Реальный разбор
Первым делом: в BlackRussia первый пакет (24) изменён — в стандартном SA-MP отправляется 18 69 69, в БР же 23 42 52 (или же в ASCII #BR).
Все отправляемые пакеты проходят криптование через CAuthentication::EncryptOutcomingData
Ниже приведена функция криптования.
Первым делом: в BlackRussia первый пакет (24) изменён — в стандартном SA-MP отправляется 18 69 69, в БР же 23 42 52 (или же в ASCII #BR).
Все отправляемые пакеты проходят криптование через CAuthentication::EncryptOutcomingData
Ниже приведена функция криптования.
CAuthentication:
// Constructor (decompiler output). Installs the vtable, copies a 16-byte
// static key into m_aKey, fixes the constants read by EncryptOutcomingData
// and ProcessConnectionCookies, and runs the TEA key schedule. Everything
// assigned here is a compile-time constant inside the client binary, so none
// of it is secret from a party holding the binary.
void __fastcall CAuthentication::CAuthentication(CAuthentication *this)
{
// constants consumed by ProcessConnectionCookies
this->m_XorKey = 0x57;
this->m_DynamicPass = 98;
// chunk count (and XOR byte) consumed by EncryptOutcomingData
this->m_PermutateParts = 4;
// vtable pointer
this->_vptr$Auth = (int (**)(void))&off_8415A8;
// 16-byte static key; the value is a constant in the binary's data
*(_OWORD *)this->m_aKey = xmmword_118510;
// TEA key schedule; no use of m_Tea appears in the EncryptOutcomingData listing below
CTEA::SetKey(&this->m_Tea, this->m_aKey);
}
// CAuthentication::EncryptOutcomingData (decompiler output; libc++
// std::vector internals are inlined, which is why the body is so long).
//
// Despite the name this is a reversible obfuscation layer, not encryption:
//   1. src is cut into m_PermutateParts chunks of inLength / m_PermutateParts
//      bytes. The chunks are written to dst[m_PermutateParts + 1 ..] in a
//      random order drawn from rand(), and the source index of each chunk is
//      recorded in dst[1 .. m_PermutateParts].
//   2. Every output byte is XORed with the low byte of m_PermutateParts
//      (a constant, 4 in the constructor).
//   3. dst[0] is set to 27 (0x1b) after the XOR pass, so the marker byte is
//      stored as-is.
// The key material is constant, rand() is not a CSPRNG, and the TEA context
// set up in the constructor is never used here, so this provides neither
// confidentiality nor integrity; a server must not rely on it to tell a
// modified client from an unmodified one.
//
// Contract as visible in the code:
//   src, inLength - input bytes. If inLength < m_PermutateParts the input is
//                   copied to dst verbatim (no marker, no XOR) and the
//                   function returns.
//   dst           - must hold inLength + m_PermutateParts + 1 bytes. No
//                   capacity argument exists and nothing is checked here, so
//                   an undersized dst is an out-of-bounds write; the caller
//                   must size it.
//   outLength     - receives the number of bytes written to dst.
// The trailing inLength % m_PermutateParts bytes are not moved: the whole
// input is memcpy'd first and only the m_PermutateParts whole chunks are
// overwritten afterwards.
void __fastcall CAuthentication::EncryptOutcomingData(
CAuthentication *this,
const unsigned __int8 *src,
unsigned __int8 *dst,
size_t inLength,
size_t *outLength)
{
size_t m_PermutateParts; // x21
CAuthentication *v9; // x27
signed int v10; // w23
int *v11; // x24
int *v12; // x19
int *v13; // x22
int *v14; // x26
__int64 v15; // x28
CAuthentication *v16; // x20
int v17; // w27
__int64 v18; // x8
unsigned __int64 v19; // x9
unsigned __int64 v20; // x25
__int64 v21; // x21
unsigned __int64 v22; // x8
unsigned __int64 v23; // x23
__int64 v24; // x0
signed __int64 v25; // x8
unsigned __int64 v26; // x8
int *v27; // x8
int v28; // t1
unsigned __int64 v29; // x10
__int64 v30; // x9
__int64 v31; // x11
__int64 v32; // x13
_OWORD *v33; // x11
int *v34; // x12
__int128 v35; // q0
__int128 v36; // q1
size_t v37; // x8
size_t v39; // [xsp+18h] [xbp-48h]
size_t v40; // [xsp+20h] [xbp-40h]
const unsigned __int8 *v41; // [xsp+28h] [xbp-38h]
unsigned __int8 *v42; // [xsp+30h] [xbp-30h]
std::vector<int> used; // [xsp+40h] [xbp-20h] BYREF
__int64 v45; // [xsp+58h] [xbp-8h]
// compiler-generated stack-protector canary load (TLS slot); not part of the algorithm
v45 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
m_PermutateParts = this->m_PermutateParts;
// Short input: copied through untouched, no marker and no XOR.
