Forsaken World Packet Injection
There are several ways to manipulate the game client; one of them I'll call packet injection. Not a great name, since "code injection" is the established term, but it will do. To manipulate the Forsaken World client we write a byte array into a buffer and hand that buffer to one particular client function (call it PacketSend).
How to find PacketSend manually? With your favourite debugger :) Maybe I'll explain how to do that, but not at this moment. How to get a buffer: set a breakpoint on PacketSend and check the memory dump.
PacketSend = 0x007A9E20
The call into PacketSend goes through the wrapper below. Reading the bytes: esi is the payload pointer and edi its length (the two stack arguments); the wrapper allocates len+6 bytes (call 009EB1D0), writes the word 0031 at offset 0 and the dword length at offset 2, copies the payload behind them (rep movsd / rep movsb), then calls PacketSend thiscall-style with ecx = [[00D37B10]+24] and the frame pointer and frame size pushed on the stack, and frees the frame right afterwards (call 009EB1E0). The three lines marked => are the ones to break on:
00781C50 - 53 - push ebx
00781C51 - 55 - push ebp
00781C52 - 56 - push esi
00781C53 - 8B 74 24 10 - mov esi,[esp+10]
00781C57 - 85 F6 - test esi,esi
00781C59 - 57 - push edi
00781C5A - 74 4E - je 00781CAA
00781C5C - 8B 7C 24 18 - mov edi,[esp+18]
00781C60 - 85 FF - test edi,edi
00781C62 - 74 46 - je 00781CAA
00781C64 - 8D 6F 06 - lea ebp,[edi+06]
00781C67 - 55 - push ebp
00781C68 - E8 63952600 - call 009EB1D0
00781C6D - 8B D8 - mov ebx,eax
00781C6F - 83 C4 04 - add esp,04
00781C72 - 85 DB - test ebx,ebx
00781C74 - 74 34 - je 00781CAA
00781C76 - 8B CF - mov ecx,edi
00781C78 - 66 C7 03 3100 - mov word ptr [ebx],0031
00781C7D - 8B C1 - mov eax,ecx
00781C7F - 89 7B 02 - mov [ebx+02],edi
00781C82 - 8D 7B 06 - lea edi,[ebx+06]
00781C85 - 55 - push ebp
00781C86 - C1 E9 02 - shr ecx,02
00781C89 - F3 A5 - repe movsd
00781C8B - 8B C8 - mov ecx,eax
00781C8D - 53 - push ebx
00781C8E - 83 E1 03 - and ecx,03
00781C91 - F3 A4 - repe movsb
=> 00781C93 - 8B 0D 107BD300 - mov ecx,[00D37B10] : [00D3B5A0]
=> 00781C99 - 8B 49 24 - mov ecx,[ecx+24]
=> 00781C9C - E8 7F810200 - call 007A9E20
00781CA1 - 53 - push ebx
00781CA2 - E8 39952600 - call 009EB1E0
00781CA7 - 83 C4 04 - add esp,04
00781CAA - 5F - pop edi
00781CAB - 5E - pop esi
00781CAC - 5D - pop ebp
00781CAD - 5B - pop ebx
space is reserved for further data
Packets.
Note: the first 2 bytes of every payload are the packet ID, little-endian (so 11 00 is packet 0x0011). The wrapper above prepends its own 6-byte header (0031 + length) before the data reaches PacketSend, so in the memory dump the payload starts 6 bytes into the buffer.
Move item in inventory:
11 00 - packet ID
00 - from cell
01 - to cell
Wear gear:
36 00 - packet ID
00 - inv cell with gear
05 - gear slot on char (05 = pants)
Abort spell:
09 00 - packet ID
Select target:
07 00 - packet ID
C9 19 - target id
00 00 00 00 00 80
Hide title:
56 00 - packet ID
00 00
Set title:
56 00 - packet ID
80 BC
Talk with NPC:
46 00 - packet ID
7A 18 - npc id
00 00 00 00 00 80
Use item:
32 00 - packet ID
00 01
05 00 D4 38 00 00
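As an added example (my code, not the original post's or the client's), here is the frame building from the wrapper disassembly and the packet table above written out in C: fw_build_frame reproduces the 0031 + length + payload layout byte for byte, fw_parse_frame checks a buffer read from the dump at a PacketSend breakpoint, and the fw_pkt_* helpers build the listed payloads. The entity id width (16-bit little-endian) in select target / talk with NPC is an assumption; the captures only show two id bytes followed by a constant tail. The fw_send_payload part is compiled only on 32-bit Windows, because it reads the client's own globals (00D37B10, +24) and calls 007A9E20 directly, which only makes sense from code injected into this build of the client; the fw_* names are mine.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Frame layout written by the wrapper at 00781C50 (added example, not client code):
 *   offset 0: word 0x0031            (mov word ptr [ebx],0031)
 *   offset 2: dword payload length   (mov [ebx+02],edi)
 *   offset 6: payload                (rep movsd / rep movsb)
 * PacketSend then receives (this, frame, length + 6). */
#define FW_FRAME_TAG  0x0031u
#define FW_FRAME_HDR  6u

static void put_u16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_u32(uint8_t *p, uint32_t v) { put_u16(p, v & 0xffff); put_u16(p + 2, v >> 16); }
static uint32_t get_u32(const uint8_t *p)
{ return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Build a frame exactly as the wrapper does. Returns total size (len + 6), 0 on
 * error; *out is malloc'd and must be freed by the caller. */
size_t fw_build_frame(const uint8_t *payload, uint32_t len, uint8_t **out)
{
    if (!payload || !len || !out) return 0;      /* the wrapper's own null/zero checks */
    uint8_t *buf = malloc(len + FW_FRAME_HDR);
    if (!buf) return 0;
    put_u16(buf, FW_FRAME_TAG);
    put_u32(buf + 2, len);
    memcpy(buf + FW_FRAME_HDR, payload, len);
    *out = buf;
    return len + FW_FRAME_HDR;
}

/* Validate a frame read from the dump at a PacketSend breakpoint. Returns the
 * payload length, or 0 if the tag or the length field does not match the size. */
uint32_t fw_parse_frame(const uint8_t *frame, size_t size)
{
    if (!frame || size < FW_FRAME_HDR) return 0;
    if (frame[0] != (FW_FRAME_TAG & 0xff) || frame[1] != (FW_FRAME_TAG >> 8)) return 0;
    uint32_t len = get_u32(frame + 2);
    return (len && len == size - FW_FRAME_HDR) ? len : 0;
}

/* Payload builders for the packets in the table (first two bytes = packet ID,
 * little-endian). Each writes into p and returns the payload length. */
size_t fw_pkt_move_item(uint8_t *p, uint8_t from_cell, uint8_t to_cell)
{ put_u16(p, 0x0011); p[2] = from_cell; p[3] = to_cell; return 4; }

size_t fw_pkt_wear_gear(uint8_t *p, uint8_t inv_cell, uint8_t gear_slot)
{ put_u16(p, 0x0036); p[2] = inv_cell; p[3] = gear_slot; return 4; }

size_t fw_pkt_abort_spell(uint8_t *p)
{ put_u16(p, 0x0009); return 2; }

/* "select target" (0x0007) and "talk with npc" (0x0046) share one shape: ID,
 * entity id (assumed to be a 16-bit little-endian value), then the constant
 * tail 00 00 00 00 00 80 seen in both captures. */
size_t fw_pkt_entity(uint8_t *p, uint16_t packet_id, uint16_t entity_id)
{
    static const uint8_t tail[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 };
    put_u16(p, packet_id);
    put_u16(p + 2, entity_id);
    memcpy(p + 4, tail, sizeof tail);
    return 4 + sizeof tail;
}

#if defined(_WIN32) && (defined(_M_IX86) || defined(__i386__))
/* Only meaningful inside the 32-bit client process (e.g. from an injected DLL);
 * the addresses are the ones from the disassembly above for this client build. */
#define FW_PACKETSEND_ADDR  0x007A9E20u   /* call 007A9E20 */
#define FW_NETOBJ_PTR_ADDR  0x00D37B10u   /* mov ecx,[00D37B10] */
#define FW_NETOBJ_THIS_OFF  0x24u         /* mov ecx,[ecx+24] */
#ifdef _MSC_VER
typedef void (__thiscall *fw_packetsend_fn)(void *self, void *frame, uint32_t size);
#else
typedef void (__attribute__((thiscall)) *fw_packetsend_fn)(void *self, void *frame, uint32_t size);
#endif

/* Frame the payload and push it through PacketSend the way the wrapper does.
 * Returns 1 if the network object was present and the call was made. */
int fw_send_payload(const uint8_t *payload, uint32_t len)
{
    uint8_t *frame;
    size_t size = fw_build_frame(payload, len, &frame);
    if (!size) return 0;
    uintptr_t obj = *(uintptr_t *)FW_NETOBJ_PTR_ADDR;
    void *self = obj ? *(void **)(obj + FW_NETOBJ_THIS_OFF) : NULL;
    if (self)
        ((fw_packetsend_fn)(uintptr_t)FW_PACKETSEND_ADDR)(self, frame, (uint32_t)size);
    free(frame);   /* the wrapper frees right after the call (009EB1E0), so the callee does not keep the pointer */
    return self != NULL;
}
#endif
```

A practical check before sending anything: break on 007A9E20, take the buffer pointer from [esp+4], and run it through fw_parse_frame; if the tag is not 0031 or the length field disagrees with the allocation you found, you are on a different build or a different call site than the one listed above.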
P.S. Injection routines, libs and so on will be available in the future.
P.P.S. Everyone is welcome to continue the data collection.