|
You last visited: Today at 00:31
Advertisement
[HELP] Conquer auth ip through DLL
Discussion on [HELP] Conquer auth ip through DLL within the CO2 Programming forum part of the Conquer Online 2 category.
07/22/2014, 23:37
|
#1
|
elite*gold: 0 
Join Date: Jun 2007
Posts: 64
Received Thanks: 41
|
[HELP] Conquer auth ip through DLL
Could someone tell me any loader that I could hook .dll on latest co? I need to redirect ip to my proxy. Or any c# code. I would be thankful, guys.
|
|
|
|
07/23/2014, 15:30
|
#2
|
elite*gold: 20
Join Date: Aug 2005
Posts: 1,734
Received Thanks: 1,001
|
Here's a loader made in C#
Code:
private unsafe void SuspendInjectResume(PROCESS_INFORMATION pProcessInfo, string Dll)
{
uint Length = (uint)(Dll.Length + 1);
// Get the LoadLibrary address
UIntPtr hLoadLibrary = Native.GetProcAddress(Native.GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
// Allocate space for DLL.
IntPtr pDllLocation = Native.VirtualAllocEx(pProcessInfo.hProcess, IntPtr.Zero, Length, 0x1000, 0x40);
if (pDllLocation != IntPtr.Zero)
{
// Write DLL path to process memory.
Native.WriteProcessMemory(pProcessInfo.hProcess, pDllLocation, Dll, Length, IntPtr.Zero);
}
byte[] ShellCode = {
0x9C, // PUSH ALL FLAGS
0x60, // PUSH ALL REGISTERS
0x68, 0xAA, 0xAA, 0xAA, 0xAA, // PUSH DLL ADDRESS
0xB8, 0xBB, 0xBB, 0xBB, 0xBB, // MOV EAX, pLoadLib
0xFF, 0xD0, // CALL EAX (pLoadLib)
0x61, // POP ALL REGISTERS
0x9D, // POP ALL FLAGS
0xC3 // RET
};
uint pLoadLibAddress = hLoadLibrary.ToUInt32();
uint pDllAddress = (uint)pDllLocation.ToInt32();
// Load our DLL address to the Shell Code
ShellCode[3] = (byte)(pDllAddress & 0xFF);
ShellCode[4] = (byte)((pDllAddress >> 8) & 0xFF);
ShellCode[5] = (byte)((pDllAddress >> 16) & 0xFF);
ShellCode[6] = (byte)((pDllAddress >> 24) & 0xFF);
// Load LoadLibraryA to the Shell Code
ShellCode[8] = (byte)(pLoadLibAddress & 0xFF);
ShellCode[9] = (byte)((pLoadLibAddress >> 8) & 0xFF);
ShellCode[10] = (byte)((pLoadLibAddress >> 16) & 0xFF);
ShellCode[11] = (byte)((pLoadLibAddress >> 24) & 0xFF);
// Suspend the main thread, allows us to hijack it.
Native.SuspendThread(pProcessInfo.hThread);
CONTEXT context = new CONTEXT();
context.ContextFlags = (uint)CONTEXT_FLAGS.CONTEXT_FULL;
// Get the thread context. Allows us to get access to EIP and ESP.
if (Native.GetThreadContext(pProcessInfo.hThread, ref context))
{
// Write EIP (address of next operation) to ESP-4 (stack).
UIntPtr lpBaseAddress = new UIntPtr(context.Esp - 4);
Native.WriteProcessMemory(pProcessInfo.hProcess, lpBaseAddress, &context.Eip, sizeof(uint), null);
// Allocate space for our shell code
IntPtr ShellCodeAddress = Native.VirtualAllocEx(pProcessInfo.hProcess, IntPtr.Zero, (uint)ShellCode.Length, 0x1000, 0x40);
if (ShellCodeAddress != IntPtr.Zero)
{
// Write our shell code to the application
IntPtr lpNumberBytesWritten = IntPtr.Zero;
Native.WriteProcessMemory(pProcessInfo.hProcess, ShellCodeAddress, ShellCode, ShellCode.Length, out lpNumberBytesWritten);
// Set EIP (address of next operation) to our shell code address
context.Eip = (uint)ShellCodeAddress.ToInt32();
// Update the thread flags / registers
Native.SetThreadContext(pProcessInfo.hThread, ref context);
// Resume thread from our shell code.
