
Thread: C++ Rad (Builder) front end to sniffer


    C++ Rad (Builder) front end to sniffer

    For those of you not using microsloth and wanting to have a nifty windows based sniffer - I took the time to throw it into builder ..

    Attached is a zip containing the project - source files and all

    I was using version 6 for this - not sure if it would work on lower end versions...

    What it does:

    1. opens and scans for a configuration - reads the config if there is one.

    2. scans eq for the current offset and displays this to the user

    3. lets you enter the host address - port number - and interval in milliseconds you want to scan the memory.

    4. click the button to start the scan.

    If you want to save your setting click File->Save settings...

    I would change the registry keys and such to make sure that it's not a simple thing to find for Verant - OR just never save your settings...

    I don't like VB - and I don't work well in it - so this is much nicer to me - and you can modify or change the code based on other C++ solutions here if that is your thing ya know...


    *edit* for some reason this code makes you lose your DNS once you start sending keys - I'm debugging now - grrrrrr....

    *edit2*fixed - apparently the socket didn't like being opened and closed so often so I changed the location of the open/close calls - it's working fine now.
    Last edited by The Mad Poet; 11-24-2002 at 08:18 PM.
    Quothe the raven, "Nevermore!" - Poe

    er - attaching the file - forgot to delete my linker objects and it was too big the first time *DOH*

    *edit* new file
    Last edited by The Mad Poet; 11-24-2002 at 08:17 PM.
    Quothe the raven, "Nevermore!" - Poe

    ahh and here is the source for those who want to critique...

    Everything is generic so if you wanted to cut/paste this just add the right objects to your form - I didn't change the names just for this reason...

    The main file...

    //---------------------------------------------------------------------------
    #include <vcl.h>
    #pragma hdrstop

    #include "socket_key_gen_main.h"
    //---------------------------------------------------------------------------
    #pragma package(smart_init)
    #pragma resource "*.dfm"
    TForm1 *Form1;   // the application's form instance; presumably created by Application->CreateForm in the project source (not shown)
    //---------------------------------------------------------------------------
    __fastcall TForm1::TForm1(TComponent* Owner)
        : TForm(Owner)
    {
        // Nothing beyond the TForm base-class construction; all start-up work
        // (registry read, executable scan) lives in the FormCreate event handler.
        // Note that hProcess is not explicitly initialised here.
    }
    //---------------------------------------------------------------------------

    void __fastcall TForm1::FormCreate(TObject *Sender)
    {
        // Runs once when the form is created. Two jobs:
        //   1. restore the saved HostAddress / Port / SendInterval strings from the
        //      registry key "\Software\seq" into Edit1 / Edit3 / Edit2 (only if the key exists);
        //   2. scan eqgame.exe on disk for a fixed byte pattern and show the 4-byte
        //      little-endian value that follows it in Edit4 as "0x<hex>".
        // Sender is unused.

        // TRegistry's default root is HKEY_CURRENT_USER; the key path below is
        // relative to that root.
        TRegistry *RegKey = new TRegistry;

        // AnsiString is the VCL string class (Pascal-style). This is the same key
        // that SaveCurrentSettings1Click writes to.
        AnsiString RegLoc = "\\Software\\seq";

        // OpenKey(..., false) does not create the key: it returns false when the key
        // is absent, in which case the edit boxes keep their design-time text.
        // try/__finally guarantees the TRegistry object is deleted even if a
        // ReadString call throws (e.g. a value is missing).
        try
        {
            if (RegKey->OpenKey(RegLoc, false))
            {
                // Values are read as strings straight into the edit controls.
                Form1->Edit2->Text = RegKey->ReadString("SendInterval");
                Form1->Edit1->Text = RegKey->ReadString("HostAddress");
                Form1->Edit3->Text = RegKey->ReadString("Port");
                RegKey->CloseKey();
            }
        }

        __finally
        {
            delete RegKey;
        }

        // Byte sequence searched for in the executable; the 4 bytes after it are
        // taken as the offset. 'last' is the index of the final pattern byte.
        int pattern[] = { 0xc1, 0xe0, 0x08, 0x99, 0x09, 0x05 };
        FILE *fp;
        int c;
        unsigned int pos = 0;
        unsigned int last = sizeof pattern / sizeof (int) - 1;
        unsigned long offset = 0;
        fp = stdin; // dead store: immediately overwritten by the fopen below
        if ((fp = fopen("c:\\program files\\everquest\\eqgame.exe", "rb")) != NULL)
        {
            // Byte-at-a-time scan. NOTE(review): on a mismatch the current byte is
            // not re-tested against pattern[0], so a match that begins on that byte
            // is missed (e.g. the sequence c1 c1 e0 ...). Harmless only if such
            // input never occurs -- confirm.
            while ( (c = getc(fp)) != EOF)
            {
                if (c == pattern[pos])
                {
                    if (pos == last)
                    {
                        break;  // full pattern matched; fp now sits just after it
                    }
                    else
                    {
                        pos++;
                    }
                }
                else
                {
                    pos = 0;
                }
            }

