This is a small fix to Hoihoi's key grabbing code, so that it will compile with MinGW. You can download MinGW here (http://sourceforge.net/project/showfiles.php?group_id=2435) .

Also made one small fix, client was displaying the incorrect key on screen but the correct key was sent to showeq:

from:
printf ("Session key:\t0x%016llx\n", (unsigned long long) key);
to:
printf ("Session key:\t0x%016I64x\n", (unsigned long long) key);

(thank you MisterSpock)

Just for the newbies, compile it like this:

Copy the code to c:\mingw\bin
Start your command prompt and 'cd' there

gcc -c hoihoi432.c
gcc -o hh.exe hoihoi432.o -lth32 -lwsock32

Congrats, you should have hh.exe. Copy it wherever you want.

Usage:

Using EQW, start the executable once you get to the character selection screen, otherwise it will scan for eqgame.exe in memory and exit if it's not found.

If you don't want to use EQW then you need to add a delay before it scans for eqgame.exe:

change:


int main(void)
{
printf ("scanning for eqgame.exe\n");

if (ReadConfig() == 1)
scanproclist(1);
else
scanproclist(0);

return 0;
}


to this:


int main(void)
{
printf ("start you game now! you have 3 minutes to get to character select!\n");

Sleep(180000); // Ok..this is the tricky value. This sniffer needs to "attach" to eqgame
// for the FIRST time at the *CHARACTER selection screen*. Therefore, as it is set
// now (at 3 minutes), you need to make sure you're at the char selection screen
// WITHIN 3 minutes, and you don't enter the game until AFTER 3 minutes.
// Make sense? ...once it's done it's business the first time (each session),
// it doesn't matter.
// Once you've gotten a feel for it, you can adjust this timer to what works
// best for you. (1000 = 1 second). It's a pain, but this is a simple program!

printf ("scanning for eqgame.exe...\n");

if (ReadConfig() == 1)
scanproclist(1);
else
scanproclist(0);

return 0;
}


Here's the full code:

hoihoi432.c


// $Header: /usr/local/cvsroot/senseheading/senseheading.c,v 1.4 2002/11/05 23:36:03 hoihoi Exp $

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <tlhelp32.h>
#include <time.h>

#define CONF_FILE "C:/hh.conf"
#define CONF_SIZE 16

struct CONFIG
{
unsigned long long SessionKeyLocation;
unsigned int SendInterval;
char seq_ip[16];
int seq_port;
} config;

int SendSessionKey(unsigned long long SessionKey);

void readkey (HANDLE hProcess, int useConfig)
{
while (1)
{
unsigned long addr;
unsigned long long key = 0xffffffffffffffff;

char keypressing;

if (useConfig == 0)
{
printf ("\nenter offset (ie: 0x00773b90): ");
if (scanf ("%08x", &addr) == 1)
{
printf ("offset:\t0x%08x\n", addr);
}
}
else
addr = config.SessionKeyLocation;

if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
{
printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
}
else
{
printf ("Session key:\t0x%016I64x\n", (unsigned long long) key);

if ( useConfig == 1)
{
if (SendSessionKey(key) != SOCKET_ERROR)
printf("Sent the session key to %s:%d\n", config.seq_ip, config.seq_port);
else
printf("Failed to send the session key to %s:%d\n", config.seq_ip, config.seq_port);
}

if (config.SendInterval != 0)
sleep(config.SendInterval*1000);
else
{
printf("\nPress some key to continue");
scanf("%s", &keypressing);
}
}
}

fflush (stdin);
}

int scanproclist ( int useConfig )
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};

// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == INVALID_HANDLE_VALUE)
return 0;

// Fill in the size of the structure before using it.
pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
HANDLE hProcess;

do
{
LPSTR pCurChar;
char pName[512];

// strip path and leave exe filename
for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile));
*pCurChar != '\\\' && pCurChar != pe32.szExeFile - 1;
--pCurChar)

strcpy(pName, pCurChar);
strlwr(pName);

if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
{
printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
hProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
if (hProcess == NULL)
{
DWORD dw;
dw = GetLastError();
printf ("OpenProcess failed, error: %u\n", dw);
return 0;
}
readkey (hProcess, useConfig);
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle (hProcessSnap);
return 0;
}


int ReadConfig (void)
{
int useConfig = 0;
char conf_buffer[CONF_SIZE];

GetPrivateProfileString("Client", "SessionKeyLocation", "0", conf_buffer, CONF_SIZE, CONF_FILE);
config.SessionKeyLocation = strtol(conf_buffer,NULL,16);

GetPrivateProfileString("Client", "SendInterval", "0", conf_buffer, CONF_SIZE, CONF_FILE);
config.SendInterval = atoi(conf_buffer);

