Hook directx or packet decrypt function...?

[Exempt]

If you had the choice to hook directx or a packet dycrypt function inorder to find enemy information which would you do.. I'm still pretty noobish to hooking in general so I was thinking the packet one would be a bit easier but I'm not sure.

Game is stillxenimus and I still cannot detect enemy. It's a must fix to get any further for me sadly.

[Administrator]

Hooking DirectX wouldn't get you very far. You should be using a memory editing software to search for a an address that changes when you select different targets. That address is either going to end up being a pointer to the targeted object or it's GUID.

You could go the packet route, too. Bots that work by sending and receiving packets work wonderfully, but take an awful lot of work. Depending on the game, you may or may not need to figure out the packet encryption/decryption, as well as what each packet means, and then you have to construct all the logic that the game would normally do for you out. The plus side is that you can create a clientless bot, so you could potentially run hundreds of them on a single machine.

[Exempt]

Sadly, this game does not have the normal targeting you'd find in a bigger 3d game. I'm pretty sure you've even tried to find some of the monster info last time I went here, and ere unable ot figure it out. I've to search for the target i'm click on the targets location and even the hp left on the target non of which worked for me. I mean I can see the monsters moving and such so the memory must be there but where?

I made this post at game deception.

I'm trying to hook a packet decryption function but I'm pretty much new to this type of programming all together. I'll be using Dev C++ and Detours 1.5 to hopefully accomplish this.. How would I go about hooking this decrpyt function, assuming I already have the address of it, and once I do hook it how do I gather the data from the hooked function?

I'm using windows 7 64bit. I do have a laptop with vista 32 bit if it'll make it less complicated to start with.

This is the function itself in olly, the address pointing to this function is 41C230. I'm this far but not to sure where to go from here. :ditsy:

