(ASM) Nostale Send Function

Discussion on (ASM) Nostale Send Function within the Nostale forum part of the MMORPGs category.

Old   #1
(ASM) Nostale Send Function

Hi guys, today I have a question and not a release, eheh!

I'm not very good at reverse engineering but I want to learn it..

I chose a random packet (c_skill, it's simple & fast) and now I want to try to write a function that sends the packets to the server (dll with gui).

..I have no problems making the dll, it's easy..

Then I got this with OllyDbg:

Code:
0061908B   A1 A0B06600      MOV EAX,DWORD PTR DS:[66B0A0]
00619090   8B00             MOV EAX,DWORD PTR DS:[EAX]
00619092   BA F4926100      MOV EDX,nostalex.006192F4                ; ASCII "c_skill"
00619097   E8 F85BF0FF      CALL nostalex.0051EC94
0061909C   E9 32010000      JMP nostalex.006191D3
006190A1   A1 F8BF6600      MOV EAX,DWORD PTR DS:[66BFF8]
006190A6   8B00             MOV EAX,DWORD PTR DS:[EAX]
006190A8   8B40 40          MOV EAX,DWORD PTR DS:[EAX+40]
I tried with:

Code:
char *packet = "c_skill";
DWORD send_addr = 0x0051EC94;
_asm
{
	MOV EDX, packet
	CALL send_addr
}
But the client crashes when I click on the button, it doesn't work..

So I thought I had to add this:

Code:
0061908B   A1 A0B06600      MOV EAX,DWORD PTR DS:[66B0A0]
00619090   8B00             MOV EAX,DWORD PTR DS:[EAX]
Then I wrote this:

Code:
char *packet = "c_skill";
DWORD send_addr = 0x0051EC94, send_eax = 0x0066B0A0;
_asm
{
	MOV EAX, DWORD PTR DS:[send_eax]
	MOV EAX, DWORD PTR DS:[EAX]
	MOV EDX, packet
	CALL send_addr
}
But I get the same problem..
Can somebody that knows how to reverse help me? Thanks, I'm waiting for answers..
Sm•ke is offline  
Old 11/06/2013, 23:10   #2
You have to zoidberg the send address pointer.

Code:
char *packet = "c_skill";
DWORD send_addr = const_cast<whoop*>0x0051EC94, send_eax = const_cast<whoop*>0x0066B0A0;
_asm
{
	MOV EAX, DWORD WHOOP[PTR DS:[send_eax]]
	MOV EAX, DWORD WHOOP[PTR DS:[EAX]]
	MOV EDX, WHOOP[packet]
	CALL send_addr
}
Elektrochemie is offline  
Old 11/06/2013, 23:21   #3
What exactly does the whoop do? And what is the library for it? Thanks man!
Sm•ke is offline  
Old 11/06/2013, 23:58   #4
Haha no dude, it was a joke.
Your code looks correct.

Code:
char *packet = "c_skill";
DWORD send_addr = 0x0051EC94, send_eax = 0x0066B0A0;
_asm
{
	MOV EAX, DWORD PTR DS:[send_eax]
	MOV EAX, DWORD PTR DS:[EAX]
	MOV EDX, packet
	CALL send_addr
}
Are you sure that send_addr is correct?
Maybe something's wrong with
char *packet = "c_skill";
I know it's working with AnsiStrings of VCL, so try a 0x00 termination at the end of the packet.
Did you try to set a breakpoint at send_addr and see in the registers what's different?
Elektrochemie is offline  
Old 11/07/2013, 00:09   #5
Quote:
Originally Posted by Elektrochemie
Haha no dude, it was a joke.
Your code looks correct.

Code:
char *packet = "c_skill";
DWORD send_addr = 0x0051EC94, send_eax = 0x0066B0A0;
_asm
{
	MOV EAX, DWORD PTR DS:[send_eax]
	MOV EAX, DWORD PTR DS:[EAX]
	MOV EDX, packet
	CALL send_addr
}
Are you sure that send_addr is correct?
Maybe something's wrong with
char *packet = "c_skill";
I know it's working with AnsiStrings of VCL, so try a 0x00 termination at the end of the packet.
Did you try to set a breakpoint at send_addr and see in the registers what's different?
Mmmh!! Funny video, ahah XD
You totally fucked me, man! lol..

One moment and I'll tell you what is wrong in the registers at send_addr. The address is right, as you can see in the asm code that I wrote in the first post.. and all packets have it (the call) after eax and edx.. and with a breakpoint I see all packets that the client sends..

If you want to test, here is the download of the dll.. just inject it into the client xD

PS. I already tried to add 0x00 at the end of the packet but it doesn't change anything..

------------------------------------------------------------------------------
Ok, I post 3 screens for you..

