A little keyreader example code

[mvern]

Pretty much all the issues of the original version with permissions are solved now. The following example can be built for sure with msvc 6, and should work with most other compilers as well. This version writes the key to keyfile.dat in the directory its run in, as well as printing the key to the console each time it changes. It can be started at any time, and should work without having to restart it between EQ sessions. Key is scanned once per second, and eqgame is scanned for once per 10 seconds when its not already been found and valid. It can be started with the offset of the key as a command line argument for when it changes, but runs with the current value as default.

edit again: fixed for lcc too, now
.. and again fixed maybe

Code:

/*
 * kscan.c - version 2
 *
 * if you get an error about a missing symbol PlaySound, be sure to link with winmm.lib
 * if your missing Process32First, link with th32.lib
 */

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <Mmsystem.h>
#include <tlhelp32.h>

FILE *keydat;
unsigned long addr = 0x773b90;

BOOL enable_debug_privs()
{
	HANDLE      hToken;     /* process token */
	TOKEN_PRIVILEGES tp;    /* token provileges */
	TOKEN_PRIVILEGES oldtp;    /* old token privileges */
	DWORD    dwSize = sizeof (TOKEN_PRIVILEGES);          
	LUID     luid;

	if (!OpenProcessToken (GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
	{
		if (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
			return TRUE;
		printf ("OpenProcessToken() failed: %d\n", GetLastError());
		return FALSE;
	}

	if (!LookupPrivilegeValue (NULL, SE_DEBUG_NAME, &luid))
	{
		printf ("LookupPrivilege() failed: %d\n", GetLastError());
		CloseHandle (hToken);
		return FALSE;
	}

	ZeroMemory (&tp, sizeof (tp));
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	/* Adjust Token privileges */
	if (!AdjustTokenPrivileges (hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &oldtp, &dwSize))
	{
		printf ("AdjustTokenPrivileges() failed: %d\n", GetLastError());
		CloseHandle (hToken);
		return FALSE;
	}
	return TRUE;
}

void readkey (HANDLE hProcess)
{
	ULONGLONG oldkey = 0;
	while (1)
	{
		ULONGLONG key;

		if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
		{
			printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
			break;
		} else {
			if (key == oldkey)
			{
				Sleep (1000);
				continue;
			}
#if defined(__CYGWIN__) || defined(__LCC__)
			printf ("new key:\t0x%016llx\n", key);
#else
			printf ("new key:\t0x%016I64x\n", key);
#endif
			oldkey = key;
			if ( (keydat = fopen ("keyfile.dat", "wb")) == NULL)
			{
				printf ("error opening keyfile.dat for writing\n");
				exit (-1);
			}
			fwrite (&key, 8, 1, keydat);
			fclose (keydat);
			/* try to play the default exclamation sound, if that fails, use beep */
			if (!PlaySound ("Exclamation", NULL, SND_ASYNC))
				Beep (500, 500);
		}
	}
	CloseHandle (hProcess);
}

void scanproclist () 
{ 
	HANDLE         hProcessSnap = NULL; 
	PROCESSENTRY32 pe32      = {0}; 
 
    /*  Take a snapshot of all processes in the system. */
	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 

	if (hProcessSnap == INVALID_HANDLE_VALUE) 
		return; 
 
	/*  Fill in the size of the structure before using it. */
	pe32.dwSize = sizeof(PROCESSENTRY32); 
 
	if (Process32First(hProcessSnap, &pe32))
	{ 
		HANDLE hProcess;

		do 
		{ 
			LPSTR pCurChar;
			char pName[512];

			/* strip path and leave exe filename */
			for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile)); 
				*pCurChar != '\\\' && pCurChar != pe32.szExeFile - 1;  
				--pCurChar) 

			strcpy(pName, pCurChar); 
			strlwr(pName);

			if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
			{
				printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
				hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
				if (hProcess == NULL)
				{
					DWORD dw;
					dw = GetLastError();
					printf ("OpenProcess failed, error: %u\n", dw);
					return;
				}
				readkey (hProcess);
			}
		} 
		while (Process32Next(hProcessSnap, &pe32)); 
	} 

	CloseHandle (hProcessSnap);
	return; 
}


int main(int argc, char *argv[])
{
	if (argc == 2)
	{
		addr = strtoul (argv[1], NULL, 16);
		printf ("set offset to 0x%08x\n", addr);
	} else {
		printf ("using default offset 0x%08x (usage is: %s [offset], to use a different one)\n", addr, argv[0]);
	}
	printf ("enabling debug privs\n");
	if (enable_debug_privs() == FALSE)
	{
		printf ("error enabling privs\n");
		return 1;
	}
	printf ("scanning for eqgame\n");

	while (1)
	{
		scanproclist ();
		Sleep (10000); /* pause 10 seconds between checks */
	}

	return 0;
}

[mvern]

Ok, I give up on trying to get this to show up as an attachment soo... anyway, just consider this a quick example to use for building your own keyreader off of.

