Intro:
Tutorial by: thong aka Paul of team [Limited edition] @ www.gamehackers.net //
USEast.Battle.net OP Obsolete
Type of tutorial: Advanced FYI (For Your Information)
Main focus of tutorial: To create a packet sender for Diablo II LoD V1.10 *AND* hopefully give you (The reader) a better understanding of what Packet DASM is and how to write your very own packet sender for D2 or other gaming titles!
Skills required: An understanding of SoftICE, x86 ASM and a brain!
Tools used: SoftICE, WDASM, DHack, Notepad, WPE Pro and a brain
First, this is the second tutorial I've written covering the topic of "Packet DASM" using Diablo II LoD as our game of choice to reverse engineer. This tutorial will be very similiar to my previous one, but with a few different twists because the programmers of the new V1.10 patch have updated quite a few things in the packeting send()'ing process! Nothing that we can't overcome though!
... Lets go ahead and start this project!
Some information about Diablo 2 LoD:
- This game does not use encrypted data packets for send(), in-game! Keep this in mind if you plan to apply this tutorial to games that are using encrypted packets in-game. I'm frequently asked how to decrypt packet data that is encrypted on some of these odd ball games, such as Prince of Qin Online and it's frustrating for me to give an answer to this question because of all the unknowns.
Each game is different on how things are done, but because a packet is generated using an encryption technique within the game code it CAN be found and CAN be reversed. It's just a matter of extra backtracing and stepping. The principles used in this tutorial can help aid you in your quest, but only to a certain degree; most of the time locating packet building processes before they are
encrypted require alot of time tracing AND guessing, especially if there isn't any documentation on the game code. IE: Open Source or some other game hacker released a packet reference to decrypted data from his/her own efforts. So fair warning, if you aren't the type of person who can spend hours and hours, possibly even months, in game code trying to understand how it works you should
bail out now! Making packet senders aren't for you!
I)
There are several ways to locate WSOCK32 send() functions within a game. Here are some that are more commonly used:
Step 1.) The first thing I did was fire up Diablo 2 LoD and joined/created a game.
Step 2.) Next, I ran SoftICE's Symbol Loader. (Remember to load SoftICE first if you're on NT!)
Step 3.) Loaded WSOCK32.dll in SoftICE's Symbol Loader.
Step 4.) Returned to my Diablo II LoD game.
Step 5.) Ctrl+D into SoftICE! -> addr Game
Step 6.) From SoftICE's command line I type'd: bpx send
Step 7.) Returned to Diablo 2 LoD
Step 8.) Toggled my gear with the "w" key!
Step 9.) SoftICE pops up. Press F11!
Step 9.) SoftICE pops up here:
D2Net.dll
* Reference To: WSOCK32.send, Ord:0013h
|
:6FC017BE FF158C71C06F Call dword ptr [6FC0718C]
:6FC017C4 83F8FF cmp eax, FFFFFFFF
:6FC017C7 7535 jne 6FC017FE
[ECX] stores the packet! In SoftICE type: d ecx
AL and BL stores the packet length!
Step 10.) After typing "d ecx" in SoftICE, you'll notice [ECX] stores the following:
60 00 XX XX XX XX ...
And AL and BL have the following value:
00000001
We can now assume that the following is the syntax for toggling gear with the "w" key:
60 [No trailing 00 is required because the length is only 1 byte! Besides, I believe the D2 client adds trailing 00's.]
Step 11.) Now, for testing purposes you can "bpx 6FC017BE" from SoftICE and preform various actions. For every action that you do in-game that sends ANY data what-so-ever to others SoftICE will pop up at 6FC017BE and you can view that packet in [ECX] and length of that packet in AL or BL.
6FC017BE is a very useful address to us!
Side note:
If SoftICE pops up without you doing anything after setting a breakpoint at 6FC017BE, chances are your client is sending an auto-update out, which is on a timer!
