Improve dump guide readability

This commit is contained in:
SPT-dev 2023-03-02 21:09:54 -05:00
parent b936b5da5b
commit e7112f6ff0


@ -12,15 +12,14 @@ For dumping asset data, see 4.
## Theory ## Theory
The game uses HTTP-secured (TLS 1.2) protocol to obtain data (mostly not related to a match) from the server. The game uses HTTP-secured (TLS 1.2) protocol to obtain data (mostly not related to a match) from the server.
While the game's security is lacking, it does block conventional tools to obtain this data. While the game's security is lacking, it does block conventional tools for packet capturing.
Of course, we cannot just simply run with altered assembly either, because the launcher does an integrity check. Of course, we cannot just simply run with altered assembly either, because the launcher does an integrity check.
The game however does not check for integrity. The game however does not check for integrity.
We write a specialized assembly to bypass the security mechanisms in place to dump our data. We patch the assembly to bypass the security mechanisms in place to dump our data.
The way we do this is by injecting custom logic into the assembly.
To be specific, we make the checks of battleye and certificate checking always return successfully. To be specific, we make the checks of battleye and certificate checking always return successfully.
We also add logic for saving received data from the server so we won't require addional tools for packet capturing. We also add logic for saving received data from the server to save data obtained.
We use the "swap exploit" by quickly replacing the assembly when the game starts. We use the "swap exploit" by quickly replacing the assembly when the game starts to load our custom assembly.
## Legenda ## Legenda
@ -43,8 +42,8 @@ We use the "swap exploit" by quickly replacing the assembly when the game starts
2. Copy-paste `Assembly-CSharp.dll` to your de4dot folder 2. Copy-paste `Assembly-CSharp.dll` to your de4dot folder
3. Drag `Assembly-CSharp.dll` on top of `de4ot-x64.exe` 3. Drag `Assembly-CSharp.dll` on top of `de4ot-x64.exe`
4. Open `Assembly-CSharp-cleaned.dll` from the de4dot folder in dnSpy 4. Open `Assembly-CSharp-cleaned.dll` from the de4dot folder in dnSpy
5. Find the deobfuscation method (see appendix 1.1) 5. Find the deobfuscation method (appendix 1.1)
6. Run the specialized cleaning command using the token from the deobfuscation method (see appendix 1.2) 6. Run the specialized cleaning command using the token from the deobfuscation method (appendix 1.2)
7. Cut-paste `Assembly-CSharp-cleaned-cleaned.dll` into `%gamedir%/EscapeFromTarkov_Data/Managed/` 7. Cut-paste `Assembly-CSharp-cleaned-cleaned.dll` into `%gamedir%/EscapeFromTarkov_Data/Managed/`
8. Open `Assembly-CSharp-cleaned-cleaned.dll` from Managed in dnSpy 8. Open `Assembly-CSharp-cleaned-cleaned.dll` from Managed in dnSpy
9. dnSpy > File > Save Module 9. dnSpy > File > Save Module
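Review bot: step 3 still refers to `de4ot-x64.exe`, which does not match the tool name used in step 2 ("de4dot folder") or the command in appendix 1.2 (`de4dot-x64.exe`); fix the typo so a reader is not sent looking for a file that does not exist. Step 9 ("dnSpy > File > Save Module") would also benefit from saying where the saved module is written, since the next section assumes the cleaned file is sitting in Managed.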
@ -55,9 +54,9 @@ We use the "swap exploit" by quickly replacing the assembly when the game starts
2. Copy-paste `Assembly-CSharp.dll` to `%gamedir%/EscapeFromTarkov_Data/Managed/backup/` 2. Copy-paste `Assembly-CSharp.dll` to `%gamedir%/EscapeFromTarkov_Data/Managed/backup/`
3. Rename `Assembly-CSharp.dll` in backup to `Assembly-CSharp.dll.bak` 3. Rename `Assembly-CSharp.dll` in backup to `Assembly-CSharp.dll.bak`
4. Open `Assembly-CSharp-cleaned-cleaned.dll` from Managed in dnSpy 4. Open `Assembly-CSharp-cleaned-cleaned.dll` from Managed in dnSpy
5. Apply dumper patch (see appendix 1.3) 5. Apply dumper patch (appendix 1.3)
6. Apply ssl patch (see appendix 1.4) 6. Apply ssl patch (appendix 1.4)
7. Apply battleye patch (see appendix 1.5) 7. Apply battleye patch (appendix 1.5)
8. dnSpy > File > Save Module 8. dnSpy > File > Save Module
9. Cut-paste `Assembly-CSharp-cleaned-cleaned.dll` to `%gamedir%/EscapeFromTarkov_Data/Managed/backup/` 9. Cut-paste `Assembly-CSharp-cleaned-cleaned.dll` to `%gamedir%/EscapeFromTarkov_Data/Managed/backup/`
10. Rename `Assembly-CSharp-cleaned-cleaned.dll` in backup to `Assembly-CSharp.dll` 10. Rename `Assembly-CSharp-cleaned-cleaned.dll` in backup to `Assembly-CSharp.dll`
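Review bot: after steps 9 and 10 the `backup/` folder holds both the untouched original (`Assembly-CSharp.dll.bak`) and the patched build renamed to `Assembly-CSharp.dll`, so the folder name no longer describes its contents and the two files are easy to confuse when restoring. Suggest stating in step 10 that the `.bak` file is the pristine copy, and recommending that the reader record a hash of the original before step 3 so the restore in section 3 can be verified rather than assumed.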
@ -70,7 +69,7 @@ We use the "swap exploit" by quickly replacing the assembly when the game starts
4. Start the game 4. Start the game
5. As soon as the launcher closes, override the file 5. As soon as the launcher closes, override the file
6. When you reached the main menu, the folder `%gamedir%/HTTP_DATA/` will appear 6. When you reached the main menu, the folder `%gamedir%/HTTP_DATA/` will appear
7. Dump the data you need (see appendix) 7. Dump the data you need (appendix 2)
8. When the game closed, replace `Assembly-CSharp.dll` with `Assembly-CSharp.dll.bak` 8. When the game closed, replace `Assembly-CSharp.dll` with `Assembly-CSharp.dll.bak`
## 4. Dumping asset data ## 4. Dumping asset data
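Review bot: three grammar fixes remain in this hunk: step 5 "override the file" should be "overwrite the file", step 6 "When you reached the main menu" should be "When you reach the main menu", and step 8 "When the game closed" should be "When the game has closed". Step 8 also restores only the assembly; since the next hunk's context notes that the dumped data contains the account id, step 8 (or appendix 2) should tell the reader to move or delete `%gamedir%/HTTP_DATA/` once they have copied what they need, so the sensitive dump does not stay in the game directory.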
@ -94,11 +93,11 @@ The data does contain sensitive information such as you account id, so be carefu
`aki-analyzer` strips out the sensitive information when it converts the data to the right format. `aki-analyzer` strips out the sensitive information when it converts the data to the right format.
And no, the data dumped from the game server cannot be uploaded back to the game server. And no, the data dumped from the game server cannot be uploaded back to the game server.
## Appendix 1: code ## Appendix 1: Code
All code is based on Escape From Tarkov 0.12.8.9819 All code is based on Escape From Tarkov 0.12.8.9819
### 1. Deobfuscation method in assembly ### 1.1. Deobfuscation method in assembly
```csharp ```csharp
// Token: 0x0600C93A RID: 51514 RVA: 0x0012038D File Offset: 0x0011E58D // Token: 0x0600C93A RID: 51514 RVA: 0x0012038D File Offset: 0x0011E58D
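Review bot: the context line at the top of this hunk has "such as you account id" for "such as your account id"; worth fixing while the paragraph is being touched. The sentence "And no, the data dumped from the game server cannot be uploaded back to the game server" answers a question the guide never asks; a plain statement reads better, e.g. "Note that the dumped data cannot be uploaded back to the game server."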
@ -108,13 +107,13 @@ Class2019.smethod_0()
} }
``` ```
### 2. Specialized deobfuscation command ### 1.2. Specialized deobfuscation command
```powershell ```powershell
de4dot-x64.exe --un-name "!^<>[a-z0-9]$&!^<>[a-z0-9]__.$&![A-Z][A-Z]\$<>.$&^[a-zA-Z_<{$][a-zA-Z_0-9<>{}$.`-]*$" "Assembly-CSharp-cleaned.dll" --strtyp delegate --strtok 0x0600C93A de4dot-x64.exe --un-name "!^<>[a-z0-9]$&!^<>[a-z0-9]__.$&![A-Z][A-Z]\$<>.$&^[a-zA-Z_<{$][a-zA-Z_0-9<>{}$.`-]*$" "Assembly-CSharp-cleaned.dll" --strtyp delegate --strtok 0x0600C93A
``` ```
### 3. Dumper patch ### 1.3. Dumper patch
```csharp ```csharp
Class157.method_10() Class157.method_10()
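Review bot: the code fence in appendix 1.2 is tagged `powershell`, but the pattern passed to `--un-name` is double-quoted and contains a backtick (`` `- `` near the end of the last character class); in PowerShell the backtick is the escape character inside double-quoted strings, so the literal backtick is consumed before de4dot ever sees the pattern. Either single-quote the pattern (PowerShell treats single-quoted strings literally) or tag the fence as a Command Prompt command and say so. Also, the heading says "deobfuscation command" while step 6 of section 1 calls it the "cleaning command"; use one name in both places.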
@ -129,7 +128,7 @@ Class157.method_10()
} }
``` ```
### 4. Ssl cert patch ### 1.4. Ssl cert patch
```csharp ```csharp
Class505.ValidateCertificate() Class505.ValidateCertificate()
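Review bot: appendix 1.3 is referenced from step 5 of section 2, but the hunk shows only the method name `Class157.method_10()` and a closing brace; since the hunk header for this appendix says all code is based on 0.12.8.9819 and de4dot's generated names (`Class157`, `method_10`) are not stable across builds, the entry should say explicitly that readers on another build must locate the equivalent method themselves, and should name the output path the dumper writes to (section 3 step 6 says `%gamedir%/HTTP_DATA/`) so the reader can confirm the patch is in place.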
@ -139,7 +138,7 @@ Class505.ValidateCertificate()
} }
``` ```
### 5. Battleye patch ### 1.5. Battleye patch
```csharp ```csharp
Class784.RunValidation() Class784.RunValidation()
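Review bot: the "Ssl cert patch" in 1.4 makes `Class505.ValidateCertificate()` always succeed, which the Theory section states is the intent, but the appendix does not spell out the consequence: while the patched assembly is in place the client accepts any certificate for every TLS connection the game opens, not only the ones being dumped. Suggest a one-line note under 1.4 saying the patched build is for the dump session only and that section 3 step 8 (restoring `Assembly-CSharp.dll.bak`) is not optional. Heading nit: "Ssl" should be "SSL" (or "TLS", matching the Theory section), and "Battleye" in 1.5 is spelled "BattlEye" by its vendor.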