[Question] : Breakpoint at packet send


Postby WhiteHat » Thu Nov 22, 2007 10:15 pm

I'm sorry if this is the wrong section... Please move this post to proper section.

In MHS, what do we have to do to set a breakpoint every time a packet is sent? (any packet, any multiplayer game)
A brief step by step explanation would be really appreciated. Thank you very much in advance.

Postby Shynd » Thu Nov 22, 2007 10:24 pm

It isn't possible to breakpoint on any packet in ANY multiplayer game. If you want to breakpoint on any packet sent in whatever process you attach MHS to, you'd set a breakpoint on the address of WSOCK32's 'Send' function, which you can find the address of using OllyDBG.

As soon as breakpoints are available to be set via scripts, you could use GetProcAddress(GetModuleHandle("WSOCK32.dll"), "send") to automatically get the function address, then breakpoint on it.

It's doable, anyway. Might take a little bit of trial and error, but it's doable.

Postby mezzo » Thu Nov 22, 2007 11:01 pm

heya !
You seem to know quite a lot about this :-) so I got a little question for you. After a long search I found a doc on the Microsoft site describing the winsock2 api a bit and the send() function is described as follows:

Code:
int WSAAPI
send (
   IN      SOCKET       s,
   IN      const char FAR *    buf,
   IN      int          len,
   IN      int          flags
);


s   A descriptor identifying a connected socket.

buf   A buffer containing the data to be transmitted.

len   The length of the data in buf.

flags   Specifies the way in which the call is made.


If I breakpoint the wsock32.send function, does this mean that the 2nd value down on the stack is the memory location (pointer) to the packet that is about to be sent? Or how am I to see this?

Postby WhiteHat » Thu Nov 22, 2007 11:30 pm

@Shynd
Thanks for the brief explanation. But, would it be a burden if you made a step-by-step tut specifically about this?

Also, you mentioned OllyDbg for a certain task... Is this unavoidable?
I'd like to stick with MHS only. So, it would be great if I could minimize the need for other apps...

Thank you very much.

Postby WhiteHat » Thu Nov 22, 2007 11:36 pm

Very sorry for the double post. I can't edit my last post somehow... >.<

Actually, I'm trying to do this (in an MMORPG):
- I do an action..
- See if a certain packet is sent, which is n bytes long and bytes number x and y are HexHex and HexHex
- If the packet sent meets the specification, then send it 10 times instead of once...

How to do that?.. (MHS only, or MHS plus OllyDbg, would be good)


Thank you very much in advance...

Postby L. Spiro » Fri Nov 23, 2007 9:46 am

mezzo wrote:If I breakpoint the wsock32.send function, does this mean that the 2nd value down on the stack is the memory location (pointer) to the packet that is about to be sent? Or how am I to see this?


At the start of a function you will see either
Code:
ENTER
or
Code:
PUSH EBP
MOV EBP, ESP
SUB ESP X
which aligns the stack.
If your breakpoint comes after this, you can use EBP+0xC to get the second argument (buf) and EBP+0x10 to get len.
Use the thread context in the breakpoint handler to get EBP and add 0xC to it to get an address representing the address of the argument.
Read from that address to get the address of the buffer.


Also, MHS shows the addresses of all functions in the target process in the Exports tab of the Helper window of the Disassembler.


L. Spiro

Postby Shynd » Sun Nov 25, 2007 11:22 am

This is what L. Spiro is talking about:
Code:
void On_BP_27(LPVOID lpvAddress, LPPROC_INFO_MHS lpProcInfo)
{
   //EBP+0x0C == 2nd parameter, the pointer to the outgoing buffer (buf)
   extern DWORD packetptr = {"", lpProcInfo->pcContext->Ebp + 0x0C};
   //As L. Spiro pointed out, EBP+0x10 == 3rd parameter, or length
   extern DWORD len = {"", lpProcInfo->pcContext->Ebp + 0x10};
   //buffer to hold the bytes of the packet
   BYTE packet[256] = {0};
   //buffer to hold the packet string we print out
   char packetstr[1024] = {0};
   //never read more than 'packet' can hold: a long send() would overrun it
   DWORD readlen = len;
   if (readlen > 256)
      readlen = 256;
   
   //Read the 2nd parameter--packetptr == EBP+0x0C--from memory into buffer 'packet'
   ReadProcessMemory(GetCurProcessHandle(), (void *)packetptr, &packet, readlen, NULL);
   
   //populate the packet string so we can output it to console
   for (int i = 0; i < readlen; i++)
      SPrintF(&packetstr[(i * 3)], "%02X ", packet[i]);
   
   //output the string to console (len is the full length send() was given)
   PrintF("SEND | % 3i | %s", len, packetstr);
}

Postby mezzo » Mon Nov 26, 2007 9:00 pm

ooh cool, I think I overlooked you guys replying to my post..
I'm trying to understand how you guys get to ebp+0x0C and ebp+0x10.. Gonna just write down what I think you mean, correct me if I'm wrong...

Code:
PUSH EBP
MOV EBP, ESP
SUB ESP X

The first line, pushes the original value of EBP onto the stack.
Second line moves the value of the stack pointer into ebp.
Not a clue what line 3 does.

Anyway, I assume the stack at this point looks something like this:

xxxx original value of EBP (pushed by first instr in call) <= esp and ebp point here
xxxx dunno what this is, is this esi of instr after the call ?? (this is ebp+0x04)
xxxx descriptor of the SOCKET s (ebp+0x08)
xxxx pointer to the packet buffer buf (ebp+0x0C)
xxxx length of the packet, len (ebp+0x10)
xxxx flags of the packet (ebp+0x14)

I rarely use the stack for anything, but seeing that win32 programming uses it a lot, I would very much like to learn how to (ab)use it correctly. Is my basic representation of the stack a bit accurate after this 'send' call?
Or do I need to do some more reading ?

EDIT: Never mind, I found what I needed to know in the pc-asm book under the stack and calling convention chapter.
Nice resource, should anybody need to know anything.
http://www.scs.stanford.edu/05au-cs240c/lab/pcasm-book.pdf

Postby WhiteHat » Mon Nov 26, 2007 11:36 pm

Umm... I'm totally lost here... >.<

Which post is the answer to my question then?
I haven't gotten into scripting again, anyway. Still working on my C.
Kinda hard, because I'm still learning VB now...

Oh, and don't worry about including some assembly lines.
I can read the simple ones pretty well.

Thanks.

Edit:
I've been able to attach a breakpoint to send of WS2_32.dll
from the disassembler, Exports tab. But it breaks for every packet sent...

Now, what am I supposed to do to make it break on a specific packet
(length, hex sequence, etc.)?

Postby Shynd » Tue Nov 27, 2007 12:25 am

When you set the breakpoint on send(), go to the Breakpoints tab of the Disassembler and double-click on the breakpoint you set to modify it. Change it to a Hardware breakpoint and, instead of using Single Step as the callback function, use Script Function.

Then, write a script function like the one I pasted above. That will print out every packet sent plus the length. If you have downloaded MHS4.0.0.7.Test.rar then you can call EnterSingleStep() dependent on the length of the packet or whatever you want. Yes, you'll have to learn some C syntax in order to do it.

Postby L. Spiro » Tue Nov 27, 2007 10:11 am

The entry code for WS2_32.dll:send() is:
Code:
71AB428A | 8BFF    | MOV     EDI, EDI |
71AB428C | 55      | PUSH    EBP      |
71AB428D | 8BEC    | MOV     EBP, ESP |
71AB428F | 83EC 10 | SUB     ESP, 10  |


If you are going to use EBP (and you will since you are checking parameters) you need to breakpoint after EBP has been set up.

EBP is set up on 71AB428D via MOV EBP, ESP.

Therefore you must breakpoint after this instruction (if using software breakpoints) or on it (if using hardware).



mezzo wrote:xxxx dunno what this is, is this esi of instr after the call ?? (this is ebp+0x04)

The address where the thread will go when the function returns.

WhiteHat wrote:But it breaks for every packet sent...

The breakpoint must follow the rules above.
In my WS2_32.dll, 71AB428F is WS2_32.dll+0x428F.
From there you either add a condition (Use Condition checked):
[EBP+0x10] == 0x52 (If the packet length is equal to 0x52, break.)
Or perform verification from within a script as Shynd explained.


L. Spiro
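To make the frame layout and the length condition above concrete, here is an added example (not MHS script and not from any poster in this thread): it decodes a 32-bit send() frame from EBP the way the breakpoint handler does, copies the buffer, prints it in Shynd's SEND | len | hex format, and evaluates a condition such as [EBP+0x10] == 0x52. The stack contents, addresses and the FakeProcessMemory stand-in for ReadProcessMemory are constructed sample data.

```python
import struct

# Offsets from EBP once PUSH EBP / MOV EBP, ESP has executed (32-bit stdcall send()).
FRAME_LAYOUT = {"saved_ebp": 0x00, "return_addr": 0x04, "s": 0x08,
                "buf": 0x0C, "len": 0x10, "flags": 0x14}

class FakeProcessMemory:
    """Constructed stand-in for ReadProcessMemory: base address -> bytes regions."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError("unmapped read at 0x%08X (+%d)" % (addr, size))

    def read_dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

def decode_send_frame(mem, ebp):
    """Read send()'s arguments the way a breakpoint handler does: [EBP+offset]."""
    return {name: mem.read_dword(ebp + off) for name, off in FRAME_LAYOUT.items()}

def read_packet(mem, frame, max_len=256):
    """Copy the outgoing buffer; clamp to the script buffer size so len can't overrun it."""
    return mem.read(frame["buf"], min(frame["len"], max_len))

def format_send_line(frame, packet):
    """Same shape as the thread's PrintF("SEND | % 3i | %s", ...) output."""
    return "SEND | %3d | %s" % (frame["len"], " ".join("%02X" % b for b in packet))

def matches(packet, length=None, byte_checks=()):
    """Breakpoint condition: optional exact length plus (offset, value) byte checks."""
    if length is not None and len(packet) != length:
        return False
    return all(off < len(packet) and packet[off] == val for off, val in byte_checks)

# Constructed sample: EBP, a 0x52-byte buffer and the six dwords of the frame.
EBP, BUF_ADDR = 0x0012FF40, 0x00A31000
PAYLOAD = bytes([0x52, 0x00, 0x01, 0x7F]) + bytes(range(0x52 - 4))
STACK = struct.pack("<6I", 0x0012FF80, 0x00401234, 0x1A4, BUF_ADDR, len(PAYLOAD), 0)
MEM = FakeProcessMemory({EBP: STACK, BUF_ADDR: PAYLOAD})
if __name__ == "__main__":
    frame = decode_send_frame(MEM, EBP)
    pkt = read_packet(MEM, frame)
    print(format_send_line(frame, pkt))
    print("break on [EBP+0x10] == 0x52:", matches(pkt, length=0x52))
```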

Postby mezzo » Tue Nov 27, 2007 5:47 pm

In short, if you want to breakpoint a call and see/mess with the arguments:

1) launch MHS, attach the debugger to the program

2) open the disassembler (ctrl+d)

3) go to the Exports tab, select the module you want, in that module select the call you're interested in, right click, and set breakpoint

4) run the program or trigger the Breakpoint (for whatever call you want to do)

5) When the breakpoint hits, you will be in 'singlestep mode', probably on a CALL NEAR XXXXX. Press F7 to trace into the call.

6) Single step about 3 instructions or so ( F7 or F8 ) until you reach the instruction after MOV EBP,ESP.
(This instruction (mov ebp,esp) makes a copy of the stack pointer, so that things can be pushed onto the stack, but we still have a valid pointer in ebp)

7) On the instruction after the MOV EBP,ESP set a new onexecute breakpoint. This breakpoint is the ideal one to use to see all the parameters pushed onto the stack. To see which parameters, refer to the win32.hlp file or any API help file you have, if it's not a WIN32 api call, you might be on your own to figure out the parameters. Anyway, all the parameters to this call WILL be on the stack. Either in plain form or in a pointer. (if you do create this second breakpoint and attach a script, you may want to switch off the initial breakpoint that does the single step, you don't need it right now, you can always breakpoint the call in the exports tab should you need it again.)

8) A simple example of what you can do is Shynd's 'void On_BP_27' example above. I for one did all the above steps and used his script (void On_BP_27) on an IRC client, and what do you know, I saw the raw HEX values for all the 'commands' and text that I send to the IRC server...

Shynd, L.Spiro, if I got anything wrong, don't hesitate to correct me.
And thanks for explaining it to me.. Pretty sure I got it now :-)

Everybody that wants to know a bit more, check out the PC Assembler book by Paul A Carter, it's a free download. Check topic 4.3 The stack, 4.4 The CALL and RET instructions and 4.5 Calling conventions. This guy has a solid C background and explains the assembler behind it. It nicely explains how the stack is used to pass parameters to calls and so on..
The book is at the bottom of the page.

Postby L. Spiro » Tue Nov 27, 2007 6:40 pm

In regards to 5, when the break is hit you will already be inside the API function you breakpointed.

You use the list to set a breakpoint on an API function. It is faster to use the list to go to the API function and just set the breakpoint a few instructions down (rather than setting one at the start and waiting for it to break and setting another).


This will all be automatable in MHS 4.0.0.7 (scripts to get the API function address and set breakpoints and start the debugger), coming probably tomorrow.


L. Spiro

Postby mezzo » Tue Nov 27, 2007 7:59 pm

L. Spiro wrote:In regards to 5, when the break is hit you will already be inside the API function you breakpointed.

You use the list to set a breakpoint on an API function. It is faster to use the list to go to the API function and just set the breakpoint a few instructions down (rather than setting one at the start and waiting for it to break and setting another).

Oops. hehe, I played with it last night and only wrote this when I got to work today.. couldn't quite remember exactly.. thanks for the correction

L. Spiro wrote:This will all be automatable in MHS 4.0.0.7 (scripts to get the API function address and set breakpoints and start the debugger), coming probably tomorrow.


ooh goodie :D take your time, we will be waiting right here :lol:

Postby fabsyi » Tue Nov 27, 2007 8:08 pm

mezzo wrote:
Code:
PUSH EBP
MOV EBP, ESP
SUB ESP X

The first line, pushes the original value of EBP onto the stack.
Second line moves the value of the stack pointer into ebp.
Not a clue what line 3 does.

The third line is used to reserve space on the stack, normally used for the local variables of the function.

mezzo wrote:xxxx dunno what this is, is this esi of instr after the call ?? (this is ebp+0x04)

This is actually the eip of the instruction following the call, it is pushed onto the stack automatically as part of the 'call' instruction.