if ( m_PermutateParts > inLength )
{
memcpy(dst, src, inLength);
*outLength = inLength;
return;
}
v9 = this;
// inlined std::vector<int> constructor: begin/end/end_cap zeroed
memset(&used, 0, sizeof(used));
// Output layout: [marker][m_PermutateParts order bytes][payload]; copy the
// whole payload first so the remainder bytes keep their position.
*outLength = inLength + m_PermutateParts + 1;
v42 = &dst[m_PermutateParts + 1];
memcpy(v42, src, inLength);
v10 = v9->m_PermutateParts;
if ( v10 )
{
v11 = 0LL;
v12 = 0LL;
v13 = 0LL;
v14 = 0LL;
v15 = 0LL;
// chunk length; v39 is the (int)-truncated copy used for the memcpy size
v40 = inLength / m_PermutateParts;
v41 = src;
v39 = (int)(inLength / m_PermutateParts);
// One iteration per output chunk; v15 is the output chunk index.
while ( 1 )
{
v16 = v9;
// candidate source chunk index; rand() % n is biased and not cryptographic
v17 = rand() % v10;
// Rejection loop: redraw while the candidate is already in `used`
// (v12 = used.begin, v14 = used.end, v11 = used.end_cap).
if ( v14 != v13 )
{
do
{
v18 = 0LL;
v19 = v14 - v13;
if ( v19 <= 1 )
v19 = 1LL;
while ( v17 != v13[v18] )
{
if ( v19 == ++v18 )
goto LABEL_5;
}
v13 = v12;
v17 = rand() % v10;
}
while ( v14 != v12 );
v13 = v12;
}
LABEL_5:
// used.push_back(v17) fast path: capacity left, append in place;
// otherwise break into the reallocation path below.
if ( v14 == v11 )
break;
*v14++ = v17;
used.__end_ = v14;
LABEL_7:
// Record the order byte and move the chosen source chunk into output slot v15.
dst[(unsigned int)(v15 + 1)] = v17;
memcpy(&v42[v15 * v39], &v41[v17 * (int)v40], v39);
v10 = v16->m_PermutateParts;
v9 = v16;
if ( v10 <= (unsigned int)++v15 )
goto LABEL_44;
}
// used.push_back(v17) slow path (inlined libc++ reallocation): compute the
// new capacity, construct the new element, move the old elements (16-byte
// vectorised copy when the vector is large enough), publish the new
// begin/end/cap and free the old buffer.
