[Release] Advanced hooking

03/03/2012 22:06 ruievmonteiro#136
Hi. I guess I am using the right address because I can see the packets but I cannot send packets.

I am using:
PHP Code:
const int SendPacketAddress = 0x7155FD;
const int RecvPacketAddress = 0x7158D2;
int NetworkClass = 0;
NetworkClass is updated in PacketHandler and I know it's working properly.

I have two send functions presented on this thread.

The first one crashes my client:
PHP Code:
// assumes: using System; using System.IO;
private void SendPacketFunction(byte[] Packet)
{
    ushort PacketType = BitConverter.ToUInt16(Packet, 2);
    uint PacketAddress = Dbg.AllocateMemory((uint)Packet.Length);

    if (PacketAddress != 0)
    {
        Dbg.WriteByteArray(Packet, (int)PacketAddress);

        MemoryStream ByteCode = new MemoryStream();
        BinaryWriter CodeWriter = new BinaryWriter(ByteCode);

        // mov edx, packettype
        CodeWriter.Write(Convert.ToByte(0xba));
        CodeWriter.Write(Convert.ToInt32(PacketType));

        // push packetsize
        CodeWriter.Write(Convert.ToByte(0x68));
        CodeWriter.Write(Convert.ToInt32(Packet.Length));

        // push packetaddress
        CodeWriter.Write(Convert.ToByte(0x68));
        CodeWriter.Write(Convert.ToInt32(PacketAddress));

        // mov esi, networkclass
        CodeWriter.Write(Convert.ToByte(0xbe));
        CodeWriter.Write(Convert.ToInt32(NetworkClass));

        // mov ecx, [esi+0x14]
        CodeWriter.Write(new byte[] { 0x8b, 0x4e, 0x14 });

        // mov eax, sendpacketfunction
        CodeWriter.Write(Convert.ToByte(0xb8));
        CodeWriter.Write(Convert.ToInt32(SendPacketAddress));

        // call eax
        CodeWriter.Write(new byte[] { 0xff, 0xd0 });

        // ret
        CodeWriter.Write(Convert.ToByte(0xc3));

        // write to the underlying stream
        CodeWriter.Flush();

        // execute the code
        Dbg.ExecuteCode(ByteCode.ToArray());

        // free memory afterwards
        Dbg.FreeMemory((int)PacketAddress);
    }
}
The second one doesn't crash the client but doesn't produce output.

PHP Code:
public void SendPacket(byte[] packet)
{
    int packetAddr = (int)this.Dbg.AllocateMemory((uint)packet.Length);
    this.Dbg.WriteByteArray(packet, (int)packetAddr);

    using (MemoryStream ms = new MemoryStream())
    using (BinaryWriter writer = new BinaryWriter(ms))
    {
        // push packet size
        writer.Write((byte)0x68);
        writer.Write(packet.Length);

        // push packet address
        writer.Write((byte)0x68);
        writer.Write(packetAddr);

        // store NetworkClass address in ECX
        writer.Write((byte)0xB9);
        writer.Write(NetworkClass);

        // store SendPacket() address in EAX
        writer.Write((byte)0xB8);
        writer.Write(SendPacketAddress);

        // call function stored in EAX
        writer.Write(new byte[] { 0xFF, 0xD0 });

        // return
        writer.Write((byte)0xC3);

        this.Dbg.ExecuteCode(ms.ToArray());
    }

    this.Dbg.FreeMemory(packetAddr);
}
For testing I am trying to jump in TC from (487,424) to (500,427) with:

PHP Code:
byte[] Packet = new byte[38];
// Size
Packets.WriteUInt16(38, 0, Packet);
Packets.WriteUInt16(10010, 2, Packet);

// UID
Packets.WriteUInt32(2621234, 4, Packet);
//Packets.WriteUInt16(30, 6, Packet);
// Dest
Packets.WriteUInt16(500, 8, Packet);
Packets.WriteUInt16(427, 10, Packet);
//
Packets.WriteUInt16(0, 12, Packet);
Packets.WriteUInt16(0, 14, Packet);
//
Packets.WriteUInt32((UInt32)Environment.TickCount, 16, Packet);
//
Packets.WriteUInt16(137, 20, Packet);
Packets.WriteUInt16(0, 22, Packet);
//
Packets.WriteUInt16(487, 24, Packet);
Packets.WriteUInt16(424, 26, Packet);

Packets.WriteUInt16(1002, 28, Packet);
Packets.WriteUInt16(0, 30, Packet);

Packets.WriteUInt16(65535, 32, Packet);
Packets.WriteUInt16(65535, 34, Packet);
Packets.WriteUInt16(0, 36, Packet);

SelectedClient.SendPacket(Packet);
Could anyone help me? What am I doing wrong?
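A small decoder for the two stubs in this post, added here as an example and not code from the thread or the AdvancedHooking library. It takes the stub bytes, lists the instructions they encode and reports how each stub fills ECX, which is where the two versions differ; the sample stubs are assembled with a constructed buffer address and the NetworkClass value quoted later in the thread.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_stub(code: bytes):
    """Decode the few x86 encodings the stubs in this thread use into
    [(offset, mnemonic), ...]; any other byte raises instead of being run."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if 0xB8 <= op <= 0xBF:                                 # mov r32, imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append((i, f"mov {REG32[op - 0xB8]}, 0x{imm:X}"))
            i += 5
        elif op == 0x68:                                        # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append((i, f"push 0x{imm:X}"))
            i += 5
        elif op == 0x8B and i + 2 < len(code) and (code[i + 1] & 0xC0) == 0x40:
            modrm = code[i + 1]                                 # mov r32, [r32+disp8]
            disp = struct.unpack_from("<b", code, i + 2)[0]
            out.append((i, f"mov {REG32[(modrm >> 3) & 7]}, [{REG32[modrm & 7]}{disp:+#x}]"))
            i += 3
        elif op == 0xFF and i + 1 < len(code) and (code[i + 1] & 0xF8) == 0xD0:
            out.append((i, f"call {REG32[code[i + 1] & 7]}"))   # call r32
            i += 2
        elif op == 0xC3:                                        # ret
            out.append((i, "ret"))
            i += 1
        else:
            raise ValueError(f"unhandled byte 0x{op:02X} at offset {i}")
    return out

def ecx_source(decoded):
    """How the stub fills ECX, the object pointer both stubs set up before the call."""
    for _, ins in decoded:
        if ins.startswith("mov ecx, ["):
            return "memory"       # first stub: ecx = [NetworkClass + 0x14]
        if ins.startswith("mov ecx, "):
            return "immediate"    # second stub: ecx = NetworkClass itself
    return "unset"

# Constructed samples: the two stubs above, assembled with a placeholder buffer
# address (0x00C00000), NetworkClass 0x9E34C0 (the value quoted later in the
# thread), packet type 10010 (0x271A) and length 38 (0x26).
STUB_V1 = (b"\xba\x1a\x27\x00\x00" b"\x68\x26\x00\x00\x00" b"\x68\x00\x00\xc0\x00"
           b"\xbe\xc0\x34\x9e\x00" b"\x8b\x4e\x14" b"\xb8\xfd\x55\x71\x00" b"\xff\xd0\xc3")
STUB_V2 = (b"\x68\x26\x00\x00\x00" b"\x68\x00\x00\xc0\x00" b"\xb9\xc0\x34\x9e\x00"
           b"\xb8\xfd\x55\x71\x00" b"\xff\xd0\xc3")
```

Running decode_stub over both samples shows the only differences are the extra mov edx in the first stub and the field dereference it uses to load ECX.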
03/03/2012 23:37 { Angelius }#137
Use this one
PHP Code:
public void SendPacket(byte[] packet)
{
    int packetAddr = (int)this.Dbg.AllocateMemory((uint)packet.Length);
    this.Dbg.WriteByteArray(packet, (int)packetAddr);

    using (MemoryStream ms = new MemoryStream())
    using (BinaryWriter writer = new BinaryWriter(ms))
    {
        // push packet size
        writer.Write((byte)0x68);
        writer.Write(packet.Length);

        // push packet address
        writer.Write((byte)0x68);
        writer.Write(packetAddr);

        // store NetworkClass address in ECX
        writer.Write((byte)0xB9);
        writer.Write(NetworkClass);

        // store SendPacket() address in EAX
        writer.Write((byte)0xB8);
        writer.Write(SendPacketAddress);

        // call function stored in EAX
        writer.Write(new byte[] { 0xFF, 0xD0 });

        // return
        writer.Write((byte)0xC3);

        this.Dbg.ExecuteCode(ms.ToArray());
    }

    this.Dbg.FreeMemory(packetAddr);
}
And try something like this for the jump packet
PHP Code:
byte[] Buffer = new byte[38];
Packets.WriteUInt16(38, 0, Buffer);
Packets.WriteUInt16(10010, 2, Buffer);
Packets.WriteUInt32(ClientUID, 4, Buffer);
Packets.WriteUInt16(487, 8, Buffer);   // ToX
Packets.WriteUInt16(424, 10, Buffer);  // ToY
Packets.WriteUInt32(0, 12, Buffer);
Packets.WriteUInt32((uint)Environment.TickCount, 16, Buffer);
Packets.WriteUInt32(137, 20, Buffer);
Packets.WriteUInt16(500, 24, Buffer);  // Client.X
Packets.WriteUInt16(427, 26, Buffer);  // Client.Y
SelectedClient.SendPacket(Buffer);
PS: make sure you are not calling the send packet function while reading the process memory.

That's just what I can think of, and if it's still not working then IAmHawtness is the one :P
03/04/2012 05:59 ruievmonteiro#138
I can't make it work :S

I already tried with chat packets but no use. I can't make it work. If anyone wants to help I can send my code via PM.

Edit:
I don't know what can be wrong. After I try to send the packet the handleSentPacket function should be called, but it is not, so I guess the function this.Dbg.ExecuteCode(ms.ToArray()) is not working properly.
It returns 259, but I guess it should return -1 in case of failure, as it does when not hooked at the client.

Thx
03/12/2012 12:58 kudo2002#139
Hello, can someone upload the AdvancedHooking library source code in C#?
And can someone make a tutorial about how to get the SendPacket address using OllyDbg?
03/12/2012 14:48 ruievmonteiro#140
Just read the thread. Belth said how to do it and so have I.
03/12/2012 17:56 kudo2002#141
Quote:
Originally Posted by ruievmonteiro
Just read the thread. Belth said how to do it and so have I.
I have read the whole thread searching for a tutorial about how to get the SendPacket and RecvPacket addresses; I couldn't find anything useful. Actually, someone said to search for "reverse engineering".

But this is not what I meant; I want someone to show us how to get those addresses.

Thanks,
Great work guys
03/12/2012 20:03 ruievmonteiro#142
What about Belth's 2nd comment on page 11?

Read these tuts about reverse engineering:
[link visible to registered users only]
03/12/2012 20:22 kudo2002#143
Quote:
Originally Posted by ruievmonteiro
What about Belth's 2nd comment on page 11?

Read these tuts about reverse engineering:
[link visible to registered users only]
Thanks
03/16/2012 20:47 kudo2002#144
Hello guys, I have found the new address for the new client.
But I have a new problem: I don't know why my CPU load is 100%.
So I need help with that.

PS: sorry for my bad English.
03/17/2012 12:22 { Angelius }#145
Quote:
Originally Posted by kudo2002
Hello guys, I have found the new address for the new client.
But I have a new problem: I don't know why my CPU load is 100%.
So I need help with that.

PS: sorry for my bad English.
Happens when you hook Conquer.exe. Not all the time, but it does happen: Conquer starts to run really slow and the CPU usage jumps up.

I'm not sure, but I think it's related to the AdvancedHooking library itself (so many exceptions/access violations/etc).

And the only way to fix that is by making some changes to the debug loop inside the dll.

Not sure, it's just a theory. It happens that I'm coding my own hooker lib and the same thing happened, except that after handling those exceptions it went away.
03/17/2012 16:58 -Shunsui-#146
So do any of you guys have the Send Packet Address?
03/17/2012 23:04 Belth#147
Quote:
Originally Posted by { Angelius }
Happens when you hook Conquer.exe. Not all the time, but it does happen: Conquer starts to run really slow and the CPU usage jumps up.

I'm not sure, but I think it's related to the AdvancedHooking library itself (so many exceptions/access violations/etc).

And the only way to fix that is by making some changes to the debug loop inside the dll.

Not sure, it's just a theory. It happens that I'm coding my own hooker lib and the same thing happened, except that after handling those exceptions it went away.
I've noticed this exact same thing, among other issues; some related to the library and some (I assume) related to anti-debugging routines in the client. See my earlier post:

[link visible to registered users only]

P.S. I've also created my own library, which resolved some of these issues.
03/18/2012 15:04 { Angelius }#148
Quote:
Originally Posted by -Shunsui-
So do any of you guys have the Send Packet Address?
PHP Code:
private const int SendPacketAddress = 0x7155FD;
private const int NetworkClass = 0x9E34C0;
03/18/2012 21:04 -Shunsui-#149
Quote:
Originally Posted by { Angelius }
private const int SendPacketAddress = 0x7155FD;
private const int NetworkClass = 0x9E34C0;
Thanks,
I got this jump function somewhat working. Thing is, it does not update my client, I have no clue why,
but it works.

Quote:
DataPacket jump = new DataPacket();
jump.Identifier = Player.Identifier;
jump.Type = DataPacket.DataTypes.Jump;
jump.TimeStamp = Native.TIME.Now.Time;
jump.dwParam = NewX;
jump.dwParam10 = NewY;
jump.wParam1 = Player.X;
jump.wParam2 = Player.Y;
jump.Map = Player.Map;
//jump.wParam3 = 0xFFFFFFFF;
Player.Hooker.SendPacket((Byte[])jump);
Anyone know what I'm missing to send?
03/20/2012 01:59 Belth#150
The server's response to the jump packet does not update the coords you see on screen. Most people use the "FatalStrikeStep" packet to update the client.

Code:
bw.Write(this.Size); // 0 - 1
bw.Write(this.Type); // 2 - 3
bw.Write(this.EntityId); // 4 - 7
bw.Write(this.NewMapId); // 8 - 9
bw.BaseStream.Position = 20;
bw.Write((ushort)156); // 20 - 21
bw.BaseStream.Position = 24;
bw.Write(this.NewX); // 24 - 25
bw.Write(this.NewY); // 26 - 27