Marquinho Posted August 21, 2011 (edited)

I am trying to create a DLL. I managed to create it, but I need this DLL to hook the winsock API and use the send function of the program (a TCP/IP client) to send packets with the socket ID. This DLL is based on wpeSpy. To send packets in the program I used

```
void __cdecl Send( const char* szText )
{
    UINT_PTR adr = 0x00402800; //function address
    __asm
    {
        push szText
        mov edx, szText
        mov ecx, edx
        call adr
    }
}
```

but I don't understand how it works.

Att. Marquinho

Edited August 21, 2011 by Marquinho
deepzero Posted August 21, 2011

So you want to inject a DLL into a running process to hook the winsock send() API? Post your code & what exactly is your problem?
Marquinho Posted August 21, 2011 Author (edited)

> So you want to inject a DLL into a running process to hook the winsock send() API? Post your code & what exactly is your problem?

```
#include <Windows.h>
#include <stdio.h>

char bTsunomon[] = { 0xCC, 0x61, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xBF, 0x71, 0x38, 0xFF, 0x97, 0x7F, 0x1C, 0x48, 0x9C, 0x83, 0xCC, 0x16, 0xEC, 0x8A, 0xCE, 0x86 };
char Packet[128];

void __cdecl Send( const char* szText )
{
    UINT_PTR adr = 0x00402800; //function address
    __asm
    {
        push szText
        mov eax,szText
        mov ecx,0x005081E8
        call adr
    }
}

void CopyPacket(int iCount, int Count)
{
    for(iCount = 0; iCount < Count; iCount++)
    {
        Packet[iCount] = bTsunomon[iCount];
    }
}

void Hack()
{
    while(1)
    {
        if(GetAsyncKeyState(VK_F6) &1)
        {
            CopyPacket(0, 4);
            Send(bTsunomon);
        }
        Sleep(50);
    }
}

BOOL WINAPI DllMain(HINSTANCE hInst, DWORD Reason, LPVOID reserved)
{
    switch(Reason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(NULL, "DLL HOOK iNJECT", "DLL HACK DIGIMON", MB_OK);
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&Hack, NULL, NULL, NULL);
    }
    return true;
}
```

This. I want to inject my DLL and send the packets that I want to the target program.

Edited August 21, 2011 by Marquinho
Holy Posted August 21, 2011 (edited)

Trying to hack Digimon Battle? Yeah, that game has so many security flaws; I reported one some days ago. To inject the DLL you can use an injector like Winject. Anyway, what you're trying to do is to send a packet. But have you bypassed GameGuard? It can maybe detect your DLL. Also, are you calling the function at 0x00402800 correctly? I don't see the 0x005081E8 constant anywhere in the game's code.

PS: You're not hooking the winsock API.

Edited August 22, 2011 by frammm
Marquinho Posted August 22, 2011 Author (edited)

Yeah, Digimon Battle hack, but my client logged in without GG, and I am trying to emulate the server. Do you have an idea? I am trying to send packets from the server in the Client.exe; I get them with WPE Pro, but I am creating a DLL for the hack. 0x00402800 is the address of the PUSH EBP at the start of the send function. 0x005081E8 I understand function.

Edited August 22, 2011 by Marquinho
Holy Posted August 22, 2011 (edited)

So, that bTsunomon packet is sent from the server to the client, and you want to receive that packet in the client when you press F6, even if the server didn't send it to you, is that right? You can do something like this:

```
void Hack()
{
    while(1)
    {
        if(GetAsyncKeyState(VK_F6) &1)
        {
            _asm
            {
                lea ecx, bTsunomon
                Mov eax, 0x4A3AE0
                CALL eax
            }
        }
        Sleep(50);
    }
}
```

The switch case for 61:

```
0049251F |> \8B4C24 10   |MOV ECX,DWORD PTR SS:[ESP+10]   ; Case 61 of switch 00490BBA
00492523 |. E8 B8150100  |CALL DigimonB.004A3AE0
00492528 |.^ E9 E3E5FFFF |JMP DigimonB.00490B10
```

But I am not sure what you pretend to do with that packet, since it doesn't seem to check any of the packet bytes in the switch case and it only displays "Cannot fight. Attack different digimon."

Edited August 22, 2011 by frammm
Marquinho Posted August 22, 2011 Author

I pretend to send this packet to receive a battle with Tsunomon. I used WPE PRO to send this packet and it works, but I pretend to develop a DLL. One question: are you Holy, Holy Mu Devel?
Holy Posted August 22, 2011 (edited)

Ah, then that's a different thing. Well, you only need to grab the socket ID and then send the packet with the send API.

PS: Yes, I am that Holy.

Edited August 22, 2011 by Holy
Marquinho Posted August 22, 2011 Author

You understand: I need and am trying to send packets from the client program, which I get with WPE PRO. PACKET->bTsunomon->Send->SERVER->Battle x Tsunomon. No need to change or modify the packet, only send it. This packet is a battle with Tsunomon and works in all maps.
Marquinho Posted August 22, 2011 Author

```
00402800 $ 55                 PUSH EBP
00402801 . 8BEC               MOV EBP,ESP
00402803 . 6A FF              PUSH -1
00402805 . 68 D0375700        PUSH DigimonB.005737D0                    ; SE handler installation
0040280A . 64:A1 00000000     MOV EAX,DWORD PTR FS:[0]
00402810 . 50                 PUSH EAX
00402811 . 64:8925 000000>    MOV DWORD PTR FS:[0],ESP
00402818 . 83EC 18            SUB ESP,18
0040281B . 8A41 14            MOV AL,BYTE PTR DS:[ECX+14]
0040281E . 53                 PUSH EBX
0040281F . 56                 PUSH ESI
00402820 . 57                 PUSH EDI
00402821 . 84C0               TEST AL,AL
00402823 . 8965 F0            MOV DWORD PTR SS:[EBP-10],ESP
00402826 . 894D EC            MOV DWORD PTR SS:[EBP-14],ECX
00402829 . 74 61              JE SHORT DigimonB.0040288C
0040282B . 8B75 0C            MOV ESI,DWORD PTR SS:[EBP+C]
0040282E . 8D45 08            LEA EAX,DWORD PTR SS:[EBP+8]
00402831 . 33DB               XOR EBX,EBX
00402833 . 8945 E0            MOV DWORD PTR SS:[EBP-20],EAX
00402836 . 895D E8            MOV DWORD PTR SS:[EBP-18],EBX
00402839 . 8975 DC            MOV DWORD PTR SS:[EBP-24],ESI
0040283C > 3BDE               CMP EBX,ESI
0040283E . 7D 4C              JGE SHORT DigimonB.0040288C
00402840 . 8B55 E0            MOV EDX,DWORD PTR SS:[EBP-20]
00402843 . 8B41 18            MOV EAX,DWORD PTR DS:[ECX+18]
00402846 . 2BF3               SUB ESI,EBX
00402848 . 03DA               ADD EBX,EDX
0040284A . 6A 00              PUSH 0                                    ; /Flags = 0
0040284C . 56                 PUSH ESI                                  ; |DataSize
0040284D . 53                 PUSH EBX                                  ; |Data
0040284E . 50                 PUSH EAX                                  ; |Socket
0040284F . C745 FC 000000>    MOV DWORD PTR SS:[EBP-4],0                ; |
00402856 . FF15 18D45700      CALL DWORD PTR DS:[<&wsock32.send>]       ; \send
0040285C . 8BF8               MOV EDI,EAX
0040285E . 83FF FF            CMP EDI,-1
00402861 . 897D E4            MOV DWORD PTR SS:[EBP-1C],EDI
00402864 . 0F85 85000000      JNZ DigimonB.004028EF
0040286A . FF15 14D45700      CALL DWORD PTR DS:[<&wsock32.WSAGetLastE> ; [WSAGetLastError
00402870 . 3D 33270000        CMP EAX,2733
00402875 . 74 28              JE SHORT DigimonB.0040289F
00402877 . 68 38EB5800        PUSH DigimonB.0058EB38                    ; ASCII " Send Error"
0040287C . E8 4F630100        CALL DigimonB.00418BD0
00402881 . 8B4D EC            MOV ECX,DWORD PTR SS:[EBP-14]
00402884 . 83C4 04            ADD ESP,4
00402887 . E8 84FDFFFF        CALL DigimonB.00402610
0040288C > 8B4D F4            MOV ECX,DWORD PTR SS:[EBP-C]
0040288F . 5F                 POP EDI
00402890 . 5E                 POP ESI
00402891 . 64:890D 000000>    MOV DWORD PTR FS:[0],ECX
00402898 . 5B                 POP EBX
00402899 . 8BE5               MOV ESP,EBP
0040289B . 5D                 POP EBP
0040289C . C2 7830            RETN 3078
```

This is the send function of the client.
Holy Posted August 22, 2011

Here you have. I did a hook on the function you posted (all the packets that go from client to server pass through there), and then I check for the walk packet (type 20); if that's the case I grab the socketID (because they both use the same socket ID). So you only need to do a walk so the hook can get the socket ID, and then you can press F6 and the packet will be sent. I also added a check for a null socketID showing a cool in-game text.

```
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdlib.h>
#include <stdio.h>
#include <detours.h>

#pragma comment (lib, "Ws2_32.lib")
#pragma comment (lib, "Mswsock.lib")
#pragma comment (lib, "AdvApi32.lib")
#pragma comment (lib, "detours.lib")

int (__stdcall* Hook)();          // trampoline returned by DetourFunction
int MyHook();
void ShowInGameText(char[]);
int socketID = 0;
char bTsunomon[] = { 0xCC, 0x61, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xBF, 0x71, 0x38, 0xFF, 0x97, 0x7F, 0x1C, 0x48, 0x9C, 0x83, 0xCC, 0x16, 0xEC, 0x8A, 0xCE, 0x86 };

void Hack()
{
    while(1)
    {
        if(GetAsyncKeyState(VK_F6) &1)
        {
            if(socketID != 0)
                send(socketID, bTsunomon, bTsunomon[4], 0);   // byte 4 holds the packet length
            else
                ShowInGameText("Your socketID is NULL! You need to do a walk first.");
        }
        Sleep(50);
    }
}

BOOL WINAPI DllMain(HINSTANCE hInst, DWORD Reason, LPVOID reserved)
{
    switch(Reason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(NULL, "DLL HOOK iNJECT", "DLL HACK DIGIMON", MB_OK);
        Hook = (int (__stdcall*)())DetourFunction((PBYTE)0x0040282B, (PBYTE)MyHook);
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&Hack, NULL, NULL, NULL);
    }
    return true;
}

__declspec(naked) int MyHook()
{
    _asm
    {
        LEA EAX,DWORD PTR SS:[EBP+8]      // Packet
        CMP BYTE PTR SS:[EAX+1], 0x20     // Packet type. 20 = Walk Packet
        JNZ Finish
        MOV EAX,DWORD PTR DS:[ECX+0x18]   // socketID
        MOV socketID, EAX
    Finish:
        JMP Hook                          // Return to the original code.
    }
}

void ShowInGameText(char text[])
{
    _asm
    {
        PUSH 0            // Teal color
        PUSH 0xDA         // Blue
        PUSH 0xE4         // Green
        PUSH 0x18         // Red
        MOV ECX, text
        PUSH ECX
        MOV ECX,0x1117DD0
        MOV EDX,0x0480AF0
        CALL EDX
    }
}
```
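The detour Holy installs at 0x0040282B works by overwriting the first instructions at that site with a 5-byte JMP rel32, which is exactly what an integrity check inside the client (the kind of thing GameGuard-style protection does) looks for: snapshot the code bytes at startup, compare later, and decode any JMP that appeared. This is an added example written from the defender's side, not code from the thread; the reference bytes come from the listing above, while the "live" bytes and the target address 0x10001000 are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Snapshot of the code bytes at the hooked site 0x0040282B, copied from the
 * listing in this thread: MOV ESI,[EBP+C]; LEA EAX,[EBP+8]; XOR EBX,EBX. */
static const uint8_t kRefSite[8]  = { 0x8B,0x75,0x0C, 0x8D,0x45,0x08, 0x33,0xDB };

/* Constructed "live" bytes after a 5-byte detour is installed: JMP rel32 to
 * 0x10001000 (a made-up address standing in for an injected DLL), one NOP
 * of padding, then the untouched XOR EBX,EBX. */
static const uint8_t kLiveSite[8] = { 0xE9,0xD0,0xE7,0xBF,0x0F, 0x90, 0x33,0xDB };

#define SITE_ADDR 0x0040282Bu

/* Index of the first byte that differs from the startup snapshot, or -1. */
long first_modified_offset(const uint8_t *live, const uint8_t *ref, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (live[i] != ref[i]) return (long)i;
    return -1;
}

/* If the bytes at `off` decode as E9 rel32, return the absolute jump target
 * (address of the next instruction + rel32) so it can be logged; otherwise 0. */
uint32_t detour_target_at(const uint8_t *live, size_t len, size_t off, uint32_t base)
{
    int32_t rel;
    if (off + 5 > len || live[off] != 0xE9) return 0;
    memcpy(&rel, live + off + 1, sizeof rel);   /* rel32 is little-endian */
    return base + (uint32_t)off + 5 + (uint32_t)rel;
}

/* Returns 1 if the site was modified; *target gets the JMP destination or 0. */
int check_site(const uint8_t *live, const uint8_t *ref, size_t len,
               uint32_t base, uint32_t *target)
{
    long off = first_modified_offset(live, ref, len);
    if (off < 0) { *target = 0; return 0; }
    *target = detour_target_at(live, len, (size_t)off, base);
    return 1;
}

int main(void)
{
    uint32_t target;
    if (check_site(kLiveSite, kRefSite, sizeof kLiveSite, SITE_ADDR, &target))
        printf("site %08X modified, jumps to %08X\n", (unsigned)SITE_ADDR, (unsigned)target);
    return 0;
}
```

A check like this only catches inline patches at sites it snapshots; a DLL loaded into the process can also patch the checker itself, so anti-cheat products pair it with module enumeration and out-of-process verification.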
Marquinho Posted August 22, 2011 Author

Good! Good! You are a good programmer.