pkedpker Master Cheater
Reputation: 1
Joined: 11 Oct 2006 Posts: 412
Posted: Wed Aug 13, 2008 2:31 am Post subject: Kinda Hooking question how I do this.. |
I'm very new to C++ and assembly both together, but I want to do this to learn how to hack games with it.
I have found the encryption of the packet before it's sent to the game's send call, and I could edit it in the debugger to send a different packet when it encrypts.
I also managed to redirect the call to a different function and sniff the unencrypted data and modify it if I want to, as it sends.
Now the last thing I want to do, and I have tried for 2 days now and can't, is send my own packets at will without depending on the client to cough up some packet so I could modify it.
Here is the assembly where the original call is to encryption
Code:
0057CDD0 . 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
0057CDD4 . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
0057CDD8 . 50 PUSH EAX
0057CDD9 . 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
0057CDDD . 52 PUSH EDX
0057CDDE . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
0057CDE2 . 50 PUSH EAX
0057CDE3 . 52 PUSH EDX
0057CDE4 . 81C1 482C0100 ADD ECX,12C48
0057CDEA . E8 41721200 CALL debug.006A4030 ;<- trying to hook this!
0057CDEF . 83F8 FF CMP EAX,-1
0057CDF2 . 74 0C JE SHORT debug.0057CE00
0057CDF4 . 85C0 TEST EAX,EAX
0057CDF6 . 74 08 JE SHORT debug.0057CE00
0057CDF8 . B8 01000000 MOV EAX,1
0057CDFD . C2 1400 RETN 14
0057CE00 > 33C0 XOR EAX,EAX
0057CE02 . C2 1400 RETN 14
I tried this.
Code:
void test(int sizeofPacket, char *data) {
    unsigned int classNumber = 0x12C48;
    unsigned int CryptAddr = 0x006A4030;
    __asm {
        // Save all registers so we can restore them after we're done.
        PUSHAD
        // IDK, THIS COULD BE USELESS DATA JUST TO MAKE THE FRAME STRUCTURE OR SOMETHING,
        // BUT IT STILL NEEDS TO BE SENT, OTHERWISE IT CRASHES THE GAME BECAUSE CryptAddr USES THIS DATA.
        // Note: these [ESP+xx] loads read test()'s own stack frame (below the PUSHAD save area), not the game's.
        MOV EAX, DWORD PTR SS:[ESP+0x14]   // ESP + 20 -> EAX
        MOV EDX, DWORD PTR SS:[ESP+0xC]    // ESP + 12 -> EDX
        PUSH EAX                           // first forwarded value
        MOV EAX, DWORD PTR SS:[ESP+0xC]    // ESP + 12 -> EAX (ESP moved by the push)
        PUSH EDX                           // second forwarded value
        MOV EDX, DWORD PTR SS:[ESP+0xC]    // ESP + 12 -> EDX (ESP moved again)
        // THIS IS WHERE IT ALL HAPPENS
        PUSH sizeofPacket                  // size of packet (17); the 2nd byte in the packet has to equal the same.
        PUSH data                          // pointer to packet
        ADD ECX, classNumber               // add classNumber to whatever ECX happens to hold here
        CALL CryptAddr                     // call the encryption function
        POPAD
    }
}
But the game crashes without any errors.
I also tried simpler versions I made myself,
such as
Code:
__asm{
    push sizeofPacket
    push data
    call CryptAddr
}
and finally
Code:
__asm{
    push sizeofPacket
    push data
    mov edx,CryptAddr
    call edx
}
People told me to use naked.
#define Naked __declspec( naked )
But the thing is, I don't want to re-route the function. I already have that done without any nakeds.
Like I have
MySendFunction() and OriginalSendFunction(), both bound to different memory addresses,
but the OriginalSendFunction() uses data which I can't replicate to form my own send function, like it uses some kind of number that goes up by 3000 or even more. I think it's something related to the stack, eax, ecx, every packet; sometimes it goes up by less. So I want to make a function that sends unencrypted packets and automatically encrypts them inside the game, but without those extra parameters.
So please, someone help me out. I know you guys know what you're doing here, and I'm struggling. I want this completed to feel some sense of accomplishment and excitement, plus I want to hack in my game xD
Zand Master Cheater
Reputation: 0
Joined: 21 Jul 2006 Posts: 424
Posted: Wed Aug 13, 2008 3:09 am Post subject: |
The function you want to hook probably takes more than 2 parameters, and for something like that you should use __declspec( naked ). POP after you PUSH.
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Wed Aug 13, 2008 3:13 am Post subject: |
Zand wrote:
    The function you want to hook probably takes more than 2 parameters, and for something like that you should use __declspec( naked ). POP after you PUSH.

You don't need to pop after you push, since the call will take care of it with the RETN. To figure out how many parameters it takes, just look at the RETN XX.
pkedpker Master Cheater
Reputation: 1
Joined: 11 Oct 2006 Posts: 412
Posted: Wed Aug 13, 2008 3:25 am Post subject: |
so how exactly should the whole function look in C++? I've posted the assembly where I hook it from.
Zand Master Cheater
Reputation: 0
Joined: 21 Jul 2006 Posts: 424
Posted: Wed Aug 13, 2008 4:06 am Post subject: |
Exactly which address are you placing the jump at?
sponge wrote:
    you don't need to pop after you push since the call will take care of it with the RETN. To figure out how many parameters it takes just look at the RETN XX.

You can't be sure from the RETN XX because you don't know the size of the arguments.
pkedpker Master Cheater
Reputation: 1
Joined: 11 Oct 2006 Posts: 412
Posted: Wed Aug 13, 2008 4:26 am Post subject: |
Code:
0057CDD0 . 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
0057CDD4 . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
0057CDD8 . 50 PUSH EAX
0057CDD9 . 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
0057CDDD . 52 PUSH EDX
0057CDDE . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
0057CDE2 . 50 PUSH EAX
0057CDE3 . 52 PUSH EDX
0057CDE4 . 81C1 482C0100 ADD ECX,12C48
0057CDEA . E8 41721200 CALL debug.006A4030 ;<- TRYING TO HOOK THIS!
0057CDEF . 83F8 FF CMP EAX,-1
0057CDF2 . 74 0C JE SHORT debug.0057CE00
0057CDF4 . 85C0 TEST EAX,EAX
0057CDF6 . 74 08 JE SHORT debug.0057CE00
0057CDF8 . B8 01000000 MOV EAX,1
0057CDFD . C2 1400 RETN 14
0057CE00 > 33C0 XOR EAX,EAX
0057CE02 . C2 1400 RETN 14
Yeah, I guessed the arguments for the proxy hook. That 006A4030 is what I want to hook with a function, but I don't want it to have the FULL arguments, one of the arguments being a value that increases every time it's called. It's not a static increase by 1 or something; it increases randomly as the program runs. It seems to be some kind of pointer to a stream or something, but it's useless to me.
If I can edit the packet in OllyDbg and send it back no problem, and I also could proxy re-route it no problem, then why can't I send it directly?
By proxy send I mean:
in game I chat and say the letter a.
After I do, a packet is received on send; I could modify it before it's encrypted and make it attack a monster, but for the bot to work I have to keep spamming a in chat, LOL, and the game does have a spam limiter built in client-side, so it's pointless.
I want to be able to send packets as a DLL injection without relying on spamming a's in game!
I saved the address with an auto assembly sequence scanner I coded, so it would update my hack every time the game gets a new patch or something.
Anyways, I saved 006A4030, the address I want to hook, as the OriFunction() for proxying, and it got replaced with the address of another function where I do the proxying.
But now the real question: how do I just call 006A4030 with my own arguments? Maybe ignore the useless ones.
Robotex Master Cheater
Reputation: 0
Joined: 05 Sep 2006 Posts: 378 Location: The pizza country!
Posted: Wed Aug 13, 2008 5:16 am Post subject: |
Quote:
    you don't need to pop after you push since the call will take care of it with the RETN. To figure out how many parameters it takes just look at the RETN XX.

There are different calling conventions with different parameter management, so there are times when you have to clean up the stack (cdecl, for example).
http://www.programmersheaven.com/2/Calling-conventions
Code:
0057CDD0 . 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
0057CDD4 . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
0057CDD8 . 50 PUSH EAX
0057CDD9 . 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
0057CDDD . 52 PUSH EDX
0057CDDE . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
0057CDE2 . 50 PUSH EAX
0057CDE3 . 52 PUSH EDX
0057CDE4 . 81C1 482C0100 ADD ECX,12C48
0057CDEA . E8 41721200 CALL debug.006A4030 ;<- TRYING TO HOOK THIS!
If it's a C++-written game, I'm almost sure you're forgetting ECX, which is the class instance. Look somewhere above the assembly you posted and check for a mov ecx, [R32].
If you find that, you have to either find out a base pointer which points to the instance, or create a one-time hook and store the instance (like I do).
Code:
DWORD SOMEVAR;   // the class instance (ECX) captured by the one-time hook

void __declspec(naked) EncryptionHook(void* arg1, blabla)
{
    __asm
    {
        mov SOMEVAR, ECX      // save the instance the game passed in ECX
        // Call unhook function (restore the original bytes), then continue into the original
    }
}

DWORD EncryptPacket(blabla)
{
    DWORD retval;
    __asm
    {
        PUSHAD
        MOV ECX, SOMEVAR      // instance pointer for the call
        // arguments pushes and call
        MOV retval, eax       // return value of the encryption routine
        POPAD
    }
    return retval;
}
// PS: you always have to push and eventually clean all the arguments, or the stack will get messed up and the game can have undefined behaviour (mostly a crash).
So even if it requires some static or weird values, always push them.
_________________
ASM/C++ Coder
Project Speranza lead developer
pkedpker Master Cheater
Reputation: 1
Joined: 11 Oct 2006 Posts: 412
Posted: Wed Aug 13, 2008 5:30 am Post subject: |
Yes, it's written in Visual Studio 8.0 or so, anyway.
That's the whole calling code, as deep as I could possibly go. Above it is a bunch of
INT3's
and below it is a bunch of
INT3's.
I call
0057CDE4 . 81C1 482C0100 ADD ECX,12C48
this the class, since someone pointed it out to me before.
Anyways, your example confuses me even more, lol.
Logically I don't see how this is possible to do. If I call the encrypt function at any random time, then ECX or EAX or whatever is always processed by other lines of code of the game, so it's always random.
I can't depend on those to hold the information I need for this to work, right?
Can you show me a working example?
I don't even know what you mean by unhook function.
I thought it was simple, like
Code:
... ignore useless lines above and below and just do
__asm{
    push sizeofPacket
    push data
    call 0x006A4030
}
and it did somehow call the encrypt function; I was following it in OllyDbg. But the stuff it pushed in was totally screwed up, like the size was 5000h or something instead of 16h, and the packet was pointing to somewhere in game. Basically every time I pressed it, it corrupted itself!
Robotex Master Cheater
Reputation: 0
Joined: 05 Sep 2006 Posts: 378 Location: The pizza country!
Posted: Wed Aug 13, 2008 5:45 am Post subject: |
Quote:
    Logically I don't see how this is possible to do. If I call the encrypt function at any random time then ECX or EAX whatever is always processed by other lines of code of the game so it's always random.
    I can't depend on those to hold the information I need for this to work right?

Check this example:
Code:
class CFooTwo
{
public:
    void func(int);
};

class CFooOne
{
public:
    void lmao() { m_foo.func(12345); }
private:
    CFooTwo m_foo;
};

static CFooOne g_moo;
Let's say CFooOne is an abstract class or some kind of interface for the game, maybe CNetworkInterface.
CFooTwo is the encryption class, CPacketEncryption.
In C++, to call CFooTwo's func you write
g_moo.lmao();
The compiler translates that code to something like this:
Code:
; calling lmao:
pushad
mov ecx, g_moo          ; class instance
call lmao
popad

; function lmao:
push ebx
mov ebx, ecx            ; remember we stored the g_moo instance in ecx
mov ecx, [ebx+offset]   ; the address of the CFooTwo instance inside g_moo (m_foo)
push 12345
call func
C++ always uses ecx as class instance storage; an instance is a piece of memory where all the class variables are stored.
PS: sometimes the compiler doesn't do mov ecx, [base instance+offset]; it does straight
add baseinstance, offset
and stores it to ecx, like your assembly.
PS2: by unhook function I mean restore the original opcodes, because we need to retrieve the parameters just once.
Quote:
    and it did somehow call the encrypt function I was following it in OllyDbg.. but the stuff it pushed in was totally screwed up like the size was 5000h or something instead of 16h and the packet was pointing to somewhere in game basically every time I pressed it it corrupted itself!

Quote:
    //ps. you always have to push and eventually clean all the arguments, or the stack will get messed up and the game can have undefined behaviours (mostly crash)
    so even if it requires some static or weird values, always push them
_________________
ASM/C++ Coder
Project Speranza lead developer
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Wed Aug 13, 2008 1:12 pm Post subject: |
Zand wrote:
    Exactly which address are you placing the jump at?
    sponge wrote:
        you don't need to pop after you push since the call will take care of it with the RETN. To figure out how many parameters it takes just look at the RETN XX.
    You can't be sure from the RETN XX because you don't know the size of the arguments.

Rarely do people ever push words or bytes onto the stack. The RETN is your best bet if your analyzer doesn't already show you the parameters.
pkedpker Master Cheater
Reputation: 1
Joined: 11 Oct 2006 Posts: 412
Posted: Wed Aug 13, 2008 6:54 pm Post subject: |
Sorry for being thick, lol. I know what an instance is, like an array of struct Player; that array would contain instances of the Player struct, one for each player.
I know, but I'm asking for exactly how to do this, as I have no idea how to do it.
I don't believe I need anything with classes in this case, because my poor attempts actually called the encryption function without ANY problem except the crashing, which is because the data the encryption function wants was incorrect and maybe corrupt.
I was thinking maybe make a code cave to put in the shit it really needs or something, then my own data, but again for me it's too hard, with all the jumping and shit. I always end up making endless loops.
Whatever, I gotta download some hack DLL sources and learn from them.
rapion124 Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Mar 2007 Posts: 1095
Posted: Wed Aug 13, 2008 7:28 pm Post subject: |
Are you sure you understand the routine completely? For example, what is the value at [esp+14], [esp+0C]? I think that the function takes a structure as a pointer and gets members from the struct. Most likely, it's an access violation, because the program silently exits. Try seeing what the parameters do and step into the function.
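The disagreement above about what the RETN XX tells you, what sits at [esp+14] and [esp+0C], and why ECX matters is easiest to settle by working through the wrapper bytes the thread posted. What follows is an added example written for this page in C; it is not code from any poster. It is a small symbolic decoder for just the opcodes in that listing: it tracks which entry-frame slot each [esp+disp] load reads as the wrapper's own pushes move ESP, so it recovers which wrapper arguments are forwarded to the callee and in what order, resolves the E8 rel32 target to 006A4030, pulls the ADD ECX immediate, and reads the wrapper's RETN 14 as five DWORD arguments. The byte array is typed in by hand from the OllyDbg listing; the function and type names (analyze_wrapper, callee_arg, wrapper_info) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes of the wrapper exactly as the OllyDbg listing in the thread shows them
   (0057CDD0 .. 0057CE04), typed in by hand for this example. */
static const uint8_t WRAPPER[] = {
    0x8B,0x44,0x24,0x14,             /* 0057CDD0  mov eax,[esp+14] */
    0x8B,0x54,0x24,0x0C,             /* 0057CDD4  mov edx,[esp+0C] */
    0x50,                            /* 0057CDD8  push eax         */
    0x8B,0x44,0x24,0x0C,             /* 0057CDD9  mov eax,[esp+0C] */
    0x52,                            /* 0057CDDD  push edx         */
    0x8B,0x54,0x24,0x0C,             /* 0057CDDE  mov edx,[esp+0C] */
    0x50,                            /* 0057CDE2  push eax         */
    0x52,                            /* 0057CDE3  push edx         */
    0x81,0xC1,0x48,0x2C,0x01,0x00,   /* 0057CDE4  add ecx,12C48    */
    0xE8,0x41,0x72,0x12,0x00,        /* 0057CDEA  call 006A4030    */
    0x83,0xF8,0xFF,                  /* 0057CDEF  cmp eax,-1       */
    0x74,0x0C,                       /* 0057CDF2  je short         */
    0x85,0xC0,                       /* 0057CDF4  test eax,eax     */
    0x74,0x08,                       /* 0057CDF6  je short         */
    0xB8,0x01,0x00,0x00,0x00,        /* 0057CDF8  mov eax,1        */
    0xC2,0x14,0x00,                  /* 0057CDFD  retn 14          */
    0x33,0xC0,                       /* 0057CE00  xor eax,eax      */
    0xC2,0x14,0x00,                  /* 0057CE02  retn 14          */
};
#define WRAPPER_BASE 0x0057CDD0u

/* Symbolic stack label: 0 = wrapper's return address, k > 0 = wrapper argument k
   (at [esp+4*k] on entry), -1 = unknown. */
typedef struct {
    int      pushed[8];     /* labels pushed before the CALL, in push order */
    int      npushed;
    uint32_t call_target;   /* absolute target of the E8 rel32 CALL         */
    uint32_t ecx_delta;     /* immediate of ADD ECX,imm32 (member offset)   */
    int      ret_bytes;     /* immediate of RETN imm16, -1 if never reached */
} wrapper_info;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode only the opcodes the listing uses. Each [esp+disp8] load is mapped back to an
   entry-frame slot by subtracting the number of DWORDs the wrapper has pushed so far. */
int analyze_wrapper(const uint8_t *code, size_t len, uint32_t base, wrapper_info *out) {
    int eax = -1, edx = -1;               /* symbolic register contents */
    size_t i = 0;
    memset(out, 0, sizeof *out);
    out->ret_bytes = -1;
    while (i < len) {
        uint8_t op = code[i];
        if (op == 0x8B && i + 3 < len && code[i + 2] == 0x24) {        /* mov r32,[esp+disp8] */
            int disp  = (int8_t)code[i + 3];
            int label = disp / 4 - out->npushed;                        /* undo our own pushes */
            if (code[i + 1] == 0x44)      eax = label;                  /* ModRM selects eax */
            else if (code[i + 1] == 0x54) edx = label;                  /* ModRM selects edx */
            else return -1;
            i += 4;
        } else if (op == 0x50 || op == 0x52) {                          /* push eax / push edx */
            if (out->npushed >= 8) return -1;
            out->pushed[out->npushed++] = (op == 0x50) ? eax : edx;
            i += 1;
        } else if (op == 0x81 && i + 5 < len && code[i + 1] == 0xC1) {  /* add ecx,imm32 */
            out->ecx_delta = rd32(code + i + 2);
            i += 6;
        } else if (op == 0xE8 && i + 4 < len) {                         /* call rel32 */
            out->call_target = base + (uint32_t)(i + 5) + rd32(code + i + 1);
            i += 5;
        } else if (op == 0xC2 && i + 2 < len) {                         /* retn imm16 */
            out->ret_bytes = code[i + 1] | code[i + 2] << 8;
            return 0;                                                   /* first RETN ends it */
        } else if (op == 0x83 && i + 2 < len && code[i + 1] == 0xF8) { i += 3; }  /* cmp eax,imm8 */
        else if (op == 0x74 && i + 1 < len) { i += 2; }                 /* je short (fall through) */
        else if (op == 0x85 && i + 1 < len) { i += 2; }                 /* test r32,r32 */
        else if (op == 0xB8 && i + 4 < len) { i += 5; }                 /* mov eax,imm32 */
        else if (op == 0x33 && i + 1 < len) { i += 2; }                 /* xor r32,r32 */
        else return -1;                                                 /* opcode we don't model */
    }
    return -1;                                                          /* no RETN found */
}

/* Which wrapper argument lands in callee stack argument k; k = 1 is the last value pushed,
   i.e. [esp+4] inside the callee. Returns -1 when k is out of range. */
int callee_arg(const wrapper_info *w, int k) {
    if (k < 1 || k > w->npushed) return -1;
    return w->pushed[w->npushed - k];
}

/* RETN n pops n bytes of arguments on return; with DWORD arguments that is n/4 of them. */
int wrapper_arg_count(const wrapper_info *w) {
    return w->ret_bytes < 0 ? -1 : w->ret_bytes / 4;
}

int main(void) {
    wrapper_info w;
    if (analyze_wrapper(WRAPPER, sizeof WRAPPER, WRAPPER_BASE, &w) != 0) return 1;
    printf("call target    : %08X\n", (unsigned)w.call_target);
    printf("ECX adjustment : +%X  (callee 'this' = wrapper ECX + this offset)\n", (unsigned)w.ecx_delta);
    printf("wrapper RETN   : %X -> %d DWORD args\n", w.ret_bytes, wrapper_arg_count(&w));
    for (int k = 1; k <= w.npushed; k++)
        printf("callee arg %d   = wrapper arg %d\n", k, callee_arg(&w, k));
    return 0;
}
```

Run as is, it reports that the callee at 006A4030 receives wrapper arguments 1, 2, 3 and 5 in that order (wrapper argument 4 is never forwarded), that the wrapper itself takes five DWORDs because of RETN 14, and that ECX is the wrapper's ECX plus 0x12C48, which is the "add baseinstance, offset" form of an embedded member. Two things it cannot tell you, and that still need the debugger: the RETN of 006A4030 itself is not in the listing, so whether the callee cleans those four DWORDs is unknown, and, as Zand pointed out, RETN n only equals 4 times the argument count when every argument is a DWORD.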
 |
pkedpker Master Cheater
Reputation: 1
Joined: 11 Oct 2006 Posts: 412
Posted: Wed Aug 13, 2008 11:44 pm Post subject: |
Ok.. Ill put here what every line gives as output by step into.
Code:
0057CDCD CC INT3 <- useless crap
0057CDCE CC INT3 <- useless crap
0057CDCF CC INT3 <- useless crap
0057CDD0 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14] <- Stack SS:[0012F7E0]=00000000, EAX=0057CDD0
0057CDD4 . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] <- Stack SS:[0012F7D8]=00000002, EDX=00000000
0057CDD8 . 50 PUSH EAX <- EAX=00000000
0057CDD9 . 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C] <- Stack SS:[0012F7D4]=0000000E, EAX=00000000
0057CDDD . 52 PUSH EDX <- EDX=00000002
0057CDDE . 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] <- Stack SS:[0012F7D0]=01BD0254, EDX=00000002
0057CDE2 . 50 PUSH EAX <- EAX=0000000E (size of packet), same as 3 lines up
0057CDE3 . 52 PUSH EDX <- EDX=01BD0254 (pointer to packet char*), same as 2 lines up
0057CDE4 . 81C1 482C0100 ADD ECX,12C48 <- ECX=00894860 (no idea??)
0057CDEA . E8 41721200 CALL game.006A4030 <- encrypt function
All this below gets called when the encrypt function is done, but do I need to know the stuff below, since I already did the encrypt function?
0057CDEF . 83F8 FF CMP EAX,-1 <- EAX=FFFFFFFF (sometimes it doesn't jump, so it does it all)
0057CDF2 . 74 0C JE SHORT game.0057CE00 <- Jump taken to near the last line, the XOR EAX,EAX
0057CDF4 . 85C0 TEST EAX,EAX <- Nothing, since it jumped
0057CDF6 . 74 08 JE SHORT game.0057CE00 <- Nothing, since it jumped
0057CDF8 . B8 01000000 MOV EAX,1 <- Nothing, since it jumped
0057CDFD . C2 1400 RETN 14 <- Nothing, since it jumped
0057CE00 > 33C0 XOR EAX,EAX <- EAX=FFFFFFFF
0057CE02 . C2 1400 RETN 14 <- Finish! Return to 0066138C; the next packet jumps to 005BEBD1. Recursive?
0057CE05 CC INT3 <- useless crap
0057CE06 CC INT3 <- useless crap
Looks better in Notepad.
Anyways, this is even worse than I thought.
EDIT!!!!!!!!
DON'T WORRY GUYS, I GOT IT WORKING, I'M SOO HAPPY ROFL!
IT WORKS LIKE A CHARM. I JUST CRASHED A SERVER WITH 2000 PLAYERS ROFL BY SPAMMING CHAT!
Hahaha, ok, I won't do that again, but nice stuff I got now. Thanks to all who helped; it didn't really help me much, I took a different logical approach and came up with the same answer using only 1 line of ASM:
_asm mov basepointer, esp
basepointer++ gave me the next number I needed. Idk how stable this is, but so far it's all fixed.
rapion124 Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Mar 2007 Posts: 1095
Posted: Thu Aug 14, 2008 6:53 am Post subject: |
basepointer++ works because it just happens that the pointer to the packet is the last parameter. Therefore, when you +1, it goes to the next char. Have fun with packet editing, lol.
GMZorita Grandmaster Cheater Supreme
Reputation: 0
Joined: 21 Mar 2007 Posts: 1361
Posted: Thu Aug 14, 2008 11:10 am Post subject: |
I got curious for what game is it?
_________________
Gone