[Q] How to find recv/send function addresses
Discussion on [Q] How to find recv/send function addresses within the Kal Online forum part of the MMORPGs category.
02/18/2014, 12:52
#1
Hi.
I've read some general tutorials about that, but most of them use OllyDbg, which is detected by HackShield.
I wonder how you guys get those addresses which are then used for detouring...
Maybe some hints on which tools to use...?
And maybe how to find the functions?
EDIT:
Seems like the sending is done in ntdll... do I get anything closer.. waaaawh
EDIT2: So, the mov edi, edi actually does nothing. Or in other words, it provides space for hooking.
If I use this as a sending function:
push ebp
mov ebp, esp
sub esp, 18
JMP PBACK
.. what address needs to be in PBACK? Before "mov edi, edi", right on that address, after it, or on PUSH?
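The jump and trampoline arithmetic behind the PBACK question, as an added example that is not code from this thread: it takes the prologue bytes quoted in the thread (push ebp / mov ebp, esp / sub esp, 18h) and the Microsoft hot-patch prologue (mov edi, edi), works out how many whole instructions a 5-byte JMP rel32 overwrites, and emits the patch bytes, the trampoline bytes and the address the trampoline must resume at. The function, hook and trampoline addresses are hypothetical, and nothing is written into a live process: the code only builds and decodes the bytes, so it runs on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Length of the x86-32 instruction at p, for the prologue shapes quoted in
 * this thread. Unknown opcodes return 0 so the caller refuses to patch
 * instead of cutting an instruction in half (a real hook library uses a
 * length disassembler here). */
static size_t insn_len(const uint8_t *p)
{
    if (p[0] == 0x8B && p[1] == 0xFF) return 2;            /* mov edi, edi         */
    if (p[0] == 0x55) return 1;                            /* push ebp             */
    if (p[0] == 0x57) return 1;                            /* push edi             */
    if (p[0] == 0x8B && p[1] == 0xEC) return 2;            /* mov ebp, esp         */
    if (p[0] == 0x83 && p[1] == 0xEC) return 3;            /* sub esp, imm8        */
    if (p[0] == 0x89 && (p[1] & 0xC7) == 0x45) return 3;   /* mov [ebp+disp8], r32 */
    return 0;
}

/* Smallest run of whole instructions that covers at least `need` bytes. */
static size_t stolen_len(const uint8_t *code, size_t need)
{
    size_t n = 0;
    while (n < need) {
        size_t l = insn_len(code + n);
        if (l == 0) return 0;
        n += l;
    }
    return n;
}

/* E9 rel32: the displacement is relative to the END of the 5-byte jump. */
static void emit_jmp(uint8_t *out, uint32_t at, uint32_t dest)
{
    uint32_t rel = dest - (at + 5);                /* wraps mod 2^32 like the CPU */
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;         out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16); out[4] = (uint8_t)(rel >> 24);
}

/* Decode an E9 jump located at `at` back to its target (used to verify). */
static uint32_t jmp_target(const uint8_t *j, uint32_t at)
{
    uint32_t rel = (uint32_t)j[1] | ((uint32_t)j[2] << 8) |
                   ((uint32_t)j[3] << 16) | ((uint32_t)j[4] << 24);
    return at + 5 + rel;
}

struct hook {
    uint8_t  patch[16]; size_t patch_len;   /* bytes to write over the function    */
    uint8_t  tramp[32]; size_t tramp_len;   /* trampoline: stolen bytes + jmp back */
    uint32_t pback;                         /* address the trampoline resumes at   */
};

/* Inline hook at the first byte: JMP hook_va over the first whole
 * instructions; the trampoline at tramp_va re-executes them and jumps to
 * func_va + stolen, which is the PBACK address. */
static int build_inline_hook(const uint8_t *func, uint32_t func_va,
                             uint32_t hook_va, uint32_t tramp_va, struct hook *h)
{
    size_t n = stolen_len(func, 5);
    if (n == 0 || n > sizeof h->patch) return 0;
    emit_jmp(h->patch, func_va, hook_va);
    memset(h->patch + 5, 0x90, n - 5);             /* NOP the leftover bytes */
    h->patch_len = n;
    memcpy(h->tramp, func, n);                     /* none of these are EIP-relative */
    emit_jmp(h->tramp + n, tramp_va + n, func_va + n);
    h->tramp_len = n + 5;
    h->pback = func_va + n;
    return 1;
}

/* Microsoft hot-patch style: "mov edi, edi" becomes "jmp short $-5" into the
 * 5 padding bytes before the function, which receive the long JMP. The
 * prologue proper is untouched, so execution resumes at func_va + 2. */
static int build_hotpatch(const uint8_t *func, uint32_t func_va,
                          uint32_t hook_va, struct hook *h)
{
    if (!(func[0] == 0x8B && func[1] == 0xFF)) return 0;  /* no hot-patch prologue   */
    emit_jmp(h->patch, func_va - 5, hook_va);             /* written at func_va - 5  */
    h->patch[5] = 0xEB; h->patch[6] = 0xF9;               /* jmp short -7 -> padding */
    h->patch_len = 7;
    h->tramp_len = 0;                                     /* nothing to replay       */
    h->pback = func_va + 2;                               /* the original "push ebp" */
    return 1;
}

int main(void)
{
    /* Prologue bytes from post #3; the addresses are hypothetical. */
    static const uint8_t send_fn[] = {0x55,0x8B,0xEC,0x83,0xEC,0x18,0x57,0x89,0x4D,0xE8};
    struct hook h;
    if (build_inline_hook(send_fn, 0x00401000u, 0x10001000u, 0x10002000u, &h))
        printf("stole %zu bytes, trampoline resumes (PBACK) at %08X\n",
               h.patch_len, (unsigned)h.pback);
    return 0;
}
```

With the push ebp / mov ebp, esp / sub esp, 18h prologue the JMP clobbers six bytes (the sub esp is three bytes wide), so the sixth byte is NOP-padded and the trampoline resumes at function + 6; with a mov edi, edi prologue hooked at the first byte the stolen run is exactly five bytes, and with the hot-patch variant the resume point is function + 2.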
02/18/2014, 18:22
#2
Yes, normal HackShield detects OllyDbg, but with a modded one it works.
But for normal people like you: understand what search patterns are and how they work, then download a private server without HackShield and work there to find those addresses.
(At the pserver it's sub esp, 14 <- just change that to 18 in your pattern.)
Or just unpack engine.exe and search for ws2_32 send or the string 'send() fail' and jump backwards till you come to the push ebp / mov ebp, esp / sub esp, 18.
Normally you breakpoint ws2_32 send, write 'hello' into the chat, and just jump backwards till you get the decrypted packet, and use that function for your own code.
02/18/2014, 20:01
#3
So, if I'm correct, those are the send and recv functions. But here the data is already encrypted, isn't it? So I need to go backwards.
This function starts as you've said and it's calling the send function in the first picture. So that might be it?
In this case, what is the search pattern?
55 8B EC 83 EC 18 57 89 4D E8
That is the unpacked engine I found... I think it's from 2010. That pattern should still be the same?
Thanks for your answer.
02/18/2014, 21:01
#4
Sure, the patterns never changed,
and you can just run engine.exe with OllyDbg; at runtime it's unpacked.
02/20/2014, 16:15
#5
You can also use IDA by Hex-Rays or any disassembler and search for send/recv/connect etc.
02/20/2014, 16:29
#6
Thanks for the answers.
I've tried IDA and I'm lost there lol... I like OllyDbg.
02/20/2014, 18:19
#7
I only use IDA with the Hex-Rays plugin for copying and pasting long asm functions into C++,
not for reversing.
02/21/2014, 15:28
#8
I've used this pattern to search for the (encrypted) receive function:
"55 8B EC 83 EC 08 89 4D F8 8B 45 14 50 8B 4D 10 51 8B 55 0C 52 8B 45 08 50 FF 15".
Scan from 0x00400000 to 0x007FFFFFF.
As a result I got the address 5D23C0.
Then I hook it and my function is never called. Could it be that my search pattern is wrong? Am I getting the right address back?
02/21/2014, 18:17
#9
02/22/2014, 14:41
#10
Thanks for this, but I'm still stuck here.
I've tried this signature:
\x55\x8B\xEC\x83\xEC\x08\x89\x4D\xF8\x8B\x45\x14\x50\x8B\x4D\x10\x51\x8B\x55\x0C\x52\x8B\x45\x08\x50\xFF\x15\x00\x00\x00\x00\x89\x45\xFC\x83\x7D\xFC\xFF\x75\x25\xFF\x15\x00\x00\x00\x00\x3D\x00\x00\x00\x00\x74\x18\xB9\x00\x00\x00\x00\x85\xC9\x74\x02\xEB\x0D\x68\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x83\xC4\x04\x8B\x45\xFC\x8B\xE5\x5D\xC2\x10\x00
Mask: xxxxxxxxxxxxxxxxxxxxxxxxxxx????xxxxxxxxxxx????x????***????xxxxxxx????x????xxxxxxxxxxxx
and
\x55\x8B\xEC\x83\xEC\x20\x89\x4D\xE0\x8B\x45\xE0\x83\xB8\x48\x5F\x00\x00\x02\x0F\x83\x00\x00\x00\x00\x8B\x4D\xE0\xBA\x00\x00\x00\x00\x2B\x91\x00\x00\x00\x00\x89\x55\xF8\x8B\x45\xE0\x8B\x88\x00\x00\x00\x00\x8B\x55\xE0\x8D\x84\x0A\x00\x00\x00\x00\x89\x45\xF4\x8B\x4D\xE0\x8B\x91\x00\x00\x00\x00\x89\x55\xF0\x6A\x00\x8B\x45\xF8\x50\x8B\x4D\xF4\x51\x8B\x55\xF0\x8B\x42\x04\x50\x8B\x4D\xF0\xE8\x00\x00\x00\x00
Mask:
xxxxxxxxxxxxxxxxxxxxx????xxxx????xx????xxxxxxxx????xxxxxx????xxxxxxxx????xxxxxxxxxxxxxxxxxxxxxxxx????
The address is found but my hook function is still not getting called. :|
02/22/2014, 15:53
#11
The pattern exists more than once (;?
And I guess the hook is detected, so HackShield removes it. You can hook the recv normally just with
PHP Code:
#pragma comment(lib, "Ws2_32.lib")
oRecv = (tRecv)DetourFunction((PBYTE)recv, (PBYTE)MyRecvHook); // Detours 1.x API: returns the trampoline to the original recv
But it's normally encrypted, but you're lucky: Kal's recv crypt works like this -> the Kal function crypts it and before the recv call it decrypts it again XD (But send is really crypted and the engine function hook is detected at send, so either you're pro or you just use send to send your packets instead of hooking it..)
So it's ~0.5 sec slower but works very well too, but my old source still works fine I guess, just with my tip: HackShield removes detours/hooks at the start of recv/send, so you need to place them +5 bytes in.
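A pattern/mask scanner of the kind posts #8, #10 and #11 are about, as an added example that is not code from this thread: it parses an IDA-style signature string with `?` wildcards, scans a buffer and reports every hit, because the same prologue occurs in several functions and a pattern that matches more than once may hand you the wrong function. The buffer it scans is a constructed 1 KiB "text section" with the recv-wrapper bytes from post #8 planted at three offsets; the IAT slot addresses after FF 15 are made up. Against the real client you would read the 0x00400000 range with ReadProcessMemory (or scan in-process) and add the image base to each offset, which is all that changes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x00400000u   /* engine.exe default base, as in post #8's scan range */
#define IMG_SIZE   0x400

/* The thiscall recv wrapper from post #8 (push flags, len, buf, s; call [IAT]).
 * The four bytes after FF 15 are a made-up IAT slot address. */
static const uint8_t kRecvWrapper[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08,         /* push ebp; mov ebp,esp; sub esp,8 */
    0x89, 0x4D, 0xF8,                           /* mov [ebp-8], ecx                 */
    0x8B, 0x45, 0x14, 0x50,                     /* mov eax,[ebp+14h]; push eax      */
    0x8B, 0x4D, 0x10, 0x51,                     /* mov ecx,[ebp+10h]; push ecx      */
    0x8B, 0x55, 0x0C, 0x52,                     /* mov edx,[ebp+0Ch]; push edx      */
    0x8B, 0x45, 0x08, 0x50,                     /* mov eax,[ebp+8];   push eax      */
    0xFF, 0x15, 0x78, 0x56, 0x34, 0x12          /* call dword ptr [0x12345678]      */
};

/* Constructed "text section": int3 filler, the wrapper at 0x40 and again at
 * 0x180 with a different IAT slot, and an unrelated function at 0x2C0 that
 * shares only the prologue. */
static void build_image(uint8_t *img)
{
    memset(img, 0xCC, IMG_SIZE);
    memcpy(img + 0x040, kRecvWrapper, sizeof kRecvWrapper);
    memcpy(img + 0x180, kRecvWrapper, sizeof kRecvWrapper);
    img[0x180 + 27] = 0x9C;                      /* call [0x1234569C] instead */
    memcpy(img + 0x2C0, kRecvWrapper, 9);        /* same prologue ...         */
    img[0x2C0 + 9] = 0xC3;                       /* ... then ret              */
}

/* "55 8B EC ? ? ? ? 89 4D" -> bytes + mask ('x' = must match, '?' = wildcard).
 * Returns the pattern length, 0 on a malformed token. */
static size_t parse_sig(const char *sig, uint8_t *bytes, char *mask, size_t cap)
{
    size_t n = 0;
    while (*sig && n < cap) {
        while (*sig == ' ') sig++;
        if (!*sig) break;
        if (*sig == '?') {
            while (*sig == '?') sig++;
            bytes[n] = 0; mask[n] = '?';
        } else {
            unsigned v;
            if (sscanf(sig, "%2x", &v) != 1) return 0;
            bytes[n] = (uint8_t)v; mask[n] = 'x';
            sig += 2;
        }
        n++;
    }
    mask[n] = '\0';
    return n;
}

/* Report every offset where the masked pattern occurs. Up to max_hits are
 * stored; the return value is the true count, so "more than once" is
 * visible even when the array is full. */
static size_t scan(const uint8_t *hay, size_t hay_len, const uint8_t *pat,
                   const char *mask, size_t pat_len, size_t *hits, size_t max_hits)
{
    size_t count = 0;
    if (pat_len == 0 || pat_len > hay_len) return 0;
    for (size_t i = 0; i + pat_len <= hay_len; i++) {
        size_t j = 0;
        while (j < pat_len && (mask[j] == '?' || hay[i + j] == pat[j])) j++;
        if (j == pat_len) {
            if (count < max_hits) hits[count] = i;
            count++;
        }
    }
    return count;
}

/* Scan the constructed image for a signature string; returns the hit count. */
static size_t find_in_image(const char *sig, size_t *hits, size_t max_hits)
{
    uint8_t img[IMG_SIZE], pat[64];
    char mask[65];
    size_t n = parse_sig(sig, pat, mask, sizeof pat);
    build_image(img);
    return scan(img, IMG_SIZE, pat, mask, n, hits, max_hits);
}

int main(void)
{
    const char *sigs[] = {
        "55 8B EC 83 EC 08 89 4D F8",                          /* prologue only: ambiguous */
        "55 8B EC 83 EC 08 89 4D F8 8B 45 14 50 8B 4D 10 51 "
        "8B 55 0C 52 8B 45 08 50 FF 15 ? ? ? ?",               /* wildcard the IAT slot    */
    };
    for (size_t k = 0; k < 2; k++) {
        size_t hits[8], n = find_in_image(sigs[k], hits, 8);
        printf("%zu hit(s):", n);
        for (size_t i = 0; i < n && i < 8; i++)
            printf(" %08X", IMAGE_BASE + (unsigned)hits[i]);
        printf("\n");
    }
    return 0;
}
```

The nine-byte prologue alone hits all three functions, the full wrapper with the IAT slot wildcarded hits the two real recv wrappers, and a signature that hard-codes the slot bytes hits exactly one build; when a scan returns more than one offset, lengthen the pattern or wildcard the build-specific bytes rather than hooking the first hit.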