            // c == EOF here means the loop ran off the end without a full match.
            if (c != EOF)
            {
                /* next four bytes will be the key offset as a little-endian long */
                // Each new byte enters at the top and older bytes shift down, so
                // after four iterations the first byte read is the least significant.
                // NOTE(review): c << 24 with c >= 0x80 overflows a signed int before
                // the conversion to unsigned long; in practice it yields the intended
                // bits. If EOF is hit early the loop exits with a partially shifted value.
                for (pos = 0; pos <= 3; pos++)
                {
                    if ( (c = getc(fp)) == EOF )
                    {
                        break;
                    }
                    offset = (offset>>8) | (c << 24);
                }
                // IntToHex's second argument is the minimum digit count; sizeof(offset)
                // is 4 on Win32, so short values show 4 digits rather than a fixed 8.
                // Timer2Timer later parses this text back with AnsiString::ToInt.
                Edit4->Text = "0x" + IntToHex((int)offset,sizeof(offset));
                //Form1->Offset = IntToStr(offset);
            }
        }
        // NOTE(review): the FILE opened above is never fclose()d on either path, so
        // the handle to the executable stays open for the life of the process.
        // The original "clean up the pointer" comment here had no code behind it;
        // RegKey is already released by the __finally block above.


    }
    //---------------------------------------------------------------------------

    void __fastcall TForm1::Exit1Click(TObject *Sender)
    {
        // File->Exit menu item. Closing the form runs the FormClose handler (which
        // shuts the UDP socket); if Form1 is the application's main form this also
        // ends the program.
        Form1->Close();
    }
    //---------------------------------------------------------------------------


    void __fastcall TForm1::Button1Click(TObject *Sender)
    {
        // Start button: hand control to Timer1 (the process scan) and make sure
        // Timer2 (the key read/send) is idle until the scan finds a process.
        Timer2->Enabled = false;
        Timer1->Enabled = true;

        // Point the UDP socket at the host and port typed into the form. ToInt
        // throws EConvertError if Edit3 is not a number, so the port is converted
        // only after the host has been assigned, as before.
        UdpSocket1->RemoteHost = Edit1->Text;
        const int remotePort = Edit3->Text.ToInt();
        UdpSocket1->RemotePort = remotePort;

        // Open the socket once; a socket that is already active is left alone.
        if (UdpSocket1->Active == false)
            UdpSocket1->Open();
    }
    //---------------------------------------------------------------------------

    void __fastcall TForm1::Timer1Timer(TObject *Sender)
    {
        // Timer1 tick (design-time interval 10000 ms): walk the process list looking
        // for an executable whose name starts with "eqgame" or "testeqgame". When one
        // is found, open it, store the handle in Form1->hProcess, start Timer2 (which
        // reads and sends the key) and stop this timer. Sender is unused.
        HANDLE hProcessSnap = NULL;
        PROCESSENTRY32 pe32 = {0};
        Form1->StatusBar1->Panels->Items[0]->Text = "Scanning for eqgame...." ;

        // Take a snapshot of all processes in the system.
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

        // NOTE(review): this throws a const char*, which only catch(const char*) or
        // catch(...) can handle; the VCL's default exception handler will not show
        // it as an Exception-derived message.
        if (hProcessSnap == INVALID_HANDLE_VALUE)
            throw ("Invalid Handle");

        // Fill in the size of the structure before using it.
        pe32.dwSize = sizeof(PROCESSENTRY32);

        if (Process32First(hProcessSnap, &pe32))
        {


            do
            {
                LPSTR pCurChar;
                char pName[512];

                // strip path and leave exe filename
                // The strcpy below IS the for-loop body (there is no ';' after the
                // for): the suffix starting at pCurChar is copied on every step
                // walking back from the terminating NUL, so when the loop stops at
                // the last '\\' the final copy is the bare file name.
                // NOTE(review): the stop condition forms the pointer szExeFile - 1
                // (one before the array), which is undefined behaviour, and the
                // repeated strcpy is quadratic; strrchr(szExeFile, '\\') does the
                // same job in one step.
                for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile)); *pCurChar != '\\' && pCurChar != pe32.szExeFile - 1; --pCurChar)

                    strcpy(pName, pCurChar);
                strlwr(pName);

