[Release] Advanced hooking

Discussion on [Release] Advanced hooking within the CO2 Programming forum part of the Conquer Online 2 category.

Closed Thread
 
Old 07/09/2011, 23:32   #61
 
elite*gold: 0
Join Date: Dec 2007
Posts: 108
Received Thanks: 42
Quote:
Originally Posted by Synsia View Post
SendFunc: 0x6dfee2

I have no idea why he's using edx, but it's not needed to call the function.
Weird, I was still seeing the sent packets, but with that address at least it no longer crashes. It doesn't seem the packet is being sent (as I'm not getting an appropriate response), but the no crash is great. This is what I have currently:

Code:
public void SendPacket(byte[] packet)
{
    int packetAddr = (int)this.Dbg.AllocateMemory((uint)packet.Length);
    this.Dbg.WriteByteArray(packet, (int)packetAddr);

    using (MemoryStream ms = new MemoryStream())
    using (BinaryWriter writer = new BinaryWriter(ms))
    {
        // push packet size
        writer.Write((byte)0x68);
        writer.Write(packet.Length);

        // push packet address
        writer.Write((byte)0x68);
        writer.Write(packetAddr);

        // store NetWorkClass address in ECX
        writer.Write((byte)0xB9);
        writer.Write(NetworkClass);

        // store SendPacket() address in EAX
        writer.Write((byte)0xB8);
        writer.Write(SendPacketAddress);

        // call function stored in EAX
        writer.Write(new byte[] { 0xFF, 0xD0 });

        // return
        writer.Write((byte)0xC3);

        this.Dbg.ExecuteCode(ms.ToArray());
    }

    this.Dbg.FreeMemory(packetAddr);
}

private void HandleSentPacket(ref Helper.CONTEXT ctx)
{
    if (NetworkClass == 0)
    {
        NetworkClass = ctx.Esi;
    }
}
Belth is offline  
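
Seen from the detection side, the stub assembled in the post above has a fixed 23-byte layout, so a memory scanner can recognise it and read back its operands. The following is an added example, not code from this thread: the function names, the sample buffer and every address except 0x6dfee2 (quoted in the thread) are constructed, and the module range is an assumption.

```python
import struct

# Layout of the stub assembled in the post above (32-bit x86, 23 bytes):
#   68 imm32  push size       68 imm32  push packet address
#   B9 imm32  mov ecx, this   B8 imm32  mov eax, function
#   FF D0     call eax        C3        ret
STUB_LEN = 23
OPCODE_OFFSETS = ((0, 0x68), (5, 0x68), (10, 0xB9), (15, 0xB8))
TAIL = b"\xFF\xD0\xC3"


def decode_stub(buf, off):
    """Return the stub's operands if buf[off:] matches the layout, else None."""
    if off < 0 or off + STUB_LEN > len(buf):
        return None  # truncated candidate: never read past the buffer
    if buf[off + 20:off + STUB_LEN] != TAIL or any(
            buf[off + o] != op for o, op in OPCODE_OFFSETS):
        return None
    size, packet, this_ptr, target = (
        struct.unpack_from("<I", buf, off + o + 1)[0] for o, _ in OPCODE_OFFSETS
    )
    return {"offset": off, "size": size, "packet": packet,
            "this": this_ptr, "target": target}


def scan(buf, module_start, module_end):
    """Find stubs whose call target lies inside [module_start, module_end)."""
    hits = []
    pos = buf.find(b"\x68")
    while pos != -1:
        stub = decode_stub(buf, pos)
        if stub and module_start <= stub["target"] < module_end:
            hits.append(stub)
        pos = buf.find(b"\x68", pos + 1)
    return hits


def build_sample():
    """Constructed memory region: filler, one stub, then a truncated look-alike."""
    stub = (b"\x68" + struct.pack("<I", 0x2C)          # size (constructed)
            + b"\x68" + struct.pack("<I", 0x03A50000)  # packet addr (constructed)
            + b"\xB9" + struct.pack("<I", 0x0128F4D0)  # this pointer (constructed)
            + b"\xB8" + struct.pack("<I", 0x006DFEE2)  # address quoted in the thread
            + TAIL)
    return b"\x90" * 7 + stub + b"\xCC" * 4 + stub[:12]


if __name__ == "__main__":
    for hit in scan(build_sample(), 0x00400000, 0x00900000):  # range: assumption
        print({k: hex(v) for k, v in hit.items()})
```

Filtering on the call target keeps the scan to stubs that enter the monitored module; the truncated copy at the end of the sample is rejected by the length check rather than read out of bounds.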
Old 07/10/2011, 00:09   #62
 
elite*gold: 0
Join Date: Sep 2006
Posts: 774
Received Thanks: 8,580
MOV ECX, XXXXXXXX is opcode 0xB9, not 0xB8.

**** I can't read today. I'm not sure why it's not working for you, works fine here. What packet are you testing with?
phize is offline  
Old 07/10/2011, 00:25   #63
 
elite*gold: 0
Join Date: Dec 2007
Posts: 108
Received Thanks: 42
I'm saving a chat packet from OnSent and trying to send it again. I need to get ready for team pk now though so I won't be responding for a while.
Belth is offline  
Old 07/10/2011, 00:57   #64
 
elite*gold: 21
Join Date: Jul 2005
Posts: 9,193
Received Thanks: 5,380
so I just had the sad realization...

With the encryption change and it being such a 'valuable' secret.... hook based bots are going to take over and essentially remove the viability of making proxies and in the long term the progress of private servers (at least in terms of patches, we've already seen the stagnation in coding practices and source choices).

Not sure if this is a good thing or not... but it will be interesting nonetheless.

Maybe I'll re-write my ProxyParadise base into a hook based solution and continue the guides from there as I was already moving on to packets and actual bot systems which would work exactly the same way on a hook based bot...
pro4never is offline  
Thanks
3 Users
Old 07/10/2011, 03:05   #65
 
elite*gold: 0
Join Date: Dec 2007
Posts: 108
Received Thanks: 42
Quote:
Originally Posted by Synsia View Post
MOV ECX, XXXXXXXX is opcode 0xB9, not 0xB8.

**** I can't read today. I'm not sure why it's not working for you, works fine here. What packet are you testing with?
Well I can't find anything wrong either (don't know where to look)

Much thnx for the help and hopefully someone else can spot my error.
Belth is offline  
Old 07/10/2011, 03:44   #66
 
elite*gold: 0
Join Date: Jan 2007
Posts: 118
Received Thanks: 20
Quote:
Originally Posted by Synsia View Post
SendFunc: 0x6dfee2

I have no idea why he's using edx, but it's not needed to call the function.
How did you find those addresses? Any simple tutorial for assembly please.
xmen01235 is offline  
Old 07/10/2011, 05:07   #67
 
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199
Quote:
Originally Posted by pro4never View Post
so I just had the sad realization...

With the encryption change and it being such a 'valuable' secret.... hook based bots are going to take over and essentially remove the viability of making proxies and in the long term the progress of private servers (at least in terms of patches, we've already seen the stagnation in coding practices and source choices).

Not sure if this is a good thing or not... but it will be interesting nonetheless.

Maybe I'll re-write my ProxyParadise base into a hook based solution and continue the guides from there as I was already moving on to packets and actual bot systems which would work exactly the same way on a hook based bot...
It's still possible to make a private server for the current (and future) version(s) of CO, even if you don't know the encryption routines at all. Just hook/detour the SendPacket function inside the client with an injected DLL, and replace the original encryption with your own custom encryption.
Same goes for receiving packets: hook the function in the client where it decrypts server packets and replace it with your own decryption routine.
IAmHawtness is offline  
Thanks
2 Users
Old 07/10/2011, 13:42   #68
 
elite*gold: 0
Join Date: Jan 2007
Posts: 118
Received Thanks: 20
Quote:
Originally Posted by Synsia View Post
SendFunc: 0x6dfee2

I have no idea why he's using edx, but it's not needed to call the function.
The SendPacketAddress works fine for me and I can map the packet based on my old proxy packet structure. But the receivepacket doesn't seem to work for entities other than my character. It won't log the activity caused by other entities, like actions, character spawns, etc.

This part is working fine:
Code:
    Private Sub HandleSentPacket(ByRef ctx As CONTEXT)

        If NetworkClass = 0 Then NetworkClass = ctx.Esi

        Dim lpPacket As Integer = Me._dbg.ReadInt32(ctx.Esp + 4)
        Dim Size As Integer = Me._dbg.ReadInt32(ctx.Esp + 8)

        Dim data() As Byte = Me._dbg.ReadByteArray(lpPacket, Size)

        Dim mPacket As packet.myPacket
        mPacket = New packet.myPacket(Data)
        If Packet.Chat.IsThisType(mPacket) Then
            Dim mchat As packet.Chat = New packet.Chat(mPacket)
            ' mchat.Message = "123"
        End If
        If packet.Action.IsThisType(mPacket) Then
            Dim maction As packet.Action = New packet.Action(mPacket)
            ' Blah blah
            ' Blah blah
        End If
        Me._dbg.WriteByteArray(data, lpPacket)
    End Sub
This part will not update on any activities caused by other entities:
Code:
Private Sub HandleRecvPacket(ByRef ctx As CONTEXT)

        Dim lpPacket As Integer = Me._dbg.ReadInt32(ctx.Esp + 4)
        Dim Size As Integer = Me._dbg.ReadInt32(ctx.Esp + 8)

        Dim data() As Byte = Me._dbg.ReadByteArray(lpPacket, Size)

        Dim mPacket As packet.myPacket
        mPacket = New packet.myPacket(data)
        If packet.CharacterInformation.IsThisType(mPacket) Then
            Dim CharInfo As packet.CharacterInformation = New packet.CharacterInformation(mPacket)
            mychar = New character(CharInfo)
            charInfoIsLoadedFlg = True
            AddUpdateNearbyEntities(CharInfo.FirstName, CharInfo.AcountID, 0, 0)
        End If
        If packet.CharacterSpawning.IsThisType(mPacket) Then
            'Dim charspawn As packet.CharacterSpawning = New packet.CharacterSpawning(mPacket)
            'AddUpdateNearbyEntities(charspawn.CharacterName, charspawn.CharacterID, charspawn.CharacterCoordX, charspawn.CharacterCoordY)
            'If charspawn.CharacterStatus = &H4200000000000C8 Then
            ' UpdateDeathAliveChar(charspawn.CharacterID, 0)
            'Else
            'UpdateDeathAliveChar(charspawn.CharacterID, 1)
            'End If

        End If
        If packet.GeneralData.IsThisType(mPacket) Then
            Dim gendata As packet.GeneralData = New packet.GeneralData(mPacket)

            If gendata.DataType = 137 Then
                Me.OnCharMovement = True
                AddUpdateNearbyEntities(getName(gendata.EntityID), gendata.EntityID, gendata.CoordX, gendata.CoordY)
            End If

        End If
        If packet.Walk.IsThisType(mPacket) Then
            Dim mwalk As packet.Walk = New packet.Walk(mPacket)
            UpdateNearbyEntitiesWalking(mwalk)
        End If
        If packet.EntityStatus.IsThisType(mPacket) Then
            Dim estat As packet.EntityStatus = New packet.EntityStatus(mPacket)
            If estat.StatusType = 25 Then
                If estat.StatusValue = 32 Then
                    UpdateDeathAliveChar(estat.CharacterID, 0)
                ElseIf estat.StatusValue = 0 Then
                    UpdateDeathAliveChar(estat.CharacterID, 1)
                End If
            End If
        End If
    End Sub
I am using these addresses (I am also clueless about how you guys got those values):
SendPacketAddress= &H6DFEE2
RecvPacketAddress= &H6E2809


Hope someone will enlighten me. Thanks.
xmen01235 is offline  
Old 07/10/2011, 17:59   #69
 
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199
Quote:
Originally Posted by xmen01235 View Post
This part will not update on any activities caused by other entities:
Code:
Private Sub HandleRecvPacket(ByRef ctx As CONTEXT)

        Dim lpPacket As Integer = Me._dbg.ReadInt32(ctx.Esp + 4)
        Dim Size As Integer = Me._dbg.ReadInt32(ctx.Esp + 8)

        Dim data() As Byte = Me._dbg.ReadByteArray(lpPacket, Size)

        Dim mPacket As packet.myPacket
        mPacket = New packet.myPacket(data)
        If packet.CharacterInformation.IsThisType(mPacket) Then
            Dim CharInfo As packet.CharacterInformation = New packet.CharacterInformation(mPacket)
            mychar = New character(CharInfo)
            charInfoIsLoadedFlg = True
            AddUpdateNearbyEntities(CharInfo.FirstName, CharInfo.AcountID, 0, 0)
        End If
        If packet.CharacterSpawning.IsThisType(mPacket) Then
            'Dim charspawn As packet.CharacterSpawning = New packet.CharacterSpawning(mPacket)
            'AddUpdateNearbyEntities(charspawn.CharacterName, charspawn.CharacterID, charspawn.CharacterCoordX, charspawn.CharacterCoordY)
            'If charspawn.CharacterStatus = &H4200000000000C8 Then
            ' UpdateDeathAliveChar(charspawn.CharacterID, 0)
            'Else
            'UpdateDeathAliveChar(charspawn.CharacterID, 1)
            'End If

        End If
        If packet.GeneralData.IsThisType(mPacket) Then
            Dim gendata As packet.GeneralData = New packet.GeneralData(mPacket)

            If gendata.DataType = 137 Then
                Me.OnCharMovement = True
                AddUpdateNearbyEntities(getName(gendata.EntityID), gendata.EntityID, gendata.CoordX, gendata.CoordY)
            End If

        End If
        If packet.Walk.IsThisType(mPacket) Then
            Dim mwalk As packet.Walk = New packet.Walk(mPacket)
            UpdateNearbyEntitiesWalking(mwalk)
        End If
        If packet.EntityStatus.IsThisType(mPacket) Then
            Dim estat As packet.EntityStatus = New packet.EntityStatus(mPacket)
            If estat.StatusType = 25 Then
                If estat.StatusValue = 32 Then
                    UpdateDeathAliveChar(estat.CharacterID, 0)
                ElseIf estat.StatusValue = 0 Then
                    UpdateDeathAliveChar(estat.CharacterID, 1)
                End If
            End If
        End If
    End Sub
I am using these addresses (I am also clueless about how you guys got those values):
SendPacketAddress= &H6DFEE2
RecvPacketAddress= &H6E2809


Hope someone will enlighten me. Thanks.
The way you're reading the packet is correct; it's most likely something in your packet classes that's wrong. Also, for your packet handler, I suggest using something a little more manageable, like this:

Code:
Private Sub HandleRecvPacket(ByRef ctx As CONTEXT)

        Dim lpPacket As Integer = Me._dbg.ReadInt32(ctx.Esp + 4)
        Dim Size As Integer = Me._dbg.ReadInt32(ctx.Esp + 8)

        Dim data() As Byte = Me._dbg.ReadByteArray(lpPacket, Size)

        Dim PacketType As Short = BitConverter.ToInt16(data, 2)

        Select Case PacketType

                Case &H271A '(General data)
                        Dim DataPacket As New Packet.GeneralData(data)

                        Select Case DataPacket.SubType

                                Case &H89 '(Jump)
                                        OnJump(DataPacket)

                        End Select

                Case &H2715
                        OnWalk(New Packet.WalkPacket(data))

        End Select

End Sub
IAmHawtness is offline  
Old 07/10/2011, 19:09   #70
 
elite*gold: 21
Join Date: Jul 2005
Posts: 9,193
Received Thanks: 5,380
Quote:
Originally Posted by IAmHawtness View Post
It's still possible to make a private server for the current (and future) version(s) of CO, even if you don't know the encryption routines at all. Just hook/detour the SendPacket function inside the client with an injected DLL, and replace the original encryption with your own custom encryption.
Same goes for receiving packets: hook the function in the client where it decrypts server packets and replace it with your own decryption routine.
Yah.... cause people involved with pserver coding are

A: capable
B: willing

to put that much effort into their servers xD

(few exceptions)
pro4never is offline  
Old 07/10/2011, 20:26   #71
 
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199
Quote:
Originally Posted by pro4never View Post
Yah.... cause people involved with pserver coding are

A: capable
B: willing

to put that much effort into their servers xD

(few exceptions)
True, although I'd say that it would be an easier approach than trying to reverse the encryption. That depends on one's level of reversing knowledge though, of course.
IAmHawtness is offline  
Thanks
1 User
Old 07/11/2011, 01:08   #72
 
elite*gold: 0
Join Date: Dec 2007
Posts: 108
Received Thanks: 42
Quote:
Originally Posted by xmen01235 View Post
SendPacketAddress= &H6DFEE2
RecvPacketAddress= &H6E2809


Hope someone will enlighten me. Thanks.
The receive address is wrong I believe as it seems to point to the same function as the send address. It was just a guess on my end as I don't know what to look for either.
Belth is offline  
Old 07/11/2011, 01:51   #73
 
elite*gold: 20
Join Date: Aug 2007
Posts: 1,749
Received Thanks: 2,199
Oh yeah, RecvPacketAddress = &H6E01B7
IAmHawtness is offline  
Thanks
4 Users
Old 07/11/2011, 15:43   #74
 
elite*gold: 0
Join Date: Jan 2007
Posts: 118
Received Thanks: 20
Quote:
Originally Posted by IAmHawtness View Post
Oh yeah, RecvPacketAddress = &H6E01B7
I love you bro, it is working now. I will figure out that address later when I finish updating my new memory based bot.
xmen01235 is offline  
Old 07/11/2011, 15:57   #75
 
elite*gold: 21
Join Date: Jul 2005
Posts: 9,193
Received Thanks: 5,380
Re-downloading the latest framework.

Once I move into my boss' house tomorrow I'll have a **** ton of boredom and free time so I'll prob whip something together with this so I can continue with the bot tutorials.

**** you hawtness How dare you make me do work.
pro4never is offline  
Thanks
1 User