The Power of MHS: Generic Packet Sniffer/Editor


Postby mezzo » Tue Dec 04, 2007 4:00 am

Yeah, my penny dropped 10 hours too late :p
- No thanks, I already have a penguin -

Postby TehTitaNiuM » Fri Dec 28, 2007 10:32 pm

[...]"Click the + button, then scroll down until you see send. Right-click on send and choose Goto Function." Right after I click on Goto Function, MHS shuts down. Bad settings, my fault or a bug?

Postby L. Spiro » Sat Dec 29, 2007 6:00 pm

My reply is days late because of my faggot Internet at my apartment which allows me to view but not post thanks to their retarded router settings which they refuse to fix after my numerous complaints (time for a new apartment).

So I had to walk out of my room, down the road, and pay money at an Internet café even though I already pay money for Internet in my room.

And all of this just to answer, “I could not reproduce this problem.”

And now onto the point:

I could not reproduce this problem.


L. Spiro

Postby g3nuin3 » Sat Dec 29, 2007 11:08 pm

Perhaps the function it's going to is 'out of range'.

Postby Zyphyr » Sun Feb 10, 2008 12:37 pm

Having trouble with the 1st part of the tut.

I got to the compile, then setting the breakpoint in the debugger.

Except when I do something in the game, no packets/info displays in the code editor.

Is there some sort of setting, or did I just do something wrong?

Postby L. Spiro » Sun Feb 10, 2008 2:59 pm


Postby Zyphyr » Sun Feb 10, 2008 9:15 pm

OK... I'll try again later, but I think that's the same one I was using before.

Postby L. Spiro » Sun Feb 10, 2008 10:22 pm

Be sure the Debugger is actually active.

Be sure the game is sending packets with the function you expect at the times you expect it.


L. Spiro

Postby Zyphyr » Sun Feb 10, 2008 10:32 pm

Will all games send packets with the same address as in the tutorial? Or is it different for each game?

Postby L. Spiro » Sun Feb 10, 2008 11:51 pm

There are two primary packet-sending libraries but the tutorial covers both.

Refer to the EDIT section. Don’t bother wasting time and risking error by adding the breakpoints manually. Just use scripts to get the addresses and set the breakpoints.

For that you will need the file in the link I gave above.


L. Spiro

Postby erichumale » Mon Feb 11, 2008 12:51 am

We're going to be breakpointing on the fourth line, SUB ESP, 10. Whether we use a Hardware or Software breakpoint, the stack will be aligned by the time the breakpoint is hit and an aligned stack means we'll have no problem getting the parameters off of it. At 71AB428F, the stack looks like this:
EBP+0x00: Old EBP
EBP+0x04: Return Address of Calling Function
EBP+0x08: Parameter 1 -- socket
EBP+0x0C: Parameter 2 -- packet buffer
EBP+0x10: Parameter 3 -- length
EBP+0x14: Parameter 4 -- flags
etc...

So, to grab the 2nd and 3rd parameters, we have to read EBP+0x08 and EBP+0x0C. First, let's set up the function that will handle this breakpoint, then we'll compile and set the breakpoint.

(script here)



It's rather well commented, but just so we're clear: if you want to compare the packet to something or change the packet around, you'd do so directly after the ReadProcessMemory call. Make any changes to byte array packet as you want, then WriteProcessMemory(GetCurProcessHandle(), (void *)ptr, packet, len, NULL);.

Save the script as whatever you want. Choose File -> Add to Scripts. Either hit [F5] or click the Compile button in the bottom-right.

Now, to set the breakpoint, go back to the Disassembler window and right-click on the line that says SUB ESP, 10. Choose Breakpoints -> Add Breakpoint Here. Put in a name that reminds you that this is the WS2_32:send() breakpoint (the name doesn't actually matter at all). Make sure both On Execute and Hardware are selected/checked. Set the Callback Function to Script Function by choosing it out of the dropdown box; make sure to set the Parm for Callback Function to 1 (note: the function we wrote is called On_BP_1, which is why the Parm for Callback Function needs to be 1 as well).


Um.. I don't get these bits =S How do I compile the script? I've been looking for it for so long and still can't find it. And how do we save it? Which way do we save it to compile it?

Also, how do I look at the stacks?
I can't see these:
EBP+0x00: Old EBP
EBP+0x04: Return Address of Calling Function
EBP+0x08: Parameter 1 -- socket
EBP+0x0C: Parameter 2 -- packet buffer
EBP+0x10: Parameter 3 -- length
EBP+0x14: Parameter 4 -- flags

Postby L. Spiro » Mon Feb 11, 2008 1:05 am

Um.. I don't get these bits =S How do I compile the script?

Read the help file.
Alt-T/R to load the Script Editor.
Ctrl-N to make a new file.
Put code into it.
Ctrl-D to add it to the scripts.
F5 to compile.


Also, how do I look at the stacks?
I can't see these:
EBP+0x00: Old EBP
EBP+0x04: Return Address of Calling Function
EBP+0x08: Parameter 1 -- socket
EBP+0x0C: Parameter 2 -- packet buffer
EBP+0x10: Parameter 3 -- length
EBP+0x14: Parameter 4 -- flags

Read the code in the tutorial. It has:
Code:
   //EBP+0x0C == 2nd parameter, or a pointer to the packet
   extern DWORD ptr = {"", lpProcInfo->pcContext->Ebp + 0x0C};

lpProcInfo->pcContext->Ebp + 0x0C is the key.

Use this to view/edit the registers.
By the way, if this is being used on Maple Story it will not work; you can not debug that game.


L. Spiro
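As an added example (not from the tutorial, from MHS, or from any poster in this thread): C code that decodes the argument frame of a 32-bit stdcall send(SOCKET, const char *buf, int len, int flags) from a stack snapshot taken once the prologue (PUSH EBP / MOV EBP, ESP) has run. This is the EBP+0x08 .. EBP+0x14 table quoted in erichumale's post and the EBP+0x0C that L. Spiro's script line indexes; the example generalizes the table to the formula "n-th dword argument lives at EBP + 4 + 4n". The stack bytes are constructed sample data, and the struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded send() frame, laid out exactly as the thread lists it relative to EBP.
   (Hypothetical type for this example; not an MHS or Winsock definition.) */
typedef struct {
    uint32_t old_ebp;      /* EBP+0x00: saved EBP of the caller */
    uint32_t return_addr;  /* EBP+0x04: return address into the caller */
    uint32_t sock;         /* EBP+0x08: parameter 1, socket */
    uint32_t buf;          /* EBP+0x0C: parameter 2, pointer to the packet */
    uint32_t len;          /* EBP+0x10: parameter 3, length */
    uint32_t flags;        /* EBP+0x14: parameter 4, flags */
} send_frame_t;

/* Offset from EBP of the n-th (1-based) stack argument: skip the saved EBP and
   the return address (8 bytes), then 4 bytes per dword argument. */
size_t param_offset(unsigned n) { return 4 + 4 * (size_t)n; }

/* Read a little-endian 32-bit value from a byte buffer. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* stack points at the byte EBP addresses; stack_len is how many bytes of the
   snapshot are available. Returns 0 on success, -1 if the snapshot is too
   short to hold all four arguments (the failure mode a script should check
   before trusting the decoded pointer and length). */
int decode_send_frame(const uint8_t *stack, size_t stack_len, send_frame_t *out) {
    if (stack_len < param_offset(4) + 4) return -1;
    out->old_ebp     = rd32(stack + 0x00);
    out->return_addr = rd32(stack + 0x04);
    out->sock        = rd32(stack + param_offset(1));
    out->buf         = rd32(stack + param_offset(2));
    out->len         = rd32(stack + param_offset(3));
    out->flags       = rd32(stack + param_offset(4));
    return 0;
}

/* Constructed stack snapshot (sample data, not captured from any program):
   saved EBP 0x0012FF80, return address 0x00401234, socket 0x1A4,
   buffer pointer 0x00A3F120, length 14, flags 0. */
static const uint8_t sample_stack[0x18] = {
    0x80, 0xFF, 0x12, 0x00,   0x34, 0x12, 0x40, 0x00,
    0xA4, 0x01, 0x00, 0x00,   0x20, 0xF1, 0xA3, 0x00,
    0x0E, 0x00, 0x00, 0x00,   0x00, 0x00, 0x00, 0x00,
};

/* Decode the sample and return the packet length, or -1 on failure. */
int sample_packet_len(void) {
    send_frame_t f;
    if (decode_send_frame(sample_stack, sizeof sample_stack, &f) != 0) return -1;
    return (int)f.len;
}

int main(void) {
    send_frame_t f;
    if (decode_send_frame(sample_stack, sizeof sample_stack, &f) != 0) return 1;
    printf("socket=%#x buf=%#010x len=%u flags=%u\n",
           (unsigned)f.sock, (unsigned)f.buf, (unsigned)f.len, (unsigned)f.flags);
    return 0;
}
```

The length-check before decoding is the part worth copying into a real breakpoint script: a buffer pointer and length read from the frame are only as trustworthy as the frame itself, so validate what you read before passing it to a memory read or write.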

Postby erichumale » Mon Feb 11, 2008 1:18 am

Oh, I'm just using it on Maple Story lol
Damn, now that sucks...
Would there be any tut to create a packet editor that is undetected? Or won't be detected?

Postby L. Spiro » Mon Feb 11, 2008 1:49 am

It can always be detected.

In this case because all debuggers can be detected.


But perhaps (no guarantee) MHS will not be detected in the future. I suspect it can still be “broken” even if not detected.


L. Spiro

Postby Zyphyr » Mon Feb 11, 2008 3:30 am

If you can't debug Maple, can this tut still let you packet edit/sniff its packets?
