Non Game Specific
General packet editing, general questions and help about multiplayer gamehacking. Any other game goes in here.

#1 OsQu (Member, 32-Bit Member; Posts: 87; Join Date: Sep 2006; Location: Finland)
Sending packet to the client WITHOUT proxy - 07-19-2007, 12:13 AM

Heya!

Does someone know how to send a packet to the client program without a proxy? I'm hooking the recv() and send() functions so I can catch packets, and I can also send packets to the server (just calling the original send() function), but I have really big problems with sending packets to the client. Does someone have any advice on where to start exploring info about that? I'm a bit lost now about what to do.

OsQu
  
#2 Frit0 (n00bie, 16-Bit Member; Posts: 20; Join Date: Apr 2007)
07-19-2007, 09:16 PM

Code:

#include <winsock2.h>
#include <windows.h>
#include "detours.h"
#pragma comment( lib, "WSOCK32.lib" )

typedef int (WINAPI *t_send)(SOCKET, char *, int, int);
typedef int (WINAPI *t_recv)(SOCKET, char *, int, int);

//Globals
t_send o_send;
t_recv o_recv;
SOCKET mysocket;//This will hold our socket

//Hooking original recv() with Myrecv func
int WINAPI Myrecv(SOCKET s, char *buf, int len, int flags)
{
    mysocket = s;//adding socket to our global
    return o_recv(s, buf, len, flags);
}

//Hooking original send() with Mysend func
int WINAPI Mysend(SOCKET s, char *buf, int len, int flags)
{
    return o_send(s, buf, len, flags);
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID vpReserved)
{
    if (ulReason == DLL_PROCESS_ATTACH)
    {
        //Setting our hooks
        o_recv = (t_recv)DetourFunction((PBYTE)GetProcAddress(GetModuleHandle("ws2_32.dll"), "recv"), (PBYTE)Myrecv);
        o_send = (t_send)DetourFunction((PBYTE)GetProcAddress(GetModuleHandle("ws2_32.dll"), "send"), (PBYTE)Mysend);
    }

    //Every path returns a value, including DLL_PROCESS_DETACH
    return TRUE;
}

Then you can call send from anywhere in your code.

send(mysocket,packet,packet_size,0);

Last edited by Frit0; 07-19-2007 at 09:32 PM..
  
#3 OsQu
07-20-2007, 11:40 PM

If I get it right, that send(mysocket..) is the function in ws2_32.dll? But in my program (Tibia) it's using the same socket when sending and receiving packets. So.. when I call send(mysocket, ...) I think I'm gonna send that packet to the server. But I need to check that. Your style looks interesting.

Last edited by OsQu; 07-20-2007 at 11:51 PM..
  
#4 Frit0
07-21-2007, 12:06 AM

Oh, are you trying to send packets to yourself?

Last edited by Frit0; 07-21-2007 at 02:03 AM..
  
#5 OsQu
07-21-2007, 12:11 AM

Yep. To the client. I can send them to the server. (Same way you are doing it). Any ideas about that?
  
#6 Frit0
07-21-2007, 02:04 AM

...Ah OK, I'm sorry, I understood wrong... Sending packets to yourself is tricky, but here is how I do it. I hook WSARecv(), which I'm sure Tibia uses; you can add this to the above code I posted.

Code:

#include <winsock2.h>
#include <windows.h>
#include <string.h>
#include "detours.h"
#pragma comment( lib, "WSOCK32.lib" )

typedef int (WINAPI *t_wrecv)(SOCKET, LPWSABUF, DWORD, LPDWORD, LPDWORD, LPWSAOVERLAPPED, LPWSAOVERLAPPED_COMPLETION_ROUTINE);

//Globals
t_wrecv o_wrecv;
DWORD bytesReceived;

//WINAPI is needed so the calling convention matches the typedef above
int WINAPI MyWrecv(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount, LPDWORD lpNumberOfBytesRecvd, LPDWORD lpFlags, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
{
    //always receives into the first buffer only
    int ret = o_wrecv(s, lpBuffers, 1, lpNumberOfBytesRecvd, lpFlags, lpOverlapped, lpCompletionRoutine);

    //ret == 0 means the receive completed; the byte count pointer can be NULL for overlapped calls
    if (ret == 0 && lpNumberOfBytesRecvd != NULL)
    {
        bytesReceived = *lpNumberOfBytesRecvd;  //getting real size

        //only continue if buf[11] was received and 19 more bytes fit in the caller's buffer
        if (bytesReceived >= 12 && bytesReceived + 19 <= lpBuffers->len
            && lpBuffers->buf[0] == '\x42')//just an example change accordingly
        {
            char packet[20] =
                "\x42\x10\x00\xBA\x0B\x0C\x00\x0E\x02\x2E\x00\x09\x01\x0A\x00\x00\x00\x00\x00";
            packet[15] = lpBuffers->buf[11];//example of what i wanted to change

            memcpy(lpBuffers->buf + bytesReceived, packet, 19);//adding to data being received from server

            *lpNumberOfBytesRecvd += 19;//adding our custom packet size to buffer size
            bytesReceived += 19;//adding our custom size to our real size
        }
    }

    return ret;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID vpReserved)
{
    if (ulReason == DLL_PROCESS_ATTACH)
    {
        //Setting our hook
        o_wrecv = (t_wrecv)DetourFunction((PBYTE)GetProcAddress(GetModuleHandle("ws2_32.dll"), "WSARecv"), (PBYTE)MyWrecv);
    }

    //Every path returns a value, including DLL_PROCESS_DETACH
    return TRUE;
}

So... we have to wait to receive data from the server, then add our custom packet to the original data being received.
Btw, you may need to comment out the recv() hook for the game and just hook WSARecv()... I've had problems in the past where the game crashes or locks up. Anyway, you don't really need to have recv() hooked if you have WSARecv() hooked.

Last edited by Frit0; 07-21-2007 at 02:09 AM..
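
Seen from the detection side, hooks like the ones posted in this thread show up as a changed function prologue: the first bytes of recv, send or WSARecv in memory no longer match ws2_32.dll on disk. The following is an added example, not code from any poster in the thread; it assumes 32-bit x86 and a 5-byte `jmp rel32` patch, and the struct, function names, addresses and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { CLEAN, JMP_INSIDE_MODULE, JMP_OUTSIDE_MODULE, BYTES_MODIFIED };

/* One export prologue from a 32-bit x86 process. Reading these fields from the
 * process and from the DLL on disk is assumed to be done by the caller. */
struct prologue {
    uint32_t addr;      /* address of the export (recv, send, WSARecv)    */
    uint32_t mod_base;  /* load address of ws2_32.dll                     */
    uint32_t mod_size;  /* SizeOfImage of ws2_32.dll                      */
    uint8_t  live[5];   /* bytes in memory; 5 = size of a jmp rel32 patch */
    uint8_t  disk[5];   /* the same bytes from the file on disk           */
};

/* Destination of a `jmp rel32` (opcode E9) located at addr. */
uint32_t jmp_rel32_target(uint32_t addr, const uint8_t *code)
{
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return addr + 5 + rel;   /* wraps modulo 2^32, like the CPU */
}

enum verdict check_prologue(const struct prologue *p)
{
    if (memcmp(p->live, p->disk, sizeof p->live) == 0)
        return CLEAN;                      /* matches the on-disk image */
    if (p->live[0] == 0xE9) {
        uint32_t target = jmp_rel32_target(p->addr, p->live);
        /* unsigned subtraction also rejects targets below mod_base */
        return target - p->mod_base < p->mod_size ? JMP_INSIDE_MODULE
                                                  : JMP_OUTSIDE_MODULE;
    }
    return BYTES_MODIFIED;   /* other patch or a relocated operand: review */
}

/* Constructed samples; the hooked one jumps to 0x10001000, outside the module. */
const struct prologue SAMPLE_CLEAN  = { 0x71AB615A, 0x71AB0000, 0x17000,
    { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }, { 0x8B, 0xFF, 0x55, 0x8B, 0xEC } };
const struct prologue SAMPLE_HOOKED = { 0x71AB615A, 0x71AB0000, 0x17000,
    { 0xE9, 0xA1, 0xAE, 0x54, 0x9E }, { 0x8B, 0xFF, 0x55, 0x8B, 0xEC } };

int main(void)
{
    printf("clean=%d hooked=%d\n", check_prologue(&SAMPLE_CLEAN),
           check_prologue(&SAMPLE_HOOKED));
    return 0;
}
```

A jump that lands outside the module that owns the export is the strongest signal; BYTES_MODIFIED still needs manual review, because a relocated operand inside the first five bytes also differs from the file on disk.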
  
#7 Cameri (n00bie, 8-Bit Member; Posts: 2; Join Date: Jun 2007)
07-21-2007, 06:19 AM

Isn't there a way we could force Tibia to call our recv() function?
Or does waiting until the next packet arrives have to be it?

The problem is when you are all alone in some places, you receive a packet from the game every... 5 seconds, that's the ping packet. So using the option you suggested will not serve well enough =/.
  
#8 Frit0
07-21-2007, 06:26 AM

Yes, that is the only way I have found when doing it by this method :( ...Can you send a packet that would make the server respond back?

Last edited by Frit0; 07-21-2007 at 06:40 AM..
  
#9 Cameri
07-21-2007, 03:29 PM

I checked out how the ping packet worked, and it's the server who issues the ping (like it should). If it were the client, we could issue the ping packet and then append the thing. I'm pretty sure there is something to make this work; the only problem is, it will never be instant. What if we try to send two packets one after the other, and there is only one recv? We will have to append our two packets until they get passed to the client and then cleared. Like, we'll have to make our own "buffer". That isn't a problem, but this just doesn't look like the option we need.
  
#10 Frit0
07-22-2007, 01:58 AM

I don't have the game so I don't know how it works... but saying something in chat and sending it to the server won't get a returned packet? Or how about checking inventory or something along those lines?
  
#11 OsQu
07-22-2007, 08:10 AM

That kind of trick might work, but when the packet must first go to the server and then back to the client (which we then modify), it's not instant. I wonder (and I'm pretty sure) that there is a way to do it instantly. Like just sending the packet to the client.
  