
Thread: A little keyreader example code

  1. #1
    Registered User
    Join Date
    Dec 2001
    Posts
    59

    Post A little keyreader example (updated example)

    Pretty much all the issues of the original version with permissions are solved now. The following example can be built for sure with msvc 6, and should work with most other compilers as well. This version writes the key to keyfile.dat in the directory it's run in, as well as printing the key to the console each time it changes. It can be started at any time, and should work without having to restart it between EQ sessions. The key is scanned once per second, and eqgame is scanned for once per 10 seconds when it has not already been found and valid. It can be started with the offset of the key as a command line argument for when it changes, but runs with the current value as default.

    edit again: fixed for lcc too, now
    .. and again fixed maybe

    Code:
    /*
     * kscan.c - version 2
     *
     * if you get an error about a missing symbol PlaySound, be sure to link with winmm.lib
     * if your missing Process32First, link with th32.lib
     */
    
    #include <stdio.h>
    #include <string.h>
    #include <windows.h>
    #include <Mmsystem.h>
    #include <tlhelp32.h>
    
    FILE *keydat;                      /* keyfile.dat stream; opened and closed per write in readkey() */
    unsigned long addr = 0x773b90;     /* address read in the target process; argv[1] (hex) replaces it in main() */
    
    /*
     * enable_debug_privs - enable SE_DEBUG_NAME in this process's own token.
     *
     * Returns TRUE on success, or when OpenProcessToken reports
     * ERROR_CALL_NOT_IMPLEMENTED (treated as "no token model on this platform,
     * nothing to do"). Returns FALSE after printing the Win32 error code on any
     * other failure.
     *
     * NOTE(review): the success path never closes hToken; only the failure
     * paths call CloseHandle. Also, a non-zero return from AdjustTokenPrivileges
     * does not mean the privilege was actually assigned -- GetLastError() has to
     * be compared with ERROR_NOT_ALL_ASSIGNED for that, and this function does
     * not do it. Since the later OpenProcess presumably depends on this
     * privilege, a silent partial failure here shows up only as an OpenProcess
     * error downstream.
     */
    BOOL enable_debug_privs()
    {
    	HANDLE      hToken;     /* process token */
    	TOKEN_PRIVILEGES tp;    /* token privileges to apply */
    	TOKEN_PRIVILEGES oldtp;    /* old token privileges (filled by AdjustTokenPrivileges, never used) */
    	DWORD    dwSize = sizeof (TOKEN_PRIVILEGES);          
    	LUID     luid;
    
    	if (!OpenProcessToken (GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    	{
    		if (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
    			return TRUE;
    		/* GetLastError() returns a DWORD (unsigned); %u would match it better than %d */
    		printf ("OpenProcessToken() failed: %d\n", GetLastError());
    		return FALSE;
    	}
    
    	if (!LookupPrivilegeValue (NULL, SE_DEBUG_NAME, &luid))
    	{
    		printf ("LookupPrivilege() failed: %d\n", GetLastError());
    		CloseHandle (hToken);
    		return FALSE;
    	}
    
    	ZeroMemory (&tp, sizeof (tp));
    	tp.PrivilegeCount = 1;
    	tp.Privileges[0].Luid = luid;
    	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    
    	/* Adjust Token privileges; oldtp/dwSize receive the previous state but are discarded */
    	if (!AdjustTokenPrivileges (hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &oldtp, &dwSize))
    	{
    		printf ("AdjustTokenPrivileges() failed: %d\n", GetLastError());
    		CloseHandle (hToken);
    		return FALSE;
    	}
    	/* NOTE(review): hToken is leaked here */
    	return TRUE;
    }
    
    /*
     * readkey - poll one 8-byte value in the target process and record changes.
     *
     * hProcess: handle obtained by scanproclist() with PROCESS_VM_READ. It is
     *           closed here, but only when ReadProcessMemory fails, which is the
     *           only exit from the loop; while the target stays readable this
     *           function never returns.
     *
     * Reads 8 bytes at the global `addr`. While the value equals the last one
     * seen it sleeps 1000 ms and retries. On a new value it prints it, rewrites
     * keyfile.dat with the raw 8 bytes, and plays the "Exclamation" sound,
     * falling back to Beep() when PlaySound fails.
     *
     * NOTE(review): a failed fopen() calls exit(-1), which terminates the whole
     * program without closing hProcess; exit() is used with no explicit
     * <stdlib.h> include (presumably supplied through <windows.h>). The fwrite()
     * result is not checked. keyfile.dat is created in the current directory
     * with default permissions, so anything able to read that directory can
     * read the recorded value. The (void *)addr cast only covers a 32-bit
     * address space because `addr` is an unsigned long.
     */
    void readkey (HANDLE hProcess)
    {
    	ULONGLONG oldkey = 0;
    	while (1)
    	{
    		ULONGLONG key;
    
