View Full Version : New Extract-Recvpackets method for Black Party


leonaheidern
4th May 2005, 20:43
Usual method applies

Get Perl installed, then extract the files from the text, get disasm and create a batch file (extract-packets.bat) using Notepad:



rem Disassemble the client, then hand the listing to the Perl extractor
disasm Ragexe.exe > disassembled.txt
if not exist disassembled.txt (
    echo Cannot find disassembled.txt
    exit /b 1
)
perl extract-packets.pl disassembled.txt recvpackets.txt



For those people who have an old extract-packets.pl, or haven't done this before, create a new file called extract-packets.pl in Notepad and replace the code inside with:




#!/usr/bin/env perl
# extract-packets.pl by VCL
# Modified a little bit by SnT2k and Rasqual
# Modified to use with W32DSM by Karasu (code commented out; they conflict with the original code)

use strict;
use warnings;

# How many lines before the 0x0187 packet switch to search for the function prologue
my $LINES_BACK_SEARCH_COUNT = 100;

if (@ARGV < 2) {
    print STDERR "No input file given. Usage: extract-packets.pl <ASM> <OUTPUT> [ADDRESS]\n" .
        "  ASM: the disassembled output of ragexe.exe, as generated by disasm.\n" .
        "  OUTPUT: the filename of the output file to write to.\n" .
        "  ADDRESS: the address of the packet size function. If not given, this program\n" .
        "  will attempt to auto-detect it.\n";
    exit(1);
}

open(my $F, '<', $ARGV[0]) or do {
    print STDERR "Unable to open $ARGV[0]\n";
    exit(1);
};

my $addr;

if (!$ARGV[2]) {
    # Look for the address of the function that determines packet sizes.
    my ($found, $lastLine) = (undef, '');
    while (my $line = <$F>) {
        if ($line =~ /mov ecx, dword( ptr )?\[ebp-0C\]/ && $lastLine =~ /E8ED0[0-9]0000/) {
            ($found) = $lastLine =~ /^:([A-Z0-9]{8})/;
            ($addr)  = $lastLine =~ /call ([A-Z0-9]+)/;
            last;
        }
        $lastLine = $line;
    }

    if (!defined($addr)) {
        print STDERR "Address of packet size function not found, trying alternate method.\n";
        # Locate the 'mov dword[ebp-08], 00000187' packet switch ...
        my $matched_187  = 0;
        my $line_counter = 0;
        seek($F, 0, 0);
        while (<$F>) {
            $line_counter++;
            if (/mov dword( ptr )?\[ebp-08\], 00000187/) {
                ($found) = /^:([A-Z0-9]{8})/;
                $matched_187 = 1;
                last;
            }
        }
        if ($matched_187) {
            # ... then take the last 'push ebp' (function prologue) within
            # LINES_BACK_SEARCH_COUNT lines before it as the function start.
            $line_counter -= $LINES_BACK_SEARCH_COUNT;
            seek($F, 0, 0);
            while (<$F>) {
                $line_counter--;
                if ($line_counter <= 0 && /push ebp/) {
                    ($addr) = /^:([A-Z0-9]{8})/;
                }
                last if $line_counter == -$LINES_BACK_SEARCH_COUNT;
            }
        }
        if (!defined($addr)) {
            print STDERR "Address of packet size function not found using alternate method.\n";
            close($F);
            exit(1);
        }
    }

    print STDERR "Packet size function: $addr (found at "
        . (defined $found ? $found : '?') . ")\n";
} else {
    $addr = $ARGV[2];
}
print STDERR "Extracting function at $addr...\n";

# Go to that address and get the content of the entire function
# (disasm separates functions with an empty line)
my @function;
seek($F, 0, 0);
while (my $line = <$F>) {
    my $stop = 0;
    if ($line =~ /^:$addr /) {
        while ($line = <$F>) {
            $line =~ s/[\r\n]//sg;
            #if ($line =~ /nop/) {
            if ($line eq '') {
                $stop = 1;
                last;
            }
            push(@function, $line);
        }
    }
    last if ($stop);
}
close($F);

if (@function == 0) {
    print STDERR "Unable to extract packet size function.\n";
    exit(1);
}

# Extract packets
my (%packets, $switch);
my $ebx = 0;
print STDERR "Extracting packets...\n";

for my $line (@function) {
    # We're only interested in 'mov dword' commands
    if ($line =~ /mov dword(?: ptr)?\[(.*?)\], (.*?)$/) {
        my $dest  = $1;
        my $value = $2;

        if ($dest =~ /ebp/ && $value =~ /^0000/) {
            # Packet switch; client is pushing a value on the stack
            $switch = substr($value, -4);
        } elsif ($dest =~ /eax/ && defined $switch) {
            # Packet length being stored for the current switch value
            my $len;
            if ($value eq 'ebx') {
                $len = $ebx;
            } elsif ($value =~ /^0000/) {
                $len = hex($value);
            } else {
                $len = 0;    # length not an immediate; recorded as 0
            }
            $packets{$switch} = $len;
        }
    } elsif ($line =~ /mov ebx, ([0-9A-F]+)$/) {
        # hex immediate (the old \d+ pattern missed values containing A-F)
        $ebx = hex($1);
    }
}

open(my $OUT, '>', $ARGV[1]) or do {
    print STDERR "Unable to write $ARGV[1]\n";
    exit(1);
};
foreach my $key (sort keys %packets) {
    print $OUT "$key $packets{$key}\n";
}
close($OUT);
print STDERR "Done.\n";



Run extract-packets.bat and look for the recvpackets.txt file, and you're done.
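As an added example, not part of the original post or of the Perl script above, here is the same extraction logic in Python so the parsing steps can be followed on a small input: auto-detecting the function start with the script's fallback (find the `00000187` packet switch, then the nearest `push ebp` before it), cutting the function out at the blank line that separates functions in the listing, and turning the `mov dword[ebp-08], ...` / `mov dword[eax], ...` pairs into a packet id to length table. The `SAMPLE_DISASM` lines are constructed for illustration (addresses, opcode bytes and packet ids are made up); the only assumption about the real listing is the `:ADDRESS bytes mnemonic` column layout that the script's regexes already rely on.

```python
import re
from typing import Dict, List, Optional

# Constructed disassembly excerpt in the ':ADDRESS opcode-bytes mnemonic' layout
# the thread's disasm output uses. Addresses, bytes and packet ids are made up.
SAMPLE_DISASM = """\
:00401000 55                      push ebp
:00401001 8BEC                    mov ebp, esp
:00401003 C745F887010000          mov dword[ebp-08], 00000187
:0040100A C7001A000000            mov dword[eax], 0000001A
:00401010 C745F878000000          mov dword[ebp-08], 00000078
:00401017 BB37000000              mov ebx, 00000037
:0040101C 8918                    mov dword[eax], ebx
:0040101E C745F8F4000000          mov dword[ebp-08], 000000F4
:00401025 C70000000000            mov dword[eax], 00000000
:0040102B C745F807010000          mov dword[ebp-08], 00000107
:00401032 8B0D10204000            mov ecx, dword[00402010]
:00401038 8908                    mov dword[eax], ecx
:0040103A 5D                      pop ebp
:0040103B C3                      ret

:00401040 55                      push ebp
"""

ADDR_RE = re.compile(r'^:([0-9A-F]{8})\s')
MOV_DWORD_RE = re.compile(r'mov dword(?: ptr)?\[(.*?)\], (.*?)$')
MOV_EBX_RE = re.compile(r'mov ebx, ([0-9A-F]+)$')
MARKER_RE = re.compile(r'mov dword(?: ptr)?\[ebp-08\], 00000187')
LINES_BACK = 100  # same back-search window as the Perl script


def find_function_address(lines: List[str], lines_back: int = LINES_BACK) -> Optional[str]:
    """Fallback detection from the script: find the 0x0187 packet switch, then
    take the closest 'push ebp' within lines_back lines before it."""
    for idx, line in enumerate(lines):
        if MARKER_RE.search(line):
            start = max(0, idx - lines_back)
            for prev in reversed(lines[start:idx]):
                if 'push ebp' in prev:
                    m = ADDR_RE.match(prev)
                    return m.group(1) if m else None
            return None
    return None


def extract_function(lines: List[str], addr: str) -> List[str]:
    """Return the instruction lines from addr up to the blank line that
    the disassembler leaves between functions."""
    body: List[str] = []
    it = iter(lines)
    for line in it:
        if line.startswith(':' + addr + ' '):
            body.append(line.rstrip('\r\n'))
            for line in it:
                line = line.rstrip('\r\n')
                if line == '':
                    break
                body.append(line)
            break
    return body


def extract_packets(function: List[str]) -> Dict[str, int]:
    """Map packet id (low 16 bits of the switch value) to the length stored
    for it; a length that is not an immediate or ebx is recorded as 0."""
    packets: Dict[str, int] = {}
    switch: Optional[str] = None
    ebx = 0
    for line in function:
        m = MOV_DWORD_RE.search(line)
        if m:
            dest, value = m.group(1), m.group(2)
            if 'ebp' in dest and value.startswith('0000'):
                switch = value[-4:]          # packet switch value
            elif 'eax' in dest and switch is not None:
                if value == 'ebx':
                    length = ebx
                elif value.startswith('0000'):
                    length = int(value, 16)
                else:
                    length = 0
                packets[switch] = length
        else:
            m = MOV_EBX_RE.search(line)
            if m:
                ebx = int(m.group(1), 16)   # hex immediate, reused by a later store
    return packets


def run(disasm_text: str) -> Dict[str, int]:
    """Whole pipeline over a disassembly listing held in memory."""
    lines = disasm_text.splitlines()
    addr = find_function_address(lines)
    if addr is None:
        raise ValueError('packet size function not found')
    return extract_packets(extract_function(lines, addr))


if __name__ == '__main__':
    # Prints the recvpackets.txt-style 'ID length' lines for the constructed input
    for packet_id, length in sorted(run(SAMPLE_DISASM).items()):
        print(packet_id, length)
```

On the constructed listing this yields `0078 55`, `00F4 0`, `0107 0` and `0187 26`: the `0078` entry shows the length arriving through `ebx`, and `0107` shows the case the script cannot resolve (length loaded from memory into `ecx`), which it records as 0 just as the Perl version does.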

don
4th May 2005, 20:56
what's with the emoticons?

leonaheidern
5th May 2005, 04:18
the board just shows them to be emoticons

they are supposed to be :<nospacehere>(

drey
5th May 2005, 05:16
the board just shows them to be emoticons

they are supposed to be :<nospacehere>(


There's a tickbox below that says "Disable smilies in text"; uncheck that and no smilies will get in your code.

Peace!