[Tutorial] Modifying/Using client-internal Functions
Discussion on [Tutorial] Modifying/Using client-internal Functions within the 4Story Hacks, Bots, Cheats & Exploits forum, part of the 4Story category.
#1, 12/08/2011, 18:51
While analyzing the client with your favorite debugger, you might run into some client functions...
Especially if you're trying to break/bypass some special stuff, you'll always have to find the client function which handles it.
If you want to break the swear filter (bad-word filter) in the client, you'll always start by searching for the ChatInputHandler function =)
In this tutorial I'm not going to explain how to trace through the client to find such things. If you're interested in learning the basics of reverse engineering, you should google for tutorials...
A basic binary snippet to find the ChatInputHandler function looks like this for 4Story:
Code:
64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 24 55 56 8B F1 33 ED 89 6C 24 18
Once you've found that function, you should set a breakpoint on it and trace through it with a "bad word" and a "good" one of the same length.
You can simply make Olly log the traces to files. This will make it easier to compare both logs later.
Comparing those logs, you'll find a place where both runs go in different directions. As an example, here's my comparison of log files:
It looks like that JGE only jumps if the text gets filtered. So all we have to do to disable the bad-word filter is to make sure that JGE never jumps (simply NOP it).
This way we can start playing around a little more with the client.
Since I'm not really playing the game, I don't know which limitations could be more interesting.
But here are some examples of client limitations which can easily be disabled with a few NOPs:
ZoomLimit: (BinarySearchString: DFE0F6C441741885D275A6)
Code:
005648A0 /$ 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
005648A4 |. 85D2 TEST EDX,EDX
005648A6 |. 0F84 82000000 JE TClient.0056492E
005648AC |. DB4424 08 FILD DWORD PTR SS:[ESP+8]
005648B0 |. D95C24 04 FSTP DWORD PTR SS:[ESP+4]
005648B4 |> 83FA 0A /CMP EDX,0A
005648B7 |. 8BC2 |MOV EAX,EDX
005648B9 |. 72 05 |JB SHORT TClient.005648C0
005648BB |. B8 0A000000 |MOV EAX,0A
005648C0 |> 85C0 |TEST EAX,EAX
005648C2 |. 894424 08 |MOV DWORD PTR SS:[ESP+8],EAX
005648C6 |. DB4424 08 |FILD DWORD PTR SS:[ESP+8]
005648CA |. 7D 06 |JGE SHORT TClient.005648D2
005648CC |. D805 44326800 |FADD DWORD PTR DS:[683244]
005648D2 |> D889 78010000 |FMUL DWORD PTR DS:[ECX+178]
005648D8 |. 2BD0 |SUB EDX,EAX
005648DA |. D84C24 04 |FMUL DWORD PTR SS:[ESP+4]
005648DE |. D805 D0296800 |FADD DWORD PTR DS:[6829D0]
005648E4 |. D889 88010000 |FMUL DWORD PTR DS:[ECX+188]
005648EA |. D891 7C010000 |FCOM DWORD PTR DS:[ECX+17C]
005648F0 |. D991 88010000 |FST DWORD PTR DS:[ECX+188]
005648F6 |. DFE0 |FSTSW AX
005648F8 |. F6C4 05 |TEST AH,5
005648FB |. 7B 14 |JPO SHORT TClient.00564911 <-- Zoom in NOP (0x9090)
005648FD |. D899 80010000 |FCOMP DWORD PTR DS:[ECX+180]
00564903 |. DFE0 |FSTSW AX
00564905 |. F6C4 41 |TEST AH,41
00564908 |. 74 18 |JE SHORT TClient.00564922 <-- Zoom Out NOP (0x9090)
0056490A |. 85D2 |TEST EDX,EDX
0056490C |.^75 A6 \JNZ SHORT TClient.005648B4
0056490E |. C2 0800 RETN 8
00564911 |> 8B81 7C010000 MOV EAX,DWORD PTR DS:[ECX+17C]
00564917 |. DDD8 FSTP ST
00564919 |. 8981 88010000 MOV DWORD PTR DS:[ECX+188],EAX
0056491F |. C2 0800 RETN 8
00564922 |> 8B91 80010000 MOV EDX,DWORD PTR DS:[ECX+180]
00564928 |. 8991 88010000 MOV DWORD PTR DS:[ECX+188],EDX
0056492E \> C2 0800 RETN 8
SwearFilter: (BinarySearchString: 7D0D83C8FF2BC6)
Code:
00564A30 /$ 53 PUSH EBX
00564A31 |. 8B5C24 0C MOV EBX,DWORD PTR SS:[ESP+C]
00564A35 |. 57 PUSH EDI
00564A36 |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ESP+14]
00564A3A |. 2BFB SUB EDI,EBX
00564A3C |. C1FF 02 SAR EDI,2
00564A3F |. 85FF TEST EDI,EDI
00564A41 |. 7E 3F JLE SHORT TClient.00564A82
00564A43 |. 55 PUSH EBP
00564A44 |. 8B6C24 1C MOV EBP,DWORD PTR SS:[ESP+1C]
00564A48 |. 56 PUSH ESI
00564A49 |. 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
00564A50 |> 8BC7 /MOV EAX,EDI
00564A52 |. 99 |CDQ
00564A53 |. 2BC2 |SUB EAX,EDX
00564A55 |. 8BF0 |MOV ESI,EAX
00564A57 |. 8B45 00 |MOV EAX,DWORD PTR SS:[EBP]
00564A5A |. D1FE |SAR ESI,1
00564A5C |. 8B0CB3 |MOV ECX,DWORD PTR DS:[EBX+ESI*4]
00564A5F |. 50 |PUSH EAX
00564A60 |. 51 |PUSH ECX
00564A61 |. E8 03CE0D00 |CALL TClient.00641869
00564A66 |. 83C4 08 |ADD ESP,8
00564A69 |. 85C0 |TEST EAX,EAX
00564A6B |. 7D 0D |JGE SHORT TClient.00564A7A <-- NOP (0x9090)
00564A6D |. 83C8 FF |OR EAX,FFFFFFFF
00564A70 |. 2BC6 |SUB EAX,ESI
00564A72 |. 8D5CB3 04 |LEA EBX,DWORD PTR DS:[EBX+ESI*4+4]
00564A76 |. 03F8 |ADD EDI,EAX
00564A78 |. EB 02 |JMP SHORT TClient.00564A7C
00564A7A |> 8BFE |MOV EDI,ESI
00564A7C |> 85FF |TEST EDI,EDI
00564A7E |.^7F D0 \JG SHORT TClient.00564A50
00564A80 |. 5E POP ESI
00564A81 |. 5D POP EBP
00564A82 |> 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
00564A86 |. 5F POP EDI
00564A87 |. 8918 MOV DWORD PTR DS:[EAX],EBX
00564A89 |. 5B POP EBX
00564A8A \. C3 RETN
JumpLimit: (BinarySearchString: 83EC64568BF18B06FF90F400000084C00F85640100008B16)
Code:
0053C3E0 > . 83EC 64 SUB ESP,64
0053C3E3 . 56 PUSH ESI
0053C3E4 . 8BF1 MOV ESI,ECX
0053C3E6 . 8B06 MOV EAX,DWORD PTR DS:[ESI]
0053C3E8 . FF90 F4000000 CALL DWORD PTR DS:[EAX+F4]
0053C3EE . 84C0 TEST AL,AL
0053C3F0 0F85 64010000 JNZ TClient.0053C55A
0053C3F6 . 8B16 MOV EDX,DWORD PTR DS:[ESI]
0053C3F8 . 8BCE MOV ECX,ESI
0053C3FA . FF92 E4000000 CALL DWORD PTR DS:[EDX+E4]
0053C400 . 84C0 TEST AL,AL
0053C402 0F85 52010000 JNZ TClient.0053C55A <--- NOP (0x909090909090)
0053C408 . 8B06 MOV EAX,DWORD PTR DS:[ESI]
0053C40A . 8BCE MOV ECX,ESI
0053C40C . FF90 E8000000 CALL DWORD PTR DS:[EAX+E8]
0053C412 . 84C0 TEST AL,AL
0053C414 0F85 40010000 JNZ TClient.0053C55A
0053C41A . 8B16 MOV EDX,DWORD PTR DS:[ESI]
0053C41C . 8BCE MOV ECX,ESI
0053C41E . FF92 EC000000 CALL DWORD PTR DS:[EDX+EC]
0053C424 . 84C0 TEST AL,AL
0053C426 0F85 2E010000 JNZ TClient.0053C55A
0053C42C . 8A86 3A040000 MOV AL,BYTE PTR DS:[ESI+43A]
0053C432 . 84C0 TEST AL,AL
0053C434 0F85 20010000 JNZ TClient.0053C55A
0053C43A . 6A 0A PUSH 0A
0053C43C . E8 9F1D0E00 CALL TClient.0061E1E0
0053C441 . 8A40 06 MOV AL,BYTE PTR DS:[EAX+6]
0053C444 . 8A8E 28040000 MOV CL,BYTE PTR DS:[ESI+428]
0053C44A . 83C4 04 ADD ESP,4
0053C44D . 3AC1 CMP AL,CL
Well, so far I only explained how to modify such functions.
Since I removed the jump limit, I'll take the jump function as an example.
If we want to jump in-game, we'd have to send a [space] key to our game...
There's an even better way to perform a jump: simply call the jump function itself =)
If you set a breakpoint on the entry point of the jump function and trace back, you'll see something like this:
Code:
00514043 |. 8B8E A80A0000 MOV ECX,DWORD PTR DS:[ESI+AA8] <--- ESI contains [MainCharBase]
00514049 |. 8B01 MOV EAX,DWORD PTR DS:[ECX]
0051404B |. FF90 50020000 CALL DWORD PTR DS:[EAX+250] <--- Calls the JumpFunction
Some of you might think that we have to inject DLLs to use internal functions. This is simply wrong. Everything we need for doing stuff like this is provided by the WinAPI.
All we need to do is allocate some memory in the client, fill it with our code logic, and run it as a new thread.
Here's a simple AutoIt example for using the Jump function in the eg client:
Code:
;~ Jump stub (x86, written into TClient.exe and run on a thread of its own):
;~ 60               PUSHAD                           save all registers
;~ 8B35 D0116F00    MOV ESI,DWORD PTR DS:[6F11D0]    ESI = [MainCharBase]
;~ 8B8E A80A0000    MOV ECX,DWORD PTR DS:[ESI+AA8]   this-pointer, same as the client code above
;~ B8 E0C35300      MOV EAX,TClient.0053C3E0         address of the jump function
;~ FFD0             CALL EAX                         call the jump function
;~ 61               POPAD                            restore the original registers
;~ C3               RETN                             thread returns, exit code = EAX

Local $pid = ProcessExists('TClient.exe')
If $pid = 0 Then Exit MsgBox(16, 'Jump', 'TClient.exe is not running')

$mid = OpenProcess($pid)
If $mid = 0 Then Exit MsgBox(16, 'Jump', 'OpenProcess failed (missing rights?)')

$codeSection = VirtualAllocEx($mid)
WriteProcessMemory($mid, $codeSection, '608B35D0116F008B8EA80A0000B8E0C35300FFD061C3')
$thread = CreateRemoteThread($mid, $codeSection)
If $thread <> 0 Then
    WaitForSingleObject($thread)
    CloseHandle($thread)              ; thread handle, not just the process handle
EndIf
VirtualFreeEx($mid, $codeSection)     ; only safe after the stub has returned
CloseHandle($mid)

Func OpenProcess($pid)
    ; 0x1F0FFF = PROCESS_ALL_ACCESS
    Local $ret = DllCall('kernel32.dll', 'handle', 'OpenProcess', 'dword', 0x1F0FFF, 'bool', False, 'dword', $pid)
    If @error Then Return 0
    Return $ret[0]
EndFunc

Func WriteProcessMemory($process_hwnd, $adress, $data, $type = 'binary')
    Local $struct
    If $type = 'binary' Then
        ; $data is a hex string ('608B35...'); convert it once and copy the whole byte[] in one go
        Local $bin = Binary('0x' & $data)
        $struct = DllStructCreate('byte[' & BinaryLen($bin) & ']')
        DllStructSetData($struct, 1, $bin)
    ElseIf $type = 'string' Then
        ; + binds like & in AutoIt, so the +1 for the terminator needs its own parentheses
        $struct = DllStructCreate('char[' & (StringLen($data) + 1) & ']')
        DllStructSetData($struct, 1, $data)
    Else
        $struct = DllStructCreate($type)
        DllStructSetData($struct, 1, $data)
    EndIf
    Local $ret = DllCall('kernel32.dll', 'bool', 'WriteProcessMemory', 'handle', $process_hwnd, 'ptr', $adress, 'ptr', DllStructGetPtr($struct), 'ulong_ptr', DllStructGetSize($struct), 'ulong_ptr*', 0)
    If @error Then Return 0
    Return $ret[0]
EndFunc

Func CloseHandle($hwnd)
    DllCall('kernel32.dll', 'bool', 'CloseHandle', 'handle', $hwnd)
EndFunc

Func VirtualAllocEx($process_hwnd, $size = 1024)
    ; 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE (the stub has to be executable)
    Local $ret = DllCall('kernel32.dll', 'ptr', 'VirtualAllocEx', 'handle', $process_hwnd, 'ptr', 0, 'ulong_ptr', $size, 'dword', 0x1000, 'dword', 0x40)
    If @error Then Return 0
    Return $ret[0]
EndFunc

Func VirtualFreeEx($process_hwnd, $adress)
    ; 0x8000 = MEM_RELEASE, which requires dwSize = 0
    DllCall('kernel32.dll', 'bool', 'VirtualFreeEx', 'handle', $process_hwnd, 'ptr', $adress, 'ulong_ptr', 0, 'dword', 0x8000)
EndFunc

Func CreateRemoteThread($process_hwnd, $adress)
    Local $ret = DllCall('kernel32.dll', 'handle', 'CreateRemoteThread', 'handle', $process_hwnd, 'ptr', 0, 'ulong_ptr', 0, 'ptr', $adress, 'ptr', 0, 'dword', 0, 'ptr', 0)
    If @error Then Return 0
    Return $ret[0]
EndFunc

Func WaitForSingleObject($thread)
    ; poll in 50 ms slices so the script stays responsive; 258 = WAIT_TIMEOUT
    Local $return
    Do
        $return = DllCall('kernel32.dll', 'dword', 'WaitForSingleObject', 'handle', $thread, 'dword', 50)
    Until $return[0] <> 258
EndFunc
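The "BinarySearchString" values in the post are byte signatures. As an added example that is not part of the post, the script below does the two mechanical steps the post leaves to the reader: it locates a signature in a code image, decodes the conditional jump the post marks with "NOP" and emits a NOP patch of exactly that instruction's length (2 bytes for a short Jcc like 7D 0D, 6 bytes for a near Jcc like 0F 85 xx xx xx xx). The byte images, addresses and signatures are taken from the three Olly listings above; the function names, the "??" wildcard syntax and the patch-plan format are this example's own.

```python
# Added example, not code from the original post: find a TClient function by the
# byte signature the post gives, decode the conditional jump it says to patch and
# emit a NOP patch of exactly that instruction's length. Byte images are
# reconstructed from the Olly listings in the post; the VAs are the ones shown there.
import re

NOP = 0x90
# Jcc mnemonics by condition-code nibble (0x7x short form, 0F 8x near form).
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jpe", "jpo", "jl", "jge", "jle", "jg"]


def parse_signature(sig: str):
    """'7D 0D ?? 2B' -> [0x7D, 0x0D, None, 0x2B]; '??' is a wildcard byte."""
    return [None if t == "??" else int(t, 16)
            for t in re.findall(r"\?\?|[0-9A-Fa-f]{2}", sig)]


def find_signature(image: bytes, sig: str):
    """All offsets in image where the signature matches."""
    pat = parse_signature(sig)
    return [off for off in range(len(image) - len(pat) + 1)
            if all(p is None or image[off + i] == p for i, p in enumerate(pat))]


def decode_jcc(image: bytes, off: int, va: int):
    """Decode the conditional jump at image[off] (whose VA is va).
    Returns (mnemonic, instruction length, jump target VA)."""
    b0 = image[off]
    if 0x70 <= b0 <= 0x7F:                                # short Jcc rel8, 2 bytes
        rel = int.from_bytes(image[off + 1:off + 2], "little", signed=True)
        return JCC[b0 & 0x0F], 2, va + 2 + rel
    if b0 == 0x0F and 0x80 <= image[off + 1] <= 0x8F:      # near Jcc rel32, 6 bytes
        rel = int.from_bytes(image[off + 2:off + 6], "little", signed=True)
        return JCC[image[off + 1] & 0x0F], 6, va + 6 + rel
    raise ValueError("no conditional jump at offset 0x%X" % off)


def plan_patch(image: bytes, base_va: int, sig: str, jcc_delta: int):
    """Locate sig in image (it must match exactly once, otherwise the patch could
    land in the wrong function), decode the Jcc jcc_delta bytes from the match and
    return what to write at that VA. The patch is as long as the instruction, so
    the following instruction keeps its alignment."""
    hits = find_signature(image, sig)
    if len(hits) != 1:
        raise LookupError("signature matched %d times, need exactly 1" % len(hits))
    off = hits[0] + jcc_delta
    mnem, length, target = decode_jcc(image, off, base_va + off)
    return {"va": base_va + off, "mnemonic": mnem, "target": target,
            "original": image[off:off + length], "patch": bytes([NOP]) * length}


def apply_patch(image: bytes, base_va: int, plan: dict) -> bytes:
    """Return a copy of image with the plan's NOPs written in."""
    off = plan["va"] - base_va
    return image[:off] + plan["patch"] + image[off + len(plan["patch"]):]


# Byte images reconstructed from the listings in the post (bytes.fromhex ignores spaces).
JUMP_VA = 0x0053C3E0   # JumpLimit, from the function entry
JUMP_IMG = bytes.fromhex(
    "83EC64 56 8BF1 8B06 FF90F4000000 84C0 0F8564010000 8B16 8BCE FF92E4000000"
    " 84C0 0F8552010000 8B06 8BCE FF90E8000000 84C0 0F8540010000")
SWEAR_VA = 0x00564A61  # SwearFilter, from CALL TClient.00641869
SWEAR_IMG = bytes.fromhex(
    "E803CE0D00 83C408 85C0 7D0D 83C8FF 2BC6 8D5CB304 03F8 EB02 8BFE 85FF 7FD0"
    " 5E 5D 8B44240C 5F 8918 5B C3")
ZOOM_VA = 0x005648F6   # ZoomLimit, from the first FSTSW AX
ZOOM_IMG = bytes.fromhex(
    "DFE0 F6C405 7B14 D89980010000 DFE0 F6C441 7418 85D2 75A6 C20800")

PLANS = {
    # name: (image, base VA, BinarySearchString from the post, Jcc offset from the match)
    "JumpLimit":   (JUMP_IMG, JUMP_VA,
                    "83 EC 64 56 8B F1 8B 06 FF 90 F4 00 00 00 84 C0 0F 85 64 01 00 00 8B 16", 0x22),
    "SwearFilter": (SWEAR_IMG, SWEAR_VA, "7D 0D 83 C8 FF 2B C6", 0),
    "ZoomIn":      (ZOOM_IMG, ZOOM_VA, "DF E0 F6 C4 41 74 18 85 D2 75 A6", -8),
    "ZoomOut":     (ZOOM_IMG, ZOOM_VA, "DF E0 F6 C4 41 74 18 85 D2 75 A6", 5),
}

if __name__ == "__main__":
    for name, (img, base, sig, delta) in PLANS.items():
        p = plan_patch(img, base, sig, delta)
        print("%-12s %08X  %-3s -> %08X  %s => %s" % (
            name, p["va"], p["mnemonic"], p["target"],
            p["original"].hex().upper(), p["patch"].hex().upper()))
```

Run as a script it prints one line per patch (address, decoded jump and its target, original bytes, replacement bytes), which you can check against the listings before writing anything. The uniqueness check matters: a short pattern such as DF E0 already occurs twice in the ZoomLimit fragment alone, and in a full client image a non-unique signature silently patches the wrong place.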
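The remote-thread technique from the AutoIt script, as an added example in Python with ctypes (this is not the post's code). build_jump_stub assembles the stub byte for byte from the commented instruction sequence in the post, so the little-endian encoding of the two addresses is visible rather than pasted as a hex string; run_stub_in_process performs the same OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread / WaitForSingleObject / VirtualFreeEx sequence with error checks, and closes the thread handle. The constants 0x6F11D0 ([MainCharBase]) and 0x0053C3E0 (the jump function) are the post's values for its client build; taking the pid from the command line, a 32-bit target and a 32-bit Python on Windows are this example's assumptions.

```python
# Added example, not code from the original post: build the Jump stub the post's
# AutoIt script writes into TClient.exe and run it there with CreateRemoteThread.
# Addresses 0x6F11D0 and 0x0053C3E0 are the post's; everything else is assumed:
# 32-bit target, 32-bit Python on Windows, pid given on the command line.
import ctypes
import struct
import sys

PROCESS_ALL_ACCESS = 0x1F0FFF
MEM_COMMIT, MEM_RELEASE = 0x1000, 0x8000
PAGE_EXECUTE_READWRITE = 0x40
WAIT_TIMEOUT = 0x102          # 258, the value the AutoIt loop polls for


def build_jump_stub(main_char_base_ptr: int, jump_func: int) -> bytes:
    """Assemble the stub by hand, same instruction sequence as the post:
         pushad
         mov  esi, [main_char_base_ptr]   ; ESI = [MainCharBase]
         mov  ecx, [esi+0xAA8]            ; this-pointer the client passes
         mov  eax, jump_func
         call eax
         popad
         ret
    Immediates and displacements are 32-bit little-endian, hence '<I'."""
    return (b"\x60"
            + b"\x8B\x35" + struct.pack("<I", main_char_base_ptr)
            + b"\x8B\x8E" + struct.pack("<I", 0xAA8)
            + b"\xB8" + struct.pack("<I", jump_func)
            + b"\xFF\xD0"
            + b"\x61"
            + b"\xC3")


def run_stub_in_process(pid: int, stub: bytes, timeout_ms: int = 5000) -> int:
    """Allocate RWX memory in pid, copy the stub in, run it on a new thread, wait
    for it and free the memory. Returns the thread exit code (EAX after RETN).
    Windows only: kernel32 is resolved here, not at import time."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    HANDLE = LPVOID = ctypes.c_void_p
    SIZE_T, DWORD = ctypes.c_size_t, ctypes.c_uint32
    k32.OpenProcess.restype = HANDLE
    k32.OpenProcess.argtypes = [DWORD, ctypes.c_int, DWORD]
    k32.VirtualAllocEx.restype = LPVOID
    k32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, SIZE_T, DWORD, DWORD]
    k32.WriteProcessMemory.argtypes = [HANDLE, LPVOID, ctypes.c_char_p, SIZE_T, ctypes.POINTER(SIZE_T)]
    k32.CreateRemoteThread.restype = HANDLE
    k32.CreateRemoteThread.argtypes = [HANDLE, LPVOID, SIZE_T, LPVOID, LPVOID, DWORD, ctypes.POINTER(DWORD)]
    k32.WaitForSingleObject.argtypes = [HANDLE, DWORD]
    k32.GetExitCodeThread.argtypes = [HANDLE, ctypes.POINTER(DWORD)]
    k32.VirtualFreeEx.argtypes = [HANDLE, LPVOID, SIZE_T, DWORD]
    k32.CloseHandle.argtypes = [HANDLE]

    hproc = k32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    if not hproc:
        raise ctypes.WinError(ctypes.get_last_error())
    code, freeable = None, True
    try:
        code = k32.VirtualAllocEx(hproc, None, len(stub), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        if not code:
            raise ctypes.WinError(ctypes.get_last_error())
        written = SIZE_T(0)
        if not k32.WriteProcessMemory(hproc, code, stub, len(stub), ctypes.byref(written)) \
                or written.value != len(stub):
            raise ctypes.WinError(ctypes.get_last_error())
        hthread = k32.CreateRemoteThread(hproc, None, 0, code, None, 0, None)
        if not hthread:
            raise ctypes.WinError(ctypes.get_last_error())
        try:
            if k32.WaitForSingleObject(hthread, timeout_ms) == WAIT_TIMEOUT:
                freeable = False   # thread still inside the stub: freeing now would crash the client
                raise TimeoutError("stub did not return within %d ms" % timeout_ms)
            exit_code = DWORD(0)
            k32.GetExitCodeThread(hthread, ctypes.byref(exit_code))
            return exit_code.value
        finally:
            k32.CloseHandle(hthread)
    finally:
        if code and freeable:
            k32.VirtualFreeEx(hproc, code, 0, MEM_RELEASE)
        k32.CloseHandle(hproc)


if __name__ == "__main__":
    stub = build_jump_stub(0x006F11D0, 0x0053C3E0)
    print("stub:", stub.hex().upper())     # same bytes as the post's hex string
    if len(sys.argv) > 1 and sys.platform == "win32":
        print("thread exit code:", run_stub_in_process(int(sys.argv[1]), stub))
```

Two points the AutoIt version glosses over are made explicit here: the thread handle is closed as well as the process handle, and the memory is only freed once the thread has actually returned, since a stub that is still executing in a page you release takes the client down with it.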
#2, 12/11/2011, 03:25
Your tutorials blow me away every single time! Thank you.
#3, 12/11/2011, 11:26
Quote:
Originally Posted by xFr3aKsTyL3D
Your tutorials blow me away every single time! Thank you.
I can only agree, it's an absolute knockout every time.
It's just a pity when you have no idea where you got this number from:
64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 24 55 56 8B F1 33 ED 89 6C 24 18
#4, 12/11/2011, 13:42
Well, finding client functions is very laborious and usually also has a lot to do with luck.
Finding the zoom function was relatively easy in this case, since there is a float value for the camera position which is always set globally here.
That means you can simply search memory the normal way for a value that only changes when you scroll.
Once you've found it, it's enough to look at where the client modifies it when scrolling. As soon as you're inside the zoom function, just watch the conditional jumps and see which jumps behave differently when, for example, you've reached the maximum zoom value outward or inward =)
Edit:
The same goes for the jump function :P
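The memory-search step described in this reply, as an added example that is not from the thread: "search for a value that only changes when you scroll" is a changed/unchanged filter over snapshots of the same region, and the script below runs that filter. The snapshots are constructed in-script (a 64-byte region at an assumed base of 0x00A00000 containing a frame counter, an animated float, some constants and the camera distance float at offset 0x28); against the live client each snapshot would come from ReadProcessMemory and the filter would be repeated over many more rounds.

```python
# Added example, not from the thread: narrow candidate addresses for the camera
# distance by comparing memory snapshots. Snapshot contents, the region base and
# the offsets are constructed for this example; the technique is the reply's.
import struct

REGION_BASE = 0x00A00000   # assumed base of the snapshotted region


def dword_map(snapshot: bytes, base: int) -> dict:
    """{va: raw 32-bit value} for every aligned dword in the snapshot."""
    return {base + off: struct.unpack_from("<I", snapshot, off)[0]
            for off in range(0, len(snapshot) - 3, 4)}


def narrow(candidates: dict, snapshot: bytes, base: int, changed: bool) -> dict:
    """Keep only candidates whose raw value did (changed=True) or did not
    (changed=False) change between the previous snapshot and this one.
    Raw compares are used on purpose: a float eps would hide counters whose
    bit patterns happen to decode to tiny denormals."""
    now = dword_map(snapshot, base)
    return {va: now[va] for va, old in candidates.items()
            if va in now and (now[va] != old) == changed}


def as_float(raw: int) -> float:
    """Reinterpret a raw dword as the IEEE-754 single the client stores."""
    return struct.unpack("<f", struct.pack("<I", raw))[0]


def make_snapshot(frame: int, cam_dist: float) -> bytes:
    """Constructed 64-byte region standing in for a ReadProcessMemory result."""
    buf = bytearray(64)
    struct.pack_into("<I", buf, 0x00, 0x4A7B1C00)    # pointer-like constant
    struct.pack_into("<I", buf, 0x10, frame)         # frame counter, changes every frame
    struct.pack_into("<f", buf, 0x1C, 1.0)           # static float (a scale factor)
    struct.pack_into("<f", buf, 0x28, cam_dist)      # camera distance: what we want
    struct.pack_into("<f", buf, 0x30, frame * 0.25)  # animation timer, changes every frame
    return bytes(buf)


def find_camera_distance() -> dict:
    """Round 1: two idle snapshots, drop everything that moves on its own.
    Round 2: one snapshot after scrolling out, keep only what the scroll moved."""
    idle_a = make_snapshot(1000, 12.5)
    idle_b = make_snapshot(1001, 12.5)      # no scrolling: camera unchanged
    scrolled = make_snapshot(1002, 14.0)    # scrolled out: camera changed
    c = dword_map(idle_a, REGION_BASE)
    c = narrow(c, idle_b, REGION_BASE, changed=False)
    c = narrow(c, scrolled, REGION_BASE, changed=True)
    return {va: as_float(raw) for va, raw in c.items()}


if __name__ == "__main__":
    for va, value in find_camera_distance().items():
        print("%08X -> %.2f" % (va, value))
```

With a real process the survivors after a few rounds are the addresses to put a hardware write breakpoint on; the first write hit lands inside the zoom function the reply describes, where the conditional jumps at the zoom limits can be watched.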
#5, 12/14/2011, 19:27
it doesn't work!
#6, 12/14/2011, 19:48
The word "work" makes absolutely no sense if the tutorial just shows some code snippets...