Could someone tell me any loader that I could hook .dll on latest co? I need to redirect ip to my proxy. Or any c# code. I would be thankful, guys.
[HELP] Conquer auth ip through DLL
07/22/2014 23:37
rytis221#1
07/23/2014 15:30
tanelipe#2
Here's a loader made in C#
Which is used like this:
And here is the Native class
And if you need a DLL, you can check this post: [Only registered and activated users can see links. Click Here To Register...]
Code:
private unsafe void SuspendInjectResume(PROCESS_INFORMATION pProcessInfo, string Dll)
{
uint Length = (uint)(Dll.Length + 1);
// Get the LoadLibrary address
UIntPtr hLoadLibrary = Native.GetProcAddress(Native.GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
// Allocate space for DLL.
IntPtr pDllLocation = Native.VirtualAllocEx(pProcessInfo.hProcess, IntPtr.Zero, Length, 0x1000, 0x40);
if (pDllLocation != IntPtr.Zero)
{
// Write DLL path to process memory.
Native.WriteProcessMemory(pProcessInfo.hProcess, pDllLocation, Dll, Length, IntPtr.Zero);
}
byte[] ShellCode = {
0x9C, // PUSH ALL FLAGS
0x60, // PUSH ALL REGISTERS
0x68, 0xAA, 0xAA, 0xAA, 0xAA, // PUSH DLL ADDRESS
0xB8, 0xBB, 0xBB, 0xBB, 0xBB, // MOV EAX, pLoadLib
0xFF, 0xD0, // CALL EAX (pLoadLib)
0x61, // POP ALL REGISTERS
0x9D, // POP ALL FLAGS
0xC3 // RET
};
uint pLoadLibAddress = hLoadLibrary.ToUInt32();
uint pDllAddress = (uint)pDllLocation.ToInt32();
// Load our DLL address to the Shell Code
ShellCode[3] = (byte)(pDllAddress & 0xFF);
ShellCode[4] = (byte)((pDllAddress >> 8) & 0xFF);
ShellCode[5] = (byte)((pDllAddress >> 16) & 0xFF);
ShellCode[6] = (byte)((pDllAddress >> 24) & 0xFF);
// Load LoadLibraryA to the Shell Code
ShellCode[8] = (byte)(pLoadLibAddress & 0xFF);
ShellCode[9] = (byte)((pLoadLibAddress >> 8) & 0xFF);
ShellCode[10] = (byte)((pLoadLibAddress >> 16) & 0xFF);
ShellCode[11] = (byte)((pLoadLibAddress >> 24) & 0xFF);
// Suspend the main thread, allows us to hijack it.
Native.SuspendThread(pProcessInfo.hThread);
CONTEXT context = new CONTEXT();
context.ContextFlags = (uint)CONTEXT_FLAGS.CONTEXT_FULL;
// Get the thread context. Allows us to get access to EIP and ESP.
if (Native.GetThreadContext(pProcessInfo.hThread, ref context))
{
// Write EIP (address of next operation) to ESP-4 (stack).
UIntPtr lpBaseAddress = new UIntPtr(context.Esp - 4);
Native.WriteProcessMemory(pProcessInfo.hProcess, lpBaseAddress, &context.Eip, sizeof(uint), null);
// Allocate space for our shell code
IntPtr ShellCodeAddress = Native.VirtualAllocEx(pProcessInfo.hProcess, IntPtr.Zero, (uint)ShellCode.Length, 0x1000, 0x40);
if (ShellCodeAddress != IntPtr.Zero)
{
// Write our shell code to the application
IntPtr lpNumberBytesWritten = IntPtr.Zero;
Native.WriteProcessMemory(pProcessInfo.hProcess, ShellCodeAddress, ShellCode, ShellCode.Length, out lpNumberBytesWritten);
// Set EIP (address of next operation) to our shell code address
context.Eip = (uint)ShellCodeAddress.ToInt32();
// Update the thread flags / registers
Native.SetThreadContext(pProcessInfo.hThread, ref context);
// Resume thread from our shell code.
Native.ResumeThread(pProcessInfo.hThread);
// Executes our code and then jumps back to original code once our shellcode is done.