v20 = (char *)v11 - (char *)v12;
v21 = v11 - v12;
v22 = v21 + 1;
if ( (unsigned __int64)(v21 + 1) >> 62 )
std::vector<int>::__throw_length_error[abi:v170000](&used);
if ( v20 >> 1 > v22 )
v22 = v20 >> 1;
if ( v20 >= 0x7FFFFFFFFFFFFFFCLL )
v23 = 0x3FFFFFFFFFFFFFFFLL;
else
v23 = v22;
if ( v23 )
{
if ( v23 >> 62 )
std::__throw_bad_array_new_length[abi:v170000]();
v24 = operator new(4 * v23);
v13 = (int *)(v24 + 4 * v21);
v25 = (char *)v11 - (char *)v12;
*v13 = v17;
v14 = v13 + 1;
if ( v11 == v12 )
goto LABEL_30;
}
else
{
v24 = 0LL;
v13 = (int *)(4 * v21);
v25 = (char *)v11 - (char *)v12;
*(_DWORD *)(4 * v21) = v17;
v14 = (int *)(4 * v21 + 4);
if ( v11 == v12 )
goto LABEL_30;
}
v26 = v25 - 4;
if ( v26 >= 0xBC )
{
v29 = ((char *)(v11 - 1) - (char *)v12) & 0xFFFFFFFFFFFFFFFCLL;
if ( v24 + v20 - 4 - v29 > v24 + v20 - 4 )
{
v27 = v11;
}
else if ( (int *)((char *)v11 - v29 - 4) > v11 - 1 )
{
v27 = v11;
}
else if ( (unsigned __int64)v12 - v24 >= 0x20 )
{
v30 = (v26 >> 2) + 1;
v31 = 4 * (v30 & 0x7FFFFFFFFFFFFFF8LL);
v32 = v30 & 0x7FFFFFFFFFFFFFF8LL;
v27 = &v11[v31 / 0xFFFFFFFFFFFFFFFCLL];
v13 = (int *)((char *)v13 - v31);
v33 = (_OWORD *)(v24 + 4 * v21 - 16);
v34 = v11 - 4;
do
{
v36 = *((_OWORD *)v34 - 1);
v35 = *(_OWORD *)v34;
v34 -= 8;
v32 -= 8LL;
*(v33 - 1) = v36;
*v33 = v35;
v33 -= 2;
}
while ( v32 );
if ( v30 == (v30 & 0x7FFFFFFFFFFFFFF8LL) )
goto LABEL_30;
}
else
{
v27 = v11;
}
}
else
{
v27 = v11;
}
// scalar tail of the element move
do
{
v28 = *--v27;
*--v13 = v28;
}
while ( v27 != v12 );
LABEL_30:
v11 = (int *)(v24 + 4 * v23);
used.__begin_ = v13;
used.__end_ = v14;
used.__end_cap_.__value_ = v11;
if ( v12 )
operator delete(v12);
v12 = v13;
goto LABEL_7;
}
// m_PermutateParts == 0: the vector was never allocated
v12 = 0LL;
LABEL_44:
// XOR pass over every output byte, including the marker slot at this point
if ( *outLength )
{
v37 = 0LL;
do
dst[v37++] ^= LOBYTE(v9->m_PermutateParts);
while ( *outLength > v37 );
}
// marker byte, written after the XOR so it is 0x1b on the wire
*dst = 27;
// inlined std::vector destructor
if ( v12 )
operator delete(v12);
}
Содержимое пакета на выходе будет такое
1b 06 04 07 05 0c 15 86 f2 (первые 4 байта после 1b будут в случайном порядке, так же как и остальные 4).
в ответ получим 1d 00
Затем формируются куки
ProcessConnectionCookies:
// Fills in two cookie bytes of the connection reply (decompiler output).
// pData[3] and pData[4] are derived from pData[2] and pData[1] with the two
// constants fixed in the constructor (m_XorKey = 0x57, m_DynamicPass = 98).
// Both inputs and both constants are client-visible, so this is a fixed
// transform any client can reproduce; a server must not treat it as proof
// of an unmodified client.
// pData must be at least 5 bytes long; no length is passed, so the caller
// is responsible for that.
void __fastcall CAuthentication::ProcessConnectionCookies(CAuthentication *this, unsigned __int8 *pData)
{
const unsigned __int8 dynamicByte = LOBYTE(this->m_DynamicPass);
const unsigned __int8 xorKey = this->m_XorKey;
pData[4] = pData[1] ^ dynamicByte;
pData[3] = pData[2] ^ xorKey;
}
После отправки куки получаем хэш в authkey'и
Все ID пакетов и RPC изменены; в БР пакет authkey имеет ID 32.
Такими темпами мы сможем дойти до 228 пакета
скрин с прокси.
