[Reposted] Analysis of the Lianzhong Upgrade (Shengji, also known as Tractor) protocol
Cloud Network (Jimzj@21cn.com)
I remember that when I first got to university everyone was playing cards, and I imagine many people have had the same experience; that is when I learned to play Upgrade (Tractor).
For the last two years I have been hooked on it, but since starting work it has been hard to find partners, and even when I do find some, we can't play the way we used to.
Fortunately I came across Upgrade on the Internet, huh, so I no longer need to round people up; I can play with other people online.
I have said all this without getting to the point, which was not my intention.
As for writing an external plug-in (外挂), I had not done it before, and since I have little time I did not want to go hunting for related websites on the Internet.
If you have material in this area, feel free to share it with everyone.
First, data acquisition. For an external plug-in, the first thing to discuss is how to get hold of the game's data:
1. Action games: you can send mouse and keyboard messages to the game window, or call its APIs, so that the character in the game moves or attacks. This applies to local (single-machine) games and has been covered extensively on the Internet, so I will not repeat it here.
2. Intercepting messages: use hooking to obtain the data related to the game, then do with it whatever you like :).
3. Intercepting the socket calls: replace Winsock.dll or Winsock32.dll with a DLL of our own whose exported functions match the originals exactly, that is, the same return type, the same parameters and the same parameter order, and which calls the real Winsock32.dll from inside each replacement function.
When the game runs it calls our DLL, which processes the data and then jumps into the real DLL through the function address obtained from it.
That way we can handle the data ourselves; however, each replacement has to be written by hand, for example:
    void *pSocketFun = GetProcAddress(i, "WSAStartup");          // i is the HMODULE of the real Winsock DLL
    WSAStartup1 = (int (__stdcall *)(WORD, LPWSADATA))pSocketFun; // forward through a correctly typed pointer
There are a great many functions in Winsock32.dll, and writing a replacement for every one of them is very tiring; the DLL is also shared by other programs, so a mistake in a single place is not a small problem.
For these reasons I do not think this method is very good.
4. Listening to network packets directly: this method is almost the same technique that sniffers such as CommView use, except that we do not capture at the network layer or below; capturing from the IP layer upward is enough.
Use a raw socket: a raw socket sends and receives raw packets above the IP layer (ICMP, TCP, UDP and so on). Game data is generally not large and is usually carried over TCP.
Lianzhong Upgrade works this way, although the bubble hall uses UDP and carries a larger amount of data. For this method I recommend an article that will be a great help; my thanks to its author (ShadowStar) for such a good article, it helped me a great deal (~_~):
http://web.nyist.net/~shadowstar/essay/security/sniffer1.html
Below is a fragment of my program that receives data and separates the TCP payload from the IP packet:
    ...........
    try
    {
        nIpRevLen = recv(pCtlSocket->m_Socket, cIpRevBuff, MAX_COMMAND_SIZE - 24, 0);
    }
    catch (...)
    {
    }
    if (nIpRevLen == SOCKET_ERROR) continue;
    IP  *p_ip  = (IP *)cIpRevBuff;
    TCP *p_tcp = (TCP *)(cIpRevBuff + IP_HDRLEN(p_ip));
    if (p_ip->dstaddr != pCtlSocket->addr_in.sin_addr.S_un.S_addr) continue;  // this line and the next filter out packets that are not ours
    if (p_ip->protocol != IPPROTO_TCP) continue;
    int nSrcPort = ntohs(p_tcp->srcport);
    if (nSrcPort != PORT_DODZ) continue;
    char *pPackContent = (char *)p_tcp + TCP_HDRLEN(p_tcp);                    // start of the packet payload
    nPackLen = ntohs(p_ip->totallen) - IP_HDRLEN(p_ip) - TCP_HDRLEN(p_tcp);     // payload length; totallen comes from the wire, so check it against nIpRevLen before using it
    ...........
Second, analysis of the data's protocol
Now let's analyze the Lianzhong Upgrade protocol. You can write out the received data yourself, but it is better to use someone else's ready-made tool.
Here I use CommView 3.3 to capture the data; it is very easy to use and I suggest you download a copy and try it. Below is some of the captured data:
0x0000 05 02 00 00 22 00 00 00 00 00 00 00 00 .... ".... ..? ..
0x0010 00 00 00 00 00 00 00 00 00 ................
0x0020 06 00 00 00 67 67 2E 68-74 6D 05 02 00 00 23 00 .... gg.htm .... #.
0x0030 00 00 00 00 00 00 00 00 00 00 .....f .........
0x0050 2E 68 74 6D 6c .html
Faced with data like this I believe nobody can make much of it; I don't doubt some geniuses can read it directly, but I had to analyze someone else's protocol from raw data.
It does give some inspiration, though :). This sounds like I am boasting, sorry...... But protocol analysis has to be combined with actually operating the game; if you cannot play
Upgrade, it is hard to imagine you easily analyzing someone else's protocol. Fortunately I am not bad at it, although Upgrade is only a small part of the data, huh, huh.
We can think of the game as a whole process: log in, enter the game room, find players, deal, bury cards, play cards and finish. Having this process in mind
helps you interpret each piece of data.
I used a very crude method to line this process up with the received data:
1. Start CommView or another packet capture tool and set filter criteria so that only IP/TCP packets whose destination IP is your own machine are captured. Without these conditions the network floods you with packets, and finding the data you want among tens of thousands of packets is far too hard...
2. Then start the game and enter Upgrade (to analyze the protocol I played as slowly as a turtle and lost a lot of points :( ). Note that
while collecting data you should write down the current situation: when the cards were dealt, when trump was called and countered, the score, and the cards played, so that you can match your records against the data; you also have to think about how to play,
which really is not fair to the people playing with you.
3. With the data recorded, the protocol analysis has something to go on. Let's look at the following data first:
0x0000 00 02 00 80 F0 00 00 00 00 00 00 04 00 02 00 ... €? ..........
0x0010 00 00 00 00 63 61 6F 77-65 69 5F 30 30 31 30 00 .... DDDD_0010.
0x0020 11 20 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00. ... DDDD ...
Here you can see DDDD_0010 (the original data was not this; I changed it), which is the same as the name of the player I was playing with, so this can
be taken as the server returning the information of the players at your table;
If you have done socket programming you should know the general structure of a packet; let me list it below:
    Application packet header signature
    Sequence number
    Length of the whole packet
    CRC check (or an accumulating checksum)
    Command word
    Data length
    Data body
Data on the network does not arrive as a whole picture: when a packet is sent out, the other side does not necessarily receive exactly that one packet; often several complete packets arrive together.
Let's look at another packet:
0x0000 10 20 00 80 24 00 00-D9 54 DF 77 01 00 00 00. € $ ... UK ....
0x0010 01 00 00 00 00 00 00 00 00 00 00 ................
0x0020 03 00 00 00 01 00 00 00 00 00 17 71 40 00 ........... q @.
What is the same in these two packets? The first 8 bytes of the header. Can we see the overall structure of a packet from this? Note that data in network format has to be converted to machine format;
if you look in MSDN you will find functions such as ntohl, ntohs, htonl and htons for this, so we have to swap the bytes around here...
Once you understand that, the 80 here is an identifier marking a response packet, and we can see two command words:
80 00 00 02   in hexadecimal: 0x80000002
80 00 20 10   in hexadecimal: 0x80002010
These two commands are different. It can be seen that this protocol has no application header signature; it starts directly with the command word. With the structure above in mind, the next field is naturally
the length. Since the first packet is not complete, we look at the second. A length is normally held in two bytes, but here four bytes are used, i.e. an int value; the length of the second packet is easy to see: 0x24. Assuming the length takes four bytes, the content should be D9 54 .... 71 40 00; 0x24 = 36, and our data is exactly
this long, huh. So now we understand the structure of a packet and are one step closer to success...
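As an added example (not from the article or the Lianzhong client), here is a C reassembler for the frame layout worked out above: a little-endian 4-byte command word, a 4-byte length, then the payload. It handles the situation mentioned earlier, where a single recv() may return several frames or only part of one; the 4096-byte payload bound, the names and the two sample frames are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Frame layout the article infers: 4-byte command word, 4-byte payload length
   (both little-endian, as they appear in the dumps), then the payload. */
#define HDR_LEN 8
#define MAX_PAYLOAD 4096   /* assumed bound; the article gives no maximum */
typedef struct { uint8_t buf[HDR_LEN + MAX_PAYLOAD]; size_t used; } reasm_t;
typedef void (*frame_cb)(uint32_t cmd, const uint8_t *payload, uint32_t len, void *ctx);
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Feed bytes exactly as recv() returns them: a segment may carry several frames or part of one.
   Complete frames go to cb, a partial tail is kept. Returns frames emitted, or -1 on a bad length. */
int reasm_feed(reasm_t *r, const uint8_t *data, size_t n, frame_cb cb, void *ctx) {
    int emitted = 0;
    while (n > 0) {
        size_t room = sizeof r->buf - r->used;
        size_t take = n < room ? n : room;
        memcpy(r->buf + r->used, data, take);
        r->used += take; data += take; n -= take;
        while (r->used >= HDR_LEN) {
            uint32_t len = rd_le32(r->buf + 4);
            if (len > MAX_PAYLOAD) return -1;      /* never trust a wire length blindly */
            if (r->used < HDR_LEN + len) break;    /* wait for the rest of this frame */
            cb(rd_le32(r->buf), r->buf + HDR_LEN, len, ctx);
            emitted++;
            r->used -= HDR_LEN + len; memmove(r->buf, r->buf + HDR_LEN + len, r->used);
        }
    }
    return emitted;
}
/* Demo collector: records each frame's command word and payload length. */
typedef struct { uint32_t cmd[4], len[4]; int count; } seen_t;
static void collect(uint32_t cmd, const uint8_t *p, uint32_t len, void *ctx) {
    seen_t *s = (seen_t *)ctx; (void)p;
    if (s->count < 4) { s->cmd[s->count] = cmd; s->len[s->count] = len; s->count++; }
}
/* Constructed sample: a 0x80002010 frame with 4 payload bytes, then a 0x80000002 frame whose
   20-byte payload is a name field (19 chars max plus terminator), with the second header split. */
int demo_split_delivery(seen_t *s) {
    static const uint8_t seg1[] = { 0x10,0x20,0x00,0x80, 0x04,0x00,0x00,0x00, 0xD9,0x54,0xDF,0x77,
                                    0x02,0x00,0x00,0x80, 0x14,0x00 };
    static const uint8_t seg2[] = { 0x00,0x00, 'D','D','D','D','_','0','0','1','0', 0,0,0,0,0,0,0,0,0,0,0 };
    reasm_t r = { {0}, 0 };
    memset(s, 0, sizeof *s);
    int a = reasm_feed(&r, seg1, sizeof seg1, collect, s);
    int b = reasm_feed(&r, seg2, sizeof seg2, collect, s);
    return (a < 0 || b < 0) ? -1 : a + b;
}
```

Feeding the real capture is a matter of calling reasm_feed() with pPackContent and nPackLen from the raw-socket loop above; frames whose length field is absurd are rejected instead of being used as a copy size.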
At this point everyone can analyze the protocol on their own, so for various reasons I will not analyze the specific role of each command word any further.
But I can tell you that 0x80000002 is the information of all the players, returned by the server after login. Note that when registering a Lianzhong user the login name cannot be
longer than 19 bytes, so a terminator is appended in the packet, making the field 20 bytes.
The above analysis is just a primer, limited by my own level. If there are mistakes, please point them out so we can learn together.
In addition, I have released Upgrade Assistant V1.0 on www.9cbs.net (game category, other types); you can download it, it is completely free. Because of limited time it has not been fully
tested; if you find any bugs, please let me know by email. Thank you!