The first thing we do after we get a game is to analyze its packet-sending function, because the packet-sending function gives us a lot of useful information.
First, every function of the game can be realized by sending packets.
Second, from the parameters of the packet-sending call we can learn the data formats used in the game, such as the types of some parameters and the value of the ID.
Third, by sending packets you can find out whether there are loopholes in the game's communication method. For example, if the client sends a packet when a monster dies, then there is an instant-kill packet and an instant-kill function.
First, we go to the three sending functions send, sendto, and WSASend in turn to check whether they are the packet-sending functions this game uses.
After setting breakpoints on send, sendto, and WSASend respectively, we found that they only break occasionally, and after analysis these breaks turned out to have nothing to do with our packet-sending actions.
So this game does not send packets through these 3 packet-sending functions; it implements the packet-sending function itself.
The game sends through another send function.
We go into the inner packet-sending function WSPSend that send calls, and find the inner packet-sending function WSPSend:
71384405  6A 44              push 44
71384407  68 80453871        push 71384580
7138440C  E8 7FCFFFFF        call 71381390
71384411  33FF               xor edi, edi
71384413  897D E0            mov dword ptr [ebp-20], edi
71384416  803D B8643B71 00   cmp byte ptr [713B64B8], 0
7138441D  0F85 04240000      jnz 71386827
71384423  393D 5C603B71      cmp dword ptr [713B605C], edi
71384429  0F86 F8230000      jbe 71386827
7138442F  FF35 88603B71      push dword ptr [713B6088]
71384435  FF15 D0123871      call dword ptr [<&API-MS-Win-Core-Pro>; kernel32.TlsGetValue
7138443B  8945 D4            mov dword ptr [ebp-2C], eax
7138443E  3BC7               cmp eax, edi
71384440  0F84 E1230000      je 71386827
Of course, the address is different on every computer; it is only the same on this computer.
We re-attach to Romance of Lingshan and jump to this address.
CTRL+F9 returns to the real packet-sending function.
After analysis, judging from the nature of the parameters, we conclude that this is a reimplementation of WSASend.
At this point, any packet-sending action will break here, and of course the heartbeat packets will break here too.