Чтобы дальше отвечать на пакеты нужно изменить айди ID_CONNECTION_ATTEMPT_FAILED с 29 на 20
Список всех ID RPC и Пакетов
ScrMoveObject = 423
ScrSetVehicleZAngle = 332
ScrSetMaxArmour = 384
ScrSetPlayerColor = 371
ScrSetCameraPos = 433
ScrCreateObject = 330
SetRaceCheckpoint = 401
ScrUpdateAudioStream = 421
ScrSetCameraLookAt = 419
ScrVehicleParams = 436
ScrAddGangZone = 409
ScrSetPlayerSkin = 375
UpdateScoresPingsIPs = 360
ScrResetPlayerWeapons = 355
ScrDetachTrailerFromVehicle = 312
ScrFlashGangZone = 310
ConnectionRejected = 350
ServerQuit = 321
ScrSetVehicleVelocity = 348
ScrCustomizeVehicle = 385
Weather = 403
ScrPlayRadioStream = 438
ScrResetMoney = 412
ScrSetPlayerHealth = 404
ScrStopObject = 378
ScrSetVehiclePos = 402
ScrSetVehicleHealth = 352
ScrClearPlayerAnimations = 366
SetActorFacingAngle = 342
ScrSetPlayerArmour = 322 ScrSetMaxHealth = 358
ScrDisableMapIcon = 329
ScmEvent = 399
ScrApplyPlayerAnimation = 411
WorldPlayerDeath = 333
SetCheckpoint = 382
ScrClearActorAnimations = 306 ScrRemovePlayerFromVehicle = 335
ScrTogglePlayerSpectating = 304
ScrStopFlashGangZone = 370
EnterVehicle = 308
WorldActorAdd = 389
ScrSetObjectRotation = 324
ScrSetPlayerPosFindZ = 323
ScrInterpolateCamera = 359
SetActorHealth = 316
InitGame = 377
ScrRemoveComponent = 381
ScrCommonStuff = 343
ScrGivePlayerWeapon = 315
ScrAttachTrailerToVehicle = 396 SetTimeEx = 414
ScrSetPlayerAmmo = 415
ScrHaveSomeMoney = 425
ScrSetPlayerWantedLevel = 429
DialogBoxRPC = 361
ScrSetPlayerVelocity = 356
ScrSetMapIcon = 307
WorldVehicleAdd = 346
ScrDestroyObject = 331
ScrLinkVehicle = 327
ClientMessage = 380
ScrSetPlayerFacingAngle = 432
DamageVehicle = 392
DisableCheckpoint = 334
QueueGame = 325
ScrDestroyWayPoint = 376
ScrSetObjectPos = 407
ScrShowTextDraw = 398
WorldTime = 372
ScrPlayAudioStream = 362
ScrSetPlayerArmed = 379
ScrCreateWayPoint = 383
WorldVehicleRemove = 373
ScrApplyActorAnimation = 400
WorldPlayerRemove = 394
ExitVehicle = 435
DisableRaceCheckpoint = 365
Pickup = 406
ScrSelectTextDraw = 340
ChatBubble = 326
ScrSetInterior = 328 ScrHideTextDraw = 357
ScrCreateExplosion = 391
SetActorPos = 424
WorldActorRemove = 302
ScrPlayerSpectatePlayer = 345
ScrEditTextDraw = 393
ScrPutPlayerInVehicle = 397
Create3DTextLabel = 416
ScrSetSpawnInfo = 314
ScrSetCameraBehindPlayer = 422
ScrSetPlayerPos = 301
DestroyPickup = 405
ScrVehicleParamsEx = 338
ScrTogglePlayerControllable = 413
ScrPlayerSpectateVehicle = 390
SetNpcAttachedObject = 303
ServerJoin = 420
ScrRemoveGangZone = 354
WorldPlayerAdd = 369
RequestSpawn = 410
ScrDisplayGameText = 349
ScrSetPlayerName = 388
ScrSetPlayerAttachedObject = 386
Update3DTextLabel = 417
ScrSetEntityOutline = 427
SendChatMessage = 311
ScrSetVehicleZAngle = 332
ScrSetMaxArmour = 384
ScrSetPlayerColor = 371
ScrSetCameraPos = 433
ScrCreateObject = 330
SetRaceCheckpoint = 401
ScrUpdateAudioStream = 421
ScrSetCameraLookAt = 419
ScrVehicleParams = 436
ScrAddGangZone = 409
ScrSetPlayerSkin = 375
