[HOWTO] Send commands to server on INT

DontBeADick · 06/19/2011, 10:09

To send commands to the server you must:

1. Get your code into the kal process.
Use an injector, or use the recently popular dsound.dll > bot.dll technique (what would we technically call this???).

2. Find the send function address.
Plenty of public code for this around, but let's use this common source (if you originally wrote this code, claim it because I don't know).

Code:

DWORD Send_To_Server_Main_ = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08",0x00400000,0x007FFFFF);

DWORD Send_To_Server_Main  = SearchPattern("55 8B EC 83 EC 18 83 3D x x x x 00 74 07 33 C0 E9 x x x x 8A 45 08", Send_To_Server_Main_+1,0x007FFFFF);

3. Send command to server using simple inline assembly to push values on the stack and call the send function by address. I'm basically using the same declarations for variables as in the public source.

The following will make you sit down.

Code:

LPTSTR Format = "b";
DWORD Flag = 1;
DWORD SendType = 0x1C;
__asm
{
	PUSH Flag;
	PUSH Format;
	PUSH SendType;
	call Send_To_Server_Main; 
}

* The old command for sit, and a few others will give you autoban. If you know what commands will give autoban, kindly reply in this thread please.

BONUS: The following will change your Z position. Run it in a loop or call it a number of times to make you go underground.

Code:

LPTSTR Format = "bbb";
DWORD SendType = 0x12;
__asm
{
	PUSH 128;
	PUSH 0;
	PUSH 0;
	PUSH Format;
	PUSH SendType;
	call Send_To_Server_Main; 
}

BONUS 2: In the public source, there's a STRUCT for mobs. Use it to attack a mob.

Code:

memcpy((void*)&(MOBID),(void*)&Mob[mob_you_want_to_kill].MID,4);
LPTSTR Format = "bbd";
DWORD SendType = 0x0d;
__asm
{
	PUSH MOBID;
	PUSH 1;
	PUSH 4;
	PUSH Format;
	PUSH SendType;
	call Send_To_Server_Main; 
}

If you think my code sucks, FUCK YOU, and release something better. There's many ways to do this, and if you know a better/simpler way, be kind and point others the way.

DontBeADick · 06/19/2011, 10:15

BONUS 3: behead (put it in your receive algorithm)

Code:

case 0x3D:
	memcpy((void*)&id,(void*)((DWORD)Buffer+3),4);
	BYTE state;
	memcpy((void*)&state,(void*)((DWORD)Buffer+3+4),1) ;
	if (state==0x08)
	{
		LPTSTR Format = "bbd";
		DWORD SendType = 0x0d;
		__asm
		{
			PUSH id;
			PUSH 1;
			PUSH 1;
			PUSH Format;
			PUSH SendType;
			call Send_To_Server_Main; 
		}
	}
	break;

pamz12 · 06/19/2011, 11:37

??!??

strik3r2k5 · 06/19/2011, 12:04

Simpler way, with public code
f.e.:SendPacket(0x1D,"ddd",IID,X/32,Y/32); //Pick

Code:

__declspec(naked) int __cdecl SendPacket (BYTE bHeader , LPCSTR szFormat , ... )
{
	__asm
	{
		push ebp
		mov ebp, esp
		sub esp, 18h
	}
	__asm JMP dwSendBack
}

Thiesius · 06/19/2011, 18:36

The engine send function isn't __stdcall call convention -> You push the args to the stack but I don't see you cleaning stack anywhere.

Create a function pointer and simply call the function. It has been shown many times before.

If you want to use hook + my HackShield emulator, then I don't recommend you to hook the whole function.
Hooking functions with variable count of arguments isn't safe.

Instead of that I would recommend you to create hook somewhere between the place where the send buffer is already filled, but not encrypted yet. You can also get pointer to format if you want. This workaround might be slightly more difficult to accomplish but also the chance you will crash is lot smaller (If you do it correctly of-course).