Исходник Информация Black Russia Bypass

Реальный разбор

Первым делом: в Black Russia изменён первый пакет (24). В стандартном SA:MP отправляется 18 69 69, в БР же — 23 42 52 (в ASCII — «#BR»).


1743474820117.png



Все отправляемые пакеты проходят криптование через CAuthentication::EncryptOutcomingData
Ниже приведена функция криптования.

CAuthentication:
// Constructor (decompiled). Sets the vtable, copies a 16-byte constant from the image
// (xmmword_118510) into m_aKey and fixes the parameters the other methods read:
// m_DynamicPass and m_XorKey (ProcessConnectionCookies) and m_PermutateParts
// (EncryptOutcomingData). Every value is a build-time constant; nothing is derived
// from the session or from the peer. m_Tea is keyed here (CTEA::SetKey — presumably a
// TEA cipher context, not visible on this page), but the EncryptOutcomingData listing
// below never references m_Tea or m_aKey.
void __fastcall CAuthentication::CAuthentication(CAuthentication *this)
{
  this->_vptr$Auth = (int (**)(void))&off_8415A8;
  // 16 bytes (_OWORD) copied from a constant stored in the binary.
  *(_OWORD *)this->m_aKey = xmmword_118510;
  this->m_DynamicPass = 98;
  this->m_XorKey = 0x57;
  this->m_PermutateParts = 4;
  CTEA::SetKey(&this->m_Tea, this->m_aKey);
}


// Outbound packet transform (decompiled; the local names and the inlined std::vector
// reallocation are decompiler output). What the visible code does, in order:
//   1. If inLength < m_PermutateParts the payload is copied verbatim (no transform).
//   2. Otherwise the output is [1 header byte][m_PermutateParts index bytes][payload],
//      so *outLength = inLength + m_PermutateParts + 1.
//   3. The payload is split into m_PermutateParts blocks of inLength / m_PermutateParts
//      bytes; output block i receives a source block chosen with rand() (each source
//      block used once), and the chosen source index is recorded in index byte i.
//      Trailing bytes (inLength % m_PermutateParts) keep their original position.
//   4. Every output byte is XORed with the low byte of m_PermutateParts, after which
//      the header byte is overwritten with 27 (0x1b).
// Neither m_aKey nor m_Tea is referenced on this path: the transform is a block
// shuffle plus a constant single-byte XOR, i.e. obfuscation rather than encryption —
// anyone holding the same build-time constants can invert it.
// Parameters: src/inLength — input bytes; dst — output buffer, which the caller must
// size to at least inLength + m_PermutateParts + 1 bytes (nothing here checks it);
// outLength — receives the number of bytes written.
void __fastcall CAuthentication::EncryptOutcomingData(
        CAuthentication *this,
        const unsigned __int8 *src,
        unsigned __int8 *dst,
        size_t inLength,
        size_t *outLength)
{
  size_t m_PermutateParts; // x21
  CAuthentication *v9; // x27
  signed int v10; // w23
  int *v11; // x24
  int *v12; // x19
  int *v13; // x22
  int *v14; // x26
  __int64 v15; // x28
  CAuthentication *v16; // x20
  int v17; // w27
  __int64 v18; // x8
  unsigned __int64 v19; // x9
  unsigned __int64 v20; // x25
  __int64 v21; // x21
  unsigned __int64 v22; // x8
  unsigned __int64 v23; // x23
  __int64 v24; // x0
  signed __int64 v25; // x8
  unsigned __int64 v26; // x8
  int *v27; // x8
  int v28; // t1
  unsigned __int64 v29; // x10
  __int64 v30; // x9
  __int64 v31; // x11
  __int64 v32; // x13
  _OWORD *v33; // x11
  int *v34; // x12
  __int128 v35; // q0
  __int128 v36; // q1
  size_t v37; // x8
  size_t v39; // [xsp+18h] [xbp-48h]
  size_t v40; // [xsp+20h] [xbp-40h]
  const unsigned __int8 *v41; // [xsp+28h] [xbp-38h]
  unsigned __int8 *v42; // [xsp+30h] [xbp-30h]
  std::vector<int> used; // [xsp+40h] [xbp-20h] BYREF
  __int64 v45; // [xsp+58h] [xbp-8h]

