[Hack]MobPuller (Tapferkeitsumhang-Hack) + Source

Hi,

ich m�chte euch meinen MobPuller geben. Er funktioniert wie ein Tapferkeitsumhang, aber er kann bis zu 113 Monster pullen (Tapferkeitsumhang max. 20). Man kann dabei auch laufen und bleibt nicht wie bei Moblock auf einem Punkt.

Der Hack funktioniert auf vielen P-Servern und mit einem Bypass auch auf den offiziellen Servern.

Danken m�chte ich noch tim66613 f�r die Magic-CRC-Pieces.

HowToUse:
1.) In Metin2 in das Charakterauswahlmen� gehen
2.) m2MobPuller.exe starten
3.) In das Metin2-Fenster wechseln und F9 dr�cken
4.) Mit P die Monster pullen

Die Dateien d�rft ihr nicht umbenennen!

Video:

Spoiler

Source-Code (Kompiliert mit Microsoft Visual C++):

Spoiler

Code:

#include "windows.h"
#include <Python.h>
#include "detours.h"

DWORD Offset1 = 0; //mainstream
DWORD Offset2 = 0; //AddPacketData Function
DWORD Offset3 = 0; //AddSignatureByte Function
DWORD Offset4 = 0; //Update Function (MainFunc)
DWORD Offset5 = 0; //RegisterVid Function
void (__stdcall* MainFunc)();
void (__stdcall* RegisterVid)();
bool Key1IsPressed = false;
bool pullmobs = true;
DWORD *vids = new DWORD[1000];
DWORD *nVID = new DWORD[1000];
int nVIDcount = 0;
int VIDcount = 0;
DWORD nhVID = 0;


bool ScanForOffsets();
DWORD dwFindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask);
bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask);
void* GetCallDest(void* addr);
void CatchKeystrokes();
void Hook_MainFunc();
void Hook_RegisterVid();
void SendPullPackets();
int GetInstanceType(long vid);
double GetCharacterDistance(long vid);
void AppendChat(const char *msg);
bool appIsPressed(long Key);
void RefreshVids();
void AddVID();

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	switch (ul_reason_for_call)
	{
		case DLL_PROCESS_ATTACH:
			ScanForOffsets();
			MainFunc = (void (__stdcall*)())DetourFunction((PBYTE)Offset4, (PBYTE)Hook_MainFunc); //0x00471F50
			RegisterVid = (void (__stdcall*)())DetourFunction((PBYTE)Offset5, (PBYTE)Hook_RegisterVid); //0x004A0154
			break;
		case DLL_THREAD_ATTACH:
			break;
		case DLL_THREAD_DETACH:
			break;
		case DLL_PROCESS_DETACH:
			break;
	}
	return TRUE;
}

bool ScanForOffsets()
{
	DWORD Base = 0x00400000;
	DWORD SizeOfCode;

	DWORD i = Base;
	while ((memcmp((void *)i, "PE\0\0", 4)) && (i <= Base + 0x1000))
		i++;

	if (i <= Base + 0x1000)
		SizeOfCode = *(DWORD *)(i + 0x1C);


	BYTE Signature1[] = { 0x8B, 0x0D, 0xF4, 0x1C, 0x5F, 0x00, 0x52, 0x50, 0xE8, 0x67,
						  0x60, 0x00, 0x00, 0xE8, 0x12, 0x7B, 0x12, 0x00, 0x5E};


	BYTE Signature2[] = { 0x8B, 0xC1, 0x8B, 0x50, 0x38, 0x8B, 0x48, 0x34, 0x53, 0x8B,
						  0x5C, 0x24, 0x08, 0x2B, 0xCA, 0x3B, 0xD9};

	BYTE Signature3[] = { 0xC2, 0x04, 0x00, 0x8B, 0xCE, 0xE8, 0xB2, 0xCE, 0x0D, 0x00,
						  0x5E};

	BYTE Signature4[] = { 0x83, 0xEC, 0x08, 0x56, 0x8B, 0xF1, 0x8D, 0x44, 0x24, 0x04,
						  0x50, 0x8D, 0x4C, 0x24, 0x0C, 0x51};

	BYTE Signature5[] = { 0x8B, 0x44, 0x24, 0x04, 0x89, 0x81, 0x9C, 0x04, 0x00, 0x00,
						  0xC2, 0x04, 0x00};


	Offset1 = *(DWORD *)(dwFindPattern(Base + 0x1000, SizeOfCode, Signature1, "xx????xxx????x????x") + 2);
	Offset2 = dwFindPattern(Base + 0x1000, SizeOfCode, Signature2, "xxxxxxxxxxxxxxxxx");
	DWORD Offset3_Address = (dwFindPattern(Base + 0x1000, SizeOfCode, Signature3, "xxxxxx????x") + 6);
	Offset3 = reinterpret_cast<DWORD>(GetCallDest((DWORD *)(Offset3_Address - 1)));
	Offset4 = dwFindPattern(Base + 0x1000, SizeOfCode, Signature4, "xxxxxxxxxxxxxxxx");
	Offset5 = dwFindPattern(Base + 0x1000, SizeOfCode, Signature5, "xxxxxxxxxxxxx") + 4;


	if ((Offset1))
		return true;
	else
		return false;
}

void* GetCallDest(void* addr) //by tim66613
{
	unsigned char* callDestAddr = reinterpret_cast<unsigned char*>(addr) + 1;

	uintptr_t relativeDest = *reinterpret_cast<uintptr_t *>(callDestAddr);
	return reinterpret_cast<void*>(uintptr_t(addr) + relativeDest + 5);
}

bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for(;*szMask;++szMask,++pData,++bMask)
        if(*szMask=='x' && *pData!=*bMask ) 
            return false;
    return (*szMask) == NULL;
}