GetPrivateProfileString("ShowEQ", "IP", "0", conf_buffer, CONF_SIZE, CONF_FILE);
strcpy(config.seq_ip, conf_buffer);

GetPrivateProfileString("ShowEQ", "Port", "0", conf_buffer, CONF_SIZE, CONF_FILE);
config.seq_port = atoi(conf_buffer);

if (config.SessionKeyLocation > 0)
useConfig = 1;

return useConfig;
}

int SendSessionKey(unsigned long long SessionKey)
{
int ret;
WSADATA wsd;
SOCKET ssocket;
SOCKADDR_IN seq;

if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0)
{
printf("WSAStartup failed!\n");
return SOCKET_ERROR;
}

ssocket = socket(AF_INET, SOCK_DGRAM, 0);
if (ssocket == INVALID_SOCKET)
{
printf("socket() failed; %d\n", WSAGetLastError());
return SOCKET_ERROR;
}

seq.sin_family = AF_INET;
seq.sin_port = htons((short)config.seq_port);
seq.sin_addr.s_addr = inet_addr(config.seq_ip);

ret = sendto(ssocket, (char *) &SessionKey, sizeof(unsigned long long), 0, (SOCKADDR *)&seq, sizeof(seq));
if (ret == SOCKET_ERROR)
return SOCKET_ERROR;

closesocket(ssocket);
WSACleanup();

return 0;
}

int main(void)
{
printf ("scanning for eqgame.exe\n");

if (ReadConfig() == 1)
scanproclist(1);
else
scanproclist(0);

return 0;
}



Make sure you have the latest cvs (4.3.2) of showeq and the latest libEQ.a (md5sum 26d3d74f456562ce902e4827dc186d1f) from ftp://azriel.trifocus.net/pub/libeq/i386/linux/libEQ.a

And setup your hh.conf to point to the IP address of your ShowEQ box.

Here is my hh.conf



[Client]
SessionKeyLocation=0x00773b90
SendInterval=10

[ShowEQ]
IP=10.0.7.1
Port=666



And please read the code before you compile it!

Zertful


ps: Make sure line 96 has two \ instead of one. This bb seems to strip them off... argh.

Ok If you are using any Compiler you need to link for sure the wsock32.lib and Ws2_32.lib, I did the one "ws2_32.lib" and worked ok for the compile but never sent the data over the Port, yet when I added the wsock32.lib worked Great.

Make sure you link these files...



Red Blue yellow white and Green, never look so neat..



:) :D :p :cool:

I have compiled this several times no errors but when i run the program it says scanning for eqgame blah blah then drops me back to the prompt.

I would appreciate any info as to what i did wrong compiled using MinGW as shown.

Thank you

hulkster

Hulkster99

Right after this line

printf ("scanning for eqgame.exe\n");

add the following


Sleep(15000);


That will give you 15 seconds to start the game.

Is this or the last one posted by HoiHoi working for anyone?

I compiled using Mingw with NO ERRORS, scans for game, finds game, sends key of ALL 0's to correct ip and port but never sends anything else, after zoning several times.

NM, got it working...

Any chance someone can add a LastKey Variable, so that if key and lastkey equal, no key is sent to SEQ?

Why is it that hoihoi's code is giving 0x00000000xxxxxxxx as a key and mvern's code is giving 0xffffffffxxxxxxxx as a key?

I've tried inputing '0x00000000xxxxxxxx' into seq and nothing happens. While putting '0xffffffffxxxxxxxx' into seq results in a lockup of seq.

foo

Why exactly must the process attach while at the character select screen? And why not later?
If you read my other thread you see I had plans for an on-demand sniffer, that would hopefully be less detectable because it would not always be resident in memory.
But, is this simply not an option? Or is it just not with this code.

Originally posted by foo
Why is it that hoihoi's code is giving 0x00000000xxxxxxxx as a key and mvern's code is giving 0xffffffffxxxxxxxx as a key?

I've tried inputing '0x00000000xxxxxxxx' into seq and nothing happens. While putting '0xffffffffxxxxxxxx' into seq results in a lockup of seq.

foo

Hmm, in Bazaar and Shadowhaven my key looks like 0xffffffff but zoning to Paludal Caverns makes it 0xd4cb88d02.

However, I am able to decrypt the 0xffffffff zones just fine. I've never entered a key in manually... I have it sent to showeq on a specific port. 4.3.2 has an option under >Decoder>Key Port to listen for the key.

Anyone else having problems?

Zertful

Very odd.. I use the 0xffffffffxxxxxxxx code from mvern's code an showeq now decodes. Apparently when it looks like it's locking up it's actually decoding after about 10sec.

