Hook directx or packet decrypt function...?
Re: Hook directx or packet decrypt function...?
How can I be sure the code is compiling as 32-bit code? I've read that it may only work on 32-bit source and apps.
Edit: Sorry, I thought I hit edit.
- Administrator
- Site Admin
- Posts: 5313
- Joined: Sat Jan 05, 2008 4:21 pm
Re: Hook directx or packet decrypt function...?
Exempt wrote:
How can I be sure the code is compiling as 32-bit code? I've read that it may only work on 32-bit source and apps.
Edit: Sorry, I thought I hit edit.
Unless you installed a 64-bit compiler and have specifically set up your project to compile as 64-bit, it is 32-bit. I assume you just got the Code::Blocks and MinGW package, so it will be 32-bit.
I don't understand what you're even trying to do in your main function. You could probably remove a whole bunch of that, open the log file with write permissions, and print out something just to make sure that code is even being called.
Re: Hook directx or packet decrypt function...?
EDIT: Ugh, apparently Code::Blocks with the gcc compiler can mangle the DLLMAIN, causing it not to call DLL_PROCESS_ATTACH or something of the sort...
EDIT2:
I don't understand what this is telling me to do for length. Any idea what this means, assuming that is my function down there?
p3_len: Number of complete opcodes >= 5, e.g., push 0xFFFFFFFF = 6 bytes
I have managed to crash the game now, lol. dam
Code:
extern "C" BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
Code:
CPU Disasm
Address Hex dump Command Comments
0041C230 /$ 56 PUSH ESI ; Xenimus.0041C230(guessed Arg1,Arg2)
0041C231 |. 8B7424 08 MOV ESI,DWORD PTR SS:[ARG.1]
0041C235 |. 8971 10 MOV DWORD PTR DS:[ECX+10],ESI
0041C238 |. 0FB616 MOVZX EDX,BYTE PTR DS:[ESI]
0041C23B |. 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1]
0041C23F |. 03C2 ADD EAX,EDX
0041C241 |. 8B51 28 MOV EDX,DWORD PTR DS:[ECX+28]
0041C244 |. 25 FF000000 AND EAX,000000FF
0041C249 |. 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
0041C24C |. 0FB60410 MOVZX EAX,BYTE PTR DS:[EDX+EAX]
0041C250 |. 83E0 24 AND EAX,00000024
0041C253 |. 83C8 01 OR EAX,00000001
0041C256 |. 8901 MOV DWORD PTR DS:[ECX],EAX
0041C258 |. 8036 AA XOR BYTE PTR DS:[ESI],AA
0041C25B |. 8B51 10 MOV EDX,DWORD PTR DS:[ECX+10]
0041C25E |. 803A 00 CMP BYTE PTR DS:[EDX],0
0041C261 |. 74 6B JE SHORT 0041C2CE
0041C263 |. 57 PUSH EDI
0041C264 |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ARG.2]
0041C268 |. 83FF 02 CMP EDI,2
0041C26B |. C741 08 02000 MOV DWORD PTR DS:[ECX+8],2
0041C272 |. 7E 59 JLE SHORT 0041C2CD
0041C274 |. 53 PUSH EBX
0041C275 |> 8B59 04 /MOV EBX,DWORD PTR DS:[ECX+4] //This is where the loop starts here
0041C278 |. 8B51 28 |MOV EDX,DWORD PTR DS:[ECX+28]
0041C27B |. 8B41 08 |MOV EAX,DWORD PTR DS:[ECX+8]
0041C27E |. 8B31 |MOV ESI,DWORD PTR DS:[ECX]
0041C280 |. 85F0 |TEST EAX,ESI
0041C282 |. 8A141A |MOV DL,BYTE PTR DS:[EBX+EDX]
0041C285 |. 0FBEDA |MOVSX EBX,DL
0041C288 |. 74 13 |JE SHORT 0041C29D
0041C28A |. 85DE |TEST ESI,EBX
0041C28C |. 8B71 10 |MOV ESI,DWORD PTR DS:[ECX+10]
0041C28F |. 74 06 |JE SHORT 0041C297
0041C291 |. 03C6 |ADD EAX,ESI
0041C293 |. 3010 |XOR BYTE PTR DS:[EAX],DL
0041C295 |. EB 1E |JMP SHORT 0041C2B5
0041C297 |> 03C6 |ADD EAX,ESI
0041C299 |. 2810 |SUB BYTE PTR DS:[EAX],DL
0041C29B |. EB 18 |JMP SHORT 0041C2B5
0041C29D |> 85DE |TEST ESI,EBX
0041C29F |. 74 0D |JE SHORT 0041C2AE
0041C2A1 |. 8B51 10 |MOV EDX,DWORD PTR DS:[ECX+10]
0041C2A4 |. 03C2 |ADD EAX,EDX
0041C2A6 |. 8A10 |MOV DL,BYTE PTR DS:[EAX]
0041C2A8 |. F6D2 |NOT DL
0041C2AA |. 8810 |MOV BYTE PTR DS:[EAX],DL
0041C2AC |. EB 07 |JMP SHORT 0041C2B5
0041C2AE |> 8B71 10 |MOV ESI,DWORD PTR DS:[ECX+10]
0041C2B1 |. 03C6 |ADD EAX,ESI
0041C2B3 |. 0010 |ADD BYTE PTR DS:[EAX],DL
0041C2B5 |> 8B41 04 |MOV EAX,DWORD PTR DS:[ECX+4]
0041C2B8 |. 8341 08 01 |ADD DWORD PTR DS:[ECX+8],1
0041C2BC |. 83C0 01 |ADD EAX,1
0041C2BF |. 25 FF000000 |AND EAX,000000FF
0041C2C4 |. 8941 04 |MOV DWORD PTR DS:[ECX+4],EAX
0041C2C7 |. 3979 08 |CMP DWORD PTR DS:[ECX+8],EDI
0041C2CA |.^ 7C A9 \JL SHORT 0041C275 //It ends here...
0041C2CC |. 5B POP EBX
0041C2CD |> 5F POP EDI
0041C2CE |> 5E POP ESI
0041C2CF \. C2 0800 RETN 8
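Reading the listing above back into C makes the transform easier to reason about than the annotated jump targets do. The block below is an added example written for this page, not code from the thread, from the Xenimus client or from any hooking library: the struct offsets are the ones the listing reads through ECX, while the field names, the `codec_t` type and the `demo_*` helpers are assumptions, and the 256-byte table (`table[i] = i >> 1`) and the sample messages are constructed here, since the client's real table lives in its binary. The return value mirrors what EAX holds at each RETN.

```c
#include <stdint.h>
#include <stdio.h>

/* State object addressed through ECX in the listing. The offsets are the
 * ones the listing reads; the field names are assumptions for this reading. */
typedef struct {
    uint32_t       mode;   /* [ECX+0x00]: (table[idx] & 0x24) | 1            */
    uint32_t       idx;    /* [ECX+0x04]: running table index, kept in 0..255 */
    uint32_t       pos;    /* [ECX+0x08]: byte position being transformed     */
    uint8_t       *buf;    /* [ECX+0x10]: message, transformed in place       */
    const uint8_t *table;  /* [ECX+0x28]: 256-byte static table               */
} codec_t;

/* C rendering of 0041C230..0041C2CF. The original is __thiscall with two
 * stack arguments (hence RETN 8); `c` stands in for ECX. The returned value
 * is what EAX holds at each RETN: mode on the early exits, idx after the loop. */
static int decode_packet(codec_t *c, uint8_t *buf, int length)
{
    c->buf  = buf;
    c->idx  = (uint32_t)(buf[0] + buf[1]) & 0xFFu;       /* 0041C238..0041C249 */
    c->mode = (c->table[c->idx] & 0x24u) | 1u;           /* 0041C24C..0041C256 */
    buf[0] ^= 0xAA;                                      /* 0041C258           */
    if (buf[0] == 0)                                     /* 0041C25E/0041C261  */
        return (int)c->mode;

    c->pos = 2;                                          /* 0041C26B           */
    if (length <= 2)                                     /* CMP/JLE: signed    */
        return (int)c->mode;

    do {                                                 /* 0041C275           */
        uint8_t k = c->table[c->idx];                    /* 0041C282           */
        /* TEST EAX,ESI: does the position share a bit with mode?
         * TEST ESI,EBX: does the table byte share a bit with mode? The MOVSX
         * sign-extension is irrelevant here because mode never exceeds 0x25. */
        if (c->pos & c->mode) {
            if (c->mode & k) buf[c->pos] ^= k;           /* 0041C293 XOR       */
            else             buf[c->pos] -= k;           /* 0041C299 SUB       */
        } else {
            if (c->mode & k) buf[c->pos] = (uint8_t)~buf[c->pos]; /* 0041C2A8 NOT */
            else             buf[c->pos] += k;           /* 0041C2B3 ADD       */
        }
        c->pos++;                                        /* 0041C2B8           */
        c->idx = (c->idx + 1) & 0xFFu;                   /* 0041C2BC..0041C2C4 */
    } while ((int)c->pos < length);                      /* CMP/JL: signed     */

    return (int)c->idx;
}

/* Constructed for this example only: a regular table and an 8-byte message.
 * With table[i] = i >> 1 and idx starting at 2, each of NOT, XOR, ADD and SUB
 * is hit within the first four payload bytes. */
static uint8_t demo_table[256];

static void build_demo_table(void)
{
    for (int i = 0; i < 256; i++)
        demo_table[i] = (uint8_t)(i >> 1);
}

static const uint8_t demo_msg[8] = {0x01, 0x01, 0x10, 0x20, 0x30, 0x40, 0x50, 0x60};

/* Runs the sample message through the routine; `out` receives the result. */
int demo_decode(uint8_t out[8])
{
    build_demo_table();
    codec_t c = {0};
    c.table = demo_table;
    for (int i = 0; i < 8; i++) out[i] = demo_msg[i];
    return decode_packet(&c, out, 8);
}

/* Plain-value accessors so results can be checked without pointer plumbing. */
int demo_byte(int i) { uint8_t out[8]; demo_decode(out); return out[i]; }
int demo_ret(void)   { uint8_t out[8]; return demo_decode(out); }

/* A message whose first byte becomes 0 after the XOR with 0xAA: the routine
 * leaves via 0041C261 with EAX = mode and never touches the payload.
 * Returns -1 if the payload byte was written, which the listing forbids. */
int demo_early_exit(void)
{
    build_demo_table();
    codec_t c = {0};
    c.table = demo_table;
    uint8_t msg[3] = {0xAA, 0x00, 0xFF};
    int r = decode_packet(&c, msg, 3);
    return msg[2] == 0xFF ? r : -1;
}

int main(void)
{
    uint8_t out[8];
    int r = demo_decode(out);
    printf("ret=%d out=", r);
    for (int i = 0; i < 8; i++) printf("%02X ", out[i]);
    printf("\nearly exit ret=%d\n", demo_early_exit());
    return 0;
}
```

Every operation is a byte-wise XOR, ADD, SUB or NOT chosen by the byte position, a mode value and a table entry, and both the starting index and the mode are derived from the first two bytes of the message itself plus a table that ships inside the client. Nothing in it is secret from anyone holding the binary, which is why a transform like this is framing or obfuscation rather than a confidentiality control, and why a server cannot rely on it to establish that a message came from an unmodified client.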
- Administrator
- Site Admin
- Posts: 5313
- Joined: Sat Jan 05, 2008 4:21 pm
Re: Hook directx or packet decrypt function...?
I told you to compile it as C to make sure to avoid C++ name-mangling.
Well, 56 is one command, and it is only 1 byte. 8B7424 08 is the next command, and it is 4 bytes. So, there you go, you've already reached at least 5 bytes (between those two commands) that complete a full set of instructions.
Code:
0041C230 /$ 56 PUSH ESI ; Xenimus.0041C230(guessed Arg1,Arg2)
0041C231 |. 8B7424 08 MOV ESI,DWORD PTR SS:[ARG.1]
0041C235 |. 8971 10 MOV DWORD PTR DS:[ECX+10],ESI
0041C238 |. 0FB616 MOVZX EDX,BYTE PTR DS:[ESI]
0041C23B |. 0FB646 01 MOVZX EAX,BYTE PTR DS:[ESI+1]
Re: Hook directx or packet decrypt function...?
EDIT: Well, after a ton of time wasted with Code::Blocks... I just realized something. MSVS isn't all that hard to do. When I created my own project from scratch and added just what I needed, I've got it working! ...downside is there is a crapload of packets constantly coming, lol. Thanks a ton for the help, Admin. I'm sure I'll need more soon!
EDIT: I watched it inject with Olly, and it's crashing when it tries to return from my DLL... hm
So I can just use 5? I guess my calling convention is wrong... boo.
This is the one used by a program that's done this before:
I've tried to make it both with and without the pthis argument; both have failed. Also, I've used DetourFunc and DetourClassFunc.
Code:
// MSVC-specific: __thiscall passes `this` in ECX and the remaining two
// arguments on the stack, which matches the RETN 8 at the end of the listing.
typedef int (__thiscall* DecryptCall)(void* pthis, unsigned char* buffer, int length);
- Administrator
- Site Admin
- Posts: 5313
- Joined: Sat Jan 05, 2008 4:21 pm
Re: Hook directx or packet decrypt function...?
I'm not really sure why it is crashing when you return. Maybe log the return value from the original function call and see if it looks normal?
Re: Hook directx or packet decrypt function...?
The prototype was the issue. I had to make it a __thiscall with the void *pthis as the first argument. MSVS recognizes __thiscall, so I was able to do it with MSVS.