Send packet function (ASM) in game

thfire · 03/03/2016, 11:37

I have an ASM code :

PUSHAD()
MOV_ECX(CALL_PACKET)
MOV_EAX(Address) // packet array
PUSH_EAX()
MOV_EDX(0X0048D330)
CALL_EDX()
POPAD()
RET()

My packet array :

Code:

[0X80,0X54,0X61,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X60,0X00,0X02,0X00,0X00]

Then I create an Alloc address and write packet into.

I was successful to send it, but sometime the game will be disconnected.....

I try to use WPE PRO to check the packet which send to server by ASM Injection, it's the same as the packet in WPE PRO!

What should I do now ?

Sorry if my English isnt good....thank you so much....

This is my full code:

Code:

$Address = _AllocEX($Process,100)
$Address_Inject = _AllocEX($Process,1024)

Func _SEND_EX($LENGTH,$PACKET)
	For $i = 0 To ($LENGTH - 1) Step +1
		_WRITEPACKET($i,$PACKET[$i])
	Next
	$OPcode = ""
	PUSHAD()
	MOV_ECX($CALL_PACKET)
	MOV_EAX($Address)
	PUSH_EAX()
	MOV_EDX(0X0048D330)
	CALL_EDX()
	POPAD()
	RET()
	InjectCode($OPcode)
	Sleep(50)
	_CLEAN_PACKET($LENGTH)
EndFunc   ;==>_SEND_EX
Func _CLEAN_PACKET($LENGTH)
	For $i = 0 To ($LENGTH - 1) Step +1
		_WRITEPACKET($i,0X00)
	Next
EndFunc   ;==>_CLEAN_PACKET
Func _WRITEPACKET($i,$PACKET)
	While 1
		_MEMORYWRITE($Address + $i,$MEMID,$PACKET,"byte")
		IF "0X" & Hex(_MEMORYREAD($Address + $i,$MEMID,"BYTE"),2) = $PACKET Then ExitLoop
	WEnd
EndFunc   ;==>_WRITEPACKET
Func InjectCode($OPcode)
	Local $Address = 0,$Thread = 0,$Data = 0
	Local $Data = DllStructCreate("byte[" & StringLen($OPcode) / 2 & "]")
	For $i = 1 To DllStructGetSize($Data)
		DllStructSetData($Data,1,Dec(StringMid($OPcode,($i - 1) * 2 + 1,2)),$i)
	Next
	_WriteMemory($Process,$Data,$Address_Inject)
	$Thread = _CreateRemoteThread($Process,$Address_Inject)
	_WaitForSingelObject($Thread)
	_FreeAllocEX($Process,$Data,$Thread)
	Local $Data = DllStructCreate("byte[" & StringLen($OPcode) / 2 & "]")
	For $i = 1 To DllStructGetSize($Data)
		DllStructSetData($Data,1,0X00,$i)
	Next
	_WriteMemory($Process,$Data,$Address_Inject)
	$OPcode = ""
EndFunc   ;==>InjectCode
#Region INJECTION
Func _AllocEX($Process,$Data)
	$Alloc = DllCall("Kernel32.dll","ptr","VirtualAllocEx","int",$Process,"ptr",0,"int",$Data,"int",0x1000,"int",0x40)
	Return $Alloc[0]
EndFunc   ;==>_AllocEX
Func _WriteMemory($Process,$Data,$Address)
	DllCall("Kernel32.dll","int","WriteProcessMemory","int",$Process,"ptr",$Address,"ptr",DllStructGetPtr($Data),"int",DllStructGetSize($Data),"int",0)
EndFunc   ;==>_WriteMemory
Func _CreateRemoteThread($Process,$Address)
	$ThreadRemote = DllCall("Kernel32.dll","int","CreateRemoteThread","int",$Process,"ptr",0,"int",0,"int",$Address,"ptr",0,"int",0,"int",0)
	Return $ThreadRemote[0]
EndFunc   ;==>_CreateRemoteThread
Func _WaitForSingelObject($Thread)
	DllCall("Kernel32.dll","int","WaitForSingleObject","int",$Thread,"int",5000)
EndFunc   ;==>_WaitForSingelObject
Func _FreeAllocEX($Process,$Data,$Thread)
	DllCall("Kernel32.dll","int","CloseHandle","int",$Thread)
	$RESULT = DllCall("Kernel32.dll","ptr","VirtualFreeEx","hwnd",$Process,"ptr",DllStructGetPtr($Data),"int",DllStructGetSize($Data),"int",32768)
EndFunc   ;==>_FreeAllocEX
Func _ProcessOpen($PID)
	$hProcess = DllCall("Kernel32.dll","int","OpenProcess","int",0x1F0FFF,"int",0,"int",$PID)
	Return $hProcess[0]
EndFunc   ;==>_ProcessOpen
#EndRegion INJECTION

