(ASM) Nostale Send Function

11/06/2013 22:41 Sm•ke#1
Hi guys, today I have a question and not a release, eheh!

I'm not very good at reverse engineering but I want to learn it..

I chose a random packet (c_skill, it's simple & fast) and now I want to try to write a function that sends the packets to the server (dll with gui)

..I have no problems making the dll, so easy..

Then I got this with OllyDbg:

Code:
0061908B   A1 A0B06600      MOV EAX,DWORD PTR DS:[66B0A0]
00619090   8B00             MOV EAX,DWORD PTR DS:[EAX]
00619092   BA F4926100      MOV EDX,nostalex.006192F4                ; ASCII "c_skill"
00619097   E8 F85BF0FF      CALL nostalex.0051EC94
0061909C   E9 32010000      JMP nostalex.006191D3
006190A1   A1 F8BF6600      MOV EAX,DWORD PTR DS:[66BFF8]
006190A6   8B00             MOV EAX,DWORD PTR DS:[EAX]
006190A8   8B40 40          MOV EAX,DWORD PTR DS:[EAX+40]
I tried with:

Code:
char *packet = "c_skill";
DWORD send_addr = 0x0051EC94;
_asm
{
	MOV EDX, packet
	CALL send_addr
}
But the client crashes when I click on the button, it doesn't work..

So I thought I had to add this:

Code:
0061908B   A1 A0B06600      MOV EAX,DWORD PTR DS:[66B0A0]
00619090   8B00             MOV EAX,DWORD PTR DS:[EAX]
Then I wrote this:

Code:
char *packet = "c_skill";
DWORD send_addr = 0x0051EC94, send_eax = 0x0066B0A0;
_asm
{
	MOV EAX, DWORD PTR DS:[send_eax]
	MOV EAX, DWORD PTR DS:[EAX]
	MOV EDX, packet
	CALL send_addr
}
But I get the same problem..
Can somebody who knows how to reverse help me? Thanks, I'm waiting for answers..
11/06/2013 23:10 Elektrochemie#2
You have to zoidberg the send address pointer.

Code:
char *packet = "c_skill";
DWORD send_addr = const_cast<whoop*>0x0051EC94, send_eax = const_cast<whoop*>0x0066B0A0;
_asm
{
	MOV EAX, DWORD WHOOP[PTR DS:[send_eax]]
	MOV EAX, DWORD WHOOP[PTR DS:[EAX]]
	MOV EDX, WHOOP[packet]
	CALL send_addr
}
11/06/2013 23:21 Sm•ke#3
What exactly does the whoop do? And what is the library for it? Thanks man!
11/06/2013 23:58 Elektrochemie#4

Haha no dude, it was a joke.
Your code looks correct.

Code:
char *packet = "c_skill";
DWORD send_addr = 0x0051EC94, send_eax = 0x0066B0A0;
_asm
{
	MOV EAX, DWORD PTR DS:[send_eax]
	MOV EAX, DWORD PTR DS:[EAX]
	MOV EDX, packet
	CALL send_addr
}
Are you sure that send_addr is correct?
Maybe something's wrong with
char *packet = "c_skill";
I know it's working with AnsiStrings of VCL, so try a 0x00 termination at the end of the packet.
Did you try to set a breakpoint at send_addr and look at the registers to see what's different?
11/07/2013 00:09 Sm•ke#5
Quote:
Originally Posted by Elektrochemie

Haha no dude, it was a joke.
Your code looks correct.

Code:
char *packet = "c_skill";
DWORD send_addr = 0x0051EC94, send_eax = 0x0066B0A0;
_asm
{
	MOV EAX, DWORD PTR DS:[send_eax]
	MOV EAX, DWORD PTR DS:[EAX]
	MOV EDX, packet
	CALL send_addr
}
Are you sure that send_addr is correct?
Maybe something's wrong with
char *packet = "c_skill";
I know it's working with AnsiStrings of VCL, so try a 0x00 termination at the end of the packet.
Did you try to set a breakpoint at send_addr and look at the registers to see what's different?
Mmmh!! Funny video, ahah XD
You totally fucked me, man! lol..

One moment and I'll tell you what is wrong in the registers at send_addr; the address is right, as you can see in the asm code that I posted in the first post.. and all packets have it (the call) after eax and edx.. and with a breakpoint I see all packets that the client sends..

If you want to test, [link] it's the download of the dll.. just inject it into the client xD

PS. I already tried to add 0x00 at the end of the packet but it doesn't change anything..

