iktov Expert Cheater
Reputation: 0
Joined: 06 Sep 2007 Posts: 231 Location: Dead
Posted: Wed Feb 18, 2009 12:41 pm Post subject: Finding Offset of Send[12Sky]
I realize there is a 12Sky section now but this does apply to "General GameHacking" as well, plus I am unsure if I would even get an answer in the 12sky section right now.
Anyways I am trying to track down the offset used by the game to create send packets in order to log them before the encryption takes place in 12Sky. I have been trying to figure it out off and on for a while now. What I have done so far is:
Locate the main Send() call(put a breakpoint on it and it breaks instantly).
Put a memory breakpoint on the buffer and found the address that writes to it.
I also set up a direct hook for the Send() function and send the output to the debugger and view it with DBGVIEW. I consistently get 0x550D60 as the buffer address in the dbg output, and I also find that address stored in EAX when breakpointing the address 2 lines up from the main Send() call in OllyDbg. I am unsure if I am on the right track at this point or completely off, and I am looking for advice on how to proceed. If I am doing things correctly and manage to find the correct OFFSET, then I am also asking for help on how to set up the code (C++) to make use of this OFFSET to log the Send() packets before they are encrypted. This is what I have done so far:
Send() hook that logs output to the debugger:
Code:
    #include <winsock2.h>   // SOCKET, WINAPI

    // Hooked send(): log the outgoing buffer, then pass the call through.
    // Send_HOOK is the saved pointer to the original ws2_32 send().
    int WINAPI HOOK_Send(SOCKET s, const char *buf, int len, int flags)
    {
        // buf is not NUL-terminated, so bound the print to len bytes
        Trace("Data: %.*s", len, buf);
        // log the pointer value itself, not its contents
        Trace("Addr: %p", (const void *)buf);
        Trace("Size: %d", len);
        return Send_HOOK(s, buf, len, flags);
    }
The output:
Code:
    00000536 14.67418003 [2852] Data: RETR W001\GodsofSamji.tga
    00000537 14.67418003 [2852] wPASS MARK_READ
    00000538 14.67424011 [2852] Addr: FCDEC4C
    00000539 14.67426682 [2852] Size: 27
    00000540 14.67778492 [2852] Data: TYPE I
    00000541 14.67778492 [2852] [
    00000542 14.67787361 [2852] Addr: 110FEC08
    00000543 14.67796040 [2852] Size: 8
    00000544 14.73256111 [2852] Data: PASS MARK_READ
    00000545 14.73261452 [2852] Addr: 112FEC68
    00000546 14.73264694 [2852] Size: 16
    00000547 14.73431969 [2852] Data: PASS MARK_READ
    00000548 14.73437119 [2852] Addr: 111FEC68
    00000549 14.73439884 [2852] Size: 16
    00000550 64.07185364 [2852] Data: uڜ,_RN](-ډ w?->?3~^7ߐY9E~ 7:QQbr0YVf65
    00000551 64.07185364 [2852] Rq
    00000552 64.07191467 [2852] Addr: 550D60
    00000553 64.07194519 [2852] Size: 97
All of the legible output seems to vary in the address value every time, such as this "Data: RETR W001\GodsofSamji.tga", which is the icons for the guild flags. However, the "gibberish" output always has the same address value of 0x550D60, even after reloading the game.
Ok so here is where I put a breakpoint on the Send() call in 12Sky:
Code:
    004190F2 8B1D 20325200    MOV EBX,DWORD PTR DS:[523220]   ; ws2_32.send
    004190F8 EB 06            JMP SHORT TwelveSk.00419100
    004190FA 8D9B 00000000    LEA EBX,DWORD PTR DS:[EBX]
    00419100 8B0D 949F5400    MOV ECX,DWORD PTR DS:[549F94]
    00419106 6A 00            PUSH 0
    00419108 56               PUSH ESI
    00419109 8D042F           LEA EAX,DWORD PTR DS:[EDI+EBP]
    0041910C 50               PUSH EAX
    0041910D 51               PUSH ECX
    0041910E FFD3             CALL EBX
And here is what that looks like in IDA Pro when viewing the 12Sky.exe Dump:
Code:
    mov ebx, send
    lea ecx, [ecx+0]
    mov ecx, ds:s
    push 0          ; flags
    push esi        ; len
    lea eax, [edi+ebp]
    push eax        ; buf
    push ecx        ; s
    call ebx        ; send
When I put a breakpoint on 0x41910C (push eax // buffer) it shows a value of 0x550D60 stored in EAX.
From here I also put a breakpoint on the send call at 0x41910E and I get this:
Code:
    0012F8E4 000002E8
    0012F8E8 00550D60 TwelveSk.00550D60
And there is 0x550D60 again.
And then when I remove the breakpoint and continue the program I get this:
Code:
    0012F8E0 80000000 /CALL to send
    0012F8E4 00000000 |Socket = 0
    0012F8E8 0012F9B8 |Data = 0012F9B8
    0012F8EC 0003002C |DataSize = 3002C (196652.)
    0012F8F0 009942FC \Flags = MSG_DONTROUTE|MSG_INTERRUPT|9942E8
From there I put a memory breakpoint on 0x12F9B8 and get 0x4A8590 as the write address.
At this point I am pretty confident I have made some progress, but I am still a little confused and shaky on how to proceed from here and how to set up the code to make use of the located address to be able to log the send packets before encryption. If somebody can confirm the work I have done so far, and if it is somewhat accurate, direct me on how to proceed to come out with the correct address, I would appreciate it a lot.
Thanks a lot for reading and hopefully I can get some direction here and come out with a working product.
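An added example, not code from the post above: printing a send() buffer with "%s" reads until the first 0x00 and past the end of the buffer, which is why the encrypted payload in the log appears as gibberish followed by stray lines such as "Rq". The bounded hex + ASCII dump below renders exactly `len` bytes in plain C with no Windows dependency; the `hexdump` name and the sample bytes are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper (not from the original post). Formats `len` bytes
 * of `data` as a hex + ASCII dump, 16 bytes per row, into `out`, which
 * holds `outsz` chars. Unlike "%s", it reads exactly `len` bytes: an
 * embedded 0x00 does not truncate the dump and a missing NUL terminator
 * cannot cause an over-read. Returns the number of characters written
 * (excluding the trailing NUL), or 0 if `out` is too small. */
size_t hexdump(const void *data, size_t len, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)data;
    size_t used = 0;

    if (outsz == 0)
        return 0;
    out[0] = '\0';

    for (size_t off = 0; off < len; off += 16) {
        /* one row: 8-digit offset, 16 hex cells, ASCII column, newline */
        char row[80];
        int pos = snprintf(row, sizeof row, "%08zx  ", off);
        for (size_t i = 0; i < 16; i++) {
            if (off + i < len)
                pos += snprintf(row + pos, sizeof row - pos, "%02x ", p[off + i]);
            else
                pos += snprintf(row + pos, sizeof row - pos, "   ");
        }
        pos += snprintf(row + pos, sizeof row - pos, " |");
        for (size_t i = 0; i < 16 && off + i < len; i++) {
            unsigned char c = p[off + i];
            row[pos++] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
        }
        row[pos++] = '|';
        row[pos++] = '\n';
        row[pos] = '\0';

        /* refuse to overflow the caller's buffer; report failure instead */
        if (used + (size_t)pos >= outsz)
            return 0;
        memcpy(out + used, row, (size_t)pos + 1);
        used += (size_t)pos;
    }
    return used;
}

int main(void)
{
    /* constructed sample: printable bytes around an embedded NUL */
    static const unsigned char sample[] = { 'A', 'B', 0x00, 'C', 0xff, 0x7f };
    char out[512];
    if (hexdump(sample, sizeof sample, out, sizeof out))
        fputs(out, stdout);
    return 0;
}
```

In the hook, `hexdump(buf, len, out, sizeof out)` followed by `Trace("%s", out)` replaces the unbounded `Trace("Data: %s", buf)` line.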