HackShield 5.6.8.240 通信演算法

只是一些記錄而已 沒有實做細節

5.6.13 之後 AhnLab 又擴充了其通信內容,尚未分析

每個 Packet 包含 3 個 key
key1 for seq1
key2 for NKCS response
key3 for decrypt shellcode / crc( generate from shellcode ) in NKCS


GUID : Grab from game client
HASH: Generate from ehsvc.dll / E_MD5
CRC: Generate from 3n.mhe + 0xA2 / E_MD5


Request type 0x5101:
initialize packet
length = 0x138
encrypted shellcode / encrypted offset

Response:
type = 2
length = 0x180
GUID
hshield.dat Header
3n.mhe Header
HASH


Request type 0x5103:
crc check packet
length = 0x48
imagebase / section count / offset,range?

Response:
type = 4
length = 0x34
HASH


Request type 0x5105:
Get HASH
length = 0x38

Response:
type = 6
length = 0x34
HASH


Request type 0x5805:
Get CRC
length = 0x38

Response:
type = 6
length = 0x34
CRC