[ask] Making an Autopot in general

03/30/2012 07:54 Smurfin#1
Sorry for making a thread for another game here, but since I only know people from this section, please let me ask about it here; it could be useful for starters too :handsdown:

I'm trying to make an autopot for Ran Online; maybe some of you also play it and have any resources to begin with, please share :handsdown:. I used MHS because Cheat Engine is detected by the GameGuard; is there any tool for changing its MD5 file identity and window title like MHS?

So far I can only find the HP/MaxHP addresses, but I don't know how to read them using AutoIt, which I'm going to use for making the autopot. Does every game have a base address and offsets pointing to a location in memory so an autopot can be made?

I'll post screenshots later for further questions after maintenance is done; please help if anyone visits this thread :handsdown:

Thanks in advance.

If I have this memread, it says 'int' in there; is it integer? The HP value uses the 'short' type, which has a different value from the integer type; do I have to change it or what?
Code:
; Assumed to be set up beforehand (not shown in the post): $kernel32 = DllOpen("kernel32.dll")
; and $mid = the game's process handle returned by OpenProcess with PROCESS_VM_READ.
Func memread($address, $type = 'dword')
	; $type is a DllStruct type: 'dword', 'int', 'short' (signed 16-bit), 'USHORT' (unsigned 16-bit), ...
	Local $struct = DllStructCreate($type)
	; The 'int'/'ptr' strings describe the Win32 parameter types of the call, not the value being read.
	; The last parameter (lpNumberOfBytesRead) is passed as 0, i.e. NULL, which the API allows.
	DllCall($kernel32, 'int', 'ReadProcessMemory', 'int', $mid, 'int', $address, 'ptr', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', 0)
	Return DllStructGetData($struct, 1)
EndFunc
-----edit------



This is what it looks like. I searched the HP value in short type and got 3 addresses, then I tried to search for the pointer to that address range and got 15 results. Most tutorials I found on Google showed that this step should give one or fewer results that could be used to determine the pointer, but this gave me 15 results, which is confusing.


If I choose [Find out what writes to this address], which in PW gives the HP offset directly, it crashes for this game (must be the game guard), but it gave me something with the assembler thing; is there anything useful in there?
03/30/2012 17:34 Sᴡoosh#2
I don't know that game, but I do know this:

Either you have static addresses, or you have structures and thus base address and offsets.

Short is a signed 2-byte data type.

Also, you can protect CE from GG's eyes by changing the name of the kernel driver and making it undetected (there are loads of guides on the internet on how to; a bit of Delphi knowledge is recommended though).

Maybe if Fyyre is lurking around here, she could give you a hand with GG, she is an epic master in this type of stuff.

Cheers
03/31/2012 10:09 Smurfin#3
Thanks for the brief explanation. I guess it's structured, so it should have a base address and offsets; too bad it's GG'ed, so I can't experiment much on it with my limited knowledge :(

If anyone recognizes the game and has any info on it, or can give a short step-by-step on base address/pointer searching in general for making a simple tool like an autopot, please post it here :handsdown:
03/31/2012 16:51 dumbfck#4
Quote:
Originally Posted by Smurfin View Post
If I have this memread, it says 'int' in there; is it integer? The HP value uses the 'short' type, which has a different value from the integer type; do I have to change it or what?
Code:
; Assumed to be set up beforehand (not shown in the post): $kernel32 = DllOpen("kernel32.dll")
; and $mid = the game's process handle returned by OpenProcess with PROCESS_VM_READ.
Func memread($address, $type = 'dword')
    ; $type is a DllStruct type: 'dword', 'int', 'short' (signed 16-bit), 'USHORT' (unsigned 16-bit), ...
    Local $struct = DllStructCreate($type)
    ; The 'int'/'ptr' strings describe the Win32 parameter types of the call, not the value being read.
    ; The last parameter (lpNumberOfBytesRead) is passed as 0, i.e. NULL, which the API allows.
    DllCall($kernel32, 'int', 'ReadProcessMemory', 'int', $mid, 'int', $address, 'ptr', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', 0)
    Return DllStructGetData($struct, 1)
EndFunc
Nope, don't change any of the 'int's, as they are required for the ReadProcessMemory API call. If you want to read a 16-bit value, call your memread() function using either 'short' for a signed short or 'USHORT' for an unsigned short integer as the second argument. It's the DllStructCreate API call that needs this.

Example:
Code:
memread($someAddress, 'USHORT')
Edit: Just noticed Swoosh has 666 posts :awesome:
03/31/2012 16:58 Sᴡoosh#5
Quote:
Originally Posted by dumbfck View Post
Edit: Just noticed Swoosh has 666 posts :awesome:
And you stole 10 gold from somewhere :D



(667!!)
03/31/2012 17:09 dumbfck#6
Haha it was kindly donated to me ^_^
No bloody idea what it's for or what to do with it though :confused:
Can't be arsed to look it up :D
04/01/2012 05:58 Smurfin#7
I'm curious about that elite gold too; anything with gold interests everyone lol :p

BTW, I got Cheat Engine working after hex-editing everything in the exe that says 'cheat' and replacing it with 'abcde', and the debugger crashing wasn't really caused by the publisher's game-guarding software; it's the client itself that can detect if a debugger is attached to it. The DBVM debugger from CE is really awesome; [find what writes to this address] is working now, though my computer froze after a few minutes the last time I tried it.
04/01/2012 10:13 Interest07#8
Quote:
Originally Posted by Smurfin View Post
I'm curious about that elite gold too; anything with gold interests everyone lol :p

BTW, I got Cheat Engine working after hex-editing everything in the exe that says 'cheat' and replacing it with 'abcde', and the debugger crashing wasn't really caused by the publisher's game-guarding software; it's the client itself that can detect if a debugger is attached to it. The DBVM debugger from CE is really awesome; [find what writes to this address] is working now, though my computer froze after a few minutes the last time I tried it.
Awesome :)

CE is a lot more convenient than MHS with these things lol.
04/01/2012 11:17 Sᴡoosh#9
Quote:
Originally Posted by Smurfin View Post
I'm curious about that elite gold too; anything with gold interests everyone lol :p

BTW, I got Cheat Engine working after hex-editing everything in the exe that says 'cheat' and replacing it with 'abcde', and the debugger crashing wasn't really caused by the publisher's game-guarding software; it's the client itself that can detect if a debugger is attached to it. The DBVM debugger from CE is really awesome; [find what writes to this address] is working now, though my computer froze after a few minutes the last time I tried it.
Are you sure it was GG in the first place? I know for a fact that GG cannot be defeated by simply editing strings, which are by the way encrypted in GG and not viewable with a hex editor. It will simply re-download once the MD5/SHA check is not passed. They probably detoured some function, used IsDebuggerPresent (lol), some int3 tricks, or other things you can do to make debugging a pain.
04/01/2012 14:50 Smurfin#10
Quote:
Originally Posted by Interest07 View Post
Awesome :)

CE is a lot more convenient than MHS with these things lol.
Yeah, and with both it's more convenient for us to use :D; MHS has many tools in the menu. Without the data type converters built into MHS, I wouldn't have known that I had to search the value in short type for this game; using unknown value took a lot of time. It's useful for beginners :p

Quote:
Originally Posted by Sᴡoosh View Post
Are you sure it was GG in the first place? I know for a fact that GG cannot be defeated by simply editing strings, which are by the way encrypted in GG and not viewable with a hex editor. It will simply re-download once the MD5/SHA check is not passed. They probably detoured some function, used IsDebuggerPresent (lol), some int3 tricks, or other things you can do to make debugging a pain.
I think it's not GameGuard™ but more like proprietary game-guarding software by the publisher/developer, because there is a game.exe shared by a local Indonesian hacking forum that can be run directly without using launcher.exe, so it bypasses the 'game guard', but the game still crashed every time I clicked [find out what writes to this address]. The MHS debugger, CE's VEH debugger and CE's Windows debugger all failed; only CE's kernel-mode debugger worked, but not for long: it gave me a BSOD the last time I tried. I haven't had the time to try again; it's really painful for a noob ><, I have to learn how to find a base address for a game first and react quickly before the BSOD happens.

Specialized game protection software like GG or HackShield is really powerful (only when it's running :D). I once played an FPS game called PointBlank that used HackShield; when I tried to dual login, even from another Windows account, it could still detect that the game was already running on my PC. I was like "damn, seriously?" at that time and played normally :p, but a bypass for it is already around now.
04/01/2012 16:18 Sᴡoosh#11
Quote:
Originally Posted by Smurfin View Post
...I once played an FPS game called PointBlank that used HackShield; when I tried to dual login, even from another Windows account, it could still detect that the game was already running on my PC. I was like "damn, seriously?"....
That's because of the heartbeat packets GameGuard sends to the server to indicate it is still running; one of the steps to counter this would be to strip the exe and write a heartbeat emulator. But since this isn't GameGuard, it may be simpler. Since you already have access to a stripped version, you should have it fairly easy. What are the differences? Open both in IDA/Olly or whatever and compare :)

Cheers
04/02/2012 00:03 Smurfin#12
I have thought about that, but the exe file is packed and has a 4 megabyte difference in size from the original.

I won't play multiple chars on this game though; keeping a lot of chars is time consuming, I only need autopotting for this game. I'll try to follow a YouTube tutorial first later, because it looks like the pointer is multi-level and not an easy task to find like in PW, which by clicking [find what writes to this address] shows us the offset directly.

I'll put screenshots later; please give a hint on figuring out the pointers/base address. :handsdown:
04/02/2012 10:52 Sᴡoosh#13
You can try tracing the pointer manually. Try setting breakpoints in the CE debugger. If it still crashes, change the breakpoint method in settings. If you can set breakpoints, try to read the register contents, then search for the addresses in the registers. Rinse and repeat; it's not that hard once you've got it figured out.

For example:

mov eax, [edx+100]

Set a bp on this and check what the edx register's value is. Now search manually for that. If you have a result, continue.

Cheers
04/02/2012 12:23 Smurfin#14
OK, thanks for the tips, I'll experiment with it.
---edit---


When I clicked [find out what writes to this address], CE gave me this: mov [ecx],ax, before my computer froze and had a BSOD because I was using DBVM + kernel debugger (I guess it's not stable on my PC, or just a bug). Anyway, what is ax? It's not listed in the registers.

Here is the screenshot:

I also tried with MHS without using a debugger and searched pointers manually, because this game doesn't like a debugger of any kind attached to it, but it's like the pointer never ends :mad:. I could put the address along with multiple offsets and it could still point to the correct HP address (tried both in CE and MHS), but it is never static.

If anyone has the time to look into it, please advise.
04/03/2012 09:48 dumbfck#15
AX is the lower 16 bits (2 bytes) of the EAX register. Conversely, AH is the upper 16 bits of the EAX register.
The other registers can also be accessed in this way, typically for short integer operations. They are similarly named; BX, CX, DX (lower 16 bits of EBX, ECX and EDX registers respectively).

If you don't already have them, it might be worth downloading these for reference:
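Three things come up in this thread that are easier to see in running code than in prose: how a multi-level pointer (static base address, then a chain of offsets) resolves to the live HP address, why reading a 16-bit HP with 'short' instead of 'USHORT' gives a different number, and what `mov [ecx],ax` actually stores. The following is an added example, not code from anyone in the thread and not taken from Ran Online or any real client. It is in Python rather than AutoIt so it can run offline against a constructed in-memory image standing in for ReadProcessMemory; every address, offset and HP value in it (BASE, PLAYER, STATS, 0x100, HP_OFFSET, MAXHP_OFFSET, 40000/45000) is a made-up placeholder, and the struct layout is invented for illustration only.

```python
import struct

# Constructed toy 32-bit memory image for illustration only; nothing here is dumped from
# Ran Online or any real client, and every address below is a made-up placeholder.
BASE = 0x00A3F000       # hypothetical static address in the game module (the "base address")
PLAYER = 0x02B10000     # hypothetical heap address of the player object
STATS = 0x02C20000      # hypothetical heap address of the stats object
HP_OFFSET = 0x24        # hypothetical offset of HP (16-bit) inside the stats object
MAXHP_OFFSET = 0x26     # hypothetical offset of MaxHP (16-bit) inside the stats object


class Memory:
    """Sparse little-endian byte store standing in for ReadProcessMemory/WriteProcessMemory."""

    def __init__(self):
        self._bytes = {}

    def write(self, addr, fmt, value):
        # fmt is a struct format character: 'I' 32-bit pointer, 'H'/'h' unsigned/signed 16-bit
        for i, b in enumerate(struct.pack('<' + fmt, value)):
            self._bytes[addr + i] = b

    def read(self, addr, fmt):
        size = struct.calcsize('<' + fmt)
        raw = bytes(self._bytes.get(addr + i, 0) for i in range(size))
        return struct.unpack('<' + fmt, raw)[0]


def follow_pointer_chain(mem, base, offsets):
    """Resolve a Cheat Engine style multi-level pointer.

    [base] gives the first pointer; each offset except the last is added and dereferenced;
    the last offset is added without dereferencing and yields the address of the value.
    """
    addr = mem.read(base, 'I')
    for off in offsets[:-1]:
        addr = mem.read(addr + off, 'I')
    return addr + offsets[-1]


def split_eax(eax):
    """Sub-registers of EAX: AX = low 16 bits, AL = low 8 bits, AH = bits 8..15."""
    return {'ax': eax & 0xFFFF, 'al': eax & 0xFF, 'ah': (eax >> 8) & 0xFF}


def store_ax(mem, ecx, eax):
    """Emulate `mov [ecx], ax`: only the low 16 bits of EAX reach memory."""
    mem.write(ecx, 'H', split_eax(eax)['ax'])


def build_memory():
    """Lay out the constructed sample: BASE -> player, player+0x100 -> stats, stats holds HP/MaxHP."""
    mem = Memory()
    mem.write(BASE, 'I', PLAYER)
    mem.write(PLAYER + 0x100, 'I', STATS)
    mem.write(STATS + HP_OFFSET, 'H', 40000)
    mem.write(STATS + MAXHP_OFFSET, 'H', 45000)
    return mem


def read_hp(mem, signed=False):
    """Read HP through the chain; signed=True mimics reading with 'short' instead of 'USHORT'."""
    hp_addr = follow_pointer_chain(mem, BASE, [0x100, HP_OFFSET])
    return mem.read(hp_addr, 'h' if signed else 'H')


def needs_potion(mem, threshold_pct=50):
    """Autopot decision: drink when HP falls below threshold_pct of MaxHP."""
    hp = read_hp(mem)
    maxhp = mem.read(follow_pointer_chain(mem, BASE, [0x100, MAXHP_OFFSET]), 'H')
    return hp * 100 < maxhp * threshold_pct


if __name__ == '__main__':
    mem = build_memory()
    print('HP as USHORT:', read_hp(mem))               # 40000
    print('HP as short: ', read_hp(mem, signed=True))  # -25536: the high bit of 40000 is read as a sign bit
    store_ax(mem, follow_pointer_chain(mem, BASE, [0x100, HP_OFFSET]), 0x12340000 | 1234)
    print('HP after mov [ecx],ax:', read_hp(mem))      # 1234: the upper half of EAX never reaches memory
    print('needs potion:', needs_potion(mem))          # True
```

The pointer chain is what the CE "pointer scan" ultimately produces: a static address whose contents, followed through the listed offsets, land on the value even after the heap objects move between sessions. The signed read shows why an HP above 32767 looks negative when read as 'short', and the `store_ax` emulation shows that when a store uses AX, the value to search for in the registers is `eax & 0xFFFF`, not the whole EAX.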