Packets sniffer

[N1ghtmaree]

Thinking to make some...
Can someone tell me, which functions i can hook to catch already decrypted packets (in both directions)?

[culino]

ClientConnection::SendPacket
NetClient::Process

The first one is scanned by warden, so be careful or use a trial account.

[N1ghtmaree]

Thanks, as i know warden scans for mem modifying? If I hook without mem modifying, can i keep it safe?

[Batousan]

The current iteration of Warden should not be able to tell if you are reading Wow.exe's memory from out of process. If you try to redirect it, write to it, that can be dangerous.

[N1ghtmaree]

Can someone help me with NetClient__Process? Which params are passed? Seems no CDataStore (like in SendPacket) is used.

Hmm... I see a3 is a packet pointer...
And probably a4 is Len, than what is a2 for?

[serock1]

ecx: service object ptr
arg1: tick count
arg2: packet object ptr

packet object:
0x00: vtbl
0x04: buff
0x08: ref count, maybe
0x0c: buff_length
0x10: current_length
0x14: read/write cursor

[N1ghtmaree]

Are you sure in that? Arg2 is ebp+0Ch, right? The structure is wrong anyway than...

[serock1]

I am talking about function ".text:00490360 CNetClient__Process proc near", v406.13623. Calling conversation of it is like "ecx->CNetClient__Process(tick_count, packet_ptr, 0)". The callee cleans the stack.

At least, my tool works fine.

[N1ghtmaree]

Yes, but this is what IDA says:
char __thiscall NetClient__Process(void *this, int a2, int a3, int a4)

[serock1]

IDA is right, there is no conflict. Check around .text:00490A99 please, WoW's code will tell you the truth.