[Release] Advanced hooking
Discussion on [Release] Advanced hooking within the CO2 Programming forum part of the Conquer Online 2 category.
03/27/2012, 09:42
#166
Request
How can I send a packet to the client?
When I do this, the client crashes:
Code:
int packetAddr = (int)m_dbg.AllocateMemory((uint)packet.Length);
m_dbg.WriteByteArray(packet, packetAddr);
using (MemoryStream ms = new MemoryStream())
using (BinaryWriter writer = new BinaryWriter(ms))
{
    // push imm32 (opcode 0x68): packet size
    writer.Write((byte)0x68);
    writer.Write(packet.Length);
    // push imm32 (opcode 0x68): packet address
    writer.Write((byte)0x68);
    writer.Write(packetAddr);
    // mov esi, imm32 (opcode 0xBE): NetworkClass address
    writer.Write((byte)0xBE);
    writer.Write(NetworkClass);
    // mov eax, imm32 (opcode 0xB8): RecvPacket() address
    writer.Write((byte)0xB8);
    writer.Write(0x71422F);
    // call eax (opcode 0xFF 0xD0): call the function whose address is in EAX
    writer.Write(new byte[] { 0xFF, 0xD0 });
    // ret (opcode 0xC3)
    writer.Write((byte)0xC3);
    m_dbg.ExecuteCode(ms.ToArray());
}
m_dbg.FreeMemory(packetAddr);
03/27/2012, 20:52
#167
Quote:
Originally Posted by kudo2002
How can I send a packet to the client?
When I do this, the client crashes:
I'm trying to figure out the same thing.
Also, does anyone know whether, when doing something on the client, I have to forward the packets to the server?
03/27/2012, 22:42
#168
Quote:
Originally Posted by { Angelius }
Happens when you hook Conquer.exe. Not all the time, but it does happen: Conquer starts to run really slow and the CPU usage jumps up.
I'm not sure, but I think it's related to the AdvancedHooking library itself, so many exceptions/access violations/etc.
And the only way to fix that is by making some changes to the debug loop inside the DLL.
Not sure, it's just a theory. It happens that I'm coding my own hooker lib and the same thing happened, except that after handling those exceptions it went away.
How would I handle these exceptions?
I'm trying to recompile the debug_loop function, but I get lots of undefined references for the other functions. What can be the problem?
I'm using Reflector with the Reflexil plugin.
03/27/2012, 23:06
#169
@kudo2002
What you posted should send packets to the server, not to the client. To send packets to the client you should look into the receive loop in the client, understand how it works, and then think about sending packets, I guess.
@-Shunsui-
I don't understand your question; are you talking about blocking packets from being sent to the server?
@ruievmonteiro
Handling those exceptions is something that you should be looking up online; Google it or something.
And Reflector's job is to give you an idea of what's going on inside that DLL, not copy-paste source code.
03/28/2012, 01:18
#170
@Angelius I'm talking about this: when catching the packets that are sent to the server
and received from the server, do I have to forward them using the SendPacket function?
03/28/2012, 05:11
#171
Quote:
Originally Posted by -Shunsui-
@Angelius I'm talking about this: when catching the packets that are sent to the server
and received from the server, do I have to forward them using the SendPacket function?
No. If you are not blocking packets you do not need to call SendPacket().
03/29/2012, 11:39
#172
Quote:
Originally Posted by { Angelius }
@kudo2002
What you posted should send packets to the server, not to the client. To send packets to the client you should look into the receive loop in the client, understand how it works, and then think about sending packets, I guess.
Thank you. Could you help? I'm still a noob in assembly; I can't fully understand those:
LOCAL.1
LOCAL.3
What does LOCAL mean? I can't understand it; I googled but with no result.
04/08/2012, 19:33
#173
So how exactly does this packet receive loop work?
04/10/2012, 02:34
#174
Quote:
Originally Posted by -Shunsui-
So how exactly does this packet receive loop work?
Check  .
For client 5580 the address is 713A7E.
04/14/2012, 02:02
#175
What are the new addresses for send and receive now?
04/21/2012, 13:06
#176
I've been away for a while and now I've noticed that the send and receive functions do not work the same way as before. TQ may have updated the communications module inside the client. Am I right? Does anyone know how these functions work now?
04/21/2012, 19:13
#177
The send function is still the same; only its address has changed.
The receive loop has been changed for sure.
private const int SendPacketAddress = 0x6C0A81;
private const int NetworkClass = 0x96FC78;
private const int RecvLoopAddress = 0x6C05E8;
Some of the receive loop:
PHP Code:
006C056A $ 55             PUSH EBP
006C056B . 8DAC24 FCE9FFF>LEA EBP,DWORD PTR SS:[ESP-1604]
006C0572 . B8 04160000    MOV EAX,1604
006C0577 . E8 44F11200    CALL Conquer.007EF6C0
006C057C . 6A FF          PUSH -1
006C057E . 68 E6EA8300    PUSH Conquer.0083EAE6
006C0583 . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
006C0589 . 50             PUSH EAX
006C058A . 83EC 58        SUB ESP,58
006C058D . A1 C4B69600    MOV EAX,DWORD PTR DS:[96B6C4]
006C0592 . 33C5           XOR EAX,EBP
006C0594 . 8985 00160000  MOV DWORD PTR SS:[EBP+1600],EAX
006C059A . 53             PUSH EBX
006C059B . 56             PUSH ESI
006C059C . 57             PUSH EDI
006C059D . 50             PUSH EAX
006C059E . 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
006C05A1 . 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
006C05A7 . 8965 F0        MOV DWORD PTR SS:[EBP-10],ESP
006C05AA . 8BD9           MOV EBX,ECX
006C05AC . 895D D8        MOV DWORD PTR SS:[EBP-28],EBX
006C05AF . 8365 FC 00     AND DWORD PTR SS:[EBP-4],0
006C05B3 . 8B4B 14        MOV ECX,DWORD PTR DS:[EBX+14]
006C05B6 . 85C9           TEST ECX,ECX
006C05B8 . 0F84 0A020000  JE Conquer.006C07C8
006C05BE . E8 7EF5FFFF    CALL Conquer.006BFB41
006C05C3 . 85C0           TEST EAX,EAX
006C05C5 . 0F84 FD010000  JE Conquer.006C07C8
006C05CB > C745 EC 000400>MOV DWORD PTR SS:[EBP-14],400
006C05D2 . 8D45 00        LEA EAX,DWORD PTR SS:[EBP]
006C05D5 . 8945 E4        MOV DWORD PTR SS:[EBP-1C],EAX
006C05D8 . 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
006C05DB . 50             PUSH EAX
006C05DC . 8D45 00        LEA EAX,DWORD PTR SS:[EBP]
006C05DF . 50             PUSH EAX
006C05E0 . 8B4B 14        MOV ECX,DWORD PTR DS:[EBX+14]
006C05E3 . E8 BCF9FFFF    CALL Conquer.006BFFA4
006C05E8 . 85C0           TEST EAX,EAX
006C05EA . 75 2F          JNZ SHORT Conquer.006C061B
006C05EC . 8B4B 14        MOV ECX,DWORD PTR DS:[EBX+14]
006C05EF . E8 ABF4FFFF    CALL Conquer.006BFA9F
006C05F4 . 834D FC FF     OR DWORD PTR SS:[EBP-4],FFFFFFFF
006C05F8 > 8B4D F4        MOV ECX,DWORD PTR SS:[EBP-C]
006C05FB . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
006C0602 . 59             POP ECX
006C0603 . 5F             POP EDI
006C0604 . 5E             POP ESI
006C0605 . 5B             POP EBX
006C0606 . 8B8D 00160000  MOV ECX,DWORD PTR SS:[EBP+1600]
006C060C . 33CD           XOR ECX,EBP
006C060E . E8 55EA1200    CALL Conquer.007EF068
006C0613 . 81C5 04160000  ADD EBP,1604
006C0619 . C9             LEAVE
006C061A . C3             RETN
006C061B > FF75 EC        PUSH DWORD PTR SS:[EBP-14]
006C061E . FF75 E4        PUSH DWORD PTR SS:[EBP-1C]
006C0621 . E8 C7C7FFFF    CALL Conquer.006BCDED
006C0626 . 83C4 08        ADD ESP,8
006C0629 . 0FB7F8         MOVZX EDI,AX
006C062C . 897D E0        MOV DWORD PTR SS:[EBP-20],EDI
006C062F . 3B7D EC        CMP EDI,DWORD PTR SS:[EBP-14]
006C0632 .^7F 97          JG SHORT Conquer.006C05CB
006C0634 . 85FF           TEST EDI,EDI
006C0636 .^76 93          JBE SHORT Conquer.006C05CB
006C0638 . 57             PUSH EDI
006C0639 . FF75 E4        PUSH DWORD PTR SS:[EBP-1C]
006C063C . E8 B4C7FFFF    CALL Conquer.006BCDF5
006C0641 . 59             POP ECX
006C0642 . 59             POP ECX
006C0643 . 8BF0           MOV ESI,EAX
006C0645 . 8975 DC        MOV DWORD PTR SS:[EBP-24],ESI
006C0648 . 85F6           TEST ESI,ESI
006C064A . 0F84 63010000  JE Conquer.006C07B3
006C0650 . 0FB746 06      MOVZX EAX,WORD PTR DS:[ESI+6]
006C0654 . 0FB7D8         MOVZX EBX,AX
006C0657 . 895D D4        MOV DWORD PTR SS:[EBP-2C],EBX
PS: the addresses I provided are not actual calls; I only breakpoint at those addresses to pull whatever data I need, but I think it's enough to get you started.
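As an added example (not code from this thread or from the AdvancedHooking library), a small Python parser that turns an OllyDbg dump like the one above, whether clean or run together onto one line as forum copies often are, back into one instruction per entry and lists its calls and jumps, which is the quickest way to spot the loop edges (the JG/JBE back to 006C05CB) in a receive-loop dump. The excerpt it parses is constructed from addresses in the post, and the opcode-column heuristic is an assumption about OllyDbg's output format.

```python
import re
from typing import List, NamedTuple, Tuple
# Constructed excerpt of the OllyDbg dump posted above, kept on one line the way
# a forum copy flattens it (the addresses are the post's own).
LISTING = (
    "006C05CB > C745 EC 000400>MOV DWORD PTR SS:[EBP-14],400 "
    "006C05E3 . E8 BCF9FFFF CALL Conquer.006BFFA4 "
    "006C05EA . 75 2F JNZ SHORT Conquer.006C061B "
    "006C05FB . 64:890D 000000>MOV DWORD PTR FS:[0],ECX "
    "006C061B > FF75 EC PUSH DWORD PTR SS:[EBP-14] "
    "006C0632 .^7F 97 JG SHORT Conquer.006C05CB "
    "006C0636 .^76 93 JBE SHORT Conquer.006C05CB"
)

class Insn(NamedTuple):
    addr: int
    opcode: bytes    # bytes shown in the dump; incomplete when truncated is True
    truncated: bool  # OllyDbg cut the opcode column off with ">"
    text: str        # mnemonic and operands exactly as printed
# One instruction: 8-digit address, OllyDbg's column marker ("$" entry point,
# "." plain, ">" jump target, ".^" backward jump), then text up to the next address.
_INSN = re.compile(r"([0-9A-F]{8}) (\$|>|\.\^?) ?(.*?)(?= [0-9A-F]{8} (?:\$|>|\.\^?)|$)", re.S)
# Opcode-column token: even run of hex digits with optional segment prefix (64:A1),
# or a run cut off by ">". A mnemonic made only of hex letters (FADD) would fool it.
_OPTOK = re.compile(r"^(?:[0-9A-F]{2}:)?(?:(?:[0-9A-F]{2})+|[0-9A-F]+>)$")
_TARGET = re.compile(r"Conquer\.([0-9A-F]{8})")

def parse_listing(flat: str) -> List[Insn]:
    """Split a flattened OllyDbg dump back into one Insn per instruction."""
    insns = []
    for addr, _mark, rest in _INSN.findall(flat):
        tokens = rest.replace(">", "> ").split()  # un-glue "000000>MOV"
        ops = []
        while tokens and _OPTOK.match(tokens[0]):
            ops.append(tokens.pop(0))
        hexstr = "".join(ops).replace(":", "").rstrip(">")
        hexstr = hexstr[: len(hexstr) // 2 * 2]  # drop a dangling nibble
        insns.append(Insn(int(addr, 16), bytes.fromhex(hexstr),
                          bool(ops) and ops[-1].endswith(">"), " ".join(tokens)))
    return insns

def control_flow(insns: List[Insn]) -> List[Tuple[int, str, int, bool]]:
    """(addr, mnemonic, target, target_in_dump) per CALL/Jcc: True on a backward
    jump is a loop edge, False on a CALL is code the dump does not cover."""
    listed = {i.addr for i in insns}
    edges = []
    for i in insns:
        mnem, m = i.text.split()[0], _TARGET.search(i.text)
        if m and (mnem == "CALL" or mnem.startswith("J")):
            edges.append((i.addr, mnem, int(m.group(1), 16), int(m.group(1), 16) in listed))
    return edges
```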
04/23/2012, 20:29
#178
How do you get the address? I have asked but no one has answered me about it, and I have been trying to figure out how to do it but can't figure it out.
04/24/2012, 21:22
#179
There are a lot of ways to get those addresses, and I believe that a few pages back in this thread Belth mentioned a way or two on how to find them.
As for how I find them: I breakpoint on certain addresses near the winsock Send/Recv calls and trace them back to where they were called from (call stack/call tree); that makes it as easy as finding a string name.
04/25/2012, 05:43
#180
I really like this DLL, but the "advanced hooking" doesn't attach to new threads. Why not?
Can you add it please, IAmHawtness? Or can't you just post the source code, please? With Reflector it's possible to get it out anyway, but the formatting is lost, and some variable names are missing. :/
It's a very important feature for me!
Sorry if I didn't see it, if you already released it.