[Question] Sending data

02/25/2013 15:42 iszoPL#1
I have 2 questions.

I know that packets are encrypted. I found the address of send in the engine, not the ws2 send but the engineSend func that takes data before it's encrypted.

I am able to use it but I can't hook it because of memory manipulation detection. A mid-function hook doesn't work either, so I guess there has to be some kind of checksum of that memory region.

I hooked the IAT send function, but the sniffed sent data is encrypted. I know that I am sending packets to the server because when I use engineSend I see sniffed packets client->server, but they are always different so they have to be encrypted.

Code:
typedef int (__stdcall *Send_org)(DWORD type,LPCSTR szFormat,...);

DWORD dwEngineSendA = CMemory::dwFindPattern(0x401000,0x2bc000,(BYTE*)"\x55\x8B\xEC\x83\xEC\x18\x83\x3D\x00\x00\x00\x00\x00\x00\x00\x33\xC0","xxxxxxxx???????xx");
sendAdd = CMemory::dwFindPattern(dwEngineSendA+1,0x2bc000,(BYTE*)"\x55\x8B\xEC\x83\xEC\x18\x83\x3D\x00\x00\x00\x00\x00\x00\x00\x33\xC0","xxxxxxxx???????xx");
LogTextBox("[Send Address]: 0x%x",sendAdd);

void KalTools::SendEngine(DWORD Header,LPCSTR szFormat,...)
{
    ((Send_org)sendAdd)(Header,szFormat);
}
This is how I'm finding the address and SendEngine is just using their function.

When i for example write

Code:
KalTools::SendEngine(0x3d,"db",pid,14);
I see in the sniffer that it was sent but nothing happens in game. Am I doing something wrong?
02/25/2013 15:59 bloodx#2
u need to decrypt the packets also.
upload unpacked engine for me and I give u encrypt + decrypt call + table

the key u get from 0x2a packet also.

position 7 or smth

and Send is not __stdcall, it's __cdecl

+ u also don't pass the last "..." parameter to the send function, so what should it do?
02/25/2013 16:13 meak1#3
the whole engine.exe is checked by HS

Decrypt packets or just use the Send function, u don't need any hook there... Just use the func for sending them ;d
02/25/2013 16:21 iszoPL#4
I changed calling convention to cdecl already. I've noticed it after posting ;p.

@meak
I am using their send function. I just got address and sendEngine is executing it as u can see. I can't hook it because of hs. I only hooked send function at IAT but it's send from ws2_32 so packets intercepted in there are encrypted already.

What about the last parameter? I think I am blind cuz I don't see any error ;p

I attached my dumped engine.exe. Tell me if it's ok ;)
02/25/2013 16:23 meak1#5
AS I SAID, NOT HOOK IT, ONLY USE IT........................................

GET RECV PACKET, ANSWER WITH CALL SEND, NOT HOOK IT... -.-#

Edit: or for what u wanna hook Send?
02/25/2013 16:27 iszoPL#6
I can hook IAT send. How can I answer with that if it needs socket, buf, len, flags?
It's easier to use engineSend than ws2 send. I'd have to encrypt the packet first in order to use the IAT-hooked send.

I didn't hook send in the engine. I just have the address and I'm trying to use it.

Btw. If i try to call

Code:
((Send_org)sendAdd)(Header,szFormat,...);
It gives me an error and I don't really know why because the typedef is ok.
02/25/2013 16:30 meak1#7
I didn't say any other method, it's public how to send over engineFunc

PHP Code:
DWORD SendPacketMain_ = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",0x00400000,0x007FFFFF);
DWORD SendPacketMain  = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",SendPacketMain_+1,0x007FFFFF);
DWORD SendPacketBack  = SendPacketMain + 0x06;

int Naked PacketSend(DWORD type,LPCSTR format,...)
{
    __asm
    {
        push ebp        // re-execute the first 6 bytes of the engine's prologue
        mov ebp, esp
        sub esp, 18h
        jmp SendPacketBack   // continue in the engine function past those bytes
    }
}

PacketSend(0x0D,"bbd",1,1,TargetID); <- behead 
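Added example (my own C, not code from meak1 or anyone in the thread): what the masked byte scan behind SearchPattern("55 8B EC ... x x x x ...") and CMemory::dwFindPattern(start, len, bytes, "xxxx???xx") actually does. The pattern text is parsed into a byte array plus an 'x'/'?' mask and matched over a constructed byte image holding two copies of the prologue; the second search that starts one byte past the first hit mirrors the thread's `SendPacketMain_+1` step. The image contents, function names and the acceptance of both `x` and `?` as wildcards are assumptions. The same masked matching is what signature-based detection (YARA-style hex strings) runs over code bytes, so a scanner like this is as much a detection tool as a locating one.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATTERN 64

/* Parse "55 8B EC x ? 33" into bytes[] and mask[] ('x' = must match,
 * '?' = wildcard). Returns the token count, or -1 on a malformed token.
 * mask must have room for MAX_PATTERN + 1 chars. */
static int parse_pattern(const char *text, uint8_t *bytes, char *mask)
{
    int n = 0;
    const char *p = text;
    while (*p != '\0') {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (n >= MAX_PATTERN) return -1;
        int single = (p[1] == ' ' || p[1] == '\0');
        if ((*p == 'x' || *p == 'X' || *p == '?') && single) {
            bytes[n] = 0;               /* value irrelevant, masked out */
            mask[n] = '?';
            p += 1;
        } else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])
                   && (p[2] == ' ' || p[2] == '\0')) {
            unsigned v = 0;
            sscanf(p, "%2x", &v);
            bytes[n] = (uint8_t)v;
            mask[n] = 'x';
            p += 2;
        } else {
            return -1;                  /* e.g. "8G" or "0x55" */
        }
        n++;
    }
    mask[n] = '\0';
    return n;
}

/* Scan buf[0..len) for the masked pattern starting at offset `from`.
 * Returns the offset of the first match, or -1. Same contract as the
 * thread's dwFindPattern(start, len, bytes, mask), but on a buffer. */
static long find_pattern(const uint8_t *buf, size_t len, size_t from,
                         const uint8_t *bytes, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || len < plen) return -1;
    for (size_t i = from; i + plen <= len; i++) {
        size_t j;
        for (j = 0; j < plen; j++)
            if (mask[j] == 'x' && buf[i + j] != bytes[j]) break;
        if (j == plen) return (long)i;
    }
    return -1;
}

/* Constructed code image: two copies of the prologue from the thread's
 * pattern, with different bytes in the wildcard positions, plus padding. */
static const uint8_t image[] = {
    0xCC, 0xCC, 0xCC, 0xCC,
    0x55,0x8B,0xEC,0x83,0xEC,0x18,0x83,0x3D,0x10,0x20,0x30,0x40,0x00,
    0x74,0x07,0x33,0xC0,0xE9,0xAA,0xBB,0xCC,0xDD,0x8A,0x45,0x08,      /* copy 1 at 4 */
    0x90, 0x90, 0x90,
    0x55,0x8B,0xEC,0x83,0xEC,0x18,0x83,0x3D,0x11,0x22,0x33,0x44,0x00,
    0x74,0x07,0x33,0xC0,0xE9,0x01,0x02,0x03,0x04,0x8A,0x45,0x08,      /* copy 2 at 32 */
    0xC3
};

#define PATTERN "55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08"

/* Token count of the thread's pattern (25), or -1 if it fails to parse. */
int demo_pattern_tokens(void)
{
    uint8_t b[MAX_PATTERN]; char m[MAX_PATTERN + 1];
    return parse_pattern(PATTERN, b, m);
}

/* A malformed token is rejected rather than silently treated as a wildcard. */
int demo_bad_token(void)
{
    uint8_t b[MAX_PATTERN]; char m[MAX_PATTERN + 1];
    return parse_pattern("55 8G EC", b, m);
}

/* Offset of the first prologue copy in the constructed image. */
long demo_first_hit(void)
{
    uint8_t b[MAX_PATTERN]; char m[MAX_PATTERN + 1];
    if (parse_pattern(PATTERN, b, m) < 0) return -2;
    return find_pattern(image, sizeof image, 0, b, m);
}

/* Search again from first+1, as the thread does, to land on the second copy. */
long demo_second_hit(void)
{
    uint8_t b[MAX_PATTERN]; char m[MAX_PATTERN + 1];
    if (parse_pattern(PATTERN, b, m) < 0) return -2;
    long first = find_pattern(image, sizeof image, 0, b, m);
    if (first < 0) return -1;
    return find_pattern(image, sizeof image, (size_t)first + 1, b, m);
}

int main(void)
{
    printf("tokens=%d first=%ld second=%ld\n",
           demo_pattern_tokens(), demo_first_hit(), demo_second_hit());
    return 0;
}
```

Note that the mask in the thread's C++ call ("xxxxxxxx???????xx", 17 chars) and its byte string (8 fixed bytes, 7 placeholders, 2 fixed bytes) have to agree in length; the parser above derives both from one string so they cannot drift apart.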
02/25/2013 16:37 iszoPL#8
Yes i know this example. But in order for this to work you need to place JMP over first 5 bytes of this func to ur function right? And if I try that hs detects memory corruption.

Edit.

@blood

I've changed it so it's passing va_list args but it is still not working ;)

Code:
void KalTools::SendEngine(DWORD Header,LPCSTR szFormat,...)
{
    va_list args;
    va_start(args, szFormat);
    ((Send_org)sendAdd)(Header,szFormat,args);
    va_end(args);
}
What's the easiest way of checking it. I mean what packet can I use to check. Maybe my problem is with trying to use it ;p
02/25/2013 16:50 meak1#9
U DON'T UNDERSTAND?
DON'T HOOK IT, JUST USE IT. THIS IS UR FUNCTION AND IT JUMPS BACK TO THE ENGINE, THE ENGINE DOESN'T NEED TO JUMP TO UR FUNCTION -.-

Said it now 5 times, if u don't get it, it's ur problem.

U just call the function, the engine doesn't need to jmp to ur function...
02/25/2013 16:59 iszoPL#10
oh... I get it now. This kind of programming is new for me so don't be angry if I sometimes don't understand how some things work.
02/25/2013 17:01 meak1#11
np, i like to rage ;D

U use the function from the engine: u call ur function with ur parameters and then the function jumps to the engine Send, the engine Send encrypts ur packet and sends it..
02/25/2013 17:10 iszoPL#12
Ye so pretty much my engineSend did the same thing but it was calling their function directly and passing parameters. Anyway is this sit packet ok? I want to check if it works

send(0x1F,"b",1);
02/25/2013 17:26 bloodx#13
static int (__cdecl* SendPacket)(DWORD,LPCSTR,...) = (int (__cdecl*)(DWORD,LPCSTR,...))0x005A0100;

u can do this, too, and then just use SendPacket(......);

if u want to sniff packets hook send from ws2 and decrypt packets there.

005A01F3 there should be the Encrypt call and @0073AEE0 should be Encrypt Table
02/25/2013 18:11 RunzelEier#14
Quote:
Originally Posted by meak1
PHP Code:
DWORD SendPacketMain_ = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",0x00400000,0x007FFFFF);
DWORD SendPacketMain  = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",SendPacketMain_+1,0x007FFFFF);
DWORD SendPacketBack  = SendPacketMain + 0x06;

int Naked PacketSend(DWORD type,LPCSTR format,...)
{
    __asm
    {
        push ebp
        mov ebp, esp
        sub esp, 18h
        jmp SendPacketBack
    }
}

so you add 6 bytes to SendPacketMain
so you can reconstruct those 6 bytes and jump to SendPacketBack.
This is one big NOP :D
why don't you call SendPacketMain directly?
02/25/2013 20:17 iszoPL#15
Thanks blood ;)

I changed my send to

Code:
void KalTools::SendEngine(DWORD Header,LPCSTR szFormat,...)
{
    va_list args;
    va_start(args, szFormat);
    ((Send_org)sendAdd)(Header,szFormat,args);
    va_end(args);
}
so it should now pass all data to the func ;) But ur way is also great. Good trick xD
Ye I found this encrypt func and the IDA pseudocode looks like bakabug's one so I guess it is it ;p The encrypt table is pretty big oO. Well I guess I can use a pointer to it and use the one from the engine directly.

And about that packet sending. I have already hooked IAT send so I can sniff sent data. Now I have to decrypt them in order to learn more. Have some packets changed now? Because this sit packet

0x1f,"b",1 is not working. I can see that it was sent, because the sniffing function shows it, but nothing happens.