Cheat Engine The Official Site of Cheat Engine
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sat Mar 13, 2010 6:02 pm Post subject: Hooking Recv/Send Of Gunbound. |
Well, in my last few days I was trying to hook recv/send of Gunbound, but I can't get any packets...
My code works very well for other games...
Someone told me that these APIs are protected; I tried to use hook hop, but again with no success...
This is my code (a piece of it):
Procedure SetHookProxy(Enabled: Boolean);
// Installs (Enabled = True) or removes (Enabled = False) code hooks on
// ws2_32!send and ws2_32!recv through the AfxCodeHook library.
// The address handed to HookCode is the export address + 5, i.e. five bytes
// past the exported entry point, so the first bytes of each export are not
// the ones patched.
// SendMeu/RecvMeu are the replacement routines; OrigSend/OrigRecv are passed
// to HookCode/UnhookCode and presumably receive the pointer used to reach the
// original routine — verify against the library's documentation. All four are
// declared outside this procedure.
Var
AdrSend: DWord; // address passed to HookCode for send
AdrRecv: Dword; // address passed to HookCode for recv
Begin
if Enabled then
Begin
// NOTE(review): a nil result from TargetToPointer (export not found) is not
// checked, so the arithmetic below would yield address 5.
AdrSend := Integer(TargetToPointer('ws2_32.dll','send')) + 5;
AdrRecv := Integer(TargetToPointer('ws2_32.dll','recv')) + 5;
AfxCodeHook.HookCode(Ptr(AdrSend),@SendMeu,@OrigSend);
AfxCodeHook.HookCode(Ptr(AdrRecv),@RecvMeu,@OrigRecv);
End
Else
Begin
// Removal path: only the Orig* descriptors are needed to undo the hooks.
AfxCodeHook.UnhookCode(@OrigSend);
AfxCodeHook.UnhookCode(@OrigRecv);
End;
End;
TargetToPointer is a function that uses GetProcAddress to get the pointer for some API.
I use afxcodehook to do all the work.
I don't use hook hop on GetProcAddress anyway...
My question is: how will I hook the recv/send of Gunbound?
Thanks
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sat Mar 13, 2010 7:52 pm Post subject: |
| CristoferMartins wrote: | | My Question Is: How i will hook the recv/send of gunbound? |
IAT
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sat Mar 13, 2010 8:26 pm Post subject: |
| Slugsnack wrote: | | CristoferMartins wrote: | | My Question Is: How i will hook the recv/send of gunbound? |
IAT |
And a trampoline?
I am confused; how will I bypass the npggnt?
Thanks for your post.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sun Mar 14, 2010 7:47 am Post subject: |
No, there is no need for a trampoline, because you are not overwriting anything, just redirecting the code flow from the IAT.
Here is an IAT hook I made a long time ago. Not great code, but it should give you the idea of what needs to be done.
And no, GG does not detect IAT hooks.
| Code: | include \masm32\include\masm32rt.inc
include \masm32\include\psapi.inc
includelib \masm32\lib\psapi.lib
main proto ; thread procedure started from LibMain
HookFxn proto ; replacement written into the IAT slot
.data
szTempFile byte "IAT Hook.txt", 0 ; log file name; appended to this DLL's directory in main
szModulename byte "user32.dll", 0 ; module that exports the import being redirected
szProcname byte "MessageBoxA", 0 ; import whose IAT slot is rewritten
bPlaceHooks bool TRUE ; TRUE = first pass installs HookFxn; FALSE = second pass writes lpProc back
; Four 12-byte prefixes written by HookFxn. Not NUL-terminated: the length is
; passed explicitly (lengthof szParam1), and all four must stay the same length.
szParam1 byte "Param 1 : 0x"
szParam2 byte "Param 2 : 0x"
szParam3 byte "Param 3 : 0x"
szParam4 byte "Param 4 : 0x"
.data?
hInstance dword ? ; this DLL's module handle, saved in LibMain
hProcess dword ? ; handle from OpenProcess on the current process (used by GetModuleFileNameEx)
hFile dword ? ; log file handle shared with HookFxn
hSnapshot dword ? ; Toolhelp module snapshot handle
lpProc dword ? ; original export address from GetProcAddress; HookFxn tail-jumps here
me MODULEENTRY32 <> ; current entry while walking the module snapshot
szFilename byte 255 dup (?) ; path buffer: module path, then szTempFile appended in place
.code
;-----------------------------------------------------------------------
; BOOL LibMain(HINSTANCE instance, DWORD reason, LPVOID unused)
; DLL entry point (stdcall). On DLL_PROCESS_ATTACH it stores the module
; handle and starts main on a new thread; the other reasons do nothing.
