SendPacket C++
Discussion on SendPacket C++ within the C/C++ forum part of the Coders Den category.
09/20/2022, 18:02
#1
Hello,
I am trying to edit and send a packet to use a skill or walk in my game exe.
As in the picture, I set a breakpoint on 00787FA3; it is triggered only when I use a skill or walk.
The walk packet is 5F 03 0B CE D0
How can I edit the packet at 00191F7C and send it to the game exe with C++? Please show me example code, or is there another method?
Thanks.
09/30/2022, 14:45
#2
Is the packet buffer passed to 008F9CA0 in ECX? If yes you can easily call it by injecting your own DLL.
09/30/2022, 18:38
#3
Quote:
Originally Posted by Omdi
Is the packet buffer passed to 008F9CA0 in ECX? If yes you can easily call it by injecting your own DLL.
|
Thank you for your response.
The packet buffer address is 00191F7C (correct me if I'm wrong).
I think the packet buffer is passed to 008FA0A0 in EAX (as in Picture 01). Can I use this function?
Picture 01 (set Breakpoint at 00787F8F)
Picture 02 (set Breakpoint at 00787F96)
Picture 03 (set Breakpoint at 00787F9C)
Picture 04 (set Breakpoint at 00787FA3)
09/30/2022, 19:41
#4
Quote:
Originally Posted by krangsak
Thank you for your response.
The packet buffer address is 00191F7C (correct me if I'm wrong).
I think the packet buffer is passed to 008FA0A0 in EAX (as in Picture 01). Can I use this function?
Picture 01 (set Breakpoint at 00787F8F)
Picture 02 (set Breakpoint at 00787F96)
Picture 03 (set Breakpoint at 00787F9C)
Picture 04 (set Breakpoint at 00787FA3)

|
Could you upload the binary, so I could take a quick look?
09/30/2022, 20:08
#5
Quote:
Originally Posted by Omdi
Could you upload the binary, so I could take a quick look?
|
Sorry, I don't understand you. Do you mean upload the EXE file or use the binary copy menu in OllyDbg?
This is my EXE and the DLL file for debugging.
I'm trying to make something like this
Additional picture
PIC-ADD-01
PIC-ADD-02
PIC-ADD-03
PIC-ADD-04
10/01/2022, 20:53
#6
Now I think I found it.
Arg1 = 2E >> is Movement X
Arg2 = EC >> is Movement Y
Can someone guide me on the hook code?
10/08/2022, 16:30
#7
Code:
CPU Disasm
Address Hex dump Command Comments
00785173 |.^\E9 6EABFFFF JMP 0077FCE6
00785178 |> B8 37040000 MOV EAX,437
0078517D |. 8895 5604FFFF MOV BYTE PTR SS:[EBP+FFFF0456],DL
00785183 |. 66:8985 5004F MOV WORD PTR SS:[EBP+FFFF0450],AX
0078518A |. 8D85 5004FFFF LEA EAX,[EBP+FFFF0450]
00785190 |. 50 PUSH EAX
00785191 |. 898D 5204FFFF MOV DWORD PTR SS:[EBP+FFFF0452],ECX
00785197 |. 68 37040000 PUSH 437
0078519C \. E9 EE2D0000 JMP 00787F8F
007851A1 /> 8BCF MOV ECX,EDI
007851A3 |. E8 787FFFFF CALL 0077D120 ; [Ragnarok.0077D120
007851A8 |. 3C 01 CMP AL,1
007851AA |.^ 0F84 8CACFFFF JE 0077FE3C
007851B0 8B8D 4C06FFFF MOV ECX,DWORD PTR SS:[EBP+FFFF064C] ; //MovementX
007851B6 B8 5F030000 MOV EAX,35F
007851BB 8B95 4806FFFF MOV EDX,DWORD PTR SS:[EBP+FFFF0648] ; //MovementY
007851C1 |. 66:8985 4C2BF MOV WORD PTR SS:[EBP+FFFF2B4C],AX
007851C8 |. 8BC1 MOV EAX,ECX
007851CA |. C1F8 02 SAR EAX,2
007851CD |. 8885 4E2BFFFF MOV BYTE PTR SS:[EBP+FFFF2B4E],AL
007851D3 |. 8BC2 MOV EAX,EDX
007851D5 |. C1F8 04 SAR EAX,4
007851D8 |. 24 3F AND AL,3F
007851DA |. C0E1 06 SHL CL,6
007851DD |. 0AC1 OR AL,CL
007851DF |. C0E2 04 SHL DL,4
007851E2 |. 8885 4F2BFFFF MOV BYTE PTR SS:[EBP+FFFF2B4F],AL
007851E8 |. 8D85 4C2BFFFF LEA EAX,[EBP+FFFF2B4C]
007851EE |. 50 PUSH EAX
007851EF |. 8895 502BFFFF MOV BYTE PTR SS:[EBP+FFFF2B50],DL
007851F5 |. 68 5F030000 PUSH 35F
007851FA \. E9 902D0000 JMP 00787F8F
007851FF /> 8B95 4C06FFFF MOV EDX,DWORD PTR SS:[EBP+FFFF064C]
Code:
CPU Disasm
Address Hex dump Command Comments
00787F71 |. /7C 02 JL SHORT 00787F75
00787F73 |> |33C0 XOR EAX,EAX
00787F75 |> \8985 D203FFFF MOV DWORD PTR SS:[EBP+FFFF03D2],EAX
00787F7B |. B9 6D0B0000 MOV ECX,0B6D
00787F80 |. 8D85 D003FFFF LEA EAX,[EBP+FFFF03D0]
00787F86 |. 66:898D D003F MOV WORD PTR SS:[EBP+FFFF03D0],CX
00787F8D |. 50 PUSH EAX
00787F8E |. 51 PUSH ECX
00787F8F |> E8 2CCCB45F CALL Hooks::Send_Packet_Hook_P2
00787F94 |. 8BC8 MOV ECX,EAX
00787F96 |. E8 25171700 CALL 008F96C0 ; \Ragnarok.008F96C0
00787F9B |. 50 PUSH EAX
00787F9C |> E8 FF201700 CALL 008FA0A0
00787FA1 |. 8BC8 MOV ECX,EAX
00787FA3 |. E8 F81C1700 CALL 008F9CA0 ; \Ragnarok.008F9CA0
00787FA8 |. 33C0 XOR EAX,EAX
00787FAA \. EB 13 JMP SHORT 00787FBF
00787FAC /> 8B95 4C06FFFF MOV EDX,DWORD PTR SS:[EBP+FFFF064C]
Code:
Naked void Hooks::Send_Packet_Hook_P2(void) //00787F8F
{
    __asm
    {
        POP Outgoing_Packet_Return_Address
        //PUSHAD
        MOV ECX, 0x2A //Movement X
        MOV EAX, 0x35F
        MOV EDX, 0x0EB //Movement Y
        MOV WORD PTR SS : [EBP + 0xFFFF2B4C] , AX
        MOV EAX, ECX
        SAR EAX, 0x2
        MOV BYTE PTR SS : [EBP + 0xFFFF2B4E] , AL
        MOV EAX, EDX
        SAR EAX, 0x4
        AND AL, 0x3F
        SHL CL, 0x6
        OR AL, CL
        SHL DL, 0x4
        MOV BYTE PTR SS : [EBP + 0xFFFF2B4F] , AL
        LEA EAX, [EBP + 0xFFFF2B4C]
        PUSH EAX
        MOV BYTE PTR SS : [EBP + 0xFFFF2B50] , DL
        PUSH 0x35F
        //POPAD
        CALL Properties::Send_Packet_Original_Address
        PUSH Outgoing_Packet_Return_Address
        RET
    }
}
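The listing at 007851B0 to 007851F5 packs the two movement coordinates into three bytes after the 0x035F opcode. As an added example (not code from the thread or from the game), here is a receiving-side parser that reverses that packing and bounds-checks the result, since every value in this packet is controlled by whoever runs the client; `WalkRequest`, `parse_walk` and the map-size parameters are names assumed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Decoded walk request. Field and type names are this example's, not the game's.
struct WalkRequest { std::uint16_t x; std::uint16_t y; };

constexpr std::uint16_t kWalkOpcode = 0x035F;  // "MOV EAX,35F" in the listing
constexpr std::size_t   kWalkLength = 5;       // 2-byte opcode + 3 packed bytes

// Parse and validate one walk packet the way a receiver should before acting
// on it. map_w / map_h are the bounds of the sender's current map (assumed
// inputs). Returns false and leaves *out untouched on any malformed packet.
bool parse_walk(const std::uint8_t* buf, std::size_t len,
                std::uint16_t map_w, std::uint16_t map_h, WalkRequest* out) {
    if (buf == nullptr || out == nullptr || len != kWalkLength) return false;

    // Opcode is stored little-endian: 5F 03 -> 0x035F.
    const std::uint16_t opcode = static_cast<std::uint16_t>(buf[0] | (buf[1] << 8));
    if (opcode != kWalkOpcode) return false;

    // Inverse of the packing shown in the disassembly:
    //   buf[2] = x >> 2
    //   buf[3] = ((y >> 4) & 0x3F) | (x << 6)
    //   buf[4] = y << 4
    const std::uint16_t x = static_cast<std::uint16_t>((buf[2] << 2) | (buf[3] >> 6));
    const std::uint16_t y =
        static_cast<std::uint16_t>(((buf[3] & 0x3F) << 4) | (buf[4] >> 4));

    // The listed client code always leaves the low nibble of the last byte
    // zero; treating anything else as malformed is this example's policy.
    if ((buf[4] & 0x0F) != 0) return false;

    // Client-supplied coordinates are untrusted: reject anything off the map.
    if (x >= map_w || y >= map_h) return false;

    *out = WalkRequest{x, y};
    return true;
}

int main() {
    // Walk packet quoted in post #1; the 512x512 map size is constructed.
    const std::uint8_t sample[] = {0x5F, 0x03, 0x0B, 0xCE, 0xD0};
    WalkRequest r{};
    if (parse_walk(sample, sizeof sample, 512, 512, &r))
        std::printf("x=%u y=%u\n", r.x, r.y);
    return 0;
}
```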