Not sure why HoiHoi's code is displaying 0x00000000xxxxxxxxx still, which doesn't work.

Zertful,

Try adding 0xffffffff to all your decodes.

I took the code above, made the needed modifications for VC++6 and complied it... Updated my SEQ to 4.3.2 and got the new libEQ.a

Everything looks great, except ShowEQ doesn't seem to be getting the key I am sending to it. From the Windows side, I added some printf's and basically trace my progress through the process of the program and can see in my console window that I am finding eqgame.exe and getting the key. I am not getting any wsocks errors when sending the key over, and the key is a valid key each time I zone. I can run eq in eqw and then see the session key is being sent to my linux machine. I can also enter the key that I am sending to my linux machine manually in SEQ under the Decode/Input Session Key and it decodes perfectly.

Therefore only a few things could be wrong, 1) SEQ is not seeing my key come over, or 2) Even though I am not getting any socks errors, it just isn't sending it.

And yes, I have checked to ensure that I am sending it to the correct IP of my linux box and I set the decoder port to what I have in my config file.

Also, I am running WinXP, not that it should matter....


Any ideas on why SEQ doesn't seem to be seeing my key?

Linux Box IP is 192.168.1.100
Port I am looking for the key on is 600 which is the port I am sending it to.
Running SEQ 4.3.2 using the latest libEQ.a ( checked it with md5sum)

Also, yes I am linking wsock32.lib and ws2_32.lib in my project file.

Thanks for any help in advance,

Papa,

Only thing I can think of is to check your iptables. You may have some firewall rule not allowing all udp traffic into the linux box, even locally.

Also, the first time I tried to compile 4.3.2 I used 'cvs update'. But still managed to be running version 4.3.1 even though it had the option for "Key Port". It didn't work so I wiped my source and started over from scratch. After that compiled I didn't have any problems with it accepting the key.


Zert

I seem to have the same problem as Pappa Smurf;
Sniffer compiles ok, key is found and if I manually enter it into ShowEQ it decodes perfectly BUT it is not sent automatically using UDP:666.

I have disabled all firewall rules and verified in showeq.xml that the port is set to 666 but still nothing happens unless I enter the key by hand.

Is there any way I can debug this? I tried netstat -l, but port 666 is not listed as a port I am listening to. Maybe it shouldn't... any help is appreciated.

/Devis

You probably have already done this but... have you verified the line
#define CONF_FILE "C:/hh.conf"
in the code has the right path and file name for you conf file? Does your conf file have the correct IP address of you linux box?

I have, Loco. Since I can see the output in the DOS-box when running EQW I verified the IP and port there. That is also where I get the key when manually entering it into ShowEQ.

Keep the ideas coming though!

I found out my mistake.. I forgot to add in that change to the printf statement on

printf ("Session key:\t0x%016I64x\n", (unsigned long long) key);

The resulting key from HoiHoi's code now match mvern's kscan.c

However, I'm still unable to get SEQ to pick it out of the UDP port 666. I wrote the perl script to listen and print out port 666:UDP and I can see the key being pushed thru that port. So it's not my firewall.

I'm having to type the key in manually each time to get SEQ to decode.

Foo

Originally posted by Elyon
Hulkster99

Right after this line

printf ("scanning for eqgame.exe\n");

add the following


Sleep(15000);


That will give you 15 seconds to start the game.


it's really a lot easier to do it this way, so you have an unlimited amount of time to start the game:



int main(void)
{
if (ReadConfig() == 1) {
printf("config file name is: %s \n", CONF_FILE) ;
while (1) {
printf ("scanning for game\n");
scanproclist(1);
Sleep (10000); /* pause 10 seconds between checks */
}
}
else {
printf("error reading config file: %s \n", CONF_FILE) ;
exit (1) ;
}

return 0;
}

You probably have already done this but... have you verified the line
#define CONF_FILE "C:/hh.conf"
in the code has the right path and file name for you conf file? Does your conf file have the correct IP address of you linux box?


Loco, it is reading my config file without any problems. I can start eq in EQW and watch the dos box, and see that it is finding the key, and sending it to my linux boxs IP and port (192.168.1.100:600). I am gonna run a perl script to show me if the key is being recieved on that port on the linux side, if it is, then it seems to be that SEQ is just not getting the key from the port...


Any ideas anyone?


Thanks in advance,

I am gonna run a perl script to show me if the key is being recieved on that port on the linux side, if it is, then it seems to be that SEQ is just not getting the key from the port...


Any ideas anyone?


Without you first checking the things still unchecked, no, noone will be able to sugest any ideas that won't run you around in circles and get you nowhere for a couple of days.