    		if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
    		{
    			printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
    			break;
    		} else {
    			if (key == oldkey)
    			{
    				Sleep (1000);
    				continue;
    			}
    /* the 64-bit format length modifier differs between the MS CRT (I64) and other runtimes (ll) */
    #if defined(__CYGWIN__) || defined(__LCC__)
    			printf ("new key:\t0x%016llx\n", key);
    #else
    			printf ("new key:\t0x%016I64x\n", key);
    #endif
    			oldkey = key;
    			/* "wb" truncates, so the file always holds exactly the latest 8 bytes */
    			if ( (keydat = fopen ("keyfile.dat", "wb")) == NULL)
    			{
    				printf ("error opening keyfile.dat for writing\n");
    				exit (-1);
    			}
    			fwrite (&key, 8, 1, keydat);
    			fclose (keydat);
    			/* try to play the default exclamation sound, if that fails, use beep */
    			if (!PlaySound ("Exclamation", NULL, SND_ASYNC))
    				Beep (500, 500);
    		}
    	}
    	CloseHandle (hProcess);
    }
    
    /*
     * scanproclist - walk the process list once and attach to the first
     * process whose executable name starts with "testeqgame" or "eqgame".
     *
     * Takes a TH32CS_SNAPPROCESS snapshot, strips the directory part of each
     * PROCESSENTRY32.szExeFile, lower-cases it and prefix-matches it. On a match
     * the process is opened with PROCESS_VM_READ only and the handle is passed
     * to readkey(), which does not return until the read fails; so in practice
     * the loop never reaches the processes after the first match. No return
     * value; failures are printed, not reported to main().
     *
     * NOTE(review):
     *  - the for loop below has no braces, so the following
     *    `strcpy(pName, pCurChar);` IS its body: pName is rewritten on every
     *    iteration and holds the basename only because the last copy happens
     *    one position after the final backslash, right before the loop stops.
     *  - the character literal as written ('\\\') does not terminate, which is a
     *    compile error on most compilers; the intended constant is one
     *    backslash, '\\'.
     *  - when there is no backslash pCurChar is compared against
     *    pe32.szExeFile - 1, a pointer before the start of the array, which is
     *    undefined behaviour in C.
     *  - the early `return` on OpenProcess failure skips
     *    CloseHandle(hProcessSnap), leaking one snapshot handle per rescan.
     *  - strlwr() is a Microsoft CRT function, not standard C.
     */
    void scanproclist () 
    { 
    	HANDLE         hProcessSnap = NULL; 
    	PROCESSENTRY32 pe32      = {0}; 
     
        /*  Take a snapshot of all processes in the system. */
    	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
    
    	if (hProcessSnap == INVALID_HANDLE_VALUE) 
    		return; 
     
    	/*  Fill in the size of the structure before using it. */
    	pe32.dwSize = sizeof(PROCESSENTRY32); 
     
    	if (Process32First(hProcessSnap, &pe32))
    	{ 
    		HANDLE hProcess;
    
    		do 
    		{ 
    			LPSTR pCurChar;
    			char pName[512];
    
    			/* strip path and leave exe filename (see NOTE above: the strcpy is the loop body) */
    			for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile)); 
    				*pCurChar != '\\\' && pCurChar != pe32.szExeFile - 1;  
    				--pCurChar) 
    
    			strcpy(pName, pCurChar); 
    			strlwr(pName);
    
    			/* prefix match only: any name beginning with eqgame/testeqgame qualifies */
    			if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
    			{
    				printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
    				hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
    				if (hProcess == NULL)
    				{
    					DWORD dw;
    					dw = GetLastError();
    					printf ("OpenProcess failed, error: %u\n", dw);
    					/* NOTE(review): hProcessSnap is not closed on this path */
    					return;
    				}
    				readkey (hProcess);
    			}
    		} 
    		while (Process32Next(hProcessSnap, &pe32)); 
    	} 
    
