carniato Posted January 6 (edited)

Packet interception demonstration for Conquer Online using MinHook + ImGui overlay. This is a feature I posted in the ConquerDX9.Hook thread and people liked it, so I decided to make it a separate dedicated project.

Features:
• Real-time packet interception (before encryption)
• Packet injection (client encrypts automatically)
• ImGui overlay interface (toggle with INSERT key)
• Packet history with hex dump
• Automatic character ID extraction

How I found it: Found SendPacket (0x007414F0) in IDA.

```cpp
// Address: 0x007414F0 (Conquer Online client version 6609)
int __fastcall SendPacket(
    void* thisPtr, // Network object (ECX register)
    void* edx,     // Unused (EDX register)
    void* data,    // Packet data (NOT encrypted!)
    int len        // Packet size
);
```

Note: This address (0x007414F0) is specific to Conquer Online client version 6609 only.

Usage: Version 6609 (Proxy Method):
1. Rename the original Chat.dll to OChat.dll in the game folder
2. Copy the compiled Chat.dll to the same folder
3. Launch the game (no injector needed)
4. Press INSERT to toggle the ImGui interface

Building:
• Visual Studio (Release & Win32)
• Output: Release/Chat.dll

Repo: git/cnthigu/conquer-packet-interceptor
Please like the project on GitHub?

Libraries:
• MinHook (included)
• ImGui (included)

Note: This is an educational project and example implementation, made as a student. Use your creativity, there's so much more that can be done! If this helps you in any way, please consider giving it a star on GitHub!

Edited January 6 by carniato
xFranko Posted January 7 (edited)

Did it ever crash your client past this login point before? I tried to add a logger to detect the crashes; it seems like it's trying to access a wrong memory address or smth during DLL unload, in a font cleanup method it seems, Font_CloseSys (I'm not the best at C++ xD). I will update if I find a solution; this is probably related to my client even though I'm on 6609.

```text
[2026-01-07 07:40:26] ========================================
Crash Logger Initialized
Log File: O:\Games\Conquer\MTA Conquer\Client v6609 - MTA\Env_DX9\crash_log.txt
========================================
[2026-01-07 07:40:27] Crash logger initialized successfully
[2026-01-07 07:40:27] DLL loaded (DLL_PROCESS_ATTACH)
[2026-01-07 07:40:51] ========================================
CRASH DETECTED
========================================
Exception Code: 0xC0000005 (EXCEPTION_ACCESS_VIOLATION)
Exception Flags: 0x00000000
Exception Address: 0x015C43B4
Exception Parameters: 2
Parameter[0]: 0x00000000
Parameter[1]: 0x00000000
Access Type: READ
Fault Address: 0x00000000
Register Context:
EAX: 0x00000000
EBX: 0x1A43DEF0
ECX: 0x93C87EF3
EDX: 0x0019F9E4
ESI: 0x1D8921C0
EDI: 0x1D9D0008
EBP: 0x00000007
ESP: 0x0019FA20
EIP: 0x015C43B4
EFLAGS: 0x00210283
Stack Trace:
[00] 0x015C43B4 Font_CloseSys+0x8B4
[01] 0x015A9CCB TargetBmpCreateEx+0xAB
========================================
[2026-01-07 07:40:52] DLL unloading (DLL_PROCESS_DETACH)
[2026-01-07 07:40:52] Crash logger shutting down
```

Edited January 7 by xFranko
carniato (Author) Posted January 7 (edited)

@xFranko Thanks for the detailed crash report! Based on your logs, it looks like a cleanup order issue during DLL unload - Font_CloseSys accessing freed memory. I couldn't reproduce it here, but I created a potential fix in the `v1.0.1-beta` branch: https://github.com/cnthigu/conquer-packet-interceptor/tree/v1.0.1-beta

It adds proper cleanup order and exception handling. Not sure if it'll fix it since I can't test the crash scenario, but maybe it helps? Could you test and let me know? If it works, I'll merge to main. Thanks!

Edited January 7 by carniato
xFranko Posted January 9

On 1/7/2026 at 4:49 PM, carniato said:
> @xFranko Thanks for the detailed crash report! Based on your logs, it looks like a cleanup order issue during DLL unload - Font_CloseSys accessing freed memory. I couldn't reproduce it here, but I created a potential fix in the `v1.0.1-beta` branch: https://github.com/cnthigu/conquer-packet-interceptor/tree/v1.0.1-beta
> It adds proper cleanup order and exception handling. Not sure if it'll fix it since I can't test the crash scenario, but maybe it helps? Could you test and let me know? If it works, I'll merge to main. Thanks!

Hey @carniato! Thank you so much for this, really, and sorry for the late reply; I got busy with work so I didn't have time to debug the issue further on my end. I will give this one a try and will update here with the results; I hope it works! And if it does, I could maybe also create a PR with my logger so that in the future it's more robust at catching such issues.

Will update you soon! :)
xFranko Posted January 9

Hey @carniato, sadly it still crashes past login after getting the Entity UID. I will message you privately for a version to test with.

That's how it looks before the client crashes and shuts down:

```text
Crash Logger Initialized
DLL Path: O:\Games\Conquer\MTA Conquer\Client v6609 - MTA\Env_DX9\
Game Path: O:\Games\Conquer\MTA Conquer\Client v6609 - MTA\Env_DX9\
Log File: O:\Games\Conquer\MTA Conquer\Client v6609 - MTA\Env_DX9\crash_log.txt
========================================
[2026-01-09 15:07:54] Crash logger initialized successfully
[2026-01-09 15:08:13] ========================================
CRASH DETECTED
========================================
Exception Code: 0xC0000005 (EXCEPTION_ACCESS_VIOLATION)
Exception Flags: 0x00000000
Exception Address: 0x016A43B4
Exception Parameters: 2
Parameter[0]: 0x00000000
Parameter[1]: 0x00000000
Access Type: READ
Fault Address: 0x00000000
Register Context:
EAX: 0x00000000
EBX: 0x1C951378
ECX: 0xAB1ABDB5
EDX: 0x0019F9E4
ESI: 0x1C837EB0
EDI: 0x1CB0CB90
EBP: 0x00000007
ESP: 0x0019FA20
EIP: 0x016A43B4
EFLAGS: 0x00210283
Module Information:
Crash Module: graphic.dll
Module Base: 0x01670000
Module Size: 0x001A2000
Offset in Module: 0x000343B4
Stack Trace:
[00] 0x016A43B4 [graphic.dll] Font_CloseSys+0x8B4
[01] 0x01689CCB [graphic.dll] TargetBmpCreateEx+0xAB
Memory Information:
Fault Address: 0x00000000
Base Address: 0x00000000
Region Size: 0x00010000
State: FREE
Type: PRIVATE
Protect: 0x00000001
========================================
[2026-01-09 15:08:15] DLL_PROCESS_DETACH: Shutting down...
[2026-01-09 15:08:15] Crash logger shutting down
```
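Both crash logs in this thread (January 7 and January 9) stop at the same place, Font_CloseSys+0x8B4 reached from TargetBmpCreateEx+0xAB, but at different absolute addresses, because graphic.dll was loaded at a different base each time. The following triage helper is an added example (not part of the thread or of the project): it parses the posted log lines, builds a relocation-independent crash signature, and uses the module base that only the second log recorded to recover the base the first log lacks. The log excerpts are constructed from the values posted above.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed excerpts: the relevant lines of the two logs posted in this thread.
LOG_JAN07 = """Exception Code: 0xC0000005 (EXCEPTION_ACCESS_VIOLATION)
Exception Address: 0x015C43B4
Fault Address: 0x00000000
Stack Trace:
[00] 0x015C43B4 Font_CloseSys+0x8B4
[01] 0x015A9CCB TargetBmpCreateEx+0xAB"""
LOG_JAN09 = """Exception Code: 0xC0000005 (EXCEPTION_ACCESS_VIOLATION)
Exception Address: 0x016A43B4
Fault Address: 0x00000000
Module Base: 0x01670000
Stack Trace:
[00] 0x016A43B4 [graphic.dll] Font_CloseSys+0x8B4
[01] 0x01689CCB [graphic.dll] TargetBmpCreateEx+0xAB"""

FIELD_RE = re.compile(r"^(Exception Code|Exception Address|Fault Address|Module Base):\s+0x([0-9A-Fa-f]+)", re.M)
# "[idx] 0xADDR [module] Symbol+0xOFF"; the bracketed module name is optional.
FRAME_RE = re.compile(r"^\[\d+\]\s+0x([0-9A-Fa-f]+)\s+(?:\[(\S+)\]\s+)?(\w+)\+0x([0-9A-Fa-f]+)", re.M)

@dataclass
class Crash:
    code: int
    eip: int
    fault: int
    module_base: Optional[int]
    frames: list  # (absolute address, module or None, symbol, offset into symbol)

def parse_crash(text: str) -> Crash:
    fields = {k: int(v, 16) for k, v in FIELD_RE.findall(text)}
    frames = [(int(a, 16), m or None, s, int(o, 16)) for a, m, s, o in FRAME_RE.findall(text)]
    return Crash(fields["Exception Code"], fields["Exception Address"],
                 fields["Fault Address"], fields.get("Module Base"), frames)

def signature(c: Crash) -> tuple:
    """Identity that survives relocation: exception code plus symbol+offset per frame."""
    return (c.code,) + tuple(f"{s}+0x{o:X}" for _, _, s, o in c.frames)

def module_offset(c: Crash) -> Optional[int]:
    return None if c.module_base is None else c.eip - c.module_base

def infer_base(c: Crash, reference: Crash) -> Optional[int]:
    """Recover the base of a crash that logged none from a same-signature crash that did."""
    off = module_offset(reference)
    if off is None or signature(c) != signature(reference):
        return None
    return c.eip - off
```

Run on the two excerpts, the signatures match, module_offset of the second crash equals the 0x000343B4 the log itself reports, and the first crash's graphic.dll base comes out as 0x01590000.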
Konichu Posted February 4

For those too lazy to look for a function to hook to receive packets...

```cpp
#include <cstdint>

constexpr uintptr_t RECV_PACKET_ADDRESS = 0x0073CE61;
typedef void*(__cdecl* RecvPacketFunc)(void* data, int len);
```
zMagic Posted February 5

Great work, dude. I'm not commenting on your work, but you didn't hook the "send" function. You hooked a pre-send function (before encryption). That doesn't constitute an issue in the post. However, this information is for those who will be changing the project version for other clients: you have to hook earlier than "Send" to get the clear packet, without the client's encryption shit.