Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
A few questions about packets
Cheat Engine Forum Index -> General programming
Odecey (Master Cheater, Reputation: 1, Joined: 19 Apr 2007, Posts: 259, Location: Scandinavia)
Posted: Mon Jan 05, 2009 3:25 pm    Post subject: A few questions about packets

I'm just wondering about a few things about packets sent and received by the Maple client:
1. Am I right in my impression that it's a series of bytes, where the first ones describe what kind of information it contains, followed by the actual information?
2. Is the process of peeking at these packets as easy as hooking send and recv, and storing the parameters passed to the functions?
3. Is it possible to get the packets without the client knowing?
4. Do the packets change in structure/otherwise get modified in any way from patch to patch that would make creating a dynamic packet receiver hard to make?
Thanks in advance ^_^.

_________________
Never confuse activity with productivity. You can be busy without a purpose, but what's the point?- Rick Warren
Snootae (Grandmaster Cheater, Reputation: 0, Joined: 16 Dec 2006, Posts: 969, Location: --->)
Posted: Mon Jan 05, 2009 5:24 pm

1. I think you'll find most different programs have different headers to packets and whatnot, I'm not sure about the specifics
2. Not sure
3. Possible but not easy, they don't really know but they have several measures to prevent you from doing so
4. I don't think they do, fairly sure programs are not likely to change their entire packet structure very often, would require a lot of work on servers, and for such a big amount of servers in the case of Nexon, it would be a waste of money

Flyte (Peanuts!!!!, Reputation: 6, Joined: 19 Apr 2006, Posts: 1887, Location: Canada)
Posted: Mon Jan 05, 2009 5:30 pm    Post subject: Re: A few questions about packets

Odecey wrote:
I'm just wondering about a few things about packets sent and received by the Maple client:
1. Am I right in my impression that it's a series of bytes, where the first ones describe what kind of information it contains, followed by the actual information?
2. Is the process of peeking at these packets as easy as hooking send and recv, and storing the parameters passed to the functions?
3. Is it possible to get the packets without the client knowing?
4. Do the packets change in structure/otherwise get modified in any way from patch to patch that would make creating a dynamic packet receiver hard to make?
Thanks in advance ^_^.


1. For most online games, this is the case.
2. You could, but it would be a jumble of useless bytes since they have to be decrypted first. Hook the end of the decryption function.
3. Yes, through a proxy client.
4. Generally not, but every so often it will happen.
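The framing Odecey asks about in question 1 and Flyte confirms (a header saying what the data is, then the data) still has to be cut out of what a recv hook actually hands you, which is arbitrary TCP stream chunks, and only after the decryption step Flyte mentions. The C below is an added example, not code from this thread or from the MapleStory client. It assumes a made-up framing of a 2-byte little-endian payload length followed by a 2-byte opcode (the real header layout is not described on this page); the sample stream and the names reassemble_feed, run_demo and run_malformed are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed framing for this example (NOT MapleStory's real format):
 *   [len: u16 little-endian][opcode: u16 little-endian][payload: len bytes]
 * A recv() hook sees TCP stream chunks, not packets, so frames must be
 * reassembled across arbitrary chunk boundaries. */
#define HDR_LEN     4
#define MAX_PAYLOAD 4096

typedef struct {
    uint8_t buf[HDR_LEN + MAX_PAYLOAD];
    size_t  used;               /* bytes of the current frame buffered so far */
} Reassembler;

typedef void (*FrameCb)(uint16_t opcode, const uint8_t *payload, size_t len, void *ctx);

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Feed one recv() chunk. Delivers every completed frame to cb. Returns the number
 * of frames delivered, or -1 if a header announces more than MAX_PAYLOAD bytes
 * (state is reset; a real hook should treat this as desync and stop parsing). */
int reassemble_feed(Reassembler *r, const uint8_t *chunk, size_t n, FrameCb cb, void *ctx)
{
    int frames = 0;
    while (n > 0) {
        size_t need, take;
        if (r->used < HDR_LEN) {                     /* still collecting the header */
            take = HDR_LEN - r->used;
            if (take > n) take = n;
            memcpy(r->buf + r->used, chunk, take);
            r->used += take; chunk += take; n -= take;
            if (r->used < HDR_LEN) break;            /* header still incomplete */
            if (rd16le(r->buf) > MAX_PAYLOAD) { r->used = 0; return -1; }
        }
        need = HDR_LEN + rd16le(r->buf);             /* header complete: wait for payload */
        take = need - r->used;
        if (take > n) take = n;
        memcpy(r->buf + r->used, chunk, take);
        r->used += take; chunk += take; n -= take;
        if (r->used == need) {
            cb(rd16le(r->buf + 2), r->buf + HDR_LEN, need - HDR_LEN, ctx);
            frames++;
            r->used = 0;
        }
    }
    return frames;
}

/* Constructed sample stream: three frames (opcode 0x11 "abc", 0x22 empty, 0x33 "hello"). */
static const uint8_t SAMPLE[] = {
    0x03,0x00, 0x11,0x00, 'a','b','c',
    0x00,0x00, 0x22,0x00,
    0x05,0x00, 0x33,0x00, 'h','e','l','l','o'
};

uint16_t g_ops[8]; size_t g_lens[8]; size_t g_nframes;

static void collect(uint16_t op, const uint8_t *p, size_t len, void *ctx)
{
    (void)p; (void)ctx;
    if (g_nframes < 8) { g_ops[g_nframes] = op; g_lens[g_nframes] = len; g_nframes++; }
}

/* Feed SAMPLE in chunks of `chunk` bytes; returns total frames (3 for any chunk size). */
int run_demo(size_t chunk)
{
    Reassembler r = {{0}, 0};
    size_t off;
    int total = 0;
    if (chunk == 0) return -1;
    g_nframes = 0;
    for (off = 0; off < sizeof SAMPLE; off += chunk) {
        size_t n = sizeof SAMPLE - off;
        int got;
        if (n > chunk) n = chunk;
        got = reassemble_feed(&r, SAMPLE + off, n, collect, NULL);
        if (got < 0) return -1;
        total += got;
    }
    return total;
}

/* A header claiming 65535 payload bytes must be rejected rather than buffered. */
int run_malformed(void)
{
    uint8_t bad[] = {0xFF,0xFF, 0x00,0x00};
    Reassembler r = {{0}, 0};
    return reassemble_feed(&r, bad, sizeof bad, collect, NULL);
}

int main(void)
{
    size_t sizes[] = {1, 3, 7, 64};
    size_t i;
    for (i = 0; i < 4; i++)
        printf("chunk=%zu frames=%d\n", sizes[i], run_demo(sizes[i]));
    printf("malformed -> %d\n", run_malformed());
    return 0;
}
```

The same three frames come out whether the stream arrives one byte at a time or all at once, which is the property a capture tool needs. An announced length above MAX_PAYLOAD is rejected rather than buffered, because once a parser desyncs from frame boundaries every later header is garbage; in a real hook that is also the moment to stop trusting that connection. For the send side, the same reassembler can be fed from a hook at the input of the encrypt routine.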
Odecey
Posted: Tue Jan 06, 2009 12:59 am

Thanks. 2 more questions though:
1. Is it necessary to do this undetected?
2. How do I find the address of the decryption function?

Snootae
Posted: Tue Jan 06, 2009 2:52 am

1. That's a complicated question. If you're talking about hooking stuff, yes, obviously. If you're talking about sending packets, they are monitored; if you send dodgy ones you probably will get banned.

2. Very hard (I don't really know)

Zerith (Master Cheater, Reputation: 1, Joined: 07 Oct 2007, Posts: 468)
Posted: Tue Jan 06, 2009 4:11 am

Snootae wrote:
1. That's a complicated question. If you're talking about hooking stuff, yes, obviously. If you're talking about sending packets, they are monitored; if you send dodgy ones you probably will get banned.

2. Very hard (I don't really know)


It's not very hard at all :\, you just set a breakpoint on send/recv and trace back to find the routines.
Snootae
Posted: Tue Jan 06, 2009 6:13 am

Fair enough, I said that because I don't know, but I would not think MapleStory/GameGuard would make it easy for you to do so.
Reak (I post too much, Reputation: 0, Joined: 15 May 2007, Posts: 3496)
Posted: Tue Jan 06, 2009 9:11 am

Odecey wrote:
Thanks. 2 more questions though:
1. Is it necessary to do this undetected?
2. How do I find the address of the decryption function?


1. Depends on the client. E.g. on MapleStory you'd need to bypass the CRC.
2. Trace through the client and try to find it.

Snootae wrote:
Fair enough, I said that because I don't know, but I would not think MapleStory/GameGuard would make it easy for you to do so.


You can do it on an unpacked/GameGuard-less client ;)
Odecey
Posted: Tue Jan 06, 2009 10:12 am

So I'd need a CRC bypass to even take a look at the packets? If so that is very disappointing.
rapion124 (Grandmaster Cheater Supreme, Reputation: 0, Joined: 25 Mar 2007, Posts: 1095)
Posted: Tue Jan 06, 2009 4:15 pm

You do not need a CRC bypass to look at the packets, because you are hooking "recv" and "send" in the Winsock DLL, not Maplestory.exe. The DLL is not monitored by GG.

To find the decryption routine, I just use a GG-less client, put a breakpoint on send/recv, and then put a hardware breakpoint on write on the buffer. Press run, and you will break at the encryption or decryption routine, depending on whether the packet is sent or received.
Odecey
Posted: Tue Jan 06, 2009 5:50 pm

That's good ^_^. Do I set the breakpoints with OllyDbg? Never got familiar with the program. Oh, and I can't find a .63 version of GGless, all I found was the GG disabling script and old versions. Where can I find it, would it be possible to make my own? I'm guessing I just need it unpacked. Also, how do I hook the end of a function? I only know how to execute something before the call to the original function is made.
HalfPrime (Grandmaster Cheater, Reputation: 0, Joined: 12 Mar 2008, Posts: 532, Location: Right there...On your monitor)
Posted: Tue Jan 06, 2009 6:48 pm

To get a look at the decrypted packets, you would need to hook the beginning of MapleStory's encrypt routine (for send), and the end of the decrypt routine (for recv). In order to do this you would need a CRC bypass, but if you tried to recreate the encrypt/decrypt functions, then you could just hook send/recv without the need of a bypass.
A hook is basically a code cave. Trace through the function until you get to the points where the data is encrypted then set up a hook at that address where you would copy/modify whatever variables and then execute whatever you overwrote and jump back to the real code.

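HalfPrime's description of a hook as a code cave (copy or modify what you want, execute the bytes you overwrote, jump back to the real code) is, mechanically, a 5-byte E9 jump at the hook point plus a trampoline that replays the stolen bytes. That also answers Odecey's question about hooking the end of a function: the patch can sit at any instruction boundary, for instance right after the call into the decrypt routine, not only at a prologue. The C below is an added example and not code from this thread; it does the 32-bit x86 address arithmetic on plain integers so it can be checked on any host without touching live code, and the addresses ORIG_ADDR, HOOK_ADDR and TRAMP_ADDR, the sample prologue bytes and the function names are all assumed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit x86 (the client discussed here is a 32-bit process). Addresses are plain
 * uint32_t so the arithmetic can be checked anywhere; on the target you would
 * memcpy the produced bytes into place after VirtualProtect(). Little-endian host assumed. */

/* Build the 5-byte E9 rel32 jump placed at `at` that lands on `target`.
 * rel32 is relative to the address of the NEXT instruction, i.e. at + 5. */
void encode_jmp_rel32(uint32_t at, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (at + 5);   /* wraps mod 2^32, exactly as the CPU computes it */
    out[0] = 0xE9;
    memcpy(out + 1, &rel, 4);
}

/* Inverse: where does the E9 jump stored at `at` go? Returns 0 if it is not an E9. */
uint32_t decode_jmp_target(uint32_t at, const uint8_t in[5])
{
    uint32_t rel;
    if (in[0] != 0xE9) return 0;
    memcpy(&rel, in + 1, 4);
    return at + 5 + rel;
}

/* Trampoline = the overwritten ("stolen") bytes replayed, then a jump back to the first
 * instruction after them. stolen_len must cover whole instructions (at least 5 bytes,
 * the size of the E9 patch) and none of them may be position-dependent: a relative
 * call/jmp among them would need re-encoding. Take stolen_len from a length disassembler.
 * Returns the trampoline size written to `out`, or -1 on a bad argument. */
int build_trampoline(uint32_t orig, const uint8_t *stolen, size_t stolen_len,
                     uint32_t tramp_addr, uint8_t *out, size_t cap)
{
    if (stolen_len < 5 || stolen_len + 5 > cap) return -1;
    memcpy(out, stolen, stolen_len);
    encode_jmp_rel32(tramp_addr + (uint32_t)stolen_len,   /* where the jmp itself sits */
                     orig + (uint32_t)stolen_len,         /* first untouched instruction */
                     out + stolen_len);
    return (int)(stolen_len + 5);
}

/* Constructed example: a typical MSVC prologue at made-up addresses
 *   55        push ebp
 *   8B EC     mov  ebp, esp
 *   83 EC 10  sub  esp, 0x10
 * Six bytes, all position-independent, so they can be stolen as a unit. Stealing only
 * five would cut "sub esp,0x10" in half; that is the caller's responsibility to avoid. */
#define ORIG_ADDR  0x71AB1234u    /* assumed address of the routine being hooked */
#define HOOK_ADDR  0x10001000u    /* assumed address of the replacement function */
#define TRAMP_ADDR 0x00400000u    /* assumed address of an executable trampoline buffer */
static const uint8_t PROLOGUE[6] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};

uint8_t g_patch[5];
uint8_t g_tramp[16];

/* Produce the patch for ORIG_ADDR and its trampoline; returns the trampoline size (11). */
int run_demo(void)
{
    encode_jmp_rel32(ORIG_ADDR, HOOK_ADDR, g_patch);
    return build_trampoline(ORIG_ADDR, PROLOGUE, sizeof PROLOGUE,
                            TRAMP_ADDR, g_tramp, sizeof g_tramp);
}

int main(void)
{
    int n = run_demo(), i;
    printf("patch @%08X:", ORIG_ADDR);
    for (i = 0; i < 5; i++) printf(" %02X", g_patch[i]);
    printf("  -> %08X\ntrampoline @%08X:", decode_jmp_target(ORIG_ADDR, g_patch), TRAMP_ADDR);
    for (i = 0; i < n; i++) printf(" %02X", g_tramp[i]);
    printf("  -> back to %08X\n", decode_jmp_target(TRAMP_ADDR + 6, g_tramp + 6));
    return 0;
}
```

Compared with an unhook/call/rehook loop inside the replacement function, a trampoline leaves the patch in place permanently, so another thread calling recv while the original bytes are temporarily restored cannot slip past the hook. The one thing this code cannot check for you is the instruction boundary: stolen_len has to come from a length disassembler, and any relative call or jmp among the stolen bytes has to be re-encoded for its new address.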
Odecey
Posted: Wed Jan 07, 2009 9:25 am

OK, so I've got 2 options then? Seems like number two would be the easiest considering there hasn't been a public CRC bypass for quite a while. Would this work if I had the decryption function:
Code:

#include <winsock2.h>
#include <windows.h>
#include <string.h>

#define SIZE 6   /* bytes overwritten at recv(): 5-byte JMP rel32 + 1 byte of padding */

typedef int (WINAPI *pRecv)(SOCKET, char*, int, int);
int WINAPI altRecv(SOCKET, char*, int, int);
void BeginRedirect(LPVOID);
char* Decrypt(char*, int);
pRecv origRecvAddress = NULL;
char packet[65536];          /* decrypted copy of the last packet: raw bytes, not a C string */
int packetLen = 0;
BYTE oldBytes[SIZE] = {0};   /* original bytes of recv() that the JMP overwrites */
BYTE JMP[SIZE] = {0};        /* E9 <rel32> C3 */
DWORD oldProtect, myProtect = PAGE_EXECUTE_READWRITE;
INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
    DWORD tmp;
    switch(Reason)
    {
    case DLL_PROCESS_ATTACH:
        /* GetModuleHandleA so the narrow string also works in a UNICODE build */
        origRecvAddress = (pRecv)
            GetProcAddress(GetModuleHandleA("Ws2_32.dll"),
                           "recv");
        if(origRecvAddress != NULL)
            BeginRedirect((LPVOID)altRecv);
        break;
    case DLL_PROCESS_DETACH:
        /* put the original bytes back; the page must be writable here as well */
        if(origRecvAddress != NULL)
        {
            VirtualProtect((LPVOID)origRecvAddress, SIZE, myProtect, &tmp);
            memcpy(origRecvAddress, oldBytes, SIZE);
            VirtualProtect((LPVOID)origRecvAddress, SIZE, tmp, &tmp);
        }
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}

void BeginRedirect(LPVOID newFunction)
{
    BYTE tempJMP[SIZE] = {0xE9, 0x90, 0x90, 0x90, 0x90, 0xC3};
    memcpy(JMP, tempJMP, SIZE);
    /* rel32 is measured from the end of the 5-byte JMP, hence the -5 */
    DWORD JMPSize = ((DWORD)newFunction - (DWORD)origRecvAddress - 5);
    VirtualProtect((LPVOID)origRecvAddress, SIZE,
                    PAGE_EXECUTE_READWRITE, &oldProtect);
    memcpy(oldBytes, origRecvAddress, SIZE);
    memcpy(&JMP[1], &JMPSize, 4);
    memcpy(origRecvAddress, JMP, SIZE);
    /* the last argument may not be NULL, or VirtualProtect fails */
    VirtualProtect((LPVOID)origRecvAddress, SIZE, oldProtect, &oldProtect);
}
int  WINAPI altRecv(SOCKET s, char* buf, int len, int flags)
{
    DWORD tmp;
    /* unhook, call the real recv, rehook. Not thread-safe: a second thread
       calling recv() while the original bytes are restored bypasses the hook. */
    VirtualProtect((LPVOID)origRecvAddress, SIZE, myProtect, &tmp);
    memcpy(origRecvAddress, oldBytes, SIZE);
    int retValue = origRecvAddress(s, buf, len, flags);
    if(retValue > 0)
    {
        /* packets are binary data: copy retValue bytes, never strcpy */
        packetLen = retValue < (int)sizeof(packet) ? retValue : (int)sizeof(packet);
        memcpy(packet, Decrypt(buf, retValue), packetLen);
    }
    memcpy(origRecvAddress, JMP, SIZE);
    VirtualProtect((LPVOID)origRecvAddress, SIZE, tmp, &tmp);
    return retValue;
}
char* Decrypt (char* p, int len)
{
/*Maple Story's decryption method goes here: decrypt the len bytes at p
  (in place or into a static buffer) and return a pointer to the plaintext*/
return p;
}
? And how would I get the decryption function anyway? It would seem anything but logical to me that they left it unprotected >.>.
HalfPrime
Posted: Wed Jan 07, 2009 6:03 pm

I believe there's been a crc bypass out since v.62 that just stops gamemon.des from loading. Some people have said it works as a bypass, but I've never tested it myself.
As for the code, yes, it does seem like the general method would work.
To get the decryption routine, you'd have to go looking around for it. I have no idea how it's implemented, but the private server section might be helpful to see how they manage packets.

dnsi0 (I post too much, Reputation: 0, Joined: 04 Jan 2007, Posts: 2674)
Posted: Wed Jan 07, 2009 6:10 pm

Odecey wrote:
OK, so I've got 2 options then? Seems like number two would be the easiest considering there hasn't been a public CRC bypass for quite a while. Would this work if I had the decryption function:
Code: [the recv hook quoted from the post above]
? And how would I get the decryption function anyway? It would seem anything but logical to me that they left it unprotected >.>.

A simpler way would be calling the function that is already in MapleStory :roll: seriously, why make your own function when you already have Maple's function.

You could try tracing the eip from the send() function. That should point to where maple's encryptor function calls send() and scroll up until you see a push ebp and mov ebp,esp.
Page 1 of 2

 