1) c_skill from client ( normal, not dll ):
2) c_skill from dll:
3) error:
Sm•ke is offline  
Old 11/07/2013, 14:42   #6
Code:
__asm
{
	mov eax, dwRawPacketPTR
	mov eax, DWORD PTR DS:[eax]
	mov eax, DWORD PTR DS:[eax]
	mov edx, szPacket
	call dwSendRawPacket
}
Maybe this will help you ;D
PainToTheWorld is offline  
Old 11/07/2013, 15:06   #7

Thanks PainToTheWorld but it doesn't work..

dwRawPacketPTR = 0066B0A0?
dwSendRawPacket = 0051EC94?

I tried this:

Code:
void SEND_TO_SERVER(char *packet)
{
	DWORD send_addr = 0x0051EC94, send_eax = 0x0066B0A0;
	__asm
	{
		mov eax, send_eax
		mov eax, DWORD PTR DS:[eax]
		mov eax, DWORD PTR DS:[eax]
		mov edx, packet
		call send_addr
	}
}
And when I try to use it on the client, it crashes :O
Sm•ke is offline  
Old 11/07/2013, 17:45   #8

It crashes? Or do you just get an access violation message?
It should work.. if you give the function a null-terminated string...
Send me your code for testing.
PainToTheWorld is offline  
Old 11/07/2013, 18:26   #9

Try this
Code:
__asm
{
	MOV EDX, packet
	MOV EAX, DWORD PTR DS:[654DDC]	// 654DDC is an old address, you need to put the new one
	MOV EAX, DWORD PTR DS:[EAX]
	MOV EAX, DWORD PTR DS:[EAX]
	MOV EAX, DWORD PTR DS:[EAX]
	CALL send_addr
}
Hatish is offline  
Old 11/07/2013, 19:20   #10
Code:
void SEND_TO_SERVER(char *packet)
{
	DWORD send_addr = 0x0051EC94, send_eax = 0x0066B0A0;
	__asm
	{
		MOV EDX, packet
		MOV EAX, DWORD PTR DS:[send_eax]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		CALL send_addr
	}
}
Doesn't work..

Pain, if you read my post, I already told you the code that I've tried..
It crashes, no access violation..
Sm•ke is offline  
Old 11/07/2013, 20:45   #11

Look at the function (as an example; there are more single packets)
Quote:
snap
There you can see the complete send function. Copy it 1:1.
_RowLegend_ is offline  
Old 11/07/2013, 23:43   #12

It doesn't change anything, c_skill does the same.. xD

Code:
00657223   A1 A0B06600      MOV EAX,DWORD PTR DS:[66B0A0]
00657228   8B00             MOV EAX,DWORD PTR DS:[EAX]
0065722A   BA F4726500      MOV EDX,nostalex.006572F4                ; ASCII "snap"
0065722F   E8 607AECFF      CALL nostalex.0051EC94
But I don't know why the function doesn't work..

OK GUYS!!

I tried with:

Code:
void SEND_TO_SERVER(char *packet)
{
	packet[strlen(packet)] = 0;

	DWORD SEND_EAX = 0x66B0A0, C_SKILL = 0x006192F4, SEND_ADDR = 0x0051EC94;

	__asm
	{
		MOV EAX, DWORD PTR DS:[SEND_EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EDX, packet
		CALL SEND_ADDR
	}
}
And the client crashes.. I replaced MOV EDX, packet with MOV EDX, C_SKILL and it worked..

The problem is in char *packet = "c_skill";

Elektrochemie said that the Nostale client uses AnsiString, do I need to use it? Does Embarcadero include it?
Sm•ke is offline  
Old 11/09/2013, 15:45   #13

Can somebody help me?
Sm•ke is offline  
Old 11/09/2013, 17:14   #14
Try with this
Code:
void SEND_TO_SERVER(char *packet)
{
	packet[strlen(packet)] = 0;

	DWORD SEND_EAX = 0x66B0A0, PACKET = &packet, SEND_ADDR = 0x0051EC94;

	__asm
	{
		MOV EAX, DWORD PTR DS:[SEND_EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EAX, DWORD PTR DS:[EAX]
		MOV EDX, PACKET
		CALL SEND_ADDR
	}
}
------
Edit: I don't want to go up to 500 posts yet.
You need to move the pointer (& <- shows the pointer) to a DWORD I think, then you set the pointer of the char* at the DWORD :P
ernilos is offline  
Old 11/09/2013, 18:42   #15

ernilos, it's impossible..
You can't use a char** to initialize a DWORD entity..

Before you told me that.. I already tried with:

Code:
PACKET = (DWORD)&packet
but it doesn't work, the client crashes <.<
Sm•ke is offline  