[Release] Advanced hooking
Discussion on [Release] Advanced hooking within the CO2 Programming forum part of the Conquer Online 2 category.

09/15/2011, 17:24 - #91
elite*gold: 0 | Join Date: Dec 2007 | Posts: 108 | Received Thanks: 42
Can someone post the address to the ProcessMessage Function and its signature, please? x_x

09/15/2011, 18:07 - #92
elite*gold: 20 | Join Date: Aug 2007 | Posts: 1,749 | Received Thanks: 2,199
Quote:
Originally Posted by Belth
Can someone post the address to the ProcessMessage Function and its signature, please? x_x
The recv-loop:
Code:
006DEB57 $ B8 C4308300 MOV EAX,Conquer.008330C4
006DEB5C . E8 2F970900 CALL Conquer.00778290
006DEB61 . 51 PUSH ECX
006DEB62 . B8 38160000 MOV EAX,1638
006DEB67 . E8 349B0900 CALL Conquer.007786A0
006DEB6C . 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
006DEB70 . 53 PUSH EBX
006DEB71 . 56 PUSH ESI
006DEB72 . 8BF1 MOV ESI,ECX
006DEB74 . 57 PUSH EDI
006DEB75 . 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI
006DEB78 . 8B4E 14 MOV ECX,DWORD PTR DS:[ESI+14]
006DEB7B . 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
006DEB7E . 85C9 TEST ECX,ECX
006DEB80 . 0F84 E8010000 JE Conquer.006DED6E
006DEB86 . E8 30360000 CALL Conquer.006E21BB ; Call function that checks if there's a packet to be received
006DEB8B . 85C0 TEST EAX,EAX ; If there's a packet to be received, continue
006DEB8D . 0F84 DB010000 JE Conquer.006DED6E
006DEB93 > 8D85 B8F9FFFF LEA EAX,DWORD PTR SS:[EBP-648]
006DEB99 . 8B4E 14 MOV ECX,DWORD PTR DS:[ESI+14]
006DEB9C . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
006DEB9F . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
006DEBA2 . 50 PUSH EAX
006DEBA3 . 8D85 B8F9FFFF LEA EAX,DWORD PTR SS:[EBP-648]
006DEBA9 . 50 PUSH EAX
006DEBAA . C745 EC 000400>MOV DWORD PTR SS:[EBP-14],400
006DEBB1 . E8 7F300000 CALL Conquer.006E1C35 ; Call decrypt packet function
006DEBB6 . 85C0 TEST EAX,EAX ; If successful, continue
; (This is where you either change Eax to 0 to skip the processing of a packet,
; or change the contents of [EBP-18h] to the address of a custom packet that you
; wrote yourself and [EBP-14h] to the length of your custom packet)
006DEBB8 . 0F84 99010000 JE Conquer.006DED57
006DEBBE > FF75 EC PUSH DWORD PTR SS:[EBP-14]
006DEBC1 . FF75 E8 PUSH DWORD PTR SS:[EBP-18]
006DEBC4 . E8 96070000 CALL Conquer.006DF35F
006DEBC9 . 0FB7D8 MOVZX EBX,AX
006DEBCC . 3B5D EC CMP EBX,DWORD PTR SS:[EBP-14]
006DEBCF . 59 POP ECX
006DEBD0 . 59 POP ECX
006DEBD1 . 895D D4 MOV DWORD PTR SS:[EBP-2C],EBX
006DEBD4 .^7F BD JG SHORT Conquer.006DEB93
006DEBD6 . 85DB TEST EBX,EBX
006DEBD8 .^76 B9 JBE SHORT Conquer.006DEB93
006DEBDA . 53 PUSH EBX
006DEBDB . FF75 E8 PUSH DWORD PTR SS:[EBP-18]
006DEBDE . E8 84070000 CALL Conquer.006DF367
006DEBE3 . 8BF0 MOV ESI,EAX
006DEBE5 . 59 POP ECX
006DEBE6 . 85F6 TEST ESI,ESI
006DEBE8 . 59 POP ECX
006DEBE9 . 8975 E0 MOV DWORD PTR SS:[EBP-20],ESI
006DEBEC . 0F84 4D010000 JE Conquer.006DED3F
006DEBF2 . 0FB77E 06 MOVZX EDI,WORD PTR DS:[ESI+6]
006DEBF6 . 897D C4 MOV DWORD PTR SS:[EBP-3C],EDI
006DEBF9 . E8 CAB9E5FF CALL Conquer.0053A5C8
006DEBFE . 57 PUSH EDI
006DEBFF . 8BC8 MOV ECX,EAX
006DEC01 . E8 1BF10800 CALL Conquer.0076DD21
006DEC06 . E8 B310F0FF CALL Conquer.005DFCBE
006DEC0B . 57 PUSH EDI
006DEC0C . 8BC8 MOV ECX,EAX
006DEC0E . E8 F7F6F9FF CALL Conquer.0067E30A
006DEC13 . 8B06 MOV EAX,DWORD PTR DS:[ESI]
006DEC15 . 6A 00 PUSH 0
006DEC17 . 8BCE MOV ECX,ESI
006DEC19 . C645 FC 07 MOV BYTE PTR SS:[EBP-4],7
006DEC1D . FF50 10 CALL DWORD PTR DS:[EAX+10]

09/15/2011, 19:54 - #93
elite*gold: 0 | Join Date: Jul 2011 | Posts: 67 | Received Thanks: 84
Thanks IAmHawtness
Do you know the encrypt function location too? pleazzzzzzzzzzzzzzzzzzzzzz xx

09/16/2011, 00:12 - #94
elite*gold: 0 | Join Date: Dec 2007 | Posts: 108 | Received Thanks: 42
Quote:
Originally Posted by IAmHawtness
The recv-loop:
(This is where you either change Eax to 0 to skip the processing of a packet,
or change the contents of [EBP-18h] to the address of a custom packet that you
wrote yourself and [EBP-14h] to the length of your custom packet)
Correct me where I'm wrong.
Why would I want to skip the processing of a packet when I can just skip "receiving" the packet by setting ESI to a RTN8 statement?
I guess I can understand replacing the processing of 1 packet with another but I prefer to just "block" all packets and re-send them myself via a queue. For that I need a direct SendPacketToClient()-like function. I figured the routine for such a function would be similar to "SendPacketToServer()" so something like:
push packet size
push packet address
store network class in ECX
store ProcessMsg() address in EAX - is the address 6DEBBE?
call EAX

09/16/2011, 00:24 - #95
elite*gold: 20 | Join Date: Aug 2007 | Posts: 1,749 | Received Thanks: 2,199
Quote:
Originally Posted by Belth
Correct me where I'm wrong.
Why would I want to skip the processing of a packet when I can just skip "receiving" the packet by setting ESI to a RTN8 statement?
I guess I can understand replacing the processing of 1 packet with another but I prefer to just "block" all packets and re-send them myself via a queue. For that I need a direct SendPacketToClient()-like function. I figured the routine for such a function would be similar to "SendPacketToServer()" so something like:
push packet size
push packet address
store network class in ECX
store ProcessMsg() address in EAX - is the address 6DEBBE?
call EAX
Set Esi to a Retn8 statement? I think you mean Eip, right? You could do that, I just use the Eax = 1 or 0 though
From what I've experienced, calling the "ProcessMsg" function directly the way you described would sometimes cause the client to crash, for instance when updating character coordinates with either the pullback+jump response packets or the fatal strike step packet. I'm not sure, but I believe this could be caused by invalid data read/writes due to not being synchronized with the recv loop. That's why I switched to this method.
I just block all packets, add them to my own queue, and every time the recv loop is checking for incoming packets, I check my own queue if there's any packets that the client needs to process. If yes, I set Eax to 1 and change [EBP-18] to point to the address of my packet and [EBP-14] to the packet size.

09/16/2011, 00:40 - #96
elite*gold: 0 | Join Date: Dec 2007 | Posts: 108 | Received Thanks: 42
Quote:
Originally Posted by IAmHawtness
Set Esi to a Retn8 statement? I think you mean Eip, right? You could do that, I just use the Eax = 1 or 0 though
From what I've experienced, calling the "ProcessMsg" function directly the way you described would sometimes cause the client to crash, for instance when updating character coordinates with either the pullback+jump response packets or the fatal strike step packet. I'm not sure, but I believe this could be caused by invalid data read/writes due to not being synchronized with the recv loop. That's why I switched to this method.
I just block all packets, add them to my own queue, and every time the recv loop is checking for incoming packets, I check my own queue if there's any packets that the client needs to process. If yes, I set Eax to 1 and change [EBP+18] to point to the address of my packet and [EBP+14] to the packet size.
Yep, I meant EIP. Hmm so this is what I understand of your routine:
1. You queue a chat packet.
2. The recv loop runs and breaks at 006DEB8B just before checking if a packet is there to be processed. You check your queue and change EAX to 1.
3. You skip the decrypt function somehow?
4. Break at 006DEBB8 just before ProcessMsg (?), set EAX to 1, change EBP+18 to packet address and EBP+14 to packet size.

09/16/2011, 01:02 - #97
elite*gold: 20 | Join Date: Aug 2007 | Posts: 1,749 | Received Thanks: 2,199
Quote:
Originally Posted by Belth
Yep, I meant EIP. Hmm so this is what I understand of your routine:
1. You queue a chat packet.
2. The recv loop runs and breaks at 006DEB8B just before checking if a packet is there to be processed. You check your queue and change EAX to 1.
3. You skip the decrypt function somehow?
4. Break at 006DEBB8 just before ProcessMsg (?), set EAX to 1, change EBP+18 to packet address and EBP+14 to packet size.
Actually, I place a breakpoint on the TEST EAX,EAX instruction at 0x6DEBB6. I then check if Eax is 1 or 0.
If Eax is 1, I read the packet from [EBP-18] and [EBP-14], handle the packet in my packet handler, and add it to my packet queue, unless I want to skip the packet, of course.
I then set [EBP-18] and [EBP-14] to point to the first element in my packet queue and of course remove that packet from my queue (Dequeue).
If Eax is 0, I check if there's any packets in my queue, and if yes, I set Eax to 1 and set [EBP-18] to point to the first element in my packet queue and set [EBP-14] to the size of the packet.
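Added illustration, not IAmHawtness's code and not part of this thread: a plain C model of the decision his posts #95 and #97 describe at the TEST EAX,EAX point. It hooks nothing and touches no process; it only models the three values the thread names there (Eax, [EBP-18], [EBP-14]) and a FIFO queue, so the two cases, Eax = 1 and Eax = 0, can be stepped through and checked. The packet_t record, the queue capacity, and the filter that drops packets whose first byte is 0xFF are assumptions made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. Pure model of the choice made at the
 * "TEST EAX,EAX" point: nothing here touches a process, it only models the queue
 * bookkeeping so both cases (Eax = 1 and Eax = 0) can be stepped through. */

#define MAX_PKT   64   /* assumed maximum packet size for the model */
#define QUEUE_CAP 16   /* assumed queue capacity */

/* Hypothetical packet record: length plus a copy of the decrypted bytes. */
typedef struct { size_t len; uint8_t data[MAX_PKT]; } packet_t;

/* Fixed-size FIFO ring; real traffic and injected packets share it. */
typedef struct { packet_t items[QUEUE_CAP]; size_t head, count; } packet_queue_t;

/* Mirrors the three values the thread names at the breakpoint. */
typedef struct {
    int            eax;   /* Eax: 1 = a decrypted packet is waiting, 0 = nothing */
    const uint8_t *buf;   /* [EBP-18]: pointer to the decrypted packet */
    size_t         len;   /* [EBP-14]: its length */
} recv_state_t;

/* Return 1 to keep a packet, 0 to drop it before the client sees it. */
typedef int (*packet_filter_t)(const uint8_t *buf, size_t len);

static int queue_push(packet_queue_t *q, const uint8_t *data, size_t len) {
    if (q->count == QUEUE_CAP || len > MAX_PKT) return 0;
    packet_t *slot = &q->items[(q->head + q->count) % QUEUE_CAP];
    slot->len = len;
    memcpy(slot->data, data, len);
    q->count++;
    return 1;
}

static packet_t *queue_pop(packet_queue_t *q) {
    if (q->count == 0) return NULL;
    packet_t *p = &q->items[q->head];
    q->head = (q->head + 1) % QUEUE_CAP;
    q->count--;
    return p;   /* valid only until the slot is reused: copy it out */
}

/* The decision described in post #97. Returns 1 when the client should process
 * the packet now in *out (st->eax/buf/len point at it), 0 when Eax has been
 * cleared so the client skips this iteration. */
static int interpose(recv_state_t *st, packet_queue_t *q,
                     packet_filter_t keep, packet_t *out) {
    if (st->eax == 1 && (keep == NULL || keep(st->buf, st->len))) {
        /* A real packet arrived and survived the filter: queue it behind anything
         * already waiting so delivery order is preserved. If the queue is full,
         * let the client's own packet through untouched rather than lose it. */
        if (!queue_push(q, st->buf, st->len))
            return 1;
    }
    /* Eax = 0, a filtered packet, or a packet just queued: in every case the
     * client gets the oldest queued packet, if there is one. */
    packet_t *next = queue_pop(q);
    if (next == NULL) {
        st->eax = 0;                 /* nothing to process: client skips */
        return 0;
    }
    *out = *next;                    /* caller-owned copy: [EBP-18] must stay valid */
    st->eax = 1;
    st->buf = out->data;
    st->len = out->len;
    return 1;
}

/* Constructed filter for the scenario: drop packets whose first byte is 0xFF. */
static int sample_filter(const uint8_t *buf, size_t len) {
    return !(len > 0 && buf[0] == 0xFF);
}

typedef struct { int processed; uint8_t first_byte; } scenario_result_t;

/* Constructed scenario: one injected packet is queued before the loop runs, then
 * three iterations: a real packet, a real packet the filter drops, an idle pass.
 * Expected: 2 packets processed, the injected one (0x11...) delivered first. */
static scenario_result_t run_scenario(void) {
    static const uint8_t injected[] = { 0x11, 0x22, 0x33 };
    static const uint8_t real_a[]   = { 0x01, 0x02 };
    static const uint8_t real_b[]   = { 0xFF, 0x02 };    /* filtered out */
    packet_queue_t q = {0};
    packet_t out;
    scenario_result_t r = { 0, 0 };

    queue_push(&q, injected, sizeof injected);   /* injection path: via the queue */

    recv_state_t it1 = { 1, real_a, sizeof real_a };
    if (interpose(&it1, &q, sample_filter, &out)) { r.processed++; r.first_byte = out.data[0]; }
    recv_state_t it2 = { 1, real_b, sizeof real_b };
    r.processed += interpose(&it2, &q, sample_filter, &out);   /* delivers real_a */
    recv_state_t it3 = { 0, NULL, 0 };
    r.processed += interpose(&it3, &q, sample_filter, &out);   /* queue empty: Eax = 0 */
    return r;
}

int main(void) {
    scenario_result_t r = run_scenario();
    printf("processed=%d first_byte=0x%02X\n", r.processed, r.first_byte);
    return 0;
}
```

What the model makes explicit: an injected packet never reaches the client through a direct ProcessMsg call; it goes into the same queue as real traffic and is handed over only when the loop itself asks, which is the synchronization the thread credits for avoiding the crashes mentioned in #95. The caller-owned copy matters for the same reason: whatever [EBP-18] points at has to stay valid until the client is done with it, so the queue slot is copied out rather than aliased.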

09/16/2011, 01:12 - #98
elite*gold: 0 | Join Date: Dec 2007 | Posts: 108 | Received Thanks: 42
Quote:
Originally Posted by IAmHawtness
Actually, I place a breakpoint on the TEST EAX,EAX instruction at 0x6DEBB6. I then check if Eax is 1 or 0.
If Eax is 1, I read the packet from [EBP-18] and [EBP-14], handle the packet in my packet handler, and add it to my packet queue, unless I want to skip the packet, of course.
I then set [EBP-18] and [EBP-14] to point to the first element in my packet queue and of course remove that packet from my queue (Dequeue).
If Eax is 0, I check if there's any packets in my queue, and if yes, I set Eax to 1 and set [EBP-18] to point to the first element in my packet queue and set [EBP-14] to the size of the packet.
But if you break at 006DEBB6... that's after the function that checks if a packet was received/is to be processed. If there's no packet then it just jumps to Conquer.006DED6E. Is it because the client should be processing packets constantly that it doesn't matter or am I missing something?

09/16/2011, 01:34 - #99
elite*gold: 20 | Join Date: Aug 2007 | Posts: 1,749 | Received Thanks: 2,199
Quote:
Originally Posted by Belth
But if you break at 006DEBB6... that's after the function that checks if a packet was received/is to be processed. If there's no packet then it just jumps to Conquer.006DED6E. Is it because the client should be processing packets constantly that it doesn't matter or am I missing something?
Actually, you're right. I haven't really looked into how the client checks for packets, I'm probably wrong about how it does it, 'cause my explanation doesn't make sense. What I do know though, is that the client keeps looping at the
Code:
006DEBB6 . 85C0 TEST EAX,EAX
and if Eax is 1, it means that there's a packet to be processed, and that packet is already decrypted. I also know that the code is still called if there's no packets to be processed. It's a little weird, actually. It still checks if there's a decrypted packet that needs to be processed, even if it never received an encrypted packet to decrypt.
I'm not really sure about it though, I never looked into it because I know my method works fine

09/16/2011, 02:07 - #100
elite*gold: 0 | Join Date: Dec 2007 | Posts: 108 | Received Thanks: 42
Quote:
Originally Posted by IAmHawtness
I'm not really sure about it though, I never looked into it because I know my method works fine
Works perfectly at that
Much thanks

09/18/2011, 00:04 - #101
elite*gold: 0 | Join Date: Dec 2010 | Posts: 341 | Received Thanks: 255
I assume the addresses have changed?
Tis not working for me

09/18/2011, 01:13 - #102
elite*gold: 0 | Join Date: Dec 2007 | Posts: 108 | Received Thanks: 42
Quote:
Originally Posted by .Kinshi
I assume the addresses have changed?
Tis not working for me
Code:
private const int SendPacketFxnAddress = 0x6DF092;
private const int RecvPacketFxnAddress = 0x6DF367;
private const int RecvLoopAddress = 0x6DEBB6;
private const int Return8Address = 0x7C1AA3;
private const int NetworkClass = 0x96DD28;
Those are what I use for patch 5528 (explicitly stated in case anyone checks later).

09/19/2011, 07:45 - #103
elite*gold: 0 | Join Date: May 2011 | Posts: 1,769 | Received Thanks: 756
Bookmarked :3

09/23/2011, 02:09 - #104
elite*gold: 0 | Join Date: Dec 2010 | Posts: 341 | Received Thanks: 255
What would be the best way to disconnect the client using this?
Also, does the Send function make the client send the packet to the server? Or just send to the client?
Does TQServer/TQClient need to be appended, or does the client do that after the send is hit?

09/23/2011, 08:18 - #105
elite*gold: 0 | Join Date: Sep 2006 | Posts: 774 | Received Thanks: 8,580
Quote:
Originally Posted by .Kinshi
What would be the best way to disconnect the client using this?
Also, does the Send function make the client send the packet to the server? Or just send to the client?
Does TQServer/TQClient need to be appended, or does the client do that after the send is hit?
Either call the client's own disconnect wrapper function or call closesocket() with the correct socket (which you can get from hooking connect())
There's no need to append packets with TQ stamps when you're using the client functions, they will do this for you.