Updated GWA2

Page 2 of 16 1 2 3412 Last »
02/07/2020 22:05 MrBigBones#16
I'm just here to increase the number of functioning brain cells in this thread.

So, the line 4400-4401 are definitly nothing dangerous. It's simply the instructions that were overwritten when creating the hook on the so-called "engine". It's mostly a hook on the main loop of Guild Wars that allow to execute the command sent by GWA2.

You can see in the following screen the highlighted lines are the instructions replaced by the "jump" to the custom code. Screen capture here: [Only registered and activated users can see links. Click Here To Register...]

Second point: Of course virus total won't detect anything, it's a text file. There is simply not enough information to do any kind of relevant diagnostics, so what virus total tells you is meaningless in this case.

Third point: It's a completly garbage the claim that copy-pasting your password is safe. If the guy can open an r/w handle to the game, the password is there in clear.

Let's move to more interesting to the actual code for whoever is interesting and for whoever made those fixes.
So, you did restore the stack frame after the call of the functions, but you could improve that a bit. Let's take UseFunction as an example:
Code:
_('CommandUseSkill:')
_('mov ecx,dword[eax+C]')
_('push ecx')
_('mov ebx,dword[eax+8]')
_('push ebx')
_('mov edx,dword[eax+4]')
_('dec edx')
_('push edx')
_('mov eax,dword[MyID]')
_('push eax')
_('call UseSkillFunction')
_('pop eax')
_('pop edx')
_('pop ebx')
_('pop ecx')
_('ljmp CommandReturn')
So, you added 4 pops at the end. It will work, but generally speaking you don't really want to pop in ebx, esi & edi, because they are "non-volatile registers". In this case, you could have done the following if you don't care about the return value:
Code:
_('pop eax')
_('pop eax')
_('pop eax')
_('pop eax')
Indeed, the return value is stored in eax. (eax & edx if 64 bits, like uint64_t or double)
But, you can do even better, you can restore the stack frame without affecting any registers. (That's in fact how the compiler does it)
Code:
_('add esp,10')
Indeed, the stack is reversed (it grow down and shrink up), so adding 0x10 = 16 = 4 * 4 has the similar effect of poping 4 times.

Fourth and final point, there is a lot of random stuff and it's understandable, but there is also a bunch that could be taken from other ressources. Especially regarding how things are scanned. See here: [Only registered and activated users can see links. Click Here To Register...]

Finally, there is nothing malicious in the code, but you can expect some instabilities.
02/08/2020 20:21 phat34#17
[In reply to Der Moench message #15]

Those two lines of ASM just move that start of the stack pointer up 8 bytes and do not constitute virus code... you will have to be more elaborate to show how this is dangerous, and since we are dealing with one file...gwa2.au3, instructions that take advantage of this stack pointer setting would also have to be included in this file that would make it be dangerous... VIRUS isn't the word you really mean, malignant code maybe or spy code??

anyway we respect you sticking up for your conviction, especially against an elite member of the site, but, some explaining needs to follow.. and also the choosing of your name is questionable since the original DerMoench14 is a respected member here that has helped the community quite a bit...

Also the web site selling bots has these same lines in their code as well, and as far as I know the person running the site has never stolen accounts... although I do have some issues with him.

Code:
			_("MainProc:")
			_("nop x")
			_("pushad")
			_("mov eax,dword[EnsureEnglish]")
			_("test eax,eax")
			_("jz MainMain")
			_("mov ecx,dword[BasePointer]")
			_("mov ecx,dword[ecx+18]")
			_("mov ecx,dword[ecx+18]")
			_("mov ecx,dword[ecx+194]")
			_("mov al,byte[ecx+4f]")
			_("cmp al,f")
			_("ja MainMain")
			_("mov ecx,dword[ecx+4c]")
			_("mov al,byte[ecx+3f]")
			_("cmp al,f")
			_("ja MainMain")
			_("mov eax,dword[ecx+40]")
			_("test eax,eax")
			_("jz MainMain")
			_("MainMain:")
			_("mov eax,dword[QueueCounter]")
			_("mov ecx,eax")
			_("shl eax,8")
			_("add eax,QueueBase")
			_("mov ebx,dword[eax]")
			_("test ebx,ebx")
			_("jz MainExit")
			_("push ecx")
			_("mov dword[eax],0")
			_("jmp ebx")
			_("CommandReturn:")
			_("pop eax")
			_("inc eax")
			_("cmp eax,QueueSize")
			_("jnz MainSkipReset")
			_("xor eax,eax")
			_("MainSkipReset:")
			_("mov dword[QueueCounter],eax")
			_("MainExit:")
			_("popad")
			_("mov ebp,esp")
			_("fld st(0),dword[ebp+8]")
			_("ljmp MainReturn")
02/08/2020 20:55 notnero#18
1 more have good contact for rupt bot pvp ?
02/09/2020 01:37 Firstnationzqc#19
testing it with Refeather right now seem to work smoothly
[Only registered and activated users can see links. Click Here To Register...]
02/10/2020 16:54 Chris3239#20
Quote:
Originally Posted by Firstnationzqc View Post
testing it with Refeather right now seem to work smoothly
[Only registered and activated users can see links. Click Here To Register...]
Would you mind uploading the working Version of Refeather? Because even with updated GWA2 mine doesn't seem to work.
02/15/2020 08:21 list comprehension#21
Small update seemed to have broken something to do with the return to outpost packet from my initial testing. I will see if I notice anything else broken from the update. I am referring to the update of 2/14/2020.
02/15/2020 09:13 list comprehension#22
So far the only packets I found broken are the return to out post, pickupitem, and sendchat. I have updated them in the file. It is possible more packet headers are broken but that is all that is affected from my testing so far.
02/15/2020 10:14 iTeX-#23
any working presearing bot?
02/15/2020 10:59 oneshout#24
Quote:
Originally Posted by list comprehension View Post
So far the only packets I found broken are the return to out post, pickupitem, and sendchat. I have updated them in the file. It is possible more packet headers are broken but that is all that is affected from my testing so far.
the travel func seem always broken on my test :confused: but i don't have spend to much time time on
02/15/2020 11:59 Zvend#25
Quote:
Originally Posted by CoderAndy View Post
another update and some packet headers changed, wiki says "Performed server maintenance" only, something is going on here 🤔.
not only some. they changed a lot. but easy fix. :) Nothing to worry much about
02/15/2020 12:37 phat34#26
says easy fix but doesn't say what... lmao
02/15/2020 12:47 Zvend#27
Quote:
Originally Posted by phat34 View Post
says easy fix but doesn't say what... lmao
for GStoC: they added a fake packet, so a lot packets just increased by 1. easy fix tho
for CtoGS: they also increased a lot headers with +1 and made few changes to some at the beginning
02/15/2020 17:08 list comprehension#28
Found guild hall travel enter, exit, and map travel broken and fixed.
02/15/2020 17:30 Zvend#29
Quote:
Originally Posted by list comprehension View Post
Found guild hall travel enter, exit, and map travel broken and fixed.
all of them have been fixed already^^.

[Only registered and activated users can see links. Click Here To Register...]
02/15/2020 18:05 list comprehension#30
Quote:
Originally Posted by Zvend View Post
all of them have been fixed already^^.

[Only registered and activated users can see links. Click Here To Register...]
I like to go through things manually to see fine changes and be able to update things on my own but excellent that is available.
Page 2 of 16 1 2 3412 Last »