DLL Injection - Fake Packets menu

  1. #1
    Sovak (Member)

    DLL Injection - Fake Packets

    Hello guys, I have been trying to code a DLL which would send packets to the servers, but I kinda got stuck with creating a pointer for CDataStore.

    These are the functions I made:

    Code:
    // Each wrapper casts a known client address to a function pointer of the
    // right calling convention and forwards the CDataStore pointer as 'this'.
    void Packet::SendInt32(int thisPtr, int num)
    {
        // CDataStore::PutInt32 is __thiscall: 'this' in ecx, the value on the stack
        typedef void (__thiscall* SendInt32)(int thisPtr, int num);
        SendInt32 SendInt32Func = reinterpret_cast<SendInt32>(CDataStore__PutInt32);
        SendInt32Func(thisPtr, num);
    }
    
    void Packet::SendInt8(int thisPtr, char num)
    {
        // CDataStore::PutInt8 is __thiscall as well
        typedef void (__thiscall* SendInt8)(int thisPtr, char num);
        SendInt8 SendInt8Func = reinterpret_cast<SendInt8>(CDataStore__PutInt8);
        SendInt8Func(thisPtr, num);
    }
    
    void Packet::SendPacket(int thisPtr)
    {
        // The send routine is __cdecl: the datastore pointer is pushed on the stack
        typedef void (__cdecl* SendPacket)(int thisPtr);
        SendPacket SendPacketFunc = reinterpret_cast<SendPacket>(CDataStore__SendPacket2);
        SendPacketFunc(thisPtr);
    }

    And the sending should look like this:

    Code:
    int ptr = .....;                  // pointer to a CDataStore instance
    Packet::SendInt32(ptr, opcode);   // write the opcode
    Packet::SendInt8(ptr, 1);         // write the single byte payload
    Packet::SendPacket(ptr);          // hand the datastore to the send routine

    I've been trying to reproduce the request for time played; here is the assembly:
    Code:
    .text:008C7450                   Script_RequestTimePlayed proc near      ; DATA XREF: .data:00D0B58Co
    .text:008C7450
    .text:008C7450                   var_18          = dword ptr -18h
    .text:008C7450                   var_14          = dword ptr -14h
    .text:008C7450                   var_10          = dword ptr -10h
    .text:008C7450                   var_C           = dword ptr -0Ch
    .text:008C7450                   var_8           = dword ptr -8
    .text:008C7450                   var_4           = dword ptr -4
    .text:008C7450
    .text:008C7450 55                                push    ebp
    .text:008C7451 8B EC                             mov     ebp, esp
    .text:008C7453 83 EC 18                          sub     esp, 18h
    .text:008C7456 56                                push    esi
    .text:008C7457 33 F6                             xor     esi, esi
    .text:008C7459 68 04 08 00 00                    push    804h
    .text:008C745E 8D 4D E8                          lea     ecx, [ebp+var_18]
    .text:008C7461 C7 45 E8 C4 98 B8+                mov     [ebp+var_18], offset off_B898C4
    .text:008C7468 89 75 EC                          mov     [ebp+var_14], esi
    .text:008C746B 89 75 F0                          mov     [ebp+var_10], esi
    .text:008C746E 89 75 F4                          mov     [ebp+var_C], esi
    .text:008C7471 89 75 F8                          mov     [ebp+var_8], esi
    .text:008C7474 C7 45 FC FF FF FF+                mov     [ebp+var_4], 0FFFFFFFFh
    .text:008C747B E8 C0 A4 FA FF                    call    CDataStore__PutInt32
    .text:008C7480 6A 01                             push    1
    .text:008C7482 8D 4D E8                          lea     ecx, [ebp+var_18]
    .text:008C7485 E8 F6 A3 FA FF                    call    CDataStore__PutInt8
    .text:008C748A 8D 45 E8                          lea     eax, [ebp+var_18]
    .text:008C748D 50                                push    eax
    .text:008C748E 89 75 FC                          mov     [ebp+var_4], esi
    .text:008C7491 E8 1A 77 C0 FF                    call    ClientServices__Send2
    .text:008C7496 83 C4 04                          add     esp, 4
    .text:008C7499 83 7D F4 FF                       cmp     [ebp+var_C], 0FFFFFFFFh
    .text:008C749D C7 45 E8 C4 98 B8+                mov     [ebp+var_18], offset off_B898C4
    .text:008C74A4 5E                                pop     esi
    .text:008C74A5 74 15                             jz      short loc_8C74BC
    .text:008C74A7 8D 4D F4                          lea     ecx, [ebp+var_C]
    .text:008C74AA 51                                push    ecx
    .text:008C74AB 8D 55 F0                          lea     edx, [ebp+var_10]
    .text:008C74AE 52                                push    edx
    .text:008C74AF 8D 45 EC                          lea     eax, [ebp+var_14]
    .text:008C74B2 50                                push    eax
    .text:008C74B3 8D 4D E8                          lea     ecx, [ebp+var_18]
    .text:008C74B6 FF 15 C8 98 B8 00                 call    ds:off_B898C8
    .text:008C74BC
    .text:008C74BC                   loc_8C74BC:                             ; CODE XREF: Script_RequestTimePlayed+55j
    .text:008C74BC 33 C0                             xor     eax, eax
    .text:008C74BE 8B E5                             mov     esp, ebp
    .text:008C74C0 5D                                pop     ebp
    .text:008C74C1 C3                                retn
    .text:008C74C1                   Script_RequestTimePlayed endp
    Could anybody help me with the creation of the pointer?
  2. #2
    namreeb (Legendary)

    The size of the class is evident from the asm you linked, as is how to initialize the various members. The lines from .text:008C745E to .text:008C7474 are the constructor, inlined.
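    As an added example (not code from this thread or from any poster), the following script shows how the layout namreeb refers to can be read off the listing mechanically: it walks the quoted disassembly, treats the first `lea ecx, [ebp+var_N]` as the `this` pointer of the object built in place, and records every `mov` into that frame region as a field initialiser. The `lea ecx` heuristic and the field-value tracking are assumptions of this example, not something the client documents.

```python
import re

# Constructed excerpt of the IDA listing posted in the thread: frame setup plus
# the inlined CDataStore constructor (.text:008C745E .. .text:008C7474).
LISTING = """
.text:008C7450 55                                push    ebp
.text:008C7451 8B EC                             mov     ebp, esp
.text:008C7453 83 EC 18                          sub     esp, 18h
.text:008C7456 56                                push    esi
.text:008C7457 33 F6                             xor     esi, esi
.text:008C7459 68 04 08 00 00                    push    804h
.text:008C745E 8D 4D E8                          lea     ecx, [ebp+var_18]
.text:008C7461 C7 45 E8 C4 98 B8+                mov     [ebp+var_18], offset off_B898C4
.text:008C7468 89 75 EC                          mov     [ebp+var_14], esi
.text:008C746B 89 75 F0                          mov     [ebp+var_10], esi
.text:008C746E 89 75 F4                          mov     [ebp+var_C], esi
.text:008C7471 89 75 F8                          mov     [ebp+var_8], esi
.text:008C7474 C7 45 FC FF FF FF+                mov     [ebp+var_4], 0FFFFFFFFh
.text:008C747B E8 C0 A4 FA FF                    call    CDataStore__PutInt32
"""
# address, optional opcode bytes (IDA appends '+' when the row is truncated), mnemonic, operands
LINE_RE = re.compile(r"^\.text:[0-9A-F]{8}((?:\s+[0-9A-F]{2}\+?)*)\s+(\w+)\s*(.*)$")
VAR_RE = re.compile(r"\[ebp\+var_([0-9A-F]+)\]")

def parse_imm(tok):
    """IDA hex immediates end in 'h' (0FFFFFFFFh, 804h); anything else is decimal."""
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok, 10)

def recover_layout(listing):
    """Return (object_size, [(offset, initial_value), ...]) for the object whose
    address is loaded into ecx (__thiscall 'this') and then filled in place."""
    regs, this_disp, fields = {}, None, []
    for raw in listing.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        mnem, ops = m.group(2), [o.strip() for o in m.group(3).split(",")]
        if mnem == "xor" and len(ops) == 2 and ops[0] == ops[1]:
            regs[ops[0]] = 0                      # xor reg, reg zeroes the register
        elif mnem == "lea" and ops[0] == "ecx" and this_disp is None:
            this_disp = int(VAR_RE.fullmatch(ops[1]).group(1), 16)  # assumed object base
        elif mnem == "mov" and VAR_RE.fullmatch(ops[0]):
            disp, src = int(VAR_RE.fullmatch(ops[0]).group(1), 16), ops[1]
            if src.startswith("offset "):
                value = src.split()[1]            # symbolic: address of a global (the VMT here)
            else:
                value = regs[src] if src in regs else parse_imm(src)
            fields.append((this_disp - disp, value))
    # the object spans var_<this_disp> up to ebp, so its size is this_disp bytes
    return this_disp, sorted(fields)
```

    Run on the excerpt it reports a 0x18-byte object whose first dword is the address off_B898C4 (the VMT, as namreeb points out below), four zeroed dwords, and a final dword of 0xFFFFFFFF.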

  3. #3
    Jadd (Premium Seller)
    Look what is loaded into __this (ecx).

    Originally Posted by Sovak:
    Code:
    .text:008C7461 C7 45 E8 C4 98 B8+                mov     [ebp+var_18], offset off_B898C4
    ...
    .text:008C7482 8D 4D E8                          lea     ecx, [ebp+var_18]
    .text:008C7485 E8 F6 A3 FA FF                    call    CDataStore__PutInt8
    You should be able to use the value in off_B898C4 as your datastore.

    Edit: Or yeah, do what namreeb said and make your own datastore. Then you don't have to worry about thread safety either.
    Last edited by Jadd; 07-16-2013 at 08:42 PM.

  4. #4
    namreeb (Legendary)

    Originally Posted by Jadd:
    Look what is loaded into __this (ecx).
    You should be able to use the value in off_B898C4 as your datastore.
    The value you are referring to is the VMT, not a global instance of the type.

  5. #5
    Jadd (Premium Seller)

    Originally Posted by namreeb:
    The value you are referring to is the VMT, not a global instance of the type.
    Oh yeah, you're right. There is a global instance held somewhere...

    Edit: You can find it in CDataStore::Release.

  6. #6
    TOM_RUS (Legendary)
    You can take a look at my project (it's for 3.3.5 client though).

  7. #7
    Sovak (Member)

    Yeah guys, I know what it is, but I've got no clue how to code it. I mean, the DLL injection is coded, everything is ready, I just don't know how to code this one part.

    Edit: Figured it out, thanks TOM_RUS
    Last edited by Sovak; 07-17-2013 at 03:13 AM.