Code: Select all

CPU Disasm
Address   Hex dump          Command                                  Comments
0041C230  /$  56            PUSH ESI                                 ; Xenimus.0041C230(guessed Arg1,Arg2)
0041C231  |.  8B7424 08     MOV ESI,DWORD PTR SS:[ARG.1]
0041C235  |.  8971 10       MOV DWORD PTR DS:[ECX+10],ESI
0041C238  |.  0FB616        MOVZX EDX,BYTE PTR DS:[ESI]
0041C23B  |.  0FB646 01     MOVZX EAX,BYTE PTR DS:[ESI+1]
0041C23F  |.  03C2          ADD EAX,EDX
0041C241  |.  8B51 28       MOV EDX,DWORD PTR DS:[ECX+28]
0041C244  |.  25 FF000000   AND EAX,000000FF
0041C249  |.  8941 04       MOV DWORD PTR DS:[ECX+4],EAX
0041C24C  |.  0FB60410      MOVZX EAX,BYTE PTR DS:[EDX+EAX]
0041C250  |.  83E0 24       AND EAX,00000024
0041C253  |.  83C8 01       OR EAX,00000001
0041C256  |.  8901          MOV DWORD PTR DS:[ECX],EAX
0041C258  |.  8036 AA       XOR BYTE PTR DS:[ESI],AA
0041C25B  |.  8B51 10       MOV EDX,DWORD PTR DS:[ECX+10]
0041C25E  |.  803A 00       CMP BYTE PTR DS:[EDX],0
0041C261  |.  74 6B         JE SHORT 0041C2CE
0041C263  |.  57            PUSH EDI
0041C264  |.  8B7C24 10     MOV EDI,DWORD PTR SS:[ARG.2]
0041C268  |.  83FF 02       CMP EDI,2
0041C26B  |.  C741 08 02000 MOV DWORD PTR DS:[ECX+8],2
0041C272  |.  7E 59         JLE SHORT 0041C2CD
0041C274  |.  53            PUSH EBX
0041C275  |>  8B59 04       /MOV EBX,DWORD PTR DS:[ECX+4]      //This is where the loop starts here
0041C278  |.  8B51 28       |MOV EDX,DWORD PTR DS:[ECX+28]
0041C27B  |.  8B41 08       |MOV EAX,DWORD PTR DS:[ECX+8]
0041C27E  |.  8B31          |MOV ESI,DWORD PTR DS:[ECX]
0041C280  |.  85F0          |TEST EAX,ESI
0041C282  |.  8A141A        |MOV DL,BYTE PTR DS:[EBX+EDX]
0041C285  |.  0FBEDA        |MOVSX EBX,DL
0041C288  |.  74 13         |JE SHORT 0041C29D
0041C28A  |.  85DE          |TEST ESI,EBX
0041C28C  |.  8B71 10       |MOV ESI,DWORD PTR DS:[ECX+10]
0041C28F  |.  74 06         |JE SHORT 0041C297
0041C291  |.  03C6          |ADD EAX,ESI
0041C293  |.  3010          |XOR BYTE PTR DS:[EAX],DL
0041C295  |.  EB 1E         |JMP SHORT 0041C2B5
0041C297  |>  03C6          |ADD EAX,ESI
0041C299  |.  2810          |SUB BYTE PTR DS:[EAX],DL
0041C29B  |.  EB 18         |JMP SHORT 0041C2B5
0041C29D  |>  85DE          |TEST ESI,EBX
0041C29F  |.  74 0D         |JE SHORT 0041C2AE
0041C2A1  |.  8B51 10       |MOV EDX,DWORD PTR DS:[ECX+10]
0041C2A4  |.  03C2          |ADD EAX,EDX
0041C2A6  |.  8A10          |MOV DL,BYTE PTR DS:[EAX]
0041C2A8  |.  F6D2          |NOT DL
0041C2AA  |.  8810          |MOV BYTE PTR DS:[EAX],DL
0041C2AC  |.  EB 07         |JMP SHORT 0041C2B5
0041C2AE  |>  8B71 10       |MOV ESI,DWORD PTR DS:[ECX+10]
0041C2B1  |.  03C6          |ADD EAX,ESI
0041C2B3  |.  0010          |ADD BYTE PTR DS:[EAX],DL
0041C2B5  |>  8B41 04       |MOV EAX,DWORD PTR DS:[ECX+4]
0041C2B8  |.  8341 08 01    |ADD DWORD PTR DS:[ECX+8],1
0041C2BC  |.  83C0 01       |ADD EAX,1
0041C2BF  |.  25 FF000000   |AND EAX,000000FF
0041C2C4  |.  8941 04       |MOV DWORD PTR DS:[ECX+4],EAX
0041C2C7  |.  3979 08       |CMP DWORD PTR DS:[ECX+8],EDI
0041C2CA  |.^ 7C A9         \JL SHORT 0041C275                            //It ends here...
0041C2CC  |.  5B            POP EBX
0041C2CD  |>  5F            POP EDI
0041C2CE  |>  5E            POP ESI
0041C2CF  \.  C2 0800       RETN 8

[Administrator]

I'm sure it is there, it is probably just not stored how you expect. Maybe it is a 64-bit value or something. Use unknown value searches and only use 'changed' and 'unchanged' filters; not 'increased' and 'decreased'.

Look here for an example on winsock hooking: http://stackoverflow.com/questions/8023 ... ck-hooking


You basically just create your own function that accepts and returns the same types as the original function, then you create a detour at the original location that points to your function. Now, when the game tries to call that function, it instead sees modified code telling it to jump to some other location (your function) where you can call the original function (or not) and modify the return value.

[Exempt]

I will try some more but i've done that asweel many times. If you ever get any free time try and take a look at it, the game is small to dl and free to play. xenimus.com

Edit: Yeah, I'm not getting anythin consistant from this, ugh.

[Administrator]

You are creating a C (not C++) DLL and then injecting it into the target process, right?

[Exempt]

I'm unable to get one to inject right. I just messed up my pc too and had to reset ir back lol. Now i start again. I'm really not sure how to use the function even after i get the detour injected tho.

Edit: If I do try and hook the packet decrypt function would this be how I'd use it?...

Use win sock to capture packets then run the encrpyted packet thru the detoured function I hooked and read that output, or am i adding another step i shouldn't?

[Administrator]

I'm unable to get one to inject right. I just messed up my pc too and had to reset ir back lol. Now i start again. I'm really not sure how to use the function even after i get the detour injected tho.

Then there's your problem. If you can't inject a DLL, you can't hook.

