
Problems patching a program so I can execute a function


Aleck79
August 26th, 2006, 16:45
I've got a personal project going on, it is to patch a server client for a game that is no longer in development and is pretty much abandonware. Anyway, I don't have the source code for the server client, so I have been working my way at patching it to do what I need.

Specifically, I have had no problem locating and patching to just log what is occurring in the server. Pretty much as the server client still retains control, or more precisely, the EIP returns to the precise same place as it was before I patched it. I have no problems there, but there is a limit to what I can actually do.

I want to be able to add functionality so that I can perform a server command from the client without having to go into the game and issue the command in the chat. I am just totally lost in figuring out what is called to do it. It seems to be doing 50 different calls to get everything done, way more than seems like it would be needed.

My understanding of how programming works tells me that you would have something like this for example:
Code:

    -push all the needed data it uses
    -program calls address 'x'
    -program calls address 'y'
    -program calls address 'z'
    -program calls address ...
    -program calls address ...
    -program calls address ...
    -program calls address ...
    -program calls address ...
    -program calls address ...
    -program calls address ...


Now what I was thinking about was finding that first call, which calls everything else. That way I would only have to patch to call that one location in code. Now, is this type of thinking the way to go, or am I just totally wrong about the way I am thinking? Any help is appreciated.

book
August 27th, 2006, 01:42
Hey. I just got your PM a few minutes ago (took a while huh!). Nice to see you made it here (do I get some sort of finder's fee for recruiting new members?).

Anyway, if you're sure what you're working on is abandonware, it is probably ok to post the actual program here. But check with the admins first.

What you've stated looks right, but of course there's also obfuscation, protection, etc. to deal with. Although it sounds like you won't run into those. I'm only a newbie, but my approach would be to read up on socket programming, and trace through as one of these chat commands is received. You're using Olly?

Aleck79
August 27th, 2006, 03:50
I'm pretty sure there is no protection or obfuscation here, which of course will make it easier for me.

I am using IDA Pro to get an idea where to start looking in the code. Then I am using SoftICE to set breakpoints and see what I can use.

The annoying thing is I have traced it from where it recvs the data (I think heh) to where it sends the data, there are so many calls that look like what I am after and after a little more looking into end up being something that only prints the data to the screen, not send the command over the network to the client. It's enough to drive me nuts, heh, there's got to be a faster way to find what I am looking for.

book
August 27th, 2006, 03:53
PM me a link to the program and I could have a go at it too, just out of curiosity.

Silver
August 27th, 2006, 06:40
It seems like you two know each other and know the problem you're working on, which is fine. But it does make things a bit hard for the rest of us to help you because you've both got knowledge about this problem that you haven't shared with us yet.

In principle your original post was correct - push all the necessary data then make the top level jmp/call. Beyond that there's not much else to say, if you push the right data and (if necessary) balance the stack out at the end of your inserted/injected code it should work. Of course getting the "right" data might be more difficult than it sounds. You also need to consider whether the top level call (or any child calls) will modify any global data in the app that might cause subsequent problems.

I'd recommend you get started trying to actually do it, then post details with code snippets if you get stuck. Incidentally I believe abandonwarez are technically still copyrighted and owned by an organization/individual, so it may well be a bad idea to post details here (I'm aware several sites offer abandonwarez for download but it's still testing the borders of legality, something this server could probably do without).
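The approach Silver describes (find the one top-level call, supply the data it expects, call it directly, and watch for global state it touches) is easier to reason about against a model. The following is an added illustration written for this thread, not code from the game server or from anyone in the discussion; the packet format, handler names and globals are all constructed for the example. It models the recv -> parse -> print -> dispatch path the original poster traced, with the print-to-screen calls that look like sends, and shows what an injected call to the dispatcher does to the program's global state.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not the game server's code): a received chat packet is
 * parsed, echoed to the screen, and, if it starts with '/', handed to one
 * top-level dispatcher that fans out to the real handlers. */

#define LOG_LINES 16
#define LOG_WIDTH 64

/* Global state that the dispatcher and its children modify. Injected code
 * that calls the dispatcher changes these too, which is the side effect to
 * check for before patching. */
static char g_last_sender[32] = "";
static int g_commands_run = 0;
static char g_screen[LOG_LINES][LOG_WIDTH];
static int g_screen_lines = 0;

static void print_to_screen(const char *text) {
    if (g_screen_lines < LOG_LINES) {
        snprintf(g_screen[g_screen_lines], LOG_WIDTH, "%s", text);
        g_screen_lines++;
    }
}

/* Leaf handlers: the many calls seen when tracing from recv to send. */
static int cmd_kick(const char *player) {
    char line[LOG_WIDTH];
    snprintf(line, sizeof line, "kicked %s", player);
    print_to_screen(line);
    return 1;
}

static int cmd_say(const char *text) {
    char line[LOG_WIDTH];
    snprintf(line, sizeof line, "server: %s", text);
    print_to_screen(line);
    return 1;
}

/* The top-level call the original poster is looking for: one entry point
 * that takes already-parsed data and calls everything else. */
int dispatch_command(const char *sender, const char *cmd) {
    snprintf(g_last_sender, sizeof g_last_sender, "%s", sender); /* global side effect */
    g_commands_run++;
    if (strncmp(cmd, "kick ", 5) == 0) return cmd_kick(cmd + 5);
    if (strncmp(cmd, "say ", 4) == 0) return cmd_say(cmd + 4);
    print_to_screen("unknown command");
    return 0;
}

/* The path a chat packet normally takes: recv -> parse -> print -> dispatch.
 * Constructed packet format: "<sender>:<text>". */
int on_chat_packet(const char *packet) {
    const char *colon = strchr(packet, ':');
    if (colon == NULL) return 0;
    char sender[32];
    size_t n = (size_t)(colon - packet);
    if (n >= sizeof sender) n = sizeof sender - 1;
    memcpy(sender, packet, n);
    sender[n] = '\0';
    const char *text = colon + 1;
    print_to_screen(text);            /* the print call that looks like a send in a trace */
    if (text[0] == '/') return dispatch_command(sender, text + 1);
    return 0;
}

/* What the injected patch does: supply the arguments the dispatcher expects
 * and call it directly, skipping the receive path entirely. */
int injected_command(const char *cmd) {
    return dispatch_command("console", cmd);
}

/* Accessors for inspecting the model's state. */
const char *last_sender(void) { return g_last_sender; }
int commands_run(void) { return g_commands_run; }
int screen_lines(void) { return g_screen_lines; }
const char *screen_line(int i) { return (i >= 0 && i < g_screen_lines) ? g_screen[i] : ""; }

int main(void) {
    on_chat_packet("bob:/kick alice");
    injected_command("say restart in 5 minutes");
    for (int i = 0; i < screen_lines(); i++) printf("%s\n", screen_line(i));
    printf("last sender: %s, commands run: %d\n", last_sender(), commands_run());
    return 0;
}
```

Two things the model makes visible. First, the screen output is a poor signal for "is this the send path": the echo of the raw text and the handler's own message both land there, which is exactly the confusion described earlier in the thread. Second, calling the dispatcher directly overwrites the last-sender global, so anything that later reads it sees "console" rather than a real player; in a real binary the equivalent question is which globals the top-level routine and its children write. In the patched binary itself the C function call also has to be reproduced by hand: the arguments go on the stack (or in registers) in the order the callee expects, and whether the caller or the callee removes them afterwards depends on the calling convention (cdecl caller-cleans versus stdcall callee-cleans on 32-bit x86), which is the stack balancing Silver mentions.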

Aleck79
August 27th, 2006, 17:22
Quote:
[Originally Posted by Silver] It seems like you two know each other and know the problem you're working on, which is fine. But it does make things a bit hard for the rest of us to help you because you've both got knowledge about this problem that you haven't shared with us yet.

Nope, I don't know him. Heh, I think he may have mistaken me for someone else.

Anyway, I have been chatting over MSN with a friend who has been helping me with tracking this stuff down. I have come to the realization that I made a mistake in thinking I could just track it down with SoftICE, spending way more time in there than I should, just looking around. I should have been in IDA Pro looking and figuring out what it does and when it would most likely have called the desired function.

Then take those possible addresses to SoftICE and finish er up, heh. Learned something there, heh.

book
August 28th, 2006, 01:39
Heh, so I did. I recommended someone else here from a different forum with a problem that sounded like yours. Thought it was the same person, obviously not.