[Tutorial] Modifying/Using client-internal Functions

while analyzing the client with your favorite debugger, you might run into some client functions...

especially if you're trying to break/bypass some special stuff, you'll allways have to find the client function, which handles it.

if you wanna break the swearfilter (badword-filter) in the client, you'll allways start with searching for the ChatInputHandler function =)

in this tutorial, i'm not going to explain, how to trace through the client, to find such things. if you're intrested in learning the basics about rever engineering, you should google for tutorials...

a basic binary snipet, to find the ChatInputHandler function looks like this for 4Story:

Code:

64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 24 55 56 8B F1 33 ED 89 6C 24 18

once you've found that function, you should set a breakpoint on that function, and trace through it with a "bad word" and a "good" one of the same length.

you can simply make olly log tracings to files. this will make it more easy to compare both logs later.

comparing those logs, you'll find a place, where both codes run into different directions. as an example, here's my comparisson of log files:
[Only registered and activated users can see links. Click Here To Register...]
looks like that jge only jumps, if the text gets filtered. so all we have to do, to disable the badword filter, is to never make that jge jump (simply nop it)

this way, we can start playing around a little more with the client.

since i'm not really playin the game, i don't know, which limitations could be more interesting.

but here are some examples for client limitations, which can be easily desabled by a few nops:

Spoiler

ZoomLimit: (BinarySearchString: DFE0F6C441741885D275A6)

Spoiler

Code:

005648A0  /$ 8B5424 04           MOV EDX,DWORD PTR SS:[ESP+4]
005648A4  |. 85D2                TEST EDX,EDX
005648A6  |. 0F84 82000000       JE TClient.0056492E
005648AC  |. DB4424 08           FILD DWORD PTR SS:[ESP+8]
005648B0  |. D95C24 04           FSTP DWORD PTR SS:[ESP+4]
005648B4  |> 83FA 0A             /CMP EDX,0A
005648B7  |. 8BC2                |MOV EAX,EDX
005648B9  |. 72 05               |JB SHORT TClient.005648C0
005648BB  |. B8 0A000000         |MOV EAX,0A
005648C0  |> 85C0                |TEST EAX,EAX
005648C2  |. 894424 08           |MOV DWORD PTR SS:[ESP+8],EAX
005648C6  |. DB4424 08           |FILD DWORD PTR SS:[ESP+8]
005648CA  |. 7D 06               |JGE SHORT TClient.005648D2
005648CC  |. D805 44326800       |FADD DWORD PTR DS:[683244]
005648D2  |> D889 78010000       |FMUL DWORD PTR DS:[ECX+178]
005648D8  |. 2BD0                |SUB EDX,EAX
005648DA  |. D84C24 04           |FMUL DWORD PTR SS:[ESP+4]
005648DE  |. D805 D0296800       |FADD DWORD PTR DS:[6829D0]
005648E4  |. D889 88010000       |FMUL DWORD PTR DS:[ECX+188]
005648EA  |. D891 7C010000       |FCOM DWORD PTR DS:[ECX+17C]
005648F0  |. D991 88010000       |FST DWORD PTR DS:[ECX+188]
005648F6  |. DFE0                |FSTSW AX
005648F8  |. F6C4 05             |TEST AH,5
005648FB  |. 7B 14               |JPO SHORT TClient.00564911          <-- Zoom in NOP (0x9090)
005648FD  |. D899 80010000       |FCOMP DWORD PTR DS:[ECX+180]
00564903  |. DFE0                |FSTSW AX
00564905  |. F6C4 41             |TEST AH,41
00564908  |. 74 18               |JE SHORT TClient.00564922           <-- Zoom Out NOP (0x9090)
0056490A  |. 85D2                |TEST EDX,EDX
0056490C  |.^75 A6               \JNZ SHORT TClient.005648B4
0056490E  |. C2 0800             RETN 8
00564911  |> 8B81 7C010000       MOV EAX,DWORD PTR DS:[ECX+17C]
00564917  |. DDD8                FSTP ST
00564919  |. 8981 88010000       MOV DWORD PTR DS:[ECX+188],EAX
0056491F  |. C2 0800             RETN 8
00564922  |> 8B91 80010000       MOV EDX,DWORD PTR DS:[ECX+180]
00564928  |. 8991 88010000       MOV DWORD PTR DS:[ECX+188],EDX
0056492E  \> C2 0800             RETN 8

SwearFilter: (BinarySearchString: 7D0D83C8FF2BC6)

Spoiler

Code:

00564A30  /$ 53                  PUSH EBX
00564A31  |. 8B5C24 0C           MOV EBX,DWORD PTR SS:[ESP+C]
00564A35  |. 57                  PUSH EDI
00564A36  |. 8B7C24 14           MOV EDI,DWORD PTR SS:[ESP+14]
00564A3A  |. 2BFB                SUB EDI,EBX
00564A3C  |. C1FF 02             SAR EDI,2
00564A3F  |. 85FF                TEST EDI,EDI
00564A41  |. 7E 3F               JLE SHORT TClient.00564A82
00564A43  |. 55                  PUSH EBP
00564A44  |. 8B6C24 1C           MOV EBP,DWORD PTR SS:[ESP+1C]
00564A48  |. 56                  PUSH ESI
00564A49  |. 8DA424 00000000     LEA ESP,DWORD PTR SS:[ESP]
00564A50  |> 8BC7                /MOV EAX,EDI
00564A52  |. 99                  |CDQ
00564A53  |. 2BC2                |SUB EAX,EDX
00564A55  |. 8BF0                |MOV ESI,EAX
00564A57  |. 8B45 00             |MOV EAX,DWORD PTR SS:[EBP]
00564A5A  |. D1FE                |SAR ESI,1
00564A5C  |. 8B0CB3              |MOV ECX,DWORD PTR DS:[EBX+ESI*4]
00564A5F  |. 50                  |PUSH EAX
00564A60  |. 51                  |PUSH ECX
00564A61  |. E8 03CE0D00         |CALL TClient.00641869
00564A66  |. 83C4 08             |ADD ESP,8
00564A69  |. 85C0                |TEST EAX,EAX
00564A6B  |. 7D 0D               |JGE SHORT TClient.00564A7A             <-- NOP (0x9090)
00564A6D  |. 83C8 FF             |OR EAX,FFFFFFFF
00564A70  |. 2BC6                |SUB EAX,ESI
00564A72  |. 8D5CB3 04           |LEA EBX,DWORD PTR DS:[EBX+ESI*4+4]
00564A76  |. 03F8                |ADD EDI,EAX
00564A78  |. EB 02               |JMP SHORT TClient.00564A7C
00564A7A  |> 8BFE                |MOV EDI,ESI
00564A7C  |> 85FF                |TEST EDI,EDI
00564A7E  |.^7F D0               \JG SHORT TClient.00564A50
00564A80  |. 5E                  POP ESI
00564A81  |. 5D                  POP EBP
00564A82  |> 8B4424 0C           MOV EAX,DWORD PTR SS:[ESP+C]
00564A86  |. 5F                  POP EDI
00564A87  |. 8918                MOV DWORD PTR DS:[EAX],EBX
00564A89  |. 5B                  POP EBX
00564A8A  \. C3                  RETN

JumpLimit: (BinarySearchString: 83EC64568BF18B06FF90F400000084C00F85640100008B16)

Spoiler

well so far, i only explained, how to modify such functions.
since i removed the jump limit, i'll take the jump function as example.

if we wanna jump ingame, we'd have to send a [space] key to our game...
there's an even better way to perform a jump, by simply calling the jump function itself =)

if you're setting a breakpoint on the entry point of the jump function, and trace it back, u'll see something like this:

Code:

00514043  |. 8B8E A80A0000  MOV ECX,DWORD PTR DS:[ESI+AA8]  <--- ESI contains [MainCharBase]
00514049  |. 8B01           MOV EAX,DWORD PTR DS:[ECX]
0051404B  |. FF90 50020000  CALL DWORD PTR DS:[EAX+250]        <--- Calls the JumpFunction

some of you might think, that we have to inject dlls to use inline functions. this is simply wrong. everything we need for doing stuff like this, is given us by the winapis.
all we need to do, is to allocate some memory in the client, fill it with our code logic, and run it as a new thread.

here's a simple autoit example for using the Jump function in the eg client:

Code:

;~ Jump:
;~ 60             PUSHAD                          Save all registers
;~ 8B35 D0116F00  MOV ESI,DWORD PTR DS:[6F11D0]   Set ESI to [MainCharBase]
;~ 8B8E A80A0000  MOV ECX,DWORD PTR DS:[ESI+AA8]  Client code
;~ B8 E0C35300    MOV EAX,TClient.0053C3E0        Move the Jump function to eax
;~ FFD0           CALL EAX                        Call the Jump function
;~ 61             POPAD                           Restore the original registers
;~ C3             RETN                            Return to the main programm

$mid = OpenProcess(ProcessExists('TClient.exe'))
$codeSection = VirtualAllocEx($mid)
WriteProcessMemory($mid, $codeSection, '608B35D0116F008B8EA80A0000B8E0C35300FFD061C3')
$thread = CreateRemoteThread($mid, $codeSection)
WaitForSingleObject($thread)
VirtualFreeEx($mid, $codeSection)
CloseHandle($mid)

Func OpenProcess($pid)
	Local $mid = DllCall('kernel32.dll', 'int', 'OpenProcess', 'int', 0x1F0FFF, 'int', 1, 'int', $pid)
	Return $mid[0]
EndFunc

Func WriteProcessMemory($process_hwnd, $adress, $data, $type = 'binary')
	Local $struct, $i
	If $type = 'binary' Then
		Local $struct = DllStructCreate('byte[' & BinaryLen('0x' & $data) & ']')
		For $i = DllStructGetSize($struct) To 1 Step -1
			DllStructSetData($struct, 1, BinaryMid('0x' & $data, $i, 1), $i)
		Next
	ElseIf $type = 'string' Then
		$struct = DllStructCreate('char['&StringLen($data)+1&']')
		For $i = 1 To StringLen($data)
			DllStructSetData($struct, 1, StringMid($data, $i, 1), $i)
		Next
	Else
		$struct = DllStructCreate($type)
		DllStructSetData($struct, 1, $data)
	EndIf
	DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $process_hwnd, 'int', $adress, 'int', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', 0)
EndFunc

Func CloseHandle($hwnd)
	DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $hwnd)
EndFunc

Func VirtualAllocEx($process_hwnd, $size = 1024)
	Local $adress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $process_hwnd, 'ptr', 0, 'int', $size, 'int', 0x1000, 'int', 0x40)
	Return $adress[0]
EndFunc

Func VirtualFreeEx($process_hwnd, $adress)
	DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $process_hwnd, 'int', $adress, 'int', 0, 'int', 0x8000)
EndFunc

Func CreateRemoteThread($process_hwnd, $adress)
	Local $thread = DllCall('kernel32.dll', 'int', 'CreateRemoteThread', 'int', $process_hwnd, 'int', 0, 'int', 0, 'int', $adress, 'ptr', 0, 'int', 0, 'int', 0)
	Return $thread[0]
EndFunc

Func WaitForSingleObject($thread)
	Do
		$return = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $thread, 'int', 50)
	Until $return[0] <> 258
EndFunc