Reak I post too much
Posted: Mon Aug 05, 2013 3:41 pm Post subject: Problems Hooking send with dll (Updated) |
Hello CEF,
Just for fun, I'm trying to hook the ws2_32.send() function.
I'm doing that with an injected DLL written in C++. Everything works well when I use it on socket applications I wrote myself.
The problem is that if I do that on iexplorer, it crashes as soon as it calls the send function.
The hook DLL does exactly the same as this auto-assembler code (with which it works fine):
Code: | alloc(copymem,512)
// Cheat Engine auto-assembler script: a trampoline for ws2_32!send that
// copies the buffer passed to send into `packet` and its length into
// `packetlen`, then re-executes the 5 bytes the jmp at send overwrote.
alloc(packet, 2048)
alloc(packetlen, 4)
label(returnhere)
label(repeat)
ws2_32!send:
jmp copymem // 5-byte jmp; it replaces "mov edi,edi / push ebp / mov ebp,esp" (re-emitted at the end), which presumes send starts with exactly those bytes
returnhere: // = send+5
copymem:
push ebp
mov ebp, esp
push eax
push ecx
push esi
push edi // EFLAGS is not saved; the cmp below clobbers it
mov ecx,[ebp+0c] // second stack argument (buf in send's prototype)
mov esi, [ebp+10] // third stack argument (len in send's prototype)
mov [packetlen], esi
mov edi, 0
repeat:
mov eax, [ecx+edi] // always reads 4 bytes, so the last iteration may read past the end of buf
mov [packet+edi], eax // no upper bound: packet holds 2048 bytes, a larger len writes past it
add edi, 4
cmp edi, esi
jb repeat // condition is tested after the copy, so a len of 0 still copies 4 bytes
pop edi
pop esi
pop ecx
pop eax
mov esp,ebp
pop ebp
mov edi, edi // the 5 original bytes of send, re-executed before returning to send+5
push ebp
mov ebp,esp
jmp returnhere |
I tried replacing the code created by the hook DLL with this ^^ and it still crashes.
As soon as it jumps into the area allocated by the DLL, iexplorer crashes.
Why?
DLL source (very untidy, I know):
#include <Windows.h>
#include <string.h>
#include <stdio.h>
#include <strsafe.h>
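/* Pointer type for ws2_32!send: int WSAAPI send(SOCKET s, const char *buf, int len, int flags).
 * The earlier shape (six parameters, void return) was sendto's parameter list; the pointer is
 * only ever used to hold the address returned by GetProcAddress, but a matching signature
 * avoids a corrupted stack should anyone call through it. */
typedef int (WINAPI *PMSGF)(SOCKET, const char *, int, int);
typedef void (WINAPI *ASD)(void);   /* not referenced anywhere in this file */
/* Scratch int <-> byte view; not referenced anywhere in this file. */
union {
int iInt;
char bCh[4];
} mixed;
int packet_len_done = 0;   /* snapshot of packet_len taken by testapp() */
int packet_len = 100;      /* the trampoline stores [ebp+10] here (presumably send's len argument) */
int packet_len_addy = 0;   /* &packet_len as a 32-bit int, patched into the trampoline's "mov [XX],esi" */
int packet = 0;            /* unused: the trampoline copies into donepack, not here */
int packet_addy = 0;       /* &packet; computed in Thread_no_1 but never written into the trampoline */
char donepack[2049];       /* destination of the trampoline's 4-byte copy loop; the loop has no bound, so a len above 2048 overruns it */
char bufferz[30];          /* message text built by testapp() */
char * bufs;               /* unused */
int lens;                  /* unused */
ASD asd;                   /* unused */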
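/* Debug aid: show the last captured length and the first captured byte in a message box.
 * Reads the globals packet_len and donepack[0]; writes packet_len_done and bufferz.
 * Nothing in this file calls it: the trampoline's call to it is commented out. */
void testapp(void)
{
    packet_len_done = packet_len;
    /* snprintf is bounded by the buffer size; the longest possible text
     * ("Len:-2147483648 - ?", 19 chars) fits in bufferz anyway. */
    snprintf(bufferz, sizeof bufferz, "Len:%i - %c", packet_len_done, donepack[0]);
    MessageBox(NULL, bufferz, NULL, 0);   /* uType is a UINT (0 == MB_OK), not a pointer */
}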
/*
 * Thread entry: builds a 57-byte trampoline in a heap block and redirects
 * ws2_32!send to it with a 5-byte relative jmp.  The trampoline saves
 * eax/ecx/esi/edi, stores the third stack argument ([ebp+10]) into
 * packet_len, copies the memory pointed to by the second stack argument
 * ([ebp+0C]) into donepack, restores the registers, re-executes the 5
 * bytes the jmp overwrote and jumps back to send+5.
 *
 * lpParam: unused (DllMain passes NULL).
 * Returns 0.  None of the WriteProcessMemory results are checked, so a
 * failed patch is silent, and the patch is never undone.
 *
 * Known problems:
 *  - malloc() memory is not executable under DEP; that is the crash the
 *    post reports, and the follow-up in this thread replaces it with
 *    VirtualAlloc(..., PAGE_EXECUTE).
 *  - Opcode bytes are kept in plain char; 0xE9 and friends exceed CHAR_MAX
 *    where char is signed (implementation-defined conversion).  Raw bytes
 *    belong in unsigned char.
 *  - Pointers are truncated through int, so the address arithmetic only
 *    works in a 32-bit process.
 *  - The emitted copy loop has no bound: len is rounded up to a multiple
 *    of 4 and written into donepack[2049] regardless of its size, and a
 *    len of 0 still copies 4 bytes.
 */
DWORD WINAPI Thread_no_1( LPVOID lpParam )
{
char buffer [255]; // text for the "ret2:" message box below
PMSGF send;
HMODULE Ws2_32 = GetModuleHandle(TEXT("Ws2_32.dll")); // NULL if ws2_32 is not loaded; not checked
send = (PMSGF)GetProcAddress(Ws2_32, "send"); // NULL on failure; not checked, the later writes would then target address 0
void* ret = malloc(1024); // trampoline storage; heap pages are not executable under DEP (see the reply below)
void* ret2 = malloc(1024); // only referenced by commented-out code; never freed
HANDLE cprocess = GetCurrentProcess(); // pseudo-handle, needs no CloseHandle
int testaddy = (int)&testapp;; // only used by jmprange4, which is never written
packet_len_addy = (int)&packet_len;
packet_addy = (int)&packet; // computed but never written into the trampoline
int jmprange = (0 - ((int)send-(int)ret) - 5); // rel32 for the jmp placed at send: ret - (send + 5)
int jmprange2 = (int)send-(int)ret-52; // rel32 for the jmp at ret+52 back to send+5: (send + 5) - (ret + 57)
int jmprange3 = (int)send-(int)ret2-5; // unused (belongs to the commented-out ret2 variant)
int jmprange4 = testaddy-(int)ret-45; // unused (the call to testapp is commented out)
char JMP = 0xE9; // opcode of jmp rel32; 0xE9 does not fit a signed char
char END = 0x90; // nop; unused
char CALL = 0xE8; // call rel32; unused
char rbuffer[50]; // unused
// Trampoline bytes ret+0..14.  The disp32 of the trailing "mov [XX],esi" is
// written separately at ret+15 (it is &packet_len).
char buffer1[15] = {
0x55, // push ebp
0x8B, 0xEC, // mov ebp, esp
0x50, // push eax
0x51, // push ecx
0x56, // push esi
0x57, // push edi
0x8B, 0x4D, 0x0C, // mov ecx,[ebp+0C]
0x8B, 0x75, 0x10, // mov esi,[ebp+10]
0x89, 0x35 // mov [XX],esi
};
// Bytes ret+19..28.  The disp32 of "mov [edi+XX],eax" is written at ret+29
// (it is &donepack).  Loop body starts at ret+24.
char buffer2[10] = {
0xBF, 0x00, 0x00, 0x00, 0x00, // mov edi,00000000
0x8B, 0x04, 0x39, // mov eax,[ecx+edi]
0x89, 0x87}; // mov [edi+XX],eax
// Bytes ret+33..39.  The jb rel8 of 0xF0 (-16) from ret+40 lands on ret+24,
// the "mov eax,[ecx+edi]" above.  Note the bound is checked after the copy.
char buffer3[7] = {
0x83, 0xC7, 0x04, // add edi,04
0x39, 0xF7, // cmp edi,esi
0x72, 0xF0}; // jb
//0xE8}; // call XXXXX
// Bytes ret+40..51.  The last 5 bytes (8B FF 55 8B EC) are the bytes the
// jmp at send overwrites; this presumes send begins with exactly that
// hot-patch prologue, which is never verified (the ReadProcessMemory that
// would have captured the real bytes is commented out).
char buffer4[12] = {
0x5F, // pop edi
0x5E, // pop esi
0x59, // pop ecx
0x58, // pop eax
0x8B, 0xE5, // mov esp,ebp
0x5D, // pop ebp
0x8B, 0xFF, // mov edi,edi
0x55, // push ebp
0x8B, 0xEC }; // mov ebp,esp
Sleep(1000); // purpose not stated; presumably lets the host finish loading before patching
//ReadProcessMemory(cprocess, send, &rbuffer, 50, NULL);
//WriteProcessMemory(cprocess, ret2, &rbuffer, 50, NULL);
//WriteProcessMemory(cprocess, (LPVOID)((int)ret2+5), &JMP, 1, NULL);
//WriteProcessMemory(cprocess, (LPVOID)((int)ret2+6), &jmprange3, 4, NULL);
//int testaddy = (int)&testapp;
// Assemble the trampoline.  WriteProcessMemory on the current process is
// plain memcpy for heap memory; return values are not checked.
WriteProcessMemory(cprocess, ret, &buffer1, 15, NULL); // ret+0..14
WriteProcessMemory(cprocess, (LPVOID)((int)ret+15), &packet_len_addy, 4, NULL); // disp32 of "mov [XX],esi"
int testad = (int)&donepack;
WriteProcessMemory(cprocess, (LPVOID)((int)ret+19), &buffer2, 10, NULL); // ret+19..28
WriteProcessMemory(cprocess, (LPVOID)((int)ret+29), &testad, 4, NULL); // disp32 of "mov [edi+XX],eax"
WriteProcessMemory(cprocess, (LPVOID)((int)ret+33), &buffer3, 7, NULL); // ret+33..39
//WriteProcessMemory(cprocess, (LPVOID)((int)ret+40), &jmprange4, 4, NULL);
WriteProcessMemory(cprocess, (LPVOID)((int)ret+40), &buffer4, 12, NULL); // ret+40..51
WriteProcessMemory(cprocess, (LPVOID)((int)ret+52), &JMP, 1, NULL); // jmp back to send+5 ...
WriteProcessMemory(cprocess, (LPVOID)((int)ret+53), &jmprange2, 4, NULL); // ... with its rel32 at ret+53..56
sprintf(buffer, "ret2: %X", ret); // prints ret, not ret2; %X with a pointer is the wrong specifier (%p)
MessageBox(NULL, buffer, NULL, NULL);
// The 5-byte jmp at send is written in two separate calls; a thread that
// enters send between them executes a half-written instruction.
WriteProcessMemory(cprocess, send, &JMP, 1, NULL);
WriteProcessMemory(cprocess, (LPVOID)((int)send+1), &jmprange, 4, NULL);
//while(1){}
return 0;
}
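/* DLL entry point.  On process attach, start Thread_no_1 (presumably so the
 * patching runs outside DllMain) and close the thread handle right away,
 * since nothing ever waits on it; the original code leaked that handle.
 * Thread attach/detach and process detach are ignored, so the hook is not
 * removed when the DLL is unloaded.  Always returns TRUE. */
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    (void)hModule;
    (void)lpReserved;
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        HANDLE worker = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Thread_no_1, NULL, 0, NULL);
        if (worker != NULL) {
            CloseHandle(worker); /* the thread keeps running; only the handle is released */
        }
    }
    return TRUE;
}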
DLL-download:
http://www8.zippyshare.com/v/14093290/file.html
Dark Byte Site Admin
Posted: Mon Aug 05, 2013 7:11 pm Post subject: |
Iexplore might be using the no-execute feature, so mark your allocated memory as executable.
Reak I post too much
Posted: Mon Aug 05, 2013 7:36 pm Post subject: |
Worked, thanks.
Code: | void* ret = VirtualAlloc(NULL, 1024, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE); |
// Replaces the malloc() in Thread_no_1 so the trampoline lives in executable memory.
// PAGE_EXECUTE is execute-only; the patch bytes still go in through WriteProcessMemory.
// VirtualAlloc returns NULL on failure, which this line does not check.
Stylo Grandmaster Cheater Supreme
Posted: Fri Aug 09, 2013 2:12 am Post subject: |
Why are you using ReadProcessMemory if you're already running from a DLL inside the memory space of the target process?!
Use inline assembly instead.
atom0s Moderator
Posted: Fri Aug 09, 2013 4:00 am Post subject: |
memset/memcpy, or direct memory access via casting. There is no need for inline assembly to read/write memory.
Stylo Grandmaster Cheater Supreme
Posted: Sat Aug 10, 2013 9:00 am Post subject: |
I'm sorry, I meant WriteProcessMemory.
The point is: why does he need to work out the opcodes by hand instead of writing the code in assembly, which is much simpler?