UpdateScoresPingsIPs = 360
ScrResetPlayerWeapons = 355
ScrDetachTrailerFromVehicle = 312
ScrFlashGangZone = 310
ConnectionRejected = 350
ServerQuit = 321
ScrSetVehicleVelocity = 348
ScrCustomizeVehicle = 385
Weather = 403
ScrPlayRadioStream = 438
ScrResetMoney = 412
ScrSetPlayerHealth = 404
ScrStopObject = 378
ScrSetVehiclePos = 402
ScrSetVehicleHealth = 352
ScrClearPlayerAnimations = 366
SetActorFacingAngle = 342
ScrSetPlayerArmour = 322 ScrSetMaxHealth = 358
ScrDisableMapIcon = 329
ScmEvent = 399
ScrApplyPlayerAnimation = 411
WorldPlayerDeath = 333
SetCheckpoint = 382
ScrClearActorAnimations = 306 ScrRemovePlayerFromVehicle = 335
ScrTogglePlayerSpectating = 304
ScrStopFlashGangZone = 370
EnterVehicle = 308
WorldActorAdd = 389
ScrSetObjectRotation = 324
ScrSetPlayerPosFindZ = 323
ScrInterpolateCamera = 359
SetActorHealth = 316
InitGame = 377
ScrRemoveComponent = 381
ScrCommonStuff = 343
ScrGivePlayerWeapon = 315
ScrAttachTrailerToVehicle = 396 SetTimeEx = 414
ScrSetPlayerAmmo = 415
ScrHaveSomeMoney = 425
ScrSetPlayerWantedLevel = 429
DialogBoxRPC = 361
ScrSetPlayerVelocity = 356
ScrSetMapIcon = 307
WorldVehicleAdd = 346
ScrDestroyObject = 331
ScrLinkVehicle = 327
ClientMessage = 380
ScrSetPlayerFacingAngle = 432
DamageVehicle = 392
DisableCheckpoint = 334
QueueGame = 325
ScrDestroyWayPoint = 376
ScrSetObjectPos = 407
ScrShowTextDraw = 398
WorldTime = 372
ScrPlayAudioStream = 362
ScrSetPlayerArmed = 379
ScrCreateWayPoint = 383
WorldVehicleRemove = 373
ScrApplyActorAnimation = 400
WorldPlayerRemove = 394
ExitVehicle = 435
DisableRaceCheckpoint = 365
Pickup = 406
ScrSelectTextDraw = 340
ChatBubble = 326
ScrSetInterior = 328 ScrHideTextDraw = 357
ScrCreateExplosion = 391
SetActorPos = 424
WorldActorRemove = 302
ScrPlayerSpectatePlayer = 345
ScrEditTextDraw = 393
ScrPutPlayerInVehicle = 397
Create3DTextLabel = 416
ScrSetSpawnInfo = 314
ScrSetCameraBehindPlayer = 422
ScrSetPlayerPos = 301
DestroyPickup = 405
ScrVehicleParamsEx = 338
ScrTogglePlayerControllable = 413
ScrPlayerSpectateVehicle = 390
SetNpcAttachedObject = 303
ServerJoin = 420
ScrRemoveGangZone = 354
WorldPlayerAdd = 369
RequestSpawn = 410
ScrDisplayGameText = 349
ScrSetPlayerName = 388
ScrSetPlayerAttachedObject = 386
Update3DTextLabel = 417
ScrSetEntityOutline = 427
SendChatMessage = 311
ID_CONNECTION_REQUEST = 16
ID_CONNECTION_REQUEST_ACCEPTED = 35
ID_NEW_INCOMING_CONNECTION = 30
ID_DISCONNECTION_NOTIFICATION = 32
ID_CONNECTION_LOST = 33
ID_PING = 6/ID_PONG = 39
ID_MODIFIED_PACKET = 37
ID_INVALID_PASSWORD = 36
ID_RSA_PUBLIC_KEY_MISMATCH = 36
ID_CONNECTION_REQUEST_ACCEPTED = 35
ID_NEW_INCOMING_CONNECTION = 30
ID_DISCONNECTION_NOTIFICATION = 32
ID_CONNECTION_LOST = 33
ID_PING = 6/ID_PONG = 39
ID_MODIFIED_PACKET = 37
ID_INVALID_PASSWORD = 36
ID_RSA_PUBLIC_KEY_MISMATCH = 36
Ниже приложен обход, команды для Lua-скрипта: /reg — регистрация, /auth — авторизация; активация asi автоматическая. За работоспособность сказать не могу, давно сделан был.