Tuts 4 You

Help in Hook Winsock API


Marquinho


Posted (edited)

I am trying to create a DLL.

I managed to create it, but I need this DLL to hook the Winsock API and use the send function of the program's TCP/IP client to send packets, with the socket ID.

This DLL is based on wpeSpy, for sending packets in the program.

I used:


void __cdecl Send( const char* szText )
{
    UINT_PTR adr = 0x00402800; //function address
    __asm
    {
        push szText
        mov edx, szText
        mov ecx, edx
        call adr
    }
}

But I don't understand how it works. :(

Att.Marquinho

Edited by Marquinho
Posted

So you want to inject a DLL into a running process to hook the Winsock send() API?

Post your code, and what exactly is your problem?

Posted (edited)

So you want to inject a DLL into a running process to hook the Winsock send() API?

Post your code, and what exactly is your problem?


#include <Windows.h>
#include <stdio.h>

char bTsunomon[] = { 0xCC, 0x61, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xBF, 0x71, 0x38, 0xFF, 0x97, 0x7F, 0x1C, 0x48, 0x9C, 0x83, 0xCC, 0x16, 0xEC, 0x8A, 0xCE, 0x86 };
char Packet[128];

void __cdecl Send( const char* szText )
{
    UINT_PTR adr = 0x00402800; //function address
    __asm
    {
        push szText
        mov eax,szText
        mov ecx,0x005081E8
        call adr
    }
}

void CopyPacket(int iCount, int Count)
{
    for(iCount = 0; iCount < Count; iCount++)
    {
        Packet[iCount] = bTsunomon[iCount];
    }
}

void Hack()
{
    while(1)
    {
        if(GetAsyncKeyState(VK_F6) &1)
        {
            CopyPacket(0, 4);
            Send(bTsunomon);
        }
        Sleep(50);
    }
}

BOOL WINAPI DllMain(HINSTANCE hInst, DWORD Reason, LPVOID reserved)
{
    switch(Reason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(NULL, "DLL HOOK iNJECT", "DLL HACK DIGIMON", MB_OK);
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&Hack, NULL, NULL, NULL);
    }
    return true;
}

This.

I want to inject my DLL and send the packets that I want to the target program.

Edited by Marquinho
Posted (edited)

Trying to hack Digimon Battle?

Yeah, that game has so many security flaws; I reported one some days ago.

To inject the DLL you can use an injector like Winject.

Anyway, what you're trying to do is to send a packet. But have you bypassed GameGuard? It can maybe detect your DLL. Also, are you calling the function at 0x00402800 correctly? I don't see the 0x005081E8 constant anywhere in the game's code.

PS: You're not hooking the Winsock API.

Edited by frammm
Posted (edited)

Yeah, Digimon Battle hack.

But my client logs in without GG, and I am trying to emulate the server.

Do you have an idea?

I am trying to send packets from the server in the Client.exe.

I managed it with WPE Pro, but I am creating a DLL

for the hack.

0x00402800 is the address of the PUSH EBP at the start of the send function.

0x005081E8, I understand, is the function.

Edited by Marquinho
Posted (edited)

So, that bTsunomon packet is sent from the server to the client, and you want to receive that packet in the client when you press F6, even if the server didn't send it to you. Is that right?

You can do something like this:


void Hack()
{
    while(1)
    {
        if(GetAsyncKeyState(VK_F6) &1)
        {
            _asm{
                lea ecx, bTsunomon
                mov eax, 0x4A3AE0
                call eax
            }
        }
        Sleep(50);
    }
}

The switch case for 61:


0049251F |> \8B4C24 10 |MOV ECX,DWORD PTR SS:[ESP+10] ; Case 61 of switch 00490BBA
00492523 |. E8 B8150100 |CALL DigimonB.004A3AE0
00492528 |.^ E9 E3E5FFFF |JMP DigimonB.00490B10

But I am not sure what you intend to do with that packet, since it doesn't seem to check any of the packet bytes in the switch case and it only displays "Cannot fight. Attack different digimon."

Edited by frammm
Posted

I intend to send this packet to receive a battle with Tsunomon; I used WPE PRO to send this packet and it works.

But I intend to develop a DLL.

One question: are you Holy? Holy from Mu Devel?

Posted (edited)

Ah, then that's a different thing. Well, you only need to grab the socket ID and then send the packet with the send API.

PS: Yes, I am that Holy.

Edited by Holy
Posted

You understand: I need to, and am trying to, send packets for the client program; I managed it with WPE PRO.

PACKET->bTsunomon->Send->

SERVER->Battle x Tsunomon.

No need to change or modify the packet, only send it.

This packet is a battle with Tsunomon and works in all maps.