Native.ResumeThread(pProcessInfo.hThread);
// Executes our code and then jumps back to original code once our shellcode is done.
}
}
}
Which is used like this:
Code:
string CommandLine = PathTextBox.Text + "\\Conquer.exe blacknull";
SECURITY_ATTRIBUTES ProcessAttributes = new SECURITY_ATTRIBUTES();
SECURITY_ATTRIBUTES ThreadAttributes = new SECURITY_ATTRIBUTES();
STARTUPINFO StartupInformation = new STARTUPINFO();
PROCESS_INFORMATION ProcessInformation = new PROCESS_INFORMATION();
Native.CreateProcess(null, CommandLine, ref ProcessAttributes, ref ThreadAttributes, false, 0x00000004, IntPtr.Zero, PathTextBox.Text, ref StartupInformation, out ProcessInformation);
Native.ResumeThread(ProcessInformation.hThread);
Native.Sleep(2000);
SuspendInjectResume(ProcessInformation, HookTextBox.Text);
And here is the Native class
Code:
using System;
using System.Runtime.InteropServices;
namespace ConquerProxy
{
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public unsafe struct STARTUPINFO
{
public Int32 cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwYSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public Int32 dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES
{
public int nLength;
public unsafe byte* lpSecurityDescriptor;
public int bInheritHandle;
}
[StructLayout(LayoutKind.Sequential)]
public unsafe struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
}
public enum CONTEXT_FLAGS : uint
{
CONTEXT_i386 = 0x10000,
CONTEXT_i486 = 0x10000, // same as i386
CONTEXT_CONTROL = CONTEXT_i386 | 0x01, // SS:SP, CS:IP, FLAGS, BP
CONTEXT_INTEGER = CONTEXT_i386 | 0x02, // AX, BX, CX, DX, SI, DI
CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04, // DS, ES, FS, GS
CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08, // 387 state
CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10, // DB 0-3,6,7
CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20, // cpu specific extensions
CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,
CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS
}
[StructLayout(LayoutKind.Sequential)]
public struct FLOATING_SAVE_AREA
{
public uint ControlWord;
public uint StatusWord;
public uint TagWord;
public uint ErrorOffset;
public uint ErrorSelector;
public uint DataOffset;
public uint DataSelector;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
public byte[] RegisterArea;
public uint Cr0NpxState;
}
[StructLayout(LayoutKind.Sequential)]
public struct CONTEXT
{
public uint ContextFlags; //set this to an appropriate value
// Retrieved by CONTEXT_DEBUG_REGISTERS
public uint Dr0;
public uint Dr1;
public uint Dr2;
public uint Dr3;
public uint Dr6;
public uint Dr7;
// Retrieved by CONTEXT_FLOATING_POINT
public FLOATING_SAVE_AREA FloatSave;
// Retrieved by CONTEXT_SEGMENTS
public uint SegGs;
public uint SegFs;
public uint SegEs;
public uint SegDs;
// Retrieved by CONTEXT_INTEGER
public uint Edi;
public uint Esi;
public uint Ebx;
public uint Edx;
public uint Ecx;
public uint Eax;
// Retrieved by CONTEXT_CONTROL
public uint Ebp;
public uint Eip;
public uint SegCs;
public uint EFlags;
public uint Esp;
public uint SegSs;
// Retrieved by CONTEXT_EXTENDED_REGISTERS
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
public byte[] ExtendedRegisters;
}
public unsafe partial class Native
{
[DllImport("Kernel32.dll")]
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, UIntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);
[DllImport("Kernel32.dll")]
public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, Int32 dwProcessId);
[DllImport("Kernel32.dll")]
public static extern Int32 CloseHandle(IntPtr hObject);
[DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
public static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
[DllImport("Kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true)]
public static extern UIntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("Kernel32.dll")]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, string lpBuffer, uint nSize, IntPtr lpNumberOfBytesWritten);
[DllImport("Kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
public static extern Int32 WaitForSingleObject(IntPtr handle, Int32 milliseconds);
[DllImport("kernel32.dll")]
public static extern uint ResumeThread(IntPtr hThread);
[DllImport("Kernel32.dll")]
public static extern void Sleep(uint milliSeconds);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern int SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll")]
public static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT lpContext);
[DllImport("kernel32.dll")]
public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll")]
public static extern bool SetThreadContext(IntPtr hThread,
[In] ref CONTEXT lpContext);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
int nSize,
out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
UIntPtr lpBaseAddress,
void *lpBuffer,
int nSize,
void *lpNumberOfBytesWritten);
[DllImport("Kernel32.dll")]
public static extern bool AllocConsole();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CreateProcess(string lpApplicationName,
string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles,
uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
[In] ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
}
}
And if you need a DLL, you can check this post: 
|
|
|
|
|
07/23/2014, 23:07
|
#3
|
elite*gold: 0
Join Date: Jun 2007
Posts: 64
Received Thanks: 41
|
Thanks for the reply, I don't know why, but loader in the client says "failed 1" when I try to inject DLL to Conquer client and it doesn't work.
