#1 siruxx (Corporal)

    disconnecting

    Is there an easy way to get a disconnect/logout in Diablo 3 which returns you to the lobby (not a logout to the account information screen)?
    i.e. calling a certain function with invalid arguments?

    I want to avoid the TlsGetValue call when you call the logout function, which causes my game to crash since I don't hook into the main thread of the game.

    PS: emulating mouse clicks is not an option for me :/
    Last edited by siruxx; 08-01-2012 at 07:06 AM.

#2 Valtharak (Master Sergeant)
    Originally Posted by siruxx:
        I want to avoid the TlsGetValue call when you call the logout function, which causes my game to crash since I don't hook into the main thread of the game.
    I'll share a secret with you. I'm sure some people will say it's not clean to do, but it works. You can copy the TLS value at the index the game uses into your own thread at the same index. So when you call D3 functions it will work just as if you called stuff from the D3 main thread.

#3 siruxx (Corporal)
    Originally Posted by Valtharak:
        I'll share a secret with you. I'm sure some people will say it's not clean to do, but it works. You can copy the TLS value at the index the game uses into your own thread at the same index. So when you call D3 functions it will work just as if you called stuff from the D3 main thread.
    Thx for the input, any other ideas? I thought there would be a pretty simple way to do it.

#4 Beaving (Sergeant)
    I remember something about suspending and resuming the game thread; try that.

#5 siruxx (Corporal)
    Thank you Beaving! It works; the only drawback is that I need to suspend the thread pretty long until I disconnect. So, any other ideas, or do I have to stick with a long logout time?

#6 ValvePro (Sergeant)
    How can I check if I'm disconnected, still on the login screen, or in the lobby?

    The only solution is to copy the TLS index or to TLS hook, because otherwise you try to access locations you don't have the permissions for.

    Thanks
    Last edited by ValvePro; 08-07-2012 at 08:27 AM.

#7 siruxx (Corporal)
    You can do it by checking the visible field in the UI element struct.

#8 ValvePro (Sergeant)
    Originally Posted by siruxx:
        You can do it by checking the visible field in the UI element struct.
    Yeah, but I haven't reversed this. I thought there is a value which says if it's connected/kicked.
    Any other solutions?

#9 siruxx (Corporal)
    @ValvePro you can maybe try to list all TCP connections and just look if you are connected to the D3 game server.

    btw this is the approach I took for easy out-of-process disconnecting:
    get all TCP connections with GetTcpTable and then set the game server connection to disconnect with SetTcpEntry. Works fine.

    But then when I got this working I realized that not only leaving the game requires access to the TLS... a lot of other functions which are connected to the UI also require calls to the TLS.

    Now I am trying again to get the leave-game function call working without hooking the main thread. I got it working so far that most of the functions which call TlsGetValue are working, but leaving the game is still making some trouble.

    My approach so far:

    1) I create the game with CreateProcess; that's the way I retrieve the handle to the main thread.
    2) I get the TEB base address with NtQueryInformationThread.
    3) I read the address of the TEB at TebBaseAddress+0x18 (from the main thread).
    4) I write this value now to my own TEB at TebBaseAddress+0x18 (from my thread).

    That way it works fine if a function makes a call to the TLS.

    But now the leave-game function crashes when calling _beginthreadex. So I used OllyDbg to trace down the exact crash point.
    I finally ended in the function RtlQueryInformationActivationContext, which is causing the crash with this code:

    Code:
    7716BA46   64:A1 18000000   MOV EAX,DWORD PTR FS:[18]
    7716BA4C   8B80 A8010000    MOV EAX,DWORD PTR DS:[EAX+1A8]
    7716BA52   8B00             MOV EAX,DWORD PTR DS:[EAX]
    
    MOV EAX,DWORD PTR FS:[18] works fine; it has the right address from the main thread's TEB.
    MOV EAX,DWORD PTR DS:[EAX+1A8]: here is the problem. It is 0, so it will crash on the next line. But how can this be zero? The TEB base is the correct base of the main thread. I really have no clue what went wrong here.
    I mean, in theory it should be completely the same as if the call comes from the main thread. Any ideas?

    (btw TEB+0x1A8 = FS:[0x1A8], activation context stack)

    It is making me crazy, because when creating a game the same _beginthreadex function is called, and calling the create-game function from another thread works without problems without changing the TEB pointer.
    Last edited by siruxx; 08-14-2012 at 08:03 AM.

#10 DarthTon (Contributor)
    @siruxx
    Actually it's not a very good idea to replace the whole TEB structure (btw some routines can still access the wrong TEB through FS:[...]).
    All you need is to copy the 64 TlsSlots values starting from FS:[0xE10], and maybe TlsExpansionSlots if the pointer is valid. And I also recommend you restore the original TlsSlots values in your thread before terminating it.

    P.S. The main thread TID can also be retrieved from FS:[0x3C] of any other thread. And it is possible to get the main thread's TEB address from another thread.

#11 hb123220 (Member)
    I inject a DLL into D3. Does anyone know how to make my DLL function act on the main thread when I use AfxBeginThread?

#12 siruxx (Corporal)
    Originally Posted by DarthTon:
        @siruxx
        Actually it's not a very good idea to replace the whole TEB structure (btw some routines can still access the wrong TEB through FS:[...]).
        All you need is to copy the 64 TlsSlots values starting from FS:[0xE10], and maybe TlsExpansionSlots if the pointer is valid. And I also recommend you restore the original TlsSlots values in your thread before terminating it.

        P.S. The main thread TID can also be retrieved from FS:[0x3C] of any other thread. And it is possible to get the main thread's TEB address from another thread.
    Thank you for these tips. I tried to just copy the TLS values, but the problem still exists. Maybe I forgot to mention something important: starting the logout countdown works without a crash. The crash occurs after the countdown is finished, and at this point the thread from which the logout countdown has been called is already terminated. (I tried to keep the thread alive until the logout was finished, but it is still crashing.)

    I know things would be a lot easier if I hooked the main thread, but I am here to learn and want to try it this way.

    @hb123220: you have to hook a function which runs in the context of the main thread, I guess. (iirc EndScene is working)

#13 hb123220 (Member)
    Originally Posted by siruxx:
        @hb123220: you have to hook a function which runs in the context of the main thread, I guess. (iirc EndScene is working)
    I hook EndScene when I do it out of process. Since I inject a DLL, I don't want to hook the main thread.
    When I call a D3 function from the MFC UI thread it works, but when I call the function in AfxBeginThread it fails. Any solution?

#14 DarthTon (Contributor)
    @siruxx
    Strange, because this code works just fine for me:

    Code:
    // Core.m_hMainThd / Core.m_hProcess: handles to the game's main thread and process.
    // pCodecave: the remote stub shown below. CopyTLS: copies the main thread's TlsSlots
    // into the new thread's TEB while the main thread is suspended.
    SuspendThread(Core.m_hMainThd);

    HANDLE hThread = CreateRemoteThread(Core.m_hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pCodecave, NULL, CREATE_SUSPENDED, NULL);

    CopyTLS(Core.m_hMainThd, hThread);

    ResumeThread(hThread);

    WaitForSingleObject(hThread, INFINITE);

    ResumeThread(Core.m_hMainThd);
    pCodecave contents:

    Code:
    	mov eax, Handler_addr      ; run the actual work routine first
    	call eax

    	mov ecx, 64                ; then clear this thread's 64 TlsSlots ...
    	mov edi, fs:[18h]          ; fs:[18h] = TEB self pointer
    	add edi, 0E10h             ; ... which live at TEB+0xE10
    	xor esi, esi

    zero_tls:
    	mov dword ptr [edi], esi   ; store 0 in the slot
    	add edi, 4
    	dec ecx
    	jnz zero_tls

    	ret                        ; thread exits with its copied TLS values removed

#15 siruxx (Corporal)
    @DarthTon oh thank you very much, that is pretty much the same way I do it. I found a bug in my TLS copy code, so now it copies the TLS correctly and doesn't crash anymore. But somehow I ran directly into a new problem: instead of crashing, the game now instantly disconnects me if I call a function which contains a call to the TLS. So I hit up OllyDbg and checked if the copied values are correct. They are correct. So now I am stuck and don't know how to trace down the code which is causing the disconnect.

    DarthTon, what exactly do you copy in your TLSCopy function? Only the 64 TLS slots and expansion slots?

    This is how I copy the TLS values into the TEB of my thread:
    Code:
    // basicInfo.TebBaseAddress: TEB of the thread being written (my own thread here);
    // g_process: handle to the game; TLSValue[]: the 64 slots read from the main thread below
    DWORD pTLSVal = 0;
    for (int i = 0; i < 64; i++)
    {
        BYTE* slot = (BYTE*)basicInfo.TebBaseAddress + 0xE10 + i * 4;
        ReadProcessMemory(g_process, slot, &pTLSVal, sizeof(DWORD), NULL);
        WriteProcessMemory(g_process, slot, &TLSValue[i], sizeof(DWORD), NULL);
        printf("rewriting tls slot[%d] from %x to %x\n", i, pTLSVal, TLSValue[i]);
    }
    and that's the code snippet with which I read it from the main thread:
    Code:
    // basicInfo.TebBaseAddress: TEB of the game's main thread; g_process: handle to the game
    DWORD TLSValue[64];
    for (int i = 0; i < 64; i++)
    {
        ReadProcessMemory(g_process, (BYTE*)basicInfo.TebBaseAddress + 0xE10 + i * 4, &TLSValue[i], sizeof(DWORD), NULL);
        printf("TLS val[%d]:%x\n", i, TLSValue[i]);
    }

    edit: I got it working now in a little bit hacky way. If I copy only the TLS slot which is used (slot 0x25), then it works perfectly. Is there any explanation why it doesn't work when I copy all slots with the code I posted above?
    Last edited by siruxx; 08-16-2012 at 03:40 PM.
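As an added illustration (not code from the thread or from any of its posters) of the TEB fields these posts keep returning to: the Self pointer at TEB+0x18 that post #9 redirected at the main thread's TEB, the activation context stack pointer at TEB+0x1A8 that RtlQueryInformationActivationContext found to be NULL, and the 64 TlsSlots at TEB+0xE10 that the copy loops in posts #10, #14 and #15 walk. The script parses constructed 32-bit TEB images and, from a memory-forensics angle, flags the states discussed above: a TEB whose Self pointer points somewhere other than its own address or whose activation context stack pointer is NULL, and pairs of threads whose TLS slots hold identical values, which is what a thread with copied TLS looks like from the outside. The Win7-era x86 layout, the ClientId offsets 0x20/0x24, the TlsExpansionSlots offset 0xF94 and the TEB size 0xFE8 are assumptions of this example, not values from the thread; the sample TEB images and their slot values are constructed.

```python
import struct

# Offsets into the 32-bit (x86) TEB. 0x18, 0x1A8 and 0xE10 are the offsets quoted in
# the thread; 0x20/0x24 (ClientId), 0xF94 (TlsExpansionSlots) and TEB_SIZE are assumed
# from the public Win7 x86 layout and are not taken from the thread.
TEB_SIZE = 0xFE8
OFF_SELF = 0x18            # NtTib.Self: linear address of this TEB (what fs:[18h] yields)
OFF_CLIENT_PID = 0x20      # ClientId.UniqueProcess
OFF_CLIENT_TID = 0x24      # ClientId.UniqueThread
OFF_ACTCTX_STACK = 0x1A8   # ActivationContextStackPointer
OFF_TLS_SLOTS = 0xE10      # TlsSlots[64]
TLS_SLOT_COUNT = 64
OFF_TLS_EXPANSION = 0xF94  # TlsExpansionSlots (pointer, NULL until used)


def make_teb(addr, pid, tid, actctx_stack, slots, self_ptr=None):
    """Build a constructed TEB image (every other field zero) for the demo."""
    raw = bytearray(TEB_SIZE)
    struct.pack_into("<I", raw, OFF_SELF, addr if self_ptr is None else self_ptr)
    struct.pack_into("<II", raw, OFF_CLIENT_PID, pid, tid)
    struct.pack_into("<I", raw, OFF_ACTCTX_STACK, actctx_stack)
    for index, value in slots.items():
        struct.pack_into("<I", raw, OFF_TLS_SLOTS + 4 * index, value)
    return bytes(raw)


def parse_teb(raw):
    """Pull the fields discussed in the thread out of a raw TEB image."""
    if len(raw) < TEB_SIZE:
        raise ValueError("TEB image too short: %#x bytes" % len(raw))
    u32 = lambda off: struct.unpack_from("<I", raw, off)[0]
    return {
        "self": u32(OFF_SELF),
        "pid": u32(OFF_CLIENT_PID),
        "tid": u32(OFF_CLIENT_TID),
        "actctx_stack": u32(OFF_ACTCTX_STACK),
        "tls_slots": list(struct.unpack_from("<%dI" % TLS_SLOT_COUNT, raw, OFF_TLS_SLOTS)),
        "tls_expansion": u32(OFF_TLS_EXPANSION),
    }


def teb_findings(teb, teb_addr):
    """Per-thread anomalies matching the two failure modes described in the thread."""
    findings = []
    # A Self pointer that does not point back at the TEB's own address is what
    # writing another thread's TEB address into TEB+0x18 leaves behind.
    if teb["self"] != teb_addr:
        findings.append("NtTib.Self %#x != TEB address %#x" % (teb["self"], teb_addr))
    # RtlQueryInformationActivationContext dereferences [TEB+0x1A8]; a NULL there is
    # the condition the OllyDbg trace in post #9 shows crashing.
    if teb["actctx_stack"] == 0:
        findings.append("ActivationContextStackPointer is NULL")
    return findings


def cloned_slots(teb_a, teb_b):
    """Slot indices where two threads hold the same non-zero TlsSlots value.
    TLS values are normally thread-private pointers, so a match across threads is a
    heuristic sign that one thread's slots were copied into another."""
    return [i for i, (a, b) in enumerate(zip(teb_a["tls_slots"], teb_b["tls_slots"]))
            if a != 0 and a == b]


def analyse(tebs):
    """Return ({teb_addr: findings}, {(addr_a, addr_b): shared slot indices})."""
    parsed = {addr: parse_teb(raw) for addr, raw in tebs.items()}
    per_thread = {addr: teb_findings(teb, addr) for addr, teb in parsed.items()}
    addrs = sorted(parsed)
    clones = {}
    for i, a in enumerate(addrs):
        for b in addrs[i + 1:]:
            shared = cloned_slots(parsed[a], parsed[b])
            if shared:
                clones[(a, b)] = shared
    return per_thread, clones


# Constructed sample: a main thread, a worker whose slot 0x25 was copied from it, and a
# thread whose Self pointer was redirected at the main thread's TEB (actctx left NULL).
MAIN_TEB_ADDR = 0x7FFDF000
WORKER_TEB_ADDR = 0x7FFDE000
REDIRECTED_TEB_ADDR = 0x7FFDD000

SAMPLE_TEBS = {
    MAIN_TEB_ADDR: make_teb(MAIN_TEB_ADDR, 0x1234, 0x1000, 0x7FFDF1F0,
                            {0x03: 0x00C01230, 0x25: 0x00A1B2C0}),
    WORKER_TEB_ADDR: make_teb(WORKER_TEB_ADDR, 0x1234, 0x1004, 0x7FFDE1F0,
                              {0x03: 0x00C04560, 0x25: 0x00A1B2C0}),
    REDIRECTED_TEB_ADDR: make_teb(REDIRECTED_TEB_ADDR, 0x1234, 0x1008, 0,
                                  {}, self_ptr=MAIN_TEB_ADDR),
}

if __name__ == "__main__":
    per_thread, clones = analyse(SAMPLE_TEBS)
    for addr, findings in per_thread.items():
        tid = parse_teb(SAMPLE_TEBS[addr])["tid"]
        print("TEB %#x (tid %#x): %s" % (addr, tid, findings or "ok"))
    for (a, b), shared in clones.items():
        print("threads %#x and %#x share TLS slots %s" % (a, b, [hex(i) for i in shared]))
```

On a real dump the raw images would come from the TEB addresses a thread enumeration yields (the page's own route is NtQueryInformationThread's TebBaseAddress); here they are built in memory so the script runs offline. The shared-slot check deliberately ignores zero slots, since unused slots are zero in every thread and would otherwise match everywhere.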
