Do whatever u want ;) Pixel reading suits our purpose well, it es realy easy to do and will probably work forever without needing any patch. We do some OCR to read the coordinates and others than that you don't need much.Quote:
To me, pixel reading is just crap ... at least go for memory reading, + the game is piece of cake to reverse.
(And yeah, I gonna release a descent bot soon aswell :p)
Aura Kingdom Bot
07/14/2014 18:23
botgramming#16
07/14/2014 20:11
JuJuBoSc1#17
I wonder how you can get descent movements with only pixel reading
07/14/2014 21:27
botgramming#18
We read the coordinates on the map an click where we want to go ;)Quote:
07/14/2014 22:37
pureleech#19
i heard that one few months ago :bandit:Quote:
07/15/2014 01:29
JuJuBoSc1#20
Yep, in fact we released it to some people already :pQuote:
07/15/2014 11:03
AlainProvist#21
I don't know what you reversed to say it is a piece of cake, but after reversing the function behind the tab press (to change target), in order to make a better one not based on the fov, and the way the skill cooldownsworks, I definitly say it is a nightmare to reverse (and I'm not alone to say this)...
07/15/2014 12:35
Oriya9#22
You have a good point. we should actually check it out.Quote:
My only concern is about crashes. The game creates a dump and zip it with logs and additionnal informations when restarting the launcher. I usually delete the dump before restarting the launcher but end users won't when using a dll-injection-based bot. At the end they probably have the information that a dll has been injected but they probably don't care about this and just discard the crash report (more likely because aeria is just an editor that bought a licence from the real developpers, and devs don't really care about account bans).
I don't know what their privacy policy says about sending it to them without the user's approval but I assume the user must press "Send" on that small window that is popping up when there's an unhandled exception.
[Only registered and activated users can see links. Click Here To Register...]
([Only registered and activated users can see links. Click Here To Register...])
If they do send it even without the user's approval (say.. when you re-launch the game or something) then yes, this is indeed a problem.
first things first, we need to find out if the client really send it or not because we can just get rid of that.
but if the goal is to stop it from dumping stuff regardless, then we can hook the function that is being used to create a dump file and just kill the client when it's called.
but what if somehow the hook itself fails and generates an error? this is where the most secure way to solve this is to just edit the executable with RETN on the dump creation function.
it's possible because it's a function, it's not in the heap, it's in the actual code. in our case, it's in the executable ("game.bin").
and a return is just one or three bytes to edit (depends on what type of RETN), can even be done with an HEX editor.
Here's an example on how to stop "game.dmp" creations:
in "game.bin" (the actual file, no need to run it) search for:
PHP Code:
55 8B EC 81 EC 08 01 00 00 53 56 57 68 03 01 00 00
* if you want to try it and you're using the game's launcher to launch the game, you'll have to make "game.bin" read-only (otherwise the launcher will replace it due to CRC mismatch), you'll get 2 errors with the launcher but it will still work.
As for logs, there is more than one function, I've got most of them but there are some issues with a few of them, I might look deeper into it later this week.
but you've actually opened my eyes about this, I didn't even think about it and I should've.
Cheers!
Oriya.
07/15/2014 12:44
JuJuBoSc1#23
Well I reversed pretty much everything needed, inventory stuff, entity, well, feel free to add me on skype (jujubosc) I can show you some stuff.Quote:
07/15/2014 13:19
AlainProvist#24
Good job on finding the dump creation location ;).Quote:
I don't know what their privacy policy says about sending it to them without the user's approval but I assume the user must press "Send" on that small window that is popping up when there's an unhandled exception.
[Only registered and activated users can see links. Click Here To Register...]
([Only registered and activated users can see links. Click Here To Register...])
If they do send it even without the user's approval (say.. when you re-launch the game or something) then yes, this is indeed a problem.
first things first, we need to find out if the client really send it or not because we can just get rid of that.
but if the goal is to stop it from dumping stuff regardless, then we can hook the function that is being used to create a dump file and just kill the client when it's called.
but what if somehow the hook itself fails and generates an error? this is where the most secure way to solve this is to just edit the executable with RETN on the dump creation function.
it's possible because it's a function, it's not in the heap, it's in the actual code. in our case, it's in the executable ("game.bin").
and a return is just one or three bytes to edit (depends on what type of RETN), can even be done with an HEX editor.
