Published on

HackShield 5.6.8.240 通信演算法

只是一些記錄而已 沒有實做細節

5.6.13 之後 AhnLab 又擴充了其通信內容,尚未分析

每個 Packet 包含 3 個 key

key1 for seq1
key2 for NKCS response
key3 for decrypt shellcode / crc( generate from shellcode ) in NKCS

GUID :  Grab from game client
HASH: Generate from ehsvc.dll / E_MD5
CRC: Generate from 3n.mhe + 0xA2 / E_MD5

Request type 0x5101:
initialize packet
length = 0x138
encrypted shellcode / encrypted offset

Response:
type = 2
length = 0x180
GUID
hshield.dat Header
3n.mhe Header
HASH

Request type 0x5103:
crc check packet
length = 0x48
imagebase / section count / offset,range?

Response:
type = 4
length = 0x34
HASH

Request type 0x5105:
Get HASH
length = 0x38

Response:
type = 6
length = 0x34
HASH

Request type 0x5805:
Get CRC
length = 0x38

Response:
type = 6
length = 0x34
CRC