I take a perl script that as listed here on the forums, and ran it while running my key sniffer, and it seems that the key is not being sent to the Linux machine for some reason.


My network setup:

DSL Modem / Linksys Router / 5 port mini-hub ( non-switch )
my Windows machine and linux machine plug into the mini-hub.

I am running WinXP Pro and Red-Hat 7.2 and do not have a firewall setup on linux, as I have everything shielded by the router. Installed 7.2 with standard options, nothing fancy.

My code to send the key over to the linux box looks like this...




int SendSessionKey(ULONGLONG SessionKey)
{
int ret;
WSADATA wsd;
SOCKET ssocket;
SOCKADDR_IN seq;

if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0)
{
printf("WSAStartup failed!\n");
return SOCKET_ERROR;
}

ssocket = socket(AF_INET, SOCK_DGRAM, 0);
if (ssocket == INVALID_SOCKET)
{
printf("socket() failed; %d\n", WSAGetLastError());
return SOCKET_ERROR;
}

seq.sin_family = AF_INET;
seq.sin_port = htons((short)config.seq_port);
seq.sin_addr.s_addr = inet_addr(config.seq_ip);

ret = sendto(ssocket, (char *) &SessionKey, sizeof(ULONGLONG), 0, (SOCKADDR *)&seq, sizeof(seq));
if (ret == SOCKET_ERROR)
return SOCKET_ERROR;

closesocket(ssocket);
WSACleanup();

return 0;
}



I am linking with wsock32.lib and ws2_32.lib and complied using MSVC++6

When running my sniffer, I can see in the dos box that it is reading my config file, getting the key correctly from memory, and sending it to my linux box's ip and port ( "Sending key to 192.168.1.102:666").

I am not getting any socket errors when I send the packet. From the windows side things appear to be working correctly.

The packet just doesn't seem to be getting to my Linux machine.

The perl script I used to see if the key was coming in on the port is:




#!/usr/bin/perl

use strict;
use IO::Socket;
my($sock, $oldmsg, $newmsg, $hisaddr, $sender, $MAXLEN, $PORTNO);
$MAXLEN = 1024;
$PORTNO = 666;
$sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => 'udp')
or die "socket: $@";
print "Awaiting UDP messages on port $PORTNO\n";
$oldmsg = "This is the starting message.";
while ($sock->recv($newmsg, $MAXLEN)) {
my($port, $ipaddr) = sockaddr_in($sock->peername);
$sender = gethostbyaddr($ipaddr, AF_INET);
print "Client $sender said ``$newmsg''\n";
$sock->send($oldmsg);
$oldmsg = "[$sender] $newmsg";

open (KEYFILE, ">/tmp/sessionkey_$sender.txt") or die "Couldn't open file.\n";
print KEYFILE $newmsg;
close KEYFILE;
}
die "recv: $!";




Any ideas what the problem is?


Thanks in advanced,

I found mine works if I don't use a lower secure type port, but a much higher port the type given out dynamicly,
like 56666

When running my sniffer, I can see in the dos box that it is reading my config file, getting the key correctly from memory, and sending it to my linux box's ip and port ( "Sending key to 192.168.1.102:666").

Any ideas what the problem is?


Lets read the announcement section together:


CVS Commit Nov 6, 2002 (http://seq.sourceforge.net/showthread.php?s=&threadid=2372)


I would recomend using ports in the range 10000 to 65000. ShowEQ defaults to port 10000 but can be configured using the Decoder menu. The packet itself MUST be UDP and the first 8 bytes of the payload MUST be the key in little endian byte order.

where can I find / download MinGW 2.0 ?

sa sa sa sa search.

di di di did


found nothing other than this thread which doesn't mention it heh.

http://sourceforge.net/project/showfiles.php?group_id=2435

Originally posted by gnome01
di di di did


found nothing other than this thread which doesn't mention it heh.

di di di did you think to look outside of this project?

http://www.google.com/

oh well, i'll ask anyway... where exactly does this send the key from the windows box to the linux box? I have seq setup to listen on port 666 but it does not receive any key type.

The mind boggles...

*boggle*

Originally posted by gnome01
oh well, i'll ask anyway... where exactly does this send the key from the windows box to the linux box? I have seq setup to listen on port 666 but it does not receive any key type.

Thanks for making this easy for me, all I had to do was copy & past the same answer I gave a few posts before yours: Lets read the announcement section together:

CVS Commit Nov 6, 2002 (http://seq.sourceforge.net/showthread.php?s=&threadid=2372)


I would recomend using ports in the range 10000 to 65000. ShowEQ defaults to port 10000 but can be configured using the Decoder menu. The packet itself MUST be UDP and the first 8 bytes of the payload MUST be the key in little endian byte order.