  // Stack-protector cookie loaded through the thread pointer (decompiler artifact;
  // presumably TPIDR_EL0 — verify against the binary). Not part of the algorithm.
  v45 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  m_PermutateParts = this->m_PermutateParts;
  // Packets shorter than the number of parts are passed through unchanged: no header
  // byte, no index table, no XOR.
  if ( m_PermutateParts > inLength )
  {
    memcpy(dst, src, inLength);
    *outLength = inLength;
    return;
  }
  v9 = this;
  // Inlined std::vector<int>::vector(): 'used' records the source block indices
  // already drawn, so each block is emitted exactly once.
  memset(&used, 0, sizeof(used));
  // Output layout: dst[0] header, dst[1 .. m_PermutateParts] index table, payload after
  // that. The whole payload is copied first; the blocks are then rewritten in place.
  *outLength = inLength + m_PermutateParts + 1;
  v42 = &dst[m_PermutateParts + 1];
  memcpy(v42, src, inLength);
  v10 = v9->m_PermutateParts;
  if ( v10 )
  {
    v11 = 0LL;
    v12 = 0LL;
    v13 = 0LL;
    v14 = 0LL;
    v15 = 0LL;
    // Block size = inLength / m_PermutateParts (v39 is the int-truncated copy used for
    // the memcpy length); only m_PermutateParts * block-size bytes are moved.
    v40 = inLength / m_PermutateParts;
    v41 = src;
    v39 = (int)(inLength / m_PermutateParts);
    // One iteration per output block; v15 is the output block number.
    while ( 1 )
    {
      v16 = v9;
      // Candidate source block. rand() is the C library PRNG; no seeding is visible
      // here, so the permutation is only as unpredictable as that generator.
      v17 = rand() % v10;
      // Inlined linear scan of 'used': redraw while the candidate was already chosen.
      // The pointer arithmetic is decompiler output; the net effect is a find-in-vector
      // loop that exits to LABEL_5 once v17 is not found.
      if ( v14 != v13 )
      {
        do
        {
          v18 = 0LL;
          v19 = v14 - v13;
          if ( v19 <= 1 )
            v19 = 1LL;
          while ( v17 != v13[v18] )
          {
            if ( v19 == ++v18 )
              goto LABEL_5;
          }
          v13 = v12;
          v17 = rand() % v10;
        }
        while ( v14 != v12 );
        v13 = v12;
      }
LABEL_5:
      // end == capacity: take the inlined push_back reallocation path below.
      if ( v14 == v11 )
        break;
      // push_back fast path: store the index and bump end.
      *v14++ = v17;
      used.__end_ = v14;
LABEL_7:
      // Record the source index in the table (XORed later with the rest of the buffer)
      // and copy source block v17 into output slot v15.
      dst[(unsigned int)(v15 + 1)] = v17;
      memcpy(&v42[v15 * v39], &v41[v17 * (int)v40], v39);
      v10 = v16->m_PermutateParts;
      v9 = v16;
      // All blocks placed.
      if ( v10 <= (unsigned int)++v15 )
        goto LABEL_44;
    }
    // Inlined std::vector<int>::push_back growth: new capacity = max(size + 1,
    // 2 * capacity) subject to the library's max_size cap, allocate, place the new
    // element at index 'size', move the old elements backwards (a 16-byte-wide loop
    // for larger buffers), publish the new buffer and free the old one, then resume
    // at LABEL_7. Nothing below affects the wire format.
    v20 = (char *)v11 - (char *)v12;
    v21 = v11 - v12;
    v22 = v21 + 1;
    if ( (unsigned __int64)(v21 + 1) >> 62 )
      std::vector<int>::__throw_length_error[abi:v170000](&used);
    if ( v20 >> 1 > v22 )
      v22 = v20 >> 1;
    if ( v20 >= 0x7FFFFFFFFFFFFFFCLL )
      v23 = 0x3FFFFFFFFFFFFFFFLL;
    else
      v23 = v22;
    if ( v23 )
    {
      if ( v23 >> 62 )
        std::__throw_bad_array_new_length[abi:v170000]();
      v24 = operator new(4 * v23);
      v13 = (int *)(v24 + 4 * v21);
      v25 = (char *)v11 - (char *)v12;
      *v13 = v17;
      v14 = v13 + 1;
      if ( v11 == v12 )
        goto LABEL_30;
    }
    else
    {
      v24 = 0LL;
      v13 = (int *)(4 * v21);
      v25 = (char *)v11 - (char *)v12;
      *(_DWORD *)(4 * v21) = v17;
      v14 = (int *)(4 * v21 + 4);
      if ( v11 == v12 )
        goto LABEL_30;
    }
    v26 = v25 - 4;
    if ( v26 >= 0xBC )
    {
      v29 = ((char *)(v11 - 1) - (char *)v12) & 0xFFFFFFFFFFFFFFFCLL;
      if ( v24 + v20 - 4 - v29 > v24 + v20 - 4 )
      {
        v27 = v11;
      }
      else if ( (int *)((char *)v11 - v29 - 4) > v11 - 1 )
      {
        v27 = v11;
      }
      else if ( (unsigned __int64)v12 - v24 >= 0x20 )
      {
        v30 = (v26 >> 2) + 1;
        v31 = 4 * (v30 & 0x7FFFFFFFFFFFFFF8LL);
        v32 = v30 & 0x7FFFFFFFFFFFFFF8LL;
        v27 = &v11[v31 / 0xFFFFFFFFFFFFFFFCLL];
        v13 = (int *)((char *)v13 - v31);
        v33 = (_OWORD *)(v24 + 4 * v21 - 16);
        v34 = v11 - 4;
        // Vectorized copy: two 16-byte chunks (8 ints) per iteration, back to front.
        do
        {
          v36 = *((_OWORD *)v34 - 1);
          v35 = *(_OWORD *)v34;
          v34 -= 8;
          v32 -= 8LL;
          *(v33 - 1) = v36;
          *v33 = v35;
          v33 -= 2;
        }
        while ( v32 );
        if ( v30 == (v30 & 0x7FFFFFFFFFFFFFF8LL) )
          goto LABEL_30;
      }
      else
      {
        v27 = v11;
      }
    }
    else
    {
      v27 = v11;
    }
    // Scalar tail of the element move.
    do
    {
      v28 = *--v27;
      *--v13 = v28;
    }
    while ( v27 != v12 );
LABEL_30:
    // Publish the new begin/end/capacity and free the previous buffer.
    v11 = (int *)(v24 + 4 * v23);
    used.__begin_ = v13;
    used.__end_ = v14;
    used.__end_cap_.__value_ = v11;
    if ( v12 )
      operator delete(v12);
    v12 = v13;
    goto LABEL_7;
  }
  // m_PermutateParts == 0: no blocks moved and nothing allocated.
  v12 = 0LL;
LABEL_44:
  // XOR pass over the whole output, header byte included, with the low byte of
  // m_PermutateParts (4 in the constructor above, i.e. key byte 0x04). A fixed
  // single-byte XOR; it does not depend on src, the session or the peer.
  if ( *outLength )
  {
    v37 = 0LL;
    do
      dst[v37++] ^= LOBYTE(v9->m_PermutateParts);
    while ( *outLength > v37 );
  }
  // Written after the XOR pass, so the first byte on the wire is always literally 27
  // (0x1b).
  *dst = 27;
  // Inlined ~vector(): release the index buffer.
  if ( v12 )
    operator delete(v12);
}

