[Question] Recv hook

iszoPL · 01/10/2013, 17:21

I'm having a bit weird problem with that. I've managed to hook recv function directly in winsock dll and i can sniff the data being exchanged between client and server. I guess that they are encrypted because i didn't hook recv in engine exactly but in dll.

In main thread:

Code:

RealRecv = (RecvPtr)GetProcAddress(GetModuleHandle(L"ws2_32.dll"), "recv");
RealRecv = (RecvPtr)Detour((BYTE*)RealRecv, (BYTE*)&OurRecv, 5);

OurRecv func:

Code:

INT WINAPI OurRecv(SOCKET sock, CHAR* buf, INT len, INT flags)
{
	cout << "Received: ";
	for(int i=0;i<strlen(buf);i++)
		cout <<  hex << static_cast<WORD>(buf[i]) << ' ';
	cout << '\n';
	return RealRecv(sock, buf, len, flags);
}

This works and i'm getting sniffed data but only for a while. After minute or so it just stops receiving data. My guess was that maybe it somehow maganed to unhook function so i was checking if some func addresses changed but it wasn't it. Trying to hook again also doesn't work. The wird think is that hook on send function seems to be working all the time.

So is the game using some alternative function to recv data? Even that i know asm i don't know how to use olly so it can be useful. Tried to set a bp on loadlibrary in engine so i can look when ehsvc.dll is loaded or doing the same with recv but i guess i was doing something wrong because i failed

Any idea how to solve the problem?

meak1 · 01/10/2013, 17:31

First 5 bytes get proofed...

Just place ur hook after those 5 bytes and GJ ;D

iszoPL · 01/10/2013, 17:50

I don't know if i understood. U are saying that address of my hook func got proofed so it's no longer called? If I for example make OurRecv2 and detour original func again with the new one it will work right?

meak1 · 01/10/2013, 18:02

Hackshield proof if Recv is hooked by another programm....

So just hook after 5 bytes to bypass it?