; Out: eax = TRUE on process attach.
; NOTE(review): eax is only assigned on the DLL_PROCESS_ATTACH branch, so the
; return value for the other three reasons is whatever eax held on entry.
;-----------------------------------------------------------------------
LibMain proc instance:DWORD,reason:DWORD,unused:DWORD
.IF reason == DLL_PROCESS_ATTACH
mrm hInstance, instance ; copy local to global (masm32 mem-to-mem macro)
invoke CreateThread, 0, 0, addr main, 0, 0, 0 ; thread handle is discarded
mov eax, TRUE ; return TRUE so DLL will start
.ELSEIF reason == DLL_PROCESS_DETACH
.ELSEIF reason == DLL_THREAD_ATTACH
.ELSEIF reason == DLL_THREAD_DETACH
.ENDIF
ret
LibMain endp
;-----------------------------------------------------------------------
; main — thread procedure started from LibMain.
; Two passes over the code at restoreIAT: pass 1 (bPlaceHooks == TRUE)
; replaces the IAT slot holding szProcname's address in every loaded module
; with HookFxn, then polls until F10 is pressed; pass 2 writes lpProc back.
; Register roles: ebx = 0 (reused as a NULL/FALSE argument), edi = value
; searched for in each IAT (the real export on pass 1, HookFxn on pass 2),
; esi = IAT cursor, ecx = countdown over the IAT.
; Observable side effects: a log file next to this DLL, a Toolhelp snapshot,
; VirtualProtect on the IAT page, and an import slot that resolves into this
; DLL instead of szModulename's image — the things an integrity check compares.
; NOTE(review): ebx/esi/edi are callee-saved in the Win32 ABI and are not
; saved here; this only goes unnoticed because the thread never returns.
;-----------------------------------------------------------------------
main proc
LOCAL flOldProtect:DWORD ; previous page protection returned by VirtualProtect
xor ebx, ebx ; ebx = 0 for the NULL/FALSE arguments below
invoke GetCurrentProcessId
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, eax ; handle to our own process
mov hProcess, eax
invoke GetModuleFileNameEx, hProcess, hInstance, addr szFilename, 255 ; eax = path length; result not checked
mov ecx, offset szFilename
@@: ; scan backwards from the end of the path for the last '\'
dec eax
cmp byte ptr ds:[eax+ecx], '\'
jne @b ; NOTE(review): no lower bound — a path without '\' (or a 0 length) walks off the front of the buffer
mov byte ptr ds:[eax+ecx+1], 0 ; cut the path just after the directory separator
mov eax, add$(addr szFilename, addr szTempFile) ; append "IAT Hook.txt" in place; the 255-byte limit is not checked
invoke CreateFile, addr szFilename, GENERIC_READ OR GENERIC_WRITE, ebx, ebx, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, ebx
mov hFile, eax ; NOTE(review): INVALID_HANDLE_VALUE is not checked; HookFxn writes to hFile unconditionally
invoke SetEndOfFile, eax ; truncate any previous log
invoke GetModuleHandle, addr szModulename
invoke GetProcAddress, eax, addr szProcname
mov edi, eax ; edi = value to look for in each IAT (pass 1: the real export)
mov lpProc, eax ; keep the real export for HookFxn's tail jump and for the restore pass
restoreIAT: ; entered twice: once to install, once (edi = HookFxn) to restore
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, ebx
mov hSnapshot, eax
mov me.dwSize, sizeof me ; required before Module32First
invoke Module32First, eax, addr me ; return value not checked
@@: ; per module: follow the PE32 headers to the IAT data directory
mov eax, me.modBaseAddr ; module base (IMAGE_DOS_HEADER)
add eax, 3Ch ; offset to value of offset to PE signature
mov eax, dword ptr ds:[eax]
add eax, me.modBaseAddr ; eax = pointer to PE signature
add eax, 0D8h ; eax = pointer to pointer to IAT (DataDirectory[12] of a PE32 optional header; hard-coded, the PE32+ layout differs)
mov esi, dword ptr ds:[eax] ; esi = pointer to offset of IAT
add esi, me.modBaseAddr ; esi = pointer to IAT
mov ecx, dword ptr ds:[eax+4] ; ecx = IAT size
.WHILE ecx != 0 ; ecx counts down from the directory size; each step compares the dword at esi+4*ecx with edi
.IF dword ptr ds:[esi+4*ecx] == edi
lea esi, [esi+4*ecx] ; esi = address of the matching slot
invoke VirtualProtect, esi, 4, PAGE_EXECUTE_READWRITE, addr flOldProtect ; the IAT page is read-only after loading
.IF bPlaceHooks == 1 ; same flag that is compared with TRUE below
mov dword ptr ds:[esi], offset HookFxn ; install: slot now points into this DLL
.ELSE
mov eax, lpProc
mov dword ptr ds:[esi], eax ; restore the original export
.ENDIF
invoke VirtualProtect, esi, 4, flOldProtect, addr flOldProtect ; put the previous protection back
mov ecx, 1 ; with the dec below this ends the .WHILE: only the first match per module is touched
.ENDIF
dec ecx
.ENDW
invoke Module32Next, hSnapshot, addr me
test eax, eax
jnz @b ; next module in the snapshot
invoke CloseHandle, hSnapshot
.IF bPlaceHooks == TRUE
xor eax, eax
.WHILE eax == 0 ; poll every 100 ms until F10 is pressed
invoke Sleep, 100
invoke GetAsyncKeyState, VK_F10
.ENDW
mov bPlaceHooks, FALSE
mov edi, offset HookFxn ; second pass searches for our own hook address
jmp restoreIAT
.ENDIF
invoke CloseHandle, hFile
invoke CloseHandle, hProcess
invoke FreeLibraryAndExitThread, hInstance, ebx ; does not return
ret ; unreachable
main endp
;-----------------------------------------------------------------------
; HookFxn — replacement target written into the IAT slot by main.