That one was so sad, it was funny..........

msk

Thanks to all who contributed, I was able to compile keysniffer and get SEQ back. :D

Ok, I've been know to overlook the obvious before, but i can't find any info about how the conf file should be set up. I tried settiing it up as follows:
SessionKeyLocation 0x00773b90
SendInterval 60
IP 192.168.001.103
Port 10441

and it asks me for the offset and after it says to hit any key, it sleeps permanently

What am i doing wrong?

Originally posted by Arrendek
Ok, I've been know to overlook the obvious before, but i can't find any info about how the conf file should be set up.

What am i doing wrong?

Search! it's amazing. i sit here and answer everyon's questions even though i don't know the answer myself until i click the search button. grrr. i am turning into mr. susspicious.

http://seq.sourceforge.net/showthread.php?s=&threadid=2291

it's a windows ini format config file.

Greetings,

I've compiled the code here with a few modifications and successfully created the executable file. I've also created the .conf and place it in the correct directory.

When I start my exe I get the following

config file name is: C:\hh.conf
scanning for game
found eqgame = pid = 524

OpenProcess failed, error: 5


Searched the forums and couldn't find any specific info on this problem. Any info would be appreciated.

Thanks

OpenProcess failed, error: 5

Searched the forums and couldn't find any specific info on this problem.

I don't believe you did search. there is a thread with that same error message as the title in the helpdesk forum.

I read your post concerning this before I posted but did not find an answer that made any sense to me :rolleyes:

Originally posted by Mr. Suspicious


quote:
--------------------------------------------------------------------------------
Originally posted by gnome01
oh well, i'll ask anyway... where exactly does this send the key from the windows box to the linux box? I have seq setup to listen on port 666 but it does not receive any key type.
--------------------------------------------------------------------------------



Thanks for making this easy for me, all I had to do was copy & past the same answer I gave a few posts before yours: Lets read the announcement section together:

CVS Commit Nov 6, 2002

quote:
--------------------------------------------------------------------------------

I would recomend using ports in the range 10000 to 65000. ShowEQ defaults to port 10000 but can be configured using the Decoder menu. The packet itself MUST be UDP and the first 8 bytes of the payload MUST be the key in little endian byte order.

--------------------------------------------------------------------------------




ok, I was using port 666 as an example heh because thats the one stated in this thread and in the code.. I am really using port 55000, but my question was not based upon the port. I was asking a simple question. Let me refrase perhaps you might understand what my question was.

I was asking somewhere in the ballfield of where this code is sending the keyfile.dat to the linux computer, I am by far no C++ programmer as I know very little. Would I need additional software other than this source and seq to make the linux machine actually receive the key?

Thanks,
-gnome01

Originally posted by EQWarrior86
I read your post concerning this before I posted but did not find an answer that made any sense to me :rolleyes:

then wouldn't it make more sence to post in that thread, saying "I don't understand what you are saying, please clarify xxx point." rather than post in this thread saying that the information has never been posted?

It's not uploading a file. It's sending directly to a socket (IPaddress and portnumber) on the linux box.

You set this in the showeq gui.


edit: Just noticed that it doesn't actually have a socket open to RX the packet. If just "sniffs" for the packet like it does for EQ packets. Same answer applies.

-Lane

Oh, now I realize why I can't find the port among the ones my Linux box listens to. It's simply sniffing for the packets!

Thanx, Lane!

I was asking somewhere in the ballfield of where this code is sending the keyfile.dat to the linux computer

No it's not sending any file. It sends a UDP "packet" to whichever IP adress you specified in the source. This UDP packet is ignored by the receiving IP party, because it doesn't make sence to them (they just drop it) Because you have set your ShowEQ to "sniff" any packets going along the line on port X (55000 in your case) ShowEQ sees that packet, knows it makes sence and uses it o decode.


I am by far no C++ programmer as I know very little. Would I need additional software other than this source and seq to make the linux machine actually receive the key?

No nothing extra. Well, you need a compliler to compile the source into an executable program.

Ok. I compile in MinGW with no errors. My c:\hh.conf looks like this:

[Client]
SessionKeyLocation=0x00773b90
SendInterval=10

[ShowEQ]
IP=my linux box ip here
Port=55000

My hh.exe was compiled in c:\mingw\bin.

This is how I am using the program and seq, in this order:
showeq is always open -> decode -> key port, 55000
open hh.exe (not sure if it's suposed to just open and close. But that's what is happening. hh.exe opens and immediately closes, or hides? I'm not sure if this is suposed to happen, or is it just me?)
open EQ *using eqw*

when I get past the character screen and into a zone I go to my showeq box and use decode -> load session key. At this point nothing happens, nothing decodes, etc.


