exmap: Maphack, Packet Logger, etc.

[maper]

If your main purpose of this was to analyze packets could you not just run wireshark in a sandbox?
I am no expert, from what I've read of your work you are miles ahead of me.. but to me it appears you are making it harder then it needs to be for what you are trying to accomplish.
Accompanied with a simple automation script to capture certain lines of code at times of your choice for analysis and you should be good to go.. ie start record capture, do your ingame event you want to watch, end capture, rinse and repeat that process whatever number of times and then do a comparison of the captures to see what packets repeat themselves.
I say to write a script for this as it will decrease the time it takes to start and stop the process which will largely decrease the amount of code you need to decipher.
I used to do something similar to this with cheatengine for locking ammo, health etc, different process here but same idea still applies.

This program captured the network traffic before it was encrypted and sent to the server, and after the response was decrypted from the server. Something like Wireshark would only capture the encrypted packets. Also, I did have a toggle that allowed you to turn packet capture on or off.

[naut333]

This program captured the network traffic before it was encrypted and sent to the server, and after the response was decrypted from the server. Something like Wireshark would only capture the encrypted packets. Also, I did have a toggle that allowed you to turn packet capture on or off.

Ah yes I did not consider that attaching the packet sniffer would avoid the decryption.

Perhaps running a mirror of the client on a virtual machine and do the sniffing from there?

Rather then risk embarassing myself I dug up this article that explains what I am getting at:

Setting up Port Mirroring to Capture Mirrored Traffic on a Hyper-V Virtual Machine | Networking Blog

Let us take the following scenario as an example:

Server1 and Server2 are two physical machines connected to a switch.
HyperVServer is a the host which is also connected to the same switch.
VM1 is a virtual machine running on the HyperVServer.
All the above machines are part of the same network subnet. Port mirroring has been configured on the switch — to mirror any traffic on port Server2 is connected to –> to the port that HyperVServer is connected to.

Now any communication happening between Server1 and Server2 can be captured from a packet sniffing software (say netmon) running on the HyperVServer.

[henrymiller]

I didn't mean that they banned for any open handles. Just ones that are tied to invasive software. They don't have to whitelist any software, it's easy to pick out anomalies across a playerbase if you just send back metadata about every process that has an open handle to the game.

Yup, Ring3 rootkits would be such an anomaly that is likely present on multiple computers if your player base is large enough, still don't know if it's a ring3 rootkit, or a hack.

Also, some game companies like Blizzard don't let you actually sign into a game if it detects certain anomalies, e.g. user-mode rootkits. Though it's mostly to avoid account takeover due to stolen credentials.

Best case scenario! You instantly know they detect it, but you're just a user with poor security, not a filthy cheater who risks a ban.

[soalokinx]

It was a good run. Thanks for the tool while it lasted! Was definitely my favorite program to run alongside Path. I never got banned for using it, but I stopped after the first wave of warnings went out. Cheers, hope to see more from you in the future.

[WodanOfElru]

Likewise, had a good run. Limited user & only ever used this, no warning.

[Zestro]

Most valuable information at the moment is vendor crafting. If we can manage to understand how craft input/preview works, we probably (if they are not additionaly validating it) can spam-check all recipes in game. Im not C++ dev, don't know assembler either, but if given the api can pretty much do everything in C#

If you can hook into it and provide Send/Callback Receive methods (just straight byte[] will be enough) as external API - it will be very useful.

Can you write config file with basic regex matcher on packets (so i can filter heartbeat and everything else)?

Found so far:
0x0a - seems to be message in chat (just looked at hex values - it represented recent message from user in chat). Other information is probably chat related: global/local/etc, length, additionaly serialized identifiers of loot entity and so on.
0xd5 - seems like packet with clickable entity id (chest, workbench, person), id is probably located at index 2-3-4-5, the rest (0xe5) received packages is probably information related to movement of character to this concrete entity as I see it when I simply move around or just stumble into wall (what especially interesting is that game not send movement package if you stumble into wall, so, if send and not validated at server - can result in wallhack).
0xe5 - movement callback
0x0e - skill continuous usage (while channelling it is send constantly, probably for heartbeat at server end), also send movement as skill
0x62 - input into craft menu by Ctrl+left mouse click on item
0x64 - output of craft menu (what will be aquired after accepting barter). Also if sent back - it is accept, and nothing else will be retrieved (so, content is drawed by information calculated in previous 0x64 message)

^^^^^^

Did anything ever happen with this? I went through the whole thread in the hopes that something happened with this in the past year and found nothing. I'm sorry for the necro'ing of this thread but I would really love to hear if this ever took off and did you ever get a full crafting recipe list of vendor recipes?

[omnivore]

GitHub - ncatlin/exileSniffer: A protocol decryption and dissection tool for the game 'Path of Exile' could be a resource for anyone progressing this method of data gathering

[kkooiu]

seems doesn't work after the renderer update released.