Direct Injection Codes - Delphi/C++/AutoIt

05/12/2009 18:53 plixbugmenot#31
50 meg to 200 meg, definitely a memory leak!

You don't have to make pointers NULL. Well, it is nice to make them NULL after you delete them, but it won't delete the object! So if you use operator new, or malloc, you need to free that :)

like
Code:
MyObject *p = new MyObject();

if(p!=NULL) //safety measure, so you don't delete a pointer twice
 delete p;

//safety measure, so you don't delete a pointer twice
p = NULL;
Don't know about malloc, I am a C++ coder :p but Google can tell you that.

Also, in the function, for example walking to a place, you make a workobject that gets handed to the workmanager, but I think you do need to delete that workobject afterwards! You should research that :)

Have fun debugging!
05/15/2009 04:43 smokeypokey#32
//004596AD - a1 dc d1 96 00 - mov eax,[0096d1dc] : 0096D860
//004596B2 - 57 - push edi
//004596B3 - 8b 48 20 - mov ecx,[eax+20]
//004596B6 - 81 c1 ec 00 00 00 - add ecx,000000ec
//004596BC - e8 8f c7 14 00 - call 005a5e50
DWORD BaseAddress= 0x0096d1dc;
DWORD CallAddress= 0x005a5e50;


Can someone please explain what the CallAddress is? Is it the address called by the Base Address?

In the newest PW-INT we have:
BaseAddress: 0x0097AC97
Dynamic Address: 0x0097B33C
Dynamic Address - 0x1C = 0x97B320

The BaseAddress contains the 0x97B320 value... so BaseAddress + 0x1C points to the Dynamic Address. Am I correct to assume that the CallAddress is 0x97B320?
05/15/2009 14:15 leovn#33
CallAddress is an address that points to a function (or a branch of a function). In this case, when some conditions are valid, it will call that address and do something... So, it's not 0x97B320 like you said.
05/16/2009 05:16 smokeypokey#34
Quote:
Originally Posted by asgborges View Post
Try to use the SPECIFIC Injection Function for C++, ok?! --> CallRemoteFunction !!!

Don't translate functions from other languages... this doesn't work well until a lot of tests!!
Code:
#include <tlhelp32.h>
...
typedef tagPROCESSENTRY32W pGameProcess;
...
static DWORD WINAPI SelectMonster(LPCVOID lpParam)
{
	//004596AD - a1 dc d1 96 00             - mov eax,[0096d1dc] : 0096D860
	//004596B2 - 57                         - push edi
	//004596B3 - 8b 48 20                   - mov ecx,[eax+20]
	//004596B6 - 81 c1 ec 00 00 00          - add ecx,000000ec
	//004596BC - e8 8f c7 14 00             - call 005a5e50
	DWORD BaseAddress= 0x0096d1dc;
	DWORD CallAddress= 0x005a5e50;
	DWORD MonsterID = (DWORD)lpParam;
	__try
	{
		_asm
		{
		  mov edx, DWORD PTR [BaseAddress]
		  push     MonsterID
		  mov ecx, DWORD PTR [edx+0x20]
		  add ecx, 0xEC
		  mov edx, CallAddress
		  call     edx
		}
	}
	__except(1)
	{
	}
	return 0;
}
bool CallRemoteFunction(pGameProcess pProcess)
{
	//Remote Process Handle
	HANDLE hProcess=NULL;
	//Inject Thread handle
	HANDLE hThread=NULL;
	//Inject Function Address after allocate
	LPVOID ThreadCodeAddr=NULL;
	//Inject Function
	LPVOID Func=SelectMonster;
	//Inject Function Stack Address after allocate
	LPVOID ThreadDataAddr=NULL;
	//Inject Function Stack Data
	LPCVOID lpParam = NULL;
	DWORD Value = 0;
	lpParam = &Value;

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pProcess.th32ProcessID);
	if (!hProcess)
	{
		//Do your Error message (OpenProcess);
		return false;
	}
	ThreadCodeAddr=VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
	ThreadDataAddr=VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory (hProcess, ThreadCodeAddr, Func, 4096, NULL);
	WriteProcessMemory (hProcess, ThreadDataAddr, lpParam, 256, NULL);
	hThread = CreateRemoteThread(hProcess, NULL, NULL,(LPTHREAD_START_ROUTINE)ThreadCodeAddr, ThreadDataAddr, NULL, NULL);
	if (!hThread)
	{
		//Do your Error message (CreateRemoteThread);
	}
	else
		WaitForSingleObject(hThread, INFINITE);
	CloseHandle(hThread);
	VirtualFreeEx(hProcess, ThreadCodeAddr, 4096, MEM_RELEASE);
	VirtualFreeEx(hProcess, ThreadDataAddr, 256, MEM_RELEASE);
	CloseHandle(hProcess);
	return false;
}
* this is working fine for me... with Delphi and C++ Builder!!!

I'm new to code injection, so I'm just learning as I go along. Leovn, thanks for the help.

For the target example can I inject into anywhere that looks like mov eax,[BaseAddress] or is that spot specific to targeting because of the call that follows?
05/18/2009 06:43 leovn#35
No, you can't do it like that, because if you do what you said, it will crash your element client.
Code:
		  mov edx, DWORD PTR [BaseAddress]
		  push     MonsterID
		  mov ecx, DWORD PTR [edx+0x20]
		  add ecx, 0xEC
		  mov edx, CallAddress
		  call     edx
It was taken by viewing the memory of the element client. In the element client's assembly, it will have code like it (not exactly the same).

So you must follow ...
05/18/2009 17:41 smokeypokey#36
Ok. I'm getting the hang of this. Check this out.

Here is the original fly function:

Code:
procedure Fly(aPParams: PParams); stdcall;
(*
0044A926 - 8b 15 dc d1 96 00          - mov edx,[0096d1dc] : 0096D860
0044A92C - 6a 01                      - push 01
0044A92E - 51                         - push ecx
0044A92F - 8b 4a 20                   - mov ecx,[edx+20]
0044A932 - 6a 0c                      - push 0c
0044A934 - 6a 01                      - push 01
0044A936 - 81 c1 ec 00 00 00          - add ecx,000000ec
0044A93C - e8 bf b2 15 00             - call 005a5c00
*)
begin
    asm
       mov  edx, DWORD PTR [$0096d1dc]
       push $01
       push $31f7
       mov  ecx, DWORD PTR [edx+$20]
       push $0C
       push $01
       add ecx, $EC
       mov  edx, $005a5c00
       call edx
    end;
end;
Here is the one from the current version of PW-INT:
Code:
0044BF66 - 8b 15 9c ac 97 00          - mov edx,[0097ac9c] : 0097B320
0044BF6C - 6a 01                      - push 01
0044BF6E - 51                         - push ecx
0044BF6F - 8b 4a 20                   - mov ecx,[edx+20]
0044BF72 - 6a 0c                      - push 0c
0044BF74 - 6a 01                      - push 01
0044BF76 - 81 c1 ec 00 00 00          - add ecx,000000ec
0044BF7C - e8 ff 3f 16 00             - call 005aff80
How did someone come up with $31f7 for fly (I need a new value for this, but not sure how to find it)? I can find where npc_ids are stored, HP, etc... because those can be scanned down, but how did they scan down a skill?

Also, do you know if this executes the fly skill or just freezes the fly timer so it does not go to 0?

I ran a trace on
0044BF66 - 8b 15 9c ac 97 00 - mov edx,[0097ac9c] : 0097B320

and when push ecx is executed the value of ecx is 00000830... is this what I'm supposed to use in my code?
05/24/2009 15:35 plixbugmenot#37
Quote:
how did someone come up with $31f7 for fly
This fly function is probably a 'thiscall' function, which means the "this" pointer is passed in ECX. This changes every time you start the game :)

A small example / asm lesson

Code:
.text:00432BE0 sub_432BE0      proc near               ; CODE XREF: sub_42C2D0+298p
.text:00432BE0                                         ; sub_42C2D0+2EFp ...
.text:00432BE0                 mov     eax, [ecx+4]
.text:00432BE3                 retn
.text:00432BE3 sub_432BE0      endp
In compiled C++ code you must know 2 things to understand this.

1. The this pointer is located in ECX
2. The return value of a function is always stored in EAX

What does this function do?
This is actually a getter method.

It may look like this in C++

Code:
int MyClass::GetValue()
{
  return m_MemberVariable;
}
And it gets called like this

Code:
int returnvalue = MyClass->GetValue();
This translates (roughly) to:

Code:
mov ecx, [MyClass]                     // MyClass is the pointer to the class
call sub_432BE0
mov [address of int returnvalue], eax  // return value gets stored
So all this will return the value of MyClass+4.

I hope I was clear, if you have any questions please ask
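A constructed C++ illustration of the layout reasoning in the post above (added here, not code from the thread): it assumes the class has a vtable pointer at offset 0, which is one common reason the first member lands at +4 on 32-bit x86, and shows that the compiled getter and a raw read at that offset from the object pointer return the same value.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed example (not from the thread). The class has a virtual
// function, so its first slot is the vtable pointer and the first data
// member lands at offset sizeof(void*): 4 on 32-bit x86, i.e. the
// [ecx+4] the disassembled getter reads. Under thiscall the object
// pointer ("this") is what the caller loads into ECX.
class MyClass {
public:
    explicit MyClass(int v) : m_MemberVariable(v) {}
    virtual ~MyClass() {}
    // The getter: under thiscall this becomes mov eax,[ecx+off]; retn
    int GetValue() const { return m_MemberVariable; }
    int m_MemberVariable;
};

// Offset of m_MemberVariable inside the object, computed from addresses
// (offsetof() is not portable for classes with virtual functions).
std::size_t MemberOffset() {
    MyClass obj(0);
    const char* base = reinterpret_cast<const char*>(&obj);
    const char* member = reinterpret_cast<const char*>(&obj.m_MemberVariable);
    return static_cast<std::size_t>(member - base);
}

// What "mov eax,[ecx+off]" does: read a 32-bit value at a byte offset
// from the object pointer. memcpy keeps it free of aliasing/alignment UB.
std::int32_t ReadIntAtOffset(const void* objectPtr, std::size_t off) {
    std::int32_t value;
    std::memcpy(&value, static_cast<const char*>(objectPtr) + off, sizeof value);
    return value;
}

// Builds an object holding v and reads the member back the "assembly" way.
std::int32_t RawValueOf(int v) {
    MyClass obj(v);
    return ReadIntAtOffset(&obj, MemberOffset());
}

// The compiled getter is just that fixed-offset read from "this".
bool GetterMatchesRawRead(int v) {
    MyClass obj(v);
    return obj.GetValue() == ReadIntAtOffset(&obj, MemberOffset());
}

int main() { return GetterMatchesRawRead(1234) ? 0 : 1; }
```

On a 64-bit build the same member sits at +8, which is why offsets read out of one binary must be re-derived for another build rather than assumed.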
07/31/2009 01:27 somethingclever#38
Uhm, it would be nice to tell us what $MOD_ID_ADD is supposed to mean; is it the BASE_ADDR?
If so, it makes your client crash. Are you sure it's not _MemoryPointerWrite(), using Target_Offsets? Also, INJECTCODE() crashes your client too, most likely because of $OPCODE being wrong; does that have something to do with a wrong base_addr, call_addr, or the $OPCODE?
Can someone give me an example of the full script in Autoit? (I'm talking about full HP bar select).
Or explain to me in detail how you figure the asm func calls out using CE/Olly? Or a detailed description of what it does, not as in "select a full hpbar target" but as in, for example:

_memorywrite($mob_idd_add,$memid,$id) ;targets mob with empty hp bar
pushad() ;whatever.

And so on. I hope someone can give me a detailed guide or something. I really want to get code injection to work for me.

Thanks in advance.
09/07/2009 07:49 cableman2#39
You can't overwrite the client-side server + you're only adding phenomenal codes to your com "Only", not the other, which is gonna crash. "Remember the system program of the game only follows the basic, which is massive algo codes." The creators are also hackers too ;)

P.S. - this is only a tip if you want to surpass them.
09/16/2009 02:45 bhimboy_14#40
Please send me the wire frame too.
10/06/2009 20:26 ReEvolve#41
Would anyone be able to make an injection script to make smurf it select characters correctly for healing with EP?
11/28/2009 02:36 hongthai1909#42
Hi guys,
I need help with the ASM code of the function for digging mines, resources, herbs...
Thanks a lot!
12/15/2009 08:03 muzhig#43
what help do you need?
I am solving this case too.
06/30/2010 17:20 Sᴡoosh#44
Anyone have an idea how to change mobs if you have the mobID? These codes don't seem to work; they always crash my client (patch version 356). Any idea? I want to stop using my tab key =/.
08/05/2010 21:55 Sᴡoosh#45
I got a bit smarter in the meantime; here is the call address for mob targeting:

$005E9CC0

Have fun.