Thanks Mr. S for explaining the process of UDP, it helps me better understand the program...

I also assume I do not need to use Input Session Key and Key filename for this to work..


Any help would be appreciated, thanks.

hoihoi's code does not loop looking for eqgame, so you have to have eq already started before you run it.

however, you must be at the server select of character select screen to run it. if you run it after you have already logged in, you will likely get error 5.

First: Forget everything you are doing.

Next: Do this...
Start SEQ and enter port number that is in config file.
Save settings in SEQ and don't worry about step one again.

Run EQ in EQW
Once you get to the char select screen go back to a windows screen.
Open a "dos" window (Start ->Run->cmd. Move to the proper directory of where hh.exe is.
Run hh.exe (PS, you really should have renamed this)
It should say something about looking for game and finding the config file then find the key.
Go back to EQ.
Select a character and enter the world.
Bob's your uncle.

You will not need to enter anything into SEQ. That is why it is sniffing the UDP packets. If it sees one, it will load that key and you will get colors. Woot.

Note: This is how I would need to start EQ on my computer (win2000). Depending on your OS it could be a little different, but this should work. Also, by combining some of the code snipets in these forums you could change it so you can just run in the backround, have 3-4 minutes to get to the char select screen, and then play.

I don't write this code, I just read it and sometimes I don't read so well.

-Lane

Gnome01, You have it all correct, but you need to change the end of the code and replace with this, then recompile. This will make the program LOOP waiting for EQGAME and once it's found it, do what it's supposed to do, without having to run EQ Windows.



code:-------------------------------------------------------------------------------
int main(void)
{
if (ReadConfig() == 1) {
printf("config file name is: %s \n", CONF_FILE) ;
while (1) {
printf ("scanning for game\n");
scanproclist(1);
Sleep (10000); /* pause 10 seconds between checks */
}
}
else {
printf("error reading config file: %s \n", CONF_FILE) ;
exit (1) ;
}

return 0;
}

Thanks Guys for the help.. I added Elyon's code to it and compiled with no errors however I am getting a new error...

Here is the source..



// $Header: /usr/local/cvsroot/senseheading/senseheading.c,v 1.4 2002/11/05 23:36:03 hoihoi Exp $

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <tlhelp32.h>
#include <time.h>

#define CONF_FILE "C:/hh.conf"
#define CONF_SIZE 16

struct CONFIG
{
unsigned long long SessionKeyLocation;
unsigned int SendInterval;
char seq_ip[16];
int seq_port;
} config;

int SendSessionKey(unsigned long long SessionKey);

void readkey (HANDLE hProcess, int useConfig)
{
while (1)
{
unsigned long addr;
unsigned long long key = 0xffffffffffffffff;

char keypressing;

if (useConfig == 0)
{
printf ("\nenter offset (ie: 0x00773b90): ");
if (scanf ("%08x", &addr) == 1)
{
printf ("offset:\t0x%08x\n", addr);
}
}
else
addr = config.SessionKeyLocation;

if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
{
printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
}
else
{
printf ("Session key:\t0x%016I64x\n", (unsigned long long) key);

if ( useConfig == 1)
{
if (SendSessionKey(key) != SOCKET_ERROR)
printf("Sent the session key to %s:%d\n", config.seq_ip, config.seq_port);
else
printf("Failed to send the session key to %s:%d\n", config.seq_ip, config.seq_port);
}

if (config.SendInterval != 0)
sleep(config.SendInterval*1000);
else
{
printf("\nPress some key to continue");
scanf("%s", &keypressing);
}
}
}

fflush (stdin);
}

int scanproclist ( int useConfig )
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};

// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == INVALID_HANDLE_VALUE)
return 0;

// Fill in the size of the structure before using it.
pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
HANDLE hProcess;

do
{
LPSTR pCurChar;
char pName[512];

// strip path and leave exe filename
for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile));
*pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;
--pCurChar)

strcpy(pName, pCurChar);
strlwr(pName);

if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
{
printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
hProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
if (hProcess == NULL)
{
DWORD dw;
dw = GetLastError();
printf ("OpenProcess failed, error: %u\n", dw);
return 0;
}
readkey (hProcess, useConfig);
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle (hProcessSnap);
return 0;
}


int ReadConfig (void)
{
int useConfig = 0;
char conf_buffer[CONF_SIZE];

GetPrivateProfileString("Client", "SessionKeyLocation", "0", conf_buffer, CONF_SIZE, CONF_FILE);
config.SessionKeyLocation = strtol(conf_buffer,NULL,16);

GetPrivateProfileString("Client", "SendInterval", "0", conf_buffer, CONF_SIZE, CONF_FILE);
config.SendInterval = atoi(conf_buffer);