|
|
|
|
|
07/24/2014, 11:41
|
#4
|
elite*gold: 20
Join Date: Aug 2005
Posts: 1,734
Received Thanks: 1,001
|
Here's the DLL code (C++) that I used.
Code:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <WinSock2.h>
#include "Hook.h"
#pragma comment(lib, "ws2_32.lib")
#define lib_func(lib, func) (GetProcAddress(GetModuleHandleA(lib), func))
char szConfig[MAX_PATH];
HOOK_STUB connect_stub;
void SetupConsole();
int __stdcall myconnect(SOCKET s, sockaddr_in* name, int len)
{
char szIPAddress[32];
int nPort, rPort;
rPort = ntohs(name->sin_port);
if (rPort >= 9950 && rPort <= 9970)
{
GetPrivateProfileStringA("config", "host", "127.0.0.1", szIPAddress, 32, szConfig);
nPort = GetPrivateProfileIntA("config", "port", 9958, szConfig);
name->sin_addr.s_addr = inet_addr(szIPAddress);
name->sin_port = htons(nPort);
}
else if (rPort == 5816)
{
GetPrivateProfileStringA("config", "gamehost", "127.0.0.1", szIPAddress, 32, szConfig);
nPort = GetPrivateProfileIntA("config", "gameport", 5816, szConfig);
name->sin_addr.s_addr = inet_addr(szIPAddress);
name->sin_port = htons(nPort);
}
typedef int (__stdcall *LPFCONNECT)(SOCKET,sockaddr_in*,int);
return ((LPFCONNECT)connect_stub.Address)(s, name, len);
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH: {
SetupConsole();
GetModuleFileNameA(GetModuleHandle(TEXT("ConquerHook.dll")), szConfig, MAX_PATH);
for (int i = strlen(szConfig) - 1; i >= 0; i--)
{
if (szConfig[i] == '\\')
{
szConfig[i+1] = NULL;
break;
}
}
strcat_s(szConfig, "config.ini");
printf(szConfig);
CreateHook32(lib_func("ws2_32.dll", "connect"), myconnect, &connect_stub);
} break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
void SetupConsole()
{
int hCrt;
FILE *hf;
AllocConsole();
hCrt = _open_osfhandle( (long)GetStdHandle( STD_OUTPUT_HANDLE ), _O_TEXT );
hf = _fdopen( hCrt, "w" );
*stdout = *hf;
hCrt = _open_osfhandle((long)GetStdHandle( STD_INPUT_HANDLE ), _O_TEXT);
hf = _fdopen( hCrt, "r" );
*stdin = *hf;
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stdin, NULL, _IONBF, 0);
}
The Hook.h/cpp can be found from the previously link and the download.
|
|
|
|
|
07/24/2014, 21:53
|
#5
|
elite*gold: 0
Join Date: Jun 2007
Posts: 64
Received Thanks: 41
|
When I am trying to connect to the server it says that there is a maintainance for 30 minutes, but in fact, there shouldn't be it. What's wrong with it?
Edited: I don't know how to bypass protection.
|
|
|
|
|
08/14/2014, 23:21
|
#6
|
elite*gold: 0
Join Date: Aug 2010
Posts: 951
Received Thanks: 76
|
Just curious but does this
Code:
byte[] ShellCode = {
0x9C, // PUSH ALL FLAGS
0x60, // PUSH ALL REGISTERS
0x68, 0xAA, 0xAA, 0xAA, 0xAA, // PUSH DLL ADDRESS
0xB8, 0xBB, 0xBB, 0xBB, 0xBB, // MOV EAX, pLoadLib
0xFF, 0xD0, // CALL EAX (pLoadLib)
0x61, // POP ALL REGISTERS
0x9D, // POP ALL FLAGS
0xC3 // RET
};
change depending on the game?
