Cheat Engine The Official Site of Cheat Engine
loginphp (Cheater)
Reputation: 0
Joined: 02 May 2013  Posts: 25

Posted: Tue Jun 04, 2013 1:56 pm  Post subject: Finding packet structures in Cheatengine.

EDIT: This is not a tutorial lol, I am asking a question. It only sounds like a tutorial at first because I feel it's important to explain myself so it's easier to get help.
I managed to find packet structures in one game so far.
For example, if you were to attach WPE to this game and record a movement packet you would get this: "18 00 E3 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX". Ok, obviously 18 is the packet size, right? And E3 is the game function the packet is sending, so E3 = the command that tells the server to move. E3 can be changed to anything; for example, an attack packet would be F9 in place of E3. Get it? Ok, now that I explained a bit about the packet structure in this game I'm going to explain something else.
Here's what I find interesting.
Below is the E3 command of the packet in the memory, and it shows as 79E. If you were to do an assembly scan for this packet function it would look like this:
    ecx,0000079E (I don't remember exactly if it was E3, this is just an example)
Now just a few addresses below that you will notice another address that shows this, the packet SIZE:
    ecx,00000012
Now the packet size is 12 in hex, which would make the packet byte size 18 if you recorded a movement packet with WPE. If I change the packet size to 13 in the memory then that would make the game's movement packets 19 bytes long.
Awesome, isn't it? I've pulled off miracles in one game by manipulating packets via Cheat Engine.
However, if I were to do an assembly scan on the size of a packet in a different game, like 0000002A for example, would I possibly pull up accurate results to a particular packet I am searching for? (I search for packets by their size, I don't know why.)
Do all games show packet structures in the memory the same way as this game?
Like the example I showed above.
So in this particular game I'm able to modify packets through the memory and it works great for making mods.
And please, if you have any nice and quick methods for finding packet structures in the game, then PLEASE share that with me. I'm familiar with most of Cheat Engine's features so I hope I'm not a pain in the neck.
Thank you guys! I apologize for my lack of knowledge and terminology but I'd like to think I'm not bad with Cheat Engine for all the things I've pulled off in games xD
Happy hacking.
_________________
What is a "signature"?

grasmanek94 (Master Cheater)
Reputation: 0
Joined: 03 Jun 2008  Posts: 283  Location: The Netherlands

Posted: Tue Jun 04, 2013 3:14 pm  Post subject:

Quote: Do all games show packet structures in the memory the same way as this game?

If I were to create a game I can choose any structure and handling for my packets I want: the mechanism, protocol, what is sent, how it is sent. You're lucky you could manipulate packets; some games prevent it by adding a CRC or some hashing.
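Added example (not code from the thread or from Cheat Engine): a server-side validator for a packet framed the way loginphp describes, a size field followed by an opcode byte, with the keyed hash grasmanek94 mentions appended as a tag, so that the size edit (0x12 to 0x13) and the opcode swap (E3 to F9) discussed above are rejected. The 2-byte little-endian size field, the 8-byte HMAC-SHA256 tag, the opcode table and the session key are assumptions constructed for this example.

```python
import hmac
import hashlib
import struct

# Opcodes named in the thread: 0xE3 = move, 0xF9 = attack. The 2-byte little-endian
# size field, the trailing tag and the session key are assumptions for this example.
KNOWN_OPCODES = {0xE3: "move", 0xF9: "attack"}
HEADER_LEN = 3        # size (2 bytes, little-endian) + opcode (1 byte)
TAG_LEN = 8           # truncated HMAC-SHA256 appended by the sender
SESSION_KEY = b"constructed-per-session-key"   # constructed; a real game would negotiate it at login


def build_packet(opcode: int, payload: bytes, key: bytes = SESSION_KEY) -> bytes:
    """Frame [size][opcode][payload][tag]; size counts every byte including the tag."""
    size = HEADER_LEN + len(payload) + TAG_LEN
    body = struct.pack("<HB", size, opcode) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def validate_packet(data: bytes, key: bytes = SESSION_KEY) -> tuple:
    """Server-side check every inbound packet must pass. Returns (ok, reason)."""
    if len(data) < HEADER_LEN + TAG_LEN:
        return False, "too short"
    size, opcode = struct.unpack_from("<HB", data)
    if size != len(data):                       # catches the 0x12 -> 0x13 size edit from the thread
        return False, "size field %d != %d bytes received" % (size, len(data))
    if opcode not in KNOWN_OPCODES:
        return False, "unknown opcode 0x%02X" % opcode
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # catches an E3 -> F9 opcode swap made after signing
        return False, "integrity tag mismatch"
    return True, KNOWN_OPCODES[opcode]


def tamper(packet: bytes, offset: int, value: int) -> bytes:
    """Overwrite one byte of a finished packet; used only to exercise the validator."""
    return packet[:offset] + bytes([value]) + packet[offset + 1:]


if __name__ == "__main__":
    move = build_packet(0xE3, b"\x00" * 7)          # 18 bytes total, so the size field reads 0x0012
    print(move.hex(" "), validate_packet(move))
    print(validate_packet(tamper(move, 0, 0x13)))   # size says 19, 18 bytes arrived -> rejected
    print(validate_packet(tamper(move, 2, 0xF9)))   # opcode changed, tag now stale -> rejected
```

A plain CRC adds nothing against a client that can recompute it, and since the client also holds the session key the tag only catches edits made after signing; the server must still validate what the decoded command asks for (range, rate, game state) rather than trust the framing.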
atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006  Posts: 8587  Location: 127.0.0.1

Posted: Tue Jun 04, 2013 5:47 pm  Post subject:

grasmanek94 wrote:
    Quote: Do all games show packet structures in the memory the same way as this game?

    If I were to create a game I can choose any structure and handling for my packets I want: the mechanism, protocol, what is sent, how it is sent. You're lucky you could manipulate packets; some games prevent it by adding a CRC or some hashing.

In most cases games lack security on packets because of how they are handled. For example, a lot of games have a call stack similar to:
    CreatePacket -> EncryptPacket -> SendPacket
    ReceivePacket -> DecryptPacket -> ProcessPacket
And because of this, you can just hook onto the first and last step of the chain to alter the packets as you see fit without triggering any anti-cheat detection. (Unless the functions are protected etc.)
_________________
- Retired.

loginphp (Cheater)
Reputation: 0
Joined: 02 May 2013  Posts: 25

Posted: Wed Jun 05, 2013 12:53 pm  Post subject:

Wiccaan wrote:
    grasmanek94 wrote:
        Quote: Do all games show packet structures in the memory the same way as this game?

        If I were to create a game I can choose any structure and handling for my packets I want: the mechanism, protocol, what is sent, how it is sent. You're lucky you could manipulate packets; some games prevent it by adding a CRC or some hashing.

    In most cases games lack security on packets because of how they are handled. For example, a lot of games have a call stack similar to:
        CreatePacket -> EncryptPacket -> SendPacket
        ReceivePacket -> DecryptPacket -> ProcessPacket
    And because of this, you can just hook onto the first and last step of the chain to alter the packets as you see fit without triggering any anti-cheat detection. (Unless the functions are protected etc.)

(Note: The game I am playing now has cheat protection against packet editors, but NOT anything memory related, so I am able to use CE but not WPE. This is why it's important I get CE working for packet manipulation the same way I did in my last game. This game has no protection on memory.)
This is what intrigues me lol. In some cases you can alter packets via the memory without being detected. I noticed that when I alter packets via the memory they automatically restructure themselves.
For example, taking a packet editor like WPE/XOR61 and changing a packet's size or function may crash the game in many cases. However, when you alter the packet size and function via the memory, the client automatically restructures the packet with valid bytes. I think that's quite interesting. Makes me wonder what kinds of other things I can do.
If packets are found in memory in the game I'm playing now, then I'm sure I can find them through the memory in other games as well. But I guess what you were trying to say is that they DON'T all look the same in memory. So that means I have no idea what a packet with the size of 18 bytes would look like in the memory?.. >_<
I heard there is a way to do it with OllyDbg. You do it by setting a break on Send/Recv. Ok, that sounds nifty and all, but how do I set a break on send/recv packets in Olly? I have no clue, but I do enjoy using Olly sometimes. I even made a script for it, but only with some help.
_________________
What is a "signature"?

Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003  Posts: 25839  Location: The netherlands

Posted: Wed Jun 05, 2013 1:53 pm  Post subject:

You can also set a breakpoint with CE and log/modify things.
Check out http://forum.cheatengine.org/viewtopic.php?t=530032
It starts with a basic Windows API, but you can adjust it to the Winsock API.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.