Direct from the servers

Discussion in 'App Development' started by smersh, Jul 19, 2017.

    Lee-

    OK yeah one of the brokers I used was a purely HTTP/HTTPS protocol. They used HTTPS for authentication, got a token, and then made a websockets style plaintext HTTP request to the market data servers, so it was actually pretty easy to reverse and get data. It was a very wasteful protocol because pricing and all data was transmitted in a pure string format like:
    {quote,AAPL,155.00,3500,154.00,400,NYSE,<timestamp>,<a few more columns of ascii junk which I think was the market maker and some other flags, i forget>}\r\n

    Anyway, as far as the encryption / proxying, how can you be sure they're not using HTTPS if you've not yet decrypted the data? If they're using standard cryptographic libraries provided by .NET, you can still do a similar method of proxying the data. Either you're going to have to find a different proxy that supports the associated encryption or write your own.

    I'd start by making some curl requests (or hell, just use a web browser) to the host:ports they're using and see if you get any meaningful response. You may find they actually are using HTTPS. Anyway, the next step is determining the encryption type, then determining how to run your own server to decrypt and proxy it. If they're using standard cryptographic functions, they almost certainly rely on the operating system's certificate verification, so creating self-signed certs and adding them to the certificate store should still work, and you can use the same cryptographic library to write your proxy server even if it's not using HTTP as the underlying protocol.

    If they're using some proprietary encryption or internally verifying the certificates, then you're going to have to look into how to inject code / hook function calls in .NET (I've never done this kind of stuff with .NET, so idk what's possible, but it's fairly straightforward with PE format executables). If you can decompile, edit, and recompile .NET code you could potentially even insert your own calls to write the data to a file immediately prior to the call to the encrypt() functions.

    Let us know how you make out. I'm curious.
     
    #11     Jul 19, 2017
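The record format Lee- describes above (brace-delimited, comma-separated ASCII, one record per `\r\n`) is simple enough to parse directly off the socket. The following is an added example, not code from the thread or from any broker: it parses such records out of a receive buffer, keeps the trailing partial record for the next chunk, and skips record types it does not model. The column names (price_a/size_a, price_b/size_b) and the sample data are assumptions; the post does not say which price is the bid and which is the ask, nor what the trailing flag columns mean.

```python
"""Parser for brace-delimited, CRLF-terminated quote records of the form
{quote,SYM,price,size,price,size,EXCHANGE,timestamp,...}\r\n as described
in the post above.  Added example; field names are assumptions (the post
does not say which price is bid and which is ask)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Quote:
    symbol: str
    price_a: float      # first price column (bid or ask: not stated in the post)
    size_a: int
    price_b: float      # second price column
    size_b: int
    exchange: str
    timestamp: str      # kept as text; the post does not give the format
    extra: List[str] = field(default_factory=list)  # trailing flag columns


def parse_record(body: str) -> Quote:
    """Parse the text between '{' and '}' of a single record."""
    cols = body.split(",")
    if len(cols) < 8 or cols[0] != "quote":
        raise ValueError("not a quote record: %r" % body)
    return Quote(
        symbol=cols[1],
        price_a=float(cols[2]),
        size_a=int(cols[3]),
        price_b=float(cols[4]),
        size_b=int(cols[5]),
        exchange=cols[6],
        timestamp=cols[7],
        extra=cols[8:],
    )


def feed(buf: bytes) -> Tuple[List[Quote], bytes]:
    """Split a receive buffer into complete records.

    Returns the parsed quotes and the unconsumed tail (a partial record
    still waiting for its closing '}\\r\\n'), so the caller can prepend it
    to the next recv() chunk.  Records of other types (heartbeats, trades,
    anything parse_record rejects) are skipped rather than raising."""
    quotes: List[Quote] = []
    while True:
        end = buf.find(b"}\r\n")
        if end == -1:
            return quotes, buf          # no complete record left
        start = buf.find(b"{")
        if start == -1 or start > end:
            buf = buf[end + 3:]         # stray bytes before a terminator; drop
            continue
        body = buf[start + 1:end].decode("ascii", errors="replace")
        buf = buf[end + 3:]
        try:
            quotes.append(parse_record(body))
        except ValueError:
            continue                    # not a quote record; ignore it


# Constructed sample traffic: two quotes, one heartbeat, and a record cut
# mid-way as a real TCP segment boundary would cut it.
SAMPLE = (
    b"{quote,AAPL,155.00,3500,154.00,400,NYSE,1500476400,MM1,0}\r\n"
    b"{heartbeat}\r\n"
    b"{quote,MSFT,73.35,200,73.30,1000,NASDAQ,1500476401,MM2,1}\r\n"
    b"{quote,GOOG,97"
)
NEXT_CHUNK = b".50,100,97.40,300,NASDAQ,1500476402}\r\n"


def demo() -> List[Quote]:
    """Feed the two constructed chunks through the parser as a socket loop would."""
    quotes, rest = feed(SAMPLE)
    more, rest = feed(rest + NEXT_CHUNK)
    assert rest == b""
    return quotes + more


if __name__ == "__main__":
    for q in demo():
        print(q)
```

In a real capture loop you would call `feed(tail + sock.recv(4096))` each iteration and carry `tail` across calls; the `errors="replace"` decode keeps one corrupt byte from killing the whole stream, which matters when you are reversing a format you only half understand.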
    smersh

    I didn't decrypt only the authorization 3-way handshake (SYN/SYN-ACK/SYN).
    However, Wireshark tells me which connection is TCP. It can even display all parts of a usual TCP/IP encapsulation. There's no doubt about it. One thing you wrote in your last reply gave me the idea to monitor the memory with forensic tools like Volatility or Ram-Capturer.
    Let's see...
     
    #12     Jul 19, 2017