只是一些記錄而已 沒有實做細節
5.6.13 之後 AhnLab 又擴充了其通信內容,尚未分析
每個 Packet 包含 3 個 key
key1 for seq1
key2 for NKCS response
key3 for decrypt shellcode / crc( generate from shellcode ) in NKCS
GUID : Grab from game client
HASH: Generate from ehsvc.dll / E_MD5
CRC: Generate from 3n.mhe + 0xA2 / E_MD5
Request type 0x5101:
initialize packet
length = 0x138
encrypted shellcode / encrypted offset
Response:
type = 2
length = 0x180
GUID
hshield.dat Header
3n.mhe Header
HASH
Request type 0x5103:
crc check packet
length = 0x48
imagebase / section count / offset,range?
Response:
type = 4
length = 0x34
HASH
Request type 0x5105:
Get HASH
length = 0x38
Response:
type = 6
length = 0x34
HASH
Request type 0x5805:
Get CRC
length = 0x38
Response:
type = 6
length = 0x34
CRC