; Logs the four dword arguments found on the stack to hFile, restores every
; general register, then tail-jumps to the real export (lpProc) so that it
; returns directly to the original caller with the stack untouched.
; Stack assumption: exactly four dword arguments at [ebp+8] .. [ebp+14h]
; (the MessageBoxA signature named in .data); any other import would be
; logged incorrectly, and nothing here validates the count.
; NOTE(review): flags are not preserved (pushad/popad do not save them), and
; hFile is written with no locking, so calls from several threads interleave.
;-----------------------------------------------------------------------
HookFxn proc
OPTION PROLOGUE:NONE ; no generated frame: the caller's stack must reach lpProc unchanged
OPTION EPILOGUE:NONE
push ebp
mov ebp, esp ; [ebp+4] = return address, [ebp+8] = first argument
pushad ; save all eight GPRs; the hooked function's caller sees them unchanged
mov edi, lengthof szParam1 ; 12: every prefix string is the same length (no terminator, length passed explicitly)
mov ebx, dword ptr ss:[ebp+8] ; argument 1
mov eax, fwrite(hFile, addr szParam1, edi) ; fwrite/fprint/uhex$ are masm32 macros; return values are ignored
fprint hFile, uhex$(ebx) ; hex text of the argument (presumably followed by a line break — verify the macro)
mov ebx, dword ptr ss:[ebp+0Ch] ; argument 2
mov eax, fwrite(hFile, addr szParam2, edi)
fprint hFile, uhex$(ebx)
mov ebx, dword ptr ss:[ebp+010h] ; argument 3
mov eax, fwrite(hFile, addr szParam3, edi)
fprint hFile, uhex$(ebx)
mov ebx, dword ptr ss:[ebp+014h] ; argument 4
mov eax, fwrite(hFile, addr szParam4, edi)
fprint hFile, uhex$(ebx)
popad
pop ebp
jmp lpProc ; tail jump: the original export returns to HookFxn's caller
ret ; unreachable
HookFxn endp
end LibMain |
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sun Mar 14, 2010 9:38 am Post subject: |
| Slugsnack wrote: | no, there is no need to trampoline because you are not overwriting anything, just redirecting the code flow from the IAT
here is an IAT hook i made a longggg time ago. not great code but should give you the idea of what needs to be done.
and no, gg does not detect IAT hooks
| Code: | include \masm32\include\masm32rt.inc
include \masm32\include\psapi.inc
includelib \masm32\lib\psapi.lib
main proto
HookFxn proto
.data
szTempFile byte "IAT Hook.txt", 0
szModulename byte "user32.dll", 0
szProcname byte "MessageBoxA", 0
bPlaceHooks bool TRUE
szParam1 byte "Param 1 : 0x"
szParam2 byte "Param 2 : 0x"
szParam3 byte "Param 3 : 0x"
szParam4 byte "Param 4 : 0x"
.data?
hInstance dword ?
hProcess dword ?
hFile dword ?
hSnapshot dword ?
lpProc dword ?
me MODULEENTRY32 <>
szFilename byte 255 dup (?)