Содержимое пакета на выходе будет таким:
1b 06 04 07 05 0c 15 86 f2 (первые 4 байта после 1b идут в случайном порядке, остальные 4 — тоже в случайном порядке)

cbdebeb1-981b-47f9-b14f-25afd7d5c28a.jpg

В ответ получим 1d 00.
Затем формируются куки:
ProcessConnectionCookies:
// Cookie reply (decompiled): two output bytes, each a single-byte XOR of a received
// byte with a per-object constant. The constructor fixes m_XorKey = 0x57 and
// m_DynamicPass = 98, so nothing here depends on the session; pData[0] is not read
// and bytes from pData[5] onwards are untouched.
void __fastcall CAuthentication::ProcessConnectionCookies(CAuthentication *this, unsigned __int8 *pData)
{
  const unsigned __int8 dynamicPass = LOBYTE(this->m_DynamicPass);
  const unsigned __int8 xorKey = this->m_XorKey;
  pData[4] = pData[1] ^ dynamicPass;
  pData[3] = pData[2] ^ xorKey;
}
При отправке куки их тоже нужно криптовать через EncryptOutcomingData.
После отправки куки получаем хэш в authkey.

Все ID пакетов и RPC изменены; в БР ауткей-пакет имеет ID 32.

1743477152491.png


Таким образом мы сможем дойти до 228-го пакета.
5a24da43-ce16-47de-bc5f-f85b31ac31fa.jpg

скрин с прокси.
Чтобы дальше отвечать на пакеты, нужно изменить ID ID_CONNECTION_ATTEMPT_FAILED с 29 на 20.


