[Help]Problem with bytes

[schim]

Hi everyone
I'm still stuck on the readable part of my winsock application, Apart from being not readable, I'm also unable to print the raw bytes (instead of chars1, ints or huge seemingly random numbers that popup if I print them as a DWORD)

I've so I decided to see if my packets were legit at all, so I fired up wireshark and anilized the packets, just as all references said these packets all start with the most significant bit ( '00' ) my misterious packets all start with '69' (or E, or other blurish shit depending on how you try to print them)
And example of a packet dump from my app:

Code:

E Ü�P@ <gDR^ä’
  — P	»‡üºŠSõšŒP åI²  �TÒ¨yïÅ�C¯ƒ£¼ê‡ÖÙZá$
Y¹ÇŠâìДտ:
Á3%d£$‡YÿØ�î|Ã,LÂÕ**RK×'Ö[}ü¡qÉÊ1t`”߬?"žº´Å™Êipa�>PÊ¢$“|Ö¹Á¨àFq“ƒS9nu‚P¸ÅGzÖxHy(ŠSx7âîa…$Ÿ%Õyt8f�ȪÑ×öêW*3ª;f{Í]Øæ±,ÅüR}>TtXL§¢'p,-¡"¨9ßSÿ¨›n*sö*)šþâ?š£ñp§Ÿ�®aúiœ!$/ìÑMåТ3”õG#j›œ™y ;gfK]œiYa˜ØAEÃYÓTz<j]�6åÓ9
¥–üŸ¤¾ÜŽQ¼GÚ*®�pú¼¹Ìø?Œç‘…Õ¹S?/g´YÛ /BáäàZQÜ}*—‡ ³»ù÷=!sÊ[ìåXœ�cW•ö¾$¼Ä9>¹/fœ3‡Ä_¸V¾þúp
ÈU*RØm[åìpâ&ÀG±¶œåñE^ÄÉ…3ÓØFE”ÿª(ò”Tˆ£U–#Ÿþ?PíD¥ûoôˆ@LÁ=c@B¸äД¢0+ ç*íΦÚ+*)ÞiÝ�62èÆ£›�hÖž+¥�'4d�qtúU(yê3Ë^öIåÉlÚ ÃŸ›Ü¸Ì÷3=\ÙûÛÞ+�» uì¬I»*¡˜}Âñ‡´”£ƒD÷U�&Edc`†LªÉqfd{ÄnY×¼l@É„h=$á,O
I—=÷gc1rÕ×TºgÃÑ?Ç	2A>Æ~ÝyÞ`¤¾SÆçž"� A*‰Š˜*@O½1¶·‚ÈfÅ·Ðj:0>[+X�wäJŠ†Ýd3úåk ]àK7¥hL$¦ùö÷QeÑÐl߇ÞR×9yáÝ#ÀŒakýÒ\ó¦ðaòÇ
ª`úÏèŠÿ “Åù8à ¤L¤ïCܱ¥R²‚õ\Êg-ü½¨0ÉœÐô\UÑ‘|†u´ìhX2|YŒ
Km·pcö£ãàA�ì‰}Iûˆ^	�«7GøÞ¤–ò.I¤® ãâ?XOðƸo@«�3xÅòü^Å8ÕÇ8”�ñÙXñ“šª7Ýj�_mÓË{l¸Ç «˜<ê,íXuyãðAë`}¶Äotbse°£ñS“*á~�}V”#\>mæØn?å!¨½hoNÆ*$·Êh
¾sÈ´PbÓì1¤ccm}ÿ0«F†tçpÑ=‹ÝVˆf-P—²9›þH��BYP`ÕùÕiî�<nºå�—×ËŒ4UA®S�/FÕY1¦+ÝOÀ€©öµb*M¾"ʺР#ÚÓlÚhqó(ëߴˆ9Œaë�–G%kT&°VáU¬º€§ÿ4úü~ò~Q„*“±©v—ô‹[©0
)Åm€»¦WóÃ)>$€
uT†+4Çq¨xÈìªÙ°A•äŠ©…³Ø\™S6‡—#üÄŠ‘˜¨®1”R¤A×z5PiZait�~t®M~Å�fÖ]Vœ–æH¹×Ï(Èl&-° é³s¡s){î€êÏ?ç¥r–8]Í·ƒ–͇wg*I–=DZ©0‡b:xBÍñµw†¨Råä¨@ý¥ý ^t2È!,A—LTvpÃÕÒŸ}{�l“vª‚®Žû+ÕÐðkE…]üc'Õ¸´ªצ^ÐH/EMõ0rôCC¿Ma½I‡ö£’u§Êû/>¤nUXG¡jcÊ‘
Й8e0°ÅëT¶'Pñ~Y	….xoõJãK÷íê^÷,í¾ b§[º*£Á9é¸×úï6—MýÇŸù¨læEùÍzÍÈëªðö,,Ýroi»¿<‘¨¯ÀŒØ~Le/ZÆ(g˜U<Û72Ö«UŽ^.)ùeûï_w&ä¯?,Å`*sKÌì·*I*?ïþ‘‘žÜp8x°olµ±6

