[Question] Sending data

iszoPL · 02/25/2013, 15:42

I have 2 questions.

I know that packets are encrypted. I found address of send in engine, not ws2 send but engineSend func that takes data before it's encrypted.

I am able to use it but i can't hook it because of memory manipulation detection. Mid function hook doesn't work also, so i guess there has to be somekind of checksum of memory part.

I hooked IAT send function, but sniffed sent data is encrypted. I know that I am sending packets to server because when I use engineSend then I see sniffed packets client->server, but they are always different so they has to be encrypted.

Code:

typedef int (__stdcall *Send_org)(DWORD type,LPCSTR szFormat,...);

DWORD dwEngineSendA = CMemory::dwFindPattern(0x401000,0x2bc000,(BYTE*)"\x55\x8B\xEC\x83\xEC\x18\x83\x3D\x00\x00\x00\x00\x00\x00\x00\x33\xC0","xxxxxxxx???????xx");
	sendAdd = CMemory::dwFindPattern(dwEngineSendA+1,0x2bc000,(BYTE*)"\x55\x8B\xEC\x83\xEC\x18\x83\x3D\x00\x00\x00\x00\x00\x00\x00\x33\xC0","xxxxxxxx???????xx");
	LogTextBox("[Send Address]: 0x%x",sendAdd);

void KalTools::SendEngine(DWORD Header,LPCSTR szFormat,...)
{
	((Send_org)sendAdd)(Header,szFormat);
}

This is how I'm finding the address and SendEngine is just using their function.

When i for example write

Code:

KalTools::SendEngine(0x3d,"db",pid,14);

I see in sniffer that it was sent but nothing happens in game. Am i doing something wrong?

bloodx · 02/25/2013, 15:59

u need to decrypt the packets also.
upload unpacked engine for me and I give u encrypt + decrypt call + table

the key u get from 0x2a packet also.

position 7 or smth

and Send is no __stdcall its __cdecl

+ u also dont pass the last " ... " parameter to the send function, so what he should do ?

meak1 · 02/25/2013, 16:13

the Whole engine.exe is checked by HS

Decrypt packets or just use the Send function, u didnt need any hook there... Just use the func for sending them ;d

iszoPL · 02/25/2013, 16:21

I changed calling convention to cdecl already. I've noticed it after posting ;p.

@meak
I am using their send function. I just got address and sendEngine is executing it as u can see. I can't hook it because of hs. I only hooked send function at IAT but it's send from ws2_32 so packets intercepted in there are encrypted already.

What about last parameter? I think I am blind cuz i don't see any error ;p

I attached my dumped engine.exe. Tell me if it's ok

meak1 · 02/25/2013, 16:23

AS I SAID, NOT HOOK IT, ONLY USE IT........................................

GET RECV PACKET, ANSWER WITH CALL SEND, NOT HOOK IT... -.-#

Edit: or for what u wanna hook Send?

iszoPL · 02/25/2013, 16:27

I can hook IAT send. How can i answer to that if it needs socket,buf,len,flags.
It's easier to use engineSend than ws2 send. I'd have to crypt packet first in order to use IAT hooked send.

I didn't hook send in engine. I just have address and i'm trying to use it.

Btw. If i try to call

Code:

((Send_org)sendAdd)(Header,szFormat,...);

It gives me an error and I don't really know why because typedef is ok.

meak1 · 02/25/2013, 16:30

i didnt said any other method, its puplic how to send over engineFunc

PHP Code:



DWORD SendPacketMain_ = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",0x00400000,0x007FFFFF);
DWORD SendPacketMain  = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",SendPacketMain_+1,0x007FFFFF);
DWORD SendPacketBack  = SendPacketMain + 0x06;

int Naked PacketSend(DWORD type,LPCSTR format,...)
{

    __asm
    {
        push ebp
        mov ebp, esp
        sub esp,18h
        jmp SendPacketBack
    }
}

PacketSend(0x0D,"bbd",1,1,TargetID); <- behead

iszoPL · 02/25/2013, 16:37

Yes i know this example. But in order for this to work you need to place JMP over first 5 bytes of this func to ur function right? And if I try that hs detects memory corruption.

Edit.

@blood

I've changed it so it's passing va_list args but it is still not working

Code:

void KalTools::SendEngine(DWORD Header,LPCSTR szFormat,...)
{
    va_list args;
    va_start(args, szFormat);
    ((Send_org)sendAdd)(Header,szFormat,args);
    va_end(args);
}

What's the easiest way of checking it. I mean what packet can I use to check. Maybe my problem is with trying to use it ;p

meak1 · 02/25/2013, 16:50

U DONT UNDERSTAND?
NOT HOOK IT JUST USE IT, THIS IS UR FUNCTION AND THIS JUMP BACK TO ENGINE, ENGINE DIDNT NEED TO JUMP TO UR FUNCTION -.-.................................................. .................................................

Said it now 5 times, if u dont get it, its ur problem.

U Just call the function, engine didnt need to jmp to ur function...

iszoPL · 02/25/2013, 16:59

oh... i get it know. This kind of programming is new for me so don't be angry if i don't undestand how sometimes some things works.

meak1 · 02/25/2013, 17:01

np, i like to rage ;D

U use the function from Engine, u call ur function with ur Paramaters and then the Function jumps to the Engine Send, the engine Send crypt ur Packet and send it..

iszoPL · 02/25/2013, 17:10

Ye so pretty much my engineSend did the same thing but it was calling directly their function and passing parameters. Anyway is this sit packet ok? I want to check if it works

send(0x1F,"b",1);

bloodx · 02/25/2013, 17:26

static int (__cdecl* SendPacket)(DWORD,LPCSTR,...) = (int (__cdecl*)(DWORD,LPCSTR,...))0x005A0100;

u can do this ,too and than just use SendPacket(......);

if u want to sniff packets hook send from ws2 and decrypt packets there.

005A01F3 there should be the Encrypt call and @0073AEE0 should be Encrypt Table

RunzelEier · 02/25/2013, 18:11

Quote:

Originally Posted by meak1

PHP Code:

DWORD SendPacketMain_ = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",0x00400000,0x007FFFFF); DWORD SendPacketMain = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",SendPacketMain_+1,0x007FFFFF); DWORD SendPacketBack = SendPacketMain + 0x06; int Naked PacketSend(DWORD type,LPCSTR format,...) { __asm { push ebp mov ebp, esp sub esp,18h jmp SendPacketBack } }

so you add 6 Bytes to SendPacketMain
so you can reconstruct those 6 Bytes and jump to SendPacketBack.
This is one big NOP

why dont you call SendPacketMain directly?

iszoPL · 02/25/2013, 20:17

Thanks blood

I changed my send to

Code:

void KalTools::SendEngine(DWORD Header,LPCSTR szFormat,...)
{
    va_list args;
    va_start(args, szFormat);
    ((Send_org)sendAdd)(Header,szFormat,args);
    va_end(args);
}

so it should now pass all data to func

But ur way is also great. Good trick xD
Ye i found this encrypt func and ida pseudocode looks like bakabug's one so i guess it is it ;p Encrypt table is pretty big oO. Well i guess i can use pointer to it and use the one from engine directly.

And about that packet sending. I am hooked already to IAT send so i can sniff sent data. Now i have to decrypt them in order to learn more. Are some packets changed now because this sit packet

0x1f,"b",1 is not working I can see that it was sent, because sniffed functions shows it but nothing happens.