Hook Send problem (UK)

blackmorpheus · 10/17/2011, 17:03

Hello folks,

I'm trying to hook the "send" function of nostale.

I wrote this little piece of code

Code:

#include <Windows.h>
#include <fstream>
#include <detours.h>

using namespace std; // byte me
void __cdecl add_log (char *fmt, ...);

//int __usercall sub_5D9464<eax>(int a1<eax>, int a2<edx>, int a3<edi>)
DWORD orgAddress = 0x5d9464;
DWORD jumpAddress;

void *DetourCreate(BYTE *src, const BYTE *dst, const int len);

// wrapper for __usercall
__declspec(naked) void send_unencrypted_hook()
{
	
	_asm pushad;
	_asm pushfd;
	
	DWORD a1,a2;
	char * command;

	__asm{
		
		mov a1,eax;
		mov command,edx;
		mov a2,edi;
	}

	add_log("Send hook: %d %d %s",a1,a2,command);

	
	_asm popfd;
	_asm popad;
	_asm jmp jumpAddress
	_asm ret // never gets here
}


DWORD initHook()
{
	add_log("Inside hook thread");
	//jumpAddress = (DWORD)DetourFunction((PBYTE)orgAddress,(PBYTE)send_unencrypted_hook);
	 jumpAddress = (DWORD)DetourCreate((PBYTE)orgAddress,(PBYTE)send_unencrypted_hook,6);
	return true;
}

void __cdecl add_log (char *fmt, ...)
{
	ofstream ofile;    
	ofile.open("mylog.txt", ios::app);
    if(ofile != NULL)
    {
        if(!fmt) { return; }

        va_list va_alist;
        char logbuf[256] = {0};

        va_start (va_alist, fmt);
        _vsnprintf (logbuf+strlen(logbuf), sizeof(logbuf) - strlen(logbuf), fmt, va_alist);
        va_end (va_alist);

        ofile << logbuf << endl;
    }
	ofile.close();
}


BOOL WINAPI DllMain(HMODULE hMod, DWORD dwReason, LPVOID lpReserved)
{
	DisableThreadLibraryCalls(hMod);

	switch(dwReason)
	{
	case DLL_PROCESS_ATTACH:
		CreateThread(0,0,(LPTHREAD_START_ROUTINE)initHook,0,0,0);
		break;
	}
	
	return TRUE;
}



void *DetourCreate(BYTE *src, const BYTE *dst, const int len)
{
	BYTE *jmp = (BYTE*)malloc(len+5);
	DWORD dwBack;

	VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwBack);
	memcpy(jmp, src, len);	
	jmp += len;
	jmp[0] = 0xE9;
	*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
	src[0] = 0xE9;
	*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
	for (int i=5; i<len; i++)  src[i]=0x90;
	VirtualProtect(src, len, dwBack, &dwBack);
	return (jmp-len);
}

this is the sendhook function:

Spoiler

Code:

CODE:005D9464 sub_5D9464      proc near               ; CODE XREF: sub_5D9120+62p
CODE:005D9464                                         ; sub_5D9B8C+1A2p ...
CODE:005D9464                 push    ebx
CODE:005D9465                 push    esi
CODE:005D9466                 mov     esi, edx
CODE:005D9468                 mov     ebx, eax
CODE:005D946A                 jmp     short loc_5D9470
CODE:005D946A ; ---------------------------------------------------------------------------
CODE:005D946C                 dd 193905EBh
CODE:005D9470 ; ---------------------------------------------------------------------------
CODE:005D9470
CODE:005D9470 loc_5D9470:                             ; CODE XREF: sub_5D9464+6j
CODE:005D9470                 mov     edx, esi
CODE:005D9472                 mov     eax, ebx
CODE:005D9474                 call    sub_5D9260
CODE:005D9479                 test    al, al
CODE:005D947B                 jz      short loc_5D9497
CODE:005D947D                 call    sub_461498
CODE:005D9482                 mov     [ebx+70h], eax
CODE:005D9485                 cmp     word ptr [ebx+22h], 0
CODE:005D948A                 jz      short loc_5D94A8
CODE:005D948C                 mov     edx, esi
CODE:005D948E                 mov     eax, [ebx+24h]
CODE:005D9491                 call    dword ptr [ebx+20h]
CODE:005D9494                 pop     esi
CODE:005D9495                 pop     ebx
CODE:005D9496                 retn
CODE:005D9497 ; ---------------------------------------------------------------------------
CODE:005D9497
CODE:005D9497 loc_5D9497:                             ; CODE XREF: sub_5D9464+17j
CODE:005D9497                 cmp     word ptr [ebx+2Ah], 0
CODE:005D949C                 jz      short loc_5D94A8
CODE:005D949E                 mov     ecx, esi
CODE:005D94A0                 mov     dl, 2
CODE:005D94A2                 mov     eax, [ebx+2Ch]
CODE:005D94A5                 call    dword ptr [ebx+28h]
CODE:005D94A8
CODE:005D94A8 loc_5D94A8:                             ; CODE XREF: sub_5D9464+26j
CODE:005D94A8                                         ; sub_5D9464+38j
CODE:005D94A8                 pop     esi
CODE:005D94A9                 pop     ebx
CODE:005D94AA                 retn
CODE:005D94AA sub_5D9464      endp

Somehow, i'm still not doing something right with the registers, and I can't figure out what.

When I do something in game i get the error msg: Error in address: xxx, couldnt write address: xxx.

The data that the hook gets is alright:

Send hook: 72055760 4837768 say hello
Send hook: 72055760 500 ncif 1 455015
Send hook: 72055760 100 walk 34 103 0 11

yoyoboss09 · 10/17/2011, 17:52

what exactly are you trying to do? o-o

Rorc · 10/17/2011, 17:55

I think the hook is just for a test right now, as I'm seeing.
And from what it looks like, it's gonna be some sort of packet Bot?

~~ms~~ · 10/17/2011, 18:56

Using Microsoft's Detours-library instead of your own detour-function would make your hook easier since you wouldn't have to deal with the registers.

blackmorpheus · 10/17/2011, 19:27

Quote:

Originally Posted by Metin2Spieler97

Using Microsoft's Detours-library instead of your own detour-function would make your hook easier since you wouldn't have to deal with the registers.

I don't really see what you're saying here.

I'm dealing with a __usercall function. Parameters are not pushed onto the stack, they are inside the eax edx etc registers.
This is why i have to do a naked function, to handle the registers myself.

What this does is it logs all the actions that user does.
Later on i'll add a simple wrapper to call this function so you can let it act like a bot.

~~ms~~ · 10/17/2011, 19:54

Perhaps the local variables inside your detour-function are overwriting some other values on the stack. Try saving the registers into global variables instead, maybe that will do the trick.

blackmorpheus · 10/17/2011, 21:19

Quote:

Originally Posted by Metin2Spieler97

Perhaps the local variables inside your detour-function are overwriting some other values on the stack. Try saving the registers into global variables instead, maybe that will do the trick.

Thanks, this did the trick.

I was quickly browsing through the german threads, and i saw they had a similar tools, that's why i made this. My german is not that good so i don't really understand what they're doing with it.

~~Mr.Crunch~~ · 10/18/2011, 18:32

So it's working?

(So the question in my thread is allready answered?)

blackmorpheus · 10/18/2011, 19:34

Quote:

Originally Posted by Mr.Crunch

So it's working?
(So the question in my thread is allready answered?)

No, i still cannot send packets myself...
Where do you actually call this function?

In another thread, or do you hook somewhere in nostalex.dat ?