ME3 Pipes

Postby WarrantyVoider » 21 Nov 2014, 19:21

Origin
\\.\pipe\OriginClientService
BF3
\\.\pipe\venice_snowroller
ME3
\\.\pipe\IGO_pipe_X where X is # of Process

well, I was talking with bshtornado about pipes and how programs communicate locally, so I wondered, doesn't Origin remote control ME3 when you get an invite? so I thought, well, let's throw a tool together and see...

well, there it is^^ if anyone wants this tool, source code & binary are here

greetz WV
always backup your files!
mess with the best or die like the rest!
"I tried everything!" - "mkay, please list that..." ; please dont pm me for help, we have a help section


Re: ME3 Pipes

Postby Erik JS » 22 Nov 2014, 02:09

Hmmm... very interesting. I'll take a look at this.

Is it possible to make a MITM for pipes?

I've been researching something... in secret... I'll just leave an image here:

This is more or less a mockup. I can create a new string and change the appropriate pointer for the game title, and I'm currently stuck on figuring out how to manipulate some functions from Origin (which would make the title visible to anyone on my friend list).

Maybe sending the right "command" (or whatever the hell apps send through pipes) may be easier than doing what I'm doing to get that image. Time to research pipes, I guess.

Off-topic, but related to pipes:

8-)
ME3 Private Server Emulator: @ ME3Tweaks | @ SourceForge | @ GitHub | @ Dropbox

Re: ME3 Pipes

Postby WarrantyVoider » 22 Nov 2014, 14:35

\\.\pipe\venice_snowroller

for BF3

greetz WV

PS: updated OP

Re: ME3 Pipes

Postby WarrantyVoider » 22 Nov 2014, 14:37

Erik JS wrote: Is it possible to make a MITM for pipes?

sure, it's like sockets: you have a server and a client. just get the client to use another string (change a letter or so) and host your MITM so that it passes stuff along to the real pipe server

greetz WV

Re: ME3 Pipes

Postby WarrantyVoider » 22 Nov 2014, 17:43

ok, update: ME3 (with Origin!) has a pipe too. it's called "IGO_pipe_" with the process id appended, e.g. "IGO_pipe_5234". but I can't read from it yet, or connect to it

greetz WV

Re: ME3 Pipes

Postby Erik JS » 22 Nov 2014, 19:07

IGO = In-Game Overlay (or Origin In Game).

"IGO_pipe_???" comes from OriginClient.dll.

Re: ME3 Pipes

Postby WarrantyVoider » 22 Nov 2014, 19:15

nope, its handle is from ME3! but I guess this dll needs to find it

greetz WV

Re: ME3 Pipes

Postby WarrantyVoider » 22 Nov 2014, 20:06

about OriginClient.dll:

http://pastebin.com/R6tRYA5d

// a2 is the game's process id, so the name becomes \\.\pipe\IGO_pipe_<pid>
wsprintfW(&NamedPipeName, L"\\\\.\\pipe\\IGO_pipe_%d", a2);
// 0xC0000000 = GENERIC_READ | GENERIC_WRITE, share mode 0, 3 = OPEN_EXISTING,
// 0x40000000 = FILE_FLAG_OVERLAPPED: the client side opening an already existing pipe
v5 = CreateFileW(&NamedPipeName, 0xC0000000u, 0, 0, 3u, 0x40000000u, 0);
Mode = 2; // PIPE_READMODE_MESSAGE: reads return one message at a time
SetNamedPipeHandleState(v5, (LPDWORD)&Mode, 0, 0);

the share mode is set to 0, which means it's not shared and we can't access it directly (I think)

greetz WV

Re: ME3 Pipes

Postby WarrantyVoider » 22 Nov 2014, 20:44

seems they also communicate over its window handle, by registering a special window class for it

http://pastebin.com/FrzbHyEV

greetz WV

Re: ME3 Pipes

Postby WarrantyVoider » 23 Nov 2014, 20:21

11-23-14-21-13-16 Starting Server...
11-23-14-21-13-25 Got Client...
11-23-14-21-13-25 Connecting...
11-23-14-21-13-25 Connected.
11-23-14-21-13-26 Server :
00000000 01 00 00 00 10 00 00 00 10 00 00 00 70 00 00 00 ············p···
00000010 10 00 00 00 71 00 00 00 ····q···

11-23-14-21-13-26 Client :
00000000 04 01 00 00 05 00 00 00 01 00 00 00 00 0D 01 00 ················
00000010 00 01 00 00 00 00 02 01 00 00 04 00 00 00 00 00 ················
00000020 00 00 ··

11-23-14-21-13-26 Server :
00000000 15 01 00 00 1C 00 00 00 4D 00 61 00 73 00 73 00 ········M·a·s·s·
00000010 20 00 45 00 66 00 66 00 65 00 63 00 74 00 22 21 ·E·f·f·e·c·t·"!
00000020 20 00 33 00 ·3·

11-23-14-21-13-27 Client :
00000000 01 01 00 00 04 00 00 00 ········

11-23-14-21-13-27 Server :
00000000 17 01 00 00 1A 00 00 00 4D 00 61 00 73 00 73 00 ········M·a·s·s·
00000010 20 00 45 00 66 00 66 00 65 00 63 00 74 00 20 00 ·E·f·f·e·c·t· ·
00000020 33 00 3·

11-23-14-21-13-27 Client :
00000000 00 00 00 00 ····

11-23-14-21-13-27 Server :
00000000 18 01 00 00 1A 00 00 00 4D 00 61 00 73 00 73 00 ········M·a·s·s·
00000010 20 00 45 00 66 00 66 00 65 00 63 00 74 00 20 00 ·E·f·f·e·c·t· ·
00000020 33 00 3·

11-23-14-21-13-27 Client :
00000000 02 01 00 00 04 00 00 00 20 03 58 02 ········ ·X·

11-23-14-21-13-27 Server :
00000000 16 01 00 00 74 00 00 00 68 00 74 00 74 00 70 00 ····t···h·t·t·p·
00000010 3A 00 2F 00 2F 00 6D 00 61 00 73 00 73 00 65 00 :·/·/·m·a·s·s·e·
00000020 66 00 66 00 65 00 63 00 74 00 2E 00 63 00 6F 00 f·f·e·c·t·.·c·o·
00000030 6D 00 2F 00 3F 00 67 00 61 00 6D 00 65 00 4C 00 m·/·?·g·a·m·e·L·
00000040 6F 00 63 00 61 00 6C 00 65 00 3D 00 64 00 65 00 o·c·a·l·e·=·d·e·
00000050 5F 00 44 00 45 00 26 00 6F 00 72 00 69 00 67 00 _·D·E·&·o·r·i·g·
00000060 69 00 6E 00 4C 00 6F 00 63 00 61 00 6C 00 65 00 i·n·L·o·c·a·l·e·
00000070 3D 00 64 00 65 00 5F 00 44 00 45 00 =·d·e·_·D·E·

11-23-14-21-15-44 Client :
00000000 04 01 00 00 05 00 00 00 ········

11-23-14-21-15-44 Server :
00000000 12 01 00 00 18 00 00 00 44 00 52 00 3A 00 32 00 ········D·R·:·2·
00000010 32 00 39 00 36 00 34 00 34 00 34 00 30 00 30 00 2·9·6·4·4·4·0·0·

11-23-14-21-15-44 Client :
00000000 00 20 03 58 02 · ·X·

11-23-14-21-15-44 Server :
00000000 13 01 00 00 22 00 00 00 36 00 38 00 34 00 38 00 ····"···6·8·4·8·
00000010 31 00 5F 00 36 00 39 00 33 00 31 00 37 00 5F 00 1·_·6·9·3·1·7·_·
00000020 35 00 30 00 38 00 34 00 34 00 5·0·8·4·4·

11-23-14-21-16-52 Client :
00000000 04 01 00 00 05 00 00 00 ········

11-23-14-21-16-52 Server :
00000000 14 01 00 00 6A 00 00 00 44 00 3A 00 5C 00 47 00 ····j···D·:·\·G·
00000010 61 00 6D 00 65 00 73 00 5C 00 4D 00 61 00 73 00 a·m·e·s·\·M·a·s·
00000020 73 00 20 00 45 00 66 00 66 00 65 00 63 00 74 00 s· ·E·f·f·e·c·t·
00000030 20 00 33 00 5C 00 62 00 69 00 6E 00 61 00 72 00 ·3·\·b·i·n·a·r·
00000040 69 00 65 00 73 00 5C 00 57 00 69 00 6E 00 33 00 i·e·s·\·W·i·n·3·
00000050 32 00 5C 00 4D 00 61 00 73 00 73 00 45 00 66 00 2·\·M·a·s·s·E·f·
00000060 66 00 65 00 63 00 74 00 33 00 2E 00 65 00 78 00 f·e·c·t·3·.·e·x·
00000070 65 00 e·

11-23-14-21-16-52 Client :
00000000 01 20 03 58 02 0D 01 00 00 01 00 00 00 00 02 01 · ·X············
00000010 00 00 04 00 00 00 20 03 58 02 ······ ·X·

11-23-14-21-16-52 Server :
00000000 19 01 00 00 01 00 00 00 00 ·········

11-23-14-21-19-40 Client :
00000000 04 01 00 00 05 00 00 00 ········

11-23-14-21-19-40 Server :
00000000 1A 01 00 00 08 00 00 00 FF FF FF FF FF FF FF FF ········ÿÿÿÿÿÿÿÿ

11-23-14-21-19-40 Client :
00000000 00 20 03 58 02 · ·X·

11-23-14-21-19-40 Server :
00000000 1B 01 00 00 00 00 00 00 ········

11-23-14-21-19-42 Server :
00000000 01 00 00 00 10 00 00 00 10 00 00 00 70 00 00 00 ············p···
00000010 10 00 00 00 71 00 00 00 ····q···


well, not THAT interesting, there's actually pretty little going on here... this was an ugly hack, with an ollydbg edit to change Origin's pipe name, and I made a little MITM dumper. but meh...

greetz WV

PS: this is from: booting->mp lobby->make a game-> main menu -> exit
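Reading the dump above, every message appears to be a little-endian u32 message id, a u32 payload length, and the payload; the client reads show several messages coalesced into one read and one header whose payload only arrives in the next read. As an added example (not WV's dumper, and the framing is inferred from the capture rather than documented), here is a reassembler that parses one direction's reads into messages and decodes the payloads of the ids that carried UTF-16LE text; the sample bytes are constructed by transcribing a few of the Server/Client lines above.

```python
import struct

# Framing inferred from the dump: u32 LE message id, u32 LE payload length, payload.
HEADER = struct.Struct("<II")
# Ids observed carrying UTF-16LE strings in the capture (title, URL, paths, "DR:..." etc.).
STRING_IDS = {0x112, 0x113, 0x114, 0x115, 0x116, 0x117, 0x118}

# Constructed sample, hex transcribed from the dump above. Each string is one pipe read.
SERVER_READS = [
    "01000000 10000000 10000000 70000000 10000000 71000000",
    "15010000 1C000000 4D006100730073002000450066006600650063007400222120003300",
    "12010000 18000000 44005200 3A003200 32003900 36003400 34003400 30003000",
    "1B010000 00000000",
]
# Three messages coalesced in the first read, then a header split from its payload.
CLIENT_READS = [
    "04010000 05000000 0100000000 0D010000 01000000 00 02010000 04000000 00000000",
    "04010000 05000000",
    "0020035802",
]


def parse_stream(reads):
    """Reassemble framed messages from one direction's sequence of pipe reads.

    Reads are joined before parsing so a message split across two reads is
    recovered. Returns (messages, leftover) where leftover holds an incomplete
    trailing message that still needs more data.
    """
    buf = b"".join(bytes.fromhex(r) for r in reads)
    messages, pos = [], 0
    while pos + HEADER.size <= len(buf):
        msg_id, length = HEADER.unpack_from(buf, pos)
        end = pos + HEADER.size + length
        if end > len(buf):
            break  # payload not fully received yet
        messages.append((msg_id, buf[pos + HEADER.size:end]))
        pos = end
    return messages, buf[pos:]


def render(msg_id, payload):
    """Decode the payload as UTF-16LE for ids seen carrying text, otherwise show hex."""
    if msg_id in STRING_IDS:
        return payload.decode("utf-16-le")
    return payload.hex(" ") if payload else "<empty>"


def dump(label, reads):
    messages, leftover = parse_stream(reads)
    for msg_id, payload in messages:
        print(f"{label} id=0x{msg_id:03X} len={len(payload):3d} {render(msg_id, payload)}")
    if leftover:
        print(f"{label} {len(leftover)} trailing byte(s) waiting for more data")


if __name__ == "__main__":
    dump("Server", SERVER_READS)
    dump("Client", CLIENT_READS)
```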