WARNING: old version, leaving it here as a reference, I recommend using the version from the post above.

kscan.c:

Code:

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>

void readkey (HANDLE hProcess)
{
	while (1)
	{
		unsigned long addr;
		ULONGLONG key;

		printf ("\nenter offset (ie: 0x00773b90): ");
		if (scanf ("%08x", &addr) == 1)
		{
			printf ("offset:\t0x%08x\n", addr);
			if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
			{
				printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
			} else {
				printf ("key:\t0x%016I64x\n", key);
			}
		}
		fflush (stdin);
	}
}

void scanproclist () 
{ 
    HANDLE         hProcessSnap = NULL; 
    PROCESSENTRY32 pe32      = {0}; 
 
    //  Take a snapshot of all processes in the system. 
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 

    if (hProcessSnap == INVALID_HANDLE_VALUE) 
        return; 
 
    //  Fill in the size of the structure before using it. 
    pe32.dwSize = sizeof(PROCESSENTRY32); 
 
    if (Process32First(hProcessSnap, &pe32))
    { 
		HANDLE hProcess;

        do 
        { 
            LPSTR pCurChar;
			char pName[512];

            // strip path and leave exe filename 
            for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile)); 
                 *pCurChar != '\\\' && pCurChar != pe32.szExeFile - 1;  
                 --pCurChar) 

            strcpy(pName, pCurChar); 
			strlwr(pName);

			if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
			{
				printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
				hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
				if (hProcess == NULL)
				{
					DWORD dw;
					dw = GetLastError();
					printf ("OpenProcess failed, error: %u\n", dw);
					return;
				}
				readkey (hProcess);
			}
	  } 
        while (Process32Next(hProcessSnap, &pe32)); 
    } 

    CloseHandle (hProcessSnap);
    return; 
}


void main(int argc, char **argv)
{
	printf ("scanning for eqgame\n");
	scanproclist ();
}

[Mr. Suspicious]

Doesn't compile in MSVC++ 5 (for those *like me *g* that don't have MSVC++ 6)

--------------------Configuration: kscan - Win32 Debug--------------------
Compiling...
kscan.c
C:\Windows\Desktop\kscan.c(53) : error C2001: newline in constant
C:\Windows\Desktop\kscan.c(53) : error C2015: too many characters in constant
C:\Windows\Desktop\kscan.c(54) : error C2105: '--' needs l-value
C:\Windows\Desktop\kscan.c(54) : error C2146: syntax error : missing ';' before identifier 'pCurChar'
C:\Windows\Desktop\kscan.c(54) : error C2059: syntax error : ')'
C:\Windows\Desktop\kscan.c(56) : error C2146: syntax error : missing ')' before identifier 'strcpy'
Error executing cl.exe.

kscan.obj - 6 error(s), 0 warning(s)

[Mongo222]

-- *pCurChar != '\' && pCurChar != pe32.szExeFile - 1;
++ *pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;


A lot of compilers interrupt the single \ as escaping the ' char.


Also I don't know what compiler the existing format string for the key printf works under, but gcc hates it

-- printf ("key:\t0x%016I64x\n", key);
++ printf ("key:\t0x%016llx\n", key);

NOTE THE FIX ABOVE IS A CHANGE, I borked it up good the first time and only printed 32 bits of the key.

[Mr. Suspicious]

Thanks Mongo, never would have thought of that.

For those that get linking errors during build, don't forget to add th32.lib to your project (Alt+F7, go to Link tab, add "th32.lib" to "Object/library modules")

[seqseq]

Interesting approach. Need to stew on this a little.

[Mongo222]

The thing I don't like about this approach is the need for the sniffer to stay attached to the process the entire game session. It would be nice to just start up a process breifly when you want a key, and then terminate.

I've heard that type of method is more involved.

I don't have the windows coding skills to know.

Thanks for the code though.

[wrongway]

You could have it watch the log file, and you could make it read a new key and export it to the seq box when it sees the password. If you are worried, you could make the password something like "Helo" and "accidently" type it in. Also, I think /echo works.. not sure.

-- Course that might be the:
WrongWay

[maggotboy]

You should only need the PROCESS_VM_READ permission in your OpenProcess statement ... It might succeed in cases where PROCESS_ALL_ACCESS would fail on NT.

Also ... you may want to check to find out if calling OpenProcess on everquest.exe which then in turn launches eqgame.exe will give you (through inheritance) supervisory access to eqgame.exe ...

[Chutney]

where did the offset 0x00773b90 come from? is it real? does it change (like maybe when eqclient.exe gets updated)?

how often does the key at the specified address change? per eq run? per zone? per hour?

any info would be helpful. thanks!

[grimjack]

Originally posted by maggotboy
You should only need the PROCESS_VM_READ permission in your OpenProcess statement ... It might succeed in cases where PROCESS_ALL_ACCESS would fail on NT.

Also ... you may want to check to find out if calling OpenProcess on everquest.exe which then in turn launches eqgame.exe will give you (through inheritance) supervisory access to eqgame.exe ...

Using PROCESS_VM_READ works wonderfully.

Thanks
GrimJack

[lildr00d]

With the update of todays source code it would also be possiable to ftp from EQ machine to SEQ machine the key then have SEQ use the load key from file commend. Just a thought on how to semi-automate the process of key entry.

[Scrubfire]

For anyone who doesn't have a compiler, I compiled it and posted it at:

***************

md5sum - e6dcc25c8a5104017e4dda907082a7c5 eqsniff.exe

I know... I know... "What if it's a virus?". It's not. Don't download it if you think it might be. Scan it if you think it is (you should do that with all your downloads anyhow).

Removed the link. It was out of date pretty quick anyhow.

[IgorQ]

If we are conserned with LibEQ.a being a pw sniffer such that we Md5sum it. Then whats to stop the people from posting links to Key rippers that do not do anything but grab your login info. Nothing. I would recommend caution when running anything Dl'ed from the net in this mode or any mode. Guess I should call my windows programing buddy and get a copy of his compiler.. Unless Fee or Ratt post it.. or its source that i can follow its not going on my machine.

IgorQ.

ps. It doesnt have to be a virus to send your login info to him. and im not saying it is a login graber. just be warry... and the fact that he posted an MD5sum of it means only that its the one he compiled....

[JustACoder]

Question: Do you have to know any coding or can you just enter that in compile and have it work? I unfortunately no shit about C++.