Fun with LD_PRELOAD

  1. #1 Senior Member (Join Date: Jun 2007, Posts: 247)

    Fun with LD_PRELOAD

    I'm afraid I don't have time right now to explain how this works, but I was thinking of ways to bot Tibia undetectably. This is 100% legal: it doesn't modify the client in any way, it simply modifies the environment it runs in, not to mention it would be impossible to detect because there are so many flavours of Linux all compiled with different versions of gcc.

    So, step by step instructions:
    step 1: cd into your Tibia directory
    step 2: copy the following into wrapper.c and compile using
    Code:
    gcc -shared -fPIC -o wrapper.so wrapper.c
    Code:
    #include <stdio.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <unistd.h>
    
    /* glibc exports these aliases of the real functions, so the wrappers
     * below can call through to them without dlsym(RTLD_NEXT, ...) */
    extern int __connect (int sockfd, const struct sockaddr *serv_addr, socklen_t addrlen);
    extern ssize_t __send (int s, const void *buf, size_t len, int flags);
    extern ssize_t __write (int fildes, const void *buf, size_t nbyte);
    extern ssize_t __read (int fildes, void *buf, size_t nbyte);
    
    /* its handy to know which socket we're connected to */
    int xsock = -1;     /* first connect(): assumed to be the X server */
    int gamesock = -1;  /* second connect(): assumed to be the game server */
    
    int connect (int sockfd, const struct sockaddr *serv_addr, socklen_t addrlen)
    {
            printf ("connect\n");
            if (xsock == -1) {
                    xsock = sockfd;
            } else {
                    gamesock = sockfd;
            }
    
            return __connect (sockfd, serv_addr, addrlen);
    }
    
    /* must return ssize_t to match the prototype in <sys/socket.h> */
    ssize_t send (int s, const void *buf, size_t len, int flags)
    {
            if (gamesock == s) {
                    printf ("send %zu\n", len);
            }
            return __send (s, buf, len, flags);
    }
    
    ssize_t write (int fildes, const void *buf, size_t nbyte)
    {
            if (gamesock == fildes) {
                    printf ("write %zu\n", nbyte);
            }
            return __write (fildes, buf, nbyte);
    }
    
    ssize_t read (int fildes, void *buf, size_t nbyte)
    {
            ssize_t n = __read (fildes, buf, nbyte);
            if (gamesock == fildes && n != -1) {
                    printf ("read %zd\n", n);
            }
            return n;
    }
    step 3: type
    Code:
    export LD_PRELOAD=$PWD/wrapper.so
    step 4:
    Code:
    ./Tibia
    step 5: profit
    step 6: when you're done, you can either close the terminal, or use
    Code:
    export -n LD_PRELOAD
    to unexport LD_PRELOAD and stop other programs from trying to use your hacked functions.

    enjoy ;p

  2. #2 Senior Member (Join Date: Jun 2007, Posts: 604)

    Fun with LD_PRELOAD

    This is indeed very fun. Something I noticed is you are not using dlsym() to get the original function pointers; maybe this is not needed anymore? I'll give it a try now.
    You can preload the .so like this if you don't want to export/unexport after running it:

    Code:
    LD_PRELOAD=./wrapper.so ./Tibia

  3. #3 Senior Member (Join Date: Jun 2007, Posts: 247)

    Fun with LD_PRELOAD

    I believe connect is defined as
    Code:
    connect () {
    __connect ();
    }

    so dlsym wasn't necessary. There is no __recv, so if you wanted that you would need dlsym, but this was a quick hackup, and after I discovered that once you are in the game Tibia uses read and write I didn't care.

    Some other fun facts. The xconn is the connection to the X server; instead of sending packets it might be interesting to send key presses to the X server and control the bot that way.

    Also, Tibia is using polling; remove the && n != -1 and you'll see what I mean. This means we can send packets to the client because read is polled rather than waited upon.

    Here I have two options: I can either hook connect and make the real connect connect to me, or I can build a proxy into the read/write functions. The latter may be more complex, but it has the advantage that Tibia chooses the login server, and because I am in Tibia's address space I can now steal the XTEA key from memory and build all the decryption/encryption routines into the .so. That would then require a slight modification of my proxy. Actually it would even be feasible to load all of the proxy code into the .so and run it from there, but I want to be able to have multiple clients connected to the single proxy.

    Oh, and thanks for the tip; that will save me exporting and unexporting.
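A check from the defender's side, as an added example that is not code from the thread: it resolves an address to the loaded object that backs it by parsing /proc/self/maps lines, so a program can ask whether the read() it calls actually lives in libc or in some other object such as a preloaded wrapper. The sample maps lines, paths and function names are constructed for the example.

```c
/* Added example, not code from the thread: map an address to the object that
 * backs it using /proc/self/maps lines, and flag a libc symbol living elsewhere. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

static const char SAMPLE_MAPS[] =   /* constructed sample; paths are made up */
    "55d0c0000000-55d0c0001000 r-xp 00000000 08:02 123 /opt/app/client\n"
    "7f3a1c000000-7f3a1c1c8000 r-xp 00025000 08:02 456 /usr/lib/libc.so.6\n"
    "7f3a1c200000-7f3a1c201000 r-xp 00001000 08:02 789 /opt/app/wrapper.so\n"
    "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]\n";

/* Object whose range covers addr ("" for anonymous), or NULL if unmapped.
 * A maps line reads "start-end perms offset dev inode [path]". */
const char *object_name_for(const char *maps, uintptr_t addr)
{
    static char path[256];
    for (const char *p = maps; *p; p += strcspn(p, "\n"), p += (*p == '\n')) {
        unsigned long lo, hi; char perms[8]; int at = 0;
        size_t len = strcspn(p, "\n");
        if (sscanf(p, "%lx-%lx %7s %*s %*s %*s %n", &lo, &hi, perms, &at) != 3
            || addr < lo || addr >= hi)
            continue;
        size_t plen = (size_t)at < len ? len - (size_t)at : 0;
        if (plen >= sizeof path) plen = sizeof path - 1;
        memcpy(path, p + at, plen);
        path[plen] = '\0';
        return path;
    }
    return NULL;
}

/* 1 if addr lives outside the C library, 0 if inside it, -1 if unmapped. */
int resolved_outside_libc(const char *maps, uintptr_t addr)
{
    const char *name = object_name_for(maps, addr);
    return name ? strstr(name, "libc") == NULL : -1;
}

/* Live check (Linux): which object does the read() this program calls resolve to?
 * A non-PIE build may report its own PLT stub, so treat 1 as "inspect further". */
int live_read_check(void)
{
    static char maps[1 << 16];  /* very large processes may truncate here */
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    maps[fread(maps, 1, sizeof maps - 1, f)] = '\0';
    fclose(f);
    return resolved_outside_libc(maps, (uintptr_t)read);
}
```

On the constructed sample the libc address classifies as 0 and the wrapper.so address as 1; the same parser feeds the live check on the running process.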
