Well, I would like to do password hashing on MatchServer.
I found out that it was fairly easier on the client since I knew what to hook and do a detour on, but anyone could just take it and copy it.
Could anyone tell me what function I should hook on the MatchServer with the address (if possible), or provide the detour details/detour?
Can't think of the exact function or address off the top of my head, but what I would do is change your register page to encrypt the password, then hook the function in MatchServer that does the Match.ResponseLogin packet. Once it receives the packet from the client, encrypt it before you compare it to the password that's in the DB using the same algo as what's in your register page. I might look into it when I get time, but I'm not promising anything. It shouldn't be too hard to do.
Could you show me how the detour for the MatchServer would look like?
It'd work the same as a detour for any other program. I don't know the address or function to detour, I haven't looked at Matchserver or any dumps of it for this sort of thing, I'm just talking off the top of my head. I'd have to investigate it.
MatchServer - Hook OnResponseLogin, edit size of string check.
PHP - the algorithm you want to use. ie: md5(), sha1()
I've looked into the dumps.
I know what algorithm I'd use, I just need to find out the detour and stuff.
Are the parameters for this function related to the detour? If it is, I'll have to find its address of this function. May take me some time.
Code:Function : static, [0x0005f870][0x0001:0x0005e870], len = 0000043c, protected: void __thiscall MMatchServer::OnMatchLogin(struct MUID,char const *,char const *,int,unsigned long) FuncDebugStart : static, [0x0005f89d][0x0001:0x0005e89d] FuncDebugEnd : static, [0x0005fc85][0x0001:0x0005ec85] Data : enregistered edx, Object Ptr, Type: class MMatchServer * const, this Data : ebp Relative, [0x00000004], Param, Type: struct MUID, CommUID Data : ebp Relative, [0x0000000c], Param, Type: const char *, szUserID Data : ebp Relative, [0x00000010], Param, Type: const char *, szPassword Data : ebp Relative, [0x00000014], Param, Type: int, nCommandVersion Data : ebp Relative, [0x00000018], Param, Type: unsigned long, nChecksumPack Data : ebp Relative, [0xffffff70], Local, Type: unsigned int, nAID Data : ebp Relative, [0xffffff6c], Local, Type: class MCommObject *, pCommObj Data : ebp Relative, [0xffffff88], Local, Type: class std::basic_string<char,std::char_traits<char>,std::allocator<char> >, strCountryCode3 Data : ebp Relative, [0xffffff78], Local, Type: struct MUID, AllocUID Data : ebp Relative, [0xffffffc4], Local, Type: struct MMatchAccountInfo, accountInfo Data : ebp Relative, [0xffffffa4], Local, Type: char[0x20], szDBPassword Data : ebp Relative, [0xffffff6b], Local, Type: bool, bFreeLoginIP Data : ebp Relative, [0xffffff6c], Local, Type: bool, bIsPremiumIP
u should find OnResponseLogin D: and i think edit that vars too mmmOriginally Posted by Linear88
The function is called OnMatchLogin.
bool __stdcall OnMatchLoginHook(struct MUID, char *UserID, const char *Password, int CommandVersion, DWORD ChecksumPack, BYTE MD5Value[]) {
}
Have fun.
I would need to find the address now.
Do I return true in my detour?
Last edited by Linear88; 01-08-09 at 01:54 PM.
Well I got a DLL written up but I can't really find the address to OnMatchLogin in the newer versions, even though I have an older address I can't seem to update this one. I suck with Olly lol. If someone has the address, I can test my DLL and if it works, I'll post it.
Code:#define MMATCHSERVER_ONMATCHLOGIN 0x004328E0
Thanks Lambda! My DLL should be working now. I will need to test it.
How did you find the address anyway?
I was looking for it and I passed that. =/
Last edited by Linear88; 01-08-09 at 01:52 PM.
I had the function address for a long time, but to find an address just copy a few unique bytes of the function and search for those bytes in the other exe.
The problem is, where do I get the unique bytes/signatures?
I have the test.txt and it's for the client, but there isn't any for MatchServer.
There is one for the MatchServer, I had it a while back but lost it. Nobody will share it as everyone is being ego here at the community. Gunner might have it, I'll ask him whenever I talk to him.
I have sent to gunner the PDB and the exe a few days ago, here is the dump of the functions.
http://rapidshare.com/files/26250600...PDB___Dump.rar
You need to add the imagebase of the exe (0x400000) to each function, so for example for the OnMatchLogin the function address is 0x006A130, so 0x400000 + 0x006A130= 0x46A130 = OnMatchLogin.
Enjoy it.
Last edited by -Lambda-; 01-08-09 at 03:06 PM.
00436B40 (ZPostCommand)
00437027 (Login Case)
004328E0 (OnResponseLogin)
Thanks, didn't know you have it.
Hmm. Well MatchServer keeps crashing when I try to login with my DLL injected, so I don't know what's up. I'll try to get it figured out.
For me too, it works well with 10-50 clients but with more it crashes the matchserver, i had to write my own class hook library to hook the function without crash the matchserver
Well for me it crashes no matter what. I think the address you gave me is for the wrong version of MatchServer, I'm testing with the June 2007 files. Because no matter what code I put in my hook, it crashes. Or it could be a variety of stuff. I found out through this little project that the version of Detours I'm using doesn't allow you to call the original function without a crash, and Lance's detour class doesn't compile under VC2005. It's a work in progress, lmao.
The address is for the June 2007 files, it works fine for me :S
its just the function is old :p i asked phail why i couldn't use what was in the pdb i have the new one now works fine thats how fatal's antihack hasnt been bypassed i got a hashed password on long
there:
DWORD ZPostLoginAddress = 0x004C3E20;
CDetour ZPostLoginDet;
Last edited by own_prox; 02-08-09 at 12:20 AM.
@ownprox: That's for the client.
I got it working, but it's giving me Cannot Access Server and I have no idea on what to return on what conditions.
Last edited by Linear88; 02-08-09 at 07:06 AM.
Did you make sure your MatchServer didn't crash?
And you shouldn't be returning anything yourself. Just return the original function, but pass it the hashed password and keep everything else the same.
Reply With Quote