}
}
}
Code:
string CommandLine = PathTextBox.Text + "\\Conquer.exe blacknull";
SECURITY_ATTRIBUTES ProcessAttributes = new SECURITY_ATTRIBUTES();
SECURITY_ATTRIBUTES ThreadAttributes = new SECURITY_ATTRIBUTES();
STARTUPINFO StartupInformation = new STARTUPINFO();
PROCESS_INFORMATION ProcessInformation = new PROCESS_INFORMATION();
Native.CreateProcess(null, CommandLine, ref ProcessAttributes, ref ThreadAttributes, false, 0x00000004, IntPtr.Zero, PathTextBox.Text, ref StartupInformation, out ProcessInformation);
Native.ResumeThread(ProcessInformation.hThread);
Native.Sleep(2000);
SuspendInjectResume(ProcessInformation, HookTextBox.Text);
Code:
using System;
using System.Runtime.InteropServices;
namespace ConquerProxy
{
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public unsafe struct STARTUPINFO
{
public Int32 cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwYSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public Int32 dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES
{
public int nLength;
public unsafe byte* lpSecurityDescriptor;
public int bInheritHandle;
}
[StructLayout(LayoutKind.Sequential)]
public unsafe struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
}
public enum CONTEXT_FLAGS : uint
{
CONTEXT_i386 = 0x10000,
CONTEXT_i486 = 0x10000, // same as i386
CONTEXT_CONTROL = CONTEXT_i386 | 0x01, // SS:SP, CS:IP, FLAGS, BP
CONTEXT_INTEGER = CONTEXT_i386 | 0x02, // AX, BX, CX, DX, SI, DI
CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04, // DS, ES, FS, GS
CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08, // 387 state
CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10, // DB 0-3,6,7
CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20, // cpu specific extensions
CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,
CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS
}
[StructLayout(LayoutKind.Sequential)]
public struct FLOATING_SAVE_AREA
{
public uint ControlWord;
public uint StatusWord;
public uint TagWord;
public uint ErrorOffset;
public uint ErrorSelector;
public uint DataOffset;
public uint DataSelector;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
public byte[] RegisterArea;
public uint Cr0NpxState;
}
[StructLayout(LayoutKind.Sequential)]
public struct CONTEXT
{
public uint ContextFlags; //set this to an appropriate value
// Retrieved by CONTEXT_DEBUG_REGISTERS
public uint Dr0;
public uint Dr1;
public uint Dr2;
public uint Dr3;
public uint Dr6;
public uint Dr7;
// Retrieved by CONTEXT_FLOATING_POINT
public FLOATING_SAVE_AREA FloatSave;
// Retrieved by CONTEXT_SEGMENTS
public uint SegGs;
public uint SegFs;
public uint SegEs;
public uint SegDs;
// Retrieved by CONTEXT_INTEGER
public uint Edi;
public uint Esi;
public uint Ebx;
public uint Edx;
public uint Ecx;
public uint Eax;
// Retrieved by CONTEXT_CONTROL
public uint Ebp;
public uint Eip;
public uint SegCs;
public uint EFlags;
public uint Esp;
public uint SegSs;
// Retrieved by CONTEXT_EXTENDED_REGISTERS
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
public byte[] ExtendedRegisters;
}
public unsafe partial class Native
{
[DllImport("Kernel32.dll")]
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, UIntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);
[DllImport("Kernel32.dll")]
public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, Int32 dwProcessId);
[DllImport("Kernel32.dll")]
public static extern Int32 CloseHandle(IntPtr hObject);
[DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
public static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
[DllImport("Kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true)]
public static extern UIntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("Kernel32.dll")]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, string lpBuffer, uint nSize, IntPtr lpNumberOfBytesWritten);
[DllImport("Kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
public static extern Int32 WaitForSingleObject(IntPtr handle, Int32 milliseconds);
[DllImport("kernel32.dll")]
public static extern uint ResumeThread(IntPtr hThread);
[DllImport("Kernel32.dll")]
public static extern void Sleep(uint milliSeconds);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern int SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll")]
public static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT lpContext);
[DllImport("kernel32.dll")]
public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll")]
public static extern bool SetThreadContext(IntPtr hThread,
[In] ref CONTEXT lpContext);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
int nSize,
out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
UIntPtr lpBaseAddress,
void *lpBuffer,
int nSize,
void *lpNumberOfBytesWritten);
[DllImport("Kernel32.dll")]
public static extern bool AllocConsole();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CreateProcess(string lpApplicationName,
string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles,
uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
[In] ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
}
}
07/23/2014 23:07
rytis221#3
Thanks for the reply, I don't know why, but loader in the client says "failed 1" when I try to inject DLL to Conquer client and it doesn't work.
07/24/2014 11:41
tanelipe#4
Here's the DLL code (C++) that I used.
The Hook.h/cpp can be found from the previously link and the download.
