
Question Arcane Packet Exploit

Question

Like the old (now outdated) script that dropped 10 mesos as a test packet: I don't necessarily need a packet editor or even a packet sender, I just need these three packets sent to max out my Arcane symbols. If anyone can write a script that sends these three packets, that's all I need.

first slot arcane symbol 29 01 00 00 00 00 C0 F9 FF FF C0 F9 FF FF

second slot arcane symbol 29 01 00 00 00 00 BF F9 FF FF BF F9 FF FF

third slot arcane symbol 29 01 00 00 00 00 BE F9 FF FF BE F9 FF FF

I'd be willing to pay, thanks a lot!



I haven't tested this script (@Razz wrote it without Maple even being open), but the only sketchy part is passing the packet to EncodeBuffer. Report back if it does not work.

/*
  > v187.2
  + Attack based packet sender. Just attck once to send your packet.
  + Made by Razz (well, he grabbed the first address he saw in scripts database, so OuterHaven/Cam for the hook address)

  Review notes (code unchanged):
  - The detour sits on CAntiRepeat::TryRepeat (0200AF50), so a packet is built
    and sent on EVERY call of that function; how often the client calls it per
    attack is not visible here, so "once" may be several sends.
  - Every address is hard-coded for this client build. The AOB patterns in the
    [disable] section and elsewhere in the thread are how they are re-found;
    a stale address means a crash, not a silent failure.
  - The header goes through the client's own COutPacket constructor
    (push 0129), so the header translation the thread describes happens in
    the client; only the payload bytes live in `packet`.
  - `ret` after `jmp 00E20700` never executes: CClientSocket::SendPacket
    returns to the fake return address 014942B4 (a 90 C3 nop;ret gadget),
    whose ret pops the address pushed by `call _InjectPacket` and lands at
    `exit:`.
  - coutpacket_custom is constructed on every call but never destroyed;
    whether the constructor/EncodeBuffer allocate a buffer that is leaked
    as a result is not visible here — TODO confirm.
*/

[enable]
alloc(hook,256)
alloc(packet, 128)              // payload only; the 2-byte header is the `push 0129` below
alloc(coutpacket_custom, 48)    // storage for one COutPacket object (20 bytes per the struct in this thread)
label(return)
label(exit)

alloc(_InjectPacket,28)
_InjectPacket:
mov ecx, [02C73578]             // ecx = CClientSocket instance (this)
lea eax, [coutpacket_custom]
push eax                        // stack arg: COutPacket*
push 014942B4                   // fake return address (90 C3 gadget inside the game module)
jmp 00E20700                    // CClientSocket::SendPacket; its `ret 4` goes to the gadget
ret                             // unreachable, see notes above

packet:
db 00 00 00 00 C0 F9 FF FF C0 F9 FF FF //12 bytes

0200AF50: // CAntiRepeat::TryRepeat
jmp hook
return:

hook:
pushad                          // general registers only; no pushfd, flags are not preserved (the restored prologue below does not read them)
push 0129                       // unencrypted header 0x0129 ("29 01" on the wire) handed to the ctor
lea ecx, [coutpacket_custom]
call 009F2C90 //coutpacket::coutpacket
push #12 //size
lea eax, [packet]
push eax //data
lea ecx, [coutpacket_custom]
call 007C5F30 //EncodeBuffer
call _InjectPacket

exit:
popad
db 55 8B EC 8B 01               // the 5 original bytes displaced by `jmp hook`: push ebp; mov ebp,esp; mov eax,[ecx]
jmp return

[disable]
0200AF50: // 7E ? 83 ? ? 7D ? 8B ? ? 2B ? 3D [Start]
db 55 8B EC 8B 01               // restore the original prologue before freeing the hook memory

dealloc(hook)
dealloc(coutpacket_custom)
dealloc(_InjectPacket)
dealloc(packet)

 

If you want it hotkey based, find an ::Update() function and do something like this; obviously replace the website-opening code with the send-packet code:

/*
  > GMS v185.2
  + Hotkey based URL opener.

  Review notes (code unchanged):
  - Hooked at 01E1F060, an ::Update() function per the thread, so the key
    check runs once per update tick. The test uses the "key currently down"
    bit (0x8000) of GetAsyncKeyState, so while F5 is held the URL is opened
    on every tick — there is no edge detection or debounce.
  - 01F86940 is called with three stack arguments and no stack cleanup after
    the call. POPAD does not restore esp, so this only balances if the callee
    cleans its own arguments (stdcall-style); what 01F86940 is, is not
    visible here — TODO confirm before reusing this shape for SendPacket.
  - Template only: the thread says to swap the `//do shit` section for the
    packet-sending code from the previous script.
*/

[enable]
alloc(hook,256)
label(return)
label(exit)

alloc(website, 123)
website:
db 'www.youtube.com' 00          // NUL-terminated ANSI string passed to 01F86940

01E1F060:
jmp hook
return:

hook:
pushad
push 74 //F5
call GetAsyncKeyState
mov ecx,00008000                // bit 15 = key is down right now
test cx,ax
je exit

//do shit

push 6
push 0
push website
call 01F86940                   // args: (website, 0, 6); no `add esp` afterwards, see notes

exit:
popad
push ebp                        // the 5 original bytes displaced by `jmp hook`
mov ebp,esp
push -01 { 255 }
jmp return

[disable]
01E1F060: //83 ec 0c 53 56 57 b9 ? ? ? ? e8
push ebp
mov ebp,esp
push -01 { 255 }

dealloc(hook)
dealloc(website)

 

Edited by Erotica
15 minutes ago, wshh said:

Like the old (now outdated) script that dropped 10 mesos as a test packet: I don't necessarily need a packet editor or even a packet sender, I just need these three packets sent to max out my Arcane symbols. If anyone can write a script that sends these three packets, that's all I need.

first slot arcane symbol 29 01 00 00 00 00 C0 F9 FF FF C0 F9 FF FF

second slot arcane symbol 29 01 00 00 00 00 BF F9 FF FF BF F9 FF FF

third slot arcane symbol 29 01 00 00 00 00 BE F9 FF FF BE F9 FF FF

I'd be willing to pay, thanks a lot!

Since you're willing to "pay" why don't you buy terminal.

 

Packet.h

#include <Windows.h>
#include <Intrin.h>
#include <queue>

#pragma pack(push, 1)
// Mirror of the client's outgoing-packet object: five 4-byte fields, 20 bytes
// on x86 with pack(1). SendPacket() in Packet.cpp only ever fills lpbData and
// dwcbData; the other fields stay zero from SecureZeroMemory, and the client's
// own COutPacket constructor is NOT run for objects built this way.
struct COutPacket
{
	BOOL fLoopback;
	union
	{
		LPBYTE lpbData;     // payload buffer; for injected packets, owned by the injector until the hook frees it
		LPVOID lpvData;
		LPWORD lpwHeader;   // same pointer viewed as a 16-bit word (presumably the header — name-based, unverified here)
	};
	DWORD dwcbData;        // number of valid bytes at lpbData
	UINT uOffset;
	BOOL fEncryptedByShanda;
};

// Mirror of the client's incoming-packet object as guessed by the original
// author; the trailing comments are their field notes, kept verbatim.
// RecvPacket() in Packet.cpp fills fLoopback, iState, lpvData, usLength,
// usDataLen, usUnknown and uOffset; usRawSeq and lpv are left zeroed.
// The thread later reports Recv injection as broken, so treat this layout
// as unverified for the current client.
struct CInPacket
{
	BOOL fLoopback; // 0
	INT iState;     // 2
	union
	{
		LPVOID lpvData;
		struct
		{
			DWORD dw;
			WORD wHeader;
		} *pHeader;
		struct
		{
			DWORD dw;
			BYTE bData[0];
		} *pData;
	};
	USHORT usLength;  // size of preceding struct
	USHORT usRawSeq;  // pData->dw & 0xFFFF
					  // should be DWORD, then SIZE_T, according to jony
	USHORT usDataLen; // usLength - 4
	USHORT usUnknown; // 0xCC
	UINT uOffset;     // sizeof(DWORD) == 4
	LPVOID lpv;       // idk; 1238E0?
};
#pragma pack(pop)

// Queue a copy of dwLength bytes to be sent through the client's own
// CClientSocket::SendPacket on the next serviced DispatchMessageA call.
void SendPacket(LPBYTE lpBytes, DWORD dwLength);
// Queue a copy of usLength bytes to be fed to CClientSocket::ProcessPacket
// as if received from the server (reported broken later in the thread).
void RecvPacket(LPVOID lpvBytes, USHORT usLength);

// The client's own update-time counter, used to fill the @TIMESTAMP placeholder.
int TimeStamp();

// Install / remove the DispatchMessageA import hook that drains both queues.
void EnableInjectPacket();
void DisableInjectPacket();

Packet.cpp:

#include "Packet.h"

// Packets waiting to be handed to the game. Pushed by SendPacket/RecvPacket
// and drained by DispatchMessageA_Hook. std::queue is not thread-safe and
// nothing here locks it; which thread the form runs on is not visible here —
// TODO confirm, otherwise this is a data race between the UI and the hook.
std::queue<COutPacket *> outqueue;
std::queue<CInPacket *> inqueue;

// Everything below is hard-coded for one client build. The AOB patterns in
// the comments are how each address is re-found on a new version; a stale
// value here crashes the game rather than failing safely.

// DispatchMessageA: FF 15 ? ? ? ? 8D ? ? ? ? ? ? 8B ? ? ? ? ? E8 ? ? ? ? 85
// Import-table slot holding the DispatchMessageA pointer (rewritten by
// EnableInjectPacket) and the one call-site return address the hook services.
const LPVOID *lppvDispatchMessageA = reinterpret_cast<const LPVOID*>(0x02C7B954);
const LPVOID lpvDispatchMessageA_Return = reinterpret_cast<const LPVOID>(0x0216E89A);

// CClientSocket::ReturnAddress: 90 C3
// A nop;ret gadget inside the game module, pushed as the fake return address
// so SendPacket/ProcessPacket "return" into game code and the gadget then
// returns to the injector.
const LPVOID lpvCClientSocket__ReturnAddress = reinterpret_cast<const LPVOID>(0x0040105F);

// CClientSocketPtr: 8B 0D ? ? ? ? 85 C9 74 ? 8D ? ? 50 E8 ? ? ? ? 8D ? ? E8
// Address of the global CClientSocket* (dereferenced once more to get `this`).
const LPVOID *lppvCClientSocketPtr = reinterpret_cast<const LPVOID*>(0x02C73578);

// CClientSocket::SendPacket: [Follow call below CClientSocketPtr]
// Declared __fastcall so ecx/edx map onto `this`; the packet is a stack argument.
typedef void(__fastcall *CClientSocket__SendPacket_t)(LPVOID lpvECX, LPVOID lpvEDX, COutPacket *oPacket);
CClientSocket__SendPacket_t CClientSocket__SendPacket = reinterpret_cast<CClientSocket__SendPacket_t>(0x00E20700);

// COutPacket::COutPacket(long): E8 ? ? ? ? 8B ? ? C7 ? ? ? ? ? ? E8 ? ? ? ? ? 8D [Follow call]
// Resolved but never called in this file: SendPacket() builds the object by
// hand, so the header translation the thread attributes to this constructor
// does not run for injected packets (hence "log the packet to get the header").
typedef void(__fastcall *COutPacket__COutPacket__long_t)(LPVOID lpvECX, LPVOID lpvEDX, int nType);
COutPacket__COutPacket__long_t COutPacket__COutPacket__long = reinterpret_cast<COutPacket__COutPacket__long_t>(0x009F2C90);

// 8th function after CClientSocket::SendPacket
// CClientSocket::ProcessPacket: 8B ? ? ? ? ? 8D ? ? ? ? ? ? E8 ? ? ? ? 8D ? ? ? ? ? E8 ? ? ? ? 8D ? ? ? ? ? E8 [Follow call below]
typedef void(__fastcall *CClientSocket__ProcessPacket_t)(LPVOID lpvECX, LPVOID lpvEDX, CInPacket *iPacket);
CClientSocket__ProcessPacket_t CClientSocket__ProcessPacket = reinterpret_cast<CClientSocket__ProcessPacket_t>(0x00E21850);

// get_update_time: 8D 8E ? ? 00 00 E8 ? ? ? ? E8 ? ? ? ? 50 [Follow second call]
typedef int(_cdecl *get_update_time_t)();
get_update_time_t get_update_time = reinterpret_cast<get_update_time_t>(0x02098B10);

// Read the client's own update-time counter so an injected packet carries the
// same timestamp value the game would have put in it.
int TimeStamp()
{
	const int clientTime = get_update_time();
	return clientTime;
}

// Hand an already-built COutPacket to the client's own CClientSocket::SendPacket.
// Naked: no prologue is emitted, so [esp+4] is still the oPacket argument on entry.
// Control never comes back through this function: SendPacket returns to the
// 90 C3 gadget at lpvCClientSocket__ReturnAddress, whose ret then pops this
// function's own return address and lands in the caller (DispatchMessageA_Hook).
// Why a fake return address is needed (e.g. a caller check inside the client)
// is not visible here — TODO confirm.
void __declspec(naked) InjectOutPacket(COutPacket *oPacket)
{
	__asm
	{
		// Set class pointer
		mov ecx, [lppvCClientSocketPtr]   // ecx = address of the CClientSocket* global
		mov ecx, [ecx]                    // ecx = CClientSocket* (`this`)

		// Push oPacket and fake return address
		push [esp+0x04]
		push [lpvCClientSocket__ReturnAddress]

		// Inject packet
		jmp [CClientSocket__SendPacket]
	}
}

// Feed a hand-built CInPacket to the client's CClientSocket::ProcessPacket as if
// it had arrived from the server. Same shape as InjectOutPacket: naked, `this`
// in ecx, the packet as a stack argument, a fake return address so the callee
// returns into the 90 C3 gadget, which then returns to our caller.
// The thread reports this path as non-functional for the current client.
void __declspec(naked) InjectInPacket(CInPacket *iPacket)
{
	__asm
	{
		// Set class pointer
		mov ecx, [lppvCClientSocketPtr]   // ecx = address of the CClientSocket* global
		mov ecx, [ecx]                    // ecx = CClientSocket* (`this`)

		// Push iPacket and fake return address
		push [esp+0x04]
		push [lpvCClientSocket__ReturnAddress]

		// Inject packet
		jmp [CClientSocket__ProcessPacket]
	}
}

// Queue an outgoing packet. The object is built by hand (the client's
// COutPacket constructor is not called), so only lpbData/dwcbData are set
// and every other field is zero.
// Ownership of both allocations passes to outqueue; DispatchMessageA_Hook
// frees them after the client has consumed the packet.
void SendPacket(LPBYTE lpBytes, DWORD dwLength)
{
	COutPacket *oPacket = new COutPacket;
	SecureZeroMemory(oPacket, sizeof(COutPacket));

	// Private copy: the caller frees its buffer as soon as we return.
	LPBYTE lpCopy = new byte[dwLength];
	memcpy_s(lpCopy, dwLength, lpBytes, dwLength);

	oPacket->lpbData  = lpCopy;
	oPacket->dwcbData = dwLength;

	outqueue.push(oPacket);
}

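// Queue a hand-built incoming packet for CClientSocket::ProcessPacket.
// usDataLen is usLength minus the leading 4-byte dword; the object layout is
// the author's reconstruction (see CInPacket) and the thread reports this
// path as broken for the current client.
void RecvPacket(LPVOID lpvBytes, USHORT usLength)
{
	// Guard the USHORT subtraction below: for usLength < 4 it would wrap to
	// ~65k and the client would read far past the buffer we hand it.
	if (usLength < sizeof(DWORD))
		return;

	CInPacket *iPacket = new CInPacket;
	SecureZeroMemory(iPacket, sizeof(CInPacket));
	iPacket->fLoopback = 0;
	iPacket->iState = 2;
	iPacket->lpvData = new byte[usLength];
	iPacket->usLength = usLength;
	iPacket->usDataLen = iPacket->usLength - sizeof(DWORD);
	iPacket->usUnknown = 0;
	iPacket->uOffset = 4;   // cursor starts just past the leading dword

	// Private copy; the caller frees its buffer on return. Ownership of both
	// allocations passes to inqueue, which DispatchMessageA_Hook drains.
	memcpy_s(iPacket->lpvData, usLength, lpvBytes, usLength);
	inqueue.push(iPacket);
}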

// Replacement for the client's DispatchMessageA import. Every call is forwarded
// to the real DispatchMessageA; calls coming from one specific call site
// (lpvDispatchMessageA_Return, i.e. the game's message loop) additionally drain
// both packet queues first, so injection happens on the game's own thread.
LRESULT WINAPI DispatchMessageA_Hook(const MSG *lpmsg)
{
	// Only service the message loop; other callers of DispatchMessageA pass straight through.
	if (_ReturnAddress() == lpvDispatchMessageA_Return)
	{
		try
		{
			COutPacket *oPacket;
			while (!outqueue.empty())
			{
				oPacket = outqueue.front();
				outqueue.pop();   // popped before injecting: a throw here loses the packet

				InjectOutPacket(oPacket);

				// Safe to free: the client has returned from SendPacket by now.
				// Skipped if InjectOutPacket throws — both allocations leak then.
				delete[] oPacket->lpbData;
				delete oPacket;
			}

			CInPacket *iPacket;
			while (!inqueue.empty())
			{
				iPacket = inqueue.front();
				inqueue.pop();

				InjectInPacket(iPacket);

				delete[] iPacket->lpvData;
				delete iPacket;
			}
		}
		catch (...)
		{
			// Swallows C++ exceptions silently so the message loop keeps running.
			// A fault inside the client's SendPacket/ProcessPacket is an SEH
			// exception, which catch(...) only sees under /EHa — TODO confirm
			// the build flags; otherwise a bad address still crashes the game.
		}
	}

	return DispatchMessageA(lpmsg);
}

// Point the client's import-table slot for DispatchMessageA at our hook.
// NOTE(review): no VirtualProtect here — this assumes the IAT page is
// already writable in this process; confirm, or the write faults.
void EnableInjectPacket()
{
	LPVOID *slot = const_cast<LPVOID *>(lppvDispatchMessageA);
	*slot = reinterpret_cast<LPVOID>(&DispatchMessageA_Hook);
}

// Restore the import-table slot to the real DispatchMessageA.
// Packets still sitting in the queues are not freed here; they stay queued
// until the hook is enabled again.
void DisableInjectPacket()
{
	LPVOID *slot = const_cast<LPVOID *>(lppvDispatchMessageA);
	*slot = reinterpret_cast<LPVOID>(&DispatchMessageA);
}

Form1.cpp:

#include <Windows.h>
#include "MainForm.h"
#include "Packet.h"

using namespace GMSPacketInjector;

// Entry point of the injector window (its caller inside the DLL is not shown
// here). Blocks in Application::Run until the form closes; since FormClosing
// either cancels the close or terminates the whole game process,
// Application::Exit() is effectively never reached.
void Main(void)
{
	Application::EnableVisualStyles();
	Application::SetCompatibleTextRenderingDefault(false);
	Application::Run(gcnew MainForm);
	Application::Exit();
}

// The injector lives inside the game process, so closing this window means
// killing MapleStory itself; confirm with the user before doing so.
void MainForm::MainForm_FormClosing(System::Object^  sender, System::Windows::Forms::FormClosingEventArgs^  e)
{
	System::Windows::Forms::DialogResult answer = MessageBox::Show(
		"Are you sure you want to close this program?\n"
		"Closing this program will also close MapleStory.",
		"Close MapleStory?", MessageBoxButtons::YesNo, MessageBoxIcon::Question);

	switch (answer)
	{
	case ::DialogResult::Yes:
		// Hard kill with exit code 0: no unhooking, no flushing of queued packets.
		TerminateProcess(GetCurrentProcess(), 0);
		break;
	case ::DialogResult::No:
		e->Cancel = true;   // keep the window (and the game) alive
		break;
	default:
		break;
	}
}

// One-time window setup: show which game process this injector is living in,
// pick the first packet direction, and keep the injection controls disabled
// until the hook checkbox enables them.
void MainForm::MainForm_Load(System::Object^  sender, System::EventArgs^  e)
{
	static DWORD dwProcessID = GetCurrentProcessId();

	this->Text = "[" + dwProcessID + "] GMS Packet Injector";

	comboBoxPACKETTYPE->SelectedIndex = 0;

	array<System::Windows::Forms::Control^>^ gated = {
		this->textBoxPACKET, this->comboBoxPACKETTYPE, this->buttonINJECT,
		this->labelDELAY, this->textBoxDELAY, this->buttonSPAM };
	for each (System::Windows::Forms::Control^ control in gated)
		control->Enabled = false;
}

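// Render a 32-bit value as 8 uppercase hex digits in little-endian byte order,
// e.g. 0x0D1496C5 -> "C596140D", which is how the @TIMESTAMP placeholder is
// substituted into the packet text.
//
// Cleanup of the original: the (i == 0 ? "%02X" : "%02X") ternary chose the
// same format either way, and ((UINT)(num << 16) >> 16) cast to BYTE was just
// the low byte. Working on the unsigned bit pattern also avoids the signed
// left shift / arithmetic right shift on negative inputs.
std::string toHexadecimal(int num)
{
	unsigned int bits = static_cast<unsigned int>(num);
	std::string str;
	str.reserve(8);

	for (int i = 0; i < 4; i++)
	{
		char tmp[3];   // two hex digits + NUL
		snprintf(tmp, sizeof(tmp), "%02X", bits & 0xFFu);
		str += tmp;
		bits >>= 8;    // next byte, least significant first
	}

	return str;
}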

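// Validate the packet text typed by the user: non-empty, an even number of
// characters, and only hex digits or the '*' wildcard nibble (expanded by
// InjectPacket). On failure strError explains why and false is returned.
//
// Fix: the original loop also contained
//   if (strPacket[i] == String::Compare(strPacket, "@TIMESTAMP") == 0) continue;
// which parses as ((char == int) == 0). String::Compare returns a small
// integer that essentially never equals a printable character, so the
// expression was true for every character and the "invalid character"
// branch was unreachable — any text passed validation and Byte::Parse
// then threw out of the button handler. @TIMESTAMP is substituted by the
// callers before this function runs, so no special case is needed here.
bool IsGoodPacket(String^ strPacket, String^ &strError)
{
	// IsNullOrEmpty also covers a null handle, which ->Length would not.
	if (String::IsNullOrEmpty(strPacket))
	{
		strError = "Packet is empty!";

		return false;
	}

	if ((strPacket->Length) % 2 == 1)
	{
		strError = "Packet size is not a multiple of 2!";

		return false;
	}

	for (int i = 0; i < strPacket->Length; i++)
	{
		wchar_t c = strPacket[i];
		if (c >= '0' && c <= '9') continue;
		if (c >= 'A' && c <= 'F') continue;
		if (c >= 'a' && c <= 'f') continue;
		if (c == '*') continue;   // random-nibble wildcard

		strError = "Invalid character detected in packet!";

		return false;
	}

	return true;
}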

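// Turn the validated hex text into bytes and queue it: PacketType false =
// outgoing (SendPacket), true = incoming (RecvPacket). Each '*' in the text
// becomes one random hex digit. Returns false with strError set when the
// text is rejected or queuing fails.
//
// Fixes: the byte parsing ran before the try block, so a Byte::Parse failure
// leaked lpBytes and escaped the handler; and the catch swallowed queue
// failures while still reporting success. Parsing now happens inside the
// try and any exception is reported to the caller as a failure.
bool InjectPacket(String^ strPacket, String^ &strError, bool PacketType)
{
	if (!IsGoodPacket(strPacket, strError))
		return false;

	// Expand each wildcard nibble to a random hex digit 0-F.
	Random^ randObj = gcnew Random();
	String^ rawBytes = String::Empty;

	for (int i = 0; i < strPacket->Length; i++)
	{
		if (strPacket[i] == '*')
			rawBytes += randObj->Next(16).ToString("X");
		else
			rawBytes += strPacket[i];
	}

	using namespace System::Globalization;

	::DWORD  dwLength = (rawBytes->Length / 2);
	::LPBYTE lpBytes = new ::BYTE[dwLength];

	try
	{
		::DWORD dwOffset = 0;
		for (int i = 0; (dwOffset < dwLength) && ((i + 1) < rawBytes->Length); dwOffset++, i += 2)
			lpBytes[dwOffset] = Byte::Parse(rawBytes->Substring(i, 2), NumberStyles::HexNumber, CultureInfo::InvariantCulture);

		// Both queue functions copy the bytes, so lpBytes can be freed in finally.
		if (!PacketType)
			SendPacket(lpBytes, dwLength);
		else
			RecvPacket(lpBytes, dwLength);
	}
	catch (Exception^ ex)
	{
		// Report instead of silently returning true.
		strError = ex->Message;
		return false;
	}
	finally
	{
		delete[] lpBytes;
	}

	return true;
}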

// Inject the packet from the text box once, in the direction selected in the
// combo box. Spaces are stripped and @TIMESTAMP is replaced with the client's
// current update time before parsing. Any other combo text does nothing.
void MainForm::buttonINJECT_Click(System::Object^  sender, System::EventArgs^  e)
{
	String^ strError = String::Empty;

	std::string hexStamp = toHexadecimal(TimeStamp());
	String^ stamp = gcnew String(hexStamp.c_str());

	String^ mode = this->comboBoxPACKETTYPE->Text;
	bool isRecv;
	if (mode == "Send")
		isRecv = false;
	else if (mode == "Recv")
		isRecv = true;
	else
		return;

	String^ payload = textBoxPACKET->Text->Replace(" ", "")->Replace("@TIMESTAMP", stamp);
	if (!InjectPacket(payload, strError, isRecv))
		MessageBox::Show(strError);
}

// Master switch: installs or removes the DispatchMessageA hook and gates the
// whole injection UI on it. The Spam button caption is reset either way.
void MainForm::checkBoxPACKETINJECTOR_CheckedChanged(System::Object^  sender, System::EventArgs^  e)
{
	const bool hooked = this->checkBoxPACKETINJECTOR->Checked;

	if (hooked)
		EnableInjectPacket();
	else
		DisableInjectPacket();

	this->textBoxPACKET->Enabled = hooked;
	this->comboBoxPACKETTYPE->Enabled = hooked;
	this->buttonINJECT->Enabled = hooked;
	this->labelDELAY->Enabled = hooked;
	this->textBoxDELAY->Enabled = hooked;
	this->buttonSPAM->Enabled = hooked;
	this->buttonSPAM->Text = "Spam";
}

int iSpamDelay = 100;   // spam timer period in ms; edited via textBoxDELAY, applied when Spam starts

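// Keep iSpamDelay in sync with the delay text box.
// Fix: Convert::ToInt32 throws on empty or non-numeric text, which happens
// every time the user clears the box; parse defensively and keep the previous
// delay when the text is not a usable number. Non-positive values are also
// ignored because the value is later assigned to timerSPAM->Interval, which
// presumably does not accept them (TODO confirm against the Timer docs).
void MainForm::textBoxDELAY_TextChanged(System::Object^  sender, System::EventArgs^  e)
{
	int parsed = 0;
	if (Int32::TryParse(this->textBoxDELAY->Text, parsed) && parsed > 0)
		iSpamDelay = parsed;
}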

// Toggle the repeat-injection timer. The button caption doubles as the run
// state: "Spam" = idle (click to start), anything else = running (click to stop).
// While running, the packet inputs are frozen so the payload cannot change mid-run.
void MainForm::buttonSPAM_Click(System::Object^  sender, System::EventArgs^  e)
{
	const bool starting = (this->buttonSPAM->Text == "Spam");

	if (starting)
	{
		this->buttonSPAM->Text = "Stop";
		this->timerSPAM->Interval = iSpamDelay;
	}
	else
	{
		this->buttonSPAM->Text = "Spam";
	}
	this->timerSPAM->Enabled = starting;

	const bool editable = !starting;
	this->textBoxPACKET->Enabled = editable;
	this->comboBoxPACKETTYPE->Enabled = editable;
	this->buttonINJECT->Enabled = editable;
	this->labelDELAY->Enabled = editable;
	this->textBoxDELAY->Enabled = editable;
}

// One spam iteration: inject the current packet text in the selected
// direction, refreshing @TIMESTAMP each tick. On failure the timer is stopped,
// the inputs are re-enabled and the error is shown. An unrecognised combo
// text does nothing (and leaves the timer running, as before).
void MainForm::timerSPAM_Tick(System::Object^  sender, System::EventArgs^  e)
{
	String^ strError = String::Empty;

	std::string hexStamp = toHexadecimal(TimeStamp());
	String^ stamp = gcnew String(hexStamp.c_str());

	String^ mode = this->comboBoxPACKETTYPE->Text;
	bool isRecv;
	if (mode == "Send")
		isRecv = false;
	else if (mode == "Recv")
		isRecv = true;
	else
		return;

	String^ payload = textBoxPACKET->Text->Replace(" ", "")->Replace("@TIMESTAMP", stamp);
	if (InjectPacket(payload, strError, isRecv))
		return;

	// Injection failed: stop spamming, restore the editable UI, then report.
	this->buttonSPAM->Text = "Spam";
	this->timerSPAM->Enabled = false;
	this->textBoxPACKET->Enabled = true;
	this->comboBoxPACKETTYPE->Enabled = true;
	this->buttonINJECT->Enabled = true;
	this->labelDELAY->Enabled = true;
	this->textBoxDELAY->Enabled = true;
	MessageBox::Show(strError);
}

Reference: 

https://ccplz.net/threads/mini-source-code-packet-sender-cli-c.7733/

https://ccplz.net/threads/release-sendpacket-function-source.41982/

 

For Send injection you have to log the packet manually with MapleShark to get the header, unless some 1337 hacker is able to tweak it to send the unencrypted header.

Recv injection is broken (does not work): either a wrong address, an outdated structure, or something else — I don't know.

updated by unknown on (cannot name site dot com)

quoted from unknown

12 hours ago, Raymond said:

updated by unknown on (cannot name site dot com)

quoted from unknown

FYI, we don't filter websites at Moopler. You can post references to whatever you wish.

8 hours ago, Erotica said:

I haven't tested this script (@Razz wrote it without Maple even being open), but the only sketchy part is passing the packet to EncodeBuffer. Report back if it does not work.


/*
  > v187.2
  + Attack based packet sender. Just attck once to send your packet.
  + Made by Razz (well, he grabbed the first address he saw in scripts database, so OuterHaven/Cam for the hook address)

  Review notes (code unchanged):
  - The detour sits on CAntiRepeat::TryRepeat (0200AF50), so a packet is built
    and sent on EVERY call of that function; how often the client calls it per
    attack is not visible here, so "once" may be several sends.
  - Every address is hard-coded for this client build. The AOB patterns in the
    [disable] section and elsewhere in the thread are how they are re-found;
    a stale address means a crash, not a silent failure.
  - The header goes through the client's own COutPacket constructor
    (push 0129), so the header translation the thread describes happens in
    the client; only the payload bytes live in `packet`.
  - `ret` after `jmp 00E20700` never executes: CClientSocket::SendPacket
    returns to the fake return address 014942B4 (a 90 C3 nop;ret gadget),
    whose ret pops the address pushed by `call _InjectPacket` and lands at
    `exit:`.
  - coutpacket_custom is constructed on every call but never destroyed;
    whether the constructor/EncodeBuffer allocate a buffer that is leaked
    as a result is not visible here — TODO confirm.
*/

[enable]
alloc(hook,256)
alloc(packet, 128)              // payload only; the 2-byte header is the `push 0129` below
alloc(coutpacket_custom, 48)    // storage for one COutPacket object (20 bytes per the struct in this thread)
label(return)
label(exit)

alloc(_InjectPacket,28)
_InjectPacket:
mov ecx, [02C73578]             // ecx = CClientSocket instance (this)
lea eax, [coutpacket_custom]
push eax                        // stack arg: COutPacket*
push 014942B4                   // fake return address (90 C3 gadget inside the game module)
jmp 00E20700                    // CClientSocket::SendPacket; its `ret 4` goes to the gadget
ret                             // unreachable, see notes above

packet:
db 00 00 00 00 C0 F9 FF FF C0 F9 FF FF //12 bytes

0200AF50: // CAntiRepeat::TryRepeat
jmp hook
return:

hook:
pushad                          // general registers only; no pushfd, flags are not preserved (the restored prologue below does not read them)
push 0129                       // unencrypted header 0x0129 ("29 01" on the wire) handed to the ctor
lea ecx, [coutpacket_custom]
call 009F2C90 //coutpacket::coutpacket
push #12 //size
lea eax, [packet]
push eax //data
lea ecx, [coutpacket_custom]
call 007C5F30 //EncodeBuffer
call _InjectPacket

exit:
popad
db 55 8B EC 8B 01               // the 5 original bytes displaced by `jmp hook`: push ebp; mov ebp,esp; mov eax,[ecx]
jmp return

[disable]
0200AF50: // 7E ? 83 ? ? 7D ? 8B ? ? 2B ? 3D [Start]
db 55 8B EC 8B 01               // restore the original prologue before freeing the hook memory

dealloc(hook)
dealloc(coutpacket_custom)
dealloc(_InjectPacket)
dealloc(packet)

 

If you want it hotkey based, find an ::Update() function and do something like this; obviously replace the website-opening code with the send-packet code:


/*
  > GMS v185.2
  + Hotkey based URL opener.

  Review notes (code unchanged):
  - Hooked at 01E1F060, an ::Update() function per the thread, so the key
    check runs once per update tick. The test uses the "key currently down"
    bit (0x8000) of GetAsyncKeyState, so while F5 is held the URL is opened
    on every tick — there is no edge detection or debounce.
  - 01F86940 is called with three stack arguments and no stack cleanup after
    the call. POPAD does not restore esp, so this only balances if the callee
    cleans its own arguments (stdcall-style); what 01F86940 is, is not
    visible here — TODO confirm before reusing this shape for SendPacket.
  - Template only: the thread says to swap the `//do shit` section for the
    packet-sending code from the previous script.
*/

[enable]
alloc(hook,256)
label(return)
label(exit)

alloc(website, 123)
website:
db 'www.youtube.com' 00          // NUL-terminated ANSI string passed to 01F86940

01E1F060:
jmp hook
return:

hook:
pushad
push 74 //F5
call GetAsyncKeyState
mov ecx,00008000                // bit 15 = key is down right now
test cx,ax
je exit

//do shit

push 6
push 0
push website
call 01F86940                   // args: (website, 0, 6); no `add esp` afterwards, see notes

exit:
popad
push ebp                        // the 5 original bytes displaced by `jmp hook`
mov ebp,esp
push -01 { 255 }
jmp return

[disable]
01E1F060: //83 ec 0c 53 56 57 b9 ? ? ? ? e8
push ebp
mov ebp,esp
push -01 { 255 }

dealloc(hook)
dealloc(website)

 

The script works, but it is useless for normal people: you don't explain how to get the unencrypted header.

I modified this one so it drops 10 mesos. Is it possible to use the COutPacket structure instead of DecodeBuffer?

/*
  Review notes (code unchanged) — same shape as the arcane script above, with
  the meso-drop header and an 8-byte payload:
  - Fires on every call of CAntiRepeat::TryRepeat, not once per attack.
  - The "[TimeStamp]" field is the literal constant AA BB CC 00; the client's
    real update time is never read. Whether the server checks it is not
    visible here.
  - `ret` after `jmp 00E20700` is unreachable: SendPacket returns to the
    90 C3 gadget at 014942B4, which returns to `exit:`.
  - The header is supplied to the client's COutPacket constructor (push 013F),
    not placed in `packet`; the thread explains why it cannot go in the data.
*/
[enable]
alloc(hook,256)
alloc(packet, 128)
alloc(coutpacket_custom, 48)    // one COutPacket object, constructed per call, never destroyed
label(return)
label(exit)

alloc(_InjectPacket,28)
_InjectPacket:
mov ecx, [02C73578] // CClientSocket
lea eax, [coutpacket_custom] // load packet data
push eax // push packet data
push 014942B4 // Fake ret (any ret instruction, this one use nop ret)
jmp 00E20700 // CClientSocket::SendPacket
ret                             // unreachable, see notes above

// Drop 10 mesos Packet
// [Unencrypted Header] [TimeStamp] [Amount of Mesos]
// [3F 01] [AA BB CC 00] [0A 00 00 00]
packet:
db AA BB CC 00 0A 00 00 00 // 8 Byte  (timestamp bytes are a fixed placeholder, see notes)

0200AF50: // CAntiRepeat::TryRepeat
jmp hook
return:

hook:
pushad                          // no pushfd: flags are not preserved
push 013F // Unencrypted header here
lea ecx, [coutpacket_custom]
call 009F2C90 // COutPacket::COutPacket(long)
push #8 // Size
lea eax, [packet]
push eax // Data
lea ecx, [coutpacket_custom]
call 007C5F30 // EncodeBuffer
call _InjectPacket

exit:
popad
db 55 8B EC 8B 01               // displaced prologue: push ebp; mov ebp,esp; mov eax,[ecx]
jmp return

[disable]
0200AF50: // 7E ? 83 ? ? 7D ? 8B ? ? 2B ? 3D [Start]
db 55 8B EC 8B 01

dealloc(hook)
dealloc(coutpacket_custom)
dealloc(_InjectPacket)
dealloc(packet)

Is it also possible to have the header in

packet:
db AA BB CC 00 0A 00 00 00
Edited by Raymond

20 minutes ago, Raymond said:

is it also possible to have the header in <x>

No. MapleStory has deployed a "new" security feature where the server sends the client a block of encrypted headers; the COutPacket constructor uses it to translate the real header into a fake one, and the fake header is what goes to the server. Calling the constructor is just a cheap way to send real headers without reverse-engineering the encryption of the header block and somehow passing fake headers to the SendPacket function.

Real headers are obtained by making packet loggers that take above fix into account, hooking both the COutPacket constructor and SendPacket, and comparing the COutPacket object and real header used in the parameters. Currently Blight does this. I do not know if GameKiller has a PE because I will never visit their frankly terrible website.

It is also possible to just log packets as usual, with fake headers, go to the return address — which is simply the address where the SendPacket function is called — and scroll up until you see the real header pushed to the COutPacket constructor.

6 minutes ago, Erotica said:

No. MapleStory has deployed a "new" security feature where the server sends a block of encrypted headers to the client, which the COutPacket constructor translates real headers into, then sends the fake header to the server. This is just a cheap workaround to send real headers without having to reverse engineer the encryption on the header block, and somehow pass fake headers to the SendPacket function.

Real headers are obtained by making packet loggers that take above fix into account, hooking both the COutPacket constructor and SendPacket, and comparing the COutPacket object and real header used in the parameters. Currently Blight does this. I do not know if GameKiller has a PE because I will never visit their frankly terrible website.

It is also possible to just log packets as usual, with fake headers, and going to the return address - which is just the address where the SendPacket function is called - and scrolling up until you see the real header pushed to to the COutPacket constructor.

And to set packet data and size we have to use DecodeBuffer?

cannot use this struct anymore to set it?

#pragma pack(push, 1)
// Same COutPacket mirror as in Packet.h above (five 4-byte fields, 20 bytes
// on x86). Filling this by hand and passing it to SendPacket skips the
// client's constructor, which is where the header translation happens —
// that is the point being discussed here.
struct COutPacket
{
	BOOL fLoopback;
	union
	{
		LPBYTE lpbData;     // payload buffer
		LPVOID lpvData;
		LPWORD lpwHeader;   // same pointer as a 16-bit word (presumably the header; unverified)
	};
	DWORD dwcbData;        // valid bytes at lpbData
	UINT uOffset;
	BOOL fEncryptedByShanda;
};
#pragma pack(pop)

 


What does DecodeBuffer have to do with anything? That is used for incoming packets.

Sure, EncodeBuffer will write data to the packet object, or you can do that yourself, but you will still need the correct size of the data, no?

The COutPacket structure is mostly used to access data of an already-made object. What exactly are you even asking?

51 minutes ago, Erotica said:

What does DecodeBuffer have to do with anything? That is used for incoming packets.

Sure, EncodeBuffer will write data to the packet object, or you can do that yourself, but you will still need the correct size of the data, no?

The COutPacket sctructure is mostly used to access data of an already made object. What exactly are you even asking.

He's asking if he can fill out an object and inject it through the SendPacket function.

Just now, NewSprux2.0? said:

He's asking if he can fill out an object and inject it through the SendPacket function.

Well of course he can. The function literally takes COutPacket object as a parameter.


Wanting to update old script with non encrypted header...

Somehow only the header gets sent???

 

/*
  Review notes (code unchanged):
  - DispatchMessageA itself is detoured: its 5-byte hot-patch prologue
    (mov edi,edi; push ebp; mov ebp,esp) is replaced by `jmp DispatchMessageA_Hook`
    and re-executed at the end of the hook before `jmp DispatchMessageA+5`.
  - The F1 test reads the "key currently down" bit of GetAsyncKeyState, so one
    packet goes out per DispatchMessageA call for as long as F1 is held.
  - Only the constructor is called on SPacket; nothing encodes the payload, so
    what is sent is whatever the constructor leaves in the object. That is the
    "only the header gets sent" symptom, as the next reply also says.
  - InjectPacket ends with `ret` instead of continuing into DispatchMessageA.
    Once SendPacket's fake return address (the 90 C3 gadget) unwinds back to
    InjectPacket, that `ret` pops the return address of the game's
    `call [DispatchMessageA]` and returns there with lpmsg still on the stack:
    the stdcall `ret 4` DispatchMessageA would have done never happens, esp is
    off by 4, the message is never dispatched and eax is not an LRESULT. The
    `ret` should be replaced by `jmp DispatchMessageA+5` after the displaced
    prologue bytes, as the fall-through path already does.
  - "SPacket: // 16 bytes" undercounts: the COutPacket layout in this thread has
    five dwords (20 bytes). The 128-byte alloc means nothing overflows, and the
    dd values written here are presumably overwritten by the constructor anyway
    (TODO confirm).
*/
[ENABLE]
alloc(DispatchMessageA_Hook,128)
alloc(SendPacket,128)
alloc(SPacket,128)
alloc(Packet,64)
label(InjectPacket)

SPacket:// 16 bytes
dd 00 // Unknown 1
dd 00 // Packet Data
dd 40 // Packet Size (Take care of the packet size. If your packet is bigger than the size, it will crash.)
dd 00 // Unknown 2

// Drop 10 Mesos
// [3F 01] [C5 96 14 0D] [0A 00 00 00]
// [Header] [TimeStamp] [Mesos Amount]
Packet:
db C5 96 14 00 0A 00 00 00      // note: 4th byte is 00 here but 0D in the comment above

SPacket+4:
dd Packet

SendPacket:
push 013F // Unencrypted header here
lea ecx,[SPacket]
call 009F2C90 // COutPacket::COutPacket(long)
mov ecx,[02C73578] // CClientSocketPtr: 8B 0D ? ? ? ? 85 C9 74 ? 8D ? ? 50 E8 ? ? ? ? 8D ? ? E8
push SPacket
push 014942B4 // Search for 90 C3 for fake return address
jmp 00E20700 // CClientSocket::SendPacket: Follow call below CClientSocketPtr

DispatchMessageA_Hook:
push 70 // VK_F1
call GetAsyncKeyState
shr ax,#15                      // ax = 1 if F1 is currently down
cmp ax,1
je InjectPacket
mov edi,edi                     // displaced prologue, then resume the real function
push ebp
mov ebp,esp
jmp DispatchMessageA+5

InjectPacket:
call SendPacket                 // returns here via the 90 C3 gadget
ret                             // BUG: returns to DispatchMessageA's caller with lpmsg still on the stack, see notes

DispatchMessageA:
jmp DispatchMessageA_Hook

[DISABLE]
DispatchMessageA:
mov edi,edi
push ebp
mov ebp,esp

dealloc(DispatchMessageA_Hook)
dealloc(SendPacket)
dealloc(SPacket)
dealloc(Packet)

 


Only the header gets sent because that is all you're doing...

push 013F // Unencrypted header here
lea ecx,[SPacket]
call 009F2C90 // COutPacket::COutPacket(long)
mov ecx,[02C73578] // CClientSocketPtr: 8B 0D ? ? ? ? 85 C9 74 ? 8D ? ? 50 E8 ? ? ? ? 8D ? ? E8
push SPacket
push 014942B4 // Search for 90 C3 for fake return address
jmp 00E20700 // CClientSocket::SendPacket: Follow call below CClientSocketPtr

If you want to add the rest of the packet, then you need to use Encode2, Encode4, etc. (or EncodeBuffer, as in the script above).

5 hours ago, Raymond said:

Wanting to update old script with non encrypted header...

Somehow only the header gets sent???

I literally remade the script for you, though. What's the difference between writing your own packet in some allocated space and letting MS write it for you with the function the game developers designed to do it?

If you want easy access to the header you can define(header, xxx) and push the definition, or alloc(header, 4) header: dw #123 (maybe registersymbol) and change it that way?


Well I definitely  won't get this if anyone figures this out please share or atleast just make an arcane script xD thank you

 

sorry for being such a leech~


alright just wanted to update old script that's all, thanks for replies.

 

/*
  Review notes (code unchanged):
  - As posted, the whole build-the-packet section is commented out, including
    the COutPacket constructor call. SendPacket therefore hands the client the
    hand-filled SPacket (size 0x40 = 64 bytes pointing at Packet, of which
    only 8 bytes are defined) with no header translation at all. That is a
    different object from what the client's own code would produce.
  - InjectPacket still ends with `ret` rather than resuming DispatchMessageA.
    After SendPacket's fake return (the 90 C3 gadget) unwinds back here, that
    `ret` returns to the game's `call [DispatchMessageA]` site with lpmsg still
    on the stack — the stdcall `ret 4` never happens, esp is off by 4, the
    message is dropped and eax is not an LRESULT. This is consistent with the
    "pressed F1 and crashed" report that follows. Replace the `ret` with the
    displaced prologue bytes plus `jmp DispatchMessageA+5`, as the
    fall-through path already does.
  - The F1 test is level-triggered (bit 15 of GetAsyncKeyState), so one send
    per DispatchMessageA call while the key is held.
  - "SPacket: // 16 bytes" undercounts: the COutPacket layout in this thread
    has five dwords (20 bytes); the 128-byte alloc keeps this from overflowing.
*/
[ENABLE]
alloc(DispatchMessageA_Hook,128)
alloc(SendPacket,128)
alloc(SPacket,128)
alloc(Packet,64)
label(InjectPacket)

SPacket:// 16 bytes
dd 00 // Unknown 1
dd 00 // Packet Data
dd 40 // Packet Size (Take care of the packet size. If your packet is bigger than the size, it will crash.)
dd 00 // Unknown 2

// Drop 10 Mesos
// [3F 01] [C5 96 14 0D] [0A 00 00 00]
// [Header] [TimeStamp] [Mesos Amount]
Packet:
db C5 96 14 00 0A 00 00 00      // note: 4th byte is 00 here but 0D in the comment above; bytes 8..63 of the 0x40 "size" are whatever alloc left there

SPacket+4:
dd Packet                       // field 2 = pointer to the payload (the struct's lpbData slot)

SendPacket:
/* Uncomment to send packet with non encrypted header.
push 013F // Unencrypted header here
lea ecx,[SPacket]
call 009F2C90 // COutPacket::COutPacket(long)
push #8 // Size
lea eax, [Packet]
push eax // Data
lea ecx, [SPacket]
call 007C5F30 // COutPacket::EncodeBuffer
*/
mov ecx,[02C73578] // CClientSocketPtr: 8B 0D ? ? ? ? 85 C9 74 ? 8D ? ? 50 E8 ? ? ? ? 8D ? ? E8
push SPacket
push 014942B4 // Search for 90 C3 for fake return address
jmp 00E20700 // CClientSocket::SendPacket: Follow call below CClientSocketPtr

DispatchMessageA_Hook:
push 70 // VK_F1
call GetAsyncKeyState
shr ax,#15                      // ax = 1 if F1 is currently down
cmp ax,1
je InjectPacket
mov edi,edi                     // displaced prologue, then resume the real function
push ebp
mov ebp,esp
jmp DispatchMessageA+5

InjectPacket:
call SendPacket                 // returns here via the 90 C3 gadget
ret                             // BUG: returns to DispatchMessageA's caller with lpmsg still on the stack, see notes

DispatchMessageA:
jmp DispatchMessageA_Hook

[DISABLE]
DispatchMessageA:
mov edi,edi
push ebp
mov ebp,esp

dealloc(DispatchMessageA_Hook)
dealloc(SendPacket)
dealloc(SPacket)
dealloc(Packet)

 

1 hour ago, Raymond said:

alright just wanted to update old script that's all, thanks for replies.

 


/*
  Review notes (code unchanged):
  - As posted, the whole build-the-packet section is commented out, including
    the COutPacket constructor call. SendPacket therefore hands the client the
    hand-filled SPacket (size 0x40 = 64 bytes pointing at Packet, of which
    only 8 bytes are defined) with no header translation at all. That is a
    different object from what the client's own code would produce.
  - InjectPacket still ends with `ret` rather than resuming DispatchMessageA.
    After SendPacket's fake return (the 90 C3 gadget) unwinds back here, that
    `ret` returns to the game's `call [DispatchMessageA]` site with lpmsg still
    on the stack — the stdcall `ret 4` never happens, esp is off by 4, the
    message is dropped and eax is not an LRESULT. This is consistent with the
    "pressed F1 and crashed" report that follows. Replace the `ret` with the
    displaced prologue bytes plus `jmp DispatchMessageA+5`, as the
    fall-through path already does.
  - The F1 test is level-triggered (bit 15 of GetAsyncKeyState), so one send
    per DispatchMessageA call while the key is held.
  - "SPacket: // 16 bytes" undercounts: the COutPacket layout in this thread
    has five dwords (20 bytes); the 128-byte alloc keeps this from overflowing.
*/
[ENABLE]
alloc(DispatchMessageA_Hook,128)
alloc(SendPacket,128)
alloc(SPacket,128)
alloc(Packet,64)
label(InjectPacket)

SPacket:// 16 bytes
dd 00 // Unknown 1
dd 00 // Packet Data
dd 40 // Packet Size (Take care of the packet size. If your packet is bigger than the size, it will crash.)
dd 00 // Unknown 2

// Drop 10 Mesos
// [3F 01] [C5 96 14 0D] [0A 00 00 00]
// [Header] [TimeStamp] [Mesos Amount]
Packet:
db C5 96 14 00 0A 00 00 00      // note: 4th byte is 00 here but 0D in the comment above; bytes 8..63 of the 0x40 "size" are whatever alloc left there

SPacket+4:
dd Packet                       // field 2 = pointer to the payload (the struct's lpbData slot)

SendPacket:
/* Uncomment to send packet with non encrypted header.
push 013F // Unencrypted header here
lea ecx,[SPacket]
call 009F2C90 // COutPacket::COutPacket(long)
push #8 // Size
lea eax, [Packet]
push eax // Data
lea ecx, [SPacket]
call 007C5F30 // COutPacket::EncodeBuffer
*/
mov ecx,[02C73578] // CClientSocketPtr: 8B 0D ? ? ? ? 85 C9 74 ? 8D ? ? 50 E8 ? ? ? ? 8D ? ? E8
push SPacket
push 014942B4 // Search for 90 C3 for fake return address
jmp 00E20700 // CClientSocket::SendPacket: Follow call below CClientSocketPtr

DispatchMessageA_Hook:
push 70 // VK_F1
call GetAsyncKeyState
shr ax,#15                      // ax = 1 if F1 is currently down
cmp ax,1
je InjectPacket
mov edi,edi                     // displaced prologue, then resume the real function
push ebp
mov ebp,esp
jmp DispatchMessageA+5

InjectPacket:
call SendPacket                 // returns here via the 90 C3 gadget
ret                             // BUG: returns to DispatchMessageA's caller with lpmsg still on the stack, see notes

DispatchMessageA:
jmp DispatchMessageA_Hook

[DISABLE]
DispatchMessageA:
mov edi,edi
push ebp
mov ebp,esp

dealloc(DispatchMessageA_Hook)
dealloc(SendPacket)
dealloc(SPacket)
dealloc(Packet)

I pressed F1 with the given packet (drop mesos) and the game crashed. Did you update the script or just re-paste it?

 

3 hours ago, wshh said:

Well I definitely  won't get this if anyone figures this out please share or atleast just make an arcane script xD thank you

 

sorry for being such a leech~

What are you talking about? @Erotica posted it for you... But the header of the arcane packets is now 25 01, so edit the script accordingly

2 hours ago, misterdave35 said:

What are you talking about? @Erotica posted it for you... But the header of the arcane packets is now 25 01, so edit the script accordingly

TY! and Thanks @Erotica!

Just now, Rocks said:

can anyone @Erotica , update this please.

The packet functions other than SendPacket have not changed. The differences are 10–30 bytes in the addresses; please try it yourself for 2 minutes first.

1 hour ago, Erotica said:

Packet functions except for SendPacket has not changed. The changes are 10-30 bytes on addresses, try it yourself for 2 minutes first please.

in your code not sure what to change. people said change header, I tried changing the

packet:
db 00 00 00 00 C0 F9 FF FF C0 F9 FF FF //12 bytes

to

packet:
db 25 01 00 00 C0 F9 FF FF C0 F9 FF FF //12 bytes

 

I'm not even sure if I'm looking at the right thing. Also, when logging, packets go by so fast I can't keep up.

39 minutes ago, Rocks said:

in your code not sure what to change. people said change header, I tried changing the


packet:
db 00 00 00 00 C0 F9 FF FF C0 F9 FF FF //12 bytes

to


packet:
db 25 01 00 00 C0 F9 FF FF C0 F9 FF FF //12 bytes

 

I'm not even sure if I'm looking at the right thing. Also, when logging, packets go by so fast I can't keep up.

Update the addresses.

[enable]
// some script

// These are the only lines that change between client builds. Each carries
// the AOB pattern used to re-find it; a stale address crashes the game
// rather than failing safely, so re-resolve all of them, not just the header.
mov ecx, [02C73578] // CClientSocketPtr: 8B 0D ? ? ? ? 85 C9 74 ? 8D ? ? 50 E8 ? ? ? ? 8D ? ? E8
lea eax, [coutpacket_custom]
push eax
push 014942B4 // Search for 90 C3 for fake return address
jmp 00E20700 // call below CClientSocketPtr
ret

// some script

0200AF50: // CAntiRepeat::TryRepeat
jmp hook
return:

// rest of script

[disable]
0200AF50: // 7E ? 83 ? ? 7D ? 8B ? ? 2B ? 3D [Start] // CAntiRepeat::TryRepeat
db 55 8B EC 8B 01   // the original prologue bytes; they too must match the new build

// rest of script

 
