理解/逆向工程顶层网络协议的好工具 [英] Good tools to understand / reverse engineer a top layer network protocol

问题描述

手头有一个有趣的问题.我有一个角色扮演 MMOG 通过客户端应用程序(而不是浏览器)运行，该应用程序将我的玩家的动作发送到服务器，该服务器通过发回数据包使所有玩家保持同步.

There is an interesting problem at hand. I have a role-playing MMOG running through a client application (not a browser) which sends the actions of my player to a server which keeps all the players in sync by sending packets back.

现在，游戏使用 TCP/IP 上的顶层协议来发送数据.但是，wireshark 不知道正在使用什么协议，并且将 TCP 标头之外的所有内容都显示为转储.

Now, the game uses a top layer protocol over TCP/IP to send the data. However, wireshark does not know what protocol is being used and shows everything beyond the TCP header as a dump.

此外，此转储没有任何纯文本字符串.虽然游戏有聊天功能，但发送的聊天字符串在此转储中不会以纯文本形式出现在任何地方.

Further, this dump does not have any plain text strings. Although the game has a chat feature, the chat string being sent is not seen in this dump as plain text anywhere.

我的任务是对协议进行一点逆向工程，以找到有关数据包中包含的数据的一些非常基本的内容.

My task is to reverse engineer the protocol a little to find some very basic stuff about the data contained in the packets.

有谁知道为什么聊天字符串不能以纯文本形式显示以及是否可能使用了标准的顶级协议?

Does anybody know why is the chat string not visible as plain text and whether it is likely that a standard top level protocol is being used?

另外，有没有什么工具可以帮助从转储中获取数据?

Also, are there any tools which can help to get the data from the dump?

推荐答案

如果它被加密了，你确实有机会(事实上，如果你处理得当，你有 100% 的机会):密钥必须位于您计算机上的某个位置.只需打开你最喜欢的调试器，观察一点(错误，我希望一百个字节左右)从套接字进入的数据，在该数据上设置一个观察点，并查看访问的事物的堆栈跟踪它.如果你真的很幸运，你甚至可能会看到它被原地解密.如果没有，您可能会通过查看堆栈跟踪(如果幸运的话)或通过使用其中一种 IV/S-box 分析器(避免使用学术分析器，它们中的大多数都不会在没有很多麻烦的情况下工作).许多加密算法使用可以检测到的标准数据"块(这些是 IV/S 盒)，这些是您在没有其他信息的情况下寻找的.无论你找到什么，谷歌它，并尝试覆盖他们的加密库以转储正在加密/解密的数据.从这些转储中，应该比较容易看出发生了什么.

If it's encrypted you do have a chance (in fact, you have a 100% chance if you handle it right): the key must reside somewhere on your computer. Just pop open your favorite debugger, watch for a bit (err, a hundred bytes or so I'd hope) of data to come in from a socket, set a watchpoint on that data, and look at the stack traces of things that access it. If you're really lucky, you might even see it get decrypted in place. If not, you'll probably pick up on the fact that they're using a standard encryption algorithm (they'd be fools not to from a theoretical security standpoint) either by looking at stack traces (if you're lucky) or by using one of the IV / S-box profilers out there (avoid the academic ones, most of them don't work without a lot of trouble). Many encryption algorithms use blocks of "standard data" that can be detected (these are the IVs / S-boxes), these are what you look for in the absence of other information. Whatever you find, google it, and try to override their encryption library to dump the data that's being encrypted/decrypted. From these dumps, it should be relatively easy to see what's going on.

重新创建加密会话可能会很有趣，但这需要您的调试器技巧和大量阅读.这可能令人沮丧，但如果你花时间学习如何去做，你不会后悔:)

REing an encrypted session can be a lot of fun, but it requires skill with your debugger and lots of reading. It can be frustrating but you won't be sorry if you spend the time to learn how to do it :)

这篇关于理解/逆向工程顶层网络协议的好工具的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！