
Thread: V2 Stealth Code for LCC-Win32 (finally!)

  1. #31
    Registered User
    Join Date
    Dec 2001
    Posts
    50
    After downloading LCC and working with this a bit. i'm sorta stumped..

    first off what i did.. i removed all libEQ.a files from my system (there was only one as i am pretty diligent about that) and obtained a new one from the azriel trifocus site. and placed it in /usr/lib where i always have..

    i then completely removed my showeq directory, and did a fresh download and full compile of showeq from CVS... I've had updates fail me many times in the past where a full checkout worked fine.. my standard procedure at this point is to do a full download and compile each time..

    i downloaded your 1.1 version of the sniffer and compiled it with LCC.. i made no changes to any of it except to change the name in the .DEF file and renamed the .C and .DEF to the same name as well.. i wanted to test it and see if i could make it work before i made any other changes. I ran make received no errors and copied the created .DLL file to the windows directory.

    i made a shortcut that runs RUNDLL32 myname.dll,InstallHook 192.168.0.254 26543 eqgame.exe 0x0078AAD0

    i am running win98SE, I can load W2K (which i have been meaning to) as it seems most of the people having issues are on WIN98SE.

    whenever I use the shortcut i get an hourglass for 5-10 seconds.. however if i go to a command prompt and type it manually its almost instantaneous. now the next part is intermittent and happens no matter which way i load the DLL..

    i start up eq and select my character at the character select screen.. I am watching the console window on showeq at this point watching for the key to be found.. of course i set the port to look for the key on to 26543 as well..

    one of 2 things happen.. i see on the console screen it loading the Guild data.. if i Don't immediately see the Loading zone lines after the guild lines i get dropped back to the server select screen and a subsequent 1018 error for a minute or 2 which tells me enough is getting loaded that the game thinks i am in the game. if THAT doesn't happen i get all the way in but no decode.

    now sometimes when i exit EQ and check my task list rundll is in it.. and other times its not.. it NEVER is if i crash to server select.. if it is running the releasehook does NOT remove it. there have been times it was not in the task list when i didn't crash..

    i've been using and was still able to use HOIHOI's sniffer using the same exact IP address and port so i know my seq box is setup correctly and is functional in receiving the key on the port I want and subsequently decoding the zone.

    couple of questions then so i know i am on the right track with my thought process and how this is supposed to work..

    1) if when i exit EQ rundll is not in the task list that tells me that the code was successfully injected, the fact that MOST of the time I crash to server select when its NOT in the task list when i exit eq after tells me this is the case.

    2) I tried running tcpdump on my linux box to look for the packet coming through.. if it is i should get the key every .5 seconds if i am understanding properly or does it not send the key again if it finds the same one in which case i would need to zone several times to verify it was getting or not getting the key. however tcpdump apparently does not appear anywhere on my linux box.

    3) is there an RPM i need to install to get tcpdump on the box or will i be needing to reinstall Redhat?

    4) If i compile the DLL with LCC on a win95 box at work is the subsequent DLL thats created able to run on 98/me/2k/xp or do i need to compile it on whatever operating system i intend to use it on?

    Thanks for your assistance in advance and thanks for being persistent enough to get a free compiler version working for a lot of people.. I'm sure i've done something wrong at this point, but without tcpdump to verify if my linux box is receiving the key or not when i THINK it successfully injects itself i'm at a loss as to how to proceed.. i'll rebuild the linux box if i have to, gives me the incentive to load RH 8.0 instead and that way i will be 100% sure i have no remnants of an older version of SEQ or libEQ.a floating around.. if there are any i certainly can't find them at this point and the fact that other sniffers work tells me that side of things is good to go..

  2. #32
    Registered User
    Join Date
    Dec 2001
    Posts
    24

    crashing on keypress

    Wanted to throw my hat in the ring for crashing on keypress.

