[Guide] Lets make a memory based bot

04/05/2013 14:48 dusica#31
Quote:
Originally Posted by { Angelius } View Post
You are totally right.. and what makes it worse is that i never noticed it

Right before i start recording a tutorial everything makes sense and it seems like i can come up with a perfect tutorial but for some reason whenever i start recording the tutorial and i get into the details shit hits the fan and the pyramids fall apart :|

you are doing the tuts fine. i understood everything u taught us, perfectly, i guess that the other guys that follow your tuts understand them too :) I couldn't wait for your next one, so i decided to try to hook the receive function in the project. and with a little help from ur previous project (Evolution) i managed to get it done :P note that i've never worked with olly and asm before, so it's a big progress for me, thanks to you.
keep them coming buddy, we are waiting for them like apple ppl wait in front of apple stores when a new iphone is coming out :D
04/08/2013 00:11 urgabel#32
Very nice tutorial. I have only watched the first chapter "Disabling the client protection HQ" so far, but I can tell you I was able to understand it all well. Now I'm going to start with the next chapter.
EDIT: Just a suggestion for the next videos; can you raise the volume of the recording? I can hear your key typing better than your voice.

Quote:
Originally Posted by Cancer Sol View Post
These tutorials don't only apply to Conquer Online, right?
I'm following the tutorial with a different game also from TQ: Heroes of Might and Magic Online.
Found different stuff (and less protection), but being my first time using OllyDbg I think this tutorial is enough for me to guide me to learn.
I only have basic knowledge of assembler, but with OllyDbg's comments I can manage to understand how the game works.
04/08/2013 18:01 dusica#33
tried something like this:


void CBClient::Send_To_Client()
{

Sleep(1000);
int TimeStamp = GetTickCount();
int uid = 1030944;
ByteBuffer* Buffer = new ByteBuffer(24);
Buffer->WriteUInt16(24, 0); // length of the packet
Buffer->WriteUInt16(10005, 2); // type - walk packet
Buffer->WriteUInt32(162,4); // direction
Buffer->WriteUInt32(uid,8); //uid
Buffer->WriteUInt32(1,12); // walk/run
Buffer->WriteUInt32(TimeStamp,16); //timestamp
Buffer->WriteUInt32(0,20); // 00 00 00 00


hooks->ADD_Packet(Buffer);
}

and called the Send_To_Client function here ( every time i send a "message" packet):


void CBClient::Send_Packet_Hook_Callback()
{
ByteBuffer Packet((LPVOID)hooks->Outgoing_Packet_Pointer, hooks->Outgoing_Packet_Length);
Console_WriteLine("Client is sending a packet... Type: %u Length: %u ", Packet.ReadUint16(2), Packet.ReadUint16(0));
switch (Packet.ReadUint16(2))
{
case 1004: // "message" packet
{
Send_To_Client();
Console_WriteLine("function called");
break;
}
}
}

by some logic, the character should move after the client has received this packet, but it didn't. btw this is my first try to cr8 and send a packet somewhere so i'm not sure if the timestamp is correct, or even if the structure of the packet is correct. also for the direction, i typed a random number cuz i don't know how that function works .. xD
04/09/2013 05:54 { Angelius }#34
Quote:
Originally Posted by dusica View Post
tried something like this:


void CBClient::Send_To_Client()
{

Sleep(1000);
int TimeStamp = GetTickCount();
int uid = 1030944;
ByteBuffer* Buffer = new ByteBuffer(24);
Buffer->WriteUInt16(24, 0); // length of the packet
Buffer->WriteUInt16(10005, 2); // type - walk packet
Buffer->WriteUInt32(162,4); // direction
Buffer->WriteUInt32(uid,8); //uid
Buffer->WriteUInt32(1,12); // walk/run
Buffer->WriteUInt32(TimeStamp,16); //timestamp
Buffer->WriteUInt32(0,20); // 00 00 00 00


hooks->ADD_Packet(Buffer);
}

and called the Send_To_Client function here ( every time i send a "message" packet):


void CBClient::Send_Packet_Hook_Callback()
{
ByteBuffer Packet((LPVOID)hooks->Outgoing_Packet_Pointer, hooks->Outgoing_Packet_Length);
Console_WriteLine("Client is sending a packet... Type: %u Length: %u ", Packet.ReadUint16(2), Packet.ReadUint16(0));
switch (Packet.ReadUint16(2))
{
case 1004: // "message" packet
{
Send_To_Client();
Console_WriteLine("function called");
break;
}
}
}

by some logic, the character should move after the client has received this packet, but it didn't. btw this is my first try to cr8 and send a packet somewhere so i'm not sure if the timestamp is correct, or even if the structure of the packet is correct. also for the direction, i typed a random number cuz i don't know how that function works .. xD
To send a packet to the client you should start by sending a chat packet or a teleport packet.. something that you can see its effect..

PHP Code:
// UID, Map, ToX and ToY are not declared in the post; they are taken as parameters here so the function compiles.
void CBClient::Teleport_To_Client(unsigned int UID, unsigned int Map, unsigned short ToX, unsigned short ToY)
{
ByteBuffer* Buffer = new ByteBuffer(40); // the length could be 38 i am not sure.
Buffer->WriteUInt16(40, 0);    // packet length
Buffer->WriteUInt16(10010, 2); // packet type
Buffer->WriteUInt32(UID, 4);
Buffer->WriteUInt32(Map, 8);
Buffer->WriteUInt16(86, 20);
Buffer->WriteUInt16(0, 22);
Buffer->WriteUInt16(ToX, 24);
Buffer->WriteUInt16(ToY, 26);
hooks->ADD_Packet(Buffer);
}

And then in Send_Packet_Hook_Callback() case 1004 you extract the message from the packet and compare it to a certain command such as @teleport, @tele etc. And if it equals, then you call Teleport_To_Client();


I'll be explaining how to use these functions a little later when i am done hooking the needed functions.
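The packet layout discussed in the last two posts (length at offset 0, type at 2, fixed-offset fields after that), as an added example that is not code from the thread or from the Evolution project. `ByteBuffer` here is an assumed stand-in for the thread's class, with every read and write bounds-checked; `DecodeHeader` validates the length field against the number of bytes actually captured, a check the posted callback skips when it reads offset 2 unconditionally; `BuildWalkPacket` reproduces the 24-byte walk layout from dusica's post. The sample packet bytes in the comments and tests are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Little-endian byte buffer in the spirit of the thread's ByteBuffer (assumed
// API, not the original class). Bytes are assembled explicitly, so the result
// does not depend on host endianness, and every access is bounds-checked: a
// truncated or malformed packet raises std::out_of_range instead of reading
// past the end of the captured data.
class ByteBuffer {
public:
    explicit ByteBuffer(std::size_t size) : data_(size, 0) {}
    ByteBuffer(const uint8_t* src, std::size_t len) : data_(src, src + len) {}

    void WriteUInt16(uint16_t v, std::size_t off) {
        check(off, 2);
        data_[off] = static_cast<uint8_t>(v & 0xFF);
        data_[off + 1] = static_cast<uint8_t>(v >> 8);
    }
    void WriteUInt32(uint32_t v, std::size_t off) {
        check(off, 4);
        for (std::size_t k = 0; k < 4; ++k)
            data_[off + k] = static_cast<uint8_t>((v >> (8 * k)) & 0xFF);
    }
    uint16_t ReadUInt16(std::size_t off) const {
        check(off, 2);
        return static_cast<uint16_t>(data_[off] | (data_[off + 1] << 8));
    }
    uint32_t ReadUInt32(std::size_t off) const {
        check(off, 4);
        uint32_t v = 0;
        for (std::size_t k = 0; k < 4; ++k)
            v |= static_cast<uint32_t>(data_[off + k]) << (8 * k);
        return v;
    }
    std::size_t Size() const { return data_.size(); }
    const uint8_t* Data() const { return data_.data(); }

private:
    void check(std::size_t off, std::size_t n) const {
        if (off > data_.size() || n > data_.size() - off)
            throw std::out_of_range("ByteBuffer access past end of packet");
    }
    std::vector<uint8_t> data_;
};

// Header layout used throughout the thread: length at offset 0, type at 2.
struct PacketHeader { uint16_t length; uint16_t type; };

// Decode the header of a captured outgoing packet. Returns false instead of
// trusting a length field that is shorter than the header itself or longer
// than the bytes that were actually captured.
bool DecodeHeader(const uint8_t* buf, std::size_t captured, PacketHeader& out) {
    if (buf == nullptr || captured < 4) return false;
    ByteBuffer p(buf, captured);
    out.length = p.ReadUInt16(0);
    out.type = p.ReadUInt16(2);
    return out.length >= 4 && out.length <= captured;
}

// The 24-byte walk packet exactly as laid out in dusica's post (type 10005).
ByteBuffer BuildWalkPacket(uint32_t uid, uint32_t direction, uint32_t mode, uint32_t timestamp) {
    ByteBuffer b(24);
    b.WriteUInt16(24, 0);         // packet length
    b.WriteUInt16(10005, 2);      // packet type
    b.WriteUInt32(direction, 4);  // direction
    b.WriteUInt32(uid, 8);        // uid
    b.WriteUInt32(mode, 12);      // walk/run
    b.WriteUInt32(timestamp, 16); // timestamp
    b.WriteUInt32(0, 20);         // trailing zero dword
    return b;
}
```

The length check matters in a hook callback because `Outgoing_Packet_Length` is whatever the intercepted send call reported, which need not agree with the length field inside the packet; dispatching on `ReadUint16(2)` of a 2-byte buffer is an out-of-bounds read in the original class, and a silent one.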
04/09/2013 08:04 go for it#35
@dusica it's way better to create a method for every packet, but for testing you could use the chat packet for better effect as it does not require a timestamp or anything that may confuse
and maybe it's because there is no seal? i have no idea if the sending method adds the seal or not but you may add the client seal and test it on a new account, gl bud

@{ Angelius } i got a question if i may ask :) , at evolution you were hooking the jump/walk bla bla, i was wondering why you just hook those functions instead of making the packet
i mean for ex. why do you send the coords to the hooked jump method instead of creating the packet and sending it to the hooked sending method :) couldn't see the point of that
04/09/2013 11:12 { Angelius }#36
Quote:
Originally Posted by go for it View Post
@{ Angelius } i got a question if i may ask :) , at evolution you were hooking the jump/walk bla bla, i was wondering why you just hook those functions instead of making the packet
i mean for ex. why do you send the coords to the hooked jump method instead of creating the packet and sending it to the hooked sending method :) couldn't see the point of that

Because the hooked jump function doesn't only send a packet to the server it checks the Distance + height + validity of the given X/Y and if all went ok it does the actual jump and then it sends a packet to the server.

It's like holding ctrl + Left Click to jump in game but without holding the ctrl + Left Click.. you simply call the Jump(X, Y) and watch the player jumping as if it was magic :P
04/09/2013 11:18 go for it#37
Quote:
Originally Posted by { Angelius } View Post
Because the hooked jump function doesn't only send a packet to the server it checks the Distance + height + validity of the given X/Y and if all went ok it does the actual jump and then it sends a packet to the server.

It's like holding ctrl + Left Click to jump in game but without holding the ctrl + Left Click.. you simply call the Jump(X, Y) and watch the player jumping as if it was magic :P
does this mean i don't need to read maps anymore to know the height and just send the A* coord, then if it's valid i go next, if not i send another point with the A*?
if my guess is right that would save a lot, that was such a smart idea :D
04/09/2013 13:25 KraHen#38
I might be missing something here, but when I open my Conquer.exe in olly, the stack elements all have 00000000 in the second column, also no red comments. It is started with admin rights, am I doing something wrong?
04/09/2013 15:36 { Angelius }#39
Quote:
Originally Posted by urgabel View Post
EDIT: Just a suggest, for next videos; can you raise the volume of the recording? I can hear your keytypping better than your voice.
Unfortunately whenever i try to make any changes to the sound.. Camtasia fucks up the whole sound timeline and it starts to sound more like i am speaking through an old beat up microphone, it also extends the video size dramatically just by raising the volume by 25% :|

You might notice that in tutorial 5.


Quote:
Originally Posted by KraHen View Post
I might be missing something here, but when I open my Conquer.exe in olly, the stack elements all have 00000000 in the second column,
Did you disable any of the anti debugging crap before you open Conquer.exe?
Does it load any modules when you first open it or no?
Does it say "terminated" on the lower right corner in olly?
Can you submit some screen shots?

Quote:
Originally Posted by KraHen View Post
also no red comments.
For the black + red comments/tips to appear you have to analyze the module when it's done loading by hitting Ctrl + A on your keyboard or by right clicking on the CPU window -> Analysis -> Analyse code.
04/09/2013 17:50 tariqx111#40
good job, adel ><
04/09/2013 22:03 go for it#41
im watching part 5 now and i've got an idea at the overriding find pattern / searching for constants
the addresses change, which is why we search for them with a pattern
but does the difference between them change without tq changing them?

what i mean is
if find pattern search first occurrence is at 005E222F and our real jump function is at 005E2C16
we could have just done something like
0x5E2C16-0x5E222F = 9e7h = 2535
so could we have done something like
Jump_Function_Address = ASM::FindPattern(0x005BCD72, 0x0062F49B, Jump_Function_Bytes, 8) + 2535;

edit : lmao nvm you just did something close to that moments later in the video :D
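The first-occurrence-plus-delta idea in the post above, as an added example that is not the thread's or the Evolution project's code. `ParsePattern` and `FindPattern` are a small signature scanner with `??` wildcards, the same primitive a memory scanner or YARA-style hunt uses to locate a known byte sequence wherever the image was loaded; `ResolveByDelta` applies a delta measured in one build and then verifies the bytes at the destination before trusting it, because the delta only holds while everything between the two points is unchanged, and a silent one-byte shift would otherwise be taken at face value. The byte image is constructed; the prologue bytes are generic x86 and not bytes from Conquer.exe.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// One byte of a signature: a concrete value or a "??" wildcard.
struct SigByte { uint8_t value; bool wildcard; };

// Parse an IDA-style pattern such as "55 8B EC ?? 83 EC 10" into bytes + mask.
std::vector<SigByte> ParsePattern(const std::string& text) {
    std::vector<SigByte> out;
    std::size_t i = 0;
    while (i < text.size()) {
        if (text[i] == ' ') { ++i; continue; }
        if (text.compare(i, 2, "??") == 0) { out.push_back({0, true}); i += 2; continue; }
        out.push_back({static_cast<uint8_t>(std::stoul(text.substr(i, 2), nullptr, 16)), false});
        i += 2;
    }
    return out;
}

// Linear scan of [base, base+len) for the first match; returns the offset of
// the match relative to base, or -1 if there is none. Wildcard bytes match
// anything. This is the primitive the thread's ASM::FindPattern stands for.
long FindPattern(const uint8_t* base, std::size_t len, const std::vector<SigByte>& sig) {
    if (sig.empty() || len < sig.size()) return -1;
    for (std::size_t pos = 0; pos + sig.size() <= len; ++pos) {
        bool match = true;
        for (std::size_t k = 0; k < sig.size(); ++k) {
            if (!sig[k].wildcard && base[pos + k] != sig[k].value) { match = false; break; }
        }
        if (match) return static_cast<long>(pos);
    }
    return -1;
}

// The "first occurrence + fixed delta" shortcut from the post: locate an
// anchor pattern, step by a delta measured in a known build, then confirm a
// second pattern at the destination before returning it. Returns -1 when the
// anchor is missing, the delta leaves the image, or the verification fails.
long ResolveByDelta(const uint8_t* base, std::size_t len,
                    const std::string& anchorPattern, long delta,
                    const std::string& targetPattern) {
    long anchor = FindPattern(base, len, ParsePattern(anchorPattern));
    if (anchor < 0) return -1;
    long target = anchor + delta;
    std::vector<SigByte> expect = ParsePattern(targetPattern);
    if (target < 0 || static_cast<std::size_t>(target) + expect.size() > len) return -1;
    if (FindPattern(base + target, expect.size(), expect) != 0) return -1;
    return target;
}

// Constructed 64-byte "image": a function prologue at +8 serving as the anchor
// and a second prologue at +28, i.e. a delta of 20 between them.
std::vector<uint8_t> BuildSampleImage() {
    std::vector<uint8_t> img(64, 0x00);
    const uint8_t anchor[] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10}; // at +8
    const uint8_t target[] = {0x55, 0x8B, 0xEC, 0x51};             // at +28
    for (std::size_t k = 0; k < sizeof anchor; ++k) img[8 + k] = anchor[k];
    for (std::size_t k = 0; k < sizeof target; ++k) img[28 + k] = target[k];
    return img;
}
```

The verification pattern at the destination is deliberately short: it is there to catch a changed delta, not to replace the anchor scan. If the image between the two points is rebuilt, `ResolveByDelta` returns -1 and the caller falls back to a full scan rather than using a wrong address.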
04/09/2013 22:23 urgabel#42
Quote:
Originally Posted by { Angelius } View Post
Unfortunately whenever i try to make any changes to the sound.. Camtasia fucks up the whole sound timeline and it starts to sound more like i am speaking through an old beat up microphone, it also extends the video size dramatically just by raising the volume by 25% :|
You might notice that in tutorial 5.
Noticed the higher weight of the video, but little difference, if any, in the volume. Do not worry too much about that.
And I forgot to tell you: you have a very sexy voice...

While part 6 is coming, I will install C++ and start playing with the code. Thanks again.
04/10/2013 12:43 KraHen#43
@Angelius : I did not disable anything, it loads the modules (until ntdll), it does say terminated, I did analyze the code. I'm really sorry for taking your time, I feel like a newbie (and when it comes to reverse engineering I somewhat am, lol). Btw it works just fine with the 4267

Don't mind the other CO window, it has nothing to do with this client.

04/10/2013 20:15 go for it#44
Quote:
Originally Posted by KraHen View Post
@Angelius : I did not disable anything, it loads the modules (until ntdll), it does say terminated, I did analyze the code. I'm really sorry for taking your time, I feel like a newbie (and when it comes to reverse engineering I somewhat am, lol). Btw it works just fine with the 4267

Don't mind the other CO window, it has nothing to do with this client.

watch part 1, there are 2 dlls you need to patch which terminate the process
antiroboticclient.dll , tqanp.dll
watch [Tutorial 1] Disabling the client protection HQ
and it won't terminate anymore
04/10/2013 22:10 KraHen#45
Yes, I get it, I can do those, but I'm curious why my Olly behaves differently at the start than the one presented in the video. My primary intention is to learn a little bit of reverse engineering, not to create any program whatsoever.