Posted

00402800 $ 55 PUSH EBP
00402801 . 8BEC MOV EBP,ESP
00402803 . 6A FF PUSH -1
00402805 . 68 D0375700 PUSH DigimonB.005737D0 ; SE handler installation
0040280A . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00402810 . 50 PUSH EAX
00402811 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00402818 . 83EC 18 SUB ESP,18
0040281B . 8A41 14 MOV AL,BYTE PTR DS:[ECX+14]
0040281E . 53 PUSH EBX
0040281F . 56 PUSH ESI
00402820 . 57 PUSH EDI
00402821 . 84C0 TEST AL,AL
00402823 . 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
00402826 . 894D EC MOV DWORD PTR SS:[EBP-14],ECX
00402829 . 74 61 JE SHORT DigimonB.0040288C
0040282B . 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
0040282E . 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
00402831 . 33DB XOR EBX,EBX
00402833 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00402836 . 895D E8 MOV DWORD PTR SS:[EBP-18],EBX
00402839 . 8975 DC MOV DWORD PTR SS:[EBP-24],ESI
0040283C > 3BDE CMP EBX,ESI
0040283E . 7D 4C JGE SHORT DigimonB.0040288C
00402840 . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
00402843 . 8B41 18 MOV EAX,DWORD PTR DS:[ECX+18]
00402846 . 2BF3 SUB ESI,EBX
00402848 . 03DA ADD EBX,EDX
0040284A . 6A 00 PUSH 0 ; /Flags = 0
0040284C . 56 PUSH ESI ; |DataSize
0040284D . 53 PUSH EBX ; |Data
0040284E . 50 PUSH EAX ; |Socket
0040284F . C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0 ; |
00402856 . FF15 18D45700 CALL DWORD PTR DS:[<&wsock32.send>] ; \send
0040285C . 8BF8 MOV EDI,EAX
0040285E . 83FF FF CMP EDI,-1
00402861 . 897D E4 MOV DWORD PTR SS:[EBP-1C],EDI
00402864 . 0F85 85000000 JNZ DigimonB.004028EF
0040286A . FF15 14D45700 CALL DWORD PTR DS:[<&wsock32.WSAGetLastE>; [WSAGetLastError
00402870 . 3D 33270000 CMP EAX,2733
00402875 . 74 28 JE SHORT DigimonB.0040289F
00402877 . 68 38EB5800 PUSH DigimonB.0058EB38 ; ASCII " Send Error\n"
0040287C . E8 4F630100 CALL DigimonB.00418BD0
00402881 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00402884 . 83C4 04 ADD ESP,4
00402887 . E8 84FDFFFF CALL DigimonB.00402610
0040288C > 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0040288F . 5F POP EDI
00402890 . 5E POP ESI
00402891 . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
00402898 . 5B POP EBX
00402899 . 8BE5 MOV ESP,EBP
0040289B . 5D POP EBP
0040289C . C2 7830 RETN 3078

This is the client's send function.

Posted

Here you have it. I hooked the function you posted (all the packets that go from client to server pass through it), and then I check for the walk packet (type 20); if that's the case, I grab the socketID (because they both use the same socket ID).

So you only need to do a walk so the hook can get the socket ID; then you can press F6 and the packet will be sent. I also added a check for a null socketID that shows a cool in-game text :P


#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdlib.h>
#include <stdio.h>
#include <detours.h>

#pragma comment (lib, "Ws2_32.lib")
#pragma comment (lib, "Mswsock.lib")
#pragma comment (lib, "AdvApi32.lib")
#pragma comment (lib, "detours.lib")

int (__stdcall* Hook)();   // trampoline back to the original code, filled in by DetourFunction
int MyHook();
void ShowInGameText(char[]);
int socketID = 0;
char bTsunomon[] = { 0xCC, 0x61, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xBF, 0x71, 0x38, 0xFF, 0x97, 0x7F, 0x1C, 0x48, 0x9C, 0x83, 0xCC, 0x16, 0xEC, 0x8A, 0xCE, 0x86 };

void Hack()
{
    while(1)
    {
        if(GetAsyncKeyState(VK_F6) &1)
        {
            if(socketID != 0)
                send(socketID, bTsunomon, bTsunomon[4], 0);
            else
                ShowInGameText("Your socketID is NULL! You need to do a walk first.");
        }
        Sleep(50);
    }
}

BOOL WINAPI DllMain(HINSTANCE hInst, DWORD Reason, LPVOID reserved)
{
    switch(Reason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(NULL, "DLL HOOK iNJECT", "DLL HACK DIGIMON", MB_OK);
        Hook = (int (__stdcall*)())DetourFunction((PBYTE)0x0040282B, (PBYTE)MyHook);
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&Hack, NULL, NULL, NULL);
    }
    return true;
}

__declspec( naked ) int MyHook()
{
    _asm{
        LEA EAX,DWORD PTR SS:[EBP+8]      // Packet
        CMP BYTE PTR SS:[EAX+1], 0x20     // Packet type. 20 = Walk Packet
        JNZ Finish
        MOV EAX,DWORD PTR DS:[ECX+0x18]   // socketID
        MOV socketID, EAX
    Finish:
        JMP Hook                          // Return to the original code.
    }
}

void ShowInGameText(char text[])
{
    _asm{
        PUSH 0
        // Teal color
        PUSH 0xDA   // Blue
        PUSH 0xE4   // Green
        PUSH 0x18   // Red
        MOV ECX, text
        PUSH ECX
        MOV ECX,0x1117DD0
        MOV EDX,0x0480AF0
        CALL EDX
    }
}
Posted

Good! Good! You are a good programmer.