Edit: If I do try and hook the packet decrypt function would this be how I'd use it?...

Use win sock to capture packets then run the encrpyted packet thru the detoured function I hooked and read that output, or am i adding another step i shouldn't?

You would read the input that is sent to that function and perform whatever action you wanted. If you received a packet indicating that your health changed, you might check if your health is low and use a potion, for example. You would use that potion by calling the send function with the proper packet to use a potion.

[Exempt]

I can inject a dll but not using this detour stuff for some reason. I just got detour 3.0 and made the new makefile for it. I'm gonna try it out tomarrow, I think I'm getting closer to what i need.

It didn't work cause of compiler errors, I just got vs 2010 pro so it's kinda breaking my brain atm.

I had alot fo error now just this one, hopefully getting the new makefile will fix it when i test it.

Code: Select all

1>LINK : fatal error C1047: The object or library file 'Detours/detours.lib' was created with an older compiler than other objects; rebuild old objects and libraries
1>LINK : fatal error LNK1257: code generation failed

Code: Select all

// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#pragma comment(lib, "Detours/detours.lib") 
#include "Detours/detours.h"

typedef int (__thiscall* DecryptCall)(void* pthis, unsigned char* buffer, int length);

DecryptCall FuncToDetour = (DecryptCall)(0x41C230); //Set it at address to detour in

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		DisableThreadLibraryCalls(hModule);
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)FuncToDetour, FuncToDetour);
        DetourTransactionCommit();
	case DLL_THREAD_ATTACH:
		DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)FuncToDetour, FuncToDetour);
        DetourTransactionCommit();
        break;
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

[Administrator]

Any Microsoft compiler is an absolute pain to work with. Had they actually used standards, things would be different. I had a lot of issues with the Detours lib, myself, so I stopped bothering and used Azorbix's detours lib instead. I'm pretty sure I posted a copy of this for you before.

[Exempt]

I may try and use that, I was hoping to figure thi one out tho.

[Exempt]

When using Azorbix's detours lib is there no real .lib file, If so what would be the proper way to implement this into my code? This does seem to be to code I need tho, the typedef I need to use it exactly what this handles. From what the documentation says about it.

[Administrator]

Just add the .cpp and .h files to your project. Include the .h as you normally would (but you'll use quotes("") instead of angular braces(<>), of course).

[Exempt]

When I try to make my type def out in Code::Blocks(trying to make this easier) it doesn't recognize __thiscall as anything.

my dll header file.

Code: Select all

#ifndef __MAIN_H__
#define __MAIN_H__

#include <windows.h>

/*  To use this exported function of dll, include this header
 *  in your project.
 */

#ifdef BUILD_DLL
    #define DLL_EXPORT __declspec(dllexport)
#else
    #define DLL_EXPORT __declspec(dllimport)
#endif


#ifdef __cplusplus
extern "C"
{
#endif

    typedef int (__thiscall* DecryptCall)(void* pthis, unsigned char* buffer, int length);
    static DecryptCall decrypt;

#ifdef __cplusplus
}
#endif

#endif // __MAIN_H__

Code: Select all

C:\Users\Matthew\Desktop\Injector\DLL\main.h|22|error: expected ')' before '*' token|
C:\Users\Matthew\Desktop\Injector\DLL\main.h|23|error: 'DecryptCall' does not name a type|
C:\Users\Matthew\Desktop\Injector\DLL\main.cpp|9|error: expected ')' before '*' token|
C:\Users\Matthew\Desktop\Injector\DLL\main.cpp|11|error: 'Decrypt' does not name a type|
C:\Users\Matthew\Desktop\Injector\DLL\main.cpp||In member function 'int DetouredClass::DetourDecrypt(unsigned char*, int)':|
C:\Users\Matthew\Desktop\Injector\DLL\main.cpp|21|error: 'decrypt' was not declared in this scope|
C:\Users\Matthew\Desktop\Injector\DLL\main.cpp||In function 'BOOL DllMain(HINSTANCE__*, DWORD, void*)':|
C:\Users\Matthew\Desktop\Injector\DLL\main.cpp|94|error: 'decrypt' was not declared in this scope|
C:\Users\Matthew\Desktop\Injector\DLL\main.cpp|94|error: invalid use of non-static member function 'int DetouredClass::DetourDecrypt(unsigned char*, int)'|
||=== Build finished: 7 errors, 0 warnings ===|