I've tried almost everything I could think of but I still cann't print them in pure hex

For example is I do this:

cout<<(int)wbuf.buf[ai]<<" "; it somehow menages to print numbers like:
-104 and -128

The code I use:

Main.h

Code:

#pragma comment "Main.h"

#define MAX_IP_SIZE 65535
#define HI_WORD(byte)    (((byte) >> 4) & 0x0F)
#define LO_WORD(byte)    ((byte) & 0x0F)

#include <iostream>
#include <winsock2.h>
#include <iphlpapi.h>
#include <Mstcpip.h>

#include <string>
#include <fstream>

#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "ws2_32.lib")

int Initialize();

using namespace std;

Capture Trafic.cpp

Code:

#include "Main.h"

DWORD dwBytesRet;
DWORD dwFlags;
WSADATA wsaData;
WSABUF wbuf;
SOCKET s1;

struct sockaddr_in Lip;
char rcvbuf[MAX_IP_SIZE];
char ac[80];
unsigned int optval;
void* buffer;   // I've also changed the bufer type a few times, no effect
string str;

ostream& operator<<(ostream& out, const WSADATA& WsaData) {  //Overloading for WSADATA
	out<< "MaxSockets: "<< WsaData.iMaxSockets << endl;
	out<< "MaxiMaxUdpDg: "<< WsaData.iMaxUdpDg << endl; 
	out<< "Description: "<< WsaData.szDescription << endl;
	out<< "SystemStatus: "<< WsaData.szSystemStatus << endl;
	out<< "Winsock High Version: "<< WsaData.wHighVersion << endl;
	out<< "Version: "<< WsaData.wVersion << endl;
	    return out;  //return exectution
	}

 int Initialize(){
cout<<"\n\n#########DATA TRAFIC ANILIZING COMPONENT#########\n\n";

 if( WSAStartup( MAKEWORD(2, 2), &wsaData ) != NO_ERROR )  //initialize winsock 
    {
        cerr<<"Socket Initialization: wsa startup error\n";
        WSACleanup();
        return -1;
    }
 
 cout<<"WsaStartup succesfully initialized\n\nWSADATA: "<< wsaData <<"\n\n";  //using overloaded operator
 
 // ( s1 = socket( AF_UNSPEC, SOCK_RAW, IPPROTO_ICMP ) ) //initialize raw socket
  
 if (  (s1 = WSASocket(AF_INET, SOCK_RAW,  IPPROTO_IP, NULL, 0, WSA_FLAG_OVERLAPPED) ) == INVALID_SOCKET) { //check for errors
	 cout << "Invailid socket error: "<< WSAGetLastError() << endl;  // call wsagetlasterror if there are any errors
	 WSACleanup();
	 return -2;
 } else {
	 cout<<"Raw socket is succesfully bound: "<< s1 << endl;
 }


 
 if (gethostname(ac, sizeof(ac)) == SOCKET_ERROR) {
	 cout<<"Can not resolve host name: "<< WSAGetLastError() << endl;
	 WSACleanup();
	 return -3;
 } else {
	 cout<<"Host address name is: "<< ac << endl;
 }

    struct hostent *phe = gethostbyname(ac);
    if (phe == 0) {
        cerr << "Hostlookup failed" << endl;
        return -4;
    }
	struct in_addr addr;
	memcpy(&addr, phe->h_addr_list[0], sizeof(struct in_addr));
	cout<<"Host address is: "<< inet_ntoa(addr) << endl;
    