                // Prefix compare only: "eqgame.exe" matches, but so would any other
                // name beginning with "eqgame".
                if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
                {
                    AnsiString pid;
                    pid.printf("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
                    Form1->StatusBar1->Panels->Items[0]->Text = pid; // Set status bar to show PID
                    // Requests every access right. The handle is kept in the form and
                    // is not closed anywhere in the unit shown (FormClose only closes
                    // the socket). The check below reads this->hProcess and so assumes
                    // Form1 is this form.
                    Form1->hProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
                    if (hProcess == NULL)
                    {
                        DWORD dw;
                        dw = GetLastError();
                        // NOTE(review): "literal" + dw is pointer arithmetic, not
                        // concatenation -- it points dw bytes past the literal, which
                        // is out of bounds for any non-zero error code. IntToStr(dw)
                        // is what was meant. This early return also skips the
                        // CloseHandle(hProcessSnap) below, leaking the snapshot.
                        AnsiString error = "Open Process Failed, Error: " + dw;
                        Application->MessageBox( (error.c_str()), "Error", MB_OKCANCEL + MB_DEFBUTTON1);
                        return;
                    }
                    Timer2->Interval = Edit2->Text.ToInt(); // set the 2nd timer interval - this is where we send the key
                    Timer2->Enabled = true; // enable the 2nd timer
                    Timer1->Enabled = false; // disable this timer
                    // No break here: if several matching processes exist, each one
                    // overwrites hProcess and the earlier handle is leaked.
                }
            }
            while (Process32Next(hProcessSnap, &pe32));
        } //end if(Process32First)

        CloseHandle (hProcessSnap);
        return;
    }
    //---------------------------------------------------------------------------

    void __fastcall TForm1::Timer2Timer(TObject *Sender)
    {
        // Timer2 tick (interval = Edit2 text, in ms): read 8 bytes from the opened
        // process at the address shown in Edit4, display them in status-bar panel 1
        // and send them as one UDP datagram to the host/port set in Button1Click.
        // Sender is unused.
        unsigned __int64 addr;
        unsigned __int64 key = 0xffffffffffffffff;   // sentinel; left in place if the read fails



        // Edit4 holds "0x<hex>" written by FormCreate. ToInt returns a 32-bit int
        // and throws EConvertError on text it cannot parse. NOTE(review): whether
        // the "0x" prefix is accepted depends on the RTL's Val implementation --
        // confirm; a leading '$' is the documented hex prefix.
        addr = Edit4->Text.ToInt();

        // Reads exactly 8 bytes; the cast truncates addr to a 32-bit pointer on Win32.
        if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
        {
            AnsiString error;
            // NOTE(review): %08x expects a 32-bit argument but addr is 64-bit, so on
            // x86 the high dword of addr is consumed as the %u and GetLastError() is
            // never displayed. Cast addr to unsigned long (or use %I64x) to fix it.
            error.printf("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
            Form1->StatusBar1->Panels->Items[1]->Text = error;
        }
        else
        {
            AnsiString FormatStatusbar;
            FormatStatusbar.printf("Session key:\t0x%016I64x\n", (unsigned __int64) key);
            Form1->StatusBar1->Panels->Items[1]->Text = FormatStatusbar;
            // The 8 bytes are sent raw (native byte order, no framing) on every
            // tick, whether or not the value changed.
            void *buf = &key;
            UdpSocket1->SendBuf(buf,sizeof(key),0);
            // UdpSocket1->Close();
            // NOTE(review): buf points at the local `key`, not at a heap block;
            // delete on it (and on a void* at all) is undefined behaviour and can
            // corrupt the heap. Nothing was allocated here, so this line should go.
            delete buf;
        }
    }
    //---------------------------------------------------------------------------






    void __fastcall TForm1::BitBtn1Click(TObject *Sender)
    {
        // Stub: the intended action (copy the stored Offset into Edit4) is commented
        // out, and the header shown declares no TBitBtn component for this handler.
        //Edit4->Text = Form1->Offset;
    }
    //---------------------------------------------------------------------------


    void __fastcall TForm1::SaveCurrentSettings1Click(TObject *Sender)
    {
        // File->Save settings: persist the three edit boxes under the same registry
        // key that FormCreate reads back (HKEY_CURRENT_USER is TRegistry's default
        // root). OpenKey(..., true) creates the key when it does not exist yet, and
        // the try/__finally releases the TRegistry even if a write throws.
        TRegistry *reg = new TRegistry;
        const AnsiString settingsKey = "\\Software\\seq";

        try
        {
            if (reg->OpenKey(settingsKey, true))
            {
                // Stored as strings, exactly as typed into the form.
                reg->WriteString("SendInterval",Form1->Edit2->Text);
                reg->WriteString("HostAddress",Form1->Edit1->Text);
                reg->WriteString("Port",Form1->Edit3->Text);
                reg->CloseKey();
            }
        }
        __finally
        {
            delete reg;
        }
    }

    //---------------------------------------------------------------------------

    void __fastcall TForm1::FormClose(TObject *Sender, TCloseAction &Action)
    {
        // Shut the UDP socket when the form closes; Action is left at its default.
        // NOTE(review): neither timer is disabled and hProcess is not CloseHandle()d
        // here. The header shown does not declare this handler -- confirm it is
        // present in the real header or the unit will not compile.
        UdpSocket1->Close();
    }
    //---------------------------------------------------------------------------



    The header file...

