[Problem] Simple sending packets

[WalrossGreat]

Hi I'm having problem with simple packet sender
That's the "walk call"

Code:

00625D83   A1 C0816700      MOV EAX,DWORD PTR DS:[6781C0]
00625D88   8B00             MOV EAX,DWORD PTR DS:[EAX]
00625D8A   BA E45D6200      MOV EDX,nostalex.00625DE4                ; ASCII "walk"
00625D8F   E8 2C50F0FF      CALL nostalex.0052ADC0

So i tried implement it to code and i got some errors (tried with char and wchar_t)

There are the errors:



Full code:

Code:

#include <windows.h>
#include <iostream>
#include <stdio.h>

class PacketString 
{
public:
	char char_t[256];
	PacketString(char* str)
	{
		char* str2 = str;
		int len = strlen(str2);
		memcpy(char_t, str2, len);
		char_t[len] = 0x0;
	}

	char* _return()
	{
		return char_t;
	}
};

void SendPacket(char* packet)
{
	DWORD adress = 0x0052ADC0;
	__asm
	{
			MOV EAX, DWORD PTR DS : [0x6781C0]
			MOV EAX, DWORD PTR DS : [EAX]
			MOV EDX, packet
			CALL adress
	}
}

void Start()
{
	PacketString example("c_info");

	SendPacket(example._return());
}

BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
{
	switch (dwReason) {
	case DLL_PROCESS_ATTACH:
		DisableThreadLibraryCalls(hModule);
		CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Start, 0, 0, 0);
		break;
	}
	return TRUE;
}

Maybe it's simple question but what's wrong here? I probably do something bad with pointer but actually I don't know what
Thanks for help.

[BladeTiger12]

Probier das mal so:

Code:

#include <windows.h>
#include <iostream>
#include <stdio.h>

class PacketString 
{
public:
	char char_t[256];
	PacketString(char* str)
	{
		char* str2 = str;
		int len = strlen(str2);
		memcpy(char_t, str2, len);
		char_t[len] = 0x0;
	}

	char* _return()
	{
		return char_t;
	}
};

void SendPacket(char* packet)
{
	DWORD adress = 0x0052ADC0;
	__asm
	{
			MOV EAX, DWORD PTR DS : [0x6781C0]
			MOV EAX, DWORD PTR DS : [EAX]
                        MOV EAX, DWORD PTR DS : [EAX]
			MOV EDX, packet
			CALL adress
	}
}

void Start()
{
	PacketString example("c_info");

	SendPacket(example._return());
}

BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
{
	switch (dwReason) {
	case DLL_PROCESS_ATTACH:
		DisableThreadLibraryCalls(hModule);
		CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Start, 0, 0, 0);
		break;
	case DLL_PROCESS_DETACH:
		break;
	case DLL_THREAD_ATTACH:
		break;
	case DLL_THREAD_DETACH:
		break;
	}
	return TRUE;
}

So viel ich weiß musst du nochmals den Wert auslesen von EAX.
(Also 2x MOV EAX, DWORD PTR DS : [EAX])

[WalrossGreat]

@BladeTiger12
Thanks for answer, anyway it's still crash NosTale (now without errors).

Anyway i saw some source and in a few of them were 2x MOV EAX, DWORD PTR DS : [EAX]
instead of 1x, but i still don't know why. In the "walk call" it's called only one time. :/

[BladeTiger12]

Try release mode.

Edit:
You got the wrong call. Here: 0x0052AD74
Impossible that 0x0052ADC0 is the call, because in walk function will is edx just "walk".(No params)

[WalrossGreat]

@BladeTiger12
Thanks, i will try it.
Anyway from what you got this 0x0052AD74?

[BladeTiger12]

Check out other packets. (e.g: In say packet)
Or reverse walk function.
Then you will find this address.

[WalrossGreat]

You are talking about this say or something others?

Code:

0052E815   8B06             MOV EAX,DWORD PTR DS:[ESI]
0052E817   50               PUSH EAX
0052E818   68 F0126100      PUSH nostalex.006112F0
0052E81D   BA 7CFC5200      MOV EDX,nostalex.0052FC7C                ; ASCII "say"
0052E822   8BC3             MOV EAX,EBX
0052E824   E8 EB73FFFF      CALL nostalex.00525C14

Anyway I should reserve it more too, shouldn't I? (Because there aren't the 0x0052AD74)

[BladeTiger12]

Yep you should more reverse.
I think you're on the wrong place.
Address is: 0x626F85.

It gives say as receive packet and as send packet.

[WalrossGreat]

@BladeTiger12
Ok, thank you, I got this place but it still crash NosTale and I don't know why. :/
Yes, i tried bulid it in relase mode, same result. I probably did something wrong with constructor of PacketString but i don't see any errors :/

(Actually it bulid and inject without errors but still crash)

[BladeTiger12]

Can I see currently code?

[WalrossGreat]

Ofc.

Code:

#include <windows.h>
#include <iostream>
#include <stdio.h>

class PacketString 
{
public:
	char char_t[256];
	PacketString(char* str)
	{
		char* str2 = str;
		int len = strlen(str2);
		memcpy(char_t, str2, len);
		char_t[len] = 0x0;
	}

	char* _return()
	{
		return char_t;
	}
};

void SendPacket(char* packet)
{
	DWORD adress = 0x0052AD74;
	__asm
	{
			MOV EAX, DWORD PTR DS : [0x6781C0]
			MOV EAX, DWORD PTR DS : [EAX]
			MOV EAX, DWORD PTR DS : [EAX]
			MOV EDX, packet
			CALL adress
	}
}

void Start()
{
	PacketString example("c_info");

	SendPacket(example._return());
}

BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
{
	switch (dwReason) {
	case DLL_PROCESS_ATTACH:
		DisableThreadLibraryCalls(hModule);
		CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Start, 0, 0, 0);
		break;
                //specially for you

	}
	return TRUE;
}

[iArtrix]

Delete one MOV EAX, DWORD PTR DS : [EAX] :v

If you use variable write 2x MOV EAX, DWORD PTR DS : [EAX] if not write one.

[BladeTiger12]

Don't work.
Hmm... I dunno why, that's strange.

Edit: It crashes if you call ASM Code in seperate Thread(CreateThread).

[k4r3r]

1. Your send function is ok.
2. Use patterns

Code:

addrPtr = Memory::Scan("\xDC\x2F\x80\x00\x68\x69\x52", "xxxxxxx", 0x400000, 0x443000);
addrSend = Memory::Scan("\x53\x56\x8B\xF2\x8B\xD8\xEB\x04", "xxxxxxxx", 0x400000, 0x442000);

3. Try to use NTString -

[Bejine]

As iArtrix said, if you don't have variable there:

Code:

MOV EAX, DWORD PTR DS : [0x6781C0]

then you write this once:

Code:

MOV EAX, DWORD PTR DS : [EAX]

If you've got variable, write it twice.
Your adresses are OK.