Here's an example on how to stop "game.dmp" creations:
in "game.bin" (the actual file, no need to run it) search for:
and change the first byte to C3 (RETN) and voila, no "game.dmp" will be created anymore.PHP Code:55 8B EC 81 EC 08 01 00 00 53 56 57 68 03 01 00 00
* if you want to try it and you're using the game's launcher to launch the game, you'll have to make "game.bin" read-only (otherwise the launcher will replace it due to CRC mismatch), you'll get 2 errors with the launcher but it will still work.
As for logs, there is more than one function, I've got most of them but there are some issues with a few of them, I might look deeper into it later this week.
but you've actually opened my eyes about this, I didn't even think about it and I should've.
Cheers!
Oriya.
I'll add it to my bot (live memory opcode replacement when injecting the dll).
From what I've seen the game creates a dump, a screenshot and updates multiple log files when crashing. Then it pop the crash handler windows that probably zip everything and send it to the devs.
Where the funny part comes is that if you killed the process to prevent any send, and then restart the launcher, it seems that it checks something (takes so long time), and during this, zips the crash files and probably sends them oO.
@JuJuBoSc1 : Thanks for proposing, but I'm nearly retired (and tired lol) with this game. We created a dev section some month ago to share knowledge and pieces of code. But the only active devs there are retired now. We reversed multiple things together from data structures (entity, skills, cooldown, inventory, objects, fishing interface, targeting stuffs), to game functions (go to location, inventory usage/discard/salvage, use skill from bar/id, check skill cooldown, target anything (objects/mobs/npc), custom targeting methods, eudemon talk stuffs, npc talk (repair wnd call) and so on...). But now I don't have sufficient free time and motivation to continue the work.
07/15/2014 13:31
JuJuBoSc1#25
Well still, feel free to contact me to talk :D looks like you are french too (according to your nickname :p)
Or anyone else that wanna talk about reversing this game for the fun ;)
Or anyone else that wanna talk about reversing this game for the fun ;)
07/15/2014 14:11
AlainProvist#26
@JuJu : je t'ai ajouté ;)
@Oriya9 : I finally put my ret 2 functions over the dumper one (search for 50 64 89 25 00 00 00 00 83 EC 2C 56 57 8D 45 F3). No more crash handling at all = nor more logs + dump creation = no more waste of time on the launcher on next start :p.
@Oriya9 : I finally put my ret 2 functions over the dumper one (search for 50 64 89 25 00 00 00 00 83 EC 2C 56 57 8D 45 F3). No more crash handling at all = nor more logs + dump creation = no more waste of time on the launcher on next start :p.
07/15/2014 14:17
ntKid#27
You guys getting expensive with offsets =P just Detour CreateFileA and CreateFileW API's and check if lpFileName matches one of the logs you want to avoid, if so return INVALID_FILE_HANDLE and its done.
BTW nice to see you are still alive Alain and Oriya9.
BTW nice to see you are still alive Alain and Oriya9.
07/15/2014 14:25
AlainProvist#28
Heeey ntKid ! Nice to see you alive too bro ^^ (I really thought you were retired :p).
You're right about offset but i'm still unsure about how the launcher detects a crash occured last time (tried to remove all files created but nothing changes about the time required for the launcher to pop the launch button). With this ret instruction, I remove any sin from the root ^^.
You're right about offset but i'm still unsure about how the launcher detects a crash occured last time (tried to remove all files created but nothing changes about the time required for the launcher to pop the launch button). With this ret instruction, I remove any sin from the root ^^.
07/15/2014 14:42
jetrenz45#29
It has been a long time since someone release a good one tho. Hope you guys release stuffs again, big fan anyway :). Cheers.
07/15/2014 14:51
ntKid#30
I "retired" from Aura for a while( playing Defiance while aura doesnt have a proper content patch ), i pretty much achieved all my coding goals on Aura.. my idea of adding AngelScript and Packet support to the BOT got me boosting the development speed by 100% -.-'( no recompile 500 times to test new code and no stupid double precision floating point support converted integers like lua was doing ). Have a friend that already automated entire dungeons and daily quests on the new map by AngelScript.Quote:
You're right about offset but i'm still unsure about how the launcher detects a crash occured last time (tried to remove all files created but nothing changes about the time required for the launcher to pop the launch button). With this ret instruction, I remove any sin from the root ^^.
I will be here on the future to share the pain of finding those offsets with you guys =P
Cheers.