Shadow992 · 03/03/2016, 15:06

Quote:

Originally Posted by thfire

I have an ASM code :

PUSHAD()
MOV_ECX(CALL_PACKET)
MOV_EAX(Address) // packet array
PUSH_EAX()
MOV_EDX(0X0048D330)
CALL_EDX()
POPAD()
RET()

My packet array :

Code:

[0X80,0X54,0X61,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X00,0X60,0X00,0X02,0X00,0X00]

Then I create an Alloc address and write packet into.

I was successful to send it, but sometime the game will be disconnected.....

I try to use WPE PRO to check the packet which send to server by ASM Injection, it's the same as the packet in WPE PRO!

What should I do now ?

Sorry if my English isnt good....thank you so much....

This is my full code:

Code:

$Address = _AllocEX($Process,100)
$Address_Inject = _AllocEX($Process,1024)

Func _SEND_EX($LENGTH,$PACKET)
	For $i = 0 To ($LENGTH - 1) Step +1
		_WRITEPACKET($i,$PACKET[$i])
	Next
	$OPcode = ""
	PUSHAD()
	MOV_ECX($CALL_PACKET)
	MOV_EAX($Address)
	PUSH_EAX()
	MOV_EDX(0X0048D330)
	CALL_EDX()
	POPAD()
	RET()
	InjectCode($OPcode)
	Sleep(50)
	_CLEAN_PACKET($LENGTH)
EndFunc   ;==>_SEND_EX
Func _CLEAN_PACKET($LENGTH)
	For $i = 0 To ($LENGTH - 1) Step +1
		_WRITEPACKET($i,0X00)
	Next
EndFunc   ;==>_CLEAN_PACKET
Func _WRITEPACKET($i,$PACKET)
	While 1
		_MEMORYWRITE($Address + $i,$MEMID,$PACKET,"byte")
		IF "0X" & Hex(_MEMORYREAD($Address + $i,$MEMID,"BYTE"),2) = $PACKET Then ExitLoop
	WEnd
EndFunc   ;==>_WRITEPACKET
Func InjectCode($OPcode)
	Local $Address = 0,$Thread = 0,$Data = 0
	Local $Data = DllStructCreate("byte[" & StringLen($OPcode) / 2 & "]")
	For $i = 1 To DllStructGetSize($Data)
		DllStructSetData($Data,1,Dec(StringMid($OPcode,($i - 1) * 2 + 1,2)),$i)
	Next
	_WriteMemory($Process,$Data,$Address_Inject)
	$Thread = _CreateRemoteThread($Process,$Address_Inject)
	_WaitForSingelObject($Thread)
	_FreeAllocEX($Process,$Data,$Thread)
	Local $Data = DllStructCreate("byte[" & StringLen($OPcode) / 2 & "]")
	For $i = 1 To DllStructGetSize($Data)
		DllStructSetData($Data,1,0X00,$i)
	Next
	_WriteMemory($Process,$Data,$Address_Inject)
	$OPcode = ""
EndFunc   ;==>InjectCode
#Region INJECTION
Func _AllocEX($Process,$Data)
	$Alloc = DllCall("Kernel32.dll","ptr","VirtualAllocEx","int",$Process,"ptr",0,"int",$Data,"int",0x1000,"int",0x40)
	Return $Alloc[0]
EndFunc   ;==>_AllocEX
Func _WriteMemory($Process,$Data,$Address)
	DllCall("Kernel32.dll","int","WriteProcessMemory","int",$Process,"ptr",$Address,"ptr",DllStructGetPtr($Data),"int",DllStructGetSize($Data),"int",0)
EndFunc   ;==>_WriteMemory
Func _CreateRemoteThread($Process,$Address)
	$ThreadRemote = DllCall("Kernel32.dll","int","CreateRemoteThread","int",$Process,"ptr",0,"int",0,"int",$Address,"ptr",0,"int",0,"int",0)
	Return $ThreadRemote[0]
EndFunc   ;==>_CreateRemoteThread
Func _WaitForSingelObject($Thread)
	DllCall("Kernel32.dll","int","WaitForSingleObject","int",$Thread,"int",5000)
EndFunc   ;==>_WaitForSingelObject
Func _FreeAllocEX($Process,$Data,$Thread)
	DllCall("Kernel32.dll","int","CloseHandle","int",$Thread)
	$RESULT = DllCall("Kernel32.dll","ptr","VirtualFreeEx","hwnd",$Process,"ptr",DllStructGetPtr($Data),"int",DllStructGetSize($Data),"int",32768)
EndFunc   ;==>_FreeAllocEX
Func _ProcessOpen($PID)
	$hProcess = DllCall("Kernel32.dll","int","OpenProcess","int",0x1F0FFF,"int",0,"int",$PID)
	Return $hProcess[0]
EndFunc   ;==>_ProcessOpen
#EndRegion INJECTION

