I've worked on this "new" type of packet logger based on an article I saw on Reddit. The basic concept is that I've been messing around with creating a basic Windows debugger. This allows me to set breakpoints programmatically at certain addresses and read information off the registers. This is more of a self-study on how to write a debugger, but it might benefit someone around here.
Here are the articles that I based the code on:
[Only registered and activated users can see links. Click Here To Register...]
[Only registered and activated users can see links. Click Here To Register...]
Disclaimer: use the attached code at your own risk.
Those articles describe the code pretty well, so I won't really be getting into it. However, here is an example of how you can implement the packet logging part for Conquer using the attached code.
Code:
class Program
{
    const string ConquerFolder = @"C:\Program Files (x86)\NetDragon\Conquer Online 2.0 - Real";
    const string CommandLine = ConquerFolder + "\\Conquer.exe blacknull";
    // Addresses inside Conquer.exe where received and sent packets are available (this client build).
    const uint RecvMemoryAddress = 0x00739CE4;
    const uint SendMemoryAddress = 0x0073A1F7;

    static void Main(string[] args)
    {
        // Debugger, CONTEXT, ReadByteArray, ReadUInt32 and SetMemoryBreakpoint come from the attached code.
        Debugger debugger = new Debugger();
        // Launch Conquer.exe as a debugged process.
        debugger.OpenDebugProcess(CommandLine, ConquerFolder);
        debugger.OnAttached += OnAttached;
        debugger.OnMemoryBreakpoint += OnMemoryBreakpoint;
        // Keep Main alive while the Debugger delivers breakpoint events.
        while (true)
        {
        }
    }

    private static void OnMemoryBreakpoint(Debugger Debugger, uint Address, ref CONTEXT context)
    {
        if (Address == RecvMemoryAddress)
        {
            // At the receive breakpoint EBX holds the packet length and [EBP-0x1C] points at the buffer.
            uint Size = context.Ebx;
            byte[] Packet = Debugger.ReadByteArray(Debugger.ReadUInt32(context.Ebp - 0x1C), (int)Size);
            HexDump("Server -> Client", Packet);   // HexDump: dump helper, not shown in the post
        }
        else if (Address == SendMemoryAddress)
        {
            // At the send breakpoint ECX holds the packet length and EAX points at the buffer.
            uint Size = context.Ecx;
            byte[] Packet = Debugger.ReadByteArray(context.Eax, (int)Size);
            HexDump("Client -> Server", Packet);
        }
    }

    private static void OnAttached(Debugger Debugger)
    {
        // The process is paused at its first breakpoint here, so this is where ours get set.
        Debugger.SetMemoryBreakpoint(RecvMemoryAddress);
        Debugger.SetMemoryBreakpoint(SendMemoryAddress);
    }
}
As you can see, it's pretty simple to do, and the Debugger class handles most of the not-so-pretty code. First we create the debugged process based on the arguments we give it. It's possible to attach to an already active process, but that's not included in the code.
Next up we subscribe to some events (OnAttached, OnMemoryBreakpoint). OnAttached is an event that is fired when we hit the first breakpoint in the newly created process. We always hit this one, even if we didn't manually place any breakpoints. When this event is fired, it's a good time to set our own breakpoints:
Code:
private static void OnAttached(Debugger Debugger)
{
    // Fired at the first (system) breakpoint; the process is paused, so set our own breakpoints now.
    Debugger.SetMemoryBreakpoint(RecvMemoryAddress);
    Debugger.SetMemoryBreakpoint(SendMemoryAddress);
}
Really simply put, SetMemoryBreakpoint replaces the first byte of the instruction at that address with 0xCC (INT3). When the target executes it, the resulting breakpoint exception is picked up by our Debugger class, which reverts the byte back to the original so the instruction can run normally.
The OnMemoryBreakpoint function is just there to keep track of when we hit certain breakpoints, and as in the example above, we dump the packets from memory when the specific address is hit.
So that's how you can log packets in a not-so-commonly-used way. If you are interested in writing your own debugger or experimenting with it, I would suggest you read those two articles; they are pretty good.
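The HexDump helper called from OnMemoryBreakpoint above is not defined anywhere in the post. Here is an added implementation with the same two-argument shape (label, bytes); it is not the attached code, the class name PacketDump and the layout are assumptions, and the packet bytes in Demo are constructed sample data.

```csharp
using System;
using System.Text;

// Added example, not the post's attached code: a hex dump in the HexDump(label, bytes) shape
// the OnMemoryBreakpoint handler calls. Class name and layout are assumptions.
static class PacketDump
{
    // Returns the dump as a string so it can be written to a file or a log, not only the console.
    public static string Format(string label, byte[] data)
    {
        var sb = new StringBuilder();
        sb.Append(label).Append(" (").Append(data.Length).AppendLine(" bytes)");
        for (int offset = 0; offset < data.Length; offset += 16)
        {
            int lineLen = Math.Min(16, data.Length - offset);
            sb.Append(offset.ToString("X8")).Append("  ");
            for (int i = 0; i < 16; i++)                       // hex column, padded so short last lines align
            {
                sb.Append(i < lineLen ? data[offset + i].ToString("X2") : "  ");
                sb.Append(i == 7 ? "  " : " ");
            }
            sb.Append(' ');
            for (int i = 0; i < lineLen; i++)                  // ASCII column, non-printables as '.'
            {
                byte b = data[offset + i];
                sb.Append(b >= 0x20 && b < 0x7F ? (char)b : '.');
            }
            sb.AppendLine();
        }
        return sb.ToString();
    }

    // Same signature as the call sites in the post's handler.
    public static void HexDump(string label, byte[] data) => Console.Write(Format(label, data));

    // Constructed sample packet, not captured from the game: 20 bytes with a few printable characters.
    public static string Demo()
    {
        byte[] sample = { 0x14, 0x00, 0xE9, 0x03, 0x01, 0x00, 0x00, 0x00,
                          0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x00, 0x00, 0x00,
                          0xFF, 0x7F, 0x0A, 0x0D };
        return Format("Server -> Client", sample);
    }
}
```

A practical check before dumping: the Size values come straight out of EBX or ECX, so an implausibly large length (tens of kilobytes for a game packet) almost always means the breakpoint address or the register/stack offsets do not match the client build in use, and the read will fail or return unrelated memory.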