Disconnect... How to??

10/23/2008 08:06 Azothoras#1
What does COTOBO and all the other programs do when they disconnect the client... Do they write something to memory, or do they just block Conquer.exe's access to the internet? If it's memory based, does anyone know what I need to write to which address etc.? Ty in advance.
10/23/2008 08:58 high6#2
They most likely create a remote thread with the function to disconnect.
10/23/2008 09:54 ChingChong23#3
Quote:
Originally Posted by high6 View Post
They most likely create a remote thread with the function to disconnect.
Then he's asking how do you create the function.

You can disconnect by sending fake/bullshit packets. Conquer will kick you for that.
10/23/2008 10:16 DarkMessiah#4
Quote:
Originally Posted by ChingChong23 View Post
Then he's asking how do you create the function.

You can disconnect by sending fake/bullshit packets. Conquer will kick you for that.
or you could log the /dc packet from the pm commands and send that...
10/23/2008 11:28 ChingChong23#5
Quote:
Originally Posted by DarkMessiah View Post
or you could log the /dc packet from the pm commands and send that...
and to send the correct packet you'd need to decrypt them first, which this thread starter won't be able to do if he didn't understand how you could dc yourself.
10/23/2008 15:17 tanelipe#6
The correct command is /break and it doesn't use packets; what it does (as far as I know) is 'select' the socket that is connected to the server and then just close it. (That's why you can /break on private servers too, even though there are no packets related to it.)
10/23/2008 16:13 high6#7
Quote:
Originally Posted by DarkMessiah View Post
or you could log the /dc packet from the pm commands and send that...
Or, if you don't want to make a proxy, you can create a remote thread pointed at that function.
10/24/2008 08:21 Azothoras#8
Thanks for all replies!

Although I have absolutely no idea how to send packets etc... Isn't there anything I can do with the memory etc?

Or perhaps someone knows how to send the packet I need in AutoIt?
10/24/2008 16:38 tanelipe#9
Did you actually read my post? I already explained that it doesn't use packets. So the way you would do it is memory based.
10/24/2008 16:56 Azothoras#10
Quote:
Originally Posted by tanelipe View Post
Did you actually read my post? I already explained that it doesn't use packets. So the way you would do it is memory based.
I'm sorry mr. pms. but how do I find that memory address or that socket?
10/24/2008 19:45 Some-Guy#11
Quote:
Originally Posted by Azothoras View Post
I'm sorry mr. pms. but how do I find that memory address or that socket?
OllyDBG > conquer.exe > right click > search for > all referenced text strings > Ctrl+f > "/break"

Gives you the address of the function you would need to call.
10/24/2008 20:01 tanelipe#12
Look at how the '/break' command does it; this is part of the command parsing.

Code:
004AE3E8  |> \8D85 D4FEFFFF LEA EAX,[EBP-12C]
004AE3EE  |.  68 C4E35600   PUSH OFFSET Conquer.0056E3C4             ; ASCII "break"
004AE3F3  |.  50            PUSH EAX
004AE3F4  |.  FFD7          CALL EDI
004AE3F6  |.  59            POP ECX
004AE3F7  |.  85C0          TEST EAX,EAX
004AE3F9  |.  59            POP ECX
004AE3FA  |.  75 0F         JNE SHORT 004AE40B
004AE3FC  |.  B9 F0FB5700   MOV ECX,OFFSET Conquer.0057FBF0
004AE401  |.  E8 8E3F0100   CALL 004C2394                            ; [Conquer.004C2394
The last two lines are what you should be interested in, since they 'handle' the dcing. Find a way to replicate or execute that function and you have your disconnect tool.
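As an added worked example (not code from the thread): a small Python parser for OllyDbg listing lines in the format quoted above, covering both the "all referenced text strings" result and this disassembly. It checks that the quoted instructions are contiguous (a quick sanity check on a copy-pasted listing), recomputes the relative JNE and CALL targets from the raw bytes, and decodes the MOV immediate to show that the operand is the address itself rather than a memory load. The listing text is copied from this post; the parser assumes OllyDbg's byte column is made of even-length hex groups, so a mnemonic spelled only with hex letters (e.g. FADD) would need a fixed-column parser instead.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Copy of the OllyDbg listing quoted in the post above (input for the parser).
LISTING = """\
004AE3E8  |> \\8D85 D4FEFFFF LEA EAX,[EBP-12C]
004AE3EE  |.  68 C4E35600   PUSH OFFSET Conquer.0056E3C4             ; ASCII "break"
004AE3F3  |.  50            PUSH EAX
004AE3F4  |.  FFD7          CALL EDI
004AE3F6  |.  59            POP ECX
004AE3F7  |.  85C0          TEST EAX,EAX
004AE3F9  |.  59            POP ECX
004AE3FA  |.  75 0F         JNE SHORT 004AE40B
004AE3FC  |.  B9 F0FB5700   MOV ECX,OFFSET Conquer.0057FBF0
004AE401  |.  E8 8E3F0100   CALL 004C2394                            ; [Conquer.004C2394
"""

# address, OllyDbg flow marker (|> or |.), optional backslash, then bytes + disassembly
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+\|[>.]\s*\\?(.*)$")
HEX_TOKEN = re.compile(r"^(?:[0-9A-F]{2})+$")


@dataclass
class Insn:
    addr: int
    code: bytes
    text: str
    comment: Optional[str]


def parse_listing(listing: str) -> list:
    """Turn OllyDbg listing lines into Insn records; non-listing lines are skipped."""
    insns = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        body, _, comment = m.group(2).partition(";")
        tokens = body.split()
        hexparts = []
        # leading even-length hex groups are the encoded bytes; the first other token starts the mnemonic
        while tokens and HEX_TOKEN.match(tokens[0]):
            hexparts.append(tokens.pop(0))
        insns.append(Insn(addr, bytes.fromhex("".join(hexparts)), " ".join(tokens), comment.strip() or None))
    return insns


def resolve_target(insn: Insn) -> Optional[int]:
    """Absolute target of a relative CALL/JMP/Jcc, computed from the bytes (None for anything else)."""
    b, next_ip = insn.code, insn.addr + len(insn.code)
    if len(b) == 5 and b[0] in (0xE8, 0xE9):              # CALL rel32 / JMP rel32
        return (next_ip + struct.unpack("<i", b[1:5])[0]) & 0xFFFFFFFF
    if len(b) == 2 and (b[0] == 0xEB or 0x70 <= b[0] <= 0x7F):  # JMP short / Jcc rel8
        return (next_ip + struct.unpack("<b", b[1:2])[0]) & 0xFFFFFFFF
    if len(b) == 6 and b[0] == 0x0F and 0x80 <= b[1] <= 0x8F:   # Jcc rel32
        return (next_ip + struct.unpack("<i", b[2:6])[0]) & 0xFFFFFFFF
    return None


def decode_mov_imm32(insn: Insn) -> Optional[int]:
    """For MOV r32, imm32 (opcode B8+r) return the immediate; it is a value, not a memory reference."""
    b = insn.code
    if len(b) == 5 and 0xB8 <= b[0] <= 0xBF:
        return struct.unpack("<I", b[1:5])[0]
    return None


def check_contiguous(insns: list) -> list:
    """(addr, expected next, actual next) for every place the listing skips or overlaps bytes."""
    gaps = []
    for cur, nxt in zip(insns, insns[1:]):
        expected = cur.addr + len(cur.code)
        if nxt.addr != expected:
            gaps.append((cur.addr, expected, nxt.addr))
    return gaps


def analyze(listing: str) -> dict:
    insns = parse_listing(listing)
    targets = {i.addr: t for i in insns if (t := resolve_target(i)) is not None}
    mov_imm = {i.addr: v for i in insns if (v := decode_mov_imm32(i)) is not None}
    return {"count": len(insns), "gaps": check_contiguous(insns), "targets": targets, "mov_imm": mov_imm}


if __name__ == "__main__":
    result = analyze(LISTING)
    for addr, target in sorted(result["targets"].items()):
        print(f"{addr:08X} -> {target:08X}")
    for addr, imm in sorted(result["mov_imm"].items()):
        print(f"{addr:08X} MOV imm32 = {imm:08X}")
    print("gaps:", result["gaps"])
```

Run against the listing, the recomputed targets agree with the operands OllyDbg printed (JNE at 004AE3FA to 004AE40B, CALL at 004AE401 to 004C2394) and the MOV at 004AE3FC carries 0057FBF0 as an immediate, which is what the `OFFSET` in the disassembly means.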
10/24/2008 23:51 high6#13
Here is an example in C#.

Code:
using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace ExampleCreateRemoteThread
{
    class Program
    {
        [DllImport("kernel32.dll")]
        private static extern int CreateRemoteThread(int hProcess, int lpThreadAttributes, int dwStackSize, int lpStartAddress, int lpParameter, int dwCreationFlags, int lpThreadId);
        [DllImport("kernel32.dll")]
        private static extern int OpenProcess(int dwDesiredAccess, int bInheritHandle, int dwProcessId);
        [DllImport("kernel32.dll")]
        private static extern int CloseHandle(int hObject);
        [DllImport("kernel32.dll")]
        private static extern int ReadProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int nSize, int lpNumberOfBytesWritten);
        [DllImport("kernel32.dll")]
        private static extern int WriteProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int nSize, int lpNumberOfBytesWritten);

        const int PROCESS_ALL_ACCESS = 0x1F0FFF;
        const int CodeCave = 0x00530FF0;
        /// <summary>
        /// MOV ECX,57FBF0
        /// </summary>
        static byte[] Instruction1 = { 0xB9,0xF0,0xFB,0x57,0x00};
        const int BreakCall = 0x004C2394;

        #region ReadX
        static int ReadInt(int handle, int addr)
        {
            byte[] buf = new byte[4];
            ReadProcessMemory(handle, addr, buf, 4, 0);
            return BitConverter.ToInt32(buf, 0);
        }
        static int ReadShort(int handle, int addr)
        {
            byte[] buf = new byte[2];
            ReadProcessMemory(handle, addr, buf, 2, 0);
            return BitConverter.ToInt16(buf, 0);
        }
        static byte ReadByte(int handle, int addr)
        {
            byte[] buf = new byte[1];
            ReadProcessMemory(handle, addr, buf, 1, 0);
            return buf[0];
        }
        static byte[] ReadBytes(int handle, int addr, int size)
        {
            byte[] buf = new byte[size];
            ReadProcessMemory(handle, addr, buf, size, 0);
            return buf;
        }
        #endregion
        #region WriteX
        static void WriteInt(int handle, int addr,int val)
        {
            WriteProcessMemory(handle, addr, BitConverter.GetBytes(val), 4, 0);
        }
        static void WriteShort(int handle, int addr, short val)
        {
            WriteProcessMemory(handle, addr, BitConverter.GetBytes(val), 2, 0);
        }
        static void WriteByte(int handle, int addr, byte val)
        {
            WriteProcessMemory(handle, addr, BitConverter.GetBytes(val), 1, 0);
        }
        static void WriteBytes(int handle, int addr, byte[] b)
        {
            WriteProcessMemory(handle, addr, b, b.Length, 0);
        }
        static void WriteCall(int handle, int addr, int call)
        {
            WriteByte(handle, addr, 0xE8);
            WriteInt(handle, addr+1, call - addr - 5);
        }
        #endregion

        static void Break(Process p)
        {
            Break(p.Id);
        }
        static void Break(int id)
        {
            int h = OpenProcess(PROCESS_ALL_ACCESS, 0, id); //OpenProcess
            if (h == 0)
                throw new Exception("Could not open process");

            if (ReadByte(h, CodeCave) == 0) //If code is not there, write it.
            {
                WriteBytes(h, CodeCave, Instruction1); //Mov ecx,0x0057FBF0
                WriteCall(h, CodeCave + 5, BreakCall); //Call 0x004C2394
                WriteByte(h, CodeCave + 10, 0xC3); //Ret
            }

            int t = CreateRemoteThread(h, 0, 0, CodeCave, 0, 0, 0); //Call function
            if (t != 0)
                CloseHandle(t); //Close the thread handle too, it is not needed once the thread runs

            CloseHandle(h); //CloseHandle
        }
        static void Main(string[] args)
        {
            Process[] procs = Process.GetProcessesByName("conquer");
            if (procs.Length > 0)
            {
                Break(procs[0]);
            }
        }
    }
}
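An added example from the defensive side, not from the thread or its author: the remote-thread approach above leaves a distinctive trace, a thread whose start address is an unexported location inside the target's own image (the code cave at 0x00530FF0 written by the C# program) or memory that no module backs at all. Sysmon Event ID 8 (CreateRemoteThread detected) records SourceImage, TargetImage, StartAddress, StartModule and StartFunction for every such thread; the script below runs a simple triage over constructed records using those field names. The one-line key=value layout, the file paths, the thread ids and the allow-list are all constructed for the example, not real telemetry.

```python
import ntpath

# Constructed sample records (Sysmon Event ID 8 field names, one-line key=value layout).
SAMPLE_EVENTS = """\
EventID=8|SourceImage=C:\\Tools\\ExampleCreateRemoteThread.exe|TargetImage=C:\\Games\\Conquer\\Conquer.exe|NewThreadId=4120|StartAddress=0x00530FF0|StartModule=C:\\Games\\Conquer\\Conquer.exe|StartFunction=
EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Games\\Conquer\\Conquer.exe|NewThreadId=4188|StartAddress=0x77A0F9E0|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=ntdll.dll!RtlUserThreadStart
EventID=8|SourceImage=C:\\Users\\Public\\dropper.exe|TargetImage=C:\\Windows\\explorer.exe|NewThreadId=990|StartAddress=0x02A40000|StartModule=|StartFunction=
EventID=1|Image=C:\\Games\\Conquer\\Conquer.exe|CommandLine=Conquer.exe
"""

# Processes that legitimately start threads in other processes on a stock Windows box.
# Constructed allow-list; tune it to the environment and keep it short.
ALLOWED_SOURCES = {"csrss.exe"}


def parse_events(text: str) -> list:
    """Split the constructed one-line records into dicts; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(kv.split("=", 1) for kv in line.split("|")))
    return events


def classify(ev: dict) -> str:
    """Severity for a suspicious Event 8 ('high' / 'medium' / 'low'), or '' if nothing stands out."""
    if ev.get("EventID") != "8":
        return ""
    source = ntpath.basename(ev.get("SourceImage", "")).lower()
    if source in ALLOWED_SOURCES:
        return ""
    module = ev.get("StartModule", "")
    function = ev.get("StartFunction", "")
    target = ntpath.basename(ev.get("TargetImage", "")).lower()
    if not module:
        # Thread entry in memory no module backs: code was written into the process first.
        return "high"
    if not function and ntpath.basename(module).lower() == target:
        # Entry inside the target's own image but at no exported symbol: the code-cave pattern
        # from the C# example above, where bytes are written into unused image space and executed.
        return "medium"
    if not function:
        # Entry in some DLL at a non-exported address: worth a look, less specific.
        return "low"
    return ""


def scan(text: str) -> list:
    """Run classify() over every record and return the hits in input order."""
    hits = []
    for ev in parse_events(text):
        severity = classify(ev)
        if severity:
            hits.append({"severity": severity, "source": ev["SourceImage"],
                         "target": ev["TargetImage"], "start": ev["StartAddress"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['source']} -> {hit['target']} @ {hit['start']}")
```

The first record is the pattern the C# program produces (start address inside Conquer.exe, no exported function behind it); the csrss.exe record is the normal thread-start path and is dropped; the third record, with an empty StartModule, is the classic unbacked-memory case. A real deployment would read the events from the Sysmon operational log instead of an embedded string, but the triage logic is the same.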
10/26/2008 19:38 null#14
In short, here's how to do it if using C++
Code:
mov ecx, 0057FBF0        ; B9 F0FB5700: the address itself is the immediate operand, as in the disassembly above
call 004C2394            ; E8 rel32 to Conquer.004C2394
Not a hard piece of code, but implementing code is always the tricky part when it comes to ASM for me.
10/26/2008 19:38 null#15
In short, here's how to do it in olly/asm.
Code:
mov ecx, 0057FBF0        ; B9 F0FB5700: the address itself is the immediate operand, as in the disassembly above
call 004C2394            ; E8 rel32 to Conquer.004C2394
Not a hard piece of code, but implementing code is always the tricky part when it comes to ASM for me.