mmotony
by on December 30, 2018
154 views

The target

Path of Exile (POE) is often a Diablo-like looting/trading/number increasing game which, other than being free to experience, also offers a rather permissive EULA regarding reverse engineering clauses. Modifying the buyer is banned, out of the box scraping data from your POE Currency website, but reversing and extracting data in the client isn't mentioned - so now we go.

I haven't really played the overall game seriously (eg: never levelled a form of art gem to 20) but back within the days before builtin item filtering I wanted a means to figure out what items dropped and ping a stern warning, therefore you didn't miss valuable things from the mess of loot during fast placed gameplay. Shortly after starting develop it the developers added some really rich item filtering functionality, so from a bit of work decoding the protocol I shelved the project. A several years on and I obtained a shiny new Binary Ninja licence and wanted some experience reversing an enormous production-quality C++ application by it - POE gave the look of a good choice.

POE supplies a standalone client and another bundled with Steam - you can use the standalone anyone to avoid needing to worry about any Valve-Anti-Cheat shenanigans.

Initial traffic analysis

While playing the experience, Sysinternals TCPView informs us that PathOfExile_x64.exe incorporates a TCP connection established into a remote server on port 6112.

Capturing a amount of traffic in Wireshark, you can see a lot of packets with 2 byte payloads coming over to and because of this port and many bigger payloads too but nothing with any readable strings in. We can assume the stream is encrypted, because that is the fashion nowadays, but like a further check we could do a quick entropy test. By the way, if you are interested to Buy POE Items, stay tuned for more at mmoah.

Posted in: Business