Reading from Warcraft 3 IO Completion Port

[Excel]

In an attempt to receive data come to the Warcraft 3 client before it the game handles it ( which is a feat in itself ), I am wondering how to actually get at the data?  I've been researching how IO Completion Ports work and can't seem to find the data.

Here is a typical GetQueuedCompletionStatus call

Code Select Expand


// BOOL GetQueuedCompletionStatus( CompletionPortHandle, lpNumberOfBytes, lpCompletionKey, lpOverlapped, dwMilliseconds );
ret = GetQueuedCompletionStatus( 9464, 67501932, 67501944, 67501928, -1 ); // -1 == INFINITE
// ret == 1

Here is some debug output ( value from the lpNumberOfBytes pointer ... as well as the data inside the OVERLAPPED structure )

Bytes Read = 154
hEvent = 142868656 == 0x088400B0
Internal = 142870244 == 0x088406E4
InternalHigh = 154
Offset = 67501952 == 0x0405FF80
OffsetHigh = 4282464 == 0x00415860
Pointer = 67501952 == 0x0405FF80

I was hoping I could simply ReadProcessMemory the address Pointer is set to... for the InternalHigh worth of bytes (since it is identical to the supposed bytes read), however it doesn't give me the data I was expected.  My tests so far have been going to an empty chatroom, chatting, and trying to find the text I had typed "XXXXXXXXXXX".  I've also debugged and stepped through it

Code Select Expand

00415800  |. FF15 10CF4E00  |CALL DWORD PTR DS:[4ECF10] ... is the call that soon after calls GetQueuedCompletionStatus.  Even debugging and looking around, I couldn't find how it looked up the data that it was receiving ( or how it was receiving it ).

I am hoping that someone could help me this.  Does GetQueuedCompletionStatus OVERLAPPED structure give me the information I need to find the data received?  I've seen that typically a programmer would wrap that structure and add additional data ( perhaps the received buffer )... but this is not the case as far as I can tell.  I still see no calls to WSARecv... is this not even used?  Is there a better way I should be approaching this? Any support would be great 

[UserLoser]

Maybe it uses ReadFileEx instead of WSARecv?  It's been a while since I've done anything on War3.exe...

[Excel]

Doesn't hook ReadFileEx, but ReadFile might be the one.

After logging on battle.net, then ALT+F4 to leave... I was given this nice message from ReadFile

[NOTE TO HACKERS -- Changing this file may be hazardous to your progress]
Magic1=-704524704

[Hero]

Doesn't hook ReadFileEx, but ReadFile might be the one.

After logging on battle.net, then ALT+F4 to leave... I was given this nice message from ReadFile

[NOTE TO HACKERS -- Changing this file may be hazardous to your progress]
Magic1=-704524704

Haha, thats nice.

[TheMinistered]

What you want to do is catch the data after Warcraft3 receives it but before it processes/handles it.  You will want to look for some sort of recv call, there are a few for overlapped operations. 

You need to hook it and pass the buffer right after the call to the recv function and before it gets handled.

typically this is how they'll have coded it:

recv(... buffer ...);
handledata(... buffer ...);

you'll want to hook the call to handledata, and your hook will typically look like this:

patchedhandledata(... buffer ...)
{
; function pointer to the real handledata fxn

; code to process buffer with what you want

; code to call the real handledata fxn
}

these hooks kind of work like subclassing a windowproc if you want to think of it like that...  you process the message then call the default window proc when you're done.  So think of it as "subclassing the handledata/buffer processing function in warcraft 3" but you have to go a little out of your way as there is no api for this

[tinman]

I'm trying to do the same thing also...

[tinman]

ah... i did it 
managed to get it works perfectly