
PostPosted: Sun Nov 09, 2008 4:57 pm
by L. Spiro
Lodrik wrote: How did you find 'EBP+0x00;
EBP+0x04;
EBP+0x08;
EBP+0x0c;
EBP+0x10;
EBP+0x14'?


This is how you get the parameters to any function.
They are in the same order as they are passed to the function, so all you need is to know the parameters, which are listed on the MSDN.


Lodrik wrote: Is it the same in sendto, recvto and WSASend functions?


The same on any function.


Lodrik wrote: How did you find out where the breakpoint has to be set?
Did you look for a specific piece of code or is it just random?


The breakpoint has to be set at the start of the function as soon as the stack has been realigned.


Lodrik wrote: How do we know when the stack gets realigned?


When you see a line containing SUB ESP or ENTER.


L. Spiro

PostPosted: Sun Nov 09, 2008 7:34 pm
by Lodrik
Thanks for your answers, I just have some more questions left. :)

The breakpoint has to be set at the start of the function as soon as the stack has been realigned.


Does it need to be exactly on SUB ESP or ENTER or may it be at any line after these commands?
Also what can we do if there are not any SUB ESP or ENTER in the function?

Also, what does the stack tab display in MHS's disassembler, and how do I activate it?

PostPosted: Sun Nov 09, 2008 10:35 pm
by L. Spiro
#1: It can be anywhere as long as EBP has been set. The obvious reason people set it to the line after EBP is set is because anywhere else there is a chance the code will not go there (JMP around it) or the parameters have been modified.

#2: It shows you the stack. Single-step through some code to see it.


L. Spiro
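The two answers above (parameters at EBP+0x08, EBP+0x0C, ... and the breakpoint going just after EBP is set) follow from how a 32-bit stdcall/cdecl call lays out the stack. The following is an added illustration, not code from the thread or from MHS: it models the stack as an array of 4-byte slots, replays the argument pushes, the CALL, and the PUSH EBP / MOV EBP,ESP / SUB ESP,n prologue for a recv(s, buf, len, flags) call, and then reads the slots back at [EBP+offset]. The socket handle, buffer address, return address and caller EBP values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 32-bit x86 stack (an array of 4-byte slots that
 * grows toward lower indices), not real process memory. It replays what
 * happens on a stdcall/cdecl call such as recv(s, buf, len, flags):
 *   caller pushes arguments right to left
 *   CALL pushes the return address
 *   callee prologue: PUSH EBP / MOV EBP,ESP  (frame is now set up)
 *   callee prologue: SUB ESP,n              (locals, below EBP)
 * After MOV EBP,ESP the argument slots sit at fixed offsets above EBP,
 * which is why [EBP+8], [EBP+0xC], ... hold the parameters in order. */

#define STACK_SLOTS 64

typedef struct {
    uint32_t slots[STACK_SLOTS];
    int esp;  /* index of the slot ESP points at */
    int ebp;  /* index of the slot EBP points at, -1 until the prologue ran */
} model_stack_t;

static void model_init(model_stack_t *st) {
    memset(st, 0, sizeof *st);
    st->esp = STACK_SLOTS;  /* empty stack: ESP one past the last slot */
    st->ebp = -1;
}

static void model_push(model_stack_t *st, uint32_t v) {
    st->esp--;
    st->slots[st->esp] = v;
}

/* Emulate CALL into a function with nargs 32-bit arguments followed by
 * the standard prologue. Afterwards st->ebp is what a breakpoint placed
 * just after MOV EBP,ESP (or ENTER) would see in EBP. */
static void model_call(model_stack_t *st, const uint32_t *args, int nargs,
                       uint32_t ret_addr, uint32_t caller_ebp, int locals_bytes) {
    for (int i = nargs - 1; i >= 0; i--)
        model_push(st, args[i]);        /* arguments, right to left */
    model_push(st, ret_addr);           /* CALL */
    model_push(st, caller_ebp);         /* PUSH EBP */
    st->ebp = st->esp;                  /* MOV EBP,ESP: frame established */
    st->esp -= locals_bytes / 4;        /* SUB ESP,n: locals go below EBP, args untouched */
}

/* Read the dword at [EBP + byte_offset]; offsets must be multiples of 4. */
static uint32_t model_read_ebp(const model_stack_t *st, int byte_offset) {
    return st->slots[st->ebp + byte_offset / 4];
}

/* Offset from EBP of parameter n (0-based): saved EBP at +0, return
 * address at +4, so parameter n is at +8 + 4n. */
static int param_offset(int n) {
    return 8 + 4 * n;
}

/* Build one frame for recv(s, buf, len, flags) with constructed values
 * (socket handle, buffer address, length, flags, return address, caller
 * EBP) and return the dword at [EBP + byte_offset]. */
static uint32_t recv_frame_slot(int byte_offset) {
    const uint32_t args[4] = { 0x000001F4u, 0x0012FF00u, 4096u, 0u };
    model_stack_t st;
    model_init(&st);
    model_call(&st, args, 4, 0x00401234u, 0x0012FFC0u, 32);
    return model_read_ebp(&st, byte_offset);
}

int main(void) {
    const char *names[] = { "saved EBP", "return address", "s", "buf", "len", "flags" };
    for (int i = 0; i < 6; i++)
        printf("[EBP+0x%02X] = 0x%08X  (%s)\n", 4 * i, recv_frame_slot(4 * i), names[i]);
    return 0;
}
```

The model also shows why the breakpoint can sit anywhere after MOV EBP,ESP: SUB ESP,n only moves ESP, so the parameter slots above EBP keep the same offsets until the function returns.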

PostPosted: Thu Feb 05, 2009 5:12 am
by LIVEAID
Hey all, I went with the "automation" method and tried to add the script, but I got this error:


Code:
ERROR: Line: 4 Undeclared identifier (wsock32_recv).  File: C:\Documents and Settings\MyPC\Desktop\SNIFFER.lss
ERROR: Line: 41 Unable to compile function.  File: C:\Documents and Settings\MyPC\Desktop\SNIFFER.lss



someone help please?


Live

PostPosted: Thu Feb 05, 2009 7:47 am
by L. Spiro
wsock32_recv is not a script function.
If you want its address, do as the tutorial suggests:
Code:
ws2_32_recv = GetRemoteFuncAddress("WS2_32.dll", "recv");



L. Spiro

Re: The Power of MHS: Generic Packet Sniffer/Editor

PostPosted: Tue Mar 02, 2010 2:40 am
by DrGamut
The buffer is not populated with the bytes of the packet of information until right before the function returns, so we can't just breakpoint at the start of the function.


Hi, I'm trying to write a winsock packet editor in C++. I have a DLL that injects into a running process and hooks ws2_32.dll's send() and recv() using Microsoft Detours 2.1.

It works, but I cannot modify the buffer used by recv(). Rather, the buffer parameter passed to recv() is populated with bytes, but modifying them at this stage is entirely inconsequential and the process seems to get the original data.

Is there any advice for me on how I would go about modifying the buffer used by recv() in my DLL, since I'm not using the debugger/breakpoint method as described in this thread? I can't seem to find information on this, and the only winsock packet editors I know of are not open source.

Re: The Power of MHS: Generic Packet Sniffer/Editor

PostPosted: Tue Mar 02, 2010 5:22 am
by DrGamut
Nevermind, I figured it out. You simply have to set the buffer AFTER calling the original recv() from your hook function.
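The ordering DrGamut ran into (recv() fills the buffer only just before it returns, so a hook must forward the call first and look at the buffer afterwards) can be shown without Windows, Detours or a real socket. The following is an added illustration, not code from the thread or from MHS: it uses a recv-shaped function pointer, a constructed stand-in for the original recv() that copies a sample payload into the buffer, and a hook that records what the buffer held before and after forwarding the call. The SOCKET parameter is modelled as an int and the payload bytes are constructed; in a real detour the real_recv pointer would be the trampoline to ws2_32's recv.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the hook scenario in the post: a recv-shaped
 * function pointer, a fake "original recv" that fills the buffer, and a
 * hook that records what the buffer contains before and after forwarding
 * the call. SOCKET is modelled as an int so this runs outside Windows;
 * no real Detours or ws2_32 code is involved. */

typedef int (*recv_fn)(int s, char *buf, int len, int flags);

/* Constructed sample payload the fake original delivers. */
static const char SAMPLE_PACKET[] = "\x01\x02HELO";

static int fake_original_recv(int s, char *buf, int len, int flags) {
    (void)s; (void)flags;
    int n = (int)sizeof SAMPLE_PACKET - 1;
    if (n > len) n = len;
    memcpy(buf, SAMPLE_PACKET, n);  /* data lands here, just before return */
    return n;
}

/* Detours would point this at the trampoline to the real recv. */
static recv_fn real_recv = fake_original_recv;

/* What the hook observed on the last call. */
typedef struct {
    int nonzero_before;   /* payload bytes present before forwarding (0 for a zeroed buffer) */
    int bytes_returned;   /* return value of the real recv */
    char hex_after[64];   /* hex of the received bytes, captured after the real call */
} hook_record_t;

static hook_record_t last;

static void hexdump(const unsigned char *p, int n, char *out, size_t outsz) {
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < n && used + 3 < outsz; i++)
        used += (size_t)snprintf(out + used, outsz - used, i ? " %02x" : "%02x", (unsigned)p[i]);
}

static int count_nonzero(const char *p, int n) {
    int c = 0;
    for (int i = 0; i < n; i++) c += p[i] != 0;
    return c;
}

/* The detour. Anything done to buf before real_recv runs is overwritten by
 * the copy inside recv; inspection (or, as in the post, editing) has to
 * happen after the call returns. */
static int hooked_recv(int s, char *buf, int len, int flags) {
    last.nonzero_before = count_nonzero(buf, len);
    int ret = real_recv(s, buf, len, flags);   /* forward to the original first */
    last.bytes_returned = ret;
    if (ret > 0)
        hexdump((const unsigned char *)buf, ret, last.hex_after, sizeof last.hex_after);
    else
        last.hex_after[0] = '\0';
    return ret;
}

/* Simulate the application calling recv through the patched entry point
 * with a zeroed 64-byte buffer; returns recv's return value. */
static int demo_call(void) {
    char buf[64];
    memset(buf, 0, sizeof buf);
    return hooked_recv(7, buf, (int)sizeof buf, 0);
}

int main(void) {
    int n = demo_call();
    printf("before forwarding: %d payload bytes visible\n", last.nonzero_before);
    printf("after forwarding:  %d bytes returned: %s\n", n, last.hex_after);
    return 0;
}
```

The record shows zero payload bytes before the forward and the full payload after it, which is the same observation as the quoted tutorial line about the buffer only being populated right before the function returns; the same hook shape is what an inspection or logging layer uses to see received data without relying on a debugger breakpoint.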