    	CloseHandle (hProcessSnap);
    	return; 
    }
    
    
    /*
     * main - parse the optional hex offset, enable the debug privilege, then
     * rescan the process list every 10 seconds forever.
     *
     * argv[1], when present, replaces the default `addr`; it is parsed as base
     * 16 by strtoul with no error checking, so unparsable input silently
     * becomes 0. Returns 1 if enable_debug_privs() fails. The final `return 0`
     * is unreachable because the scan loop never exits.
     */
    int main(int argc, char *argv[])
    {
    	if (argc == 2)
    	{
    		addr = strtoul (argv[1], NULL, 16);
    		printf ("set offset to 0x%08x\n", addr);
    	} else {
    		printf ("using default offset 0x%08x (usage is: %s [offset], to use a different one)\n", addr, argv[0]);
    	}
    	printf ("enabling debug privs\n");
    	if (enable_debug_privs() == FALSE)
    	{
    		printf ("error enabling privs\n");
    		return 1;
    	}
    	printf ("scanning for eqgame\n");
    
    	/* scanproclist() only returns when no target was found or reading it failed */
    	while (1)
    	{
    		scanproclist ();
    		Sleep (10000); /* pause 10 seconds between checks */
    	}
    
    	return 0;
    }
    Last edited by mvern; 11-03-2002 at 10:45 PM.

  2. #2
    Registered User
    Join Date
    Dec 2001
    Posts
    59
    Ok, I give up on trying to get this to show up as an attachment so... anyway, just consider this a quick example to use for building your own keyreader off of.

    WARNING: old version, leaving it here as a reference, I recommend using the version from the post above.

    kscan.c:

    Code:
    #include <stdio.h>
    #include <string.h>
    #include <windows.h>
    #include <tlhelp32.h>
    
    /*
     * readkey - interactive variant: prompt for a hex offset on stdin and read
     * 8 bytes at that address in the target process, forever.
     *
     * hProcess: handle opened by scanproclist() with PROCESS_VM_READ. It is
     *           never closed; the loop has no exit.
     *
     * NOTE(review): scanf("%08x") expects an unsigned int *, but `addr` is an
     * unsigned long (the same width on 32-bit Windows, so it works there only).
     * fflush(stdin) is undefined behaviour in standard C; it discards input
     * only as a Microsoft CRT extension. The %016I64x format is MS-CRT specific.
     */
    void readkey (HANDLE hProcess)
    {
    	while (1)
    	{
    		unsigned long addr;
    		ULONGLONG key;
    
    		printf ("\nenter offset (ie: 0x00773b90): ");
    		if (scanf ("%08x", &addr) == 1)
    		{
    			printf ("offset:\t0x%08x\n", addr);
    			if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
    			{
    				printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
    			} else {
    				printf ("key:\t0x%016I64x\n", key);
    			}
    		}
    		fflush (stdin);
    	}
    }
    
    /*
     * scanproclist - walk the process list once and attach to the first
     * process whose executable name starts with "testeqgame" or "eqgame".
     *
     * Takes a TH32CS_SNAPPROCESS snapshot, strips the directory part of each
     * PROCESSENTRY32.szExeFile, lower-cases it and prefix-matches it. On a match
     * the process is opened with PROCESS_VM_READ only and the handle is passed
     * to readkey(), which never returns in this version, so the snapshot
     * handle is held for the life of the program.
     *
     * NOTE(review):
     *  - the for loop below has no braces, so the following
     *    `strcpy(pName, pCurChar);` IS its body: pName is rewritten on every
     *    iteration and holds the basename only because the last copy happens
     *    one position after the final backslash, right before the loop stops.
     *  - the character literal as written ('\\\') does not terminate, which is a
     *    compile error on most compilers; the intended constant is one
     *    backslash, '\\'.
     *  - when there is no backslash pCurChar is compared against
     *    pe32.szExeFile - 1, a pointer before the start of the array, which is
     *    undefined behaviour in C.
     *  - the early `return` on OpenProcess failure skips
     *    CloseHandle(hProcessSnap).
     *  - strlwr() is a Microsoft CRT function, not standard C.
     */
    void scanproclist () 
    { 
        HANDLE         hProcessSnap = NULL; 
        PROCESSENTRY32 pe32      = {0}; 
     
