-
I am still having problems with mine not unhooking, so when I get into the game I just shut off my DLL; that seemed to fix my crashing after memory fills up. I can't figure out how to use any of the debuggers for WinME. If someone could help me figure one out, I can post what is happening to me.
-
Ahh, so you just have to either "Ctrl+Alt+Del" the rundll32 or run RemoveHook?
I'll try that tonight and see if I stop crashing.
-
My EQ still crashes from this sniffer after a while also, and it's probably because the hooker never releases itself, even with the unhook.
How do you shut off the DLL when in the game?
The only way I have found is to reboot; then the system notices it and asks to kill it, but it doesn't show up in the task manager before that.
dn
-
It should be in task manager as "Rundll32.exe", not the .dll file you made.
-
More obfuscation
I don't know just how effective this would be at hiding it, but I copied rundll32.exe and gave it a different name, say something like ADUsermon.exe or something like that that other programs run (that I'm not running)... so many programs create processes anymore it's sickening.
At any rate a process enumeration doesn't show "Rundll32.exe" sitting there, and it is gone after EQ starts up.
I also placed the DLL on a network drive and used UNC to reference and use it thus removing the ability to detect it by scanning the local drive.
-
Not hearing anything
I spent many many hours reading these forums yesterday and I still cannot quite get my setup to work. I think it may be a topology thing as I think everything else I have is working.
* I was able to compile with no errors. Rundll32 loads and unloads as it should.
* I can get GPS mode with the grey unknowns
* When I run tcpdump to listen on my specified port I don't get anything, well, kind of. When I hit any key to get past the first three screens before login (SOE, EULA, etc.) my tcpdump gets a few messages, but not the 8-byte UDP packet that I am expecting. A lot of ARP chatter asking who xxx.xxx.xxx.xxx is, and responses with MAC addresses. After about 15 lines of this chatter I get nothing, even when zoning.
* Here is my setup:
Internet -- Cable Router -- Hub -- SEQ, EQ, 2k Box
My 2k box is acting as gateway, dhcp, etc. Is there a problem with this setup?
Any help is appreciated.
-
Zewl_1,
This might or might not be the answer you're seeking, but most cable companies only give out 2 IP numbers. So if you're not using a switch where you listed a hub, the SEQ system might not be getting an IP number assigned. Make sure you're setting the port number high too, like 50000.
-
Enig, thanks for the response. My cable router has the ISP IP address assigned to it and it is NATing out to the rest of my boxes.
I have tried several addresses. The odd thing is, I can set tcpdump to listen to all ports and it sees the data going from the EQ box out.
Thanks.
-
You get GPS mode = no problem with your IP setup.
Perhaps a problem opening the port or attaching to the exe. If you had a wrong offset you should see something in tcpdump, but it would not be the correct key ...
Have not used the DLL ... therefore only common hints.
-
* You get GPS mode = no problem with your IP setup.
That's what I was thinking, Lord Crush. I am a little confused by the offset thing. In the example code of:
RUNDLL32.EXE mysniffer.dll,InstallHook 192.168.1.10 666 eqgame.exe 0x00773b90
Is the 0x00773b90 the offset, and should it be set to 0x007c1950?
Thanks.
-
I am not sure about the current offset; it will change today anyway ... so we have to wait until a kind person with a debugging skill of 250 posts the new offset. :D
But I suggest changing the port 666 to some number above 1024, or better above 10000.
666 is used by a trojan:
http://www.windowsecurity.com/whitep...orses_use.html
Perhaps you check this :p
And Doom uses it ;)
http://www.zvon.org/tmRFC/RFC1700/Output/chapter6.html
Hope it helps a little.
-
He's showing you an example of the syntax:
RUNDLL32.EXE mysniffer.dll,InstallHook 192.168.1.10 666 eqgame.exe 0x00773b90
Where 0x00773b90 would be replaced by whatever the current offset is found to be.
1.) Check to make sure you can ping each machine from the other.
2.) Check to make sure the firewall on your Linux box isn't blocking the port you're using.
3.) Check in SEQ "Network => Keyport =>" and enter whatever you put into your sniffer.
4.) Make sure you're actually giving your tcpdump something to see. If you are installing the hook with a trigger of eqgame.exe, then you need to actually start EQ and wait for packets. (They will only be sent once or twice during boot of the game, then every time you zone, for the most part.)
-
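As an added example that is not part of the thread and not the sniffer DLL's own code: a small Python diagnostic that follows the two pieces of advice above, Lord Crush's point about the port number (stay above 1024, preferably above 10000, and avoid 666) and the four-step checklist for a silent tcpdump. It binds the port given to InstallHook, collects whatever UDP datagrams arrive within a time window, and turns the result into one of three verdicts that map onto the checklist. The only fact it assumes from the thread is that the DLL's key packet is 8 bytes; the port 50000 default and the 90-second window are my own choices, and the payloads in demo() are constructed, not a real capture.

```python
"""Diagnostic for the ShowEQ key-sniffer setup: port sanity check plus a
UDP listener that reports what reaches the SEQ box. Added example, not the
sniffer's own code; the 8-byte key packet size is taken from the thread."""
import socket
import sys
import time
from collections import Counter
from typing import Iterable, List, Tuple

KEY_PACKET_LEN = 8            # the DLL's UDP key packet is 8 bytes (per the thread)
DEFAULT_LISTEN_SECONDS = 90   # key packets only appear at game start and on zoning (assumed window)


def check_port(port: int) -> Tuple[bool, str]:
    """Apply the port advice from the thread: above 1024, better above 10000, never 666."""
    if not 1 <= port <= 65535:
        return False, "port must be between 1 and 65535"
    if port == 666:
        return False, "666 is a well-known trojan/Doom port; pick another"
    if port < 1024:
        return False, "ports below 1024 are privileged; use one above 1024"
    if port < 10000:
        return True, "acceptable, but a port above 10000 is recommended"
    return True, "ok"


def classify_datagram(payload: bytes) -> str:
    """Label a received UDP payload by size; 'key-sized' is the one we expect."""
    if len(payload) == 0:
        return "empty"
    if len(payload) == KEY_PACKET_LEN:
        return "key-sized"
    return "other-size"


def diagnose(payloads: Iterable[bytes]) -> str:
    """Map what was captured to a verdict that matches the troubleshooting steps."""
    counts = Counter(classify_datagram(p) for p in payloads)
    if not counts:
        return "silent"      # nothing reached this port: ping / firewall / trigger
    if counts["key-sized"]:
        return "key-seen"    # right-sized packets arrive: now check SEQ's Keyport
    return "no-key"          # traffic, but never 8 bytes: suspect offset / trigger


ADVICE = {
    "silent": "No datagrams at all. Check ping between the boxes, the firewall on "
              "the SEQ box, and that eqgame.exe was started after the hook went in.",
    "key-seen": "8-byte datagrams arrived. Make sure SEQ's Network => Keyport "
                "matches the port given to InstallHook.",
    "no-key": "Datagrams arrived but none were 8 bytes. Check the offset passed "
              "to InstallHook and the trigger exe name.",
}


def listen(port: int, seconds: float = DEFAULT_LISTEN_SECONDS,
           bind_addr: str = "0.0.0.0") -> List[bytes]:
    """Collect every UDP payload that reaches bind_addr:port within `seconds`."""
    received: List[bytes] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(1.0)               # wake up each second to check the deadline
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            try:
                payload, peer = sock.recvfrom(65535)
            except socket.timeout:
                continue
            print(f"{peer[0]}:{peer[1]} -> {len(payload)} bytes "
                  f"({classify_datagram(payload)})")
            received.append(payload)
    return received


def demo() -> str:
    """Run diagnose() over constructed payloads (not a real capture)."""
    constructed = [b"\x11\x22\x33\x44\x55\x66\x77\x88", b"not-a-key"]
    return diagnose(constructed)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 50000   # 50000 as suggested in the thread
    ok, reason = check_port(port)
    print(f"port {port}: {reason}")
    if not ok:
        sys.exit(1)
    print("listening; start EQ (or zone) now ...")
    verdict = diagnose(listen(port))
    print(verdict, "-", ADVICE[verdict])
```

Run it on the SEQ box with the same port you passed to InstallHook, then start EQ or zone while it listens. The verdict only distinguishes "nothing arrives", "something the right size arrives" and "something the wrong size arrives"; it cannot tell whether an 8-byte packet carries the correct key, which is exactly the case Lord Crush describes for a wrong offset.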