Code:
16:45:43.772 [HACKLIST] Hacklist size is 1
16:45:43.772 [sQSNTAccept] *** Deleted socket 2136 (192.168.1.1) - user spamming with reconnects ***
16:47:44.244 [HACKLIST] Hacklist size is 0
Code:
6FF705C6 747A jz L6FF70642
6FF705C8 BAB2040000 mov edx,000004B2h
6FF705CD 8BCD mov ecx,ebp
6FF705CF E8BC10FFFF call Fog.252
6FF705D4 55 push ebp
6FF705D5 FF156C50F76F call [KERNEL32.dll!EnterCriticalSection]
6FF705DB 8B936C090000 mov edx,[ebx+0000096Ch]
6FF705E1 42 inc edx
6FF705E2 55 push ebp
6FF705E3 89936C090000 mov [ebx+0000096Ch],edx
6FF705E9 FF151450F76F call [KERNEL32.dll!LeaveCriticalSection]
6FF705EF 83FF01 cmp edi,00000001h
6FF705F2 7507 jnz L6FF705FB
6FF705F4 B8F88BF76F mov eax,SSZ6FF78BF8_user_on_hack_list
6FF705F9 EB0F jmp L6FF7060A
6FF705FB L6FF705FB:
6FF705FB 83FF02 cmp edi,00000002h
6FF705FE B8E08BF76F mov eax,SSZ6FF78BE0_user_logged_on_twice
6FF70603 7405 jz L6FF7060A
6FF70605 B8C08BF76F mov eax,SSZ6FF78BC0_user_spamming_with_reconnects
6FF7060A L6FF7060A:
6FF7060A 8B542420 mov edx,[esp+20h]
6FF7060E 50 push eax
6FF7060F 8B02 mov eax,[edx]
6FF70611 50 push eax
6FF70612 E88FC7FEFF call jmp_WSOCK32.dll!WSOCK32.11
6FF70617 8B742428 mov esi,[esp+28h]
6FF7061B 50 push eax
6FF7061C 56 push esi
6FF7061D 68808BF76F push SSZ6FF78B80__sQSNTAccept____________________
6FF70622 684070F76F push SSZ6FF77040_HACK
6FF70627 E8748AFFFF call Fog.31
6FF7062C 83C414 add esp,00000014h
6FF7062F 56 push esi
6FF70630 E84DC7FEFF call jmp_WSOCK32.dll!WSOCK32.3
6FF70635 5F pop edi
6FF70636 5E pop esi
6FF70637 5D pop ebp
6FF70638 83C8FF or eax,FFFFFFFFh
6FF7063B 5B pop ebx
6FF7063C 83C408 add esp,00000008h
6FF7063F C20C00 retn 000Ch
;----------------------------------------------------------------------------------------------------
6FF70642 L6FF70642:
While I'm not really experienced enough to say what this is really doing, I figured out that WSOCK32.3 is called to close the socket of a player that is on the Hacklist. So I changed the jz L6FF70642 command at 6FF705C6 to be an unconditional jmp L6FF70642. This appears to have the effect of just skipping the printout of the "Deleted socket" line and the killing of the socket. I haven't had a chance to fully test this to see if there are any other unintended side effects, but thought I would share this in case others are having the same issue.
If anyone has a better understanding of this part of the code I would love to know more about what is going on and whether this can be implemented in a better way.
I used PE Explorer to read the fog.dll assembly and OllyDbg to edit it.
Edit: I know this is probably bordering on being against the rules, but it does have a valid application for open bnet games and is hopefully educational for others, and maybe me, if anyone has a better idea of how to do this.
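To make it clearer what the branch between 6FF705C8 and 6FF7063F actually does, here is a C reconstruction of that path, written for this reply and not taken from Fog.dll: under the critical section it increments a counter at [ebx+96Ch], picks one of the three reason strings from the value in edi, logs a "HACK" line through Fog.31 with the socket and inet_ntoa (WSOCK32.11) of the peer, closes the socket with closesocket (WSOCK32.3), and returns -1. Everything the jz at 6FF705C6 skips is in this routine, including the counter increment and the Fog.252 call; all names, the struct layout and the exact format string are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed reconstruction of the rejection path in the listing above
   (6FF705C8..6FF7063F); names are assumptions, not Fog.dll symbols. */

/* Per-connection state: the listing passes the socket and a pointer to the
   peer address on the stack (the inet_ntoa argument comes from [esp+20h]). */
typedef struct {
    unsigned int sock;      /* esi: the socket that gets closed */
    const char  *peer_ip;   /* stands in for inet_ntoa([edx]) */
} client_t;

/* Stands in for the counter at [ebx+96Ch], which the listing increments
   inside a critical section right before choosing the reason string. */
static unsigned int g_reject_count = 0;
static int g_last_closed = -1;          /* stands in for closesocket(esi) */

/* Mirrors the cmp edi,1 / cmp edi,2 chain: 1 and 2 map to fixed strings,
   anything else falls through to the reconnect-spam message. */
const char *reject_reason(int code)
{
    if (code == 1) return "user on hack list";
    if (code == 2) return "user logged on twice";
    return "user spamming with reconnects";
}

/* Writes the line Fog.31 is called with (the "HACK" log category) into out,
   bumps the counter, "closes" the socket and returns -1 (or eax,FFFFFFFFh).
   The format string is assumed from the log line quoted at the top. */
int reject_client(const client_t *c, int code, char *out, size_t outlen)
{
    g_reject_count++;                                   /* inc [ebx+96Ch] */
    snprintf(out, outlen, "[sQSNTAccept] *** Deleted socket %u (%s) - %s ***",
             c->sock, c->peer_ip, reject_reason(code));
    g_last_closed = (int)c->sock;                       /* WSOCK32.3 */
    return -1;
}

unsigned int reject_count(void) { return g_reject_count; }
int last_closed_socket(void) { return g_last_closed; }

int main(void)
{
    char line[128];
    client_t c = { 2136, "192.168.1.1" };   /* constructed to match the log above */
    reject_client(&c, 3, line, sizeof line);
    puts(line);
    return 0;
}
```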