|
|
|
|
|
08/15/2014, 03:02
|
#7
|
elite*gold: 0
Join Date: Jul 2014
Posts: 402
Received Thanks: 540
|
Quote:
Originally Posted by denominator
Just curious but does this
Code:
byte[] ShellCode = {
0x9C, // PUSH ALL FLAGS
0x60, // PUSH ALL REGISTERS
0x68, 0xAA, 0xAA, 0xAA, 0xAA, // PUSH DLL ADDRESS
0xB8, 0xBB, 0xBB, 0xBB, 0xBB, // MOV EAX, pLoadLib
0xFF, 0xD0, // CALL EAX (pLoadLib)
0x61, // POP ALL REGISTERS
0x9D, // POP ALL FLAGS
0xC3 // RET
};
change depending on the game? |
No.
Edit:
Quote:
Originally Posted by tanelipe
Which is used like this:
Code:
string CommandLine = PathTextBox.Text + "\\Conquer.exe blacknull";
SECURITY_ATTRIBUTES ProcessAttributes = new SECURITY_ATTRIBUTES();
SECURITY_ATTRIBUTES ThreadAttributes = new SECURITY_ATTRIBUTES();
STARTUPINFO StartupInformation = new STARTUPINFO();
PROCESS_INFORMATION ProcessInformation = new PROCESS_INFORMATION();
Native.CreateProcess(null, CommandLine, ref ProcessAttributes, ref ThreadAttributes, false, 0x00000004, IntPtr.Zero, PathTextBox.Text, ref StartupInformation, out ProcessInformation);
Native.ResumeThread(ProcessInformation.hThread);
Native.Sleep(2000);
SuspendInjectResume(ProcessInformation, HookTextBox.Text);
|
Why are you creating the process suspended, then resuming the main thread just to suspend it again 2 seconds later?
And also in your "SuspendInjectResume" method, you're writing the return address (EIP) directly on the stack of the remote process, why not just put "push EIP" in your shell code instead?
|
|
|
|
|
08/15/2014, 17:24
|
#8
|
elite*gold: 0
Join Date: Aug 2010
Posts: 951
Received Thanks: 76
|
Thank you 
|
|
|
|
 |
Similar Threads
|
Editing conquer auth ip through dll injection
07/14/2011 - CO2 Programming - 8 Replies
Ok so I've been working on a proxy and been using nulls loader so far. I want to be able to redirect the client without using the loader. I messed around with the client through cheat engine and managed to redirect the client to my proxy, and I built a simple dll injector, and a dll in c++ that simply brings up a popup window. But I don't know were to go from there.
Would I just simple use a pointer to point to and change all address's that contain TQ's auth ip. Or do I have to use inline...
|
Selling Runescape Both Auth Codes Only 5$ each for ANY auth regular price is 10$-30$
02/19/2011 - Runescape Trading - 5 Replies
Any auth code is 5$ send me a Pm or leave a post to tell me which ones you would like http://img260.imageshack.us/img260/2675/runescapea uths.png
|
hab in auth ordner usr/rain/auth den kompletten inhalt gelöscht
04/09/2010 - Metin2 Private Server - 2 Replies
hi
ich hab in auth ordner also usr/rain/auth den kompletten inhalt gelöscht
und eine datei erstellt mit
#!/bin/sh
./auth
sleep 60*5
./auth.sh
nochmal ne kurzfassung:
ich hab versucht den login bug zu fixxen
bin in /usr/rain/auth und hab dort alles gelöscht
|
Auth Pack: Auth Request
12/23/2009 - CO2 Private Server - 8 Replies
I know this pops up often, and I've searched everywhere for an answer, only to not get one. I've scanned over this site, as well as 4botters for an answer, and every one of them, didn't help.
I'm trying to run a 4267 server with source, and so far, this is the biggest issue. I've spent several days of scanning google for this one issue for several hours at a time now.
I've changed the IP from my server to everything from my Hamachi, my router, my default gateway, and my internal (I think...
|
All times are GMT +1. The time now is 00:31.
|
|
![[HELP] Conquer auth ip through DLL](https://www.elitepvpers.com/forum/iconimages/co2-programming/help-conquer-auth-ip-through-dll_ltr.gif){kind=small}
