Crypt707

Question Packet injection method v176

Question

I wonder if this method still works for v176?

I tried using the well-known Waty bypassless sender source, but all the AOBs look correct to me; it just crashes when sending.

Any help will be welcome, thanks

// Hard-coded addresses inside one specific client build. The byte patterns in
// the trailing comments are the signatures used to locate each one; the values
// are only meaningful for that exact binary and must be re-resolved for any other.
constexpr uint32_t MSLockAddy = 0x40E010;            // 53 56 8B 74 24 0C 8B D9 8B CE
constexpr uint32_t MSUnlockAddy = 0x403CD0;          // 8B 01 83 40 04 FF 75 06
constexpr uint32_t innoHashAddy = 0x1A73FF0;         // 51 8B 44 24 10 C7 04 24
constexpr uint32_t FlushSocketAddy = 0x65EF30;       // 6A FF 68 ? ? ? ? 64 A1 ? ? ? ? 50 83 EC 10 53 55 56 57 A1 ? ? ? ? 33 C4 50 8D 44 24 24 64 A3 ? ? ? ? 8B D9 8B 43 08
constexpr uint32_t MakeBufferListAddy = 0xCEF8E0;    // 6A FF 68 ? ? ? ? 64 A1 ? ? ? ? 50 83 EC 14 53 55 56 57 A1 ? ? ? ? 33 C4 50 8D 44 24 28 64 A3 ? ? ? ? 8B D9 89 5C 24 1C

constexpr uint32_t CClientSocketPtr = 0x22C41C8;     // 8B 0D ? ? ? ? 85 C9 74 0A 8D 44

 

Edited by Crypt707


6 answers to this question


The method still works fine for the current GMS version (176.1).

You're not showing the code for the structs, so I don't know what's wrong or why you crash.

Your addresses are correct.

 

But I'm going to take a guess on why you crash...

https://github.com/Waty/PacketSenderPlz/blob/master/PacketSenderPlz/MapleStructs.h

 

In MapleStructs.h, the CClientSocket struct changed a bit for GMS; it is now the same as the EMS one. Just use #define EMS together with your addresses and you should be set.

 


Hey, I would like to thank you for helping me out. I did what you said and defined EMS; now I don't crash, but I get disconnected when sending a packet.

Here is my code below, based on Waty's source. What did I do wrong this time? Thanks again.

#pragma once
#define EMS
#include <vector>
#include <stdint.h>
#include <WinSock.h>
#include <string>


extern void Log(const std::string& msg);
#pragma comment (lib, "Ws2_32.lib")

// Address set for the GMS client build (GameVersion 176). Every value is the
// location of a client-internal routine or global in that one binary; the
// byte patterns in the trailing comments are the signatures used to find them.
namespace GMSAddys
{
	constexpr uint32_t MSLockAddy = 0x40E010;			// 53 56 8B 74 24 0C 8B D9 8B CE
	constexpr uint32_t MSUnlockAddy = 0x403CD0;			// 8B 01 83 40 04 FF 75 06
	constexpr uint32_t innoHashAddy = 0x1A73FF0;		// 51 8B 44 24 10 C7 04 24
	constexpr uint32_t FlushSocketAddy = 0x65EF30;		// 6A FF 68 ? ? ? ? 64 A1 ? ? ? ? 50 83 EC 10 53 55 56 57 A1 ? ? ? ? 33 C4 50 8D 44 24 24 64 A3 ? ? ? ? 8B D9 8B 43 08
	constexpr uint32_t MakeBufferListAddy = 0xCEF8E0;	// 6A FF 68 ? ? ? ? 64 A1 ? ? ? ? 50 83 EC 14 53 55 56 57 A1 ? ? ? ? 33 C4 50 8D 44 24 28 64 A3 ? ? ? ? 8B D9 89 5C 24 1C

	constexpr uint32_t CClientSocketPtr = 0x22C41C8;	// 8B 0D ? ? ? ? 85 C9 74 0A 8D 44

	// Passed as uSeqBase to COutPacket::MakeBufferList by CClientSocket::SendPacket.
	constexpr uint32_t GameVersion = 176;
}

// Address set selected when EMS is defined (GameVersion 103). As with the GMS
// set, each value points into one specific client binary; the byte patterns in
// the trailing comments are the signatures that were used to locate them.
namespace EMSAddys
{
	constexpr uint32_t MSLockAddy = 0x40E010;			// 53 56 8B 74 24 0C 8B D9 8B CE
	constexpr uint32_t MSUnlockAddy = 0x403CD0;			// 8B 01 83 40 04 FF 75 06
	constexpr uint32_t innoHashAddy = 0x1A73FF0;		// 51 8B 44 24 10 C7 04 24
	constexpr uint32_t FlushSocketAddy = 0x65EF30;		// 6A FF 68 ? ? ? ? 64 A1 ? ? ? ? 50 83 EC 10 53 55 56 57 A1 ? ? ? ? 33 C4 50 8D 44 24 24 64 A3 ? ? ? ? 8B E9 8B 45 08
	constexpr uint32_t MakeBufferListAddy = 0xCEF8E0;	// 6A FF 68 ? ? ? ? 64 A1 ? ? ? ? 50 83 EC 14 53 55 56 57 A1 ? ? ? ? 33 C4 50 8D 44 24 28 64 A3 ? ? ? ? 8B E9 89 6C 24 1C

	constexpr uint32_t CClientSocketPtr = 0x22C41C8;	// 8B 0D ? ? ? ? 8D 54 24 1C 52 E8 ? ? ? ? 8B 0D NEW* 8B 0D ? ? ? ? 85 C9 74 0A 8D 44 ADDRESS: 019CB0CD

	// Passed as uSeqBase to COutPacket::MakeBufferList by CClientSocket::SendPacket.
	constexpr uint32_t GameVersion = 103;
}

// Bring the address set for the selected build into the global namespace.
// This file defines EMS near the top, so EMSAddys is the set in effect here;
// if both macros were defined, both namespaces would be pulled in and every
// unqualified address name would become ambiguous.
#if defined(GMS)
using namespace GMSAddys;
#endif // GMS

#if defined(EMS)
using namespace EMSAddys;
#endif // EMS



// Mirror of the client's ZSocketBase; only the raw socket handle is modelled.
struct ZSocketBase
{
	unsigned int _m_hSocket;	// socket handle; SendPacket treats 0 and 0xFFFFFFFF as "no usable socket"
};

// Mirror of the client's intrusive list header. The field order and the
// offsets in the trailing comments are the contract with the client binary;
// the static_assert below pins the total size, so nothing here may be reordered.
template <class T> struct ZList
{
	virtual ~ZList<T>();		//0x00  vtable pointer slot; declared only, never defined in this header
	void* baseclass_4;			//0x04
	unsigned int _m_uCount;		//0x08  element count (CClientSocket::SendPacket reads this)
	T* _m_pHead;				//0x0C
	T* _m_pTail;				//0x10	
};								//0x14 
// Size check: 0x14 only holds with 4-byte pointers, i.e. a 32-bit build.
static_assert(sizeof(ZList<void>) == 0x14, "ZList is the wrong size");

// Mirror of the client's ZRef<T> smart-reference: a vtable pointer followed by
// the referenced object. Used here only as the element type of the send/recv
// buffer lists, with T = void because the real ZSocketBuffer is not modelled.
template <class T> struct ZRef
{
	void* vfptr;
	T* data;
};

#pragma pack( push, 1 )
// Mirror of the client's COutPacket (packed to 1 byte, see the pragma above,
// so the offsets in the trailing comments match the client layout).
struct COutPacket
{
	// Note: the default constructor leaves m_lpvSendBuff and m_uDataLen
	// uninitialised; only the two-argument constructor assigns them.
	COutPacket() : m_bLoopback(false), m_bIsEncryptedByShanda(false), m_uOffset(0) { }
	// Wraps an existing buffer of dwLength bytes. Nothing in this struct frees
	// `data`, so the caller keeps ownership of it.
	COutPacket(uint8_t* data, uint32_t dwLength) : COutPacket()
	{
		m_lpvSendBuff = data;
		m_uDataLen = dwLength;
	}

	int32_t  m_bLoopback;							// + 0x00
	uint8_t* m_lpvSendBuff;							// + 0x04  not owned by this struct
	uint32_t m_uDataLen;							// + 0x08
	uint32_t m_uOffset;								// + 0x0C
	int32_t  m_bIsEncryptedByShanda;				// + 0x10

	// Thunk into the client's own COutPacket::MakeBufferList at
	// MakeBufferListAddy (__thiscall, with this packet as the object). The
	// parameter semantics belong to the client routine; only the names are known here.
	void MakeBufferList(ZList<ZRef<void>> *l, unsigned __int16 uSeqBase, unsigned int *puSeqKey, int bEnc, unsigned int dwKey)
	{
		typedef void(__thiscall *MakeBufferList_t)(COutPacket *_this, ZList<ZRef<void>> *l, unsigned __int16 uSeqBase, unsigned int *puSeqKey, int bEnc, unsigned int dwKey);
		MakeBufferList_t MakeBufferList = reinterpret_cast<MakeBufferList_t>(MakeBufferListAddy);
		MakeBufferList(this, l, uSeqBase, puSeqKey, bEnc, dwKey);
	}
};

// Mirror of the client's CInPacket (still under pack(1)). It is only embedded
// in CClientSocket as m_packetRecv to keep the offsets of later members right;
// no code in this header reads or writes its fields.
struct CInPacket
{
	int32_t m_bLoopback;							// + 0x00
	int32_t m_nState;								// + 0x04
	uint8_t* m_lpbRecvBuff;							// + 0x08
	uint32_t m_uLength;								// + 0x0C
	uint32_t m_uRawSeq;								// + 0x10
	uint32_t m_uDataLen;							// + 0x14
	uint32_t m_uOffset;								// + 0x18
};

#pragma pack( pop )

// Mirror of the client's ZFatalSectionData: the state behind its lock object.
// The fields are never touched by this header; the lock/unlock routines at
// MSLockAddy / MSUnlockAddy operate on them.
struct ZFatalSectionData
{
	void *_m_pTIB;									// + 0x00
	int _m_nRef;									// + 0x04
};

// Mirror of the client's ZFatalSection; adds nothing to the data layout and
// exists so CClientSocket::m_lockSend has the type the lock routines expect.
struct ZFatalSection : public ZFatalSectionData
{

};

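// Scoped lock guard: the constructor calls the client's lock routine
// (MSLockAddy) and the destructor the matching unlock routine (MSUnlockAddy),
// so the lock is released on every exit path of the enclosing scope.
// Fix: copying or moving a guard would run the unlock routine twice for a
// single lock call, so the copy operations (and with them the implicit moves)
// are deleted. The object is one pointer wide either way.
template<class T> struct ZSynchronizedHelper
{
public:
	// Acquires `lock` by calling the client routine with this guard as the
	// __thiscall object. m_pLock is not assigned here; presumably the client
	// routine fills it in.
	explicit __inline ZSynchronizedHelper(T* lock)
	{
		reinterpret_cast<void(__thiscall*)(ZSynchronizedHelper<T>*, T*)>(MSLockAddy)(this, lock);
	}

	ZSynchronizedHelper(const ZSynchronizedHelper&) = delete;
	ZSynchronizedHelper& operator=(const ZSynchronizedHelper&) = delete;

	// Releases whatever the constructor acquired.
	__inline ~ZSynchronizedHelper()
	{
		reinterpret_cast<void(__thiscall*)(ZSynchronizedHelper<T>*)>(MSUnlockAddy)(this);
	}

private:
	T* m_pLock;		// never written by this code; see the constructor note
};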

// Client-side CIGCipher::innoHash reached through its hard-coded address;
// CClientSocket::SendPacket uses it to derive the next send sequence value.
using CIGCipher__innoHash_t = unsigned int(__cdecl *)(char *pSrc, int nLen, unsigned int *pdwKey);
static auto CIGCipher__innoHash = reinterpret_cast<CIGCipher__innoHash_t>(innoHashAddy);
// Mirror of the client's CClientSocket. The live instance is presumably read
// through CClientSocketPtr by code outside this header. Field order and the
// EMS-only padding member are pinned by the static_asserts that follow.
struct CClientSocket
{
	// Pending-connection state; a non-empty lAddr makes SendPacket a no-op.
	struct CONNECTCONTEXT
	{
		ZList<sockaddr_in> lAddr;
		void *posList;
		int bLogin;
	};

	virtual ~CClientSocket();	// declared only, to reserve the vtable slot at offset 0
	void* ___u1;
	ZSocketBase m_sock;
	CONNECTCONTEXT m_ctxConnect;
	sockaddr_in m_addr;
	int m_tTimeout;
#ifdef EMS
	void* unknown;					//ZList<ZInetAddr>::'vftable'  (extra pointer present only in the EMS layout)
#endif
	ZList<ZRef<void> > m_lpRecvBuff; //ZList<ZRef<ZSocketBuffer> >
	ZList<ZRef<void> > m_lpSendBuff; //ZList<ZRef<ZSocketBuffer> >  target list for SendPacket
	CInPacket m_packetRecv;
	ZFatalSection m_lockSend;		// held for the whole of SendPacket
	unsigned int m_uSeqSnd;			// send sequence value; rehashed after every packet
	unsigned int m_uSeqRcv;
	char* m_URLGuestIDRegistration;
	int m_bIsGuestID;

	// Thunk into the client's own flush routine (FlushSocketAddy) on this socket.
	void Flush()
	{
		reinterpret_cast<void(__thiscall*)(CClientSocket*)>(FlushSocketAddy)(this);
	}

	// Hands oPacket to the client's MakeBufferList on m_lpSendBuff and flushes,
	// all under m_lockSend. Silently does nothing when the socket handle is 0 or
	// 0xFFFFFFFF (INVALID_SOCKET) or when lAddr is non-empty — presumably a
	// connect still in progress.
	void SendPacket(COutPacket& oPacket)
	{
		ZSynchronizedHelper<ZFatalSection> lock(&m_lockSend);

		if (m_sock._m_hSocket != 0 && m_sock._m_hSocket != 0xFFFFFFFF && m_ctxConnect.lAddr._m_uCount == 0)
		{
			// GameVersion is passed as uSeqBase; m_uSeqSnd is passed both by
			// pointer (puSeqKey) and by value (dwKey); bEnc is fixed to 1.
			oPacket.MakeBufferList(&m_lpSendBuff, GameVersion, &m_uSeqSnd, 1, m_uSeqSnd);
			// Advance the send sequence: hash the 4-byte counter in place with a null key pointer.
			m_uSeqSnd = CIGCipher__innoHash(reinterpret_cast<char*>(&m_uSeqSnd), 4, 0);
			Flush();
		}
	}
};
// Pin CClientSocket to the client layout for the selected build. The EMS
// layout is four bytes larger because of the extra `unknown` pointer member.
#if defined(GMS)
static_assert(sizeof(CClientSocket) == 0x98, "CClientSocket is the wrong size!");
#endif // GMS

#if defined(EMS)
static_assert(sizeof(CClientSocket) == 0x9C, "CClientSocket is the wrong size!");
#endif // EMS

 

Edited by Crypt707

21 hours ago, CJ. said:

The method still works good for current GMS version (176.1).

You're not showing code related to the structs, so I don't know what's wrong/why you crash.

Your addresses are correct.

 

But I'm going to take a guess on why you crash...

https://github.com/Waty/PacketSenderPlz/blob/master/PacketSenderPlz/MapleStructs.h

 

In MapleStructs.h, the CClientSocket struct changed a bit for gms, it's the same as the ems one. Just use #define EMS and use your addresses and you should be set.

 

I was about to post the same information, but it seems you were much faster than I was... :o