------------------------------------------------------------------------------
Ok, I'm posting 3 screens for you..

1) c_skill from client (normal, not dll): [link]
2) c_skill from dll: [link]
3) error: [link]
11/07/2013 14:42 PainToTheWorld#6
Code:
__asm{
	mov eax, dwRawPacketPTR
	mov eax, DWORD PTR DS:[eax]
	mov eax, DWORD PTR DS:[eax]
	mov edx, szPacket
	call dwSendRawPacket
}
Maybe this will help you ;D
11/07/2013 15:06 Sm•ke#7
Thanks PainToTheWorld but it doesn't work..

dwRawPacketPTR = 0066B0A0 ?
dwSendRawPacket = 0051EC94 ?

I tried this:

Code:
void SEND_TO_SERVER(char *packet)
{
	DWORD send_addr = 0x0051EC94, send_eax = 0x0066B0A0;
	__asm
	{
		mov eax, send_eax
		mov eax, DWORD PTR DS:[eax]
		mov eax, DWORD PTR DS:[eax]
		mov edx, packet
		call send_addr
	}
}
And when I try to use it on the client, it crashes :O
11/07/2013 17:45 PainToTheWorld#8
It crashes? Or do you just get an access violation message?
It should work.. if you give the function a null-terminated string...
Send me your code for testing.
11/07/2013 18:26 Hatish#9
Try this ;)
Quote:
__asm{
MOV EDX,packet
MOV EAX,DWORD PTR DS:[654DDC] // 654DDC is an old address, you need to put the new one ;)
MOV EAX,DWORD PTR DS:[EAX]
MOV EAX,DWORD PTR DS:[EAX]
MOV EAX,DWORD PTR DS:[EAX]
CALL send_addr
}
11/07/2013 19:20 Sm•ke#10
Code:
void SEND_TO_SERVER(char *packet)
{
	DWORD send_addr = 0x0051EC94, send_eax = 0x0066B0A0;
	__asm
	{
		MOV EDX, packet
		MOV EAX, DWORD PTR DS:[send_eax]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		CALL send_addr
	}
}
Doesn't work..

Pain, if you read my post, I already told you the code that I've tried..
It crashes, not an access violation..
11/07/2013 20:45 _RowLegend_#11
Look at the function (as an example; there are more single packets)
Quote:
snap
There you can see the complete send function. Copy it 1:1.
11/07/2013 23:43 Sm•ke#12
It doesn't change anything, c_skill does the same.. xD

Code:
00657223   A1 A0B06600      MOV EAX,DWORD PTR DS:[66B0A0]
00657228   8B00             MOV EAX,DWORD PTR DS:[EAX]
0065722A   BA F4726500      MOV EDX,nostalex.006572F4                ; ASCII "snap"
0065722F   E8 607AECFF      CALL nostalex.0051EC94
but I don't know why the function doesn't work..

OK GUYS!!

I tried with:

Code:
void SEND_TO_SERVER(char *packet)
{
	packet[strlen(packet)] = 0;

	DWORD SEND_EAX = 0x66B0A0, C_SKILL = 0x006192F4, SEND_ADDR = 0x0051EC94;

	__asm
	{
		MOV EAX, DWORD PTR DS:[SEND_EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EDX, packet
		CALL SEND_ADDR
	}
}
And the client crashes.. I replaced MOV EDX, packet with MOV EDX, C_SKILL and it worked..

The problem is in char *packet = "c_skill";

Elektrochemie said that the Nostale client uses AnsiString; do I need to use it? Does Embarcadero include it?
11/09/2013 15:45 Sm•ke#13
Can somebody help me?
11/09/2013 17:14 ernilos#14
Try with this
Code:
void SEND_TO_SERVER(char *packet)
{
	packet[strlen(packet)] = 0;

	DWORD SEND_EAX = 0x66B0A0, PACKET = &packet, SEND_ADDR = 0x0051EC94;

	__asm
	{
		MOV EAX, DWORD PTR DS:[SEND_EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EDX, PACKET
		CALL SEND_ADDR
	}
}
------
Edit: I don't want to go up to 500 posts yet.
You need to move the pointer (& <- shows the pointer) to a DWORD I think, then you set at the DWORD the pointer of the char* :P
11/09/2013 18:42 Sm•ke#15
ernilos, it's impossible..
You can't use a char** to initialize a DWORD entity..

Before you tell me.. I already tried with:

Code:
PACKET = (DWORD)&packet
but it doesn't work, the client crashes <.<