GetPrivateProfileString("ShowEQ", "IP", "0", conf_buffer, CONF_SIZE, CONF_FILE);
strcpy(config.seq_ip, conf_buffer);

GetPrivateProfileString("ShowEQ", "Port", "0", conf_buffer, CONF_SIZE, CONF_FILE);
config.seq_port = atoi(conf_buffer);

if (config.SessionKeyLocation > 0)
useConfig = 1;

return useConfig;
}

int SendSessionKey(unsigned long long SessionKey)
{
int ret;
WSADATA wsd;
SOCKET ssocket;
SOCKADDR_IN seq;

if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0)
{
printf("WSAStartup failed!\n");
return SOCKET_ERROR;
}

ssocket = socket(AF_INET, SOCK_DGRAM, 0);
if (ssocket == INVALID_SOCKET)
{
printf("socket() failed; %d\n", WSAGetLastError());
return SOCKET_ERROR;
}

seq.sin_family = AF_INET;
seq.sin_port = htons((short)config.seq_port);
seq.sin_addr.s_addr = inet_addr(config.seq_ip);

ret = sendto(ssocket, (char *) &SessionKey, sizeof(unsigned long long), 0, (SOCKADDR *)&seq, sizeof(seq));
if (ret == SOCKET_ERROR)
return SOCKET_ERROR;

closesocket(ssocket);
WSACleanup();

return 0;
}
int main(void)
{
if (ReadConfig() == 1) {
printf("config file name is: %s \n", CONF_FILE) ;
while (1) {
printf ("scanning for game\n");
scanproclist(1);
Sleep (10000); /* pause 10 seconds between checks */
}
}
else {
printf("error reading config file: %s \n", CONF_FILE) ;
exit (1) ;
}

return 0;
}



Error is: Error reading config file: c:/hh.conf

conf file posted above with my other post.

gnome01 replace this text

#define CONF_FILE "C:/hh.conf"

with this text

#define CONF_FILE "C:\hh.conf"

I think that will fix your problem if not try

#define CONF_FILE "C:\\hh.conf"

Hope that helps

MightyWarrior

i think you need to use the non standard \ instead of /...


also, if you use ./ (er, .\?) instead of a full path i think it looks in the current directory for the conf file.



#define CONF_FILE "./hh.conf"

actually "/" is standard. We were saddled with the "\" when Gates stole CP/M and attempted to make it look less like naked plagerism.

"Sig?.......Yeah I have a sig......I am working on it......And it will be big and flashy......And take up 2 pages......Yeah that is the ticket."

PROBLEM FIXED... it's kinda silly what was wrong but.. hh.conf was a notepad file so you need to make it:

#define CONF_FILE "C:\hh.conf.txt"


Thanks for the posts.!

as a way of fixing THAT without having to re-compile your sniffer... you could have turned on the ability in windows to see "file extensions for known type" or something like that, then just renamed it from "hoihoi.conf.txt" to "hoihoi.conf" :)

yeah fry, I obviouslly had that off =p....

ok here's another question. Now that I have everything working and such, and we all know you can only open this sniffer at the character screen (not when actually in a zone). Would there be a way to make it so you can open this when in a zone and it would actually get the PID and send the key off to linux box? The main reason I want the program to do this is because it will reduce the chance of being cought the less I use it. So mainly I could just open it, watch it send the key, close it, done...(repeat after zoning etc) =)

Thanks

The main reason I want the program to do this is because it will reduce the chance of being cought the less I use it.

Don't presume this - I know that this idea has floated around the boards - but if they run checks on the memory and detect the read then it doesn't matter how often you read the memory - you will get caught.

We already know they do some checks on memory and that they DO send info to the server - they are experienced in this regard.

For example:

There was a hack where you could directly write some hex to memory and alter your run speed to beyond GM levels - this is known as the 'run speed hack' - Verant put checks into the code to watch the checksum of the memory and when it was altered then they sent a flag over to the Verant HQ and banned the account that did this.

*THIS* is what caused the mass bannings way back when - only thing is somehow they either got a glitch or realised they couldn't afford to ban so many and then reinstated alot of accounts - they could have been working on fear factor to make people realise that this can happen in MASS.

Remember that Verant does work with FUD factor involved and the more they can do to make you look over your shoulder if they think you are doing something wrong then the more they win. It is very easy to put a checksum into the code to watch certain variables so that direct memory hacks are caught - the problem is how are they going to read the memory read - because a read is passive it really doesn't alter anything and therefore is harder to detect.

The theory sofar however is that the process used to read the memory in this and other programs is attaching a debug call to the process - this can throw an exception and if VI is checking for this they can then just send a flag to the server (a byte or less in any packet sent to the server) and wham - you are flagged.

