In the last tutorial, we learned how to unpack the client and remove the hacking protection.
This enables us to use debuggers to analyze the client.
Some tasks become really annoying if we have to redo them every time the client changes.
This tutorial will show you how to automate such operations once you've worked out the details.
Our goal in this tutorial is to extract useful information from the client without even having to run it.
Step 1: Find out Stuff
Quote:
We've analyzed the DE client and found the MainBaseAdress and the offset to the CharStruct.
In the current DE client, they look like this:
All character information is stored in one and the same struct in 4Story.
When the client wants to access the struct, it has to work out the address of the struct first.
In asm that might look like this:
Code:
mov eax, [mainBaseAdress]       ; eax now holds the address that mainBaseAdress points to
mov eax, [eax + charStructOffset] ; eax now holds the address of the character struct
x86 is little-endian: the CPU stores multi-byte values with the least significant byte first.
This means our mainBaseAdress (00 70 D9 68) has to be stored as (68 D9 70 00) somewhere in the client.
Step 3: Search the Client for the desired address
Quote:
I will use OllyDbg, since I used it in the last tutorial too.
1. Get into the main module's code (check the last tutorial if you don't know how to)
2. Press CTRL + B to start a binary search, and search for the reversed mainBaseAdress (68 D9 70 00)
3. Press CTRL + L (search next) until you've found a nice piece of code containing your address
Quote:
To extract the information from the client reliably, the pattern shouldn't be just 2 lines of code.
The best thing would be to scan for a full function.
Even better would be a function containing more than one piece of information we want to extract.
The TClient has one small function containing both of the named pieces of information.
This is a screenshot of 4Story EG, but it's almost the same in the DE client (check the comparison screenshot in Step 5).
Step 4: Grab the Code
Quote:
The easiest way to get the code out of Olly is to mark it and press CTRL + C.
Now it's stored in the clipboard and can be pasted into your favorite editor.
The code looks like this in my case:
Now it's time to decide which method we want to use to filter the code later. I will use AutoIt to build the final tool.
The most efficient way to handle such a lot of characters in AutoIt is the regex functions.
If we compare the function to the same one in other clients, we notice that the main code stays the same.
The only thing that might differ is the values (addresses and offsets) embedded in the code, so the pattern keeps the opcodes fixed and wildcards the values.
As already mentioned, I'll use AutoIt to build the final tool.
Since most people in this section seem to be fairly familiar with AutoIt, the code shouldn't need any further explanation
(I've added lots of comments, which should be self-explanatory):
Code:
#NoTrayIcon
;// open and read the client in binary mode (mode 16 = binary)
$file = FileOpen('TClient.exe', 16)
$content = FileRead($file, FileGetSize('TClient.exe'))
FileClose($file)
;// FileRead in binary mode returns a binary variant; StringRegExp treats it as its
;// "0x..." uppercase hex string, so the pattern is written in hex pairs:
;// .{8} = 4 wildcard bytes, (.{8}) = 4 captured bytes (MainBaseAdress, CharStructOffset)
$filter = StringRegExp($content, "558BEC6AFF68.{8}64A1000000005064892500000000518B4D.{2}53568B35(.{8})0FB786.{8}89018B8E(.{8})8B11578965.{2}C745.{2}00000000FF92.{8}8B45.{2}D955.{2}D9188B8E.{8}8B11FF92.{8}D955.{2}8B45.{2}D918B0.{2}8B4D.{2}64890D000000005F5E5B8BE55DC3", 1)
;// if the regex filter worked, display the results in a simple gui
If IsArray($filter) Then
    GUICreate('Offset Finder', 175, 55, Default, Default, 0x10C80000)
    GUICtrlCreateLabel('MainBaseAdress:', 10, 7, 85, 20)
    GUICtrlCreateInput('0x' & reverseHex($filter[0]), 95, 5, 70, 20, 0x801)
    GUICtrlCreateLabel('CharStructOffset:', 10, 32, 85, 20)
    GUICtrlCreateInput('0x' & reverseHex($filter[1]), 95, 30, 70, 20, 0x801)
    ;// -3 = $GUI_EVENT_CLOSE
    While GUIGetMsg() <> -3
    WEnd
Else
    MsgBox(16, 'Error', 'oooops looks like something went wrong :s')
EndIf

;// converts a little-endian hex string ("68D97000") into big-endian ("70D968")
Func reverseHex($string)
    Local $return
    ;// if the string has an odd length, add a zero in front of it
    If Mod(StringLen($string), 2) <> 0 Then $string = '0' & $string
    ;// reverse the order of the hex byte pairs
    For $i = 1 To StringLen($string) Step 2
        $return = StringMid($string, $i, 2) & $return
    Next
    ;// remove the leading zeros
    While StringLeft($return, 1) = '0'
        $return = StringTrimLeft($return, 1)
    WEnd
    Return $return
EndFunc
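The same signature scan, written in Python as an added example (this is not the tutorial's own code and not part of the attached tool). It works on the raw bytes of the file instead of AutoIt's hex-string representation, uses a small signature syntax with ?? wildcards and [...] capture groups that is assumed just for this example, and decodes each captured dword as little-endian, which is exactly what reverseHex() above achieves by reversing the hex pairs. The sample byte string is constructed for illustration: it borrows the page's example address 0070D968, and the struct offset 0x210 is made up. The wildcard-signature idea shown here is the same one that YARA-style rules use for matching known code fragments in malware triage.

```python
"""Byte-signature scan over a binary, extracting embedded little-endian
constants.  Added example; the sample bytes and the signature are constructed."""
import re
import struct

# Constructed sample: a tiny x86 fragment shaped like the function the tutorial
# scans for (prologue, a load through an absolute address, a load through a
# displacement, epilogue).  Not taken from any real client.
SAMPLE = bytes.fromhex(
    "558bec"          # push ebp ; mov ebp, esp
    "8b3568d97000"    # mov esi, [0x0070D968]   <- absolute address, little-endian
    "8b8e10020000"    # mov ecx, [esi+0x210]    <- struct offset, little-endian
    "5dc3"            # pop ebp ; ret
)

# Signature syntax (assumed for this example): hex bytes, "??" wildcards, and
# [...] around the bytes to capture.  Equivalent to the .{8} / (.{8}) tokens in
# the tutorial's hex-string regex, but applied to raw bytes.
SIG = "55 8B EC 8B 35 [?? ?? ?? ??] 8B 8E [?? ?? ?? ??] 5D C3"


def signature_to_regex(sig):
    """Translate the textual signature into a compiled bytes regex."""
    parts = []
    for tok in sig.split():
        # brackets may be glued to the byte token, e.g. "[??" or "??]"
        while tok.startswith("["):
            parts.append(b"(")
            tok = tok[1:]
        closing = 0
        while tok.endswith("]"):
            closing += 1
            tok = tok[:-1]
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
        parts.extend(b")" for _ in range(closing))
    # DOTALL so the wildcard also matches 0x0A (newline) bytes
    return re.compile(b"".join(parts), re.DOTALL)


def find_signature(blob, sig):
    """Return [(match_offset, [captured dwords])] for every hit in blob.

    Each capture group must be exactly 4 bytes and is decoded as an unsigned
    little-endian 32-bit value (struct '<I'), the raw-bytes equivalent of
    reverseHex() in the AutoIt script."""
    pattern = signature_to_regex(sig)
    hits = []
    for m in pattern.finditer(blob):
        values = []
        for g in m.groups():
            if len(g) != 4:
                raise ValueError("capture groups must be 4 bytes wide")
            values.append(struct.unpack("<I", g)[0])
        hits.append((m.start(), values))
    return hits


def le_hex_to_int(hexstr):
    """Same result as the tutorial's reverseHex(): '68D97000' -> 0x70D968."""
    return int.from_bytes(bytes.fromhex(hexstr), "little")


def scan_file(path, sig=SIG):
    """Scan a file on disk; mirrors the FileOpen/FileRead step of the script."""
    with open(path, "rb") as f:
        return find_signature(f.read(), sig)


if __name__ == "__main__":
    for offset, (base, struct_off) in find_signature(SAMPLE, SIG):
        print(f"match at 0x{offset:X}: MainBaseAdress=0x{base:X} "
              f"CharStructOffset=0x{struct_off:X}")
```

Scanning the constructed sample reports one match at offset 0 with MainBaseAdress 0x70D968 and CharStructOffset 0x210. Because the signature pins the opcodes and wildcards only the operands, it keeps matching when a rebuilt binary changes the embedded values, which is the property the tutorial relies on; a changed instruction sequence, on the other hand, breaks the match and is the cue to re-examine the function in the debugger.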
Step 7: Proof of concept
Quote:
Just as a proof of concept, I'll attach the script and compiled versions for x64 and x86, and add a screenshot
showing the script used on 4Story DE/EG, to prove that it works not only with the current DE client.
Knowing the path to the charStruct can speed up finding other offsets (the first time) enormously; it's pretty easy to build a tool which scans the charStruct for specific values.
Here's a simple example of an extremely easy tool:
Ah, so you speak German but write the tutorial in English? Still, you'd help a lot of people if you did it in German.
As soon as I have time again, I'll do it.
Quote:
Originally Posted by Lasch24
Anyone who doesn't understand the English has had bad luck.
Sounds simple, but I don't have a need for it right now.
But you also have to keep in mind that we are a community. Here everyone helps everyone. Besides, I assume that about 50% of the 4Story section are somewhat younger people who don't master this language yet or will still be learning it.
Update:
I've added some kind of extended offset finder as an attachment, with some more offsets, which could help newbies understand how to add more stuff to search for =)