Code: Select all

#include "main.h"
#include "../detours/detours.h"
#include "windows.h"
#include <cstdio>
#include <ctype.h>


// a sample exported function
typedef int (__thiscall* DecryptCall)(void* pthis, unsigned char* buffer, int length);

Decrypt decrypt = (DecryptCall)0x41C230;

FILE* flog = NULL;

class DetouredClass
{
public:
	int DetourDecrypt(unsigned char* buffer, int len)
	{
		//call real decrypt
		int decryptres = decrypt(this, buffer, len);

		if (buffer[0] == 0x49)
			return decryptres;

		unsigned char* tmpbuf = new unsigned char[len - 1];
		tmpbuf[0] = buffer[0];
		memcpy(&tmpbuf[1], &buffer[2], len - 2);

		printf("S -> C: OP %02X, len %u\n", buffer[0], len - 1);

		fprintf(flog, "\r\nS -> C: OP %02X, len %u\r\n", buffer[0], len - 1);
		WriteToFile(flog, tmpbuf, len - 1);

		delete[] tmpbuf;

		return decryptres;
	}

	size_t WriteToFile(FILE *dstFile, const void *pSource, size_t sourceLength)
	{
		fprintf(dstFile, "|------------------------------------------------|----------------|\r\n");
		fprintf(dstFile, "|00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F |0123456789ABCDEF|\r\n");
		fprintf(dstFile, "|------------------------------------------------|----------------|\r\n");

		size_t i = 0;
		size_t c = 0;
		size_t start;
		size_t written;
		unsigned char byte;
		const unsigned char *pData = (const unsigned char *)pSource;

		for( ; i < sourceLength; )
		{
			start = i;
			fprintf(dstFile, "|");
			for( c = 0; c < 16 && i < sourceLength; )		// write 16 bytes per line
			{
				fprintf(dstFile, "%02X ", (int)pData[i]);
				++i; ++c;
			}

			written = c;
			for( ; c < 16; ++c )							// finish off any incomplete bytes
				fprintf(dstFile, "   ");

			// write the text part
			fprintf(dstFile, "|");
			for( c = 0; c < written; ++c )
			{
				byte = pData[start + c];
				if( isprint((int)byte) )
					fprintf(dstFile, "%c", (int)byte);
				else
					fprintf(dstFile, ".");
			}

			for( ; c < 16; ++c )
				fprintf(dstFile, " ");

			fprintf(dstFile, "|\r\n");
		}

		fprintf(dstFile, "-------------------------------------------------------------------\r\n");
		return 0;
	}
};

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            DetourClassFunc((PVOID*)&decrypt, (PVOID)(&(PVOID&)DetouredClass::DetourDecrypt), 5); //Not sure what to put for len in the third agrument.
        case DLL_PROCESS_DETACH:
            // detach from process
            break;

        case DLL_THREAD_ATTACH:
            // attach to thread
            break;

        case DLL_THREAD_DETACH:
            // detach from thread
            break;
    }
    return TRUE; // succesful
}

[Administrator]

Well, first thing is, you shouldn't have it in a class like that. That could be messing things up, and will just result in more complications.

You could also probably just remove the __thiscall.

[Exempt]

Ugh, lol always something different. I'm basing alot of what I do on some example codes I have, from a app that does exactly what I'm trying to do already.

Assuming I start from scratch.

All i really need to do is

Find the function in memory "0x41C230"
Make a typedef for it. "typedef int (*DecryptCall)(void* pthis, unsigned char* buffer, int length);"

DecryptCall decrypt = (DecryptCall)0x41C230
Use DetourFunc or DetourClassFunc? "DetourFunc((BYTE*)&decrypt, (BYTE*)&DetourDecrypt, len);" I'm not sure about len.

Inject that dll then use LoadLibrary(?) and read the return from DetourDecrypt which should hopefully be the decrypted packets.

That sound like what I need to do?

