360 Games "Ultimate Firepower" "stealth", "instant kill" (spike) and other vulnerability analysis - Vulnerability Warning - Black Bar Safety Net

ID MYHACK58:62201672262
Type myhack58
Reporter CoolCmd
Modified 2016-03-06T00:00:00


0x01 Introduction

Some time ago I posted a patch for a generic D3D game wallhack (perspective) plugin. A friend who had lost money in the stock market was playing Ultimate Firepower out of boredom, and since his skill was too poor to win with nothing but a wallhack, he asked me to build him a proper "killer" plugin. Hence this reverse analysis. My friend has since got over his losses, and the write-up has been sitting on my hard disk, so here it is for everyone's entertainment.

0x02 Preparation

Ultimate Firepower -> [link]
OllyDbg -> [link]
CoolCmd protocol tool -> search online, or download from the official QQ group

0x03 Analysis

1. Getting at the game's plaintext protocol

An online game client and server communicate through protocol packets, so the protocol is the main route for digging up vulnerabilities in online games. Because the packets are normally encrypted, a tool that can be injected into the game and can add, modify and delete plaintext packets directly is essential. The protocol tool used here supports injection past NP, HS, XTRAP, XIGNCODE, TP and the other mainstream anti-cheat systems and works with all kinds of online games (Warcraft, Blade & Soul, LOL and so on, including every in-house game of the domestic market leader Tencent). So for Ultimate Firepower we only need to reverse the encryption interface and write a plugin following the sample code.

The usual, effective ways to recover the plaintext encryption function are:

1) Bottom-up stack backtrace: from the call stack of send, sendto, WSASend, WSASendTo and related APIs, walk back to the encryption function.
2) Top-down from any known plaintext: for example the text of a megaphone message, or the prompt string shown when the conditions for using an item are not met. Search memory for it with CE, then analyse with memory breakpoints. This is especially suited to cases where the lower layer is a VM.

This game is fairly simple, so a stack backtrace is enough.

Disassembly of the encryption function: [screenshot omitted]

Disassembly of the call site of the encryption function: [screenshot omitted]

Prototype of the encryption function (the function-pointer asterisk was lost in extraction and is restored here):

    typedef DWORD (__cdecl *TEncryptProc)(DWORD dwBuff, DWORD dwLen, DWORD dwOut, DWORD dwParamB, DWORD dwParamA);

The plugin's hook handler:

    // Original encryption function, saved when the hook is installed
    static TEncryptProc OldEncrypt;

    DWORD __cdecl NewEncrypt(DWORD dwBuff, DWORD dwLen, DWORD dwOut, DWORD dwParamB, DWORD dwParamA)
    {
        TFilterRet FltRet;
        g_b_SendFill = true;
        // Call the filter interface: it parses the packet number and looks up the CheckBox created for that number
        g_InitIO.Api.FilterOper((char*)dwBuff, dwLen, 2, &FltRet);
        if (FltRet.bVis) {
            if (strlen(FltRet.cName) != 0) {
                g_InitIO.Api.WriteLog("Send plain text", FltRet.cName, (char*)dwBuff, dwLen, 0);
            } else {
                g_InitIO.Api.WriteLog("Send plain text", CN_PUB_DEFHINT, (char*)dwBuff, dwLen, 0);
            }
        }
        // Packet is blocked: return without sending it
        if (!FltRet.bCom) {
            return 1;
        }
        // Otherwise call the original encryption (send) function
        return OldEncrypt(dwBuff, dwLen, dwOut, dwParamB, dwParamA);
    }

Screenshot of the completed integration: [screenshot omitted]

For the detailed integration procedure see the CoolCmd integration tutorial (a game protocol crack with fully compilable plugin source).

2. Stealth vulnerability

After entering a battle scene the client keeps sending the server two packets that carry the character's coordinates.

Coordinate packet A (length 0x2A + 2):

    2A00 02103F00000093CA0000 EEC48442 596C0342 40239A3C 6339000000000000000000000000000000000B02

Coordinate packet B (length 0x1E + 2):

    1E00 0B203F000000CACA000063393C0600000000 EEC48442 596C0342 40239A3C

Some tests:

Modification test: changing the coordinates in the sent packets shows no effect, because the client keeps sending the real coordinates from its own memory to the server. Locating the coordinate data in memory and modifying it directly gets the character pulled back, which shows the server checks for speed hacks and teleporting.

Blocking test:
- Block packet A only: monsters freeze, but not stably.
- Block packet B only: no effect.
- Block both A and B: the character freezes, and stably. (Key point: blocking must begin before the first coordinate packet is sent on entering the scene, otherwise the server kicks the player out of the room.)

Frozen-character behaviour: the server, and therefore all other players, see the cheating character standing at the spawn point, while it can actually roam the whole map and do anything.

What a frozen character makes possible:
- In battle: stealth and killing across the whole map (teammates and enemies alike see the cheater at the spawn point). Effect: [screenshot omitted]
- In hunting dungeon rooms: monsters freeze and the cheater is invincible (the server believes the cheater is at the spawn point, so the monsters are stuck attacking a character that is not there). Effect: [screenshot omitted]
- Stealth bomb planting and defusing (to other players it looks like remote planting and defusing): more interesting in the bandits mode, where you plant the bomb while invisible, sit back and wait, and however many enemies come they are easy to wipe out (anyone who has played CS will understand).

3. Instant-kill ("spike") vulnerability

Just as CPU overclocking can be done by raising the front-side bus or the multiplier, the instant-kill class of vulnerability has two routes:
FSB: modify the character's or the weapon's attack power
Multiplier: modify the attack speed

An intercepted M4 attack packet:

    390041101E000000000000002A270002A08400000200011100000000 8DBE5C42 C2449941 C822D53F 21696142 0740C141 70649B3F 02000000000000

The packet carries ballistic and similar information but no attack power, so damage is evidently computed on the server and modifying the attack power attribute has no effect.

Trying the attack-speed route: the protocol tool's hook point is the encryption interface, and calling the encryption function repeatedly achieves nothing, so we backtrace further up the stack from the encryption function to the shoot function and hook that interface instead, turning one call of the shoot function into N calls (a replay test). It turns out the server performs no strict cooldown check on firing, so N-fold instant-kill damage is achievable.
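As an added example (not from the original article or the CoolCmd tool), these are the server-side checks that would close the two weaknesses found in sections 2 and 3: a client that keeps firing but has stopped reporting its position, and fire packets arriving faster than the weapon cooldown. The sample bytes are the page's own hex dumps; the framing assumed here (2-byte little-endian length prefix equal to total length minus 2, then a type byte, then for coordinate packets three little-endian float32 values at a fixed per-type offset) is an inference from those dumps, and the cooldown and silence thresholds are illustrative values.

```python
import struct

# Sample packets reconstructed from the hex dumps in the article. The framing
# assumed below (2-byte LE length = total length - 2, then a type byte, then for
# coordinate packets three LE float32 values at a fixed offset) is an inference
# from those dumps, not a documented format.
COORD_A = bytes.fromhex("2A0002103F00000093CA0000EEC48442596C034240239A3C6339"
                        + "00" * 16 + "0B02")
COORD_B = bytes.fromhex("1E000B203F000000CACA000063393C0600000000"
                        "EEC48442596C034240239A3C")
ATTACK = bytes.fromhex("390041101E000000000000002A270002A08400000200011100000000"
                       "8DBE5C42C2449941C822D53F216961420740C14170649B3F02000000000000")
COORD_OFFSET = {0x02: 12, 0x0B: 20}   # type byte -> offset of the (x, y, z) floats
ATTACK_TYPE = 0x41                    # type byte of the M4 attack packet (assumed)

def parse(pkt):
    """Return (type byte, (x, y, z) or None); raise on a bad length prefix."""
    plen, ptype = struct.unpack_from("<HB", pkt)
    if plen + 2 != len(pkt):
        raise ValueError("length prefix does not match packet size")
    if ptype in COORD_OFFSET:
        return ptype, struct.unpack_from("<3f", pkt, COORD_OFFSET[ptype])
    return ptype, None

class BattleValidator:
    """Server-side state per client: when it last reported a position and when it
    last fired. Both thresholds are illustrative values, not the game's."""
    def __init__(self, cooldown_s=0.5, silence_s=2.0):
        self.cooldown_s, self.silence_s = cooldown_s, silence_s
        self.last_pos, self.last_shot = {}, {}

    def handle(self, client, pkt, now):
        ptype, pos = parse(pkt)
        if pos is not None:                      # coordinate packet A or B
            self.last_pos[client] = now
            return "ok"
        if ptype != ATTACK_TYPE:
            return "ok"
        # A client that is firing but has not reported a position for a while is
        # exactly the "stuck at spawn" pattern produced by dropping packets A and B.
        if now - self.last_pos.get(client, now) > self.silence_s:
            return "flag:no-position-updates"
        # Enforce the weapon cooldown on the server so that replaying the shoot
        # call N times cannot multiply the damage.
        if now - self.last_shot.get(client, float("-inf")) < self.cooldown_s:
            return "reject:cooldown"
        self.last_shot[client] = now
        return "ok"
```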
