EncryptPacket Detouring code...

  1. #1 lanman92 (Active Member)

    EncryptPacket Detouring code...

    This code isn't working right. I wanted it to log the first 4 bytes of the packet (the opcode and other goodies...). I realize that this will NOT log that, but only log the address of the packet; still closer, though. It crashes after I move, hence whenever I try to encrypt a packet. I preserved ecx, and all registers for that matter. Also, this worked a while ago, but it only overwrote the previous value at the beginning of the file, not appending it. Oddly.

    Code:
    #include <windows.h>
    #include <fstream>

    std::ofstream myfile;
    DWORD (__cdecl* encryptPacket)(DWORD);   // original function, as returned by DetourFunction
    void logPacket(DWORD packet);            // forward declaration; renamed from log() to avoid clashing with the C library's log()

    void __declspec(naked) myEncryptPacket(DWORD packet)
    {
        // A naked function has no ebp frame, so `packet` cannot be referenced by name.
        // After pushad (32 bytes) the return address is at [esp+32] and packet at [esp+36].
        __asm pushad;
        __asm push dword ptr [esp + 36];
        __asm call logPacket;
        __asm add esp, 4;                    // logPacket is __cdecl: caller removes the argument
        __asm popad;
        __asm jmp encryptPacket;             // continue into the original EncryptPacket
    }

    void logPacket(DWORD packet)
    {
        if (!myfile.is_open())
            myfile.open("packets.txt", std::ios::app);   // append instead of overwriting the file
        myfile << packet << "\n";            // `packet + "\n"` was pointer arithmetic, not concatenation
        myfile.flush();
    }
    BTW: If anyone feels like placing a comment with the base packet structure I'd quite appreciate it. I know they're all different though...

  2. #2 Shynd (Contributor)
    Probably isn't important at all to give us a bigger chunk of code, something like the address that you're detouring and the code that writes your detour. I'm sure that wouldn't help one bit.

  3. #3 lanman92 (Active Member)
    Here's my Detouring code...

    Code:
    SendPacket = (void(__cdecl*)(DWORD))0x5F9850;
    encryptPacket = (DWORD(__cdecl*)(DWORD))DetourFunction((PBYTE)0x41F0F0, (PBYTE)myEncryptPacket);
    I know this is ONE of the areas that encrypts packets, but I saw a few other browsing through IDA just now.

    EDIT: Also, I even changed the logging to just printing to the console, with no success. I don't really see what's happening, since I had it printing to the console last night (not the packets, but printing still).
    Last edited by lanman92; 03-23-2009 at 04:47 PM.

  4. #4 shingetterrobo (Banned)
    Just hook SendPacket.

    Code:
    pushad

    mov eax, [arg1]
    mov ecx, [eax+4]
    push dword [ecx] // first 4 bytes = opcode
    push log_opcode
    call WriteLineAndFormat

    popad
    jmp [ReturnAddress]

  5. #5 lanman92 (Active Member)
    The issue is I don't know the SendPacket address before encryption. And I'm a little lost in the encryption they use although it's only simple XOR. They have the key in the class at offset 0x119, but I'm not going to worry about it. I know there's a way to hook before encryption. PS: That location is watched by warden o.O

  6. #6 shingetterrobo (Banned)
    SendPacket is at 587FD0, not the wrapper at 5F9850.

    As far as I can tell, with the exception of packets sent when signing into the game, all packets will be sent through that call.

  7. #7 lanman92 (Active Member)
    Okay. I was using that one already, but w/e. I'm just trying to figure out why this code is NOT WORKING!

    Code:
    void __declspec(naked) consoleOut(const char* text)
    {
        __asm {
            // A naked function has no ebp frame, so `text` cannot be referenced by name:
            // at entry [esp] is the return address and [esp + 4] is `text`.
            push 1;
            push dword ptr [esp + 8];   // `text` (the push above moved esp down by 4)
            mov eax, 0x69DE70;          // the client's console-print routine
            call eax;
            add esp, 0x8;               // cdecl: caller removes the two arguments
            retn;
        }
    }

  8. #8 Cypher (Kynox's Sister's Pimp)
    Originally Posted by shingetterrobo:
    SendPacket is at 587FD0, not the wrapper at 5F9850.

    As far as I can tell, with the exception of packets sent when signing into the game, all packets will be sent through that call.
    Yeah, that's NetClient::Send. The only packets that don't go through that are, as you said, the login ones; those go through ClientConnection::Send, from memory.

    It should be easy to find though; there are lots of strings in the client related to the login process.

    But at any rate, hooking that is much easier because there's no encryption to deal with.

  9. #9 lanman92 (Active Member)
    Well. I've got it logging to the console, but it's printing out stupid stuff like 8? and odd symbols. I'm positive there's a better way to do this, but I am a little shaky with C++. I think it's due to my casting directly to a char* instead of _ultoa(). I couldn't get the params right for that though...

    Code:
    void __declspec(naked) myEncryptPacket(DWORD packet)
    {
        __asm pushad;
        __asm {
            mov eax, [packet];      // loads the packet argument (the pointer value)
            mov opcode, eax;        // stores the pointer itself, not the 4 bytes it points at
        }
        text = reinterpret_cast<char*>(opcode);   // reinterprets the value as a char*; no conversion to text
        consoleOut(text, 1);
        __asm popad;
        __asm jmp encryptPacket;
    }


    text and opcode are global variables (char* and DWORD* respectively).

    BTW: Cypher, I switched to a typedef'd call to consoleprint and it works like a charm <3

  10. #10 Cypher (Kynox's Sister's Pimp)
    Lol, was about to ask "why are you using inline asm over a typedef?".

    Also, what exactly is "packet"? A pointer to the packet byte array? Too lazy to look. And yes, you can't cast a DWORD to a char* and expect it to do the conversion for you. >_>

    If you need that functionality use a std::stringstream, boost::lexical_cast, or the equivalent C-library call (which I don't use so you'll have to google that one yourself).

  11. #11 shingetterrobo (Banned)
    Code:
    mov eax, [packet];
    mov opcode, [eax];
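The two corrections from posts #10 and #11, as an added C++ example that is not code from this thread: read the opcode by dereferencing the packet pointer, and turn the number into text with std::ostringstream rather than a reinterpret_cast. The sample packet bytes and the address value are constructed for illustration; the first post's `packet + "\n"` pitfall is covered as well.

```cpp
#include <cstddef>
#include <cstdint>
#include <iomanip>
#include <sstream>
#include <string>

// Constructed sample packet (not a real client packet): the first 4 bytes
// are the little-endian opcode 0x000001F3, followed by two payload bytes.
static const unsigned char kSamplePacket[] = { 0xF3, 0x01, 0x00, 0x00, 0xAA, 0xBB };

// Read the first 4 bytes the pointer points at, as a little-endian 32-bit
// value. This is what post #11's `mov opcode, [eax]` does: dereference the
// packet pointer instead of storing the pointer value itself.
uint32_t readOpcode(const unsigned char* packet, size_t len) {
    if (packet == nullptr || len < 4) return 0;   // too short to carry an opcode
    return static_cast<uint32_t>(packet[0])
         | static_cast<uint32_t>(packet[1]) << 8
         | static_cast<uint32_t>(packet[2]) << 16
         | static_cast<uint32_t>(packet[3]) << 24;
}

// Convert a number to text with std::ostringstream, as post #10 suggests.
// reinterpret_cast<char*>(value) does no conversion: it treats the integer's
// bit pattern as an address, so printing it reads unrelated (or unmapped) memory.
std::string formatOpcode(uint32_t opcode) {
    std::ostringstream out;
    out << "0x" << std::hex << std::uppercase
        << std::setw(4) << std::setfill('0') << opcode;
    return out.str();
}

// Build one log line. The first post's `myfile << packet + "\n"` is pointer
// arithmetic on the string literal, not concatenation; stream the pieces instead.
std::string logLine(uint32_t packetAddress, uint32_t opcode) {
    std::ostringstream line;
    line << "packet=0x" << std::hex << std::uppercase << packetAddress
         << " opcode=" << formatOpcode(opcode) << "\n";
    return line.str();
}
```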

  12. #12 lanman92 (Active Member)
    Originally Posted by Cypher:
    Lol, was about to ask "why are you using inline asm over a typedef?".

    Also, what exactly is "packet"? A pointer to the packet byte array? Too lazy to look. And yes, you can't cast a DWORD to a char* and expect it to do the conversion for you. >_>

    If you need that functionality use a std::stringstream, boost::lexical_cast, or the equivalent C-library call (which I don't use so you'll have to google that one yourself).
    I was using a DWORD*, not that it matters =/
    And that code is giving me compile issues when I don't compile using a DWORD* as the opcode. But then I can't use it in the _ultoa() func... Ugh. ****ing C++. This is so easy in C#.
    Last edited by lanman92; 03-24-2009 at 06:57 AM.

  13. #13 shingetterrobo (Banned)
    Originally Posted by lanman92:
    I was using a DWORD*, not that it matters =/
    And that code is giving me compile issues when I don't compile using a DWORD* as the opcode. But then I can't use it in the _ultoa() func... Ugh. ****ing C++. This is so easy in C#.
    Try itoa instead of ultoa.

    Also, if you prefer C#, why not write it in that?

  14. #14 lanman92 (Active Member)
    Detour functions, console cmds, lua in C#? No thanks.