    I've very carefully followed the instructions provided, using same .def name, .c name and all compiles without error. Compiling on a 2K Pro SP2 workstation, and running the DLL on an XP Pro SP1 box. Both Keyboard and Mouse on the gaming system are USB, I'm wondering if this might be part of the problem? The system I run EQ on is extremely clean. Like the others, I am getting no error codes to give you, I just get the friendly MS dialog box stating the program is closing.
    My system specs follow:

    AMD 1.8g
    1 gig system RAM
    XP Professional, SP1
    Nvidia Geforce 4 ti
    Microsoft Natural keyboard, USB
    Microsoft Optical mouse, USB
    - I do not have the Intellitype or Intellipoint software installed -

  3. #33
    Registered User
    Join Date
    Jul 2002
    Posts
    79
    MisterSpock,

    Did you point your DLL toward MSWORD, or did it crash Word even when directed at eqgame.exe?
    I used
    RUNDLL32.EXE D:\lcc\projects\lexa\lcc\lexa.dll,InstallHook 192.168.0.7 10000 EQGAME.EXE 0x0078AAD0

    From START->RUN (lexa is another try with dif name). Once I run the command I can immediately (do nothing else) open word and hit a key and get the error message.

    Next:

    I commented out the line in question with "//" <- line changed from dark to light text (like all comments in lexa.c) then with lexa.c still open I Compiler->Rebuild All get successful build message in bottom pane.

    From START->RUN

    RUNDLL32.EXE D:\lcc\projects\lexa\lcc\lexa.dll,InstallHook 192.168.0.7 10000 EQGAME.EXE 0x0078AAD0

    immediately open Word hit a key and get the errors.

    Thank you.

    Wizard:
    i am running win98SE, I can load W2K (which i have been meaning to) as it seems most of the people having issues are on WIN98SE.
    Would you mind also giving the build numbers after your version of W98. Since it sounds like your code is getting past where mine gives errors maybe it may be build related (grabbing at straws). Mine are 4.10.2222 A <-can be found ->My Computer->Properties on General tab. Thank you

    EDIT: After reading VSilencer again I figure I might let you know my mouse is USB, my keyboard is standard.

    Last edited by Kimbler; 11-30-2002 at 05:19 AM.

  4. #34
    Registered User
    Join Date
    Dec 2001
    Posts
    50
    98 SE should always be that build number..

    i am using standard PS/2 keyboard and mouse.. I haven't crashed to the desktop.. just to server select whenever it seems to inject the code..

    verified again last night that HOIHOI's still works for me i am 100% confident that SEQ itself is installed properly, that i have the right libEQ.A.. it finds the Key packet on the same port i am using for this DLL and Decodes perfectly.

    SO i am left with this code sometimes injecting but i believe it is crashing me to server select right about the time it would be sending the key to the SEQ box. i say that from observing at what time the key is sent using the HOIHOI code and the time i am crashing with the .DLL. going to check it a bit more. I might try installing W2K since i got plenty of drive space and dual boot for a time to see if i have the same problems under W2K.

  5. #35
    Registered User
    Join Date
    Jun 2002
    Posts
    50
    I got this compiled ok with lcc-win32. I can run it per the instructions here. But I am not getting the "unknowns" decoded on the SEQ box.

    Is there something I can do to determine whether it is running and attaching to eqgame.exe?

    I don't have EQW. Do I have to put a delay in the InstallHook procedure? Or will it wait for EQ to run by itself?

    Sorry for the beginner questions. :/

  6. #36
    Registered User
    Join Date
    Jul 2002
    Posts
    9
    Kimbler,

    I think I may be having the same problem you are. I compiled with no errors and crash after running the Rundll32.exe <Insert hook.dll.code here, Ip address, ETC>

    I don't have to do anything but touch a key after I run it and I get windows errors similar to the ones you are getting (except I haven't started Word, or any program for that matter)

    After you run the Rundll32.exe <insert hook.dll code here, IP address, ETC> does yours crash when touching ANY key or key combination?

    Let me know,
    FirstBorn

  7. #37
    Registered User
    Join Date
    Jul 2002
    Posts
    79
    Firstborn,

    After I run it I am at desktop (which) I can hit a key without any errors. But just so I am clear when I open any other program I don't get a true non recoverable "crash" I just get a series of "this program has performed an illegal operation". I can Close Word but the same happens for any other program until I reboot.

