Memory Address's Update

01/12/2007 12:55 elementary#136
Quote:
Originally posted by giacometti@Jan 12 2007, 02:33
Quote:
just kill the client, or does it make sense to leave it open?
Well, it does. The reason I am thinking about it is a practical issue. If you have like 10 Conquers loaded, re-opening and re-setting the bots can be really boring... Anyway, killing the client is what we have in hand; at least it works for the moment.
Found a solution to disconnect without killing the process (a bit complicated, but it works):

1. Inject a DLL into Co which gives us the socket handle at a fixed address (by inline-hooking the send() function of ws2_32.dll).
2. A proggy that closes that socket by means of DuplicateHandle (2 params: Co's process ID and the socket handle as an int).
01/12/2007 12:58 Maybe It's Maybelline#137
Quote:
Originally posted by coder62@Jan 12 2007, 00:55
Quote:
Originally posted by Maybe It's Maybelline@Jan 11 2007, 23:15
Quote:
Originally posted by giacometti@Jan 11 2007, 21:55
So now how could we make a disconnect function? I don't know if writing to memory could help us (or me! ;) ). Maybe learn how to hook the winsock connection and close from there...

There are many ways; the more common is using SoftICE and debugging Co to find out the function offset for logging out. The easiest way would be making a service control and just dc the LAN, but a lot of people still use a modem so it won't work that way.
softice sucks :bandit:
Yea, for those who can't handle it. :bandit:
01/12/2007 13:59 blinko#138
OK elementary, you lost me lol.. maybe u can give me a better example of hooking, or rather injecting this dll into it..
As far as disconnecting, I'm not too worried about it.. just finding the bluename value of the other player first lol. Maybe u can use a packet editor to capture the packets from when u jump back and forth and d/c yourself.. then maybe resend that packet to the client causing it to error out.. I could have a memory-writing one, but it'll crash the whole client, not just d/c you.
01/12/2007 14:15 NoName#139
Quote:
Originally posted by Maybe It's Maybelline@Jan 12 2007, 12:58
Quote:
Originally posted by coder62@Jan 12 2007, 00:55
Quote:
Originally posted by Maybe It's Maybelline@Jan 11 2007, 23:15
Quote:
Originally posted by giacometti@Jan 11 2007, 21:55
So now how could we make a disconnect function? I don't know if writing to memory could help us (or me! ;) ). Maybe learn how to hook the winsock connection and close from there...

There are many ways; the more common is using SoftICE and debugging Co to find out the function offset for logging out. The easiest way would be making a service control and just dc the LAN, but a lot of people still use a modem so it won't work that way.

softice sucks :bandit:
Yea, for those who can't handle it. :bandit:
OllyDbg = free and does all I need. Why use a non-free debugger that sits as deep in the system as SoftICE does, without having any real benefits? ;)

And for the disconnect thing I have an easier way for you:

If you want to disconnect, write "c3" at "4889f4". After you dc'd, write "8d" to the same function. It blocks the send function so you don't send the online-check packets any more and dc; writing 8d re-enables the send function.
01/12/2007 14:25 elementary#140
Quote:
Originally posted by blinko@Jan 12 2007, 13:59
OK elementary, you lost me lol.. maybe u can give me a better example of hooking, or rather injecting this dll into it..
As far as disconnecting, I'm not too worried about it.. just finding the bluename value of the other player first lol. Maybe u can use a packet editor to capture the packets from when u jump back and forth and d/c yourself.. then maybe resend that packet to the client causing it to error out.. I could have a memory-writing one, but it'll crash the whole client, not just d/c you.
1. Inline hooking is done in a DLL in which I rewrite the entry point of the send() function from ws2_32.dll to a push of my function's address, then a ret.

Delphi code for it:

type
  // 6-byte trampoline written over the entry point: push <NewProc> ; ret
  NewCode = packed record
    op_push: Byte;        // $68
    op_address: Cardinal; // address of the replacement function
    op_ret: Byte;         // $C3
  end;
  // the 6 original bytes, saved so the real function can be called later
  OldCode = packed array[0..5] of Byte;

function IHook(DllName: PChar; ProcName: PChar; NewProc: Pointer; var ACode: NewCode; var BackupCode: OldCode): Pointer;
var
  LHandle: THandle;
  p: Pointer;
  cRead: Cardinal;
  cWrite: Cardinal;
begin
  ACode.op_push := $68;
  ACode.op_address := Cardinal(NewProc);
  ACode.op_ret := $C3;

  Result := nil;
  LHandle := LoadLibrary(DllName);
  if LHandle <> 0 then begin
    p := GetProcAddress(LHandle, ProcName);
    if p <> nil then begin
      // INVALID_HANDLE_VALUE (-1) is the pseudo-handle for the current process
      ReadProcessMemory(INVALID_HANDLE_VALUE, p, @BackupCode, 6, cRead);
      WriteProcessMemory(INVALID_HANDLE_VALUE, p, @ACode, 6, cWrite);
      Result := p;
    end;
  end;
end;

Inside my function I put back the BackupCode (which was overwritten by the 6 bytes of push addr, ret) and call the old send:

type
  TSendProc = function(s: Integer; var Buf; len, flags: Integer): Integer; stdcall;

var
  p_send: Pointer;       // address of ws2_32!send, returned by IHook
  NCode_send: NewCode;   // the trampoline bytes
  OCode_send: OldCode;   // the original 6 bytes
  eWrite: Cardinal;

function sendw(s: Integer; var Buf; len, flags: Integer): Integer; stdcall;
var
  oldsend: TSendProc;
begin
  // restore old call
  WriteProcessMemory(INVALID_HANDLE_VALUE, p_send, @OCode_send, 6, eWrite);
  oldsend := TSendProc(p_send);
  Result := oldsend(s, Buf, len, flags);
  // restore new
  WriteProcessMemory(INVALID_HANDLE_VALUE, p_send, @NCode_send, 6, eWrite);
  // here I log the socket and packet
  logs(s, Buf, len);
end;

So in the DLL, at load, I do

p_send := IHook('ws2_32.dll', 'send', @sendw, NCode_send, OCode_send);


and as soon as this library is loaded in Co... it hooks send().

As for loading the DLL into Co... I use CreateRemoteThread in my loader.


Here you have the example... I'll post a proof of concept in a few hours if needed :)
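The hook elementary describes, as an added example for this post (my code, not the DLL from the thread). It assumes 64-bit Linux on x86-64 with GCC or clang, and a stand-in function fake_send in place of ws2_32!send: mprotect plus memcpy stands in for WriteProcessMemory on the current process, and the 6-byte "push addr ; ret" becomes the 12-byte "mov rax, imm64 ; jmp rax" because a 64-bit address does not fit a push imm32. The shape is otherwise the same as the Delphi: save the first bytes, write the jump, and in the replacement restore the original bytes, call through, re-arm, log. The names inline_hook, hooked_send, fake_send, demo_hook_cycle and the logged_* accessors are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>

/* x86-64 entry stub: mov rax, imm64 ; jmp rax  (48 B8 <8 bytes> FF E0).
   The thread's 32-bit version is "push imm32 ; ret" in 6 bytes; a 64-bit
   address does not fit a push imm32, hence the 12-byte form. */
#define STUB_LEN 12

typedef int (*send_fn)(int s, const void *buf, int len, int flags);

static void         *g_target;            /* hooked function (ws2_32!send in the thread) */
static unsigned char g_orig[STUB_LEN];    /* OCode_send: the bytes we overwrote */
static unsigned char g_stub[STUB_LEN];    /* NCode_send: the jump */
static int g_calls, g_sock, g_len;        /* what the hook logged */

/* Stand-in for WriteProcessMemory on the current process: unlock the pages,
   copy, lock again.  They stay executable while writable because this very
   function may share a page with the target. */
static int write_code(void *addr, const void *src, size_t len) {
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end   = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy(addr, src, len);
    __builtin___clear_cache((char *)addr, (char *)addr + len);
    return mprotect((void *)start, end - start, PROT_READ | PROT_EXEC);
}

/* IHook(): save the first STUB_LEN bytes of target, then write the jump over them. */
static int inline_hook(void *target, void *hook) {
    uint64_t a = (uint64_t)(uintptr_t)hook;
    g_target = target;
    memcpy(g_orig, target, STUB_LEN);
    g_stub[0] = 0x48; g_stub[1] = 0xB8;          /* mov rax, */
    memcpy(g_stub + 2, &a, sizeof a);            /*   imm64  */
    g_stub[10] = 0xFF; g_stub[11] = 0xE0;        /* jmp rax  */
    return write_code(target, g_stub, STUB_LEN);
}

static int inline_unhook(void) { return write_code(g_target, g_orig, STUB_LEN); }

/* sendw(): original bytes back, call the real function, re-arm, then log. */
static int hooked_send(int s, const void *buf, int len, int flags) {
    send_fn orig = (send_fn)g_target;
    int r;
    write_code(g_target, g_orig, STUB_LEN);
    r = orig(s, buf, len, flags);
    write_code(g_target, g_stub, STUB_LEN);
    g_calls++; g_sock = s; g_len = len;
    return r;
}

/* Stand-in for send(): returns len plus a byte checksum, so a caller can tell
   the real body ran.  The loop keeps the function well past STUB_LEN bytes. */
__attribute__((noinline)) static int fake_send(int s, const void *buf, int len, int flags) {
    const unsigned char *p = buf;
    unsigned sum = 0;
    (void)s; (void)flags;
    for (int i = 0; i < len; i++) sum += p[i];
    return len + (int)(sum & 0xFF);
}

/* Hook fake_send, push one constructed packet through it, unhook.
   Returns what the caller got back, i.e. the real function's result. */
int demo_hook_cycle(void) {
    static const char packet[] = "hello";    /* constructed sample payload */
    send_fn volatile target = fake_send;     /* indirect call: really enters the patched bytes */
    int r;
    g_calls = 0;
    if (inline_hook((void *)fake_send, (void *)hooked_send) != 0) return -1;
    r = target(7, packet, 5, 0);
    if (inline_unhook() != 0) return -1;
    return r;
}

int logged_calls(void) { return g_calls; }
int logged_sock(void)  { return g_sock; }
int logged_len(void)   { return g_len; }

/* After unhook the entry bytes must be the saved originals again. */
int entry_restored(void) { return memcmp((const void *)fake_send, g_orig, STUB_LEN) == 0; }

int main(void) {
    int r = demo_hook_cycle();
    printf("send returned %d; hook saw %d call(s), socket %d, %d bytes; entry restored: %d\n",
           r, logged_calls(), logged_sock(), logged_len(), entry_restored());
    return r < 0;
}
```

The restore/call/re-arm window in sendw is also its weak spot: any other thread that calls send() during that window goes straight to the original and is never logged, and a thread that enters while the bytes are half rewritten executes garbage. The usual fix is a trampoline: keep the patch in place and instead call a small buffer holding the saved bytes followed by a jump back to just past the patch, which works as long as the saved bytes end on an instruction boundary.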
01/12/2007 15:20 NoName#141
Another method in addition to my first one. The first one takes its time; this one does an almost instant dc:

offset1: 004889F4
offset2: 004889FA

write to offset1: 00516f7c0d8b
write to offset2: c300000e7de8

Do any action in-game that sends something; instead of sending it, it will be redirected to the winsock close function and you will be dc'd instantly.

To restore it to normal working:

write to offset1: 08b70f04418d
write to offset2: 516f68b95051

Advantage: you don't need to inject anything and can even use it in tools like AutoIt.
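An added example (mine, not NoName's tool) that turns the four writes from this post and the "c3"/"8d" write from his earlier post into byte patches, with the bookkeeping a practitioner wants around them. It assumes Cheat Engine semantics for the values: a 6-byte value typed as 00516f7c0d8b is stored little-endian, so the bytes at 4889F4 become 8b 0d 7c 6f 51 00. The code checks that assumption against the thread itself, since the 6-byte restore for 4889F4 must then start with the same 8d as the single-byte restore. The process image is a constructed 12-byte buffer seeded with the restore values (the unpatched bytes); against the real client the memcpy calls into it are ReadProcessMemory/WriteProcessMemory on the Co process. The call-target arithmetic only says where the E8 in the offset2 write lands in that build; the post is what says that is the winsock close function. The patch_t/image_t/undo_t names and the demo functions are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PATCH_MAX 8

/* One write exactly as the thread gives it: an address and the value typed into
   Cheat Engine.  Cheat Engine shows and takes multi-byte values little-endian,
   so the 6-byte value 00516f7c0d8b lands in memory as 8b 0d 7c 6f 51 00. */
typedef struct {
    uint32_t      addr;
    const char   *hex;                 /* as displayed: most significant byte first */
    size_t        n;                   /* bytes in the value: 1 for "c3", 6 for the rest */
    unsigned char bytes[PATCH_MAX];    /* memory order, filled in by patch_decode() */
} patch_t;

/* The writes from the two posts, copied from them. */
static patch_t ret_byte     = { 0x4889F4, "c3",           1 };   /* first method: ret */
static patch_t ret_restore  = { 0x4889F4, "8d",           1 };
static patch_t dc_offset1   = { 0x4889F4, "00516f7c0d8b", 6 };   /* second method */
static patch_t dc_offset2   = { 0x4889FA, "c300000e7de8", 6 };
static patch_t orig_offset1 = { 0x4889F4, "08b70f04418d", 6 };   /* its restore values */
static patch_t orig_offset2 = { 0x4889FA, "516f68b95051", 6 };

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Displayed value -> memory-order bytes (reversed).  0 on success. */
static int patch_decode(patch_t *p) {
    if (p->n == 0 || p->n > PATCH_MAX || strlen(p->hex) != 2 * p->n) return -1;
    for (size_t i = 0; i < p->n; i++) {
        int hi = hexval(p->hex[2 * i]), lo = hexval(p->hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        p->bytes[p->n - 1 - i] = (unsigned char)(hi << 4 | lo);
    }
    return 0;
}

/* Stand-in for the client's address space: a buffer that starts at `base`.
   Against a live process these memcpy calls are Read/WriteProcessMemory. */
typedef struct { uint32_t base; unsigned char *mem; size_t len; } image_t;
typedef struct { uint32_t addr; size_t n; unsigned char saved[PATCH_MAX]; } undo_t;

static unsigned char *image_ptr(image_t *img, uint32_t addr, size_t n) {
    if (addr < img->base || (size_t)(addr - img->base) + n > img->len) return NULL;
    return img->mem + (addr - img->base);
}

/* Apply a patch, keeping the bytes it overwrote so it can be undone exactly. */
static int patch_apply(image_t *img, patch_t *p, undo_t *u) {
    unsigned char *dst;
    if (patch_decode(p) != 0 || (dst = image_ptr(img, p->addr, p->n)) == NULL) return -1;
    u->addr = p->addr; u->n = p->n;
    memcpy(u->saved, dst, p->n);
    memcpy(dst, p->bytes, p->n);
    return 0;
}

static int patch_undo(image_t *img, const undo_t *u) {
    unsigned char *dst = image_ptr(img, u->addr, u->n);
    if (dst == NULL) return -1;
    memcpy(dst, u->saved, u->n);
    return 0;
}

static uint32_t le32(const unsigned char *b) {
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* The offset2 write decodes to E8 <rel32> C3, i.e. call ; ret.  Where that call
   lands in that client build: next instruction plus displacement.  The post is
   what says the destination is the winsock close function; this is arithmetic only. */
uint32_t instant_dc_call_target(void) {
    if (patch_decode(&dc_offset2) != 0 || dc_offset2.bytes[0] != 0xE8 || dc_offset2.bytes[5] != 0xC3) return 0;
    return dc_offset2.addr + 5 + le32(dc_offset2.bytes + 1);
}

/* Cross-check between the posts: the single-byte restore ("8d") must be the first
   byte of the six-byte restore for the same address, or the endianness is wrong. */
int restore_values_agree(void) {
    if (patch_decode(&ret_restore) != 0 || patch_decode(&orig_offset1) != 0) return 0;
    return ret_restore.bytes[0] == 0x8D && orig_offset1.bytes[0] == ret_restore.bytes[0];
}

/* Both methods against a constructed 12-byte image seeded with the restore bytes
   (the unpatched client), each undone afterwards.  Returns 1 if the image came
   back byte-for-byte, which the thread says you need before reconnecting. */
int demo_dc_patches(void) {
    unsigned char mem[12], before[12];
    image_t img = { 0x4889F4, mem, sizeof mem };
    undo_t u1, u2;

    if (patch_decode(&orig_offset1) != 0 || patch_decode(&orig_offset2) != 0) return 0;
    memcpy(mem, orig_offset1.bytes, 6);
    memcpy(mem + 6, orig_offset2.bytes, 6);
    memcpy(before, mem, sizeof mem);

    /* method 1: ret as the function's first byte, nothing gets sent */
    if (patch_apply(&img, &ret_byte, &u1) != 0 || mem[0] != 0xC3) return 0;
    if (patch_undo(&img, &u1) != 0) return 0;

    /* method 2: the two six-byte writes, then undo in reverse order */
    if (patch_apply(&img, &dc_offset1, &u1) != 0 || patch_apply(&img, &dc_offset2, &u2) != 0) return 0;
    if (mem[6] != 0xE8 || mem[11] != 0xC3) return 0;
    if (patch_undo(&img, &u2) != 0 || patch_undo(&img, &u1) != 0) return 0;
    return memcmp(before, mem, sizeof mem) == 0;
}

int main(void) {
    printf("restore values agree: %d\n", restore_values_agree());
    printf("offset2 call lands at 0x%08x\n", (unsigned)instant_dc_call_target());
    printf("patch/undo round trip intact: %d\n", demo_dc_patches());
    return 0;
}
```

Two things the undo record buys you that "write the restore value back" does not: it records what was actually there before the write, so a build with different bytes at 4889F4 is detected instead of silently corrupted, and the saved bytes are restored in reverse order, which matters once patches overlap. The blinko report further down (client crashed before the disconnect window appeared) is exactly the symptom to expect when the values are written with the wrong width or byte order.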
01/12/2007 15:35 Maybe It's Maybelline#142
Quote:
Originally posted by coder62@Jan 12 2007, 14:15
Quote:
Originally posted by Maybe It's Maybelline@Jan 12 2007, 12:58
Quote:
Originally posted by coder62@Jan 12 2007, 00:55
Quote:
Originally posted by Maybe It's Maybelline@Jan 11 2007, 23:15
Quote:
Originally posted by giacometti@Jan 11 2007, 21:55
So now how could we make a disconnect function? I don't know if writing to memory could help us (or me! ;) ). Maybe learn how to hook the winsock connection and close from there...

There are many ways; the more common is using SoftICE and debugging Co to find out the function offset for logging out. The easiest way would be making a service control and just dc the LAN, but a lot of people still use a modem so it won't work that way.

softice sucks :bandit:

Yea, for those who can't handle it. :bandit:
OllyDbg = free and does all I need. Why use a non-free debugger that sits as deep in the system as SoftICE does, without having any real benefits? ;)
No benefits? Maybe not for you; some games and tools really depend on it, and SoftICE has many more functions and tools than OllyDbg offers. I don't wanna have to use 41351 tools just to get the same result as SoftICE or IDA does.
01/12/2007 17:43 blinko#143
OK, but with the auto d/cing.. does it crash the client, or just show the instruction window saying you've been disconnected from the server?
01/12/2007 17:53 NoName#144
Just shows the instruction window saying you've been disconnected from the server.

P.S. Important: switch the code back afterwards, otherwise the client will crash if you try to reconnect.
01/12/2007 21:14 MonkFox#145
OK, I'm a CS student, and I've taken software engineering and all that crap, but y'all are programming in VB and I'm not familiar with that. Since you're just modifying memory, it is possible to do this in other languages, right? Like Java or C?

Justin Fox
01/12/2007 21:39 mr.rattlz#146
Quote:
Originally posted by MonkFox@Jan 12 2007, 21:14
OK, I'm a CS student, and I've taken software engineering and all that crap, but y'all are programming in VB and I'm not familiar with that. Since you're just modifying memory, it is possible to do this in other languages, right? Like Java or C?

Justin Fox
It's possible in every language that offers you some kind of access to the Windows debugging functions.
Since Java runs in a virtual machine it's a bit more complicated than in other languages, but there is
a toolkit which does most of the work for you.
01/13/2007 14:14 blinko#147
Quote:
Originally posted by coder62@Jan 12 2007, 17:53
Just shows the instruction window saying you've been disconnected from the server.

P.S. Important: switch the code back afterwards, otherwise the client will crash if you try to reconnect.
Well, I used Cheat Engine and wrote the values you said to those offsets... and before I could even get the popup instruction window, the client crashed.
01/13/2007 15:26 XeroGeez#148
Alright, I'm new on the hack scene, so what does this masterpiece do? I mean, if u change ur class, will it stay that way and work?
01/14/2007 06:17 MonkFox#149
OK so, u can find where addresses are by using the
Windows debugger? I found the different commands, but
I don't really know how to use them...

When I use dump

it gives me hex values.... well, some kind of number like

13B9:0010 0E 1F BA 0E 00 B4 etc..

Now is there some way to get a memory address out of this? And if there is, how do you track it, and then get
its value?

Justin Fox
01/14/2007 06:19 MonkFox#150
Also, I've used hex/binary to decode TCP headers,
but you can decode this .exe file the same way, huh?

hex -> binary -> unicode?


Thanks,

Justin