in mind, recv/recvfrom allow you to pass no buffer pointer to obtain the size of the packet that is being received. So the call may not include a buffer. In that case you just need to wait for it to be called again and do the same thing.

 

You could also trace back from the call of recv/recvfrom via the callstack to see where it was called from. The function calling it may be of use.

[jamsb123]

Thanks for your help. I will try it.

[jamsb123]

Followed the packet till POP EBX then the packet is gone what i can do now

 

 

/edit followed now MOV ECX,DWORD PTR DS:[11F5618] then packet is gone i think it going to 11F5618

 

how to follow them.

Edited August 23, 2014 by jamsb123

[atom0s]

You can also try doing this:

1. Set a breakpoint on the function being called to receive the packet. (recv / recvfrom)
   
2. When the breakpoint is hit, follow the return address in the stack.
   
   1. You may need to follow multiple times until you are within the executable / module of the target you are debugging.
      
   
   
3. Look at the arguments pushed for the call to the receive function.
   

You should be able to determine which argument is the pointer to the buffer to receive the data. For example:

.text:100C8763                 mov     eax, [esi+250h]

.text:100C8769                 mov     ecx, [esi+254h]

.text:100C876F                 sub     ecx, eax

.text:100C8771                 push    0               ; flags

.text:100C8773                 lea     edx, [eax+esi+258h]

.text:100C877A                 push    ecx             ; len

.text:100C877B                 push    edx             ; buf

.text:100C877C                 push    edi             ; socket

.text:100C877D                 call    ds:recv

.text:100C8783                 test    eax, eax

[jamsb123]

yea but the problem is here

MOV ECX,DWORD PTR DS:[11F5618] THE PACKET is going to 11F5618 but how i can go to the adress?

[atom0s]

If you are using OllyDbg, just click into the memory window area, then press Ctrl+G in the window that pops up, enter the address 11F5618 and click ok.

It will follow that address in the memory dump which will be the buffer of the packet.

[jamsb123]

 

i followeed to the adress after i pressed F8 on the MOV EAX but its only a D here?

[jamsb123]

can you not help me?