carniato
Posted January 6 (edited)

Packet interception demonstration for Conquer Online using MinHook + ImGui overlay.

This is a feature I posted in the ConquerDX9.Hook thread and people liked it, so I decided to make it a separate dedicated project.

Features:
• Real-time packet interception (before encryption)
• Packet injection (client encrypts automatically)
• ImGui overlay interface (toggle with INSERT key)
• Packet history with hex dump
• Automatic character ID extraction

How I found it:
Found SendPacket (0x007414F0) in IDA.

    // Address: 0x007414F0 (Conquer Online client version 6609)
    int __fastcall SendPacket(
        void* thisPtr,  // Network object (ECX register)
        void* edx,      // Unused (EDX register)
        void* data,     // Packet data (NOT encrypted!)
        int len         // Packet size
    );

Note: This address (0x007414F0) is specific to Conquer Online client version 6609 only.

Usage:
Version 6609 (Proxy Method):
1. Rename original Chat.dll to OChat.dll in game folder
2. Copy compiled Chat.dll to the same folder
3. Launch game (no injector needed)
4. Press INSERT to toggle ImGui interface

Building:
• Visual Studio (Release & Win32)
• Output: Release/Chat.dll

Rep: git/cnthigu/conquer-packet-interceptor
Please like the project on GitHub?

Libraries:
• MinHook (included)
• ImGui (included)

Note: This is an educational project and example implementation, as a student. Use your creativity, there's so much more that can be done! If this helps you in any way, please consider giving it a star on GitHub!!!

Edited January 6 by carniato

xFranko
Posted January 7 (edited)

Did it ever crash your client past this login point before? I tried to add a logger to detect the crashes, seems like it's trying to access wrong memory address or smth during dll unload for a font cleanup method it seems Font_CloseSys (I'm not the best at C++ xD), I will update if I find a solution, this is probably related to my client even though I'm on 6609

    [2026-01-07 07:40:26] ========================================
    Crash Logger Initialized
    Log File: O:\Games\Conquer\MTA Conquer\Client v6609 - MTA\Env_DX9\crash_log.txt
    ========================================
    [2026-01-07 07:40:27] Crash logger initialized successfully
    [2026-01-07 07:40:27] DLL loaded (DLL_PROCESS_ATTACH)
    [2026-01-07 07:40:51] ========================================
    CRASH DETECTED
    ========================================
    Exception Code: 0xC0000005 (EXCEPTION_ACCESS_VIOLATION)
    Exception Flags: 0x00000000
    Exception Address: 0x015C43B4
    Exception Parameters: 2
    Parameter[0]: 0x00000000
    Parameter[1]: 0x00000000
    Access Type: READ
    Fault Address: 0x00000000
    Register Context:
    EAX: 0x00000000 EBX: 0x1A43DEF0 ECX: 0x93C87EF3 EDX: 0x0019F9E4
    ESI: 0x1D8921C0 EDI: 0x1D9D0008 EBP: 0x00000007 ESP: 0x0019FA20
    EIP: 0x015C43B4 EFLAGS: 0x00210283
    Stack Trace:
    [00] 0x015C43B4 Font_CloseSys+0x8B4
    [01] 0x015A9CCB TargetBmpCreateEx+0xAB
    ========================================
    [2026-01-07 07:40:52] DLL unloading (DLL_PROCESS_DETACH)
    [2026-01-07 07:40:52] Crash logger shutting down

Edited January 7 by xFranko

carniato (Author)
Posted January 7 (edited)

@xFranko Thanks for the detailed crash report!

Based on your logs, it looks like a cleanup order issue during DLL unload - Font_CloseSys accessing freed memory.

I couldn't reproduce it here, but I created a potential fix in the `v1.0.1-beta` branch: https://github.com/cnthigu/conquer-packet-interceptor/tree/v1.0.1-beta

It adds proper cleanup order and exception handling. Not sure if it'll fix it since I can't test the crash scenario, but maybe it helps? Could you test and let me know? If it works, I'll merge to main. Thanks!

Edited January 7 by carniato

xFranko
Posted January 9

On 1/7/2026 at 4:49 PM, carniato said:
> @xFranko Thanks for the detailed crash report! Based on your logs, it looks like a cleanup order issue during DLL unload - Font_CloseSys accessing freed memory. I couldn't reproduce it here, but I created a potential fix in the `v1.0.1-beta` branch: https://github.com/cnthigu/conquer-packet-interceptor/tree/v1.0.1-beta It adds proper cleanup order and exception handling. Not sure if it'll fix it since I can't test the crash scenario, but maybe it helps? Could you test and let me know? If it works, I'll merge to main. Thanks!

Hey @carniato! Thank you so much for this really, and sorry for the late reply, I got busy with work so didn't have further time to debug the issue further on my end. I will give this one a try and will update here with the results, I hope it works! And if it does I maybe could also create a PR with my logger so that for the future it's more robust to catch such issues.

Will update you soon! : )

xFranko
Posted January 9

Hey @carniato

Sadly it still crashes past login after getting the Entity UID, I will message you privately for a version to test with.

That's how it looks before the client crashes and shuts down:

    Crash Logger Initialized
    DLL Path: O:\Games\Conquer\MTA Conquer\Client v6609 - MTA\Env_DX9\
    Game Path: O:\Games\Conquer\MTA Conquer\Client v6609 - MTA\Env_DX9\
    Log File: O:\Games\Conquer\MTA Conquer\Client v6609 - MTA\Env_DX9\crash_log.txt
    ========================================
    [2026-01-09 15:07:54] Crash logger initialized successfully
    [2026-01-09 15:08:13] ========================================
    CRASH DETECTED
    ========================================
    Exception Code: 0xC0000005 (EXCEPTION_ACCESS_VIOLATION)
    Exception Flags: 0x00000000
    Exception Address: 0x016A43B4
    Exception Parameters: 2
    Parameter[0]: 0x00000000
    Parameter[1]: 0x00000000
    Access Type: READ
    Fault Address: 0x00000000
    Register Context:
    EAX: 0x00000000 EBX: 0x1C951378 ECX: 0xAB1ABDB5 EDX: 0x0019F9E4
    ESI: 0x1C837EB0 EDI: 0x1CB0CB90 EBP: 0x00000007 ESP: 0x0019FA20
    EIP: 0x016A43B4 EFLAGS: 0x00210283
    Module Information:
    Crash Module: graphic.dll
    Module Base: 0x01670000
    Module Size: 0x001A2000
    Offset in Module: 0x000343B4
    Stack Trace:
    [00] 0x016A43B4 [graphic.dll] Font_CloseSys+0x8B4
    [01] 0x01689CCB [graphic.dll] TargetBmpCreateEx+0xAB
    Memory Information:
    Fault Address: 0x00000000
    Base Address: 0x00000000
    Region Size: 0x00010000
    State: FREE
    Type: PRIVATE
    Protect: 0x00000001
    ========================================
    [2026-01-09 15:08:15] DLL_PROCESS_DETACH: Shutting down...
    [2026-01-09 15:08:15] Crash logger shutting down
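
Added example, not part of any post in this thread and not code from the project: a small triage script that checks whether the January 7 and January 9 crash reports point at the same code by comparing stack frames modulo the DLL load base. The function names (`parse_crash`, `load_delta`, `triage`) are hypothetical, the log excerpts are trimmed to the fields used, and the January 7 module base is an inference because that report does not log it.

```python
import re
# Constructed excerpts: only the fields used below, copied from the crash
# logs posted in this thread on January 7 and January 9.
LOG_JAN7 = """\
Exception Address: 0x015C43B4
Fault Address: 0x00000000
[00] 0x015C43B4 Font_CloseSys+0x8B4
[01] 0x015A9CCB TargetBmpCreateEx+0xAB
"""
LOG_JAN9 = """\
Exception Address: 0x016A43B4
Fault Address: 0x00000000
Module Base: 0x01670000
[00] 0x016A43B4 [graphic.dll] Font_CloseSys+0x8B4
[01] 0x01689CCB [graphic.dll] TargetBmpCreateEx+0xAB
"""

FIELD = re.compile(r"^(Exception Address|Fault Address|Module Base):\s*(0x[0-9A-Fa-f]+)", re.M)
FRAME = re.compile(r"^\[(\d+)\]\s+0x([0-9A-Fa-f]+)", re.M)

def parse_crash(text):
    """Return the header fields as ints plus the list of stack frame addresses."""
    rec = {k: int(v, 16) for k, v in FIELD.findall(text)}
    rec["frames"] = [int(addr, 16) for _, addr in FRAME.findall(text)]
    return rec

def load_delta(a, b):
    """If every frame of b equals a's frame plus one constant, return that constant.
    A constant shift means the same code faulted and only the load base moved."""
    if len(a["frames"]) != len(b["frames"]) or not a["frames"]:
        return None
    deltas = {y - x for x, y in zip(a["frames"], b["frames"])}
    return deltas.pop() if len(deltas) == 1 else None

def triage(a, b):
    """Compare a report without module info (a) against one that has it (b)."""
    delta = load_delta(a, b)
    if delta is None or "Module Base" not in b:
        return None
    return {
        "rva": b["Exception Address"] - b["Module Base"],   # offset inside the module
        "inferred_base_a": b["Module Base"] - delta,        # inferred, not logged in a
        "null_read": a["Fault Address"] == b["Fault Address"] == 0,
    }

if __name__ == "__main__":
    print(triage(parse_crash(LOG_JAN7), parse_crash(LOG_JAN9)))
```

The computed offset agrees with the "Offset in Module" value in the January 9 log, and both frames shift by the same constant between the two runs, so both reports describe a read of address 0 at the same location in graphic.dll.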