MD5 Scan/Cypt/Init

[JackODoo]

Hi guys, cyberdwak posted these offsets for PB (yes they still work):

Quote:

MD5_Scan: dwPbclBase + 0x11D0
MD5Init: MD5_Scan - 0x44
MD5Crypt: MD5_Scan + 0x1B9

This is what i have found in IDA (In order):

Code:

int __cdecl sub_4011D0(SOCKET s, u_short hostshort, const char *cp)
bool __cdecl sub_40122B(SOCKET s)

Didn't find the third one yet though.
Anyways, whenever i try to hook the MD5Scan / MD5Init, i keep crashing. Is there a way to hook it succesfully and then alter the socket / strings etc?

Thanks!

P.S. There seems to be MD5 Update at 0x21D0, but the strings are encrypted i think, all it outputs is your GUID with a load of crap right after it ..

[CyberDwak]

MD5Init is small and should look something like this:

PHP Code:

.text:0040218D MD5Init         proc near               ; CODE XREF: sub_4023D1+1Dp
.text:0040218D                                         ; sub_40267B+28p ...
.text:0040218D
.text:0040218D arg_0           = dword ptr  4
.text:0040218D
.text:0040218D                 mov     eax, [esp+arg_0]
.text:00402191                 mov     edx, eax
.text:00402193                 imul    edx, 0Bh
.text:00402196                 add     edx, 67452301h
.text:0040219C                 mov     [ecx+6Ch], edx
.text:0040219F                 mov     edx, eax
.text:004021A1                 and     dword ptr [ecx+68h], 0
.text:004021A5                 imul    edx, 47h
.text:004021A8                 and     dword ptr [ecx+64h], 0
.text:004021AC                 sub     edx, 10325477h
.text:004021B2                 mov     [ecx+70h], edx
.text:004021B5                 mov     edx, eax
.text:004021B7                 imul    eax, 61h
.text:004021BA                 imul    edx, 25h
.text:004021BD                 sub     edx, 67452302h
.text:004021C3                 add     eax, 10325476h
.text:004021C8                 mov     [ecx+74h], edx
.text:004021CB                 mov     [ecx+78h], eax
.text:004021CE                 retn    4
.text:004021CE MD5Init         endp 


Then MD5Update is right Under it:

PHP Code:


.text:004021D1 ; int __stdcall MD5Update(int a1,int a2)
.text:004021D1 MD5Update       proc near               ; CODE XREF: MD5Final+2Ep
.text:004021D1                                         ; sub_4023D1+2Cp ...
.text:004021D1
.text:004021D1 CurrentOffset   = dword ptr -40h
.text:004021D1 a1              = dword ptr  8
.text:004021D1 a2              = dword ptr  0Ch
.text:004021D1
.text:004021D1                 push    ebp
.text:004021D2                 mov     ebp, esp
.text:004021D4                 sub     esp, 40h
.text:004021D7                 push    esi
.text:004021D8                 mov     esi, ecx
.text:004021DA                 mov     ecx, [esi+64h]
.text:004021DD                 push    edi
.text:004021DE                 mov     edi, [ebp+a2]
.text:004021E1                 mov     eax, ecx
.text:004021E3                 shr     eax, 3
.text:004021E6                 lea     edx, [ecx+edi*8]
.text:004021E9                 and     eax, 3Fh
.text:004021EC                 cmp     edx, ecx
.text:004021EE                 jnb     short loc_4021F3
.text:004021F0                 inc     dword ptr [esi+68h]
.text:004021F3
.text:004021F3 loc_4021F3:                             ; CODE XREF: MD5Update+1Dj
.text:004021F3                 mov     ecx, edi
.text:004021F5                 shr     ecx, 1Dh
.text:004021F8                 add     [esi+68h], ecx
.text:004021FB                 test    edi, edi
.text:004021FD                 mov     [esi+64h], edx
.text:00402200                 jz      short loc_402258
.text:00402202                 mov     [ebp+a2], edi
.text:00402205                 mov     edi, [ebp+a1]
.text:00402208                 push    ebx
.text:00402209
.text:00402209 loc_402209:                             ; CODE XREF: MD5Update+84j
.text:00402209                 mov     cl, [edi]
.text:0040220B                 mov     [esi+eax+7Ch], cl
.text:0040220F                 inc     eax
.text:00402210                 inc     edi
.text:00402211                 cmp     eax, 40h
.text:00402214                 jnz     short loc_402252
.text:00402216                 xor     ecx, ecx
.text:00402218                 lea     eax, [esi+7Eh]
.text:0040221B
.text:0040221B loc_40221B:                             ; CODE XREF: MD5Update+6Ej
.text:0040221B                 movzx   ebx, byte ptr [eax-1]
.text:0040221F                 xor     edx, edx
.text:00402221                 mov     dh, [eax+1]
.text:00402224                 mov     dl, [eax]
.text:00402226                 add     eax, 4
.text:00402229                 shl     edx, 8
.text:0040222C                 or      edx, ebx
.text:0040222E                 movzx   ebx, byte ptr [eax-6]
.text:00402232                 shl     edx, 8
.text:00402235                 or      edx, ebx
.text:00402237                 mov     [ebp+ecx*4+CurrentOffset], edx
.text:0040223B                 inc     ecx
.text:0040223C                 cmp     ecx, 10h
.text:0040223F                 jb      short loc_40221B
.text:00402241                 lea     eax, [ebp+CurrentOffset]
.text:00402244                 push    eax             ; CurrentSize
.text:00402245                 lea     eax, [esi+6Ch]
.text:00402248                 push    eax             ; BaseAddress
.text:00402249                 mov     ecx, esi
.text:0040224B                 call    ScanMem
.text:00402250                 xor     eax, eax
.text:00402252
.text:00402252 loc_402252:                             ; CODE XREF: MD5Update+43j
.text:00402252                 dec     [ebp+a2]
.text:00402255                 jnz     short loc_402209
.text:00402257                 pop     ebx
.text:00402258
.text:00402258 loc_402258:                             ; CODE XREF: MD5Update+2Fj
.text:00402258                 pop     edi
.text:00402259                 pop     esi
.text:0040225A                 leave
.text:0040225B                 retn    8
.text:0040225B MD5Update       endp 


And MD5Final is Under MD5Update:

PHP Code:


.text:0040225E MD5Final        proc near               ; CODE XREF: sub_4023D1+33p
.text:0040225E                                         ; sub_40267B+58p ...
.text:0040225E
.text:0040225E CurrentOffset   = dword ptr -40h
.text:0040225E var_8           = dword ptr -8
.text:0040225E var_4           = dword ptr -4
.text:0040225E
.text:0040225E                 push    ebp
.text:0040225F                 mov     ebp, esp
.text:00402261                 sub     esp, 40h
.text:00402264                 push    esi
.text:00402265                 mov     esi, ecx
.text:00402267                 mov     eax, [esi+64h]
.text:0040226A                 mov     ecx, [esi+68h]
.text:0040226D                 mov     [ebp+var_8], eax
.text:00402270                 shr     eax, 3
.text:00402273                 push    38h
.text:00402275                 mov     [ebp+var_4], ecx
.text:00402278                 and     eax, 3Fh
.text:0040227B                 pop     ecx
.text:0040227C                 cmp     eax, ecx
.text:0040227E                 jl      short loc_402283
.text:00402280                 push    78h
.text:00402282                 pop     ecx
.text:00402283
.text:00402283 loc_402283:                             ; CODE XREF: MD5Final+20j
.text:00402283                 sub     ecx, eax
.text:00402285                 push    ecx             ; a2
.text:00402286                 lea     eax, [esi+21h]
.text:00402289                 push    eax             ; a1
.text:0040228A                 mov     ecx, esi
.text:0040228C                 call    MD5Update
.text:00402291                 xor     ecx, ecx
.text:00402293                 lea     eax, [esi+7Eh]
.text:00402296                 push    ebx
.text:00402297
.text:00402297 loc_402297:                             ; CODE XREF: MD5Final+5Dj
.text:00402297                 movzx   ebx, byte ptr [eax-1]
.text:0040229B                 xor     edx, edx
.text:0040229D                 mov     dh, [eax+1]
.text:004022A0                 mov     dl, [eax]
.text:004022A2                 add     eax, 4
.text:004022A5                 shl     edx, 8
.text:004022A8                 or      edx, ebx
.text:004022AA                 movzx   ebx, byte ptr [eax-6]
.text:004022AE                 shl     edx, 8
.text:004022B1                 or      edx, ebx
.text:004022B3                 mov     [ebp+ecx*4+CurrentOffset], edx
.text:004022B7                 inc     ecx
.text:004022B8                 cmp     ecx, 0Eh
.text:004022BB                 jb      short loc_402297
.text:004022BD                 lea     eax, [ebp+CurrentOffset]
.text:004022C0                 push    eax             ; CurrentSize
.text:004022C1                 lea     eax, [esi+6Ch]
.text:004022C4                 push    eax             ; BaseAddress
.text:004022C5                 mov     ecx, esi
.text:004022C7                 call    ScanMem
.text:004022CC                 push    4
.text:004022CE                 lea     ecx, [esi+0BDh]
.text:004022D4                 lea     eax, [esi+6Eh]
.text:004022D7                 pop     esi
.text:004022D8                 pop     ebx
.text:004022D9
.text:004022D9 loc_4022D9:                             ; CODE XREF: MD5Final+98j
.text:004022D9                 mov     dl, [eax-2]
.text:004022DC                 mov     [ecx-1], dl
.text:004022DF                 mov     dl, [eax-1]
.text:004022E2                 mov     [ecx], dl
.text:004022E4                 mov     dl, [eax]
.text:004022E6                 mov     [ecx+1], dl
.text:004022E9                 mov     dl, [eax+1]
.text:004022EC                 mov     [ecx+2], dl
.text:004022EF                 add     eax, 4
.text:004022F2                 add     ecx, 4
.text:004022F5                 dec     esi
.text:004022F6                 jnz     short loc_4022D9
.text:004022F8                 pop     esi
.text:004022F9                 leave
.text:004022FA                 retn
.text:004022FA MD5Final        endp 


Notice that inside MD5Update there is a function called ScanMem that 'Messiah.' First told me about.

If I was you I would forget about these MD5Update Functions and Focus on that ScanMem Function.
Just Redirect the Scans and your set ...

P.S. This is in both "pbcl.dll" and in "PnkBstrB.exe"

[JackODoo]

Thanks for responding , but i am not focussed on the Scanmem function.
I was more wondering on how to hook any of those MD5 Functions properly without crashing, mind sharing how to do so?
I had already stated some of the offsets, and still u didn't note where MD5 Crypt is ;-)
And btw, your PBCL seems out of date :O

Thanks!

[CyberDwak]

Quote:

Originally Posted by JackODoo

Thanks for responding , but i am not focussed on the Scanmem function.
I was more wondering on how to hook any of those MD5 Functions properly without crashing, mind sharing how to do so?
I had already stated some of the offsets, and still u didn't note where MD5 Crypt is ;-)
And btw, your PBCL seems out of date :O

Thanks!

-.-

This is an old Dissemble of the pbcl file. I cba to do the new ones so you should just find them yourself.
Why don't you find MD5Crypt?

I Can't remember how I logged them. Try a Naked hook Maybe? Or Try not even Hooking at all

[Quicktime]

Quote:

Originally Posted by JackODoo

Thanks for responding , but i am not focussed on the Scanmem function.
I was more wondering on how to hook any of those MD5 Functions properly without crashing, mind sharing how to do so?
I had already stated some of the offsets, and still u didn't note where MD5 Crypt is ;-)
And btw, your PBCL seems out of date :O

Thanks!

Hello,

If your having trouble with code you have written, the first thing to do would be to post that code. You can hook these functions in many ways.

