ulysse31 Master Cheater
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Wed Nov 02, 2016 8:34 pm Post subject: Running into a crash while sending many packets through game
I am hacking an online game. There is a packet which the client sends to the server. The hack is the following: I duplicate this packet on the fly when it is sent and I send it another 100 times, which means I have to encrypt it and then use the send function from winsock (TCP connection).
This is all working great except that when I duplicate and send the packet more than 100 times (i.e. 101 times or more), the game starts omitting packets (i.e. they're encrypted correctly but some of them aren't sent: I don't see them in Wireshark). I am thinking that the problem is in the way I use the send function (which resides in a Windows DLL). It's a pretty long piece of code; I usually don't post that kind of stuff, but I am stuck after several hours.
There is one script that is 100% working which globally allocates 2 variables and puts the winsock send address in one and the socket value in the other.
Then there is the script of interest, which does the following:
It hooks the game encryption function (this function has the encryption key address in ecx, the packet buffer address as first argument and the packet size as second argument).
This function is hooked by my code; I check if the packet currently being encrypted is my packet of interest (a simple packet title comparison) and if it is, I duplicate the packet, encrypt it, and send it using the game's socket value through the game's send function.
The code is the following:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(encKey,4)
alloc(source,4)
alloc(countloop,4)
countloop:
dd 64 //CE numbers are hex: 64 = 100 duplicates
alloc(size,4)
alloc(hook,2048)
alloc(buffer2,2048)
alloc(buffer,2048)
alloc(newmem,2048)
label(bypass)
label(loop)
label(exit)
hook:
push eax //saves all registers
push edx
push ecx
push edi
push esi
//check if we are at the right packet
mov eax,[esp+14] //places buffer address in eax (first argument, above the 5 saved registers)
mov eax,[eax] //places the first 4 bytes held by the buffer in eax (those are packet title/size)
cmp eax,63500029 //compares those bytes to the packet title we care about
jne bypass //if it's not our wanted packet, the function takes the regular game code
//######################################################
//save encryption key from ecx
mov [encKey],ecx //we are at the encryption point and ecx holds the encryption key
mov esi,[esp+14] //save the buffer (packet content) address to the source variable
mov [source],esi
mov ecx,[esp+18] //save packet size to the size variable
mov [size],ecx
mov edx,ecx //saves the size
mov [countloop],64 //resets hack use (hex 64 = 100)
//make my own source buffer too
mov esi,[source]
mov edi,buffer2
mov ecx,[size]
rep movsb //duplicates packet (copies size bytes from esi to edi)
mov ecx,[size]
sub edi,ecx //restores edi to buffer2 address
sub esi,ecx //restores esi to the original buffer address
mov [source],edi //my own buffer containing the duplicated packet becomes the source of encryption
loop:
mov eax,[countloop]
dec eax
mov [countloop],eax
test eax,eax
je bypass //back to regular code when the packet was duplicated enough times
mov eax,[encKey]
mov esi,[source]
mov edi,buffer
mov ecx,[size]
mov edx,[size]
rep movsb //copies the plaintext packet into buffer again for this iteration
//puts back edi and esi where they must be
sub edi,edx
sub esi,edx
//call encrypt
push edx //pushes size
push edi //pushes buffer address
mov ecx,eax //encryption function needs encryption key buffer in ecx
call 018EC950 //encrypts packet
//put size in ecx
mov ecx,[esp+18]
push 0 //flags
push ecx //size
push buffer
mov eax,[socket]
push eax //pushes socket value (taken from the game by the other script)
call [sendAddress] //calls the winsock send function on the connected socket (server)
jmp loop
//##################################################################
bypass:
pop esi //restores all registers
pop edi
pop ecx
pop edx
pop eax
call 018EC950 //regular game code
jmp exit
018ECCA2:
jmp hook
exit:
[DISABLE]
//restore the original call at the hook point and free the allocated memory
018ECCA2:
call 018EC950
dealloc(encKey)
dealloc(source)
dealloc(countloop)
dealloc(size)
dealloc(hook)
dealloc(buffer2)
dealloc(buffer)
dealloc(newmem)
Some packets are not sent even though they should be; however, I still receive packets and the "normal" packets from the game are still sent correctly. Only packets which are sent through my own call of the Windows TCP send function are omitted (Wireshark shows it).
This problem occurs on every computer (tried 3 so far). The first 100 "hacked" packets have always been sent correctly so far; however, it starts failing between 101 and 111.
I am thinking it's a timing issue: maybe the function isn't meant to be used this way, maybe something interferes with it from another thread. Got any idea?