The packet type for the client update is 0x6C and its routine can be found here in the D2Client.dll:
* Reference To: KERNEL32.GetTickCount, Ord:0186h
:6FAAD3B4 8B3514DFB66F mov esi, dword ptr [6FB6DF14]
:6FAAD3BA FFD6 call esi
:6FAAD3BC 8B15F079BA6F mov edx, dword ptr [6FBA79F0]
:6FAAD3C2 8BC8 mov ecx, eax
:6FAAD3C4 2BCA sub ecx, edx
:6FAAD3C6 81F988130000 cmp ecx, 00001388
:6FAAD3CC 7243 jb 6FAAD411
:6FAAD3CE A3F079BA6F mov dword ptr [6FBA79F0], eax
:6FAAD3D3 C64424046C mov [esp+04], 6C <----- Client update packet type / Keepalive
:6FAAD3D8 FFD6 call esi
:6FAAD3DA 89442405 mov dword ptr [esp+05], eax
:6FAAD3DE E8FDC6FFFF call 6FAA9AE0
:6FAAD3E3 8D542404 lea edx, dword ptr [esp+04]
:6FAAD3E7 6A09 push 00000009 <----- Packet length = 9 bytes
:6FAAD3E9 52 push edx
:6FAAD3EA D1E8 shr eax, 1
:6FAAD3EC 6A00 push 00000000
:6FAAD3EE 89442415 mov dword ptr [esp+15], eax
:6FAAD3F2 E811EA0B00 Call 6FB6BE08 <----- Call a send() for auto-update!
The other technique used to locate send() fuctions within the game, other than the stated above method, is to load the game files into WDASM. From WDASM you will click on the "Imports" button on the toolbar. Once the Import Functions table loads locate AND double click on the following:
WSOCK32.send
Using the above example load D2Net.dll into WDASM. Goto Import Functions table. Locate and double click on WSOCK32.send.
WDASM will take you to the following code:
* Reference To: WSOCK32.send, Ord:0013h
:6FC017BE FF158C71C06F Call dword ptr [6FC0718C]
Some people will say that the WDASM technique is alot easier than the SoftICE
Tutorial by: thong aka Paul of team [Limited edition] @ www.gamehackers.net //
USEast.Battle.net OP Obsolete
Type of tutorial: Advanced FYI (For Your Information)
Main focus of tutorial: To create a packet sender for Diablo II LoD V1.10 *AND* hopefully give you (The reader) a better understanding of what Packet DASM is and how to write your very own packet sender for D2 or other gaming titles!
Skills required: An understanding of SoftICE, x86 ASM and a brain!
Tools used: SoftICE, WDASM, DHack, Notepad, WPE Pro and a brain
First, this is the second tutorial I've written covering the topic of "Packet DASM" using Diablo II LoD as our game of choice to reverse engineer. This tutorial will be very similiar to my previous one, but with a few different twists because the programmers of the new V1.10 patch have updated quite a few things in the packeting send()'ing process! Nothing that we can't overcome though!
... Lets go ahead and start this project!
Some information about Diablo 2 LoD:
- This game does not use encrypted data packets for send(), in-game! Keep this in mind if you plan to apply this tutorial to games that are using encrypted packets in-game. I'm frequently asked how to decrypt packet data that is encrypted on some of these odd ball games, such as Prince of Qin Online and it's frustrating for me to give an answer to this question because of all the unknowns.
Each game is different on how things are done, but because a packet is generated using an encryption technique within the game code it CAN be found and CAN be reversed. It's just a matter of extra backtracing and stepping. The principles used in this tutorial can help aid you in your quest, but only to a certain degree; most of the time locating packet building processes before they are
encrypted require alot of time tracing AND guessing, especially if there isn't any documentation on the game code. IE: Open Source or some other game hacker released a packet reference to decrypted data from his/her own efforts. So fair warning, if you aren't the type of person who can spend hours and hours, possibly even months, in game code trying to understand how it works you should
bail out now! Making packet senders aren't for you!
I)
There are several ways to locate WSOCK32 send() functions within a game. Here are some that are more commonly used:
Step 1.) The first thing I did was fire up Diablo 2 LoD and joined/created a game.