DWORD dwFindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
    for(DWORD i=0; i < dwLen; i++)
        if( bDataCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
            return (DWORD)(dwAddress+i);   
    return 0;
}


void SendPacket(const unsigned char* packetdata, unsigned long len)
{
	DWORD dwSendFunc = Offset2;
	DWORD dwAddSignatureByte = Offset3;
	__asm
	{
		PUSH packetdata
		PUSH len
		MOV EAX, Offset1
		MOV ECX, DWORD PTR DS:[EAX]
		CALL dwSendFunc
		MOV EAX, Offset1
		MOV ECX, DWORD PTR DS:[EAX]
		CALL dwAddSignatureByte
	}
}


void Hook_MainFunc()
{
	_asm pushad
	CatchKeystrokes();
	SendPullPackets();
	RefreshVids();
	__asm popad
	return (*MainFunc)();
}

void SendPullPackets()
{
	if (pullmobs == false) {return;}
	pullmobs = false;
	int pulledmobs = 0;
	for(int i=0; i <= VIDcount && pulledmobs < 113; i++)
	{
		if (GetInstanceType(vids[i]) == 0)
		{
			if (GetCharacterDistance(vids[i]) < 4000)
			{
				unsigned char buf[] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF};
				*(DWORD *)(buf + 2) = DWORD(vids[i]);
				int size = 8;
				SendPacket(buf, size);
				delete [] buf;
				pulledmobs++;
			}
		}
	}
}

int GetInstanceType(long vid)
{
	PyObject* args = PyTuple_New(1);
	PyTuple_SetItem(args, 0, PyInt_FromLong(vid));

	PyObject* ret = PyObject_Call(PyObject_GetAttrString(PyImport_ImportModule("chr"), "GetInstanceType"), args, NULL);

	int result = PyInt_AsLong(ret);
	Py_DECREF(ret);
	Py_XDECREF(args);
	return result;
}

double GetCharacterDistance(long vid)
{
	PyObject* args = PyTuple_New(1);
	PyTuple_SetItem(args, 0, PyInt_FromLong(vid));

	PyObject* ret = PyObject_Call(PyObject_GetAttrString(PyImport_ImportModule("player"), "GetCharacterDistance"), args, NULL);

	double result = PyFloat_AsDouble(ret);
	Py_DECREF(ret);
	Py_XDECREF(args);
	return result;
}

void AppendChat(const char *msg)
{
	PyObject* args = PyTuple_New(2);
	PyTuple_SetItem(args, 0, PyInt_FromLong(1L));
	PyTuple_SetItem(args, 1, PyString_FromString(msg));

	PyObject* ret = PyObject_Call(PyObject_GetAttrString(PyImport_ImportModule("chat"), "AppendChat"), args, NULL);

	Py_XDECREF(ret);
	Py_XDECREF(args);


}
bool appIsPressed(long Key)
{
	PyObject* args = PyTuple_New(1);
	PyTuple_SetItem(args, 0, PyInt_FromLong(Key));

	PyObject* ret = PyObject_Call(PyObject_GetAttrString(PyImport_ImportModule("app"), "IsPressed"), args, NULL);

	bool result = PyInt_AsLong(ret);
	Py_DECREF(ret);
	Py_XDECREF(args);
	return result;
}

void CatchKeystrokes()
{
	if (appIsPressed(25) == true) //25 == P
	{
		if ((Key1IsPressed == false) && (pullmobs == false))
		{
			pullmobs = true;
		}
		Key1IsPressed = true;
	}
	else
	{
		Key1IsPressed = false;
	}
}

void Hook_RegisterVid()
{
	__asm pushad
	__asm MOV nhVID, EAX
	AddVID();
	__asm popad
	return (*RegisterVid)();
}

void RefreshVids()
{
	for(int nvi = 0; nvi < nVIDcount; nvi++)
	{
		if (GetInstanceType(nVID[nvi]) == 0) //Check if vid is monster
		{
			DWORD *new_vids = new DWORD[1000];
			int ni = 0;
			for(int i=0; i < 1000; i++)
			{
				if (GetInstanceType(vids[i]) == 0) //Check if vid is still there
				{
					new_vids[ni] = vids[i];
					ni++;
				}
			}
			new_vids[ni] = nVID[nvi];
			VIDcount = ni;
			delete [] vids; //delete the old array
			vids = &*new_vids; //make vids pointing to the new generated array
		}
	}
	nVIDcount = 0; //reset Vid Count
}

void AddVID()
{
	nVID[nVIDcount] = nhVID;
	nVIDcount++;
}

Interessant auch f�r eure eigenen Projekte:
void SendPacket(const unsigned char* packetdata, unsigned long len)
Der Hook in der Main-Func
Die Patterns

Bitte gebt Credits an, wenn ihr was davon benutzt.

F�r Sch�den (z.B. Bann) �bernehme ich keine Haftung.

Wenn bei euch irgendwas mit DETECT_MEMORY_MODIFY kommt, liegt es daran, dass ihr keinen Hackshield-Bypass habt.

Funktioniert momentan nur auf P-Servern!
Auf den offiziellen Servern funktioniert er nur mit einem Hackshield-Bypass, der es euch erlaubt, andere Opcodes in das Hauptmodul zu schreiben, ohne dass ihr gekickt werdet oder der Prozess terminiert wird.