Regards,

- Quicktime

[|KungFuPenguin|]

They each parse the 'this' ptr so if you hook them you must preserve the ecx register before calling your logging function and then restore it before returning.

[zoomgod]

Once you locate them in IDA you could hit F5 and probably get a good function prototype to use.

When you see something like these last 2 lines you can be pretty sure it's a class member as stated above.

Code:

.text:004021D1 push ebp
.text:004021D2 mov ebp, esp
.text:004021D4 sub esp, 40h
.text:004021D7 push esi
.text:004021D8 mov esi, ecx
.text:004021DA mov ecx, [esi+64h]

Keep in mind the offsets change so just because you find some in a post does not mean they are the same now or the same for other games.

So as an example:

Code:

//typedef for orig call
typedef int (WINAPI *LPFN_sub_4011D0)(void* thisPtr, SOCKET s, u_short hostshort, const char *cp)

//hooked function declaration
int WINAPI sub_4011D0(void* thisPtr, SOCKET s, u_short hostshort, const char *cp);

[JackODoo]

Thanks zoomgod, +REP.

[CyberDwak]

Quote:

Originally Posted by zoomgod

Once you locate them in IDA you could hit F5 and probably get a good function prototype to use.

When you see something like these last 2 lines you can be pretty sure it's a class member as stated above.

Code:

.text:004021D1 push ebp
.text:004021D2 mov ebp, esp
.text:004021D4 sub esp, 40h
.text:004021D7 push esi
.text:004021D8 mov esi, ecx
.text:004021DA mov ecx, [esi+64h]

Keep in mind the offsets change so just because you find some in a post does not mean they are the same now or the same for other games.

So as an example:

Code:

//typedef for orig call
typedef int (WINAPI *LPFN_sub_4011D0)(void* thisPtr, SOCKET s, u_short hostshort, const char *cp)

//hooked function declaration
int WINAPI sub_4011D0(void* thisPtr, SOCKET s, u_short hostshort, const char *cp);

Ya Nice... Or you could do:
Easy Classfunction hooking
lol

[zoomgod]

Quote:

Originally Posted by CyberDwak

Ya Nice... Or you could do:
Easy Classfunction hooking
lol

What exactly is your point as I was pointing out how to quickly see it is most likely the member of a class and how to typedef a function to preserve teh "this" pointer which in fact is held in ECX. I don't recall showing him how to hook anything.

BTW, typedef's like I posted can be used with MS detours as well, I do it all the time, for example the "void* thisPtr" becomes "LPDIRECT3DDEVICE9 pDevice" for DIP etc...

"Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime."

[CyberDwak]

Quote:

Originally Posted by zoomgod

What exactly is your point as I was pointing out how to quickly see it is most likely the member of a class and how to typedef a function to preserve teh "this" pointer which in fact is held in ECX. I don't recall showing him how to hook anything.

BTW, typedef's like I posted can be used with MS detours as well, I do it all the time, for example the "void* thisPtr" becomes "LPDIRECT3DDEVICE9 pDevice" for DIP etc...

"Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime."

I Was just going through Threads on UC and I found that one and decided to post it here... lol.

Thought that maybe it would help someone here.

lol... I'ma stab u for going all 'wize grazhuppa' on meh!

[zoomgod]

Quote:

Originally Posted by CyberDwak

I Was just going through Threads on UC and I found that one and decided to post it here... lol.

Thought that maybe it would help someone here.

lol... I'ma stab u for going all 'wize grazhuppa' on meh!

Be careful with those "lol" you add on then end and sorry if I had a PMS (Message Posting Syndrome) moment as I get conveniently dyslexic at times

[Anddos]

Quote:

Originally Posted by JackODoo

Hi guys, cyberdwak posted these offsets for PB (yes they still work):



This is what i have found in IDA (In order):

Code:

int __cdecl sub_4011D0(SOCKET s, u_short hostshort, const char *cp)
bool __cdecl sub_40122B(SOCKET s)

Didn't find the third one yet though.
Anyways, whenever i try to hook the MD5Scan / MD5Init, i keep crashing. Is there a way to hook it succesfully and then alter the socket / strings etc?

