
Thread: sense heading [send key over udp to showeq]

  1. #1
    Hoihoi
    Guest

    sense heading [send key over udp to showeq]

    Do not distribute any binaries of this, and do not use any binaries of this that you did not compile yourself.

    I tuned mvern's code a bit to send the key over UDP to the ShowEQ box and to use a config file.

    This is the sample config file:
    Code:
    [Client]
    SessionKeyLocation=0x00773b90
    SendInterval=600
    
    [ShowEQ]
    IP=192.168.1.11
    Port=666
    SendInterval makes the program send the key to the ShowEQ box every X seconds.
    Set it to 0 to not send it automatically.

    This is the source for it. It compiles fine with lcc.
    Code:
    // $Header: /usr/local/cvsroot/senseheading/senseheading.c,v 1.1.1.1 2002/11/02 21:10:16 hoihoi Exp $
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <winsock2.h>
    #include <tlhelp32.h>
    
    #define CONF_FILE "C:/senseheading/senseheading.conf"   /* absolute path of the INI file read by ReadConfig(); written with forward slashes */
    #define CONF_SIZE 16                                     /* length of the scratch buffer every INI value is read into, and of config.seq_ip */
    
    /* Settings loaded from CONF_FILE by ReadConfig(); one global instance, `config`. */
    struct CONFIG
    {
    	unsigned long long SessionKeyLocation;   /* [Client] SessionKeyLocation, parsed as hex; 0 means "prompt for the offset instead" */
    	unsigned int SendInterval;               /* [Client] SendInterval in seconds between sends; 0 means "wait for a keypress instead" */
    	char seq_ip[16];                         /* [ShowEQ] IP as dotted-quad text; ReadConfig copies a CONF_SIZE buffer into it */
    	int seq_port;                            /* [ShowEQ] Port, the UDP destination port */
    } config;
    
    /* Formats SessionKey as "0x%016llx" and sends it by UDP to config.seq_ip:config.seq_port.
     * Returns 0 on success or SOCKET_ERROR. */
    int SendSessionKey(unsigned long long SessionKey);
    
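    void readkey (HANDLE hProcess, int useConfig)
    {
    	/*
    	 * Repeatedly read 8 bytes at the configured (or interactively entered)
    	 * address of hProcess and print them as the session key.  With
    	 * useConfig == 1 the key is also handed to SendSessionKey(); the loop then
    	 * sleeps config.SendInterval seconds, or waits for a keypress when
    	 * SendInterval is 0.  Returns only when stdin reaches EOF.
    	 *
    	 * hProcess must have been opened with at least PROCESS_VM_READ.
    	 */
    	while (1)
    	{
    		unsigned long addr = 0;
    		unsigned long long key = 0;
    		int haveKey = 0;
    
    		if (useConfig == 0)
    		{
    			printf ("\nenter offset (ie: 0x00773b90): ");
    			/* %lx matches the unsigned long operand (the old %08x did not)
    			 * and still accepts an optional 0x prefix */
    			if (scanf ("%lx", &addr) != 1)
    			{
    				/* bad token: discard the rest of the line instead of reading
    				 * memory at an uninitialised addr, and stop on EOF instead
    				 * of spinning on it forever */
    				int c;
    				while ((c = getchar ()) != '\n' && c != EOF)
    					;
    				if (c == EOF)
    					return;
    				printf ("not a hex offset\n");
    				continue;
    			}
    			printf ("offset:\t0x%08lx\n", addr);
    		}
    		else
    			addr = (unsigned long) config.SessionKeyLocation;
    
    		if (ReadProcessMemory (hProcess, (void *) addr, &key, sizeof key, NULL) == 0)
    		{
    			/* GetLastError() returns a DWORD, i.e. unsigned long */
    			printf ("ReadProcessMemory on %u bytes at 0x%08lx failed: %lu\n",
    			        (unsigned) sizeof key, addr, GetLastError ());
    		}
    		else
    		{
    			printf ("Session key:\t0x%016llx\n", key);
    			haveKey = 1;
    		}
    
    		/* only forward a key that was actually read; the old code sent the
    		 * stale or uninitialised buffer after a failed read as well */
    		if (useConfig == 1 && haveKey)
    		{
    			if (SendSessionKey (key) != SOCKET_ERROR)
    				printf ("Sent the session key to %s:%d\n", config.seq_ip, config.seq_port);
    			else
    				printf ("Failed to send the session key to %s:%d\n", config.seq_ip, config.seq_port);
    		}
    
    		if (config.SendInterval != 0)
    		{
    			/* Win32 Sleep() takes milliseconds, which is what the *1000 intends */
    			Sleep (config.SendInterval * 1000);
    		}
    		else
    		{
    			char keypress[64];
    
    			printf ("\nPress some key to continue");
    			/* width-limited read into a real buffer; the original read "%s"
    			 * into a single char and overran the stack */
    			if (scanf ("%63s", keypress) != 1)
    				return;
    		}
    	}
    }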
    
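    int scanproclist ( int useConfig )
    {
        /*
         * Walk the process list and, for every image whose lower-cased name
         * starts with "testeqgame" or "eqgame", open it for memory reads and
         * hand it to readkey().  useConfig is passed through to readkey().
         * Prints a diagnostic on each failure path.  Always returns 0; the
         * value is not used by the caller.
         */
        HANDLE         hProcessSnap = NULL;
        PROCESSENTRY32 pe32      = {0};
        int            found     = 0;
    
        //  Take a snapshot of all processes in the system.
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hProcessSnap == INVALID_HANDLE_VALUE)
        {
            printf ("CreateToolhelp32Snapshot failed, error: %lu\n", GetLastError());
            return 0;
        }
    
        //  Fill in the size of the structure before using it.
        pe32.dwSize = sizeof(PROCESSENTRY32);
    
        if (Process32First(hProcessSnap, &pe32))
        {
            do
            {
                const char *pCurChar;
                char        pName[512];
                size_t      len;
                HANDLE      hProcess;
    
                // strip path and leave exe filename. strrchr replaces the old
                // hand-rolled scan, which stepped to szExeFile - 1 (a pointer
                // before the array) and ran strcpy on every iteration.
                pCurChar = strrchr (pe32.szExeFile, '\\');
                pCurChar = (pCurChar != NULL) ? pCurChar + 1 : pe32.szExeFile;
    
                // bounded copy: szExeFile is MAX_PATH bytes and pName is larger,
                // but do not rely on that relationship.
                len = strlen (pCurChar);
                if (len >= sizeof pName)
                    len = sizeof pName - 1;
                memcpy (pName, pCurChar, len);
                pName[len] = '\0';
                strlwr (pName);
    
                if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
                {
                    // th32ProcessID is a DWORD (unsigned long)
                    printf ("found eqgame - pid = %lu\n\n", pe32.th32ProcessID);
                    // least privilege: ReadProcessMemory needs only PROCESS_VM_READ,
                    // so do not request PROCESS_ALL_ACCESS
                    hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
                    if (hProcess == NULL)
                    {
                        printf ("OpenProcess failed, error: %lu\n", GetLastError());
                        CloseHandle (hProcessSnap);   // the old code leaked the snapshot here
                        return 0;
                    }
                    found = 1;
                    readkey (hProcess, useConfig);
                    CloseHandle (hProcess);
                }
            }
            while (Process32Next(hProcessSnap, &pe32));
        }
    
        CloseHandle (hProcessSnap);
        if (!found)
            printf ("eqgame.exe not found\n");   // the program simply exits in this case
        return 0;
    }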
    
    
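    int ReadConfig (void)
    {
    	/*
    	 * Load CONF_FILE into the global `config`.  Missing keys fall back to
    	 * "0" through GetPrivateProfileString's default argument.
    	 * Returns 1 when [Client] SessionKeyLocation parsed to a non-zero
    	 * address (automatic mode), 0 otherwise (the offset is prompted for).
    	 */
    	int useConfig = 0;
    	char conf_buffer[CONF_SIZE];
    	size_t len;
    
    	GetPrivateProfileString("Client", "SessionKeyLocation", "0", conf_buffer, CONF_SIZE, CONF_FILE);
    	/* base 16 accepts an optional "0x"; strtoul rather than strtol so a
    	 * stray '-' cannot widen into a huge unsigned long long */
    	config.SessionKeyLocation = strtoul(conf_buffer, NULL, 16);
    
    	GetPrivateProfileString("Client", "SendInterval", "0", conf_buffer, CONF_SIZE, CONF_FILE);
    	config.SendInterval = (unsigned int) strtoul(conf_buffer, NULL, 10);
    
    	GetPrivateProfileString("ShowEQ", "IP", "0", conf_buffer, CONF_SIZE, CONF_FILE);
    	/* explicit bound instead of strcpy: conf_buffer and seq_ip are both
    	 * CONF_SIZE today, but nothing enforces that they stay the same size */
    	len = strlen(conf_buffer);
    	if (len >= sizeof config.seq_ip)
    		len = sizeof config.seq_ip - 1;
    	memcpy(config.seq_ip, conf_buffer, len);
    	config.seq_ip[len] = '\0';
    
    	GetPrivateProfileString("ShowEQ", "Port", "0", conf_buffer, CONF_SIZE, CONF_FILE);
    	config.seq_port = (int) strtol(conf_buffer, NULL, 10);
    
    	if (config.SessionKeyLocation > 0)
    		useConfig = 1;
    
    	/* the port is only used when sending automatically, so only then warn */
    	if (useConfig == 1 && (config.seq_port < 1 || config.seq_port > 65535))
    		printf("warning: ShowEQ Port %d is not a valid UDP port\n", config.seq_port);
    
    	return useConfig;
    }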
    
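    int SendSessionKey(unsigned long long SessionKey)
    {
    	/*
    	 * Format SessionKey as the 18-character text "0x%016llx" and send it in
    	 * a single UDP datagram to config.seq_ip:config.seq_port.
    	 * Returns 0 on success, SOCKET_ERROR otherwise (after printing why).
    	 * The datagram is plain text with no authentication, so the receiving
    	 * side has to treat it as untrusted input.
    	 */
    	char content[19];   /* "0x" + 16 hex digits + NUL; the old [18] overflowed by one byte */
    	WSADATA wsd;
    	SOCKET ssocket = INVALID_SOCKET;
    	SOCKADDR_IN seq;
    	int ret = SOCKET_ERROR;
    
    	if (config.seq_port < 1 || config.seq_port > 65535)
    	{
    		printf("invalid ShowEQ port %d\n", config.seq_port);
    		return SOCKET_ERROR;
    	}
    
    	sprintf(content, "0x%016llx", SessionKey);
    
    	if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0)
    	{
    		printf("WSAStartup failed!\n");
    		return SOCKET_ERROR;
    	}
    
    	ssocket = socket(AF_INET, SOCK_DGRAM, 0);
    	if (ssocket == INVALID_SOCKET)
    	{
    		printf("socket() failed; %d\n", WSAGetLastError());
    		goto cleanup;   /* WSACleanup still has to run */
    	}
    
    	memset(&seq, 0, sizeof seq);
    	seq.sin_family = AF_INET;
    	seq.sin_port = htons((unsigned short)config.seq_port);
    	seq.sin_addr.s_addr = inet_addr(config.seq_ip);
    	if (seq.sin_addr.s_addr == INADDR_NONE)
    	{
    		/* inet_addr() cannot tell a malformed string from 255.255.255.255;
    		 * a ShowEQ box never sits at the broadcast address, so reject both */
    		printf("invalid ShowEQ IP '%s'\n", config.seq_ip);
    		goto cleanup;
    	}
    
    	/* wire format unchanged: the 18 visible characters, no terminating NUL */
    	ret = sendto(ssocket, content, (int)(sizeof content - 1), 0, (SOCKADDR *)&seq, sizeof(seq));
    	if (ret == SOCKET_ERROR)
    	{
    		printf("sendto() failed; %d\n", WSAGetLastError());
    		goto cleanup;   /* the old code leaked the socket and WSA state here */
    	}
    	ret = 0;
    
    cleanup:
    	if (ssocket != INVALID_SOCKET)
    		closesocket(ssocket);
    	WSACleanup();
    	return ret;
    }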
    
    
    
    int main(void)
    {
    	/* Entry point: load the config, then scan the process list; the mode
    	 * flag tells scanproclist() whether the config supplied an offset. */
    	int useConfig;
    
    	printf ("scanning for eqgame.exe\n");
    
    	useConfig = (ReadConfig() == 1) ? 1 : 0;
    	scanproclist(useConfig);
    
    	return 0;
    }


    I am adjusting the ShowEQ source a bit to capture the packet with the key. I will post the code later.
    Last edited by Hoihoi; 11-02-2002 at 03:21 PM.

  2. #2

    makes fine

    I didn't use nor distribute it, but it compiles fine =)

    -end

    P.S. Somehow the \ gets pulled out of part of the code; you need to re-add it. Annoying, but it works.

  3. #3
    Hoihoi
    Guest
    Hehe, I meant: don't use binaries you didn't build yourself, since the program sends data.

  4. #4
    Outstanding. Now, if I may make a couple of suggestions for obfuscation on this:

    First, the client (key sniffer) should probably establish communication with ShowEQ prior to starting to get keys. This would allow the client to request the key offset from ShowEQ, as well as allowing ShowEQ to select a random port number through which the key exchanges are to occur. The initial handshake would be on a specific port, but once ShowEQ establishes contact with the client on that port and provides the client with a "working" port number to use, ShowEQ would ignore further requests on that port. This would prevent EQ from detecting the client by simply looking for packets being sent on a specific port.

    Next, I'd probably have the client encrypt the keys using a simple 8-byte XOR key, also randomly generated by ShowEQ at the time of initial contact. This would prevent EQ from detecting the client by looking for repeated packets which include its key.

    The client should probably be written in such a way that it morphs occasionally, or at least shifts parts of itself around randomly each time it's run. This would prevent detection based on process signature.

    Last, I'd probably have the key sniffer not look for a key unless ShowEQ sends it a specific request for one. This would prevent detecton on the basis of frequent outside access to EQ's memory, since ShowEQ would only request a key when it sees that a new zone is being loaded.

    If you REALLY wanted to go over the top a bit, you could have each packet after the initial handshake be XORed with a different 8-byte key, and whenever either side sends a packet, it would include, encrypted within that packet, the 8-byte key that it wants the receiving end to use the next time it sends a message.

    Just some thoughts.

    -wxh

  5. #5
    Do you need to set up a new program to work with this, something like Samba, or do you just need to make sure port 666 is set in services using UDP?

  6. #6
    Okay, I'm stupid... but what do you have to set up on the OTHER end to get this to work?

  7. #7

    Getting it to Work

    adjusting the showeq source some to capture the packet with the key. will post the code later.
    Well, on the other end, it seems that he said he was going to have to adjust the code in ShowEQ to make this work and would post it later. He has yet to post that part....

    I, on the other hand, only have the MinGW compiler and it won't compile with that compiler. Any ideas? I haven't programmed since my days with a Commodore 64, when I ran a BBS written in Commodore BASIC with 14 overlays that took 3 hours to compile!!!!!
    Last edited by Elyon; 11-03-2002 at 11:16 AM.

  8. #8
    Yeah, I just went back and saw that... I also can't compile with MinGW.

    Code:
    C:\MinGW\bin>gcc -c hoihoi.c
    hoihoi.c:94:31: missing terminating ' character
    hoihoi.c:94:31: warning: character constant too long
    hoihoi.c: In function `scanproclist':
    hoihoi.c:95: invalid lvalue in decrement
    hoihoi.c:95: parse error before "pCurChar"
    **fixed:

    *pCurChar != '\' && pCurChar != pe32.szExeFile - 1;
    SHOULD BE
    *pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;

    (Added one \ because the \' was escaping the ', so the compiler thought the character constant never ended.)

  9. #9
    okay, still stuck at...

    Code:
    C:\MinGW\bin>gcc -o hoihoi.exe hoihoi.o -lth32 -lwinmm -wsock32
    hoihoi.o(.text+0x31e):hoihoi.c: undefined reference to `Process32First@8'
    hoihoi.o(.text+0x462):hoihoi.c: undefined reference to `Process32Next@8'
    hoihoi.o(.text+0x684):hoihoi.c: undefined reference to `WSAStartup@8'
    hoihoi.o(.text+0x6b8):hoihoi.c: undefined reference to `socket@12'
    hoihoi.o(.text+0x6d5):hoihoi.c: undefined reference to `WSAGetLastError@0'
    hoihoi.o(.text+0x712):hoihoi.c: undefined reference to `htons@4'
    hoihoi.o(.text+0x729):hoihoi.c: undefined reference to `inet_addr@4'
    hoihoi.o(.text+0x751):hoihoi.c: undefined reference to `sendto@24'
    hoihoi.o(.text+0x777):hoihoi.c: undefined reference to `closesocket@4'
    hoihoi.o(.text+0x77f):hoihoi.c: undefined reference to `WSACleanup@0'

  10. #10
    Those linker errors pop up on MSVC++ also.

    You need to specifically tell the linker to include wsock32.lib, as those references appear there.

    From your command line (and I'm not familiar with MinGW - sorry) it *appears* that you might already be doing so. Perhaps it cannot find the wsock32 library.

    Under lcc, upon first attempt to build, it detects the needed library (wsock32.lib) and adds it (nice!).

  11. #11
    duh, it was a typo.

    Code:
    gcc -o hoihoi.exe hoihoi.o -lth32 -lwinmm -lwsock32
    (I had -wsock32, needed -lwsock32)

  12. #12
    Okay, it compiled... but is it supposed to run in a loop? I changed the config to read from "c:\temp\hoihoi.conf" and made a file there with the info from the first post.

    Code:
    C:\Temp>hoihoi
    scanning for eqgame.exe

    should it really be:
    Code:
    #define CONF_FILE "C:/temp/hoihoi.conf"
    or should it use "C:\temp\" (other slashes)?

  13. #13
    Hoihoi
    Guest
    Floyd said he might code the SEQ part. If not, I'll code it, but I don't want to do double work.

    For the path: use regular (forward) slashes.

  14. #14
    Sorry, I totally forgot to phrase that right... it just exits immediately after I run it.

  15. #15
    If it doesn't find an eqgame.exe (or testeqgame.exe), it exits; that is the way it's written.

    I'm not sure that was intended, but that is what is written.
