Roast last won the day on April 1 2017

Roast had the most liked content!

Community Reputation

4 Neutral

About Roast

  • Rank
    New kid on the block


  1. Roast

    Help Hooking ws2_32.dll send/recv functions

    Sweet, I keep running into typing issues that are all alien to me and having to stop to do some reading. Progress is slow, but it's been a lot faster thanks to you guys. Having been a C# engineer for years, I'm amazed by all the things that I've taken for granted. Right now I'm comparing cryptography libraries for C++, whereas I'm so used to just using System.Security.Cryptography.
  2. Roast

    Help Hooking ws2_32.dll send/recv functions

    I did consider that, but I wouldn't have expected packets to be coming in with different encodings in the same packet, right? (EDIT: I think what I said is retarded, it's been a long day...) I can see my email in plaintext in the first logged packet, surrounded by what look like encrypted bytes. I've had a look online for information around the packet encryption in the game I'm working with, and I already understand the methods involved; I just need to work on a C++ implementation. I think my main struggle will be figuring out the correct types to use for the information; for example, would byte arrays be a vector of chars?
  3. Roast

    Help Hooking ws2_32.dll send/recv functions

    Awesome, turns out this was the main problem. I can now see my process loaded into memory! I've managed to get both examples working in the end, thank you again for the code snippets you've posted! I'm now able to log packets out to file, but it looks like they're encrypted. I'm logging out to file like so:

        decltype(&send) send_hook = [](SOCKET s, const char *buf, int len, int flags) -> int {
            std::ofstream myfile;
            myfile.open("C:\\Users\\jamie\\Desktop\\test.txt", std::ios_base::app | std::ios_base::out);
            // operator<< on a const char* treats buf as a NUL-terminated string: it stops at the
            // first 0x00 byte and otherwise reads past len, so each line below is not exactly one
            // packet. Writing exactly len bytes would need myfile.write(buf, len).
            myfile << len << " " << buf << " " << "\n";
            myfile.close();
            return _send(s, buf, len, flags); // _send: pointer to the original, unhooked send
        };

    I've made the assumption that writing them out like this doesn't require me to do anything like construct a string with the characters coming in. Here's a snippet of what I see in my file:

        14 ÚK)ʯú¶E�E\ÕŸë{k{7�–il.com� 3 bZŽÊ¯ú¶E�E\ÕŸë{k{7�–il.com� 3 y�Âʯú¶E�E\ÕŸë{k{7�–il.com� 3 �´ ʯú¶E�E\ÕŸë{k{7�–il.com� 3 �L¦Ê¯ú¶E�E\ÕŸë{k{7�–il.com� 3 Á(êʯú¶E�E\ÕŸë{k{7�–il.com� 3 �»uʯú¶E�E\ÕŸë{k{7�–il.com� 3 ÏàÞʯú¶E�E\ÕŸë{k{7�–il.com� 3 ÿ{õʯú¶E�E\ÕŸë{k{7�–il.com�

    Judging by the characters at the end, could that contain my email address? There was a packet that didn't look encrypted at the beginning which was solely my login email address. Looks like the next step is to try and find the encryption/decryption functions with IDA.
  4. Roast

    Help Hooking ws2_32.dll send/recv functions

    Ok, sweet. I'm set up with Microsoft's Detours library, but I'm having a similar problem to before where the jump is being set to empty memory. I ended up trying to apply the 2nd example first as it was a lot simpler to read and understand. Here's what I've tried to do, which is very similar to before.

        typedef int (WINAPI *ws2Send_t)(SOCKET s, const char* buf, int len, int flags);
        auto ws2Send = reinterpret_cast<ws2Send_t>(0x752B5E40); // I assumed this is meant to be the address of the function I'm hooking.

        int WINAPI SendHook(SOCKET s, const char* buf, int len, int flags)
        {
            std::ofstream myfile;
            myfile.open(<FilePathHere>);
            myfile << len << " " << buf << " " << "\n";
            myfile.close();
            return ws2Send(s, buf, len, flags); // call through to the original via the pointer Detours rewrote
        }

    In DllMain, I'm calling the SetHook function you posted like this:

        BOOL WINAPI DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID reserved)
        {
            if (dwReason == DLL_PROCESS_ATTACH)
            {
                SetHook(true, reinterpret_cast<PVOID*>(&ws2Send), &SendHook);
            }
            // Returning FALSE from DLL_PROCESS_ATTACH makes the loader unload the DLL,
            // which leaves the installed jump pointing at unmapped memory.
            return TRUE;
        }

    I'm stuck as to what the problem is, but I'll keep trying.
  5. Roast

    Help Hooking ws2_32.dll send/recv functions

    So I've revisited this tonight and had a look at it through Cheat Engine as @NewSprux2.0? suggested. It looks like the changes are written roughly as I'd expect. But I've cocked up the bytes that I'm writing? Going to the address 0x6E501120, there's just nothing there. So the jump is invalid, there's no memory there to jump to, and so it instantly crashes... So the first problem has to be in here somewhere, I assume.

        HINSTANCE library = LoadLibrary(Module);
        DWORD FunctionAddress = (DWORD)GetProcAddress(library, Function);
        DWORD MyFunctionAddress = (DWORD)MyFunction;
        BYTE jumpBytes[6] = { 0xE9, 0x00, 0x00, 0x00, 0x00, 0xC3 };
        // E9 rel32: the displacement is measured from the end of the 5-byte jmp, hence the -5
        DWORD jumpAddress = (MyFunctionAddress - FunctionAddress) - 5;
        memcpy(&jumpBytes[1], &jumpAddress, 4);

    The only thing that comes to mind so far is that I'm miscalculating jumpAddress, but I don't know how I've messed that up. I'll make some further attempts at debugging in the morning.

    EDIT: I've just realised I'm overwriting either too many or too few bytes... I'm too tired to tell which.
  6. Roast

    Help Hooking ws2_32.dll send/recv functions

    Thanks for the quick response! If I'm understanding correctly, because I'm calling this winsock function, return send(s, buf, len, flags);, inside SendHook, it then retriggers my hook because I've modified send to trigger my SendHook. Would I not then expect to see at least something in my text file before it crashes? The text file remains empty, so I didn't consider this. What you've said makes sense to me though, so thank you. I'll revisit this when I'm home again and I'll take a look at it through Cheat Engine to make sure it's doing what I think it's doing.
  7. tl;dr I'm trying to hook ws2_32.dll send and recv functions, but upon injecting my DLL it just crashes. I'm not sure what I'm fucking up here, please help.

    It's been a hell of a long time since I've worked with C++ at all. It looks like I have too many gaps in my knowledge to jump straight into Maplestory, so I've decided to opt for exploring a simple MMORPG with no anti-cheat and no encryption that I'm aware of yet. I'm getting to grips with the freeware IDA 7.0 and OllyDbg and working through the struggles as best I can.

    I've gone into IDA Pro and had a look in the imports tab to see if I can find anything useful. Sure enough there's an import for send and recv from ws2_32.dll that lists the address as .idata:00D339FC. If I look for it in OllyDbg while the app is running, it lists the address of the start of the send function as 0x752B5E40. Just to confirm, if I go to that address in Cheat Engine's memory viewer, it shows that address as WS2_32.send.

    So I have the address of the send function in memory and I've been trying to get to grips with hooking the function. There are a lot of resources online that I've been reading through, but I can't seem to get it right and I'm too noob to figure it out.

    My project is a simple barebones C++ dll. Basic entry point:

        BOOL WINAPI DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID reserved)
        {
            if (dwReason == DLL_PROCESS_ATTACH)
            {
                HookApiFunction("ws2_32.dll", "send", SendHook, hook);
            }
            // Returning 0 (FALSE) from DLL_PROCESS_ATTACH makes the loader unload the DLL
            // straight away, so the jump written into send would point at unmapped memory.
            return TRUE;
        }

    SendHook is super basic, all I want to do for now is to log packets to file. Once I get my head around this I'll work on making a GUI for displaying the inbound/outbound packets.

        int WINAPI SendHook(SOCKET s, const char* buf, int len, int flags)
        {
            std::ofstream myfile;
            myfile.open(<PathToFile>);
            myfile << len << " " << buf << " " << "\n";
            myfile.close();
            // send now begins with the jmp to SendHook, so this call re-enters SendHook
            // instead of reaching the original code.
            return send(s, buf, len, flags);
        }

    In HookApiFunction, I load the library and call GetProcAddress to find the address of the function in memory.

        HINSTANCE library = LoadLibrary(Module);
        DWORD FunctionAddress = (DWORD)GetProcAddress(library, Function);
        DWORD MyFunctionAddress = (DWORD)MyFunction;

    Then attempt to redirect the send function to my SendHook function and then continue with the original function.

        BYTE jumpBytes[6] = { 0xE9, 0x00, 0x00, 0x00, 0x00, 0xC3 };
        // E9 rel32: the displacement is measured from the end of the 5-byte jmp, hence the -5
        DWORD jumpAddress = (MyFunctionAddress - FunctionAddress) - 5;
        memcpy(&jumpBytes[1], &jumpAddress, 4);
        DWORD dwProtect;
        VirtualProtect((LPVOID)FunctionAddress, 6, PAGE_EXECUTE_READWRITE, &dwProtect);
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)FunctionAddress, jumpBytes, 6, NULL);
        VirtualProtect((LPVOID)FunctionAddress, 6, dwProtect, &dwProtect);

    Everything compiles fine, but judging by when I crash, it happens when the send function is called. I can inject at the login screen, for example, and be fine for a few seconds until what I assume is some keepalive packet is sent. Thanks in advance for any help.
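The following is an added, host-independent C++ example written for this page; it is not code from Roast's posts or from anyone in the thread. It isolates the three things the thread keeps tripping over: how the E9 rel32 displacement in the hook above is computed and how to decode it back to check the patch against what a debugger shows at the target; why the hook must call a saved pointer to the original function (the kind of trampoline pointer Detours hands back) rather than the patched `send` export, which would re-enter the hook; and a logger that writes exactly `len` bytes instead of treating the buffer as a NUL-terminated string. The addresses 0x752B5E40 and 0x6E501120 are taken from the posts purely as sample inputs, `fake_send` stands in for ws2_32!send, and the packet bytes are constructed.

```cpp
// Added example: portable pieces of an x86 inline jmp hook for ws2_32!send.
// Not from the original thread. fake_send stands in for the real export and
// the sample packet is constructed; nothing here patches live memory.
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <iomanip>
#include <sstream>
#include <string>

// Build the 5-byte "jmp rel32" that redirects patch_addr to target. The CPU adds
// the displacement to the address of the *next* instruction (patch_addr + 5),
// which is why the post's formula subtracts 5.
std::array<uint8_t, 5> make_rel32_jmp(uint32_t patch_addr, uint32_t target) {
    std::array<uint8_t, 5> code{};
    uint32_t rel = target - (patch_addr + 5);   // wraps mod 2^32 for backward jumps
    code[0] = 0xE9;
    std::memcpy(&code[1], &rel, 4);             // little-endian, as x86 expects
    return code;
}

// Recover the jump target from the patched bytes: the check to do in Cheat Engine
// or OllyDbg before letting the game call the function.
uint32_t decode_rel32_jmp(uint32_t patch_addr, const std::array<uint8_t, 5>& code) {
    uint32_t rel;
    std::memcpy(&rel, &code[1], 4);
    return patch_addr + 5 + rel;
}

// Hex-dump exactly len bytes. Streaming a const char* with operator<< would stop
// at the first 0x00 byte or run past the end of the packet.
std::string hex_dump(const char* buf, int len) {
    std::ostringstream out;
    for (int i = 0; i < len; ++i) {
        if (i) out << ' ';
        out << std::hex << std::setw(2) << std::setfill('0')
            << (static_cast<unsigned>(buf[i]) & 0xFFu);
    }
    return out.str();
}

// Stand-ins for the real export and the hook. original_send plays the role of the
// trampoline/saved pointer a hooking library gives back; the hook calls that and
// never the exported send, whose first bytes are now the jmp to the hook.
typedef int (*send_fn)(int s, const char* buf, int len, int flags);

static int g_fake_send_calls = 0;
int fake_send(int, const char*, int len, int) { ++g_fake_send_calls; return len; }

static send_fn original_send = fake_send;   // what the hook must call through to
static std::string g_last_log;              // stands in for the log file

int send_hook(int s, const char* buf, int len, int flags) {
    g_last_log = std::to_string(len) + " " + hex_dump(buf, len);
    return original_send(s, buf, len, flags); // not send(): that would re-enter send_hook
}

int fake_send_calls() { return g_fake_send_calls; }
const std::string& last_log() { return g_last_log; }

int main() {
    // Sample addresses from the thread's posts, used only as inputs.
    auto j = make_rel32_jmp(0x752B5E40u, 0x6E501120u);
    std::printf("patch bytes:");
    for (uint8_t b : j) std::printf(" %02X", b);
    std::printf("\ndecoded target: %08X\n", decode_rel32_jmp(0x752B5E40u, j));

    // Constructed packet: a 4-byte header containing 0x00 bytes, then a login name.
    const char pkt[] = "\x00\x0e\x01\x00" "user@example.com";
    send_hook(7, pkt, 20, 0);
    std::printf("%s\n", last_log().c_str());
    return 0;
}
```

Running it prints `E9 DB B2 24 F9` for the patch at 0x752B5E40 targeting 0x6E501120 (a backward jump, so the displacement is negative and wraps), decodes back to 0x6E501120, and logs all 20 packet bytes including the leading zeros that `operator<<` would have silently cut the line at.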
  8. Going off of the script from the script database from v192.2:

        [ENABLE]
        alloc(CMob__GetPos_Hook,128)

        CMob__GetPos_Hook:
        mov eax,[02D82708] // CUserLocal: 8B 3D ? ? ? ? 8B CF F3
        lea ecx,[eax+04]
        mov eax,[ecx]
        jmp [eax+14]

        01421180: // CMob::GetPos
        jmp CMob__GetPos_Hook

        [DISABLE]
        01421180: // 55 8B ? 56 57 8D ? ? ? ? ? 8D [13th Result]
        push ebp
        mov ebp,esp
        push esi
        push edi

        dealloc(CMob__GetPos_Hook)

    I understand what's going on here: the script changes the CMob::GetPos function to always return the player's coordinates, and so the items spawn at the player's feet. I'm not 100% sure on how it works written like this though.

    Move the pointer to CUserLocal into the EAX register(?)
    Load value from address(?) at CUserLocal + 4 into the ECX register? What value is this?
    Overwrite the value in the EAX register, so that ECX and EAX contain the same thing at this point?
    I don't know what's at EAX + 14, am I just missing knowledge about the CUserLocal structure?

    Main question: I can't seem to find the function CMob::GetPos. Obviously the AoB is there, but there are 25 results, all of which just crash me or do nothing. Has Semi Item Vac been patched, or am I missing something? AoB changed? This script isn't from that long ago. I can't seem to find any other public scripts that make use of CMob::GetPos, at least none that have it commented as such. Thanks in advance for any help!
  9. Roast

    Help Help finding CUserLocal address on v193.1

    Yeah, I'm aware of how it works, but the address the AoB turns up is 01439E22, which just doesn't seem right and probably isn't, since it's crashing on enable. EDIT: Never mind, found it, I was being a dumbass, it was 03141B44.
  10. Never mind, found what I was looking for.
  11. Executable renaming doesn't seem to bypass detection on Windows 8.1 (and the title changer you posted doesn't seem to work, neither does AHK). Ended up using HxD instead and it works just fine. Got autobanned 10 minutes in because I tried to use a rune while skill injection was on though.
  12. Roast

    Discussion What should I hack?

    You'd probably get bored with TERA and ArcheAge pretty quickly. Teleport, speed and fly hacks are about the only fun things you can really get out of them. ArcheAge radars are pretty good for finding hidden camps, etc. Bots are always fun to make, of course, but that depends on whether or not you actually care about making a farm for either of the games. I did vote ArcheAge though, because knowing you, you'll probably find some ridiculous shit immediately.
  13. Roast

    Release Controlled Magic Injection

    This looks awesome! What class are you using in your gifs?
  14. Roast

    How to Update Script with Instructions?

    It was meant to be one question, but English is a weird language sometimes. I always thought there was a specific reason people made AoBs that led to somewhere other than the actual address, like they would always make it point to the start of a function. I guess it's almost random depending on who made the script. That makes sense, thank you.