Code:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <WinSock2.h>
#include "Hook.h"
#pragma comment(lib, "ws2_32.lib")
#define lib_func(lib, func) (GetProcAddress(GetModuleHandleA(lib), func))
char szConfig[MAX_PATH];
HOOK_STUB connect_stub;
void SetupConsole();
int __stdcall myconnect(SOCKET s, sockaddr_in* name, int len)
{
char szIPAddress[32];
int nPort, rPort;
rPort = ntohs(name->sin_port);
if (rPort >= 9950 && rPort <= 9970)
{
GetPrivateProfileStringA("config", "host", "127.0.0.1", szIPAddress, 32, szConfig);
nPort = GetPrivateProfileIntA("config", "port", 9958, szConfig);
name->sin_addr.s_addr = inet_addr(szIPAddress);
name->sin_port = htons(nPort);
}
else if (rPort == 5816)
{
GetPrivateProfileStringA("config", "gamehost", "127.0.0.1", szIPAddress, 32, szConfig);
nPort = GetPrivateProfileIntA("config", "gameport", 5816, szConfig);
name->sin_addr.s_addr = inet_addr(szIPAddress);
name->sin_port = htons(nPort);
}
typedef int (__stdcall *LPFCONNECT)(SOCKET,sockaddr_in*,int);
return ((LPFCONNECT)connect_stub.Address)(s, name, len);
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH: {
SetupConsole();
GetModuleFileNameA(GetModuleHandle(TEXT("ConquerHook.dll")), szConfig, MAX_PATH);
for (int i = strlen(szConfig) - 1; i >= 0; i--)
{
if (szConfig[i] == '\\')
{
szConfig[i+1] = NULL;
break;
}
}
strcat_s(szConfig, "config.ini");
printf(szConfig);
CreateHook32(lib_func("ws2_32.dll", "connect"), myconnect, &connect_stub);
} break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
void SetupConsole()
{
int hCrt;
FILE *hf;
AllocConsole();
hCrt = _open_osfhandle( (long)GetStdHandle( STD_OUTPUT_HANDLE ), _O_TEXT );
hf = _fdopen( hCrt, "w" );
*stdout = *hf;
hCrt = _open_osfhandle((long)GetStdHandle( STD_INPUT_HANDLE ), _O_TEXT);
hf = _fdopen( hCrt, "r" );
*stdin = *hf;
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stdin, NULL, _IONBF, 0);
}
07/24/2014 21:53
rytis221#5
When I am trying to connect to the server it says that there is a maintainance for 30 minutes, but in fact, there shouldn't be it. What's wrong with it?
Edited: I don't know how to bypass protection.
Edited: I don't know how to bypass protection.
08/14/2014 23:21
denominator#6
Just curious but does this
change depending on the game?
Code:
byte[] ShellCode = {
0x9C, // PUSH ALL FLAGS
0x60, // PUSH ALL REGISTERS
0x68, 0xAA, 0xAA, 0xAA, 0xAA, // PUSH DLL ADDRESS
0xB8, 0xBB, 0xBB, 0xBB, 0xBB, // MOV EAX, pLoadLib
0xFF, 0xD0, // CALL EAX (pLoadLib)
0x61, // POP ALL REGISTERS
0x9D, // POP ALL FLAGS
0xC3 // RET
};
08/15/2014 03:02
Best Coder 2014#7
No.Quote:
Just curious but does this
change depending on the game?Code:byte[] ShellCode = { 0x9C, // PUSH ALL FLAGS 0x60, // PUSH ALL REGISTERS 0x68, 0xAA, 0xAA, 0xAA, 0xAA, // PUSH DLL ADDRESS 0xB8, 0xBB, 0xBB, 0xBB, 0xBB, // MOV EAX, pLoadLib 0xFF, 0xD0, // CALL EAX (pLoadLib) 0x61, // POP ALL REGISTERS 0x9D, // POP ALL FLAGS 0xC3 // RET };
Edit:
Why are you creating the process suspended, then resuming the main thread just to suspend it again 2 seconds later?Quote:
Code:string CommandLine = PathTextBox.Text + "\\Conquer.exe blacknull"; SECURITY_ATTRIBUTES ProcessAttributes = new SECURITY_ATTRIBUTES(); SECURITY_ATTRIBUTES ThreadAttributes = new SECURITY_ATTRIBUTES(); STARTUPINFO StartupInformation = new STARTUPINFO(); PROCESS_INFORMATION ProcessInformation = new PROCESS_INFORMATION(); Native.CreateProcess(null, CommandLine, ref ProcessAttributes, ref ThreadAttributes, false, 0x00000004, IntPtr.Zero, PathTextBox.Text, ref StartupInformation, out ProcessInformation); Native.ResumeThread(ProcessInformation.hThread); Native.Sleep(2000); SuspendInjectResume(ProcessInformation, HookTextBox.Text);
And also in your "SuspendInjectResume" method, you're writing the return address (EIP) directly on the stack of the remote process, why not just put "push EIP" in your shell code instead?
08/15/2014 17:24
denominator#8
Thank you :D