  1. #1
    Dwar

    Forsaken World Packet Injection

    There are several ways to manipulate a game client, and let's call one of them packet injection. Not a good name, because "code injection" is already a well-known term. Anyway, to manipulate the Forsaken World client we will write a byte array to a buffer and send this buffer to a special function (call it PacketSend).

    How to manually find PacketSend? ... with your favorite debugger. Maybe I'll explain how to do that, but not at this moment. How to get the buffer... set a BP on PacketSend and check the memory dump.

    PacketCall = 0x007A9E20
    The PacketSend call should look like this:
    00781C50 - 53 - push ebx
    00781C51 - 55 - push ebp
    00781C52 - 56 - push esi
    00781C53 - 8B 74 24 10 - mov esi,[esp+10]
    00781C57 - 85 F6 - test esi,esi
    00781C59 - 57 - push edi
    00781C5A - 74 4E - je 00781CAA
    00781C5C - 8B 7C 24 18 - mov edi,[esp+18]
    00781C60 - 85 FF - test edi,edi
    00781C62 - 74 46 - je 00781CAA
    00781C64 - 8D 6F 06 - lea ebp,[edi+06]
    00781C67 - 55 - push ebp
    00781C68 - E8 63952600 - call 009EB1D0
    00781C6D - 8B D8 - mov ebx,eax
    00781C6F - 83 C4 04 - add esp,04
    00781C72 - 85 DB - test ebx,ebx
    00781C74 - 74 34 - je 00781CAA
    00781C76 - 8B CF - mov ecx,edi
    00781C78 - 66 C7 03 3100 - mov word ptr [ebx],0031
    00781C7D - 8B C1 - mov eax,ecx
    00781C7F - 89 7B 02 - mov [ebx+02],edi
    00781C82 - 8D 7B 06 - lea edi,[ebx+06]
    00781C85 - 55 - push ebp :
    00781C86 - C1 E9 02 - shr ecx,02
    00781C89 - F3 A5 - repe movsd
    00781C8B - 8B C8 - mov ecx,eax
    00781C8D - 53 - push ebx :
    00781C8E - 83 E1 03 - and ecx,03
    00781C91 - F3 A4 - repe movsb

    => 00781C93 - 8B 0D 107BD300 - mov ecx,[00D37B10] : [00D3B5A0]
    => 00781C99 - 8B 49 24 - mov ecx,[ecx+24]
    => 00781C9C - E8 7F810200 - call 007A9E20

    00781CA1 - 53 - push ebx
    00781CA2 - E8 39952600 - call 009EB1E0
    00781CA7 - 83 C4 04 - add esp,04
    00781CAA - 5F - pop edi
    00781CAB - 5E - pop esi
    00781CAC - 5D - pop ebp
    00781CAD - 5B - pop ebx


    space is reserved for further data

    Packets.
    Note: First 2 bytes are always packet ID

    Code:
    Move item in inventory:
       11 00
       00 – from cell
       01 – to cell

    Wear gear:
       36 00
       00 – inv cell with gear
       05 – gear slot on char (05 pants)

    Abort spell:
       09 00

    Select target:
       07 00
       C9 19 – target id
       00 00 00 00 00 80

    Hide title:
       56 00
       00 00

    Set title:
       56 00
       80 BC

    Talk with npc:
       46 00
       7A 18 – npc id
       00 00 00 00 00 80

    Use item:
       32 00
       00 01
       05 00 D4 38 00 00
    P.S. Injection routines, libs and so on will be available in the future.
    P.P.S. Everyone is welcome to continue the data collection.
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium
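    The framing the 00781C50 wrapper builds before calling PacketSend (a 0x0031 word, a dword payload length, then the payload, whose first two bytes are the packet ID) can be written out and checked in Python. This is an added example, not code from the thread: the frame/unframe/describe names are my own, the packet names come from the list in this post, and unframe rejects what a server or logging proxy should reject, a bad marker or a length field that does not match the bytes present.

```python
import struct

# Framing reconstructed from the 00781C50 wrapper shown in the post
# (this reconstruction is an assumption, not the game's own code):
#   u16 marker 0x0031 | u32 payload length | payload
# The first two payload bytes are the packet ID, little-endian.
FRAME_MARKER = 0x0031
FRAME_HEADER = struct.Struct("<HI")   # marker, payload length

# Packet IDs as listed in this post.
KNOWN_IDS = {0x11: "move item", 0x36: "wear gear", 0x09: "abort spell",
             0x07: "select target", 0x56: "title", 0x46: "talk with npc",
             0x32: "use item"}


def frame(payload):
    """Build the 6-byte header + payload exactly as the wrapper does."""
    return FRAME_HEADER.pack(FRAME_MARKER, len(payload)) + payload


def unframe(buf):
    """Validate a framed buffer and return (packet_id, payload).

    Raises ValueError for anything a server-side validator should reject:
    a truncated header, a wrong marker, a length field that does not
    match the bytes present, or a payload too short to hold the ID.
    """
    if len(buf) < FRAME_HEADER.size:
        raise ValueError("truncated header")
    marker, length = FRAME_HEADER.unpack_from(buf)
    if marker != FRAME_MARKER:
        raise ValueError("bad marker 0x%04x" % marker)
    payload = buf[FRAME_HEADER.size:]
    if len(payload) != length:
        raise ValueError("length field %d != %d bytes present" % (length, len(payload)))
    if length < 2:
        raise ValueError("payload too short for packet ID")
    packet_id = struct.unpack_from("<H", payload)[0]
    return packet_id, payload


def describe(buf):
    """One-line summary of a logged buffer, as a packet log viewer would print."""
    packet_id, payload = unframe(buf)
    name = KNOWN_IDS.get(packet_id, "unknown")
    return "id=0x%02x (%s) len=%d body=%s" % (packet_id, name, len(payload), payload[2:].hex())


# Constructed sample: the "set title" packet from this post, 56 00 80 BC.
SAMPLE = frame(bytes.fromhex("560080BC"))

if __name__ == "__main__":
    print(describe(SAMPLE))   # id=0x56 (title) len=4 body=80bc
```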

  3. #2
    Abstract
    How about doing this.

    Writing a loader which overrides part of the Package Send to copy the Package to a fixed memory address. With this address the loader can read the latest sent package, and of course then call the real Package Send. This should make it a lot easier to fill the Package list. If no one has done it already, I will create this program next weekend.

  4. #3
    coded
    This is great. Is anybody still working on this? It seems to crash on me when I try to put it in debug mode so I had to make it jmp to an empty area of the memory and have it store the value of the registers. Maybe, I could provide more information. I don't know if they encrypted the packet.

  5. #4
    coded
    I guess nobody is going to finish this?

    picking/farming/etc..

    781d30

    ID = 0x16 (22)

    It pushes a random address which, I guess, is a packet to send.

    call 0x007A9E20

  6. #5
    coded
    Well, I don't know what happened to the others that decided to work on this, but I injected a dll that writes data to a file. I assume it's a packet but I'm NOT 100% sure.
    I injected and ran my function at 00798CD0 (talk to an npc function?) and I'm assuming that the function before the one that actually sends the packets is the encrypted packet. I deduced that it's a function that encrypts because the address doesn't change, and I found the function for jobs and I did some alchemy and it had the name of what I was making inside the packet. I don't think that is enough because when I got it to write to a function, I went to a different one to test it out and there were no differences between the two packets and the two npcs I talked to. I'm not too sure what to do now. I am excited because this is the first time I did this without actually having to debug it, because it wouldn't let me put it in a debugger. However, thanks to Dwar and others who contributed I was able to do it without debugging (hard to do)!! Thanks and I wish you guys would come back!!!

  8. #6
    Dwar
    We must finish the Aika Bot project and soon after that I will continue analyzing this client. So, don't lose your enthusiasm.

  9. #7
    coded
    dw I think I have more fun doing this than actually playing the game itself.

  10. #8
    coded
    It's been really fun but mind boggling. I found some more function addresses and commands. I haven't written down all the commands/packet IDs, just the function addresses, but it shouldn't be hard to find (in the function, it should appear like this: mov word ptr [ebx],0031).

    Here are some of the ones I found:
    00798840 = Warps to a dung
    00798DA0 = Sell items
    00798D20 = Buy items
    00798CD0 = Talk to npc?
    00798C90 = Chief
    00798BB0 = Call pet
    00798BF0 = Recall pet
    00797DD0 = Picking (plants)
    00797280 = Running?
    00797220 = Accept quest
    00797C71 = Cancel skill
    00797350 = Hitting ground stopping (?)
    00797440 = Select target
    00797490 = Normal attack
    00797CB0 = Social action

    I thought 00A0FBB0 was an encryption function but I was wrong and I wish I knew what it does because it seems to appear in other functions as well as all the function listed.
    “It's not that I'm so smart , it's just that I stay with problems longer .”

    -Albert Einstein

  11. #9
    buFFy
    Hi all.

    I am still continuing this. Stuff that I've got so far:

    SendPacket:

    For finding it, you may want to use this as a pattern:
    Code:
    byte ptPacket[] = {0x57, 0x8B, 0xF9, 0x6A, 0x07}; //-26
    Code:
    #include <windows.h>   // byte, DWORD, __try/__except (MSVC, 32-bit build)
    #include <string.h>    // memcmp

    unsigned int pThis = 0;            // network class pointer, filled from GetNetworkClassPtr()
    DWORD dwPacketSend = 0x007A9E20;   // PacketSend address from the first post

    unsigned int GetNetworkClassPtr()
    {
    	// Pattern for "mov [eax],edi; mov [eax+4],ebx; mov eax,[imm32]":
    	// the imm32 that follows 0xA1 is the global holding the network object.
    	byte ptNetworkClassPtr[] = {
    		0x89, 0x38, 0x89, 0x58, 0x04, 0xA1
    	};

    	for(unsigned int i = 0x700000; i<0x800000; i++)
    	{
    		__try
    		{
    			if( memcmp((void*)i, ptNetworkClassPtr, sizeof(ptNetworkClassPtr)) == 0 )
    			{
    				i += sizeof(ptNetworkClassPtr);
    				unsigned int pAddr = *(unsigned int*)i;   // address of the global
    				// object pointer + 0x24, the same as "mov ecx,[ecx+24]" before the call
    				unsigned int pThis = *(unsigned int*)(*(unsigned int*)(pAddr)+0x24);

    				return pThis;
    			}
    		}
    		__except(EXCEPTION_EXECUTE_HANDLER)   // skip unreadable pages
    		{

    		}
    	}
    	return 0;
    }

    bool SendPacket(byte* Packet_Cont, int Packet_Size)
    {
    	if( pThis == 0 )
    		return false;
    	__asm
    	{
    		PUSH Packet_Size
    		PUSH Packet_Cont
    		MOV ECX, pThis      ; thiscall: network object goes in ECX
    		CALL dwPacketSend
    	}
    	return true;
    }
    Code:
    void HideTitle()
    {
    	byte Packet[] = {0x56, 0x00, 0x00, 0x00};
    
    	SendPacket(Packet, 4);
    }
    
    void SetTitle(short Id)
    {
    	byte Packet[] = {0x56, 0x00, 0x00, 0x00};
    	*(short*)(Packet+2) = Id;
    
    	SendPacket(Packet, 4);
    }
    
    void AttackTarget()
    {
    	byte Packet[] = {0x1C, 0x00, 0x0F};
    
    	SendPacket(Packet, 3);
    }
    
    void CancelSkill()
    {
    	byte Packet[] = {0x09, 0x00};

    	SendPacket(Packet, 2);   // 2-byte packet ("abort spell" in the first post); passing 3 read past the array
    }
    
    void UseSkill(short sId, short tId)
    {
    	byte Packet[] = {0x20, 0x00, 0x3c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 
    					 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    					 0x0F, 0x01, 0x0A, 0x02, 0x00, 0x00, 0x00, 0x00, 0x80};
    
    	*(short*)(Packet+2 ) = sId;
    	*(short*)(Packet+20) = tId; 
    	SendPacket(Packet, 27);
    }
    
    void CallPet(byte Index)
    {
    	byte Packet[] = {0x64, 0x00, 0x00};
    
    	Packet[2] = Index;
    	SendPacket(Packet, 3);
    }
    
    void DropPet(byte Index)
    {
    	byte Packet[] = {0x65, 0x00, 0x00};
    
    	Packet[2] = Index;
    	SendPacket(Packet, 3);
    }
    
    void PetAttack(short Id)
    {
    	byte Packet[] = {0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    					 0x00, 0x80, 0x04, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00,
    					 0x00, 0x0F};
    
    	*(short*)(Packet+3) = Id;
    	SendPacket(Packet, 20);
    }
    
    void UsePot(short Id, byte Slot)
    {
    	byte Packet[] = {0x32, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
    
    	*(short*)(Packet+6) = Id;
    	Packet[4] = Slot;
    	SendPacket(Packet, 10);
    }
    
    void UsePetFood(short Id, byte Slot)
    {
    	byte Packet[] = {0xA3, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
    
    	*(short*)(Packet+6) = Id;
    	Packet[3] = Slot;
    	SendPacket(Packet, 10);
    }
    I'm not entirely sure if all of them are correct, but I was able to successfully send them.

    I also did some struct reversing (very bad though, Olly freezes very often):
    Code:
    struct Player
    {
    	byte unk1[0x580];
    	int CurHp;
    	int CurMp;
    	byte unk2[0x1c];
    	int MaxHp;
    	int MaxMp;
    	byte unk3[0x2a4];
    	int TargetId;
    };
    
    struct Target
    {
    	byte unk1[0x1c8];
    	int NamePtr;
    	int Level;
    	int CurHp;
    	int CurMp;
    	int MaxHp;
    	int MaxMp;
    };
    Remember the NamePtr is Unicode.

    Maybe someone can use this. I'm currently working on a small API, but I don't think I'm going to finish it, since it's very annoying to restart the game over and over again.

    You also may want to download my packet logger from the attachments. Unrar and inject (make sure you inject into the child process).

    useful 1st post? lulz

    greetz, buffy


    Last edited by buFFy; 2011-07-31 at 10:05 PM.

  13. #10
    coded
    Nice, the way you read the packet is very similar to mine. I just could find how to calculate the jmp back without doing a jmp ptr [addy]. I also tried to send packages instead of calling functions.
    The things I couldn't get were the target's name or the address where they keep what's in your storage. I found out how to get an item id and the spot in the bag, but I think it uses the mouse x and y to find those two pieces of information.