Code: Select all

int DetourDecrypt(unsigned char* buffer, int len)
   {
      //call real decrypt
      int decryptres = decrypt(this, buffer, len);

      if (buffer[0] == 0x49)
         return decryptres;

      unsigned char* tmpbuf = new unsigned char[len - 1];
      tmpbuf[0] = buffer[0];
      memcpy(&tmpbuf[1], &buffer[2], len - 2);

      printf("S -> C: OP %02X, len %u\n", buffer[0], len - 1);

      fprintf(flog, "\r\nS -> C: OP %02X, len %u\r\n", buffer[0], len - 1);
      WriteToFile(flog, tmpbuf, len - 1);

      delete[] tmpbuf;

      return decryptres;
   }

   size_t WriteToFile(FILE *dstFile, const void *pSource, size_t sourceLength)
   {
      fprintf(dstFile, "|------------------------------------------------|----------------|\r\n");
      fprintf(dstFile, "|00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F |0123456789ABCDEF|\r\n");
      fprintf(dstFile, "|------------------------------------------------|----------------|\r\n");

      size_t i = 0;
      size_t c = 0;
      size_t start;
      size_t written;
      unsigned char byte;
      const unsigned char *pData = (const unsigned char *)pSource;

      for( ; i < sourceLength; )
      {
         start = i;
         fprintf(dstFile, "|");
         for( c = 0; c < 16 && i < sourceLength; )      // write 16 bytes per line
         {
            fprintf(dstFile, "%02X ", (int)pData[i]);
            ++i; ++c;
         }

         written = c;
         for( ; c < 16; ++c )                     // finish off any incomplete bytes
            fprintf(dstFile, "   ");

         // write the text part
         fprintf(dstFile, "|");
         for( c = 0; c < written; ++c )
         {
            byte = pData[start + c];
            if( isprint((int)byte) )
               fprintf(dstFile, "%c", (int)byte);
            else
               fprintf(dstFile, ".");
         }

         for( ; c < 16; ++c )
            fprintf(dstFile, " ");

         fprintf(dstFile, "|\r\n");
      }

      fprintf(dstFile, "-------------------------------------------------------------------\r\n");
      return 0;
   }

EDIT:

This is what I've come up with..

Is this what you mean by removing the __this? I was getting errors when i left int decryptres = decrypt(packet, len); as int decryptres = decrypt(this, packet, len);

Code: Select all

#include "main.h"
#include "detours/detours.h"
// a sample exported function


DecryptCall decrypt = (DecryptCall)0x41C230;

int DetourDecrypt(byte *packet, size_t len)
{
	int decryptres = decrypt(packet, len);
	return decryptres;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            DetourFunc((BYTE*)&decrypt, (BYTE*)&DetourDecrypt, 5);

        case DLL_PROCESS_DETACH:
            // detach from process
            break;

        case DLL_THREAD_ATTACH:
            // attach to thread
            break;

        case DLL_THREAD_DETACH:
            // detach from thread
            break;
    }
    return TRUE; // succesful
}

Code: Select all

#ifndef __MAIN_H__
#define __MAIN_H__

#include <windows.h>

/*  To use this exported function of dll, include this header
 *  in your project.
 */

#ifdef BUILD_DLL
    #define DLL_EXPORT __declspec(dllexport)
#else
    #define DLL_EXPORT __declspec(dllimport)
#endif


#ifdef __cplusplus
extern "C"
{
#endif

    typedef int (*DecryptCall)(unsigned char* buffer, int length);

#ifdef __cplusplus
}
#endif

#endif // __MAIN_H__

Well, I think this is good news. RemoreDLL injected the dll without bloing up my pc or the game . Now to see if it's gathering the data... LoadLibrary is in my future i think.

Edit: Maybe it's not doing anything. Wouldn't changing DetourDecrypt(byte *packet, size_t len) return to some random number cause a crash? Nothing changes t all when i do it.

[Administrator]

Find the function in memory "0x41C230"
Make a typedef for it. "typedef int (*DecryptCall)(void* pthis, unsigned char* buffer, int length);"

DecryptCall decrypt = (DecryptCall)0x41C230
Use DetourFunc or DetourClassFunc? "DetourFunc((BYTE*)&decrypt, (BYTE*)&DetourDecrypt, len);" I'm not sure about len.