    //---------------------------------------------------------------------------
    #ifndef socket_key_gen_mainH
    #define socket_key_gen_mainH
    //---------------------------------------------------------------------------
    #include <Classes.hpp>
    #include <Controls.hpp>
    #include <StdCtrls.hpp>
    #include <Forms.hpp>
    #include <ExtCtrls.hpp>
    #include <NMUDP.hpp>
    #include <Menus.hpp>
    #include <registry.hpp>
    #include <iostream.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <ComCtrls.hpp>
    #include <string.h>
    #include <windows.h>
    //#include <winsock2.h>
    #include <tlhelp32.h>
    #include <Buttons.hpp>
    #include <Sockets.hpp>
    //#include <ws2tcpip.h>
    //#include <time.h>


    //---------------------------------------------------------------------------
    class TForm1 : public TForm
    {
    // Main form: the settings edit boxes, the two timers that drive the process
    // scan and the key read/send, and the UDP socket the key is sent over. The
    // event handlers are implemented in socket_key_gen_main.cpp.
    __published: // IDE-managed Components
        TTimer *Timer1;                  // process-list scan, see Timer1Timer (10000 ms at design time per the .cpp comment)
        TEdit *Edit1;                    // host address (registry value "HostAddress")
        TEdit *Edit2;                    // send interval in ms (registry value "SendInterval")
        TEdit *Edit3;                    // port (registry value "Port")
        TButton *Button1;                // starts the scan, see Button1Click
        TEdit *Edit4;                    // offset located by FormCreate, shown as "0x<hex>"
        TLabel *Label1;
        TLabel *Label2;
        TLabel *Label3;
        TLabel *Label4;
        TMainMenu *MainMenu1;
        TMenuItem *Settings1;
        TMenuItem *SaveCurrentSettings1; // writes Edit1..Edit3 to the registry
        TMenuItem *Exit1;
        TMenuItem *Help1;
        TMenuItem *About1;               // no handler in the unit shown
        TStatusBar *StatusBar1;          // panel 0: scan status / PID, panel 1: key or read error
        TTimer *Timer2;                  // periodic key read + send, see Timer2Timer
        TUdpSocket *UdpSocket1;          // opened in Button1Click, closed in FormClose
        void __fastcall FormCreate(TObject *Sender);
        void __fastcall Exit1Click(TObject *Sender);

        void __fastcall Button1Click(TObject *Sender);
        void __fastcall Timer1Timer(TObject *Sender);
        void __fastcall Timer2Timer(TObject *Sender);
        // NOTE(review): BitBtn1Click is declared but no TBitBtn component appears
        // above, and TForm1::FormClose is defined in the .cpp but not declared here;
        // the two lists need reconciling (the IDE normally keeps them in sync).
        void __fastcall BitBtn1Click(TObject *Sender);
        void __fastcall SaveCurrentSettings1Click(TObject *Sender);
    private: // User declarations
        // NOTE(review): none of these four fields is used by the .cpp shown; the
        // single reference to Offset is commented out.
        AnsiString SendInterval;
        AnsiString HostAddress;
        AnsiString Port;
        AnsiString Offset;
    public: // User declarations
        __fastcall TForm1(TComponent* Owner);
        // Process handle from OpenProcess in Timer1Timer, read by Timer2Timer. Not
        // explicitly initialised by the constructor and never CloseHandle()d in the
        // unit shown.
        HANDLE hProcess;
    };

    // NOTE(review): these three free functions are declared but neither defined
    // nor called in the unit shown; they look like leftovers from the code this
    // form wraps (the post credits the offset/key routines to others) -- confirm
    // before removing the declarations.
    int SendSessionKey ( unsigned __int64 SessionKey );
    void ReadKey (HANDLE hProcess);
    int scanproclist (void);

    //---------------------------------------------------------------------------
    extern PACKAGE TForm1 *Form1;
    //---------------------------------------------------------------------------
    #endif


    Thanks to those who made the find offset code and read key code as I really just wrapped around these....

    If you want to try it - Borland offers a free trial of Builder on the web site for download - works for 60 days - and it's fully functional..

    I would say go try it - as I find it to be the best C++ windows environment out there - VB speed of dev. without the basic.. *GRIN*....

    *edit* new code
    Last edited by The Mad Poet; 11-24-2002 at 08:20 PM.
    Quothe the raven, "Nevermore!" - Poe
