Thread: Forsaken World Packet Injection

There are several ways to manipulate game client, and one of them, let’s call it – packet injection. Not a good name, ‘coz it well known code injection. Anyways, to manipulate Forsaken Game client we will write a byte array to the buffer and send this buffer to the special function (call it PacketSend).

How to manually find PacketSend? … by your favorite debugger Maybe I’ll explain how to do that but not at this moment. How to get buffer… set BP on PacketSend and check memory dump

PacketCall = 0x007A9E20
PacketSend call should be like this

00781C50 - 53                         - push ebx

00781C51 - 55                         - push ebp

00781C52 - 56                         - push esi

00781C53 - 8B 74 24 10                - mov esi,[esp+10]

00781C57 - 85 F6                      - test esi,esi

00781C59 - 57                         - push edi

00781C5A - 74 4E                      - je 00781CAA

00781C5C - 8B 7C 24 18                - mov edi,[esp+18]

00781C60 - 85 FF                      - test edi,edi

00781C62 - 74 46                      - je 00781CAA

00781C64 - 8D 6F 06                   - lea ebp,[edi+06]

00781C67 - 55                         - push ebp

00781C68 - E8 63952600                - call 009EB1D0

00781C6D - 8B D8                      - mov ebx,eax

00781C6F - 83 C4 04                   - add esp,04

00781C72 - 85 DB                      - test ebx,ebx

00781C74 - 74 34                      - je 00781CAA

00781C76 - 8B CF                      - mov ecx,edi

00781C78 - 66 C7 03 3100              - mov word ptr [ebx],0031

00781C7D - 8B C1                      - mov eax,ecx

00781C7F - 89 7B 02                   - mov [ebx+02],edi

00781C82 - 8D 7B 06                   - lea edi,[ebx+06]

00781C85 - 55                         - push ebp			: 

00781C86 - C1 E9 02                   - shr ecx,02

00781C89 - F3 A5                      - repe movsd 

00781C8B - 8B C8                      - mov ecx,eax

00781C8D - 53                         - push ebx			:

00781C8E - 83 E1 03                   - and ecx,03

00781C91 - F3 A4                      - repe movsb 



=> 00781C93 - 8B 0D 107BD300             - mov ecx,[00D37B10] : [00D3B5A0]

=> 00781C99 - 8B 49 24                   - mov ecx,[ecx+24]

=> 00781C9C - E8 7F810200                - call 007A9E20



00781CA1 - 53                         - push ebx

00781CA2 - E8 39952600                - call 009EB1E0

00781CA7 - 83 C4 04                   - add esp,04

00781CAA - 5F                         - pop edi

00781CAB - 5E                         - pop esi

00781CAC - 5D                         - pop ebp

00781CAD - 5B                         - pop ebx

space is reserved for further data

Packets.
Note: First 2 bytes are always packet ID

PHP Code:

Move item in inventory:
   11 00
   00 – from cell
   01 – to cell

Wear gear
   36 00
   00 - inv cell with gear 
   05 - gear slot on char (05 pants)

abort spell
   09 00

select target
   07 00
   C9 19 - target id
   00 00 00 00 00 80

hide title
   56 00
   00 00

set title
   56 00
   80 BC

talk with npc
   46 00
   7A 18 - npc id
   00 00 00 00 00 80

use item
   32 00 
   00 01 
   05 00 D4 38 00 00 


P.S. Injection routines, libs and so on will be available in a future
P.P.S. Everyone is welcome for continuing data collection