diff --git a/docs/md/development/dump_data.md b/docs/md/development/dump_data.md index 750d952..7aeed7d 100644 --- a/docs/md/development/dump_data.md +++ b/docs/md/development/dump_data.md @@ -12,15 +12,14 @@ For dumping asset data, see 4. ## Theory The game uses HTTP-secured (TLS 1.2) protocol to obtain data (mostly not related to a match) from the server. -While the game's security is lacking, it does block conventional tools to obtain this data. +While the game's security is lacking, it does block conventional tools for packet capturing. Of course, we cannot just simply run with altered assembly either, because the launcher does an integrity check. The game however does not check for integrity. -We write a specialized assembly to bypass the security mechanisms in place to dump our data. -The way we do this is by injecting custom logic into the assembly. +We patch the assembly to bypass the security mechanisms in place to dump our data. To be specific, we make the checks of battleye and certificate checking always return successfully. -We also add logic for saving received data from the server so we won't require addional tools for packet capturing. -We use the "swap exploit" by quickly replacing the assembly when the game starts. +We also add logic for saving received data from the server to save data obtained. +We use the "swap exploit" by quickly replacing the assembly when the game starts to load our custom assembly. ## Legenda 
@@ -43,8 +42,8 @@ We use the "swap exploit" by quickly replacing the assembly when the game starts 2. Copy-paste `Assembly-CSharp.dll` to your de4dot folder 3. Drag `Assembly-CSharp.dll` on top of `de4ot-x64.exe` 4. Open `Assembly-CSharp-cleaned.dll` from the de4dot folder in dnSpy -5. Find the deobfuscation method (see appendix 1.1) -6. Run the specialized cleaning command using the token from the deobfuscation method (see appendix 1.2) +5. Find the deobfuscation method (appendix 1.1) +6. Run the specialized cleaning command using the token from the deobfuscation method (appendix 1.2) 7. Cut-paste `Assembly-CSharp-cleaned-cleaned.dll` into `%gamedir%/EscapeFromTarkov_Data/Managed/` 8. Open `Assembly-CSharp-cleaned-cleaned.dll` from Managed in dnSpy 9. dnSpy > File > Save Module @@ -55,9 +54,9 @@ We use the "swap exploit" by quickly replacing the assembly when the game starts 2. Copy-paste `Assembly-CSharp.dll` to `%gamedir%/EscapeFromTarkov_Data/Managed/backup/` 3. Rename `Assembly-CSharp.dll` in backup to `Assembly-CSharp.dll.bak` 4. Open `Assembly-CSharp-cleaned-cleaned.dll` from Managed in dnSpy -5. Apply dumper patch (see appendix 1.3) -6. Apply ssl patch (see appendix 1.4) -7. Apply battleye patch (see appendix 1.5) +5. Apply dumper patch (appendix 1.3) +6. Apply ssl patch (appendix 1.4) +7. Apply battleye patch (appendix 1.5) 8. dnSpy > File > Save Module 9. Cut-paste `Assembly-CSharp-cleaned-cleaned.dll` to `%gamedir%/EscapeFromTarkov_Data/Managed/backup/` 10. Rename `Assembly-CSharp-cleaned-cleaned.dll` in backup to `Assembly-CSharp.dll` 
@@ -70,7 +69,7 @@ We use the "swap exploit" by quickly replacing the assembly when the game starts 4. Start the game 5. As soon as the launcher closes, override the file 6. When you reached the main menu, the folder `%gamedir%/HTTP_DATA/` will appear -7. Dump the data you need (see appendix) +7. Dump the data you need (appendix 2) 8. When the game closed, replace `Assembly-CSharp.dll` with `Assembly-CSharp.dll.bak` ## 4. Dumping asset data @@ -94,11 +93,11 @@ The data does contain sensitive information such as you account id, so be carefu `aki-analyzer` strips out the sensitive information when it converts the data to the right format. And no, the data dumped from the game server cannot be uploaded back to the game server. -## Appendix 1: code +## Appendix 1: Code All code is based on Escape From Tarkov 0.12.8.9819 -### 1. Deobfuscation method in assembly +### 1.1. Deobfuscation method in assembly ```csharp // Token: 0x0600C93A RID: 51514 RVA: 0x0012038D File Offset: 0x0011E58D @@ -108,13 +107,13 @@ Class2019.smethod_0() } ``` -### 2. Specialized deobfuscation command +### 1.2. Specialized deobfuscation command ```powershell de4dot-x64.exe --un-name "!^<>[a-z0-9]$&!^<>[a-z0-9]__.$&![A-Z][A-Z]\$<>.$&^[a-zA-Z_<{$][a-zA-Z_0-9<>{}$.`-]*$" "Assembly-CSharp-cleaned.dll" --strtyp delegate --strtok 0x0600C93A ``` -### 3. Dumper patch +### 1.3. Dumper patch ```csharp Class157.method_10() @@ -129,7 +128,7 @@ Class157.method_10() } ``` -### 4. Ssl cert patch +### 1.4. Ssl cert patch ```csharp Class505.ValidateCertificate() @@ -139,7 +138,7 @@ Class505.ValidateCertificate() } ``` -### 5. Battleye patch +### 1.5. Battleye patch ```csharp Class784.RunValidation()
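Review bot: The rewritten "Theory" sentence `+We also add logic for saving received data from the server to save data obtained.` is circular and drops the one useful fact the old line carried (that the in-process dump is what removes the need for separate packet-capture tooling); suggest something like "We also add logic that writes every server response to disk, so no separate packet capture is needed." While in this hunk, two more points: `+While the game's security is lacking, it does block conventional tools for packet capturing.` overstates it, since TLS does not block capture, it only makes the captured payload unreadable, so "prevents conventional packet-capture tools from reading the data" would be accurate; and because the patch makes "certificate checking always return successfully", the section should state explicitly that the patched assembly trusts any server certificate, so the client is open to interception by anyone on the path for as long as the swapped assembly is in place and the `.bak` should be restored immediately afterwards (step 8 of section 3 already does this, but the reason belongs in Theory).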
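Review bot: In the deobfuscation step list, the unchanged context line `3. Drag \`Assembly-CSharp.dll\` on top of \`de4ot-x64.exe\`` has a typo in the executable name; the command in appendix 1.2 in this same patch invokes `de4dot-x64.exe`, so the step should use the same spelling or readers will look for a file that does not exist. Since the hunk already edits the adjacent lines 5 and 6 for wording, fixing this here is cheap.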
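Review bot: `+7. Dump the data you need (appendix 2)` now points at a section the patch does not show; the only appendix heading touched by this diff is `+## Appendix 1: Code`, so please confirm a heading for appendix 2 actually exists in the file (and, if the appendices are being renumbered, that it gets the same `## Appendix 2: ...` form). The adjacent context line `8. When the game closed, replace ...` also reads awkwardly; "When the game has closed" or "After closing the game" would match the other steps.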
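Review bot: The renumbered appendix headings (`+### 1.3. Dumper patch`, `+### 1.4. Ssl cert patch`, `+### 1.5. Battleye patch`) now line up with the `(appendix 1.3)`..`(appendix 1.5)` references in the step list, which is good; but since this patch is already retitling them, it would be worth naming 1.4 consistently with the Theory section, which says the game uses TLS 1.2, i.e. "TLS certificate patch" rather than "Ssl cert patch", and writing "BattlEye" the way the vendor does in 1.5 and in the step list so a reader grepping the assembly for the name finds it.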