Once again (where to find packet parse function for wsarecv call)

  1. #1
    Esoserv2

    I have to ask again: are there any good reversers who can help me find the packet parse function within ESO? WSARecv is called, the data is put somewhere in memory, and then this first task is done. Some other "thread" works with the read data, but I can't find its origin.

    All my attempts failed. The exe crashes when hooking WSARecv or attaching a debugger with a HW or SW breakpoint at that call. Tried Olly 1, 2 and IDA. Also, procmon doesn't show any WSARecv calls in the stack. Are there other ways to find that parsing function? The packet's structure is length plus some opcode plus data.

    Thx for helping me or giving me some hints on doing.

  2. #2
    races

    Just use the IDA Python script shared by blar0 a few weeks ago.
    Or: every opcode has its own vtable:
    * destructor
    * Serializer function
    * *DE*Serializer function
    * Dummy
    * Getter (returns the number of the opcode).
    For example, the getter of opcode 0x105 should be:
    mov eax, 105h
    retn
    Just grep B8 05 01 00 00 C3 in IDA (unpacked version) and look at the xref; you should find the vtable and the serializer and deserializer when they exist.
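
The static search races describes, generalized to every opcode, as an added example that is not part of the thread and not the IDA script it mentions: it scans a flat image for `B8 imm32 C3` getter stubs, follows pointers to each stub, and reads the surrounding vtable. The load address, 32-bit pointers, file offset equal to RVA, null meaning "handler absent", and the slot order (taken from the list in the post) are assumptions; the sample image is constructed.

```python
import struct

IMAGE_BASE = 0x00400000   # assumed load address of the constructed sample
PTR = 4                   # assumed 32-bit pointers
# Slot order as listed in the post; treating it as the in-memory order is an assumption.
SLOTS = ("destructor", "serializer", "deserializer", "dummy", "getter")

def find_getters(image):
    """Yield (va, opcode) for each 'mov eax, imm32; retn' stub (B8 imm32 C3)."""
    pos = image.find(b"\xB8")
    while pos != -1 and pos + 6 <= len(image):
        if image[pos + 5] == 0xC3:
            yield IMAGE_BASE + pos, struct.unpack_from("<I", image, pos + 1)[0]
        pos = image.find(b"\xB8", pos + 1)

def find_vtables(image):
    """Map opcode -> {slot: VA} by following pointers to each getter stub."""
    end, tables = IMAGE_BASE + len(image), {}
    for getter_va, opcode in find_getters(image):
        needle = struct.pack("<I", getter_va)
        ref = image.find(needle)
        while ref != -1:
            base = ref - PTR * SLOTS.index("getter")
            if base >= 0 and ref % PTR == 0:
                ptrs = struct.unpack_from("<5I", image, base)
                # Reject byte-pattern false positives: every slot must be
                # null (handler absent) or point inside the image.
                if all(p == 0 or IMAGE_BASE <= p < end for p in ptrs):
                    tables[opcode] = dict(zip(SLOTS, ptrs))
            ref = image.find(needle, ref + 1)
    return tables

def build_sample():
    """Constructed image: four 'retn' stubs, one getter, one vtable."""
    code = bytearray(0x40)
    for off in (0x00, 0x08, 0x10, 0x18):
        code[off] = 0xC3
    code[0x20:0x26] = bytes.fromhex("B8 05 01 00 00 C3")   # getter, opcode 0x105
    offsets = (0x00, 0x08, 0x10, 0x18, 0x20)
    return bytes(code) + struct.pack("<5I", *(IMAGE_BASE + o for o in offsets))

if __name__ == "__main__":
    for opcode, slots in find_vtables(build_sample()).items():
        print(hex(opcode), {k: hex(v) for k, v in slots.items()})
```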

  3. #3
    Esoserv2

    Thx so far! Through your description I've found the places where the data which will be sent from the client is being processed (e.g. 0x2B10, 0x2B0A). When attaching Olly and setting a bp, it works.

    But... When putting a bp on the received opcodes from the server (0x2B08, 0x2B12, 0x0115, ...), they are never called. Any idea why? Or are the receiving opcodes parsed otherwise? Have ya got addresses where these ones are handled?

    Greetings...

  4. #4
    Esoserv2

    Originally Posted by Esoserv2
    But... When putting a bp on the received opcodes from the server (0x2B08, 0x2B12, 0x0115, ...), they are never called. Any idea why? Or are the receiving opcodes parsed otherwise? Have ya got addresses where these ones are handled?

    I have to answer myself. If I haven't taken a wrong turn, then these opcodes are now loaded from resource (dat) files. That's my final thought on why I can't find them in the static unpacked exe. This in fact makes it harder to get the right functions.
