traffic webbrowser c# or vb net that run a flash application

Jun 21, 2012 at 9:34 PM

Hello. Sorry for the english.

 I have a vb net webbrowser that run a poker flash application.

I'd like to intercept the card whene hand is finished to save it to analize in the future.

In wich way can i obtain the flas application traffic?

Public CreateRecvHook As LocalHook

 Private Sub Button1_Click_1(sender As System.Object, e As System.EventArgs) Handles Button1.Click
        Try
            CreateRecvHook = LocalHook.Create(LocalHook.GetProcAddress("Ws2_32.dll", "recv"), New Drecv(AddressOf recv_Hooked), Me)
            CreateRecvHook.ThreadACL.SetInclusiveACL (New Int32() {0})
        Catch ExtInfo As Exception
            Debug.WriteLine("Error creating the Hook")
            Return
        End Try
        RemoteHooking.WakeUpProcess()
    End Sub

    Public Sub New()
        InitializeComponent()
    End Sub

    <DllImport("Ws2_32.dll")> _
    Private Shared Function recv(socketHandle As IntPtr, buf As IntPtr, count As Integer, socketFlags As Integer) As Integer
    End Function
    <UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet:=CharSet.Unicode, SetLastError:=True)> _
    Private Delegate Function Drecv(socketHandle As IntPtr, buf As IntPtr, count As Integer, socketFlags As Integer) As Integer    Private Shared Function recv_Hooked(socketHandle As IntPtr, buf As IntPtr, count As Integer, socketFlags As Integer) As Integer
        Dim bytesCount As Integer = recv(socketHandle, buf, count, socketFlags)
        If bytesCount > 0 Then
            Dim newBuffer As Byte() = New Byte(bytesCount - 1) {}
            Marshal.Copy(buf, newBuffer, 0, bytesCount)
            Dim s As String = System.Text.ASCIIEncoding.ASCII.GetString(newBuffer)
            Dim tw As TextWriter = New StreamWriter("log.txt")
            tw.Write(s)
            tw.Close()
            File.AppendAllText("hook.txt", vbNewLine + vbNewLine + s)
            Debug.WriteLine("Hooked:>" & s)

        End If
        Return bytesCount
    End Function

In hook.txt  file i obtain this: 

16 10007 
4 20244 25 7/40/30 
4 20245 28 7,160; 4 20246 10 9 
4 20247 25 9/40/40 
4 20248 28 9,501; 4 20249 10 0 
4 20250 26 0 
4 20251 28 0,1000; 4 20252 10 2 
4 20253 25 2/40/35 
4 20254 28 2,1094; 4 20255 10 4 
4 20256 26 4 
4 20257 28 4,990; 1 20258 4 
4 20259 29 0,170; 4 20260 30 8 
4 20261 15 As 9h 9s 
4 20262 10 2 
4 20263 22 2 4 20264 28 2,1094; 4 20265 10 5 
4 20266 22 5 
4 20267 28 5,560; 4 20268 10 7 
4 20269 22 7   ecc ecc ecc ecc.

 Thanks

 

Jun 28, 2012 at 9:37 AM

up sorry. 

Jun 28, 2012 at 10:50 AM
Edited Jun 28, 2012 at 10:51 AM

I'll try to have a look for you marino, but from what I know that is probably correct. What is it you are expecting it to return?

Jun 28, 2012 at 5:24 PM

I'm aspecting to receive string that indicate the action of player and the card on board.

The string that i receive is unreadeble for me. Is it decode in some way? 

Thanks for reply and sorry for english (i'm italian)

Jun 28, 2012 at 5:44 PM
This is off-topic, but you'll have to decode the protocol. The protocol
looks very simple and not obfuscated, so it shouldn't be too hard.
My best guess:
4 is the player-number of yourself, the 5 digit numbers are an
incrementing id for each message, the following 2 digit number is the
code for the message type that follows.
15 seems to be the code for open cards (Ace of spades, 9 hearts, 9
spades in this case). 28 could be followed by a message of type
"playerid,stacksize". 10 could be followed by the a player id
(indicating who's turn it is to act perhaps). 25 could indicate some
sort of action (playerid,action1, action2). Note that the number
following 10 re-eappears in the next 25 and 28 messages, that's where my
guess
comes from.

But I'm just guessing here, you just have to simply watch the game and
correlate the output.

> I'm aspecting to receive string that indicate the action of player and
> the card on board.
>
> The string that i receive is unreadeble for me. Is it decode in some way?
>
> Thanks for reply and sorry for english (i'm italian)
>
> Read the full discussion online
> <http://easyhook.codeplex.com/discussions/360533#post855087>.
>
> To add a post to this discussion, reply to this email
> (easyhook@discussions.codeplex.com
> <mailto:easyhook@discussions.codeplex.com?subject=[easyhook:360533]>)
>
> To start a new discussion for this project, email
> easyhook@discussions.codeplex.com <mailto:easyhook@discussions.codeplex.com>
>
> You are receiving this email because you subscribed to this discussion
> on CodePlex. You can unsubscribe or change your settings
> <https://easyhook.codeplex.com/subscriptions/thread/project/edit> on
> codePlex.com.
>
> Please note: Images and attachments will be removed from emails. Any
> posts to this discussion will also be available online at codeplex.com
>
Jun 28, 2012 at 5:47 PM
Also, last time I checked flash was decompiled quite easily, that might
make it easier to reverse engineer the protocol.