Jump to content
Tuts 4 You

Help in Hook Winsock API

Marquinho

By Marquinho
in Programming and Coding

Recommended Posts

Marquinho

Marquinho

Posted
Posted (edited)

i am try create a dll

i get create but, i need this dll hook winsock api and use this send function of program TCP/IP Client for send packets, with Socket id..

This dll based on wpeSpy. for send packets in the program.

i used


void __cdecl Send( const char* szText )
{
UINT_PTR adr = 0x00402800; //function address
__asm
{
push szText
mov edx, szText
mov ecx, edx
call adr
}
}

but i dont understand works. :(

Att.Marquinho

Edited by Marquinho
deepzero

deepzero

Posted
Posted

so you want to injecta dll into a running process to hook the winsock send() api?

post your code & what exactly is your problem?

Marquinho

Marquinho

Posted
  • Author
Posted (edited)

so you want to injecta dll into a running process to hook the winsock send() api?

post your code & what exactly is your problem?


#include <Windows.h>
#include <stdio.h>
char bTsunomon[] = { 0xCC, 0x61, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xBF, 0x71, 0x38, 0xFF, 0x97, 0x7F, 0x1C, 0x48, 0x9C, 0x83, 0xCC, 0x16, 0xEC, 0x8A, 0xCE, 0x86  };
char Packet[128];
void __cdecl Send( const char* szText )
{
UINT_PTR adr = 0x00402800; //function address
__asm
{
push szText
mov eax,szText
mov ecx,0x005081E8
call adr
}
}
void CopyPacket(int iCount, int Count)
{
for(iCount = 0; iCount < Count; iCount++)
{
  Packet[iCount] = bTsunomon[iCount];
}
}
void Hack()
{
while(1)
{
  if(GetAsyncKeyState(VK_F6) &1)
  {
   CopyPacket(0, 4);
   Send(bTsunomon);
  }
  Sleep(50);
}
}
BOOL WINAPI DllMain(HINSTANCE hInst, DWORD Reason, LPVOID reserved)
{
switch(Reason)
{
case DLL_PROCESS_ATTACH:
  MessageBoxA(NULL, "DLL HOOK iNJECT", "DLL HACK DIGIMON", MB_OK);
  CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&Hack, NULL, NULL, NULL);
}
return true;
}

this

I want to inject my dll and send the packages that I want the program target

Edited by Marquinho
Holy

Holy

Posted
Posted (edited)

Trying to hack Digimon Battle?

Yeah that game has so many security flaws, I reported one some days ago tongue.png.

For inject the DLL you can use an injector like Winject.

Anyway what you're trying to do is to send a packet.But, have you bypassed GameGuard? It can maybe detect your DLL. Also are you calling the function at 0x00402800 correctly? I don't see the 0x005081E8 constant anywhere in the game's code.

PS: You're not hooking winsock api.

Edited by frammm
Marquinho

Marquinho

Posted
  • Author
Posted (edited)

Yeah Digimon Battle Hack

but my client logged without GG, and i trying to emulate server.

You have a idea?

i am try to send packets from server in the Client.exe

i get with WPE Pro but i am create DLL

for Hacker.

0x00402800 this addres of PUSH EBP with initial function send

0x005081E8 i understand function.

Edited by Marquinho
Holy

Holy

Posted
Posted (edited)

So, that bTsunomon packet is sent from the server to client. And you want to

receive that packet in the client when you press F6, even if the server didn't send you, that's right?

You can do something like this:


void Hack()
{
while(1)
{
  if(GetAsyncKeyState(VK_F6) &1)
  {
   _asm{
	lea ecx, bTsunomon
	Mov eax, 0x4A3AE0
	CALL eax
   }
  }
  Sleep(50);
}
}

The switch case for 61:


0049251F  |> \8B4C24 10 	|MOV ECX,DWORD PTR SS:[ESP+10]   		;  Case 61 of switch 00490BBA
00492523  |.  E8 B8150100   |CALL DigimonB.004A3AE0
00492528  |.^ E9 E3E5FFFF   |JMP DigimonB.00490B10

But I am not sure what do you pretend to do with that packet, since it doesn't seem to check any of the packet bytes in the switch case and it only displays "Cannot fight. Attack different digimon."

