[Guide:olly]Override Server.dat checks

01/20/2014 11:25 Santa#1
Hey there!
This is my first attempt at creating a guide, I think :p, so please bear with me. As you will probably be able to tell I'm just beginning my adventure into the assembly world, so please let me know if there are more efficient ways to go about doing this. Thanks to Angelius I'm digging into hooks/patching and in-line asm. If anyone wants to lend me a hand on overwriting an asm line using C++ that would be great! Finally, all criticism is welcome but, please, keep it constructive and professional. Let's begin!

First off, I did all of my testing with a 5065 client; I'd imagine it would be a similar process with newer/older patches. I don't have a newer client and don't plan to download it tonight.

Problem:
The client typically does not allow you to directly connect to a local IP address, be it 127.x.x.x, any loop-back, or hamachi. When developing a private server or bot this is very problematic. Sure, you could use Nullables loader but that's a hassle if you want to develop your own loader or memory based bot.

What this does: This allows you to connect to any IP address without getting the annoying "Failed to load Server.dat" message.

Step 1:
Open up Conquer.exe using OllyDbg or simply attach Olly to an already opened client.

Step 2:
Make sure you are viewing the Conquer module in the cpu window. To do this hit Alt+E and find conquer.exe in the list that pops up. It's usually located towards the top of the list.

Digging through the client I discovered that they compare the first part of the ip (eg. 127 in 127.0.0.1) to 0x7F, or 127, using the CMP op-code.

Step 3:
Right-Click in the CPU window. Select "Search For -> All Commands..." In the window that appears type CMP AL, 7F. Another window should now appear with all the locations that command was found. In my case it is 2 places.

Step 4:
Double click on the first occurrence in the window that appeared; it should take you to the op-code, highlighting it, in the CPU window. Just below this op-code you will have a jump command (JNE or JE in my case).
Case 1: JNE SHORT XXXXXX
JNE stands for, I believe "jump if not equal." If you set a breakpoint and debug this function you would see that it takes the jump if the first part of your IP does not equal 127.
Step 4.1a: Double-Click JNE SHORT XXXXXX.
Step 4.1b: In the window that appears change JNE to JMP so it will always take the jump, no matter what the IP.
Case 2: JE SHORT XXXXXX
JE stands for, I believe "jump if equal." Again, debug it to see if the jump is taken, if you want.
Step 4.2a: Double-Click JE SHORT XXXXXX.
Step 4.2b: In the window that appears, change JE SHORT XXXXXX to NOP so no jump is taken and the code continues along like nothing happened.
Alright, if you just wanted to be able to use 127.x.x.x to log-in to your server or w/e this is where you could stop.

Step 5: In the CPU window, Right-Click -> Search for -> All intermodular calls. Along the top click "Dest Name" to sort it using that data. Next, type connect.

I will finish this guide tomorrow, if people would like it, if I have the chance. Ran out of time today, sorry. I know, the formatting is terrible, it's making my OCD yell at me haha.
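The two Olly edits in Step 4 change one or two bytes at the "CMP AL, 7F" site. As an added example (not code from the guide or the client), here is the anti-tamper view of the same bytes: an integrity check that scans a copy of a code region for that compare and reports whether the branch after it is still the original JNE/JE, has been turned into an unconditional JMP, or has been NOPped out. The sample buffers are constructed, and the encodings are the standard x86 ones; the NOP case assumes Olly's "Fill with NOPs" left a 2-byte JE as 90 90.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 encodings involved in the Olly edits (Intel opcode map):
 *   3C ib    cmp al, imm8      75 rel8  jne short     74 rel8  je short
 *   EB rel8  jmp short         90       nop
 * Assumption: a 2-byte "je short" edited to NOP in Olly becomes 90 90. */
enum gate_state {
    GATE_NOT_FOUND,   /* no "cmp al, 7F" followed by a recognised branch form */
    GATE_INTACT,      /* cmp al,7F ; jne/je short  -> loop-back check still live */
    GATE_FORCED_JMP,  /* cmp al,7F ; jmp short     -> conditional made unconditional */
    GATE_NOPPED       /* cmp al,7F ; nop nop       -> branch removed entirely */
};

/* Integrity check over a copy of code bytes: locate the "cmp al, 0x7F" gate and
 * classify the instruction that follows it. *at receives the match offset. */
enum gate_state check_loopback_gate(const uint8_t *code, size_t len, size_t *at)
{
    for (size_t i = 0; i + 4 <= len; i++) {
        if (code[i] != 0x3C || code[i + 1] != 0x7F) continue;   /* not "cmp al, 7F" */
        uint8_t op = code[i + 2];
        enum gate_state s = (op == 0x75 || op == 0x74) ? GATE_INTACT
                          : (op == 0xEB)               ? GATE_FORCED_JMP
                          : (op == 0x90 && code[i + 3] == 0x90) ? GATE_NOPPED : GATE_NOT_FOUND;
        if (s == GATE_NOT_FOUND) continue;                      /* some other instruction follows */
        if (at) *at = i;
        return s;
    }
    return GATE_NOT_FOUND;
}

/* Constructed sample buffers (not bytes from the real client): mov al,[esi] ; cmp al,7F ; ... */
static const uint8_t sample_intact[] = { 0x8A, 0x06, 0x3C, 0x7F, 0x75, 0x05, 0x90, 0x90 };
static const uint8_t sample_jmp[]    = { 0x8A, 0x06, 0x3C, 0x7F, 0xEB, 0x05, 0x90, 0x90 };
static const uint8_t sample_nopped[] = { 0x8A, 0x06, 0x3C, 0x7F, 0x90, 0x90, 0x90, 0x90 };

int main(void)
{
    static const char *names[] = { "not found", "intact", "forced jmp", "nopped" };
    size_t at = 0;
    printf("intact : %s\n", names[check_loopback_gate(sample_intact, sizeof sample_intact, &at)]);
    printf("jmp    : %s\n", names[check_loopback_gate(sample_jmp, sizeof sample_jmp, &at)]);
    printf("nopped : %s at +%zu\n", names[check_loopback_gate(sample_nopped, sizeof sample_nopped, &at)], at);
    return 0;
}
```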
01/20/2014 17:31 turk55#2
Nice guide and great job, this sure can help out when it comes to developing. +1
01/22/2014 23:42 Real~Death#3
Real easy to understand.

Nice ppl are still posting up tuts on using olly :)
01/23/2014 00:22 Santa#4
Sorry I haven't finished this up yet. The second part is going to be a little harder to explain in words. I'm thinking about creating a video to accompany/replace the text for that part. Then I remembered, the new server.dat is encrypted so I may actually download a newer/latest client and figure out how to bypass the decryption. But that all takes time, and being an engineering student I don't have much of it.

Also! No one knows how to overwrite/replace the opcodes at runtime? If you do, and could PM me with some links/info that would be great, I'm trying to shift from C# to C++ so any C++ info would be awesome!
01/23/2014 01:10 CptSky#5
Something I used a few years ago to rewrite the executable (would patch the hacks like PM commands). It was an injected DLL.

Far from being good I think, but it works.

Code:
#include <windows.h>

// Declarations assumed from the member usage below; the original post only
// showed the three method bodies.
typedef char Char;
typedef unsigned char UInt8;
typedef unsigned long UInt32;
static const DWORD BIG_BUFFER_SIZE = 1024;

class CKDefender
{
public:
    CKDefender();
    ~CKDefender();
    void BlockPMCommands();
private:
    Char* pCurrentDirectory;
    HANDLE hProcess;
    HWND hWindow;
};

CKDefender::CKDefender()
{
    pCurrentDirectory = new Char[BIG_BUFFER_SIZE];
    GetCurrentDirectoryA(BIG_BUFFER_SIZE, pCurrentDirectory);

    hProcess = GetCurrentProcess();   // pseudo-handle to the process the DLL was injected into
    hWindow = GetActiveWindow();
}

CKDefender::~CKDefender()
{
    delete[] pCurrentDirectory;       // allocated with new[], so delete[] rather than free()
    hProcess = NULL;
    hWindow = NULL;
}

void CKDefender::BlockPMCommands()
{
    // Hardcoded client address and the instruction bytes to put back there.
    void* Address = (void*)0x0048B903;
    UInt8 Buffer[] = {
        0x74, 0x17,                         //je      short 0048B91C
        0xBF, 0xEC, 0x65, 0x50, 0x00,       //mov     edi, 5065EC
        0x2B, 0xF8,                         //sub     edi, eax
        0x8A, 0x08,                         //mov     cl, byte ptr [eax]
        0x3A, 0x0C, 0x07,                   //cmp     cl, byte ptr [edi+eax]
        0x0F, 0x85, 0x08, 0x05, 0x00, 0x00, //jnz     0048BE1F
        0x40,                               //inc     eax
        0x3B, 0xC6,                         //cmp     eax, esi
        0x75, 0xF0 };                       //jnz     short 0048B90C

    // WriteProcessMemory temporarily changes the page protection itself,
    // so no separate VirtualProtect call is needed here.
    if (!WriteProcessMemory(hProcess, Address, Buffer, sizeof(Buffer), NULL))
    {
        UInt32 Error = GetLastError();
        Char* pWords = new Char[BIG_BUFFER_SIZE];

        FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, Error, 0, pWords, BIG_BUFFER_SIZE, NULL);
        MessageBoxA(hWindow, pWords, "ERROR!", 0);
        delete[] pWords;                  // was leaked in the original
        return;
    }
}
01/23/2014 01:10 Lateralus#6
Depending on what you want to do...

1. WriteProcessMemory will work for static addresses, but I can't remember if it's - image base or if it takes the image base into account. If you want a simple way to decode assembly instructions to their respective opcodes, I don't think there's a way to do it. I always just hardcode them in byte arrays.

2. If you're wanting to make changes to the section from a code cave like I've tried to do, there's a flag for each section in the PE header (called characteristics in LordPE) that controls whether it's self-modifying/can write to other sections. If you attempt to write to a section from a section without the writeable characteristic, the OS will throw an exception in the program. It can be changed in roughly 2 seconds with any PE editor, or a hex editor, but it may (rarely) trigger anti-virus.
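The "characteristics" flag Lateralus describes is the Characteristics field of each 40-byte section header in the PE section table. As an added example (not code from this thread), here is a small auditor that walks that table and counts sections marked both executable and writable, which is exactly what flipping the write bit on .text produces and what a defender would flag. It defines the flag constants itself so it builds without windows.h, and it parses a constructed minimal image rather than a real client.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section Characteristics bits from the PE/COFF spec (LordPE's "characteristics"
 * column); defined here so the example builds without windows.h. */
#define SCN_CNT_CODE    0x00000020u
#define SCN_MEM_EXECUTE 0x20000000u
#define SCN_MEM_WRITE   0x80000000u

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Walk the section table of a PE image held in memory and count sections that
 * are executable *and* writable, the state a "make .text self-modifying" edit
 * leaves behind. Returns -1 when the headers do not parse. */
int count_wx_sections(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                              /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(img + pe + 6);                          /* NumberOfSections */
    size_t   tbl  = (size_t)pe + 24 + rd16(img + pe + 20);       /* table follows the optional header */
    if (tbl > len || (len - tbl) / 40 < nsec) return -1;
    int wx = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + tbl + (size_t)i * 40;           /* 40-byte section header */
        uint32_t ch = rd32(s + 36);                              /* Characteristics */
        int x = (ch & (SCN_MEM_EXECUTE | SCN_CNT_CODE)) != 0, w = (ch & SCN_MEM_WRITE) != 0;
        printf("%-8.8s %c%c\n", (const char *)s, x ? 'X' : '-', w ? 'W' : '-');
        wx += x && w;
    }
    return wx;
}

/* Constructed minimal i386 image (no optional header) with .text and .data;
 * text_writable=1 mimics flipping the write bit on the code section. */
size_t build_sample(uint8_t *buf, int text_writable)
{
    size_t n = 0x40 + 24 + 2 * 40;
    memset(buf, 0, n);
    buf[0] = 'M'; buf[1] = 'Z'; put32(buf + 0x3C, 0x40);
    memcpy(buf + 0x40, "PE\0\0\x4C\x01\x02\x00", 8);           /* signature, Machine, NumberOfSections */
    uint8_t *t = buf + 0x40 + 24, *d = t + 40;
    memcpy(t, ".text", 5);
    put32(t + 36, SCN_CNT_CODE | SCN_MEM_EXECUTE | 0x40000000u | (text_writable ? SCN_MEM_WRITE : 0));
    memcpy(d, ".data", 5); put32(d + 36, 0x00000040u | 0x40000000u | SCN_MEM_WRITE); /* data, RW */
    return n;
}
```

Run on a real file by reading it into a buffer; the same headers are what VirtualProtect changes only for the mapped pages, not on disk.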
01/23/2014 01:36 SteveRambo#7
Quote:
Originally Posted by Lateralus
Depending on what you want to do...

1. WriteProcessMemory will work for static addresses, but I can't remember if it's - image base or if it takes the image base into account. If you want a simple way to decode assembly instructions to their respective opcodes, I don't think there's a way to do it. I always just hardcode them in byte arrays.

There are plenty of libraries that can turn a string of assembly instructions into actual bytecode, but it's probably still much easier to just hardcode it.

2. If you're wanting to make changes to the section from a code cave like I've tried to do, there's a flag for each section in the PE header (called characteristics in LordPE) that controls whether it's self-modifying/can write to other sections. If you attempt to write to a section from a section without the writeable characteristic, the OS will throw an exception in the program. It can be changed in roughly 2 seconds with any PE editor, or a hex editor, but it may (rarely) trigger anti-virus.

Or you could just use VirtualProtect(Ex) to change the memory protection of that section of memory. Actually, the WriteProcessMemory function does that for you already.
01/23/2014 01:54 Lateralus#8
Quote:
Originally Posted by SteveRambo
Or you could just use VirtualProtect(Ex) to change the memory protection of that section of memory. Actually, the WriteProcessMemory function does that for you already.
I suppose you could do that, but it'd be annoying doing library calls in assembly every time, lol.

Edit: Or I guess you would just need to do that once? Can you call VirtualProtect in a non-writeable section to change characteristics? Probably would need to allocate more space?
01/23/2014 11:28 SteveRambo#9
Quote:
Originally Posted by Lateralus
I suppose you could do that, but it'd be annoying doing library calls in assembly every time, lol.

Edit: Or I guess you would just need to do that once? Can you call VirtualProtect in a non-writeable section to change characteristics? Probably would need to allocate more space?
You can make any memory inside a module writeable, read-only, write-only, etc. and it'll stay that way until you or someone/something else change it back by a call to the VirtualProtect function.