
Voobly notes
Ksbunker
Posted 12 months ago.

The latest zone wannabe and apparent IGZ successor is, if you didn't already know, 'Voobly'. (Yes I know, odd name).

I'll be periodically posting my notes as I come across anything noteworthy and more importantly, when I can. Thus far I haven't come across anything particularly enthralling but I'll keep you informed and I encourage everyone else to do the same. Just append a response - my intention is to make this the one stop shop for Voobly information.

Here's what I've got. Notice 'voobly.txt' in the main directory - it serves as a log file updating as we perform actions. Each load of 'voobly.exe' results in a new log file being created. Not that special, but what it does do is provide us with a neat vehicle to log our actions from our injected or manually loaded DLLs.

Address 'gui.009FCA10' is where the fun is. Given that gui refers to a module, for this to be of any use, we'll have to subtract the module's ImageBase from this RVA. [gui.009FCA10h - 009F0000h = CA10h]. In our DLL, get the ImageBase of gui using either GetModuleHandle [or any other (un)documented method], then add CA10h to get the working RVA.

When I inject the DLL then open up 'voobly.txt' it reads;

There we have it, an easy method of logging our behaviour in any given situation.

Cheers

Ksbunker
Posted 12 months ago.

MSDN Description: Creates or opens a named or unnamed mutex object.

CreateMutex is most often used to restrict a process to only a single instance. Voobly, via gui.dll, calls CreateMutex(); if the mutex handle as pointed to by the third parameter "Voobly-Installer" already exists, the return is the handle to the existing mutex. If it fails it is NULL.

MSDN: Return Value

If the function succeeds, the return value is a handle to the newly created mutex object.

If the function fails, the return value is NULL. To get extended error information, call GetLastError.

If the mutex is a named mutex and the object existed before this function call, the return value is a handle to the existing object, GetLastError returns ERROR_ALREADY_EXISTS, bInitialOwner is ignored, and the calling thread is not granted ownership. However, if the caller has limited access rights, the function will fail with ERROR_ACCESS_DENIED and the caller should use the OpenMutex function.

The solution is to change the "TEST EAX, EAX" to "XOR EAX, EAX" which immediately follows the CreateMutex function.

Cheers

RANCID
Posted 12 months ago.

Also, on a side note; it looks like they changed the network encryption from ICE to DES.

tOrMeNtIuM
Posted 11 months ago.

>Address 'gui.009FCA10' is where the fun is. Given that gui refers to a module, for this to be of any use, we'll have to subtract the module's ImageBase from this RVA. [gui.009FCA10h - 009F0000h = CA10h].

I obviously wouldn't suggest hardcoding this address...

>CreateMutex is most often used to restrict a process to only a single instance. Voobly, via gui.dll, calls CreateMutex(); if the mutex handle as pointed to by the third parameter "Voobly-Installer" already exists, the return is the handle to the existing mutex. If it fails it is NULL.

In this case it's only used to lock out the installer so people don't try to update Voobly whilst it's running. The multiple instances are prevented via shared memory on Voobly. It'll cause problems if you break this as you'll get a messenger instance per-lobby.

>Also, on a side note; it looks like they changed the network encryption from ICE to DES.

No.. it should still be ICE.

Ksbunker
Posted 11 months ago.

OK so I had a quick mess around with the internal anti-flooding feature...

I've been able to disable the popup box informing us that we have been temporarily muted for flooding (patch lobby.dll @ 1007AE19 to 'JMP 1007B0B2') and I've also managed to turn off the feature where it temporarily disables the input editbox (so we can't send text when muted). I've also stopped the client from changing the send button caption from send to mute as well as preventing the client from disabling the button altogether (patch lobby.dll @ 1007AFE2 to 'JMP 1007B0B2').

Alas, all these efforts are somewhat redundant because their effects are only cosmetic; I am still yet to fully disable this anti-flood feature.

For those keen on investigating polygamy, I suggest looking into (lobby.dll) CreateFileMappingA and OpenFileMappingA.

NB: I fkn hate this QWidget pos.

tOrMeNtIuM
Posted 11 months ago.

>Alas, all these efforts are somewhat redundant because their effects are only cosmetic; I am still yet to fully disable this anti-flood feature.

It's not going to be possible as the anti-flood is server side. It does the same thing as a moderator mute and marks your client as muted. The chat message functions drop any incoming requests whilst the user is in that state.



Last modified by tOrMeNtIuM on October 16, 2009, 11:56 am
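
Added example, not part of the thread and not Voobly's code: the server-side enforcement described in the post above, written in C. The limits (5 messages per 10 seconds, 30-second mute) and every name are assumptions; the point shown is that the mute is per-connection state held by the server, so what a patched client displays has no effect on what gets delivered.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy values; the thread does not give Voobly's real limits. */
#define FLOOD_MAX_MSGS   5   /* messages accepted per window */
#define FLOOD_WINDOW_SEC 10
#define MUTE_SEC         30

typedef enum { CHAT_DELIVERED, CHAT_DROPPED_MUTED, CHAT_DROPPED_FLOOD } chat_result;

/* Per-connection state held by the server; the client never supplies it. */
typedef struct {
    long recent[FLOOD_MAX_MSGS]; /* ring of accepted-message timestamps */
    int  head, count;            /* oldest slot, entries in use */
    long muted_until;            /* same flag a moderator mute sets */
} session;

void session_init(session *s) { memset(s, 0, sizeof *s); }
void moderator_mute(session *s, long now, long secs) { s->muted_until = now + secs; }

/* Decide the fate of one incoming chat request at server time `now`. */
chat_result handle_chat(session *s, long now) {
    if (now < s->muted_until) return CHAT_DROPPED_MUTED; /* dropped before routing */
    while (s->count > 0 && now - s->recent[s->head] >= FLOOD_WINDOW_SEC) {
        s->head = (s->head + 1) % FLOOD_MAX_MSGS;        /* expire old entries */
        s->count--;
    }
    if (s->count == FLOOD_MAX_MSGS) {                    /* window full: flood */
        s->muted_until = now + MUTE_SEC;
        s->head = s->count = 0;
        return CHAT_DROPPED_FLOOD;
    }
    s->recent[(s->head + s->count) % FLOOD_MAX_MSGS] = now;
    s->count++;
    return CHAT_DELIVERED;
}

/* Constructed traffic: n requests, `step` seconds apart; returns how many got through. */
int deliver_burst(session *s, long start, int n, long step) {
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += handle_chat(s, start + i * step) == CHAT_DELIVERED;
    return ok;
}

int main(void) {
    session s;
    session_init(&s);
    printf("burst of 8 at 1/s: %d delivered\n", deliver_burst(&s, 100, 8, 1));
    return 0;
}
```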
RANCID
Posted 10 months ago.

LoL, somebody cares! Cool. Still ICE? Okay. My lazy analysis is full of fail.