Edited by frammm
Marquinho

Marquinho

Posted
  • Author
Posted

i am pretend send this packet for receiver battle with tsunomon, i am used WPE PRO for send this packet and work.

but i pretend developer DLL.

one question you is Holy?, Holy Mu Devel?

Holy

Holy

Posted
Posted (edited)

Ah, then that's a different thing. Well you just only need to grab the Socket ID and then send the packet with the send API.

PS: Ye i am that holy.

Edited by Holy
Marquinho

Marquinho

Posted
  • Author
Posted

you understand, i am need and try to send packets for client program, i get with WPE PRO.

PACKET->bTsunomon->Send->

SERVER->Battle x Tsunomon.

not need change or modify packet, only send.

this packet is a battle with tsunomon and works in all maps.

Marquinho

Marquinho

Posted
  • Author
Posted 

00402800   $ 55         	PUSH EBP
00402801   . 8BEC       	MOV EBP,ESP
00402803   . 6A FF      	PUSH -1
00402805   . 68 D0375700	PUSH DigimonB.005737D0               	;  SE handler installation
0040280A   . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00402810   . 50         	PUSH EAX
00402811   . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00402818   . 83EC 18    	SUB ESP,18
0040281B   . 8A41 14    	MOV AL,BYTE PTR DS:[ECX+14]
0040281E   . 53         	PUSH EBX
0040281F   . 56         	PUSH ESI
00402820   . 57         	PUSH EDI
00402821   . 84C0       	TEST AL,AL
00402823   . 8965 F0    	MOV DWORD PTR SS:[EBP-10],ESP
00402826   . 894D EC    	MOV DWORD PTR SS:[EBP-14],ECX
00402829   . 74 61      	JE SHORT DigimonB.0040288C
0040282B   . 8B75 0C    	MOV ESI,DWORD PTR SS:[EBP+C]
0040282E   . 8D45 08    	LEA EAX,DWORD PTR SS:[EBP+8]
00402831   . 33DB       	XOR EBX,EBX
00402833   . 8945 E0    	MOV DWORD PTR SS:[EBP-20],EAX
00402836   . 895D E8    	MOV DWORD PTR SS:[EBP-18],EBX
00402839   . 8975 DC    	MOV DWORD PTR SS:[EBP-24],ESI
0040283C   > 3BDE       	CMP EBX,ESI
0040283E   . 7D 4C      	JGE SHORT DigimonB.0040288C
00402840   . 8B55 E0    	MOV EDX,DWORD PTR SS:[EBP-20]
00402843   . 8B41 18    	MOV EAX,DWORD PTR DS:[ECX+18]
00402846   . 2BF3       	SUB ESI,EBX
00402848   . 03DA       	ADD EBX,EDX
0040284A   . 6A 00      	PUSH 0                               	; /Flags = 0
0040284C   . 56         	PUSH ESI                             	; |DataSize
0040284D   . 53         	PUSH EBX                             	; |Data
0040284E   . 50         	PUSH EAX                             	; |Socket
0040284F   . C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0           	; |
00402856   . FF15 18D45700  CALL DWORD PTR DS:[<&wsock32.send>]  	; \send
0040285C   . 8BF8       	MOV EDI,EAX
0040285E   . 83FF FF    	CMP EDI,-1
00402861   . 897D E4    	MOV DWORD PTR SS:[EBP-1C],EDI
00402864   . 0F85 85000000  JNZ DigimonB.004028EF
0040286A   . FF15 14D45700  CALL DWORD PTR DS:[<&wsock32.WSAGetLastE>; [WSAGetLastError
00402870   . 3D 33270000	CMP EAX,2733
00402875   . 74 28      	JE SHORT DigimonB.0040289F
00402877   . 68 38EB5800	PUSH DigimonB.0058EB38               	;  ASCII "    	Send Error
"
0040287C   . E8 4F630100	CALL DigimonB.00418BD0
00402881   . 8B4D EC    	MOV ECX,DWORD PTR SS:[EBP-14]
00402884   . 83C4 04    	ADD ESP,4
00402887   . E8 84FDFFFF	CALL DigimonB.00402610
0040288C   > 8B4D F4    	MOV ECX,DWORD PTR SS:[EBP-C]
0040288F   . 5F         	POP EDI
00402890   . 5E         	POP ESI
00402891   . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
00402898   . 5B         	POP EBX
00402899   . 8BE5       	MOV ESP,EBP
0040289B   . 5D         	POP EBP
0040289C   . C2 7830    	RETN 3078

