[Help] How to modify received Packet?
Discussion on [Help] How to modify received Packet? within the Mabinogi forum part of the MMORPGs category.
05/26/2015, 21:29
#1
elite*gold: 0
Join Date: Apr 2014
Posts: 19
Received Thanks: 0
[Help] How to modify received Packet?
Hello,
Can anyone please tell me if it is possible to modify the packet in SendHook/RecvHook?
I'm trying to make all characters other than the current character invisible in order to reduce lag. I've tried returning 0 in RecvHook with 0x00000000 and 0x0000520C packets but the client crashes whenever another character appears in view.
A workaround is to receive 0x0000526D after 0x00000000 or 0x0000520C so as to make the character disappear. But the client will still need to load the model & texture of that character, which is what causes the lag.
Is it possible to edit the data of the packet and remove the race/equipment information so that the other characters are never loaded?
Thanks.
05/26/2015, 23:00
#2
elite*gold: 0
Join Date: Feb 2015
Posts: 54
Received Thanks: 16
For the 00000000 packet, are you just returning it as 0? Or all the parameters on the packet as 0?
05/26/2015, 23:29
#3
elite*gold: 0
Join Date: Apr 2014
Posts: 19
Received Thanks: 0
Quote:
Originally Posted by ~Goodnight~
For the 00000000 packet, are you just returning it as 0? Or all the parameters on the packet as 0?
As the return value of RecvHook needs to be an int, I used:
As I mentioned, I do not know how to modify the elements and clear/set them to be 0 or empty.
05/26/2015, 23:52
#4
elite*gold: 0
Join Date: Feb 2015
Posts: 54
Received Thanks: 16
Quote:
Originally Posted by anonentity
As the return value of RecvHook needs to be an int, I used:
As I mentioned, I do not know how to modify the elements and clear/set them to be 0 or empty.
You should probably look into source codes of other pake modules and see how they were done. Maybe look into the source code of mod_lieias? (Can't spell)
05/27/2015, 01:55
#5
elite*gold: 0
Join Date: Apr 2014
Posts: 19
Received Thanks: 0
Quote:
Originally Posted by ~Goodnight~
You should probably look into source codes of other pake modules and see how they were done. Maybe look into the source code of mod_lieias? (Can't spell)
That's where I got the inspiration to use 'return 0;' which, in my understanding, is supposed to mean 'this packet contains no information' and therefore trick the client to ignore what is inside 'unsigned char *buf'.
However, this does not work with 00000000 packet and I can't find any other method in other source codes.
05/27/2015, 06:55
#6
elite*gold: 0
Join Date: Feb 2012
Posts: 112
Received Thanks: 12
Quote:
Originally Posted by anonentity
Hello,
Can anyone please tell me if it is possible to modify the packet in SendHook/RecvHook?
I'm trying to make all characters other than the current character invisible in order to reduce lag. I've tried returning 0 in RecvHook with 0x00000000 and 0x0000520C packets but the client crashes whenever another character appears in view.
A workaround is to receive 0x0000526D after 0x00000000 or 0x0000520C so as to make the character disappear. But the client will still need to load the model & texture of that character, which is what causes the lag.
Is it possible to edit the data of the packet and remove the race/equipment information so that the other characters are never loaded?
Thanks.
you block the packets and recv another modified one.
e.g.
Code:
int RecvHook(...) {
    if (packet->code == 0x00000000 || packet->code == 0x0000520c) {
        recv(...); // call pake's recv with your own modified 0x00000000, 0x0000520C
        return 0;
    }
}
05/27/2015, 07:07
#7
elite*gold: 0
Join Date: Feb 2015
Posts: 54
Received Thanks: 16
Quote:
Originally Posted by Caesarw
you block the packets and recv another modified one.
e.g.
Code:
int RecvHook(...) {
    if (packet->code == 0x00000000 || packet->code == 0x0000520c) {
        recv(...); // call pake's recv with your own modified 0x00000000, 0x0000520C
        return 0;
    }
}
I gotta start learning how to make pake modules. I know so many exploits to this game but can't use them for my own good since I don't know how to write them down. Most of my exploits are manual.
Do you think you can possibly lead the way for that? Even reading source codes of the modules throws me off. Step by step tuts would be nice.
05/27/2015, 07:17
#8
elite*gold: 0
Join Date: Jan 2015
Posts: 138
Received Thanks: 16
Quote:
Originally Posted by ~Goodnight~
I gotta start learning how to make pake modules. I know so many exploits to this game but can't use them for my own good since I don't know how to write them down. Most of my exploits are manual.
Do you think you can possibly lead the way for that? Even reading source codes of the modules throws me off. Step by step tuts would be nice.
gddmt ztep, how do you know all this asm **** and not a simple pake module
05/27/2015, 07:42
#9
elite*gold: 0
Join Date: Feb 2012
Posts: 112
Received Thanks: 12
Quote:
Originally Posted by ~Goodnight~
I gotta start learning how to make pake modules. I know so many exploits to this game but can't use them for my own good since I don't know how to write them down. Most of my exploits are manual.
Do you think you can possibly lead the way for that? Even reading source codes of the modules throws me off. Step by step tuts would be nice.
sure, add my qq.
i will pm you my number.
05/27/2015, 19:13
#10
elite*gold: 0
Join Date: Sep 2014
Posts: 545
Received Thanks: 586
Quote:
Originally Posted by Seren30
gddmt ztep, how do you know all this asm **** and not a simple pake module
05/28/2015, 00:55
#11
elite*gold: 0
Join Date: Apr 2014
Posts: 19
Received Thanks: 0
Quote:
Originally Posted by Caesarw
you block the packets and recv another modified one.
e.g.
Code:
int RecvHook(...) {
    if (packet->code == 0x00000000 || packet->code == 0x0000520c) {
        recv(...); // call pake's recv with your own modified 0x00000000, 0x0000520C
        return 0;
    }
}
Thank you for your reply. I made an attempt but it is not working as expected. Here's the code:
Code:
CMabiPacket pkt;
pkt.SetOP(recvPacket.GetOP());
pkt.SetReciverId(recvPacket.GetReciverId());
PacketData data;
BYTE* pn;
int lenn;
int i;
// copy every element of the received packet into the new packet, by element type
for (i = 0; i < recvPacket.GetElementNum(); i++) {
    data.type = recvPacket.GetElement(i)->type;
    switch (data.type) {
    case T_ID:
        data.ID = recvPacket.GetElement(i)->ID;
        break;
    case T_WORD:
        data.word16 = recvPacket.GetElement(i)->word16;
        break;
    case T_INT:
        data.int32 = recvPacket.GetElement(i)->int32;
        break;
    case T_BYTE:
        data.byte8 = recvPacket.GetElement(i)->byte8;
        break;
    case T_FLOAT:
        data.float32 = recvPacket.GetElement(i)->float32;
        break;
    case T_STR:
        data.mpstr = recvPacket.GetElement(i)->mpstr;   // pointer copy only, no own buffer
        data.len = recvPacket.GetElement(i)->len;
        break;
    case T_BIN:
        data.str = recvPacket.GetElement(i)->str;       // pointer copy only, no own buffer
        data.len = recvPacket.GetElement(i)->len;
        break;
    }
    pkt.AddElement(&data);
}
lenn = pkt.BuildPacket(&pn);
if (Recv)
    Recv(pn, lenn);   // hand the rebuilt packet to the client
pkt.FreePacket(pn);
return 0;
I'm simply trying to duplicate the exact received packet and receive it with Recv(). Some of the 00000000 packets went through well but when it comes to loading character, the client crashes right after return 0.
Could you help me identify the problem with the code? By the way I'm not even sure if this is the correct way of dealing with T_STR and T_BIN.
Thank you very much.
05/29/2015, 03:15
#12
elite*gold: 0
Join Date: Feb 2012
Posts: 112
Received Thanks: 12
Quote:
Originally Posted by anonentity
Thank you for your reply. I made an attempt but it is not working as expected. Here's the code:
Code:
CMabiPacket pkt;
pkt.SetOP(recvPacket.GetOP());
pkt.SetReciverId(recvPacket.GetReciverId());
PacketData data;
BYTE* pn;
int lenn;
int i;
// copy every element of the received packet into the new packet, by element type
for (i = 0; i < recvPacket.GetElementNum(); i++) {
    data.type = recvPacket.GetElement(i)->type;
    switch (data.type) {
    case T_ID:
        data.ID = recvPacket.GetElement(i)->ID;
        break;
    case T_WORD:
        data.word16 = recvPacket.GetElement(i)->word16;
        break;
    case T_INT:
        data.int32 = recvPacket.GetElement(i)->int32;
        break;
    case T_BYTE:
        data.byte8 = recvPacket.GetElement(i)->byte8;
        break;
    case T_FLOAT:
        data.float32 = recvPacket.GetElement(i)->float32;
        break;
    case T_STR:
        data.mpstr = recvPacket.GetElement(i)->mpstr;   // pointer copy only, no own buffer
        data.len = recvPacket.GetElement(i)->len;
        break;
    case T_BIN:
        data.str = recvPacket.GetElement(i)->str;       // pointer copy only, no own buffer
        data.len = recvPacket.GetElement(i)->len;
        break;
    }
    pkt.AddElement(&data);
}
lenn = pkt.BuildPacket(&pn);
if (Recv)
    Recv(pn, lenn);   // hand the rebuilt packet to the client
pkt.FreePacket(pn);
return 0;
I'm simply trying to duplicate the exact received packet and receive it with Recv(). Some of the 00000000 packets went through well but when it comes to loading character, the client crashes right after return 0.
Could you help me identify the problem with the code? By the way I'm not even sure if this is the correct way of dealing with T_STR and T_BIN.
Thank you very much.
Don't know what the data.mpstr is, can you paste the full definition of PacketData here?
Also, it's better to alloc your own str/bin and memcpy the contents.
Because Mabinogi uses multiple threads to handle recv, it's possible that the pointer you get from a packet, or the content it points to, gets modified.
e.g.
Code:
int len;
case T_STR:
case T_BIN:
    len = recvPacket.GetElement(i)->len;
    data.str = new char[len + 1];                          // own buffer, one extra byte for the terminator
    memcpy(data.str, recvPacket.GetElement(i)->str, len);  // copy the contents out of the received packet
    data.str[len] = 0;
    break;
05/29/2015, 06:37
#13
elite*gold: 0
Join Date: Apr 2014
Posts: 19
Received Thanks: 0
Quote:
Originally Posted by Caesarw
Don't know what the data.mpstr is, can you paste the full definition of PacketData here?
Also, it's better to alloc your own str/bin and memcpy the contents.
Because Mabinogi uses multiple threads to handle recv, it's possible that the pointer you get from a packet, or the content it points to, gets modified.
e.g.
Code:
int len;
case T_STR:
case T_BIN:
    len = recvPacket.GetElement(i)->len;
    data.str = new char[len + 1];                          // own buffer, one extra byte for the terminator
    memcpy(data.str, recvPacket.GetElement(i)->str, len);  // copy the contents out of the received packet
    data.str[len] = 0;
    break;
Code:
typedef WCHAR MPCHAR;
typedef struct {
    unsigned char type;
    union {
        unsigned int int32;
        unsigned short word16;
        unsigned char byte8;
        float float32;
        char* str;
        MPCHAR* mpstr;
        __int64 ID;
    };
    int len;
} PacketData;
I have modified part of the code as follows:
Code:
case T_STR:
    data.len = recvPacket.GetElement(i)->len;
    data.mpstr = new WCHAR[data.len + 1];   // array of len + 1 WCHARs; new WCHAR(len + 1) would allocate a single WCHAR holding the value len + 1
    memcpy(data.mpstr, recvPacket.GetElement(i)->mpstr, data.len);
    data.mpstr[data.len] = L'\0';
    break;
case T_BIN:
    data.len = recvPacket.GetElement(i)->len;
    data.str = new char[data.len + 1];
    memcpy(data.str, recvPacket.GetElement(i)->str, data.len);
    data.str[data.len] = 0;
    break;
However, it still causes the client to crash when the 00000000 packet contains T_BIN (works well when there are T_STRs and other types).
05/30/2015, 02:59
#14
elite*gold: 0
Join Date: Feb 2012
Posts: 112
Received Thanks: 12
Quote:
Originally Posted by anonentity
Code:
typedef WCHAR MPCHAR;
typedef struct {
    unsigned char type;
    union {
        unsigned int int32;
        unsigned short word16;
        unsigned char byte8;
        float float32;
        char* str;
        MPCHAR* mpstr;
        __int64 ID;
    };
    int len;
} PacketData;
I have modified part of the code as follows:
Code:
case T_STR:
    data.len = recvPacket.GetElement(i)->len;
    data.mpstr = new WCHAR[data.len + 1];   // array of len + 1 WCHARs; new WCHAR(len + 1) would allocate a single WCHAR holding the value len + 1
    memcpy(data.mpstr, recvPacket.GetElement(i)->mpstr, data.len);
    data.mpstr[data.len] = L'\0';
    break;
case T_BIN:
    data.len = recvPacket.GetElement(i)->len;
    data.str = new char[data.len + 1];
    memcpy(data.str, recvPacket.GetElement(i)->str, data.len);
    data.str[data.len] = 0;
    break;
However, it still causes the client to crash when the 00000000 packet contains T_BIN (works well when there are T_STRs and other types).
hmm, sorry can't help.
just debug more to see what happened.
05/30/2015, 11:38
#15
elite*gold: 0
Join Date: Feb 2015
Posts: 9
Received Thanks: 1
Wouldn't it be len +3 for strings and bins?
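The following is an added worked example, not code from this thread or from pake, that puts together three points raised above: the own-buffer-plus-memcpy copy recommended in post #12, why the `new WCHAR(data.len + 1)` form in post #13 corrupts the heap (with parentheses it allocates one WCHAR holding the value len + 1, so the memcpy and the terminator store both write past the allocation), and how the terminator size post #15 asks about can be derived from `sizeof(MPCHAR)` instead of a fixed constant. It assumes `wchar_t` in place of the Windows `WCHAR`, treats `len` as a byte count for both T_STR and T_BIN, and uses constructed element tags and sample data; the module's real tag values and length convention are not on the page.

```cpp
#include <cstddef>
#include <cstring>
#include <cwchar>

// Element tags are constructed for this example; the real module's values are not on the page.
enum ElemType : unsigned char { T_BYTE = 1, T_WORD, T_INT, T_FLOAT, T_ID, T_STR, T_BIN };

// Layout mirrors the PacketData struct posted in the thread; WCHAR is replaced by wchar_t
// (assumption) so the example builds on any platform.
typedef wchar_t MPCHAR;
struct PacketData {
    unsigned char type;
    union {
        unsigned int int32;
        unsigned short word16;
        unsigned char byte8;
        float float32;
        char* str;
        MPCHAR* mpstr;
        long long ID;
    };
    int len;   // assumption for this example: payload length in BYTES for T_STR and T_BIN
};

// Number of MPCHAR slots needed to hold `len` bytes plus one wide NUL terminator.
// Rounding up to whole wide characters and adding one slot replaces guessing "+1" or "+3".
static std::size_t wide_slots_for_bytes(std::size_t len) {
    return (len + sizeof(MPCHAR) - 1) / sizeof(MPCHAR) + 1;
}

// Deep-copies one element so the copy shares no buffer with the packet the recv thread owns.
// Returns false (and marks dst.type = 0) for a negative length instead of allocating.
static bool deep_copy_element(const PacketData& src, PacketData& dst) {
    dst = src;                                  // scalar members and the union are copied by value
    if (src.len < 0) { dst.type = 0; return false; }
    const std::size_t len = static_cast<std::size_t>(src.len);
    switch (src.type) {
    case T_STR: {
        MPCHAR* buf = new MPCHAR[wide_slots_for_bytes(len)]();   // value-initialised: all slots L'\0'
        if (len && src.mpstr) std::memcpy(buf, src.mpstr, len);
        dst.mpstr = buf;
        break;
    }
    case T_BIN: {
        char* buf = new char[len + 1]();                          // +1 keeps a NUL after the raw bytes
        if (len && src.str) std::memcpy(buf, src.str, len);
        dst.str = buf;
        break;
    }
    default:
        break;                                                    // fixed-size element: copy already complete
    }
    return true;
}

// Releases what deep_copy_element allocated and nothing else.
static void free_element(PacketData& e) {
    if (e.type == T_STR) delete[] e.mpstr;
    else if (e.type == T_BIN) delete[] e.str;
    e.mpstr = nullptr;
    e.len = 0;
}

// Constructed data: a wide string and a binary blob. Checks that the copies are separate
// buffers, correctly terminated, and unaffected when the source buffer changes afterwards.
static bool demo_copies_are_independent() {
    wchar_t source_name[] = L"Nao";
    unsigned char source_blob[] = {0x01, 0x00, 0xFF, 0x10};
    PacketData s = {};  s.type = T_STR; s.mpstr = source_name;
    s.len = static_cast<int>(sizeof(source_name) - sizeof(wchar_t));   // 3 characters, as bytes
    PacketData b = {};  b.type = T_BIN; b.str = reinterpret_cast<char*>(source_blob);
    b.len = static_cast<int>(sizeof(source_blob));

    PacketData cs = {}, cb = {};
    if (!deep_copy_element(s, cs) || !deep_copy_element(b, cb)) return false;
    bool ok = cs.mpstr != s.mpstr && cb.str != b.str;                // distinct buffers
    ok = ok && std::wcscmp(cs.mpstr, L"Nao") == 0;                   // terminated wide copy
    ok = ok && std::memcmp(cb.str, source_blob, sizeof(source_blob)) == 0 && cb.str[cb.len] == 0;
    source_name[0] = L'X';                                            // source changes after the copy
    ok = ok && cs.mpstr[0] == L'N';                                   // copy is unaffected
    free_element(cs);
    free_element(cb);
    return ok;
}

// A negative length from a malformed element must not reach the allocator.
static bool rejects_negative_length() {
    PacketData bad = {};  bad.type = T_BIN; bad.str = nullptr; bad.len = -1;
    PacketData out = {};
    return !deep_copy_element(bad, out) && out.type == 0;
}

int main() { return (demo_copies_are_independent() && rejects_negative_length()) ? 0 : 1; }
```

The copies made this way belong to the caller, so once the rebuilt packet has been handed on they have to be released with `free_element`; the posted code never frees its `new`-allocated buffers, which leaks one allocation per string or binary element on every packet.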