haloproxy

SilentK · **Joined:** 15 Jul 2008 01:38 **Posts:** 12

I wanted to expand upon your haloproxy application, but instead it is a DLL project. So far I have hooked the recvfrom function using simple IAT address replacement:

Code:

#define IAT_RECVFROM 0x00634454
*((DWORD*)IAT_RECVFROM) = (DWORD)&myrecvfrom;

int __stdcall far myrecvfrom(SOCKET s, char *buf, int len, int flags, sockaddr *from, int *fromlen)
{
  int result = recvfrom(s, buf, len, flags, from, fromlen);
  sockaddr_in *peer = (sockaddr_in*)from;
  
  DEBUG("Address: %s:%i", inet_ntoa(peer->sin_addr), peer->sin_port);
  show_dump((unsigned char*)buf, len);
  return result;
}

I am doing this so I don't have mess with all the winsock code, I have not yet learned the API well enough. That and I don't have to manually put in IP addresses. DEBUG() just formats data and prints it to a file. Thank you for show_dump, it's very very nice but I modified it to print to my file.

My goal is to interface between client and server to decrypt and analyze packets for your Halo/gamespy expoits. I know this stuff has been patched in Halo 1.08, but Halo Trial version still has a big community and there is no patches, so why not make a decent one for it. I am great at reversing data structures and functions in assembler, but when it comes to packet exploits, I have no idea what to look for when patching a binary executable. I am good at hooking and analyzing, so this is the route I am taking.

One thing I don't understand is the first 7 bytes of Halo packets and your use of it in haloproxy. You have it defined like this:

Code:

typedef struct {
    u16     sign;
    u8      type;
    u16     gs1;
    u16     gs2;
} gh_t;

What do these struct members represent? What do the different types mean? What's the difference between the signs, 0xFEFE and 0xFEFD? If you can go in detail about this little stuff, it would help a lot!

I captured a bunch of packets in a Halo Trial server, but not all of the packets began with the gh_t struct, meaning there was no FEFE or FEFD at the beginning. Most of them did though, only some didn't. I will get to the decrypting part later today, I just wanted to figure this out first.

aluigi · **Posted:** 05 Oct 2009 21:18

that structure is used for the games built on the gamespy sdk like Halo and some others.
the sign is ever 0xfefe (in this moment I don't remember when 0xfefd is used) while the other type/gs1/gs2 fields are like a seq/ack counter, anyway it's not important because they must have some specific values for each step of the connection:
- 1 0 0
- 3 1 1
- 0 2 3
- 0 3 4
- ...
- 0 100 7
- 0 and so on

anyway I find useless to hook recvfrom, because that's a step necessary in case you don't know when and what packet causes the bad effect while you already knows it and have also the source code.
and then there is ever the fact that halo uses a particular encryption and so it becomes very crazy.

anyway as far as I remember Tavrin said that he released his fix for these bugs, have you already searched and tested it?

P.S.: ok, Tavrin confirmed it: http://forum.xetav.net/index.php?topic=23.0

Luigi Auriemma

haloproxy