Список всех ID RPC и пакетов:
ScrMoveObject = 423
ScrSetVehicleZAngle = 332
ScrSetMaxArmour = 384
ScrSetPlayerColor = 371
ScrSetCameraPos = 433
ScrCreateObject = 330
SetRaceCheckpoint = 401
ScrUpdateAudioStream = 421
ScrSetCameraLookAt = 419
ScrVehicleParams = 436
ScrAddGangZone = 409
ScrSetPlayerSkin = 375
UpdateScoresPingsIPs = 360
ScrResetPlayerWeapons = 355
ScrDetachTrailerFromVehicle = 312
ScrFlashGangZone = 310
ConnectionRejected = 350
ServerQuit = 321
ScrSetVehicleVelocity = 348
ScrCustomizeVehicle = 385
Weather = 403
ScrPlayRadioStream = 438
ScrResetMoney = 412
ScrSetPlayerHealth = 404
ScrStopObject = 378
ScrSetVehiclePos = 402
ScrSetVehicleHealth = 352
ScrClearPlayerAnimations = 366
SetActorFacingAngle = 342
ScrSetPlayerArmour = 322
ScrSetMaxHealth = 358
ScrDisableMapIcon = 329
ScmEvent = 399
ScrApplyPlayerAnimation = 411
WorldPlayerDeath = 333
SetCheckpoint = 382
ScrClearActorAnimations = 306
ScrRemovePlayerFromVehicle = 335
ScrTogglePlayerSpectating = 304
ScrStopFlashGangZone = 370
EnterVehicle = 308
WorldActorAdd = 389
ScrSetObjectRotation = 324
ScrSetPlayerPosFindZ = 323
ScrInterpolateCamera = 359
SetActorHealth = 316
InitGame = 377
ScrRemoveComponent = 381
ScrCommonStuff = 343
ScrGivePlayerWeapon = 315
ScrAttachTrailerToVehicle = 396
SetTimeEx = 414
ScrSetPlayerAmmo = 415
ScrHaveSomeMoney = 425
ScrSetPlayerWantedLevel = 429
DialogBoxRPC = 361
ScrSetPlayerVelocity = 356
ScrSetMapIcon = 307
WorldVehicleAdd = 346
ScrDestroyObject = 331
ScrLinkVehicle = 327
ClientMessage = 380
ScrSetPlayerFacingAngle = 432
DamageVehicle = 392
DisableCheckpoint = 334
QueueGame = 325
ScrDestroyWayPoint = 376
ScrSetObjectPos = 407
ScrShowTextDraw = 398
WorldTime = 372
ScrPlayAudioStream = 362
ScrSetPlayerArmed = 379
ScrCreateWayPoint = 383
WorldVehicleRemove = 373
ScrApplyActorAnimation = 400
WorldPlayerRemove = 394
ExitVehicle = 435
DisableRaceCheckpoint = 365
Pickup = 406
ScrSelectTextDraw = 340
ChatBubble = 326
ScrSetInterior = 328
ScrHideTextDraw = 357
ScrCreateExplosion = 391
SetActorPos = 424
WorldActorRemove = 302
ScrPlayerSpectatePlayer = 345
ScrEditTextDraw = 393
ScrPutPlayerInVehicle = 397
Create3DTextLabel = 416
ScrSetSpawnInfo = 314
ScrSetCameraBehindPlayer = 422
ScrSetPlayerPos = 301
DestroyPickup = 405
ScrVehicleParamsEx = 338
ScrTogglePlayerControllable = 413
ScrPlayerSpectateVehicle = 390
SetNpcAttachedObject = 303
ServerJoin = 420
ScrRemoveGangZone = 354
WorldPlayerAdd = 369
RequestSpawn = 410
ScrDisplayGameText = 349
ScrSetPlayerName = 388
ScrSetPlayerAttachedObject = 386
Update3DTextLabel = 417
ScrSetEntityOutline = 427
SendChatMessage = 311
ID_CONNECTION_REQUEST = 16
ID_CONNECTION_REQUEST_ACCEPTED = 35
ID_NEW_INCOMING_CONNECTION = 30
ID_DISCONNECTION_NOTIFICATION = 32
ID_CONNECTION_LOST = 33
ID_PING = 6
ID_PONG = 39
ID_MODIFIED_PACKET = 37
ID_INVALID_PASSWORD = 36
ID_RSA_PUBLIC_KEY_MISMATCH = 36


Ниже приложен обход; команды для Lua-скрипта: /reg — регистрация, /auth — авторизация. Активация ASI автоматическая. За работоспособность сказать не могу — сделан давно.
 
