flat assembler
Message board for the users of flat assembler.

Index > Windows > WS2_32.DLL

Author
Thread Post new topic Reply to topic
Fungos Bauux



Joined: 19 Jan 2005
Posts: 31
Location: CWB
Fungos Bauux 02 Oct 2006, 19:54
Anybody already wrote a fake WS2_32.DLL to dump a program packets (connect/recv/send wrappers)?

This kind of thing works? Smile

I will try to write one with fasm, but I need to know if there is someone with experience.

Thanks
Post 02 Oct 2006, 19:54
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 02 Oct 2006, 20:03
No, I wanted to do that in the past by I finally didn't do anything...

Anyway, the technique is called "proxy DLL". http://www.internals.com/articles/apispy/apispy.htm there is some info. I had more links stored in a TXT but well, I already explained what happend with my HD...
Post 02 Oct 2006, 20:03
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 02 Oct 2006, 20:21
winpcap?
Post 02 Oct 2006, 20:21
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Fungos Bauux



Joined: 19 Jan 2005
Posts: 31
Location: CWB
Fungos Bauux 02 Oct 2006, 20:27
Well the truth is.. I only need to change the connect destination of a game. It used to connect to a hostname, so I only changed my "hosts" file to point that name to 127.0.0.1 and I have my fake server working.

The client was updated, and now it has the destination IP hardcoded. I cannot simply change the program (binary path or memory patch) because its protected by a rootkit like that one from Sony. And I dont want to study and reverse this protection. I only want to get able to connect to localhost and play the game locally.

I need any simple solution, because I will publish that server emulator and dont want to change other people system DLLs Smile

Well, Proxy DLL should work. I will try...
There is any tool that create a DLL skel based on imports/exports of a original dll?
Post 02 Oct 2006, 20:27
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi 02 Oct 2006, 20:29
simple hooking does the job... either messing with target's IAT or using detours, up to you...
Post 02 Oct 2006, 20:29
View user's profile Send private message MSN Messenger Reply with quote
Fungos Bauux



Joined: 19 Jan 2005
Posts: 31
Location: CWB
Fungos Bauux 02 Oct 2006, 20:34
I wanted to do a WS2_32.DLL wrapper with FASM, so I can practice my asm a little. ;D

I already know detours, I will give a try to it.
Post 02 Oct 2006, 20:34
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi 02 Oct 2006, 20:39
Fungos Bauux wrote:
I wanted to do a WS2_32.DLL wrapper with FASM, so I can practice my asm a little. ;D

I already know detours, I will give a try to it.


making a wrapper means that you must emulate, or atleast export and reroute ALL exported funcs by WS2_32.DLL, and if you simply need to change just the address it's connecting to, just go for detour...

_________________
When We Ride On Our Enemies
support reverse smileys |:
Post 02 Oct 2006, 20:39
View user's profile Send private message MSN Messenger Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 02 Oct 2006, 21:15
studying something about export forwarding may ease your work. for others, just import original dll renamed to something else, forward unhooked imports, and overtake wanted ones.

in theory, it's easy Wink
Post 02 Oct 2006, 21:15
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 02 Oct 2006, 21:55
Writing a wrapper DLL is usually a bad idea, hooking specific functions (with something robust like detours) is better...
Post 02 Oct 2006, 21:55
View user's profile Send private message Visit poster's website Reply with quote
Fungos Bauux



Joined: 19 Jan 2005
Posts: 31
Location: CWB
Fungos Bauux 03 Oct 2006, 01:24
Im trying to do the Exports Forwarding thing, but look this:


dumpbin /imports game.exe

Code:
    WS2_32.dll
                4745E0 Import Address Table
                483FC0 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                      Ordinal    17
                  3D  WSASetEvent
                  47  WSAWaitForMultipleEvents
                      Ordinal    13
                  34  WSARecv
                  39  WSASend
                      Ordinal     7
                      Ordinal     1
                      Ordinal     5
                      Ordinal     4
                      Ordinal   115
                      Ordinal   116
                      Ordinal    12
                      Ordinal    52
                      Ordinal    11
                      Ordinal   111
                  28  WSAIoctl
                      Ordinal    21
                  12  WSACloseEvent
                      Ordinal     3
                  38  WSAResetEvent
                  1E  WSAGetOverlappedResult
                      Ordinal    20
                  14  WSACreateEvent
                      Ordinal     2
                      Ordinal    23
                      Ordinal     9
                      Ordinal    15
                      Ordinal     6
                  41  WSASocketA
                      Ordinal    22
    


How can I do a forward of these "Ordinal"? What they are? and which one is the connect one? Very Happy

I have done the forwarding for the Text Named ones, but when I runs it says something like, cannot find ordinal 17 inside ws2_32.dll ...

@okasvi:
OT: Reversed smileys arent a nice idea.. Very Happy
Post 03 Oct 2006, 01:24
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
Fungos Bauux



Joined: 19 Jan 2005
Posts: 31
Location: CWB
Fungos Bauux 03 Oct 2006, 01:51
Ok, I have done a forward of all exported functions of ws2_32.dll, but the application doesnt work.
It gives this error: "The application failed to initialize properly (0xc00000fd)"

Its only a bunch of pragma to forward. no actual code, see here:
http://pastebin.wikistuce.info/?257

And Im having problem to export myConnect in this code:
http://pastebin.wikistuce.info/?258
Post 03 Oct 2006, 01:51
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 03 Oct 2006, 10:14
Just grab detours and go with that, it's going to save you so much time.
Post 03 Oct 2006, 10:14
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.