.code
LibMain proc instance:DWORD,reason:DWORD,unused:DWORD
.IF reason == DLL_PROCESS_ATTACH
mrm hInstance, instance ; copy local to global
invoke CreateThread, 0, 0, addr main, 0, 0, 0
mov eax, TRUE ; return TRUE so DLL will start
.ELSEIF reason == DLL_PROCESS_DETACH
.ELSEIF reason == DLL_THREAD_ATTACH
.ELSEIF reason == DLL_THREAD_DETACH
.ENDIF
ret
LibMain endp
main proc
LOCAL flOldProtect:DWORD
xor ebx, ebx
invoke GetCurrentProcessId
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, eax
mov hProcess, eax
invoke GetModuleFileNameEx, hProcess, hInstance, addr szFilename, 255
mov ecx, offset szFilename
@@:
dec eax
cmp byte ptr ds:[eax+ecx], '\'
jne @b
mov byte ptr ds:[eax+ecx+1], 0
mov eax, add$(addr szFilename, addr szTempFile)
invoke CreateFile, addr szFilename, GENERIC_READ OR GENERIC_WRITE, ebx, ebx, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, ebx
mov hFile, eax
invoke SetEndOfFile, eax
invoke GetModuleHandle, addr szModulename
invoke GetProcAddress, eax, addr szProcname
mov edi, eax
mov lpProc, eax
restoreIAT:
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, ebx
mov hSnapshot, eax
mov me.dwSize, sizeof me
invoke Module32First, eax, addr me
@@:
mov eax, me.modBaseAddr ; address of PE header
add eax, 3Ch ; offset to value of offset to PE signature
mov eax, dword ptr ds:[eax]
add eax, me.modBaseAddr ; eax = pointer to PE signature
add eax, 0D8h ; eax = pointer to pointer to IAT
mov esi, dword ptr ds:[eax] ; esi = pointer to offset of IAT
add esi, me.modBaseAddr ; esi = pointer to IAT
mov ecx, dword ptr ds:[eax+4] ; ecx = IAT size
.WHILE ecx != 0
.IF dword ptr ds:[esi+4*ecx] == edi
lea esi, [esi+4*ecx]
invoke VirtualProtect, esi, 4, PAGE_EXECUTE_READWRITE, addr flOldProtect
.IF bPlaceHooks == 1
mov dword ptr ds:[esi], offset HookFxn
.ELSE
mov eax, lpProc
mov dword ptr ds:[esi], eax
.ENDIF
invoke VirtualProtect, esi, 4, flOldProtect, addr flOldProtect
mov ecx, 1
.ENDIF
dec ecx
.ENDW
invoke Module32Next, hSnapshot, addr me
test eax, eax
jnz @b
invoke CloseHandle, hSnapshot
.IF bPlaceHooks == TRUE
xor eax, eax
.WHILE eax == 0
invoke Sleep, 100
invoke GetAsyncKeyState, VK_F10
.ENDW
mov bPlaceHooks, FALSE
mov edi, offset HookFxn
jmp restoreIAT
.ENDIF
invoke CloseHandle, hFile
invoke CloseHandle, hProcess
invoke FreeLibraryAndExitThread, hInstance, ebx
ret
main endp
HookFxn proc
OPTION PROLOGUE:NONE
OPTION EPILOGUE:NONE
push ebp
mov ebp, esp
pushad
mov edi, lengthof szParam1
mov ebx, dword ptr ss:[ebp+8]
mov eax, fwrite(hFile, addr szParam1, edi)
fprint hFile, uhex$(ebx)
mov ebx, dword ptr ss:[ebp+0Ch]
mov eax, fwrite(hFile, addr szParam2, edi)
fprint hFile, uhex$(ebx)
mov ebx, dword ptr ss:[ebp+010h]
mov eax, fwrite(hFile, addr szParam3, edi)
fprint hFile, uhex$(ebx)
mov ebx, dword ptr ss:[ebp+014h]
mov eax, fwrite(hFile, addr szParam4, edi)
fprint hFile, uhex$(ebx)
popad
pop ebp
jmp lpProc
ret
HookFxn endp
end LibMain |
How will I get past the protection of GG?
I don't understand anything about this asm code...
Anyway, it's confusing...
What I need is to hook recv/send, and I haven't found any example of an IAT hook in Delphi...
iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Sun Mar 14, 2010 10:33 am Post subject: |
| Hmm, this will Help
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Sun Mar 14, 2010 11:10 am Post subject: |
I don't know if this applies to Gunbound, but I've had trouble with packed/protected games in the past:
the packer usually removes most entries from the IAT except for one function from every DLL and GetProcAddress, and then imports the functions manually with GetProcAddress.
This means that you can't hook the function by following the PE header and finding the function in the IAT, because the function won't be there.
I've never been able to find a way to solve that (other than hooking the function the 'normal' way by overwriting it with a jmp).