I am quite sure this is due to synchronization problems.
You call "CreateRemoteThread" on a probably not thread-safe function. This means whenever there occurs some multi-threading problems (e.g. two ASM instructions want to write simultaneously to one address) the game may (in worst case) crash or at least disconnect.

There are two possible solutions to solve this:
1. Guarantee your thread that the function you call is atomic (this seems to be quite hard to be honest)
2. Do not use "CreateRemoteThread" but use something which forces non-parallel working (e.g. Code-Cave-Injection).

However solution one seems to be more interesting to me. I guess you should be able to inject some SpinLock-ASM-Code. However this should be done by directly injecting ASM-Code (and not by calling CreateRemoteThread).
Have a look at this:

and this (maybe linux kernel may help you too):

Another problem may be that the server somehow counts how many packets per second a client sends. So if you send some packets the server may notice that you sent too much packets and that you may try to hack/inject something.

Also possible problem could be that if you send two packets at the same time the server does not know which packets to process first and therefore disconnects (for security reason or similar).

However these are all possible reasons but the synchronization problem seems to me the problem with the biggest impact. So you should at first try this (or at least verify that the called code does not share any addresses).

thfire · 03/03/2016, 15:17

Yes! I found this problem, same as you said that (thks very much <3)
"the server may notice that you sent too much packets and that you may try to hack/inject something"
I sure that cause after disconnected, my account was banned and I have to unban on website
.........What should I do now?? Maybe I have to sleep my function??

Shadow992 · 03/03/2016, 16:09

Quote:

Originally Posted by thfire

Yes! I found this problem, same as you said that (thks very much <3)
"the server may notice that you sent too much packets and that you may try to hack/inject something"
I sure that cause after disconnected, my account was banned and I have to unban on website
.........What should I do now?? Maybe I have to sleep my function??

This highly depends on how many packets you send per second. If you are only sending 1 or 2 this will not be the reason for sure.

But if you send like 10-20 this may be the problem.

You should also double check that you did not miss any kind of security check (e.g. a packet that is sent all 15sec which contains the count of sent packets) or some restrictions like "minimum/maximum packetsize".

thfire · 03/03/2016, 20:53

I will check it again and reply for you....Its midnight now sorry for late reply...

Yes, I found this problem!! The server may notice try to hack/inject something
But I dont know how to check same as you said! Can you give me more e.g...? Please....

ASM in Cheat Engine:

Code:

pushad
mov ecx,[0064577C]
mov eax,0018F14 // Address packet 
push eax
call 0048D330
popad
ret

Maybe my code injection was wrong?

Shadow992 · 03/04/2016, 14:49

Quote:
Originally Posted by thfire
I will check it again and reply for you....Its midnight now sorry for late reply...

Yes, I found this problem!! The server may notice try to hack/inject something
But I dont know how to check same as you said! Can you give me more e.g...? Please....

ASM in Cheat Engine:
Code:
pushad
mov ecx,[0064577C]
mov eax,0018F14 // Address packet 
push eax
call 0048D330
popad
ret
Maybe my code injection was wrong?

There is not much we can do for you. Your ASM code looks ok (and you also said it works). So ASM will most likely not be a problem directly. However have a look at the suggestions I made.

thfire · 03/04/2016, 15:27

is this "[Release] AutoIt-UDF for Easy Code-Cave injection and Memory Manipulation" ?

Shadow992 · 03/04/2016, 19:17

Quote:

Originally Posted by thfire

is this "[Release] AutoIt-UDF for Easy Code-Cave injection and Memory Manipulation" ?

I have not tested it for long time, but it should work with this UDF (however I dont knoe if this will solve all your problems maybe it will not change anything). But you could at least try it to be sure it is not the synchronization fact.

thfire · 03/05/2016, 04:00

Tks very much! I hope it will solve my problem xD