[RELEASE][.NET] Hooking library, take two

04/25/2012 21:28 IAmHawtness#1
August 5th, 2012 update: Restrictions are fixed, meaning you will no longer get banned for using this library

New hooking library + sample + source. Enjoy.

It probably has bugs (I'm terrible at C#)
I might make a tutorial on how to use it, although the sample should be enough
Feel free to ask any questions in the thread

Belth's guide on how to find some important memory addresses (Remember to thank him):

Quote: Originally Posted by Belth
5609 Addresses:
SendPacketFunction = 0x6C8F56
ReceiveLoop = 0x6C9833

This is how I find the addresses:

Recv Loop
1. Search all referenced text strings for "catch error in process msg" without quotes.
2. Trace back until I find "TEST EAX, EAX" followed by "JNZ SHORT <ADDRESS>".

Send Packet Function
1. Search for the binary string "55 8D AC 24 FC DF FF FF B8 04 20 00 00".

Removing the "You can't jump that far." message
1. Search for the constant 186C0.
2. Trace back to the first "JLE <ADDRESS>" command.
3. Replace JLE (7E) with JMP (EB).
*Note: doing this also means that you can attempt to jump further than the server allows (which will disconnect you) so you should validate all jump packets from the client.

Lock client at 60 FPS
1. Search all intermodular calls for Kernel32.Sleep.
2. Trace back and find ADD ECX, 19.
3. Trace back and find LEA EDX, DWORD PTR DS:[ECX+19].
4. Change 19 to another value. The lower the value the higher the FPS and the reverse is true. I use a value of 10 for 60 FPS.


Yes it's very rudimentary as I am as much a noob at this as anyone.
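A tamper check for the jump-limit patch described in Belth's guide above, added here as an example and not part of this thread or the library: it scans a code image for the 0x186C0 constant and reports whether the short jump guarding it is still JLE (0x7E) or has been replaced by JMP (0xEB). The byte layout in build_sample is constructed for the demo, not the real client's code, and the backward byte scan is a heuristic, not a disassembler.

```python
import struct

# Constant the guide searches for (0x186C0) and the two short-jump opcodes:
# 0x7E is JLE rel8 (what an untampered client should have), 0xEB is JMP rel8
# (what a client patched as described above would show instead).
JUMP_LIMIT_CONST = struct.pack("<I", 0x186C0)
JLE_SHORT, JMP_SHORT = 0x7E, 0xEB

def find_jump_check_sites(image: bytes, window: int = 32):
    """Locate every occurrence of the constant and, scanning backwards over at
    most `window` bytes, the nearest short-jump opcode that guards it.
    Returns (const_offset, jump_offset, status) tuples, where status is
    'intact' (JLE found), 'patched' (JMP found) or 'unknown' (no short jump
    within the window). Byte scan only: a 0x7E/0xEB inside an immediate can
    produce a false hit, so treat the result as a heuristic."""
    sites = []
    start = 0
    while True:
        const_off = image.find(JUMP_LIMIT_CONST, start)
        if const_off < 0:
            break
        status, jump_off = "unknown", None
        for off in range(const_off - 1, max(const_off - window, 0) - 1, -1):
            if image[off] in (JLE_SHORT, JMP_SHORT):
                jump_off = off
                status = "intact" if image[off] == JLE_SHORT else "patched"
                break
        sites.append((const_off, jump_off, status))
        start = const_off + len(JUMP_LIMIT_CONST)
    return sites

def client_is_tampered(image: bytes) -> bool:
    """True if any jump-distance check site has its JLE replaced by JMP."""
    return any(status == "patched" for _, _, status in find_jump_check_sites(image))

def build_sample(jump_opcode: int) -> bytes:
    """Constructed code region (not real client bytes): NOP padding, a short
    jump with a rel8 of 5, more padding, then `cmp eax, 0x186C0` (3D imm32)."""
    return (b"\x90" * 8 + bytes([jump_opcode, 0x05]) + b"\x90" * 5
            + b"\x3D" + JUMP_LIMIT_CONST + b"\x90" * 4)

if __name__ == "__main__":
    for label, opcode in (("untouched", JLE_SHORT), ("patched", JMP_SHORT)):
        print(label, find_jump_check_sites(build_sample(opcode)))
```

Run it against a dumped code section to get one tuple per check site; any 'patched' status is the signal a server-side operator would want before trusting that client's jump packets.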
04/25/2012 21:41 itachi26#2
I'll take a quick look!

EDIT:
Quote:
private const uint SendPacketAddress = 0x6BFD0C;
private const uint RecvPacketLoopAddress = 0x6C05E8;
How do you know that?
04/25/2012 21:54 IAmHawtness#3
Quote: Originally Posted by itachi26
I'll take a quick look!

EDIT:

How do you know that?
Because I found the addresses using Olly.
04/25/2012 22:06 itachi26#4
Well, I've already tried to open up conquer.exe with Olly, and it's just a mess... Is there any tutorial to learn from, or is it just logical?
04/25/2012 22:16 IAmHawtness#5
Quote: Originally Posted by itachi26
Well, I've already tried to open up conquer.exe with Olly, and it's just a mess... Is there any tutorial to learn from, or is it just logical?
There are plenty of Olly tutorials around, just search for them.
04/25/2012 22:23 itachi26#6
Okay, I will take a look later. At the moment, the most important thing is to learn how to code in C#. Thanks for your advice!
04/25/2012 22:57 -Shunsui-#7
Changes?
04/25/2012 23:05 IAmHawtness#8
Quote: Originally Posted by -Shunsui-
Changes?
Uhm, it's a whole different library; the old one was in VB, this one is completely different.
04/25/2012 23:11 pro4never#9
You make me so hot
04/26/2012 15:35 ruievmonteiro#10
Did you correct the CPU usage problems that sometimes happened with your old lib? I guess Angelius said those were solved after parsing the exceptions thrown at the debug loop.
04/26/2012 16:09 IAmHawtness#11
Quote: Originally Posted by ruievmonteiro
Did you correct the CPU usage problems that sometimes happened with your old lib? I guess Angelius said those were solved after parsing the exceptions thrown at the debug loop.
Yeah, that's fixed. The Conquer process does tend to go to 100% (or 25% if you have a quad core) CPU usage when it's closed after opening co.91.com/signout while you've attached to it, so I added a breakpoint at ShellExecuteA to instantly kill the Conquer process when it tries to open up the website (it's in the HookTest sample).
04/27/2012 22:01 KraHen#12
I love you with all my heart.
04/28/2012 03:17 ruievmonteiro#13
Thank you so much IAmHawtness for sharing your previous and current work.
This new hooking method works like a Rolls-Royce ;)
04/29/2012 12:57 Real~Death#14
another great release :)
04/29/2012 21:56 denominator#15
Had a look at this and I am impressed. However, I've also looked around at trying to make it "clientless", and I did find something about "hidden" on Google, but I'm a little confused as to where it would be put.

If somebody who has enough knowledge on this would like to whisper me, I can give a URL to the page that I found the "hidden" thing on.

Okay, never mind, I was looking at something else which basically just hides the console >.<