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sun Mar 14, 2010 11:42 am Post subject: |
| tombana wrote: | I don't know if this applies to gunbound but I've had troubles with packed/protected games in the past:
the packer usually removes most entries from the IAT except for one function from every dll and GetProcAddress. And then it imports the functions manually with GetProcAddress.
|
Does that happen in GB?
Gunbound.gme is packed with Armadillo...
If its happens with gb i think that my project is fucked up
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Sun Mar 14, 2010 1:05 pm Post subject: |
| CristoferMartins wrote: | Its happens in gb?
Gunbound.gme is packed with armadillo...
If its happens with gb i think that my project is fucked up  |
You might be able to hook GetProcAddress. But then you have to hook it really fast, before anything else is done. This means you'll have to write your DLL injector (I'm assuming you're using a DLL) to create the process suspended, then inject the DLL and apply the GetProcAddress hook, and then resume the process.
iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Sun Mar 14, 2010 1:46 pm Post subject: |
@tombana You're right. But in my own experience, GunBound patched most methods of DLL injection. The only ones that work are IAT and maybe the SetWindowsHookEx method; the rest use WriteProcessMemory(), which won't work.
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sun Mar 14, 2010 2:37 pm Post subject: |
| iPromise wrote: | | @tombana You're right. But with my own experience, GunBound patched most methods for dll injection. I only ones that work is IAT and maybe SetWindowsHookEx method, the rest use WriteProcessMemory() which won't work. |
Anyway, guys, will the IAT hook work or not?
If it will, can anyone give me a Delphi/C source? (I don't understand C too well, but I can manage.)
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sun Mar 14, 2010 5:02 pm Post subject: |
| iPromise wrote: | | @tombana You're right. But with my own experience, GunBound patched most methods for dll injection. I only ones that work is IAT and maybe SetWindowsHookEx method, the rest use WriteProcessMemory() which won't work. |
So, uhh, how exactly do you go about doing a DLL injection with an IAT hook, or with the IAT at all?
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Mon Mar 15, 2010 1:09 pm Post subject: |
| Slugsnack wrote: | | iPromise wrote: | | @tombana You're right. But with my own experience, GunBound patched most methods for dll injection. I only ones that work is IAT and maybe SetWindowsHookEx method, the rest use WriteProcessMemory() which won't work. |
so uhhh how exactly do you go about doing a dll injection with an IAT hook or with the IAT at all ? |
We can inject a DLL into Gunbound just like injecting into any other game...
Anyway, some ideas come to mind:
Hook the IAT and put my function in the table to intercept the calls...
Use a trampoline to call the original function (GG hooks it).
Is that it?
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Mon Mar 15, 2010 3:48 pm Post subject: |
| CristoferMartins wrote: | | Slugsnack wrote: | | iPromise wrote: | | @tombana You're right. But with my own experience, GunBound patched most methods for dll injection. I only ones that work is IAT and maybe SetWindowsHookEx method, the rest use WriteProcessMemory() which won't work. |
so uhhh how exactly do you go about doing a dll injection with an IAT hook or with the IAT at all ? |
We can inject a dll in gunbound like injecting on other game...
Anyway some ideas come in my mind:
Hook Iat,put my function in the table to intercept the calls...
Use trampoline to call orig funcition(gg hook it).
Is it? |
iPromise was implying a DLL injection can be done with an IAT hook. And I'm still not understanding why you think you need to trampoline anything with an IAT hook. Your 'idea' is implemented in the second post I made in this topic.
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Tue Mar 16, 2010 9:44 am Post subject: |
| Slugsnack wrote: | | CristoferMartins wrote: | | Slugsnack wrote: | | iPromise wrote: | | @tombana You're right. But with my own experience, GunBound patched most methods for dll injection. I only ones that work is IAT and maybe SetWindowsHookEx method, the rest use WriteProcessMemory() which won't work. |
so uhhh how exactly do you go about doing a dll injection with an IAT hook or with the IAT at all ? |
We can inject a dll in gunbound like injecting on other game...
Anyway some ideas come in my mind:
Hook Iat,put my function in the table to intercept the calls...
Use trampoline to call orig funcition(gg hook it).
Is it? |
iPromise was implying a DLL injection can be done with an IAT hook. And I'm still not understanding why you think you need to trampoline anything with an IAT hook. Your 'idea' is implemented in the second post I made in this topic. |
DLL injection is not a problem...
Anyway, I will hook send/recv using the IAT hook,
but GG hooks them.
How will I call the original recv/send function? I think that is a trampoline.
Edit:
I know the address of the function (the one GB uses to call recv or send); what do I need now?