Lip.sin_family = AF_INET;
Lip.sin_addr.s_addr = inet_addr( inet_ntoa( addr ) );
Lip.sin_port = htons( 0 );

cout<<"Addres bound to inet_addr! "<< Lip.sin_addr.s_addr <<endl; 

if (  bind(s1,  (SOCKADDR*) &Lip, sizeof(Lip)) != 0 ){
	cout<<"Cannot bind socket: "<< WSAGetLastError() << endl;
	 WSACleanup();
	 closesocket(s1);
	 return -5;
} else {
	cout<<"Socket succesfully bound: "<< s1 << endl;
}

int i =  WSAIoctl( s1, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL);
if( i != 0) {
 cout << "WSAIoctl error: "<< WSAGetLastError() << endl;  // call wsagetlasterror if there are any errors
	 WSACleanup();
	 closesocket(s1);
	 return -6;
} else{
cout<<"WSAioctl succesfully called"<<endl;
}
    
     wbuf.len = MAX_IP_SIZE;
     wbuf.buf = rcvbuf;
     dwFlags  = 0;

	 while(1){
 int ret = WSARecv(s1, &wbuf,1 , &dwBytesRet, &dwFlags, NULL, NULL);
// recv(s1, buffer, sizeof(buffer), NULL);
  if (ret == SOCKET_ERROR){
	  cout<<"WSARecv ERROR: "<<WSAGetLastError() << endl;
      WSACleanup();
	  closesocket(s1);
	  return -7;
  }else{ 
	  cout<<"\n                 #######Packet Length: "<<wbuf.len<<endl;
	  cout<<"                 #######Packet data#######\n";
	  
	  for(int ai = 0; ai < dwBytesRet; ai++){
	  
		  cout<<(int)wbuf.buf[ai]<<" ";  //I've tried litraly everything here, all data types I know have ended up casting it....
    
        
	  }

	  

  
  
  
  }
	 }
	
 cout<<"\n\n#########DATA TRAFIC ANILIZING COMPONENT#########\n\n#########END#########\n\n";
 return 0;
 
 }

Please anyone, help me out, I've been stuck here for days now and I don't like being stuck

[radnomguywfq3]

You can use sprintf, which will write the byte to an allocated buffer in the desired format. Read here : sprintf - C++ Reference Note, some ascii keys have no character representation, and pasting the dump in ascii form on a thread will likely cause damage to the data as the forum posting system usually filters these obscure characters out.

If your logging some sort of secure application, It is very likely this data goes under some sort of encryption process, and thus I would recommend you open your target in a disassembler and follow the execution back from the send routine. You need to find the source of the data buffer, so a breakpoint on read\write would be worth a go. Ofc it's always safer to do offline analysis, so if you can get your target unpacked then you're good to go.

After you get the decrypted form of the data, you need to perform what is called "data reverse engineering". Which is the process of figuring out what the data fields inside the send dump mean. I.e, the first word may be a signature, the second may be a array of characters describing the player's name. This will likely require tracing the buffer back to it's source and determining where all the fields are set.

Good luck.

[Hell_Demon]

cout<<hex<<(int)wbuf.buf[ai]; ?

[schim]

You can use sprintf, which will write the byte to an allocated buffer in the desired format. Read here : sprintf - C++ Reference Note, some ascii keys have no character representation, and pasting the dump in ascii form on a thread will likely cause damage to the data as the forum posting system usually filters these obscure characters out.

If your logging some sort of secure application, It is very likely this data goes under some sort of encryption process, and thus I would recommend you open your target in a disassembler and follow the execution back from the send routine. You need to find the source of the data buffer, so a breakpoint on read\write would be worth a go. Ofc it's always safer to do offline analysis, so if you can get your target unpacked then you're good to go.

After you get the decrypted form of the data, you need to perform what is called "data reverse engineering". Which is the process of figuring out what the data fields inside the send dump mean. I.e, the first word may be a signature, the second may be a array of characters describing the player's name. This will likely require tracing the buffer back to it's source and determining where all the fields are set.

Good luck.

It's not encypted or anything because I'm logging all packets on my system so maybe this packet is encrypted, but all the packets I'm receiving are like this....

But I'll look into sprintf

cout<<hex<<(int)wbuf.buf[ai]; ?

I've tried this, it works, but I still have a weir mixture of bytes and... er non bytes

Code:

40 0 5 ffffffffdc 77 fffffffc 40 0 3c 6 7f ffffff9a 52 5e ffffffe4 ffffff90 a 0 0

As you can see, bytes and hex are kide mushed together

But well I ques this is step forward...