If you want to check this 'feature' out - go buy a copy of Everquest Classic - then do a search for the run speed hack on the web - use it on the new account - within a few days your account *will* be banned.

do they only flag accounts? or IP's as well?

I've never been banned so I don't know...

going off of info 2nd had I'd say just accounts - people who run 'hacks' tend to pick up the 9 dollar version to test the hack on to see if it will get them banned first....

Sorry mad poet you are wrong in this thing.

This is from another of my posts:

As mvern and Mr. Spock confirmed in this thread: http://seq.sourceforge.net/showthread.php?s=&threadid=2359 (end of page 3).
SOE could not use the function IsDebuggerPresent() to catch the sniffers that only use OpenProcess() and ReadProcessMemory(),
even if they have the access for debugging. At least one point for our side.

You need to call DebugActiveProcess() to set the flag.

Is good to be afraid of SOE, just not that afraid.

Edit: Fixed the weird URL

I'm not saying that is written in stone - just that there is a possiblity - I have a feeling they are trying to figure out a way to detect it myself.

The point is still correct though - if they can detect the memory read then it doesn't matter if your program runs for .001 seconds or stays up 24x7...

But it's good to know the info about the trap =) Thanks!

*edit*
er ... and yer link didn't work search is gud

Yes Mad Poet.

That's another thing, today finally someone posted a very good doc that has good examples of how to hook API Calls (I am glad that you like to search :D ). I started a week ago the discussion on another thread based on something that I read and was unable to find, now is a reality and they can use that way if they were dumb.

Now, we should expect that and check if the ReadProcessMemory() has being hooked (careful, probably AntiVirus and Memory Optimizers already hook it). It will start a war between our side and their side.

I personally think that they will not do it, because they can impact performance and introduce bugs. But who knows?

Ohh, I fixed the URL on the another post.

using dev-c++ 4.9.6.0
heres the error

line 96 unterminated error constant
heres the code

*pCurChar != '\' && pCurChar != pe32.szExeFile - 1;

I have added the extra \ but then i get a lot more errors.

Could it be my compiler?

Using this code and Cywin gcc .. I get this :


In file included from senseheading.c:5:
/usr/include/w32api/winsock2.h:95:2: warning: #warning "fd_set and associated macros have been defined in sys/types. This may cause runtime problems with W32 sockets"


CBiLL

The new offset appears to be 0x0078AAD0, i changed this in the line sessionkeylocation= in the hh.conf file but seems it wont bind to eqgame it just closes, do i need to put this some where else as well, i tried even recompiling with no luck. Thanks for any help i am very new to this aspect of programming these sweet little utilities

It's not closing actually, it's giving an error 5. (run it from a command line shell instead of the program directly to see this).

Interestingly, this is working *perfectly* under 98SE, it's only under XP I'm seeing this issue (error 5).

I'm starting to think they've changed their check for debugging.

I'm going to try enabling compatibility mode for 98SE and see if it can attach..

I'm no C programmer, but I know a bit of php, so that's helped me a *little* bit getting this to work.

I had to enable debug privs in order to get this one working in Windows XP. Once I inserted that code that was posted somehwere (in this thread maybe), it seemed that the program wouldn't read the config file properly.

I just hardcoded the offset, interval, SEQ IP, SEQ Port variables and was able to get it to work.

I also put in that code so that it would loop waiting for eqgame.exe so I don't have to use a telnet server anymore.

Yea, so, I'll have to recompile when there's a new offset. Fortunately it's not all that much more difficult then changing a config file; I just need to run another command to recompile once I change it. No biggie for me.

I'm going to try and get the sniffer to also check for eqgame.exe whenever it's going to grab the key and send it off to the linux box. This would allow me to keep the program running if I exit EQ.

Hiya all,

can someone explain me what i did wrong plz im getting this message

config file name is: C:/key/key.conf
scanning for game
scanning for game
found eqgame - pid = 1860

OpenProcess failed, error: 5
scanning for game
found eqgame - pid = 1860

thnxs

This is a well known problem. You could use the search feature to find the answer.

However.

I'm feeling particularily jovial tonight...

Error 5 means you need to add a stub of code to your program that will enable debug privileges when your app executes.

I am trying to use this sniffer as well. All compiles fine now. The program reports it is sending a key to the SEQ box. SEQ box confirms this with TCPDUMP watching the appropriate port.

The problem is, both the sniffer and TCPDUMP looks like the key value being sent is 0x00000000... (all zeros)

I am using offset 0x00773b90. Is this the correct offset?

If so, any ideas why I am getting a zero value being read for the key?

I compiled with MinGW on Win98.