[Q] How to find recv/send function addresses

02/18/2014 12:52 Doctor2#1
Hi.

I've read some general tutorials about that, but most of them use OllyDbg, which is detected by hack shield.
I wonder how you guys get those addresses which are then used for detouring ...
Maybe some hints on which tools to use ... ?
And maybe how to find the functions?

:eek:


EDIT:
Seems like the sending is done in ntdll ... do I get anything closer .. waaaawh


EDIT2: So, the mov edi, edi actually does nothing. Or in other words, it provides a space for hooking.
If I use this as a sending function:
push ebp
mov ebp, esp
sub esp, 18
JMP PBACK

.. what address needs to be in PBACK? Before "mov edi, edi", right on that address, after it, or on the PUSH?
02/18/2014 18:22 meak1#2
y, normal hackshield detects OllyDbg, but with a modded one it works.
But for normal people like u: understand what search patterns are and how they work -> then download a private server without a Hackshield and work there to find those addresses.
(at Pserv sub esp, 14) <- just change to 18 in ur pattern

Or just unpack engine.exe and search for ws2_32 send or the string 'send() fail' and jump backwards till u come to the push ebp / mov ebp, esp / sub esp, 18

normally u breakpoint ws2_32 send and write 'hello' into the chat and u just jump backwards till u get the decrypted packet and use that function for your own code.
02/18/2014 20:01 Doctor2#3

So, if I'm correct, those are the send and recv functions. But here the data is already encrypted, isn't it? So I need to go backward.



This function starts as you've said and it's calling the send function on the first picture. So that might be it?
In this case, what is the search pattern?
55 8B EC 83 EC 18 57 89 4D E8

That is the unpacked engine I found ... I think it's from the year 2010. That pattern should still be the same?

Thanks for your answer.
02/18/2014 21:01 meak1#4
sure patterns never changed
and u can just run engine.exe with ollydbg, runtime = unpacked
02/20/2014 16:15 nonosocr1986#5
you can also use IDA by hex-rays or any disassembler and search for send/recv/connect etc..
02/20/2014 16:29 Doctor2#6
Thanks for the answers. :)
I've tried IDA and I'm lost there lol ... I like ollydbg
02/20/2014 18:19 meak1#7
I only use IDA with the Hex-Rays plugin for copy&pasting long asm functions into C++,
not for reversing
02/21/2014 15:28 Doctor2#8
I've used this pattern to search for the (encrypted) receive function:
"55 8B EC 83 EC 08 89 4D F8 8B 45 14 50 8B 4D 10 51 8B 55 0C 52 8B 45 08 50 FF 15".
Scan from 0x00400000 to 0x007FFFFFF.
As a result I got the address 5D23C0.
Then I hook it and my function is never called. Could it be that my search pattern is wrong? Am I getting the right address back?
02/21/2014 18:17 meak1#9
02/22/2014 14:41 Doctor2#10
Thanks for this, but I'm still stuck here.

I've tried this signature:
\x55\x8B\xEC\x83\xEC\x08\x89\x4D\xF8\x8B\x45\x14\x50\x8B\x4D\x10\x51\x8B\x55\x0C\x52\x8B\x45\x08\x50\xFF\x15\x00\x00\x00\x00\x89\x45\xFC\x83\x7D\xFC\xFF\x75\x25\xFF\x15\x00\x00\x00\x00\x3D\x00\x00\x00\x00\x74\x18\xB9\x00\x00\x00\x00\x85\xC9\x74\x02\xEB\x0D\x68\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x83\xC4\x04\x8B\x45\xFC\x8B\xE5\x5D\xC2\x10\x00
Mask: xxxxxxxxxxxxxxxxxxxxxxxxxxx????xxxxxxxxxxx????x????xxx????xxxxxxx????x????xxxxxxxxxxxx

and
\x55\x8B\xEC\x83\xEC\x20\x89\x4D\xE0\x8B\x45\xE0\x83\xB8\x48\x5F\x00\x00\x02\x0F\x83\x00\x00\x00\x00\x8B\x4D\xE0\xBA\x00\x00\x00\x00\x2B\x91\x00\x00\x00\x00\x89\x55\xF8\x8B\x45\xE0\x8B\x88\x00\x00\x00\x00\x8B\x55\xE0\x8D\x84\x0A\x00\x00\x00\x00\x89\x45\xF4\x8B\x4D\xE0\x8B\x91\x00\x00\x00\x00\x89\x55\xF0\x6A\x00\x8B\x45\xF8\x50\x8B\x4D\xF4\x51\x8B\x55\xF0\x8B\x42\x04\x50\x8B\x4D\xF0\xE8\x00\x00\x00\x00
Mask:
xxxxxxxxxxxxxxxxxxxxx????xxxx????xx????xxxxxxxx????xxxxxx????xxxxxxxx????xxxxxxxxxxxxxxxxxxxxxxxx????

The address is found but my hook function is still not getting called. :|
02/22/2014 15:53 meak1#11
the pattern exists more than once (;?

And I guess the hook is detected, so hackshield removes it. U can hook the recv normally just with

PHP Code:
#pragma comment(lib, "Ws2_32.lib")
oRecv = (tRecv)DetourFunction((PBYTE)recv, (PBYTE)MyRecvHook); 
But it's normally encrypted, but ur lucky, kal Recv crypt works like this -> the Kal function crypts it and before the Recv call it decrypts again XD (But send is rly crypted and the engine function hook is detected at Send, so ur pro or just use Send to send ur packets, not hook it..)

So it's ~0,5sec slower but works very well too, but my old source still works fine I guess, just with my tip: Hackshield removes detours/hooks at the start of Recv/Send, so u need to place them +5 bytes
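An added example, not code from anyone in this thread: a small signature matcher for the two pattern formats used above (the "55 8B EC ..." form from #3 and the "\x55..." plus "xx?x" mask form from #10). It returns every hit rather than the first one, so the case meak1 raises in #11, a pattern that exists more than once, shows up instead of silently yielding one wrong address. The byte buffer, the base address and all function names are constructed for the example.

```python
from typing import List, Optional

Pattern = List[Optional[int]]  # one entry per byte; None = wildcard

def parse_ida_pattern(text: str) -> Pattern:
    """Parse the 'FF 15 ?? ?? ?? ?? 8B' style; '?' or '??' marks a wildcard byte."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in text.split()]

def parse_masked_pattern(sig: str, mask: str) -> Pattern:
    """Parse the '\\x55\\x8B...' + 'xx?x' style: x = byte must match, ? = wildcard.
    A mask whose length differs from the signature is rejected, since that is
    exactly the kind of mistake a line-wrapped copy of a signature produces."""
    raw = bytes(sig, "latin-1").decode("unicode_escape").encode("latin-1")
    if len(raw) != len(mask):
        raise ValueError(f"signature has {len(raw)} bytes, mask has {len(mask)} chars")
    return [None if m == "?" else b for b, m in zip(raw, mask)]

def find_all(buf: bytes, pattern: Pattern, base: int = 0) -> List[int]:
    """Every address (base + offset) where the pattern matches; wildcards match any byte."""
    n = len(pattern)
    return [base + i for i in range(len(buf) - n + 1)
            if all(p is None or p == buf[i + j] for j, p in enumerate(pattern))]

def unique_match(buf: bytes, pattern: Pattern, base: int = 0) -> Optional[int]:
    """Address of the hit only if it is unique; None for zero or several hits,
    so an ambiguous signature is never used as if it identified one function."""
    hits = find_all(buf, pattern, base)
    return hits[0] if len(hits) == 1 else None

# Constructed sample: three fake function prologues. The first two differ only in
# the 'sub esp, imm8' operand (18h vs 14h), the third has a different shape.
SAMPLE = (
    b"\x90" * 8
    + b"\x55\x8B\xEC\x83\xEC\x18\x57\x89\x4D\xE8" + b"\xC3" + b"\x90" * 5   # offset 8
    + b"\x55\x8B\xEC\x83\xEC\x14\x57\x89\x4D\xE8" + b"\xC3" + b"\x90" * 5   # offset 24
    + b"\x55\x8B\xEC\x83\xEC\x08\x89\x4D\xF8" + b"\xC3"                     # offset 40
)

if __name__ == "__main__":
    base = 0x00400000  # constructed image base for the demo
    exact = parse_ida_pattern("55 8B EC 83 EC 18 57 89 4D E8")
    loose = parse_ida_pattern("55 8B EC 83 EC ?? 57 89 4D E8")
    print("exact hits:", [hex(a) for a in find_all(SAMPLE, exact, base)])
    print("loose hits:", [hex(a) for a in find_all(SAMPLE, loose, base)])
    print("unique loose match:", unique_match(SAMPLE, loose, base))  # None: ambiguous
```

Wildcarding the `sub esp` operand, as suggested in #2, makes the signature match both prologues in the sample, which is why `unique_match` refuses it.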