Hooking send/recieve procedures

[payl]

(PAC/Payl haters are supposed to leave now)
I'm thinking about new subsystem to PAC. It would be system that send some reply when got request like '!is_pac_on'. The main problem about that is i don't know what to hook. I've tried hooking some functions in paintball2.exe but it only let me track messages i sent.
So my question: Is it possible to get text recieve/send procedures from exports? This would make hooking easier. If it isn't then what should i hook? Procedure address would be best, but anything can be useful.

This question is obviously mainly for Jitspoe, but if anybody got any hint (and know what i am talking about) feel free to post..

[jitspoe]

I don't remember the function names offhand, but I think there's a function in both the engine and dll that parses player commands.  Should be pretty easy to find looking at the q2 source.  You could also potentially process the raw packet data for commands.

[payl]

I don't remember the function names offhand, but I think there's a function in both the engine and dll that parses player commands.  Should be pretty easy to find looking at the q2 source.

I'll take a look, because i haven't found anything too useful with searching for 'say' pattern in EXE nor DLLs (instead i found your debug code, which i think that should be removed in release version but whatever). I think this also mean that you have nothing against it, this is important because i don't want weird things to happen (like once when PAC detected testw and vice versa).

You could also potentially process the raw packet data for commands.

I have realized that before and i think i'll go for this as this would be easy to implement with actual code design. Then i just have to take care of sending in build specific way. Anyway thank you for trying to help .

Will post results of my searching in q2 code and paintball2 asm later on.

[payl]

Alright, i done it.
Sending messages from hook/program:
In order to be able to send your messages you should call to $403980 (b35). This call takes one parameter that is pointer to ASCIIZ string. Remember that it's cdecl procedure so fix stack.
Also, you should notice that you have to call this code from same thread and at good timing. This shouldn't be done by hooking same function as before, because it only get called if there is a message processed. I decided to hook $401EC0. This procedure is also cdecl and one parameter. You can give your messages just after you return from original procedure.
Notice that this procedure is called very often, so don't hook functions to keys otherwise you'll get "Outbound message overflow".

Tools used to inspect: IDA, Process Hacker.