        //  Take a snapshot of all processes in the system. 
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
    
        if (hProcessSnap == INVALID_HANDLE_VALUE) 
            return; 
     
        //  Fill in the size of the structure before using it. 
        pe32.dwSize = sizeof(PROCESSENTRY32); 
     
        if (Process32First(hProcessSnap, &pe32))
        { 
    		HANDLE hProcess;
    
            do 
            { 
                LPSTR pCurChar;
    			char pName[512];
    
                // strip path and leave exe filename (see NOTE above: the strcpy is the loop body)
                for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile)); 
                     *pCurChar != '\\\' && pCurChar != pe32.szExeFile - 1;  
                     --pCurChar) 
    
                strcpy(pName, pCurChar); 
    			strlwr(pName);
    
    			// prefix match only: any name beginning with eqgame/testeqgame qualifies
    			if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
    			{
    				printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
    				hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
    				if (hProcess == NULL)
    				{
    					DWORD dw;
    					dw = GetLastError();
    					printf ("OpenProcess failed, error: %u\n", dw);
    					// NOTE(review): hProcessSnap is not closed on this path
    					return;
    				}
    				readkey (hProcess);
    			}
    	  } 
            while (Process32Next(hProcessSnap, &pe32)); 
        } 
    
        CloseHandle (hProcessSnap);
        return; 
    }
    
    
    /*
     * main - single scan of the process list; no rescan loop and no
     * privilege adjustment in this version. argc/argv are unused.
     *
     * NOTE(review): `void main` is not standard C (the standard form is
     * `int main`); it is accepted as an extension by some compilers.
     */
    void main(int argc, char **argv)
    {
    	printf ("scanning for eqgame\n");
    	scanproclist ();
    }
    Last edited by mvern; 11-03-2002 at 09:17 AM.

  3. #3
    Registered User Mr. Suspicious's Avatar
    Join Date
    May 2002
    Posts
    667
    Doesn't compile in MSVC++ 5 (for those *like me *g* that don't have MSVC++ 6)

    --------------------Configuration: kscan - Win32 Debug--------------------
    Compiling...
    kscan.c
    C:\Windows\Desktop\kscan.c(53) : error C2001: newline in constant
    C:\Windows\Desktop\kscan.c(53) : error C2015: too many characters in constant
    C:\Windows\Desktop\kscan.c(54) : error C2105: '--' needs l-value
    C:\Windows\Desktop\kscan.c(54) : error C2146: syntax error : missing ';' before identifier 'pCurChar'
    C:\Windows\Desktop\kscan.c(54) : error C2059: syntax error : ')'
    C:\Windows\Desktop\kscan.c(56) : error C2146: syntax error : missing ')' before identifier 'strcpy'
    Error executing cl.exe.

    kscan.obj - 6 error(s), 0 warning(s)
    Last edited by Mr. Suspicious; 11-01-2002 at 11:01 AM.
    Before asking anything read the pre-face section of http://www.smoothwall.org/download/p....9/doc.faq.pdf

    after you've read it, you know what to do next...




    "Stay alert! Trust noone! Keep your Lazers Handy! Have a nice day." -- Provided courtesy of the Computer. The Computer never lies.

  4. #4
    Registered User Mongo222's Avatar
    Join Date
    Dec 2001
    Posts
    38

    Small fix for many compilers

    -- *pCurChar != '\' && pCurChar != pe32.szExeFile - 1;
    ++ *pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;


    A lot of compilers interpret the single \ as escaping the ' char.


    Also I don't know what compiler the existing format string for the key printf works under, but gcc hates it

    -- printf ("key:\t0x%016I64x\n", key);
    ++ printf ("key:\t0x%016llx\n", key);

    NOTE THE FIX ABOVE IS A CHANGE, I borked it up good the first time and only printed 32 bits of the key.
    Last edited by Mongo222; 11-01-2002 at 01:58 PM.

  5. #5
    Registered User Mr. Suspicious's Avatar
    Join Date
    May 2002
    Posts
    667
    Thanks Mongo, never would have thought of that.

    For those that get linking errors during build, don't forget to add th32.lib to your project (Alt+F7, go to Link tab, add "th32.lib" to "Object/library modules")
    Last edited by Mr. Suspicious; 11-02-2002 at 05:35 AM.
    Before asking anything read the pre-face section of http://www.smoothwall.org/download/p....9/doc.faq.pdf

    after you've read it, you know what to do next...




