hook ws2_32.send, lua
Cheat Engine Forum Index -> Cheat Engine Lua Scripting

efjay
Newbie cheater
Reputation: 0

Joined: 17 Apr 2014
Posts: 12

PostPosted: Thu Apr 17, 2014 12:59 am    Post subject: hook ws2_32.send, lua

Hey, long-time lurker. I've always wanted to use CE as a makeshift WPE replacement, hoping to change the buffer as packets go by. Anyway, after some searching I found a tutorial Dark Byte made on hooking API calls and tried to get it to work for ws2_32.send.

Code:

local Hook_Example = {}

function Hook_Example.Main( )
    -- Obtain original send pointer.
    Hook_Example.sendPointer = getAddress("ws2_32.send");

    -- Error checking..
    if( Hook_Example.sendPointer == nil ) or ( Hook_Example.sendPointer == 0 ) then
        showMessage( "Failed to hook send, possibly not imported by process." );
        return false;
    end

    -- Set debugger callback.
    debugger_onBreakpoint = Hook_Example.OnBreakpoint;
    debugProcess();
    -- Apply breakpoint.
    debug_setBreakpoint("ws2_32.send");
    print("Hooked");

    return true;
end

function Hook_Example.OnBreakpoint( )
    -- Skip if not send breakpoint (compare against the stored pointer, not an undefined global).
    if( EIP ~= Hook_Example.sendPointer ) then
        print(string.format("Not right EIP: %x vs %x", EIP, Hook_Example.sendPointer));
        --return 0;
    end
    -- Obtain information from call stack (32-bit stdcall layout: return address at ESP, args above it).
    local retaddr   = readInteger( ESP );
    local socket    = readInteger( ESP + 4 );
    local buffer    = readString( ESP + 8, readInteger(ESP + 12) );
    local length    = readInteger( ESP + 12 );
    local flags     = readInteger( ESP + 16 );

    -- Remove hook after first break.
    debug_removeBreakpoint( "ws2_32.send" );

    -- Display param info.
    print( string.format(
        "Socket: %d\nBuffer: %s\nLength: %d\nFlags: %d", socket, buffer, length, flags
    ) );

    return 1;
end

Hook_Example.Main();


Problem is, I get garbage for all the values. Is it because the program is 64-bit? I'm quite new to this. Also, the EIP never matches the getAddress() result, it's missing some characters on the front.

Example:
Hooked
Not right EIP: ff898000 vs 7feff898000
Socket: 0
Buffer:
Length: 0
Flags: 2048

It does not have the 7fe, just the ff898000.

Thanks for reading!
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25296
Location: The netherlands

PostPosted: Thu Apr 17, 2014 4:59 am    Post subject:

Use RIP instead of EIP.

Also, parameter passing is different in 64-bit.
Read http://msdn.microsoft.com/en-us/library/ms235286.aspx

In short, the first 4 parameters are stored in RCX, RDX, R8 and R9, and the others on the stack at RSP+28 and further.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 891

PostPosted: Thu Apr 17, 2014 5:14 am    Post subject:

It's always best to attach a debugger and step through a few calls when you don't know what's going on. I don't use Lua, and I don't code x64 asm, but you could try this:

Code:

local Hook_Example = {}

function Hook_Example.Main( )
    -- Obtain original send pointer.
    Hook_Example.sendPointer = getAddress("ws2_32.send");

    -- Set debugger callback.
    debugger_onBreakpoint = Hook_Example.OnBreakpoint;
    debugProcess();
    -- Apply breakpoint.
    debug_setBreakpoint("ws2_32.send");
    print("Hooked");

    return true;
end

function Hook_Example.OnBreakpoint( )
    -- x64 calling convention: RCX = socket, RDX = buf, R8 = len, R9 = flags.
    -- R8 holds the length by value, so pass it directly instead of dereferencing it
    -- (readQword(R8) would read memory at address == len and fail). Only the low
    -- 32 bits of R8 are the int argument; the upper half may hold leftovers.
    local length    = R8 % 0x100000000;
    local buffer    = readString( RDX, length );

    -- Remove hook after first break.
    debug_removeBreakpoint( "ws2_32.send" );

    -- Display param info.
    print(string.format("Buffer: %s\n", buffer));

    return 1;
end

Hook_Example.Main();

I tried it with a simple C program that fetches a web page, and the output seemed reasonable:
"Buffer: GET / HTTP/1.1
Host: www.google.com
Connection: "

I somewhat enjoyed this experiment and don't mean to sound disparaging, but I can't fathom why one would choose embedded Lua for this kind of project.

_________________
Next to the big gate, there is always a small gate.
----------------------
Come on...
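An added example, not code from anyone in this thread: a send() logger for CE's Lua debugger that reads the arguments from RCX/RDX/R8/R9 as Dark Byte describes, checks the full 64-bit RIP, and hex-dumps the buffer so binary packet bytes stay visible (readString stops at the first zero byte). It assumes a 64-bit target and uses CE's register globals; SendLogger and maxDump are names chosen here.

```lua
-- Assumes a 64-bit target; RCX/RDX/R8/R9/RIP are CE's register globals inside debugger_onBreakpoint.
local SendLogger = {}
SendLogger.maxDump = 64  -- cap on bytes dumped per call (assumption; raise it if needed)

-- Render a byte table as "offset  hex  |ascii|" lines so unprintable bytes stay visible.
function SendLogger.hexdump(bytes)
  local lines = {}
  for base = 1, #bytes, 16 do
    local hex, ascii = {}, {}
    for i = base, math.min(base + 15, #bytes) do
      local b = bytes[i]
      hex[#hex + 1] = string.format("%02X", b)
      ascii[#ascii + 1] = (b >= 32 and b < 127) and string.char(b) or "."
    end
    lines[#lines + 1] = string.format("%04X  %-47s |%s|",
      base - 1, table.concat(hex, " "), table.concat(ascii))
  end
  return table.concat(lines, "\n")
end

function SendLogger.onBreakpoint()
  -- Compare the full 64-bit RIP (EIP is only the low 32 bits) and ignore other breakpoints.
  if RIP ~= SendLogger.sendAddr then return 0 end
  -- Microsoft x64 ABI: send(s, buf, len, flags) arrives as RCX, RDX, R8, R9.
  -- R8/R9 hold int arguments by value; only their low 32 bits are meaningful.
  local sock, buf, len, flags = RCX, RDX, R8 % 0x100000000, R9 % 0x100000000
  local n = math.min(len, SendLogger.maxDump)
  local bytes = (n > 0 and readBytes(buf, n, true)) or {}
  print(string.format("send(socket=%d, buf=0x%X, len=%d, flags=%d)", sock, buf, len, flags))
  print(SendLogger.hexdump(bytes))
  return 1  -- handled here; resume the target without refreshing CE's debugger view
end

function SendLogger.start()
  SendLogger.sendAddr = getAddress("ws2_32.send")
  if SendLogger.sendAddr == nil or SendLogger.sendAddr == 0 then
    print("ws2_32.send not found in the target")
    return false
  end
  debugger_onBreakpoint = SendLogger.onBreakpoint
  debugProcess()
  debug_setBreakpoint(SendLogger.sendAddr)
  return true
end

function SendLogger.stop()
  debug_removeBreakpoint(SendLogger.sendAddr)
end
SendLogger.start()
```

Call SendLogger.stop() to remove the breakpoint; unlike the snippets above, this one keeps logging every call until then.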
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25296
Location: The netherlands

PostPosted: Thu Apr 17, 2014 7:34 am    Post subject:

It saves the time of making a DLL that needs to be injected, and is especially useful if you know Lua better than the DLL-capable languages.

Tip: the "template call CE lua function" is designed for this scenario. That way you don't have to use a debugger but can still use a Lua function to call on a hook entry.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
efjay
Newbie cheater
Reputation: 0

Joined: 17 Apr 2014
Posts: 12

PostPosted: Thu Apr 17, 2014 9:31 am    Post subject:

Dark Byte wrote:
It saves the time of making a DLL that needs to be injected, and is especially useful if you know Lua better than the DLL-capable languages.

Tip: the "template call CE lua function" is designed for this scenario. That way you don't have to use a debugger but can still use a Lua function to call on a hook entry.


So you suggest injecting a DLL that hooks these functions instead? Also, thanks for responding to my post! Are there any examples of this on this site? I took a quick look and couldn't find any. I have made some .dlls before that would hook some functions, but I assume I'd have to call some CE-related calls... I'm not sure.

Also, RIP doesn't seem to match up with ws2_32.send's address :/

@justa_dude That works, thanks. I'll play around with this.
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 891

PostPosted: Thu Apr 17, 2014 11:49 am    Post subject:

Quote:
Also, RIP doesn't seem to match up with ws2_32.send's address :/

I think that it's unlikely CE's excellent symbol handler got it wrong. No offense, but you're probably not evaluating it correctly.

efjay wrote:
So you suggest injecting a DLL that hooks these functions instead?... I took a quick look and couldn't find any. I have made some .dlls before that would hook some functions, but I assume I'd have to call some CE related calls.. I'm not sure.


Obviously, this is not production code (scant error handling, not a log format very well suited for unprintable chars, etc), but it might give you some idea. I tested it against the same simple C scraper I used this AM, and got similar results. Just attach CE and inject the dll.

Code:

#include <winsock2.h>   // must precede windows.h, otherwise winsock.h gets pulled in
#include <windows.h>
#include <fstream>

#include "MinHook.h"
//using in this case the "Minimalistic API Hook Library" from
//http://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra
//because MS Detours (free) doesn't work for x64, afaik.  You could do it yourself pretty
//easily, though, if you were so inclined...
#pragma comment(lib, "libMinHook.x64.lib")
#pragma comment(lib, "ws2_32.lib")

// Trampoline to the original send(); MH_CreateHook overwrites this with the real target.
static int (WINAPI *real_send)(SOCKET s, const char *buf, int len, int flags) = send;

int WINAPI my_send(SOCKET s, const char *buf, int len, int flags)
{
   int ret = real_send(s, buf, len, flags);
   // Open-mode flags are OR'ed together; "app & binary" evaluates to 0 and drops both.
   std::ofstream log("c:/somewhere/send.log", std::ios::app | std::ios::binary);
   if(log && buf != NULL && len > 0)
   {
      log.write(buf, len);
      log << std::endl;
   }
   return ret;
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
   if(dwReason == DLL_PROCESS_ATTACH)
   {
      //init minhook & create hook
      if(MH_Initialize() != MH_OK ||
         MH_CreateHook(reinterpret_cast<LPVOID>(&send), reinterpret_cast<LPVOID>(&my_send),
                       reinterpret_cast<LPVOID*>(&real_send)) != MH_OK)
      {
         MessageBoxA(NULL, "init", "error", MB_ICONERROR);
         return FALSE;
      }
      //start hooking
      if(MH_EnableHook(reinterpret_cast<LPVOID>(&send)) != MH_OK)
      {
         MessageBoxA(NULL, "hook", "error", MB_ICONERROR);
         return FALSE;
      }
   }
   else if(dwReason == DLL_PROCESS_DETACH && !reserved)
   {
      //cleanup
      MH_DisableHook(reinterpret_cast<LPVOID>(&send));
      MH_Uninitialize();
   }
   return TRUE;
}

_________________
Next to the big gate, there is always a small gate.
----------------------
Come on...
efjay
Newbie cheater
Reputation: 0

Joined: 17 Apr 2014
Posts: 12

PostPosted: Fri Sep 18, 2015 7:48 am    Post subject:

Dark Byte wrote:
It saves the time of making a DLL that needs to be injected, and is especially useful if you know Lua better than the DLL-capable languages.

Tip: the "template call CE lua function" is designed for this scenario. That way you don't have to use a debugger but can still use a Lua function to call on a hook entry.


Sorry to bring back this dead thread, but what do you mean by the "template call CE lua function"? Do you have an example?

I'm just trying to take advantage of CE's anti-hack methods because programs such as WPEPro and mmbbq crash whenever I hook the send function :(

Thanks!