That looks about right. You would use DetourFunc. DetourClassFunc is for when you're using VTABLES.

I don't remember what 'len' is for off the top of my head. I think you would use either the size of the start of the function to the end of the next opcode >=5 (5 would work for you with the code you provided), or if it is the size of the return (8). Try both. if it crashes, then it's wrong.

Inject that dll then use LoadLibrary(?) and read the return from DetourDecrypt which should hopefully be the decrypted packets.

That sound like what I need to do?

Now you're starting to get off track. In your DLL's main function, on PROCESS_ATTACH, you would call DetourFunc to hook those functions (as you have). You should start by just logging these functions to understand how the game works, and call the original function.

Start there. Your code is pretty much what you should have, though, yeah.

[Exempt]

So, I should just build onto the DLL and not make a .exe to work with it at this point? I confused at how I'd log DetourDecrypt from the DLL itself. Unless maybe I just use the Write to file function from the other code snipplet i have. I'm pretty unfamilar with that tho. Is that what you mean tho?


EDIT: Something must be wrong I changed to len arg to 24 and still didn't crash. The dll is injecting and nothing seems to happen after that? Did I misss a step?

I get nothing out of this. hmm. I'm off to bed I'll be back tomarrow. Thanks for all the help

Code: Select all

#include "main.h"
#include "detours/detours.h"
#include <stdio.h>
#include <ctype.h>
// a sample exported function


DecryptCall decrypt = (DecryptCall)0x41C230;
FILE* flog = NULL;

/*int DetourDecrypt(byte *packet, size_t len)
{
	int decryptres = decrypt(packet, len);
	return decryptres;
}*/

size_t WriteToFile(FILE *dstFile, const void *pSource, size_t sourceLength)
{
    fprintf(dstFile, "|------------------------------------------------|----------------|\r\n");
    fprintf(dstFile, "|00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F |0123456789ABCDEF|\r\n");
    fprintf(dstFile, "|------------------------------------------------|----------------|\r\n");

    size_t i = 0;
    size_t c = 0;
    size_t start;
    size_t written;
    unsigned char byte;
    const unsigned char *pData = (const unsigned char *)pSource;

    for( ; i < sourceLength; )
    {
        start = i;
        fprintf(dstFile, "|");
        for( c = 0; c < 16 && i < sourceLength; )		// write 16 bytes per line
        {
            fprintf(dstFile, "%02X ", (int)pData[i]);
            ++i; ++c;
        }

        written = c;
        for( ; c < 16; ++c )							// finish off any incomplete bytes
            fprintf(dstFile, "   ");

        // write the text part
        fprintf(dstFile, "|");
        for( c = 0; c < written; ++c )
        {
            byte = pData[start + c];
            if( isprint((int)byte) )
                fprintf(dstFile, "%c", (int)byte);
            else
                fprintf(dstFile, ".");
        }

        for( ; c < 16; ++c )
            fprintf(dstFile, " ");

        fprintf(dstFile, "|\r\n");
    }

    fprintf(dstFile, "-------------------------------------------------------------------\r\n");
    return 0;
}

int DetourDecrypt(unsigned char* buffer, int len)
{
    //call real decrypt
    int decryptres = decrypt(buffer, len);

    if (buffer[0] == 0x49)
        return decryptres;

    unsigned char* tmpbuf = new unsigned char[len - 1];
    tmpbuf[0] = buffer[0];
    memcpy(&tmpbuf[1], &buffer[2], len - 2);

    printf("S -> C: OP %02X, len %u\n", buffer[0], len - 1);

    fprintf(flog, "\r\nS -> C: OP %02X, len %u\r\n", buffer[0], len - 1);
    WriteToFile(flog, tmpbuf, len - 1);

    delete[] tmpbuf;

    return decryptres;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            DetourFunc((BYTE*)&decrypt, (BYTE*)&DetourDecrypt, 24);
            {
            unsigned int ext = 0;
            FILE* f = fopen("Log.txt", "rb");

            if (f != NULL)
            {
                fclose(f);

                ext = 1;

                while (true)
                {
                    char filename[1024];
                    sprintf(filename, "Log%u.txt", ext);

                    f = fopen(filename, "rb");

                    if (f == NULL)
                        break;
                    fclose(f);
                    ++ext;
                }
            }

            char logfile[1024];
            if (ext == 0)
                strcpy(logfile, "Log.txt");
            else
                sprintf(logfile, "Log%u.txt", ext);

            flog = fopen(logfile, "wb");
            }

        case DLL_PROCESS_DETACH:
            // detach from process
            break;

        case DLL_THREAD_ATTACH:
            // attach to thread
            break;

        case DLL_THREAD_DETACH:
            // detach from thread
            break;
    }
    return TRUE; // succesful
}

