Alright, well, after being flamed and accused and a number of other unwarranted things, it came down to being accused of stealing something someone PM'd to me. Here is what I got on another forum:
Yes you stole that from me from PM's I sent you on Blizzhackers.
Again, I'm "Fairlight" on there because I couldn't initially register on there and have been using friend Fairlight's account since then.
It was me that spent many hours tracking those two offsets down when that patch came out.
And I still continued to help you when you were trying to get the follow NPC thing going.
You can give me some credit for it, but then it's probably fairly common knowledge around here.
And I thought you gave me your word not to share those kind of things?
So since I've been so directly accused of stealing it anyway, I might as well release the packet decryption stuff. It is my hope that through this, some public code or a PM will end up in my lap for decrypting packets without hooking, but since this is what I have, this is what I'll share.
Let it be known that the sole reason I'm doing this is I'm tired of being flamed and accused of shit that isn't true. So I might as well make it true. Now I am releasing what I promised I never would, and I hope that public packet structures will be popping up soon.
Here's what you need to get yourself started with packet decryption:
1) madCodeHook, or another means to inject DLLs into a process
2) These offsets:
#define OFFSET_RECVHOOK 0x5B0390
#define OFFSET_SENDHOOK 0x536F70
3) And some assembly to stub those locations:
Code:
#include <windows.h>

#define NAKED __declspec(naked)

// Globals filled in by the stubs below and read by the hook callbacks
DWORD g_dwRecvData = 0, g_dwRecvSize = 0;
DWORD g_dwSendData = 0, g_dwSendSize = 0;
BOOL  g_bAbortSend = FALSE;

// Implemented elsewhere in the DLL: packet handlers (no arguments, they read
// the globals above) and debug logging
void RecvHook(void);
void SendHook(void);
void TraceOut(const char *fmt, ...);

void JumpPatch(void *pSrcAddr, UINT uDstAddr)
{
    // Make the jump location writeable
    DWORD dwIgnore = 0;
    if(VirtualProtectEx(GetCurrentProcess(), (void *) uDstAddr, 32, PAGE_EXECUTE_READWRITE, &dwIgnore))
    {
        // Install the jump patch: E9 rel32, relative to the end of the 5-byte jmp
        BYTE *pDst = (BYTE *) uDstAddr;
        pDst[0] = 0xE9; // Jump instruction
        *((int *) &pDst[1]) = ((int) pSrcAddr - (int) uDstAddr - (int) 5);
    }
    else
        TraceOut("\nCD: JumpPatch() -> VirtualProtectEx() failed! SRC: 0x%X DST: 0x%X\n", (int) pSrcAddr, uDstAddr);
}

NAKED void RecvHookPatch(void)
{
    _asm
    {
        // Data pointer = [esi+20h] + [esi+1Ch], size = var_8
        mov eax,[esi + 1CH]
        mov edx,[esi + 20H]
        add edx,eax
        mov ecx,[ebp + -8 /*var_8*/]
        mov g_dwRecvData,edx
        mov g_dwRecvSize,ecx
        pushad
        call RecvHook
        popad
        // Original code (the 6 bytes overwritten by the jmp), then resume
        mov edx,[esi + 20H]
        mov eax,05B0396H
        mov edi,[ebp + -10H /*var_10*/]
        jmp eax
    };
}

NAKED void SendHookPatch(void)
{
    _asm
    {
        // Get arg_0
        mov edx,[esp + (1 * 4)]
        // Default to no abort
        mov g_bAbortSend,FALSE
        // Get data pointer from structure
        mov eax,[edx + (1 * 4)]
        mov g_dwSendData,eax
        // Get size from structure
        mov eax,[edx + (4 * 4)]
        mov g_dwSendSize,eax
        pushad
        call SendHook
        popad
        // Abort send?
        cmp g_bAbortSend,FALSE
        mov eax,0536F77H // Jump point
        jz short Continue
        // Abort: return to the caller without sending, popping arg_0
        retn 4
        // Original code (the 7 bytes overwritten by the jmp), then resume
    Continue:
        push ebp
        mov ebp,esp
        push ebx
        push esi
        mov esi,ecx
        jmp eax
    };
}

// Call once after the DLL has been injected (e.g. from DllMain)
void InstallHooks(void)
{
    // Pick off receive data after it's decoded
    JumpPatch(RecvHookPatch, OFFSET_RECVHOOK);
    // Get send data before it's encrypted
    JumpPatch(SendHookPatch, OFFSET_SENDHOOK);
}
The only thing you need to know is that the values stored in the global variables are not the complete size of the packet. They are the size returned from the recv or send call. As such, a hooked call may deliver just 2 bytes: the first 2 bytes of the packet, which hold the packet size in big-endian order (reverse the 2 bytes and convert to uint16).
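Since the hook hands over whatever recv/send returned (sometimes only the 2-byte size header, sometimes several packets at once), a relay or monitor has to reassemble frames itself. Here is an added example of that reassembly, my own code and not part of the DLL or RelayServer above; it assumes the big-endian size counts the whole packet including the header (flip LEN_INCLUDES_HEADER if your protocol counts only the body), and the chunks in run_demo() are constructed test data.

```c
#include <stdint.h>
#include <string.h>

/* Assumption: the 2-byte big-endian prefix counts the whole packet, header
 * included. Set to 0 if the protocol counts only the bytes after the prefix. */
#define LEN_INCLUDES_HEADER 1

typedef struct { uint8_t buf[4096]; size_t len; } frame_asm_t;
typedef void (*frame_cb)(const uint8_t *frame, size_t len, void *ctx);

/* Feed one chunk as delivered by the recv/send hook; it may be just the 2-byte
 * header, a partial body, or several packets back to back. Complete frames are
 * handed to cb. Returns frames emitted, or -1 after resetting on bad input. */
int feed_chunk(frame_asm_t *st, const uint8_t *data, size_t n, frame_cb cb, void *ctx)
{
    int emitted = 0;
    if (st->len + n > sizeof st->buf) { st->len = 0; return -1; } /* oversize: drop */
    memcpy(st->buf + st->len, data, n);
    st->len += n;
    while (st->len >= 2) {
        size_t flen = ((size_t)st->buf[0] << 8) | st->buf[1]; /* big-endian uint16 */
        if (!LEN_INCLUDES_HEADER) flen += 2;
        if (flen < 2) { st->len = 0; return -1; }  /* size smaller than its own header */
        if (st->len < flen) break;                 /* wait for the rest of the packet */
        cb(st->buf, flen, ctx);
        emitted++;
        memmove(st->buf, st->buf + flen, st->len - flen);
        st->len -= flen;
    }
    return emitted;
}

/* Demo harness: constructed chunks mimicking what the hook would report. */
static size_t g_frame_lens[8];
static int g_frame_count;
static void record_cb(const uint8_t *frame, size_t len, void *ctx)
{
    (void)frame; (void)ctx;
    if (g_frame_count < 8) g_frame_lens[g_frame_count] = len;
    g_frame_count++;
}

int run_demo(void)
{
    static const uint8_t hdr_only[] = { 0x00, 0x06 };              /* size-only chunk */
    static const uint8_t body[]     = { 0xAA, 0xBB, 0xCC, 0xDD };  /* rest of frame 1 */
    static const uint8_t two[]      = { 0x00, 0x03, 0x01, 0x00, 0x04, 0x02, 0x03 }; /* 2 frames */
    frame_asm_t st = { {0}, 0 };
    g_frame_count = 0;
    feed_chunk(&st, hdr_only, sizeof hdr_only, record_cb, NULL); /* nothing complete yet */
    feed_chunk(&st, body, sizeof body, record_cb, NULL);         /* frame 1 (6 bytes) */
    feed_chunk(&st, two, sizeof two, record_cb, NULL);           /* frames 2 (3) and 3 (4) */
    return g_frame_count;
}
```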
I have written a RelayServer that injects this DLL and acts as a TCP server to pass packets to any connected TCP client in a similar structure. If anyone is interested, I may post the RelayServer.
In addition, I've written a client that uses the server. It is a complex scripting engine using CodeDom from .NET, and is already quite advanced. I may look at releasing some of my work, since people like Fairlight have pissed me off to the point of leaving the whole hacking scene altogether.
For the record, I never stole anything, one day I woke up with a PM and the offsets. Secondly, I gave Fairlight credit for what he did, and still do. He chooses to read only the posts he wants to, then whines in an educated fashion. Many times in the original post I indicated that I was given the offsets, but still he chooses to claim I gave him no credit.
So, in following the attitude of the hacking community in general, FUCK YOU FAIRLIGHT. I never shared the stuff you gave me to learn from, I thank you for that, but fuck you for accusing me of shit I didn't do. I never shared it on the forums, I never stole it in the first place either. And while I DID promise I wouldn't share it, you voided any honor I held in that promise when you accused me of shit.
As for this follow NPC patch thing, now he's trying to take credit for shit he DIDN'T do as well. I did that on my own thanks. You didn't give me no offset, you didn't tell me how to hack it, you had nothing to do with that.
I give Fairlight credit for his skills, but his personality sucks. Sounds like whoever actually posted this wasn't even Fairlight but rather one of his associates. All the same, if you're going to accuse me, know your shit. I hold Fairlight responsible for his associate's comments in this case. I stole nothing, it was given to me. And on the next patch, if I found the new offsets myself, would I be accused of stealing that too?
So here's what you all need, and I hope that people who can read assembly will post the new offsets in future patches. Unfortunately, there is a patch expected on the 7th, so you better use this information quickly and figure out how to find the offsets again. I hope some of you will drop me a PM with your support in this matter, and will help to progress forward.
With any luck this will get us past the first hurdle and the community can start to work together.