Moopler
maplefreak200

Help [Request] Flush socket/MakebufferList address


Hello moopler, as the title suggests, what are the current addies for this version? I am trying to find the flush socket address and make buffer list address to update, but I'm not sure how to find the correct addresses. I'm getting the wrong address.

 

Thanks


Tips on finding flush address, BP on send api (ws2_32.send), go to function start

Edited by XShade

1 minute ago, XShade said:

Tips on finding flush address, BP on official send api (ws2_32.send), go to function start

Thanks @XShade, so pretty much I find the sendret address and breakpoint on it? I'm not completely sure.


1. Start the GameLauncher

2. On CE go to Memory view and press CTRL + G

3. Type Send and press OK

4. Right-click on WS2_32.send -> Toggle breakpoint

5. Start MS. Around where it asks you to select which region, it should BP (break point)

6. Image should look something like this; now double click on the addy that you get, in this case 00A41F0E

7. Now because of the pdb we know the Flush function calls the WS2_32 API, simply right click -> select current function and it will scroll you to the top of the function.

In this case we get 00A41E60

Edited by Fameguy

5 minutes ago, Fameguy said:

1. Start the GameLauncher

2. On CE go to Memory view and press CTRL + G

3. Type Send and press OK

4. Right-click on WS2_32.send -> Toggle breakpoint

5. Start MS. Around where it asks you to select which region, it should BP (break point)

6. Image should look something like this; now double click on the addy that you get, in this case 00A41F0E

7. Now because of the pdb we know the Flush function calls the WS2_32 API, simply right click -> select current function and it will scroll you to the top of the function.

In this case we get 00A41E60

Thanks Fameguy, however I tried this address, but I crashed, I think maybe buffer list might be wrong if the flush socket is indeed correct address.

2 minutes ago, maplefreak200 said:

Thanks Fameguy, however I tried this address, but I crashed, I think maybe buffer list might be wrong if the flush socket is indeed correct address.

Can you post all of your addresses?

@maplefreak200

try this for buffer list, should be correct: 0113CF80

5 minutes ago, Fameguy said:

Can you post all of your addresses?

@maplefreak200

try this for buffer list, should be correct: 0113CF80

#pragma once
#include <vector>
#include <stdint.h>
#include <WinSock.h>
#include <string>

extern void Log(const std::string& msg);
#pragma comment (lib, "Ws2_32.lib")

// Per-region client addresses. The byte pattern in each comment is the
// signature at the start of the function, used to re-find it after an update.
namespace GMSAddys
{
    const uint32_t MSLockAddy = 0x40ECE0;             // 53 56 8B 74 24 0C 8B D9 8B CE
    const uint32_t MSUnlockAddy = 0x403D40;           // 8B 01 83 40 04 FF 75 06
    const uint32_t innoHashAddy = 0x1F75C50;          // 51 8B 44 24 10 C7 04 24
    const uint32_t FlushSocketAddy = 0xA41E63;        // 6A FF 68 ? ? ? ? 64 A1 ? ? ? ? 50 83 EC 10 53 55 56 57 A1 ? ? ? ? 33 C4 50 8D 44 24 24 64 A3 ? ? ? ? 8B 74 24 20
    const uint32_t MakeBufferListAddy = 0x113D790;    // 6A FF 68 ? ? ? ? 64 A1 ? ? ? ? 50 83 EC 14 53 55 56 57 A1 ? ? ? ? 33 C4 50 8D 44 24 28 64 A3 ? ? ? ? 8B D9 89 5C 24 1C
    const uint32_t CClientSocketPtr = 0x29D4174;      // 8B 0D ? ? ? ? 85 C9 74 0A 8D 44
    const uint32_t GameVersion = 178;
}

namespace EMSAddys
{
    const uint32_t MSLockAddy = 0x4093F0;             // 53 56 8B 74 24 0C 8B D9 8B CE
    const uint32_t MSUnlockAddy = 0x401420;           // 8B 01 83 40 04 FF 75 06
    const uint32_t innoHashAddy = 0x13F7550;          // 51 8B 44 24 10 C7 04 24
    const uint32_t FlushSocketAddy = 0x5C4630;        // 6A FF 68 ? ? ? ? 64 A1 ? ? ? ? 50 83 EC 10 53 55 56 57 A1 ? ? ? ? 33 C4 50 8D 44 24 24 64 A3 ? ? ? ? 8B E9 8B 45 08
    const uint32_t MakeBufferListAddy = 0xA2AC60;     // 6A FF 68 ? ? ? ? 64 A1 ? ? ? ? 50 83 EC 14 53 55 56 57 A1 ? ? ? ? 33 C4 50 8D 44 24 28 64 A3 ? ? ? ? 8B E9 89 6C 24 1C
    const uint32_t CClientSocketPtr = 0x1996DEC;      // 8B 0D ? ? ? ? 8D 54 24 1C 52 E8 ? ? ? ? 8B 0D
    const uint32_t GameVersion = 114;
}

#ifdef GMS
using namespace GMSAddys;
#endif // GMS

#ifdef EMS
using namespace EMSAddys;
#endif // EMS

struct ZSocketBase
{
    unsigned int _m_hSocket;
};

template <class T> struct ZList
{
    virtual ~ZList();               //0x00
    void* baseclass_4;              //0x04
    unsigned int _m_uCount;         //0x08
    T* _m_pHead;                    //0x0C
    T* _m_pTail;                    //0x10
};                                  //0x14
static_assert(sizeof(ZList<void>) == 0x14, "ZList is the wrong size");

template <class T> struct ZRef
{
    void* vfptr;
    T* data;
};

#pragma pack( push, 1 )
struct COutPacket
{
    COutPacket() : m_bLoopback(false), m_bIsEncryptedByShanda(false), m_uOffset(0) { }
    COutPacket(uint8_t* data, uint32_t dwLength) : COutPacket()
    {
        m_lpvSendBuff = data;
        m_uDataLen = dwLength;
    }

    int32_t  m_bLoopback;                           // + 0x00
    uint8_t* m_lpvSendBuff;                         // + 0x04
    uint32_t m_uDataLen;                            // + 0x08
    uint32_t m_uOffset;                             // + 0x0C
    int32_t  m_bIsEncryptedByShanda;                // + 0x10

    // Calls the client's own COutPacket::MakeBufferList at MakeBufferListAddy.
    void MakeBufferList(ZList<ZRef<void>> *l, unsigned __int16 uSeqBase, unsigned int *puSeqKey, int bEnc, unsigned int dwKey)
    {
        typedef void(__thiscall *MakeBufferList_t)(COutPacket *_this, ZList<ZRef<void>> *l, unsigned __int16 uSeqBase, unsigned int *puSeqKey, int bEnc, unsigned int dwKey);
        MakeBufferList_t MakeBufferList = reinterpret_cast<MakeBufferList_t>(MakeBufferListAddy);
        MakeBufferList(this, l, uSeqBase, puSeqKey, bEnc, dwKey);
    }
};

struct CInPacket
{
    int32_t m_bLoopback;                            // + 0x00
    int32_t m_nState;                               // + 0x04
    uint8_t* m_lpbRecvBuff;                         // + 0x08
    uint32_t m_uLength;                             // + 0x0C
    uint32_t m_uRawSeq;                             // + 0x10
    uint32_t m_uDataLen;                            // + 0x14
    uint32_t m_uOffset;                             // + 0x18
};
#pragma pack( pop )

struct ZFatalSectionData
{
    void *_m_pTIB;                                  // + 0x00
    int _m_nRef;                                    // + 0x04
};

struct ZFatalSection : public ZFatalSectionData
{
};

// RAII wrapper around the client's lock/unlock routines (MSLockAddy / MSUnlockAddy).
template<class T> struct ZSynchronizedHelper
{
public:
    __inline ZSynchronizedHelper(T* lock)
    {
        reinterpret_cast<void(__thiscall*)(ZSynchronizedHelper<T>*, T*)>(MSLockAddy)(this, lock);
    }

    __inline ~ZSynchronizedHelper()
    {
        reinterpret_cast<void(__thiscall*)(ZSynchronizedHelper<T>*)>(MSUnlockAddy)(this);
    }

private:
    T* m_pLock;                                     // filled in by the client's lock routine
};

static auto CIGCipher__innoHash = reinterpret_cast<unsigned int(__cdecl *)(char *pSrc, int nLen, unsigned int *pdwKey)>(innoHashAddy);

struct CClientSocket
{
    struct CONNECTCONTEXT
    {
        ZList<sockaddr_in> lAddr;
        void *posList;
        int bLogin;
    };

    virtual ~CClientSocket();
    void* ___u1;
    ZSocketBase m_sock;
    CONNECTCONTEXT m_ctxConnect;
    sockaddr_in m_addr;
    int m_tTimeout;
#ifdef GMS
    void* unknown;                    //ZList<ZInetAddr>::'vftable'
#endif
    ZList<ZRef<void> > m_lpRecvBuff; //ZList<ZRef<ZSocketBuffer> >
    ZList<ZRef<void> > m_lpSendBuff; //ZList<ZRef<ZSocketBuffer> >
    CInPacket m_packetRecv;
    ZFatalSection m_lockSend;
    unsigned int m_uSeqSnd;
    unsigned int m_uSeqRcv;
    char* m_URLGuestIDRegistration;
    int m_bIsGuestID;

    void Flush()
    {
        reinterpret_cast<void(__thiscall*)(CClientSocket*)>(FlushSocketAddy)(this);
    }

    void SendPacket(COutPacket& oPacket)
    {
        ZSynchronizedHelper<ZFatalSection> lock(&m_lockSend);

        // Only send on a valid, connected socket with no pending connect addresses.
        if (m_sock._m_hSocket != 0 && m_sock._m_hSocket != 0xFFFFFFFF && m_ctxConnect.lAddr._m_uCount == 0)
        {
            oPacket.MakeBufferList(&m_lpSendBuff, GameVersion, &m_uSeqSnd, 1, m_uSeqSnd);
            m_uSeqSnd = CIGCipher__innoHash(reinterpret_cast<char*>(&m_uSeqSnd), 4, 0);
            Flush();
        }
    }
};
#ifdef GMS
static_assert(sizeof(CClientSocket) == 0x9C, "CClientSocket is the wrong size!");
#endif // GMS

#ifdef EMS
static_assert(sizeof(CClientSocket) == 0x98, "CClientSocket is the wrong size!");
#endif // EMS

Also doing this:

const uint32_t FlushSocketAddy = 0xA41E60;
const uint32_t MakeBufferListAddy = 0x113CF80;

And this:

const uint32_t FlushSocketAddy = 0xA41E63;
const uint32_t MakeBufferListAddy = 0x113CF80;

Both crash.


FlushSocketAddy is wrong.

 

1. Go to 'send' in memory view, copy the address.

2. 4-Byte(Hex) scan that address, it will give the pointer (First Result) (023B74CC for gms 178.3).

3. Reverse 023B74CC to CC 74 3B 02.

4. Aob scan: FF 15 CC 74 3B 02

5. It will give 2 results that call the send API.

GMS v.178.3

KaW

If you do the same steps for GMS v.177.3, it gives 3 results that call the send API; the third result was FlushSocketAddy.

KaX

FlushSocketAddy takes 1 param (ret 0004).

 

00A33F33 = 00697083  they both take 2 params (ret 0008)

00A41F08 = 006A5298 they both take 0 params (ret)

 

FlushSocketAddy is probably virtualized, idk.

 

Edit: Wrong information; forget it.

Edited by CJ.
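The search CJ describes in steps 2 to 4 (take the import-table slot address that the 4-byte scan returns, write it little-endian, then scan for FF 15 followed by those bytes, which is the x86 encoding of `call dword ptr [slot]`) as an added Python example. It is not from this thread or from any tool mentioned here; the image bytes are constructed, IMAGE_BASE and the second slot address are assumptions, and the `ret N` reading used to count stdcall parameters is a naive byte walk that a real analysis would replace with a disassembler. The same enumeration is what an analyst does when working out which code paths in a binary reach a network API.

```python
import struct

# Constructed sample: a tiny fake 32-bit code image (not the game's code),
# assumed to be mapped at IMAGE_BASE. It holds three indirect calls through
# import-table slots: two through the slot we care about and one through a
# neighbouring slot, so the scan has something it must not report.
IMAGE_BASE = 0x00400000         # assumption for this sample
SEND_IAT_SLOT = 0x023B74CC      # the slot address CJ's 4-byte scan returned (GMS 178.3)
OTHER_IAT_SLOT = 0x023B74D0     # constructed: a neighbouring slot


def iat_call_pattern(slot_va):
    """Bytes of `call dword ptr [slot_va]`: FF 15 + little-endian imm32.
    struct.pack('<I') is the 'reverse 023B74CC to CC 74 3B 02' step."""
    return b"\xFF\x15" + struct.pack("<I", slot_va)


def build_sample_image():
    """Constructed code bytes with known call-site offsets (3, 17 and 27)."""
    code = bytearray()
    code += b"\x55\x8B\xEC"                     # push ebp; mov ebp, esp   (offset 0)
    code += iat_call_pattern(SEND_IAT_SLOT)     # call [send]              (offset 3)
    code += b"\xC2\x04\x00"                     # ret 4  -> one stdcall parameter
    code += b"\x90" * 5                         # padding
    code += iat_call_pattern(OTHER_IAT_SLOT)    # call [other]             (offset 17)
    code += b"\xC3"                             # ret    -> no parameters
    code += b"\x90" * 3                         # padding
    code += iat_call_pattern(SEND_IAT_SLOT)     # call [send]              (offset 27)
    code += b"\xC2\x08\x00"                     # ret 8  -> two stdcall parameters
    return bytes(code)


def find_iat_callers(image, slot_va, image_base=IMAGE_BASE):
    """Virtual addresses of every `call dword ptr [slot_va]` in image, in order."""
    pat = iat_call_pattern(slot_va)
    hits = []
    pos = image.find(pat)
    while pos != -1:
        hits.append(image_base + pos)
        pos = image.find(pat, pos + 1)
    return hits


def stdcall_params_after(image, call_off):
    """Read the first `ret` / `ret N` after a call site and return N // 4, the
    parameter count CJ infers from 'ret 0004' vs 'ret 0008' vs plain 'ret'.
    Naive byte walk: correct for this sample, not a substitute for a disassembler."""
    i = call_off + 6                            # skip the 6-byte FF 15 imm32 call
    while i < len(image):
        b = image[i]
        if b == 0xC3:                           # ret
            return 0
        if b == 0xC2 and i + 2 < len(image):    # ret imm16
            return struct.unpack_from("<H", image, i + 1)[0] // 4
        i += 1
    return None


if __name__ == "__main__":
    img = build_sample_image()
    print("pattern:", iat_call_pattern(SEND_IAT_SLOT).hex(" ").upper())
    for va in find_iat_callers(img, SEND_IAT_SLOT):
        n = stdcall_params_after(img, va - IMAGE_BASE)
        print(f"call [send] at {va:08X}, caller returns with {n} param(s)")
```

Running the block prints the pattern FF 15 CC 74 3B 02 and two call sites, 00400003 (one parameter) and 0040001B (two parameters); the call through the other slot at 00400011 is not reported. On a real image you would read the bytes of the mapped module instead of build_sample_image() and pass the slot address the 4-byte scan gave you.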


Here is the address log that the current latest version of DPE (0.9.1.625) uses for the latest version of EMS/GMS.

[2016-12-07 18:29:42] Info: Initializing Dami's Packet Editor v0.9.1.625 (Beta) to MapleStory Global (GMS v178 Rev 3).
[2016-12-07 18:29:43] Debug: SendPacket         0x00A42970
[2016-12-07 18:29:43] Debug: Initialize         0x0113D170
[2016-12-07 18:29:43] Debug: Encode1            0x0086B3B0
[2016-12-07 18:29:43] Debug: Encode2            0x0086B400
[2016-12-07 18:29:43] Debug: Encode4            0x00860F90
[2016-12-07 18:29:43] Debug: Encode8            0x0091F8D0
[2016-12-07 18:29:43] Debug: EncodeBuffer       0x0088A060
[2016-12-07 18:29:43] Debug: EncodeString       0x0097F250
[2016-12-07 18:29:43] Debug: ProcessPacket      0x00A43FA0
[2016-12-07 18:29:43] Debug: Decode1            0x0042FC50
[2016-12-07 18:29:43] Debug: Decode2            0x0042FD00
[2016-12-07 18:29:43] Debug: Decode4            0x0042FDB0
[2016-12-07 18:29:43] Debug: Decode8            0x0091E910
[2016-12-07 18:29:43] Debug: DecodeBuffer       0x0042FE60
[2016-12-07 18:29:43] Debug: DecodeString       0x00889FB0
[2016-12-07 18:29:43] Info: Full send & recv packet logging should be available!
[2016-12-07 18:29:43] Debug: MSLockAddress         0x0040ECE0
[2016-12-07 18:29:43] Debug: MSUnlockAddress       0x00403D40 ; Also known as ZArray::RemoveAll()?
[2016-12-07 18:29:43] Debug: InnoHashAddress       0x01F75C50
[2016-12-07 18:29:43] Debug: FlushSocketAddress    0x00A41E60
[2016-12-07 18:29:43] Debug: MakeBufferListAddress 0x0113D790
[2016-12-07 18:29:43] Debug: CClientSocketPointer  0x029D4174
[2016-12-07 18:29:43] Debug: GameVersion           178
[2016-12-07 18:29:43] Info: Full send & recv packet injection support should be available!
[2016-12-07 18:29:43] Info: 1 window configured.

As far as I know, DPE's packet interface should be functioning correctly with the above address information.

Do note that the CClientSocket class data structure changed slightly as well, basically everything was offset by 4 bytes in the data structure. See uploaded image for more information about this.

P.S: I agree with @CJ., there is something odd about the FlushSocket address. It seems like the function is no longer used by the game, even though the existing code in the client is still working.

Capture.PNG