[Administrator]

So, I should just build onto the DLL and not make a .exe to work with it at this point?

Yes. That would be the easiest route. If you wanted a separate process for the main code, then you would have to set up some sort of messaging system between the two programs. Remember, your DLL will be running as part of the game itself.

I confused at how I'd log DetourDecrypt from the DLL itself. Unless maybe I just use the Write to file function from the other code snipplet i have. I'm pretty unfamilar with that tho. Is that what you mean tho?

Yes. Just write to a file. You can use C file I/O functions for that. I tend to stay away from the C++ functions for that, but the choice is yours. Your logging function looks fine to me.

EDIT: Something must be wrong I changed to len arg to 24 and still didn't crash. The dll is injecting and nothing seems to happen after that? Did I misss a step?

You might need more logging. Make sure that section of code is even being called. How do you know it is even injecting correctly?

Your code looks pretty good so far and serves as good starting point. Just be sure to look around for those log files, as I think they will be created in the working directory of the target process, but I could be wrong.

[Exempt]

EDIT3: I figured out how to add this pthis back but it didn't chage typedef int (__stdcall* DecryptCall)(void* pthis, unsigned char* buffer, int length); I just put it back into the DetourDecrypt function like this int decryptres = decrypt(pthis, buffer, len); -.-

EDIT2: I changed all the "log.txt" to "C:\\log.txt" and made the file there to be sure it worked, it doesn't do anything.

EDIT: How can I be sure that the DLL is executing the code I put inside the DLL_PROCESS_ATTACH?

I'm able to use RemoteDLL injctor to inject the DLL then I can also use RemoteDLL to remove and DLL by searching thru all the .dlls the files uses. One of the selections is my DLL.

I change my DLL to this, it was bugging me that I couldn't create a variable inside the switch statement without it going out of scope. Seems to be the same(maybe better imo). I'm going to inject it again and watch the game directory this time.

Code: Select all

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if(fdwReason == DLL_PROCESS_ATTACH)
    {
            DetourFunc((BYTE*)&decrypt, (BYTE*)&DetourDecrypt, 24);

        {
            unsigned int ext = 0;
            FILE* f = fopen("Log.txt", "rb");

            if (f != NULL)
            {
                fclose(f);

                ext = 1;

                while (true)
                {
                    char filename[1024];
                    sprintf(filename, "Log%u.txt", ext);

                    f = fopen(filename, "rb");

                    if (f == NULL)
                        break;
                    fclose(f);
                    ++ext;
                }
            }

            char logfile[1024];
            if (ext == 0)
                strcpy(logfile, "Log.txt");
            else
                sprintf(logfile, "Log%u.txt", ext);

            flog = fopen(logfile, "wb");
        }

    }
    return TRUE; // succesful
}

I change my DetourDecrypt function to comment out the check it had here if (buffer[0] == 0x49) just to be sure.

Code: Select all

int DetourDecrypt(unsigned char* buffer, int len)
{
    //call real decrypt
    int decryptres = decrypt(buffer, len);

    //if (buffer[0] == 0x49)
    //    return decryptres;

    unsigned char* tmpbuf = new unsigned char[len - 1];
    tmpbuf[0] = buffer[0];
    memcpy(&tmpbuf[1], &buffer[2], len - 2);

    printf("S -> C: OP %02X, len %u\n", buffer[0], len - 1);

    fprintf(flog, "\r\nS -> C: OP %02X, len %u\r\n", buffer[0], len - 1);
    WriteToFile(flog, tmpbuf, len - 1);

    delete[] tmpbuf;

    return decryptres;
}