Thanks!

P.S. There seems to be MD5 Update at 0x21D0, but the strings are encrypted i think, all it outputs is your GUID with a load of crap right after it ..

I think i remember there is a tool called where you can hook send/sendto calls and you can change the data at runtime, i remeber some guy talking to me about when he was using it for online casino stuff..wpepro09x.zip is the filename, you just need to google it

here is a screenshot so you know what the program looks like

[Quicktime]

Quote:

Originally Posted by Anddos

I think i remember there is a tool called wespro where you hook send/sendto calls and you can change the data at runtime, i remeber some guy talking to me about when he was using it for online casino stuff..

Hello,

WPE* Pro is an old and deprecated application in my opinion, there exists better alternatives (one of which was developed in this forum if memory serves me correct, try searching for Max Power's threads). Wireshark is also a nice application.

Anyway, punk-buster traffic is encrypted as far as I know, one would have to hook before send/sendto in order to decipher the encryption. Depending on what you are trying to accomplish, hooking those winsock functions may or may not be useful. I wonder how punk-buster handles IPC?

Regards,

- Quicktime

[zoomgod]

Quote:

Originally Posted by Quicktime

Hello,

WPE* Pro is an old and deprecated application in my opinion, there exists better alternatives (one of which was developed in this forum if memory serves me correct, try searching for Max Power's threads). Wireshark is also a nice application.

Anyway, punk-buster traffic is encrypted as far as I know, one would have to hook before send/sendto in order to decipher the encryption. Depending on what you are trying to accomplish, hooking those winsock functions may or may not be useful. I wonder how punk-buster handles IPC?

Regards,

- Quicktime

Traffic to/from servers is encrypted. They open a socket on localhost to communicate with services. There is also a named pipe to the kernel driver I believe.

[Quicktime]

Quote:

Originally Posted by zoomgod

Traffic to/from servers is encrypted. They open a socket on localhost to communicate with services. There is also a named pipe to the kernel driver I believe.

Hey,

That's what I was guessing, I wonder if the localhost data is encrypted! Might be fun to play with...

Regards,

- Quicktime

[zoomgod]

I should have said obfuscated before someone corrects me. If encryption to them is XOR with static constants then it's not going to be a challenge. You only need to mouse over in IDA to get their "key" values

I've drawn the conclusion that their goal has changed to become the world record holder for the number of XOR ops in a single dll. In addition they have decided that hiding the word "summon" is important as seen below.

Code:

.text:13991895 sub_13991895    proc near               ; DATA XREF: sub_139D9D31+2371o
.text:13991895                 mov     al, byte_13A1DF05
.text:1399189A                 mov     cl, al
.text:1399189C                 xor     cl, 60h
.text:1399189F                 mov     byte_13A22FA0, cl  
.text:139918A5                 mov     cl, byte_13A1DF07
.text:139918AB                 mov     dl, cl
.text:139918AD                 xor     dl, 0F1h
.text:139918B0                 mov     byte_13A22FA1, dl 
.text:139918B6                 mov     dl, byte_13A1DF08
.text:139918BC                 xor     cl, 0E9h
.text:139918BF                 xor     dl, 9Ch
.text:139918C2                 mov     byte_13A22FA3, cl
.text:139918C8                 mov     cl, byte_13A1DF04
.text:139918CE                 mov     byte_13A22FA2, dl
.text:139918D4                 mov     dl, cl
.text:139918D6                 xor     al, 7Dh
.text:139918D8                 xor     dl, 0CCh
.text:139918DB                 xor     cl, 0A3h
.text:139918DE                 mov     byte_13A22FA5, al
.text:139918E3                 mov     byte_13A22FA4, dl
.text:139918E9                 mov     dword_13A230A0, 6
.text:139918F3                 mov     byte_13A22FA6, cl
.text:139918F9                 mov     eax, offset byte_13A22FA0
.text:139918FE                 retn
.text:139918FE sub_13991895    endp