    "Stay alert! Trust noone! Keep your Lazers Handy! Have a nice day." -- Provided courtesy of the Computer. The Computer never lies.

  6. #6
    Registered User
    Join Date
    Oct 2002
    Posts
    26
    Interesting approach. Need to stew on this a little.

  7. #7
    Registered User Mongo222's Avatar
    Join Date
    Dec 2001
    Posts
    38

    non attached solutions?

    The thing I don't like about this approach is the need for the sniffer to stay attached to the process for the entire game session. It would be nice to just start up a process briefly when you want a key, and then terminate.

    I've heard that type of method is more involved.

    I don't have the windows coding skills to know.

    Thanks for the code though.

  8. #8
    Registered User
    Join Date
    Oct 2002
    Posts
    20
    You could have it watch the log file, and you could make it read a new key and export it to the seq box when it sees the password. If you are worried, you could make the password something like "Helo" and "accidentally" type it in. Also, I think /echo works.. not sure.

    -- Course that might be the:
    WrongWay

  9. #9
    Registered User
    Join Date
    Nov 2002
    Posts
    115
    You should only need the PROCESS_VM_READ permission in your OpenProcess statement ... It might succeed in cases where PROCESS_ALL_ACCESS would fail on NT.

    Also ... you may want to check to find out if calling OpenProcess on everquest.exe which then in turn launches eqgame.exe will give you (through inheritance) supervisory access to eqgame.exe ...

  10. #10
    Registered User
    Join Date
    Oct 2002
    Posts
    11
    where did the offset 0x00773b90 come from? is it real? does it change (like maybe when eqclient.exe gets updated)?

    how often does the key at the specified address change? per eq run? per zone? per hour?

    any info would be helpful. thanks!

  11. #11
    Registered User grimjack's Avatar
    Join Date
    Dec 2001
    Posts
    32
    Originally posted by maggotboy
    You should only need the PROCESS_VM_READ permission in your OpenProcess statement ... It might succeed in cases where PROCESS_ALL_ACCESS would fail on NT.

    Also ... you may want to check to find out if calling OpenProcess on everquest.exe which then in turn launches eqgame.exe will give you (through inheritance) supervisory access to eqgame.exe ...
    Using PROCESS_VM_READ works wonderfully.

    Thanks
    GrimJack

  12. #12
    Registered User lildr00d's Avatar
    Join Date
    Jan 2002
    Posts
    125

    Lightbulb

    With the update of today's source code it would also be possible to ftp the key from the EQ machine to the SEQ machine, then have SEQ use the load-key-from-file command. Just a thought on how to semi-automate the process of key entry.

  13. #13
    Registered User
    Join Date
    Jan 2002
    Posts
    5

    Compiled.

    For anyone who doesn't have a compiler, I compiled it and posted it at:

    ***************

    md5sum - e6dcc25c8a5104017e4dda907082a7c5 eqsniff.exe

    I know... I know... "What if it's a virus?". It's not. Don't download it if you think it might be. Scan it if you think it is (you should do that with all your downloads anyhow).

    Removed the link. It was out of date pretty quick anyhow.
    Last edited by Scrubfire; 11-05-2002 at 08:06 AM.

  14. #14
    Registered User
    Join Date
    Dec 2001
    Posts
    15

    Thumbs down Let the Login info rippers fly!!

    If we are concerned with LibEQ.a being a pw sniffer such that we md5sum it, then what's to stop people from posting links to key rippers that do nothing but grab your login info? Nothing. I would recommend caution when running anything downloaded from the net in this mode or any mode. Guess I should call my windows programming buddy and get a copy of his compiler.. Unless Fee or Ratt post it.. or it's source that I can follow, it's not going on my machine.

    IgorQ.

    ps. It doesn't have to be a virus to send your login info to him. And I'm not saying it is a login grabber. Just be wary... and the fact that he posted an md5sum of it means only that it's the one he compiled....
    Last edited by IgorQ; 11-01-2002 at 02:22 PM.

  15. #15
    Registered User
    Join Date
    Jul 2002
    Posts
    63
    Question: Do you have to know any coding or can you just enter that in compile and have it work? I unfortunately no shit about C++.