this a send function client

Holy

Holy

Posted
Posted

Here you have. I did a hook on the function you posted (there goes all the packets that goes from client to server), and then I check for the walk packet (type 20) if that's the case I grab the socketID (cause they both uses the same socket id).

So you only need to do a walk, so the hook can get the socket ID and then you can press F6 and the packet will be sent. I also added a check for null socketID showing a cool in-game text :P


#define WIN32_LEAN_AND_MEAN#include <windows.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdlib.h>
#include <stdio.h>
#include <detours.h>#pragma comment (lib, "Ws2_32.lib")
#pragma comment (lib, "Mswsock.lib")
#pragma comment (lib, "AdvApi32.lib")
#pragma comment(lib, "detours.lib")int (__stdcall* Hook)();
int MyHook();
void ShowInGameText(char[]);
int socketID = 0;
char bTsunomon[] = { 0xCC, 0x61, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xBF, 0x71, 0x38, 0xFF, 0x97, 0x7F, 0x1C, 0x48, 0x9C, 0x83, 0xCC, 0x16, 0xEC, 0x8A, 0xCE, 0x86  };
void Hack()
{
while(1)
{
  if(GetAsyncKeyState(VK_F6) &1)
  {
   if(socketID != 0)
    send(socketID,bTsunomon,bTsunomon[4],0);
   ShowInGameText("Your socketID is NULL!You need to do a walk first.");
  }
  Sleep(50);
}
}BOOL WINAPI DllMain(HINSTANCE hInst, DWORD Reason, LPVOID reserved)
{
switch(Reason)
{
case DLL_PROCESS_ATTACH:
  MessageBoxA(NULL, "DLL HOOK iNJECT", "DLL HACK DIGIMON", MB_OK);
  Hook = (int (__stdcall*)())DetourFunction((PBYTE)0x0040282B, (PBYTE)MyHook);
  CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&Hack, NULL, NULL, NULL);
}
return true;
}__declspec( naked) int MyHook()
{
    _asm{
   	 LEA EAX,DWORD PTR SS:[EBP+8] // Packet
   	 CMP BYTE PTR SS:[EAX+1], 0x20 //Packet type. 20 = Walk Packet
   	 JNZ Finish
   	 MOV EAX,DWORD PTR DS:[ECX+0x18] //socketID
   	 MOV socketID, EAX
    Finish:
   	 JMP Hook//Return to the original code.
    }
}void ShowInGameText(char text[]){
    _asm{
    PUSH 0
    //Teal color
    PUSH 0xDA //Blue
    PUSH 0xE4 //Green
    PUSH 0x18 //Red
    MOV ECX, text
    PUSH ECX
    MOV ECX,0x1117DD0
    MOV EDX,0x0480AF0
    CALL EDX
    }
}
  • Like 1
Marquinho

Marquinho

Posted
  • Author
Posted

Good!, Good!, you are a good programmer.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...