Find packet receive


Nefarel
May 9th, 2012, 04:21
I am trying to find out the packet structure of an MMORPG game; however, I was unable to find the place in the assembly where the packet data is received. I have tried setting breakpoints on Winsock recv, recvfrom, and ReadFile, but they are never called.
API Monitor also doesn't see anything called when the packet is received by the client (it only sees Winsock send). How can I find the place where the packet is received?

tlgspk
May 10th, 2012, 08:37
There are more functions you could check out: ReadFileEx, WSARecv, WSARecvEx, WSARecvFrom. That probably won't help you too much. Also, there's the unlikely possibility that there's a separate process getting the packets. You could also try disconnecting and then finding the spot where the timeout gets handled.

owl
May 10th, 2012, 08:52
Try to find where the packet is being sent in OllyDbg and then follow it from there.

_genuine
May 11th, 2012, 04:31
Also, try using other tools. Another roundabout method is to use Wireshark: once you track down your process's traffic, you can filter it to show just the received data, and then you can try a binary search for that data dump (in Olly), although timing is key because the data that Wireshark intercepted may have already been tampered with/decrypted by the game client, if encryption is involved.

tlgspk
May 11th, 2012, 07:12
Perfect! There are also tools for replaying packet dumps. That may help you. They're not too hard to find, though getting them to work on Windows may bring difficulties.
And never forget DirectPlay.

_genuine
May 11th, 2012, 07:14
Capture-BAT (http://www.honeynet.org/node/315) is one such tool.

disavowed
May 15th, 2012, 10:55
Use Process Monitor, filter on your process's network sends/receives, double-click on a send/receive event, and look at the call stack. Tada!
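The call-stack step disavowed describes, and the list of receive-side APIs tlgspk gives, as an added Python example that is not part of the original thread: given a receive event's call stack, skip the frames that belong to the OS socket stack (ntdll, ws2_32, mswsock, kernel32) and report the first frame in the application's own module, which is the return address of the call you would break on in the debugger. The stack listing, the module name `client.exe` and the function names in it are constructed for this example, and the one-frame-per-line layout is a simplified assumption, not Process Monitor's actual export format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Modules that implement the Windows socket and I/O stack. Frames in these
# belong to the OS; the frame we want is the first one above them, which is
# where the application itself called into the receive path.
SYSTEM_MODULES = {
    "ntdll.dll", "kernel32.dll", "kernelbase.dll",
    "ws2_32.dll", "wsock32.dll", "mswsock.dll",
}

# Receive-side APIs named in the thread. A stack that passes through one of
# these is a receive event even when the top frame is a kernel transition.
RECV_APIS = {
    "recv", "recvfrom", "ReadFile", "ReadFileEx",
    "WSARecv", "WSARecvEx", "WSARecvFrom",
}

# One frame per line: "<index> <module>[!<function>][+0x<offset>]".
# Simplified, constructed layout for this example, not the text Process
# Monitor itself produces.
FRAME_RE = re.compile(
    r"^\s*(\d+)\s+([^!+\s]+)(?:!([A-Za-z_]\w*))?(?:\+0x([0-9A-Fa-f]+))?\s*$"
)

# Constructed call stack for a receive event; client.exe and its function
# names are invented for the example.
CONSTRUCTED_STACK = """
0 ntdll.dll!NtDeviceIoControlFile+0x14
1 mswsock.dll+0x6c21
2 ws2_32.dll!recv+0x9f
3 client.exe!NetSession_Pump+0x1b3
4 client.exe!GameLoop+0x2a
5 kernel32.dll!BaseThreadInitThunk+0x19
6 ntdll.dll!RtlUserThreadStart+0x2f
"""


@dataclass
class Frame:
    index: int
    module: str              # lower-cased module file name
    function: Optional[str]  # None when no symbol was resolved for the frame
    offset: int              # return-address offset inside the function/module


def parse_stack(text: str) -> List[Frame]:
    """Parse a stack listing, innermost frame first; raise on a malformed line."""
    frames: List[Frame] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FRAME_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised frame line: {line!r}")
        index, module, function, offset = m.groups()
        frames.append(Frame(int(index), module.lower(), function,
                            int(offset, 16) if offset else 0))
    return frames


def receive_api(frames: List[Frame]) -> Optional[str]:
    """The receive API this stack passes through, or None if it is not a receive."""
    for f in frames:
        if f.function in RECV_APIS:
            return f.function
    return None


def first_app_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame outside the OS socket stack: the application-side caller."""
    for f in frames:  # innermost first, so the first hit is the direct caller
        if f.module not in SYSTEM_MODULES:
            return f
    return None


def locate_receive_handler(text: str) -> Optional[Dict[str, object]]:
    """Summarise where the application called the receive path.

    Returns None when the stack is not a receive event or never leaves the
    system modules (e.g. a thread that only services the OS side)."""
    frames = parse_stack(text)
    api = receive_api(frames)
    app = first_app_frame(frames)
    if api is None or app is None:
        return None
    # The offset is a return address, so the call instruction sits just
    # before it; that is the spot to break on in OllyDbg.
    return {"api": api, "module": app.module,
            "function": app.function, "return_offset": app.offset}


if __name__ == "__main__":
    print(locate_receive_handler(CONSTRUCTED_STACK))
```

On the constructed stack this reports that the receive went through `recv` and returned into `client.exe!NetSession_Pump+0x1b3`, which is the caller to breakpoint on; a stack that only contains system-module frames, or one whose API is `send`, yields None, so the same filter also separates the receive events from the send events the original poster was already seeing.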