| Author | Message | Time |
|---|---|---|
| dlStevens | So, I've become quite interested in Reverse Engineering lately, and well, I've come to a problem. I'm fairly new to packet logging so, this answer might be easily found. This is the official client connecting to get the news, this is the very first packet. [code] 0000 00 18 f8 3f 4a b4 00 17 31 46 8b 27 08 00 45 00 ...?J...1F.'..E. 0010 00 30 c6 ef 40 00 80 06 73 30 c0 a8 01 64 79 80 .0..@...s0...dy. 0020 85 1b 0d ee 3d a3 e4 26 b4 0d 00 00 00 00 70 02 ....=..&......p. 0030 ff ff de b1 00 00 02 04 05 b4 01 01 04 02 .............. [/code] This is my replica of it... [code] 0000 00 18 f8 3f 4a b4 00 17 31 46 8b 27 08 00 45 00 ...?J...1F.'..E. 0010 00 30 6d 26 40 00 80 06 cc fa c0 a8 01 64 79 80 .0m&@........dy. 0020 85 1a 10 5a 3d a3 6a f5 20 77 00 00 00 00 70 02 ...Z=.j. w....p. 0030 ff ff e9 0e 00 00 02 04 05 b4 01 01 04 02 .............. [/code] I haven't sent any data yet, or anything so why would the two packet logs be different? Q. If my TCP header differs of the client, will this make a difference? Or is the data that matters? Thanks to whoever replies. - Dale | September 25, 2007, 12:53 AM |
| BreW | No. The header doesn't matter. Are you sure the values in those fields are what you're supposed to be sending? Take more then one packetlog, just to be sure that the data in the first packet is static. If it isn't, you know your problem. | September 25, 2007, 2:42 AM |
| dlStevens | yup, just figured that out, it's not static, so now I have to open up IDA ::) | September 25, 2007, 2:47 AM |
| Yegg | [quote author=Dale link=topic=17049.msg173200#msg173200 date=1190688468] yup, just figured that out, it's not static, so now I have to open up IDA ::) [/quote] Whenever you see weird looking data like that, you should probably assume it is encrypted in whatever method. Since it's encrypted, there's a very high chance that it is definitely not a static value. It will always change. I remember looking at Rise of Nations over a year ago. There were several values (looked like md5 hashes) that were always the same. I was able to determine what some of them were, but not others. I'll have to get back into that stuff some day -- when I have free time which is hard due to school and work. | September 25, 2007, 4:12 AM |
| dlStevens | I haven't completely looked into it yet, but from the quick look I did in IDA it looks like it might be some sort of time stamp, since the data is partly static, and partly not. My guess is that the static part in this situation would be Year, Month, and as of yesterday, the day. the changing would be the hour, minute, second. | September 25, 2007, 12:51 PM |
| Yegg | That timestamp idea sounds possible. Create a filetime of the system time and local time and see how close it is to that of the client's. | September 25, 2007, 2:08 PM |
| dlStevens | You're are correct to my knowledge so far, I'm pretty certain there is some encryption going on even, before I send any real important data. EDIT: I just too about six packet logs, at various different times, there seems to be no difference. I do notice though that the first 4 bytes of the data is static always. | September 25, 2007, 11:24 PM |