Step 2.) Next, I ran SoftICE's Symbol Loader. (Remember to load SoftICE first if you're on NT!)
Step 3.) Loaded WSOCK32.dll in SoftICE's Symbol Loader.
Step 4.) Returned to my Diablo II LoD game.
Step 5.) Ctrl+D into SoftICE! -> addr Game
Step 6.) From SoftICE's command line I type'd: bpx send
Step 7.) Returned to Diablo 2 LoD
Step 8.) Toggled my gear with the "w" key!
Step 9.) SoftICE pops up. Press F11!
Step 9.) SoftICE pops up here:
D2Net.dll
* Reference To: WSOCK32.send, Ord:0013h
|
:6FC017BE FF158C71C06F Call dword ptr [6FC0718C]
:6FC017C4 83F8FF cmp eax, FFFFFFFF
:6FC017C7 7535 jne 6FC017FE
[ECX] stores the packet! In SoftICE type: d ecx
AL and BL stores the packet length!
Step 10.) After typing "d ecx" in SoftICE, you'll notice [ECX] stores the following:
60 00 XX XX XX XX ...
And AL and BL have the following value:
00000001
We can now assume that the following is the syntax for toggling gear with the "w" key:
60 [No trailing 00 is required because the length is only 1 byte! Besides, I believe the D2 client adds trailing 00's.]
Step 11.) Now, for testing purposes you can "bpx 6FC017BE" from SoftICE and preform various actions. For every action that you do in-game that sends ANY data what-so-ever to others SoftICE will pop up at 6FC017BE and you can view that packet in [ECX] and length of that packet in AL or BL.
6FC017BE is a very useful address to us!
Side note:
If SoftICE pops up without you doing anything after setting a breakpoint at 6FC017BE, chances are your client is sending an auto-update out, which is on a timer!
The packet type for the client update is 0x6C and its routine can be found here in the D2Client.dll:
* Reference To: KERNEL32.GetTickCount, Ord:0186h
:6FAAD3B4 8B3514DFB66F mov esi, dword ptr [6FB6DF14]
:6FAAD3BA FFD6 call esi
:6FAAD3BC 8B15F079BA6F mov edx, dword ptr [6FBA79F0]
:6FAAD3C2 8BC8 mov ecx, eax
:6FAAD3C4 2BCA sub ecx, edx
:6FAAD3C6 81F988130000 cmp ecx, 00001388
:6FAAD3CC 7243 jb 6FAAD411
:6FAAD3CE A3F079BA6F mov dword ptr [6FBA79F0], eax
:6FAAD3D3 C64424046C mov [esp+04], 6C <----- Client update packet type / Keepalive
:6FAAD3D8 FFD6 call esi
:6FAAD3DA 89442405 mov dword ptr [esp+05], eax
:6FAAD3DE E8FDC6FFFF call 6FAA9AE0
:6FAAD3E3 8D542404 lea edx, dword ptr [esp+04]
:6FAAD3E7 6A09 push 00000009 <----- Packet length = 9 bytes
:6FAAD3E9 52 push edx
:6FAAD3EA D1E8 shr eax, 1
:6FAAD3EC 6A00 push 00000000
:6FAAD3EE 89442415 mov dword ptr [esp+15], eax
:6FAAD3F2 E811EA0B00 Call 6FB6BE08 <----- Call a send() for auto-update!
The other technique used to locate send() fuctions within the game, other than the stated above method, is to load the game files into WDASM. From WDASM you will click on the "Imports" button on the toolbar. Once the Import Functions table loads locate AND double click on the following:
WSOCK32.send
Using the above example load D2Net.dll into WDASM. Goto Import Functions table. Locate and double click on WSOCK32.send.
WDASM will take you to the following code:
* Reference To: WSOCK32.send, Ord:0013h
:6FC017BE FF158C71C06F Call dword ptr [6FC0718C]
Some people will say that the WDASM technique is alot easier than the SoftICE
