Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
My favorite racing game server is shutting down shortly. Before that happens I would like to decipher as much information to work with later so my friends and I can still play.
Having hit a brick wall I thought someone with more experience than me might be able to recognize some tell-tale bytes.
I'm looking to find the encryption and/or compression method used so I can begin to decipher it. If someone would like to take a look, I have a couple of notable packets below with some notes about them.
1d 35 05 00 0a d0 83 b5 23 33 00 00 00 01 00 0e
04 c7 00 00 6c 8b 69 28 df 40 8d 30 9b 81 5f b6
e3 8b 8f b7 4e d2 4d 48 35 40 ea 14 ce e8 65 f5
a7 cd a3 42 6c e2 d9 51 45 5f f0 b5 53 51 6d 2b
c0 e2 34 14 8f 5f 06 d4 28 e4 76 3d 5c ba 2d 11
38 76 e8 11 86 d8 58 24 91 0a af ad f4 7c ee db
ca f3 85 2f dd 73 10 cf 30 49 50 c1 77 78 ae 7e
27 2c 5d bf 4a 78 e0 b0 d2 f4 d7 66 40 f0 ad 75
75 9c 9b 9f e8 2b 32 4d 27 10 3c 31 19 73 2c 80
73 3b b8 b3 4a 78 e0 b0 d2 f4 d7 66 8c c3 08 a5
d8 40 fb f6 2b f2 04 61 47 6f 2e 0e 29 59 cc 1b
f2 13 a0 67 4a 78 e0 b0 d2 f4 d7 66 55 68 45 fd
96 21 16 b1 ed e9 86 43 e2 8b 70 5f b7 bd a3 8c
4d c3 8a e2 4a 78 e0 b0 d2 f4 d7 66 ab 6f ac bd
c1 91 f8 8e 4a 78 e0 b0 d2 f4 d7 66 46 0d 43 4f
4a b4 a2 7b 4a 78 e0 b0 d2 f4 d7 66 f7 af c5 c8
41 69 ed 27 ba c5 16 5e c7 cf 46 d1 8a 79 70 a4
7b d6 a3 8f cc a7 76 fb 52 8b 76 6a 70 ff bb b0
01 17 8f 16 8d 5a ec cd 90 7b 11 37 36 e0 7a d5
b7 97 24 41 6d 94 13 39 17 1f f9 fc de 03 3d d4
3b 54 b6 84 1c 63 c7 48 15 de ef 8c 80 95 d3 84
d9 6d 80 47 06 31 fd 39 2d 78 b9 ac 33 40 69 40
72 52 57 fd 9a 3a 84 41 a9 4d 52 95 9f af a7 bf
80 3d 54 61 d5 fc ce 18 c7 7f 8e 3b e2 52 ee 20
a1 49 f8 ec 8a 5e fe 06 97 6c da 06 ce 84 09 95
bd 39 83 b2 20 3b 47 1b 03 a1 d3 d4 2f e0 ee 46
60 54 97 20 5b 2e 6b 3d 01 ee 3a 08 95 46 e5 e3
f0 d2 2d c4 21 0e 71 0b 2a 66 1c 2d 85 0f 55 2f
e8 7c 5c 2b 9e 8f be d3 cb 9e aa 0a f3 87 6d ee
e8 b4 8a c7 94 66 53 6c 62 93 68 e2 ed 4a 25 30
62 fd 7b 4f 3b 89 e3 59 d3 ca 47 2c 57 55 0e ea
a2 a3 f9 e8 3a 1b db 30 a5 71 64 e0 84 ae 68 f5
7c b9 04 40 d7 4e 9d 9e 4e 88 6f 5b 48 dd 7c 75
e8 93 a2 0c d7 4e 9d 9e 4e 88 6f 5b f0 b0 76 40
3b a0 c2 14 a4 4f 70 a0 f6 f9 68 65 10 b8 e3 b3
82 60 c0 e3 7b d5 7e 06 7d 38 d4 0c d7 4e 9d 9e
4e 88 6f 5b 82 f3 da ff f5 ba 01 cd e4 c0 61 13
ed 06 81 ce 94 42 9f 47 7f 61 01 82 d7 4e 9d 9e
4e 88 6f 5b 06 ce 5d 28 17 85 72 e2 d9 09 3f 97
6f f7 a4 29 3c c8 3a 96 b1 20 95 8a aa 89 54 8a
71 2a 06 a9 ce 1f d3 63 61 54 db 95 2b f2 04 61
47 6f 2e 0e c9 16 f9 83 fe fd 59 49 69 6a 5b 9f
36 35 63 c7 df 86 d0 e8 f5 ec 27 21 e6 c0 7f 3e
cd 8c a0 bd ac 98 17 8d dd bf 84 7c e6 c0 7f 3e
cd 8c a0 bd 6f 92 ba d1 4c 8f 37 bd e6 c0 7f 3e
cd 8c a0 bd c0 6a c3 31 ab 6c cf 86 a4 4f 70 a0
f6 f9 68 65 3b a2 22 37 83 39 a5 4e eb 84 25 c5
08 76 1a 53 e6 c0 7f 3e cd 8c a0 bd 82 7e 70 31
d8 1c de 8d 5d f1 b4 76 8d 87 80 b6 41 a5 4c 4d
0e 1c ef a4 e6 c0 7f 3e cd 8c a0 bd b5 06 a1 35
e8 e1 e0 9e 0b 3d a5 8f ad eb 72 ec 09 b4 db d8
f4 0e 27 6d 4f 46 9c 93 8a 6c 99 62 f3 75 f2 a9
52 59 75 90 cd e3 f7 d0 20 de db b9 c6 bd 91 f3
1b 59 c6 14 d7 02 5b de c8 4e 47 14 35 3c 74 f2
50 ae 3f a1 be b4 99 c0 5b 32 06 21 00 60 77 5f
14 37 3f 26 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 f0 95 42 32 ff 36 3a 74 58 b0 0e c4
32 84 82 6d a7 d7 2d 61 ab 31 c7 fd ff 97 d7 ae
28 f0 61 fa 81 6b dd 60 a8 1f d4 55 21 3c 8d 22
5c bb a4 82 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 aa 89 54 8a
71 2a 06 a9 da d8 f4 fd 82 c5 ef 9a a4 89 65 af
ec 9a d7 d9 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 f1 14 06 7a
3e 83 8b ed 58 b0 0e c4 32 84 82 6d 06 75 0b 7b
d4 99 7d 60 aa ba 49 33 7e 03 ce 28 cb a5 7e 41
93 19 ea 5c 95 33 ab ef ca d7 14 d8 a4 4f 70 a0
f6 f9 68 65 9a a4 e8 da 49 b1 e3 4f 28 22 71 95
9c a8 c1 20 ac 42 a3 6e 6e a3 54 2c 22 ba 13 23
cc df 4d f4 aa 9c a0 69 e7 77 91 5f 7b e9 8f ac
70 f0 1a 21 45 aa f0 71 df a0 d3 99 ba 40 64 58
17 2e e9 cf a4 0b 53 d8 86 89 5b 6e fd ab 78 43
98 58 c2 3c 50 ed 3a 9b d9 dc a0 ee fc 18 d5 95
cc fd 31 be 2d 5b 5e 33 d7 fa 22 a7 69 c8 ae 34
48 7e d4 fc 37 de 4a 2c 36 5c d8 a8
1d 35 05 00 0a d0 83 b5 23 33 00 00 00 01 00 0e
04 c7 00 00 29 c0 fa 0f 59 3c fc b6 13 24 b3 d3
ce cc 1e 87 4e d2 4d 48 35 40 ea 14 ce e8 65 f5
a7 cd a3 42 6c e2 d9 51 45 5f f0 b5 53 51 6d 2b
c0 e2 34 14 8f 5f 06 d4 28 e4 76 3d 5c ba 2d 11
38 76 e8 11 86 d8 58 24 91 0a af ad f4 7c ee db
ca f3 85 2f dd 73 10 cf 30 49 50 c1 77 78 ae 7e
27 2c 5d bf 4a 78 e0 b0 d2 f4 d7 66 40 f0 ad 75
75 9c 9b 9f e8 2b 32 4d 27 10 3c 31 19 73 2c 80
73 3b b8 b3 2b f2 04 61 47 6f 2e 0e 8c c3 08 a5
d8 40 fb f6 2b f2 04 61 47 6f 2e 0e 29 59 cc 1b
f2 13 a0 67 2b f2 04 61 47 6f 2e 0e 55 68 45 fd
96 21 16 b1 4f 46 9c 93 8a 6c 99 62 b7 bd a3 8c
4d c3 8a e2 2b f2 04 61 47 6f 2e 0e ab 6f ac bd
c1 91 f8 8e 4a 78 e0 b0 d2 f4 d7 66 46 0d 43 4f
4a b4 a2 7b 4a 78 e0 b0 d2 f4 d7 66 f7 af c5 c8
41 69 ed 27 ba c5 16 5e c7 cf 46 d1 8a 79 70 a4
7b d6 a3 8f cc a7 76 fb 52 8b 76 6a 70 ff bb b0
01 17 8f 16 8d 5a ec cd 90 7b 11 37 36 e0 7a d5
b7 97 24 41 6d 94 13 39 17 1f f9 fc de 03 3d d4
3b 54 b6 84 1c b2 d0 c3 73 5c 25 0b 80 95 d3 84
d9 6d 80 47 bb a2 a9 62 49 53 d3 62 33 40 69 40
72 52 57 fd 89 f3 14 bf bd 15 f4 2d 9f af a7 bf
80 3d 54 61 d5 fc ce 18 c7 7f 8e 3b e2 52 ee 20
a1 49 f8 ec b5 8e d6 79 85 9d cd 7c ce 84 09 95
bd 39 83 b2 20 3b 47 1b 03 a1 d3 d4 2f e0 ee 46
60 54 97 20 3e 7f 7a e7 e0 2a f1 77 95 46 e5 e3
f0 d2 2d c4 21 0e 71 0b 2a 66 1c 2d 85 0f 55 2f
e8 7c 5c 2b 9e 8f be d3 cb 9e aa 0a f3 87 6d ee
e8 b4 8a c7 cd 7e ce 4f 73 4c fd 0d ed 4a 25 30
62 fd 7b 4f 3b 89 e3 59 d3 ca 47 2c 57 55 0e ea
a2 a3 f9 e8 3a 1b db 30 a5 71 64 e0 84 ae 68 f5
7c b9 04 40 d7 4e 9d 9e 4e 88 6f 5b 48 dd 7c 75
e8 93 a2 0c d7 4e 9d 9e 4e 88 6f 5b f0 b0 76 40
3b a0 c2 14 a4 4f 70 a0 f6 f9 68 65 10 b8 e3 b3
82 60 c0 e3 7b d5 7e 06 7d 38 d4 0c d7 4e 9d 9e
4e 88 6f 5b 82 f3 da ff f5 ba 01 cd e4 c0 61 13
ed 06 81 ce 94 42 9f 47 7f 61 01 82 d7 4e 9d 9e
4e 88 6f 5b 06 ce 5d 28 17 85 72 e2 d9 09 3f 97
6f f7 a4 29 3c c8 3a 96 b1 20 95 8a aa 89 54 8a
71 2a 06 a9 ce 1f d3 63 61 54 db 95 2b f2 04 61
47 6f 2e 0e c9 16 f9 83 fe fd 59 49 69 6a 5b 9f
36 35 63 c7 df 86 d0 e8 f5 ec 27 21 e6 c0 7f 3e
cd 8c a0 bd ac 98 17 8d dd bf 84 7c e6 c0 7f 3e
cd 8c a0 bd 6f 92 ba d1 4c 8f 37 bd e6 c0 7f 3e
cd 8c a0 bd c0 6a c3 31 ab 6c cf 86 a4 4f 70 a0
f6 f9 68 65 9c b3 25 70 7c 21 66 1d eb 84 25 c5
08 76 1a 53 90 57 0c b7 3a 8f 07 50 82 7e 70 31
d8 1c de 8d f7 2a 0e 09 c5 0c 9a 39 41 a5 4c 4d
0e 1c ef a4 e6 c0 7f 3e cd 8c a0 bd b5 06 a1 35
e8 e1 e0 9e 0b 3d a5 8f ad eb 72 ec 09 b4 db d8
f4 0e 27 6d 4f 46 9c 93 8a 6c 99 62 f3 75 f2 a9
52 59 75 90 ad 8a 17 b8 b5 b4 5d a3 c6 bd 91 f3
1b 59 c6 14 e7 15 64 f5 d5 62 49 51 35 3c 74 f2
50 ae 3f a1 be b4 99 c0 5b 32 06 21 00 60 77 5f
14 37 3f 26 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 f0 95 42 32 ff 36 3a 74 58 b0 0e c4
32 84 82 6d a7 d7 2d 61 ab 31 c7 fd 2d 61 4e d8
2a a8 9f 96 c6 36 d8 6e 07 6b 2f bd 7a c1 9a f0
66 3f c7 ed a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 aa 89 54 8a
71 2a 06 a9 da d8 f4 fd 82 c5 ef 9a 8b ff 8e 2e
7c 8c b2 cb d8 b4 32 d5 89 09 75 3a 34 0a 46 15
33 a0 78 70 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0
f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 f1 14 06 7a
3e 83 8b ed 58 b0 0e c4 32 84 82 6d 06 75 0b 7b
d4 99 7d 60 aa ba 49 33 7e 03 ce 28 cb a5 7e 41
93 19 ea 5c 95 33 ab ef ca d7 14 d8 a4 4f 70 a0
f6 f9 68 65 9a a4 e8 da 49 b1 e3 4f 01 53 da 40
25 58 9d 0a ac 42 a3 6e 6e a3 54 2c 22 ba 13 23
cc df 4d f4 e0 31 28 a3 52 33 f5 a7 49 ec 01 d3
83 ce 13 01 dc ad 3b 01 22 14 00 b4 82 28 d3 38
8a bf 02 82 ce 88 c3 0f 1f f5 4d 50 eb 8a b7 3c
4c 87 9a a2 78 15 c6 05 66 24 dd 18 1a 01 e9 d9
61 e6 91 8d 2d 5b 5e 33 d7 fa 22 a7 69 c8 ae 34
48 7e d4 fc 25 4b 63 94 90 c2 1f 24
The prior packets (UDP, I've shown data only) are sent when I refresh the list of races people have. There are two packets (I refreshed the list twice); however, both should contain similar data. They are different in places, so I posted both in case it gives any clues. It could be just the ordering of the list sent.
The races listed have a name, entry fee, and prize amount. So at the minimum this information has to be contained in these packets:
Grand Tantalus $100 $2970
Anya (Top-Model) $110 $5193
The judgement way $130 $2151
Pearl City $50 $18585
East to West - LH $0 $9000
Kelekole Pass $10 $72
Makiki****no cheater! $300 $79020
Koko Head Park||||| $950 $185130
nicmax -chit,go home! $50 $19260
$0 $0
The last race was one I created and named with only spaces (22 spaces total) to help with deciphering the information.
Also of note, it appears that when you initially boot up the game, the first few packets exchanged are not encrypted:
I send this (which includes the game version, my name "Mctittles", and the CD key in plain text):
00000000 fd c7 00 3f 00 00 2a 7b 4d 43 20 31 2e 36 36 20 ...?..*{ MC 1.66
00000010 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A....... ........
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000040 00 00 00 00 00 00 00 00 00 47 53 43 41 2d 32 4b ........ .GSCA-2K
00000050 51 4b 2d 41 59 33 43 2d 4c 43 51 58 00 4d 63 74 QK-AY3C- LCQX.Mct
00000060 69 74 74 6c 65 73 00 00 00 00 00 00 00 00 00 00 ittles.. ........
00000070 00 00 00 3d ...=
Server sends this back
00000000 1d 35 01 00 ae 47 65 1c 22 b9 52 75 00 00 00 00 .5...Ge. ".Ru....
00000010 00 00 52 75 00 00 2a 7b 4d 43 20 31 2e 36 36 20 ..Ru..*{ MC 1.66
00000020 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A....... ........
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3a 9d ........ ......:.
00000060 00 00 52 37 00 00 06 3a 68 74 74 70 3a 2f 2f 77 ..R7...: http://w
00000070 77 77 2e 61 74 61 72 69 2e 63 6f 6d 2f 73 75 70 ww.atari .com/sup
00000080 70 6f 72 74 2f 6b 62 2f 33 32 36 36 00 00 00 00 port/kb/ 3266....
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000260 00 00 00 00 00 00 00 03 ........
I send the same information again
00000074 fd c7 02 01 00 00 2a 7b 4d 43 20 31 2e 36 36 20 ......*{ MC 1.66
00000084 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A....... ........
00000094 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000A4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000B4 00 00 00 00 00 00 00 00 00 29 62 00 00 00 3a 9d ........ .)b...:.
000000C4 00 00 52 37 00 00 06 3a 9c 2f 44 2d c4 e6 ff 0f ..R7...: ./D-....
000000D4 bc 2b 5f 0b 47 53 43 41 2d 32 4b 51 4b 2d 41 59 .+_.GSCA -2KQK-AY
000000E4 33 43 2d 4c 43 51 58 00 4d 63 74 69 74 74 6c 65 3C-LCQX. Mctittle
000000F4 73 00 00 00 00 00 00 00 00 00 00 00 00 00 62 00 s....... ......b.
Server responds
00000268 1d 35 03 00 00 01 00 0e 0a d0 83 b5 23 28 01 00 .5...... ....#(..
00000278 68 74 74 70 3a 2f 2f 77 77 77 2e 61 74 61 72 69 http://w ww.atari
00000288 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 2f 6b 62 2f .com/sup port/kb/
00000298 33 32 36 36 00 00 00 00 00 00 00 00 00 00 00 00 3266.... ........
000002A8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000308 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000318 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000328 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000338 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000348 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000358 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000368 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000378 00 00 00 00 00 00 00 9d 3a 00 00 37 52 00 00 3a ........ :..7R..:
00000388 06 00 00 2d 44 2f 9c 0f ff e6 c4 0b 5f 2b bc 45 ...-D/.. ...._+.E
00000398 34 45 32 44 45 42 34 00 00 00 00 48 64 41 00 c0 4E2DEB4. ...HdA..
000003A8 f8 29 03 00 01 01 00 f8 9e 3a 03 a8 99 3a 03 00 .)...... .:...:..
000003B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000003C8 00 00 00 00 00 00 00 00 00 00 00 7a 1d 62 25 00 ........ ...z.b%.
000003D8 00 00 a4 76 65 72 73 69 6f 6e 73 2f 54 65 73 74 ...versi ons/Test
000003E8 44 72 69 76 65 55 6e 6c 69 6d 69 74 65 64 2d 4f DriveUnl imited-O
000003F8 6e 6c 69 6e 65 44 69 73 74 72 69 62 2d 4d 43 20 nlineDis trib-MC
00000408 31 2e 36 36 20 41 2e 65 78 65 00 00 00 00 00 00 1.66 A.e xe......
00000418 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000428 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000438 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000448 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000458 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000468 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
After this it becomes encrypted
Me:
00000104 fd c7 04 01 0a d0 83 b5 23 28 06 00 00 01 00 0e ........ #(......
00000114 01 1a 81 7c cf 45 60 14 53 6f 5f b9 8b ff e7 2b ...|.E`. So_....+
00000124 61 29 de 13 94 67 0e 25 e5 ac 8b 02 63 f1 25 7e a)...g.% ....c.%~
00000134 a4 f7 99 be 21 40 7f c0 f5 22 8a 35 b4 ac 2d 34 ....!@.. .".5..-4
00000144 23 b7 a7 80 79 4c 68 85 1e 74 60 15 8e 65 2b 11 #...yLh. .t`..e+.
00000154 c5 45 0e 50 9e 31 ba a5 d0 5f b6 d6 a4 4f 70 a0 .E.P.1.. ._...Op.
00000164 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000174 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000184 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000194 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000001A4 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000001B4 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000001C4 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000001D4 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000001E4 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000001F4 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000204 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000214 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000224 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000234 f6 f9 68 65 ..he
Server:
00000478 1d 35 05 00 0a d0 83 b5 23 28 00 00 00 01 00 0e .5...... #(......
00000488 04 0a 00 00 50 47 4d 5a e8 bb 11 6c ee 82 22 a5 ....PGMZ ...l..".
00000498 15 1b 74 18 59 09 12 b0 a4 59 dd ed 17 10 62 f1 ..t.Y... .Y....b.
000004A8 e4 35 c5 6e df f7 63 51 9d 0f 68 25 cf ac 1f 60 .5.n..cQ ..h%...`
000004B8 35 6c 33 3d 9c 29 fb bf 6a 8a e6 8e a2 7f 9d dc 5l3=.).. j.......
000004C8 62 a6 40 ac d8 92 70 66 ad 76 fb e5 16 3d 03 89 b.@...pf .v...=..
000004D8 a5 d3 b4 a4 41 9e 67 86 be 1f f4 17 d6 8b b8 a2 ....A.g. ........
000004E8 52 58 03 1a 7c 7a 0c 50 78 e2 ca b1 bb 9f 7a 07 RX..|z.P x.....z.
000004F8 78 cd be ec 57 77 88 6b 09 fa 14 b9 6f 0c ac c0 x...Ww.k ....o...
00000508 4c 9a 16 e9 11 d8 b7 c2 f7 4f a0 3e e0 dd be fe L....... .O.>....
00000518 ce 1a 3a a0 63 c0 01 15 6d ec 8c 1b 3e e7 a0 00 ..:.c... m...>...
00000528 2c 5b 5d 86 ed ee 6c 69 df 7a b8 47 d8 82 69 e6 ,[]...li .z.G..i.
00000538 c7 21 eb e0 b9 47 9e a1 ca 5c 5d 3e 00 01 c7 51 .!...G.. .\]>...Q
00000548 3f 04 c4 06 f5 5a 43 14 03 65 84 ef a4 4f 70 a0 ?....ZC. .e...Op.
00000558 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000568 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000578 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000588 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000598 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000005A8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000005B8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000005C8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000005D8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000005E8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000005F8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000608 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000618 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000628 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000638 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000648 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000658 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000668 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000678 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000688 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000698 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000006A8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000006B8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000006C8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000006D8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000006E8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000006F8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000708 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000718 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000728 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000738 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000748 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000758 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000768 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000778 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000788 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000798 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000007A8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000007B8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000007C8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000007D8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000007E8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
000007F8 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000808 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000818 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000828 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000838 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000848 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000858 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000868 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000878 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 a4 4f 70 a0 ..he.Op. ..he.Op.
00000888 f6 f9 68 65 a4 4f 70 a0 f6 f9 68 65 00 d8 ad 79 ..he.Op. ..he...y
00000898 a8 ef 0c 3e ...>
and so on...
The server does not appear to do much outside of connecting players and listing games. The main bulk of gameplay is transferred from player IP to player IP, which incidentally is in plain text. If I could just decipher these packets, I should be able to replace their connection/listing server and still play.
Thanks for having a look, maybe I'll get lucky and someone will see something I haven't.
It's almost impossible just to look at the data and figure out the format. In the best-case scenario, it could work for super simple formats (for example, just a list of strings separated by null terminators). However, as soon as you have anything a little bit more complex, you will have no idea what the data mean.
I recommend coming at this from another angle. As I understand it, you should have a client for the server. You can reverse engineer it and look inside at how it communicates with the server.
It is also quite time-consuming. However, this way you will be able to learn way more about the protocol which they are using.
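As an added illustration (not code from the question or the answer), the script below runs the one check that can be made from the dumps alone: it cuts a pasted excerpt into blocks at every possible phase and counts aligned repeats, which is how a block cipher in ECB mode gives itself away. The excerpt is lines 8 to 16 of the first dump (packet bytes 112 to 255), where `4a 78 e0 b0 d2 f4 d7 66` recurs; the candidate block sizes (8 and 16) are an assumption made here.

```python
"""Aligned-repeat scan over a pasted packet excerpt.

Added example, not code from the question or the answer. Identical 8-byte
groups that recur at one fixed 8-byte phase are the classic fingerprint of a
block cipher used in ECB mode: equal plaintext blocks give equal ciphertext
blocks, while compressed or stream-encrypted data does not repeat that way.
Candidate block sizes (8 and 16) are an assumption made here.
"""
from collections import Counter

# Lines 8-16 of the first dump in the question (packet bytes 112..255),
# pasted verbatim.
SAMPLE = """
27 2c 5d bf 4a 78 e0 b0 d2 f4 d7 66 40 f0 ad 75
75 9c 9b 9f e8 2b 32 4d 27 10 3c 31 19 73 2c 80
73 3b b8 b3 4a 78 e0 b0 d2 f4 d7 66 8c c3 08 a5
d8 40 fb f6 2b f2 04 61 47 6f 2e 0e 29 59 cc 1b
f2 13 a0 67 4a 78 e0 b0 d2 f4 d7 66 55 68 45 fd
96 21 16 b1 ed e9 86 43 e2 8b 70 5f b7 bd a3 8c
4d c3 8a e2 4a 78 e0 b0 d2 f4 d7 66 ab 6f ac bd
c1 91 f8 8e 4a 78 e0 b0 d2 f4 d7 66 46 0d 43 4f
4a b4 a2 7b 4a 78 e0 b0 d2 f4 d7 66 f7 af c5 c8
"""


def parse_hex(text: str) -> bytes:
    """Turn 'aa bb cc' dump text, as pasted in the question, into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def blocks_at(data: bytes, block_size: int, phase: int) -> Counter:
    """Histogram of the whole blocks obtained by cutting data into
    block_size pieces starting at byte offset `phase`."""
    body = data[phase:]
    n = len(body) // block_size
    return Counter(body[i * block_size:(i + 1) * block_size] for i in range(n))


def repeat_count(data: bytes, block_size: int, phase: int) -> int:
    """How many blocks duplicate an earlier block; 0 means all unique."""
    hist = blocks_at(data, block_size, phase)
    return sum(hist.values()) - len(hist)


def scan(data: bytes, block_sizes=(8, 16)) -> dict:
    """Repeat count for every (block_size, phase). Random-looking data scores
    about 0 everywhere; ECB scores at its true block size and phase only."""
    return {(bs, ph): repeat_count(data, bs, ph)
            for bs in block_sizes for ph in range(bs)}


def best_alignment(data: bytes, block_sizes=(8, 16)) -> tuple:
    """(block_size, phase, repeats) for the alignment with the most repeats."""
    (bs, ph), reps = max(scan(data, block_sizes).items(), key=lambda kv: kv[1])
    return bs, ph, reps


def most_common_block(data: bytes, block_size: int, phase: int) -> bytes:
    """The block that recurs most often at this alignment."""
    return blocks_at(data, block_size, phase).most_common(1)[0][0]


if __name__ == "__main__":
    data = parse_hex(SAMPLE)
    for (bs, ph), reps in sorted(scan(data).items()):
        if reps:
            print(f"block size {bs:2d} phase {ph:2d}: {reps} repeated blocks")
    bs, ph, reps = best_alignment(data)
    print("best:", bs, ph, reps, most_common_block(data, bs, ph).hex(" "))
```

Phase 4 on an excerpt that starts at packet byte 112 (a multiple of 8) means the cipher blocks begin 4 mod 8 bytes into the packet, which fits a 20-byte header (the `1d 35 05 00 ... 04 c7 00 00` prefix both dumps share) followed by ciphertext, and the long `a4 4f 70 a0 f6 f9 68 65` runs later in the dumps sit on the same phase, which is what a zero-padded fixed-width field looks like under ECB. That is an inference from the dumps, not something the answer or the game documents, and it says nothing about which cipher or key is in use.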
Related
I'm developing a minimal x86-64 OS from scratch and I am attempting to detect memory to be able to map the higher half of the virtual address space to all physical memory available.
From this link: https://www.kernel.org/doc/html/latest/x86/x86_64/mm.html, I think this is what the Linux kernel does also, probably to be able to reach all physical addresses if the need arises at some point.
ffff888000000000 | -119.5 TB | ffffc87fffffffff | 64 TB | direct mapping of all physical memory (page_offset_base)
I want to do the same in my kernel but I need to detect the amount of physical memory installed currently on my system. I can always use the Memory Map returned by UEFI but this doesn't necessarily tell me how much memory is actually installed.
I'm emulating on QEMU and I thought of locating the SMBIOS table to do that. If I print memory from 0xf0000 to 0xfffff, I don't find the signature of the SMBIOS table:
(gdb) dump memory result.bin 0xf0000 0xfffff
user@user-System-Product-Name:~$ hexdump -C result.bin
00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
0000fd00 ff ff ff ff ff ff ff ff 2e 06 a0 1b 79 c7 82 45 |............y..E|
0000fd10 85 66 33 6a e8 f7 8f 09 08 aa 01 08 f8 02 00 f8 |.f3j............|
0000fd20 0c 00 00 19 00 00 00 00 00 00 00 00 d4 02 00 19 |................|
0000fd30 31 c0 2d 00 10 00 00 3d 00 00 00 ff 72 33 81 78 |1.-....=....r3.x|
0000fd40 10 78 e5 8c 8c 75 eb 81 78 14 3d 8a 1c 4f 75 e2 |.x...u..x.=..Ou.|
0000fd50 81 78 18 99 35 89 61 75 d9 81 78 1c 85 c3 2d d3 |.x..5.au..x...-.|
0000fd60 75 d0 83 78 24 00 75 ca 89 c3 03 58 20 75 c3 eb |u..x$.u....X u..|
0000fd70 09 b8 bf bf bf bf 89 c5 eb fe 89 c5 e9 37 02 00 |.............7..|
0000fd80 00 31 db 89 de 89 e8 66 8b 5d 30 01 d8 72 3b eb |.1.....f.]0..r;.|
0000fd90 03 40 72 36 85 c0 74 32 83 c0 07 72 2d 24 f8 8a |.@r6..t2...r-$..|
0000fda0 58 17 f6 c3 20 74 ea 8b 48 14 81 e1 ff ff ff 00 |X... t..H.......|
0000fdb0 09 c9 74 dd 01 c1 74 02 72 d7 80 78 12 03 75 06 |..t...t.r..x..u.|
0000fdc0 eb 17 85 c0 75 06 89 c8 eb ca 31 c0 89 c6 85 f6 |....u.....1.....|
0000fdd0 75 02 74 fe e9 e4 01 00 00 85 c0 74 5f 83 c0 18 |u.t........t_...|
0000fde0 39 c8 73 58 80 78 03 10 74 1b 80 78 03 12 74 32 |9.sX.x..t..x..t2|
0000fdf0 8b 18 81 e3 ff ff ff 00 01 d8 72 40 83 c0 03 72 |..........r@...r|
0000fe00 3b 24 fc eb db 83 c0 04 66 81 38 4d 5a 75 2d 0f |;$......f.8MZu-.|
0000fe10 b7 58 3c 01 c3 81 3b 50 45 00 00 75 1f 03 43 28 |.X<...;PE..u..C(|
0000fe20 eb 1f 83 c0 04 89 c3 66 81 3b 56 5a 75 0e 03 43 |.......f.;VZu..C|
0000fe30 08 83 c0 28 0f b7 5b 06 29 d8 eb 05 b8 00 00 00 |...(..[.).......|
0000fe40 00 e9 7c ff ff ff eb 60 0f 20 e0 0f ba e8 05 0f |..|....`. ......|
0000fe50 22 e0 b9 80 00 00 c0 0f 32 0f ba e8 08 0f 30 0f |".......2.....0.|
0000fe60 20 c0 0f ba e8 1f 0f 22 c0 ea 70 fe ff ff 18 00 | ......"..p.....|
0000fe70 e9 4d 01 00 00 b8 00 00 00 80 0f a2 3d 1f 00 00 |.M..........=...|
0000fe80 80 7c 21 b8 1f 00 00 80 0f a2 0f ba e0 01 73 14 |.|!...........s.|
0000fe90 b9 31 01 01 c0 0f 32 0f ba e0 00 73 07 89 d8 83 |.1....2....s....|
0000fea0 e0 3f eb 02 31 c0 eb 02 eb cb 31 d2 85 c0 74 06 |.?..1.....1...t.|
0000feb0 83 e8 20 0f ab c2 b9 00 18 00 00 31 c0 89 04 8d |.. ........1....|
0000fec0 fc ff 7f 00 e2 f7 c7 05 00 00 80 00 23 10 80 00 |............#...|
0000fed0 89 15 04 00 80 00 c7 05 00 10 80 00 23 20 80 00 |............# ..|
0000fee0 89 15 04 10 80 00 c7 05 08 10 80 00 23 30 80 00 |............#0..|
0000fef0 89 15 0c 10 80 00 c7 05 10 10 80 00 23 40 80 00 |............#@..|
0000ff00 89 15 14 10 80 00 c7 05 18 10 80 00 23 50 80 00 |............#P..|
0000ff10 89 15 1c 10 80 00 b9 00 08 00 00 89 c8 48 c1 e0 |.............H..|
0000ff20 15 05 e3 00 00 00 89 04 cd f8 1f 80 00 89 14 cd |................|
0000ff30 fc 1f 80 00 e2 e5 b8 00 00 80 00 0f 22 d8 e9 05 |............"...|
0000ff40 ff ff ff fa bb 00 f0 8e db bb 7a ff 2e 66 0f 01 |..........z..f..|
0000ff50 17 66 b8 23 00 00 40 0f 22 c0 66 ea 62 ff ff ff |.f.#..@.".f.b...|
0000ff60 10 00 b8 40 06 00 00 0f 22 e0 66 b8 08 00 8e d8 |...@....".f.....|
0000ff70 8e c0 8e e0 8e e8 8e d0 eb 39 1f 00 80 ff ff ff |.........9......|
0000ff80 00 00 00 00 00 00 00 00 ff ff 00 00 00 93 cf 00 |................|
0000ff90 ff ff 00 00 00 9b cf 00 ff ff 00 00 00 9b af 00 |................|
0000ffa0 bf 42 50 eb 0a bf 41 50 eb 05 66 89 c4 eb 02 eb |.BP...AP..f.....|
0000ffb0 f9 eb 90 e9 78 fd ff ff e9 c4 fd ff ff e9 84 fe |....x...........|
0000ffc0 ff ff b8 ff ff ff ff 48 21 c6 48 21 c5 48 21 c4 |.......H!.H!.H!.|
0000ffd0 48 89 e0 ff e6 90 90 90 90 90 90 90 90 90 90 90 |H...............|
0000ffe0 eb c3 90 90 90 90 90 90 00 00 00 00 56 54 46 00 |............VTF.|
0000fff0 90 90 eb ac 90 90 90 90 90 90 90 90 90 90 90 |...............|
0000ffff
I did try to add the -smbios type=0 flag when I launch QEMU from the command line.
I was wondering how the Linux kernel, when it runs within QEMU, detects memory and hardware. Does it use ACPI tables instead? I think SMBIOS is much easier to use.
Is SMBIOS reliable enough so that operating-systems that run on newer hardware can assume its presence?
I'm currently working on an old system that uses RDP. According to 4.1.4 Server MCS Connect Response PDU with GCC Conference Create Response described in [MS-RDPBCGR], the packet contains a modulus, which should be part of an RSA key. I need to know where this came from, because I need to decrypt some RDP packets stored as a log.
The first thing I did was look up certificates using mmc. But there was no certificate matching the modulus. Even when I issued a new self-signed certificate, there was no luck: the modulus was not changed by it.
More specifically, this is the response packet from the testing server (VM) containing the modulus.
0000: 03 00 02 15 02 f0 80 7f 66 82 02 09 0a 01 00 02 | ......f......
0016: 01 00 30 1a 02 01 22 02 01 03 02 01 00 02 01 01 | ..0...".........
0032: 02 01 00 02 01 01 02 03 00 ff f8 02 01 02 04 82 | .............
0048: 01 e3 00 05 00 14 7c 00 01 2a 14 76 0a 01 01 00 | .....|..*.v....
0064: 01 c0 00 4d 63 44 6e 81 cc 01 0c 10 00 0c 00 08 | ..McDn.......
0080: 00 00 00 00 00 04 00 00 00 03 0c 10 00 eb 03 04 | ...............
0096: 00 ec 03 ed 03 ee 03 ef 03 02 0c ac 01 02 00 00 | ...........
0112: 00 02 00 00 00 20 00 00 00 78 01 00 00 bb e4 de | ..... ...x...
0128: 58 1a 05 8f 26 89 f8 94 0b 88 d4 79 d4 00 ac bf | X..&.y.
0144: e0 07 72 3a e5 9b 17 7f 17 d6 18 92 7f 01 00 00 | .r:........
0160: 00 01 00 00 00 01 00 00 00 06 00 1c 01 52 53 41 | .............RSA
0176: 31 08 01 00 00 00 08 00 00 ff 00 00 00 01 00 01 | 1..............
0192: 00 2d 13 bc 1d a9 5b c8 60 9b be 66 61 ab 09 13 | .-..[`fa..
0208: 4e 0a 1f 64 27 72 df 92 18 42 ea 2c 05 5d 0d a7 | N..d'r..B,.].
0224: f7 06 51 5d 22 2e 4a fa 03 c5 8d 52 47 7c fa 13 | .Q]".J..RG|.
0240: ec dd bb 81 15 50 4b b3 f0 7b e4 75 0e e6 0d b5 | ..PK{u..
0256: ab d2 4a 9c ab f6 8c 83 a3 53 0b 87 b1 07 fc 0f | JS...
0272: 29 12 f4 c8 18 fb 9f 6d 29 10 34 af 34 d0 ca 8d | )..m).44.
0288: 48 a9 2e 9e 85 9a 39 d6 6c be cb f3 36 75 60 a5 | H.9l6u`
0304: 56 a5 a3 f5 b0 6f af c3 8e 5b 03 11 e4 27 27 bf | Vo.[..''
0320: a0 05 51 aa f1 8d 84 11 53 43 59 b8 83 4f f2 2d | .Q.SCYO-
0336: 40 44 b1 f9 5a 5b e6 2d 32 e4 d8 ef 2a 5a f8 01 | @DZ[-2*Z.
0352: 08 7a 68 a0 05 e2 5b fe 50 b5 38 cd a6 f0 ef e0 | .zh.[P8.
0368: c4 6f 4e f3 f1 9d 0a 89 ce 79 4e 3d 6f e3 a2 b3 | oN.yN=o.
0384: c7 fd dc b2 d8 c6 76 e8 79 67 ca fe 71 5d a5 3d | .vygq]=
0400: d3 40 c4 a4 28 5c 11 b7 2a 51 cd 65 e4 5f fc 2a | @.(\.*Qe_*
0416: bf 4c b1 e0 96 89 05 4b c6 72 1a 62 eb a2 51 0d | L.Kr.bQ.
0432: 45 2f 23 27 67 0e a8 c6 12 ed 81 ee 09 58 10 02 | E/#'g...X..
0448: b2 00 00 00 00 00 00 00 00 08 00 48 00 e9 95 02 | ..........H..
0464: 48 e7 84 d6 fc 60 cd 29 b2 91 7c f4 e8 b4 36 5d | H`)|6]
0480: e5 5e b4 90 d4 d4 5d 6a a1 42 69 c6 4e 5c 87 f2 | ^]jBiN\
0496: 0a cd 86 f5 64 e3 4d 61 60 0a 17 c2 f8 94 93 83 | ..dMa`..
0512: cf 23 7d c4 a3 07 ad f0 b6 bc 1a b1 00 00 00 00 | #}.......
0528: 00 00 00 00 00 | .....
The public exponent is 01 00 01 00 and the modulus is 2d 13 bc 1d ... 58 10 02 b2, with an additional 8 bytes of zero padding.
After that, if I know what the private exponent is, then I can decrypt the Client Random and generate the session key.
But as I've mentioned, I can't find where the modulus comes from. How can I obtain the RSA key (or certificate, so I can use Mimikatz) for it?
Edit
I found there is Proprietary Certificate. It seems this is what I need to find, but I still don't know where it is.
Edit: I came across the Proprietary Certificate, but where is private key?
It was located at registry HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM and is just public key BLOB. Still need to find private key...
Currently I'm looking into registry key Secrets under RCM, but I don't know what are these values right now.
I'm closing this because I found public key BLOB at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Certificate from registry though I don't know what private key is.
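The exponent/modulus layout the question describes (little-endian exponent, little-endian modulus, then 8 zero bytes before the signature blob header) is parsed here as an added example; this is not code from the question, nor Microsoft's. It assumes the RSA_PUBLIC_KEY layout from MS-RDPBCGR (magic "RSA1", keylen, bitlen, datalen, pubExp, then the modulus field of keylen bytes), of which the dump above shows only the tail, and uses a constructed 512-bit integer as the modulus. The helper names are mine. Reading the public half this way is enough to audit the advertised key size of a Terminal Server's proprietary certificate, which is all a hardening review needs from this blob.

```python
import struct

RSA1_MAGIC = 0x31415352            # the bytes "RSA1" read as a little-endian u32
HEADER = struct.Struct("<IIIII")   # magic, keylen, bitlen, datalen, pubExp (assumed layout)
PADDING = 8                        # zero bytes that follow the modulus, as in the dump


def parse_rsa_public_key(blob, off=0):
    """Parse one RSA_PUBLIC_KEY starting at `off`.
    Returns (info, next_off); next_off is where the signature blob would follow."""
    if off + HEADER.size > len(blob):
        raise ValueError("too short for RSA_PUBLIC_KEY header")
    magic, keylen, bitlen, datalen, pubexp = HEADER.unpack_from(blob, off)
    if magic != RSA1_MAGIC:
        raise ValueError("bad magic %#x (expected 'RSA1')" % magic)
    # keylen counts the modulus bytes plus the zero padding
    if keylen != bitlen // 8 + PADDING:
        raise ValueError("keylen %d does not match bitlen %d" % (keylen, bitlen))
    if datalen != bitlen // 8 - 1:
        raise ValueError("datalen %d does not match bitlen %d" % (datalen, bitlen))
    start = off + HEADER.size
    field = blob[start:start + keylen]
    if len(field) != keylen:
        raise ValueError("modulus field truncated (%d of %d bytes)" % (len(field), keylen))
    if any(field[-PADDING:]):
        raise ValueError("expected %d bytes of zero padding after the modulus" % PADDING)
    n = int.from_bytes(field[:-PADDING], "little")
    if n.bit_length() != bitlen:
        raise ValueError("modulus is %d bits, header says %d" % (n.bit_length(), bitlen))
    return {"e": pubexp, "n": n, "bitlen": bitlen}, start + keylen


def validate(blob):
    """None when the structure is self-consistent, otherwise the reason it is not."""
    try:
        parse_rsa_public_key(blob)
        return None
    except ValueError as exc:
        return str(exc)


def build_rsa_public_key(n, e=65537):
    """Encoder used only to produce constructed test input."""
    bitlen = n.bit_length()
    if bitlen % 8:
        raise ValueError("bit length must be a multiple of 8")
    nbytes = bitlen // 8
    return (HEADER.pack(RSA1_MAGIC, nbytes + PADDING, bitlen, nbytes - 1, e)
            + n.to_bytes(nbytes, "little") + b"\x00" * PADDING)


# Constructed sample: a 512-bit odd integer with the top bit set; NOT a real RSA modulus.
SAMPLE_N = (1 << 511) | (0xDEADBEEF << 128) | 1
SAMPLE_BLOB = build_rsa_public_key(SAMPLE_N)

if __name__ == "__main__":
    info, nxt = parse_rsa_public_key(SAMPLE_BLOB)
    print("e=%d bits=%d next_offset=%#x" % (info["e"], info["bitlen"], nxt))
```

The exponent on the page, 01 00 01 00, decodes to 65537 under the same little-endian rule the parser applies to the modulus, and the offset returned alongside the key is where the 08 00 48 00 bytes of the dump (the signature blob header) begin.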
I am trying to post a public key from a server with Bash to Github as part of an automation set-up. I am using cURL for that like so:
# Make API call to Github
api_token="some string"
pub_key="$(cat /home/${project_name}/.ssh/id_rsa.pub)"
echo $pub_key
curl -H "Authorization: token ${api_token}" -H "Content-Type: application/json" -X POST -d '{"title":"'"$project_name"'","key":"'"$pub_key"'"}' https://api.github.com/user/keys
As you can see I echo the pub_key just to make sure it's getting it correctly; this is the output and the result of the API call to Github:
ssh-rsa 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 stackoverflowtest@rasenberg
{
"id": 46506612,
"key": "ssh-rsa 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",
"url": "https://api.github.com/user/keys/46506612",
"title": "stackoverflowtest",
"verified": true,
"created_at": "2020-09-27T04:23:30Z",
"read_only": false
}
As you can see in the API call, Curl cuts off the = stackoverflowtest@rasenberg part at the end, and therefore I post an invalid pub key to Github, resulting in it not working. What is going wrong?
As https://stackoverflow.com/users/3266847/benjamin-w commented (!), the comment portion of an OpenSSH-format pubkey is optional and not needed, and was almost certainly removed by github (after receipt) not by curl. However, your key is in fact invalid and I'm a bit surprised github considers it verified.
$ printf 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 |openssl base64 -d -A|od -Ax -tx1
000000 00 00 00 07 73 73 68 2d 72 73 61 00 00 00 03 01
000010 00 01 00 00 01 81 00 e2 eb 6c 79 99 a4 76 53 8d
000020 be 6a c7 5d 0d 21 77 db 67 6c 76 48 d3 35 e1 ba
000030 f5 0b d5 dd ca ce 78 38 23 89 96 49 4c 2c 2a a3
000040 19 24 f6 50 db 7e 47 f2 71 2e 90 05 ac c0 f1 c3
000050 ef e2 c7 31 2f 52 b5 6d 68 17 43 aa 7c ff d4 d6
000060 3f cf 7f a1 42 5c 7f e0 bd f9 b3 33 20 59 89 ea
000070 33 86 03 68 a4 03 4f 8a ea 5e c6 af 86 3b 49 94
000080 7d 52 e7 2d 6b 01 51 e7 ab c5 a9 68 fd 60 45 bb
000090 26 10 50 11 51 12 f5 33 5b f9 62 4b 67 a4 0f c2
0000a0 5f 8f 69 33 ad ff a4 17 22 fa e7 87 47 df 23 9b
0000b0 ae 4e 43 20 d6 6e d7 18 c3 6e 4e 70 67 1d 86 b6
0000c0 39 0d 06 21 f2 f4 cc 6f 02 12 a2 d6 72 1e 00 90
0000d0 fd a0 90 13 85 1f 72 e7 23 0b 9c 4b 4d 22 8b dc
0000e0 69 3d 50 4b 46 fe 4e e5 60 87 33 d9 ba 03 b4 6d
0000f0 1e d2 b2 10 bb b9 67 a2 0e b4 b5 47 0b a4 91 3e
000100 75 5d 51 ac 38 a0 49 ad dd a7 a4 a8 41 27 5e 4a
000110 b8 26 89 bc 6a ba 62 50 b5 82 60 1f 5d e4 2e 31
000120 e8 21 91 ac aa a8 a6 11 c0 7e e9 a8 40 51 61 e8
000130 63 2d 36 b0 cb 71 51 94 5e 62 1a f2 a6 a9 39 03
000140 6f b1 2c dc 0d e5 64 c8 26 cd bb a4 65 ba bc 32
000150 59 81 bc 30 7e 3c 5c 2a c5 0d 4d cb fa 19 98 a6
000160 d1 84 01 18 06 77 d2 19 49 cb 4c 9e 0f de 95 43
000170 88 cf 50 cb dd 91 87 e3 77 e5 31 e9 57 11 9f 14
000180 9b 2f 2d 02 46 ad ef f4 fc 62 eb bd b5 4f 0d f0
000190 32 aa 29 5d 7a
000195
The length of n, 00 00 01 81 at byte offsets 0x12-0x15, would correspond to a 3072-bit RSA key (with the sign byte required by SSH mpint) but implies the total length of the blob (after base64 decoding, or before encoding) should be 0x197 and instead it's actually 0x195, making it invalid and unusable. Check whatever program or process you used to create this key; there's a bug somewhere.
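As an added example (not from the answer), here is a small Python checker that does what the od dump above does by hand: it walks the OpenSSH blob (the type string, then the mpints e and n, each a 4-byte big-endian length followed by the value) and reports where a declared length disagrees with the decoded size. The sample key is a constructed 3072-bit integer, not a real modulus, so its n field is 0x181 bytes (384 bytes plus the mpint sign byte) and the valid blob is 0x197 bytes, as in the answer; chopping two bytes off reproduces the 0x195 case. The helper names are mine.

```python
import base64
import struct


def _read_string(blob, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at off."""
    if off + 4 > len(blob):
        raise ValueError("length field at offset %#x runs past end of blob (%#x bytes)"
                         % (off, len(blob)))
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("field of %#x bytes at offset %#x needs blob length %#x, have %#x"
                         % (length, off, off + length, len(blob)))
    return blob[off:off + length], off + length


def _check_mpint(name, raw):
    """SSH mpint: big-endian two's complement, minimal encoding, so a value
    whose top bit is set must carry a leading 0x00 sign byte."""
    if raw and raw[0] & 0x80:
        raise ValueError("%s: top bit set, would be negative (missing sign byte)" % name)
    if len(raw) > 1 and raw[0] == 0 and not raw[1] & 0x80:
        raise ValueError("%s: non-minimal encoding (redundant leading zero)" % name)
    return int.from_bytes(raw, "big")


def parse_ssh_rsa_pubkey(line):
    """Parse an OpenSSH 'ssh-rsa <base64> [comment]' line, raising on any inconsistency."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an OpenSSH ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("blob key type %r does not match the line" % keytype)
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("%d trailing bytes after the modulus" % (len(blob) - off))
    e = _check_mpint("e", e_raw)
    n = _check_mpint("n", n_raw)
    return {"e": e, "n": n, "bits": n.bit_length(), "comment": " ".join(parts[2:])}


def validate(line):
    """None if the key parses cleanly, else the error message."""
    try:
        parse_ssh_rsa_pubkey(line)
        return None
    except ValueError as exc:
        return str(exc)


def _mpint(x):
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big") if x else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def encode_ssh_rsa_pubkey(n, e=65537, comment=""):
    """Encoder used to build the constructed sample below."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def truncate_blob(line, nbytes):
    """Drop nbytes from the end of the blob, reproducing the defect the answer found."""
    blob = base64.b64decode(line.split()[1])[:-nbytes]
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


# Constructed sample: a 3072-bit odd integer with the top bit set; NOT a real RSA modulus.
SAMPLE_N = (1 << 3071) | (0xC0FFEE << 64) | 1
GOOD_LINE = encode_ssh_rsa_pubkey(SAMPLE_N, comment="user@example-host")
BAD_LINE = truncate_blob(GOOD_LINE, 2)

if __name__ == "__main__":
    print(parse_ssh_rsa_pubkey(GOOD_LINE)["bits"], "bit key, comment dropped by re-encoding:", BAD_LINE[:30], "...")
    print(validate(BAD_LINE))
```

Running `validate` on a key file before it is pushed anywhere is the check the question was missing: the comment at the end of the line is never part of the blob, so losing it is harmless, while two missing bytes inside the blob make the key unusable on every server.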
The question is based on the output of the following command:
$ hexdump -C acpid.pid
00000000 36 39 37 0a |697.|
00000004
As expected, 0x36 0x39 0x37 are resolved to their associated symbols 6 9 7.
Since 0x0A is a line feed, there is no ordinary symbol to represent it (according to the ASCII table), but why is 0x0A getting resolved to a dot?
My operating system is Ubuntu 18.04.3.
All the unprintable characters are shown as dots in the ASCII column. See e.g. the following printout of the bytes 0x00 to 0xff:
$ for ((i=0; i<=255; ++i)); do printf "\x$(printf %x $i)"; done | hexdump -C
00000000 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................|
00000010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f |................|
00000020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f | !"#$%&'()*+,-./|
00000030 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f |0123456789:;<=>?|
00000040 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f |@ABCDEFGHIJKLMNO|
00000050 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f |PQRSTUVWXYZ[\]^_|
00000060 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f |`abcdefghijklmno|
00000070 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f |pqrstuvwxyz{|}~.|
00000080 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f |................|
00000090 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f |................|
000000a0 a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af |................|
000000b0 b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf |................|
000000c0 c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf |................|
000000d0 d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df |................|
000000e0 e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef |................|
000000f0 f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff |................|
00000100
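As an added example (not part of the answer), a Python reimplementation of hexdump's canonical layout that makes the rule explicit: a byte is printed as itself only when it lies in 0x20..0x7e; everything else, the 0x0a line feed included, becomes '.'. The `escape_controls` switch is my own addition for triage work and shows a few common control bytes as C-style escapes instead; hexdump has no such option, and the '*' line hexdump prints for repeated identical lines is not reproduced.

```python
# Control bytes worth telling apart when triaging a file (my own choice of escapes).
ESCAPES = {0x00: r"\0", 0x07: r"\a", 0x08: r"\b", 0x09: r"\t",
           0x0a: r"\n", 0x0d: r"\r", 0x1b: r"\e"}


def render_ascii(chunk, escape_controls=False):
    """hexdump's %_p conversion: printable ASCII as-is, anything else as '.'."""
    out = []
    for b in chunk:
        if 0x20 <= b <= 0x7e:
            out.append(chr(b))
        elif escape_controls and b in ESCAPES:
            out.append(ESCAPES[b])
        else:
            out.append(".")
    return "".join(out)


def hexdump_c(data, escape_controls=False):
    """Return the lines `hexdump -C` prints for `data`, final offset line included."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        # every cell is "xx " and missing cells in a short last line are blanked
        cells = [f"{b:02x} " for b in chunk] + ["   "] * (16 - len(chunk))
        # one extra space between the two groups of eight
        hexpart = "".join(cells[:8]) + " " + "".join(cells[8:])
        lines.append(f"{off:08x}  {hexpart} |{render_ascii(chunk, escape_controls)}|")
    lines.append(f"{len(data):08x}")
    return lines


if __name__ == "__main__":
    # The question's acpid.pid contents, reconstructed from its dump.
    print("\n".join(hexdump_c(b"697\n")))
    print("\n".join(hexdump_c(b"697\n", escape_controls=True)))
```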
I'm currently working on an old MS-DOS application which uses DMI to identify the hardware. It worked fine in the past, but it seems to provide invalid data on newer systems (e.g. Skylake). As stated in the spec, we are scanning 0xF0000-0xFFFFF for the "SM" anchor string, and this is still working as expected.
But now it seems that the data located at the "Structure table address" (stored at offset 0x18 in the) are invalid (see dumps below). Tools like dmidecode deliver correct information (however, it uses GetSystemFirmwareTable() on Windows). What am I doing wrong here?
EDIT (clarify situation)
On an older system I get the expected data (the dump is done in FreeDOS' debug98 utility); the following comes from an Ivy Bridge system (3rd gen.):
-d F000:04C0
F000:04C0 5F 53 4D 5F 03 1F 02 07-77 00 00 00 00 00 00 00 _SM_....w.......
F000:04D0 5F 44 4D 49 5F E0 6E 04-10 BA 0E 00 17 00 27 00 _DMI_.n.......'.
F000:04E0 1E 66 60 68 00 F0 1F B8-90 D0 83 C0 0F 24 F0 A3 .f`h.........$..
F000:04F0 1D 03 B9 00 E0 2B C8 79-02 33 C9 89 0E 1F 03 33 .....+.y.3.....3
F000:0500 C0 66 2E 8B 1E 63 00 66-83 FB 00 74 0B 66 81 FB .f...c.f...t.f..
F000:0510 00 00 0E 00 72 02 8B C3-A3 19 03 F7 D0 A3 1B 03 ....r...........
F000:0520 66 61 1F C3 00 1E 50 68-00 F0 1F 0B DB 74 28 F7 fa....Ph.....t(.
F000:0530 C3 80 00 74 1C 2E 80 3E-24 05 00 75 43 83 F9 3E ...t...>$..uC..>
-d E000:BA10
E000:BA10 00 18 00 00 01 02 00 F0-03 7F 80 98 89 3F 01 00 .............?..
E000:BA20 00 00 03 0D 04 06 FF FF-41 6D 65 72 69 63 61 6E ........American
E000:BA30 20 4D 65 67 61 74 72 65-6E 64 73 20 49 6E 63 2E Megatrends Inc.
E000:BA40 00 42 51 37 37 52 31 31-31 00 30 37 2F 30 35 2F .BQ77R111.07/05/
E000:BA50 32 30 31 33 00 00 01 1B-01 00 01 02 03 04 00 00 2013............
E000:BA60 01 26 60 24 00 05 00 06-00 07 00 08 00 09 06 05 .&`$............
E000:BA70 06 20 00 20 00 20 00 30-30 30 30 30 31 32 36 36 . . . .000001266
E000:BA80 30 32 34 00 20 00 20 00-00 02 0F 02 00 01 02 03 024. . .........
On newer systems, in this case a Skylake-based one (6th gen.), the data are different. At the address the SMI structure points to I do not get the expected data (I expected to see the BIOS strings, but they are not there):
-d f000:05e0
F000:05E0 5F 53 4D 5F F3 1F 03 00-8C 01 00 00 00 00 00 00 _SM_............
F000:05F0 5F 44 4D 49 5F 15 CE 07-00 90 1D 87 1A 00 30 00 _DMI_.........0.
F000:0600 5F 53 4D 33 5F 4A 18 03-00 00 01 00 CE 07 00 00 _SM3_J..........
F000:0610 00 90 1D 87 00 00 00 00-00 00 00 00 00 00 00 00 ................
F000:0620 1E 66 60 68 00 F0 1F B8-00 C6 83 C0 0F 24 F0 A3 .f`h.........$..
F000:0630 8E 03 B9 00 E0 2B C8 79-02 33 C9 89 0E 90 03 33 .....+.y.3.....3
F000:0640 C0 66 2E 8B 1E 63 00 66-83 FB 00 74 0B 66 81 FB .f...c.f...t.f..
F000:0650 00 00 0E 00 72 02 8B C3-A3 8A 03 F7 D0 A3 8C 03 ....r...........
-d 871d:9000
871D:9000 76 06 D1 E9 73 08 8A 05-A4 88 44 FF 74 08 8B 05 v...s.....D.t...
871D:9010 A5 89 44 FE E2 F8 5F 5E-5D C2 04 00 55 8B EC 4C ..D..._^]...U..L
871D:9020 4C 56 57 83 7E 04 02 73-2D 83 7E 04 02 74 03 E9 LVW.~..s-.~..t..
871D:9030 18 01 8B 46 06 03 06 AC-10 8B F8 50 FF 76 06 FF ...F.......P.v..
871D:9040 16 AE 10 59 59 0B C0 7F-03 E9 FE 00 FF 76 06 57 ...YY........v.W
871D:9050 E8 9D FF E9 F4 00 8B 46-04 48 F7 2E AC 10 8B 56 .......F.H.....V
871D:9060 06 03 D0 8B FA 8B 46 04-D1 E8 F7 2E AC 10 8B 56 ......F........V
871D:9070 06 03 D0 8B F2 57 56 FF-16 AE 10 59 59 0B C0 7E .....WV....YY..~
Your SMBIOS structures are located at physical address 0x871d9000 (as seen at f000:0610, or offset 0x10 from the '_SM3_' anchor string), as Michael Petch points out.
This is a minor point but could be important depending on how your software is constructed. Keep in mind this is an SMBIOS 3.0-conforming structure (per the "_SM3_" anchor string) and that the structure table can be at any 64-bit address. To ensure your software works on all systems, you should use the _SM3_ structure table address when present and enable your software to read any 64-bit physical address using big real mode or another mechanism. When the _SM3_ structure is not present, revert to your old software flow.
As for why you are just now seeing this, is this the first time you have encountered a data structure that is above 1MB physical address?
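The answer's advice (prefer the _SM3_ entry point, and expect its table anywhere in 64-bit space) is worked through here as an added example; it is not code from the question, the answer or dmidecode. The parser takes the bytes of the two entry-point dumps in the question (F000:04C0 on the Ivy Bridge box, F000:05E0 on the Skylake box) as its input, verifies the checksums, reads the table address at offset 0x18 of "_SM_" and offset 0x10 of "_SM3_", and flags whether the table ends below 1 MiB, i.e. whether a plain real-mode segment:offset read can reach it at all. Field offsets follow the SMBIOS entry-point layouts as I know them; the helper names are mine.

```python
import struct

ONE_MIB = 0x100000


def _sum_ok(data):
    """SMBIOS checksums: all bytes of the covered region sum to 0 mod 256."""
    return sum(data) & 0xFF == 0


def parse_sm(buf, off):
    """32-bit entry point ("_SM_", SMBIOS 2.x): 0x04 checksum, 0x05 length,
    0x06/0x07 major/minor, 0x10 "_DMI_", 0x15 intermediate checksum,
    0x16 table length (u16), 0x18 table address (u32), 0x1C structure count (u16)."""
    if buf[off:off + 4] != b"_SM_" or len(buf) < off + 6:
        return None
    length = buf[off + 5]
    eps = buf[off:off + length]
    if length < 0x1F or len(eps) != length or not _sum_ok(eps):
        return None
    if eps[0x10:0x15] != b"_DMI_" or not _sum_ok(eps[0x10:0x1F]):
        return None
    table_len, table_addr, count = struct.unpack_from("<HIH", eps, 0x16)
    return {"anchor": "_SM_", "version": (eps[6], eps[7]),
            "table_addr": table_addr, "table_len": table_len, "count": count}


def parse_sm3(buf, off):
    """64-bit entry point ("_SM3_", SMBIOS 3.x): 0x05 checksum, 0x06 length,
    0x07/0x08/0x09 major/minor/docrev, 0x0C max table size (u32), 0x10 table address (u64)."""
    if buf[off:off + 5] != b"_SM3_" or len(buf) < off + 7:
        return None
    length = buf[off + 6]
    eps = buf[off:off + length]
    if length < 0x18 or len(eps) != length or not _sum_ok(eps):
        return None
    max_size, table_addr = struct.unpack_from("<IQ", eps, 0x0C)
    return {"anchor": "_SM3_", "version": (eps[7], eps[8], eps[9]),
            "table_addr": table_addr, "table_len": max_size}


def find_entry_points(buf):
    """Anchors sit on 16-byte boundaries, so scan the region in paragraph steps."""
    found = []
    for off in range(0, len(buf), 16):
        for parser in (parse_sm3, parse_sm):
            ep = parser(buf, off)
            if ep:
                ep["offset"] = off
                found.append(ep)
    return found


def select_table(entries):
    """Prefer the 64-bit entry point when present and report whether the whole
    table lies below 1 MiB (reachable without big real mode or a protected-mode read)."""
    if not entries:
        return None
    ep = next((e for e in entries if e["anchor"] == "_SM3_"), entries[0])
    end = ep["table_addr"] + ep["table_len"]
    return {**ep, "below_1mib": end <= ONE_MIB}


# Sample input taken from the question's dumps (not constructed).
IVY_BRIDGE = bytes.fromhex(
    "5F 53 4D 5F 03 1F 02 07 77 00 00 00 00 00 00 00"
    "5F 44 4D 49 5F E0 6E 04 10 BA 0E 00 17 00 27 00")
SKYLAKE = bytes.fromhex(
    "5F 53 4D 5F F3 1F 03 00 8C 01 00 00 00 00 00 00"
    "5F 44 4D 49 5F 15 CE 07 00 90 1D 87 1A 00 30 00"
    "5F 53 4D 33 5F 4A 18 03 00 00 01 00 CE 07 00 00"
    "00 90 1D 87 00 00 00 00 00 00 00 00 00 00 00 00")

if __name__ == "__main__":
    for name, region in (("Ivy Bridge", IVY_BRIDGE), ("Skylake", SKYLAKE)):
        sel = select_table(find_entry_points(region))
        print("%s: %s table at %#x, %d bytes, below 1 MiB: %s"
              % (name, sel["anchor"], sel["table_addr"], sel["table_len"], sel["below_1mib"]))
```

On the Ivy Bridge bytes only "_SM_" is found and the table (0xEBA10, which is the E000:BA10 region dumped in the question) is comfortably below 1 MiB; on the Skylake bytes both anchors validate, the 64-bit one wins, and the table at 0x871D9000 is flagged as out of reach for real-mode addressing, which is exactly the symptom in the question. Both checksums in each structure pass on the question's own bytes, so the data is not corrupt; it is simply somewhere a 16-bit pointer cannot go.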