[Game analysis] "Path of Exile" plaintext protocol and encryption analysis

"Path of Exile" is a very popular PC online game at the moment, and it applies some processing to its packet-sending function and to protocol encryption. Let's analyze this briefly.

After handling the game thread and loading OllyDbg (OD), we found that breakpoints placed on the WSASend, send and sendto functions did not trigger, which indicates that the game has rewritten its packet-sending function. So we break instead at the head of the inner WSPSend, and that breakpoint does trigger. Running from there to the return, we arrive at a function whose code closely resembles that of send (as shown in the figure).
(figure not reproduced)
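The observation above (breakpoints on the public Winsock exports stay silent while one on the provider's WSPSend fires) is exactly the kind of thing an anti-tamper component can check from the other side: a software breakpoint or an inline detour changes the first bytes of the entry point it sits on. The following C is an added example, not code from the game or from this post. It compares the leading bytes of each watched entry against a reference copy saved earlier, using constructed byte sequences in place of live memory reads; on Windows the ws2_32 exports would be resolved with GetProcAddress and WSPSend would be taken from the provider's dispatch table. The function names, the sample bytes and the watched-entry table are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the first bytes of a watched entry point look like. */
enum prologue_state {
    PROLOGUE_CLEAN = 0,     /* identical to the reference copy */
    PROLOGUE_INT3 = 1,      /* 0xCC: a software breakpoint sits on the entry */
    PROLOGUE_JMP_REL32 = 2, /* E9 rel32: inline detour to another address */
    PROLOGUE_JMP_IND = 3,   /* FF 25 disp32: indirect jump through a pointer */
    PROLOGUE_MISMATCH = 4   /* differs from the reference in some other way */
};

/* Compare n live bytes at a function entry with a reference copy saved when
 * the module was first mapped. Returns PROLOGUE_CLEAN on an exact match,
 * otherwise the most likely kind of tampering. */
enum prologue_state check_prologue(const uint8_t *live, const uint8_t *expected, size_t n)
{
    if (n == 0 || memcmp(live, expected, n) == 0)
        return PROLOGUE_CLEAN;
    if (live[0] == 0xCC)
        return PROLOGUE_INT3;
    if (live[0] == 0xE9 && n >= 5)
        return PROLOGUE_JMP_REL32;
    if (live[0] == 0xFF && n >= 6 && live[1] == 0x25)
        return PROLOGUE_JMP_IND;
    return PROLOGUE_MISMATCH;
}

#define PROLOGUE_LEN 8

/* Constructed sample bytes (not read from Windows or from the game): a common
 * 32-bit hot-patchable prologue "mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10"
 * as the reference, plus variants showing each form of tampering. */
static const uint8_t ref_prologue[PROLOGUE_LEN]    = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
static const uint8_t int3_prologue[PROLOGUE_LEN]   = { 0xCC, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
static const uint8_t detour_prologue[PROLOGUE_LEN] = { 0xE9, 0x10, 0x20, 0x30, 0x40, 0x83, 0xEC, 0x10 };
static const uint8_t indjmp_prologue[PROLOGUE_LEN] = { 0xFF, 0x25, 0x00, 0x10, 0x40, 0x00, 0xEC, 0x10 };
static const uint8_t nopped_prologue[PROLOGUE_LEN] = { 0x90, 0x90, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

/* One watched entry point. In a real check "live" would be read from the
 * mapped module (ws2_32 exports via GetProcAddress, WSPSend from the provider's
 * procedure table) and "expected" would be the copy saved at startup. */
struct watched_entry {
    const char *name;
    const uint8_t *live;
    const uint8_t *expected;
};

/* The entry points the analysis above sets breakpoints on; the live bytes are
 * constructed here so the table can be checked offline. */
static const struct watched_entry watched[] = {
    { "WSASend", int3_prologue,   ref_prologue },
    { "send",    ref_prologue,    ref_prologue },
    { "sendto",  detour_prologue, ref_prologue },
    { "WSPSend", indjmp_prologue, ref_prologue },
};

#define WATCHED_COUNT (sizeof watched / sizeof watched[0])

/* Returns how many watched entries are not in their reference state. */
size_t count_tampered(void)
{
    size_t tampered = 0;
    for (size_t i = 0; i < WATCHED_COUNT; i++) {
        if (check_prologue(watched[i].live, watched[i].expected, PROLOGUE_LEN) != PROLOGUE_CLEAN)
            tampered++;
    }
    return tampered;
}

int main(void)
{
    static const char *labels[] = {
        "clean", "int3 breakpoint", "jmp rel32 detour", "jmp [mem] detour", "mismatch"
    };
    for (size_t i = 0; i < WATCHED_COUNT; i++) {
        enum prologue_state s = check_prologue(watched[i].live, watched[i].expected, PROLOGUE_LEN);
        printf("%-8s %s\n", watched[i].name, labels[s]);
    }
    printf("%zu of %zu watched entries tampered\n", count_tampered(), WATCHED_COUNT);
    return 0;
}
```

A check like this only sees modifications to code bytes: software breakpoints, inline detours and patched prologues. Hardware breakpoints leave the bytes untouched, and a debugger that restores the original byte before the scan runs will also pass, so it is one signal to be combined with others rather than a complete answer.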
I found that sending is not done from a separate thread here, so it is easy to return to the outer calling function. Take the chat ("shout") function as an example (as shown in the figure).
(figure not reproduced)
The function in the figure calls the sending function internally, but after analyzing its parameters and registers we found no plaintext related to the chat message. Perhaps the plaintext is hidden at some offset; the chat plaintext that does appear on the stack is not easy to locate (as shown in the figure).
(figure not reproduced)
Overwriting that copy does not change the chat content actually sent. So we analyzed where the parameters of the sending function come from internally, to see where the plaintext finally appears (as shown in the figure).

(figure not reproduced)
From the comments in the figure it can be seen that the plaintext protocol is encrypted at the `call dword ptr [edx+4]`. Tracing the source of the plaintext, we found that the plaintext stored at the outer ecx+130 was not passed as a parameter via push. Analyzing the inside of the encryption function gives the source of the encryption key (as shown in the figure).
(figure not reproduced)
Once the source of the key is known, the plaintext protocol can be encrypted by calling that function, and most of the game's functions can then be driven through the sending function.

Source: blog.csdn.net/douluo998/article/details/130614507