Jump to content
Tuts 4 You

packet encryption


Recommended Posts

You can try doing this:

  1. Set a breakpoint on recv / recvfrom (depending on how they obtain the packets if they are using winsock).
  2. When the breakpoint is hit, allow the function to obtain the packet.
  3. Before recv returns, set a breakpoint at the start of the received buffer (hardware on access) or something on that line.
  4. Let the code continue running until something else attempts to access the buffer. 

Doing so may land up finding the function that handles the decryption of the packet buffer. 

  • Like 1
Link to comment

The pointer to the buffer is passed as a parameter, so depending on how the application handles the buffer, it may deleted it immediately after using it. So you may have to do some on the fly debugging to ensure you can find what hits it.

Step by step of something I would try:

  1. Set a breakpoint on recv / recvfrom.
  2. Follow the proper argument for the buffer in the memory view of OllyDbg to see the allocated buffer for the packet being received.
  3. When hit, step instruction by instruction until the function is about to return.
  4. Just before you allow the function to return, in the memory view, set a hardware breakpoint on access to the first byte of the packet buffer.
  5. Then let the program run.

Keep in mind, recv/recvfrom allow you to pass no buffer pointer to obtain the size of the packet that is being received. So the call may not include a buffer. In that case you just need to wait for it to be called again and do the same thing.


You could also trace back from the call of recv/recvfrom via the callstack to see where it was called from. The function calling it may be of use.

Link to comment

Followed the packet till POP EBX then the packet is gone what i can do now :o



/edit followed now MOV ECX,DWORD PTR DS:[11F5618] then packet is gone i think it going to 11F5618


how to follow them.

Edited by jamsb123
Link to comment

You can also try doing this:

  1. Set a breakpoint on the function being called to receive the packet. (recv / recvfrom)
  2. When the breakpoint is hit, follow the return address in the stack.
    1. You may need to follow multiple times until you are within the executable / module of the target you are debugging.

  3. Look at the arguments pushed for the call to the receive function.

You should be able to determine which argument is the pointer to the buffer to receive the data. For example:

.text:100C8763                 mov     eax, [esi+250h]
.text:100C8769                 mov     ecx, [esi+254h]
.text:100C876F                 sub     ecx, eax
.text:100C8771                 push    0               ; flags
.text:100C8773                 lea     edx, [eax+esi+258h]
.text:100C877A                 push    ecx             ; len
.text:100C877B                 push    edx             ; buf
.text:100C877C                 push    edi             ; socket
.text:100C877D                 call    ds:recv
.text:100C8783                 test    eax, eax
Link to comment

If you are using OllyDbg, just click into the memory window area, then press Ctrl+G in the window that pops up, enter the address 11F5618 and click ok.

It will follow that address in the memory dump which will be the buffer of the packet.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...