  8. #38
    Registered User
    Join Date
    Jul 2002
    Posts
    9
    It looks like the problem I was having had to do with some other apps that were running when my system booted up. I cleaned up my registry and removed all unneeded TSR's and my errors have gone away.
    Though I still am unable to decode in SEQ, which I think has something to do with my UDP port. I have full GPS functionality but I don't see any active spawns and everything identifies as "unknown". I thought I read something about sometimes having to open the UDP port up in Linux, somewhere on these boards, I'll have to do a little research on it.

    In any case check to make sure you don't have any apps or TSR's running that may be causing your errors.

    Good luck,
    FirstBorn

  9. #39
    Registered User
    Join Date
    Nov 2002
    Posts
    7
    I have found (WinXP Pro) that occasionally I only get GPS but the spawns show up as soon as I enter a new zone. I've also found that Windows shuts down v..e..r..y slowly after I use the program. This is a small problem, however. Once the spawns do appear they remain, despite multiple subsequent zoning.

  10. #40
    Registered User
    Join Date
    Jul 2002
    Posts
    9
    Still not getting any decode info, I have GPS functionality but all spawns still listed as unknown. I have tried running one of the "Simpler" keysniffers (Keyring) as a test and it worked fine, so I don't believe its my Linux/SEQ box. I used the same port number that I used in the "simpler" keysniffer when running this code, but still nothing. Have tried zoning multiple times and just leaving EQ running for a while (1/2 hour) to see if spawns would show up, still nothing.

    Also when I exit EQ, I notice that Rundll32 is still running when I bring up my close program window. Shouldn't that automatically exit when EQ exits? Its almost like its not attaching to the EQ process correctly?

    I don't use EQW and run EQ from the icon on my desktop. I noticed that the Icon points to "Everquest.exe" and not "Eqgame.exe" (although I'm sure Everquest.exe calls EQgame.exe at some point) so I changed my command line (Rundll32.exe <insert hook.dll code here, IP address, ETC>) to point to "Everquest.exe" instead of "Eqgame.exe", same results, no decode.

    I also tried changing the IP address that the UDP is sent to from the address of my SEQ box to one outside my internal network (saw it in another post) same results, no decode.

    I've recompiled twice with no errors, and copy the resulting DLL to my windows folder before running it.

    Anyone have any ideas? Or having similar problems?

  11. #41
    Registered User
    Join Date
    Nov 2002
    Posts
    3

    /cheer

    /bow MisterSpock

    Downloaded the source. Compiled Flawlessly. Decodes Great!

    You're awesome.

    One thing I noticed however (nothing show stopping):

    I run 2 instances of EQ on my windows machine using EQW.
    With your version of V1 what ever instance of EQ I started up first the sniffer locked onto no problem. I have found that V2 is much more fickle. I need to get the first instance to Char select before it will hook onto it. Works great just something I noticed. Wasn't sure if this was bug or a feature 8)

    Thanx again.

  12. #42
    Registered User
    Join Date
    Nov 2002
    Posts
    1

    V2 Stealth Code for LCC-Win32 (finally!)

    Kimbler,

    I too receive the errors in Windows 98SE and I compiled twice with two clean projects. --- Whereas the hoihoi code has worked for me when compiled with MingW. I agree that Win98SE is no longer a development environment yet I appreciate any assistance.

  13. #43
    Registered User
    Join Date
    Jun 2002
    Posts
    50
    FirstBorn,

    I am having what sounds like an identical problem. I have GPS functionality, but no full decode.

    I got TCPDUMP working on my Linux machine, and I am not seeing any UDP packet from my windows machine.

    Does anyone know anything to try now? It seems as though the windows machine (the key sniffer) is not sending the key across to the SEQ box.

  14. #44
    Registered User
    Join Date
    Jan 2002
    Posts
    741
    What ports are you guys using for sending your key? Are they greater than 10000?

  15. #45
    Registered User
    Join Date
    Jun 2002
    Posts
    50
    I was using port 10000.

    I kind of gave up on the lcc-win32 solution and moved to the hoihoi MinGW one. That one sends packets at port 10000 (and 55555) but my SEQ does not decode the "unknown" spawns still. TCPDUMP sees UDP packets, size 8 (bytes?).

    Bleh. I am learning more about the TCPDUMP tool, but not much about why SEQ isn't seeing the packets.
